dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 14:22:31 +02:00
Code Releases Activity

Add missing EVP_MD_CTX_free() call in calc_evm_hash()

Browse Source 
When EVP_MD_CTX_new() call was added, the corresponding EVP_MD_CTX_free()
was never called.  Properly free it.

Fixes: 81010f0d87ef ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Mimi Zohar 2022-08-10 10:12:16 -04:00
parent 67ca790435
commit a7b5bdbf36
1 changed files with 39 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
src/evmctl.c
View File

@ -331,11 +331,17 @@ err:
return -1; return -1;
} }
/*
* calc_evm_hash - calculate the file metadata hash
*
* Returns 0 for EVP_ function failures. Return -1 for other failures.
* Return hash algorithm size on success.
*/
static int calc_evm_hash(const char *file, unsigned char *hash) static int calc_evm_hash(const char *file, unsigned char *hash)
{ {
const EVP_MD *md; const EVP_MD *md;
struct stat st; struct stat st;
int err; int err = -1;
uint32_t generation = 0; uint32_t generation = 0;
EVP_MD_CTX *pctx; EVP_MD_CTX *pctx;
unsigned int mdlen; unsigned int mdlen;
@ -349,12 +355,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
#if OPENSSL_VERSION_NUMBER < 0x10100000 #if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx; EVP_MD_CTX ctx;
pctx = &ctx; pctx = &ctx;
#else
pctx = EVP_MD_CTX_new();
#endif #endif
if (lstat(file, &st)) { if (lstat(file, &st)) {
log_err("Failed to stat: %s\n", file); log_errno_reset(LOG_ERR, "Failed to stat: %s", file);
return -1; return -1;
} }
@ -389,21 +393,30 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
list_size = llistxattr(file, list, sizeof(list)); list_size = llistxattr(file, list, sizeof(list));
if (list_size < 0) { if (list_size < 0) {
log_err("llistxattr() failed\n"); log_errno_reset(LOG_ERR, "llistxattr() failed");
return -1; return -1;
} }
#if OPENSSL_VERSION_NUMBER >= 0x10100000
pctx = EVP_MD_CTX_new();
if (!pctx) {
log_err("EVP_MD_CTX_new() failed\n");
return 0;
}
#endif
md = EVP_get_digestbyname(imaevm_params.hash_algo); md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) { if (!md) {
log_err("EVP_get_digestbyname(%s) failed\n", log_err("EVP_get_digestbyname(%s) failed\n",
imaevm_params.hash_algo); imaevm_params.hash_algo);
return 1; err = 0;
goto out;
} }
err = EVP_DigestInit(pctx, md); err = EVP_DigestInit(pctx, md);
if (!err) { if (!err) {
log_err("EVP_DigestInit() failed\n"); log_err("EVP_DigestInit() failed\n");
return 1; goto out;
} }
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
@ -414,7 +427,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) { if (err > sizeof(xattr_value)) {
log_err("selinux[%u] value is too long to fit into xattr[%zu]\n", log_err("selinux[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value)); err, sizeof(xattr_value));
return -1; err = -1;
goto out;
} }
strcpy(xattr_value, selinux_str); strcpy(xattr_value, selinux_str);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) { } else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
@ -422,7 +436,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) { if (err > sizeof(xattr_value)) {
log_err("ima[%u] value is too long to fit into xattr[%zu]\n", log_err("ima[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value)); err, sizeof(xattr_value));
return -1; err = -1;
goto out;
} }
hex2bin(xattr_value, ima_str, err); hex2bin(xattr_value, ima_str, err);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && evm_portable){ } else if (!strcmp(*xattrname, XATTR_NAME_IMA) && evm_portable){
@ -431,7 +446,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err < 0) { if (err < 0) {
log_err("EVM portable sig: %s required\n", log_err("EVM portable sig: %s required\n",
xattr_ima); xattr_ima);
return -1; goto out;
} }
use_xattr_ima = 1; use_xattr_ima = 1;
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
@ -441,7 +456,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err >= sizeof(xattr_value)) { if (err >= sizeof(xattr_value)) {
log_err("caps[%u] value is too long to fit into xattr[%zu]\n", log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
err + 1, sizeof(xattr_value)); err + 1, sizeof(xattr_value));
return -1; err = -1;
goto out;
} }
strcpy(xattr_value, caps_str); strcpy(xattr_value, caps_str);
} else { } else {
@ -462,7 +478,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, xattr_value, err); err = EVP_DigestUpdate(pctx, xattr_value, err);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; goto out;
} }
} }
@ -516,29 +532,33 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; goto out;
} }
if (!evm_immutable && !evm_portable && if (!evm_immutable && !evm_portable &&
!(hmac_flags & HMAC_FLAG_NO_UUID)) { !(hmac_flags & HMAC_FLAG_NO_UUID)) {
err = get_uuid(&st, uuid); err = get_uuid(&st, uuid);
if (err) if (err)
return -1; goto out;
err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid)); err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
return 1; goto out;
} }
} }
err = EVP_DigestFinal(pctx, hash, &mdlen); err = EVP_DigestFinal(pctx, hash, &mdlen);
if (!err) { if (!err)
log_err("EVP_DigestFinal() failed\n"); log_err("EVP_DigestFinal() failed\n");
return 1;
}
return mdlen; out:
#if OPENSSL_VERSION_NUMBER >= 0x10100000
EVP_MD_CTX_free(pctx);
#endif
if (err == 1)
return mdlen;
return err;
} }
static int sign_evm(const char *file, const char *key) static int sign_evm(const char *file, const char *key)