tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
PKCS#7: Refactor verify_pkcs7_signature()
IMA will need to verify a PKCS#7 signature which has already been parsed.
For this reason, factor out the code which does that from
verify_pkcs7_signature() into a new function which takes a struct
pkcs7_message instead of a data buffer.
Signed-off-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
authored by
Thiago Jung Bauermann
and committed by
Mimi Zohar
2a7bf671
c8424e77
+55
-16
+45
-16
certs/system_keyring.c
+45
-16
certs/system_keyring.c
···
190
190
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
191
191
192
192
/**
193
-
* verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
193
+
* verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
194
194
* @data: The data to be verified (NULL if expecting internal data).
195
195
* @len: Size of @data.
196
-
* @raw_pkcs7: The PKCS#7 message that is the signature.
197
-
* @pkcs7_len: The size of @raw_pkcs7.
196
+
* @pkcs7: The PKCS#7 message that is the signature.
198
197
* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
199
198
* (void *)1UL for all trusted keys).
200
199
* @usage: The use to which the key is being put.
201
200
* @view_content: Callback to gain access to content.
202
201
* @ctx: Context for callback.
203
202
*/
204
-
int verify_pkcs7_signature(const void *data, size_t len,
205
-
const void *raw_pkcs7, size_t pkcs7_len,
206
-
struct key *trusted_keys,
207
-
enum key_being_used_for usage,
208
-
int (*view_content)(void *ctx,
209
-
const void *data, size_t len,
210
-
size_t asn1hdrlen),
211
-
void *ctx)
203
+
int verify_pkcs7_message_sig(const void *data, size_t len,
204
+
struct pkcs7_message *pkcs7,
205
+
struct key *trusted_keys,
206
+
enum key_being_used_for usage,
207
+
int (*view_content)(void *ctx,
208
+
const void *data, size_t len,
209
+
size_t asn1hdrlen),
210
+
void *ctx)
212
211
{
213
-
struct pkcs7_message *pkcs7;
214
212
int ret;
215
-
216
-
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
217
-
if (IS_ERR(pkcs7))
218
-
return PTR_ERR(pkcs7);
219
213
220
214
/* The data should be detached - so we need to supply it. */
221
215
if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
···
263
269
}
264
270
265
271
error:
272
+
pr_devel("<==%s() = %d\n", __func__, ret);
273
+
return ret;
274
+
}
275
+
276
+
/**
277
+
* verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
278
+
* @data: The data to be verified (NULL if expecting internal data).
279
+
* @len: Size of @data.
280
+
* @raw_pkcs7: The PKCS#7 message that is the signature.
281
+
* @pkcs7_len: The size of @raw_pkcs7.
282
+
* @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
283
+
* (void *)1UL for all trusted keys).
284
+
* @usage: The use to which the key is being put.
285
+
* @view_content: Callback to gain access to content.
286
+
* @ctx: Context for callback.
287
+
*/
288
+
int verify_pkcs7_signature(const void *data, size_t len,
289
+
const void *raw_pkcs7, size_t pkcs7_len,
290
+
struct key *trusted_keys,
291
+
enum key_being_used_for usage,
292
+
int (*view_content)(void *ctx,
293
+
const void *data, size_t len,
294
+
size_t asn1hdrlen),
295
+
void *ctx)
296
+
{
297
+
struct pkcs7_message *pkcs7;
298
+
int ret;
299
+
300
+
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
301
+
if (IS_ERR(pkcs7))
302
+
return PTR_ERR(pkcs7);
303
+
304
+
ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
305
+
view_content, ctx);
306
+
266
307
pkcs7_free_message(pkcs7);
267
308
pr_devel("<==%s() = %d\n", __func__, ret);
268
309
return ret;
+10
include/linux/verification.h
+10
include/linux/verification.h
···
32
32
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
33
33
34
34
struct key;
35
+
struct pkcs7_message;
35
36
36
37
extern int verify_pkcs7_signature(const void *data, size_t len,
37
38
const void *raw_pkcs7, size_t pkcs7_len,
···
42
41
const void *data, size_t len,
43
42
size_t asn1hdrlen),
44
43
void *ctx);
44
+
extern int verify_pkcs7_message_sig(const void *data, size_t len,
45
+
struct pkcs7_message *pkcs7,
46
+
struct key *trusted_keys,
47
+
enum key_being_used_for usage,
48
+
int (*view_content)(void *ctx,
49
+
const void *data,
50
+
size_t len,
51
+
size_t asn1hdrlen),
52
+
void *ctx);
45
53
46
54
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
47
55
extern int verify_pefile_signature(const void *pebuf, unsigned pelen,