[PATCH v5 1/3] crypto: KEYS: convert public key and digsig asym to the akcipher api
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c |2
crypto/asymmetric_keys/pkcs7_verify.c |2
crypto/asymmetric_keys/public_key.c | 64 +++--
crypto/asymmetric_keys/public_key.h | 36 -
crypto/asymmetric_keys/rsa.c | 213 +++--
crypto/asymmetric_keys/x509_cert_parser.c | 37 +
crypto/asymmetric_keys/x509_public_key.c | 17 +-
crypto/asymmetric_keys/x509_rsakey.asn1 |4 -
include/crypto/public_key.h | 34 +
12 files changed, 134 insertions(+), 296 deletions(-)
delete mode 100644 crypto/asymmetric_keys/public_key.h
delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 4870f28..905d745 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm"
- select MPILIB
+ select CRYPTO_RSA
help
This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index cd1406f..b78a194 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -16,21 +16,18 @@ obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
x509_key_parser-y := \
x509-asn1.o \
x509_akid-asn1.o \
- x509_rsakey-asn1.o \
x509_cert_parser.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509-asn1.h \
- $(obj)/x509_akid-asn1.h \
- $(obj)/x509_rsakey-asn1.h
+ $(obj)/x509_akid-asn1.h
+
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h
-$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files+= x509-asn1.c x509-asn1.h
clean-files+= x509_akid-asn1.c x509_akid-asn1.h
-clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 758acab..12912c1 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -15,7 +15,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
#include "pkcs7-asn1.h"
@@ -44,7 +44,7 @@ struct pkcs7_parse_context {
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
{
if (sinfo) {
- mpi_free(sinfo->sig.mpi[0]);
+ kfree(sinfo->sig.s);
kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo);
@@ -616,16 +616,14 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
- MPI mpi;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
- mpi = mpi_read_raw_data(value, vlen);
- if (!mpi)
+ ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig.s)
return -ENOMEM;
- ctx->sinfo->sig.mpi[0] = mpi;
- ctx->sinfo->sig.nr_mpi = 1;
+ ctx->sinfo->sig.s_size = vlen;
return 0;
}
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c
b/crypto/asymmetric_keys/pkcs7_trust.c
index 90d6d47..3bbdcc7 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -17,7 +17,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/**
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c
b/crypto/asymmetric_keys/pkcs7_verify.c
index 325575c..f5db137 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -16,7 +16,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/*
diff --git a/crypto/asymmetric_keys/public_key.c
b/crypto/asymmetric_keys/public_key.c
index 6db4c01..b383629 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -18,24 +18,16 @@
#include
#include
#include
-#include "public_key.h"
+#include
MODULE_LICENSE("GPL");
const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- [PKEY_ALGO_DSA] = "DSA",
- [PKEY_ALGO_RSA] = "RSA",
+ [PKEY_ALGO_DSA]
[PATCH v5 2/3] integrity: convert digsig to akcipher api
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/Kconfig |1 +
security/integrity/digsig_asymmetric.c | 10 +++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 73c457b..f0b2463 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -36,6 +36,7 @@ config INTEGRITY_ASYMMETRIC_KEYS
select ASYMMETRIC_KEY_TYPE
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select PUBLIC_KEY_ALGO_RSA
+select CRYPTO_RSA
select X509_CERTIFICATE_PARSER
help
This option enables digital signature verification using
diff --git a/security/integrity/digsig_asymmetric.c
b/security/integrity/digsig_asymmetric.c
index 4fec181..5629372 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -92,13 +92,9 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_hash_algo = hdr->hash_algo;
pks.digest = (u8 *)data;
pks.digest_size = datalen;
- pks.nr_mpi = 1;
- pks.rsa.s = mpi_read_raw_data(hdr->sig, siglen);
-
- if (pks.rsa.s)
- ret = verify_signature(key, &pks);
-
- mpi_free(pks.rsa.s);
+ pks.s = hdr->sig;
+ pks.s_size = siglen;
+ ret = verify_signature(key, &pks);
key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
return ret;
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v5 3/3] crypto: public_key: remove MPIs from public_key_signature struct
After digsig_asymmetric.c is converted the MPIs can be now
safely removed from the public_key_signature structure.
Signed-off-by: Tadeusz Struk
---
include/crypto/public_key.h | 14 +-
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 50ac875..a1693ed 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -14,7 +14,6 @@
#ifndef _LINUX_PUBLIC_KEY_H
#define _LINUX_PUBLIC_KEY_H
-#include
#include
enum pkey_algo {
@@ -73,20 +72,9 @@ struct public_key_signature {
u8 *s; /* Signature */
u32 s_size; /* Number of bytes in signature */
u8 *digest;
- u8 digest_size; /* Number of bytes in digest */
- u8 nr_mpi; /* Occupancy of mpi[] */
+ u8 digest_size; /* Number of bytes in digest */
enum pkey_algo pkey_algo : 8;
enum hash_algo pkey_hash_algo : 8;
- union {
- MPI mpi[2];
- struct {
- MPI s; /* m^d mod n */
- } rsa;
- struct {
- MPI r;
- MPI s;
- } dsa;
- };
};
extern struct asymmetric_key_subtype public_key_subtype;
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v5 0/3] crypto: KEYS: convert public key to akcipher api
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified with software as well as HW RSA implementations. Patches generated against cryptodev-2.6 Changes in v5: - Revert back v4 and add a new patch that removes the MPIs from the public_key_signature struct after the asymmetric_verify funtc in digsig is converted as proposed by Herbert. Changes in v4: - Flatten both patches into one to avoid bisect compilation problems. Changes in v3: - Don't include keys/asymmetric-type.h in crypto/public_key.h Changes in v2: - Fix the whey public_key_signature is setup. The pointer s needs to point to the signature instread of the signature_v2_hdr. - Select CRYPTO_RSA when INTEGRITY_ASYMMETRIC_KEYS is selected. --- Tadeusz Struk (3): crypto: KEYS: convert public key and digsig asym to the akcipher api integrity: convert digsig to akcipher api crypto: public_key: remove MPIs from public_key_signature struct crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +- crypto/asymmetric_keys/pkcs7_trust.c |2 crypto/asymmetric_keys/pkcs7_verify.c |2 crypto/asymmetric_keys/public_key.c | 64 +++-- crypto/asymmetric_keys/public_key.h | 36 - crypto/asymmetric_keys/rsa.c | 213 +++-- crypto/asymmetric_keys/x509_cert_parser.c | 37 + crypto/asymmetric_keys/x509_public_key.c | 17 +- crypto/asymmetric_keys/x509_rsakey.asn1 |4 - include/crypto/public_key.h | 48 +-- security/integrity/Kconfig|1 security/integrity/digsig_asymmetric.c| 10 - 14 files changed, 139 insertions(+), 316 deletions(-) delete mode 100644 crypto/asymmetric_keys/public_key.h delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1 -- -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api
On 12/23/2015 12:21 PM, Herbert Xu wrote: > Why not just leave the MPIs in the structure and only remove them > by adding a third patch? Right, I think that's a better way of resolving this. v5 on it's way. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api
On 12/23/2015 06:51 AM, Herbert Xu wrote: >> > Changes in v4: >> > - Flatten both patches into one to avoid bisect compilation problems. > Why is this necessary? Because the first patch modifies the struct public_key and removes the MPIs from it, which the code modified in the second patch still uses. If bisect only takes the first then the build will fail on the security/integrity/digsig_asymmetric.c as reported by kbuild test robot: >> security/integrity/digsig_asymmetric.c:95:5: error: 'struct >> public_key_signature' has no member named 'nr_mpi' pks.nr_mpi = 1; Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v4] crypto: KEYS: convert public key and digsig asym to the akcipher api
This patch converts the module verification and digital signature
code to the new akcipher API.
RSA implementation has been removed from crypto/asymmetric_keys and the
new API is used for cryptographic primitives.
There is no need for MPI above the akcipher API anymore.
Modules can be verified with software as well as HW RSA implementations.
Patches generated against cryptodev-2.6
Changes in v4:
- Flatten both patches into one to avoid bisect compilation problems.
Changes in v3:
- Don't include keys/asymmetric-type.h in crypto/public_key.h
Changes in v2:
- Fix the whey public_key_signature is setup. The pointer s needs to
point to the signature instread of the signature_v2_hdr.
- Select CRYPTO_RSA when INTEGRITY_ASYMMETRIC_KEYS is selected.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c |2
crypto/asymmetric_keys/pkcs7_verify.c |2
crypto/asymmetric_keys/public_key.c | 64 +++--
crypto/asymmetric_keys/public_key.h | 36 -
crypto/asymmetric_keys/rsa.c | 213 +++--
crypto/asymmetric_keys/x509_cert_parser.c | 37 +
crypto/asymmetric_keys/x509_public_key.c | 17 +-
crypto/asymmetric_keys/x509_rsakey.asn1 |4 -
include/crypto/public_key.h | 48 +--
security/integrity/Kconfig|1
security/integrity/digsig_asymmetric.c| 10 -
14 files changed, 139 insertions(+), 316 deletions(-)
delete mode 100644 crypto/asymmetric_keys/public_key.h
delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 4870f28..905d745 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm"
- select MPILIB
+ select CRYPTO_RSA
help
This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index cd1406f..b78a194 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -16,21 +16,18 @@ obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
x509_key_parser-y := \
x509-asn1.o \
x509_akid-asn1.o \
- x509_rsakey-asn1.o \
x509_cert_parser.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509-asn1.h \
- $(obj)/x509_akid-asn1.h \
- $(obj)/x509_rsakey-asn1.h
+ $(obj)/x509_akid-asn1.h
+
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h
-$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files+= x509-asn1.c x509-asn1.h
clean-files+= x509_akid-asn1.c x509_akid-asn1.h
-clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 758acab..12912c1 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -15,7 +15,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
#include "pkcs7-asn1.h"
@@ -44,7 +44,7 @@ struct pkcs7_parse_context {
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
{
if (sinfo) {
- mpi_free(sinfo->sig.mpi[0]);
+ kfree(sinfo->sig.s);
kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo);
@@ -616,16 +616,14 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
- MPI mpi;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
- mpi = mpi_read_raw_data(value, vlen);
- if (!mpi)
+ ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig.s)
return -ENOMEM;
- ctx->sinfo->sig.mpi[0] = mpi;
- ctx->sinfo->sig.nr_mpi = 1;
+ ctx->sinfo->sig.s_size = vlen;
return 0;
}
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c
b/crypto/asymmetric_keys/pkcs7_trust.c
index 90d6d47..3bbdcc7 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -17,7 +17,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/**
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c
b/crypto/asymmetric_keys/pkcs
[PATCH v3 2/2] integrity: convert digsig to akcipher api
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/Kconfig |1 +
security/integrity/digsig_asymmetric.c | 10 +++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 73c457b..f0b2463 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -36,6 +36,7 @@ config INTEGRITY_ASYMMETRIC_KEYS
select ASYMMETRIC_KEY_TYPE
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select PUBLIC_KEY_ALGO_RSA
+select CRYPTO_RSA
select X509_CERTIFICATE_PARSER
help
This option enables digital signature verification using
diff --git a/security/integrity/digsig_asymmetric.c
b/security/integrity/digsig_asymmetric.c
index 4fec181..5629372 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -92,13 +92,9 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_hash_algo = hdr->hash_algo;
pks.digest = (u8 *)data;
pks.digest_size = datalen;
- pks.nr_mpi = 1;
- pks.rsa.s = mpi_read_raw_data(hdr->sig, siglen);
-
- if (pks.rsa.s)
- ret = verify_signature(key, &pks);
-
- mpi_free(pks.rsa.s);
+ pks.s = hdr->sig;
+ pks.s_size = siglen;
+ ret = verify_signature(key, &pks);
key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
return ret;
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v3 1/2] crypto: KEYS: convert public key to the akcipher api
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c |2
crypto/asymmetric_keys/pkcs7_verify.c |2
crypto/asymmetric_keys/public_key.c | 64 +++--
crypto/asymmetric_keys/public_key.h | 36 -
crypto/asymmetric_keys/rsa.c | 213 +++--
crypto/asymmetric_keys/x509_cert_parser.c | 37 +
crypto/asymmetric_keys/x509_public_key.c | 17 +-
crypto/asymmetric_keys/x509_rsakey.asn1 |4 -
include/crypto/public_key.h | 48 +--
12 files changed, 135 insertions(+), 309 deletions(-)
delete mode 100644 crypto/asymmetric_keys/public_key.h
delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 4870f28..905d745 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm"
- select MPILIB
+ select CRYPTO_RSA
help
This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index cd1406f..b78a194 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -16,21 +16,18 @@ obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
x509_key_parser-y := \
x509-asn1.o \
x509_akid-asn1.o \
- x509_rsakey-asn1.o \
x509_cert_parser.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509-asn1.h \
- $(obj)/x509_akid-asn1.h \
- $(obj)/x509_rsakey-asn1.h
+ $(obj)/x509_akid-asn1.h
+
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h
-$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files+= x509-asn1.c x509-asn1.h
clean-files+= x509_akid-asn1.c x509_akid-asn1.h
-clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 758acab..12912c1 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -15,7 +15,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
#include "pkcs7-asn1.h"
@@ -44,7 +44,7 @@ struct pkcs7_parse_context {
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
{
if (sinfo) {
- mpi_free(sinfo->sig.mpi[0]);
+ kfree(sinfo->sig.s);
kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo);
@@ -616,16 +616,14 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
- MPI mpi;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
- mpi = mpi_read_raw_data(value, vlen);
- if (!mpi)
+ ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig.s)
return -ENOMEM;
- ctx->sinfo->sig.mpi[0] = mpi;
- ctx->sinfo->sig.nr_mpi = 1;
+ ctx->sinfo->sig.s_size = vlen;
return 0;
}
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c
b/crypto/asymmetric_keys/pkcs7_trust.c
index 90d6d47..3bbdcc7 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -17,7 +17,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/**
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c
b/crypto/asymmetric_keys/pkcs7_verify.c
index 325575c..f5db137 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -16,7 +16,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/*
diff --git a/crypto/asymmetric_keys/public_key.c
b/crypto/asymmetric_keys/public_key.c
index 6db4c01..b383629 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -18,24 +18,16 @@
#include
#include
#include
-#include "public_key.h"
+#include
MODULE_LICENSE("GPL");
const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- [PKEY_ALGO_DSA] = "DSA",
- [PKEY_ALGO_RSA] = "RSA",
+ [PKEY_ALGO_DSA]
[PATCH v3 0/2] crypto: KEYS: convert public key to akcipher api
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified with software as well as HW RSA implementations. Patches generated against cryptodev-2.6 Changes in v3: - Don't include keys/asymmetric-type.h in crypto/public_key.h Changes in v2: - Fix the whey public_key_signature is setup. The pointer s needs to point to the signature instread of the signature_v2_hdr. - Select CRYPTO_RSA when INTEGRITY_ASYMMETRIC_KEYS is selected. --- Tadeusz Struk (2): crypto: KEYS: convert public key to the akcipher api integrity: convert digsig to akcipher api crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +- crypto/asymmetric_keys/pkcs7_trust.c |2 crypto/asymmetric_keys/pkcs7_verify.c |2 crypto/asymmetric_keys/public_key.c | 64 +++-- crypto/asymmetric_keys/public_key.h | 36 - crypto/asymmetric_keys/rsa.c | 213 +++-- crypto/asymmetric_keys/x509_cert_parser.c | 37 + crypto/asymmetric_keys/x509_public_key.c | 17 +- crypto/asymmetric_keys/x509_rsakey.asn1 |4 - include/crypto/public_key.h | 48 ++- security/integrity/Kconfig|1 security/integrity/digsig_asymmetric.c| 10 - 14 files changed, 139 insertions(+), 316 deletions(-) delete mode 100644 crypto/asymmetric_keys/public_key.h delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1 -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api
On 12/22/2015 06:33 PM, Herbert Xu wrote: >> What about the first two. This one is completely unrelated. >> > It only supposed to fix some random configuration issue >> > reported by a build robot, which isn't really important now. >> > The other two convert the module verifier to the new API. > No this compile breakage was introduced by your first two patches > because you changed crypto/public_key.h which is used by entities > outside of your patch. > > So fix your first two patches by not breaking existing users > of it. Ok I can see the problem now. I just don't should not include the asymmetric-type.h in the public_key.h and it fixes it. Will send v3 soon. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api
Hi Herbert On 12/22/2015 04:09 AM, Herbert Xu wrote: > On Mon, Dec 21, 2015 at 12:59:59PM -0800, Tadeusz Struk wrote: >> >> The previous patch was broken, re-sending again, sorry. >> >> I think there is something missing in this configuration. >> cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives nothing. >> Anyways, this patch should fix it. > > No this is unacceptable. Please fix it properly by making the > header file self-contained, e.g., by using a forward declaration. What about the first two. This one is completely unrelated. It only supposed to fix some random configuration issue reported by a build robot, which isn't really important now. The other two convert the module verifier to the new API. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api
Hi,
On 12/19/2015 03:49 PM, kbuild test robot wrote:
> Hi Tadeusz,
>
> [auto build test ERROR on crypto/master]
> [also build test ERROR on v4.4-rc5 next-20151218]
>
> url:
> https://github.com/0day-ci/linux/commits/Tadeusz-Struk/crypto-KEYS-convert-public-key-to-akcipher-api/20151213-103429
> base:
> https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git master
> config: x86_64-randconfig-s4-12200710 (attached as .config)
> reproduce:
> # save the attached .config to linux build tree
> make ARCH=x86_64
>
> All errors (new ones prefixed by >>):
>
>In file included from include/crypto/public_key.h:17:0,
> from include/linux/verify_pefile.h:15,
> from arch/x86/kernel/kexec-bzimage64.c:22:
>include/keys/asymmetric-type.h: In function 'asymmetric_key_ids':
>>> include/keys/asymmetric-type.h:74:12: error: dereferencing pointer to
>>> incomplete type 'const struct key'
> return key->payload.data[asym_key_ids];
>^
>
> vim +74 include/keys/asymmetric-type.h
>
> 7901c1a8 David Howells 2014-09-16 68
> size_t len_1,
> 7901c1a8 David Howells 2014-09-16 69
> const void *val_2,
> 7901c1a8 David Howells 2014-09-16 70
> size_t len_2);
> 146aa8b1 David Howells 2015-10-21 71 static inline
> 146aa8b1 David Howells 2015-10-21 72 const struct asymmetric_key_ids
> *asymmetric_key_ids(const struct key *key)
> 146aa8b1 David Howells 2015-10-21 73 {
> 146aa8b1 David Howells 2015-10-21 @74 return
> key->payload.data[asym_key_ids];
> 146aa8b1 David Howells 2015-10-21 75 }
> 7901c1a8 David Howells 2014-09-16 76
> 7901c1a8 David Howells 2014-09-16 77 /*
>
> :: The code at line 74 was first introduced by commit
> :: 146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc KEYS: Merge the type-specific
> data with the payload data
>
> :: TO: David Howells
> :: CC: David Howells
>
The previous patch was broken, re-sending again, sorry.
I think there is something missing in this configuration.
cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives nothing.
Anyways, this patch should fix it.
---8<---
From: Tadeusz Struk
Fix auto build test ERROR on crypto/master
Reported-by:
Signed-off-by: Tadeusz Struk
diff --git a/arch/x86/kernel/kexec-bzimage64.c
b/arch/x86/kernel/kexec-bzimage64.c
index 0f8a6bb..23aa625 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -19,9 +19,10 @@
#include
#include
#include
+#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
#include
#include
-
+#endif
#include
#include
#include
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api
On 12/19/2015 03:49 PM, kbuild test robot wrote:
> Hi Tadeusz,
>
> [auto build test ERROR on crypto/master]
> [also build test ERROR on v4.4-rc5 next-20151218]
>
> url:
> https://github.com/0day-ci/linux/commits/Tadeusz-Struk/crypto-KEYS-convert-public-key-to-akcipher-api/20151213-103429
> base:
> https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git master
> config: x86_64-randconfig-s4-12200710 (attached as .config)
> reproduce:
> # save the attached .config to linux build tree
> make ARCH=x86_64
>
> All errors (new ones prefixed by >>):
>
>In file included from include/crypto/public_key.h:17:0,
> from include/linux/verify_pefile.h:15,
> from arch/x86/kernel/kexec-bzimage64.c:22:
>include/keys/asymmetric-type.h: In function 'asymmetric_key_ids':
>>> >> include/keys/asymmetric-type.h:74:12: error: dereferencing pointer to
>>> >> incomplete type 'const struct key'
> return key->payload.data[asym_key_ids];
>^
>
> vim +74 include/keys/asymmetric-type.h
>
> 7901c1a8 David Howells 2014-09-16 68
> size_t len_1,
> 7901c1a8 David Howells 2014-09-16 69
> const void *val_2,
> 7901c1a8 David Howells 2014-09-16 70
> size_t len_2);
> 146aa8b1 David Howells 2015-10-21 71 static inline
> 146aa8b1 David Howells 2015-10-21 72 const struct asymmetric_key_ids
> *asymmetric_key_ids(const struct key *key)
> 146aa8b1 David Howells 2015-10-21 73 {
> 146aa8b1 David Howells 2015-10-21 @74 return
> key->payload.data[asym_key_ids];
> 146aa8b1 David Howells 2015-10-21 75 }
> 7901c1a8 David Howells 2014-09-16 76
> 7901c1a8 David Howells 2014-09-16 77 /*
>
> :: The code at line 74 was first introduced by commit
> :: 146aa8b1453bd8f1ff2304ffb71b4ee0eb9acdcc KEYS: Merge the type-specific
> data with the payload data
>
> :: TO: David Howells
> :: CC: David Howells
I think there is something missing in this configuration.
cat .config | grep KEXEC_BZIMAGE_VERIFY_SIG gives nothing.
Anyways, this patch should fix it.
---8<---
From: Tadeusz Struk
Fix auto build test ERROR on crypto/master
Reported-by:
Signed-off-by: Tadeusz Struk
diff --git a/arch/x86/kernel/kexec-bzimage64.c
b/arch/x86/kernel/kexec-bzimage64.c
index 0f8a6bb..23aa625 100644
--- a/arch/x86/kernel/kexec-bzimage64.c
+++ b/arch/x86/kernel/kexec-bzimage64.c
@@ -19,9 +19,10 @@
#include
#include
#include
+#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
#include
#include
-
+#endif
#include
#include
#include
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 2/2] integrity: convert digsig to akcipher api
On 12/14/2015 05:24 AM, Mimi Zohar wrote: > On Sat, 2015-12-12 at 18:26 -0800, Tadeusz Struk wrote: >> Convert asymmetric_verify to akcipher api. >> >> Signed-off-by: Tadeusz Struk >> --- >> security/integrity/Kconfig |1 + >> security/integrity/digsig_asymmetric.c | 10 +++--- >> 2 files changed, 4 insertions(+), 7 deletions(-) >> >> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig >> index 73c457b..f0b2463 100644 >> --- a/security/integrity/Kconfig >> +++ b/security/integrity/Kconfig >> @@ -36,6 +36,7 @@ config INTEGRITY_ASYMMETRIC_KEYS >> select ASYMMETRIC_KEY_TYPE >> select ASYMMETRIC_PUBLIC_KEY_SUBTYPE >> select PUBLIC_KEY_ALGO_RSA >> +select CRYPTO_RSA >> select X509_CERTIFICATE_PARSER >> help >>This option enables digital signature verification using >> diff --git a/security/integrity/digsig_asymmetric.c >> b/security/integrity/digsig_asymmetric.c >> index 4fec181..5629372 100644 >> --- a/security/integrity/digsig_asymmetric.c >> +++ b/security/integrity/digsig_asymmetric.c >> @@ -92,13 +92,9 @@ int asymmetric_verify(struct key *keyring, const char >> *sig, >> pks.pkey_hash_algo = hdr->hash_algo; >> pks.digest = (u8 *)data; >> pks.digest_size = datalen; >> -pks.nr_mpi = 1; >> -pks.rsa.s = mpi_read_raw_data(hdr->sig, siglen); >> - >> -if (pks.rsa.s) >> -ret = verify_signature(key, &pks); >> - >> -mpi_free(pks.rsa.s); >> +pks.s = hdr->sig; > > Thanks! With this change, my system is now able to boot. > Thanks Mimi. David, do you have any comments to this patch set? If not could you ACK please. Thanks, -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2 1/2] crypto: KEYS: convert public key to the akcipher api
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c |2
crypto/asymmetric_keys/pkcs7_verify.c |2
crypto/asymmetric_keys/public_key.c | 64 +++--
crypto/asymmetric_keys/public_key.h | 36 -
crypto/asymmetric_keys/rsa.c | 213 +++--
crypto/asymmetric_keys/x509_cert_parser.c | 37 +
crypto/asymmetric_keys/x509_public_key.c | 17 +-
crypto/asymmetric_keys/x509_rsakey.asn1 |4 -
include/crypto/public_key.h | 49 ++-
12 files changed, 136 insertions(+), 309 deletions(-)
delete mode 100644 crypto/asymmetric_keys/public_key.h
delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 4870f28..905d745 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm"
- select MPILIB
+ select CRYPTO_RSA
help
This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index cd1406f..b78a194 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -16,21 +16,18 @@ obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
x509_key_parser-y := \
x509-asn1.o \
x509_akid-asn1.o \
- x509_rsakey-asn1.o \
x509_cert_parser.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509-asn1.h \
- $(obj)/x509_akid-asn1.h \
- $(obj)/x509_rsakey-asn1.h
+ $(obj)/x509_akid-asn1.h
+
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h
-$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files+= x509-asn1.c x509-asn1.h
clean-files+= x509_akid-asn1.c x509_akid-asn1.h
-clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 758acab..12912c1 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -15,7 +15,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
#include "pkcs7-asn1.h"
@@ -44,7 +44,7 @@ struct pkcs7_parse_context {
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
{
if (sinfo) {
- mpi_free(sinfo->sig.mpi[0]);
+ kfree(sinfo->sig.s);
kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo);
@@ -616,16 +616,14 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
- MPI mpi;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
- mpi = mpi_read_raw_data(value, vlen);
- if (!mpi)
+ ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig.s)
return -ENOMEM;
- ctx->sinfo->sig.mpi[0] = mpi;
- ctx->sinfo->sig.nr_mpi = 1;
+ ctx->sinfo->sig.s_size = vlen;
return 0;
}
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c
b/crypto/asymmetric_keys/pkcs7_trust.c
index 90d6d47..3bbdcc7 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -17,7 +17,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/**
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c
b/crypto/asymmetric_keys/pkcs7_verify.c
index 325575c..f5db137 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -16,7 +16,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/*
diff --git a/crypto/asymmetric_keys/public_key.c
b/crypto/asymmetric_keys/public_key.c
index 6db4c01..b383629 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -18,24 +18,16 @@
#include
#include
#include
-#include "public_key.h"
+#include
MODULE_LICENSE("GPL");
const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- [PKEY_ALGO_DSA] = "DSA",
- [PKEY_ALGO_RSA] = "RSA",
+ [PKEY_ALGO_DSA]
[PATCH v2 2/2] integrity: convert digsig to akcipher api
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/Kconfig |1 +
security/integrity/digsig_asymmetric.c | 10 +++---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 73c457b..f0b2463 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -36,6 +36,7 @@ config INTEGRITY_ASYMMETRIC_KEYS
select ASYMMETRIC_KEY_TYPE
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select PUBLIC_KEY_ALGO_RSA
+select CRYPTO_RSA
select X509_CERTIFICATE_PARSER
help
This option enables digital signature verification using
diff --git a/security/integrity/digsig_asymmetric.c
b/security/integrity/digsig_asymmetric.c
index 4fec181..5629372 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -92,13 +92,9 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_hash_algo = hdr->hash_algo;
pks.digest = (u8 *)data;
pks.digest_size = datalen;
- pks.nr_mpi = 1;
- pks.rsa.s = mpi_read_raw_data(hdr->sig, siglen);
-
- if (pks.rsa.s)
- ret = verify_signature(key, &pks);
-
- mpi_free(pks.rsa.s);
+ pks.s = hdr->sig;
+ pks.s_size = siglen;
+ ret = verify_signature(key, &pks);
key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
return ret;
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2 0/2] crypto: KEYS: convert public key to akcipher api
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified with software as well as HW RSA implementations. Patches generated against cryptodev-2.6 Changes in v2: - Fix the whey public_key_signature is setup. The pointer s needs to point to the signature instread of the signature_v2_hdr. - Select CRYPTO_RSA when INTEGRITY_ASYMMETRIC_KEYS is selected. --- Tadeusz Struk (2): crypto: KEYS: convert public key to the akcipher api integrity: convert digsig to akcipher api crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +- crypto/asymmetric_keys/pkcs7_trust.c |2 crypto/asymmetric_keys/pkcs7_verify.c |2 crypto/asymmetric_keys/public_key.c | 64 +++-- crypto/asymmetric_keys/public_key.h | 36 - crypto/asymmetric_keys/rsa.c | 213 +++-- crypto/asymmetric_keys/x509_cert_parser.c | 37 + crypto/asymmetric_keys/x509_public_key.c | 17 +- crypto/asymmetric_keys/x509_rsakey.asn1 |4 - include/crypto/public_key.h | 49 ++- security/integrity/Kconfig|1 security/integrity/digsig_asymmetric.c| 10 - 14 files changed, 140 insertions(+), 316 deletions(-) delete mode 100644 crypto/asymmetric_keys/public_key.h delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1 -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 0/2] crypto: KEYS: convert public key to akcipher api
Hi Mimi, On 12/10/2015 10:25 AM, Mimi Zohar wrote: >> This patch set converts the module verification and digital signature >> > code to the new akcipher API. >> > RSA implementation has been removed from crypto/asymmetric_keys and the >> > new API is used for cryptographic primitives. >> > There is no need for MPI above the akcipher API anymore. >> > Modules can be verified with software as well as HW RSA implementations. > With these two patches my system doesn't even boot. Digging deeper... > It needs RSA implementation built-in. Could you check if you have CONFIG_CRYPTO_RSA=y Thanks -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/2] crypto: KEYS: convert public key to the akcipher api
This patch converts the module verification code to the new akcipher API.
Signed-off-by: Tadeusz Struk
---
crypto/asymmetric_keys/Kconfig|2
crypto/asymmetric_keys/Makefile |7 -
crypto/asymmetric_keys/pkcs7_parser.c | 12 +-
crypto/asymmetric_keys/pkcs7_trust.c |2
crypto/asymmetric_keys/pkcs7_verify.c |2
crypto/asymmetric_keys/public_key.c | 64 +++--
crypto/asymmetric_keys/public_key.h | 36 -
crypto/asymmetric_keys/rsa.c | 211 +++--
crypto/asymmetric_keys/x509_cert_parser.c | 37 +
crypto/asymmetric_keys/x509_public_key.c | 17 +-
crypto/asymmetric_keys/x509_rsakey.asn1 |4 -
include/crypto/public_key.h | 49 ++-
12 files changed, 135 insertions(+), 308 deletions(-)
delete mode 100644 crypto/asymmetric_keys/public_key.h
delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 4870f28..905d745 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -22,7 +22,7 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
config PUBLIC_KEY_ALGO_RSA
tristate "RSA public-key algorithm"
- select MPILIB
+ select CRYPTO_RSA
help
This option enables support for the RSA algorithm (PKCS#1, RFC3447).
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index cd1406f..b78a194 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -16,21 +16,18 @@ obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
x509_key_parser-y := \
x509-asn1.o \
x509_akid-asn1.o \
- x509_rsakey-asn1.o \
x509_cert_parser.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509-asn1.h \
- $(obj)/x509_akid-asn1.h \
- $(obj)/x509_rsakey-asn1.h
+ $(obj)/x509_akid-asn1.h
+
$(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h
$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h
-$(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h
clean-files+= x509-asn1.c x509-asn1.h
clean-files+= x509_akid-asn1.c x509_akid-asn1.h
-clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h
#
# PKCS#7 message handling
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c
b/crypto/asymmetric_keys/pkcs7_parser.c
index 758acab..12912c1 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -15,7 +15,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
#include "pkcs7-asn1.h"
@@ -44,7 +44,7 @@ struct pkcs7_parse_context {
static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
{
if (sinfo) {
- mpi_free(sinfo->sig.mpi[0]);
+ kfree(sinfo->sig.s);
kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo);
@@ -616,16 +616,14 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
- MPI mpi;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
- mpi = mpi_read_raw_data(value, vlen);
- if (!mpi)
+ ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig.s)
return -ENOMEM;
- ctx->sinfo->sig.mpi[0] = mpi;
- ctx->sinfo->sig.nr_mpi = 1;
+ ctx->sinfo->sig.s_size = vlen;
return 0;
}
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c
b/crypto/asymmetric_keys/pkcs7_trust.c
index 90d6d47..3bbdcc7 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -17,7 +17,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/**
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c
b/crypto/asymmetric_keys/pkcs7_verify.c
index 325575c..f5db137 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -16,7 +16,7 @@
#include
#include
#include
-#include "public_key.h"
+#include
#include "pkcs7_parser.h"
/*
diff --git a/crypto/asymmetric_keys/public_key.c
b/crypto/asymmetric_keys/public_key.c
index 6db4c01..b383629 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -18,24 +18,16 @@
#include
#include
#include
-#include "public_key.h"
+#include
MODULE_LICENSE("GPL");
const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
- [PKEY_ALGO_DSA] = "DSA",
- [PKEY_ALGO_RSA] = "RSA",
+ [PKEY_ALGO_DSA]
[PATCH 2/2] integrity: convert digsig to akcipher api
Convert asymmetric_verify to akcipher api.
Signed-off-by: Tadeusz Struk
---
security/integrity/digsig_asymmetric.c | 10 +++---
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/security/integrity/digsig_asymmetric.c
b/security/integrity/digsig_asymmetric.c
index 4fec181..55f4830 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -92,13 +92,9 @@ int asymmetric_verify(struct key *keyring, const char *sig,
pks.pkey_hash_algo = hdr->hash_algo;
pks.digest = (u8 *)data;
pks.digest_size = datalen;
- pks.nr_mpi = 1;
- pks.rsa.s = mpi_read_raw_data(hdr->sig, siglen);
-
- if (pks.rsa.s)
- ret = verify_signature(key, &pks);
-
- mpi_free(pks.rsa.s);
+ pks.s = sig;
+ pks.s_size = siglen;
+ ret = verify_signature(key, &pks);
key_put(key);
pr_debug("%s() = %d\n", __func__, ret);
return ret;
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 0/2] crypto: KEYS: convert public key to akcipher api
This patch set converts the module verification and digital signature code to the new akcipher API. RSA implementation has been removed from crypto/asymmetric_keys and the new API is used for cryptographic primitives. There is no need for MPI above the akcipher API anymore. Modules can be verified with software as well as HW RSA implementations. Patches generated against cryptodev-2.6 --- Tadeusz Struk (2): crypto: KEYS: convert public key to the akcipher api integrity: convert digsig to akcipher api crypto/asymmetric_keys/Kconfig|2 crypto/asymmetric_keys/Makefile |7 - crypto/asymmetric_keys/pkcs7_parser.c | 12 +- crypto/asymmetric_keys/pkcs7_trust.c |2 crypto/asymmetric_keys/pkcs7_verify.c |2 crypto/asymmetric_keys/public_key.c | 64 +++-- crypto/asymmetric_keys/public_key.h | 36 - crypto/asymmetric_keys/rsa.c | 211 +++-- crypto/asymmetric_keys/x509_cert_parser.c | 37 + crypto/asymmetric_keys/x509_public_key.c | 17 +- crypto/asymmetric_keys/x509_rsakey.asn1 |4 - include/crypto/public_key.h | 49 ++- security/integrity/digsig_asymmetric.c| 10 - 13 files changed, 138 insertions(+), 315 deletions(-) delete mode 100644 crypto/asymmetric_keys/public_key.h delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1 -- TS -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
