Re: [PATCH v11 02/13] PKCS#7: Refactor verify_pkcs7_signature()
Hello David, AFAIK Mimi is happy with this patch set, but I still need acks from maintainers of other subsystems that my changes touch before she can accept it. Are this patch and the next one ("PKCS#7: Introduce pkcs7_get_digest()") OK from your PoV? -- Thiago Jung Bauermann IBM Linux Technology Center Thiago Jung Bauermann writes: > IMA will need to verify a PKCS#7 signature which has already been parsed. > For this reason, factor out the code which does that from > verify_pkcs7_signature() into a new function which takes a struct > pkcs7_message instead of a data buffer. > > Signed-off-by: Thiago Jung Bauermann > Reviewed-by: Mimi Zohar > Cc: David Howells > Cc: David Woodhouse > Cc: Herbert Xu > Cc: "David S. Miller" > --- > certs/system_keyring.c | 61 ++-- > include/linux/verification.h | 10 ++ > 2 files changed, 55 insertions(+), 16 deletions(-) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index c05c29ae4d5d..4ba82e52e4b4 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -194,33 +194,27 @@ late_initcall(load_system_certificate_list); > #ifdef CONFIG_SYSTEM_DATA_VERIFICATION > > /** > - * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data. > + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data. > * @data: The data to be verified (NULL if expecting internal data). > * @len: Size of @data. > - * @raw_pkcs7: The PKCS#7 message that is the signature. > - * @pkcs7_len: The size of @raw_pkcs7. > + * @pkcs7: The PKCS#7 message that is the signature. > * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, > * (void *)1UL for all trusted keys). > * @usage: The use to which the key is being put. > * @view_content: Callback to gain access to content. > * @ctx: Context for callback. > */ > -int verify_pkcs7_signature(const void *data, size_t len, > -const void *raw_pkcs7, size_t pkcs7_len, > -struct key *trusted_keys, > -enum key_being_used_for usage, > -int (*view_content)(void *ctx, > -const void *data, size_t len, > -size_t asn1hdrlen), > -void *ctx) > +int verify_pkcs7_message_sig(const void *data, size_t len, > + struct pkcs7_message *pkcs7, > + struct key *trusted_keys, > + enum key_being_used_for usage, > + int (*view_content)(void *ctx, > + const void *data, size_t len, > + size_t asn1hdrlen), > + void *ctx) > { > - struct pkcs7_message *pkcs7; > int ret; > > - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); > - if (IS_ERR(pkcs7)) > - return PTR_ERR(pkcs7); > - > /* The data should be detached - so we need to supply it. */ > if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) { > pr_err("PKCS#7 signature with non-detached data\n"); > @@ -273,6 +267,41 @@ int verify_pkcs7_signature(const void *data, size_t len, > } > > error: > + pr_devel("<==%s() = %d\n", __func__, ret); > + return ret; > +} > + > +/** > + * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data. > + * @data: The data to be verified (NULL if expecting internal data). > + * @len: Size of @data. > + * @raw_pkcs7: The PKCS#7 message that is the signature. > + * @pkcs7_len: The size of @raw_pkcs7. > + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, > + * (void *)1UL for all trusted keys). > + * @usage: The use to which the key is being put. > + * @view_content: Callback to gain access to content. > + * @ctx: Context for callback. > + */ > +int verify_pkcs7_signature(const void *data, size_t len, > +const void *raw_pkcs7, size_t pkcs7_len, > +struct key *trusted_keys, > +enum key_being_used_for usage, > +int (*view_content)(void *ctx, > +const void *data, size_t len, > +size_t asn1hdrlen), > +void *ctx) > +{ > + struct pkcs7_message *pkcs7; > + int ret; > + > + pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); > + if (IS_ERR(pkcs7)) > + return PTR_ERR(pkcs7); > + > + ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage, > +view_content, ctx); > + > pkcs7_free_message(pkcs7); > pr_devel("<==%s() = %d\n", __func__, ret); > return ret; > diff --git
[PATCH v11 02/13] PKCS#7: Refactor verify_pkcs7_signature()
IMA will need to verify a PKCS#7 signature which has already been parsed. For this reason, factor out the code which does that from verify_pkcs7_signature() into a new function which takes a struct pkcs7_message instead of a data buffer. Signed-off-by: Thiago Jung Bauermann Reviewed-by: Mimi Zohar Cc: David Howells Cc: David Woodhouse Cc: Herbert Xu Cc: "David S. Miller" --- certs/system_keyring.c | 61 ++-- include/linux/verification.h | 10 ++ 2 files changed, 55 insertions(+), 16 deletions(-) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index c05c29ae4d5d..4ba82e52e4b4 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -194,33 +194,27 @@ late_initcall(load_system_certificate_list); #ifdef CONFIG_SYSTEM_DATA_VERIFICATION /** - * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data. + * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data. * @data: The data to be verified (NULL if expecting internal data). * @len: Size of @data. - * @raw_pkcs7: The PKCS#7 message that is the signature. - * @pkcs7_len: The size of @raw_pkcs7. + * @pkcs7: The PKCS#7 message that is the signature. * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, * (void *)1UL for all trusted keys). * @usage: The use to which the key is being put. * @view_content: Callback to gain access to content. * @ctx: Context for callback. */ -int verify_pkcs7_signature(const void *data, size_t len, - const void *raw_pkcs7, size_t pkcs7_len, - struct key *trusted_keys, - enum key_being_used_for usage, - int (*view_content)(void *ctx, - const void *data, size_t len, - size_t asn1hdrlen), - void *ctx) +int verify_pkcs7_message_sig(const void *data, size_t len, +struct pkcs7_message *pkcs7, +struct key *trusted_keys, +enum key_being_used_for usage, +int (*view_content)(void *ctx, +const void *data, size_t len, +size_t asn1hdrlen), +void *ctx) { - struct pkcs7_message *pkcs7; int ret; - pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); - if (IS_ERR(pkcs7)) - return PTR_ERR(pkcs7); - /* The data should be detached - so we need to supply it. */ if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) { pr_err("PKCS#7 signature with non-detached data\n"); @@ -273,6 +267,41 @@ int verify_pkcs7_signature(const void *data, size_t len, } error: + pr_devel("<==%s() = %d\n", __func__, ret); + return ret; +} + +/** + * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data. + * @data: The data to be verified (NULL if expecting internal data). + * @len: Size of @data. + * @raw_pkcs7: The PKCS#7 message that is the signature. + * @pkcs7_len: The size of @raw_pkcs7. + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, + * (void *)1UL for all trusted keys). + * @usage: The use to which the key is being put. + * @view_content: Callback to gain access to content. + * @ctx: Context for callback. + */ +int verify_pkcs7_signature(const void *data, size_t len, + const void *raw_pkcs7, size_t pkcs7_len, + struct key *trusted_keys, + enum key_being_used_for usage, + int (*view_content)(void *ctx, + const void *data, size_t len, + size_t asn1hdrlen), + void *ctx) +{ + struct pkcs7_message *pkcs7; + int ret; + + pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); + if (IS_ERR(pkcs7)) + return PTR_ERR(pkcs7); + + ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage, + view_content, ctx); + pkcs7_free_message(pkcs7); pr_devel("<==%s() = %d\n", __func__, ret); return ret; diff --git a/include/linux/verification.h b/include/linux/verification.h index 018fb5f13d44..5e1d41f2b336 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -36,6 +36,7 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR]; #ifdef CONFIG_SYSTEM_DATA_VERIFICATION struct key; +struct pkcs7_message; extern int verify_pkcs7_signature(const void *data, size_t len, const void *raw_pkcs7,