From 915bceb4c7db08a1d0bb2ff942e89d8b943f03c2 Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Mon, 16 Jul 2012 22:39:34 +0200 Subject: [PATCH] fixed potential hasher problems --- src/libpts/pts/components/ita/ita_comp_ima.c | 24 ++++++++++++++++-------- src/libpts/pts/pts_file_meas.c | 16 +++++++++++++--- 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c index 2de3caf..0c855bd 100644 --- a/src/libpts/pts/components/ita/ita_comp_ima.c +++ b/src/libpts/pts/components/ita/ita_comp_ima.c @@ -369,8 +369,11 @@ pts_comp_evidence_t* extend_pcr(pts_ita_comp_ima_t* this, u_int32_t pcr, pcr_len = HASH_SIZE_SHA1; pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len); pcr_before = chunk_clone(this->pcrs[pcr]); - this->hasher->get_hash(this->hasher, pcr_before, NULL); - this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr); + if (!this->hasher->get_hash(this->hasher, pcr_before, NULL) || + !this->hasher->get_hash(this->hasher, measurement, this->pcrs[pcr].ptr)) + { + DBG1(DBG_PTS, "PCR%d was not extended due to a hasher problem", pcr); + } pcr_after = chunk_clone(this->pcrs[pcr]); evidence = pts_comp_evidence_create(this->name->clone(this->name), @@ -391,6 +394,7 @@ void check_boot_aggregate(pts_ita_comp_ima_t *this, chunk_t measurement) u_char boot_aggregate_name[] = "boot_aggregate"; u_char filename_buffer[IMA_EVENT_NAME_LEN_MAX + 1]; chunk_t boot_aggregate, file_name; + bool pcr_ok = TRUE; /* See Linux kernel header: security/integrity/ima/ima.h */ boot_aggregate = chunk_create(pcr_buffer, sizeof(pcr_buffer)); @@ -398,14 +402,18 @@ void check_boot_aggregate(pts_ita_comp_ima_t *this, chunk_t measurement) strcpy(filename_buffer, boot_aggregate_name); file_name = chunk_create(filename_buffer, sizeof(filename_buffer)); - for (pcr = 0; pcr < 8; pcr++) + for (pcr = 0; pcr < 8 && pcr_ok; pcr++) { - this->hasher->get_hash(this->hasher, this->pcrs[pcr], NULL); + pcr_ok = this->hasher->get_hash(this->hasher, this->pcrs[pcr], NULL); + } + if (!pcr_ok || + !this->hasher->get_hash(this->hasher, chunk_empty, pcr_buffer) || + !this->hasher->get_hash(this->hasher, boot_aggregate, NULL) || + !this->hasher->get_hash(this->hasher, file_name, pcr_buffer)) + { + DBG1(DBG_PTS, "failed to compute boot aggregate value"); + return; } - this->hasher->get_hash(this->hasher, chunk_empty, pcr_buffer); - this->hasher->get_hash(this->hasher, boot_aggregate, NULL); - this->hasher->get_hash(this->hasher, file_name, pcr_buffer); - DBG1(DBG_PTS, "boot aggregate value is %scorrect", chunk_equals(boot_aggregate, measurement) ? "":"in"); } diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c index 32d50c9..c8793e3 100644 --- a/src/libpts/pts/pts_file_meas.c +++ b/src/libpts/pts/pts_file_meas.c @@ -212,6 +212,7 @@ static bool hash_file(hasher_t *hasher, char *pathname, u_char *hash) { u_char buffer[4096]; size_t bytes_read; + bool success = TRUE; FILE *file; file = fopen(pathname, "rb"); @@ -226,17 +227,26 @@ static bool hash_file(hasher_t *hasher, char *pathname, u_char *hash) bytes_read = fread(buffer, 1, sizeof(buffer), file); if (bytes_read > 0) { - hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL); + if (!hasher->get_hash(hasher, chunk_create(buffer, bytes_read), NULL)) + { + DBG1(DBG_PTS, " hasher increment error"); + success = FALSE; + break; + } } else { - hasher->get_hash(hasher, chunk_empty, hash); + if (!hasher->get_hash(hasher, chunk_empty, hash)) + { + DBG1(DBG_PTS, " hasher finalize error"); + success = FALSE; + } break; } } fclose(file); - return TRUE; + return success; } /** -- 2.7.4