dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-11-04 06:40:49 +01:00
Code Releases Activity

ima-evm-utils: Define hash and sig buffer sizes and add asserts

Browse Source 
To prevent hash and sig buffers size mismatch, define their maximum
sizes and add sanity checking asserts.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov
2018-12-03 06:35:20 +03:00
committed by Mimi Zohar
parent 9643544701
commit 1d9c279279
3 changed files with 28 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/evmctl.c
View File

@@ -505,15 +505,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
static int sign_evm(const char *file, const char *key)
{
unsigned char hash[64];
unsigned char sig[1024];
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err;
len = calc_evm_hash(file, hash);
assert(len <= sizeof(hash));
if (len <= 1)
return len;
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
assert(len < sizeof(sig));
if (len <= 1)
return len;
@@ -543,7 +545,7 @@ static int sign_evm(const char *file, const char *key)
static int hash_ima(const char *file)
{
unsigned char hash[66]; /* MAX hash size + 2 */
unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
int len, err, offset;
int algo = get_hash_algo(params.hash_algo);
@@ -557,6 +559,7 @@ static int hash_ima(const char *file)
}
len = ima_calc_hash(file, hash + offset);
assert(len + offset <= sizeof(hash));
if (len <= 1)
return len;
@@ -581,15 +584,17 @@ static int hash_ima(const char *file)
static int sign_ima(const char *file, const char *key)
{
unsigned char hash[64];
unsigned char sig[1024];
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err;
len = ima_calc_hash(file, hash);
assert(len <= sizeof(hash));
if (len <= 1)
return len;
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
assert(len < sizeof(sig));
if (len <= 1)
return len;
@@ -695,8 +700,8 @@ static int cmd_sign_hash(struct command *cmd)
int hashlen = 0;
size_t line_len;
ssize_t len;
unsigned char hash[64];
unsigned char sig[1024] = "\x03";
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
int siglen;
key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@@ -711,9 +716,11 @@ static int cmd_sign_hash(struct command *cmd)
token = strpbrk(line, ", \t");
hashlen = token ? token - line : strlen(line);
hex2bin(hash, line, hashlen);
assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
siglen = sign_hash(params.hash_algo, hash, hashlen/2,
key, NULL, sig + 1);
assert(siglen < sizeof(sig));
if (siglen <= 1)
return siglen;
@@ -761,8 +768,8 @@ static int cmd_sign_evm(struct command *cmd)
static int verify_evm(const char *file)
{
unsigned char hash[64];
unsigned char sig[1024];
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
int mdlen;
int len;
@@ -804,12 +811,13 @@ static int cmd_verify_evm(struct command *cmd)
static int verify_ima(const char *file)
{
unsigned char sig[1024];
unsigned char sig[MAX_SIGNATURE_SIZE];
int len;
if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
assert(len <= sizeof(sig));
memcpy(sig, tmp, len);
free(tmp);
} else {
@@ -1138,8 +1146,8 @@ out:
static int hmac_evm(const char *file, const char *key)
{
unsigned char hash[64];
unsigned char sig[1024];
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err;
len = calc_evm_hmac(file, key, hash);
@@ -1149,6 +1157,7 @@ static int hmac_evm(const char *file, const char *key)
log_info("hmac: ");
log_dump(hash, len);
assert(len < sizeof(sig));
memcpy(sig + 1, hash, len);
if (xattr) {

3
src/imaevm.h
View File

@@ -75,6 +75,9 @@
#define DATA_SIZE 4096
#define SHA1_HASH_LEN 20
#define MAX_DIGEST_SIZE 64
#define MAX_SIGNATURE_SIZE 1024
#define __packed __attribute__((packed))
enum evm_ima_xattr_type {

4
src/libimaevm.c
View File

@@ -49,6 +49,7 @@
#include <dirent.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
@@ -590,7 +591,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char *digest, int digestlen)
{
unsigned char hash[64];
unsigned char hash[MAX_DIGEST_SIZE];
int hashlen, sig_hash_algo;
if (sig[0] != 0x03) {
@@ -614,6 +615,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash);
assert(hashlen <= sizeof(hash));
if (hashlen <= 1)
return hashlen;