Replace the deprecated sign_hash() with imaevm_signhash(), and move the x509, engine and keyid settings it needs out of imaevm_params into file-scope state (sigflags, access_info, imaevm_keyid) that is passed to the new function.

Signed-off-by: Stefan Berger <[email protected]>
---
 src/evmctl.c | 74 +++++++++++++++++++++++++++++++---------------------
 1 file changed, 44 insertions(+), 30 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index d050b5e..776f304 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -147,6 +147,13 @@ static char *g_keypass;
 #define HMAC_FLAG_CAPS_SET     0x0002
 
 static unsigned long hmac_flags;
+static uint32_t imaevm_keyid;
+static struct imaevm_ossl_access access_info;
+static long sigflags;
+
+static inline bool use_x509(long sigflags) {
+       return (sigflags & IMAEVM_SIGFLAG_SIGNATURE_V1) == 0;
+}
 
 typedef int (*find_cb_t)(const char *path);
 static int find(const char *path, int dts, find_cb_t func);
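Review bot: The new `access_info` static relies on implicit zero-initialisation to mean "no engine configured", which is only correct if `IMAEVM_OSSL_ACCESS_TYPE_NONE` happens to be 0; the pkcs11 fallback and the `error:` cleanup later in this patch both compare against that enumerator, so make the intent explicit with `static struct imaevm_ossl_access access_info = { .type = IMAEVM_OSSL_ACCESS_TYPE_NONE };`. Separately, the parameter of `use_x509` shadows the file-scope `sigflags` declared two lines above it, which `-Wshadow` reports and which makes it easy to misread the helper as consulting the global; rename it, e.g. `static inline bool use_x509(long flags)` with `return (flags & IMAEVM_SIGFLAG_SIGNATURE_V1) == 0;`. I cannot see from this hunk whether `<stdbool.h>` is already included in evmctl.c; if it is not, the `bool` return type needs it.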
@@ -577,7 +584,8 @@ static int sign_evm(const char *file, char *hash_algo, 
const char *key)
                return len;
        assert(len <= sizeof(hash));
 
-       len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
+       len = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
+                             sig + 1, sigflags, &access_info, imaevm_keyid);
        if (len <= 1)
                return len;
        assert(len < sizeof(sig));
@@ -663,7 +671,8 @@ static int sign_ima(const char *file, char *hash_algo, 
const char *key)
                return len;
        assert(len <= sizeof(hash));
 
-       len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1);
+       len = imaevm_signhash(hash_algo, hash, len, key, g_keypass,
+                             sig + 1, sigflags, &access_info, imaevm_keyid);
        if (len <= 1)
                return len;
        assert(len < sizeof(sig));
@@ -844,8 +853,9 @@ static int cmd_sign_hash(struct command *cmd)
                                continue;
                        }
 
-                       siglen = sign_hash(algo, sigv3_hash, hashlen / 2,
-                                          key, g_keypass, sig + 1);
+                       siglen = imaevm_signhash(algo, sigv3_hash, hashlen / 2,
+                                                key, g_keypass, sig + 1, 
sigflags,
+                                                &access_info, imaevm_keyid);
 
                        sig[0] = IMA_VERITY_DIGSIG;
                        sig[1] = DIGSIG_VERSION_3;      /* sigv3 */
@@ -856,8 +866,10 @@ static int cmd_sign_hash(struct command *cmd)
                        assert(hashlen / 2 <= sizeof(hash));
                        hex2bin(hash, line, hashlen / 2);
 
-                       siglen = sign_hash(g_hash_algo, hash,
-                                          hashlen / 2, key, g_keypass, sig + 
1);
+                       siglen = imaevm_signhash(g_hash_algo, hash,
+                                                hashlen / 2, key, g_keypass,
+                                                sig + 1, sigflags,
+                                                &access_info, imaevm_keyid);
                        sig[0] = EVM_IMA_XATTR_DIGSIG;
                }
 
@@ -963,7 +975,7 @@ static int cmd_verify_evm(struct command *cmd)
                return -1;
        }
 
-       if (imaevm_params.x509) {
+       if (use_x509(sigflags)) {
                if (imaevm_params.keyfile) /* Support multiple public keys */
                        err = imaevm_init_public_keys(imaevm_params.keyfile,
                                                      &public_keys);
@@ -1026,7 +1038,7 @@ static int cmd_verify_ima(struct command *cmd)
                return -1;
        }
 
-       if (imaevm_params.x509) {
+       if (use_x509(sigflags)) {
                if (imaevm_params.keyfile) /* Support multiple public keys */
                        err = imaevm_init_public_keys(imaevm_params.keyfile,
                                                      &public_keys);
@@ -1061,15 +1073,12 @@ static int cmd_convert(struct command *cmd)
        uint8_t keyid[8];
        RSA *key;
 
-       imaevm_params.x509 = 0;
-
        inkey = g_argv[optind++];
        if (!inkey) {
-               inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
-                                            "/etc/keys/pubkey_evm.pem";
+               inkey = "/etc/keys/pubkey_evm.pem";
        }
 
-       key = read_pub_key(inkey, imaevm_params.x509);
+       key = read_pub_key(inkey, 0);
        if (!key)
                return 1;
 
@@ -1094,7 +1103,7 @@ static int cmd_import(struct command *cmd)
 
        inkey = g_argv[optind++];
        if (!inkey) {
-               inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
+               inkey = use_x509(sigflags) ? "/etc/keys/x509_evm.der" :
                                             "/etc/keys/pubkey_evm.pem";
        } else
                ring = g_argv[optind++];
@@ -1124,8 +1133,8 @@ static int cmd_import(struct command *cmd)
                }
        }
 
-       if (imaevm_params.x509) {
-               EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509);
+       if (use_x509(sigflags)) {
+               EVP_PKEY *pkey = read_pub_pkey(inkey, 1);
 
                if (!pkey)
                        return 1;
@@ -1138,7 +1147,7 @@ static int cmd_import(struct command *cmd)
                EVP_PKEY_free(pkey);
        } else {
 #if CONFIG_SIGV1
-               RSA *key = read_pub_key(inkey, imaevm_params.x509);
+               RSA *key = read_pub_key(inkey, 0);
 
                if (!key)
                        return 1;
@@ -1153,8 +1162,8 @@ static int cmd_import(struct command *cmd)
 
        log_info("Importing public key %s from file %s into keyring %d\n", 
name, inkey, id);
 
-       id = add_key(imaevm_params.x509 ? "asymmetric" : "user",
-                    imaevm_params.x509 ? NULL : name, pub, len, id);
+       id = add_key(use_x509(sigflags) ? "asymmetric" : "user",
+                    use_x509(sigflags) ? NULL : name, pub, len, id);
        if (id < 0) {
                log_err("add_key failed\n");
                err = id;
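Review bot: `use_x509(sigflags)` is now evaluated four times inside cmd_import (the default key path, the read branch, and twice in this `add_key` call); hoisting it once near the top of the function, `const bool x509 = use_x509(sigflags);`, lets the call read `add_key(x509 ? "asymmetric" : "user", x509 ? NULL : name, pub, len, id);` and rules out the branches ever disagreeing if the helper later grows more conditions. This is purely stylistic, the inline calls have no side effects. cmd_import starts and ends outside this hunk.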
@@ -3106,7 +3115,7 @@ int main(int argc, char *argv[])
                                hmac_flags |= HMAC_FLAG_NO_UUID;
                        break;
                case '1':
-                       imaevm_params.x509 = 0;
+                       sigflags |= IMAEVM_SIGFLAG_SIGNATURE_V1;
                        break;
                case 'k':
                        imaevm_params.keyfile = optarg;
@@ -3172,11 +3181,12 @@ int main(int argc, char *argv[])
                        break;
 #if CONFIG_IMA_EVM_ENGINE
                case 139: /* --engine e */
-                       imaevm_params.eng = setup_engine(optarg);
-                       if (!imaevm_params.eng) {
+                       access_info.u.engine = setup_engine(optarg);
+                       if (!access_info.u.engine) {
                                log_info("setup_engine failed\n");
                                goto error;
                        }
+                       access_info.type = IMAEVM_OSSL_ACCESS_TYPE_ENGINE;
                        break;
 #endif
                case 140: /* --xattr-user */
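Review bot: A repeated `--engine` option overwrites `access_info.u.engine` without finishing or freeing the engine set up by the earlier occurrence, so that ENGINE reference leaks and only the last one is released at `error:`; the same was true of `imaevm_params.eng` before this patch, but now that the struct carries a `type` discriminator the duplicate is cheap to reject before the `setup_engine` call: `if (access_info.type != IMAEVM_OSSL_ACCESS_TYPE_NONE) { log_err("--engine given more than once\n"); goto error; }`. Setting `access_info.type` only after `setup_engine` succeeds is the right order, since the cleanup at `error:` keys off the type. The enclosing option switch continues outside this hunk.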
@@ -3210,7 +3220,7 @@ int main(int argc, char *argv[])
                                log_err("Invalid keyid value.\n");
                                exit(1);
                        }
-                       imaevm_params.keyid = keyid;
+                       imaevm_keyid = keyid;
                        break;
                case 145:
                        keyid = imaevm_read_keyid(optarg);
@@ -3218,7 +3228,7 @@ int main(int argc, char *argv[])
                                log_err("Error reading keyid.\n");
                                exit(1);
                        }
-                       imaevm_params.keyid = keyid;
+                       imaevm_keyid = keyid;
                        break;
                case 146:
                        veritysig = 1;
@@ -3241,12 +3251,16 @@ int main(int argc, char *argv[])
                g_keypass = getenv("EVMCTL_KEY_PASSWORD");
 
        if (imaevm_params.keyfile != NULL &&
-           imaevm_params.eng == NULL &&
+           access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE &&
            !strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
 #if CONFIG_IMA_EVM_ENGINE
-               imaevm_params.eng = setup_engine("pkcs11");
+               if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE) {
+                       access_info.u.engine = setup_engine("pkcs11");
+                       if (access_info.u.engine)
+                               access_info.type = 
IMAEVM_OSSL_ACCESS_TYPE_ENGINE;
+               }
 #endif
-               if (!imaevm_params.eng)
+               if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_NONE)
                        goto error;
        }
 
@@ -3272,9 +3286,9 @@ int main(int argc, char *argv[])
 
 error:
 #if CONFIG_IMA_EVM_ENGINE
-       if (imaevm_params.eng) {
-               ENGINE_finish(imaevm_params.eng);
-               ENGINE_free(imaevm_params.eng);
+       if (access_info.type == IMAEVM_OSSL_ACCESS_TYPE_ENGINE) {
+               ENGINE_finish(access_info.u.engine);
+               ENGINE_free(access_info.u.engine);
 #if OPENSSL_API_COMPAT < 0x10100000L
                ENGINE_cleanup();
 #endif
-- 
2.43.0

