authorDmitry Kasatkin <d.kasatkin@samsung.com>2013-10-10 03:12:03 -0400
committerMimi Zohar <zohar@linux.vnet.ibm.com>2013-10-25 17:16:59 -0400
commitb1aaab22e263d0cca1effe319b7d2bf895444219 (patch)
treea46f2285bd884e784d967e4132f71cd2f09565da /security/integrity
parentd3634d0f426bdeb433cb288bdbb0a5e16cf3dbbf (diff)
ima: pass full xattr with the signature
To make it possible to use the xattr type for new signature formats, pass the full xattr to the signature verification function. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity')
-rw-r--r--security/integrity/digsig.c5
-rw-r--r--security/integrity/evm/evm_main.c4
-rw-r--r--security/integrity/ima/ima_appraise.c2
-rw-r--r--security/integrity/integrity.h1
4 files changed, 7 insertions, 5 deletions
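--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
  }
  }
 
- switch (sig[0]) {
+ switch (sig[1]) {
  case 1:
- return digsig_verify(keyring[id], sig, siglen,
+ /* v1 API expect signature without xattr type */
+ return digsig_verify(keyring[id], sig + 1, siglen - 1,
  digest, digestlen);
  case 2:
  return asymmetric_verify(keyring[id], sig, siglen,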
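Review bot: `switch (sig[1])` and the v1 call with `sig + 1, siglen - 1` both assume the buffer holds at least the type byte plus a version byte, but nothing visible in this hunk checks `siglen` first. The xattr content is read from the filesystem, so a one-byte xattr tagged as a signature would make `sig[1]` read past the end of the buffer and pass a zero length on to `digsig_verify`. A guard ahead of the switch, `if (siglen < 2) return -EINVAL;`, would cover both callers changed in this commit (evm_verify_hmac and ima_appraise_measurement, which now pass what appears to be the raw xattr length). The top of integrity_digsig_verify is outside the hunk, so confirm that no earlier length check already exists.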
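--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
  goto out;
  }
 
- xattr_len = rc - 1;
+ xattr_len = rc;
 
  /* check value type */
  switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
  if (rc)
  break;
  rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
- xattr_data->digest, xattr_len,
+ (const char *)xattr_data, xattr_len,
  calc.digest, sizeof(calc.digest));
  if (!rc) {
  /* we probably want to replace rsa with hmac here */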
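Review bot: `xattr_len = rc;` silently changes the variable from the payload length to the full xattr length including the type byte, and nothing at the assignment records that. Only the integrity_digsig_verify call is visible using it; lines 130-142 of evm_verify_hmac fall between the two hunks, so any other use of `xattr_len` there should be checked against the new meaning. A comment at the assignment, for example `/* full xattr length, including the leading type byte */`, would keep later length comparisons from being off by one.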
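--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -205,7 +205,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
  case EVM_IMA_XATTR_DIGSIG:
  iint->flags |= IMA_DIGSIG;
  rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
- xattr_value->digest, rc - 1,
+ (const char *)xattr_value, rc,
  iint->ima_hash.digest,
  iint->ima_hash.length);
  if (rc == -EOPNOTSUPP) {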
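--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -74,6 +74,7 @@ struct ima_digest_data {
  * signature format v2 - for using with asymmetric keys
  */
 struct signature_v2_hdr {
+ uint8_t type; /* xattr type */
  uint8_t version; /* signature format version */
  uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
  uint32_t keyid; /* IMA key identifier - not X509/PGP specific */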
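Review bot: The comment on the new `type` field does not name the enum it holds, unlike the `hash_algo` line two below it. Writing it as `uint8_t type; /* xattr type [enum evm_ima_xattr_type] */` would match that style. The block comment above the struct could also state that the header now overlays the raw xattr from its first byte, since that is what lets the callers pass the xattr buffer unmodified. The end of the struct is outside the hunk.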