Message ID | 20240104190558.3674008-10-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | Address non concurrency-safe libimaevm global variables | expand |
On 1/4/24 14:05, Mimi Zohar wrote: > Instead of relying on the "imaevm_params.algo" global variable, which > is not concurrency-safe, define and use a local variable. > > Update static verify_hash_v2(), verify_hash_v3(), and verify_hash_common() > function definitions to include a hash algorithm argument. > > Similarly update ima_verify_signature2() and ima_calc_hash2() to define > and use a local hash algorithm variable. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> > --- > src/libimaevm.c | 48 ++++++++++++++++++++++++++++-------------------- > 1 file changed, 28 insertions(+), 20 deletions(-) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index 214c656d6eba..48bce59fba43 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -485,7 +485,8 @@ void init_public_keys(const char *keyfiles) > * (Note: signature_v2_hdr struct does not contain the 'type'.) > */ > static int verify_hash_common(struct public_key_entry *public_keys, > - const char *file, const unsigned char *hash, > + const char *file, const char *hash_algo, > + const unsigned char *hash, > int size, unsigned char *sig, int siglen) > { > int ret = -1; > @@ -496,7 +497,7 @@ static int verify_hash_common(struct public_key_entry *public_keys, > const char *st; > > if (imaevm_params.verbose > LOG_INFO) { > - log_info("hash(%s): ", imaevm_params.hash_algo); > + log_info("hash(%s): ", hash_algo); > log_dump(hash, size); > } > > @@ -527,7 +528,8 @@ static int verify_hash_common(struct public_key_entry *public_keys, > if (!EVP_PKEY_verify_init(ctx)) > goto err; > st = "EVP_get_digestbyname"; > - if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) > + md = EVP_get_digestbyname(hash_algo); > + if (!md) > goto err; > st = "EVP_PKEY_CTX_set_signature_md"; > if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) > @@ -563,11 +565,12 @@ err: > * Return: 0 verification good, 1 verification bad, -1 error. > */ > static int verify_hash_v2(struct public_key_entry *public_keys, > - const char *file, const unsigned char *hash, > + const char *file, const char *hash_algo, > + const unsigned char *hash, > int size, unsigned char *sig, int siglen) > { > /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ > - return verify_hash_common(public_keys, file, hash, size, > + return verify_hash_common(public_keys, file, hash_algo, hash, size, > sig + 1, siglen - 1); > } > > @@ -578,19 +581,20 @@ static int verify_hash_v2(struct public_key_entry *public_keys, > * Return: 0 verification good, 1 verification bad, -1 error. > */ > static int verify_hash_v3(struct public_key_entry *public_keys, > - const char *file, const unsigned char *hash, > + const char *file, const char *hash_algo, > + const unsigned char *hash, > int size, unsigned char *sig, int siglen) > { > unsigned char sigv3_hash[MAX_DIGEST_SIZE]; > int ret; > > - ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash); > + ret = calc_hash_sigv3(sig[0], hash_algo, hash, sigv3_hash); > if (ret < 0) > return ret; > > /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ > - return verify_hash_common(public_keys, file, sigv3_hash, size, > - sig + 1, siglen - 1); > + return verify_hash_common(public_keys, file, hash_algo, sigv3_hash, > + size, sig + 1, siglen - 1); > } > > #define HASH_MAX_DIGESTSIZE 64 /* kernel HASH_MAX_DIGESTSIZE is 64 bytes */ > @@ -633,8 +637,10 @@ int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, > return -EINVAL; > } > > - if (!algo) > - algo = imaevm_params.hash_algo; > + if (!algo) { > + log_err("Hash algorithm unspecified\n"); > + return -EINVAL; > + } > > if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) { > log_err("Hash algorithm %s not supported\n", algo); > @@ -754,10 +760,10 @@ int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, > return -1; > #endif > } else if (sig[1] == DIGSIG_VERSION_2) { > - return verify_hash_v2(public_keys, file, hash, size, > + return verify_hash_v2(public_keys, file, hash_algo, hash, size, > sig, siglen); > } else if (sig[1] == DIGSIG_VERSION_3) { > - return verify_hash_v3(public_keys, file, hash, size, > + return verify_hash_v3(public_keys, file, hash_algo, hash, size, > sig, siglen); > } else > return -1; > @@ -766,8 +772,8 @@ int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, > int verify_hash(const char *file, const unsigned char *hash, int size, > unsigned char *sig, int siglen) > { > - return imaevm_verify_hash(g_public_keys, file, NULL, hash, size, > - sig, siglen); > + return imaevm_verify_hash(g_public_keys, file, imaevm_params.hash_algo, > + hash, size, sig, siglen); > } > > int ima_verify_signature2(struct public_key_entry *public_keys, const char *file, > @@ -776,6 +782,7 @@ int ima_verify_signature2(struct public_key_entry *public_keys, const char *file > { > unsigned char hash[MAX_DIGEST_SIZE]; > int hashlen, sig_hash_algo; > + const char *hash_algo; > > if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) { > log_err("%s: xattr ima has no signature\n", file); > @@ -793,22 +800,23 @@ int ima_verify_signature2(struct public_key_entry *public_keys, const char *file > return -1; > } > /* Use hash algorithm as retrieved from signature */ > - imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); > + hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); > > /* > * Validate the signature based on the digest included in the > * measurement list, not by calculating the local file digest. > */ > if (digest && digestlen > 0) > - return imaevm_verify_hash(public_keys, file, NULL, digest, > - digestlen, sig, siglen); > + return imaevm_verify_hash(public_keys, file, > + hash_algo, digest, digestlen, > + sig, siglen); > > - hashlen = ima_calc_hash(file, hash); > + hashlen = ima_calc_hash2(file, hash_algo, hash); > if (hashlen <= 1) > return hashlen; > assert(hashlen <= sizeof(hash)); > > - return imaevm_verify_hash(public_keys, file, NULL, hash, hashlen, > + return imaevm_verify_hash(public_keys, file, hash_algo, hash, hashlen, > sig, siglen); > } >
diff --git a/src/libimaevm.c b/src/libimaevm.c index 214c656d6eba..48bce59fba43 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -485,7 +485,8 @@ void init_public_keys(const char *keyfiles) * (Note: signature_v2_hdr struct does not contain the 'type'.) */ static int verify_hash_common(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { int ret = -1; @@ -496,7 +497,7 @@ static int verify_hash_common(struct public_key_entry *public_keys, const char *st; if (imaevm_params.verbose > LOG_INFO) { - log_info("hash(%s): ", imaevm_params.hash_algo); + log_info("hash(%s): ", hash_algo); log_dump(hash, size); } @@ -527,7 +528,8 @@ static int verify_hash_common(struct public_key_entry *public_keys, if (!EVP_PKEY_verify_init(ctx)) goto err; st = "EVP_get_digestbyname"; - if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) + md = EVP_get_digestbyname(hash_algo); + if (!md) goto err; st = "EVP_PKEY_CTX_set_signature_md"; if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) @@ -563,11 +565,12 @@ err: * Return: 0 verification good, 1 verification bad, -1 error. */ static int verify_hash_v2(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ - return verify_hash_common(public_keys, file, hash, size, + return verify_hash_common(public_keys, file, hash_algo, hash, size, sig + 1, siglen - 1); } @@ -578,19 +581,20 @@ static int verify_hash_v2(struct public_key_entry *public_keys, * Return: 0 verification good, 1 verification bad, -1 error. */ static int verify_hash_v3(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { unsigned char sigv3_hash[MAX_DIGEST_SIZE]; int ret; - ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash); + ret = calc_hash_sigv3(sig[0], hash_algo, hash, sigv3_hash); if (ret < 0) return ret; /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ - return verify_hash_common(public_keys, file, sigv3_hash, size, - sig + 1, siglen - 1); + return verify_hash_common(public_keys, file, hash_algo, sigv3_hash, + size, sig + 1, siglen - 1); } #define HASH_MAX_DIGESTSIZE 64 /* kernel HASH_MAX_DIGESTSIZE is 64 bytes */ @@ -633,8 +637,10 @@ int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, return -EINVAL; } - if (!algo) - algo = imaevm_params.hash_algo; + if (!algo) { + log_err("Hash algorithm unspecified\n"); + return -EINVAL; + } if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) { log_err("Hash algorithm %s not supported\n", algo); @@ -754,10 +760,10 @@ int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, return -1; #endif } else if (sig[1] == DIGSIG_VERSION_2) { - return verify_hash_v2(public_keys, file, hash, size, + return verify_hash_v2(public_keys, file, hash_algo, hash, size, sig, siglen); } else if (sig[1] == DIGSIG_VERSION_3) { - return verify_hash_v3(public_keys, file, hash, size, + return verify_hash_v3(public_keys, file, hash_algo, hash, size, sig, siglen); } else return -1; @@ -766,8 +772,8 @@ int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen) { - return imaevm_verify_hash(g_public_keys, file, NULL, hash, size, - sig, siglen); + return imaevm_verify_hash(g_public_keys, file, imaevm_params.hash_algo, + hash, size, sig, siglen); } int ima_verify_signature2(struct public_key_entry *public_keys, const char *file, @@ -776,6 +782,7 @@ int ima_verify_signature2(struct public_key_entry *public_keys, const char *file { unsigned char hash[MAX_DIGEST_SIZE]; int hashlen, sig_hash_algo; + const char *hash_algo; if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) { log_err("%s: xattr ima has no signature\n", file); @@ -793,22 +800,23 @@ int ima_verify_signature2(struct public_key_entry *public_keys, const char *file return -1; } /* Use hash algorithm as retrieved from signature */ - imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); + hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); /* * Validate the signature based on the digest included in the * measurement list, not by calculating the local file digest. */ if (digest && digestlen > 0) - return imaevm_verify_hash(public_keys, file, NULL, digest, - digestlen, sig, siglen); + return imaevm_verify_hash(public_keys, file, + hash_algo, digest, digestlen, + sig, siglen); - hashlen = ima_calc_hash(file, hash); + hashlen = ima_calc_hash2(file, hash_algo, hash); if (hashlen <= 1) return hashlen; assert(hashlen <= sizeof(hash)); - return imaevm_verify_hash(public_keys, file, NULL, hash, hashlen, + return imaevm_verify_hash(public_keys, file, hash_algo, hash, hashlen, sig, siglen); }
Instead of relying on the "imaevm_params.algo" global variable, which is not concurrency-safe, define and use a local variable. Update static verify_hash_v2(), verify_hash_v3(), and verify_hash_common() function definitions to include a hash algorithm argument. Similarly update ima_verify_signature2() and ima_calc_hash2() to define and use a local hash algorithm variable. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/libimaevm.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-)