Message ID | 20190718213510.10829-2-vt@altlinux.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [1/3] ima-evm-utils: Remove indirect call to subfunctions in verify_hash | expand |
On Fri, 2019-07-19 at 00:35 +0300, Vitaly Chikunov wrote: > Since we now always call verify_hash_v2() with NULL keyfile (assuming > all keys are already loaded into public_keys list), remove keyfile > argument and its handling from verify_hash_v2(). > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Thanks! > --- > src/libimaevm.c | 21 +++++++-------------- > 1 file changed, 7 insertions(+), 14 deletions(-) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index 97b7167..b153f1b 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles) > * Return: 0 verification good, 1 verification bad, -1 error. > */ > int verify_hash_v2(const char *file, const unsigned char *hash, int size, > - unsigned char *sig, int siglen, const char *keyfile) > + unsigned char *sig, int siglen) > { While making this change, could we also make both this and verify_hash_v1() functions static? Should I make the change? Mimi > int ret = -1; > EVP_PKEY *pkey, *pkey_free = NULL; > @@ -467,20 +467,13 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, > log_dump(hash, size); > } > > - if (public_keys) { > + pkey = find_keyid(hdr->keyid); > + if (!pkey) { > uint32_t keyid = hdr->keyid; > > - pkey = find_keyid(keyid); > - if (!pkey) { > - log_err("%s: unknown keyid: %x\n", file, > - __be32_to_cpup(&keyid)); > - return -1; > - } > - } else { > - pkey = read_pub_pkey(keyfile, 1); > - if (!pkey) > - return -1; > - pkey_free = pkey; > + log_err("%s: unknown keyid: %x\n", file, > + __be32_to_cpup(&keyid)); > + return -1; > } > > st = "EVP_PKEY_CTX_new"; > @@ -581,7 +574,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned > key = "/etc/keys/pubkey_evm.pem"; > return verify_hash_v1(file, hash, size, sig, siglen, key); > } else if (sig[0] == DIGSIG_VERSION_2) { > - return verify_hash_v2(file, hash, size, sig, siglen, NULL); > + return verify_hash_v2(file, hash, size, sig, siglen); > } else > return -1; > }
Mimi, On Thu, Jul 18, 2019 at 07:23:21PM -0400, Mimi Zohar wrote: > On Fri, 2019-07-19 at 00:35 +0300, Vitaly Chikunov wrote: > > Since we now always call verify_hash_v2() with NULL keyfile (assuming > > all keys are already loaded into public_keys list), remove keyfile > > argument and its handling from verify_hash_v2(). > > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > Thanks! > > > --- > > src/libimaevm.c | 21 +++++++-------------- > > 1 file changed, 7 insertions(+), 14 deletions(-) > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index 97b7167..b153f1b 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles) > > * Return: 0 verification good, 1 verification bad, -1 error. > > */ > > int verify_hash_v2(const char *file, const unsigned char *hash, int size, > > - unsigned char *sig, int siglen, const char *keyfile) > > + unsigned char *sig, int siglen) > > { > > While making this change, could we also make both this and > verify_hash_v1() functions static? Yes, I wonder why they wasn't static in the first place. > Should I make the change? OK! Thanks,
diff --git a/src/libimaevm.c b/src/libimaevm.c index 97b7167..b153f1b 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -453,7 +453,7 @@ void init_public_keys(const char *keyfiles) * Return: 0 verification good, 1 verification bad, -1 error. */ int verify_hash_v2(const char *file, const unsigned char *hash, int size, - unsigned char *sig, int siglen, const char *keyfile) + unsigned char *sig, int siglen) { int ret = -1; EVP_PKEY *pkey, *pkey_free = NULL; @@ -467,20 +467,13 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, log_dump(hash, size); } - if (public_keys) { + pkey = find_keyid(hdr->keyid); + if (!pkey) { uint32_t keyid = hdr->keyid; - pkey = find_keyid(keyid); - if (!pkey) { - log_err("%s: unknown keyid: %x\n", file, - __be32_to_cpup(&keyid)); - return -1; - } - } else { - pkey = read_pub_pkey(keyfile, 1); - if (!pkey) - return -1; - pkey_free = pkey; + log_err("%s: unknown keyid: %x\n", file, + __be32_to_cpup(&keyid)); + return -1; } st = "EVP_PKEY_CTX_new"; @@ -581,7 +574,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned key = "/etc/keys/pubkey_evm.pem"; return verify_hash_v1(file, hash, size, sig, siglen, key); } else if (sig[0] == DIGSIG_VERSION_2) { - return verify_hash_v2(file, hash, size, sig, siglen, NULL); + return verify_hash_v2(file, hash, size, sig, siglen); } else return -1; }
Since we now always call verify_hash_v2() with NULL keyfile (assuming all keys are already loaded into public_keys list), remove keyfile argument and its handling from verify_hash_v2(). Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- src/libimaevm.c | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-)