diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-08 15:41:25 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-09-08 15:41:25 -0400 |
| commit | b793c005ceabf6db0b17494b0ec67ade6796bb34 (patch) | |
| tree | 080c884f04254403ec9564742f591a9fd9b7e95a /include/crypto | |
| parent | 6f0a2fc1feb19bd142961a39dc118e7e55418b3f (diff) | |
| parent | 07f081fb5057b2ea98baeca3a47bf0eb33e94aa1 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"Highlights:
- PKCS#7 support added to support signed kexec, also utilized for
module signing. See comments in 3f1e1bea.
** NOTE: this requires linking against the OpenSSL library, which
must be installed, e.g. the openssl-devel on Fedora **
- Smack
- add IPv6 host labeling; ignore labels on kernel threads
- support smack labeling mounts which use binary mount data
- SELinux:
- add ioctl whitelisting (see
http://kernsec.org/files/lss2015/vanderstoep.pdf)
- fix mprotect PROT_EXEC regression caused by mm change
- Seccomp:
- add ptrace options for suspend/resume"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
Documentation/Changes: Now need OpenSSL devel packages for module signing
scripts: add extract-cert and sign-file to .gitignore
modsign: Handle signing key in source tree
modsign: Use if_changed rule for extracting cert from module signing key
Move certificate handling to its own directory
sign-file: Fix warning about BIO_reset() return value
PKCS#7: Add MODULE_LICENSE() to test module
Smack - Fix build error with bringup unconfigured
sign-file: Document dependency on OpenSSL devel libraries
PKCS#7: Appropriately restrict authenticated attributes and content type
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
extract-cert: Cope with multiple X.509 certificates in a single file
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Support CMS messages also [RFC5652]
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Check content type and versions
MAINTAINERS: The keyrings mailing list has moved
...
Diffstat (limited to 'include/crypto')
| -rw-r--r-- | include/crypto/pkcs7.h | 13 | ||||
| -rw-r--r-- | include/crypto/public_key.h | 18 |
2 files changed, 29 insertions, 2 deletions
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 691c79172a26..441aff9b5aa7 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h | |||
| @@ -9,6 +9,11 @@ | |||
| 9 | * 2 of the Licence, or (at your option) any later version. | 9 | * 2 of the Licence, or (at your option) any later version. |
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #ifndef _CRYPTO_PKCS7_H | ||
| 13 | #define _CRYPTO_PKCS7_H | ||
| 14 | |||
| 15 | #include <crypto/public_key.h> | ||
| 16 | |||
| 12 | struct key; | 17 | struct key; |
| 13 | struct pkcs7_message; | 18 | struct pkcs7_message; |
| 14 | 19 | ||
| @@ -33,4 +38,10 @@ extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, | |||
| 33 | /* | 38 | /* |
| 34 | * pkcs7_verify.c | 39 | * pkcs7_verify.c |
| 35 | */ | 40 | */ |
| 36 | extern int pkcs7_verify(struct pkcs7_message *pkcs7); | 41 | extern int pkcs7_verify(struct pkcs7_message *pkcs7, |
| 42 | enum key_being_used_for usage); | ||
| 43 | |||
| 44 | extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, | ||
| 45 | const void *data, size_t datalen); | ||
| 46 | |||
| 47 | #endif /* _CRYPTO_PKCS7_H */ | ||
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 54add2069901..067c242b1e15 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h | |||
| @@ -33,12 +33,27 @@ extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST]; | |||
| 33 | enum pkey_id_type { | 33 | enum pkey_id_type { |
| 34 | PKEY_ID_PGP, /* OpenPGP generated key ID */ | 34 | PKEY_ID_PGP, /* OpenPGP generated key ID */ |
| 35 | PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ | 35 | PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ |
| 36 | PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ | ||
| 36 | PKEY_ID_TYPE__LAST | 37 | PKEY_ID_TYPE__LAST |
| 37 | }; | 38 | }; |
| 38 | 39 | ||
| 39 | extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST]; | 40 | extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST]; |
| 40 | 41 | ||
| 41 | /* | 42 | /* |
| 43 | * The use to which an asymmetric key is being put. | ||
| 44 | */ | ||
| 45 | enum key_being_used_for { | ||
| 46 | VERIFYING_MODULE_SIGNATURE, | ||
| 47 | VERIFYING_FIRMWARE_SIGNATURE, | ||
| 48 | VERIFYING_KEXEC_PE_SIGNATURE, | ||
| 49 | VERIFYING_KEY_SIGNATURE, | ||
| 50 | VERIFYING_KEY_SELF_SIGNATURE, | ||
| 51 | VERIFYING_UNSPECIFIED_SIGNATURE, | ||
| 52 | NR__KEY_BEING_USED_FOR | ||
| 53 | }; | ||
| 54 | extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR]; | ||
| 55 | |||
| 56 | /* | ||
| 42 | * Cryptographic data for the public-key subtype of the asymmetric key type. | 57 | * Cryptographic data for the public-key subtype of the asymmetric key type. |
| 43 | * | 58 | * |
| 44 | * Note that this may include private part of the key as well as the public | 59 | * Note that this may include private part of the key as well as the public |
| @@ -101,7 +116,8 @@ extern int verify_signature(const struct key *key, | |||
| 101 | 116 | ||
| 102 | struct asymmetric_key_id; | 117 | struct asymmetric_key_id; |
| 103 | extern struct key *x509_request_asymmetric_key(struct key *keyring, | 118 | extern struct key *x509_request_asymmetric_key(struct key *keyring, |
| 104 | const struct asymmetric_key_id *kid, | 119 | const struct asymmetric_key_id *id, |
| 120 | const struct asymmetric_key_id *skid, | ||
| 105 | bool partial); | 121 | bool partial); |
| 106 | 122 | ||
| 107 | #endif /* _LINUX_PUBLIC_KEY_H */ | 123 | #endif /* _LINUX_PUBLIC_KEY_H */ |