Message ID | 20231119165043.46960-12-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Address non concurrency-safe libimaevm global variables | expand |
On 11/19/23 11:50, Mimi Zohar wrote: > Instead of relying on the library "imaevm_params.algo" global variable, > which is not concurrency-safe, define and use an evmctl file specific > hash algorithm variable. > > Propogate using the file specific hash algorithm variable in sign_evm(), -> Propagate > sign_ima(), hash_ima(), and sign_hash() function. > > Replace using the library function ima_calc_hash() with ima_calc_hash2(). > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/evmctl.c | 21 +++++++++++---------- > 1 file changed, 11 insertions(+), 10 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 7ae897d8b8b3..b802eeb1bf15 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -140,6 +140,7 @@ static bool evm_immutable; > static bool evm_portable; > static bool veritysig; > static bool hwtpm; > +static char *hash_algo; g_hash_algo to avoid shadowing this variable in some cases where there is a function parameter of the same name? > > #define HMAC_FLAG_NO_UUID 0x0001 > #define HMAC_FLAG_CAPS_SET 0x0002 > @@ -570,12 +571,12 @@ static int sign_evm(const char *file, const char *key) Add hash_algo to the parameters here and call it sign_evm(file, key, g_hash_algo)? It makes sense to pass the hash_algo into this function that needs to know this for the signature and pushed the usage of global variables further out. > unsigned char sig[MAX_SIGNATURE_SIZE]; > int len, err; > > - len = calc_evm_hash(file, imaevm_params.hash_algo, hash); > + len = calc_evm_hash(file, hash_algo, hash); > if (len <= 1) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -609,10 +610,10 @@ static int hash_ima(const char *file) > { > unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ > int len, err, offset; > - int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); > + int algo = imaevm_get_hash_algo(hash_algo); > > if (algo < 0) { > - log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); > + log_err("Unknown hash algo: %s\n", hash_algo); > return -1; > } > if (algo > PKEY_HASH_SHA1) { > @@ -624,7 +625,7 @@ static int hash_ima(const char *file) > offset = 1; > } > > - len = ima_calc_hash(file, hash + offset); > + len = ima_calc_hash2(file, hash_algo, hash + offset); > if (len <= 1) > return len; > assert(len + offset <= sizeof(hash)); > @@ -632,7 +633,7 @@ static int hash_ima(const char *file) > len += offset; > > if (imaevm_params.verbose >= LOG_INFO) > - log_info("hash(%s): ", imaevm_params.hash_algo); > + log_info("hash(%s): ", hash_algo); > > if (sigdump || imaevm_params.verbose >= LOG_INFO) > imaevm_hexdump(hash, len); > @@ -656,12 +657,12 @@ static int sign_ima(const char *file, const char *key) > unsigned char sig[MAX_SIGNATURE_SIZE]; > int len, err; > > - len = ima_calc_hash(file, hash); > + len = ima_calc_hash2(file, hash_algo, hash); > if (len <= 1) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -854,7 +855,7 @@ static int cmd_sign_hash(struct command *cmd) > assert(hashlen / 2 <= sizeof(hash)); > hex2bin(hash, line, hashlen / 2); > > - siglen = sign_hash(imaevm_params.hash_algo, hash, > + siglen = sign_hash(hash_algo, hash, > hashlen / 2, key, NULL, sig + 1); > sig[0] = EVM_IMA_XATTR_DIGSIG; > } > @@ -3077,7 +3078,7 @@ int main(int argc, char *argv[]) > sigdump = 1; > break; > case 'a': > - imaevm_params.hash_algo = optarg; > + hash_algo = optarg; > break; > case 'p': > if (optarg)
diff --git a/src/evmctl.c b/src/evmctl.c index 7ae897d8b8b3..b802eeb1bf15 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -140,6 +140,7 @@ static bool evm_immutable; static bool evm_portable; static bool veritysig; static bool hwtpm; +static char *hash_algo; #define HMAC_FLAG_NO_UUID 0x0001 #define HMAC_FLAG_CAPS_SET 0x0002 @@ -570,12 +571,12 @@ static int sign_evm(const char *file, const char *key) unsigned char sig[MAX_SIGNATURE_SIZE]; int len, err; - len = calc_evm_hash(file, imaevm_params.hash_algo, hash); + len = calc_evm_hash(file, hash_algo, hash); if (len <= 1) return len; assert(len <= sizeof(hash)); - len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -609,10 +610,10 @@ static int hash_ima(const char *file) { unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ int len, err, offset; - int algo = imaevm_get_hash_algo(imaevm_params.hash_algo); + int algo = imaevm_get_hash_algo(hash_algo); if (algo < 0) { - log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo); + log_err("Unknown hash algo: %s\n", hash_algo); return -1; } if (algo > PKEY_HASH_SHA1) { @@ -624,7 +625,7 @@ static int hash_ima(const char *file) offset = 1; } - len = ima_calc_hash(file, hash + offset); + len = ima_calc_hash2(file, hash_algo, hash + offset); if (len <= 1) return len; assert(len + offset <= sizeof(hash)); @@ -632,7 +633,7 @@ static int hash_ima(const char *file) len += offset; if (imaevm_params.verbose >= LOG_INFO) - log_info("hash(%s): ", imaevm_params.hash_algo); + log_info("hash(%s): ", hash_algo); if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(hash, len); @@ -656,12 +657,12 @@ static int sign_ima(const char *file, const char *key) unsigned char sig[MAX_SIGNATURE_SIZE]; int len, err; - len = ima_calc_hash(file, hash); + len = ima_calc_hash2(file, hash_algo, hash); if (len <= 1) return len; assert(len <= sizeof(hash)); - len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -854,7 +855,7 @@ static int cmd_sign_hash(struct command *cmd) assert(hashlen / 2 <= sizeof(hash)); hex2bin(hash, line, hashlen / 2); - siglen = sign_hash(imaevm_params.hash_algo, hash, + siglen = sign_hash(hash_algo, hash, hashlen / 2, key, NULL, sig + 1); sig[0] = EVM_IMA_XATTR_DIGSIG; } @@ -3077,7 +3078,7 @@ int main(int argc, char *argv[]) sigdump = 1; break; case 'a': - imaevm_params.hash_algo = optarg; + hash_algo = optarg; break; case 'p': if (optarg)
Instead of relying on the library "imaevm_params.algo" global variable, which is not concurrency-safe, define and use an evmctl file specific hash algorithm variable. Propogate using the file specific hash algorithm variable in sign_evm(), sign_ima(), hash_ima(), and sign_hash() function. Replace using the library function ima_calc_hash() with ima_calc_hash2(). Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/evmctl.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-)