From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils v3 06/15] Add missing EVP_MD_CTX_free() call in calc_evm_hash()
Date: Tue, 13 Sep 2022 22:29:47 -0400 [thread overview]
Message-ID: <20220914022956.1359218-7-zohar@linux.ibm.com> (raw)
In-Reply-To: <20220914022956.1359218-1-zohar@linux.ibm.com>
When EVP_MD_CTX_new() call was added, the corresponding EVP_MD_CTX_free()
was never called. Properly free it.
Fixes: 81010f0d87ef ("ima-evm-utils: Add backward compatible support for openssl 1.1")
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 57 ++++++++++++++++++++++++++++++++++++----------------
1 file changed, 40 insertions(+), 17 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 27d2061f23be..b8c92aad6b84 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -332,11 +332,17 @@ err:
return -1;
}
+/*
+ * calc_evm_hash - calculate the file metadata hash
+ *
+ * Returns 0 for EVP_ function failures. Return -1 for other failures.
+ * Return hash algorithm size on success.
+ */
static int calc_evm_hash(const char *file, unsigned char *hash)
{
const EVP_MD *md;
struct stat st;
- int err;
+ int err = -1;
uint32_t generation = 0;
EVP_MD_CTX *pctx;
unsigned int mdlen;
@@ -350,12 +356,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_MD_CTX ctx;
pctx = &ctx;
-#else
- pctx = EVP_MD_CTX_new();
#endif
if (lstat(file, &st)) {
log_err("Failed to stat: %s\n", file);
+ errno = 0;
return -1;
}
@@ -392,20 +397,30 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
list_size = llistxattr(file, list, sizeof(list));
if (list_size < 0) {
log_err("llistxattr() failed\n");
+ errno = 0;
return -1;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ pctx = EVP_MD_CTX_new();
+ if (!pctx) {
+ log_err("EVP_MD_CTX_new() failed\n");
+ return 0;
+ }
+#endif
+
md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) {
log_err("EVP_get_digestbyname(%s) failed\n",
imaevm_params.hash_algo);
- return 1;
+ err = 0;
+ goto out;
}
err = EVP_DigestInit(pctx, md);
if (!err) {
log_err("EVP_DigestInit() failed\n");
- return 1;
+ goto out;
}
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
@@ -416,7 +431,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) {
log_err("selinux[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
strcpy(xattr_value, selinux_str);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
@@ -424,7 +440,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err > sizeof(xattr_value)) {
log_err("ima[%u] value is too long to fit into xattr[%zu]\n",
err, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
hex2bin(xattr_value, ima_str, err);
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && evm_portable){
@@ -433,7 +450,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err < 0) {
log_err("EVM portable sig: %s required\n",
xattr_ima);
- return -1;
+ goto out;
}
use_xattr_ima = 1;
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
@@ -443,7 +460,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (err >= sizeof(xattr_value)) {
log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
err + 1, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
}
strcpy(xattr_value, caps_str);
} else {
@@ -464,7 +482,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, xattr_value, err);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
}
@@ -518,29 +536,33 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
if (!evm_immutable && !evm_portable &&
!(hmac_flags & HMAC_FLAG_NO_UUID)) {
err = get_uuid(&st, uuid);
if (err)
- return -1;
+ goto out;
err = EVP_DigestUpdate(pctx, (const unsigned char *)uuid, sizeof(uuid));
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
- return 1;
+ goto out;
}
}
err = EVP_DigestFinal(pctx, hash, &mdlen);
- if (!err) {
+ if (!err)
log_err("EVP_DigestFinal() failed\n");
- return 1;
- }
- return mdlen;
+out:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ EVP_MD_CTX_free(pctx);
+#endif
+ if (err == 1)
+ return mdlen;
+ return err;
}
static int sign_evm(const char *file, const char *key)
@@ -576,6 +598,7 @@ static int sign_evm(const char *file, const char *key)
err = lsetxattr(file, xattr_evm, sig, len, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
+ errno = 0;
return err;
}
}
--
2.31.1
next prev parent reply other threads:[~2022-09-14 2:30 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 2:29 [PATCH ima-evm-utils v3 00/15] address deprecated warnings Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 01/15] travis: update dist=focal Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 02/15] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 03/15] Deprecate IMA signature version 1 Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 04/15] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 05/15] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-09-14 2:29 ` Mimi Zohar [this message]
2022-09-14 14:51 ` [PATCH ima-evm-utils v3 06/15] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Vitaly Chikunov
2022-09-15 11:58 ` Mimi Zohar
2022-09-15 15:36 ` Vitaly Chikunov
2022-09-16 13:07 ` Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 07/15] Disable use of OpenSSL "engine" support Mimi Zohar
2022-09-14 16:38 ` Vitaly Chikunov
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 08/15] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 09/15] Limit the file hash algorithm name length Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 10/15] Missing template data size lower bounds checking Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 11/15] Limit configuring OpenSSL engine support Mimi Zohar
2022-09-14 14:59 ` Vitaly Chikunov
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 12/15] Base sm2/sm3 test on openssl version installed Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 13/15] Compile a newer version of OpenSSL Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 14/15] Build OpenSSL without engine support Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 15/15] Fix d2i_x509_fp failure Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220914022956.1359218-7-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox