Message ID | 20231206192734.339999-14-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Address non concurrency-safe libimaevm global variables | expand |
On 12/6/23 14:27, Mimi Zohar wrote: > Instead of relying on the "imaevm_parrams.keypass" global variable, > which is not concurrency-safe, define and use a file specific variable. > > To avoid library incompatibility, don't remove imaevm_params.keypass > variable. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > --- > src/evmctl.c | 17 +++++++++-------- > 1 file changed, 9 insertions(+), 8 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 8eb2c46fbff0..72b800f6884c 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -141,6 +141,7 @@ static bool evm_portable; > static bool veritysig; > static bool hwtpm; > static char *g_hash_algo = DEFAULT_HASH_ALGO; > +static char *g_keypass; > > #define HMAC_FLAG_NO_UUID 0x0001 > #define HMAC_FLAG_CAPS_SET 0x0002 > @@ -576,7 +577,7 @@ static int sign_evm(const char *file, char *hash_algo, const char *key) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -662,7 +663,7 @@ static int sign_ima(const char *file, char *hash_algo, const char *key) > return len; > assert(len <= sizeof(hash)); > > - len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); > + len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); > if (len <= 1) > return len; > assert(len < sizeof(sig)); > @@ -844,7 +845,7 @@ static int cmd_sign_hash(struct command *cmd) > } > > siglen = sign_hash(algo, sigv3_hash, hashlen / 2, > - key, NULL, sig + 1); > + key, g_keypass, sig + 1); > > sig[0] = IMA_VERITY_DIGSIG; > sig[1] = DIGSIG_VERSION_3; /* sigv3 */ > @@ -856,7 +857,7 @@ static int cmd_sign_hash(struct command *cmd) > hex2bin(hash, line, hashlen / 2); > > siglen = sign_hash(g_hash_algo, hash, > - hashlen / 2, key, NULL, sig + 1); > + hashlen / 2, key, g_keypass, sig + 1); > sig[0] = EVM_IMA_XATTR_DIGSIG; > } > > @@ -3091,9 +3092,9 @@ int main(int argc, char *argv[]) > break; > case 'p': > if (optarg) > - imaevm_params.keypass = optarg; > + g_keypass = optarg; > else > - imaevm_params.keypass = get_password(); > + g_keypass = get_password(); > break; > case 'f': > sigfile = 1; > @@ -3235,8 +3236,8 @@ int main(int argc, char *argv[]) > } > } > > - if (!imaevm_params.keypass) > - imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD"); > + if (!g_keypass) > + g_keypass = getenv("EVMCTL_KEY_PASSWORD"); > > if (imaevm_params.keyfile != NULL && > imaevm_params.eng == NULL &&
diff --git a/src/evmctl.c b/src/evmctl.c index 8eb2c46fbff0..72b800f6884c 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -141,6 +141,7 @@ static bool evm_portable; static bool veritysig; static bool hwtpm; static char *g_hash_algo = DEFAULT_HASH_ALGO; +static char *g_keypass; #define HMAC_FLAG_NO_UUID 0x0001 #define HMAC_FLAG_CAPS_SET 0x0002 @@ -576,7 +577,7 @@ static int sign_evm(const char *file, char *hash_algo, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -662,7 +663,7 @@ static int sign_ima(const char *file, char *hash_algo, const char *key) return len; assert(len <= sizeof(hash)); - len = sign_hash(hash_algo, hash, len, key, NULL, sig + 1); + len = sign_hash(hash_algo, hash, len, key, g_keypass, sig + 1); if (len <= 1) return len; assert(len < sizeof(sig)); @@ -844,7 +845,7 @@ static int cmd_sign_hash(struct command *cmd) } siglen = sign_hash(algo, sigv3_hash, hashlen / 2, - key, NULL, sig + 1); + key, g_keypass, sig + 1); sig[0] = IMA_VERITY_DIGSIG; sig[1] = DIGSIG_VERSION_3; /* sigv3 */ @@ -856,7 +857,7 @@ static int cmd_sign_hash(struct command *cmd) hex2bin(hash, line, hashlen / 2); siglen = sign_hash(g_hash_algo, hash, - hashlen / 2, key, NULL, sig + 1); + hashlen / 2, key, g_keypass, sig + 1); sig[0] = EVM_IMA_XATTR_DIGSIG; } @@ -3091,9 +3092,9 @@ int main(int argc, char *argv[]) break; case 'p': if (optarg) - imaevm_params.keypass = optarg; + g_keypass = optarg; else - imaevm_params.keypass = get_password(); + g_keypass = get_password(); break; case 'f': sigfile = 1; @@ -3235,8 +3236,8 @@ int main(int argc, char *argv[]) } } - if (!imaevm_params.keypass) - imaevm_params.keypass = getenv("EVMCTL_KEY_PASSWORD"); + if (!g_keypass) + g_keypass = getenv("EVMCTL_KEY_PASSWORD"); if (imaevm_params.keyfile != NULL && imaevm_params.eng == NULL &&
Instead of relying on the "imaevm_parrams.keypass" global variable, which is not concurrency-safe, define and use a file specific variable. To avoid library incompatibility, don't remove imaevm_params.keypass variable. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/evmctl.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-)