From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo
Date: Mon, 29 Jul 2019 09:18:07 +0300 [thread overview]
Message-ID: <20190729061807.3278-1-vt@altlinux.org> (raw)
Previously, EVM verify required the `--hashalgo' option, while IMA
ima_verify did not.
Allow EVM verify to determine the hash algo from the signature.
Also, this makes two previously static functions exported and renames
them:
get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
get_hash_algo_by_id -> imaevm_hash_algo_by_id
This is needed because EVM hash is calculated (in calc_evm_hash) outside
of library.
imaevm_hash_algo_by_id() will now return NULL if algo is not found.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/evmctl.c | 18 +++++++++++++-----
src/imaevm.h | 2 ++
src/libimaevm.c | 10 +++++-----
3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 0f821e4..e7e5fbf 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -810,14 +810,10 @@ static int verify_evm(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
+ int sig_hash_algo;
int mdlen;
int len;
- mdlen = calc_evm_hash(file, hash);
- if (mdlen <= 1)
- return mdlen;
- assert(mdlen <= sizeof(hash));
-
len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
@@ -829,6 +825,18 @@ static int verify_evm(const char *file)
return -1;
}
+ sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
+ if (sig_hash_algo < 0) {
+ log_err("unknown hash algo: %s\n", file);
+ return -1;
+ }
+ imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
+
+ mdlen = calc_evm_hash(file, hash);
+ if (mdlen <= 1)
+ return mdlen;
+ assert(mdlen <= sizeof(hash));
+
return verify_hash(file, hash, mdlen, sig + 1, len - 1);
}
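Review bot: `imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);` stores the result without a NULL check, and this same patch makes that function return NULL for an id it does not recognise (src/libimaevm.c, `return NULL;` in place of `"unknown"`), so an unexpected algorithm id in the xattr now hands calc_evm_hash a NULL algorithm name where it previously got a harmless unknown string. Guard the assignment: `imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);` followed by `if (!imaevm_params.hash_algo) { log_err("unknown hash algo: %s\n", file); return -1; }`. The same unchecked assignment is in ima_verify_signature in the src/libimaevm.c hunk at @@ -632, and should get the same guard. Separately, `sig + 1` is parsed here with only the `len < 0` check visible in the previous hunk; if no minimum-length check exists in the lines between the two hunks, a very short xattr may make the parser read bytes of `sig` that lgetxattr never filled — please confirm. verify_evm begins in the previous hunk.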
diff --git a/src/imaevm.h b/src/imaevm.h
index b881d92..30e9730 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -223,5 +223,7 @@ int sign_hash(const char *algo, const unsigned char *hash, int size, const char
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles);
+int imaevm_hash_algo_from_sig(unsigned char *sig);
+const char *imaevm_hash_algo_by_id(int algo);
#endif
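Review bot: The two new public declarations carry no documentation, and the NULL-on-unknown return of `imaevm_hash_algo_by_id()` is a contract callers must know about, since this patch changes it from returning the string "unknown". Add a comment above each: for `imaevm_hash_algo_by_id`, that it maps a signature hash-algorithm id to its name and returns NULL when the id is not known; for `imaevm_hash_algo_from_sig`, that `sig` is the signature header as the callers in this patch pass it (`sig + 1`, past the xattr type byte) and that a negative return means the header is not recognised. Since `imaevm_hash_algo_from_sig` now becomes part of the library interface, consider declaring it `const unsigned char *sig` before the signature is frozen, if its body (outside this diff) only reads through the pointer.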
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4f4b207..c35a47d 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -105,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
imaevm_do_hexdump(stdout, ptr, len, true);
}
-static const char *get_hash_algo_by_id(int algo)
+const char *imaevm_hash_algo_by_id(int algo)
{
if (algo < PKEY_HASH__LAST)
return pkey_hash_algo[algo];
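Review bot: `if (algo < PKEY_HASH__LAST) return pkey_hash_algo[algo];` has no lower bound, and `algo` is a signed int, so a negative id indexes before `pkey_hash_algo` — an out-of-bounds read. Both callers in this patch reject negative ids first, but the function is now exported and any library user can call it directly, so the guard belongs in the function itself: `if (algo < 0) return NULL;` at the top of the body, consistent with the `return NULL` this patch introduces for unknown ids further down. The function body continues past this hunk.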
@@ -113,7 +113,7 @@ static const char *get_hash_algo_by_id(int algo)
return hash_algo_name[algo];
log_err("digest %d not found\n", algo);
- return "unknown";
+ return NULL;
}
/* Output all remaining openssl error messages. */
@@ -575,7 +575,7 @@ int imaevm_get_hash_algo(const char *algo)
return -1;
}
-static int get_hash_algo_from_sig(unsigned char *sig)
+int imaevm_hash_algo_from_sig(unsigned char *sig)
{
uint8_t hashalgo;
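Review bot: `int imaevm_hash_algo_from_sig(unsigned char *sig)` becomes public API with no length parameter, so the library has no way to bound its read of the signature header; both callers in this patch pass `sig + 1` from an xattr buffer whose length `len` they know but cannot hand over. Exporting is the moment to fix the signature, e.g. `int imaevm_hash_algo_from_sig(const unsigned char *sig, int siglen);` with the body rejecting headers shorter than what it parses, or at least a comment above the definition stating the minimum length the caller must guarantee. The body, including what is read into `uint8_t hashalgo`, continues outside the hunk, so I could not confirm how many bytes it touches.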
@@ -632,13 +632,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return -1;
}
- sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+ sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
if (sig_hash_algo < 0) {
log_err("Invalid signature\n");
return -1;
}
/* Use hash algorithm as retrieved from signature */
- imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+ imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
/*
* Validate the signature based on the digest included in the
--
2.11.0