
Commit b1aaab22 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar

ima: pass full xattr with the signature



To make it possible to use the xattr type for new signature formats,
pass the full xattr to the signature verification function.

Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent d3634d0f
+3 −2
@@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
		}
	}

	switch (sig[0]) {
	switch (sig[1]) {
	case 1:
		return digsig_verify(keyring[id], sig, siglen,
		/* v1 API expect signature without xattr type */
		return digsig_verify(keyring[id], sig + 1, siglen - 1,
				     digest, digestlen);
	case 2:
		return asymmetric_verify(keyring[id], sig, siglen,
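Review bot: `switch (sig[1])` reads the second byte of the xattr, but nothing in the hunk checks that siglen is at least 2 first; the opening lines of integrity_digsig_verify are outside the hunk, so if they do not already reject short values, a one-byte xattr (type only) would read past the buffer, and the v1 arm would then hand `siglen - 1 == 0` to digsig_verify. Suggest `if (siglen < 2) return -EINVAL;` ahead of the switch. The parameter contract has also changed — sig/siglen now cover the whole xattr value, type byte included — and the function's prototype comment should say so. Nit on the new comment: `/* v1 API expects the signature without the leading xattr type byte */`.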
+2 −2
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
		goto out;
	}

	xattr_len = rc - 1;
	xattr_len = rc;

	/* check value type */
	switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
		if (rc)
			break;
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
					xattr_data->digest, xattr_len,
					(const char *)xattr_data, xattr_len,
					calc.digest, sizeof(calc.digest));
		if (!rc) {
			/* we probably want to replace rsa with hmac here */
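Review bot: `xattr_len = rc;` changes the meaning of xattr_len from digest-only length to full xattr length (type byte included), but the only use updated in this section is the integrity_digsig_verify call in the second hunk; the lines between the two hunks and the rest of evm_verify_hmac are not shown, so any other use of xattr_len there that was written against the old value would now be off by one and is worth checking before merging. A short comment at the assignment would stop the next reader from re-subtracting: `xattr_len = rc;	/* whole xattr value, including the leading type byte */`.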
+1 −1
@@ -205,7 +205,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
	case EVM_IMA_XATTR_DIGSIG:
		iint->flags |= IMA_DIGSIG;
		rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
					     xattr_value->digest, rc - 1,
					     (const char *)xattr_value, rc,
					     iint->ima_hash.digest,
					     iint->ima_hash.length);
		if (rc == -EOPNOTSUPP) {
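Review bot: `rc` passed as the length is now the full xattr length, so the v1 path inside integrity_digsig_verify computes `siglen - 1`; a one-byte xattr (type only) yields a zero-length signature, which either this caller or the callee should reject explicitly rather than leaving it to digsig_verify. On style, the `(const char *)xattr_value` cast is needed here and at the matching call in evm_verify_hmac only because integrity_digsig_verify takes `const char *sig` while both callers hold a `struct evm_ima_xattr_data *`; declaring that parameter `const void *sig` would let both calls pass the pointer directly and would document that the argument is a raw xattr blob, not a string. ima_appraise_measurement continues outside the hunk.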
+1 −0
@@ -74,6 +74,7 @@ struct ima_digest_data {
 * signature format v2 - for using with asymmetric keys
 */
struct signature_v2_hdr {
	uint8_t type;		/* xattr type */
	uint8_t version;	/* signature format version */
	uint8_t	hash_algo;	/* Digest algorithm [enum pkey_hash_algo] */
	uint32_t keyid;		/* IMA key identifier - not X509/PGP specific */
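Review bot: adding `type` as the first field makes signature_v2_hdr map onto the xattr value from its very first byte, which ties its layout to `switch (sig[1])` in integrity_digsig_verify (version is now the byte after type); the comment should record that coupling, e.g. `uint8_t type;		/* xattr type; first byte of the xattr value, precedes version */`. The end of the struct is outside the hunk; if it is not declared __packed, inserting a byte changes the padding before keyid and with it the on-disk layout, which is worth confirming. asymmetric_verify, which presumably parses this header from the start of the xattr now that it receives the full value, should check siglen against sizeof(struct signature_v2_hdr) before reading any field.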