|
 |
657fb1 |
From 2ea354b4c6c442400e6d06c3b9041bc4603f9784 Mon Sep 17 00:00:00 2001
|
|
|
657fb1 |
From: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
Date: Mon, 20 Apr 2020 14:13:51 -0400
|
|
|
657fb1 |
Subject: [PATCH 29/33] fsverity plugin: Use tag for algorithm
|
|
|
657fb1 |
|
|
|
657fb1 |
This uses the algorithm from the tag, if available. Fallback is SHA256.
|
|
|
657fb1 |
|
|
|
657fb1 |
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
|
|
|
657fb1 |
---
|
|
|
657fb1 |
lib/rpmfi.c | 9 ++++++---
|
|
|
657fb1 |
lib/rpmfi.h | 3 ++-
|
|
|
657fb1 |
lib/rpmfiles.h | 3 ++-
|
|
|
657fb1 |
plugins/fsverity.c | 8 ++++++--
|
|
|
657fb1 |
4 files changed, 16 insertions(+), 7 deletions(-)
|
|
|
657fb1 |
|
|
|
657fb1 |
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
|
|
|
657fb1 |
index 70f05f509..3e2b4e676 100644
|
|
|
657fb1 |
--- a/lib/rpmfi.c
|
|
|
657fb1 |
+++ b/lib/rpmfi.c
|
|
|
657fb1 |
@@ -585,7 +585,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
|
|
|
657fb1 |
return signature;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
|
|
|
657fb1 |
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
|
|
|
657fb1 |
+ uint16_t *algo)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
const unsigned char *vsignature = NULL;
|
|
|
657fb1 |
|
|
|
657fb1 |
@@ -594,6 +595,8 @@ const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
|
|
|
657fb1 |
vsignature = fi->veritysigs + (fi->veritysiglength * ix);
|
|
|
657fb1 |
if (len)
|
|
|
657fb1 |
*len = fi->veritysiglength;
|
|
|
657fb1 |
+ if (algo)
|
|
|
657fb1 |
+ *algo = fi->verityalgo;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
return vsignature;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
@@ -1963,9 +1966,9 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *len)
|
|
|
657fb1 |
return rpmfilesFSignature(fi->files, fi ? fi->i : -1, len);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len)
|
|
|
657fb1 |
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len, uint16_t *algo)
|
|
|
657fb1 |
{
|
|
|
657fb1 |
- return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len);
|
|
|
657fb1 |
+ return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len, algo);
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
uint32_t rpmfiFDepends(rpmfi fi, const uint32_t ** fddictp)
|
|
|
657fb1 |
diff --git a/lib/rpmfi.h b/lib/rpmfi.h
|
|
|
657fb1 |
index fcb9d3acd..6fd2747d6 100644
|
|
|
657fb1 |
--- a/lib/rpmfi.h
|
|
|
657fb1 |
+++ b/lib/rpmfi.h
|
|
|
657fb1 |
@@ -194,9 +194,10 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *siglen);
|
|
|
657fb1 |
* Return current verity (binary) signature of file info set iterator.
|
|
|
657fb1 |
* @param fi file info set iterator
|
|
|
657fb1 |
* @retval siglen signature length (pass NULL to ignore)
|
|
|
657fb1 |
+ * @retval algo fsverity algorithm
|
|
|
657fb1 |
* @return current verity signature, NULL on invalid
|
|
|
657fb1 |
*/
|
|
|
657fb1 |
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen);
|
|
|
657fb1 |
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen, uint16_t *algo);
|
|
|
657fb1 |
|
|
|
657fb1 |
/** \ingroup rpmfi
|
|
|
657fb1 |
* Return current file linkto (i.e. symlink(2) target) from file info set iterator.
|
|
|
657fb1 |
diff --git a/lib/rpmfiles.h b/lib/rpmfiles.h
|
|
|
657fb1 |
index 81b3d01a1..64b33281a 100644
|
|
|
657fb1 |
--- a/lib/rpmfiles.h
|
|
|
657fb1 |
+++ b/lib/rpmfiles.h
|
|
|
657fb1 |
@@ -450,7 +450,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len);
|
|
|
657fb1 |
* @retval len signature length (pass NULL to ignore)
|
|
|
657fb1 |
* @return verity signature, NULL on invalid
|
|
|
657fb1 |
*/
|
|
|
657fb1 |
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len);
|
|
|
657fb1 |
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
|
|
|
657fb1 |
+ uint16_t *algo);
|
|
|
657fb1 |
|
|
|
657fb1 |
/** \ingroup rpmfiles
|
|
|
657fb1 |
* Return file rdev from file info set.
|
|
|
657fb1 |
diff --git a/plugins/fsverity.c b/plugins/fsverity.c
|
|
|
657fb1 |
index 15ddcf33e..1e7f38b38 100644
|
|
|
657fb1 |
--- a/plugins/fsverity.c
|
|
|
657fb1 |
+++ b/plugins/fsverity.c
|
|
|
657fb1 |
@@ -39,6 +39,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
|
657fb1 |
struct fsverity_enable_arg arg;
|
|
|
657fb1 |
const unsigned char * signature = NULL;
|
|
|
657fb1 |
size_t len;
|
|
|
657fb1 |
+ uint16_t algo = 0;
|
|
|
657fb1 |
int rc = RPMRC_OK;
|
|
|
657fb1 |
int fd;
|
|
|
657fb1 |
rpmFileAction action = XFO_ACTION(op);
|
|
|
657fb1 |
@@ -75,7 +76,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
|
657fb1 |
goto exit;
|
|
|
657fb1 |
}
|
|
|
657fb1 |
|
|
|
657fb1 |
- signature = rpmfiVSignature(fi, &len;;
|
|
|
657fb1 |
+ signature = rpmfiVSignature(fi, &len, &algo);
|
|
|
657fb1 |
if (!signature || !len) {
|
|
|
657fb1 |
rpmlog(RPMLOG_DEBUG, "fsverity no signature for: path %s dest %s\n",
|
|
|
657fb1 |
path, dest);
|
|
|
657fb1 |
@@ -84,7 +85,10 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
|
|
|
657fb1 |
|
|
|
657fb1 |
memset(&arg, 0, sizeof(arg));
|
|
|
657fb1 |
arg.version = 1;
|
|
|
657fb1 |
- arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
|
|
|
657fb1 |
+ if (algo)
|
|
|
657fb1 |
+ arg.hash_algorithm = algo;
|
|
|
657fb1 |
+ else
|
|
|
657fb1 |
+ arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
|
|
|
657fb1 |
arg.block_size = RPM_FSVERITY_BLKSZ;
|
|
|
657fb1 |
arg.sig_ptr = (uintptr_t)signature;
|
|
|
657fb1 |
arg.sig_size = len;
|
|
|
657fb1 |
--
|
|
|
657fb1 |
2.13.5
|
|
|
657fb1 |
|