dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-01 21:31:14 +02:00
Code Releases Activity

Include the file name in "ima_measurement" verification result

Browse Source 
When displaying the measurement list, include the filename in the result.

Signed-of-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar
2018-02-05 22:23:01 -05:00
parent c2ef2aabe2
commit 057efc397d
3 changed files with 22 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/evmctl.c
View File

@ -765,7 +765,7 @@ static int verify_evm(const char *file)
return -1; return -1;
} }
return verify_hash(hash, sizeof(hash), sig + 1, len - 1); return verify_hash(file, hash, sizeof(hash), sig + 1, len - 1);
} }
static int cmd_verify_evm(struct command *cmd) static int cmd_verify_evm(struct command *cmd)

4
src/imaevm.h
View File

@ -173,7 +173,7 @@ struct signature_v2_hdr {
} __packed; } __packed;
typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile); typedef int (*verify_hash_fn_t)(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
struct libevm_params { struct libevm_params {
int verbose; int verbose;
@ -206,7 +206,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
int key2bin(RSA *key, unsigned char *pub); int key2bin(RSA *key, unsigned char *pub);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen); int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen); int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles); void init_public_keys(const char *keyfiles);

35
src/libimaevm.c
View File

@ -372,7 +372,8 @@ out:
return key; return key;
} }
int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile) int verify_hash_v1(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{ {
int err, len; int err, len;
SHA_CTX ctx; SHA_CTX ctx;
@ -398,18 +399,18 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING); err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
RSA_free(key); RSA_free(key);
if (err < 0) { if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err); log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1; return 1;
} }
len = err; len = err;
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) { if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} else { } else {
/*log_info("Verification is OK\n");*/ /*log_info("%s: verification is OK\n", file);*/
printf("Verification is OK\n"); printf("%s: verification is OK\n", file);
} }
return 0; return 0;
@ -470,7 +471,8 @@ void init_public_keys(const char *keyfiles)
} }
} }
int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile) int verify_hash_v2(const char *file, const unsigned char *hash, int size,
unsigned char *sig, int siglen, const char *keyfile)
{ {
int err, len; int err, len;
unsigned char out[1024]; unsigned char out[1024];
@ -484,7 +486,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
if (public_keys) { if (public_keys) {
key = find_keyid(hdr->keyid); key = find_keyid(hdr->keyid);
if (!key) { if (!key) {
log_err("Unknown keyid: %x\n", log_err("%s: Unknown keyid: %x\n", file,
__be32_to_cpup(&hdr->keyid)); __be32_to_cpup(&hdr->keyid));
return -1; return -1;
} }
@ -498,7 +500,7 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr), err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr),
out, key, RSA_PKCS1_PADDING); out, key, RSA_PKCS1_PADDING);
if (err < 0) { if (err < 0) {
log_err("RSA_public_decrypt() failed: %d\n", err); log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
return 1; return 1;
} }
@ -507,19 +509,19 @@ int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int
asn1 = &RSA_ASN1_templates[hdr->hash_algo]; asn1 = &RSA_ASN1_templates[hdr->hash_algo];
if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) { if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} }
len -= asn1->size; len -= asn1->size;
if (len != size || memcmp(out + asn1->size, hash, len)) { if (len != size || memcmp(out + asn1->size, hash, len)) {
log_err("Verification failed: %d\n", err); log_err("%s: verification failed: %d\n", file, err);
return -1; return -1;
} }
/*log_info("Verification is OK\n");*/ /*log_info("%s: verification is OK\n", file);*/
printf("Verification is OK\n"); printf("%s: verification is OK\n", file);
return 0; return 0;
} }
@ -562,7 +564,8 @@ static int get_hash_algo_from_sig(unsigned char *sig)
return -1; return -1;
} }
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen) int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
int siglen)
{ {
const char *key; const char *key;
int x509; int x509;
@ -585,7 +588,7 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
"/etc/keys/x509_evm.der" : "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem"; "/etc/keys/pubkey_evm.pem";
return verify_hash(hash, size, sig, siglen, key); return verify_hash(file, hash, size, sig, siglen, key);
} }
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
@ -612,13 +615,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
* measurement list, not by calculating the local file digest. * measurement list, not by calculating the local file digest.
*/ */
if (digestlen > 0) if (digestlen > 0)
return verify_hash(digest, digestlen, sig + 1, siglen - 1); return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash); hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1) if (hashlen <= 1)
return hashlen; return hashlen;
return verify_hash(hash, hashlen, sig + 1, siglen - 1); return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
} }
/* /*