IMA will only look for a modsig if the xattr sig references a key which is
not in the expected kernel keyring. To that end, introduce
asymmetric_sig_has_known_key().

The logic of extracting the key used in the xattr sig is factored out from
asymmetric_verify() so that it can be used by the new function.

Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 security/integrity/digsig_asymmetric.c | 44 +++++++++++++++++++++++++---------
 security/integrity/integrity.h         |  8 +++++++
 2 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c 
b/security/integrity/digsig_asymmetric.c
index ab6a029062a1..241647970c19 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -79,26 +79,48 @@ static struct key *request_asymmetric_key(struct key 
*keyring, uint32_t keyid)
        return key;
 }
 
-int asymmetric_verify(struct key *keyring, const char *sig,
-                     int siglen, const char *data, int datalen)
+static struct key *asymmetric_key_from_sig(struct key *keyring, const char 
*sig,
+                                          int siglen)
 {
-       struct public_key_signature pks;
-       struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
-       struct key *key;
-       int ret = -ENOMEM;
+       const struct signature_v2_hdr *hdr = (struct signature_v2_hdr *) sig;
 
        if (siglen <= sizeof(*hdr))
-               return -EBADMSG;
+               return ERR_PTR(-EBADMSG);
 
        siglen -= sizeof(*hdr);
 
        if (siglen != be16_to_cpu(hdr->sig_size))
-               return -EBADMSG;
+               return ERR_PTR(-EBADMSG);
 
        if (hdr->hash_algo >= HASH_ALGO__LAST)
-               return -ENOPKG;
+               return ERR_PTR(-ENOPKG);
+
+       return request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
+}
+
+bool asymmetric_sig_has_known_key(struct key *keyring, const char *sig,
+                                 int siglen)
+{
+       struct key *key;
+
+       key = asymmetric_key_from_sig(keyring, sig, siglen);
+       if (IS_ERR_OR_NULL(key))
+               return false;
+
+       key_put(key);
+
+       return true;
+}
+
+int asymmetric_verify(struct key *keyring, const char *sig,
+                     int siglen, const char *data, int datalen)
+{
+       struct public_key_signature pks;
+       struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
+       struct key *key;
+       int ret = -ENOMEM;
 
-       key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid));
+       key = asymmetric_key_from_sig(keyring, sig, siglen);
        if (IS_ERR(key))
                return PTR_ERR(key);
 
@@ -109,7 +131,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
        pks.digest = (u8 *)data;
        pks.digest_size = datalen;
        pks.s = hdr->sig;
-       pks.s_size = siglen;
+       pks.s_size = siglen - sizeof(*hdr);
        ret = verify_signature(key, &pks);
        key_put(key);
        pr_debug("%s() = %d\n", __func__, ret);
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index d4f676906442..7f80c3e44d51 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -181,12 +181,20 @@ static inline int integrity_init_keyring(const unsigned 
int id)
 #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
 int asymmetric_verify(struct key *keyring, const char *sig,
                      int siglen, const char *data, int datalen);
+bool asymmetric_sig_has_known_key(struct key *keyring, const char *sig,
+                                 int siglen);
 #else
 static inline int asymmetric_verify(struct key *keyring, const char *sig,
                                    int siglen, const char *data, int datalen)
 {
        return -EOPNOTSUPP;
 }
+
+static inline bool asymmetric_sig_has_known_key(struct key *keyring,
+                                               const char *sig, int siglen)
+{
+       return false;
+}
 #endif
 
 #ifdef CONFIG_IMA_LOAD_X509

Reply via email to