From 057efc397dc5c9e4916e3df4e433d6d4c178ab8b Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Mon, 5 Feb 2018 22:23:01 -0500
Subject: [PATCH] Include the file name in "ima_measurement" verification result
When displaying the measurement list, include the filename in the result.
Signed-of-by: Mimi Zohar
---
 src/evmctl.c | 2 +-
 src/imaevm.h | 4 ++--
 src/libimaevm.c | 35 +++++++++++++++++++----------------
 3 files changed, 22 insertions(+), 19 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index ba63654..1c35ec3 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -765,7 +765,7 @@ static int verify_evm(const char *file)
 return -1;
 }
- return verify_hash(hash, sizeof(hash), sig + 1, len - 1);
+ return verify_hash(file, hash, sizeof(hash), sig + 1, len - 1);
 }
 static int cmd_verify_evm(struct command *cmd)
diff --git a/src/imaevm.h b/src/imaevm.h
index 69d663c..1bafaad 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -173,7 +173,7 @@ struct signature_v2_hdr {
 } __packed;
-typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
+typedef int (*verify_hash_fn_t)(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
 struct libevm_params {
 int verbose;
@@ -206,7 +206,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
 int key2bin(RSA *key, unsigned char *pub);
 int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
-int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
+int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
 void init_public_keys(const char *keyfiles);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ba28639..370a0ff 100644
--- a/src/libimaevm.c
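Review bot: The new leading `file` parameter on the exported `verify_hash` prototype in the -206 hunk, and on the `verify_hash_fn_t` callback type in the -173 hunk, is left undocumented in the header, and since both are public libimaevm declarations the change is a source and ABI break for any out-of-tree caller built against the old five-argument prototype. As far as the libimaevm.c hunks show, `file` is only ever handed to `log_err`/`printf`, so a one-line comment on the declaration would settle the contract, e.g. `/* file: name used in diagnostic output only; it is not opened or hashed by verify_hash */`. The incompatible signature change is also worth stating in the commit message or pairing with a library version bump, because nothing in the header signals it.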
+++ b/src/libimaevm.c
@@ -372,7 +372,8 @@ out:
 return key;
 }
-int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
+int verify_hash_v1(const char *file, const unsigned char *hash, int size,
+ unsigned char *sig, int siglen, const char *keyfile)
 {
 int err, len;
 SHA_CTX ctx;
@@ -398,18 +399,18 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
 err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
 RSA_free(key);
 if (err < 0) {
- log_err("RSA_public_decrypt() failed: %d\n", err);
+ log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
 return 1;
 }
 len = err;
 if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
- log_err("Verification failed: %d\n", err);
+ log_err("%s: verification failed: %d\n", file, err);
 return -1;
 } else {
- /*log_info("Verification is OK\n");*/
- printf("Verification is OK\n");
+ /*log_info("%s: verification is OK\n", file);*/
+ printf("%s: verification is OK\n", file);
 }
 return 0;
@@ -470,7 +471,8 @@ void init_public_keys(const char *keyfiles)
 }
 }
-int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
+int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+ unsigned char *sig, int siglen, const char *keyfile)
 {
 int err, len;
 unsigned char out[1024];
@@ -484,7 +486,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
 if (public_keys) {
 key = find_keyid(hdr->keyid);
 if (!key) {
- log_err("Unknown keyid: %x\n",
+ log_err("%s: Unknown keyid: %x\n", file,
 __be32_to_cpup(&hdr->keyid));
 return -1;
 }
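Review bot: Every new `%s` conversion in the `log_err` and `printf` calls of the -398 hunk (and likewise in the -484 hunk here and the -498 and -507 hunks that follow) is fed `file` unchecked, and passing a NULL pointer for `%s` is undefined behaviour in C even though glibc happens to print `(null)`. The hunks do not show where `file` originates for every caller of `verify_hash_v1` and `verify_hash_v2`, so either the header contract should state that `file` must be non-NULL or each call site should fall back, e.g. `file ? file : "?"`, before the first use. verify_hash_v1 and verify_hash_v2 both begin and end outside these hunks, so any existing guard earlier in their bodies is not visible here.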
@@ -498,7 +500,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
 err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr), out, key, RSA_PKCS1_PADDING);
 if (err < 0) {
- log_err("RSA_public_decrypt() failed: %d\n", err);
+ log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
 return 1;
 }
@@ -507,19 +509,19 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
 asn1 = &RSA_ASN1_templates[hdr->hash_algo];
 if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
- log_err("Verification failed: %d\n", err);
+ log_err("%s: verification failed: %d\n", file, err);
 return -1;
 }
 len -= asn1->size;
 if (len != size || memcmp(out + asn1->size, hash, len)) {
- log_err("Verification failed: %d\n", err);
+ log_err("%s: verification failed: %d\n", file, err);
 return -1;
 }
- /*log_info("Verification is OK\n");*/
- printf("Verification is OK\n");
+ /*log_info("%s: verification is OK\n", file);*/
+ printf("%s: verification is OK\n", file);
 return 0;
 }
@@ -562,7 +564,8 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 return -1;
 }
-int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
+int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
+ int siglen)
 {
 const char *key;
 int x509;
@@ -585,7 +588,7 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
 "/etc/keys/x509_evm.der" : "/etc/keys/pubkey_evm.pem";
- return verify_hash(hash, size, sig, siglen, key);
+ return verify_hash(file, hash, size, sig, siglen, key);
 }
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
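Review bot: The two rewritten `log_err("%s: verification failed: %d\n", file, err);` lines in the -507 hunk emit identical text for two different failures — the DigestInfo prefix comparison against `asn1->data` and the digest comparison against `hash` — and `err` still holds the RSA_public_decrypt result in both, so the output cannot tell the cases apart. Distinct wording, e.g. `"%s: verification failed: bad DigestInfo prefix\n"` for the first and `"%s: verification failed: digest mismatch\n"` for the second, would make triage of a failing measurement list much easier. Separately, the hunk's first context line `asn1 = &RSA_ASN1_templates[hdr->hash_algo];` indexes the template table with a byte taken from the signature header; I cannot see in this hunk whether `hdr->hash_algo` is range-checked earlier in verify_hash_v2, and if it is not, a bound check belongs before that lookup. verify_hash_v2 begins outside the hunk.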
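Review bot: In the -585 hunk, `return verify_hash(file, hash, size, sig, siglen, key);` passes six arguments from inside the five-parameter function `verify_hash` declared in the -562 hunk, which can only compile if a local `verify_hash_fn_t` variable of the same name shadows the function (that declaration is outside the hunk, so this is inferred). Now that the file contains both the five-argument public entry point and the six-argument callback calls, the shadowing is easy to misread as recursion; renaming the local to something like `verify_fn` and writing `return verify_fn(file, hash, size, sig, siglen, key);` makes the dispatch explicit. The enclosing function starts outside the hunk.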
@@ -612,13 +615,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 * measurement list, not by calculating the local file digest.
 */
 if (digestlen > 0)
- return verify_hash(digest, digestlen, sig + 1, siglen - 1);
+ return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
 hashlen = ima_calc_hash(file, hash);
 if (hashlen <= 1)
 return hashlen;
- return verify_hash(hash, hashlen, sig + 1, siglen - 1);
+ return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
 }
 /*
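Review bot: On the `digestlen > 0` path the `file` now forwarded to `verify_hash` accompanies a digest that, per the comment lines at the top of the hunk, was read from the measurement list rather than computed locally; if the name comes from that list as well (the commit subject suggests it does), it is not necessarily a clean printable string, yet the verify_hash_v1/v2 hunks print it raw with `%s`. A name carrying a newline or terminal control bytes could split or disguise the adjacent `verification failed` line in the output, so consider passing it through a small helper that escapes non-printable bytes before it reaches `log_err`/`printf`, or at minimum document the assumption on the function, e.g. `/* file: local path, or the entry name from the measurement list when digestlen > 0; printed in diagnostics and otherwise passed to ima_calc_hash */`. ima_verify_signature begins outside the hunk.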