| Message ID | 20190725141114.28415-1-vt@altlinux.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] ima-evm-utils: Namespace some too generic object names | expand |
On Thu, 2019-07-25 at 17:11 +0300, Vitaly Chikunov wrote: > Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding > with other global symbols. > Also, rename `libevm_' to `libimaevm_`, only used with `params'. > Additionally, rename `dump' into `hexdump'. > Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by > Mimi Zohar. > > Lines that became too long are splitted, indent corrected. No code changes. > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Looks good, thanks! At this point all 3 patches are applied, in the order you indicated. Just waiting to see if Bruno or Petr want to add their tag to this version, before pushing it out. thanks! Mimi > --- > Changes from 1: > - Change prefix from ima_ to imaevm_. > - Add prefix to get_hash_algo. > - This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo > in verbose mode". > > src/evmctl.c | 109 +++++++++++++++++++++++++++++--------------------------- > src/imaevm.h | 16 +++++---- > src/libimaevm.c | 46 ++++++++++++------------ > 3 files changed, 89 insertions(+), 82 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 75dd163..b02be8b 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > return -1; > } > > - md = EVP_get_digestbyname(params.hash_algo); > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > + log_err("EVP_get_digestbyname(%s) failed\n", > + imaevm_params.hash_algo); > return 1; > } > > @@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key) > if (evm_immutable) > sig[1] = 3; /* immutable signature version */ > > - if (sigdump || params.verbose >= LOG_INFO) > - dump(sig, len); > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > + imaevm_hexdump(sig, len); > > if (xattr) { > err = lsetxattr(file, xattr_evm, sig, len, 0); > @@ -582,10 +583,10 @@ static int hash_ima(const char *file) > { > unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ > int len, err, offset; > - int algo = get_hash_algo(params.hash_algo); > + int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); > > if (algo < 0) { > - log_err("Unknown hash algo: %s\n", params.hash_algo); > + log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); > return -1; > } > if (algo > PKEY_HASH_SHA1) { > @@ -604,11 +605,11 @@ static int hash_ima(const char *file) > > len += offset; > > - if (params.verbose >= LOG_INFO) > - log_info("hash(%s): ", params.hash_algo); > + if (imaevm_params.verbose >= LOG_INFO) > + log_info("hash(%s): ", imaevm_params.hash_algo); > > - if (sigdump || params.verbose >= LOG_INFO) > - dump(hash, len); > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > + imaevm_hexdump(hash, len); > > if (xattr) { > err = lsetxattr(file, xattr_ima, hash, len, 0); > @@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key) > len++; > sig[0] = EVM_IMA_XATTR_DIGSIG; > > - if (sigdump || params.verbose >= LOG_INFO) > - dump(sig, len); > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > + imaevm_hexdump(sig, len); > > if (sigfile) > bin2file(file, "sig", sig, len); > @@ -722,7 +723,7 @@ static int sign_ima_file(const char *file) > { > const char *key; > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > return sign_ima(file, key); > } > @@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd) > unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03"; > int siglen; > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > /* support reading hash (eg. output of shasum) */ > while ((len = getline(&line, &line_len, stdin)) > 0) { > @@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd) > > assert(hashlen / 2 <= sizeof(hash)); > hex2bin(hash, line, hashlen / 2); > - siglen = sign_hash(params.hash_algo, hash, hashlen/2, > + siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2, > key, NULL, sig + 1); > if (siglen <= 1) > return siglen; > @@ -783,7 +784,7 @@ static int sign_evm_path(const char *file) > const char *key; > int err; > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > if (digsig) { > err = sign_ima(file, key); > @@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd) > return -1; > } > > - if (params.keyfile) /* Support multiple public keys */ > - init_public_keys(params.keyfile); > - else /* assume read pubkey from x509 cert */ > + if (imaevm_params.keyfile) /* Support multiple public keys */ > + init_public_keys(imaevm_params.keyfile); > + else /* assume read pubkey from x509 cert */ > init_public_keys("/etc/keys/x509_evm.der"); > > err = verify_evm(file); > - if (!err && params.verbose >= LOG_INFO) > + if (!err && imaevm_params.verbose >= LOG_INFO) > log_info("%s: verification is OK\n", file); > return err; > } > @@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd) > char *file = g_argv[optind++]; > int err; > > - if (params.keyfile) /* Support multiple public keys */ > - init_public_keys(params.keyfile); > - else /* assume read pubkey from x509 cert */ > + if (imaevm_params.keyfile) /* Support multiple public keys */ > + init_public_keys(imaevm_params.keyfile); > + else /* assume read pubkey from x509 cert */ > init_public_keys("/etc/keys/x509_evm.der"); > > errno = 0; > @@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd) > > do { > err = verify_ima(file); > - if (!err && params.verbose >= LOG_INFO) > + if (!err && imaevm_params.verbose >= LOG_INFO) > log_info("%s: verification is OK\n", file); > } while ((file = g_argv[optind++])); > return err; > @@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd) > uint8_t keyid[8]; > RSA *key; > > - params.x509 = 0; > + imaevm_params.x509 = 0; > > inkey = g_argv[optind++]; > if (!inkey) { > - inkey = params.x509 ? "/etc/keys/x509_evm.der" : > - "/etc/keys/pubkey_evm.pem"; > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : > + "/etc/keys/pubkey_evm.pem"; > } > > - key = read_pub_key(inkey, params.x509); > + key = read_pub_key(inkey, imaevm_params.x509); > if (!key) > return 1; > > @@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd) > > inkey = g_argv[optind++]; > if (!inkey) { > - inkey = params.x509 ? "/etc/keys/x509_evm.der" : > - "/etc/keys/pubkey_evm.pem"; > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : > + "/etc/keys/pubkey_evm.pem"; > } else > ring = g_argv[optind++]; > > @@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd) > } > } > > - if (params.x509) { > - EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509); > + if (imaevm_params.x509) { > + EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509); > > if (!pkey) > return 1; > @@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd) > calc_keyid_v2((uint32_t *)keyid, name, pkey); > EVP_PKEY_free(pkey); > } else { > - RSA *key = read_pub_key(inkey, params.x509); > + RSA *key = read_pub_key(inkey, imaevm_params.x509); > > if (!key) > return 1; > @@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd) > > log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); > > - id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id); > + id = add_key(imaevm_params.x509 ? "asymmetric" : "user", > + imaevm_params.x509 ? NULL : name, pub, len, id); > if (id < 0) { > log_err("add_key failed\n"); > err = id; > @@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd) > log_info("keyid: %d\n", id); > printf("%d\n", id); > } > - if (params.x509) > + if (imaevm_params.x509) > free(pub); > return err; > } > @@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > goto out; > } > > - md = EVP_get_digestbyname(params.hash_algo); > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > + log_err("EVP_get_digestbyname(%s) failed\n", > + imaevm_params.hash_algo); > goto out; > } > > @@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd) > return -1; > } > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > if (digsig) { > err = sign_ima(file, key); > @@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry) > } > > /* ascii_runtime_measurements */ > - if (params.verbose > LOG_INFO) { > + if (imaevm_params.verbose > LOG_INFO) { > log_info("%d ", entry->header.pcr); > log_dump_n(entry->header.digest, sizeof(entry->header.digest)); > log_info(" %s %s", entry->name, algo); > @@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry) > } > > if (sig) { > - if (params.verbose > LOG_INFO) { > + if (imaevm_params.verbose > LOG_INFO) { > log_info(" "); > log_dump(sig, sig_len); > } > @@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry) > digest, digest_len); > else > err = ima_verify_signature(path, sig, sig_len, NULL, 0); > - if (!err && params.verbose > LOG_INFO) > + if (!err && imaevm_params.verbose > LOG_INFO) > log_info("%s: verification is OK\n", path); > } else { > - if (params.verbose > LOG_INFO) > + if (imaevm_params.verbose > LOG_INFO) > log_info("\n"); > } > > @@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file) > return -1; > } > > - if (params.keyfile) /* Support multiple public keys */ > - init_public_keys(params.keyfile); > - else /* assume read pubkey from x509 cert */ > + if (imaevm_params.keyfile) /* Support multiple public keys */ > + init_public_keys(imaevm_params.keyfile); > + else /* assume read pubkey from x509 cert */ > init_public_keys("/etc/keys/x509_evm.der"); > > while (fread(&entry.header, sizeof(entry.header), 1, fp)) { > @@ -1959,7 +1962,7 @@ int main(int argc, char *argv[]) > exit(0); > break; > case 'v': > - params.verbose++; > + imaevm_params.verbose++; > break; > case 'd': > digest = 1; > @@ -1973,13 +1976,13 @@ int main(int argc, char *argv[]) > sigdump = 1; > break; > case 'a': > - params.hash_algo = optarg; > + imaevm_params.hash_algo = optarg; > break; > case 'p': > if (optarg) > - params.keypass = optarg; > + imaevm_params.keypass = optarg; > else > - params.keypass = get_password(); > + imaevm_params.keypass = get_password(); > break; > case 'f': > sigfile = 1; > @@ -1990,10 +1993,10 @@ int main(int argc, char *argv[]) > hmac_flags |= HMAC_FLAG_NO_UUID; > break; > case '1': > - params.x509 = 0; > + imaevm_params.x509 = 0; > break; > case 'k': > - params.keyfile = optarg; > + imaevm_params.keyfile = optarg; > break; > case 'i': > if (evm_portable) > diff --git a/src/imaevm.h b/src/imaevm.h > index 0414433..b881d92 100644 > --- a/src/imaevm.h > +++ b/src/imaevm.h > @@ -50,8 +50,10 @@ > #include <openssl/rsa.h> > > #ifdef USE_FPRINTF > -#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); }) > -#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); }) > +#define do_log(level, fmt, args...) \ > + ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); }) > +#define do_log_dump(level, p, len, cr) \ > + ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); }) > #else > #define do_log(level, fmt, args...) syslog(level, fmt, ##args) > #define do_log_dump(level, p, len, cr) > @@ -188,7 +190,7 @@ struct signature_v2_hdr { > uint8_t sig[0]; /* signature payload */ > } __packed; > > -struct libevm_params { > +struct libimaevm_params { > int verbose; > int x509; > const char *hash_algo; > @@ -204,12 +206,12 @@ struct RSA_ASN1_template { > #define NUM_PCRS 20 > #define DEFAULT_PCR 10 > > -extern struct libevm_params params; > +extern struct libimaevm_params imaevm_params; > > -void do_dump(FILE *fp, const void *ptr, int len, bool cr); > -void dump(const void *ptr, int len); > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr); > +void imaevm_hexdump(const void *ptr, int len); > int ima_calc_hash(const char *file, uint8_t *hash); > -int get_hash_algo(const char *algo); > +int imaevm_get_hash_algo(const char *algo); > RSA *read_pub_key(const char *keyfile, int x509); > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index 11dbf11..a582872 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > [PKEY_HASH_STREEBOG_512] = "streebog512", > }; > > -struct libevm_params params = { > +struct libimaevm_params imaevm_params = { > .verbose = LOG_INFO - 1, > .x509 = 1, > .hash_algo = "sha1", > @@ -89,7 +89,7 @@ struct libevm_params params = { > > static void __attribute__ ((constructor)) libinit(void); > > -void do_dump(FILE *fp, const void *ptr, int len, bool cr) > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr) > { > int i; > uint8_t *data = (uint8_t *) ptr; > @@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr) > fprintf(fp, "\n"); > } > > -void dump(const void *ptr, int len) > +void imaevm_hexdump(const void *ptr, int len) > { > - do_dump(stdout, ptr, len, true); > + imaevm_do_hexdump(stdout, ptr, len, true); > } > > const char *get_hash_algo_by_id(int algo) > @@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash) > goto err; > } > > - md = EVP_get_digestbyname(params.hash_algo); > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > + log_err("EVP_get_digestbyname(%s) failed\n", > + imaevm_params.hash_algo); > err = 1; > goto err; > } > @@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, > const EVP_MD *md; > const char *st; > > - if (params.verbose > LOG_INFO) { > - log_info("hash(%s): ", params.hash_algo); > + if (imaevm_params.verbose > LOG_INFO) { > + log_info("hash(%s): ", imaevm_params.hash_algo); > log_dump(hash, size); > } > > @@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, > if (!EVP_PKEY_verify_init(ctx)) > goto err; > st = "EVP_get_digestbyname"; > - if (!(md = EVP_get_digestbyname(params.hash_algo))) > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) > goto err; > st = "EVP_PKEY_CTX_set_signature_md"; > if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) > @@ -550,7 +551,7 @@ err: > return ret; > } > > -int get_hash_algo(const char *algo) > +int imaevm_get_hash_algo(const char *algo) > { > int i; > > @@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned > const char *key = NULL; > > /* Read pubkey from RSA key */ > - if (!params.keyfile) > + if (!imaevm_params.keyfile) > key = "/etc/keys/pubkey_evm.pem"; > return verify_hash_v1(file, hash, size, sig, siglen, key); > } else if (sig[0] == DIGSIG_VERSION_2) { > @@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, > return -1; > } > /* Use hash algorithm as retrieved from signature */ > - params.hash_algo = get_hash_algo_by_id(sig_hash_algo); > + imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo); > > /* > * Validate the signature based on the digest included in the > @@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len > id = __be64_to_cpup((__be64 *) keyid); > sprintf(str, "%llX", (unsigned long long)id); > > - if (params.verbose > LOG_INFO) > + if (imaevm_params.verbose > LOG_INFO) > log_info("keyid-v1: %s\n", str); > } > > @@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) > log_debug_dump(keyid, 4); > sprintf(str, "%x", __be32_to_cpup(keyid)); > > - if (params.verbose > LOG_INFO) > + if (imaevm_params.verbose > LOG_INFO) > log_info("keyid: %s\n", str); > > X509_PUBKEY_free(pk); > @@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons > log_info("hash(%s): ", hashalgo); > log_dump(hash, size); > > - key = read_priv_key(keyfile, params.keypass); > + key = read_priv_key(keyfile, imaevm_params.keypass); > if (!key) > return -1; > > @@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch > return -1; > } > > - log_info("hash(%s): ", params.hash_algo); > + log_info("hash(%s): ", imaevm_params.hash_algo); > log_dump(hash, size); > > - pkey = read_priv_pkey(keyfile, params.keypass); > + pkey = read_priv_pkey(keyfile, imaevm_params.keypass); > if (!pkey) > return -1; > > hdr = (struct signature_v2_hdr *)sig; > hdr->version = (uint8_t) DIGSIG_VERSION_2; > > - hdr->hash_algo = get_hash_algo(algo); > + hdr->hash_algo = imaevm_get_hash_algo(algo); > if (hdr->hash_algo == -1) { > log_err("sign_hash_v2: hash algo is unknown: %s\n", algo); > return -1; > @@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch > if (!EVP_PKEY_sign_init(ctx)) > goto err; > st = "EVP_get_digestbyname"; > - if (!(md = EVP_get_digestbyname(params.hash_algo))) > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) > goto err; > st = "EVP_PKEY_CTX_set_signature_md"; > if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) > @@ -965,10 +966,11 @@ err: > int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig) > { > if (keypass) > - params.keypass = keypass; > + imaevm_params.keypass = keypass; > > - return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) : > - sign_hash_v1(hashalgo, hash, size, keyfile, sig); > + return imaevm_params.x509 ? > + sign_hash_v2(hashalgo, hash, size, keyfile, sig) : > + sign_hash_v1(hashalgo, hash, size, keyfile, sig); > } > > static void libinit()
On Thu, Jul 25, 2019 at 10:34:23AM -0400, Mimi Zohar wrote: > On Thu, 2019-07-25 at 17:11 +0300, Vitaly Chikunov wrote: > > Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding > > with other global symbols. > > Also, rename `libevm_' to `libimaevm_`, only used with `params'. > > Additionally, rename `dump' into `hexdump'. > > Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by > > Mimi Zohar. > > > > Lines that became too long are splitted, indent corrected. No code changes. > > > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > > Looks good, thanks! At this point all 3 patches are applied, in the > order you indicated. Just waiting to see if Bruno or Petr want to add > their tag to this version, before pushing it out. > > thanks! > > Mimi > Yep! Seems pretty good to me :) Reviewed-by: Bruno E. O. Meneguele <bmeneg@redhat.com> > > --- > > Changes from 1: > > - Change prefix from ima_ to imaevm_. > > - Add prefix to get_hash_algo. > > - This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo > > in verbose mode". > > > > src/evmctl.c | 109 +++++++++++++++++++++++++++++--------------------------- > > src/imaevm.h | 16 +++++---- > > src/libimaevm.c | 46 ++++++++++++------------ > > 3 files changed, 89 insertions(+), 82 deletions(-) > > > > diff --git a/src/evmctl.c b/src/evmctl.c > > index 75dd163..b02be8b 100644 > > --- a/src/evmctl.c > > +++ b/src/evmctl.c > > @@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > > return -1; > > } > > > > - md = EVP_get_digestbyname(params.hash_algo); > > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > > if (!md) { > > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > > + log_err("EVP_get_digestbyname(%s) failed\n", > > + imaevm_params.hash_algo); > > return 1; > > } > > > > @@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key) > > return len; > > assert(len <= sizeof(hash)); > > > > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); > > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > > if (len <= 1) > > return len; > > assert(len < sizeof(sig)); > > @@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key) > > if (evm_immutable) > > sig[1] = 3; /* immutable signature version */ > > > > - if (sigdump || params.verbose >= LOG_INFO) > > - dump(sig, len); > > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > > + imaevm_hexdump(sig, len); > > > > if (xattr) { > > err = lsetxattr(file, xattr_evm, sig, len, 0); > > @@ -582,10 +583,10 @@ static int hash_ima(const char *file) > > { > > unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ > > int len, err, offset; > > - int algo = get_hash_algo(params.hash_algo); > > + int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); > > > > if (algo < 0) { > > - log_err("Unknown hash algo: %s\n", params.hash_algo); > > + log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); > > return -1; > > } > > if (algo > PKEY_HASH_SHA1) { > > @@ -604,11 +605,11 @@ static int hash_ima(const char *file) > > > > len += offset; > > > > - if (params.verbose >= LOG_INFO) > > - log_info("hash(%s): ", params.hash_algo); > > + if (imaevm_params.verbose >= LOG_INFO) > > + log_info("hash(%s): ", imaevm_params.hash_algo); > > > > - if (sigdump || params.verbose >= LOG_INFO) > > - dump(hash, len); > > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > > + imaevm_hexdump(hash, len); > > > > if (xattr) { > > err = lsetxattr(file, xattr_ima, hash, len, 0); > > @@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key) > > return len; > > assert(len <= sizeof(hash)); > > > > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); > > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > > if (len <= 1) > > return len; > > assert(len < sizeof(sig)); > > @@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key) > > len++; > > sig[0] = EVM_IMA_XATTR_DIGSIG; > > > > - if (sigdump || params.verbose >= LOG_INFO) > > - dump(sig, len); > > + if (sigdump || imaevm_params.verbose >= LOG_INFO) > > + imaevm_hexdump(sig, len); > > > > if (sigfile) > > bin2file(file, "sig", sig, len); > > @@ -722,7 +723,7 @@ static int sign_ima_file(const char *file) > > { > > const char *key; > > > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > > > return sign_ima(file, key); > > } > > @@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd) > > unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03"; > > int siglen; > > > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > > > /* support reading hash (eg. output of shasum) */ > > while ((len = getline(&line, &line_len, stdin)) > 0) { > > @@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd) > > > > assert(hashlen / 2 <= sizeof(hash)); > > hex2bin(hash, line, hashlen / 2); > > - siglen = sign_hash(params.hash_algo, hash, hashlen/2, > > + siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2, > > key, NULL, sig + 1); > > if (siglen <= 1) > > return siglen; > > @@ -783,7 +784,7 @@ static int sign_evm_path(const char *file) > > const char *key; > > int err; > > > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > > > if (digsig) { > > err = sign_ima(file, key); > > @@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd) > > return -1; > > } > > > > - if (params.keyfile) /* Support multiple public keys */ > > - init_public_keys(params.keyfile); > > - else /* assume read pubkey from x509 cert */ > > + if (imaevm_params.keyfile) /* Support multiple public keys */ > > + init_public_keys(imaevm_params.keyfile); > > + else /* assume read pubkey from x509 cert */ > > init_public_keys("/etc/keys/x509_evm.der"); > > > > err = verify_evm(file); > > - if (!err && params.verbose >= LOG_INFO) > > + if (!err && imaevm_params.verbose >= LOG_INFO) > > log_info("%s: verification is OK\n", file); > > return err; > > } > > @@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd) > > char *file = g_argv[optind++]; > > int err; > > > > - if (params.keyfile) /* Support multiple public keys */ > > - init_public_keys(params.keyfile); > > - else /* assume read pubkey from x509 cert */ > > + if (imaevm_params.keyfile) /* Support multiple public keys */ > > + init_public_keys(imaevm_params.keyfile); > > + else /* assume read pubkey from x509 cert */ > > init_public_keys("/etc/keys/x509_evm.der"); > > > > errno = 0; > > @@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd) > > > > do { > > err = verify_ima(file); > > - if (!err && params.verbose >= LOG_INFO) > > + if (!err && imaevm_params.verbose >= LOG_INFO) > > log_info("%s: verification is OK\n", file); > > } while ((file = g_argv[optind++])); > > return err; > > @@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd) > > uint8_t keyid[8]; > > RSA *key; > > > > - params.x509 = 0; > > + imaevm_params.x509 = 0; > > > > inkey = g_argv[optind++]; > > if (!inkey) { > > - inkey = params.x509 ? "/etc/keys/x509_evm.der" : > > - "/etc/keys/pubkey_evm.pem"; > > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : > > + "/etc/keys/pubkey_evm.pem"; > > } > > > > - key = read_pub_key(inkey, params.x509); > > + key = read_pub_key(inkey, imaevm_params.x509); > > if (!key) > > return 1; > > > > @@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd) > > > > inkey = g_argv[optind++]; > > if (!inkey) { > > - inkey = params.x509 ? "/etc/keys/x509_evm.der" : > > - "/etc/keys/pubkey_evm.pem"; > > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : > > + "/etc/keys/pubkey_evm.pem"; > > } else > > ring = g_argv[optind++]; > > > > @@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd) > > } > > } > > > > - if (params.x509) { > > - EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509); > > + if (imaevm_params.x509) { > > + EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509); > > > > if (!pkey) > > return 1; > > @@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd) > > calc_keyid_v2((uint32_t *)keyid, name, pkey); > > EVP_PKEY_free(pkey); > > } else { > > - RSA *key = read_pub_key(inkey, params.x509); > > + RSA *key = read_pub_key(inkey, imaevm_params.x509); > > > > if (!key) > > return 1; > > @@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd) > > > > log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); > > > > - id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id); > > + id = add_key(imaevm_params.x509 ? "asymmetric" : "user", > > + imaevm_params.x509 ? NULL : name, pub, len, id); > > if (id < 0) { > > log_err("add_key failed\n"); > > err = id; > > @@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd) > > log_info("keyid: %d\n", id); > > printf("%d\n", id); > > } > > - if (params.x509) > > + if (imaevm_params.x509) > > free(pub); > > return err; > > } > > @@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > > goto out; > > } > > > > - md = EVP_get_digestbyname(params.hash_algo); > > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > > if (!md) { > > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > > + log_err("EVP_get_digestbyname(%s) failed\n", > > + imaevm_params.hash_algo); > > goto out; > > } > > > > @@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd) > > return -1; > > } > > > > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; > > > > if (digsig) { > > err = sign_ima(file, key); > > @@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry) > > } > > > > /* ascii_runtime_measurements */ > > - if (params.verbose > LOG_INFO) { > > + if (imaevm_params.verbose > LOG_INFO) { > > log_info("%d ", entry->header.pcr); > > log_dump_n(entry->header.digest, sizeof(entry->header.digest)); > > log_info(" %s %s", entry->name, algo); > > @@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry) > > } > > > > if (sig) { > > - if (params.verbose > LOG_INFO) { > > + if (imaevm_params.verbose > LOG_INFO) { > > log_info(" "); > > log_dump(sig, sig_len); > > } > > @@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry) > > digest, digest_len); > > else > > err = ima_verify_signature(path, sig, sig_len, NULL, 0); > > - if (!err && params.verbose > LOG_INFO) > > + if (!err && imaevm_params.verbose > LOG_INFO) > > log_info("%s: verification is OK\n", path); > > } else { > > - if (params.verbose > LOG_INFO) > > + if (imaevm_params.verbose > LOG_INFO) > > log_info("\n"); > > } > > > > @@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file) > > return -1; > > } > > > > - if (params.keyfile) /* Support multiple public keys */ > > - init_public_keys(params.keyfile); > > - else /* assume read pubkey from x509 cert */ > > + if (imaevm_params.keyfile) /* Support multiple public keys */ > > + init_public_keys(imaevm_params.keyfile); > > + else /* assume read pubkey from x509 cert */ > > init_public_keys("/etc/keys/x509_evm.der"); > > > > while (fread(&entry.header, sizeof(entry.header), 1, fp)) { > > @@ -1959,7 +1962,7 @@ int main(int argc, char *argv[]) > > exit(0); > > break; > > case 'v': > > - params.verbose++; > > + imaevm_params.verbose++; > > break; > > case 'd': > > digest = 1; > > @@ -1973,13 +1976,13 @@ int main(int argc, char *argv[]) > > sigdump = 1; > > break; > > case 'a': > > - params.hash_algo = optarg; > > + imaevm_params.hash_algo = optarg; > > break; > > case 'p': > > if (optarg) > > - params.keypass = optarg; > > + imaevm_params.keypass = optarg; > > else > > - params.keypass = get_password(); > > + imaevm_params.keypass = get_password(); > > break; > > case 'f': > > sigfile = 1; > > @@ -1990,10 +1993,10 @@ int main(int argc, char *argv[]) > > hmac_flags |= HMAC_FLAG_NO_UUID; > > break; > > case '1': > > - params.x509 = 0; > > + imaevm_params.x509 = 0; > > break; > > case 'k': > > - params.keyfile = optarg; > > + imaevm_params.keyfile = optarg; > > break; > > case 'i': > > if (evm_portable) > > diff --git a/src/imaevm.h b/src/imaevm.h > > index 0414433..b881d92 100644 > > --- a/src/imaevm.h > > +++ b/src/imaevm.h > > @@ -50,8 +50,10 @@ > > #include <openssl/rsa.h> > > > > #ifdef USE_FPRINTF > > -#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); }) > > -#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); }) > > +#define do_log(level, fmt, args...) \ > > + ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); }) > > +#define do_log_dump(level, p, len, cr) \ > > + ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); }) > > #else > > #define do_log(level, fmt, args...) syslog(level, fmt, ##args) > > #define do_log_dump(level, p, len, cr) > > @@ -188,7 +190,7 @@ struct signature_v2_hdr { > > uint8_t sig[0]; /* signature payload */ > > } __packed; > > > > -struct libevm_params { > > +struct libimaevm_params { > > int verbose; > > int x509; > > const char *hash_algo; > > @@ -204,12 +206,12 @@ struct RSA_ASN1_template { > > #define NUM_PCRS 20 > > #define DEFAULT_PCR 10 > > > > -extern struct libevm_params params; > > +extern struct libimaevm_params imaevm_params; > > > > -void do_dump(FILE *fp, const void *ptr, int len, bool cr); > > -void dump(const void *ptr, int len); > > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr); > > +void imaevm_hexdump(const void *ptr, int len); > > int ima_calc_hash(const char *file, uint8_t *hash); > > -int get_hash_algo(const char *algo); > > +int imaevm_get_hash_algo(const char *algo); > > RSA *read_pub_key(const char *keyfile, int x509); > > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index 11dbf11..a582872 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { > > [PKEY_HASH_STREEBOG_512] = "streebog512", > > }; > > > > -struct libevm_params params = { > > +struct libimaevm_params imaevm_params = { > > .verbose = LOG_INFO - 1, > > .x509 = 1, > > .hash_algo = "sha1", > > @@ -89,7 +89,7 @@ struct libevm_params params = { > > > > static void __attribute__ ((constructor)) libinit(void); > > > > -void do_dump(FILE *fp, const void *ptr, int len, bool cr) > > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr) > > { > > int i; > > uint8_t *data = (uint8_t *) ptr; > > @@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr) > > fprintf(fp, "\n"); > > } > > > > -void dump(const void *ptr, int len) > > +void imaevm_hexdump(const void *ptr, int len) > > { > > - do_dump(stdout, ptr, len, true); > > + imaevm_do_hexdump(stdout, ptr, len, true); > > } > > > > const char *get_hash_algo_by_id(int algo) > > @@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash) > > goto err; > > } > > > > - md = EVP_get_digestbyname(params.hash_algo); > > + md = EVP_get_digestbyname(imaevm_params.hash_algo); > > if (!md) { > > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > > + log_err("EVP_get_digestbyname(%s) failed\n", > > + imaevm_params.hash_algo); > > err = 1; > > goto err; > > } > > @@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, > > const EVP_MD *md; > > const char *st; > > > > - if (params.verbose > LOG_INFO) { > > - log_info("hash(%s): ", params.hash_algo); > > + if (imaevm_params.verbose > LOG_INFO) { > > + log_info("hash(%s): ", imaevm_params.hash_algo); > > log_dump(hash, size); > > } > > > > @@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, > > if (!EVP_PKEY_verify_init(ctx)) > > goto err; > > st = "EVP_get_digestbyname"; > > - if (!(md = EVP_get_digestbyname(params.hash_algo))) > > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) > > goto err; > > st = "EVP_PKEY_CTX_set_signature_md"; > > if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) > > @@ -550,7 +551,7 @@ err: > > return ret; > > } > > > > -int get_hash_algo(const char *algo) > > +int imaevm_get_hash_algo(const char *algo) > > { > > int i; > > > > @@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned > > const char *key = NULL; > > > > /* Read pubkey from RSA key */ > > - if (!params.keyfile) > > + if (!imaevm_params.keyfile) > > key = "/etc/keys/pubkey_evm.pem"; > > return verify_hash_v1(file, hash, size, sig, siglen, key); > > } else if (sig[0] == DIGSIG_VERSION_2) { > > @@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, > > return -1; > > } > > /* Use hash algorithm as retrieved from signature */ > > - params.hash_algo = get_hash_algo_by_id(sig_hash_algo); > > + imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo); > > > > /* > > * Validate the signature based on the digest included in the > > @@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len > > id = __be64_to_cpup((__be64 *) keyid); > > sprintf(str, "%llX", (unsigned long long)id); > > > > - if (params.verbose > LOG_INFO) > > + if (imaevm_params.verbose > LOG_INFO) > > log_info("keyid-v1: %s\n", str); > > } > > > > @@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) > > log_debug_dump(keyid, 4); > > sprintf(str, "%x", __be32_to_cpup(keyid)); > > > > - if (params.verbose > LOG_INFO) > > + if (imaevm_params.verbose > LOG_INFO) > > log_info("keyid: %s\n", str); > > > > X509_PUBKEY_free(pk); > > @@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons > > log_info("hash(%s): ", hashalgo); > > log_dump(hash, size); > > > > - key = read_priv_key(keyfile, params.keypass); > > + key = read_priv_key(keyfile, imaevm_params.keypass); > > if (!key) > > return -1; > > > > @@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch > > return -1; > > } > > > > - log_info("hash(%s): ", params.hash_algo); > > + log_info("hash(%s): ", imaevm_params.hash_algo); > > log_dump(hash, size); > > > > - pkey = read_priv_pkey(keyfile, params.keypass); > > + pkey = read_priv_pkey(keyfile, imaevm_params.keypass); > > if (!pkey) > > return -1; > > > > hdr = (struct signature_v2_hdr *)sig; > > hdr->version = (uint8_t) DIGSIG_VERSION_2; > > > > - hdr->hash_algo = get_hash_algo(algo); > > + hdr->hash_algo = imaevm_get_hash_algo(algo); > > if (hdr->hash_algo == -1) { > > log_err("sign_hash_v2: hash algo is unknown: %s\n", algo); > > return -1; > > @@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch > > if (!EVP_PKEY_sign_init(ctx)) > > goto err; > > st = "EVP_get_digestbyname"; > > - if (!(md = EVP_get_digestbyname(params.hash_algo))) > > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) > > goto err; > > st = "EVP_PKEY_CTX_set_signature_md"; > > if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) > > @@ -965,10 +966,11 @@ err: > > int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig) > > { > > if (keypass) > > - params.keypass = keypass; > > + imaevm_params.keypass = keypass; > > > > - return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) : > > - sign_hash_v1(hashalgo, hash, size, keyfile, sig); > > + return imaevm_params.x509 ? > > + sign_hash_v2(hashalgo, hash, size, keyfile, sig) : > > + sign_hash_v1(hashalgo, hash, size, keyfile, sig); > > } > > > > static void libinit() >
diff --git a/src/evmctl.c b/src/evmctl.c index 75dd163..b02be8b 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash) return -1; } - md = EVP_get_digestbyname(params.hash_algo); + md = EVP_get_digestbyname(imaevm_params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); + log_err("EVP_get_digestbyname(%s) failed\n", + imaevm_params.hash_algo); return 1; } @@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key) if (evm_immutable) sig[1] = 3; /* immutable signature version */ - if (sigdump || params.verbose >= LOG_INFO) - dump(sig, len); + if (sigdump || imaevm_params.verbose >= LOG_INFO) + imaevm_hexdump(sig, len); if (xattr) { err = lsetxattr(file, xattr_evm, sig, len, 0); @@ -582,10 +583,10 @@ static int hash_ima(const char *file) { unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ int len, err, offset; - int algo = get_hash_algo(params.hash_algo); + int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); if (algo < 0) { - log_err("Unknown hash algo: %s\n", params.hash_algo); + log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); return -1; } if (algo > PKEY_HASH_SHA1) { @@ -604,11 +605,11 @@ static int hash_ima(const char *file) len += offset; - if (params.verbose >= LOG_INFO) - log_info("hash(%s): ", params.hash_algo); + if (imaevm_params.verbose >= LOG_INFO) + log_info("hash(%s): ", imaevm_params.hash_algo); - if (sigdump || params.verbose >= LOG_INFO) - dump(hash, len); + if (sigdump || imaevm_params.verbose >= LOG_INFO) + imaevm_hexdump(hash, len); if (xattr) { err = lsetxattr(file, xattr_ima, hash, len, 0); @@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key) len++; sig[0] = EVM_IMA_XATTR_DIGSIG; - if (sigdump || params.verbose >= LOG_INFO) - dump(sig, len); + if (sigdump || imaevm_params.verbose >= LOG_INFO) + imaevm_hexdump(sig, len); if (sigfile) bin2file(file, "sig", sig, len); @@ -722,7 +723,7 @@ static int sign_ima_file(const char *file) { const char *key; - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; return sign_ima(file, key); } @@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd) unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03"; int siglen; - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; /* support reading hash (eg. output of shasum) */ while ((len = getline(&line, &line_len, stdin)) > 0) { @@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd) assert(hashlen / 2 <= sizeof(hash)); hex2bin(hash, line, hashlen / 2); - siglen = sign_hash(params.hash_algo, hash, hashlen/2, + siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2, key, NULL, sig + 1); if (siglen <= 1) return siglen; @@ -783,7 +784,7 @@ static int sign_evm_path(const char *file) const char *key; int err; - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; if (digsig) { err = sign_ima(file, key); @@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd) return -1; } - if (params.keyfile) /* Support multiple public keys */ - init_public_keys(params.keyfile); - else /* assume read pubkey from x509 cert */ + if (imaevm_params.keyfile) /* Support multiple public keys */ + init_public_keys(imaevm_params.keyfile); + else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); err = verify_evm(file); - if (!err && params.verbose >= LOG_INFO) + if (!err && imaevm_params.verbose >= LOG_INFO) log_info("%s: verification is OK\n", file); return err; } @@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd) char *file = g_argv[optind++]; int err; - if (params.keyfile) /* Support multiple public keys */ - init_public_keys(params.keyfile); - else /* assume read pubkey from x509 cert */ + if (imaevm_params.keyfile) /* Support multiple public keys */ + init_public_keys(imaevm_params.keyfile); + else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); errno = 0; @@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd) do { err = verify_ima(file); - if (!err && params.verbose >= LOG_INFO) + if (!err && imaevm_params.verbose >= LOG_INFO) log_info("%s: verification is OK\n", file); } while ((file = g_argv[optind++])); return err; @@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd) uint8_t keyid[8]; RSA *key; - params.x509 = 0; + imaevm_params.x509 = 0; inkey = g_argv[optind++]; if (!inkey) { - inkey = params.x509 ? "/etc/keys/x509_evm.der" : - "/etc/keys/pubkey_evm.pem"; + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : + "/etc/keys/pubkey_evm.pem"; } - key = read_pub_key(inkey, params.x509); + key = read_pub_key(inkey, imaevm_params.x509); if (!key) return 1; @@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd) inkey = g_argv[optind++]; if (!inkey) { - inkey = params.x509 ? "/etc/keys/x509_evm.der" : - "/etc/keys/pubkey_evm.pem"; + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" : + "/etc/keys/pubkey_evm.pem"; } else ring = g_argv[optind++]; @@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd) } } - if (params.x509) { - EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509); + if (imaevm_params.x509) { + EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509); if (!pkey) return 1; @@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd) calc_keyid_v2((uint32_t *)keyid, name, pkey); EVP_PKEY_free(pkey); } else { - RSA *key = read_pub_key(inkey, params.x509); + RSA *key = read_pub_key(inkey, imaevm_params.x509); if (!key) return 1; @@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd) log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); - id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id); + id = add_key(imaevm_params.x509 ? "asymmetric" : "user", + imaevm_params.x509 ? NULL : name, pub, len, id); if (id < 0) { log_err("add_key failed\n"); err = id; @@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd) log_info("keyid: %d\n", id); printf("%d\n", id); } - if (params.x509) + if (imaevm_params.x509) free(pub); return err; } @@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h goto out; } - md = EVP_get_digestbyname(params.hash_algo); + md = EVP_get_digestbyname(imaevm_params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); + log_err("EVP_get_digestbyname(%s) failed\n", + imaevm_params.hash_algo); goto out; } @@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd) return -1; } - key = params.keyfile ? : "/etc/keys/privkey_evm.pem"; + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem"; if (digsig) { err = sign_ima(file, key); @@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry) } /* ascii_runtime_measurements */ - if (params.verbose > LOG_INFO) { + if (imaevm_params.verbose > LOG_INFO) { log_info("%d ", entry->header.pcr); log_dump_n(entry->header.digest, sizeof(entry->header.digest)); log_info(" %s %s", entry->name, algo); @@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry) } if (sig) { - if (params.verbose > LOG_INFO) { + if (imaevm_params.verbose > LOG_INFO) { log_info(" "); log_dump(sig, sig_len); } @@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry) digest, digest_len); else err = ima_verify_signature(path, sig, sig_len, NULL, 0); - if (!err && params.verbose > LOG_INFO) + if (!err && imaevm_params.verbose > LOG_INFO) log_info("%s: verification is OK\n", path); } else { - if (params.verbose > LOG_INFO) + if (imaevm_params.verbose > LOG_INFO) log_info("\n"); } @@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file) return -1; } - if (params.keyfile) /* Support multiple public keys */ - init_public_keys(params.keyfile); - else /* assume read pubkey from x509 cert */ + if (imaevm_params.keyfile) /* Support multiple public keys */ + init_public_keys(imaevm_params.keyfile); + else /* assume read pubkey from x509 cert */ init_public_keys("/etc/keys/x509_evm.der"); while (fread(&entry.header, sizeof(entry.header), 1, fp)) { @@ -1959,7 +1962,7 @@ int main(int argc, char *argv[]) exit(0); break; case 'v': - params.verbose++; + imaevm_params.verbose++; break; case 'd': digest = 1; @@ -1973,13 +1976,13 @@ int main(int argc, char *argv[]) sigdump = 1; break; case 'a': - params.hash_algo = optarg; + imaevm_params.hash_algo = optarg; break; case 'p': if (optarg) - params.keypass = optarg; + imaevm_params.keypass = optarg; else - params.keypass = get_password(); + imaevm_params.keypass = get_password(); break; case 'f': sigfile = 1; @@ -1990,10 +1993,10 @@ int main(int argc, char *argv[]) hmac_flags |= HMAC_FLAG_NO_UUID; break; case '1': - params.x509 = 0; + imaevm_params.x509 = 0; break; case 'k': - params.keyfile = optarg; + imaevm_params.keyfile = optarg; break; case 'i': if (evm_portable) diff --git a/src/imaevm.h b/src/imaevm.h index 0414433..b881d92 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -50,8 +50,10 @@ #include <openssl/rsa.h> #ifdef USE_FPRINTF -#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); }) -#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); }) +#define do_log(level, fmt, args...) \ + ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); }) +#define do_log_dump(level, p, len, cr) \ + ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); }) #else #define do_log(level, fmt, args...) syslog(level, fmt, ##args) #define do_log_dump(level, p, len, cr) @@ -188,7 +190,7 @@ struct signature_v2_hdr { uint8_t sig[0]; /* signature payload */ } __packed; -struct libevm_params { +struct libimaevm_params { int verbose; int x509; const char *hash_algo; @@ -204,12 +206,12 @@ struct RSA_ASN1_template { #define NUM_PCRS 20 #define DEFAULT_PCR 10 -extern struct libevm_params params; +extern struct libimaevm_params imaevm_params; -void do_dump(FILE *fp, const void *ptr, int len, bool cr); -void dump(const void *ptr, int len); +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr); +void imaevm_hexdump(const void *ptr, int len); int ima_calc_hash(const char *file, uint8_t *hash); -int get_hash_algo(const char *algo); +int imaevm_get_hash_algo(const char *algo); RSA *read_pub_key(const char *keyfile, int x509); EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); diff --git a/src/libimaevm.c b/src/libimaevm.c index 11dbf11..a582872 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_512] = "streebog512", }; -struct libevm_params params = { +struct libimaevm_params imaevm_params = { .verbose = LOG_INFO - 1, .x509 = 1, .hash_algo = "sha1", @@ -89,7 +89,7 @@ struct libevm_params params = { static void __attribute__ ((constructor)) libinit(void); -void do_dump(FILE *fp, const void *ptr, int len, bool cr) +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr) { int i; uint8_t *data = (uint8_t *) ptr; @@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr) fprintf(fp, "\n"); } -void dump(const void *ptr, int len) +void imaevm_hexdump(const void *ptr, int len) { - do_dump(stdout, ptr, len, true); + imaevm_do_hexdump(stdout, ptr, len, true); } const char *get_hash_algo_by_id(int algo) @@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash) goto err; } - md = EVP_get_digestbyname(params.hash_algo); + md = EVP_get_digestbyname(imaevm_params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); + log_err("EVP_get_digestbyname(%s) failed\n", + imaevm_params.hash_algo); err = 1; goto err; } @@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, const EVP_MD *md; const char *st; - if (params.verbose > LOG_INFO) { - log_info("hash(%s): ", params.hash_algo); + if (imaevm_params.verbose > LOG_INFO) { + log_info("hash(%s): ", imaevm_params.hash_algo); log_dump(hash, size); } @@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, if (!EVP_PKEY_verify_init(ctx)) goto err; st = "EVP_get_digestbyname"; - if (!(md = EVP_get_digestbyname(params.hash_algo))) + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) goto err; st = "EVP_PKEY_CTX_set_signature_md"; if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) @@ -550,7 +551,7 @@ err: return ret; } -int get_hash_algo(const char *algo) +int imaevm_get_hash_algo(const char *algo) { int i; @@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned const char *key = NULL; /* Read pubkey from RSA key */ - if (!params.keyfile) + if (!imaevm_params.keyfile) key = "/etc/keys/pubkey_evm.pem"; return verify_hash_v1(file, hash, size, sig, siglen, key); } else if (sig[0] == DIGSIG_VERSION_2) { @@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, return -1; } /* Use hash algorithm as retrieved from signature */ - params.hash_algo = get_hash_algo_by_id(sig_hash_algo); + imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo); /* * Validate the signature based on the digest included in the @@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len id = __be64_to_cpup((__be64 *) keyid); sprintf(str, "%llX", (unsigned long long)id); - if (params.verbose > LOG_INFO) + if (imaevm_params.verbose > LOG_INFO) log_info("keyid-v1: %s\n", str); } @@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) log_debug_dump(keyid, 4); sprintf(str, "%x", __be32_to_cpup(keyid)); - if (params.verbose > LOG_INFO) + if (imaevm_params.verbose > LOG_INFO) log_info("keyid: %s\n", str); X509_PUBKEY_free(pk); @@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons log_info("hash(%s): ", hashalgo); log_dump(hash, size); - key = read_priv_key(keyfile, params.keypass); + key = read_priv_key(keyfile, imaevm_params.keypass); if (!key) return -1; @@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch return -1; } - log_info("hash(%s): ", params.hash_algo); + log_info("hash(%s): ", imaevm_params.hash_algo); log_dump(hash, size); - pkey = read_priv_pkey(keyfile, params.keypass); + pkey = read_priv_pkey(keyfile, imaevm_params.keypass); if (!pkey) return -1; hdr = (struct signature_v2_hdr *)sig; hdr->version = (uint8_t) DIGSIG_VERSION_2; - hdr->hash_algo = get_hash_algo(algo); + hdr->hash_algo = imaevm_get_hash_algo(algo); if (hdr->hash_algo == -1) { log_err("sign_hash_v2: hash algo is unknown: %s\n", algo); return -1; @@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch if (!EVP_PKEY_sign_init(ctx)) goto err; st = "EVP_get_digestbyname"; - if (!(md = EVP_get_digestbyname(params.hash_algo))) + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) goto err; st = "EVP_PKEY_CTX_set_signature_md"; if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) @@ -965,10 +966,11 @@ err: int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig) { if (keypass) - params.keypass = keypass; + imaevm_params.keypass = keypass; - return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) : - sign_hash_v1(hashalgo, hash, size, keyfile, sig); + return imaevm_params.x509 ? + sign_hash_v2(hashalgo, hash, size, keyfile, sig) : + sign_hash_v1(hashalgo, hash, size, keyfile, sig); } static void libinit()
Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding with other global symbols. Also, rename `libevm_' to `libimaevm_`, only used with `params'. Additionally, rename `dump' into `hexdump'. Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by Mimi Zohar. Lines that became too long are splitted, indent corrected. No code changes. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- Changes from 1: - Change prefix from ima_ to imaevm_. - Add prefix to get_hash_algo. - This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo in verbose mode". src/evmctl.c | 109 +++++++++++++++++++++++++++++--------------------------- src/imaevm.h | 16 +++++---- src/libimaevm.c | 46 ++++++++++++------------ 3 files changed, 89 insertions(+), 82 deletions(-)