[PATCH ima-evm-utils 1/3] ima-evm-utils: Fix mismatched type checking

[PATCH ima-evm-utils 1/3] ima-evm-utils: Fix mismatched type checking

[Tianjia Zhang]

Even if imaevm_get_hash_algo() returns an error value of -1, it is
forced to be converted to uint8_t type here, resulting in this error
not being checked by the if condition. This patch fixes this error.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 src/libimaevm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index e6947d7..a9419ee 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -922,7 +922,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 	hdr->version = (uint8_t) DIGSIG_VERSION_2;
 
 	hdr->hash_algo = imaevm_get_hash_algo(algo);
-	if (hdr->hash_algo == -1) {
+	if (hdr->hash_algo == (uint8_t)-1) {
 		log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
 		return -1;
 	}
-- 
2.17.1

[PATCH ima-evm-utils 2/3] ima-evm-utils: beautify the code to make it more readable

[Tianjia Zhang]

Use enum type instead of hard-coded numbers to improve code readability.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 src/libimaevm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index a9419ee..8f2ebcf 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -579,7 +579,7 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 {
 	uint8_t hashalgo;
 
-	if (sig[0] == 1) {
+	if (sig[0] == DIGSIG_VERSION_1) {
 		hashalgo = ((struct signature_hdr *)sig)->hash;
 
 		if (hashalgo >= DIGEST_ALGO_MAX)
@@ -593,7 +593,7 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 		default:
 			return -1;
 		}
-	} else if (sig[0] == 2) {
+	} else if (sig[0] == DIGSIG_VERSION_2) {
 		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
 		if (hashalgo >= PKEY_HASH__LAST)
 			return -1;
@@ -625,7 +625,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 	unsigned char hash[MAX_DIGEST_SIZE];
 	int hashlen, sig_hash_algo;
 
-	if (sig[0] != 0x03) {
+	if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
 		log_err("xattr ima has no signature\n");
 		return -1;
 	}
-- 
2.17.1

[PATCH ima-evm-utils 3/3] ima-evm-utils: ima_sign supports sm3 algorithm

[Tianjia Zhang]

imaevm sign and verify support sm3 hash algorithm.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 src/libimaevm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 8f2ebcf..9c61e64 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -71,6 +71,7 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
+	[PKEY_HASH_SM3_256]	= "sm3",
 	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
 	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
 };
-- 
2.17.1

Re: [PATCH ima-evm-utils 1/3] ima-evm-utils: Fix mismatched type checking

[Mimi Zohar]

On Tue, 2020-07-07 at 11:35 +0800, Tianjia Zhang wrote:
> Even if imaevm_get_hash_algo() returns an error value of -1, it is
> forced to be converted to uint8_t type here, resulting in this error
> not being checked by the if condition. This patch fixes this error.
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Thanks!  This patch is now queued in the next branch.

Mimi

Re: [PATCH ima-evm-utils 2/3] ima-evm-utils: beautify the code to make it more readable

[Mimi Zohar]

On Tue, 2020-07-07 at 11:35 +0800, Tianjia Zhang wrote:
> @@ -625,7 +625,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
>  	unsigned char hash[MAX_DIGEST_SIZE];
>  	int hashlen, sig_hash_algo;
>  
> -	if (sig[0] != 0x03) {
> +	if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
>  		log_err("xattr ima has no signature\n");
>  		return -1;
>  	}

This last hunk didn't apply properly.  The error message now includes
the filename.  I've fixed this patch.  In the future, please post
patches against the next-testing branch.

thanks,

Mimi

Re: [PATCH ima-evm-utils 3/3] ima-evm-utils: ima_sign supports sm3 algorithm

[Mimi Zohar]

On Tue, 2020-07-07 at 11:35 +0800, Tianjia Zhang wrote:
> imaevm sign and verify support sm3 hash algorithm.
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

The patch description is a bit off.  The crypto support already
exists.  Please update the patch description appropriately.

Mimi

[PATCH ima-evm-utils 3/3] ima-evm-utils: ima_sign supports sm3 algorithm

[Tianjia Zhang]

imaevm sign and verify support sm3 hash algorithm.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 src/libimaevm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 8f2ebcf..9c61e64 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -71,6 +71,7 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
+	[PKEY_HASH_SM3_256]	= "sm3",
 	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
 	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
 };
-- 
2.17.1