From 5a5286ac37cd58779cc0e5b69088d9acc8f40c4e Mon Sep 17 00:00:00 2001
From: Jes Sorensen <jsorensen@fb.com>
Date: Mon, 20 Apr 2020 14:13:51 -0400
Subject: [PATCH 28/33] fsverity plugin: Use tag for algorithm
This uses the algorithm from the tag, if available. Fallback is SHA256.
Signed-off-by: Jes Sorensen <jsorensen@fb.com>
---
lib/rpmfi.c | 9 ++++++---
lib/rpmfi.h | 3 ++-
lib/rpmfiles.h | 3 ++-
plugins/fsverity.c | 8 ++++++--
4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/lib/rpmfi.c b/lib/rpmfi.c
index 70f05f509..3e2b4e676 100644
--- a/lib/rpmfi.c
+++ b/lib/rpmfi.c
@@ -585,7 +585,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
return signature;
}
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
+ uint16_t *algo)
{
const unsigned char *vsignature = NULL;
@@ -594,6 +595,8 @@ const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
vsignature = fi->veritysigs + (fi->veritysiglength * ix);
if (len)
*len = fi->veritysiglength;
+ if (algo)
+ *algo = fi->verityalgo;
}
return vsignature;
}
@@ -1963,9 +1966,9 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *len)
return rpmfilesFSignature(fi->files, fi ? fi->i : -1, len);
}
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len)
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len, uint16_t *algo)
{
- return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len);
+ return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len, algo);
}
uint32_t rpmfiFDepends(rpmfi fi, const uint32_t ** fddictp)
diff --git a/lib/rpmfi.h b/lib/rpmfi.h
index fcb9d3acd..6fd2747d6 100644
--- a/lib/rpmfi.h
+++ b/lib/rpmfi.h
@@ -194,9 +194,10 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *siglen);
* Return current verity (binary) signature of file info set iterator.
* @param fi file info set iterator
* @retval siglen signature length (pass NULL to ignore)
+ * @retval algo fsverity algorithm
* @return current verity signature, NULL on invalid
*/
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen);
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen, uint16_t *algo);
/** \ingroup rpmfi
* Return current file linkto (i.e. symlink(2) target) from file info set iterator.
diff --git a/lib/rpmfiles.h b/lib/rpmfiles.h
index 81b3d01a1..64b33281a 100644
--- a/lib/rpmfiles.h
+++ b/lib/rpmfiles.h
@@ -450,7 +450,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len);
* @retval len signature length (pass NULL to ignore)
* @return verity signature, NULL on invalid
*/
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len);
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
+ uint16_t *algo);
/** \ingroup rpmfiles
* Return file rdev from file info set.
diff --git a/plugins/fsverity.c b/plugins/fsverity.c
index 15ddcf33e..1e7f38b38 100644
--- a/plugins/fsverity.c
+++ b/plugins/fsverity.c
@@ -39,6 +39,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
struct fsverity_enable_arg arg;
const unsigned char * signature = NULL;
size_t len;
+ uint16_t algo = 0;
int rc = RPMRC_OK;
int fd;
rpmFileAction action = XFO_ACTION(op);
@@ -75,7 +76,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
goto exit;
}
- signature = rpmfiVSignature(fi, &len);
+ signature = rpmfiVSignature(fi, &len, &algo);
if (!signature || !len) {
rpmlog(RPMLOG_DEBUG, "fsverity no signature for: path %s dest %s\n",
path, dest);
@@ -84,7 +85,10 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
memset(&arg, 0, sizeof(arg));
arg.version = 1;
- arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
+ if (algo)
+ arg.hash_algorithm = algo;
+ else
+ arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
arg.block_size = RPM_FSVERITY_BLKSZ;
arg.sig_ptr = (uintptr_t)signature;
arg.sig_size = len;
--
2.27.0