ChangeLog

@@ -1,12 +1,3 @@
-2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
-
-	version 1.0
-	* Recursive hashing
-	* Immutable EVM signatures (experimental)
-	* Command 'ima_clear' to remove xattrs
-	* Support for passing password to the library
-	* Support for asking password safely from the user
-
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 
 	version 0.9

README

@@ -142,7 +142,7 @@ EVM encrypted key is used for EVM HMAC calculation:
     keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
 
     # create the EVM encrypted key
-    keyctl add encrypted evm-key "new user:kmk 64" @u
+    keyctl add encrypted evm-key "new user:kmk 32" @u
     keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
 
 
@@ -403,7 +403,7 @@ When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for im
 
 Latest version of keyctl allows to import X509 public key certificates:
 
-    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
+    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' @ima_id
 
 
 FILES

build-static.sh

@@ -1,4 +0,0 @@
-#!/bin/sh
-
-gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl
-

configure.ac

@@ -1,7 +1,7 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 1.0, dmitry.kasatkin@huawei.com)
+AC_INIT(ima-evm-utils, 0.9, d.kasatkin@samsung.com)
 AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

packaging/ima-evm-utils.spec

@@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	1.0
+Version:	0.9
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries

src/evmctl.c

@@ -54,7 +54,6 @@
 #include <getopt.h>
 #include <keyutils.h>
 #include <ctype.h>
-#include <termios.h>
 
 #include <openssl/sha.h>
 #include <openssl/pem.h>
@@ -104,24 +103,14 @@ static int digest;
 static int digsig;
 static int sigfile;
 static char *uuid_str;
-static char *ino_str;
-static char *uid_str;
-static char *gid_str;
-static char *mode_str;
-static char *generation_str;
-static char *caps_str;
-static char *ima_str;
-static char *selinux_str;
 static char *search_type;
 static int recursive;
 static int msize;
 static dev_t fs_dev;
-static bool evm_immutable;
 
-#define HMAC_FLAG_NO_UUID	0x0001
+#define HMAC_FLAG_UUID			0x0001
-#define HMAC_FLAG_CAPS_SET	0x0002
+#define HMAC_FLAG_UUID_SET		0x0002
-
+static unsigned long hmac_flags = HMAC_FLAG_UUID;
-static unsigned long hmac_flags;
 
 typedef int (*find_cb_t)(const char *path);
 static int find(const char *path, int dts, find_cb_t func);
@@ -209,7 +198,7 @@ static int hex_to_bin(char ch)
 	return -1;
 }
 
-static int hex2bin(void *dst, const char *src, size_t count)
+static int hex2bin(uint8_t *dst, const char *src, size_t count)
 {
 	int hi, lo;
 
@@ -223,7 +212,7 @@ static int hex2bin(void *dst, const char *src, size_t count)
 		if ((hi < 0) || (lo < 0))
 			return -1;
 
-		*(uint8_t *)dst++ = (hi << 4) | lo;
+		*dst++ = (hi << 4) | lo;
 	}
 	return 0;
 }
@@ -284,7 +273,7 @@ static int get_uuid(struct stat *st, char *uuid)
 	FILE *fp;
 	size_t len;
 
-	if (uuid_str)
+	if (hmac_flags & HMAC_FLAG_UUID_SET)
 		return pack_uuid(uuid_str, uuid);
 
 	dev = st->st_dev;
@@ -329,37 +318,24 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return -1;
 	}
 
-	if (generation_str)
+	if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
-		generation = strtoul(generation_str, NULL, 10);
+		/* we cannot at the momement to get generation of special files..
-	if (ino_str)
+		 * kernel API does not support it */
-		st.st_ino = strtoul(ino_str, NULL, 10);
+		int fd = open(file, 0);
-	if (uid_str)
-		st.st_uid = strtoul(uid_str, NULL, 10);
-	if (gid_str)
-		st.st_gid = strtoul(gid_str, NULL, 10);
-	if (mode_str)
-		st.st_mode = strtoul(mode_str, NULL, 10);
 
-	if (!evm_immutable) {
+		if (fd < 0) {
-		if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) {
+			log_err("Failed to open: %s\n", file);
-			/* we cannot at the momement to get generation of
+			return -1;
-			   special files kernel API does not support it */
-			int fd = open(file, 0);
-
-			if (fd < 0) {
-				log_err("Failed to open: %s\n", file);
-				return -1;
-			}
-			if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
-				log_err("ioctl() failed\n");
-				close(fd);
-				return -1;
-			}
-			close(fd);
 		}
-		log_info("generation: %u\n", generation);
+		if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
+			log_err("ioctl() failed\n");
+			return -1;
+		}
+		close(fd);
 	}
 
+	log_info("generation: %u\n", generation);
+
 	list_size = llistxattr(file, list, sizeof(list));
 	if (list_size < 0) {
 		log_err("llistxattr() failed\n");
@@ -373,27 +349,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 	}
 
 	for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
-		if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) {
+		err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
-			strcpy(xattr_value, selinux_str);
+		if (err < 0) {
-			err = strlen(selinux_str) + 1;
+			log_info("no xattr: %s\n", *xattrname);
-		} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
+			continue;
-			hex2bin(xattr_value, ima_str, strlen(ima_str) / 2);
+		}
-			err = strlen(ima_str) / 2;
+		if (!find_xattr(list, list_size, *xattrname)) {
-		} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
+			log_info("skipping xattr: %s\n", *xattrname);
-			if (!caps_str)
+			continue;
-				continue;
-			strcpy(xattr_value, caps_str);
-			err = strlen(caps_str);
-		} else {
-			err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
-			if (err < 0) {
-				log_info("no xattr: %s\n", *xattrname);
-				continue;
-			}
-			if (!find_xattr(list, list_size, *xattrname)) {
-				log_info("skipping xattr: %s\n", *xattrname);
-				continue;
-			}
 		}
 		/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
 		log_info("name: %s, size: %d\n", *xattrname, err);
@@ -407,14 +370,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 
 	memset(&hmac_misc, 0, sizeof(hmac_misc));
 
-	if (evm_immutable) {
+	if (msize == 0) {
-		struct h_misc_digsig *hmac = (struct h_misc_digsig *)&hmac_misc;
-
-		hmac_size = sizeof(*hmac);
-		hmac->uid = st.st_uid;
-		hmac->gid = st.st_gid;
-		hmac->mode = st.st_mode;
-	} else if (msize == 0) {
 		struct h_misc *hmac = (struct h_misc *)&hmac_misc;
 
 		hmac_size = sizeof(*hmac);
@@ -452,7 +408,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return 1;
 	}
 
-	if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) {
+	if (hmac_flags & HMAC_FLAG_UUID) {
 		err = get_uuid(&st, uuid);
 		if (err)
 			return -1;
@@ -483,7 +439,7 @@ static int sign_evm(const char *file, const char *key)
 	if (len <= 1)
 		return len;
 
-	len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
+	len = sign_hash("sha1", hash, len, key, sig + 1);
 	if (len <= 1)
 		return len;
 
@@ -491,9 +447,6 @@ static int sign_evm(const char *file, const char *key)
 	len++;
 	sig[0] = EVM_IMA_XATTR_DIGSIG;
 
-	if (evm_immutable)
-		sig[1] = 3; /* immutable signature version */
-
 	if (sigdump || params.verbose >= LOG_INFO)
 		dump(sig, len);
 
@@ -546,6 +499,19 @@ static int hash_ima(const char *file)
 	return 0;
 }
 
+static int cmd_hash_ima(struct command *cmd)
+{
+	char *file = g_argv[optind++];
+
+	if (!file) {
+		log_err("Parameters missing\n");
+		print_usage(cmd);
+		return -1;
+	}
+
+	return hash_ima(file);
+}
+
 static int sign_ima(const char *file, const char *key)
 {
 	unsigned char hash[64];
@@ -556,7 +522,7 @@ static int sign_ima(const char *file, const char *key)
 	if (len <= 1)
 		return len;
 
-	len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
+	len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
 	if (len <= 1)
 		return len;
 
@@ -611,39 +577,9 @@ static int get_file_type(const char *path, const char *search_type)
 	return dts;
 }
 
-static int do_cmd(struct command *cmd, find_cb_t func)
-{
-	char *path = g_argv[optind++];
-	int err, dts = REG_MASK; /* only regular files by default */
-
-	if (!path) {
-		log_err("Parameters missing\n");
-		print_usage(cmd);
-		return -1;
-	}
-
-	if (recursive) {
-		if (search_type) {
-			dts = get_file_type(path, search_type);
-			if (dts < 0)
-				return dts;
-		}
-		err = find(path, dts, func);
-	} else {
-		err = func(path);
-	}
-
-	return err;
-}
-
-static int cmd_hash_ima(struct command *cmd)
-{
-	return do_cmd(cmd, hash_ima);
-}
-
 static int sign_ima_file(const char *file)
 {
-	const char *key;
+	char *key;
 
 	key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
 
@@ -652,13 +588,32 @@ static int sign_ima_file(const char *file)
 
 static int cmd_sign_ima(struct command *cmd)
 {
-	return do_cmd(cmd, sign_ima_file);
+	char *file = g_argv[optind++];
+	int err, dts = REG_MASK; /* only regular files by default */
+
+	if (!file) {
+		log_err("Parameters missing\n");
+		print_usage(cmd);
+		return -1;
+	}
+
+	if (recursive) {
+		if (search_type) {
+			dts = get_file_type(file, search_type);
+			if (dts < 0)
+				return dts;
+		}
+		err = find(file, dts, sign_ima_file);
+	} else {
+		err = sign_ima_file(file);
+	}
+
+	return err;
 }
 
 static int cmd_sign_hash(struct command *cmd)
 {
-	const char *key;
+	char *key, *token, *line = NULL;
-	char *token, *line = NULL;
 	int hashlen = 0;
 	size_t line_len;
 	ssize_t len;
@@ -680,7 +635,7 @@ static int cmd_sign_hash(struct command *cmd)
 
 		hex2bin(hash, line, hashlen);
 		siglen = sign_hash(params.hash_algo, hash, hashlen/2,
-				 key, NULL, sig + 1);
+				 key, sig + 1);
 		if (siglen <= 1)
 			return siglen;
 
@@ -701,7 +656,7 @@ static int cmd_sign_hash(struct command *cmd)
 
 static int sign_evm_path(const char *file)
 {
-	const char *key;
+	char *key;
 	int err;
 
 	key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@@ -723,7 +678,27 @@ static int sign_evm_path(const char *file)
 
 static int cmd_sign_evm(struct command *cmd)
 {
-	return do_cmd(cmd, sign_evm_path);
+	char *path = g_argv[optind++];
+	int err, dts = REG_MASK; /* only regular files by default */
+
+	if (!path) {
+		log_err("Parameters missing\n");
+		print_usage(cmd);
+		return -1;
+	}
+
+	if (recursive) {
+		if (search_type) {
+			dts = get_file_type(path, search_type);
+			if (dts < 0)
+				return dts;
+		}
+		err = find(path, dts, sign_evm_path);
+	} else {
+		err = sign_evm_path(path);
+	}
+
+	return err;
 }
 
 static int verify_evm(const char *file)
@@ -768,12 +743,7 @@ static int verify_ima(const char *file)
 	unsigned char sig[1024];
 	int len;
 
-	if (sigfile) {
+	if (xattr) {
-		void *tmp = file2bin(file, "sig", &len);
-
-		memcpy(sig, tmp, len);
-		free(tmp);
-	} else {
 		len = lgetxattr(file, "security.ima", sig, sizeof(sig));
 		if (len < 0) {
 			log_err("getxattr failed: %s\n", file);
@@ -781,6 +751,13 @@ static int verify_ima(const char *file)
 		}
 	}
 
+	if (sigfile) {
+		void *tmp = file2bin(file, "sig", &len);
+
+		memcpy(sig, tmp, len);
+		free(tmp);
+	}
+
 	return ima_verify_signature(file, sig, len);
 }
 
@@ -797,38 +774,6 @@ static int cmd_verify_ima(struct command *cmd)
 	return verify_ima(file);
 }
 
-static int cmd_convert(struct command *cmd)
-{
-	char *inkey;
-	unsigned char _pub[1024], *pub = _pub;
-	int len, err = 0;
-	char name[20];
-	uint8_t keyid[8];
-	RSA *key;
-
-	params.x509 = 0;
-
-	inkey = g_argv[optind++];
-	if (!inkey) {
-		inkey = params.x509 ? "/etc/keys/x509_evm.der" :
-				      "/etc/keys/pubkey_evm.pem";
-	}
-
-	key = read_pub_key(inkey, params.x509);
-	if (!key)
-		return 1;
-
-	len = key2bin(key, pub);
-	calc_keyid_v1(keyid, name, pub, len);
-
-	bin2file(inkey, "bin", pub, len);
-	bin2file(inkey, "keyid", (const unsigned char *)name, strlen(name));
-
-	RSA_free(key);
-	return err;
-}
-
-
 static int cmd_import(struct command *cmd)
 {
 	char *inkey, *ring = NULL;
@@ -951,7 +896,6 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 		}
 		if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
 			log_err("ioctl() failed\n");
-			close(fd);
 			goto out;
 		}
 		close(fd);
@@ -1068,7 +1012,7 @@ static int hmac_evm(const char *file, const char *key)
 
 static int cmd_hmac_evm(struct command *cmd)
 {
-	const char *key, *file = g_argv[optind++];
+	char *key, *file = g_argv[optind++];
 	int err;
 
 	if (!file) {
@@ -1185,22 +1129,29 @@ static int find(const char *path, int dts, find_cb_t func)
 
 static int cmd_ima_fix(struct command *cmd)
 {
-	return do_cmd(cmd, ima_fix);
+	char *path = g_argv[optind++];
+	int err, dts = REG_MASK; /* only regular files by default */
+
+	if (!path) {
+		log_err("Parameters missing\n");
+		print_usage(cmd);
+		return -1;
+	}
+
+	if (recursive) {
+		if (search_type) {
+			dts = get_file_type(path, search_type);
+			if (dts < 0)
+				return dts;
+		}
+		err = find(path, dts, ima_fix);
+	} else {
+		err = ima_fix(path);
+	}
+
+	return err;
 }
 
-static int ima_clear(const char *path)
-{
-	log_info("%s\n", path);
-	lremovexattr(path, "security.ima");
-	lremovexattr(path, "security.evm");
-
-	return 0;
-}
-
-static int cmd_ima_clear(struct command *cmd)
-{
-	return do_cmd(cmd, ima_clear);
-}
 
 static char *pcrs = "/sys/class/misc/tpm0/device/pcrs";
 
@@ -1208,7 +1159,6 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
 {
 	FILE *fp;
 	char *p, pcr_str[7], buf[70]; /* length of the TPM string */
-	int result = -1;
 
 	sprintf(pcr_str, "PCR-%d", idx);
 
@@ -1224,12 +1174,11 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
 			break;
 		if (!strncmp(p, pcr_str, 6)) {
 			hex2bin(pcr, p + 7, len);
-			result = 0;
+			return 0;
-			break;
 		}
 	}
 	fclose(fp);
-	return result;
+	return -1;
 }
 
 #define TCG_EVENT_NAME_LEN_MAX	255
@@ -1527,14 +1476,6 @@ static void usage(void)
 		"      --smack        use extra SMACK xattrs for EVM\n"
 		"      --m32          force EVM hmac/signature for 32 bit target system\n"
 		"      --m64          force EVM hmac/signature for 64 bit target system\n"
-		"      --ino          use custom inode for EVM\n"
-		"      --uid          use custom UID for EVM\n"
-		"      --gid          use custom GID for EVM\n"
-		"      --mode         use custom Mode for EVM\n"
-		"      --generation   use custom Generation for EVM(unspecified: from FS, empty: use 0)\n"
-		"      --ima          use custom IMA signature for EVM\n"
-		"      --selinux      use custom Selinux label for EVM\n"
-		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 		"  -v                 increase verbosity level\n"
 		"  -h, --help         display this help and exit\n"
 		"\n");
@@ -1544,16 +1485,14 @@ struct command cmds[] = {
 	{"--version", NULL, 0, ""},
 	{"help", cmd_help, 0, "<command>"},
 	{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
-	{"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
+	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
-	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
 	{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
-	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
+	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass password] file", "Make file content signature.\n"},
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
 	{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
-	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
+	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass password]", "Sign hashes from shaXsum output.\n"},
-	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
 #ifdef DEBUG
 	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
@@ -1565,7 +1504,7 @@ static struct option opts[] = {
 	{"imasig", 0, 0, 's'},
 	{"imahash", 0, 0, 'd'},
 	{"hashalgo", 1, 0, 'a'},
-	{"pass", 2, 0, 'p'},
+	{"pass", 1, 0, 'p'},
 	{"sigfile", 0, 0, 'f'},
 	{"uuid", 2, 0, 'u'},
 	{"rsa", 0, 0, '1'},
@@ -1574,54 +1513,12 @@ static struct option opts[] = {
 	{"recursive", 0, 0, 'r'},
 	{"m32", 0, 0, '3'},
 	{"m64", 0, 0, '6'},
-	{"smack", 0, 0, 128},
+	{"smack", 0, 0, 256},
-	{"version", 0, 0, 129},
+	{"version", 0, 0, 257},
-	{"inode", 1, 0, 130},
-	{"uid", 1, 0, 131},
-	{"gid", 1, 0, 132},
-	{"mode", 1, 0, 133},
-	{"generation", 1, 0, 134},
-	{"ima", 1, 0, 135},
-	{"selinux", 1, 0, 136},
-	{"caps", 2, 0, 137},
 	{}
 
 };
 
-static char *get_password(void)
-{
-	struct termios flags, tmp_flags;
-	char *password, *pwd;
-	int passlen = 64;
-
-	password = malloc(passlen);
-	if (!password) {
-		perror("malloc");
-		return NULL;
-	}
-
-	tcgetattr(fileno(stdin), &flags);
-	tmp_flags = flags;
-	tmp_flags.c_lflag &= ~ECHO;
-	tmp_flags.c_lflag |= ECHONL;
-
-	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
-		perror("tcsetattr");
-		return NULL;
-	}
-
-	printf("PEM password: ");
-	pwd = fgets(password, passlen, stdin);
-
-	/* restore terminal */
-	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
-		perror("tcsetattr");
-		return NULL;
-	}
-
-	return pwd;
-}
-
 int main(int argc, char *argv[])
 {
 	int err = 0, c, lind;
@@ -1630,7 +1527,7 @@ int main(int argc, char *argv[])
 	g_argc = argc;
 
 	while (1) {
-		c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind);
+		c = getopt_long(argc, argv, "hvnsda:p:fu::k:t:r", opts, &lind);
 		if (c == -1)
 			break;
 
@@ -1657,18 +1554,18 @@ int main(int argc, char *argv[])
 			params.hash_algo = optarg;
 			break;
 		case 'p':
-			if (optarg)
+			params.keypass = optarg;
-				params.keypass = optarg;
-			else
-				params.keypass = get_password();
 			break;
 		case 'f':
 			sigfile = 1;
+			xattr = 0;
 			break;
 		case 'u':
 			uuid_str = optarg;
-			if (!uuid_str)
+			if (uuid_str)
-				hmac_flags |= HMAC_FLAG_NO_UUID;
+				hmac_flags |= HMAC_FLAG_UUID_SET;
+			else
+				hmac_flags &= ~HMAC_FLAG_UUID;
 			break;
 		case '1':
 			params.x509 = 0;
@@ -1676,9 +1573,6 @@ int main(int argc, char *argv[])
 		case 'k':
 			params.keyfile = optarg;
 			break;
-		case 'i':
-			evm_immutable = true;
-			break;
 		case 't':
 			search_type = optarg;
 			break;
@@ -1691,38 +1585,13 @@ int main(int argc, char *argv[])
 		case '6':
 			msize = 64;
 			break;
-		case 128:
+		case 256:
 			evm_config_xattrnames = evm_extra_smack_xattrs;
 			break;
-		case 129:
+		case 257:
 			printf("evmctl %s\n", VERSION);
 			exit(0);
 			break;
-		case 130:
-			ino_str = optarg;
-			break;
-		case 131:
-			uid_str = optarg;
-			break;
-		case 132:
-			gid_str = optarg;
-			break;
-		case 133:
-			mode_str = optarg;
-			break;
-		case 134:
-			generation_str = optarg;
-			break;
-		case 135:
-			ima_str = optarg;
-			break;
-		case 136:
-			selinux_str = optarg;
-			break;
-		case 137:
-			caps_str = optarg;
-			hmac_flags |= HMAC_FLAG_CAPS_SET;
-			break;
 		case '?':
 			exit(1);
 			break;
@@ -1731,6 +1600,9 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	OpenSSL_add_all_algorithms();
+	ERR_load_crypto_strings();
+
 	if (argv[optind] == NULL)
 		usage();
 	else
@@ -1751,6 +1623,6 @@ int main(int argc, char *argv[])
 
 	ERR_free_strings();
 	EVP_cleanup();
-	BIO_free(NULL);
+
 	return err;
 }

src/imaevm.h

@@ -108,12 +108,6 @@ struct h_misc_64 {
 	unsigned short mode;
 };
 
-struct h_misc_digsig {
-	uid_t uid;
-	gid_t gid;
-	unsigned short mode;
-};
-
 enum pubkey_algo {
 	PUBKEY_ALGO_RSA,
 	PUBKEY_ALGO_MAX,
@@ -178,8 +172,8 @@ struct libevm_params {
 	int verbose;
 	int x509;
 	const char *hash_algo;
-	const char *keyfile;
+	char *keyfile;
-	const char *keypass;
+	char *keypass;
 };
 
 struct RSA_ASN1_template {
@@ -201,7 +195,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
 int key2bin(RSA *key, unsigned char *pub);
 
-int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
 

src/libimaevm.c

@@ -53,7 +53,6 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
-#include <openssl/err.h>
 
 #include "imaevm.h"
 
@@ -131,8 +130,6 @@ struct libevm_params params = {
 	.hash_algo = "sha1",
 };
 
-static void __attribute__ ((constructor)) libinit(void);
-
 void do_dump(FILE *fp, const void *ptr, int len, bool cr)
 {
 	int i;
@@ -214,7 +211,6 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
 	DIR *dir;
 	unsigned long long ino, off;
 	unsigned int type;
-	int result = 0;
 
 	dir = opendir(file);
 	if (!dir) {
@@ -234,14 +230,13 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
 		err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
 		if (!err) {
 			log_err("EVP_DigestUpdate() failed\n");
-			result = 1;
+			return 1;
-			break;
 		}
 	}
 
 	closedir(dir);
 
-	return result;
+	return 0;
 }
 
 static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
@@ -375,7 +370,7 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
 	unsigned char sighash[20];
 	struct signature_hdr *hdr = (struct signature_hdr *)sig;
 
-	log_info("hash-v1: ");
+	log_info("hash: ");
 	log_dump(hash, size);
 
 	key = read_pub_key(keyfile, 0);
@@ -493,7 +488,7 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
 {
-	const char *key;
+	char *key;
 	int x509;
 	verify_hash_fn_t verify_hash;
 
@@ -589,7 +584,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 
 	id = __be64_to_cpup((__be64 *) keyid);
 	sprintf(str, "%llX", (unsigned long long)id);
-	log_info("keyid-v1: %s\n", str);
+	log_info("keyid: %s\n", str);
 }
 
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
@@ -613,7 +608,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
 	free(pkey);
 }
 
-static RSA *read_priv_key(const char *keyfile, const char *keypass)
+static RSA *read_priv_key(const char *keyfile, char *keypass)
 {
 	FILE *fp;
 	RSA *key;
@@ -623,14 +618,9 @@ static RSA *read_priv_key(const char *keyfile, const char *keypass)
 		log_err("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
-	ERR_load_crypto_strings();
+	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
-	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, (void *)keypass);
+	if (!key)
-	if (!key) {
+		log_err("PEM_read_RSAPrivateKey() failed\n");
-		char str[256];
-
-		ERR_error_string(ERR_get_error(), str);
-		log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
-	}
 
 	fclose(fp);
 	return key;
@@ -721,7 +711,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
 	blen = (uint16_t *) (sig + sizeof(*hdr));
 	*blen = __cpu_to_be16(len << 3);
 	len += sizeof(*hdr) + 2;
-	log_info("evm/ima signature-v1: %d bytes\n", len);
+	log_info("evm/ima signature: %d bytes\n", len);
 out:
 	RSA_free(key);
 	return len;
@@ -796,18 +786,8 @@ out:
 	return len;
 }
 
-
+int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
-int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
 {
-	if (keypass)
-		params.keypass = keypass;
-
 	return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
 			     sign_hash_v1(hashalgo, hash, size, keyfile, sig);
 }
-
-static void libinit()
-{
-	OpenSSL_add_all_algorithms();
-	ERR_load_crypto_strings();
-}