dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 22:32:31 +02:00
Code Releases Activity

ima-evm-utils: Do not allow fallback and unknown hash algos

Browse Source 
Falling back and permissiveness could have security implications.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov 2019-07-25 09:13:05 +03:00 committed by Mimi Zohar
parent 31ceff7eb6
commit 25fce6e76a
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/evmctl.c
View File

@ -584,6 +584,10 @@ static int hash_ima(const char *file)
int len, err, offset;
int algo = get_hash_algo(params.hash_algo);
if (algo < 0) {
log_err("Unknown hash algo: %s\n", params.hash_algo);
return -1;
}
if (algo > PKEY_HASH_SHA1) {
hash[0] = IMA_XATTR_DIGEST_NG;
hash[1] = algo;

7
src/libimaevm.c
View File

@ -571,8 +571,7 @@ int get_hash_algo(const char *algo)
!strcmp(algo, hash_algo_name[i]))
return i;
log_info("digest %s not found, fall back to sha1\n", algo);
return PKEY_HASH_SHA1;
return -1;
}
static int get_hash_algo_from_sig(unsigned char *sig)
@ -920,6 +919,10 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
hdr->version = (uint8_t) DIGSIG_VERSION_2;
hdr->hash_algo = get_hash_algo(algo);
if (hdr->hash_algo == -1) {
log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
return -1;
}
calc_keyid_v2(&keyid, name, pkey);
hdr->keyid = keyid;