Get hash algorithm info from the signature
If one signs a file using hash algo -sha256 then one needs to specify signature during verification also. Otherwise evmctl using default sha1 for calculating hash and signature verification fails. One needs to specify -a sha256 on command line even during signature verification phase to make sure file is signed right. I think that's completely unnecessary. A user is not always supposed to know what algorithm was used to generate signature. User is only concered with whether this signature is valid or not. So retrieve hash algorithm info from signature and use that. Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
Vivek Goyal
Dmitry Kasatkin
parent
00caa1d5ba
commit
fa3c365cce
47
src/evmctl.c
47
src/evmctl.c
@ -244,7 +244,7 @@ static int xattr = 1;
|
|||||||
static int sigdump;
|
static int sigdump;
|
||||||
static int digest;
|
static int digest;
|
||||||
static int digsig;
|
static int digsig;
|
||||||
static char *hash_algo = "sha1";
|
static const char *hash_algo = "sha1";
|
||||||
static char *keypass;
|
static char *keypass;
|
||||||
static int sigfile;
|
static int sigfile;
|
||||||
static int modsig;
|
static int modsig;
|
||||||
@ -1228,15 +1228,39 @@ static int cmd_verify_evm(struct command *cmd)
|
|||||||
return verify_evm(file, key);
|
return verify_evm(file, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static uint8_t get_hash_algo_from_sig(unsigned char *sig)
|
||||||
|
{
|
||||||
|
uint8_t hashalgo;
|
||||||
|
|
||||||
|
if (sig[0] == 1) {
|
||||||
|
hashalgo = ((struct signature_hdr *)sig)->hash;
|
||||||
|
|
||||||
|
if (hashalgo >= DIGEST_ALGO_MAX)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
switch (hashalgo) {
|
||||||
|
case DIGEST_ALGO_SHA1:
|
||||||
|
return PKEY_HASH_SHA1;
|
||||||
|
case DIGEST_ALGO_SHA256:
|
||||||
|
return PKEY_HASH_SHA256;
|
||||||
|
default:
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
} else if (sig[0] == 2) {
|
||||||
|
hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
|
||||||
|
if (hashalgo >= PKEY_HASH__LAST)
|
||||||
|
return -1;
|
||||||
|
return hashalgo;
|
||||||
|
} else
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
static int verify_ima(const char *file, const char *key)
|
static int verify_ima(const char *file, const char *key)
|
||||||
{
|
{
|
||||||
unsigned char hash[64];
|
unsigned char hash[64];
|
||||||
unsigned char sig[1024];
|
unsigned char sig[1024];
|
||||||
int len, hashlen;
|
int len, hashlen;
|
||||||
|
int sig_hash_algo;
|
||||||
hashlen = calc_hash(file, hash);
|
|
||||||
if (hashlen <= 1)
|
|
||||||
return hashlen;
|
|
||||||
|
|
||||||
if (xattr) {
|
if (xattr) {
|
||||||
len = getxattr(file, "security.ima", sig, sizeof(sig));
|
len = getxattr(file, "security.ima", sig, sizeof(sig));
|
||||||
@ -1259,6 +1283,19 @@ static int verify_ima(const char *file, const char *key)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sig_hash_algo = get_hash_algo_from_sig(sig + 1);
|
||||||
|
if (sig_hash_algo < 0) {
|
||||||
|
log_err("Invalid signature\n");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Use hash algorithm as retrieved from signature */
|
||||||
|
hash_algo = pkey_hash_algo[sig_hash_algo];
|
||||||
|
|
||||||
|
hashlen = calc_hash(file, hash);
|
||||||
|
if (hashlen <= 1)
|
||||||
|
return hashlen;
|
||||||
|
|
||||||
return verify_hash(hash, hashlen, sig + 1, len - 1, key);
|
return verify_hash(hash, hashlen, sig + 1, len - 1, key);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user