path: root/patches/ima-evm-utils-1.1/0008-evmctl-add-parameter-e-to-set-evm-hash-algo.patch

From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Date: Tue, 8 Mar 2016 13:46:14 +0100
Subject: [PATCH] evmctl: add parameter -e to set evm hash algo

The paramter -a sets the hash algorithm only for IMA. To not break
anything, add a new parameter -e to be able to change the hash for
EVM, too.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 src/evmctl.c    | 27 +++++++++++++++++++++++----
 src/imaevm.h    |  1 +
 src/libimaevm.c |  1 +
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index b0f3b6362528..5d664005e915 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -336,6 +336,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 #else
 	pctx = EVP_MD_CTX_new();
 #endif
+	const EVP_MD *md;
 
 	if (lstat(file, &st)) {
 		log_err("Failed to stat: %s\n", file);
@@ -379,7 +380,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return -1;
 	}
 
-	err = EVP_DigestInit(pctx, EVP_sha1());
+	md = EVP_get_digestbyname(params.evm_hash_algo);
+	if (!md) {
+		log_err("EVP_get_digestbyname() failed\n");
+		return 1;
+	}
+
+	err = EVP_DigestInit(pctx, md);
 	if (!err) {
 		log_err("EVP_DigestInit() failed\n");
 		return 1;
@@ -503,7 +510,7 @@ static int sign_evm(const char *file, const char *key)
 	if (len <= 1)
 		return len;
 
-	len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
+	len = sign_hash(params.evm_hash_algo, hash, len, key, NULL, sig + 1);
 	if (len <= 1)
 		return len;
 
@@ -992,6 +999,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 #else
 	pctx = HMAC_CTX_new();
 #endif
+	const EVP_MD *md;
 
 	key = file2bin(keyfile, NULL, &keylen);
 	if (!key) {
@@ -1038,7 +1046,13 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 		goto out;
 	}
 
-	err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), EVP_sha1(), NULL);
+	md = EVP_get_digestbyname(params.evm_hash_algo);
+	if (!md) {
+		log_err("EVP_get_digestbyname() failed\n");
+		return 1;
+	}
+
+	err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), md, NULL);
 	if (err) {
 		log_err("HMAC_Init() failed\n");
 		goto out;
@@ -1635,6 +1649,7 @@ static void usage(void)
 	printf(
 		"\n"
 		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512\n"
+		"  -e, --evmhashalgo  sha1 (default), sha224, sha256, sha384, sha512\n"
 		"  -s, --imasig       make IMA signature\n"
 		"  -d, --imahash      make IMA hash\n"
 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
@@ -1691,6 +1706,7 @@ static struct option opts[] = {
 	{"imasig", 0, 0, 's'},
 	{"imahash", 0, 0, 'd'},
 	{"hashalgo", 1, 0, 'a'},
+	{"evmhashalgo", 1, 0, 'e'},
 	{"pass", 2, 0, 'p'},
 	{"sigfile", 0, 0, 'f'},
 	{"uuid", 2, 0, 'u'},
@@ -1758,7 +1774,7 @@ int main(int argc, char *argv[])
 	g_argc = argc;
 
 	while (1) {
-		c = getopt_long(argc, argv, "hvnsda:op::fu::k:t:ri", opts, &lind);
+		c = getopt_long(argc, argv, "hvnsda:e:op::fu::k:t:ri", opts, &lind);
 		if (c == -1)
 			break;
 
@@ -1784,6 +1800,9 @@ int main(int argc, char *argv[])
 		case 'a':
 			params.hash_algo = optarg;
 			break;
+		case 'e':
+			params.evm_hash_algo = optarg;
+			break;
 		case 'p':
 			if (optarg)
 				params.keypass = optarg;
diff --git a/src/imaevm.h b/src/imaevm.h
index 1bafaad0f4ab..ed92e4d8981d 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -179,6 +179,7 @@ struct libevm_params {
 	int verbose;
 	int x509;
 	const char *hash_algo;
+	const char *evm_hash_algo;
 	const char *keyfile;
 	const char *keypass;
 };
diff --git a/src/libimaevm.c b/src/libimaevm.c
index b6c328801708..4c093a038b72 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -129,6 +129,7 @@ struct libevm_params params = {
 	.verbose = LOG_INFO - 1,
 	.x509 = 1,
 	.hash_algo = "sha1",
+	.evm_hash_algo = "sha1",
 };
 
 static void __attribute__ ((constructor)) libinit(void);