From b1aaab22e263d0cca1effe319b7d2bf895444219 Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Thu, 10 Oct 2013 16:12:03 +0900 Subject: ima: pass full xattr with the signature For possibility to use xattr type for new signature formats, pass full xattr to the signature verification function. Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/digsig.c | 5 +++-- security/integrity/evm/evm_main.c | 4 ++-- security/integrity/ima/ima_appraise.c | 2 +- security/integrity/integrity.h | 1 + 4 files changed, 7 insertions(+), 5 deletions(-) (limited to 'security/integrity') diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 198e6090368..b4af4ebc5be 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, } } - switch (sig[0]) { + switch (sig[1]) { case 1: - return digsig_verify(keyring[id], sig, siglen, + /* v1 API expect signature without xattr type */ + return digsig_verify(keyring[id], sig + 1, siglen - 1, digest, digestlen); case 2: return asymmetric_verify(keyring[id], sig, siglen, diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index af9b6852f4e..336b3ddfe63 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, goto out; } - xattr_len = rc - 1; + xattr_len = rc; /* check value type */ switch (xattr_data->type) { @@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry, if (rc) break; rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM, - xattr_data->digest, xattr_len, + (const char *)xattr_data, xattr_len, calc.digest, sizeof(calc.digest)); if (!rc) { /* we probably want to replace rsa with hmac here */ diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c index 00708a3052c..e1865a6e80e 100644 --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -205,7 +205,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint, case EVM_IMA_XATTR_DIGSIG: iint->flags |= IMA_DIGSIG; rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA, - xattr_value->digest, rc - 1, + (const char *)xattr_value, rc, iint->ima_hash.digest, iint->ima_hash.length); if (rc == -EOPNOTSUPP) { diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index ea2318983d9..aead6b2b548 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -74,6 +74,7 @@ struct ima_digest_data { * signature format v2 - for using with asymmetric keys */ struct signature_v2_hdr { + uint8_t type; /* xattr type */ uint8_t version; /* signature format version */ uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */ uint32_t keyid; /* IMA key identifier - not X509/PGP specific */ -- cgit v1.2.3-70-g09d2