Re: [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto layer
From: Mimi Zohar
Date: Wed Feb 24 2016 - 00:04:26 EST
On Fri, 2016-02-19 at 17:18 +0000, David Howells wrote:
> /*
> * Verify a signature using a public key.
> */
> int public_key_verify_signature(const struct public_key *pkey,
> const struct public_key_signature *sig)
> {
> + struct public_key_completion compl;
> + struct crypto_akcipher *tfm;
> + struct akcipher_request *req;
> + struct scatterlist sig_sg, digest_sg;
> + int ret = -ENOMEM;
> +
> + pr_devel("==>%s()\n", __func__);
> +
> BUG_ON(!pkey);
> BUG_ON(!sig);
> BUG_ON(!sig->digest);
> BUG_ON(!sig->s);
>
> - if (pkey->pkey_algo >= PKEY_ALGO__LAST)
> - return -ENOPKG;
> + tfm = crypto_alloc_akcipher(pkey_algo_name[sig->pkey_algo], 0, 0);
> + if (IS_ERR(tfm))
> + return PTR_ERR(tfm);
IMA fails here. The security.ima xattr header includes the hash
algorithm as defined in
include/uapi/linux/hash_info.h.
struct signature_v2_hdr {
uint8_t type; /* xattr type */
uint8_t version; /* signature format version */
uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
uint16_t sig_size; /* signature size */
uint8_t sig[0]; /* signature payload */
} __packed;
Mimi