Re: [PATCH v2] signature: do not report wrong data for pkc#7 signature

[Lucas De Marchi <lucas.demarchi@intel.com>]

On 11/16/18 12:56 AM, Yauheni Kaliuta wrote:
> when PKC#7 signing method is used the old structure doesn't contain
> any useful data, but the data are encoded in the certificate.
> 
> The info getting/showing code is not aware of that at the moment and
> since 0 is a valid constant, shows, for example, wrong "md4" for the
> hash algo.
> 
> The patch splits the 2 mothods of gethering the info and reports
> "unknown" for the algo.
> 
> Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
> ---
>   libkmod/libkmod-module.c    |  2 +-
>   libkmod/libkmod-signature.c | 59 ++++++++++++++++++++++++++-----------
>   2 files changed, 42 insertions(+), 19 deletions(-)
> ---
> 
> Changelog:
> 
> v1 -> v2:
> 
> changed helper names to verb form.
> 
> diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
> index ee420f4ec2bf..889f26479a98 100644
> --- a/libkmod/libkmod-module.c
> +++ b/libkmod/libkmod-module.c
> @@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
>   	struct kmod_elf *elf;
>   	char **strings;
>   	int i, count, ret = -ENOMEM;
> -	struct kmod_signature_info sig_info;
> +	struct kmod_signature_info sig_info = {};
>   
>   	if (mod == NULL || list == NULL)
>   		return -ENOENT;
> diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
> index 1f3e26dea203..13c426ace901 100644
> --- a/libkmod/libkmod-signature.c
> +++ b/libkmod/libkmod-signature.c
> @@ -92,6 +92,38 @@ struct module_signature {
>   	uint32_t sig_len;    /* Length of signature data (big endian) */
>   };
>   
> +static bool fill_default(const char *mem, off_t size,
> +			 const struct module_signature *modsig, size_t sig_len,
> +			 struct kmod_signature_info *sig_info)
> +{
> +	size -= sig_len;
> +	sig_info->sig = mem + size;
> +	sig_info->sig_len = sig_len;
> +
> +	size -= modsig->key_id_len;
> +	sig_info->key_id = mem + size;
> +	sig_info->key_id_len = modsig->key_id_len;
> +
> +	size -= modsig->signer_len;
> +	sig_info->signer = mem + size;
> +	sig_info->signer_len = modsig->signer_len;
> +
> +	sig_info->algo = pkey_algo[modsig->algo];
> +	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
> +	sig_info->id_type = pkey_id_type[modsig->id_type];
> +
> +	return true;
> +}
> +
> +static bool fill_unknown(const char *mem, off_t size,
> +			 const struct module_signature *modsig, size_t sig_len,
> +			 struct kmod_signature_info *sig_info)
> +{
> +	sig_info->hash_algo = "unknown";
> +	sig_info->id_type = pkey_id_type[modsig->id_type];
> +	return true;
> +}
> +
>   #define SIG_MAGIC "~Module signature appended~\n"
>   
>   /*
> @@ -111,7 +143,7 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
>   	off_t size;
>   	const struct module_signature *modsig;
>   	size_t sig_len;
> -
> +	bool ret;
>   
>   	size = kmod_file_get_size(file);
>   	mem = kmod_file_get_contents(file);
> @@ -134,21 +166,12 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
>   	    size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
>   		return false;
>   
> -	size -= sig_len;
> -	sig_info->sig = mem + size;
> -	sig_info->sig_len = sig_len;
> -
> -	size -= modsig->key_id_len;
> -	sig_info->key_id = mem + size;
> -	sig_info->key_id_len = modsig->key_id_len;
> -
> -	size -= modsig->signer_len;
> -	sig_info->signer = mem + size;
> -	sig_info->signer_len = modsig->signer_len;
> -
> -	sig_info->algo = pkey_algo[modsig->algo];
> -	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
> -	sig_info->id_type = pkey_id_type[modsig->id_type];
> -
> -	return true;
> +	switch (modsig->id_type) {
> +	case PKEY_ID_PKCS7:
> +		ret = fill_unknown(mem, size, modsig, sig_len, sig_info);
> +		break;
> +	default:
> +		ret = fill_default(mem, size, modsig, sig_len, sig_info);
> +	}

I squashed the patch to remove "ret" and just returning inside the switch.

Applied, thanks.

Lucas De Marchi

> +	return ret;
>   }
>