dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-06-30 21:02:33 +02:00
Code Releases Activity

ima-evm-utils: verify the measurement list signature based on the list digest

Browse Source 
Instead of verifying file signatures included in the measurement list,
by calculating the local file hash, verify the file signature based on the
digest contained in the measurement list.

This patch defines a new option named "--list".

Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
This commit is contained in:
Mimi Zohar
2018-01-17 15:31:31 -05:00
parent 9c79b7de72
commit 1a69e42ac1
4 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/libimaevm.c
View File

@ -582,7 +582,8 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int sig
return verify_hash(hash, size, sig, siglen, key);
}
int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char *digest, int digestlen)
{
unsigned char hash[64];
int hashlen, sig_hash_algo;
@ -600,6 +601,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
/* Use hash algorithm as retrieved from signature */
params.hash_algo = pkey_hash_algo[sig_hash_algo];
/*
* Validate the signature based on the digest included in the
* measurement list, not by calculating the local file digest.
*/
if (digestlen > 0)
return verify_hash(digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;