From: Dmitry K. <dmi...@gm...> - 2014-04-30 07:34:17
Hello,

On 30 April 2014 09:43, Andreas Steffen <and...@st...> wrote:

> Hi Mimi,
>
> I'm currently updating strongSwan's remote attestation capability
> to include the new IMA-NG hash formats. While inspecting the IMA
> source code I noticed that the hash of the template data computed
> by im_calc_field_array_hash_tfm() in ima_crypto.c depends on the
> endianness of the host platform:
>
>     rc = crypto_shash_update(&desc.shash,
>                              (const u8 *) &field_data[i].len,
>                              sizeof(field_data[i].len));
>
> Since the attestation server reconstructs the template data hash
> from the SHA-1/SHA-256 file hash and absolute file name stored in
> the reference database I would be much happier if the 32 bit
> unsigned integer stored in field_data[i].len would be converted into
> platform-independent network order before these four bytes are
> included in the template hash. With the current code the attestation
> server must know the endianness of each of its clients in order to
> generate the correct hash value.

It is a very good point. The measurement list should not depend on endianness.

> Since the IMA-NG code has already been released with the 3.13 kernel
> I don't know if it is possible to include my proposed change.
> It would make life really much easier!

It should be possible. I do not think it is so widely used "format" now to allow it. Other packages can be fixed...

- Dmitry

> Best regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen                         and...@st...
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

--
Thanks,
Dmitry
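
The dependency discussed in this message, seen from the attestation server's side, as an added example that is not part of the thread and is not IMA or strongSwan code. It assumes the ima-ng template hash is SHA-1 over each field's 32-bit length followed by its data, with the two fields laid out as commented; the function names and the reference entry are hypothetical and constructed for illustration.

```python
import hashlib
import struct

def field(data: bytes, order: str) -> bytes:
    """Length-prefix one template field. order: '<' little-endian, '>' big-endian/network."""
    return struct.pack(order + "I", len(data)) + data

def template_hash(file_digest: bytes, algo: str, path: str, order: str) -> bytes:
    """Rebuild the template data hash from a reference-database entry."""
    # Assumed ima-ng field layout: d-ng = "<algo>:\0" + digest, n-ng = path + "\0".
    d_ng = algo.encode() + b":\0" + file_digest
    n_ng = path.encode() + b"\0"
    return hashlib.sha1(field(d_ng, order) + field(n_ng, order)).digest()

def matching_order(reported: bytes, file_digest: bytes, algo: str, path: str):
    """With host-order lengths the verifier has to try every client byte order."""
    for name, order in (("little", "<"), ("big", ">")):
        if template_hash(file_digest, algo, path, order) == reported:
            return name
    return None  # no byte order reproduces the reported hash

# Constructed reference entry (not a real measurement).
REF_PATH = "/usr/bin/example"
REF_DIGEST = hashlib.sha256(b"constructed file contents").digest()

if __name__ == "__main__":
    le = template_hash(REF_DIGEST, "sha256", REF_PATH, "<")
    be = template_hash(REF_DIGEST, "sha256", REF_PATH, ">")
    print("little-endian client:", le.hex())
    print("big-endian client:   ", be.hex())
    print("client byte order inferred from LE hash:",
          matching_order(le, REF_DIGEST, "sha256", REF_PATH))
```

If the length were always hashed in one fixed byte order, the verifier would compute a single value per reference entry and `matching_order` would be unnecessary.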