From 916a0f97fd244a48fde429a63ddc04ed1ed94f8b Mon Sep 17 00:00:00 2001
From: Bruno Meneguele <bmeneg@redhat.com>
Date: Mon, 16 Aug 2021 17:58:35 -0300
Subject: [PATCH] libimaevm: make SHA-256 the default hash algorithm
The SHA-1 algorithm is considered a weak hash algorithm and there has been
some movement within certain distros to drop its support completely or at
least drop it from the default behavior. ima-evm-utils uses it as the
default algorithm in case the user doesn't explicitly ask for another
through the --hashalgo/-a option. With that, make SHA-256 the default hash
algorithm instead.
Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
README | 2 +-
src/evmctl.c | 2 +-
src/libimaevm.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 87cd3b5cd7da..0dc02f551673 100644
--- a/README
+++ b/README
@@ -41,7 +41,7 @@ COMMANDS
OPTIONS
-------
- -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512
+ -a, --hashalgo sha1, sha224, sha256 (default), sha384, sha512
-s, --imasig make IMA signature
-d, --imahash make IMA hash
-f, --sigfile store IMA signature in .sig file instead of xattr
diff --git a/src/evmctl.c b/src/evmctl.c
index a8065bbe124a..e0e55bc0b122 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2496,7 +2496,7 @@ static void usage(void)
printf(
"\n"
- " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
+ " -a, --hashalgo sha1, sha224, sha256 (default), sha384, sha512, streebog256, streebog512\n"
" -s, --imasig make IMA signature\n"
" -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 8e9615796153..f6c72b878d88 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -88,7 +88,7 @@ static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
struct libimaevm_params imaevm_params = {
.verbose = LOG_INFO,
.x509 = 1,
- .hash_algo = "sha1",
+ .hash_algo = "sha256",
};
static void __attribute__ ((constructor)) libinit(void);
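Review bot: The default digest name is now a bare string literal in the `imaevm_params` initializer and is repeated by hand in the `usage()` text of src/evmctl.c and in the README, so the documented default can drift from the one the library actually uses. A single named constant for the initializer (for example `#define DEFAULT_HASH_ALGO "sha256"`; the name is only a suggestion) plus a comment on the field such as `/* digest used when -a/--hashalgo is not given */` would make the default auditable in one place. Because `imaevm_params` is a non-static global, callers other than evmctl that never set `hash_algo` presumably pick up the new default as well. Whether any code path that reads `hash_algo` must stay on SHA-1 for compatibility with existing labels is not visible in this hunk and is worth confirming before release.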
--
2.31.1