From 6a712b3b3871d6a170667602b0a747631fc5534b Mon Sep 17 00:00:00 2001
From: Mimi Zohar
Date: Fri, 3 Jul 2015 09:13:58 -0400
Subject: [PATCH] Add support for passing the private key password to sign_hash()
evmctl defines the "--pass | -p" command line option for providing the private key's password. The password is then stored in a global variable accessible by the sign_hash_XXXX() functions. This patch modifies the arguments to the library sign_hash() function to include the password, allowing callers to specify the private key password.
Changelog:
- add library init to call OpenSSL_add_all_algorithms
Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 9 +++------
 src/imaevm.h | 2 +-
 src/libimaevm.c | 24 +++++++++++++++++++++---
 3 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index c29c1cb..3097494 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -448,7 +448,7 @@ static int sign_evm(const char *file, const char *key)
 if (len <= 1)
 return len;
- len = sign_hash("sha1", hash, len, key, sig + 1);
+ len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
 if (len <= 1)
 return len;
@@ -521,7 +521,7 @@ static int sign_ima(const char *file, const char *key)
 if (len <= 1)
 return len;
- len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
+ len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
 if (len <= 1)
 return len;
@@ -644,7 +644,7 @@ static int cmd_sign_hash(struct command *cmd)
 hex2bin(hash, line, hashlen);
 siglen = sign_hash(params.hash_algo, hash, hashlen/2,
- key, sig + 1);
+ key, NULL, sig + 1);
 if (siglen <= 1)
 return siglen;
@@ -1586,9 +1586,6 @@ int main(int argc, char *argv[])
 }
 }
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-
 if (argv[optind] == NULL)
 usage();
 else
diff --git a/src/imaevm.h b/src/imaevm.h
index f37ca0a..31358ed 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
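Review bot: The `NULL` keypass passed in sign_evm(), sign_ima() and cmd_sign_hash() is not a "no password" value: with the `if (keypass) params.keypass = keypass;` added to sign_hash() in libimaevm.c, NULL leaves whatever `params.keypass` already holds, so these call sites work only because evmctl's `--pass` handling has already stored the password in that global, as the commit message describes. That coupling is invisible at the call, so the first site deserves a comment, e.g. `/* NULL: keep the password --pass already stored in params.keypass */`; the two later sign_hash() calls in this file have the same dependency. Each enclosing function starts and ends outside its hunk.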
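Review bot: Removing `OpenSSL_add_all_algorithms()` and `ERR_load_crypto_strings()` from main() makes evmctl depend entirely on the library's `__attribute__((constructor))` libinit() having run before the first crypto call. That holds for GCC/Clang builds, but on a toolchain without constructor support the digest and cipher lookups would presumably start failing only at runtime with no obvious cause. If that portability matters, an explicit, idempotent initialization entry point in the library's public API would make the dependency visible instead of implicit. main() continues outside the hunk.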
@@ -201,7 +201,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
 int key2bin(RSA *key, unsigned char *pub);
-int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, char *keypass, unsigned char *sig);
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2ce819f..ecd43c9 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 #include "imaevm.h"
@@ -130,6 +131,8 @@ struct libevm_params params = {
 .hash_algo = "sha1",
 };
+static void __attribute__ ((constructor)) libinit(void);
 void do_dump(FILE *fp, const void *ptr, int len, bool cr)
 {
 int i;
@@ -618,9 +621,14 @@ static RSA *read_priv_key(const char *keyfile, char *keypass)
 log_err("Failed to open keyfile: %s\n", keyfile);
 return NULL;
 }
+ ERR_load_crypto_strings();
 key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
- if (!key)
- log_err("PEM_read_RSAPrivateKey() failed\n");
+ if (!key) {
+ char str[256];
+
+ ERR_error_string(ERR_get_error(), str);
+ log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
+ }
 fclose(fp);
 return key;
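Review bot: The new `char *keypass` parameter in the sign_hash() prototype carries a contract the header does not state: the library stores the pointer itself (`params.keypass = keypass` in libimaevm.c), not a copy, so the caller's buffer must stay valid for any later sign_hash() call, and passing NULL leaves a previously supplied password in place rather than clearing it. A comment above the prototype, `/* keypass: retained by pointer for later calls; NULL keeps the previously set password */`, would stop callers from handing in a buffer that goes out of scope or assuming NULL means "unencrypted key". If the pointer is only ever forwarded to PEM_read_RSAPrivateKey(), `const char *` would match `keyfile`, but that depends on the declared type of `params.keypass`, which is outside this patch.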
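Review bot: The `ERR_load_crypto_strings();` added to read_priv_key() runs on every key load although the same patch adds a constructor, libinit() in libimaevm.c, that already loads the strings once at library load, so this line is redundant and can be dropped. For the message itself, prefer the bounded form `ERR_error_string_n(ERR_get_error(), str, sizeof str);` so the buffer size is tied to the declaration of `str` rather than to the 256-byte minimum ERR_error_string() assumes. read_priv_key() starts outside the hunk.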
@@ -786,8 +794,18 @@ out:
 return len;
 }
-int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
+
+int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, char *keypass, unsigned char *sig)
 {
+ if (keypass)
+ params.keypass = keypass;
+
 return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
 sign_hash_v1(hashalgo, hash, size, keyfile, sig);
 }
+
+static void libinit()
+{
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+}
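Review bot: `if (keypass) params.keypass = keypass;` makes the new parameter write-only state: a caller can never clear the password once set, and a later call with NULL silently reuses the earlier pointer, which dangles if that caller's buffer has since been freed or left scope. Since evmctl relies on NULL preserving the `--pass` value, keep the semantics but document them on the definition, `/* keypass: stored by pointer in params for the v1/v2 signers; NULL keeps the current value */`, and consider resetting `params.keypass` after signing if library callers are expected to pass short-lived buffers; whether sign_hash_v1()/sign_hash_v2() actually read the password through params is not visible here and should be confirmed. Separately, `static void libinit()` should be `static void libinit(void)` to match the `(void)` prototype declared earlier in the file, since an empty parameter list in a definition is not a prototype in C11.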