ima-evm-utils: log unknown keyid's as errors

Each tima a new unknown key is encountered, emit a message of the format "key #: <keyid> (unknown keyid)". The individual files using unknown keys are then only logged in verbose mode. Also update the message emitted to be consistent with other "verification failed" messages. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Changlog: - Incorporated Vitaly's fix to prevent a null dereference in `tail->next`
2025-04-27 22:32:31 +02:00 · 2019-07-18 09:49:51 -04:00 · 2019-07-18 09:49:51 -04:00 · 3eac3710a9
commit 3eac3710a9
parent 15afdbeae7
1 changed files with 20 additions and 4 deletions
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -424,13 +424,29 @@ static struct public_key_entry *public_keys = NULL;

 static EVP_PKEY *find_keyid(uint32_t keyid)
 {
-	struct public_key_entry *entry;
+	struct public_key_entry *entry, *tail = public_keys;
+	int i = 1;

 	for (entry = public_keys; entry != NULL; entry = entry->next) {
 		if (entry->keyid == keyid)
 			return entry->key;
+		i++;
+		tail = entry;
 	}
-	return NULL;
+
+	/* add unknown keys to list */
+	entry = calloc(1, sizeof(struct public_key_entry));
+	if (!entry) {
+		perror("calloc");
+		return 0;
+	}
+	entry->keyid = keyid;
+	if (tail)
+		tail->next = entry;
+	else
+		public_keys = entry;
+	log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
+	return 0;
 }

 void init_public_keys(const char *keyfiles)
@ -493,8 +509,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	if (!pkey) {
 		uint32_t keyid = hdr->keyid;

-		log_err("%s: unknown keyid: %x\n", file,
-			__be32_to_cpup(&keyid));
+		log_info("%s: verification failed: unknown keyid %x\n",
+			 file, __be32_to_cpup(&keyid));
 		return -1;
 	}