Hi Stefan,

"Pass ENGINE and keyid through to function using them" describes what the patch does, but not the reason for the patch. Please update the patch description Subject line and similarly the cover letter Subject line.

On Fri, 2024-02-23 at 10:30 -0500, Stefan Berger wrote:
> Pass the ENGINE and keyid all the way through to the function that is
> using them and deprecate sign_hash since it needs to pass these parameters
> from the global imaevm_params. Define a new API call imaevm_signhash that
> takes all necessary variables as parameters.

The motivation for this patch is missing.

Instead of relying on imaevm_params.engine and imaevm_params.keyid global variables, which are not concurrency-safe, define a new library function imaevm_signhash() with the engine and keyid as parameters.

Pass the ENGINE and keyid ...

>
> In preparation of support for OpenSSL providers, wrap the ENGINE in a
> union inside a struct imaevm_ossl_access and add a type for the selection
> of the ENGINE or provider later on.

(If possible) Make sign_hash() a wrapper for imaevm_signhash(). Deprecate sign_hash().

>
> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
> ---

[...]
> int sign_hash(const char *hashalgo, const unsigned char *hash, int size, > const char *keyfile, const char *keypass, unsigned char *sig) > { > + const struct imaevm_ossl_access access_info = { > + .type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE, > + .u.engine = imaevm_params.eng, > + }; > if (!keypass) /* Avoid breaking existing libimaevm usage */ > keypass = imaevm_params.keypass; > > if (imaevm_params.x509) > - return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, > sig); > + return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, sig, > + &access_info, imaevm_params.keyid); > #if CONFIG_SIGV1 > else > - return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, > sig); > + return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, sig, > + &access_info, imaevm_params.keyid); If possible sign_hash() should become a wrapper for imaevm_signhash(). > #endif > log_info("Signature version 1 deprecated."); > return -1; thanks, Mimi
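Review bot: in the sign_hash() hunk, the deprecated function still chooses between sign_hash_v2() and sign_hash_v1() itself, reading imaevm_params.x509, imaevm_params.eng and imaevm_params.keyid, instead of going through the new imaevm_signhash(). Building access_info from imaevm_params.eng and then making a single call to imaevm_signhash() with imaevm_params.keyid would leave one dispatch path to maintain and confine the reads of the global to the deprecated entry point. Separately, access_info is always tagged IMAEVM_OSSL_ACCESS_TYPE_ENGINE with .u.engine taken from imaevm_params.eng, and the visible lines do not show what the callee does when no engine was configured and that pointer is NULL; a short comment on the struct or at this initializer stating that a NULL engine is valid for this type would make the contract explicit for callers of the new API.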