Instead of relying on a global static "hash_algo" variable, which is not concurrency-safe, update the imaevm_verify_hash() function definition and callers to include a "hash_algo" parameter as a place holder.
Now with the "hash_algo" parameter, export the imaevm_verify_hash() definition. Signed-off-by: Mimi Zohar <[email protected]> --- src/imaevm.h | 3 +++ src/libimaevm.c | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/imaevm.h b/src/imaevm.h index 4fd421f5cd1d..0b86d28944b3 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -261,6 +261,9 @@ IMAEVM_DEPRECATED int ima_verify_signature(const char *file, unsigned char *sig, int digestlen); IMAEVM_DEPRECATED void init_public_keys(const char *keyfiles); +int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, + const char *hash_algo, const unsigned char *hash, + int size, unsigned char *sig, int siglen); int ima_verify_signature2(struct public_key_entry *public_keys, const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen); diff --git a/src/libimaevm.c b/src/libimaevm.c index 9cc83e071610..a5e9fd5080ac 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -729,9 +729,9 @@ int imaevm_hash_algo_from_sig(unsigned char *sig) return -1; } -int imaevm_verify_hash(void *public_keys, const char *file, - const unsigned char *hash, int size, - unsigned char *sig, int siglen) +int imaevm_verify_hash(struct public_key_entry *public_keys, const char *file, + const char *hash_algo, const unsigned char *hash, + int size, unsigned char *sig, int siglen) { /* Get signature type from sig header */ if (sig[1] == DIGSIG_VERSION_1) { @@ -762,7 +762,8 @@ int imaevm_verify_hash(void *public_keys, const char *file, int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen) { - return imaevm_verify_hash(g_public_keys, file, hash, size, sig, siglen); + return imaevm_verify_hash(g_public_keys, file, NULL, hash, size, + sig, siglen); } int ima_verify_signature2(struct public_key_entry *public_keys, const char *file, @@ -795,15 +796,15 @@ int ima_verify_signature2(struct public_key_entry *public_keys, const char *file * measurement list, not by calculating the local file digest. */ if (digest && digestlen > 0) - return imaevm_verify_hash(public_keys, file, digest, digestlen, - sig, siglen); + return imaevm_verify_hash(public_keys, file, NULL, digest, + digestlen, sig, siglen); hashlen = ima_calc_hash(file, hash); if (hashlen <= 1) return hashlen; assert(hashlen <= sizeof(hash)); - return imaevm_verify_hash(public_keys, file, hash, hashlen, + return imaevm_verify_hash(public_keys, file, NULL, hash, hashlen, sig, siglen); } -- 2.39.3
