
Remove hardcoding of SHA1 in EVM signatures

EVM signatures are always being generated with SHA1 even if the -a
argument has been provided to evmctl. Fix this so the provided hash
algorithm is used instead.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

Changelog:
- As in cmd_sign_hash() and sign_ima(), the hash buffer in sign_evm() is now
64 bytes so it can hold the output of any digest selected with -a.
This commit is contained in:
Matthew Garrett 2018-04-17 15:56:00 -07:00 committed by Mimi Zohar
parent 6aea54d2ad
commit ae1319eeab


@ -313,6 +313,7 @@ err:
static int calc_evm_hash(const char *file, unsigned char *hash) static int calc_evm_hash(const char *file, unsigned char *hash)
{ {
const EVP_MD *md;
struct stat st; struct stat st;
int err; int err;
uint32_t generation = 0; uint32_t generation = 0;
@ -374,7 +375,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1; return -1;
} }
err = EVP_DigestInit(pctx, EVP_sha1()); md = EVP_get_digestbyname(params.hash_algo);
if (!md) {
log_err("EVP_get_digestbyname() failed\n");
return 1;
}
err = EVP_DigestInit(pctx, md);
if (!err) { if (!err) {
log_err("EVP_DigestInit() failed\n"); log_err("EVP_DigestInit() failed\n");
return 1; return 1;
@ -490,7 +497,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
static int sign_evm(const char *file, const char *key) static int sign_evm(const char *file, const char *key)
{ {
unsigned char hash[20]; unsigned char hash[64];
unsigned char sig[1024]; unsigned char sig[1024];
int len, err; int len, err;
@ -498,7 +505,7 @@ static int sign_evm(const char *file, const char *key)
if (len <= 1) if (len <= 1)
return len; return len;
len = sign_hash("sha1", hash, len, key, NULL, sig + 1); len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1) if (len <= 1)
return len; return len;
@ -967,6 +974,7 @@ static int cmd_setxattr_ima(struct command *cmd)
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash) static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
{ {
const EVP_MD *md;
struct stat st; struct stat st;
int err = -1; int err = -1;
uint32_t generation = 0; uint32_t generation = 0;
@ -1033,7 +1041,13 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out; goto out;
} }
err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL); md = EVP_get_digestbyname(params.hash_algo);
if (!md) {
log_err("EVP_get_digestbyname() failed\n");
goto out;
}
err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), md, NULL);
if (err) { if (err) {
log_err("HMAC_Init() failed\n"); log_err("HMAC_Init() failed\n");
goto out; goto out;
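Review bot: calc_evm_hmac() now produces a digest of whatever length `params.hash_algo` selects, but this hunk updates no caller's output buffer; if hmac_evm() or any other caller outside this diff still declares `unsigned char hash[20]` for the SHA1 case, an -a value such as sha512 overflows that stack buffer, so each caller should be sized as `unsigned char hash[EVP_MAX_MD_SIZE];` — sign_evm() in this commit uses the literal 64 for the same purpose and would read better as that constant too. The EVM HMAC xattr does not appear to record which digest produced it, so an HMAC made with a non-SHA1 algorithm will only verify on a kernel configured for that same digest; a comment at the `HMAC_Init_ex()` call such as `/* The EVM HMAC xattr carries no digest identifier; the kernel's EVM hash must match params.hash_algo. */` would make that constraint visible to the next reader. The new `if (!md)` branch here correctly jumps to `out`, whereas the matching branch in calc_evm_hash() returns 1 directly and presumably leaves `pctx` unreleased, as the existing `EVP_DigestInit()` failure path before it already did. calc_evm_hmac() begins and ends outside this hunk.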