fixed potential hasher problems
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 16 Jul 2012 20:39:34 +0000 (22:39 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 16 Jul 2012 20:39:34 +0000 (22:39 +0200)
src/libpts/pts/components/ita/ita_comp_ima.c
src/libpts/pts/pts_file_meas.c

index 2de3caf..0c855bd 100644 (file)
@@ -369,8 +369,11 @@ pts_comp_evidence_t* extend_pcr(pts_ita_comp_ima_t* this, u_int32_t pcr,
        pcr_len = HASH_SIZE_SHA1;
        pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
        pcr_before = chunk_clone(this->pcrs[pcr]);
-       this->hasher->get_hash(this->hasher, pcr_before, NULL);
-       this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr);
+       if (!this->hasher->get_hash(this->hasher, pcr_before, NULL) ||
+               !this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr))
+       {
+               DBG1(DBG_PTS, "PCR%d was not extended due to a hasher problem", pcr);
+       }
        pcr_after = chunk_clone(this->pcrs[pcr]);
 
        evidence = pts_comp_evidence_create(this->name->clone(this->name),
@@ -391,6 +394,7 @@ void check_boot_aggregate(pts_ita_comp_ima_t *this, chunk_t measurement)
        u_char boot_aggregate_name[] = "boot_aggregate";
        u_char filename_buffer[IMA_EVENT_NAME_LEN_MAX + 1];
        chunk_t boot_aggregate, file_name;
+       bool pcr_ok = TRUE;
 
        /* See Linux kernel header: security/integrity/ima/ima.h */
        boot_aggregate = chunk_create(pcr_buffer, sizeof(pcr_buffer));
@@ -398,14 +402,18 @@ void check_boot_aggregate(pts_ita_comp_ima_t *this, chunk_t measurement)
        strcpy(filename_buffer, boot_aggregate_name);
        file_name = chunk_create(filename_buffer, sizeof(filename_buffer));
 
-       for (pcr = 0; pcr < 8; pcr++)
+       for (pcr = 0; pcr < 8 && pcr_ok; pcr++)
        {
-               this->hasher->get_hash(this->hasher, this->pcrs[pcr], NULL);
+               pcr_ok = this->hasher->get_hash(this->hasher, this->pcrs[pcr], NULL);
+       }
+       if (!pcr_ok ||
+               !this->hasher->get_hash(this->hasher, chunk_empty, pcr_buffer) ||
+               !this->hasher->get_hash(this->hasher, boot_aggregate, NULL) ||
+               !this->hasher->get_hash(this->hasher, file_name, pcr_buffer))
+       {
+               DBG1(DBG_PTS, "failed to compute boot aggregate value");
+               return;
        }
-       this->hasher->get_hash(this->hasher, chunk_empty, pcr_buffer);
-       this->hasher->get_hash(this->hasher, boot_aggregate, NULL);
-       this->hasher->get_hash(this->hasher, file_name, pcr_buffer);
-
        DBG1(DBG_PTS, "boot aggregate value is %scorrect",
                 chunk_equals(boot_aggregate, measurement) ? "":"in");
 }
index 32d50c9..c8793e3 100644 (file)
@@ -212,6 +212,7 @@ static bool hash_file(hasher_t *hasher, char *pathname, u_char *hash)
 {
        u_char buffer[4096];
        size_t bytes_read;
+       bool success = TRUE;
        FILE *file;
 
        file = fopen(pathname, "rb");
@@ -226,17 +227,26 @@ static bool hash_file(hasher_t *hasher, char *pathname, u_char *hash)
                bytes_read = fread(buffer, 1, sizeof(buffer), file);
                if (bytes_read > 0)
                {
-                       hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL);
+                       if (!hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL))
+                       {
+                               DBG1(DBG_PTS, "  hasher increment error");
+                               success = FALSE;
+                               break;
+                       }
                }
                else
                {
-                       hasher->get_hash(hasher, chunk_empty, hash);
+                       if (!hasher->get_hash(hasher, chunk_empty, hash))
+                       {
+                               DBG1(DBG_PTS, "  hasher finalize error");
+                               success = FALSE;
+                       }
                        break;
                }
        }
        fclose(file);
 
-       return TRUE;
+       return success;
 }
 
 /**