diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2013-02-21 11:18:12 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-02-21 11:18:12 -0500 |
commit | 33673dcb372b5d8179c22127ca71deb5f3dc7016 (patch) | |
tree | d182e9dc6aa127375a92b5eb619d6cd2ddc23ce7 /lib | |
parent | fe9453a1dcb5fb146f9653267e78f4a558066f6f (diff) | |
parent | 5b2660326039a32b28766cb4c1a8b1bdcfadc375 (diff) |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"This is basically a maintenance update for the TPM driver and EVM/IMA"
Fix up conflicts in lib/digsig.c and security/integrity/ima/ima_main.c
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (45 commits)
tpm/ibmvtpm: build only when IBM pseries is configured
ima: digital signature verification using asymmetric keys
ima: rename hash calculation functions
ima: use new crypto_shash API instead of old crypto_hash
ima: add policy support for file system uuid
evm: add file system uuid to EVM hmac
tpm_tis: check pnp_acpi_device return code
char/tpm/tpm_i2c_stm_st33: drop temporary variable for return value
char/tpm/tpm_i2c_stm_st33: remove dead assignment in tpm_st33_i2c_probe
char/tpm/tpm_i2c_stm_st33: Remove __devexit attribute
char/tpm/tpm_i2c_stm_st33: Don't use memcpy for one byte assignment
tpm_i2c_stm_st33: removed unused variables/code
TPM: Wait for TPM_ACCESS tpmRegValidSts to go high at startup
tpm: Fix cancellation of TPM commands (interrupt mode)
tpm: Fix cancellation of TPM commands (polling mode)
tpm: Store TPM vendor ID
TPM: Work around buggy TPMs that block during continue self test
tpm_i2c_stm_st33: fix oops when i2c client is unavailable
char/tpm: Use struct dev_pm_ops for power management
TPM: STMicroelectronics ST33 I2C BUILD STUFF
...
Diffstat (limited to 'lib')
-rw-r--r-- | lib/digsig.c | 41 | ||||
-rw-r--r-- | lib/mpi/mpi-internal.h | 4 | ||||
-rw-r--r-- | lib/mpi/mpicoder.c | 8 |
3 files changed, 18 insertions, 35 deletions
diff --git a/lib/digsig.c b/lib/digsig.c index dc2be7ed1765..2f31e6a45f0a 100644 --- a/lib/digsig.c +++ b/lib/digsig.c | |||
@@ -30,11 +30,10 @@ | |||
30 | 30 | ||
31 | static struct crypto_shash *shash; | 31 | static struct crypto_shash *shash; |
32 | 32 | ||
33 | static int pkcs_1_v1_5_decode_emsa(const unsigned char *msg, | 33 | static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg, |
34 | unsigned long msglen, | 34 | unsigned long msglen, |
35 | unsigned long modulus_bitlen, | 35 | unsigned long modulus_bitlen, |
36 | unsigned char *out, | 36 | unsigned long *outlen) |
37 | unsigned long *outlen) | ||
38 | { | 37 | { |
39 | unsigned long modulus_len, ps_len, i; | 38 | unsigned long modulus_len, ps_len, i; |
40 | 39 | ||
@@ -42,11 +41,11 @@ static int pkcs_1_v1_5_decode_emsa(const unsigned char *msg, | |||
42 | 41 | ||
43 | /* test message size */ | 42 | /* test message size */ |
44 | if ((msglen > modulus_len) || (modulus_len < 11)) | 43 | if ((msglen > modulus_len) || (modulus_len < 11)) |
45 | return -EINVAL; | 44 | return NULL; |
46 | 45 | ||
47 | /* separate encoded message */ | 46 | /* separate encoded message */ |
48 | if ((msg[0] != 0x00) || (msg[1] != (unsigned char)1)) | 47 | if (msg[0] != 0x00 || msg[1] != 0x01) |
49 | return -EINVAL; | 48 | return NULL; |
50 | 49 | ||
51 | for (i = 2; i < modulus_len - 1; i++) | 50 | for (i = 2; i < modulus_len - 1; i++) |
52 | if (msg[i] != 0xFF) | 51 | if (msg[i] != 0xFF) |
@@ -56,19 +55,13 @@ static int pkcs_1_v1_5_decode_emsa(const unsigned char *msg, | |||
56 | if (msg[i] != 0) | 55 | if (msg[i] != 0) |
57 | /* There was no octet with hexadecimal value 0x00 | 56 | /* There was no octet with hexadecimal value 0x00 |
58 | to separate ps from m. */ | 57 | to separate ps from m. */ |
59 | return -EINVAL; | 58 | return NULL; |
60 | 59 | ||
61 | ps_len = i - 2; | 60 | ps_len = i - 2; |
62 | 61 | ||
63 | if (*outlen < (msglen - (2 + ps_len + 1))) { | ||
64 | *outlen = msglen - (2 + ps_len + 1); | ||
65 | return -EOVERFLOW; | ||
66 | } | ||
67 | |||
68 | *outlen = (msglen - (2 + ps_len + 1)); | 62 | *outlen = (msglen - (2 + ps_len + 1)); |
69 | memcpy(out, &msg[2 + ps_len + 1], *outlen); | ||
70 | 63 | ||
71 | return 0; | 64 | return msg + 2 + ps_len + 1; |
72 | } | 65 | } |
73 | 66 | ||
74 | /* | 67 | /* |
@@ -83,7 +76,8 @@ static int digsig_verify_rsa(struct key *key, | |||
83 | unsigned long mlen, mblen; | 76 | unsigned long mlen, mblen; |
84 | unsigned nret, l; | 77 | unsigned nret, l; |
85 | int head, i; | 78 | int head, i; |
86 | unsigned char *out1 = NULL, *out2 = NULL; | 79 | unsigned char *out1 = NULL; |
80 | const char *m; | ||
87 | MPI in = NULL, res = NULL, pkey[2]; | 81 | MPI in = NULL, res = NULL, pkey[2]; |
88 | uint8_t *p, *datap, *endp; | 82 | uint8_t *p, *datap, *endp; |
89 | struct user_key_payload *ukp; | 83 | struct user_key_payload *ukp; |
@@ -120,7 +114,7 @@ static int digsig_verify_rsa(struct key *key, | |||
120 | } | 114 | } |
121 | 115 | ||
122 | mblen = mpi_get_nbits(pkey[0]); | 116 | mblen = mpi_get_nbits(pkey[0]); |
123 | mlen = (mblen + 7)/8; | 117 | mlen = DIV_ROUND_UP(mblen, 8); |
124 | 118 | ||
125 | if (mlen == 0) | 119 | if (mlen == 0) |
126 | goto err; | 120 | goto err; |
@@ -129,10 +123,6 @@ static int digsig_verify_rsa(struct key *key, | |||
129 | if (!out1) | 123 | if (!out1) |
130 | goto err; | 124 | goto err; |
131 | 125 | ||
132 | out2 = kzalloc(mlen, GFP_KERNEL); | ||
133 | if (!out2) | ||
134 | goto err; | ||
135 | |||
136 | nret = siglen; | 126 | nret = siglen; |
137 | in = mpi_read_from_buffer(sig, &nret); | 127 | in = mpi_read_from_buffer(sig, &nret); |
138 | if (!in) | 128 | if (!in) |
@@ -164,18 +154,15 @@ static int digsig_verify_rsa(struct key *key, | |||
164 | 154 | ||
165 | kfree(p); | 155 | kfree(p); |
166 | 156 | ||
167 | err = pkcs_1_v1_5_decode_emsa(out1, len, mblen, out2, &len); | 157 | m = pkcs_1_v1_5_decode_emsa(out1, len, mblen, &len); |
168 | if (err) | ||
169 | goto err; | ||
170 | 158 | ||
171 | if (len != hlen || memcmp(out2, h, hlen)) | 159 | if (!m || len != hlen || memcmp(m, h, hlen)) |
172 | err = -EINVAL; | 160 | err = -EINVAL; |
173 | 161 | ||
174 | err: | 162 | err: |
175 | mpi_free(in); | 163 | mpi_free(in); |
176 | mpi_free(res); | 164 | mpi_free(res); |
177 | kfree(out1); | 165 | kfree(out1); |
178 | kfree(out2); | ||
179 | while (--i >= 0) | 166 | while (--i >= 0) |
180 | mpi_free(pkey[i]); | 167 | mpi_free(pkey[i]); |
181 | err1: | 168 | err1: |
diff --git a/lib/mpi/mpi-internal.h b/lib/mpi/mpi-internal.h index 77adcf6bc257..60cf765628e9 100644 --- a/lib/mpi/mpi-internal.h +++ b/lib/mpi/mpi-internal.h | |||
@@ -65,10 +65,6 @@ | |||
65 | typedef mpi_limb_t *mpi_ptr_t; /* pointer to a limb */ | 65 | typedef mpi_limb_t *mpi_ptr_t; /* pointer to a limb */ |
66 | typedef int mpi_size_t; /* (must be a signed type) */ | 66 | typedef int mpi_size_t; /* (must be a signed type) */ |
67 | 67 | ||
68 | #define ABS(x) (x >= 0 ? x : -x) | ||
69 | #define MIN(l, o) ((l) < (o) ? (l) : (o)) | ||
70 | #define MAX(h, i) ((h) > (i) ? (h) : (i)) | ||
71 | |||
72 | static inline int RESIZE_IF_NEEDED(MPI a, unsigned b) | 68 | static inline int RESIZE_IF_NEEDED(MPI a, unsigned b) |
73 | { | 69 | { |
74 | if (a->alloced < b) | 70 | if (a->alloced < b) |
diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c index 3962b7f7fe3f..5f9c44cdf1f5 100644 --- a/lib/mpi/mpicoder.c +++ b/lib/mpi/mpicoder.c | |||
@@ -52,7 +52,7 @@ MPI mpi_read_raw_data(const void *xbuffer, size_t nbytes) | |||
52 | else | 52 | else |
53 | nbits = 0; | 53 | nbits = 0; |
54 | 54 | ||
55 | nlimbs = (nbytes + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB; | 55 | nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB); |
56 | val = mpi_alloc(nlimbs); | 56 | val = mpi_alloc(nlimbs); |
57 | if (!val) | 57 | if (!val) |
58 | return NULL; | 58 | return NULL; |
@@ -96,8 +96,8 @@ MPI mpi_read_from_buffer(const void *xbuffer, unsigned *ret_nread) | |||
96 | buffer += 2; | 96 | buffer += 2; |
97 | nread = 2; | 97 | nread = 2; |
98 | 98 | ||
99 | nbytes = (nbits + 7) / 8; | 99 | nbytes = DIV_ROUND_UP(nbits, 8); |
100 | nlimbs = (nbytes + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB; | 100 | nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB); |
101 | val = mpi_alloc(nlimbs); | 101 | val = mpi_alloc(nlimbs); |
102 | if (!val) | 102 | if (!val) |
103 | return NULL; | 103 | return NULL; |
@@ -193,7 +193,7 @@ int mpi_set_buffer(MPI a, const void *xbuffer, unsigned nbytes, int sign) | |||
193 | int nlimbs; | 193 | int nlimbs; |
194 | int i; | 194 | int i; |
195 | 195 | ||
196 | nlimbs = (nbytes + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB; | 196 | nlimbs = DIV_ROUND_UP(nbytes, BYTES_PER_MPI_LIMB); |
197 | if (RESIZE_IF_NEEDED(a, nlimbs) < 0) | 197 | if (RESIZE_IF_NEEDED(a, nlimbs) < 0) |
198 | return -ENOMEM; | 198 | return -ENOMEM; |
199 | a->sign = sign; | 199 | a->sign = sign; |