| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a2657484-95e6-843c-7864-dd3b28557ce2@linux.alibaba.com>
Date: Mon, 1 Feb 2021 18:36:10 +0800
From: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
To: Stefan Berger <stefanb@...ux.ibm.com>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, patrick@...terwijk.org,
linux-integrity@...r.kernel.org, Vitaly Chikunov <vt@...linux.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
David Howells <dhowells@...hat.com>
Subject: Re: [PATCH v6 4/4] ima: Support EC keys for signature verification
On 2/1/21 7:33 AM, Stefan Berger wrote:
> Add support for IMA signature verification for EC keys. Since SHA type
> of hashes can be used by RSA and ECDSA signature schemes we need to
> look at the key and derive from the key which signature scheme to use.
> Since this can be applied to all types of keys, we change the selection
> of the encoding type to be driven by the key's signature scheme rather
> than by the hash type.
>
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>
> Reviewed-by: Vitaly Chikunov <vt@...linux.org>
> Cc: Mimi Zohar <zohar@...ux.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@...il.com>
> Cc: linux-integrity@...r.kernel.org
> Cc: Vitaly Chikunov <vt@...linux.org>
> Cc: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
> Cc: David Howells <dhowells@...hat.com>
> Cc: keyrings@...r.kernel.org
> ---
> include/keys/asymmetric-type.h | 6 ++++++
> security/integrity/digsig_asymmetric.c | 29 ++++++++++++--------------
> 2 files changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
> index a29d3ff2e7e8..c432fdb8547f 100644
> --- a/include/keys/asymmetric-type.h
> +++ b/include/keys/asymmetric-type.h
> @@ -72,6 +72,12 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
> return key->payload.data[asym_key_ids];
> }
>
> +static inline
> +const struct public_key *asymmetric_key_public_key(const struct key *key)
> +{
> + return key->payload.data[asym_crypto];
> +}
> +
> extern struct key *find_asymmetric_key(struct key *keyring,
> const struct asymmetric_key_id *id_0,
> const struct asymmetric_key_id *id_1,
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index a662024b4c70..29002d016607 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -84,6 +84,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> {
> struct public_key_signature pks;
> struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
> + const struct public_key *pk;
> struct key *key;
> int ret;
>
> @@ -105,23 +106,19 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> memset(&pks, 0, sizeof(pks));
>
> pks.hash_algo = hash_algo_name[hdr->hash_algo];
> - switch (hdr->hash_algo) {
> - case HASH_ALGO_STREEBOG_256:
> - case HASH_ALGO_STREEBOG_512:
> - /* EC-RDSA and Streebog should go together. */
> - pks.pkey_algo = "ecrdsa";
> - pks.encoding = "raw";
> - break;
> - case HASH_ALGO_SM3_256:
> - /* SM2 and SM3 should go together. */
> - pks.pkey_algo = "sm2";
> - pks.encoding = "raw";
> - break;
> - default:
> - pks.pkey_algo = "rsa";
> +
> + pk = asymmetric_key_public_key(key);
> + pks.pkey_algo = pk->pkey_algo;
> + if (!strcmp(pk->pkey_algo, "rsa"))
> pks.encoding = "pkcs1";
> - break;
> - }
> + else if (!strcmp(pk->pkey_algo, "ecdsa"))
> + pks.encoding = "x962";
> + else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
> + !strcmp(pk->pkey_algo, "sm2"))
> + pks.encoding = "raw";
> + else
> + return -ENOPKG;
> +
> pks.digest = (u8 *)data;
> pks.digest_size = datalen;
> pks.s = hdr->sig;
>
Looks good to me, so
Reviewed-by: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
Thanks,
Tianjia
Powered by blists - more mailing lists