On 11/19/23 11:50, Mimi Zohar wrote:
Instead of relying on the library "imaevm_params.algo" global variable,
which is not concurrency-safe, define and use an evmctl file specific
hash algorithm variable.
Propogate using the file specific hash algorithm variable in sign_evm(),
-> Propagate
sign_ima(), hash_ima(), and sign_hash() function.
Replace using the library function ima_calc_hash() with ima_calc_hash2().
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
src/evmctl.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 7ae897d8b8b3..b802eeb1bf15 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -140,6 +140,7 @@ static bool evm_immutable;
static bool evm_portable;
static bool veritysig;
static bool hwtpm;
+static char *hash_algo;
g_hash_algo to avoid shadowing this variable in some cases where there
is a function parameter of the same name?
#define HMAC_FLAG_NO_UUID 0x0001
#define HMAC_FLAG_CAPS_SET 0x0002
@@ -570,12 +571,12 @@ static int sign_evm(const char *file, const char *key)
Add hash_algo to the parameters here and call it sign_evm(file, key,
g_hash_algo)? It makes sense to pass the hash_algo into this function
that needs to know this for the signature and pushed the usage of global
variables further out.
unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err;
- len = calc_evm_hash(file, imaevm_params.hash_algo, hash);
+ len = calc_evm_hash(file, hash_algo, hash);
if (len <= 1)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -609,10 +610,10 @@ static int hash_ima(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
int len, err, offset;
- int algo = imaevm_get_hash_algo(imaevm_params.hash_algo);
+ int algo = imaevm_get_hash_algo(hash_algo);
if (algo < 0) {
- log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo);
+ log_err("Unknown hash algo: %s\n", hash_algo);
return -1;
}
if (algo > PKEY_HASH_SHA1) {
@@ -624,7 +625,7 @@ static int hash_ima(const char *file)
offset = 1;
}
- len = ima_calc_hash(file, hash + offset);
+ len = ima_calc_hash2(file, hash_algo, hash + offset);
if (len <= 1)
return len;
assert(len + offset <= sizeof(hash));
@@ -632,7 +633,7 @@ static int hash_ima(const char *file)
len += offset;
if (imaevm_params.verbose >= LOG_INFO)
- log_info("hash(%s): ", imaevm_params.hash_algo);
+ log_info("hash(%s): ", hash_algo);
if (sigdump || imaevm_params.verbose >= LOG_INFO)
imaevm_hexdump(hash, len);
@@ -656,12 +657,12 @@ static int sign_ima(const char *file, const char *key)
unsigned char sig[MAX_SIGNATURE_SIZE];
int len, err;
- len = ima_calc_hash(file, hash);
+ len = ima_calc_hash2(file, hash_algo, hash);
if (len <= 1)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -854,7 +855,7 @@ static int cmd_sign_hash(struct command *cmd)
assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
- siglen = sign_hash(imaevm_params.hash_algo, hash,
+ siglen = sign_hash(hash_algo, hash,
hashlen / 2, key, NULL, sig + 1);
sig[0] = EVM_IMA_XATTR_DIGSIG;
}
@@ -3077,7 +3078,7 @@ int main(int argc, char *argv[])
sigdump = 1;
break;
case 'a':
- imaevm_params.hash_algo = optarg;
+ hash_algo = optarg;
break;
case 'p':
if (optarg)
