Get hash algorithm info from the signature

If one signs a file using hash algo -sha256 then one needs to specify signature during verification also. Otherwise evmctl using default sha1 for calculating hash and signature verification fails. One needs to specify -a sha256 on command line even during signature verification phase to make sure file is signed right. I think that's completely unnecessary. A user is not always supposed to know what algorithm was used to generate signature. User is only concered with whether this signature is valid or not. So retrieve hash algorithm info from signature and use that. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2025-04-28 14:43:37 +02:00 · 2013-07-12 14:52:08 -04:00 · 2013-07-12 14:52:08 -04:00 · fa3c365cce
commit fa3c365cce
parent 00caa1d5ba
1 changed files with 42 additions and 5 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -244,7 +244,7 @@ static int xattr = 1;
 static int sigdump;
 static int digest;
 static int digsig;
-static char *hash_algo = "sha1";
+static const char *hash_algo = "sha1";
 static char *keypass;
 static int sigfile;
 static int modsig;
@ -1228,15 +1228,39 @@ static int cmd_verify_evm(struct command *cmd)
 	return verify_evm(file, key);
 }

+static uint8_t get_hash_algo_from_sig(unsigned char *sig)
+{
+	uint8_t hashalgo;
+
+	if (sig[0] == 1) {
+		hashalgo = ((struct signature_hdr *)sig)->hash;
+
+		if (hashalgo >= DIGEST_ALGO_MAX)
+			return -1;
+
+		switch (hashalgo) {
+		case DIGEST_ALGO_SHA1:
+			return PKEY_HASH_SHA1;
+		case DIGEST_ALGO_SHA256:
+			return PKEY_HASH_SHA256;
+		default:
+			return -1;
+		}
+	} else if (sig[0] == 2) {
+		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
+		if (hashalgo >= PKEY_HASH__LAST)
+			return -1;
+		return hashalgo;
+	} else
+		return -1;
+}
+
 static int verify_ima(const char *file, const char *key)
 {
 	unsigned char hash[64];
 	unsigned char sig[1024];
 	int len, hashlen;
-
-	hashlen = calc_hash(file, hash);
-	if (hashlen <= 1)
-		return hashlen;
+	int sig_hash_algo;

 	if (xattr) {
 		len = getxattr(file, "security.ima", sig, sizeof(sig));
@ -1259,6 +1283,19 @@ static int verify_ima(const char *file, const char *key)
 		return -1;
 	}

+	sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+	if (sig_hash_algo < 0) {
+		log_err("Invalid signature\n");
+		return -1;
+	}
+
+	/* Use hash algorithm as retrieved from signature */
+	hash_algo = pkey_hash_algo[sig_hash_algo];
+
+	hashlen = calc_hash(file, hash);
+	if (hashlen <= 1)
+		return hashlen;
+
 	return verify_hash(hash, hashlen, sig + 1, len - 1, key);
 }