Replace the deprecated sign_hash with imaevm_signhash. Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> --- src/evmctl.c | 74 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 30 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index d050b5e..776f304 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -147,6 +147,13 @@ static char *g_keypass; #define HMAC_FLAG_CAPS_SET 0x0002 static unsigned long hmac_flags; +static uint32_t imaevm_keyid; +static struct imaevm_ossl_access access_info; +static long sigflags; + +static inline bool use_x509(long sigflags) { + return (sigflags & IMAEVM_SIGFLAG_SIGNATURE_V1) == 0; +} typedef int (*find_cb_t)(const char *path); static int find(const char *path, int dts, find_cb_t func); @@ -577,7 +584,8 @@ static int sign_evm(const char *file, char *hash_algo, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); + len = imaevm_signhash(hash_algo, hash, len, key, g_keypass, + sig + 1, sigflags, &access_info, imaevm_keyid); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -663,7 +671,8 @@ static int sign_ima(const char *file, char *hash_algo, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); + len = imaevm_signhash(hash_algo, hash, len, key, g_keypass, + sig + 1, sigflags, &access_info, imaevm_keyid); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -844,8 +853,9 @@ static int cmd_sign_hash(struct command *cmd) continue; } - siglen = sign_hash(algo, sigv3_hash, hashlen / 2, - key, g_keypass, sig + 1); + siglen = imaevm_signhash(algo, sigv3_hash, hashlen / 2, + key, g_keypass, sig + 1, sigflags, + &access_info, imaevm_keyid); sig[0] = IMA_VERITY_DIGSIG; sig[1] = DIGSIG_VERSION_3; /* sigv3 */ @@ -856,8 +866,10 @@ static int cmd_sign_hash(struct command *cmd) assert(hashlen / 2 <= sizeof(hash)); hex2bin(hash, line, hashlen / 2); - siglen = sign_hash(g_hash_algo, hash, - hashlen / 2, key, g_keypass, sig + 1); + siglen = imaevm_signhash(g_hash_algo, hash, + hashlen / 2, key, g_keypass, + sig + 1, sigflags, + &access_info, imaevm_keyid); sig[0] = EVM_IMA_XATTR_DIGSIG; } @@ -963,7 +975,7 @@ static int cmd_verify_evm(struct command *cmd) return -1; } - if (imaevm_params.x509) { + if (use_x509(sigflags)) { if (imaevm_params.keyfile) /* Support multiple public keys */ err = imaevm_init_public_keys(imaevm_params.keyfile, &public_keys); @@ -1026,7 +1038,7 @@ static int cmd_verify_ima(struct command *cmd) return -1; } - if (imaevm_params.x509) { + if (use_x509(sigflags)) { if (imaevm_params.keyfile) /* Support multiple public keys */ err = imaevm_init_public_keys(imaevm_params.keyfile, &public_keys); @@ -1061,15 +1073,12 @@ static int cmd_convert(struct command *cmd) uint8_t keyid[8]; RSA *key; - imaevm_params.x509 = 0; - inkey = g_argv[optind++]; if (!inkey) { - inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : - "/etc/keys/pubkey_evm.pem"; + inkey = "/etc/keys/pubkey_evm.pem"; } - key = read_pub_key(inkey, imaevm_params.x509); + key = read_pub_key(inkey, 0); if (!key) return 1; @@ -1094,7 +1103,7 @@ static int cmd_import(struct command *cmd) inkey = g_argv[optind++]; if (!inkey) { - inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : + inkey = use_x509(sigflags) ? "/etc/keys/x509_evm.der" : "/etc/keys/pubkey_evm.pem"; } else ring = g_argv[optind++]; @@ -1124,8 +1133,8 @@ static int cmd_import(struct command *cmd) } } - if (imaevm_params.x509) { - EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509); + if (use_x509(sigflags)) { + EVP_PKEY *pkey = read_pub_pkey(inkey, 1); if (!pkey) return 1; @@ -1138,7 +1147,7 @@ static int cmd_import(struct command *cmd) EVP_PKEY_free(pkey); } else { #if CONFIG_SIGV1 - RSA *key = read_pub_key(inkey, imaevm_params.x509); + RSA *key = read_pub_key(inkey, 0); if (!key) return 1; @@ -1153,8 +1162,8 @@ static int cmd_import(struct command *cmd) log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); - id = add_key(imaevm_params.x509 ? "asymmetric" : "user", - imaevm_params.x509 ? NULL : name, pub, len, id); + id = add_key(use_x509(sigflags) ? "asymmetric" : "user", + use_x509(sigflags) ? NULL : name, pub, len, id); if (id < 0) { log_err("add_key failed\n"); err = id; @@ -3106,7 +3115,7 @@ int main(int argc, char *argv[]) hmac_flags |= HMAC_FLAG_NO_UUID; break; case '1': - imaevm_params.x509 = 0; + sigflags |= IMAEVM_SIGFLAG_SIGNATURE_V1; break; case 'k': imaevm_params.keyfile = optarg; @@ -3172,11 +3181,12 @@ int main(int argc, char *argv[]) break; #if CONFIG_IMA_EVM_ENGINE case 139: /* --engine e */ - imaevm_params.eng = setup_engine(optarg); - if (!imaevm_params.eng) { + access_info.u.engine = setup_engine(optarg); + if (!access_info.u.engine) { log_info("setup_engine failed\n"); goto error; } + access_info.type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE; break; #endif case 140: /* --xattr-user */ @@ -3210,7 +3220,7 @@ int main(int argc, char *argv[]) log_err("Invalid keyid value.\n"); exit(1); } - imaevm_params.keyid = keyid; + imaevm_keyid = keyid; break; case 145: keyid = imaevm_read_keyid(optarg); @@ -3218,7 +3228,7 @@ int main(int argc, char *argv[]) log_err("Error reading keyid.\n"); exit(1); } - imaevm_params.keyid = keyid; + imaevm_keyid = keyid; break; case 146: veritysig = 1; @@ -3241,12 +3251,16 @@ int main(int argc, char *argv[]) g_keypass = getenv("EVMCTL_KEY_PASSWORD"); if (imaevm_params.keyfile != NULL && - imaevm_params.eng == NULL && + access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE && !strncmp(imaevm_params.keyfile, "pkcs11:", 7)) { #if CONFIG_IMA_EVM_ENGINE - imaevm_params.eng = setup_engine("pkcs11"); + if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) { + access_info.u.engine = setup_engine("pkcs11"); + if (access_info.u.engine) + access_info.type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE; + } #endif - if (!imaevm_params.eng) + if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) goto error; } @@ -3272,9 +3286,9 @@ int main(int argc, char *argv[]) error: #if CONFIG_IMA_EVM_ENGINE - if (imaevm_params.eng) { - ENGINE_finish(imaevm_params.eng); - ENGINE_free(imaevm_params.eng); + if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_ENGINE) { + ENGINE_finish(access_info.u.engine); + ENGINE_free(access_info.u.engine); #if OPENSSL_API_COMPAT < 0x10100000L ENGINE_cleanup(); #endif -- 2.43.0