@@ -514,14 +514,14 @@ static int sign_evm(const char *file, const char *key)
int len, err;
len = calc_evm_hash(file, hash);
- assert(len <= sizeof(hash));
if (len <= 1)
return len;
+ assert(len <= sizeof(hash));
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
- assert(len < sizeof(sig));
if (len <= 1)
return len;
+ assert(len < sizeof(sig));
/* add header */
len++;
@@ -563,9 +563,9 @@ static int hash_ima(const char *file)
}
len = ima_calc_hash(file, hash + offset);
- assert(len + offset <= sizeof(hash));
if (len <= 1)
return len;
+ assert(len + offset <= sizeof(hash));
len += offset;
@@ -593,14 +593,14 @@ static int sign_ima(const char *file, const char *key)
int len, err;
len = ima_calc_hash(file, hash);
- assert(len <= sizeof(hash));
if (len <= 1)
return len;
+ assert(len <= sizeof(hash));
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
- assert(len < sizeof(sig));
if (len <= 1)
return len;
+ assert(len < sizeof(sig));
/* add header */
len++;
@@ -724,9 +724,9 @@ static int cmd_sign_hash(struct command *cmd)
hex2bin(hash, line, hashlen / 2);
siglen = sign_hash(params.hash_algo, hash, hashlen/2,
key, NULL, sig + 1);
- assert(siglen < sizeof(sig));
if (siglen <= 1)
return siglen;
+ assert(siglen < sizeof(sig));
fwrite(line, len, 1, stdout);
fprintf(stdout, " ");
@@ -778,9 +778,9 @@ static int verify_evm(const char *file)
int len;
mdlen = calc_evm_hash(file, hash);
- assert(mdlen <= sizeof(hash));
if (mdlen <= 1)
return mdlen;
+ assert(mdlen <= sizeof(hash));
len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) {
@@ -1160,9 +1160,9 @@ static int hmac_evm(const char *file, const char *key)
int len, err;
len = calc_evm_hmac(file, key, hash);
- assert(len <= sizeof(hash));
if (len <= 1)
return len;
+ assert(len <= sizeof(hash));
log_info("hmac: ");
log_dump(hash, len);
@@ -618,9 +618,9 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
hashlen = ima_calc_hash(file, hash);
- assert(hashlen <= sizeof(hash));
if (hashlen <= 1)
return hashlen;
+ assert(hashlen <= sizeof(hash));
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
}
Move sign_hash()/ima_calc_hash()/calc_evm_hmac()/calc_evm_hash() status checking before assert()'ing of their return values, so it can be passed to the upper level callers. Especially useful for showing errors. Fixes: 1d9c279279 ("Define hash and sig buffer sizes and add asserts") Fixes: 9643544701 ("Fix hash buffer overflow in verify_evm and hmac_evm") Signed-off-by: Vitaly Chikunov <vt@altlinux.org> ima-evm-utils: Fix assert after ima_calc_hash --- src/evmctl.c | 16 ++++++++-------- src/libimaevm.c | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-)