Fix setting correct hash header

The 'ima_hash -a sha256' and 'sign -a sha256 --imahash' commands set an
incorrect xattr header for hash algorithms other than sha1.

Fix it.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Dmitry Kasatkin 2014-06-24 15:52:16 +03:00
parent 9bc24ee556
commit c958062023


@ -651,22 +651,33 @@ static int sign_evm(const char *file, const char *key)
static int hash_ima(const char *file) static int hash_ima(const char *file)
{ {
unsigned char hash[65]; /* MAX hash size + 1 */ unsigned char hash[66]; /* MAX hash size + 2 */
int len, err; int len, err, offset;
int algo = get_hash_algo(params.hash_algo);
hash[0] = IMA_XATTR_DIGEST; if (algo > PKEY_HASH_SHA1) {
len = ima_calc_hash(file, hash + 1); hash[0] = IMA_XATTR_DIGEST_NG;
hash[1] = algo;
offset = 2;
} else {
hash[0] = IMA_XATTR_DIGEST;
offset = 1;
}
len = ima_calc_hash(file, hash + offset);
if (len <= 1) if (len <= 1)
return len; return len;
len += offset;
if (params.verbose >= LOG_INFO) if (params.verbose >= LOG_INFO)
log_info("hash: "); log_info("hash: ");
if (sigdump || params.verbose >= LOG_INFO) if (sigdump || params.verbose >= LOG_INFO)
dump(hash, len + 1); dump(hash, len);
if (xattr) { if (xattr) {
err = lsetxattr(file, "security.ima", hash, len + 1, 0); err = lsetxattr(file, "security.ima", hash, len, 0);
if (err < 0) { if (err < 0) {
log_err("setxattr failed: %s\n", file); log_err("setxattr failed: %s\n", file);
return err; return err;