Get signature version from the header

Currently we assume signature version is v1 until and unless -x is
specified on kernel command line. Given the fact that signature version
information is available in signature itself, it is much better to get
it from there and not require user to pass -x during verification phase.

If user passed -x on command line, then honor it.

Now one can do following.

	evmctl ima_sign -x /tmp/data.txt
	evmctl ima_verify /tmp/data.txt

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

diff --git a/src/evmctl.c b/src/evmctl.c
index da9d86c..9a36def 100644 (file)
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -256,6 +256,7 @@ static int sigfile;
 static int modsig;
 static char *uuid_str;
 static int x509;
+static int user_sig_type;
 static char *keyfile;
 
 typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
@@ -1306,6 +1307,17 @@ static int verify_ima(const char *file)
        if (hashlen <= 1)
                return hashlen;
 
+       /* Get signature type from sig header if user did not enforce it */
+       if (!user_sig_type) {
+               if (sig[1] == DIGSIG_VERSION_1)
+                       verify_hash = verify_hash_v1;
+               else if (sig[1] == DIGSIG_VERSION_2) {
+                       verify_hash = verify_hash_v2;
+                       /* Read pubkey from x509 cert */
+                       x509 = 1;
+               }
+       }
+
        /* Determine what key to use for verification*/
        key = keyfile ? : x509 ?
                        "/etc/keys/x509_evm.der" :
@@ -1719,6 +1731,7 @@ int main(int argc, char *argv[])
                        x509 = 1;
                        sign_hash = sign_hash_v2;
                        verify_hash = verify_hash_v2;
+                       user_sig_type = 1;
                        break;
                case 'k':
                        keyfile = optarg;