From: John Johansen
Date: Mon, 30 Jun 2025 07:06:22 +0000 (-0700)
Subject: Revert "apparmor: use SHA-256 library API instead of crypto_shash API"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37a3741d27b64012ab6a5d9c92b514b977349dbb;p=thirdparty%2Fkernel%2Flinux.git

Revert "apparmor: use SHA-256 library API instead of crypto_shash API"

This reverts commit e9ed1eb8f6217e53843d82ecf2d50f8d1a93e77c.

Eric has requested that this patch be taken through the libcrypto-next tree, instead.

Signed-off-by: John Johansen
---

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 1e3bd44643dac..64cc3044a42ce 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -59,7 +59,8 @@ config SECURITY_APPARMOR_INTROSPECT_POLICY
 config SECURITY_APPARMOR_HASH
 bool "Enable introspection of sha256 hashes for loaded profiles"
 depends on SECURITY_APPARMOR_INTROSPECT_POLICY
- select CRYPTO_LIB_SHA256
+ select CRYPTO
+ select CRYPTO_SHA256
 default y
 help
 This option selects whether introspection of loaded policy
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index 40e17e153f1e5..aad486b2fca65 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -11,52 +11,113 @@
 * it should be.
 */
-#include
+#include
 #include "include/apparmor.h"
 #include "include/crypto.h"
+static unsigned int apparmor_hash_size;
+
+static struct crypto_shash *apparmor_tfm;
+
 unsigned int aa_hash_size(void)
 {
- return SHA256_DIGEST_SIZE;
+ return apparmor_hash_size;
 }
 char *aa_calc_hash(void *data, size_t len)
 {
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
 char *hash;
+ int error;
+
+ if (!apparmor_tfm)
+ return NULL;
- hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
+ hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
 if (!hash)
 return ERR_PTR(-ENOMEM);
- sha256(data, len, hash);
+ desc->tfm = apparmor_tfm;
+
+ error = crypto_shash_init(desc);
+ if (error)
+ goto fail;
+ error = crypto_shash_update(desc, (u8 *) data, len);
+ if (error)
+ goto fail;
+ error = crypto_shash_final(desc, hash);
+ if (error)
+ goto fail;
+
 return hash;
+
+fail:
+ kfree(hash);
+
+ return ERR_PTR(error);
 }
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start, size_t len)
 {
- struct sha256_state state;
+ SHASH_DESC_ON_STACK(desc, apparmor_tfm);
+ int error;
 __le32 le32_version = cpu_to_le32(version);
 if (!aa_g_hash_policy)
 return 0;
- profile->hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
+ if (!apparmor_tfm)
+ return 0;
+
+ profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
 if (!profile->hash)
 return -ENOMEM;
- sha256_init(&state);
- sha256_update(&state, (u8 *)&le32_version, 4);
- sha256_update(&state, (u8 *)start, len);
- sha256_final(&state, profile->hash);
+ desc->tfm = apparmor_tfm;
+
+ error = crypto_shash_init(desc);
+ if (error)
+ goto fail;
+ error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
+ if (error)
+ goto fail;
+ error = crypto_shash_update(desc, (u8 *) start, len);
+ if (error)
+ goto fail;
+ error = crypto_shash_final(desc, profile->hash);
+ if (error)
+ goto fail;
+
 return 0;
+
+fail:
+ kfree(profile->hash);
+ profile->hash = NULL;
+
+ return error;
 }
 static int __init init_profile_hash(void)
 {
- if (apparmor_initialized)
- aa_info_message("AppArmor sha256 policy hashing enabled");
+ struct crypto_shash *tfm;
+
+ if (!apparmor_initialized)
+ return 0;
+
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+ if (IS_ERR(tfm)) {
+ int error = PTR_ERR(tfm);
+ AA_ERROR("failed to setup profile sha256 hashing: %d\n", error);
+ return error;
+ }
+ apparmor_tfm = tfm;
+ apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
+
+ aa_info_message("AppArmor sha256 policy hashing enabled");
+
 return 0;
 }
+
 late_initcall(init_profile_hash);
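Review bot: On the new side `aa_calc_hash()` returns plain NULL when `apparmor_tfm` is unset but `ERR_PTR(...)` on allocation or shash failure, so its callers (outside this hunk) must test both `!hash` and `IS_ERR(hash)`; a single error convention, or at least a header comment stating `/* Returns NULL if hashing is not initialised, ERR_PTR() on failure, otherwise a kzalloc'd digest the caller must kfree() */`, would keep that contract visible. Relatedly, `aa_hash_size()` now reads `apparmor_hash_size`, which is zero until `init_profile_hash()` runs as a late_initcall, whereas the removed version returned the compile-time constant; any caller that sizes a buffer from it before that point would get 0, though whether such a caller exists is not visible here. The `if (!apparmor_tfm) return 0;` in `aa_calc_profile_hash()` means that after `init_profile_hash()` fails a profile still loads with `profile->hash` left NULL even though `aa_g_hash_policy` is set, and the AA_ERROR at init time is the only trace of that, so a short comment at that early return (`/* hashing was requested but tfm setup failed; load without a hash */`) would help whoever debugs a missing sha256 file later.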