linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
	linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	Mimi Zohar <zohar@linux.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Jessica Yu <jeyu@kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Jonathan Corbet <corbet@lwn.net>,
	"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
	Thiago Jung Bauermann <bauerman@linux.ibm.com>
Subject: [PATCH v10 03/12] PKCS#7: Introduce pkcs7_get_digest()
Date: Thu, 18 Apr 2019 00:51:11 -0300	[thread overview]
Message-ID: <20190418035120.2354-4-bauerman@linux.ibm.com> (raw)
In-Reply-To: <20190418035120.2354-1-bauerman@linux.ibm.com>

IMA will need to access the digest of the PKCS7 message (as calculated by
the kernel) before the signature is verified, so introduce
pkcs7_get_digest() for that purpose.

Also, modify pkcs7_digest() to detect when the digest was already
calculated so that it doesn't have to do redundant work. Verifying that
sinfo->sig->digest isn't NULL is sufficient because both places which
allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info())
use kzalloc() so sig->digest is always initialized to zero.

Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
---
 crypto/asymmetric_keys/pkcs7_verify.c | 33 +++++++++++++++++++++++++++
 include/crypto/pkcs7.h                |  4 ++++
 2 files changed, 37 insertions(+)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 97c77f66b20d..5c3de46b0b73 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -16,6 +16,7 @@
 #include <linux/err.h>
 #include <linux/asn1.h>
 #include <crypto/hash.h>
+#include <crypto/hash_info.h>
 #include <crypto/public_key.h>
 #include "pkcs7_parser.h"
 
@@ -33,6 +34,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
 
 	kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo);
 
+	/* The digest was calculated already. */
+	if (sig->digest)
+		return 0;
+
 	if (!sinfo->sig->hash_algo)
 		return -ENOPKG;
 
@@ -122,6 +127,34 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
 	return ret;
 }
 
+int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u32 *len,
+		     enum hash_algo *hash_algo)
+{
+	struct pkcs7_signed_info *sinfo = pkcs7->signed_infos;
+	int i, ret;
+
+	/*
+	 * This function doesn't support messages with more than one signature.
+	 */
+	if (sinfo == NULL || sinfo->next != NULL)
+		return -EBADMSG;
+
+	ret = pkcs7_digest(pkcs7, sinfo);
+	if (ret)
+		return ret;
+
+	*buf = sinfo->sig->digest;
+	*len = sinfo->sig->digest_size;
+
+	for (i = 0; i < HASH_ALGO__LAST; i++)
+		if (!strcmp(hash_algo_name[i], sinfo->sig->hash_algo)) {
+			*hash_algo = i;
+			break;
+		}
+
+	return 0;
+}
+
 /*
  * Find the key (X.509 certificate) to use to verify a PKCS#7 message.  PKCS#7
  * uses the issuer's name and the issuing certificate serial number for
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 583f199400a3..3bfe6829eaae 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -13,6 +13,7 @@
 #define _CRYPTO_PKCS7_H
 
 #include <linux/verification.h>
+#include <linux/hash_info.h>
 #include <crypto/public_key.h>
 
 struct key;
@@ -44,4 +45,7 @@ extern int pkcs7_verify(struct pkcs7_message *pkcs7,
 extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
 				      const void *data, size_t datalen);
 
+extern int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf,
+			    u32 *len, enum hash_algo *hash_algo);
+
 #endif /* _CRYPTO_PKCS7_H */


  parent reply	other threads:[~2019-04-18  3:52 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-18  3:51 [PATCH v10 00/12] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 01/12] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2019-05-09 15:42   ` Mimi Zohar
2019-05-28 19:03     ` Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 02/12] PKCS#7: Refactor verify_pkcs7_signature() Thiago Jung Bauermann
2019-05-09 15:42   ` Mimi Zohar
2019-04-18  3:51 ` Thiago Jung Bauermann [this message]
2019-05-09 15:42   ` [PATCH v10 03/12] PKCS#7: Introduce pkcs7_get_digest() Mimi Zohar
2019-04-18  3:51 ` [PATCH v10 04/12] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 05/12] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 06/12] ima: Use designated initializers for struct ima_event_data Thiago Jung Bauermann
2019-05-09 15:46   ` Mimi Zohar
2019-04-18  3:51 ` [PATCH v10 07/12] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 08/12] ima: Factor xattr_verify() out of ima_appraise_measurement() Thiago Jung Bauermann
2019-05-09 15:53   ` Mimi Zohar
2019-04-18  3:51 ` [PATCH v10 09/12] ima: Implement support for module-style appended signatures Thiago Jung Bauermann
2019-05-09 23:01   ` Mimi Zohar
2019-05-28 19:23     ` Thiago Jung Bauermann
2019-05-28 20:06       ` Mimi Zohar
2019-05-14 12:09   ` Mimi Zohar
2019-05-28 19:27     ` Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 10/12] ima: Collect modsig Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 11/12] ima: Define ima-modsig template Thiago Jung Bauermann
2019-05-09 23:01   ` Mimi Zohar
2019-05-28 19:09     ` Thiago Jung Bauermann
2019-04-18  3:51 ` [PATCH v10 12/12] ima: Store the measurement again when appraising a modsig Thiago Jung Bauermann
2019-05-28 14:09   ` Mimi Zohar
2019-05-28 19:14     ` Thiago Jung Bauermann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190418035120.2354-4-bauerman@linux.ibm.com \
    --to=bauerman@linux.ibm.com \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=dwmw2@infradead.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=jeyu@kernel.org \
    --cc=jmorris@namei.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=serge@hallyn.com \
    --cc=takahiro.akashi@linaro.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).