From: David Howells <dhowells@redhat.com>
To: mmarek@suse.cz, d.kasatkin@samsung.com, rusty@rustcorp.com.au,
vgoyal@redhat.com
Cc: dhowells@redhat.com, keyrings@linux-nfs.org,
linux-security-module@vger.kernel.org, zohar@linux.vnet.ibm.com,
linux-kernel@vger.kernel.org
Subject: [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes
Date: Thu, 20 Nov 2014 16:54:25 +0000 [thread overview]
Message-ID: <20141120165425.5264.24661.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20141120165351.5264.61930.stgit@warthog.procyon.org.uk>
It is possible for a PKCS#7 message to have detached data. However, to verify
the signatures on a PKCS#7 message, we have to be able to digest the data.
Provide a function to supply that data. An error is given if the PKCS#7
message included embedded data.
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/pkcs7_verify.c | 26 ++++++++++++++++++++++++++
include/crypto/pkcs7.h | 3 +++
2 files changed, 29 insertions(+)
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 667064daf66b..c6ee41bfda6e 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -382,3 +382,29 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
return enopkg;
}
EXPORT_SYMBOL_GPL(pkcs7_verify);
+
+/**
+ * pkcs7_supply_detached_data - Supply the data needed to verify a PKCS#7 message
+ * @pkcs7: The PKCS#7 message
+ * @data: The data to be verified
+ * @datalen: The amount of data
+ *
+ * Supply the detached data needed to verify a PKCS#7 message. Note that no
+ * attempt to retain/pin the data is made. That is left to the caller. The
+ * data will not be modified by pkcs7_verify() and will not be freed when the
+ * PKCS#7 message is freed.
+ *
+ * Returns -EINVAL if data is already supplied in the message, 0 otherwise.
+ */
+int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen)
+{
+ if (pkcs7->data) {
+ pr_debug("Data already supplied\n");
+ return -EINVAL;
+ }
+ pkcs7->data = data;
+ pkcs7->data_len = datalen;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(pkcs7_supply_detached_data);
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 691c79172a26..e235ab4957ee 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -34,3 +34,6 @@ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
* pkcs7_verify.c
*/
extern int pkcs7_verify(struct pkcs7_message *pkcs7);
+
+extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen);
next prev parent reply other threads:[~2014-11-20 16:54 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-20 16:53 [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures David Howells
2014-11-20 16:54 ` [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier David Howells
2014-11-21 14:42 ` Vivek Goyal
2014-12-04 12:24 ` Dmitry Kasatkin
2014-12-04 13:02 ` David Howells
2014-11-24 13:35 ` David Howells
2014-11-20 16:54 ` [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier David Howells
2014-11-21 15:33 ` Vivek Goyal
2014-11-24 0:00 ` Mimi Zohar
2014-11-24 11:58 ` [Keyrings] " Mimi Zohar
2014-11-24 16:55 ` David Howells
2014-11-24 17:12 ` Mimi Zohar
2014-11-24 16:58 ` David Howells
2014-11-24 17:33 ` Mimi Zohar
2014-11-24 19:36 ` David Howells
2014-11-20 16:54 ` David Howells [this message]
2014-11-24 11:52 ` [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes Mimi Zohar
2014-11-24 12:48 ` David Howells
2014-11-24 13:43 ` Mimi Zohar
2014-11-24 14:41 ` David Howells
2014-11-24 14:59 ` Mimi Zohar
2014-11-24 15:14 ` David Howells
2014-11-20 16:54 ` [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2014-11-20 16:54 ` [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2014-11-24 14:06 ` Mimi Zohar
2014-11-21 12:59 ` [PATCH 0/5] MODSIGN: Use PKCS#7 for " Dmitry Kasatkin
2014-11-24 9:19 ` Dmitry Kasatkin
2014-11-24 12:52 ` David Howells
2014-11-24 16:13 ` David Howells
2014-11-24 17:14 ` Mimi Zohar
2014-11-24 12:33 ` Dmitry Kasatkin
2014-11-24 12:51 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141120165425.5264.24661.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=d.kasatkin@samsung.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.