[v9,03/14] PKCS#7: Introduce pkcs7_get_digest()

Message ID	20181213020907.13601-4-bauerman@linux.ibm.com (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org> Gateway: Authorized Use Only! Violators will be prosecuted for <linuxppc-dev@lists.ozlabs.org> from <bauerman@linux.ibm.com>; Thu, 13 Dec 2018 02:11:11 -0000 Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 13 Dec 2018 02:11:05 -0000 From: Thiago Jung Bauermann <bauerman@linux.ibm.com> To: linux-integrity@vger.kernel.org Subject: [PATCH v9 03/14] PKCS#7: Introduce pkcs7_get_digest() Date: Thu, 13 Dec 2018 00:08:56 -0200 In-Reply-To: <20181213020907.13601-1-bauerman@linux.ibm.com> References: <20181213020907.13601-1-bauerman@linux.ibm.com> Message-Id: <20181213020907.13601-4-bauerman@linux.ibm.com> Precedence: list Cc: Herbert Xu <herbert@gondor.apana.org.au>, linux-doc@vger.kernel.org, Dmitry Kasatkin <dmitry.kasatkin@gmail.com>, "David S. Miller" <davem@davemloft.net>, Jonathan Corbet <corbet@lwn.net>, linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>, James Morris <jmorris@namei.org>, David Howells <dhowells@redhat.com>, "AKASHI, Takahiro" <takahiro.akashi@linaro.org>, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, Jessica Yu <jeyu@kernel.org>, linuxppc-dev@lists.ozlabs.org, David Woodhouse <dwmw2@infradead.org>, Thiago Jung Bauermann <bauerman@linux.ibm.com>, "Serge E. Hallyn" <serge@hallyn.com> Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" <linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>
Series	Appended signatures support for IMA appraisal \| expand [v9,00/14] Appended signatures support for IMA appraisal [v9,01/14] MODSIGN: Export module signature definitions [v9,02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig() [v9,03/14] PKCS#7: Introduce pkcs7_get_digest() [v9,04/14] integrity: Introduce struct evm_xattr [v9,05/14] integrity: Introduce integrity_keyring_from_id() [v9,06/14] integrity: Introduce asymmetric_sig_has_known_key() [v9,07/14] integrity: Select CONFIG_KEYS instead of depending on it [v9,08/14] ima: Introduce is_signed() [v9,09/14] ima: Export func_tokens [v9,10/14] ima: Add modsig appraise_type option for module-style appended signatures [v9,11/14] ima: Implement support for module-style appended signatures [v9,12/14] ima: Add new "d-sig" template field [v9,13/14] ima: Write modsig to the measurement list [v9,14/14] ima: Store the measurement again when appraising a modsig

Message ID

20181213020907.13601-4-bauerman@linux.ibm.com (mailing list archive)

State

Not Applicable

Headers

From: Thiago Jung Bauermann <bauerman@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Subject: [PATCH v9 03/14] PKCS#7: Introduce pkcs7_get_digest()
Date: Thu, 13 Dec 2018 00:08:56 -0200
In-Reply-To: <20181213020907.13601-1-bauerman@linux.ibm.com>
References: <20181213020907.13601-1-bauerman@linux.ibm.com>
Message-Id: <20181213020907.13601-4-bauerman@linux.ibm.com>
Precedence: list
Cc: Herbert Xu <herbert@gondor.apana.org.au>, linux-doc@vger.kernel.org,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Jonathan Corbet <corbet@lwn.net>, 
	linux-kernel@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
	James Morris <jmorris@namei.org>, David Howells <dhowells@redhat.com>,
	"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
	linux-security-module@vger.kernel.org, 
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	Jessica Yu <jeyu@kernel.org>, linuxppc-dev@lists.ozlabs.org,
	David Woodhouse <dwmw2@infradead.org>,
	Thiago Jung Bauermann <bauerman@linux.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>
Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org
Sender: "Linuxppc-dev"
	<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>

Series

Appended signatures support for IMA appraisal | expand

Checks

Context	Check	Description
snowpatch_ozlabs/apply_patch	success	next/apply_patch Successfully applied
snowpatch_ozlabs/checkpatch	warning	total: 0 errors, 0 warnings, 1 checks, 46 lines checked

Context

Check

Description

snowpatch_ozlabs/apply_patch

success

next/apply_patch Successfully applied

snowpatch_ozlabs/checkpatch

warning

total: 0 errors, 0 warnings, 1 checks, 46 lines checked

Commit Message

Thiago Jung Bauermann Dec. 13, 2018, 2:08 a.m. UTC

IMA will need to access the digest of the PKCS7 message (as calculated by
the kernel) before the signature is verified, so introduce
pkcs7_get_digest() for that purpose.

Also, modify pkcs7_digest() to detect when the digest was already
calculated so that it doesn't have to do redundant work. Verifying that
sinfo->sig->digest isn't NULL is sufficient because both places which
allocate sinfo->sig (pkcs7_parse_message() and pkcs7_note_signed_info())
use kzalloc() so sig->digest is always initialized to zero.

Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
---
 crypto/asymmetric_keys/pkcs7_verify.c | 27 +++++++++++++++++++++++++++
 include/crypto/pkcs7.h                |  3 +++
 2 files changed, 30 insertions(+)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 97c77f66b20d..ccf80a7b7d9b 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -33,6 +33,10 @@  static int pkcs7_digest(struct pkcs7_message *pkcs7,
 
 	kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo);
 
+	/* The digest was calculated already. */
+	if (sig->digest)
+		return 0;
+
 	if (!sinfo->sig->hash_algo)
 		return -ENOPKG;
 
@@ -122,6 +126,29 @@  static int pkcs7_digest(struct pkcs7_message *pkcs7,
 	return ret;
 }
 
+int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u8 *len)
+{
+	struct pkcs7_signed_info *sinfo = pkcs7->signed_infos;
+	int ret;
+
+	/*
+	 * This function doesn't support messages with more than one signature.
+	 */
+	if (sinfo == NULL || sinfo->next != NULL)
+		return -EBADMSG;
+
+	ret = pkcs7_digest(pkcs7, sinfo);
+	if (ret)
+		return ret;
+
+	if (buf)
+		*buf = sinfo->sig->digest;
+	if (len)
+		*len = sinfo->sig->digest_size;
+
+	return 0;
+}
+
 /*
  * Find the key (X.509 certificate) to use to verify a PKCS#7 message.  PKCS#7
  * uses the issuer's name and the issuing certificate serial number for
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 6f51d0cb6d12..cfaea9c37f4a 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -46,4 +46,7 @@  extern int pkcs7_verify(struct pkcs7_message *pkcs7,
 extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
 				      const void *data, size_t datalen);
 
+extern int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf,
+			    u8 *len);
+
 #endif /* _CRYPTO_PKCS7_H */

[v9,03/14] PKCS#7: Introduce pkcs7_get_digest()

Checks

Commit Message

Patch