From 5a5286ac37cd58779cc0e5b69088d9acc8f40c4e Mon Sep 17 00:00:00 2001
From: Jes Sorensen
Date: Mon, 20 Apr 2020 14:13:51 -0400
Subject: [PATCH 28/33] fsverity plugin: Use tag for algorithm

This uses the algorithm from the tag, if available. Fallback is SHA256.

Signed-off-by: Jes Sorensen
---
 lib/rpmfi.c | 9 ++++++---
 lib/rpmfi.h | 3 ++-
 lib/rpmfiles.h | 3 ++-
 plugins/fsverity.c | 8 ++++++--
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/lib/rpmfi.c b/lib/rpmfi.c
index 70f05f509..3e2b4e676 100644
--- a/lib/rpmfi.c
+++ b/lib/rpmfi.c
@@ -585,7 +585,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
 return signature;
 }
 
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
+ uint16_t *algo)
 {
 const unsigned char *vsignature = NULL;
 
@@ -594,6 +595,8 @@ const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len)
 vsignature = fi->veritysigs + (fi->veritysiglength * ix);
 if (len)
 *len = fi->veritysiglength;
+ if (algo)
+ *algo = fi->verityalgo;
 }
 return vsignature;
 }
@@ -1963,9 +1966,9 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *len)
 return rpmfilesFSignature(fi->files, fi ? fi->i : -1, len);
 }
 
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len)
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *len, uint16_t *algo)
 {
- return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len);
+ return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len, algo);
 }
 
 uint32_t rpmfiFDepends(rpmfi fi, const uint32_t ** fddictp)
diff --git a/lib/rpmfi.h b/lib/rpmfi.h
index fcb9d3acd..6fd2747d6 100644
--- a/lib/rpmfi.h
+++ b/lib/rpmfi.h
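Review bot: `*algo` is written only inside the branch that found a signature (the added `if (algo) *algo = fi->verityalgo;` lines in the -594 hunk), so when rpmfilesVSignature returns NULL the caller's variable keeps whatever it held before; the new plugin code happens to pre-initialize `algo = 0`, but that contract is not stated anywhere. Either clear the out-parameter on every path, e.g. `if (algo) *algo = 0;` next to the existing `*len` handling before the lookup, or document it in the header, e.g. `@retval algo fsverity hash algorithm (pass NULL to ignore); left unchanged when NULL is returned`. rpmfilesVSignature starts before this hunk, so whether `*len` is cleared on the not-found path is not visible either.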
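Review bot: The rewritten `return rpmfilesVSignature(fi->files, fi ? fi->i : -1, len, algo);` in the -1963 hunk dereferences `fi->files` before the `fi ? fi->i : -1` test asks whether `fi` may be NULL, so the null check can never take effect; this is carried over from the removed line and from rpmfiFSignature just above it, but the commit rewrites the line. If a NULL iterator is meant to be tolerated, guard first, `return fi ? rpmfilesVSignature(fi->files, fi->i, len, algo) : NULL;`, otherwise the conditional should go so the code does not suggest a guarantee it does not give.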
@@ -194,9 +194,10 @@ const unsigned char * rpmfiFSignature(rpmfi fi, size_t *siglen);
 * Return current verity (binary) signature of file info set iterator.
 * @param fi file info set iterator
 * @retval siglen signature length (pass NULL to ignore)
+ * @retval algo fsverity algorithm
 * @return current verity signature, NULL on invalid
 */
-const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen);
+const unsigned char * rpmfiVSignature(rpmfi fi, size_t *siglen, uint16_t *algo);
 
 /** \ingroup rpmfi
 * Return current file linkto (i.e. symlink(2) target) from file info set iterator.
diff --git a/lib/rpmfiles.h b/lib/rpmfiles.h
index 81b3d01a1..64b33281a 100644
--- a/lib/rpmfiles.h
+++ b/lib/rpmfiles.h
@@ -450,7 +450,8 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len);
 * @retval len signature length (pass NULL to ignore)
 * @return verity signature, NULL on invalid
 */
-const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len);
+const unsigned char * rpmfilesVSignature(rpmfiles fi, int ix, size_t *len,
+ uint16_t *algo);
 
 /** \ingroup rpmfiles
 * Return file rdev from file info set.
diff --git a/plugins/fsverity.c b/plugins/fsverity.c
index 15ddcf33e..1e7f38b38 100644
--- a/plugins/fsverity.c
+++ b/plugins/fsverity.c
@@ -39,6 +39,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 struct fsverity_enable_arg arg;
 const unsigned char * signature = NULL;
 size_t len;
+ uint16_t algo = 0;
 int rc = RPMRC_OK;
 int fd;
 rpmFileAction action = XFO_ACTION(op);
@@ -75,7 +76,7 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 goto exit;
 }
 
- signature = rpmfiVSignature(fi, &len);
+ signature = rpmfiVSignature(fi, &len, &algo);
 if (!signature || !len) {
 rpmlog(RPMLOG_DEBUG, "fsverity no signature for: path %s dest %s\n",
 path, dest);
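Review bot: The doc block for rpmfilesVSignature in lib/rpmfiles.h is not updated for the new parameter: the -450 hunk adds `uint16_t *algo` to the prototype while the comment above it still lists only `@retval len`. Add ` * @retval algo fsverity hash algorithm (pass NULL to ignore)` there, and make the new `@retval algo fsverity algorithm` line in the lib/rpmfi.h hunk say the same, including that the value is left unchanged when no signature is found. It would also help to name the value space; the plugin feeds it straight into `arg.hash_algorithm`, which suggests the FS_VERITY_HASH_ALG_* numbering, but nothing in these hunks confirms what the tag stores. As written, a reader of rpmfi.h cannot tell that passing NULL for algo is accepted, although rpmfi.c does test for it.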
@@ -84,7 +85,10 @@ static rpmRC fsverity_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 
 memset(&arg, 0, sizeof(arg));
 arg.version = 1;
- arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
+ if (algo)
+ arg.hash_algorithm = algo;
+ else
+ arg.hash_algorithm = FS_VERITY_HASH_ALG_SHA256;
 arg.block_size = RPM_FSVERITY_BLKSZ;
 arg.sig_ptr = (uintptr_t)signature;
 arg.sig_size = len;
-- 
2.27.0
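Review bot: The value read from the package header is copied into the fsverity_enable_arg unchanged by `arg.hash_algorithm = algo;`, with no check that it names an algorithm this plugin is prepared to handle; an unexpected or corrupted tag value would presumably only surface later as a failed enable ioctl, outside this hunk, with nothing in the log tying it to the tag. Because the field comes from the package being installed rather than from the plugin's own configuration, I would validate it against the FS_VERITY_HASH_ALG_* values the plugin supports and log a rejected value, keeping the SHA256 default only for an absent tag (algo == 0) as the commit intends. The enclosing fsverity_fsm_file_prepare starts before this hunk and its exit label is not visible, so the `rc = RPMRC_FAIL; goto exit;` in the sketch assumes exit returns rc, as the earlier `goto exit` with `rc` initialized to RPMRC_OK suggests.
```c
arg.version = 1;
arg.hash_algorithm = algo ? algo : FS_VERITY_HASH_ALG_SHA256;
/* Reject anything outside the algorithms this plugin knows about rather
 * than letting the enable ioctl fail later with no indication why. */
if (arg.hash_algorithm != FS_VERITY_HASH_ALG_SHA256 &&
    arg.hash_algorithm != FS_VERITY_HASH_ALG_SHA512) {
    rpmlog(RPMLOG_ERR, "fsverity unsupported hash algorithm %u for: path %s\n",
           (unsigned)arg.hash_algorithm, path);
    rc = RPMRC_FAIL;
    goto exit;
}
/* … unchanged: block_size, sig_ptr, sig_size … */
```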