ima-evm-utils: Allow EVM verify to determine hash algo

Previously for EVM verify you should specify `--hashalgo' option while for IMA ima_verify you didn't. Allow EVM verify to determine hash algo from signature. Also, this makes two previously static functions to become exportable and renamed: get_hash_algo_from_sig -> imaevm_hash_algo_from_sig get_hash_algo_by_id -> imaevm_hash_algo_by_id This is needed because EVM hash is calculated (in calc_evm_hash) outside of library. imaevm_hash_algo_by_id() will now return NULL if algo is not found. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2019-07-29 09:18:07 +03:00 · 2019-07-29 09:18:07 +03:00 · cf1b8fda8d
commit cf1b8fda8d
parent 90176e835a
3 changed files with 20 additions and 10 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -810,14 +810,10 @@ static int verify_evm(const char *file)
 {
 	unsigned char hash[MAX_DIGEST_SIZE];
 	unsigned char sig[MAX_SIGNATURE_SIZE];
+	int sig_hash_algo;
 	int mdlen;
 	int len;

-	mdlen = calc_evm_hash(file, hash);
-	if (mdlen <= 1)
-		return mdlen;
-	assert(mdlen <= sizeof(hash));
-
 	len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
 	if (len < 0) {
 		log_err("getxattr failed: %s\n", file);
@ -829,6 +825,18 @@ static int verify_evm(const char *file)
 		return -1;
 	}

+	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
+	if (sig_hash_algo < 0) {
+		log_err("unknown hash algo: %s\n", file);
+		return -1;
+	}
+	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
+
+	mdlen = calc_evm_hash(file, hash);
+	if (mdlen <= 1)
+		return mdlen;
+	assert(mdlen <= sizeof(hash));
+
 	return verify_hash(file, hash, mdlen, sig + 1, len - 1);
 }

--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -223,5 +223,7 @@ int sign_hash(const char *algo, const unsigned char *hash, int size, const char
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
 void init_public_keys(const char *keyfiles);
+int imaevm_hash_algo_from_sig(unsigned char *sig);
+const char *imaevm_hash_algo_by_id(int algo);

 #endif
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -105,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
 	imaevm_do_hexdump(stdout, ptr, len, true);
 }

-static const char *get_hash_algo_by_id(int algo)
+const char *imaevm_hash_algo_by_id(int algo)
 {
 	if (algo < PKEY_HASH__LAST)
 		return pkey_hash_algo[algo];
@ -113,7 +113,7 @@ static const char *get_hash_algo_by_id(int algo)
 		return hash_algo_name[algo];

 	log_err("digest %d not found\n", algo);
-	return "unknown";
+	return NULL;
 }

 /* Output all remaining openssl error messages. */
@ -575,7 +575,7 @@ int imaevm_get_hash_algo(const char *algo)
 	return -1;
 }

-static int get_hash_algo_from_sig(unsigned char *sig)
+int imaevm_hash_algo_from_sig(unsigned char *sig)
 {
 	uint8_t hashalgo;

@ -632,13 +632,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 		return -1;
 	}

-	sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
 	if (sig_hash_algo < 0) {
 		log_err("Invalid signature\n");
 		return -1;
 	}
 	/* Use hash algorithm as retrieved from signature */
-	imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);

 	/*
 	 * Validate the signature based on the digest included in the