Date: Fri, 4 Aug 2017 19:03:27 -0300
From: Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>
To: linux-security-module@...r.kernel.org
Cc: linux-ima-devel@...ts.sourceforge.net, keyrings@...r.kernel.org, linux-crypto@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-kernel@...r.kernel.org, Mimi Zohar <zohar@...ux.vnet.ibm.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, James Morris <james.l.morris@...cle.com>, "Serge E. Hallyn" <serge@...lyn.com>, David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, Jessica Yu <jeyu@...hat.com>, Rusty Russell <rusty@...tcorp.com.au>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, "AKASHI, Takahiro" <takahiro.akashi@...aro.org>, Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>
Subject: [PATCH v4 4/7] integrity: Introduce integrity_keyring_from_id

IMA will need to obtain the keyring used to verify file signatures so that it can verify the module-style signature appended to files.

Signed-off-by: Thiago Jung Bauermann <bauerman@...ux.vnet.ibm.com>

--- security/integrity/digsig.c | 28 +++++++++++++++++++--------- security/integrity/integrity.h | 1 + 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 06554c448dce..bb5328ba2848 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -48,11 +48,10 @@ static bool init_keyring __initdata; #define restrict_link_to_ima restrict_link_by_builtin_trusted #endif -int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, - const char *digest, int digestlen) +struct key *integrity_keyring_from_id(const unsigned int id) { - if (id >= INTEGRITY_KEYRING_MAX || siglen < 2) - return -EINVAL; + if (id >= INTEGRITY_KEYRING_MAX) + return ERR_PTR(-EINVAL); if (!keyring[id]) { keyring[id] = 
@@ -61,18 +60,29 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, int err = PTR_ERR(keyring[id]); pr_err("no %s keyring: %d\n", keyring_name[id], err); keyring[id] = NULL; - return err; + return ERR_PTR(err); } } + return keyring[id]; +} + +int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, + const char *digest, int digestlen) +{ + struct key *keyring = integrity_keyring_from_id(id); + + if (IS_ERR(keyring) || siglen < 2) + return PTR_ERR(keyring); + switch (sig[1]) { case 1: /* v1 API expect signature without xattr type */ - return digsig_verify(keyring[id], sig + 1, siglen - 1, - digest, digestlen); + return digsig_verify(keyring, sig + 1, siglen - 1, digest, + digestlen); case 2: - return asymmetric_verify(keyring[id], sig, siglen, - digest, digestlen); + return asymmetric_verify(keyring, sig, siglen, digest, + digestlen); } return -EOPNOTSUPP; diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 9b1762076f38..1f8f1a31d487 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -134,6 +134,7 @@ int __init integrity_read_file(const char *path, char **data); #ifdef CONFIG_INTEGRITY_SIGNATURE +struct key *integrity_keyring_from_id(const unsigned int id); int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen); -- 2.13.0
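Review bot: the combined check in the new integrity_digsig_verify() (second digsig.c hunk) returns a bogus value when the keyring is valid but the signature is too short. With `if (IS_ERR(keyring) || siglen < 2) return PTR_ERR(keyring);`, a short signature and a successfully loaded keyring makes PTR_ERR() cast a valid kernel pointer to long, so the caller gets a large positive number rather than the -EINVAL the old code returned, and anything checking `rc < 0` will treat the verification as having succeeded. Keep the two conditions separate, e.g. `if (IS_ERR(keyring)) return PTR_ERR(keyring);` followed by `if (siglen < 2) return -EINVAL;`. Note also that the siglen check now runs after the keyring lookup, so a malformed signature triggers keyring creation and the pr_err path where it previously bailed out early; checking siglen first would preserve the original ordering.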
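Review bot: the integrity.h hunk adds the integrity_keyring_from_id() prototype only under `#ifdef CONFIG_INTEGRITY_SIGNATURE`, and the visible context does not show a counterpart for the disabled case. Since the commit message says IMA will call this function, either a stub returning ERR_PTR(-EOPNOTSUPP) should be added alongside whatever the `#else` branch provides for integrity_digsig_verify(), or the caller must be guarded the same way, otherwise the build breaks with CONFIG_INTEGRITY_SIGNATURE unset. A short kerneldoc comment stating that the function returns the keyring on success and an ERR_PTR() on failure (never NULL, given the `keyring[id] = NULL; return ERR_PTR(err);` path) would also help callers use IS_ERR() correctly.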