KEYS: Generalise system_verify_data() to provide access to internal content

Generalise system_verify_data() to provide access to internal content through a callback. This allows all the PKCS#7 stuff to be hidden inside this function and removed from the PE file parser and the PKCS#7 test key. If external content is not required, NULL should be passed as data to the function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2016-04-06 11:14:24 -0400
committer: David Howells <dhowells@redhat.com> 2016-04-06 11:14:24 -0400
commit: e68503bd6836ba765dc8e0ee77ea675fedc07e41 (patch)
tree: 31ebec81d2f52adc89796dd063468235bfd1cc0e /include
parent: ad3043fda39db0361d9601685356db4512e914be (diff)
6 files changed, 54 insertions, 43 deletions
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 441aff9b5aa7..8323e3e57131 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -12,6 +12,7 @@
 #ifndef _CRYPTO_PKCS7_H
 #define _CRYPTO_PKCS7_H
+#include <linux/verification.h>
 #include <crypto/public_key.h>
 struct key;
@@ -26,7 +27,7 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
 extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
                                  const void **_data, size_t *_datalen,
-                                  bool want_wrapper);
+                                  size_t *_headerlen);
 /*
 * pkcs7_trust.c
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 2f5de5c1a3a0..b3928e801b8c 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,20 +15,6 @@
 #define _LINUX_PUBLIC_KEY_H
 /*
- * The use to which an asymmetric key is being put.
- */
-enum key_being_used_for {
-        VERIFYING_MODULE_SIGNATURE,
-        VERIFYING_FIRMWARE_SIGNATURE,
-        VERIFYING_KEXEC_PE_SIGNATURE,
-        VERIFYING_KEY_SIGNATURE,
-        VERIFYING_KEY_SELF_SIGNATURE,
-        VERIFYING_UNSPECIFIED_SIGNATURE,
-        NR__KEY_BEING_USED_FOR
-};
-extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
-/*
 * Cryptographic data for the public-key subtype of the asymmetric key type.
 *
 * Note that this may include private part of the key as well as the public
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
index 70a8775bb444..d1e23dda4363 100644
--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -15,6 +15,7 @@
 #define _KEYS_ASYMMETRIC_TYPE_H
 #include <linux/key-type.h>
+#include <linux/verification.h>
 extern struct key_type key_type_asymmetric;
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 39fd38cfa8c9..b2d645ac35a0 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -15,6 +15,7 @@
 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
 #include <linux/key.h>
+#include <linux/verification.h>
 #include <crypto/public_key.h>
 extern struct key *system_trusted_keyring;
@@ -29,12 +30,6 @@ static inline struct key *get_system_trusted_keyring(void)
 }
 #endif
-#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
-extern int system_verify_data(const void *data, unsigned long len,
-                              const void *raw_pkcs7, size_t pkcs7_len,
-                              enum key_being_used_for usage);
-#endif
 #ifdef CONFIG_IMA_MOK_KEYRING
 extern struct key *ima_mok_keyring;
 extern struct key *ima_blacklist_keyring;
diff --git a/include/linux/verification.h b/include/linux/verification.h
new file mode 100644
index 000000000000..bb0fcf941cb7
--- /dev/null
+++ b/include/linux/verification.h
@@ -0,0 +1,50 @@
+/* Signature verification
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#ifndef _LINUX_VERIFICATION_H
+#define _LINUX_VERIFICATION_H
+/*
+ * The use to which an asymmetric key is being put.
+ */
+enum key_being_used_for {
+        VERIFYING_MODULE_SIGNATURE,
+        VERIFYING_FIRMWARE_SIGNATURE,
+        VERIFYING_KEXEC_PE_SIGNATURE,
+        VERIFYING_KEY_SIGNATURE,
+        VERIFYING_KEY_SELF_SIGNATURE,
+        VERIFYING_UNSPECIFIED_SIGNATURE,
+        NR__KEY_BEING_USED_FOR
+};
+extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
+#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
+struct key;
+extern int verify_pkcs7_signature(const void *data, size_t len,
+                                  const void *raw_pkcs7, size_t pkcs7_len,
+                                  struct key *trusted_keys,
+                                  int untrusted_error,
+                                  enum key_being_used_for usage,
+                                  int (*view_content)(void *ctx,
+                                                      const void *data, size_t len,
+                                                      size_t asn1hdrlen),
+                                  void *ctx);
+#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
+extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
+                                   struct key *trusted_keys,
+                                   enum key_being_used_for usage);
+#endif
+#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
+#endif /* _LINUX_VERIFY_PEFILE_H */
diff --git a/include/linux/verify_pefile.h b/include/linux/verify_pefile.h
deleted file mode 100644
index da2049b5161c..000000000000
--- a/include/linux/verify_pefile.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Signed PE file verification
- *
- * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
- * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
- */
-#ifndef _LINUX_VERIFY_PEFILE_H
-#define _LINUX_VERIFY_PEFILE_H
-#include <crypto/public_key.h>
-extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
-                                   struct key *trusted_keyring,
-                                   enum key_being_used_for usage,
-                                   bool *_trusted);
-#endif /* _LINUX_VERIFY_PEFILE_H */
author	David Howells <dhowells@redhat.com>	2016-04-06 11:14:24 -0400
committer	David Howells <dhowells@redhat.com>	2016-04-06 11:14:24 -0400
commit	e68503bd6836ba765dc8e0ee77ea675fedc07e41 (patch)
tree	31ebec81d2f52adc89796dd063468235bfd1cc0e /include
parent	ad3043fda39db0361d9601685356db4512e914be (diff)