From: Mikhail K. <vie...@vi...> - 2016-12-19 22:58:31
This patch add verification support for immutable EVM sign, ignore -i flag during EVM sign verification. - verify_hash function (/src/libimaevm.c) parse DIGSIG_VERSION_3 in same way as DIGSIG_VERSION_2, since version 3 on this stage should use same code as version 2. - verify_evm function (/src/evmctl.c) care about "evm_immutable" internal flag to be sure, that "-i" flag is ignored and hash will be generated accordingly to the file EVM sign version. Please note, I don't use in this source file DIGSIG_VERSION_3 from "enum digsig_version", since Dmitry Kasatkin used "3" for some reason in his patch (see https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/92033dc4042668aaec2df45aa864edc705bd607b/). - this patch fix issue in EVM sign verification, when flag "-i" is provided by mistake during EVM sign version 1 or version 2 verification (in this case hash will be generated for version 3 accordingly to provided flags, but not to the file EVM sign version as it should be, so, verification will be failed for sure). Signed-off-by: Mikhail Kurinnoi <vie...@vi...>
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -730,24 +730,29 @@ static int verify_evm(const char *file)
 {
 	unsigned char hash[20];
 	unsigned char sig[1024];
-	int len;
-
-	len = calc_evm_hash(file, hash);
-	if (len <= 1)
-		return len;
-
-	len = lgetxattr(file, "security.evm", sig, sizeof(sig));
-	if (len < 0) {
+	int sig_len, hash_len;
+
+	sig_len = lgetxattr(file, "security.evm", sig, sizeof(sig));
+	if (sig_len < 0) {
 		log_err("getxattr failed: %s\n", file);
-		return len;
+		return sig_len;
 	}
 	if (sig[0] != 0x03) {
 		log_err("security.evm has no signature\n");
 		return -1;
 	}
-
-	return verify_hash(hash, sizeof(hash), sig + 1, len - 1);
+
+	if (sig[1] == 3)
+		evm_immutable = true;
+	else
+		evm_immutable = false;
+
+	hash_len = calc_evm_hash(file, hash);
+	if (hash_len <= 1)
+		return hash_len;
+
+	return verify_hash(hash, sizeof(hash), sig + 1, sig_len - 1);
 }
 
 static int cmd_verify_evm(struct command *cmd)
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -127,7 +127,8 @@ enum digsig_version {
 	DIGSIG_VERSION_1 = 1,
-	DIGSIG_VERSION_2
+	DIGSIG_VERSION_2,
+	DIGSIG_VERSION_3
 };
 
 struct pubkey_hdr {
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -502,7 +502,7 @@ int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
 		verify_hash = verify_hash_v1;
 		/* Read pubkey from RSA key */
 		x509 = 0;
-	} else if (sig[0] == DIGSIG_VERSION_2) {
+	} else if ((sig[0] == DIGSIG_VERSION_2) || (sig[0] == DIGSIG_VERSION_3)) {
 		verify_hash = verify_hash_v2;
 		/* Read pubkey from x509 cert */
 		x509 = 1;
|
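Review bot: The new `if (sig[1] == 3)` branch reads the second byte of `sig` while the only length check so far is `sig_len < 0`, so a `security.evm` xattr of a single byte (just the 0x03 type marker) makes it read an indeterminate byte of the stack buffer and then hands `verify_hash` a zero-length signature; extending the existing marker check to `if (sig_len < 2 || sig[0] != 0x03) {` guarantees both the type byte and the version byte are present before either is read. The `sig[0]` read had the same gap before this change when `sig_len == 0`, and the combined check closes that too. `evm_immutable` looks like a global consumed by `calc_evm_hash`, which is outside the hunk; a comment above the assignment such as `/* version-3 signatures cover the immutable-file digest: override any -i given on the command line */` would record why the user's flag is overwritten, and `evm_immutable = (sig[1] == 3);` says the same thing in one line. Since this patch also adds `DIGSIG_VERSION_3` to `enum digsig_version`, the literal `3` could be written as that constant, though the description gives the author's reason for keeping the literal.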
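Review bot: Folding `DIGSIG_VERSION_3` into the version-2 branch is correct only as long as a v3 signature is byte-compatible with v2 and differs solely in what was hashed, which the commit description asserts but the code does not record; a comment on the changed line such as `/* v3 (immutable EVM) shares the v2 signature format and x509 key lookup; only the hashed content differs */` would stop a later maintainer from adding v3-specific parsing here or assuming v3 is unsupported. Version bytes other than 1, 2 or 3 presumably fall through to an error branch below the hunk, which is worth confirming, since an unknown version must not select any verifier by default. verify_hash begins and ends outside the hunk.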