ima-evm-utils: Pass status codes from sign and hash functions to the callers
Move sign_hash()/ima_calc_hash()/calc_evm_hmac()/calc_evm_hash() status checking before assert()'ing of their return values, so it can be passed to the upper level callers. Especially useful for showing errors. Fixes: 1d9c279279 ("Define hash and sig buffer sizes and add asserts") Fixes: 9643544701 ("Fix hash buffer overflow in verify_evm and hmac_evm") Signed-off-by: Vitaly Chikunov <vt@altlinux.org> ima-evm-utils: Fix assert after ima_calc_hash Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
28d3a1b293
commit
5f126d1d25
16
src/evmctl.c
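--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -514,14 +514,14 @@ static int sign_evm(const char *file, const char *key)
 int len, err;
 
 len = calc_evm_hash(file, hash);
-assert(len <= sizeof(hash));
 if (len <= 1)
 return len;
+assert(len <= sizeof(hash));
 
 len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
-assert(len < sizeof(sig));
 if (len <= 1)
 return len;
+assert(len < sizeof(sig));
 
 /* add header */
 len++;
@@ -563,9 +563,9 @@ static int hash_ima(const char *file)
 }
 
 len = ima_calc_hash(file, hash + offset);
-assert(len + offset <= sizeof(hash));
 if (len <= 1)
 return len;
+assert(len + offset <= sizeof(hash));
 
 len += offset;
 
@@ -593,14 +593,14 @@ static int sign_ima(const char *file, const char *key)
 int len, err;
 
 len = ima_calc_hash(file, hash);
-assert(len <= sizeof(hash));
 if (len <= 1)
 return len;
+assert(len <= sizeof(hash));
 
 len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
-assert(len < sizeof(sig));
 if (len <= 1)
 return len;
+assert(len < sizeof(sig));
 
 /* add header */
 len++;
@@ -724,9 +724,9 @@ static int cmd_sign_hash(struct command *cmd)
 hex2bin(hash, line, hashlen / 2);
 siglen = sign_hash(params.hash_algo, hash, hashlen/2,
 key, NULL, sig + 1);
-assert(siglen < sizeof(sig));
 if (siglen <= 1)
 return siglen;
+assert(siglen < sizeof(sig));
 
 fwrite(line, len, 1, stdout);
 fprintf(stdout, " ");
@@ -778,9 +778,9 @@ static int verify_evm(const char *file)
 int len;
 
 mdlen = calc_evm_hash(file, hash);
-assert(mdlen <= sizeof(hash));
 if (mdlen <= 1)
 return mdlen;
+assert(mdlen <= sizeof(hash));
 
 len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
 if (len < 0) {
@@ -1160,9 +1160,9 @@ static int hmac_evm(const char *file, const char *key)
 int len, err;
 
 len = calc_evm_hmac(file, key, hash);
-assert(len <= sizeof(hash));
 if (len <= 1)
 return len;
+assert(len <= sizeof(hash));
 
 log_info("hmac: ");
 log_dump(hash, len);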
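Review bot: The relocated `assert(len <= sizeof(hash))` in sign_evm still runs only after calc_evm_hash() has already filled `hash`, and it is compiled out under NDEBUG, so an oversized digest is reported after the fact in debug builds and not caught at all in release builds. The call passes no buffer size, so the callee presumably cannot bound its own write; adding a size parameter, or at least a runtime check such as `if ((size_t)len > sizeof(hash)) return -1;` in place of the assert, would keep the guard in every build. The same applies to the `sig` assert after sign_hash() in this hunk and to the moved asserts in hash_ima, sign_ima, cmd_sign_hash, verify_evm and hmac_evm. sign_evm's body continues outside the hunk.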
@ -618,9 +618,9 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
|
|||||||
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
|
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
|
||||||
|
|
||||||
hashlen = ima_calc_hash(file, hash);
|
hashlen = ima_calc_hash(file, hash);
|
||||||
assert(hashlen <= sizeof(hash));
|
|
||||||
if (hashlen <= 1)
|
if (hashlen <= 1)
|
||||||
return hashlen;
|
return hashlen;
|
||||||
|
assert(hashlen <= sizeof(hash));
|
||||||
|
|
||||||
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
|
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
|
||||||
}
|
}
|
||||||
|
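Review bot: In ima_verify_signature the moved `assert(hashlen <= sizeof(hash))` has a heavier consequence than in the evmctl.c command handlers: the non-static signature in the hunk header suggests a library entry point, so an oversized digest from ima_calc_hash() would abort the calling process in debug builds and go unchecked under NDEBUG. A runtime check that returns an error, e.g. `if ((size_t)hashlen > sizeof(hash)) return -1;`, would preserve the function's error-return convention for its callers. This hunk's file header is not shown on the page, and its line range (618) is below the preceding evmctl.c hunk (1160), so it appears to belong to a different file. The function's body starts outside the hunk.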