}
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
- const char *digest, int digestlen)
+ const char *digest, int digestlen, u8 algo)
{
struct key *keyring;
return digsig_verify(keyring, sig + 1, siglen - 1, digest,
digestlen);
case 2: /* regular file data hash based signature */
- case 3: /* struct ima_file_id data based signature */
return asymmetric_verify(keyring, sig, siglen, digest,
- digestlen);
+ digestlen);
+ case 3: /* struct ima_file_id data based signature */
+ return asymmetric_verify_v3(keyring, sig, siglen, digest,
+ digestlen, algo);
}
return -EOPNOTSUPP;
pr_debug("%s() = %d\n", __func__, ret);
return ret;
}
+
+/*
+ * calc_file_id_hash - calculate the hash of the ima_file_id struct data
+ * @type: xattr type [enum evm_ima_xattr_type]
+ * @algo: hash algorithm [enum hash_algo]
+ * @digest: pointer to the digest to be hashed
+ * @hash: (out) pointer to the hash
+ *
+ * IMA signature version 3 disambiguates the data that is signed by
+ * indirectly signing the hash of the ima_file_id structure data.
+ *
+ * Return 0 on success, error code otherwise.
+ */
+static int calc_file_id_hash(enum evm_ima_xattr_type type,
+ enum hash_algo algo, const u8 *digest,
+ struct ima_max_digest_data *hash)
+{
+ struct ima_file_id file_id = {.hash_type = type, .hash_algorithm = algo};
+ size_t digest_size = hash_digest_size[algo];
+ struct crypto_shash *tfm;
+ size_t file_id_size;
+ int rc;
+
+ if (type != IMA_VERITY_DIGSIG)
+ return -EINVAL;
+
+ tfm = crypto_alloc_shash(hash_algo_name[algo], 0, 0);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ memcpy(file_id.hash, digest, digest_size);
+
+ /* Calculate the ima_file_id struct hash on the portion used. */
+ file_id_size = sizeof(file_id) - (HASH_MAX_DIGESTSIZE - digest_size);
+
+ hash->hdr.algo = algo;
+ hash->hdr.length = digest_size;
+ rc = crypto_shash_tfm_digest(tfm, (const u8 *)&file_id, file_id_size,
+ hash->digest);
+
+ crypto_free_shash(tfm);
+ return rc;
+}
+
+int asymmetric_verify_v3(struct key *keyring, const char *sig, int siglen,
+ const char *data, int datalen, u8 algo)
+{
+ struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
+ struct ima_max_digest_data hash;
+ int rc;
+
+ rc = calc_file_id_hash(hdr->type, algo, data, &hash);
+ if (rc)
+ return -EINVAL;
+
+ return asymmetric_verify(keyring, sig, siglen, hash.digest,
+ hash.hdr.length);
+}
break;
rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
(const char *)xattr_data, xattr_len,
- digest.digest, digest.hdr.length);
+ digest.digest, digest.hdr.length,
+ digest.hdr.algo);
if (!rc) {
if (xattr_data->type == EVM_XATTR_PORTABLE_DIGSIG) {
if (iint)
return ret;
}
-/*
- * calc_file_id_hash - calculate the hash of the ima_file_id struct data
- * @type: xattr type [enum evm_ima_xattr_type]
- * @algo: hash algorithm [enum hash_algo]
- * @digest: pointer to the digest to be hashed
- * @hash: (out) pointer to the hash
- *
- * IMA signature version 3 disambiguates the data that is signed by
- * indirectly signing the hash of the ima_file_id structure data.
- *
- * Signing the ima_file_id struct is currently only supported for
- * IMA_VERITY_DIGSIG type xattrs.
- *
- * Return 0 on success, error code otherwise.
- */
-static int calc_file_id_hash(enum evm_ima_xattr_type type,
- enum hash_algo algo, const u8 *digest,
- struct ima_digest_data *hash)
-{
- struct ima_file_id file_id = {
- .hash_type = IMA_VERITY_DIGSIG, .hash_algorithm = algo};
- unsigned int unused = HASH_MAX_DIGESTSIZE - hash_digest_size[algo];
-
- if (type != IMA_VERITY_DIGSIG)
- return -EINVAL;
-
- memcpy(file_id.hash, digest, hash_digest_size[algo]);
-
- hash->algo = algo;
- hash->length = hash_digest_size[algo];
-
- return ima_calc_buffer_hash(&file_id, sizeof(file_id) - unused, hash);
-}
-
/*
* xattr_verify - verify xattr digest or signature
*
struct evm_ima_xattr_data *xattr_value, int xattr_len,
enum integrity_status *status, const char **cause)
{
- struct ima_max_digest_data hash;
struct signature_v2_hdr *sig;
int rc = -EINVAL, hash_start = 0;
int mask;
(const char *)xattr_value,
xattr_len,
iint->ima_hash->digest,
- iint->ima_hash->length);
+ iint->ima_hash->length,
+ iint->ima_hash->algo);
if (rc == -EOPNOTSUPP) {
*status = INTEGRITY_UNKNOWN;
break;
(const char *)xattr_value,
xattr_len,
iint->ima_hash->digest,
- iint->ima_hash->length);
+ iint->ima_hash->length,
+ iint->ima_hash->algo);
+
if (rc) {
*cause = "invalid-signature";
*status = INTEGRITY_FAIL;
break;
}
- rc = calc_file_id_hash(IMA_VERITY_DIGSIG, iint->ima_hash->algo,
- iint->ima_hash->digest,
- container_of(&hash.hdr,
- struct ima_digest_data, hdr));
- if (rc) {
- *cause = "sigv3-hashing-error";
- *status = INTEGRITY_FAIL;
- break;
- }
-
rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
(const char *)xattr_value,
- xattr_len, hash.digest,
- hash.hdr.length);
- if (rc) {
+ xattr_len,
+ iint->ima_hash->digest,
+ iint->ima_hash->length,
+ iint->ima_hash->algo);
+ if (rc == -EOPNOTSUPP) {
+ *status = INTEGRITY_UNKNOWN;
+ break;
+ } else if (rc) {
*cause = "invalid-verity-signature";
*status = INTEGRITY_FAIL;
} else {
#ifdef CONFIG_INTEGRITY_SIGNATURE
int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
- const char *digest, int digestlen);
+ const char *digest, int digestlen, u8 algo);
int integrity_modsig_verify(unsigned int id, const struct modsig *modsig);
int __init integrity_init_keyring(const unsigned int id);
static inline int integrity_digsig_verify(const unsigned int id,
const char *sig, int siglen,
- const char *digest, int digestlen)
+ const char *digest, int digestlen,
+ u8 algo)
{
return -EOPNOTSUPP;
}
#ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen);
+int asymmetric_verify_v3(struct key *keyring, const char *sig,
+ int siglen, const char *data, int datalen, u8 algo);
#else
static inline int asymmetric_verify(struct key *keyring, const char *sig,
int siglen, const char *data, int datalen)
{
return -EOPNOTSUPP;
}
+
+static inline int asymmetric_verify_v3(struct key *keyring,
+ const char *sig, int siglen,
+ const char *data, int datalen, u8 algo)
+{
+ return -EOPNOTSUPP;
+}
#endif
#ifdef CONFIG_IMA_APPRAISE_MODSIG
projects / thirdparty / kernel / linux.git / commitdiff
