Re: [ima-evm-utils PATCH v2 12/13] Update sign_hash_v*() definition to include the key password

Tue, 02 Jan 2024 05:44:35 -0800 



On 12/6/23 14:27, Mimi Zohar wrote:

The library sign_hash() definition already includes a key password as a
parameter, but it isn't passed on to sign_hash_v*() functions.  Update
the sign_hash_v*() function definitions and callers.

Signed-off-by: Mimi Zohar <zo...@linux.ibm.com>


Reviewed-by: Stefan Berger <stef...@linux.ibm.com>


---
  src/libimaevm.c | 18 ++++++++++--------
  1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 10e1ed3eab4d..9d8f419ae64d 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -1115,7 +1115,8 @@ static int get_hash_algo_v1(const char *algo)
  }

  
  static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,

-                       int size, const char *keyfile, unsigned char *sig)
+                       int size, const char *keyfile, const char *keypass,
+                       unsigned char *sig)
  {
        int len = -1, hashalgo_idx;
        SHA_CTX ctx;
@@ -1149,7 +1150,7 @@ static int sign_hash_v1(const char *hashalgo, const 
unsigned char *hash,
        log_info("hash(%s): ", hashalgo);
        log_dump(hash, size);

  
-	key = read_priv_key(keyfile, imaevm_params.keypass);

+       key = read_priv_key(keyfile, keypass);
        if (!key)
                return -1;

  
@@ -1202,7 +1203,8 @@ out:

   * Return: -1 signing error, >0 length of signature
   */
  static int sign_hash_v2(const char *algo, const unsigned char *hash,
-                       int size, const char *keyfile, unsigned char *sig)
+                       int size, const char *keyfile, const char *keypass,
+                       unsigned char *sig)
  {
        struct signature_v2_hdr *hdr;
        int len = -1;
@@ -1237,7 +1239,7 @@ static int sign_hash_v2(const char *algo, const unsigned 
char *hash,
        log_info("hash(%s): ", algo);
        log_dump(hash, size);

  
-	pkey = read_priv_pkey(keyfile, imaevm_params.keypass);

+       pkey = read_priv_pkey(keyfile, keypass);
        if (!pkey)
                return -1;

  
@@ -1307,14 +1309,14 @@ err:
  
  int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)

  {
-       if (keypass)
-               imaevm_params.keypass = keypass;
+       if (!keypass)   /* Avoid breaking existing libimaevm usage */
+               keypass = imaevm_params.keypass;

  
  	if (imaevm_params.x509)

-               return sign_hash_v2(hashalgo, hash, size, keyfile, sig);
+               return sign_hash_v2(hashalgo, hash, size, keyfile, keypass, 
sig);
  #if CONFIG_SIGV1
        else
-               return sign_hash_v1(hashalgo, hash, size, keyfile, sig);
+               return sign_hash_v1(hashalgo, hash, size, keyfile, keypass, 
sig);
  #endif
        log_info("Signature version 1 deprecated.");
        return -1;
























					Reply via email to