From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Stefan Berger <stefanb@linux.ibm.com>, Mimi Zohar <zohar@linux.ibm.com>
Subject: [ima-evm-utils PATCH v3 03/13] Update library function definitions to include a "public_keys" parameter
Date: Thu, 4 Jan 2024 14:05:48 -0500 [thread overview]
Message-ID: <20240104190558.3674008-4-zohar@linux.ibm.com> (raw)
In-Reply-To: <20240104190558.3674008-1-zohar@linux.ibm.com>
Instead of relying on a global static "public_keys" variable, which is
not concurrency-safe, update static library function definitions to
include it as a parameter, define new library functions with it as
a parameter, and deprecate existing functions.
Define imaevm_init_public_keys(), imaevm_verify_hash(), and
ima_verify_signature2() functions. Update static function definitions
to include "public_keys".
To avoid library incompatibility, make the existing functions -
init_public_keys(), verify_hash(), ima_verify_signature() - wrappers
for the new function versions.
Deprecate init_public_keys(), verify_hash(), ima_verify_signature()
functions.
Allow suppressing just the libimevm deprecate warnings by enabling
IMAEVM_SUPPRESS_DEPRECATED.
e.g. configure CFLAGS="-DIMAEVM_SUPPRESS_DEPRECATED"
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/imaevm.h | 21 +++++++++++--
src/libimaevm.c | 82 ++++++++++++++++++++++++++++++++++++-------------
2 files changed, 78 insertions(+), 25 deletions(-)
diff --git a/src/imaevm.h b/src/imaevm.h
index 64f7db79b33a..4fd421f5cd1d 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -232,6 +232,12 @@ struct RSA_ASN1_template {
#define NUM_PCRS 24
#define DEFAULT_PCR 10
+#ifdef IMAEVM_SUPPRESS_DEPRECATED
+#define IMAEVM_DEPRECATED
+#else
+#define IMAEVM_DEPRECATED __attribute__ ((deprecated))
+#endif
+
extern struct libimaevm_params imaevm_params;
struct public_key_entry;
@@ -248,9 +254,18 @@ int key2bin(RSA *key, unsigned char *pub);
uint32_t imaevm_read_keyid(const char *certfile);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
-int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
-int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
-void init_public_keys(const char *keyfiles);
+IMAEVM_DEPRECATED int verify_hash(const char *file, const unsigned char *hash,
+ int size, unsigned char *sig, int siglen);
+IMAEVM_DEPRECATED int ima_verify_signature(const char *file, unsigned char *sig,
+ int siglen, unsigned char *digest,
+ int digestlen);
+IMAEVM_DEPRECATED void init_public_keys(const char *keyfiles);
+
+int ima_verify_signature2(struct public_key_entry *public_keys, const char *file,
+ unsigned char *sig, int siglen,
+ unsigned char *digest, int digestlen);
+int imaevm_init_public_keys(const char *keyfiles,
+ struct public_key_entry **public_keys);
void imaevm_free_public_keys(struct public_key_entry *public_keys);
int imaevm_hash_algo_from_sig(unsigned char *sig);
const char *imaevm_hash_algo_by_id(int algo);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 61f91df02460..9cc83e071610 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -372,12 +372,13 @@ struct public_key_entry {
};
static struct public_key_entry *g_public_keys = NULL;
-static EVP_PKEY *find_keyid(uint32_t keyid)
+static EVP_PKEY *find_keyid(struct public_key_entry *public_keys,
+ uint32_t keyid)
{
- struct public_key_entry *entry, *tail = g_public_keys;
+ struct public_key_entry *entry, *tail = public_keys;
int i = 1;
- for (entry = g_public_keys; entry; entry = entry->next) {
+ for (entry = public_keys; entry; entry = entry->next) {
if (entry->keyid == keyid)
return entry->key;
i++;
@@ -394,7 +395,7 @@ static EVP_PKEY *find_keyid(uint32_t keyid)
if (tail)
tail->next = entry;
else
- g_public_keys = entry;
+ public_keys = entry;
log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
return 0;
}
@@ -412,7 +413,8 @@ void imaevm_free_public_keys(struct public_key_entry *public_keys)
}
}
-void init_public_keys(const char *keyfiles)
+int imaevm_init_public_keys(const char *keyfiles,
+ struct public_key_entry **public_keys)
{
struct public_key_entry *entry;
char *tmp_keyfiles, *keyfiles_free;
@@ -420,6 +422,11 @@ void init_public_keys(const char *keyfiles)
int err = 0;
int i = 1;
+ if (!public_keys)
+ return -EINVAL;
+
+ *public_keys = NULL;
+
tmp_keyfiles = strdup(keyfiles);
keyfiles_free = tmp_keyfiles;
@@ -444,12 +451,19 @@ void init_public_keys(const char *keyfiles)
calc_keyid_v2(&entry->keyid, entry->name, entry->key);
sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid));
log_info("key %d: %s %s\n", i++, entry->name, keyfile);
- entry->next = g_public_keys;
- g_public_keys = entry;
+ entry->next = *public_keys;
+ *public_keys = entry;
}
+
free(keyfiles_free);
if (err < 0)
- imaevm_free_public_keys(g_public_keys);
+ imaevm_free_public_keys(*public_keys);
+ return err;
+}
+
+void init_public_keys(const char *keyfiles)
+{
+ imaevm_init_public_keys(keyfiles, &g_public_keys);
}
/*
@@ -466,7 +480,8 @@ void init_public_keys(const char *keyfiles)
*
* (Note: signature_v2_hdr struct does not contain the 'type'.)
*/
-static int verify_hash_common(const char *file, const unsigned char *hash,
+static int verify_hash_common(struct public_key_entry *public_keys,
+ const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
{
int ret = -1;
@@ -481,7 +496,7 @@ static int verify_hash_common(const char *file, const unsigned char *hash,
log_dump(hash, size);
}
- pkey = find_keyid(hdr->keyid);
+ pkey = find_keyid(public_keys, hdr->keyid);
if (!pkey) {
uint32_t keyid = hdr->keyid;
@@ -543,11 +558,13 @@ err:
*
* Return: 0 verification good, 1 verification bad, -1 error.
*/
-static int verify_hash_v2(const char *file, const unsigned char *hash,
+static int verify_hash_v2(struct public_key_entry *public_keys,
+ const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
{
/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
- return verify_hash_common(file, hash, size, sig + 1, siglen - 1);
+ return verify_hash_common(public_keys, file, hash, size,
+ sig + 1, siglen - 1);
}
/*
@@ -556,7 +573,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash,
*
* Return: 0 verification good, 1 verification bad, -1 error.
*/
-static int verify_hash_v3(const char *file, const unsigned char *hash,
+static int verify_hash_v3(struct public_key_entry *public_keys,
+ const char *file, const unsigned char *hash,
int size, unsigned char *sig, int siglen)
{
unsigned char sigv3_hash[MAX_DIGEST_SIZE];
@@ -567,7 +585,8 @@ static int verify_hash_v3(const char *file, const unsigned char *hash,
return ret;
/* note: signature_v2_hdr does not contain 'type', use sig + 1 */
- return verify_hash_common(file, sigv3_hash, size, sig + 1, siglen - 1);
+ return verify_hash_common(public_keys, file, sigv3_hash, size,
+ sig + 1, siglen - 1);
}
#define HASH_MAX_DIGESTSIZE 64 /* kernel HASH_MAX_DIGESTSIZE is 64 bytes */
@@ -710,8 +729,9 @@ int imaevm_hash_algo_from_sig(unsigned char *sig)
return -1;
}
-int verify_hash(const char *file, const unsigned char *hash, int size,
- unsigned char *sig, int siglen)
+int imaevm_verify_hash(void *public_keys, const char *file,
+ const unsigned char *hash, int size,
+ unsigned char *sig, int siglen)
{
/* Get signature type from sig header */
if (sig[1] == DIGSIG_VERSION_1) {
@@ -730,15 +750,24 @@ int verify_hash(const char *file, const unsigned char *hash, int size,
return -1;
#endif
} else if (sig[1] == DIGSIG_VERSION_2) {
- return verify_hash_v2(file, hash, size, sig, siglen);
+ return verify_hash_v2(public_keys, file, hash, size,
+ sig, siglen);
} else if (sig[1] == DIGSIG_VERSION_3) {
- return verify_hash_v3(file, hash, size, sig, siglen);
+ return verify_hash_v3(public_keys, file, hash, size,
+ sig, siglen);
} else
return -1;
}
-int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
- unsigned char *digest, int digestlen)
+int verify_hash(const char *file, const unsigned char *hash, int size,
+ unsigned char *sig, int siglen)
+{
+ return imaevm_verify_hash(g_public_keys, file, hash, size, sig, siglen);
+}
+
+int ima_verify_signature2(struct public_key_entry *public_keys, const char *file,
+ unsigned char *sig, int siglen,
+ unsigned char *digest, int digestlen)
{
unsigned char hash[MAX_DIGEST_SIZE];
int hashlen, sig_hash_algo;
@@ -766,14 +795,23 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
* measurement list, not by calculating the local file digest.
*/
if (digest && digestlen > 0)
- return verify_hash(file, digest, digestlen, sig, siglen);
+ return imaevm_verify_hash(public_keys, file, digest, digestlen,
+ sig, siglen);
hashlen = ima_calc_hash(file, hash);
if (hashlen <= 1)
return hashlen;
assert(hashlen <= sizeof(hash));
- return verify_hash(file, hash, hashlen, sig, siglen);
+ return imaevm_verify_hash(public_keys, file, hash, hashlen,
+ sig, siglen);
+}
+
+int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
+ unsigned char *digest, int digestlen)
+{
+ return ima_verify_signature2(g_public_keys, file, sig, siglen,
+ digest, digestlen);
}
#if CONFIG_SIGV1
--
2.39.3
next prev parent reply other threads:[~2024-01-04 19:06 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-04 19:05 [ima-evm-utils PATCH v3 00/13] Address non concurrency-safe libimaevm global variables Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 01/13] Rename "public_keys" to "g_public_keys" Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 02/13] Free public keys list Mimi Zohar
2024-01-04 19:05 ` Mimi Zohar [this message]
2024-01-09 16:18 ` [ima-evm-utils PATCH v3 03/13] Update library function definitions to include a "public_keys" parameter Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 04/13] Update imaevm_verify_hash() definition to include "hash_algo" parameter Mimi Zohar
2024-01-09 16:34 ` Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 05/13] Update cmd_verify_ima() to define and use a local list of public keys Mimi Zohar
2024-01-09 16:37 ` Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 06/13] Update cmd_verify_evm " Mimi Zohar
2024-01-09 17:00 ` Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 07/13] Update ima_measurements " Mimi Zohar
2024-01-09 17:07 ` Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 08/13] Define library ima_calc_hash2() function with a hash algorithm parameter Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 09/13] Use a local hash algorithm variable when verifying file signatures Mimi Zohar
2024-01-09 17:21 ` Stefan Berger
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 10/13] Update EVM signature verification to use a local hash algorithm variable Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 11/13] Use a file specific hash algorithm variable for signing files Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 12/13] Update sign_hash_v*() definition to include the key password Mimi Zohar
2024-01-04 19:05 ` [ima-evm-utils PATCH v3 13/13] Define and use a file specific "keypass" variable Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240104190558.3674008-4-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.