Re: [Linux-ima-devel] IMA SHA-1 log format "specification"

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 7/17/2017 7:26 PM, Mehmet Kayaalp wrote:
> 
>>
>> Question:  What is the maximum number of event records?
> 
> There is no limit and the number is stored in a long field.

1 - Long is platform dependent, right?

2 - If an attacker sends a long with 0xffffffff records, or 0xfffffff 
ffffffff records, the server should not blindly try to malloc that much 
memory.

>> This is a 4-byte integer representing the length of the Template Name field.
>>
>> Question:  What is the maximum length?
> 
> in security/integrity/ima/ima_template.c
> #define MAX_TEMPLATE_NAME_LEN 15

I'm looking for a guaranteed maximum.  I don't want a server to break
if the client side code changes.

>> 3.4.1. Signature Type
>>
>> This is a 1-byte field.  The value is 0x03.
>>
>> Question:  What are the valid values and meanings.  How does the type affect the other fields.
> 
> The whole signature data is part of the xattr data. This is actually
> not the signature type, but the xattr type defined in:
> security/integrity/integrity.h as:
> 
> enum evm_ima_xattr_type {
> 	IMA_XATTR_DIGEST = 0x01,
> 	EVM_XATTR_HMAC,
> 	EVM_IMA_XATTR_DIGSIG,
> 	IMA_XATTR_DIGEST_NG,
> 	IMA_XATTR_LAST
> };
> 
> So the only value is 3 for an event with signature.

I'm looking for a definition of 0x03, as well as any other values a 
server might receive.

> 
>> 3.4.2. Signature Version
>>
>> This is a 1-byte field.  The value is 0x02.
>>
>> Question:  What are the valid values and meanings.  How does the version affect the other fields.
> 
> Only 1 and 2 are valid right now. In function integrity_digsig_verify:

What are the meanings of 1 and 2 - something I could add to the 
specification.

>> 3.4.5. Signature Size
>>
>> This is a 2-byte integer representing the size of the Signature field.
>>
>> Question:  What are the legal values?  1024 and 2048?  Others?
> 
> This one is defined by the signature. For RSA, the key determines the
> resulting signature size. When writing the xattr, it is set to the return value
> of RSA_private_encrypt:

Understood, but what are the legal sizes that a server must handle.