|
 |
eb2dbd |
diff -up ./BUILD.md.openssl ./BUILD.md
|
|
|
eb2dbd |
--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200
|
|
|
eb2dbd |
@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL
|
|
|
eb2dbd |
* libudev-devel
|
|
|
eb2dbd |
* kernel-headers
|
|
|
eb2dbd |
* systemd-devel
|
|
|
eb2dbd |
-* libgcrypt-devel
|
|
|
eb2dbd |
+* libgcrypt-devel ( <= fapolicyd-1.1.3)
|
|
|
eb2dbd |
+* openssl ( >= fapolicyd-1.1.4)
|
|
|
eb2dbd |
* rpm-devel (optional)
|
|
|
eb2dbd |
* file
|
|
|
eb2dbd |
* file-devel
|
|
|
eb2dbd |
diff -U0 ./ChangeLog.openssl ./ChangeLog
|
|
|
eb2dbd |
diff -up ./configure.ac.openssl ./configure.ac
|
|
|
eb2dbd |
--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200
|
|
|
eb2dbd |
@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO
|
|
|
eb2dbd |
echo .
|
|
|
eb2dbd |
echo Checking for required libraries
|
|
|
eb2dbd |
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
|
|
|
eb2dbd |
-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt)
|
|
|
eb2dbd |
+AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto)
|
|
|
eb2dbd |
AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic)
|
|
|
eb2dbd |
AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng)
|
|
|
eb2dbd |
AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp)
|
|
|
eb2dbd |
diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec
|
|
|
eb2dbd |
--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200
|
|
|
eb2dbd |
@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub
|
|
|
eb2dbd |
BuildRequires: gcc
|
|
|
eb2dbd |
BuildRequires: kernel-headers
|
|
|
eb2dbd |
BuildRequires: autoconf automake make gcc libtool
|
|
|
eb2dbd |
-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
|
|
|
eb2dbd |
+BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
|
|
|
eb2dbd |
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
|
|
|
eb2dbd |
BuildRequires: python3-devel
|
|
|
eb2dbd |
BuildRequires: uthash-devel
|
|
|
eb2dbd |
diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c
|
|
|
eb2dbd |
--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200
|
|
|
eb2dbd |
@@ -39,7 +39,6 @@
|
|
|
eb2dbd |
#include <stdatomic.h>
|
|
|
eb2dbd |
#include <lmdb.h>
|
|
|
eb2dbd |
#include <limits.h>
|
|
|
eb2dbd |
-#include <gcrypt.h>
|
|
|
eb2dbd |
#include "policy.h"
|
|
|
eb2dbd |
#include "database.h"
|
|
|
eb2dbd |
#include "file-cli.h"
|
|
|
eb2dbd |
@@ -670,11 +669,6 @@ static int check_trustdb(void)
|
|
|
eb2dbd |
if (rc)
|
|
|
eb2dbd |
return 1;
|
|
|
eb2dbd |
|
|
|
eb2dbd |
- // Initialize libgcrypt
|
|
|
eb2dbd |
- gcry_check_version(NULL);
|
|
|
eb2dbd |
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
|
|
|
eb2dbd |
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
|
|
eb2dbd |
-
|
|
|
eb2dbd |
do {
|
|
|
eb2dbd |
unsigned int tsource; // unused
|
|
|
eb2dbd |
off_t size;
|
|
|
eb2dbd |
diff -up ./src/library/database.c.openssl ./src/library/database.c
|
|
|
eb2dbd |
--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200
|
|
|
eb2dbd |
+++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200
|
|
|
eb2dbd |
@@ -35,7 +35,7 @@
|
|
|
eb2dbd |
#include <unistd.h>
|
|
|
eb2dbd |
#include <fcntl.h>
|
|
|
eb2dbd |
#include <ctype.h>
|
|
|
eb2dbd |
-#include <gcrypt.h>
|
|
|
eb2dbd |
+#include <openssl/sha.h>
|
|
|
eb2dbd |
#include <signal.h>
|
|
|
eb2dbd |
#include <sys/stat.h>
|
|
|
eb2dbd |
#include <sys/types.h>
|
|
|
eb2dbd |
@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t
|
|
|
eb2dbd |
static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE;
|
|
|
eb2dbd |
static char *path_to_hash(const char *path, const size_t path_len)
|
|
|
eb2dbd |
{
|
|
|
eb2dbd |
- gcry_md_hd_t h;
|
|
|
eb2dbd |
- unsigned int len;
|
|
|
eb2dbd |
- unsigned char *hptr;
|
|
|
eb2dbd |
+ unsigned char hptr[80];
|
|
|
eb2dbd |
char *digest;
|
|
|
eb2dbd |
|
|
|
eb2dbd |
- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE))
|
|
|
eb2dbd |
+ if (path_len == 0)
|
|
|
eb2dbd |
return NULL;
|
|
|
eb2dbd |
|
|
|
eb2dbd |
- gcry_md_write(h, path, path_len);
|
|
|
eb2dbd |
- hptr = gcry_md_read(h, GCRY_MD_SHA512);
|
|
|
eb2dbd |
-
|
|
|
eb2dbd |
- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char);
|
|
|
eb2dbd |
- digest = malloc((2 * len) + 1);
|
|
|
eb2dbd |
- if (digest == NULL) {
|
|
|
eb2dbd |
- gcry_md_close(h);
|
|
|
eb2dbd |
+ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr);
|
|
|
eb2dbd |
+ digest = malloc((SHA512_LEN * 2) + 1);
|
|
|
eb2dbd |
+ if (digest == NULL)
|
|
|
eb2dbd |
return digest;
|
|
|
eb2dbd |
- }
|
|
|
eb2dbd |
|
|
|
eb2dbd |
- bytes2hex(digest, hptr, len);
|
|
|
eb2dbd |
- gcry_md_close(h);
|
|
|
eb2dbd |
+ bytes2hex(digest, hptr, SHA512_LEN);
|
|
|
eb2dbd |
|
|
|
eb2dbd |
return digest;
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
@@ -296,7 +288,7 @@ static int write_db(const char *idx, con
|
|
|
eb2dbd |
if (hash == NULL)
|
|
|
eb2dbd |
return 5;
|
|
|
eb2dbd |
key.mv_data = (void *)hash;
|
|
|
eb2dbd |
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
|
|
|
eb2dbd |
+ key.mv_size = (SHA512_LEN * 2) + 1;
|
|
|
eb2dbd |
} else {
|
|
|
eb2dbd |
key.mv_data = (void *)idx;
|
|
|
eb2dbd |
key.mv_size = len;
|
|
|
eb2dbd |
@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde
|
|
|
eb2dbd |
if (hash == NULL)
|
|
|
eb2dbd |
return NULL;
|
|
|
eb2dbd |
key.mv_data = (void *)hash;
|
|
|
eb2dbd |
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
|
|
|
eb2dbd |
+ key.mv_size = (SHA512_LEN * 2) + 1;
|
|
|
eb2dbd |
} else {
|
|
|
eb2dbd |
key.mv_data = (void *)index;
|
|
|
eb2dbd |
key.mv_size = len;
|
|
|
eb2dbd |
diff -up ./src/library/file.c.openssl ./src/library/file.c
|
|
|
eb2dbd |
--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200
|
|
|
eb2dbd |
@@ -31,7 +31,7 @@
|
|
|
eb2dbd |
#include <sys/stat.h>
|
|
|
eb2dbd |
#include <string.h>
|
|
|
eb2dbd |
#include <stdlib.h>
|
|
|
eb2dbd |
-#include <gcrypt.h>
|
|
|
eb2dbd |
+#include <openssl/sha.h>
|
|
|
eb2dbd |
#include <magic.h>
|
|
|
eb2dbd |
#include <libudev.h>
|
|
|
eb2dbd |
#include <elf.h>
|
|
|
eb2dbd |
@@ -51,7 +51,6 @@ static struct udev *udev;
|
|
|
eb2dbd |
magic_t magic_cookie;
|
|
|
eb2dbd |
struct cache { dev_t device; const char *devname; };
|
|
|
eb2dbd |
static struct cache c = { 0, NULL };
|
|
|
eb2dbd |
-static size_t hash_size = 32; // init so cli doesn't need to call file_init
|
|
|
eb2dbd |
|
|
|
eb2dbd |
// readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]';
|
|
|
eb2dbd |
static const char *interpreters[] = {
|
|
|
eb2dbd |
@@ -96,12 +95,6 @@ void file_init(void)
|
|
|
eb2dbd |
msg(LOG_ERR, "Unable to load magic database");
|
|
|
eb2dbd |
exit(1);
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
-
|
|
|
eb2dbd |
- // Initialize libgcrypt
|
|
|
eb2dbd |
- gcry_check_version(NULL);
|
|
|
eb2dbd |
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
|
|
|
eb2dbd |
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
|
|
eb2dbd |
- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char);
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
|
|
|
eb2dbd |
|
|
|
eb2dbd |
@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s
|
|
|
eb2dbd |
if (mapped != MAP_FAILED) {
|
|
|
eb2dbd |
unsigned char hptr[40];
|
|
|
eb2dbd |
|
|
|
eb2dbd |
- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size);
|
|
|
eb2dbd |
+ SHA256(mapped, size, (unsigned char *)&hptr);
|
|
|
eb2dbd |
munmap(mapped, size);
|
|
|
eb2dbd |
- digest = malloc(65);
|
|
|
eb2dbd |
+ digest = malloc((SHA256_LEN * 2) + 1);
|
|
|
eb2dbd |
|
|
|
eb2dbd |
// Convert to ASCII string
|
|
|
eb2dbd |
- bytes2hex(digest, hptr, hash_size);
|
|
|
eb2dbd |
+ bytes2hex(digest, hptr, SHA256_LEN);
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
return digest;
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha)
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
|
|
|
eb2dbd |
// Looks like it what we want...
|
|
|
eb2dbd |
- bytes2hex(sha, &tmp[2], 32);
|
|
|
eb2dbd |
+ bytes2hex(sha, &tmp[2], SHA256_LEN);
|
|
|
eb2dbd |
return 1;
|
|
|
eb2dbd |
}
|
|
|
eb2dbd |
|
|
|
eb2dbd |
diff -up ./src/library/file.h.openssl ./src/library/file.h
|
|
|
eb2dbd |
--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200
|
|
|
eb2dbd |
+++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200
|
|
|
eb2dbd |
@@ -40,6 +40,9 @@ struct file_info
|
|
|
eb2dbd |
struct timespec time;
|
|
|
eb2dbd |
};
|
|
|
eb2dbd |
|
|
|
eb2dbd |
+#define SHA256_LEN 32
|
|
|
eb2dbd |
+#define SHA512_LEN 64
|
|
|
eb2dbd |
+
|
|
|
eb2dbd |
void file_init(void);
|
|
|
eb2dbd |
void file_close(void);
|
|
|
eb2dbd |
struct file_info *stat_file_entry(int fd) MALLOCLIKE;
|