ima_verify: ignore -n flag

"evmutil ima_verify -n <some file>" disabled using xattrs without enabling
using a signature file, resulting in the use of uninitialized memory in
ima_verify_signature() and thus unpredictable results.

Such a mode of operation makes no sense, so interpret -n as
documented ("print result to stdout instead of setting xattr") and ignore it
during ima_verify. Instead, switch between the two verification modes only
via the global sigfile variable.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

src/evmctl.c

@@ -734,19 +734,17 @@ static int verify_ima(const char *file)
 	unsigned char sig[1024];
 	int len;
 
-	if (xattr) {
-		len = lgetxattr(file, "security.ima", sig, sizeof(sig));
-		if (len < 0) {
-			log_err("getxattr failed: %s\n", file);
-			return len;
-		}
-	}
-
 	if (sigfile) {
 		void *tmp = file2bin(file, "sig", &len);
 
 		memcpy(sig, tmp, len);
 		free(tmp);
+	} else {
+		len = lgetxattr(file, "security.ima", sig, sizeof(sig));
+		if (len < 0) {
+			log_err("getxattr failed: %s\n", file);
+			return len;
+		}
 	}
 
 	return ima_verify_signature(file, sig, len);
@@ -1582,7 +1580,6 @@ int main(int argc, char *argv[])
 			break;
 		case 'f':
 			sigfile = 1;
-			xattr = 0;
 			break;
 		case 'u':
 			uuid_str = optarg;