From 3eac3710a985b35b049b2efd078b49f4ad6b4273 Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Thu, 18 Jul 2019 09:49:51 -0400
Subject: [PATCH] ima-evm-utils: log unknown keyid's as errors

Each tima a new unknown key is encountered, emit a message of the format "key #: (unknown keyid)". The individual files using unknown keys are then only logged in verbose mode.

Also update the message emitted to be consistent with other "verification failed" messages.

Signed-off-by: Mimi Zohar

Changlog:
- Incorporated Vitaly's fix to prevent a null dereference in `tail->next`
---
 src/libimaevm.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index f399e75..c45eb2b 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -424,13 +424,29 @@ static struct public_key_entry *public_keys = NULL;
 
 static EVP_PKEY *find_keyid(uint32_t keyid)
 {
-	struct public_key_entry *entry;
+	struct public_key_entry *entry, *tail = public_keys;
+	int i = 1;
 
 	for (entry = public_keys; entry != NULL; entry = entry->next) {
 		if (entry->keyid == keyid)
 			return entry->key;
+		i++;
+		tail = entry;
 	}
-	return NULL;
+
+	/* add unknown keys to list */
+	entry = calloc(1, sizeof(struct public_key_entry));
+	if (!entry) {
+		perror("calloc");
+		return 0;
+	}
+	entry->keyid = keyid;
+	if (tail)
+		tail->next = entry;
+	else
+		public_keys = entry;
+	log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
+	return 0;
 }
 
 void init_public_keys(const char *keyfiles)
@@ -493,8 +509,8 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	if (!pkey) {
 		uint32_t keyid = hdr->keyid;
 
-		log_err("%s: unknown keyid: %x\n", file,
-			__be32_to_cpup(&keyid));
+		log_info("%s: verification failed: unknown keyid %x\n",
+			file, __be32_to_cpup(&keyid));
 		return -1;
 	}
 
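Review bot: The nodes that find_keyid now appends to `public_keys` carry `key == NULL` and nothing marks them as placeholders, so every other walker of the list (init_public_keys and any cleanup routine, both outside this hunk) must now tolerate a NULL `entry->key`, and if a real key with the same keyid were ever added behind the placeholder it would be shadowed by the first-match `return entry->key;`. That invariant deserves a comment at the `/* add unknown keys to list */` line, e.g. `/* placeholder node: key stays NULL so this keyid is logged only once; list walkers must not assume entry->key is set */`. Since `keyid` comes straight from the signature header (`hdr->keyid` in verify_hash_v2), one calloc'd node is created per distinct unknown id and never released in this function, bounded only by the number of files inspected — acceptable for a scanning tool, but worth stating. Lastly, the two new `return 0;` statements return an `EVP_PKEY *`; `return NULL;` matches the line being removed and the rest of the file's pointer convention.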