dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-11-04 06:40:49 +01:00
Code Releases Activity

Get hash algorithm info from the signature

Browse Source 
If one signs a file using hash algo -sha256 then one needs to specify
signature during verification also. Otherwise evmctl using default sha1
for calculating hash and signature verification fails. One needs to
specify -a sha256 on command line even during signature verification
phase to make sure file is signed right.

I think that's completely unnecessary. A user is not always supposed
to know what algorithm was used to generate signature. User is only
concered with whether this signature is valid or not.

So retrieve hash algorithm info from signature and use that.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
Vivek Goyal
2013-07-12 14:52:08 -04:00
committed by Dmitry Kasatkin
parent 00caa1d5ba
commit fa3c365cce
1 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
src/evmctl.c
View File

@@ -244,7 +244,7 @@ static int xattr = 1;
static int sigdump; static int sigdump;
static int digest; static int digest;
static int digsig; static int digsig;
static char *hash_algo = "sha1"; static const char *hash_algo = "sha1";
static char *keypass; static char *keypass;
static int sigfile; static int sigfile;
static int modsig; static int modsig;
@@ -1228,15 +1228,39 @@ static int cmd_verify_evm(struct command *cmd)
return verify_evm(file, key); return verify_evm(file, key);
} }
static uint8_t get_hash_algo_from_sig(unsigned char *sig)
{
uint8_t hashalgo;
if (sig[0] == 1) {
hashalgo = ((struct signature_hdr *)sig)->hash;
if (hashalgo >= DIGEST_ALGO_MAX)
return -1;
switch (hashalgo) {
case DIGEST_ALGO_SHA1:
return PKEY_HASH_SHA1;
case DIGEST_ALGO_SHA256:
return PKEY_HASH_SHA256;
default:
return -1;
}
} else if (sig[0] == 2) {
hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
if (hashalgo >= PKEY_HASH__LAST)
return -1;
return hashalgo;
} else
return -1;
}
static int verify_ima(const char *file, const char *key) static int verify_ima(const char *file, const char *key)
{ {
unsigned char hash[64]; unsigned char hash[64];
unsigned char sig[1024]; unsigned char sig[1024];
int len, hashlen; int len, hashlen;
int sig_hash_algo;
hashlen = calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;
if (xattr) { if (xattr) {
len = getxattr(file, "security.ima", sig, sizeof(sig)); len = getxattr(file, "security.ima", sig, sizeof(sig));
@@ -1259,6 +1283,19 @@ static int verify_ima(const char *file, const char *key)
return -1; return -1;
} }
sig_hash_algo = get_hash_algo_from_sig(sig + 1);
if (sig_hash_algo < 0) {
log_err("Invalid signature\n");
return -1;
}
/* Use hash algorithm as retrieved from signature */
hash_algo = pkey_hash_algo[sig_hash_algo];
hashlen = calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;
return verify_hash(hash, hashlen, sig + 1, len - 1, key); return verify_hash(hash, hashlen, sig + 1, len - 1, key);
} }