From: Andreas S. <and...@st...> - 2014-12-31 06:16:48

Hello Jens,

have a look at our working strongSwan IMA-NG source code:

https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libimcv/pts/components/ita/ita_comp_ima.c#L230

The evidently wrong steps that you are making are the following:

- Hash the algorithm name without the ":" separator but include the
  terminating nul character in your hash (see line 236 of the strongSwan
  source code).

- The file or event name must also be hashed with the terminating nul
  character included (see line 237 of the strongSwan source code).

Also have a look at the strongSwan parse_validation_uri() function

https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libimcv/pts/components/ita/ita_comp_ima.c#L465

which parses the string <hash algorithm>:<event name> into its two
components.

I don't know how Ruby computes the hash of the fhash.length and
fname.length values. Currently the Linux kernel IMA-NG code treats the
uint32_t lengths as a 4-byte value in host order (see lines 240 and 244
of the strongSwan source code).

A couple of months ago I proposed on this list to make these two length
hashes platform-independent by hashing the uint32_t values in network
order. This would help tremendously if a TNC attestation IMC is running
on a little-endian platform but the TNC attestation IMV deriving the
IMA-NG hash from a stored reference file hash is running on a big-endian
host or vice versa. Unfortunately my patch was not accepted into the
Linux kernel.

I hope this helps you to arrive at the correct hash values.

Best regards and a Happy New Year!

Andreas

On 31.12.2014 00:48, Jens Lucius wrote:
> Hello,
>
> I am trying to calculate the template hash for ima-ng using ruby but
> after trying lots of combinations it seems I am not getting the correct
> hash value.
>
> According to documentation the template hash is:
> template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname
> length, pathname)
>
> So I am trying to re-calculate the following IMA measurement:
> 10 79fa39c792abfd03ba7569e1900d155f993b01e8 ima-ng
> sha1:037d38f6148770b9565ba3f6b532c7794e37e025 /sbin/init
>
> I would be happy if someone could have a look what I am doing wrong here.
>
> Thanks,
>
> Jens Lucius
>
>
> #!/usr/bin/env ruby
> require 'digest/sha1'
> fhash="sha1:037d38f6148770b9565ba3f6b532c7794e37e025"
> fhash2="037d38f6148770b9565ba3f6b532c7794e37e025"
> thash="79fa39c792abfd03ba7569e1900d155f993b01e8"
> fname="/sbin/init"
> hash=Digest::SHA1.hexdigest([fhash.length].pack('i') + "sha1:" +
> [fhash2].pack('H*') + [fname.length].pack('i') + fname)
> print "\nTest: #{thash==hash} ima #{thash} hash: #{hash}"

======================================================================
Andreas Steffen                         and...@st...
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
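
The points raised in the reply above, as an added Ruby example that is not part of the original messages and is not strongSwan or kernel code: it serializes the two ima-ng fields with NUL-terminated strings and binary 32-bit length prefixes, then tries each combination of algorithm label (with or without ":") and length byte order against the template hash recorded in the quoted measurement. The function names and the candidate list are assumptions made for this example.

```ruby
require 'digest/sha1'

# Measurement quoted in the thread: PCR, template hash, template, digest, name.
ENTRY = '10 79fa39c792abfd03ba7569e1900d155f993b01e8 ima-ng ' \
        'sha1:037d38f6148770b9565ba3f6b532c7794e37e025 /sbin/init'

# Serialize one candidate layout of the two ima-ng fields.
# label:  algorithm label hashed in front of the digest (NUL is appended here)
# endian: :little or :big, byte order of the two uint32_t length prefixes
def template_data(label, digest_hex, name, endian)
  fmt    = endian == :little ? 'V' : 'N'               # unsigned 32-bit LE / BE
  d_data = (label + "\0").b + [digest_hex].pack('H*')  # label, NUL, raw digest
  n_data = (name + "\0").b                             # event name incl. NUL
  [d_data.bytesize].pack(fmt) + d_data + [n_data.bytesize].pack(fmt) + n_data
end

def template_hash(label, digest_hex, name, endian)
  Digest::SHA1.hexdigest(template_data(label, digest_hex, name, endian))
end

# Split a measurement line; the digest column is "<algo>:<hex digest>".
# The event name is taken last so that pathnames containing spaces survive.
def parse_entry(line)
  _pcr, recorded, template, algo_digest, name = line.chomp.split(' ', 5)
  raise ArgumentError, 'not an ima-ng entry' unless template == 'ima-ng'
  algo, digest_hex = algo_digest.split(':', 2)
  [recorded, algo, digest_hex, name]
end

# Return every [label, endian] candidate whose hash equals the recorded one.
# An empty result means none of the layouts tried here explains the entry.
def matching_layouts(line)
  recorded, algo, digest_hex, name = parse_entry(line)
  [algo, algo + ':'].product(%i[little big]).select do |label, endian|
    template_hash(label, digest_hex, name, endian) == recorded
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "matching layouts: #{matching_layouts(ENTRY).inspect}"
end
```

Because the length prefixes are hashed as raw bytes, the same file digest and pathname give different template hashes for little- and big-endian prefixes, which is why a verifier has to know the byte order of the platform that produced the measurement list.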