From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig
Date: Thu, 26 Oct 2017 16:12:57 -0400 [thread overview]
Message-ID: <1509048777.5886.113.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171018005331.2688-14-bauerman@linux.vnet.ibm.com>
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> IMA will need to access the digest used in the signature so that it can
> verify files containing module-style appended signatures. For this purpose,
> add function pkcs7_get_message_sig.
>
> It will also need to verify an already parsed PKCS#7 message. For this
> purpose, add function verify_pkcs7_message_signature which takes a struct
> pkcs7_message for verification instead of the raw bytes that
> verify_pkcs7_signature takes.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> certs/system_keyring.c | 60 +++++++++++++++++++++++++----------
> crypto/asymmetric_keys/pkcs7_parser.c | 12 +++++++
> include/crypto/pkcs7.h | 2 ++
> include/linux/verification.h | 10 ++++++
> 4 files changed, 68 insertions(+), 16 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 6251d1b27f0c..6a8684959780 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -190,33 +190,26 @@ late_initcall(load_system_certificate_list);
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> /**
> - * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
> * @data: The data to be verified (NULL if expecting internal data).
> * @len: Size of @data.
> - * @raw_pkcs7: The PKCS#7 message that is the signature.
> - * @pkcs7_len: The size of @raw_pkcs7.
> + * @pkcs7: The PKCS#7 message that is the signature.
> * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> * (void *)1UL for all trusted keys).
> * @usage: The use to which the key is being put.
> * @view_content: Callback to gain access to content.
> * @ctx: Context for callback.
> */
> -int verify_pkcs7_signature(const void *data, size_t len,
> - const void *raw_pkcs7, size_t pkcs7_len,
> - struct key *trusted_keys,
> - enum key_being_used_for usage,
> - int (*view_content)(void *ctx,
> - const void *data, size_t len,
> - size_t asn1hdrlen),
> - void *ctx)
> +int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx, const void *data,
> + size_t len, size_t asn1hdrlen),
> + void *ctx)
> {
> - struct pkcs7_message *pkcs7;
> int ret;
>
> - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> - if (IS_ERR(pkcs7))
> - return PTR_ERR(pkcs7);
> -
> /* The data should be detached - so we need to supply it. */
> if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
> pr_err("PKCS#7 signature with non-detached data\n");
> @@ -258,6 +251,41 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
>
> error:
> + pr_devel("<==%s() = %d\n", __func__, ret);
> + return ret;
> +}
> +
> +/**
> + * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * @data: The data to be verified (NULL if expecting internal data).
> + * @len: Size of @data.
> + * @raw_pkcs7: The PKCS#7 message that is the signature.
> + * @pkcs7_len: The size of @raw_pkcs7.
> + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> + * (void *)1UL for all trusted keys).
> + * @usage: The use to which the key is being put.
> + * @view_content: Callback to gain access to content.
> + * @ctx: Context for callback.
> + */
> +int verify_pkcs7_signature(const void *data, size_t len,
> + const void *raw_pkcs7, size_t pkcs7_len,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data, size_t len,
> + size_t asn1hdrlen),
> + void *ctx)
> +{
> + struct pkcs7_message *pkcs7;
> + int ret;
> +
> + pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> + if (IS_ERR(pkcs7))
> + return PTR_ERR(pkcs7);
> +
> + ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
> + view_content, ctx);
> +
> pkcs7_free_message(pkcs7);
> pr_devel("<==%s() = %d\n", __func__, ret);
> return ret;
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index af4cd8649117..e41beda297a8 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -673,3 +673,15 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen,
> return -ENOMEM;
> return 0;
> }
> +
> +/**
> + * pkcs7_get_message_sig - get signature in @pkcs7
> + *
> + * This function doesn't meaningfully support messages with more than one
> + * signature. It will always return the first signature.
> + */
> +const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7)
> +{
> + return pkcs7->signed_infos ? pkcs7->signed_infos->sig : NULL;
> +}
> diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
> index 583f199400a3..6f51d0cb6d12 100644
> --- a/include/crypto/pkcs7.h
> +++ b/include/crypto/pkcs7.h
> @@ -28,6 +28,8 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
> extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
> const void **_data, size_t *_datalen,
> size_t *_headerlen);
> +extern const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7);
>
> /*
> * pkcs7_trust.c
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index a10549a6c7cd..f04dac2728ec 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -29,6 +29,7 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> struct key;
> +struct pkcs7_message;
>
> extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *raw_pkcs7, size_t pkcs7_len,
> @@ -38,6 +39,15 @@ extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *data, size_t len,
> size_t asn1hdrlen),
> void *ctx);
> +extern int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data,
> + size_t len,
> + size_t asn1hdrlen),
> + void *ctx);
>
> #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@redhat.com>,
Rusty Russell <rusty@rustcorp.com.au>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig
Date: Thu, 26 Oct 2017 20:12:57 +0000 [thread overview]
Message-ID: <1509048777.5886.113.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171018005331.2688-14-bauerman@linux.vnet.ibm.com>
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> IMA will need to access the digest used in the signature so that it can
> verify files containing module-style appended signatures. For this purpose,
> add function pkcs7_get_message_sig.
>
> It will also need to verify an already parsed PKCS#7 message. For this
> purpose, add function verify_pkcs7_message_signature which takes a struct
> pkcs7_message for verification instead of the raw bytes that
> verify_pkcs7_signature takes.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> certs/system_keyring.c | 60 +++++++++++++++++++++++++----------
> crypto/asymmetric_keys/pkcs7_parser.c | 12 +++++++
> include/crypto/pkcs7.h | 2 ++
> include/linux/verification.h | 10 ++++++
> 4 files changed, 68 insertions(+), 16 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 6251d1b27f0c..6a8684959780 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -190,33 +190,26 @@ late_initcall(load_system_certificate_list);
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> /**
> - * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
> * @data: The data to be verified (NULL if expecting internal data).
> * @len: Size of @data.
> - * @raw_pkcs7: The PKCS#7 message that is the signature.
> - * @pkcs7_len: The size of @raw_pkcs7.
> + * @pkcs7: The PKCS#7 message that is the signature.
> * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> * (void *)1UL for all trusted keys).
> * @usage: The use to which the key is being put.
> * @view_content: Callback to gain access to content.
> * @ctx: Context for callback.
> */
> -int verify_pkcs7_signature(const void *data, size_t len,
> - const void *raw_pkcs7, size_t pkcs7_len,
> - struct key *trusted_keys,
> - enum key_being_used_for usage,
> - int (*view_content)(void *ctx,
> - const void *data, size_t len,
> - size_t asn1hdrlen),
> - void *ctx)
> +int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx, const void *data,
> + size_t len, size_t asn1hdrlen),
> + void *ctx)
> {
> - struct pkcs7_message *pkcs7;
> int ret;
>
> - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> - if (IS_ERR(pkcs7))
> - return PTR_ERR(pkcs7);
> -
> /* The data should be detached - so we need to supply it. */
> if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
> pr_err("PKCS#7 signature with non-detached data\n");
> @@ -258,6 +251,41 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
>
> error:
> + pr_devel("<=%s() = %d\n", __func__, ret);
> + return ret;
> +}
> +
> +/**
> + * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * @data: The data to be verified (NULL if expecting internal data).
> + * @len: Size of @data.
> + * @raw_pkcs7: The PKCS#7 message that is the signature.
> + * @pkcs7_len: The size of @raw_pkcs7.
> + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> + * (void *)1UL for all trusted keys).
> + * @usage: The use to which the key is being put.
> + * @view_content: Callback to gain access to content.
> + * @ctx: Context for callback.
> + */
> +int verify_pkcs7_signature(const void *data, size_t len,
> + const void *raw_pkcs7, size_t pkcs7_len,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data, size_t len,
> + size_t asn1hdrlen),
> + void *ctx)
> +{
> + struct pkcs7_message *pkcs7;
> + int ret;
> +
> + pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> + if (IS_ERR(pkcs7))
> + return PTR_ERR(pkcs7);
> +
> + ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
> + view_content, ctx);
> +
> pkcs7_free_message(pkcs7);
> pr_devel("<=%s() = %d\n", __func__, ret);
> return ret;
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index af4cd8649117..e41beda297a8 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -673,3 +673,15 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen,
> return -ENOMEM;
> return 0;
> }
> +
> +/**
> + * pkcs7_get_message_sig - get signature in @pkcs7
> + *
> + * This function doesn't meaningfully support messages with more than one
> + * signature. It will always return the first signature.
> + */
> +const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7)
> +{
> + return pkcs7->signed_infos ? pkcs7->signed_infos->sig : NULL;
> +}
> diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
> index 583f199400a3..6f51d0cb6d12 100644
> --- a/include/crypto/pkcs7.h
> +++ b/include/crypto/pkcs7.h
> @@ -28,6 +28,8 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
> extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
> const void **_data, size_t *_datalen,
> size_t *_headerlen);
> +extern const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7);
>
> /*
> * pkcs7_trust.c
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index a10549a6c7cd..f04dac2728ec 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -29,6 +29,7 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> struct key;
> +struct pkcs7_message;
>
> extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *raw_pkcs7, size_t pkcs7_len,
> @@ -38,6 +39,15 @@ extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *data, size_t len,
> size_t asn1hdrlen),
> void *ctx);
> +extern int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data,
> + size_t len,
> + size_t asn1hdrlen),
> + void *ctx);
>
> #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
>
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig
Date: Thu, 26 Oct 2017 16:12:57 -0400 [thread overview]
Message-ID: <1509048777.5886.113.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171018005331.2688-14-bauerman@linux.vnet.ibm.com>
On Tue, 2017-10-17 at 22:53 -0200, Thiago Jung Bauermann wrote:
> IMA will need to access the digest used in the signature so that it can
> verify files containing module-style appended signatures. For this purpose,
> add function pkcs7_get_message_sig.
>
> It will also need to verify an already parsed PKCS#7 message. For this
> purpose, add function verify_pkcs7_message_signature which takes a struct
> pkcs7_message for verification instead of the raw bytes that
> verify_pkcs7_signature takes.
>
> Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> ---
> certs/system_keyring.c | 60 +++++++++++++++++++++++++----------
> crypto/asymmetric_keys/pkcs7_parser.c | 12 +++++++
> include/crypto/pkcs7.h | 2 ++
> include/linux/verification.h | 10 ++++++
> 4 files changed, 68 insertions(+), 16 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 6251d1b27f0c..6a8684959780 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -190,33 +190,26 @@ late_initcall(load_system_certificate_list);
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> /**
> - * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
> * @data: The data to be verified (NULL if expecting internal data).
> * @len: Size of @data.
> - * @raw_pkcs7: The PKCS#7 message that is the signature.
> - * @pkcs7_len: The size of @raw_pkcs7.
> + * @pkcs7: The PKCS#7 message that is the signature.
> * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> * (void *)1UL for all trusted keys).
> * @usage: The use to which the key is being put.
> * @view_content: Callback to gain access to content.
> * @ctx: Context for callback.
> */
> -int verify_pkcs7_signature(const void *data, size_t len,
> - const void *raw_pkcs7, size_t pkcs7_len,
> - struct key *trusted_keys,
> - enum key_being_used_for usage,
> - int (*view_content)(void *ctx,
> - const void *data, size_t len,
> - size_t asn1hdrlen),
> - void *ctx)
> +int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx, const void *data,
> + size_t len, size_t asn1hdrlen),
> + void *ctx)
> {
> - struct pkcs7_message *pkcs7;
> int ret;
>
> - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> - if (IS_ERR(pkcs7))
> - return PTR_ERR(pkcs7);
> -
> /* The data should be detached - so we need to supply it. */
> if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
> pr_err("PKCS#7 signature with non-detached data\n");
> @@ -258,6 +251,41 @@ int verify_pkcs7_signature(const void *data, size_t len,
> }
>
> error:
> + pr_devel("<==%s() = %d\n", __func__, ret);
> + return ret;
> +}
> +
> +/**
> + * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
> + * @data: The data to be verified (NULL if expecting internal data).
> + * @len: Size of @data.
> + * @raw_pkcs7: The PKCS#7 message that is the signature.
> + * @pkcs7_len: The size of @raw_pkcs7.
> + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
> + * (void *)1UL for all trusted keys).
> + * @usage: The use to which the key is being put.
> + * @view_content: Callback to gain access to content.
> + * @ctx: Context for callback.
> + */
> +int verify_pkcs7_signature(const void *data, size_t len,
> + const void *raw_pkcs7, size_t pkcs7_len,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data, size_t len,
> + size_t asn1hdrlen),
> + void *ctx)
> +{
> + struct pkcs7_message *pkcs7;
> + int ret;
> +
> + pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
> + if (IS_ERR(pkcs7))
> + return PTR_ERR(pkcs7);
> +
> + ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
> + view_content, ctx);
> +
> pkcs7_free_message(pkcs7);
> pr_devel("<==%s() = %d\n", __func__, ret);
> return ret;
> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index af4cd8649117..e41beda297a8 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c
> @@ -673,3 +673,15 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen,
> return -ENOMEM;
> return 0;
> }
> +
> +/**
> + * pkcs7_get_message_sig - get signature in @pkcs7
> + *
> + * This function doesn't meaningfully support messages with more than one
> + * signature. It will always return the first signature.
> + */
> +const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7)
> +{
> + return pkcs7->signed_infos ? pkcs7->signed_infos->sig : NULL;
> +}
> diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
> index 583f199400a3..6f51d0cb6d12 100644
> --- a/include/crypto/pkcs7.h
> +++ b/include/crypto/pkcs7.h
> @@ -28,6 +28,8 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
> extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
> const void **_data, size_t *_datalen,
> size_t *_headerlen);
> +extern const struct public_key_signature *pkcs7_get_message_sig(
> + const struct pkcs7_message *pkcs7);
>
> /*
> * pkcs7_trust.c
> diff --git a/include/linux/verification.h b/include/linux/verification.h
> index a10549a6c7cd..f04dac2728ec 100644
> --- a/include/linux/verification.h
> +++ b/include/linux/verification.h
> @@ -29,6 +29,7 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
> #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
>
> struct key;
> +struct pkcs7_message;
>
> extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *raw_pkcs7, size_t pkcs7_len,
> @@ -38,6 +39,15 @@ extern int verify_pkcs7_signature(const void *data, size_t len,
> const void *data, size_t len,
> size_t asn1hdrlen),
> void *ctx);
> +extern int verify_pkcs7_message_sig(const void *data, size_t len,
> + struct pkcs7_message *pkcs7,
> + struct key *trusted_keys,
> + enum key_being_used_for usage,
> + int (*view_content)(void *ctx,
> + const void *data,
> + size_t len,
> + size_t asn1hdrlen),
> + void *ctx);
>
> #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
> extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-10-26 20:12 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-18 0:53 [PATCH v5 00/18] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 01/18] ima: Remove redundant conditional operator Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 02/18] ima: Remove some superfluous parentheses Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 03/18] evm, ima: Remove " Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 04/18] evm, ima: Remove more " Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 05/18] ima: Simplify ima_eventsig_init Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 06/18] ima: Improvements in ima_appraise_measurement Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 07/18] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 08/18] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 09/18] ima: Don't pass xattr value to EVM xattr verification Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 10/18] ima: Store measurement after appraisal Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 11/18] ima: Export func_tokens Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 12/18] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-26 20:12 ` Mimi Zohar
2017-10-26 20:12 ` Mimi Zohar
2017-10-26 20:12 ` Mimi Zohar
2017-10-26 20:12 ` Mimi Zohar
2017-10-26 22:47 ` Thiago Jung Bauermann
2017-10-26 22:47 ` Thiago Jung Bauermann
2017-10-26 22:47 ` Thiago Jung Bauermann
2017-10-26 23:13 ` Mimi Zohar
2017-10-26 23:13 ` Mimi Zohar
2017-10-26 23:13 ` Mimi Zohar
2017-10-18 0:53 ` [PATCH v5 13/18] PKCS#7: Introduce pkcs7_get_message_sig and verify_pkcs7_message_sig Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-26 20:12 ` Mimi Zohar [this message]
2017-10-26 20:12 ` Mimi Zohar
2017-10-26 20:12 ` Mimi Zohar
2017-10-18 0:53 ` [PATCH v5 14/18] integrity: Introduce integrity_keyring_from_id Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 15/18] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 16/18] ima: Add functions to read and verify a modsig signature Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` [PATCH v5 17/18] ima: Implement support for module-style appended signatures Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-31 13:31 ` Mimi Zohar
2017-10-31 13:31 ` Mimi Zohar
2017-10-31 13:31 ` Mimi Zohar
2017-10-31 13:31 ` Mimi Zohar
2017-10-18 0:53 ` [PATCH v5 18/18] ima: Write modsig to the measurement list Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-18 0:53 ` Thiago Jung Bauermann
2017-10-26 20:07 ` Mimi Zohar
2017-10-26 20:07 ` Mimi Zohar
2017-10-26 20:07 ` Mimi Zohar
2017-10-26 20:07 ` Mimi Zohar
2017-10-26 22:02 ` Thiago Jung Bauermann
2017-10-26 22:02 ` Thiago Jung Bauermann
2017-10-26 22:02 ` Thiago Jung Bauermann
2017-10-26 20:53 ` [PATCH v5 00/18] Appended signatures support for IMA appraisal Mimi Zohar
2017-10-26 20:53 ` Mimi Zohar
2017-10-26 20:53 ` Mimi Zohar
2017-10-26 20:53 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1509048777.5886.113.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=bauerman@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=james.l.morris@oracle.com \
--cc=jeyu@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=rusty@rustcorp.com.au \
--cc=serge@hallyn.com \
--cc=takahiro.akashi@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.