dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 14:43:37 +02:00
Code Releases Activity

ima-evm-utils: Define hash and sig buffer sizes and add asserts

Browse Source 
To prevent hash and sig buffers size mismatch, define their maximum
sizes and add sanity checking asserts.

Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov 2018-12-03 06:35:20 +03:00 committed by Mimi Zohar
parent 9643544701
commit 1d9c279279
3 changed files with 28 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
src/evmctl.c
View File

@ -505,15 +505,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
static int sign_evm(const char *file, const char *key) static int sign_evm(const char *file, const char *key)
{ {
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[1024]; unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err; int len, err;
len = calc_evm_hash(file, hash); len = calc_evm_hash(file, hash);
assert(len <= sizeof(hash));
if (len <= 1) if (len <= 1)
return len; return len;
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
assert(len < sizeof(sig));
if (len <= 1) if (len <= 1)
return len; return len;
@ -543,7 +545,7 @@ static int sign_evm(const char *file, const char *key)
static int hash_ima(const char *file) static int hash_ima(const char *file)
{ {
unsigned char hash[66]; /* MAX hash size + 2 */ unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
int len, err, offset; int len, err, offset;
int algo = get_hash_algo(params.hash_algo); int algo = get_hash_algo(params.hash_algo);
@ -557,6 +559,7 @@ static int hash_ima(const char *file)
} }
len = ima_calc_hash(file, hash + offset); len = ima_calc_hash(file, hash + offset);
assert(len + offset <= sizeof(hash));
if (len <= 1) if (len <= 1)
return len; return len;
@ -581,15 +584,17 @@ static int hash_ima(const char *file)
static int sign_ima(const char *file, const char *key) static int sign_ima(const char *file, const char *key)
{ {
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[1024]; unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err; int len, err;
len = ima_calc_hash(file, hash); len = ima_calc_hash(file, hash);
assert(len <= sizeof(hash));
if (len <= 1) if (len <= 1)
return len; return len;
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
assert(len < sizeof(sig));
if (len <= 1) if (len <= 1)
return len; return len;
@ -695,8 +700,8 @@ static int cmd_sign_hash(struct command *cmd)
int hashlen = 0; int hashlen = 0;
size_t line_len; size_t line_len;
ssize_t len; ssize_t len;
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[1024] = "\x03"; unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
int siglen; int siglen;
key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@ -711,9 +716,11 @@ static int cmd_sign_hash(struct command *cmd)
token = strpbrk(line, ", \t"); token = strpbrk(line, ", \t");
hashlen = token ? token - line : strlen(line); hashlen = token ? token - line : strlen(line);
hex2bin(hash, line, hashlen); assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
siglen = sign_hash(params.hash_algo, hash, hashlen/2, siglen = sign_hash(params.hash_algo, hash, hashlen/2,
key, NULL, sig + 1); key, NULL, sig + 1);
assert(siglen < sizeof(sig));
if (siglen <= 1) if (siglen <= 1)
return siglen; return siglen;
@ -761,8 +768,8 @@ static int cmd_sign_evm(struct command *cmd)
static int verify_evm(const char *file) static int verify_evm(const char *file)
{ {
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[1024]; unsigned char sig[MAX_SIGNATURE_SIZE];
int mdlen; int mdlen;
int len; int len;
@ -804,12 +811,13 @@ static int cmd_verify_evm(struct command *cmd)
static int verify_ima(const char *file) static int verify_ima(const char *file)
{ {
unsigned char sig[1024]; unsigned char sig[MAX_SIGNATURE_SIZE];
int len; int len;
if (sigfile) { if (sigfile) {
void *tmp = file2bin(file, "sig", &len); void *tmp = file2bin(file, "sig", &len);
assert(len <= sizeof(sig));
memcpy(sig, tmp, len); memcpy(sig, tmp, len);
free(tmp); free(tmp);
} else { } else {
@ -1138,8 +1146,8 @@ out:
static int hmac_evm(const char *file, const char *key) static int hmac_evm(const char *file, const char *key)
{ {
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[1024]; unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err; int len, err;
len = calc_evm_hmac(file, key, hash); len = calc_evm_hmac(file, key, hash);
@ -1149,6 +1157,7 @@ static int hmac_evm(const char *file, const char *key)
log_info("hmac: "); log_info("hmac: ");
log_dump(hash, len); log_dump(hash, len);
assert(len < sizeof(sig));
memcpy(sig + 1, hash, len); memcpy(sig + 1, hash, len);
if (xattr) { if (xattr) {

3
src/imaevm.h
View File

@ -75,6 +75,9 @@
#define DATA_SIZE 4096 #define DATA_SIZE 4096
#define SHA1_HASH_LEN 20 #define SHA1_HASH_LEN 20
#define MAX_DIGEST_SIZE 64
#define MAX_SIGNATURE_SIZE 1024
#define __packed __attribute__((packed)) #define __packed __attribute__((packed))
enum evm_ima_xattr_type { enum evm_ima_xattr_type {

4
src/libimaevm.c
View File

@ -49,6 +49,7 @@
#include <dirent.h> #include <dirent.h>
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include <assert.h>
#include <openssl/pem.h> #include <openssl/pem.h>
#include <openssl/evp.h> #include <openssl/evp.h>
@ -590,7 +591,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
unsigned char *digest, int digestlen) unsigned char *digest, int digestlen)
{ {
unsigned char hash[64]; unsigned char hash[MAX_DIGEST_SIZE];
int hashlen, sig_hash_algo; int hashlen, sig_hash_algo;
if (sig[0] != 0x03) { if (sig[0] != 0x03) {
@ -614,6 +615,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1); return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash); hashlen = ima_calc_hash(file, hash);
assert(hashlen <= sizeof(hash));
if (hashlen <= 1) if (hashlen <= 1)
return hashlen; return hashlen;