Instead of relying on the "imaevm_params.algo" global variable, which is not concurrency-safe, define and use a local variable.
Update static verify_hash_v2(), verify_hash_v3(), and verify_hash_common() function definitions to include a hash algorithm argument. Similarly update ima_verify_signature2() and ima_calc_hash2() to define and use a local hash algorithm variable. Signed-off-by: Mimi Zohar <[email protected]> --- src/libimaevm.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index c14ba7632b61..10e1ed3eab4d 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -484,7 +484,8 @@ __attribute__((deprecated)) void init_public_keys(const char *keyfiles) * (Note: signature_v2_hdr struct does not contain the 'type'.) */ static int verify_hash_common(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { int ret = -1; @@ -495,7 +496,7 @@ static int verify_hash_common(struct public_key_entry *public_keys, const char *st; if (imaevm_params.verbose > LOG_INFO) { - log_info("hash(%s): ", imaevm_params.hash_algo); + log_info("hash(%s): ", hash_algo); log_dump(hash, size); } @@ -526,7 +527,8 @@ static int verify_hash_common(struct public_key_entry *public_keys, if (!EVP_PKEY_verify_init(ctx)) goto err; st = "EVP_get_digestbyname"; - if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) + md = EVP_get_digestbyname(hash_algo); + if (!md) goto err; st = "EVP_PKEY_CTX_set_signature_md"; if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) @@ -562,11 +564,12 @@ err: * Return: 0 verification good, 1 verification bad, -1 error. */ static int verify_hash_v2(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ - return verify_hash_common(public_keys, file, hash, size, + return verify_hash_common(public_keys, file, hash_algo, hash, size, sig + 1, siglen - 1); } @@ -577,19 +580,20 @@ static int verify_hash_v2(struct public_key_entry *public_keys, * Return: 0 verification good, 1 verification bad, -1 error. */ static int verify_hash_v3(struct public_key_entry *public_keys, - const char *file, const unsigned char *hash, + const char *file, const char *hash_algo, + const unsigned char *hash, int size, unsigned char *sig, int siglen) { unsigned char sigv3_hash[MAX_DIGEST_SIZE]; int ret; - ret = calc_hash_sigv3(sig[0], NULL, hash, sigv3_hash); + ret = calc_hash_sigv3(sig[0], hash_algo, hash, sigv3_hash); if (ret < 0) return ret; /* note: signature_v2_hdr does not contain 'type', use sig + 1 */ - return verify_hash_common(public_keys, file, sigv3_hash, size, - sig + 1, siglen - 1); + return verify_hash_common(public_keys, file, hash_algo, sigv3_hash, + size, sig + 1, siglen - 1); } #define HASH_MAX_DIGESTSIZE 64 /* kernel HASH_MAX_DIGESTSIZE is 64 bytes */ @@ -632,8 +636,10 @@ int calc_hash_sigv3(enum evm_ima_xattr_type type, const char *algo, return -EINVAL; } - if (!algo) - algo = imaevm_params.hash_algo; + if (!algo) { + log_err("Hash algorithm unspecified\n"); + return -EINVAL; + } if ((hash_algo = imaevm_get_hash_algo(algo)) < 0) { log_err("Hash algorithm %s not supported\n", algo); @@ -753,10 +759,10 @@ int imaevm_verify_hash(void *public_keys, const char *file, return -1; #endif } else if (sig[1] == DIGSIG_VERSION_2) { - return verify_hash_v2(public_keys, file, hash, size, + return verify_hash_v2(public_keys, file, hash_algo, hash, size, sig, siglen); } else if (sig[1] == DIGSIG_VERSION_3) { - return verify_hash_v3(public_keys, file, hash, size, + return verify_hash_v3(public_keys, file, hash_algo, hash, size, sig, siglen); } else return -1; @@ -766,8 +772,8 @@ __attribute__((deprecated)) int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen) { - return imaevm_verify_hash(g_public_keys, file, NULL, hash, size, - sig, siglen); + return imaevm_verify_hash(g_public_keys, file, imaevm_params.hash_algo, + hash, size, sig, siglen); } int ima_verify_signature2(void *public_keys, const char *file, @@ -776,6 +782,7 @@ int ima_verify_signature2(void *public_keys, const char *file, { unsigned char hash[MAX_DIGEST_SIZE]; int hashlen, sig_hash_algo; + const char *hash_algo; if (sig[0] != EVM_IMA_XATTR_DIGSIG && sig[0] != IMA_VERITY_DIGSIG) { log_err("%s: xattr ima has no signature\n", file); @@ -793,22 +800,23 @@ int ima_verify_signature2(void *public_keys, const char *file, return -1; } /* Use hash algorithm as retrieved from signature */ - imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); + hash_algo = imaevm_hash_algo_by_id(sig_hash_algo); /* * Validate the signature based on the digest included in the * measurement list, not by calculating the local file digest. */ if (digest && digestlen > 0) - return imaevm_verify_hash(public_keys, file, NULL, digest, - digestlen, sig, siglen); + return imaevm_verify_hash(public_keys, file, + hash_algo, digest, digestlen, + sig, siglen); - hashlen = ima_calc_hash(file, hash); + hashlen = ima_calc_hash2(file, hash_algo, hash); if (hashlen <= 1) return hashlen; assert(hashlen <= sizeof(hash)); - return imaevm_verify_hash(public_keys, file, NULL, hash, hashlen, + return imaevm_verify_hash(public_keys, file, hash_algo, hash, hashlen, sig, siglen); } -- 2.39.3
