Remove common code for returning supported fingerprints. This is done now

via sysctl(8) using kern.veriexec.algorithms. Also add an entry for the 'algorithms' variable in sysctl.8 forgotten in the last commit.
2005-05-20 19:52:52 +00:00 · 2005-05-20 19:52:52 +00:00 · cd0c4134f1
parent 2ecd1730c0
commit cd0c4134f1
6 changed files with 22 additions and 103 deletions
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.8,v 1.119 2005/05/19 20:16:19 elad Exp $
+.\"	$NetBSD: sysctl.8,v 1.120 2005/05/20 19:52:52 elad Exp $
 .\"
 .\" Copyright (c) 2004 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -365,6 +365,7 @@ privilege can change the value.
 .It kern.vdisable	integer	no
 .It kern.veriexec.verbose	integer	yes
 .It kern.veriexec.strict	integer	raise only
+.It kern.veriexec.algorithms	string	no
 .It kern.version	string	no
 .It machdep.console_device	dev_t	no
 .It net.bpf.maxbufsize	integer	yes
--- a/sbin/veriexecctl/veriexecctl.8
+++ b/sbin/veriexecctl/veriexecctl.8
@ -1,4 +1,4 @@
-.\" $NetBSD: veriexecctl.8,v 1.11 2005/04/24 13:23:55 blymn Exp $
+.\" $NetBSD: veriexecctl.8,v 1.12 2005/05/20 19:52:52 elad Exp $
 .\"
 .\" Copyright (c) 1999
 .\"	Brett Lymn - blymn@baea.com.au, brett_lymn@yahoo.com.au
@ -29,7 +29,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"	$Id: veriexecctl.8,v 1.11 2005/04/24 13:23:55 blymn Exp $
+.\"	$Id: veriexecctl.8,v 1.12 2005/05/20 19:52:52 elad Exp $
 .\"
 .Dd April 22, 2005
 .Dt VERIEXECCTL 8
@ -50,26 +50,6 @@ Verified Exec must have been configured into the booted kernel for this
 commaned to work.
 .Sh COMMANDS
 .Bl -tag -width 25n
-.It Cm fingerprints
-Report the fingerprint methods that are available in the currently running
-kernel.
-This command will return a space separated list of supported fingerprint
-methods that will be accepted by the kernel.
-The default list is:
-.Bl -item -offset indent -compact
-.It
-MD5
-.It
-RMD160
-.It
-SHA1
-.It
-SHA256
-.It
-SHA384
-.It
-SHA512
-.El
 .It Cm load Ar veriexec.conf
 Load the fingerprint entries contained in
 .Ar veriexec.conf
--- a/sbin/veriexecctl/veriexecctl.c
+++ b/sbin/veriexecctl/veriexecctl.c
@ -1,4 +1,4 @@
-/*	$NetBSD: veriexecctl.c,v 1.8 2005/04/21 12:45:12 christos Exp $	*/
+/*	$NetBSD: veriexecctl.c,v 1.9 2005/05/20 19:52:52 elad Exp $	*/

 /*-
 * Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -190,8 +190,8 @@ fingerprint_load(char *ifile)
 static void
 usage(void)
 {
-	(void)fprintf(stderr, "Usage: %s [-v] [load <signature_file>] "
-	     "[fingerprints]", getprogname());
+	(void)fprintf(stderr, "Usage: %s [-v] [load <signature_file>] ", 
+	    getprogname());
 	exit(1);
 }

@ -221,37 +221,13 @@ main(int argc, char **argv)
 	if ((gfd = open(VERIEXEC_DEVICE, O_RDWR, 0)) == -1)
 		err(1, "Cannot open `%s'", VERIEXEC_DEVICE);

-	  /*
-	   * Handle the different commands we can do.
-	   */
+	/*
+	 * Handle the different commands we can do.
+	 */
 	if (argc == 2 && strcasecmp(argv[0], "load") == 0) {
 		line = 0;
 		filename = argv[1];
 		fingerprint_load(argv[1]);
-	} else if (argc == 1 && strcasecmp(argv[0], "fingerprints") == 0) {
-		size = report.size = 100;
-		if ((report.fingerprints = malloc(report.size)) == NULL)
-			err(1, "malloc fingeprints");
-		
-		if (ioctl(gfd, VERIEXEC_FINGERPRINTS, &report) == -1)
-			err(1, "fingerprints ioctl");
-
-		if (size != report.size) {
-			if (verbose)
-				(void)printf("fingerprints: buffer too small, "
-				    "reallocating to %d bytes.\n",
-				    report.size);
-			
-			/* fingerprint store was not large enough
-			   make more room and try again. */
-			if ((newp = realloc(report.fingerprints, report.size))
-			    == NULL)
-				err(1, "realloc fingeprints");
-			if (ioctl(gfd, VERIEXEC_FINGERPRINTS,
-			    &report) == -1)
-				err(1, "fingerprints ioctl");
-		}
-		printf("Supported fingerprints: %s\n", report.fingerprints);
 	} else
 		usage();

--- a/share/man/man4/veriexec.4
+++ b/share/man/man4/veriexec.4
@ -1,4 +1,4 @@
-.\" $NetBSD: veriexec.4,v 1.5 2005/04/24 13:16:26 blymn Exp $
+.\" $NetBSD: veriexec.4,v 1.6 2005/05/20 19:52:52 elad Exp $
 .\"
 .\" Copyright 2005 Elad Efrat <elad@bsd.org.il>
 .\" Copyright 2005 Brett Lymn <blymn@netbsd.org>
@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"	$Id: veriexec.4,v 1.5 2005/04/24 13:16:26 blymn Exp $
+.\"	$Id: veriexec.4,v 1.6 2005/05/20 19:52:52 elad Exp $
 .\"
 .Dd March 24, 2005
 .Dt VERIEXEC 4
@ -39,9 +39,8 @@
 The
 .Nm
 pseudo-device is used to interface the kernel's Veriexec data-structures.
-It is used to size the kernel data structures, load the Veriexec
-fingerprints into kernel memory and report the fingerprint methods
-supported by the currently running kernel.
+It is used to size the kernel data structures and load the Veriexec
+fingerprints into kernel memory.
 .Ss Veriexec file operations
 All the following operations are invoked using the
 .Xr ioctl 2
@ -54,7 +53,7 @@ parameters.
 The following section lists the requests that can be made via
 .Xr ioctl 2 .
 .Ss Veriexec file request descriptions
-.Bl -tag -width VERIEXEC_FINGERPRINTS
+.Bl -tag -width VERIEXEC_TABLESIZE
 .It Dv VERIEXEC_TABLESIZE Fa struct veriexec_sizing_params
 Sizes the in kernel hash tables to accommodate the fingerprint entries.
 This request must be made prior to loading the fingerprints into the
@ -99,20 +98,6 @@ fingerprint, this is used by the kernel to provide a simple sanity check
 on the fingerprint passed.
 Lastly, the fingerprint is a pointer to an
 array of characters that comprise the fingerprint for the file.
-.It Dv VERIEXEC_FINGERPRINTS Fa struct veriexec_fp_report
-Copies a string that contains the fingerprint methods supported by the
-kernel into the buffer pointed to in the argument structure.
-The argument structure also contains the size of the storage that has
-been allocated by the caller to hold the string.
-If the size of the storage is insufficient to hold the entire string,
-then the string will not be copied into the buffer by the kernel; instead
-the size field will be updated with the amount of storage required to hold
-the fingerprint string.
-After performing this request the caller must check the size field in the
-argument structure.
-If this field differs from what was set prior to the
-request then the caller should reallocate the storage with the updated size
-and perform the request again.
 .El
 .Pp
 Note that the requests
--- a/sys/dev/verified_exec.c
+++ b/sys/dev/verified_exec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $	*/
+/*	$NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $	*/

 /*-
 * Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -31,9 +31,9 @@

 #include <sys/cdefs.h>
 #if defined(__NetBSD__)
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $");
 #else
-__RCSID("$Id: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $\n$NetBSD: verified_exec.c,v 1.8 2005/05/19 20:16:19 elad Exp $");
+__RCSID("$Id: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $\n$NetBSD: verified_exec.c,v 1.9 2005/05/20 19:52:52 elad Exp $");
 #endif

 #include <sys/param.h>
@ -154,11 +154,9 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
 	u_long hashmask;

 	/*
-	 * Don't allow updates in multi-user mode, but we will allow
-	 * queries of supported fingerprints.
-	 *
+	 * Don't allow updates in multi-user mode.
 	 */
-	if ((securelevel >= 1) && (cmd != VERIEXEC_FINGERPRINTS)) {
+	if (securelevel >= 1) {
 		printf("Veriexec: veriexecioctl: Securelevel raised, loading"
 		       "fingerprints is not permitted\n");

@ -293,20 +291,6 @@ veriexecioctl(dev_t dev __unused, u_long cmd, caddr_t data,
 		break;
 		}

-	case VERIEXEC_FINGERPRINTS: {
-		struct veriexec_fp_report *params =
-			(struct veriexec_fp_report *) data;
-		
-		if (strlen(veriexec_fp_names) >= params->size) {
-			params->size = strlen(veriexec_fp_names) + 1;
-		} else {
-			strlcpy(params->fingerprints, veriexec_fp_names,
-				params->size);
-		}
-		
-		break;
-		}
-	
 	default:
 		/* Invalid operation. */
 		error = ENODEV;
--- a/sys/sys/verified_exec.h
+++ b/sys/sys/verified_exec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: verified_exec.h,v 1.8 2005/05/19 20:16:19 elad Exp $	*/
+/*	$NetBSD: verified_exec.h,v 1.9 2005/05/20 19:52:52 elad Exp $	*/

 /*-
 * Copyright 2005 Elad Efrat <elad@bsd.org.il>
@ -30,7 +30,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.8 2005/05/19 20:16:19 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: verified_exec.h,v 1.9 2005/05/20 19:52:52 elad Exp $");

 /*
 *
@ -60,12 +60,6 @@ struct veriexec_sizing_params {
 	size_t hash_size;
 };

-struct veriexec_fp_report {
-	unsigned int size;
-	unsigned char *fingerprints;
-};
-
-	
 /*
 * Types of veriexec inodes we can have
 */
@ -75,7 +69,6 @@ struct veriexec_fp_report {

 #define VERIEXEC_LOAD _IOW('S', 0x1, struct veriexec_params)
 #define VERIEXEC_TABLESIZE _IOW('S', 0x2, struct veriexec_sizing_params)
-#define VERIEXEC_FINGERPRINTS _IOWR('S', 0x3, struct veriexec_fp_report)

 /* Verified exec sysctl objects. */
 #define	VERIEXEC_VERBOSE	1 /* Verbosity level. */