From: Jens L. <in...@je...> - 2014-12-31 13:50:10
Hello Andreas,

Thanks for your help, this solved the problem I had!

Happy New Year to you, the Strongswan team and everybody on the IMA
mailing list.

Regards,
Jens

Here is the working ruby script if anybody is interested in it:

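#!/usr/bin/env ruby
require 'digest/sha1'
# file data hash from the measurement entry
fhash="037d38f6148770b9565ba3f6b532c7794e37e025"
fhashhex = [fhash].pack('H*')
# path name including the terminating nul
fname0="/sbin/init\x00"
# template hash from the measurement entry
thash="79fa39c792abfd03ba7569e1900d155f993b01e8"
# algorithm name including the terminating nul
algname="sha1:\00"
# pack('i') emits each length as a native-endian int (4 bytes on common platforms)
hash = Digest::SHA1.hexdigest([fhashhex.length+algname.length].pack('i') +
  algname + fhashhex + [fname0.length].pack('i') + fname0)
print "\nTest: #{thash==hash} ima #{thash} hash: #{hash} \n"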

On 31.12.2014 at 06:59, Andreas Steffen wrote:
> Hello Jens,
>
> have a look at our working strongSwan IMA-NG source code:
>
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libimcv/pts/components/ita/ita_comp_ima.c#L230
>
>
> The evident wrong steps that you are making are the following:
>
> - Hash the algorithm name without the ":" separator but
> include the terminating nul character in your hash (see line 236
> of the strongSwan source code).
>
> - The file or event name must also be hashed with the terminating
> nul character included (see line 237 of the strongSwan source code)
>
> Also have a look at the strongSwan parse_validation_uri() function
>
> https://wiki.strongswan.org/projects/strongswan/repository/revisions/master/entry/src/libimcv/pts/components/ita/ita_comp_ima.c#L465
>
>
> which parses the string <hash algorithm>:<event name> into its two
> components.
>
> I don't know how Ruby computes the hash of the fhash.length and
> fname.length values. Currently the Linux kernel IMA-NG code treats
> the uint32_t lengths as a 4-byte value in host order (see lines 240
> and 244 of the strongSwan source code).
>
> A couple of months ago I proposed on this list to make these two
> length hashes platform-independent by hashing the uint32_t values
> in network order. This would help tremendously if a TNC attestation
> IMC is running on a little-endian platform but the TNC attestation IMV
> deriving the IMA-NG hash from a stored reference file hash is running
> on a big-endian host or vice versa. Unfortunately my patch was not
> accepted into the Linux kernel.
>
> I hope this helps you to arrive at the correct hash values.
>
> Best regards and a Happy New Year!
>
> Andreas
>
> On 31.12.2014 00:48, Jens Lucius wrote:
>> Hello,
>>
>> I am trying to calculate the template hash for ima-ng using ruby but
>> after trying lots of combinations it seems I am not getting the correct
>> hash value.
>>
>> According to documentation the template hash is:
>> template-hash: sha1 hash(filedata-hash length, filedata-hash, pathname
>> length, pathname)
>>
>> So I am trying to re-calculate the following IMA measurement:
>> 10 79fa39c792abfd03ba7569e1900d155f993b01e8 ima-ng
>> sha1:037d38f6148770b9565ba3f6b532c7794e37e025 /sbin/init
>>
>> I would be happy if someone could have a look what I am doing wrong
>> here.
>>
>> Thanks,
>>
>> Jens Lucius
>>
>>
>> #!/usr/bin/env ruby
>> require 'digest/sha1'
>> fhash="sha1:037d38f6148770b9565ba3f6b532c7794e37e025"
>> fhash2="037d38f6148770b9565ba3f6b532c7794e37e025"
>> thash="79fa39c792abfd03ba7569e1900d155f993b01e8"
>> fname="/sbin/init"
>> hash=Digest::SHA1.hexdigest([fhash.length].pack('i') + "sha1:" +
>> [fhash2].pack('H*') + [fname.length].pack('i') + fname)
>> print "\nTest: #{thash==hash} ima #{thash} hash: #{hash}"
>
> ======================================================================
> Andreas Steffen and...@st...
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
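
An added example, not part of the original thread and not strongSwan or kernel code: it parses the measurement line quoted above and recomputes the ima-ng template hash with the two length fields packed explicitly as little-endian and as big-endian, which is the host-order dependence Andreas describes. The function names are assumptions, and the sample line is constructed from the values in the thread.

```ruby
require 'digest/sha1'

# Constructed input: the measurement line quoted in the thread, in the
# layout "PCR template-hash template-name d-ng n-ng".
SAMPLE_LINE = '10 79fa39c792abfd03ba7569e1900d155f993b01e8 ima-ng ' \
              'sha1:037d38f6148770b9565ba3f6b532c7794e37e025 /sbin/init'

Entry = Struct.new(:pcr, :template_hash, :template, :algo, :file_hash, :path)

# Split one ima-ng line into fields; the path is taken last so that
# embedded spaces survive.
def parse_ima_ng(line)
  pcr, thash, template, digest, path = line.chomp.split(' ', 5)
  unless template == 'ima-ng' && digest && path
    raise ArgumentError, "not a complete ima-ng entry: #{line.inspect}"
  end
  algo, hex = digest.split(':', 2)
  unless hex && hex.match?(/\A\h+\z/) && hex.length.even?
    raise ArgumentError, 'malformed d-ng field'
  end
  Entry.new(Integer(pcr), thash.downcase, template, algo, hex.downcase, path)
end

# Recompute the template hash. fmt is the pack directive for the uint32
# field lengths: 'V' = little-endian, 'N' = big-endian (network order).
def template_hash(entry, fmt)
  d_ng = "#{entry.algo}:\0".b + [entry.file_hash].pack('H*') # "sha1:" NUL digest
  n_ng = "#{entry.path}\0".b                                 # path NUL
  Digest::SHA1.hexdigest([d_ng.bytesize].pack(fmt) + d_ng +
                         [n_ng.bytesize].pack(fmt) + n_ng)
end

# Name the length encoding that reproduces the logged hash, or nil when
# neither does (altered entry or wrong reference file hash).
def matching_byte_order(entry)
  { little: 'V', big: 'N' }.each do |name, fmt|
    return name if template_hash(entry, fmt) == entry.template_hash
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  entry = parse_ima_ng(SAMPLE_LINE)
  puts "logged:        #{entry.template_hash}"
  puts "little-endian: #{template_hash(entry, 'V')}"
  puts "big-endian:    #{template_hash(entry, 'N')}"
  puts "match:         #{matching_byte_order(entry).inspect}"
end
```

A verifier that derives template hashes from stored reference file hashes can use the returned byte order to tell an entry recorded on a host of the other endianness from one that matches neither encoding.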