This patch imposes minimum key size limit.
It declares EVM_MIN_KEY_SIZE and EVM_MAX_KEY_SIZE in public header file.
Signed-off-by: Dmitry Kasatkin <dmitry.kasat...@huawei.com>
---
include/linux/evm.h | 3 +++
security/integrity/evm/evm_crypto.c | 7 +++----
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/linux/evm.h b/include/linux/evm.h
index 35ed9a8..0aeedec 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -11,6 +11,9 @@
#include <linux/integrity.h>
#include <linux/xattr.h>
+#define EVM_MAX_KEY_SIZE 128
+#define EVM_MIN_KEY_SIZE 64
+
struct integrity_iint_cache;
#ifdef CONFIG_EVM
diff --git a/security/integrity/evm/evm_crypto.c
b/security/integrity/evm/evm_crypto.c
index 7aec93e..cfb788c 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -24,9 +24,8 @@
#include "evm.h"
#define EVMKEY "evm-key"
-#define MAX_KEY_SIZE 128
-static unsigned char evmkey[MAX_KEY_SIZE];
-static int evmkey_len = MAX_KEY_SIZE;
+static unsigned char evmkey[EVM_MAX_KEY_SIZE];
+static int evmkey_len = EVM_MAX_KEY_SIZE;
struct crypto_shash *hmac_tfm;
struct crypto_shash *hash_tfm;
@@ -54,7 +53,7 @@ int evm_set_key(void *key, size_t keylen)
if (test_and_set_bit(EVM_SET_KEY_BUSY, &evm_set_key_flags))
goto busy;
rc = -EINVAL;
- if (keylen > MAX_KEY_SIZE)
+ if (keylen < EVM_MIN_KEY_SIZE || keylen > EVM_MAX_KEY_SIZE)
goto inval;
memcpy(evmkey, key, keylen);
evm_initialized |= EVM_INIT_HMAC;
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
