
Include the file name in "ima_measurement" verification result

When displaying the measurement list, include the filename in the result.

Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar
2018-02-05 22:23:01 -05:00
parent c2ef2aabe2
commit 057efc397d
3 changed files with 22 additions and 19 deletions


@ -765,7 +765,7 @@ static int verify_evm(const char *file)
return -1;
}
return verify_hash(hash, sizeof(hash), sig + 1, len - 1);
return verify_hash(file, hash, sizeof(hash), sig + 1, len - 1);
}
static int cmd_verify_evm(struct command *cmd)


@ -173,7 +173,7 @@ struct signature_v2_hdr {
} __packed;
typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
typedef int (*verify_hash_fn_t)(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
struct libevm_params {
int verbose;
@ -206,7 +206,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
int key2bin(RSA *key, unsigned char *pub);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles);
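Review bot: The new leading `file` parameter on `verify_hash_fn_t` and on the `verify_hash` prototype is undocumented, and nothing in the header says whether it may be NULL or what it is used for; judging from the libimaevm.c hunks on this page it is only ever handed to `%s` in log and printf calls. A one-line comment above the prototype would pin the contract for callers: `/* file: name reported in diagnostics only; must be a valid NUL-terminated string, NULL is not checked */`. The same comment belongs on the typedef, since every `verify_hash_v1`/`verify_hash_v2` implementation inherits it. Minor style: the new `verify_hash` prototype is wrapped after `unsigned char *sig,` while the v1/v2 definitions wrap after `int size,`; matching them would make the three signatures easier to compare.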


@ -372,7 +372,8 @@ out:
return key;
}
int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
int verify_hash_v1(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{
int err, len;
SHA_CTX ctx;
@ -398,18 +399,18 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
RSA_free(key);
if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err);
log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1;
}
len = err;
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
log_err("Verification failed: %d\n", err);
log_err("%s: verification failed: %d\n", file, err);
return -1;
} else {
/*log_info("Verification is OK\n");*/
printf("Verification is OK\n");
/*log_info("%s: verification is OK\n", file);*/
printf("%s: verification is OK\n", file);
}
return 0;
@ -470,7 +471,8 @@ void init_public_keys(const char *keyfiles)
}
}
int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
int verify_hash_v2(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{
int err, len;
unsigned char out[1024];
@ -484,7 +486,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
if (public_keys) {
key = find_keyid(hdr->keyid);
if (!key) {
log_err("Unknown keyid: %x\n",
log_err("%s: Unknown keyid: %x\n", file,
__be32_to_cpup(&hdr->keyid));
return -1;
}
@ -498,7 +500,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr),
out, key, RSA_PKCS1_PADDING);
if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err);
log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1;
}
@ -507,19 +509,19 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
asn1 = &RSA_ASN1_templates[hdr->hash_algo];
if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
log_err("Verification failed: %d\n", err);
log_err("%s: verification failed: %d\n", file, err);
return -1;
}
len -= asn1->size;
if (len != size || memcmp(out + asn1->size, hash, len)) {
log_err("Verification failed: %d\n", err);
log_err("%s: verification failed: %d\n", file, err);
return -1;
}
/*log_info("Verification is OK\n");*/
printf("Verification is OK\n");
/*log_info("%s: verification is OK\n", file);*/
printf("%s: verification is OK\n", file);
return 0;
}
@ -562,7 +564,8 @@ static int get_hash_algo_from_sig(unsigned char *sig)
return -1;
}
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
int siglen)
{
const char *key;
int x509;
@ -585,7 +588,7 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
"/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
return verify_hash(hash, size, sig, siglen, key);
return verify_hash(file, hash, size, sig, siglen, key);
}
int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
@ -612,13 +615,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
* measurement list, not by calculating the local file digest.
*/
if (digestlen > 0)
return verify_hash(digest, digestlen, sig + 1, siglen - 1);
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;
return verify_hash(hash, hashlen, sig + 1, siglen - 1);
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
}
/*
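Review bot: `file` is formatted with `%s` in every new diagnostic of `verify_hash_v1` and `verify_hash_v2`, yet none of the three functions checks it for NULL, so a caller passing NULL hits undefined behavior inside printf/log_err instead of a clean error; a guard such as `const char *name = file ? file : "(unknown)";` at the top of each, used in place of `file` in the messages, or a documented non-NULL precondition in the header, would settle that. If I read the comment at the top of the `ima_verify_signature` hunk correctly, in the `digestlen > 0` path the name comes from the measurement list rather than from a local lookup, so it is external data being echoed verbatim into log output and stdout and worth keeping in mind for log readers that parse these lines. Minor style: the rewritten messages were lowercased to `verification failed` / `verification is OK`, but the new `%s: Unknown keyid: %x` line keeps its capital. The bodies of `verify_hash_v1`, `verify_hash_v2` and `verify_hash` all extend outside the hunks shown here.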