From: Lucas De Marchi <lucas.demarchi@intel.com>
To: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>,
linux-modules@vger.kernel.org
Cc: ykaliuta@redhat.com
Subject: Re: [PATCH] signature: do not report wrong data for pkc#7 signature
Date: Thu, 15 Nov 2018 16:07:49 -0800 [thread overview]
Message-ID: <c5ee17b5-d3cf-9b88-5dd4-96f695ffdadd@intel.com> (raw)
In-Reply-To: <20181115212945.24690-1-yauheni.kaliuta@redhat.com>
On 11/15/18 1:29 PM, Yauheni Kaliuta wrote:
> when PKC#7 signing method is used the old structure doesn't contain
> any useful data, but the data are encoded in the certificate.
>
> The info getting/showing code is not aware of that at the moment and
> since 0 is a valid constant, shows, for example, wrong "md4" for the
> hash algo.
>
> The patch splits the 2 mothods of gethering the info and reports
> "unknown" for the algo.
>
> Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
> ---
> libkmod/libkmod-module.c | 2 +-
> libkmod/libkmod-signature.c | 69 +++++++++++++++++++++++++++----------
> 2 files changed, 52 insertions(+), 19 deletions(-)
>
> diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
> index ee420f4ec2bf..889f26479a98 100644
> --- a/libkmod/libkmod-module.c
> +++ b/libkmod/libkmod-module.c
> @@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
> struct kmod_elf *elf;
> char **strings;
> int i, count, ret = -ENOMEM;
> - struct kmod_signature_info sig_info;
> + struct kmod_signature_info sig_info = {};
>
> if (mod == NULL || list == NULL)
> return -ENOENT;
> diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
> index 1f3e26dea203..2ec2dc1a1a73 100644
> --- a/libkmod/libkmod-signature.c
> +++ b/libkmod/libkmod-signature.c
> @@ -92,6 +92,44 @@ struct module_signature {
> uint32_t sig_len; /* Length of signature data (big endian) */
> };
>
> +static bool
> +kmod_module_signature_info_default(const char *mem,
> + off_t size,
> + const struct module_signature *modsig,
> + size_t sig_len,
> + struct kmod_signature_info *sig_info)
> +{
> + size -= sig_len;
> + sig_info->sig = mem + size;
> + sig_info->sig_len = sig_len;
> +
> + size -= modsig->key_id_len;
> + sig_info->key_id = mem + size;
> + sig_info->key_id_len = modsig->key_id_len;
> +
> + size -= modsig->signer_len;
> + sig_info->signer = mem + size;
> + sig_info->signer_len = modsig->signer_len;
> +
> + sig_info->algo = pkey_algo[modsig->algo];
> + sig_info->hash_algo = pkey_hash_algo[modsig->hash];
> + sig_info->id_type = pkey_id_type[modsig->id_type];
> +
> + return true;
> +}
> +
> +static bool
> +kmod_module_signature_info_pkcs7(const char *mem,
I miss a verb in these function names. Those seem more reasonable:
static bool fill_default() { }
static bool fill_unknown() { }
Otherwise looks good.
thanks
Lucas De Marchi
> + off_t size,
> + const struct module_signature *modsig,
> + size_t sig_len,
> + struct kmod_signature_info *sig_info)
> +{
> + sig_info->hash_algo = "unknown";
> + sig_info->id_type = pkey_id_type[modsig->id_type];
> + return true;
> +}
> +
> #define SIG_MAGIC "~Module signature appended~\n"
>
> /*
> @@ -111,7 +149,7 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
> off_t size;
> const struct module_signature *modsig;
> size_t sig_len;
> -
> + bool ret;
>
> size = kmod_file_get_size(file);
> mem = kmod_file_get_contents(file);
> @@ -134,21 +172,16 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
> size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
> return false;
>
> - size -= sig_len;
> - sig_info->sig = mem + size;
> - sig_info->sig_len = sig_len;
> -
> - size -= modsig->key_id_len;
> - sig_info->key_id = mem + size;
> - sig_info->key_id_len = modsig->key_id_len;
> -
> - size -= modsig->signer_len;
> - sig_info->signer = mem + size;
> - sig_info->signer_len = modsig->signer_len;
> -
> - sig_info->algo = pkey_algo[modsig->algo];
> - sig_info->hash_algo = pkey_hash_algo[modsig->hash];
> - sig_info->id_type = pkey_id_type[modsig->id_type];
> -
> - return true;
> + switch (modsig->id_type) {
> + case PKEY_ID_PKCS7:
> + ret = kmod_module_signature_info_pkcs7(mem, size,
> + modsig, sig_len,
> + sig_info);
> + break;
> + default:
> + ret = kmod_module_signature_info_default(mem, size,
> + modsig, sig_len,
> + sig_info);
> + }
> + return ret;
> }
>
prev parent reply other threads:[~2018-11-16 0:07 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-15 21:29 [PATCH] signature: do not report wrong data for pkc#7 signature Yauheni Kaliuta
2018-11-16 0:07 ` Lucas De Marchi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c5ee17b5-d3cf-9b88-5dd4-96f695ffdadd@intel.com \
--to=lucas.demarchi@intel.com \
--cc=linux-modules@vger.kernel.org \
--cc=yauheni.kaliuta@redhat.com \
--cc=ykaliuta@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).