Get signature version from the header

Currently we assume the signature version is v1 unless -x is
specified on the evmctl command line. Since the signature version
is recorded in the signature header itself, it is better to read it
from there and not require the user to pass -x during verification.

If user passed -x on command line, then honor it.

Now one can do following.

	evmctl ima_sign -x /tmp/data.txt
	evmctl ima_verify /tmp/data.txt

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Vivek Goyal 2013-07-12 14:52:11 -04:00 committed by Dmitry Kasatkin
parent d9678295b9
commit ab18c60ec1


@ -256,6 +256,7 @@ static int sigfile;
static int modsig;
static char *uuid_str;
static int x509;
static int user_sig_type;
static char *keyfile;
typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
@ -1306,6 +1307,17 @@ static int verify_ima(const char *file)
if (hashlen <= 1)
return hashlen;
/* Get signature type from sig header if user did not enforce it */
if (!user_sig_type) {
if (sig[1] == DIGSIG_VERSION_1)
verify_hash = verify_hash_v1;
else if (sig[1] == DIGSIG_VERSION_2) {
verify_hash = verify_hash_v2;
/* Read pubkey from x509 cert */
x509 = 1;
}
}
/* Determine what key to use for verification*/
key = keyfile ? : x509 ?
"/etc/keys/x509_evm.der" :
@ -1719,6 +1731,7 @@ int main(int argc, char *argv[])
x509 = 1;
sign_hash = sign_hash_v2;
verify_hash = verify_hash_v2;
user_sig_type = 1;
break;
case 'k':
keyfile = optarg;
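Review bot: In the verify_ima hunk, when -x was not given and sig[1] matches neither DIGSIG_VERSION_1 nor DIGSIG_VERSION_2, the new block falls through with verify_hash left at whatever it was before (v1 by default, going by the commit message), so an unknown or corrupted version byte is silently verified as a v1 signature instead of being rejected; add an explicit `else { log_err("Unsupported signature version %d\n", sig[1]); return -1; }` using whatever error helper the file already provides. Since sig is read from the file's xattr, the version byte is attacker-influenced input that now selects both the verification algorithm and the default key path, and the only way to pin the format is -x, which pins it to v2 only; a short comment stating that, e.g. `/* NOTE: header byte is untrusted; it picks the verifier and default key unless -x pins v2 */`, would help the next reader. I cannot see where sig is filled or its length validated, so accessing sig[1] should be confirmed against the xattr length before indexing. verify_ima begins and ends outside this hunk.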