* [PATCH v2] ima-evm-utils: Namespace some too generic object names
From: Vitaly Chikunov @ 2019-07-25 14:11 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding
with other global symbols.
Also, rename `libevm_' to `libimaevm_'; it is only used with `params'.
Additionally, rename `dump' to `hexdump'.
Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by
Mimi Zohar.
Lines that became too long are split, and their indentation corrected. No code changes.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
Changes from 1:
- Change prefix from ima_ to imaevm_.
- Add prefix to get_hash_algo.
- This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo
in verbose mode".
src/evmctl.c | 109 +++++++++++++++++++++++++++++---------------------------
src/imaevm.h | 16 +++++----
src/libimaevm.c | 46 ++++++++++++------------
3 files changed, 89 insertions(+), 82 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 75dd163..b02be8b 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n",
+ imaevm_params.hash_algo);
return 1;
}
@@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key)
if (evm_immutable)
sig[1] = 3; /* immutable signature version */
- if (sigdump || params.verbose >= LOG_INFO)
- dump(sig, len);
+ if (sigdump || imaevm_params.verbose >= LOG_INFO)
+ imaevm_hexdump(sig, len);
if (xattr) {
err = lsetxattr(file, xattr_evm, sig, len, 0);
@@ -582,10 +583,10 @@ static int hash_ima(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
int len, err, offset;
- int algo = get_hash_algo(params.hash_algo);
+ int algo = imaevm_get_hash_algo(imaevm_params.hash_algo);
if (algo < 0) {
- log_err("Unknown hash algo: %s\n", params.hash_algo);
+ log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo);
return -1;
}
if (algo > PKEY_HASH_SHA1) {
@@ -604,11 +605,11 @@ static int hash_ima(const char *file)
len += offset;
- if (params.verbose >= LOG_INFO)
- log_info("hash(%s): ", params.hash_algo);
+ if (imaevm_params.verbose >= LOG_INFO)
+ log_info("hash(%s): ", imaevm_params.hash_algo);
- if (sigdump || params.verbose >= LOG_INFO)
- dump(hash, len);
+ if (sigdump || imaevm_params.verbose >= LOG_INFO)
+ imaevm_hexdump(hash, len);
if (xattr) {
err = lsetxattr(file, xattr_ima, hash, len, 0);
@@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key)
len++;
sig[0] = EVM_IMA_XATTR_DIGSIG;
- if (sigdump || params.verbose >= LOG_INFO)
- dump(sig, len);
+ if (sigdump || imaevm_params.verbose >= LOG_INFO)
+ imaevm_hexdump(sig, len);
if (sigfile)
bin2file(file, "sig", sig, len);
@@ -722,7 +723,7 @@ static int sign_ima_file(const char *file)
{
const char *key;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
return sign_ima(file, key);
}
@@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd)
unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
int siglen;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
/* support reading hash (eg. output of shasum) */
while ((len = getline(&line, &line_len, stdin)) > 0) {
@@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd)
assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
- siglen = sign_hash(params.hash_algo, hash, hashlen/2,
+ siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2,
key, NULL, sig + 1);
if (siglen <= 1)
return siglen;
@@ -783,7 +784,7 @@ static int sign_evm_path(const char *file)
const char *key;
int err;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
if (digsig) {
err = sign_ima(file, key);
@@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
- else /* assume read pubkey from x509 cert */
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
err = verify_evm(file);
- if (!err && params.verbose >= LOG_INFO)
+ if (!err && imaevm_params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
}
@@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd)
char *file = g_argv[optind++];
int err;
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
- else /* assume read pubkey from x509 cert */
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
errno = 0;
@@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd)
do {
err = verify_ima(file);
- if (!err && params.verbose >= LOG_INFO)
+ if (!err && imaevm_params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
} while ((file = g_argv[optind++]));
return err;
@@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd)
uint8_t keyid[8];
RSA *key;
- params.x509 = 0;
+ imaevm_params.x509 = 0;
inkey = g_argv[optind++];
if (!inkey) {
- inkey = params.x509 ? "/etc/keys/x509_evm.der" :
- "/etc/keys/pubkey_evm.pem";
+ inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
+ "/etc/keys/pubkey_evm.pem";
}
- key = read_pub_key(inkey, params.x509);
+ key = read_pub_key(inkey, imaevm_params.x509);
if (!key)
return 1;
@@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd)
inkey = g_argv[optind++];
if (!inkey) {
- inkey = params.x509 ? "/etc/keys/x509_evm.der" :
- "/etc/keys/pubkey_evm.pem";
+ inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
+ "/etc/keys/pubkey_evm.pem";
} else
ring = g_argv[optind++];
@@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd)
}
}
- if (params.x509) {
- EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509);
+ if (imaevm_params.x509) {
+ EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509);
if (!pkey)
return 1;
@@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd)
calc_keyid_v2((uint32_t *)keyid, name, pkey);
EVP_PKEY_free(pkey);
} else {
- RSA *key = read_pub_key(inkey, params.x509);
+ RSA *key = read_pub_key(inkey, imaevm_params.x509);
if (!key)
return 1;
@@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd)
log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
- id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id);
+ id = add_key(imaevm_params.x509 ? "asymmetric" : "user",
+ imaevm_params.x509 ? NULL : name, pub, len, id);
if (id < 0) {
log_err("add_key failed\n");
err = id;
@@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd)
log_info("keyid: %d\n", id);
printf("%d\n", id);
}
- if (params.x509)
+ if (imaevm_params.x509)
free(pub);
return err;
}
@@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n",
+ imaevm_params.hash_algo);
goto out;
}
@@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd)
return -1;
}
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
if (digsig) {
err = sign_ima(file, key);
@@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry)
}
/* ascii_runtime_measurements */
- if (params.verbose > LOG_INFO) {
+ if (imaevm_params.verbose > LOG_INFO) {
log_info("%d ", entry->header.pcr);
log_dump_n(entry->header.digest, sizeof(entry->header.digest));
log_info(" %s %s", entry->name, algo);
@@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry)
}
if (sig) {
- if (params.verbose > LOG_INFO) {
+ if (imaevm_params.verbose > LOG_INFO) {
log_info(" ");
log_dump(sig, sig_len);
}
@@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry)
digest, digest_len);
else
err = ima_verify_signature(path, sig, sig_len, NULL, 0);
- if (!err && params.verbose > LOG_INFO)
+ if (!err && imaevm_params.verbose > LOG_INFO)
log_info("%s: verification is OK\n", path);
} else {
- if (params.verbose > LOG_INFO)
+ if (imaevm_params.verbose > LOG_INFO)
log_info("\n");
}
@@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file)
return -1;
}
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
- else /* assume read pubkey from x509 cert */
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
@@ -1959,7 +1962,7 @@ int main(int argc, char *argv[])
exit(0);
break;
case 'v':
- params.verbose++;
+ imaevm_params.verbose++;
break;
case 'd':
digest = 1;
@@ -1973,13 +1976,13 @@ int main(int argc, char *argv[])
sigdump = 1;
break;
case 'a':
- params.hash_algo = optarg;
+ imaevm_params.hash_algo = optarg;
break;
case 'p':
if (optarg)
- params.keypass = optarg;
+ imaevm_params.keypass = optarg;
else
- params.keypass = get_password();
+ imaevm_params.keypass = get_password();
break;
case 'f':
sigfile = 1;
@@ -1990,10 +1993,10 @@ int main(int argc, char *argv[])
hmac_flags |= HMAC_FLAG_NO_UUID;
break;
case '1':
- params.x509 = 0;
+ imaevm_params.x509 = 0;
break;
case 'k':
- params.keyfile = optarg;
+ imaevm_params.keyfile = optarg;
break;
case 'i':
if (evm_portable)
diff --git a/src/imaevm.h b/src/imaevm.h
index 0414433..b881d92 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -50,8 +50,10 @@
#include <openssl/rsa.h>
#ifdef USE_FPRINTF
-#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
-#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
+#define do_log(level, fmt, args...) \
+ ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
+#define do_log_dump(level, p, len, cr) \
+ ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
#else
#define do_log(level, fmt, args...) syslog(level, fmt, ##args)
#define do_log_dump(level, p, len, cr)
@@ -188,7 +190,7 @@ struct signature_v2_hdr {
uint8_t sig[0]; /* signature payload */
} __packed;
-struct libevm_params {
+struct libimaevm_params {
int verbose;
int x509;
const char *hash_algo;
@@ -204,12 +206,12 @@ struct RSA_ASN1_template {
#define NUM_PCRS 20
#define DEFAULT_PCR 10
-extern struct libevm_params params;
+extern struct libimaevm_params imaevm_params;
-void do_dump(FILE *fp, const void *ptr, int len, bool cr);
-void dump(const void *ptr, int len);
+void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
+void imaevm_hexdump(const void *ptr, int len);
int ima_calc_hash(const char *file, uint8_t *hash);
-int get_hash_algo(const char *algo);
+int imaevm_get_hash_algo(const char *algo);
RSA *read_pub_key(const char *keyfile, int x509);
EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
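Review bot: The renamed declarations `imaevm_do_hexdump`, `imaevm_hexdump` and `imaevm_get_hash_algo` are added to the public header without any comment on their contract, and the neighbouring exported names (`read_pub_key`, `read_pub_pkey`, `ima_calc_hash`, and `get_hash_algo_by_id` in libimaevm.c) keep the unprefixed style this patch is moving away from, so the header now mixes two naming conventions. A one-line comment per new declaration would help, for example `/* Print len bytes at ptr as hex to fp; append a newline when cr is set. */` above `imaevm_do_hexdump`, and `/* Map an algorithm name to its PKEY_HASH_* id, or -1 if unknown. */` above `imaevm_get_hash_algo` (the -1 return is visible in the sign_hash_v2 hunk of libimaevm.c). Since these are exported symbols of libimaevm, renaming them is presumably an ABI change for any out-of-tree consumer of the library, which the commit message could state explicitly alongside "No code changes".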
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 11dbf11..a582872 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
[PKEY_HASH_STREEBOG_512] = "streebog512",
};
-struct libevm_params params = {
+struct libimaevm_params imaevm_params = {
.verbose = LOG_INFO - 1,
.x509 = 1,
.hash_algo = "sha1",
@@ -89,7 +89,7 @@ struct libevm_params params = {
static void __attribute__ ((constructor)) libinit(void);
-void do_dump(FILE *fp, const void *ptr, int len, bool cr)
+void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
{
int i;
uint8_t *data = (uint8_t *) ptr;
@@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr)
fprintf(fp, "\n");
}
-void dump(const void *ptr, int len)
+void imaevm_hexdump(const void *ptr, int len)
{
- do_dump(stdout, ptr, len, true);
+ imaevm_do_hexdump(stdout, ptr, len, true);
}
const char *get_hash_algo_by_id(int algo)
@@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash)
goto err;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(imaevm_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n",
+ imaevm_params.hash_algo);
err = 1;
goto err;
}
@@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
const EVP_MD *md;
const char *st;
- if (params.verbose > LOG_INFO) {
- log_info("hash(%s): ", params.hash_algo);
+ if (imaevm_params.verbose > LOG_INFO) {
+ log_info("hash(%s): ", imaevm_params.hash_algo);
log_dump(hash, size);
}
@@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
if (!EVP_PKEY_verify_init(ctx))
goto err;
st = "EVP_get_digestbyname";
- if (!(md = EVP_get_digestbyname(params.hash_algo)))
+ if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
@@ -550,7 +551,7 @@ err:
return ret;
}
-int get_hash_algo(const char *algo)
+int imaevm_get_hash_algo(const char *algo)
{
int i;
@@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
const char *key = NULL;
/* Read pubkey from RSA key */
- if (!params.keyfile)
+ if (!imaevm_params.keyfile)
key = "/etc/keys/pubkey_evm.pem";
return verify_hash_v1(file, hash, size, sig, siglen, key);
} else if (sig[0] == DIGSIG_VERSION_2) {
@@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return -1;
}
/* Use hash algorithm as retrieved from signature */
- params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+ imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
/*
* Validate the signature based on the digest included in the
@@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
id = __be64_to_cpup((__be64 *) keyid);
sprintf(str, "%llX", (unsigned long long)id);
- if (params.verbose > LOG_INFO)
+ if (imaevm_params.verbose > LOG_INFO)
log_info("keyid-v1: %s\n", str);
}
@@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
log_debug_dump(keyid, 4);
sprintf(str, "%x", __be32_to_cpup(keyid));
- if (params.verbose > LOG_INFO)
+ if (imaevm_params.verbose > LOG_INFO)
log_info("keyid: %s\n", str);
X509_PUBKEY_free(pk);
@@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
log_info("hash(%s): ", hashalgo);
log_dump(hash, size);
- key = read_priv_key(keyfile, params.keypass);
+ key = read_priv_key(keyfile, imaevm_params.keypass);
if (!key)
return -1;
@@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
return -1;
}
- log_info("hash(%s): ", params.hash_algo);
+ log_info("hash(%s): ", imaevm_params.hash_algo);
log_dump(hash, size);
- pkey = read_priv_pkey(keyfile, params.keypass);
+ pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
if (!pkey)
return -1;
hdr = (struct signature_v2_hdr *)sig;
hdr->version = (uint8_t) DIGSIG_VERSION_2;
- hdr->hash_algo = get_hash_algo(algo);
+ hdr->hash_algo = imaevm_get_hash_algo(algo);
if (hdr->hash_algo == -1) {
log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
return -1;
@@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
- if (!(md = EVP_get_digestbyname(params.hash_algo)))
+ if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
@@ -965,10 +966,11 @@ err:
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
{
if (keypass)
- params.keypass = keypass;
+ imaevm_params.keypass = keypass;
- return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
- sign_hash_v1(hashalgo, hash, size, keyfile, sig);
+ return imaevm_params.x509 ?
+ sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
+ sign_hash_v1(hashalgo, hash, size, keyfile, sig);
}
static void libinit()
--
2.11.0
* Re: [PATCH v2] ima-evm-utils: Namespace some too generic object names
From: Mimi Zohar @ 2019-07-25 14:34 UTC (permalink / raw)
To: Vitaly Chikunov, Mimi Zohar, Dmitry Kasatkin, linux-integrity
Cc: Bruno E. O. Meneguele, Petr Vorel
On Thu, 2019-07-25 at 17:11 +0300, Vitaly Chikunov wrote:
> Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding
> with other global symbols.
> Also, rename `libevm_' to `libimaevm_`, only used with `params'.
> Additionally, rename `dump' into `hexdump'.
> Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by
> Mimi Zohar.
>
> Lines that became too long are splitted, indent corrected. No code changes.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Looks good, thanks! At this point all 3 patches are applied, in the
order you indicated. Just waiting to see if Bruno or Petr want to add
their tag to this version, before pushing it out.
thanks!
Mimi
> ---
> Changes from 1:
> - Change prefix from ima_ to imaevm_.
> - Add prefix to get_hash_algo.
> - This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo
> in verbose mode".
>
> src/evmctl.c | 109 +++++++++++++++++++++++++++++---------------------------
> src/imaevm.h | 16 +++++----
> src/libimaevm.c | 46 ++++++++++++------------
> 3 files changed, 89 insertions(+), 82 deletions(-)
>
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 75dd163..b02be8b 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> return -1;
> }
>
> - md = EVP_get_digestbyname(params.hash_algo);
> + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> if (!md) {
> - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> + log_err("EVP_get_digestbyname(%s) failed\n",
> + imaevm_params.hash_algo);
> return 1;
> }
>
> @@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key)
> return len;
> assert(len <= sizeof(hash));
>
> - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
> + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
> if (len <= 1)
> return len;
> assert(len < sizeof(sig));
> @@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key)
> if (evm_immutable)
> sig[1] = 3; /* immutable signature version */
>
> - if (sigdump || params.verbose >= LOG_INFO)
> - dump(sig, len);
> + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> + imaevm_hexdump(sig, len);
>
> if (xattr) {
> err = lsetxattr(file, xattr_evm, sig, len, 0);
> @@ -582,10 +583,10 @@ static int hash_ima(const char *file)
> {
> unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
> int len, err, offset;
> - int algo = get_hash_algo(params.hash_algo);
> + int algo = imaevm_get_hash_algo(imaevm_params.hash_algo);
>
> if (algo < 0) {
> - log_err("Unknown hash algo: %s\n", params.hash_algo);
> + log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo);
> return -1;
> }
> if (algo > PKEY_HASH_SHA1) {
> @@ -604,11 +605,11 @@ static int hash_ima(const char *file)
>
> len += offset;
>
> - if (params.verbose >= LOG_INFO)
> - log_info("hash(%s): ", params.hash_algo);
> + if (imaevm_params.verbose >= LOG_INFO)
> + log_info("hash(%s): ", imaevm_params.hash_algo);
>
> - if (sigdump || params.verbose >= LOG_INFO)
> - dump(hash, len);
> + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> + imaevm_hexdump(hash, len);
>
> if (xattr) {
> err = lsetxattr(file, xattr_ima, hash, len, 0);
> @@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key)
> return len;
> assert(len <= sizeof(hash));
>
> - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
> + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
> if (len <= 1)
> return len;
> assert(len < sizeof(sig));
> @@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key)
> len++;
> sig[0] = EVM_IMA_XATTR_DIGSIG;
>
> - if (sigdump || params.verbose >= LOG_INFO)
> - dump(sig, len);
> + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> + imaevm_hexdump(sig, len);
>
> if (sigfile)
> bin2file(file, "sig", sig, len);
> @@ -722,7 +723,7 @@ static int sign_ima_file(const char *file)
> {
> const char *key;
>
> - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
>
> return sign_ima(file, key);
> }
> @@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd)
> unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
> int siglen;
>
> - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
>
> /* support reading hash (eg. output of shasum) */
> while ((len = getline(&line, &line_len, stdin)) > 0) {
> @@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd)
>
> assert(hashlen / 2 <= sizeof(hash));
> hex2bin(hash, line, hashlen / 2);
> - siglen = sign_hash(params.hash_algo, hash, hashlen/2,
> + siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2,
> key, NULL, sig + 1);
> if (siglen <= 1)
> return siglen;
> @@ -783,7 +784,7 @@ static int sign_evm_path(const char *file)
> const char *key;
> int err;
>
> - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
>
> if (digsig) {
> err = sign_ima(file, key);
> @@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd)
> return -1;
> }
>
> - if (params.keyfile) /* Support multiple public keys */
> - init_public_keys(params.keyfile);
> - else /* assume read pubkey from x509 cert */
> + if (imaevm_params.keyfile) /* Support multiple public keys */
> + init_public_keys(imaevm_params.keyfile);
> + else /* assume read pubkey from x509 cert */
> init_public_keys("/etc/keys/x509_evm.der");
>
> err = verify_evm(file);
> - if (!err && params.verbose >= LOG_INFO)
> + if (!err && imaevm_params.verbose >= LOG_INFO)
> log_info("%s: verification is OK\n", file);
> return err;
> }
> @@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd)
> char *file = g_argv[optind++];
> int err;
>
> - if (params.keyfile) /* Support multiple public keys */
> - init_public_keys(params.keyfile);
> - else /* assume read pubkey from x509 cert */
> + if (imaevm_params.keyfile) /* Support multiple public keys */
> + init_public_keys(imaevm_params.keyfile);
> + else /* assume read pubkey from x509 cert */
> init_public_keys("/etc/keys/x509_evm.der");
>
> errno = 0;
> @@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd)
>
> do {
> err = verify_ima(file);
> - if (!err && params.verbose >= LOG_INFO)
> + if (!err && imaevm_params.verbose >= LOG_INFO)
> log_info("%s: verification is OK\n", file);
> } while ((file = g_argv[optind++]));
> return err;
> @@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd)
> uint8_t keyid[8];
> RSA *key;
>
> - params.x509 = 0;
> + imaevm_params.x509 = 0;
>
> inkey = g_argv[optind++];
> if (!inkey) {
> - inkey = params.x509 ? "/etc/keys/x509_evm.der" :
> - "/etc/keys/pubkey_evm.pem";
> + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
> + "/etc/keys/pubkey_evm.pem";
> }
>
> - key = read_pub_key(inkey, params.x509);
> + key = read_pub_key(inkey, imaevm_params.x509);
> if (!key)
> return 1;
>
> @@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd)
>
> inkey = g_argv[optind++];
> if (!inkey) {
> - inkey = params.x509 ? "/etc/keys/x509_evm.der" :
> - "/etc/keys/pubkey_evm.pem";
> + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
> + "/etc/keys/pubkey_evm.pem";
> } else
> ring = g_argv[optind++];
>
> @@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd)
> }
> }
>
> - if (params.x509) {
> - EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509);
> + if (imaevm_params.x509) {
> + EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509);
>
> if (!pkey)
> return 1;
> @@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd)
> calc_keyid_v2((uint32_t *)keyid, name, pkey);
> EVP_PKEY_free(pkey);
> } else {
> - RSA *key = read_pub_key(inkey, params.x509);
> + RSA *key = read_pub_key(inkey, imaevm_params.x509);
>
> if (!key)
> return 1;
> @@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd)
>
> log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
>
> - id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id);
> + id = add_key(imaevm_params.x509 ? "asymmetric" : "user",
> + imaevm_params.x509 ? NULL : name, pub, len, id);
> if (id < 0) {
> log_err("add_key failed\n");
> err = id;
> @@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd)
> log_info("keyid: %d\n", id);
> printf("%d\n", id);
> }
> - if (params.x509)
> + if (imaevm_params.x509)
> free(pub);
> return err;
> }
> @@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> goto out;
> }
>
> - md = EVP_get_digestbyname(params.hash_algo);
> + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> if (!md) {
> - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> + log_err("EVP_get_digestbyname(%s) failed\n",
> + imaevm_params.hash_algo);
> goto out;
> }
>
> @@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd)
> return -1;
> }
>
> - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
>
> if (digsig) {
> err = sign_ima(file, key);
> @@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry)
> }
>
> /* ascii_runtime_measurements */
> - if (params.verbose > LOG_INFO) {
> + if (imaevm_params.verbose > LOG_INFO) {
> log_info("%d ", entry->header.pcr);
> log_dump_n(entry->header.digest, sizeof(entry->header.digest));
> log_info(" %s %s", entry->name, algo);
> @@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry)
> }
>
> if (sig) {
> - if (params.verbose > LOG_INFO) {
> + if (imaevm_params.verbose > LOG_INFO) {
> log_info(" ");
> log_dump(sig, sig_len);
> }
> @@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry)
> digest, digest_len);
> else
> err = ima_verify_signature(path, sig, sig_len, NULL, 0);
> - if (!err && params.verbose > LOG_INFO)
> + if (!err && imaevm_params.verbose > LOG_INFO)
> log_info("%s: verification is OK\n", path);
> } else {
> - if (params.verbose > LOG_INFO)
> + if (imaevm_params.verbose > LOG_INFO)
> log_info("\n");
> }
>
> @@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file)
> return -1;
> }
>
> - if (params.keyfile) /* Support multiple public keys */
> - init_public_keys(params.keyfile);
> - else /* assume read pubkey from x509 cert */
> + if (imaevm_params.keyfile) /* Support multiple public keys */
> + init_public_keys(imaevm_params.keyfile);
> + else /* assume read pubkey from x509 cert */
> init_public_keys("/etc/keys/x509_evm.der");
>
> while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
> @@ -1959,7 +1962,7 @@ int main(int argc, char *argv[])
> exit(0);
> break;
> case 'v':
> - params.verbose++;
> + imaevm_params.verbose++;
> break;
> case 'd':
> digest = 1;
> @@ -1973,13 +1976,13 @@ int main(int argc, char *argv[])
> sigdump = 1;
> break;
> case 'a':
> - params.hash_algo = optarg;
> + imaevm_params.hash_algo = optarg;
> break;
> case 'p':
> if (optarg)
> - params.keypass = optarg;
> + imaevm_params.keypass = optarg;
> else
> - params.keypass = get_password();
> + imaevm_params.keypass = get_password();
> break;
> case 'f':
> sigfile = 1;
> @@ -1990,10 +1993,10 @@ int main(int argc, char *argv[])
> hmac_flags |= HMAC_FLAG_NO_UUID;
> break;
> case '1':
> - params.x509 = 0;
> + imaevm_params.x509 = 0;
> break;
> case 'k':
> - params.keyfile = optarg;
> + imaevm_params.keyfile = optarg;
> break;
> case 'i':
> if (evm_portable)
> diff --git a/src/imaevm.h b/src/imaevm.h
> index 0414433..b881d92 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -50,8 +50,10 @@
> #include <openssl/rsa.h>
>
> #ifdef USE_FPRINTF
> -#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
> -#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
> +#define do_log(level, fmt, args...) \
> + ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
> +#define do_log_dump(level, p, len, cr) \
> + ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
> #else
> #define do_log(level, fmt, args...) syslog(level, fmt, ##args)
> #define do_log_dump(level, p, len, cr)
> @@ -188,7 +190,7 @@ struct signature_v2_hdr {
> uint8_t sig[0]; /* signature payload */
> } __packed;
>
> -struct libevm_params {
> +struct libimaevm_params {
> int verbose;
> int x509;
> const char *hash_algo;
> @@ -204,12 +206,12 @@ struct RSA_ASN1_template {
> #define NUM_PCRS 20
> #define DEFAULT_PCR 10
>
> -extern struct libevm_params params;
> +extern struct libimaevm_params imaevm_params;
>
> -void do_dump(FILE *fp, const void *ptr, int len, bool cr);
> -void dump(const void *ptr, int len);
> +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
> +void imaevm_hexdump(const void *ptr, int len);
> int ima_calc_hash(const char *file, uint8_t *hash);
> -int get_hash_algo(const char *algo);
> +int imaevm_get_hash_algo(const char *algo);
> RSA *read_pub_key(const char *keyfile, int x509);
> EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
>
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 11dbf11..a582872 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> [PKEY_HASH_STREEBOG_512] = "streebog512",
> };
>
> -struct libevm_params params = {
> +struct libimaevm_params imaevm_params = {
> .verbose = LOG_INFO - 1,
> .x509 = 1,
> .hash_algo = "sha1",
> @@ -89,7 +89,7 @@ struct libevm_params params = {
>
> static void __attribute__ ((constructor)) libinit(void);
>
> -void do_dump(FILE *fp, const void *ptr, int len, bool cr)
> +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
> {
> int i;
> uint8_t *data = (uint8_t *) ptr;
> @@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr)
> fprintf(fp, "\n");
> }
>
> -void dump(const void *ptr, int len)
> +void imaevm_hexdump(const void *ptr, int len)
> {
> - do_dump(stdout, ptr, len, true);
> + imaevm_do_hexdump(stdout, ptr, len, true);
> }
>
> const char *get_hash_algo_by_id(int algo)
> @@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> goto err;
> }
>
> - md = EVP_get_digestbyname(params.hash_algo);
> + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> if (!md) {
> - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> + log_err("EVP_get_digestbyname(%s) failed\n",
> + imaevm_params.hash_algo);
> err = 1;
> goto err;
> }
> @@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> const EVP_MD *md;
> const char *st;
>
> - if (params.verbose > LOG_INFO) {
> - log_info("hash(%s): ", params.hash_algo);
> + if (imaevm_params.verbose > LOG_INFO) {
> + log_info("hash(%s): ", imaevm_params.hash_algo);
> log_dump(hash, size);
> }
>
> @@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> if (!EVP_PKEY_verify_init(ctx))
> goto err;
> st = "EVP_get_digestbyname";
> - if (!(md = EVP_get_digestbyname(params.hash_algo)))
> + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
> goto err;
> st = "EVP_PKEY_CTX_set_signature_md";
> if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
> @@ -550,7 +551,7 @@ err:
> return ret;
> }
>
> -int get_hash_algo(const char *algo)
> +int imaevm_get_hash_algo(const char *algo)
> {
> int i;
>
> @@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
> const char *key = NULL;
>
> /* Read pubkey from RSA key */
> - if (!params.keyfile)
> + if (!imaevm_params.keyfile)
> key = "/etc/keys/pubkey_evm.pem";
> return verify_hash_v1(file, hash, size, sig, siglen, key);
> } else if (sig[0] == DIGSIG_VERSION_2) {
> @@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
> return -1;
> }
> /* Use hash algorithm as retrieved from signature */
> - params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
> + imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
>
> /*
> * Validate the signature based on the digest included in the
> @@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
> id = __be64_to_cpup((__be64 *) keyid);
> sprintf(str, "%llX", (unsigned long long)id);
>
> - if (params.verbose > LOG_INFO)
> + if (imaevm_params.verbose > LOG_INFO)
> log_info("keyid-v1: %s\n", str);
> }
>
> @@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
> log_debug_dump(keyid, 4);
> sprintf(str, "%x", __be32_to_cpup(keyid));
>
> - if (params.verbose > LOG_INFO)
> + if (imaevm_params.verbose > LOG_INFO)
> log_info("keyid: %s\n", str);
>
> X509_PUBKEY_free(pk);
> @@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
> log_info("hash(%s): ", hashalgo);
> log_dump(hash, size);
>
> - key = read_priv_key(keyfile, params.keypass);
> + key = read_priv_key(keyfile, imaevm_params.keypass);
> if (!key)
> return -1;
>
> @@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
> return -1;
> }
>
> - log_info("hash(%s): ", params.hash_algo);
> + log_info("hash(%s): ", imaevm_params.hash_algo);
> log_dump(hash, size);
>
> - pkey = read_priv_pkey(keyfile, params.keypass);
> + pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
> if (!pkey)
> return -1;
>
> hdr = (struct signature_v2_hdr *)sig;
> hdr->version = (uint8_t) DIGSIG_VERSION_2;
>
> - hdr->hash_algo = get_hash_algo(algo);
> + hdr->hash_algo = imaevm_get_hash_algo(algo);
> if (hdr->hash_algo == -1) {
> log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
> return -1;
> @@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
> if (!EVP_PKEY_sign_init(ctx))
> goto err;
> st = "EVP_get_digestbyname";
> - if (!(md = EVP_get_digestbyname(params.hash_algo)))
> + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
> goto err;
> st = "EVP_PKEY_CTX_set_signature_md";
> if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
> @@ -965,10 +966,11 @@ err:
> int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
> {
> if (keypass)
> - params.keypass = keypass;
> + imaevm_params.keypass = keypass;
>
> - return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
> - sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> + return imaevm_params.x509 ?
> + sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
> + sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> }
>
> static void libinit()
* Re: [PATCH v2] ima-evm-utils: Namespace some too generic object names
2019-07-25 14:34 ` Mimi Zohar
@ 2019-07-25 15:19 ` Bruno E. O. Meneguele
From: Bruno E. O. Meneguele @ 2019-07-25 15:19 UTC (permalink / raw)
To: Mimi Zohar
Cc: Vitaly Chikunov, Mimi Zohar, Dmitry Kasatkin, linux-integrity,
Petr Vorel
On Thu, Jul 25, 2019 at 10:34:23AM -0400, Mimi Zohar wrote:
> On Thu, 2019-07-25 at 17:11 +0300, Vitaly Chikunov wrote:
> > Prefix `dump', `do_dump', and `params' with `imaevm_' to avoid colliding
> > with other global symbols.
> > Also, rename `libevm_' to `libimaevm_`, only used with `params'.
> > Additionally, rename `dump' into `hexdump'.
> > Finally, rename `get_hash_algo' to `imaevm_get_hash_algo' as suggested by
> > Mimi Zohar.
> >
> > Lines that became too long are split, indent corrected. No code changes.
> >
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
>
> Looks good, thanks! At this point all 3 patches are applied, in the
> order you indicated. Just waiting to see if Bruno or Petr want to add
> their tag to this version, before pushing it out.
>
> thanks!
>
> Mimi
>
Yep! Seems pretty good to me :)
Reviewed-by: Bruno E. O. Meneguele <bmeneg@redhat.com>
> > ---
> > Changes from 1:
> > - Change prefix from ima_ to imaevm_.
> > - Add prefix to get_hash_algo.
> > - This should be applied over "[PATCH 2/2] ima-evm-utils: Show used hash algo
> > in verbose mode".
> >
> > src/evmctl.c | 109 +++++++++++++++++++++++++++++---------------------------
> > src/imaevm.h | 16 +++++----
> > src/libimaevm.c | 46 ++++++++++++------------
> > 3 files changed, 89 insertions(+), 82 deletions(-)
> >
> > diff --git a/src/evmctl.c b/src/evmctl.c
> > index 75dd163..b02be8b 100644
> > --- a/src/evmctl.c
> > +++ b/src/evmctl.c
> > @@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
> > return -1;
> > }
> >
> > - md = EVP_get_digestbyname(params.hash_algo);
> > + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> > if (!md) {
> > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> > + log_err("EVP_get_digestbyname(%s) failed\n",
> > + imaevm_params.hash_algo);
> > return 1;
> > }
> >
> > @@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key)
> > return len;
> > assert(len <= sizeof(hash));
> >
> > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
> > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
> > if (len <= 1)
> > return len;
> > assert(len < sizeof(sig));
> > @@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key)
> > if (evm_immutable)
> > sig[1] = 3; /* immutable signature version */
> >
> > - if (sigdump || params.verbose >= LOG_INFO)
> > - dump(sig, len);
> > + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> > + imaevm_hexdump(sig, len);
> >
> > if (xattr) {
> > err = lsetxattr(file, xattr_evm, sig, len, 0);
> > @@ -582,10 +583,10 @@ static int hash_ima(const char *file)
> > {
> > unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
> > int len, err, offset;
> > - int algo = get_hash_algo(params.hash_algo);
> > + int algo = imaevm_get_hash_algo(imaevm_params.hash_algo);
> >
> > if (algo < 0) {
> > - log_err("Unknown hash algo: %s\n", params.hash_algo);
> > + log_err("Unknown hash algo: %s\n", imaevm_params.hash_algo);
> > return -1;
> > }
> > if (algo > PKEY_HASH_SHA1) {
> > @@ -604,11 +605,11 @@ static int hash_ima(const char *file)
> >
> > len += offset;
> >
> > - if (params.verbose >= LOG_INFO)
> > - log_info("hash(%s): ", params.hash_algo);
> > + if (imaevm_params.verbose >= LOG_INFO)
> > + log_info("hash(%s): ", imaevm_params.hash_algo);
> >
> > - if (sigdump || params.verbose >= LOG_INFO)
> > - dump(hash, len);
> > + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> > + imaevm_hexdump(hash, len);
> >
> > if (xattr) {
> > err = lsetxattr(file, xattr_ima, hash, len, 0);
> > @@ -632,7 +633,7 @@ static int sign_ima(const char *file, const char *key)
> > return len;
> > assert(len <= sizeof(hash));
> >
> > - len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
> > + len = sign_hash(imaevm_params.hash_algo, hash, len, key, NULL, sig + 1);
> > if (len <= 1)
> > return len;
> > assert(len < sizeof(sig));
> > @@ -641,8 +642,8 @@ static int sign_ima(const char *file, const char *key)
> > len++;
> > sig[0] = EVM_IMA_XATTR_DIGSIG;
> >
> > - if (sigdump || params.verbose >= LOG_INFO)
> > - dump(sig, len);
> > + if (sigdump || imaevm_params.verbose >= LOG_INFO)
> > + imaevm_hexdump(sig, len);
> >
> > if (sigfile)
> > bin2file(file, "sig", sig, len);
> > @@ -722,7 +723,7 @@ static int sign_ima_file(const char *file)
> > {
> > const char *key;
> >
> > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
> >
> > return sign_ima(file, key);
> > }
> > @@ -743,7 +744,7 @@ static int cmd_sign_hash(struct command *cmd)
> > unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
> > int siglen;
> >
> > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
> >
> > /* support reading hash (eg. output of shasum) */
> > while ((len = getline(&line, &line_len, stdin)) > 0) {
> > @@ -757,7 +758,7 @@ static int cmd_sign_hash(struct command *cmd)
> >
> > assert(hashlen / 2 <= sizeof(hash));
> > hex2bin(hash, line, hashlen / 2);
> > - siglen = sign_hash(params.hash_algo, hash, hashlen/2,
> > + siglen = sign_hash(imaevm_params.hash_algo, hash, hashlen / 2,
> > key, NULL, sig + 1);
> > if (siglen <= 1)
> > return siglen;
> > @@ -783,7 +784,7 @@ static int sign_evm_path(const char *file)
> > const char *key;
> > int err;
> >
> > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
> >
> > if (digsig) {
> > err = sign_ima(file, key);
> > @@ -842,13 +843,13 @@ static int cmd_verify_evm(struct command *cmd)
> > return -1;
> > }
> >
> > - if (params.keyfile) /* Support multiple public keys */
> > - init_public_keys(params.keyfile);
> > - else /* assume read pubkey from x509 cert */
> > + if (imaevm_params.keyfile) /* Support multiple public keys */
> > + init_public_keys(imaevm_params.keyfile);
> > + else /* assume read pubkey from x509 cert */
> > init_public_keys("/etc/keys/x509_evm.der");
> >
> > err = verify_evm(file);
> > - if (!err && params.verbose >= LOG_INFO)
> > + if (!err && imaevm_params.verbose >= LOG_INFO)
> > log_info("%s: verification is OK\n", file);
> > return err;
> > }
> > @@ -888,9 +889,9 @@ static int cmd_verify_ima(struct command *cmd)
> > char *file = g_argv[optind++];
> > int err;
> >
> > - if (params.keyfile) /* Support multiple public keys */
> > - init_public_keys(params.keyfile);
> > - else /* assume read pubkey from x509 cert */
> > + if (imaevm_params.keyfile) /* Support multiple public keys */
> > + init_public_keys(imaevm_params.keyfile);
> > + else /* assume read pubkey from x509 cert */
> > init_public_keys("/etc/keys/x509_evm.der");
> >
> > errno = 0;
> > @@ -902,7 +903,7 @@ static int cmd_verify_ima(struct command *cmd)
> >
> > do {
> > err = verify_ima(file);
> > - if (!err && params.verbose >= LOG_INFO)
> > + if (!err && imaevm_params.verbose >= LOG_INFO)
> > log_info("%s: verification is OK\n", file);
> > } while ((file = g_argv[optind++]));
> > return err;
> > @@ -917,15 +918,15 @@ static int cmd_convert(struct command *cmd)
> > uint8_t keyid[8];
> > RSA *key;
> >
> > - params.x509 = 0;
> > + imaevm_params.x509 = 0;
> >
> > inkey = g_argv[optind++];
> > if (!inkey) {
> > - inkey = params.x509 ? "/etc/keys/x509_evm.der" :
> > - "/etc/keys/pubkey_evm.pem";
> > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
> > + "/etc/keys/pubkey_evm.pem";
> > }
> >
> > - key = read_pub_key(inkey, params.x509);
> > + key = read_pub_key(inkey, imaevm_params.x509);
> > if (!key)
> > return 1;
> >
> > @@ -949,8 +950,8 @@ static int cmd_import(struct command *cmd)
> >
> > inkey = g_argv[optind++];
> > if (!inkey) {
> > - inkey = params.x509 ? "/etc/keys/x509_evm.der" :
> > - "/etc/keys/pubkey_evm.pem";
> > + inkey = imaevm_params.x509 ? "/etc/keys/x509_evm.der" :
> > + "/etc/keys/pubkey_evm.pem";
> > } else
> > ring = g_argv[optind++];
> >
> > @@ -979,8 +980,8 @@ static int cmd_import(struct command *cmd)
> > }
> > }
> >
> > - if (params.x509) {
> > - EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509);
> > + if (imaevm_params.x509) {
> > + EVP_PKEY *pkey = read_pub_pkey(inkey, imaevm_params.x509);
> >
> > if (!pkey)
> > return 1;
> > @@ -992,7 +993,7 @@ static int cmd_import(struct command *cmd)
> > calc_keyid_v2((uint32_t *)keyid, name, pkey);
> > EVP_PKEY_free(pkey);
> > } else {
> > - RSA *key = read_pub_key(inkey, params.x509);
> > + RSA *key = read_pub_key(inkey, imaevm_params.x509);
> >
> > if (!key)
> > return 1;
> > @@ -1003,7 +1004,8 @@ static int cmd_import(struct command *cmd)
> >
> > log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
> >
> > - id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id);
> > + id = add_key(imaevm_params.x509 ? "asymmetric" : "user",
> > + imaevm_params.x509 ? NULL : name, pub, len, id);
> > if (id < 0) {
> > log_err("add_key failed\n");
> > err = id;
> > @@ -1011,7 +1013,7 @@ static int cmd_import(struct command *cmd)
> > log_info("keyid: %d\n", id);
> > printf("%d\n", id);
> > }
> > - if (params.x509)
> > + if (imaevm_params.x509)
> > free(pub);
> > return err;
> > }
> > @@ -1123,9 +1125,10 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
> > goto out;
> > }
> >
> > - md = EVP_get_digestbyname(params.hash_algo);
> > + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> > if (!md) {
> > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> > + log_err("EVP_get_digestbyname(%s) failed\n",
> > + imaevm_params.hash_algo);
> > goto out;
> > }
> >
> > @@ -1247,7 +1250,7 @@ static int cmd_hmac_evm(struct command *cmd)
> > return -1;
> > }
> >
> > - key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
> > + key = imaevm_params.keyfile ? : "/etc/keys/privkey_evm.pem";
> >
> > if (digsig) {
> > err = sign_ima(file, key);
> > @@ -1588,7 +1591,7 @@ void ima_ng_show(struct template_entry *entry)
> > }
> >
> > /* ascii_runtime_measurements */
> > - if (params.verbose > LOG_INFO) {
> > + if (imaevm_params.verbose > LOG_INFO) {
> > log_info("%d ", entry->header.pcr);
> > log_dump_n(entry->header.digest, sizeof(entry->header.digest));
> > log_info(" %s %s", entry->name, algo);
> > @@ -1601,7 +1604,7 @@ void ima_ng_show(struct template_entry *entry)
> > }
> >
> > if (sig) {
> > - if (params.verbose > LOG_INFO) {
> > + if (imaevm_params.verbose > LOG_INFO) {
> > log_info(" ");
> > log_dump(sig, sig_len);
> > }
> > @@ -1610,10 +1613,10 @@ void ima_ng_show(struct template_entry *entry)
> > digest, digest_len);
> > else
> > err = ima_verify_signature(path, sig, sig_len, NULL, 0);
> > - if (!err && params.verbose > LOG_INFO)
> > + if (!err && imaevm_params.verbose > LOG_INFO)
> > log_info("%s: verification is OK\n", path);
> > } else {
> > - if (params.verbose > LOG_INFO)
> > + if (imaevm_params.verbose > LOG_INFO)
> > log_info("\n");
> > }
> >
> > @@ -1648,9 +1651,9 @@ static int ima_measurement(const char *file)
> > return -1;
> > }
> >
> > - if (params.keyfile) /* Support multiple public keys */
> > - init_public_keys(params.keyfile);
> > - else /* assume read pubkey from x509 cert */
> > + if (imaevm_params.keyfile) /* Support multiple public keys */
> > + init_public_keys(imaevm_params.keyfile);
> > + else /* assume read pubkey from x509 cert */
> > init_public_keys("/etc/keys/x509_evm.der");
> >
> > while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
> > @@ -1959,7 +1962,7 @@ int main(int argc, char *argv[])
> > exit(0);
> > break;
> > case 'v':
> > - params.verbose++;
> > + imaevm_params.verbose++;
> > break;
> > case 'd':
> > digest = 1;
> > @@ -1973,13 +1976,13 @@ int main(int argc, char *argv[])
> > sigdump = 1;
> > break;
> > case 'a':
> > - params.hash_algo = optarg;
> > + imaevm_params.hash_algo = optarg;
> > break;
> > case 'p':
> > if (optarg)
> > - params.keypass = optarg;
> > + imaevm_params.keypass = optarg;
> > else
> > - params.keypass = get_password();
> > + imaevm_params.keypass = get_password();
> > break;
> > case 'f':
> > sigfile = 1;
> > @@ -1990,10 +1993,10 @@ int main(int argc, char *argv[])
> > hmac_flags |= HMAC_FLAG_NO_UUID;
> > break;
> > case '1':
> > - params.x509 = 0;
> > + imaevm_params.x509 = 0;
> > break;
> > case 'k':
> > - params.keyfile = optarg;
> > + imaevm_params.keyfile = optarg;
> > break;
> > case 'i':
> > if (evm_portable)
> > diff --git a/src/imaevm.h b/src/imaevm.h
> > index 0414433..b881d92 100644
> > --- a/src/imaevm.h
> > +++ b/src/imaevm.h
> > @@ -50,8 +50,10 @@
> > #include <openssl/rsa.h>
> >
> > #ifdef USE_FPRINTF
> > -#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
> > -#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
> > +#define do_log(level, fmt, args...) \
> > + ({ if (level <= imaevm_params.verbose) fprintf(stderr, fmt, ##args); })
> > +#define do_log_dump(level, p, len, cr) \
> > + ({ if (level <= imaevm_params.verbose) imaevm_do_hexdump(stderr, p, len, cr); })
> > #else
> > #define do_log(level, fmt, args...) syslog(level, fmt, ##args)
> > #define do_log_dump(level, p, len, cr)
> > @@ -188,7 +190,7 @@ struct signature_v2_hdr {
> > uint8_t sig[0]; /* signature payload */
> > } __packed;
> >
> > -struct libevm_params {
> > +struct libimaevm_params {
> > int verbose;
> > int x509;
> > const char *hash_algo;
> > @@ -204,12 +206,12 @@ struct RSA_ASN1_template {
> > #define NUM_PCRS 20
> > #define DEFAULT_PCR 10
> >
> > -extern struct libevm_params params;
> > +extern struct libimaevm_params imaevm_params;
> >
> > -void do_dump(FILE *fp, const void *ptr, int len, bool cr);
> > -void dump(const void *ptr, int len);
> > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
> > +void imaevm_hexdump(const void *ptr, int len);
> > int ima_calc_hash(const char *file, uint8_t *hash);
> > -int get_hash_algo(const char *algo);
> > +int imaevm_get_hash_algo(const char *algo);
> > RSA *read_pub_key(const char *keyfile, int x509);
> > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509);
> >
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index 11dbf11..a582872 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
> > [PKEY_HASH_STREEBOG_512] = "streebog512",
> > };
> >
> > -struct libevm_params params = {
> > +struct libimaevm_params imaevm_params = {
> > .verbose = LOG_INFO - 1,
> > .x509 = 1,
> > .hash_algo = "sha1",
> > @@ -89,7 +89,7 @@ struct libevm_params params = {
> >
> > static void __attribute__ ((constructor)) libinit(void);
> >
> > -void do_dump(FILE *fp, const void *ptr, int len, bool cr)
> > +void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
> > {
> > int i;
> > uint8_t *data = (uint8_t *) ptr;
> > @@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr)
> > fprintf(fp, "\n");
> > }
> >
> > -void dump(const void *ptr, int len)
> > +void imaevm_hexdump(const void *ptr, int len)
> > {
> > - do_dump(stdout, ptr, len, true);
> > + imaevm_do_hexdump(stdout, ptr, len, true);
> > }
> >
> > const char *get_hash_algo_by_id(int algo)
> > @@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> > goto err;
> > }
> >
> > - md = EVP_get_digestbyname(params.hash_algo);
> > + md = EVP_get_digestbyname(imaevm_params.hash_algo);
> > if (!md) {
> > - log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> > + log_err("EVP_get_digestbyname(%s) failed\n",
> > + imaevm_params.hash_algo);
> > err = 1;
> > goto err;
> > }
> > @@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> > const EVP_MD *md;
> > const char *st;
> >
> > - if (params.verbose > LOG_INFO) {
> > - log_info("hash(%s): ", params.hash_algo);
> > + if (imaevm_params.verbose > LOG_INFO) {
> > + log_info("hash(%s): ", imaevm_params.hash_algo);
> > log_dump(hash, size);
> > }
> >
> > @@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
> > if (!EVP_PKEY_verify_init(ctx))
> > goto err;
> > st = "EVP_get_digestbyname";
> > - if (!(md = EVP_get_digestbyname(params.hash_algo)))
> > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
> > goto err;
> > st = "EVP_PKEY_CTX_set_signature_md";
> > if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
> > @@ -550,7 +551,7 @@ err:
> > return ret;
> > }
> >
> > -int get_hash_algo(const char *algo)
> > +int imaevm_get_hash_algo(const char *algo)
> > {
> > int i;
> >
> > @@ -609,7 +610,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
> > const char *key = NULL;
> >
> > /* Read pubkey from RSA key */
> > - if (!params.keyfile)
> > + if (!imaevm_params.keyfile)
> > key = "/etc/keys/pubkey_evm.pem";
> > return verify_hash_v1(file, hash, size, sig, siglen, key);
> > } else if (sig[0] == DIGSIG_VERSION_2) {
> > @@ -635,7 +636,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
> > return -1;
> > }
> > /* Use hash algorithm as retrieved from signature */
> > - params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
> > + imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
> >
> > /*
> > * Validate the signature based on the digest included in the
> > @@ -707,7 +708,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
> > id = __be64_to_cpup((__be64 *) keyid);
> > sprintf(str, "%llX", (unsigned long long)id);
> >
> > - if (params.verbose > LOG_INFO)
> > + if (imaevm_params.verbose > LOG_INFO)
> > log_info("keyid-v1: %s\n", str);
> > }
> >
> > @@ -735,7 +736,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
> > log_debug_dump(keyid, 4);
> > sprintf(str, "%x", __be32_to_cpup(keyid));
> >
> > - if (params.verbose > LOG_INFO)
> > + if (imaevm_params.verbose > LOG_INFO)
> > log_info("keyid: %s\n", str);
> >
> > X509_PUBKEY_free(pk);
> > @@ -825,7 +826,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
> > log_info("hash(%s): ", hashalgo);
> > log_dump(hash, size);
> >
> > - key = read_priv_key(keyfile, params.keypass);
> > + key = read_priv_key(keyfile, imaevm_params.keypass);
> > if (!key)
> > return -1;
> >
> > @@ -908,17 +909,17 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
> > return -1;
> > }
> >
> > - log_info("hash(%s): ", params.hash_algo);
> > + log_info("hash(%s): ", imaevm_params.hash_algo);
> > log_dump(hash, size);
> >
> > - pkey = read_priv_pkey(keyfile, params.keypass);
> > + pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
> > if (!pkey)
> > return -1;
> >
> > hdr = (struct signature_v2_hdr *)sig;
> > hdr->version = (uint8_t) DIGSIG_VERSION_2;
> >
> > - hdr->hash_algo = get_hash_algo(algo);
> > + hdr->hash_algo = imaevm_get_hash_algo(algo);
> > if (hdr->hash_algo == -1) {
> > log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
> > return -1;
> > @@ -934,7 +935,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
> > if (!EVP_PKEY_sign_init(ctx))
> > goto err;
> > st = "EVP_get_digestbyname";
> > - if (!(md = EVP_get_digestbyname(params.hash_algo)))
> > + if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
> > goto err;
> > st = "EVP_PKEY_CTX_set_signature_md";
> > if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
> > @@ -965,10 +966,11 @@ err:
> > int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
> > {
> > if (keypass)
> > - params.keypass = keypass;
> > + imaevm_params.keypass = keypass;
> >
> > - return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
> > - sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> > + return imaevm_params.x509 ?
> > + sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
> > + sign_hash_v1(hashalgo, hash, size, keyfile, sig);
> > }
> >
> > static void libinit()
>
* [PATCH v2] ima-evm-utils: Namespace some too generic object names
@ 2019-07-25 2:24 Vitaly Chikunov
From: Vitaly Chikunov @ 2019-07-25 2:24 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Prefix `dump', `do_dump', and `params' with `ima_' to avoid colliding
with other global symbols.
Also, rename `libevm_' to `libimaevm_`, only used with `params'.
Additionally, rename `dump' into `hexdump'.
Lines that became too long are split. No code changes.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/evmctl.c | 94 +++++++++++++++++++++++++++++----------------------------
src/imaevm.h | 14 +++++----
src/libimaevm.c | 42 ++++++++++++++------------
3 files changed, 78 insertions(+), 72 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 3289061..38193ec 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -403,9 +403,10 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(ima_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n",
+ ima_params.hash_algo);
return 1;
}
@@ -549,7 +550,7 @@ static int sign_evm(const char *file, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(ima_params.hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -564,8 +565,8 @@ static int sign_evm(const char *file, const char *key)
if (evm_immutable)
sig[1] = 3; /* immutable signature version */
- if (sigdump || params.verbose >= LOG_INFO)
- dump(sig, len);
+ if (sigdump || ima_params.verbose >= LOG_INFO)
+ ima_hexdump(sig, len);
if (xattr) {
err = lsetxattr(file, xattr_evm, sig, len, 0);
@@ -582,7 +583,7 @@ static int hash_ima(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
int len, err, offset;
- int algo = get_hash_algo(params.hash_algo);
+ int algo = get_hash_algo(ima_params.hash_algo);
if (algo > PKEY_HASH_SHA1) {
hash[0] = IMA_XATTR_DIGEST_NG;
@@ -600,11 +601,11 @@ static int hash_ima(const char *file)
len += offset;
- if (params.verbose >= LOG_INFO)
+ if (ima_params.verbose >= LOG_INFO)
log_info("hash: ");
- if (sigdump || params.verbose >= LOG_INFO)
- dump(hash, len);
+ if (sigdump || ima_params.verbose >= LOG_INFO)
+ ima_hexdump(hash, len);
if (xattr) {
err = lsetxattr(file, xattr_ima, hash, len, 0);
@@ -628,7 +629,7 @@ static int sign_ima(const char *file, const char *key)
return len;
assert(len <= sizeof(hash));
- len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
+ len = sign_hash(ima_params.hash_algo, hash, len, key, NULL, sig + 1);
if (len <= 1)
return len;
assert(len < sizeof(sig));
@@ -637,8 +638,8 @@ static int sign_ima(const char *file, const char *key)
len++;
sig[0] = EVM_IMA_XATTR_DIGSIG;
- if (sigdump || params.verbose >= LOG_INFO)
- dump(sig, len);
+ if (sigdump || ima_params.verbose >= LOG_INFO)
+ ima_hexdump(sig, len);
if (sigfile)
bin2file(file, "sig", sig, len);
@@ -718,7 +719,7 @@ static int sign_ima_file(const char *file)
{
const char *key;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = ima_params.keyfile ? : "/etc/keys/privkey_evm.pem";
return sign_ima(file, key);
}
@@ -739,7 +740,7 @@ static int cmd_sign_hash(struct command *cmd)
unsigned char sig[MAX_SIGNATURE_SIZE] = "\x03";
int siglen;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = ima_params.keyfile ? : "/etc/keys/privkey_evm.pem";
/* support reading hash (eg. output of shasum) */
while ((len = getline(&line, &line_len, stdin)) > 0) {
@@ -753,7 +754,7 @@ static int cmd_sign_hash(struct command *cmd)
assert(hashlen / 2 <= sizeof(hash));
hex2bin(hash, line, hashlen / 2);
- siglen = sign_hash(params.hash_algo, hash, hashlen/2,
+ siglen = sign_hash(ima_params.hash_algo, hash, hashlen/2,
key, NULL, sig + 1);
if (siglen <= 1)
return siglen;
@@ -779,7 +780,7 @@ static int sign_evm_path(const char *file)
const char *key;
int err;
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = ima_params.keyfile ? : "/etc/keys/privkey_evm.pem";
if (digsig) {
err = sign_ima(file, key);
@@ -838,13 +839,13 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
+ if (ima_params.keyfile) /* Support multiple public keys */
+ init_public_keys(ima_params.keyfile);
else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
err = verify_evm(file);
- if (!err && params.verbose >= LOG_INFO)
+ if (!err && ima_params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
return err;
}
@@ -884,8 +885,8 @@ static int cmd_verify_ima(struct command *cmd)
char *file = g_argv[optind++];
int err;
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
+ if (ima_params.keyfile) /* Support multiple public keys */
+ init_public_keys(ima_params.keyfile);
else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
@@ -898,7 +899,7 @@ static int cmd_verify_ima(struct command *cmd)
do {
err = verify_ima(file);
- if (!err && params.verbose >= LOG_INFO)
+ if (!err && ima_params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file);
} while ((file = g_argv[optind++]));
return err;
@@ -913,15 +914,15 @@ static int cmd_convert(struct command *cmd)
uint8_t keyid[8];
RSA *key;
- params.x509 = 0;
+ ima_params.x509 = 0;
inkey = g_argv[optind++];
if (!inkey) {
- inkey = params.x509 ? "/etc/keys/x509_evm.der" :
+ inkey = ima_params.x509 ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
}
- key = read_pub_key(inkey, params.x509);
+ key = read_pub_key(inkey, ima_params.x509);
if (!key)
return 1;
@@ -945,7 +946,7 @@ static int cmd_import(struct command *cmd)
inkey = g_argv[optind++];
if (!inkey) {
- inkey = params.x509 ? "/etc/keys/x509_evm.der" :
+ inkey = ima_params.x509 ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
} else
ring = g_argv[optind++];
@@ -975,8 +976,8 @@ static int cmd_import(struct command *cmd)
}
}
- if (params.x509) {
- EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509);
+ if (ima_params.x509) {
+ EVP_PKEY *pkey = read_pub_pkey(inkey, ima_params.x509);
if (!pkey)
return 1;
@@ -988,7 +989,7 @@ static int cmd_import(struct command *cmd)
calc_keyid_v2((uint32_t *)keyid, name, pkey);
EVP_PKEY_free(pkey);
} else {
- RSA *key = read_pub_key(inkey, params.x509);
+ RSA *key = read_pub_key(inkey, ima_params.x509);
if (!key)
return 1;
@@ -999,7 +1000,8 @@ static int cmd_import(struct command *cmd)
log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id);
- id = add_key(params.x509 ? "asymmetric" : "user", params.x509 ? NULL : name, pub, len, id);
+ id = add_key(ima_params.x509 ? "asymmetric" : "user",
+ ima_params.x509 ? NULL : name, pub, len, id);
if (id < 0) {
log_err("add_key failed\n");
err = id;
@@ -1007,7 +1009,7 @@ static int cmd_import(struct command *cmd)
log_info("keyid: %d\n", id);
printf("%d\n", id);
}
- if (params.x509)
+ if (ima_params.x509)
free(pub);
return err;
}
@@ -1119,9 +1121,9 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(ima_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n", ima_params.hash_algo);
goto out;
}
@@ -1243,7 +1245,7 @@ static int cmd_hmac_evm(struct command *cmd)
return -1;
}
- key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
+ key = ima_params.keyfile ? : "/etc/keys/privkey_evm.pem";
if (digsig) {
err = sign_ima(file, key);
@@ -1584,7 +1586,7 @@ void ima_ng_show(struct template_entry *entry)
}
/* ascii_runtime_measurements */
- if (params.verbose > LOG_INFO) {
+ if (ima_params.verbose > LOG_INFO) {
log_info("%d ", entry->header.pcr);
log_dump_n(entry->header.digest, sizeof(entry->header.digest));
log_info(" %s %s", entry->name, algo);
@@ -1597,7 +1599,7 @@ void ima_ng_show(struct template_entry *entry)
}
if (sig) {
- if (params.verbose > LOG_INFO) {
+ if (ima_params.verbose > LOG_INFO) {
log_info(" ");
log_dump(sig, sig_len);
}
@@ -1606,10 +1608,10 @@ void ima_ng_show(struct template_entry *entry)
digest, digest_len);
else
err = ima_verify_signature(path, sig, sig_len, NULL, 0);
- if (!err && params.verbose > LOG_INFO)
+ if (!err && ima_params.verbose > LOG_INFO)
log_info("%s: verification is OK\n", path);
} else {
- if (params.verbose > LOG_INFO)
+ if (ima_params.verbose > LOG_INFO)
log_info("\n");
}
@@ -1644,8 +1646,8 @@ static int ima_measurement(const char *file)
return -1;
}
- if (params.keyfile) /* Support multiple public keys */
- init_public_keys(params.keyfile);
+ if (ima_params.keyfile) /* Support multiple public keys */
+ init_public_keys(ima_params.keyfile);
else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der");
@@ -1955,7 +1957,7 @@ int main(int argc, char *argv[])
exit(0);
break;
case 'v':
- params.verbose++;
+ ima_params.verbose++;
break;
case 'd':
digest = 1;
@@ -1969,13 +1971,13 @@ int main(int argc, char *argv[])
sigdump = 1;
break;
case 'a':
- params.hash_algo = optarg;
+ ima_params.hash_algo = optarg;
break;
case 'p':
if (optarg)
- params.keypass = optarg;
+ ima_params.keypass = optarg;
else
- params.keypass = get_password();
+ ima_params.keypass = get_password();
break;
case 'f':
sigfile = 1;
@@ -1986,10 +1988,10 @@ int main(int argc, char *argv[])
hmac_flags |= HMAC_FLAG_NO_UUID;
break;
case '1':
- params.x509 = 0;
+ ima_params.x509 = 0;
break;
case 'k':
- params.keyfile = optarg;
+ ima_params.keyfile = optarg;
break;
case 'i':
if (evm_portable)
diff --git a/src/imaevm.h b/src/imaevm.h
index 0414433..81596cb 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -50,8 +50,10 @@
#include <openssl/rsa.h>
#ifdef USE_FPRINTF
-#define do_log(level, fmt, args...) ({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
-#define do_log_dump(level, p, len, cr) ({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
+#define do_log(level, fmt, args...) \
+ ({ if (level <= ima_params.verbose) fprintf(stderr, fmt, ##args); })
+#define do_log_dump(level, p, len, cr) \
+ ({ if (level <= ima_params.verbose) ima_do_hexdump(stderr, p, len, cr); })
#else
#define do_log(level, fmt, args...) syslog(level, fmt, ##args)
#define do_log_dump(level, p, len, cr)
@@ -188,7 +190,7 @@ struct signature_v2_hdr {
uint8_t sig[0]; /* signature payload */
} __packed;
-struct libevm_params {
+struct libimaevm_params {
int verbose;
int x509;
const char *hash_algo;
@@ -204,10 +206,10 @@ struct RSA_ASN1_template {
#define NUM_PCRS 20
#define DEFAULT_PCR 10
-extern struct libevm_params params;
+extern struct libimaevm_params ima_params;
-void do_dump(FILE *fp, const void *ptr, int len, bool cr);
-void dump(const void *ptr, int len);
+void ima_do_hexdump(FILE *fp, const void *ptr, int len, bool cr);
+void ima_hexdump(const void *ptr, int len);
int ima_calc_hash(const char *file, uint8_t *hash);
int get_hash_algo(const char *algo);
RSA *read_pub_key(const char *keyfile, int x509);
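Review bot: The prefixes introduced in this hunk do not agree with each other: the struct tag becomes `libimaevm_params` while the exported object becomes `ima_params` and the helpers `ima_do_hexdump`/`ima_hexdump`, and `get_hash_algo` and `read_pub_key` keep their generic names even though they are exported from the same header. Since the aim is to keep library symbols from colliding with other globals, one prefix on every exported name would be the consistent choice, e.g. `extern struct libimaevm_params imaevm_params;` and `int imaevm_get_hash_algo(const char *algo);`. A one-line comment above the `extern` stating that this is process-wide mutable library state (it is written by the option parser and, per the libimaevm.c hunks in this patch, by the verification path) would also help callers who now link against the renamed symbol.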
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2d99570..f83a347 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -81,7 +81,7 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
[PKEY_HASH_STREEBOG_512] = "streebog512",
};
-struct libevm_params params = {
+struct libimaevm_params ima_params = {
.verbose = LOG_INFO - 1,
.x509 = 1,
.hash_algo = "sha1",
@@ -89,7 +89,7 @@ struct libevm_params params = {
static void __attribute__ ((constructor)) libinit(void);
-void do_dump(FILE *fp, const void *ptr, int len, bool cr)
+void ima_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
{
int i;
uint8_t *data = (uint8_t *) ptr;
@@ -100,9 +100,9 @@ void do_dump(FILE *fp, const void *ptr, int len, bool cr)
fprintf(fp, "\n");
}
-void dump(const void *ptr, int len)
+void ima_hexdump(const void *ptr, int len)
{
- do_dump(stdout, ptr, len, true);
+ ima_do_hexdump(stdout, ptr, len, true);
}
const char *get_hash_algo_by_id(int algo)
@@ -258,9 +258,10 @@ int ima_calc_hash(const char *file, uint8_t *hash)
goto err;
}
- md = EVP_get_digestbyname(params.hash_algo);
+ md = EVP_get_digestbyname(ima_params.hash_algo);
if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
+ log_err("EVP_get_digestbyname(%s) failed\n",
+ ima_params.hash_algo);
err = 1;
goto err;
}
@@ -500,8 +501,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
const EVP_MD *md;
const char *st;
- if (params.verbose > LOG_INFO) {
- log_info("hash(%s): ", params.hash_algo);
+ if (ima_params.verbose > LOG_INFO) {
+ log_info("hash(%s): ", ima_params.hash_algo);
log_dump(hash, size);
}
@@ -521,7 +522,7 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
if (!EVP_PKEY_verify_init(ctx))
goto err;
st = "EVP_get_digestbyname";
- if (!(md = EVP_get_digestbyname(params.hash_algo)))
+ if (!(md = EVP_get_digestbyname(ima_params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
@@ -610,7 +611,7 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
const char *key = NULL;
/* Read pubkey from RSA key */
- if (!params.keyfile)
+ if (!ima_params.keyfile)
key = "/etc/keys/pubkey_evm.pem";
return verify_hash_v1(file, hash, size, sig, siglen, key);
} else if (sig[0] == DIGSIG_VERSION_2) {
@@ -636,7 +637,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return -1;
}
/* Use hash algorithm as retrieved from signature */
- params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+ ima_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
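Review bot: The renamed line `ima_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);` stores a value derived from the signature blob being verified into library-global state that the signing and EVM-hash paths in this same patch also read, so a verify call silently overrides whatever the caller selected with `-a`. Now that the object is an exported library symbol, that side effect deserves a comment on the assignment, e.g. `/* NOTE: overrides the caller's hash_algo for the rest of the process */`, or better a local variable passed down to the verification helper. I cannot see from this hunk whether a NULL return from `get_hash_algo_by_id` is rejected before `hash_algo` is later handed to `EVP_get_digestbyname`; if it is not, that check belongs here. The body of `ima_verify_signature` begins and ends outside the hunk.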
/*
* Validate the signature based on the digest included in the
@@ -708,7 +709,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
id = __be64_to_cpup((__be64 *) keyid);
sprintf(str, "%llX", (unsigned long long)id);
- if (params.verbose > LOG_INFO)
+ if (ima_params.verbose > LOG_INFO)
log_info("keyid-v1: %s\n", str);
}
@@ -736,7 +737,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
log_debug_dump(keyid, 4);
sprintf(str, "%x", __be32_to_cpup(keyid));
- if (params.verbose > LOG_INFO)
+ if (ima_params.verbose > LOG_INFO)
log_info("keyid: %s\n", str);
X509_PUBKEY_free(pk);
@@ -826,7 +827,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
log_info("hash: ");
log_dump(hash, size);
- key = read_priv_key(keyfile, params.keypass);
+ key = read_priv_key(keyfile, ima_params.keypass);
if (!key)
return -1;
@@ -909,10 +910,10 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
return -1;
}
- log_info("hash(%s): ", params.hash_algo);
+ log_info("hash(%s): ", ima_params.hash_algo);
log_dump(hash, size);
- pkey = read_priv_pkey(keyfile, params.keypass);
+ pkey = read_priv_pkey(keyfile, ima_params.keypass);
if (!pkey)
return -1;
@@ -931,7 +932,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch
if (!EVP_PKEY_sign_init(ctx))
goto err;
st = "EVP_get_digestbyname";
- if (!(md = EVP_get_digestbyname(params.hash_algo)))
+ if (!(md = EVP_get_digestbyname(ima_params.hash_algo)))
goto err;
st = "EVP_PKEY_CTX_set_signature_md";
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
@@ -962,10 +963,11 @@ err:
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
{
if (keypass)
- params.keypass = keypass;
+ ima_params.keypass = keypass;
- return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
- sign_hash_v1(hashalgo, hash, size, keyfile, sig);
+ return ima_params.x509 ?
+ sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
+ sign_hash_v1(hashalgo, hash, size, keyfile, sig);
}
static void libinit()
--
2.11.0