
ima-evm-utils: Allow EVM verify to determine hash algo

Previously, EVM verify required the `--hashalgo' option to be specified,
while IMA ima_verify did not.

Allow EVM verify to determine hash algo from signature.

Also, this makes two previously static functions to become exportable
and renamed:

  get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
  get_hash_algo_by_id    -> imaevm_hash_algo_by_id

This is needed because EVM hash is calculated (in calc_evm_hash) outside
of library.

imaevm_hash_algo_by_id() will now return NULL if algo is not found.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Vitaly Chikunov
2019-07-29 09:18:07 +03:00
committed by Mimi Zohar
parent 90176e835a
commit cf1b8fda8d
3 changed files with 20 additions and 10 deletions


@ -810,14 +810,10 @@ static int verify_evm(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
int sig_hash_algo;
int mdlen;
int len;
mdlen = calc_evm_hash(file, hash);
if (mdlen <= 1)
return mdlen;
assert(mdlen <= sizeof(hash));
len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
@ -829,6 +825,18 @@ static int verify_evm(const char *file)
return -1;
}
sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
if (sig_hash_algo < 0) {
log_err("unknown hash algo: %s\n", file);
return -1;
}
imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
mdlen = calc_evm_hash(file, hash);
if (mdlen <= 1)
return mdlen;
assert(mdlen <= sizeof(hash));
return verify_hash(file, hash, mdlen, sig + 1, len - 1);
}
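Review bot: The result of `imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);` is never checked, although the commit message says that function now returns NULL when the algorithm is not found, so a signature header carrying an id without a registered name reaches calc_evm_hash on the next line with a NULL algorithm name; whether calc_evm_hash tolerates that is not visible in this hunk. Add `if (!imaevm_params.hash_algo) { log_err("unknown hash algo: %s\n", file); return -1; }` between the assignment and the calc_evm_hash call, so the unknown-id and unknown-name cases fail the same way. Note also that this writes the algorithm taken from the file's own xattr into the global `imaevm_params.hash_algo`, overriding any `--hashalgo` the user passed for the remainder of the run; if calc_evm_hash cannot be given the algorithm directly, saving and restoring the previous value around the call keeps other operations unaffected. The lines between the two hunks are not shown, so whether `len > 1` is already guaranteed before `imaevm_hash_algo_from_sig(sig + 1)` reads past the type byte cannot be confirmed here; `if (len < 0)` alone does not ensure it.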