From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Jonathan Corbet <corbet@lwn.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>
Subject: [PATCH v8 03/14] PKCS#7: Introduce pkcs7_get_digest()
Date: Fri, 16 Nov 2018 18:07:01 -0200 [thread overview]
Message-ID: <20181116200712.14154-4-bauerman@linux.ibm.com> (raw)
In-Reply-To: <20181116200712.14154-1-bauerman@linux.ibm.com>
IMA will need to access the digest of the PKCS7 message (as calculated by
the kernel) before the signature is verified, so introduce
pkcs7_get_digest() for that purpose.
Also, modify pkcs7_digest() to detect when the digest was already
calculated so that it doesn't have to do redundant work. Verifying that
sinfo->sig->digest isn't NULL is sufficient because both places which
allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info())
use kzalloc() so sig->digest is always initialized to zero.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
---
crypto/asymmetric_keys/pkcs7_verify.c | 25 +++++++++++++++++++++++++
include/crypto/pkcs7.h | 3 +++
2 files changed, 28 insertions(+)
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 97c77f66b20d..e61f121bfc87 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -33,6 +33,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo);
+ /* The digest was calculated already. */
+ if (sig->digest)
+ return 0;
+
if (!sinfo->sig->hash_algo)
return -ENOPKG;
@@ -122,6 +126,27 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
return ret;
}
+int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u8 *len)
+{
+ struct pkcs7_signed_info *sinfo = pkcs7->signed_infos;
+ int ret;
+
+ /*
+ * This function doesn't support messages with more than one signature.
+ */
+ if (sinfo == NULL || sinfo->next != NULL)
+ return -EBADMSG;
+
+ ret = pkcs7_digest(pkcs7, sinfo);
+ if (ret)
+ return ret;
+
+ *buf = sinfo->sig->digest;
+ *len = sinfo->sig->digest_size;
+
+ return 0;
+}
+
/*
* Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
* uses the issuer's name and the issuing certificate serial number for
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 6f51d0cb6d12..cfaea9c37f4a 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -46,4 +46,7 @@ extern int pkcs7_verify(struct pkcs7_message *pkcs7,
extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
const void *data, size_t datalen);
+extern int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf,
+ u8 *len);
+
#endif /* _CRYPTO_PKCS7_H */
next prev parent reply other threads:[~2018-11-16 20:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-16 20:06 [PATCH v8 00/14] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2018-11-16 20:06 ` [PATCH v8 01/14] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig() Thiago Jung Bauermann
2018-11-16 20:07 ` Thiago Jung Bauermann [this message]
2018-11-16 20:07 ` [PATCH v8 04/14] integrity: Introduce struct evm_xattr Thiago Jung Bauermann
2018-11-29 20:59 ` Mimi Zohar
2018-11-16 20:07 ` [PATCH v8 05/14] integrity: Introduce integrity_keyring_from_id() Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 06/14] integrity: Introduce asymmetric_sig_has_known_key() Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 07/14] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 08/14] ima: Introduce is_signed() Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 09/14] ima: Export func_tokens Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 10/14] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 11/14] ima: Implement support " Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 12/14] ima: Add new "d-sig" template field Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 13/14] ima: Write modsig to the measurement list Thiago Jung Bauermann
2018-11-16 20:07 ` [PATCH v8 14/14] ima: Store the measurement again when appraising a modsig Thiago Jung Bauermann
2018-12-04 21:59 ` [PATCH v8 00/14] Appended signatures support for IMA appraisal James Morris
2018-12-04 23:35 ` Thiago Jung Bauermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181116200712.14154-4-bauerman@linux.ibm.com \
--to=bauerman@linux.ibm.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=serge@hallyn.com \
--cc=takahiro.akashi@linaro.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).