From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message
Date: Tue, 16 Jul 2019 10:30:16 -0400 [thread overview]
Message-ID: <1563287417-31780-1-git-send-email-zohar@linux.ibm.com> (raw)
When keys are not provided, the default key is used to verify the file
signature, resulting in this erroneous message. Before using the default
key to verify the file signature, verify the keyid is correct.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/libimaevm.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ae487f9fe36c..472ab53c7b42 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
X509 *crt = NULL;
EVP_PKEY *pkey = NULL;
+ if (!keyfile)
+ return NULL;
+
fp = fopen(keyfile, "r");
if (!fp) {
log_err("Failed to open keyfile: %s\n", keyfile);
@@ -569,27 +572,25 @@ static int get_hash_algo_from_sig(unsigned char *sig)
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
int siglen)
{
- const char *key;
- int x509;
+ const char *key = NULL;
verify_hash_fn_t verify_hash;
/* Get signature type from sig header */
if (sig[0] == DIGSIG_VERSION_1) {
verify_hash = verify_hash_v1;
+
/* Read pubkey from RSA key */
- x509 = 0;
+ if (!params.keyfile)
+ key = "/etc/keys/pubkey_evm.pem";
} else if (sig[0] == DIGSIG_VERSION_2) {
verify_hash = verify_hash_v2;
+
/* Read pubkey from x509 cert */
- x509 = 1;
+ if (!params.keyfile)
+ init_public_keys("/etc/keys/x509_evm.der");
} else
return -1;
- /* Determine what key to use for verification*/
- key = params.keyfile ? : x509 ?
- "/etc/keys/x509_evm.der" :
- "/etc/keys/pubkey_evm.pem";
-
return verify_hash(file, hash, size, sig, siglen, key);
}
--
2.7.5
next reply other threads:[~2019-07-16 14:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 14:30 Mimi Zohar [this message]
2019-07-16 14:30 ` [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages Mimi Zohar
2019-07-16 21:49 ` Vitaly Chikunov
2019-07-16 22:13 ` Mimi Zohar
2019-07-17 13:23 ` Mimi Zohar
2019-07-16 21:37 ` [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Vitaly Chikunov
2019-07-16 21:55 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1563287417-31780-1-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.