
[2/3] lib/security: New lib for security functions.

Message ID 1464861418-19709-3-git-send-email-nayna@linux.vnet.ibm.com
State RFC

Commit Message

Nayna June 2, 2016, 9:56 a.m. UTC
Adds new lib to support security specific functions.
Functions are separated into different files based on
functionality they provide. Details as below:

lib/security/crypto: Set of files to support crypto functions
like hash, encryption etc. Currently, it provides support
only for hash function and can be extended as needed. Hash
function is implemented using kernel crypto API.

lib/security/tpmOperations: Set of files to support TPM-specific
operations. Currently, it provides a function to extend the TPM.
The implementation of this function is currently experimental and
is bound to change.

Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>
---
 lib/Makefile.am              |  6 +++-
 lib/security/crypto.c        | 73 ++++++++++++++++++++++++++++++++++++++++++++
 lib/security/crypto.h        | 22 +++++++++++++
 lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++
 lib/security/tpmOperations.h | 18 +++++++++++
 5 files changed, 190 insertions(+), 1 deletion(-)
 create mode 100644 lib/security/crypto.c
 create mode 100644 lib/security/crypto.h
 create mode 100644 lib/security/tpmOperations.c
 create mode 100644 lib/security/tpmOperations.h

Comments

samjonas June 3, 2016, 5:52 a.m. UTC | #1
On Thu, Jun 02, 2016 at 05:56:57AM -0400, Nayna Jain wrote:
> Adds new lib to support security specific functions.
> Functions are separated into different files based on
> functionality they provide. Details as below:
> 
> lib/security/crypto: Set of files to support crypto functions
> like hash, encryption etc. Currently, it provides support
> only for hash function and can be extended as needed. Hash
> function is implemented using kernel crypto API.
> 
> lib/security/tpmOperations: Set of files to support tpm
> specific operations. Currently, it provides function to extend TPM.
> The implmentation of this function is currently experimental and
> is bound to change.
> 
> Signed-off-by: Nayna Jain <nayna@linux.vnet.ibm.com>

Format sounds good - although please don't use camelCase in filenames
(e.g. tpm_operations instead of tpmOperations)

> ---
>  lib/Makefile.am              |  6 +++-
>  lib/security/crypto.c        | 73 ++++++++++++++++++++++++++++++++++++++++++++
>  lib/security/crypto.h        | 22 +++++++++++++
>  lib/security/tpmOperations.c | 72 +++++++++++++++++++++++++++++++++++++++++++
>  lib/security/tpmOperations.h | 18 +++++++++++
>  5 files changed, 190 insertions(+), 1 deletion(-)
>  create mode 100644 lib/security/crypto.c
>  create mode 100644 lib/security/crypto.h
>  create mode 100644 lib/security/tpmOperations.c
>  create mode 100644 lib/security/tpmOperations.h
> 
> diff --git a/lib/Makefile.am b/lib/Makefile.am
> index 09bc1aa..d5559f0 100644
> --- a/lib/Makefile.am
> +++ b/lib/Makefile.am
> @@ -50,7 +50,11 @@ lib_libpbcore_la_SOURCES = \
>  	lib/util/util.c \
>  	lib/util/util.h \
>  	lib/flash/config.h \
> -	lib/flash/flash.h
> +	lib/flash/flash.h \
> +	lib/security/tpmOperations.c \
> +	lib/security/tpmOperations.h \
> +	lib/security/crypto.c \
> +	lib/security/crypto.h
>  
>  if ENABLE_MTD
>  lib_libpbcore_la_SOURCES += \
> diff --git a/lib/security/crypto.c b/lib/security/crypto.c
> new file mode 100644
> index 0000000..e5344a8
> --- /dev/null
> +++ b/lib/security/crypto.c
> @@ -0,0 +1,73 @@
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <unistd.h>
> +
> +#include <sys/socket.h>
> +#include <linux/if_alg.h>
> +#include <linux/socket.h>
> +
> +#include <log/log.h>
> +
> +#include "crypto.h"
> +
> +#define DIGEST_SIZE(digestname)	!strcmp(digestname, "sha1")? \
> +	SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \
> +	SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \
> +	SHA512_DIGEST_SIZE : 0

Please use strncmp() instead of strcmp(). Also this would probably be
better off as a small (inline?) function instead of a macro.

> +
> +
> +int calc_digest(const char *digestname, const unsigned char *ibuf,
> +		uint8_t *obuf)
> +{
> +        struct sockaddr_alg sa = {
> +                .salg_family = AF_ALG,
> +                .salg_type = "hash",
> +        };
> +
> +	int fd = -1;
> +	int sockfd = -1;
> +	int rc = 0;
> +	unsigned char digest[DIGEST_SIZE(digestname)];
> +        char *input = NULL;
> +	input = ibuf ;

I've noticed this in a few places, please be consistent with
indentation.

> +	memset(sa.salg_name, 0, sizeof(sa.salg_name));
> +        memcpy(sa.salg_name, digestname, sizeof(sa.salg_name));
> +
> +        sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
> +	if (sockfd == -1)
> +	{
> +		rc = -1;
> +		goto out;
> +	}
> +
> +        rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
> +	if (rc == -1)
> +		goto out;
> +
> +        fd = accept(sockfd, NULL, 0);
> +	if (fd == -1)
> +	{
> +		rc = -1;
> +		goto out;
> +	}
> +
> +	rc = write(fd, input, sizeof(input));
> +	if (rc == -1)
> +		goto out;
> +
> +        read(fd, digest, sizeof(digest));
> +
> +        memset(obuf, 0, sizeof(digest));
> +        memcpy(obuf, digest, sizeof(digest));
> +
> +
> +out:
> +	if (fd > 0)
> +		close(fd);
> +	if (sockfd > 0)
> +		close(sockfd);
> +
> +        return 0;
> +
> +}
> diff --git a/lib/security/crypto.h b/lib/security/crypto.h
> new file mode 100644
> index 0000000..111c1ea
> --- /dev/null
> +++ b/lib/security/crypto.h
> @@ -0,0 +1,22 @@
> +#ifndef CRYPTO_H
> +#define CRYPTO_H
> +
> +#include <stdint.h>
> +
> +#define SHA1_DIGEST_SIZE	 20
> +#define SHA256_DIGEST_SIZE	 32
> +#define SHA512_DIGEST_SIZE	 64
> +
> +/**
> + * Calculates and returns the digest of the input buffer.
> + * @digestname: Type of digest to be calculated.
> + * @ibuf: Input buffer whose digest is to be calculated.
> + * @obuf: Output buffer in which calculated digest is returned.
> + *
> + * On success, 0 is returned. On error, -1 is returned.
> + **/
> +int calc_digest(const char *digestname, const unsigned char *ibuf,
> +		uint8_t *obuf);
> +
> +#endif /* CRYPTO_H */
> +
> diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c
> new file mode 100644
> index 0000000..bfb2c21
> --- /dev/null
> +++ b/lib/security/tpmOperations.c
> @@ -0,0 +1,72 @@
> +#include <stdio.h>
> +#include <string.h>
> +#include <stdlib.h>
> +#include <unistd.h>
> +#include <sys/socket.h>
> +#include <linux/if_alg.h>
> +#include <linux/socket.h>
> +
> +#include <log/log.h>
> +
> +#include "crypto.h"
> +#include "tpmOperations.h"
> +
> +/**
> +Note: The implementation of this function is experimental.
> +It only servers the purpose of showing tpm_extend API and its interface.
> +Final implementation will be changed.
> +**/

Right - I'd like to see a lot more detail about what is expected to
happen here so I can fully understand the purpose.

> +
> +int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf,
> +		uint8_t buflen)
> +{
> +
> +        struct sockaddr_alg sa = {
> +                .salg_family = AF_ALG,
> +                .salg_type = "tpm-extend",
> +        };
> +	int i=0;
> +	int sockfd = -1;
> +	int fd = -1;
> +        int rc = 0;
> +	char res[256];	//This is temporary size and will be defined correctly once 
> +	//response status code is finalized for extend operation.
> +	memset(sa.salg_name, 0, sizeof(sa.salg_name));
> +	memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg));
> +
> +        sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
> +	if (sockfd == -1)
> +	{
> +		rc = -1;
> +		goto out;
> +	}
> +
> +        rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
> +	if (rc == -1)
> +		goto out;
> +
> +        fd = accept(sockfd, NULL, 0);
> +	if (fd == -1)
> +	{
> +		rc = -1;
> +		goto out;
> +	}
> +
> +        rc = write(fd, buf, buflen);
> +	if (rc == -1)
> +	{
> +		rc = -1;
> +		goto out;
> +	}
> +
> +	//response will contain status code for extend operation.
> +	//handling of error status code is yet to be finalized.
> +	read(fd, res, sizeof(res));
> +
> +out:
> +	if (fd > 0)
> +        	close(fd);
> +	if (sockfd > 0)
> +	        close(sockfd);
> +        return rc;
> +}
> diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h
> new file mode 100644
> index 0000000..2231152
> --- /dev/null
> +++ b/lib/security/tpmOperations.h
> @@ -0,0 +1,18 @@
> +#ifndef _TPM_OPERATIONS_H 
> +#define _TPM_OPERATIONS_H
> +
> +/**
> + * Prepares the request and send to TPM for extend.
> + * @pcr : PCR Index to which to be extended.
> + * @pcr_bank : PCR Bank to which to be extended.
> + * @buf : Input data to be extended.
> + * @buflen : Length of the input data.
> + *
> + * On success, 0 is returned. On error, -1 is returned.
> +**/
> +
> +int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf,
> +		uint8_t buflen);
> +
> +#endif /* _TPM_OPERATIONS_H */
> +
> -- 
> 2.5.0
> 
> _______________________________________________
> Petitboot mailing list
> Petitboot@lists.ozlabs.org
> https://lists.ozlabs.org/listinfo/petitboot

Patch

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 09bc1aa..d5559f0 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -50,7 +50,11 @@  lib_libpbcore_la_SOURCES = \
 	lib/util/util.c \
 	lib/util/util.h \
 	lib/flash/config.h \
-	lib/flash/flash.h
+	lib/flash/flash.h \
+	lib/security/tpmOperations.c \
+	lib/security/tpmOperations.h \
+	lib/security/crypto.c \
+	lib/security/crypto.h
 
 if ENABLE_MTD
 lib_libpbcore_la_SOURCES += \
diff --git a/lib/security/crypto.c b/lib/security/crypto.c
new file mode 100644
index 0000000..e5344a8
--- /dev/null
+++ b/lib/security/crypto.c
@@ -0,0 +1,73 @@ 
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+
+#define DIGEST_SIZE(digestname)	!strcmp(digestname, "sha1")? \
+	SHA1_DIGEST_SIZE : !strcmp(digestname, "sha256")? \
+	SHA256_DIGEST_SIZE : !strcmp(digestname, "sha512")? \
+	SHA512_DIGEST_SIZE : 0
+
+
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+		uint8_t *obuf)
+{
+        struct sockaddr_alg sa = {
+                .salg_family = AF_ALG,
+                .salg_type = "hash",
+        };
+
+	int fd = -1;
+	int sockfd = -1;
+	int rc = 0;
+	unsigned char digest[DIGEST_SIZE(digestname)];
+        char *input = NULL;
+	input = ibuf ;
+	memset(sa.salg_name, 0, sizeof(sa.salg_name));
+        memcpy(sa.salg_name, digestname, sizeof(sa.salg_name));
+
+        sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+	if (sockfd == -1)
+	{
+		rc = -1;
+		goto out;
+	}
+
+        rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+	if (rc == -1)
+		goto out;
+
+        fd = accept(sockfd, NULL, 0);
+	if (fd == -1)
+	{
+		rc = -1;
+		goto out;
+	}
+
+	rc = write(fd, input, sizeof(input));
+	if (rc == -1)
+		goto out;
+
+        read(fd, digest, sizeof(digest));
+
+        memset(obuf, 0, sizeof(digest));
+        memcpy(obuf, digest, sizeof(digest));
+
+
+out:
+	if (fd > 0)
+		close(fd);
+	if (sockfd > 0)
+		close(sockfd);
+
+        return 0;
+
+}
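Review bot: `write(fd, input, sizeof(input))` sends only `sizeof(char *)` bytes, so the digest covers the first 4 or 8 bytes of `ibuf` rather than the data, and `calc_digest` has no length parameter to fix that with. The function also ends in `return 0;` on every path, so a failed `socket()`, `bind()`, `accept()` or `write()`, and the unchecked `read()`, are all reported as success while `obuf` holds no valid digest; a caller that measures or compares boot images would then be working from a value that does not describe them. Two further points in the same body: `memcpy(sa.salg_name, digestname, sizeof(sa.salg_name))` reads the full size of `salg_name` from a string that is normally much shorter, and an unrecognised `digestname` makes `digest` a zero-length VLA. The sketch below adds an `ilen` parameter (the prototype in crypto.h would change with it), bounds the name copy, checks both transfers and returns `rc`.

```c
int calc_digest(const char *digestname, const unsigned char *ibuf,
		size_t ilen, uint8_t *obuf)
{
	/* … unchanged: sockaddr_alg initialiser, fd/sockfd/rc declarations … */
	size_t dlen = DIGEST_SIZE(digestname);
	unsigned char digest[SHA512_DIGEST_SIZE];
	ssize_t n;

	if (dlen == 0 || strlen(digestname) >= sizeof(sa.salg_name))
		return -1;
	memcpy(sa.salg_name, digestname, strlen(digestname) + 1);

	/* … unchanged: socket(), bind(), accept() … */

	n = write(fd, ibuf, ilen);
	if (n < 0 || (size_t)n != ilen) {
		rc = -1;
		goto out;
	}

	n = read(fd, digest, dlen);
	if (n < 0 || (size_t)n != dlen) {
		rc = -1;
		goto out;
	}
	memcpy(obuf, digest, dlen);
	rc = 0;

out:
	/* … unchanged: close fd and sockfd … */
	return rc;
}
```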
diff --git a/lib/security/crypto.h b/lib/security/crypto.h
new file mode 100644
index 0000000..111c1ea
--- /dev/null
+++ b/lib/security/crypto.h
@@ -0,0 +1,22 @@ 
+#ifndef CRYPTO_H
+#define CRYPTO_H
+
+#include <stdint.h>
+
+#define SHA1_DIGEST_SIZE	 20
+#define SHA256_DIGEST_SIZE	 32
+#define SHA512_DIGEST_SIZE	 64
+
+/**
+ * Calculates and returns the digest of the input buffer.
+ * @digestname: Type of digest to be calculated.
+ * @ibuf: Input buffer whose digest is to be calculated.
+ * @obuf: Output buffer in which calculated digest is returned.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+ **/
+int calc_digest(const char *digestname, const unsigned char *ibuf,
+		uint8_t *obuf);
+
+#endif /* CRYPTO_H */
+
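Review bot: The kernel-doc for `calc_digest` does not say how large `obuf` must be or which `digestname` strings are accepted, and the caller cannot learn either from the prototype. From crypto.c, the function copies the full digest for the named algorithm into `obuf` and recognises only "sha1", "sha256" and "sha512", so I would document that, e.g. `@obuf: Output buffer; must hold at least the digest size for @digestname (up to SHA512_DIGEST_SIZE bytes).` and `@digestname: One of "sha1", "sha256", "sha512".` The prototype also carries no length for `ibuf`; the comment should say how many bytes are hashed.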
diff --git a/lib/security/tpmOperations.c b/lib/security/tpmOperations.c
new file mode 100644
index 0000000..bfb2c21
--- /dev/null
+++ b/lib/security/tpmOperations.c
@@ -0,0 +1,72 @@ 
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <linux/if_alg.h>
+#include <linux/socket.h>
+
+#include <log/log.h>
+
+#include "crypto.h"
+#include "tpmOperations.h"
+
+/**
+Note: The implementation of this function is experimental.
+It only servers the purpose of showing tpm_extend API and its interface.
+Final implementation will be changed.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank_hash_alg, uint8_t * buf,
+		uint8_t buflen)
+{
+
+        struct sockaddr_alg sa = {
+                .salg_family = AF_ALG,
+                .salg_type = "tpm-extend",
+        };
+	int i=0;
+	int sockfd = -1;
+	int fd = -1;
+        int rc = 0;
+	char res[256];	//This is temporary size and will be defined correctly once 
+	//response status code is finalized for extend operation.
+	memset(sa.salg_name, 0, sizeof(sa.salg_name));
+	memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg));
+
+        sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+	if (sockfd == -1)
+	{
+		rc = -1;
+		goto out;
+	}
+
+        rc = bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
+	if (rc == -1)
+		goto out;
+
+        fd = accept(sockfd, NULL, 0);
+	if (fd == -1)
+	{
+		rc = -1;
+		goto out;
+	}
+
+        rc = write(fd, buf, buflen);
+	if (rc == -1)
+	{
+		rc = -1;
+		goto out;
+	}
+
+	//response will contain status code for extend operation.
+	//handling of error status code is yet to be finalized.
+	read(fd, res, sizeof(res));
+
+out:
+	if (fd > 0)
+        	close(fd);
+	if (sockfd > 0)
+	        close(sockfd);
+        return rc;
+}
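Review bot: `tpm_extend` never uses its `pcr` argument, so nothing in the request written to the socket says which PCR to extend, and the result of `read(fd, res, sizeof(res))` is discarded, so the caller cannot tell whether the extend happened. On the success path `rc` still holds the byte count from `write()`, not the 0 that tpmOperations.h documents, and a short write is not detected. `memcpy(sa.salg_name, pcr_bank_hash_alg, sizeof(pcr_bank_hash_alg))` copies `sizeof(const char *)` bytes, which truncates names longer than the pointer size ("sha256" with its terminator needs 7 bytes, a 32-bit pointer gives 4). The sketch below bounds the name copy, checks both transfers and normalises `rc`; how `pcr` is encoded in the request depends on the kernel interface, which is not shown here. The unused `int i` can go.

```c
	/* … unchanged: sockaddr_alg initialiser, sockfd/fd/rc/res declarations … */
	size_t alg_len = strlen(pcr_bank_hash_alg);
	ssize_t n;

	if (alg_len >= sizeof(sa.salg_name))
		return -1;
	memcpy(sa.salg_name, pcr_bank_hash_alg, alg_len + 1);

	/* … unchanged: socket(), bind(), accept() … */

	n = write(fd, buf, buflen);
	if (n < 0 || (size_t)n != buflen) {
		rc = -1;
		goto out;
	}

	n = read(fd, res, sizeof(res));
	if (n <= 0) {
		rc = -1;
		goto out;
	}
	/* TODO: decode the status code in res once its format is final */
	rc = 0;

	/* … unchanged: out: label, close fd and sockfd, return rc … */
```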
diff --git a/lib/security/tpmOperations.h b/lib/security/tpmOperations.h
new file mode 100644
index 0000000..2231152
--- /dev/null
+++ b/lib/security/tpmOperations.h
@@ -0,0 +1,18 @@ 
+#ifndef _TPM_OPERATIONS_H 
+#define _TPM_OPERATIONS_H
+
+/**
+ * Prepares the request and send to TPM for extend.
+ * @pcr : PCR Index to which to be extended.
+ * @pcr_bank : PCR Bank to which to be extended.
+ * @buf : Input data to be extended.
+ * @buflen : Length of the input data.
+ *
+ * On success, 0 is returned. On error, -1 is returned.
+**/
+
+int tpm_extend(unsigned int pcr, const char* pcr_bank, uint8_t * buf,
+		uint8_t buflen);
+
+#endif /* _TPM_OPERATIONS_H */
+
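Review bot: The header uses `uint8_t` in the `tpm_extend` prototype without including `<stdint.h>`, so it only compiles when something else (here crypto.h, included first by tpmOperations.c) has pulled the type in; add `#include <stdint.h>` after the guard. The guard name `_TPM_OPERATIONS_H` starts with an underscore and a capital letter, which is reserved for the implementation; `TPM_OPERATIONS_H` would match `CRYPTO_H`. `buflen` is a `uint8_t`, which caps the data at 255 bytes, so that limit is worth stating on the `@buflen` line, or the type could be widened to `size_t`.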