Re: [ima-evm-utils PATCH v2 13/13] Define and use a file specific "keypass" variable

[Stefan Berger <stefanb@xxxxxxxxxxxxx>]

On 12/6/23 14:27, Mimi Zohar wrote:
> Instead of relying on the "imaevm_parrams.keypass" global variable,
> which is not concurrency-safe, define and use a file specific variable.
>
> To avoid library incompatibility, don't remove imaevm_params.keypass
> variable.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>


> ---
>   src/evmctl.c | 17 +++++++++--------
>   1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 8eb2c46fbff0..72b800f6884c 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -141,6 +141,7 @@ static bool evm_portable;
>   static bool veritysig;
>   static bool hwtpm;
>   static char *g_hash_algo = DEFAULT_HASH_ALGO;
> +static char *g_keypass;
>   
>   #define HMAC_FLAG_NO_UUID	0x0001
>   #define HMAC_FLAG_CAPS_SET	0x0002
> @@ -576,7 +577,7 @@ static int sign_evm(const char *file, char *hash_algo, const char *key)
>   		return len;
>   	assert(len <= sizeof(hash));
>   
> -	len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1);
> +	len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
>   	if (len <= 1)
>   		return len;
>   	assert(len < sizeof(sig));
> @@ -662,7 +663,7 @@ static int sign_ima(const char *file, char *hash_algo, const char *key)
>   		return len;
>   	assert(len <= sizeof(hash));
>   
> -	len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1);
> +	len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
>   	if (len <= 1)
>   		return len;
>   	assert(len < sizeof(sig));
> @@ -844,7 +845,7 @@ static int cmd_sign_hash(struct command *cmd)
>   			}
>   
>   			siglen = sign_hash(algo, sigv3_hash, hashlen / 2,
> -					   key, NULL, sig + 1);
> +					   key, g_keypass, sig + 1);
>   
>   			sig[0] = IMA_VERITY_DIGSIG;
>   			sig[1] = DIGSIG_VERSION_3;	/* sigv3 */
> @@ -856,7 +857,7 @@ static int cmd_sign_hash(struct command *cmd)
>   			hex2bin(hash, line, hashlen / 2);
>   
>   			siglen = sign_hash(g_hash_algo, hash,
> -					   hashlen / 2, key, NULL, sig + 1);
> +					   hashlen / 2, key, g_keypass, sig + 1);
>   			sig[0] = EVM_IMA_XATTR_DIGSIG;
>   		}
>   
> @@ -3091,9 +3092,9 @@ int main(int argc, char *argv[])
>   			break;
>   		case 'p':
>   			if (optarg)
> -				imaevm_params.keypass = optarg;
> +				g_keypass = optarg;
>   			else
> -				imaevm_params.keypass = get_password();
> +				g_keypass = get_password();
>   			break;
>   		case 'f':
>   			sigfile = 1;
> @@ -3235,8 +3236,8 @@ int main(int argc, char *argv[])
>   		}
>   	}
>   
> -	if (!imaevm_params.keypass)
> -		imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD");
> +	if (!g_keypass)
> +		g_keypass = getenv("EVMCTL_KEY_PASSWORD");
>   
>   	if (imaevm_params.keyfile != NULL &&
>   	    imaevm_params.eng == NULL &&