Commit 4e8ae72a authored by David Howells's avatar David Howells

X.509: Make algo identifiers text instead of enum

Make the identifier public key and digest algorithm fields text instead of
enum.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent d43de6c7
...@@ -86,25 +86,25 @@ int mscode_note_digest_algo(void *context, size_t hdrlen, ...@@ -86,25 +86,25 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
oid = look_up_OID(value, vlen); oid = look_up_OID(value, vlen);
switch (oid) { switch (oid) {
case OID_md4: case OID_md4:
ctx->digest_algo = HASH_ALGO_MD4; ctx->digest_algo = "md4";
break; break;
case OID_md5: case OID_md5:
ctx->digest_algo = HASH_ALGO_MD5; ctx->digest_algo = "md5";
break; break;
case OID_sha1: case OID_sha1:
ctx->digest_algo = HASH_ALGO_SHA1; ctx->digest_algo = "sha1";
break; break;
case OID_sha256: case OID_sha256:
ctx->digest_algo = HASH_ALGO_SHA256; ctx->digest_algo = "sha256";
break; break;
case OID_sha384: case OID_sha384:
ctx->digest_algo = HASH_ALGO_SHA384; ctx->digest_algo = "sha384";
break; break;
case OID_sha512: case OID_sha512:
ctx->digest_algo = HASH_ALGO_SHA512; ctx->digest_algo = "sha512";
break; break;
case OID_sha224: case OID_sha224:
ctx->digest_algo = HASH_ALGO_SHA224; ctx->digest_algo = "sha224";
break; break;
case OID__NR: case OID__NR:
......
...@@ -218,25 +218,25 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen, ...@@ -218,25 +218,25 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
switch (ctx->last_oid) { switch (ctx->last_oid) {
case OID_md4: case OID_md4:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD4; ctx->sinfo->sig.hash_algo = "md4";
break; break;
case OID_md5: case OID_md5:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD5; ctx->sinfo->sig.hash_algo = "md5";
break; break;
case OID_sha1: case OID_sha1:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA1; ctx->sinfo->sig.hash_algo = "sha1";
break; break;
case OID_sha256: case OID_sha256:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA256; ctx->sinfo->sig.hash_algo = "sha256";
break; break;
case OID_sha384: case OID_sha384:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA384; ctx->sinfo->sig.hash_algo = "sha384";
break; break;
case OID_sha512: case OID_sha512:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA512; ctx->sinfo->sig.hash_algo = "sha512";
break; break;
case OID_sha224: case OID_sha224:
ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA224; ctx->sinfo->sig.hash_algo = "sha224";
default: default:
printk("Unsupported digest algo: %u\n", ctx->last_oid); printk("Unsupported digest algo: %u\n", ctx->last_oid);
return -ENOPKG; return -ENOPKG;
...@@ -255,7 +255,7 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, ...@@ -255,7 +255,7 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
switch (ctx->last_oid) { switch (ctx->last_oid) {
case OID_rsaEncryption: case OID_rsaEncryption:
ctx->sinfo->sig.pkey_algo = PKEY_ALGO_RSA; ctx->sinfo->sig.pkey_algo = "rsa";
break; break;
default: default:
printk("Unsupported pkey algo: %u\n", ctx->last_oid); printk("Unsupported pkey algo: %u\n", ctx->last_oid);
...@@ -615,8 +615,6 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen, ...@@ -615,8 +615,6 @@ int pkcs7_sig_note_signature(void *context, size_t hdrlen,
{ {
struct pkcs7_parse_context *ctx = context; struct pkcs7_parse_context *ctx = context;
BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL); ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL);
if (!ctx->sinfo->sig.s) if (!ctx->sinfo->sig.s)
return -ENOMEM; return -ENOMEM;
......
...@@ -31,17 +31,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, ...@@ -31,17 +31,15 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
void *digest; void *digest;
int ret; int ret;
kenter(",%u,%u", sinfo->index, sinfo->sig.pkey_hash_algo); kenter(",%u,%s", sinfo->index, sinfo->sig.hash_algo);
if (sinfo->sig.pkey_hash_algo >= PKEY_HASH__LAST || if (!sinfo->sig.hash_algo)
!hash_algo_name[sinfo->sig.pkey_hash_algo])
return -ENOPKG; return -ENOPKG;
/* Allocate the hashing algorithm we're going to need and find out how /* Allocate the hashing algorithm we're going to need and find out how
* big the hash operational data will be. * big the hash operational data will be.
*/ */
tfm = crypto_alloc_shash(hash_algo_name[sinfo->sig.pkey_hash_algo], tfm = crypto_alloc_shash(sinfo->sig.hash_algo, 0, 0);
0, 0);
if (IS_ERR(tfm)) if (IS_ERR(tfm))
return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
......
...@@ -24,19 +24,6 @@ ...@@ -24,19 +24,6 @@
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
const char *const pkey_algo_name[PKEY_ALGO__LAST] = {
[PKEY_ALGO_DSA] = "dsa",
[PKEY_ALGO_RSA] = "rsa",
};
EXPORT_SYMBOL_GPL(pkey_algo_name);
const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST] = {
[PKEY_ID_PGP] = "PGP",
[PKEY_ID_X509] = "X509",
[PKEY_ID_PKCS7] = "PKCS#7",
};
EXPORT_SYMBOL_GPL(pkey_id_type_name);
/* /*
* Provide a part of a description of the key for /proc/keys. * Provide a part of a description of the key for /proc/keys.
*/ */
...@@ -46,9 +33,7 @@ static void public_key_describe(const struct key *asymmetric_key, ...@@ -46,9 +33,7 @@ static void public_key_describe(const struct key *asymmetric_key,
struct public_key *key = asymmetric_key->payload.data[asym_crypto]; struct public_key *key = asymmetric_key->payload.data[asym_crypto];
if (key) if (key)
seq_printf(m, "%s.%s", seq_printf(m, "%s.%s", key->id_type, key->pkey_algo);
pkey_id_type_name[key->id_type],
pkey_algo_name[key->pkey_algo]);
} }
/* /*
...@@ -103,15 +88,14 @@ int public_key_verify_signature(const struct public_key *pkey, ...@@ -103,15 +88,14 @@ int public_key_verify_signature(const struct public_key *pkey,
BUG_ON(!sig->digest); BUG_ON(!sig->digest);
BUG_ON(!sig->s); BUG_ON(!sig->s);
alg_name = pkey_algo_name[sig->pkey_algo]; alg_name = sig->pkey_algo;
if (sig->pkey_algo == PKEY_ALGO_RSA) { if (strcmp(sig->pkey_algo, "rsa") == 0) {
/* The data wangled by the RSA algorithm is typically padded /* The data wangled by the RSA algorithm is typically padded
* and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447 * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447
* sec 8.2]. * sec 8.2].
*/ */
if (snprintf(alg_name_buf, CRYPTO_MAX_ALG_NAME, if (snprintf(alg_name_buf, CRYPTO_MAX_ALG_NAME,
"pkcs1pad(rsa,%s)", "pkcs1pad(rsa,%s)", sig->hash_algo
hash_algo_name[sig->pkey_hash_algo]
) >= CRYPTO_MAX_ALG_NAME) ) >= CRYPTO_MAX_ALG_NAME)
return -EINVAL; return -EINVAL;
alg_name = alg_name_buf; alg_name = alg_name_buf;
......
...@@ -328,12 +328,12 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, ...@@ -328,12 +328,12 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
void *digest; void *digest;
int ret; int ret;
kenter(",%u", ctx->digest_algo); kenter(",%s", ctx->digest_algo);
/* Allocate the hashing algorithm we're going to need and find out how /* Allocate the hashing algorithm we're going to need and find out how
* big the hash operational data will be. * big the hash operational data will be.
*/ */
tfm = crypto_alloc_shash(hash_algo_name[ctx->digest_algo], 0, 0); tfm = crypto_alloc_shash(ctx->digest_algo, 0, 0);
if (IS_ERR(tfm)) if (IS_ERR(tfm))
return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
......
...@@ -28,7 +28,7 @@ struct pefile_context { ...@@ -28,7 +28,7 @@ struct pefile_context {
/* PKCS#7 MS Individual Code Signing content */ /* PKCS#7 MS Individual Code Signing content */
const void *digest; /* Digest */ const void *digest; /* Digest */
unsigned digest_len; /* Digest length */ unsigned digest_len; /* Digest length */
enum hash_algo digest_algo; /* Digest algorithm */ const char *digest_algo; /* Digest algorithm */
}; };
#define kenter(FMT, ...) \ #define kenter(FMT, ...) \
......
...@@ -188,33 +188,33 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, ...@@ -188,33 +188,33 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
return -ENOPKG; /* Unsupported combination */ return -ENOPKG; /* Unsupported combination */
case OID_md4WithRSAEncryption: case OID_md4WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_MD5; ctx->cert->sig.hash_algo = "md4";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
case OID_sha1WithRSAEncryption: case OID_sha1WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA1; ctx->cert->sig.hash_algo = "sha1";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
case OID_sha256WithRSAEncryption: case OID_sha256WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA256; ctx->cert->sig.hash_algo = "sha256";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
case OID_sha384WithRSAEncryption: case OID_sha384WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA384; ctx->cert->sig.hash_algo = "sha384";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
case OID_sha512WithRSAEncryption: case OID_sha512WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA512; ctx->cert->sig.hash_algo = "sha512";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
case OID_sha224WithRSAEncryption: case OID_sha224WithRSAEncryption:
ctx->cert->sig.pkey_hash_algo = HASH_ALGO_SHA224; ctx->cert->sig.hash_algo = "sha224";
ctx->cert->sig.pkey_algo = PKEY_ALGO_RSA; ctx->cert->sig.pkey_algo = "rsa";
break; break;
} }
...@@ -396,7 +396,7 @@ int x509_extract_key_data(void *context, size_t hdrlen, ...@@ -396,7 +396,7 @@ int x509_extract_key_data(void *context, size_t hdrlen,
if (ctx->last_oid != OID_rsaEncryption) if (ctx->last_oid != OID_rsaEncryption)
return -ENOPKG; return -ENOPKG;
ctx->cert->pub->pkey_algo = PKEY_ALGO_RSA; ctx->cert->pub->pkey_algo = "rsa";
/* Discard the BIT STRING metadata */ /* Discard the BIT STRING metadata */
ctx->key = value + 1; ctx->key = value + 1;
......
...@@ -176,7 +176,7 @@ int x509_get_sig_params(struct x509_certificate *cert) ...@@ -176,7 +176,7 @@ int x509_get_sig_params(struct x509_certificate *cert)
/* Allocate the hashing algorithm we're going to need and find out how /* Allocate the hashing algorithm we're going to need and find out how
* big the hash operational data will be. * big the hash operational data will be.
*/ */
tfm = crypto_alloc_shash(hash_algo_name[cert->sig.pkey_hash_algo], 0, 0); tfm = crypto_alloc_shash(cert->sig.hash_algo, 0, 0);
if (IS_ERR(tfm)) { if (IS_ERR(tfm)) {
if (PTR_ERR(tfm) == -ENOENT) { if (PTR_ERR(tfm) == -ENOENT) {
cert->unsupported_crypto = true; cert->unsupported_crypto = true;
...@@ -291,21 +291,20 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -291,21 +291,20 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
pr_devel("Cert Issuer: %s\n", cert->issuer); pr_devel("Cert Issuer: %s\n", cert->issuer);
pr_devel("Cert Subject: %s\n", cert->subject); pr_devel("Cert Subject: %s\n", cert->subject);
if (cert->pub->pkey_algo >= PKEY_ALGO__LAST || if (!cert->pub->pkey_algo ||
cert->sig.pkey_algo >= PKEY_ALGO__LAST || !cert->sig.pkey_algo ||
cert->sig.pkey_hash_algo >= PKEY_HASH__LAST || !cert->sig.hash_algo) {
!hash_algo_name[cert->sig.pkey_hash_algo]) {
ret = -ENOPKG; ret = -ENOPKG;
goto error_free_cert; goto error_free_cert;
} }
pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pub->pkey_algo]); pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo);
pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to); pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to);
pr_devel("Cert Signature: %s + %s\n", pr_devel("Cert Signature: %s + %s\n",
pkey_algo_name[cert->sig.pkey_algo], cert->sig.pkey_algo,
hash_algo_name[cert->sig.pkey_hash_algo]); cert->sig.hash_algo);
cert->pub->id_type = PKEY_ID_X509; cert->pub->id_type = "X509";
/* Check the signature on the key if it appears to be self-signed */ /* Check the signature on the key if it appears to be self-signed */
if ((!cert->akid_skid && !cert->akid_id) || if ((!cert->akid_skid && !cert->akid_id) ||
......
...@@ -14,28 +14,6 @@ ...@@ -14,28 +14,6 @@
#ifndef _LINUX_PUBLIC_KEY_H #ifndef _LINUX_PUBLIC_KEY_H
#define _LINUX_PUBLIC_KEY_H #define _LINUX_PUBLIC_KEY_H
#include <crypto/hash_info.h>
enum pkey_algo {
PKEY_ALGO_DSA,
PKEY_ALGO_RSA,
PKEY_ALGO__LAST
};
extern const char *const pkey_algo_name[PKEY_ALGO__LAST];
/* asymmetric key implementation supports only up to SHA224 */
#define PKEY_HASH__LAST (HASH_ALGO_SHA224 + 1)
enum pkey_id_type {
PKEY_ID_PGP, /* OpenPGP generated key ID */
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
PKEY_ID_TYPE__LAST
};
extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
/* /*
* The use to which an asymmetric key is being put. * The use to which an asymmetric key is being put.
*/ */
...@@ -59,8 +37,8 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR]; ...@@ -59,8 +37,8 @@ extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
struct public_key { struct public_key {
void *key; void *key;
u32 keylen; u32 keylen;
enum pkey_algo pkey_algo : 8; const char *id_type;
enum pkey_id_type id_type : 8; const char *pkey_algo;
}; };
extern void public_key_destroy(void *payload); extern void public_key_destroy(void *payload);
...@@ -73,8 +51,8 @@ struct public_key_signature { ...@@ -73,8 +51,8 @@ struct public_key_signature {
u32 s_size; /* Number of bytes in signature */ u32 s_size; /* Number of bytes in signature */
u8 *digest; u8 *digest;
u8 digest_size; /* Number of bytes in digest */ u8 digest_size; /* Number of bytes in digest */
enum pkey_algo pkey_algo : 8; const char *pkey_algo;
enum hash_algo pkey_hash_algo : 8; const char *hash_algo;
}; };
extern struct asymmetric_key_subtype public_key_subtype; extern struct asymmetric_key_subtype public_key_subtype;
......
...@@ -16,6 +16,12 @@ ...@@ -16,6 +16,12 @@
#include <crypto/public_key.h> #include <crypto/public_key.h>
#include "module-internal.h" #include "module-internal.h"
enum pkey_id_type {
PKEY_ID_PGP, /* OpenPGP generated key ID */
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
PKEY_ID_PKCS7, /* Signature in PKCS#7 message */
};
/* /*
* Module signature information block. * Module signature information block.
* *
......
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
#include <linux/ratelimit.h> #include <linux/ratelimit.h>
#include <linux/key-type.h> #include <linux/key-type.h>
#include <crypto/public_key.h> #include <crypto/public_key.h>
#include <crypto/hash_info.h>
#include <keys/asymmetric-type.h> #include <keys/asymmetric-type.h>
#include <keys/system_keyring.h> #include <keys/system_keyring.h>
...@@ -94,7 +95,7 @@ int asymmetric_verify(struct key *keyring, const char *sig, ...@@ -94,7 +95,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
if (siglen != __be16_to_cpu(hdr->sig_size)) if (siglen != __be16_to_cpu(hdr->sig_size))
return -EBADMSG; return -EBADMSG;
if (hdr->hash_algo >= PKEY_HASH__LAST) if (hdr->hash_algo >= HASH_ALGO__LAST)
return -ENOPKG; return -ENOPKG;
key = request_asymmetric_key(keyring, __be32_to_cpu(hdr->keyid)); key = request_asymmetric_key(keyring, __be32_to_cpu(hdr->keyid));
...@@ -103,8 +104,8 @@ int asymmetric_verify(struct key *keyring, const char *sig, ...@@ -103,8 +104,8 @@ int asymmetric_verify(struct key *keyring, const char *sig,
memset(&pks, 0, sizeof(pks)); memset(&pks, 0, sizeof(pks));
pks.pkey_algo = PKEY_ALGO_RSA; pks.pkey_algo = "rsa";
pks.pkey_hash_algo = hdr->hash_algo; pks.hash_algo = hash_algo_name[hdr->hash_algo];
pks.digest = (u8 *)data; pks.digest = (u8 *)data;
pks.digest_size = datalen; pks.digest_size = datalen;
pks.s = hdr->sig; pks.s = hdr->sig;
......
...@@ -94,7 +94,7 @@ struct ima_digest_data { ...@@ -94,7 +94,7 @@ struct ima_digest_data {
struct signature_v2_hdr { struct signature_v2_hdr {
uint8_t type; /* xattr type */ uint8_t type; /* xattr type */
uint8_t version; /* signature format version */ uint8_t version; /* signature format version */
uint8_t hash_algo; /* Digest algorithm [enum pkey_hash_algo] */ uint8_t hash_algo; /* Digest algorithm [enum hash_algo] */
uint32_t keyid; /* IMA key identifier - not X509/PGP specific */ uint32_t keyid; /* IMA key identifier - not X509/PGP specific */
uint16_t sig_size; /* signature size */ uint16_t sig_size; /* signature size */
uint8_t sig[0]; /* signature payload */ uint8_t sig[0]; /* signature payload */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment