[2/3] ima-evm-utils: Remove not needed argument from verify_hash_v2
diff mbox series

Message ID 20190718213510.10829-2-vt@altlinux.org
State New
Headers show
Series
  • [1/3] ima-evm-utils: Remove indirect call to subfunctions in verify_hash
Related show

Commit Message

Vitaly Chikunov July 18, 2019, 9:35 p.m. UTC
Since we now always call verify_hash_v2() with NULL keyfile (assuming
all keys are already loaded into public_keys list), remove keyfile
argument and its handling from verify_hash_v2().

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/libimaevm.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

Comments

Mimi Zohar July 18, 2019, 11:23 p.m. UTC | #1
On Fri, 2019-07-19 at 00:35 +0300, Vitaly Chikunov wrote:
> Since we now always call verify_hash_v2() with NULL keyfile (assuming
> all keys are already loaded into public_keys list), remove keyfile
> argument and its handling from verify_hash_v2().
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Thanks!

> ---
>  src/libimaevm.c | 21 +++++++--------------
>  1 file changed, 7 insertions(+), 14 deletions(-)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 97b7167..b153f1b 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles)
>   * Return: 0 verification good, 1 verification bad, -1 error.
>   */
>  int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> -		   unsigned char *sig, int siglen, const char *keyfile)
> +		   unsigned char *sig, int siglen)
>  {

While making this change, could we also make both this and
verify_hash_v1() functions static?  Should I make the change?

Mimi

>  	int ret = -1;
>  	EVP_PKEY *pkey, *pkey_free = NULL;
> @@ -467,20 +467,13 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
>  		log_dump(hash, size);
>  	}
> 
> -	if (public_keys) {
> +	pkey = find_keyid(hdr->keyid);
> +	if (!pkey) {
>  		uint32_t keyid = hdr->keyid;
> 
> -		pkey = find_keyid(keyid);
> -		if (!pkey) {
> -			log_err("%s: unknown keyid: %x\n", file,
> -				__be32_to_cpup(&keyid));
> -			return -1;
> -		}
> -	} else {
> -		pkey = read_pub_pkey(keyfile, 1);
> -		if (!pkey)
> -			return -1;
> -		pkey_free = pkey;
> +		log_err("%s: unknown keyid: %x\n", file,
> +			__be32_to_cpup(&keyid));
> +		return -1;
>  	}
> 
>  	st = "EVP_PKEY_CTX_new";
> @@ -581,7 +574,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
>  			key = "/etc/keys/pubkey_evm.pem";
>  		return verify_hash_v1(file, hash, size, sig, siglen, key);
>  	} else if (sig[0] == DIGSIG_VERSION_2) {
> -		return verify_hash_v2(file, hash, size, sig, siglen, NULL);
> +		return verify_hash_v2(file, hash, size, sig, siglen);
>  	} else
>  		return -1;
>  }
Vitaly Chikunov July 18, 2019, 11:26 p.m. UTC | #2
Mimi,

On Thu, Jul 18, 2019 at 07:23:21PM -0400, Mimi Zohar wrote:
> On Fri, 2019-07-19 at 00:35 +0300, Vitaly Chikunov wrote:
> > Since we now always call verify_hash_v2() with NULL keyfile (assuming
> > all keys are already loaded into public_keys list), remove keyfile
> > argument and its handling from verify_hash_v2().
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> 
> Thanks!
> 
> > ---
> >  src/libimaevm.c | 21 +++++++--------------
> >  1 file changed, 7 insertions(+), 14 deletions(-)
> > 
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index 97b7167..b153f1b 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles)
> >   * Return: 0 verification good, 1 verification bad, -1 error.
> >   */
> >  int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> > -		   unsigned char *sig, int siglen, const char *keyfile)
> > +		   unsigned char *sig, int siglen)
> >  {
> 
> While making this change, could we also make both this and
> verify_hash_v1() functions static?

Yes, I wonder why they wasn't static in the first place.

> Should I make the change?

OK!

Thanks,

Patch
diff mbox series

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 97b7167..b153f1b 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -453,7 +453,7 @@  void init_public_keys(const char *keyfiles)
  * Return: 0 verification good, 1 verification bad, -1 error.
  */
 int verify_hash_v2(const char *file, const unsigned char *hash, int size,
-		   unsigned char *sig, int siglen, const char *keyfile)
+		   unsigned char *sig, int siglen)
 {
 	int ret = -1;
 	EVP_PKEY *pkey, *pkey_free = NULL;
@@ -467,20 +467,13 @@  int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 		log_dump(hash, size);
 	}
 
-	if (public_keys) {
+	pkey = find_keyid(hdr->keyid);
+	if (!pkey) {
 		uint32_t keyid = hdr->keyid;
 
-		pkey = find_keyid(keyid);
-		if (!pkey) {
-			log_err("%s: unknown keyid: %x\n", file,
-				__be32_to_cpup(&keyid));
-			return -1;
-		}
-	} else {
-		pkey = read_pub_pkey(keyfile, 1);
-		if (!pkey)
-			return -1;
-		pkey_free = pkey;
+		log_err("%s: unknown keyid: %x\n", file,
+			__be32_to_cpup(&keyid));
+		return -1;
 	}
 
 	st = "EVP_PKEY_CTX_new";
@@ -581,7 +574,7 @@  int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
 			key = "/etc/keys/pubkey_evm.pem";
 		return verify_hash_v1(file, hash, size, sig, siglen, key);
 	} else if (sig[0] == DIGSIG_VERSION_2) {
-		return verify_hash_v2(file, hash, size, sig, siglen, NULL);
+		return verify_hash_v2(file, hash, size, sig, siglen);
 	} else
 		return -1;
 }