lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Nov 2014 06:52:08 -0500 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: David Howells <dhowells@...hat.com> Cc: mmarek@...e.cz, d.kasatkin@...sung.com, rusty@...tcorp.com.au, vgoyal@...hat.com, keyrings@...ux-nfs.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes On Thu, 2014-11-20 at 16:54 +0000, David Howells wrote: > It is possible for a PKCS#7 message to have detached data. However, to verify > the signatures on a PKCS#7 message, we have to be able to digest the data. > Provide a function to supply that data. An error is given if the PKCS#7 > message included embedded data. > > Signed-off-by: David Howells <dhowells@...hat.com> Ok, PCKS#7 supports detached data. I assume this is not needed for kernel modules. What is the motivation for adding this support to the kernel? Mimi > --- > > crypto/asymmetric_keys/pkcs7_verify.c | 26 ++++++++++++++++++++++++++ > include/crypto/pkcs7.h | 3 +++ > 2 files changed, 29 insertions(+) > > diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c > index 667064daf66b..c6ee41bfda6e 100644 > --- a/crypto/asymmetric_keys/pkcs7_verify.c > +++ b/crypto/asymmetric_keys/pkcs7_verify.c > @@ -382,3 +382,29 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) > return enopkg; > } > EXPORT_SYMBOL_GPL(pkcs7_verify); > + > +/** > + * pkcs7_supply_detached_data - Supply the data needed to verify a PKCS#7 message > + * @pkcs7: The PKCS#7 message > + * @data: The data to be verified > + * @datalen: The amount of data > + * > + * Supply the detached data needed to verify a PKCS#7 message. Note that no > + * attempt to retain/pin the data is made. That is left to the caller. The > + * data will not be modified by pkcs7_verify() and will not be freed when the > + * PKCS#7 message is freed. > + * > + * Returns -EINVAL if data is already supplied in the message, 0 otherwise. > + */ > +int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, > + const void *data, size_t datalen) > +{ > + if (pkcs7->data) { > + pr_debug("Data already supplied\n"); > + return -EINVAL; > + } > + pkcs7->data = data; > + pkcs7->data_len = datalen; > + return 0; > +} > +EXPORT_SYMBOL_GPL(pkcs7_supply_detached_data); > diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h > index 691c79172a26..e235ab4957ee 100644 > --- a/include/crypto/pkcs7.h > +++ b/include/crypto/pkcs7.h > @@ -34,3 +34,6 @@ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, > * pkcs7_verify.c > */ > extern int pkcs7_verify(struct pkcs7_message *pkcs7); > + > +extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, > + const void *data, size_t datalen); > > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists