summaryrefslogtreecommitdiff
path: root/security/integrity/evm/evm_main.c
diff options
context:
space:
mode:
authorMatthew Garrett <mjg59@google.com>2018-06-09 00:57:43 +0300
committerMimi Zohar <zohar@linux.vnet.ibm.com>2018-07-18 14:27:22 +0300
commit5feeb61183dde9d4f4026fd0d5801388c21d61a2 (patch)
tree6998490db3d17d7dffbfcc4d69d521c44f0fe8ac /security/integrity/evm/evm_main.c
parente2861fa71641c6414831d628a1f4f793b6562580 (diff)
downloadlinux-5feeb61183dde9d4f4026fd0d5801388c21d61a2.tar.xz
evm: Allow non-SHA1 digital signatures
SHA1 is reasonable in HMAC constructs, but it's desirable to be able to use stronger hashes in digital signatures. Modify the EVM crypto code so the hash type is imported from the digital signature and passed down to the hash calculation code, and return the digest size to higher layers for validation. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'security/integrity/evm/evm_main.c')
-rw-r--r--security/integrity/evm/evm_main.c19
1 files changed, 12 insertions, 7 deletions
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index f9eff5041e4c..7f3f54d89a6e 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -25,6 +25,7 @@
#include <linux/magic.h>
#include <crypto/hash.h>
+#include <crypto/hash_info.h>
#include <crypto/algapi.h>
#include "evm.h"
@@ -134,8 +135,9 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
struct integrity_iint_cache *iint)
{
struct evm_ima_xattr_data *xattr_data = NULL;
- struct evm_ima_xattr_data calc;
+ struct signature_v2_hdr *hdr;
enum integrity_status evm_status = INTEGRITY_PASS;
+ struct evm_digest digest;
struct inode *inode;
int rc, xattr_len;
@@ -171,25 +173,28 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
evm_status = INTEGRITY_FAIL;
goto out;
}
+
+ digest.hdr.algo = HASH_ALGO_SHA1;
rc = evm_calc_hmac(dentry, xattr_name, xattr_value,
- xattr_value_len, calc.digest);
+ xattr_value_len, &digest);
if (rc)
break;
- rc = crypto_memneq(xattr_data->digest, calc.digest,
- sizeof(calc.digest));
+ rc = crypto_memneq(xattr_data->digest, digest.digest,
+ SHA1_DIGEST_SIZE);
if (rc)
rc = -EINVAL;
break;
case EVM_IMA_XATTR_DIGSIG:
case EVM_XATTR_PORTABLE_DIGSIG:
+ hdr = (struct signature_v2_hdr *)xattr_data;
+ digest.hdr.algo = hdr->hash_algo;
rc = evm_calc_hash(dentry, xattr_name, xattr_value,
- xattr_value_len, xattr_data->type,
- calc.digest);
+ xattr_value_len, xattr_data->type, &digest);
if (rc)
break;
rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
(const char *)xattr_data, xattr_len,
- calc.digest, sizeof(calc.digest));
+ digest.digest, digest.hdr.length);
if (!rc) {
inode = d_backing_inode(dentry);