| Message ID | 20180316203837.10174-4-bauerman@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
On Fri, 2018-03-16 at 17:38 -0300, Thiago Jung Bauermann wrote: > IMA will need to access the digest of the PKCS7 message (as calculated by > the kernel) before the signature is verified, so introduce > pkcs7_get_digest() for that purpose. > > Also, modify pkcs7_digest() to detect when the digest was already > calculated so that it doesn't have to do redundant work. Verifying that > sinfo->sig->digest isn't NULL is sufficient because both places which > allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) > use kzalloc() so sig->digest is always initialized to zero. > > Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> > Cc: David Howells <dhowells@redhat.com> > Cc: Herbert Xu <herbert@gondor.apana.org.au> > Cc: "David S. Miller" <davem@davemloft.net> Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> > --- > crypto/asymmetric_keys/pkcs7_verify.c | 25 +++++++++++++++++++++++++ > include/crypto/pkcs7.h | 3 +++ > 2 files changed, 28 insertions(+) > > diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c > index 39e6de0c2761..bd02360f8be5 100644 > --- a/crypto/asymmetric_keys/pkcs7_verify.c > +++ b/crypto/asymmetric_keys/pkcs7_verify.c > @@ -33,6 +33,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, > > kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo); > > + /* The digest was calculated already. */ > + if (sig->digest) > + return 0; > + > if (!sinfo->sig->hash_algo) > return -ENOPKG; > > @@ -122,6 +126,27 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, > return ret; > } > > +int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u8 *len) > +{ > + struct pkcs7_signed_info *sinfo = pkcs7->signed_infos; > + int ret; > + > + /* > + * This function doesn't support messages with more than one signature. > + */ > + if (sinfo == NULL || sinfo->next != NULL) > + return -EBADMSG; > + > + ret = pkcs7_digest(pkcs7, sinfo); > + if (ret) > + return ret; > + > + *buf = sinfo->sig->digest; > + *len = sinfo->sig->digest_size; > + > + return 0; > +} > + > /* > * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7 > * uses the issuer's name and the issuing certificate serial number for > diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h > index 6f51d0cb6d12..cfaea9c37f4a 100644 > --- a/include/crypto/pkcs7.h > +++ b/include/crypto/pkcs7.h > @@ -46,4 +46,7 @@ extern int pkcs7_verify(struct pkcs7_message *pkcs7, > extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, > const void *data, size_t datalen); > > +extern int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, > + u8 *len); > + > #endif /* _CRYPTO_PKCS7_H */ >
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 39e6de0c2761..bd02360f8be5 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -33,6 +33,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo); + /* The digest was calculated already. */ + if (sig->digest) + return 0; + if (!sinfo->sig->hash_algo) return -ENOPKG; @@ -122,6 +126,27 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, return ret; } +int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u8 *len) +{ + struct pkcs7_signed_info *sinfo = pkcs7->signed_infos; + int ret; + + /* + * This function doesn't support messages with more than one signature. + */ + if (sinfo == NULL || sinfo->next != NULL) + return -EBADMSG; + + ret = pkcs7_digest(pkcs7, sinfo); + if (ret) + return ret; + + *buf = sinfo->sig->digest; + *len = sinfo->sig->digest_size; + + return 0; +} + /* * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7 * uses the issuer's name and the issuing certificate serial number for diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 6f51d0cb6d12..cfaea9c37f4a 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -46,4 +46,7 @@ extern int pkcs7_verify(struct pkcs7_message *pkcs7, extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, const void *data, size_t datalen); +extern int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, + u8 *len); + #endif /* _CRYPTO_PKCS7_H */
IMA will need to access the digest of the PKCS7 message (as calculated by the kernel) before the signature is verified, so introduce pkcs7_get_digest() for that purpose. Also, modify pkcs7_digest() to detect when the digest was already calculated so that it doesn't have to do redundant work. Verifying that sinfo->sig->digest isn't NULL is sufficient because both places which allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info()) use kzalloc() so sig->digest is always initialized to zero. Signed-off-by: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> Cc: David Howells <dhowells@redhat.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> --- crypto/asymmetric_keys/pkcs7_verify.c | 25 +++++++++++++++++++++++++ include/crypto/pkcs7.h | 3 +++ 2 files changed, 28 insertions(+)