Message-Id: <1378849471-10521-5-git-send-email-vgoyal@redhat.com>
Date:	Tue, 10 Sep 2013 17:44:19 -0400
From:	Vivek Goyal <vgoyal@...hat.com>
To:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, kexec@...ts.infradead.org
Cc:	akpm@...ux-foundation.org, zohar@...ux.vnet.ibm.com,
	d.kasatkin@...sung.com, ebiederm@...ssion.com, hpa@...or.com,
	matthew.garrett@...ula.com, vgoyal@...hat.com
Subject: [PATCH 04/16] integrity: Allow digital signature verification with a given keyring ptr

Currently the digital signature verification code assumes that it can be
used only with 3 keyrings: IMA, EVM and MODULE keyring. Provide another
variant where one can pass in a pointer to a keyring (struct key *), and
the integrity code can try to find the key in that keyring and verify the signature.

This will be useful at two places.

- The ELF binary loader can use the system keyring and call into the integrity
  subsystem for signature verification.
- In later patches I am extending keyctl() to allow signature of
  a user buffer against a specified keyring. That logic can make use
  of this code too.

Signed-off-by: Vivek Goyal <vgoyal@...hat.com>
---
 security/integrity/digsig.c    | 26 ++++++++++++++++----------
 security/integrity/integrity.h |  9 +++++++++
 2 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 160fec7..f1259bd 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -44,6 +44,20 @@ int integrity_get_digsig_size(char *sig)
 	return -EBADMSG;
 }
 
+int integrity_digsig_verify_keyring(struct key *keyring, const char *sig,
+			int siglen, const char *digest, int digestlen)
+{
+	switch (sig[0]) {
+	case 1:
+		return digsig_verify(keyring, sig, siglen,
+				     digest, digestlen);
+	case 2:
+		return asymmetric_verify(keyring, sig, siglen,
+					 digest, digestlen);
+	}
+	return -EOPNOTSUPP;
+}
+
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 					const char *digest, int digestlen)
 {
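Review bot: integrity_digsig_verify_keyring() reads sig[0] before anything in this function checks that siglen is at least 1, and it also assumes keyring is non-NULL. Inside the original integrity_digsig_verify() those assumptions were covered by the keyring lookup earlier in that function, but this new function is intended as an entry point for new callers (the ELF loader and keyctl(), per the commit message) that get no such protection. Suggest an early guard such as `if (!keyring || siglen < 1) return -EINVAL;` (or -EBADMSG for the length case, matching integrity_get_digsig_size() just above), and a one-line comment noting that sig[0] is the signature format byte (1 = digsig, 2 = asymmetric) so callers know what the -EOPNOTSUPP return means.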
@@ -61,14 +75,6 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 		}
 	}
 
-	switch (sig[0]) {
-	case 1:
-		return digsig_verify(keyring[id], sig, siglen,
-				     digest, digestlen);
-	case 2:
-		return asymmetric_verify(keyring[id], sig, siglen,
-					 digest, digestlen);
-	}
-
-	return -EOPNOTSUPP;
+	return integrity_digsig_verify_keyring(keyring[id], sig, siglen,
+						digest, digestlen);
 }
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 4246417..130eb3b 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -101,6 +101,8 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
 
 int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
 					const char *digest, int digestlen);
+int integrity_digsig_verify_keyring(struct key *keyring, const char *sig,
+			int siglen, const char *digest, int digestlen);
 extern int integrity_get_digsig_size(char *sig);
 
 #else
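Review bot: the new prototype carries no comment describing its contract. Unlike integrity_digsig_verify(), which resolves the keyring by id internally, this variant expects the caller to pass an already looked-up, non-NULL struct key *, and its return values (-EOPNOTSUPP for an unknown sig[0] type, otherwise whatever digsig_verify()/asymmetric_verify() return) are only discoverable by reading digsig.c. A short kerneldoc block above the declaration stating those preconditions would help the external callers the commit message anticipates. Minor style point: the continuation line is indented differently from the integrity_digsig_verify() declaration directly above; aligning them keeps the header consistent.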
@@ -112,6 +114,13 @@ static inline int integrity_digsig_verify(const unsigned int id,
 	return -EOPNOTSUPP;
 }
 
+static inline int integrity_digsig_verify_keyring(struct key *keyring,
+			const char *sig, int siglen, const char *digest,
+			int digestlen)
+{
+	return -EOPNOTSUPP;
+}
+
 static inline int integrity_get_digsig_size(char *sig) { return -EOPNOTSUPP; }
 
 #endif /* CONFIG_INTEGRITY_SIGNATURE */
-- 
1.8.3.1
