IMA will need to verify a PKCS#7 signature which has already been parsed.
For this reason, factor out the code which does that from
verify_pkcs7_signature() into a new function which takes a struct
pkcs7_message instead of a data buffer.

Signed-off-by: Thiago Jung Bauermann <bauer...@linux.ibm.com>
Reviewed-by: Mimi Zohar <zo...@linux.ibm.com>
Cc: David Howells <dhowe...@redhat.com>
Cc: David Woodhouse <dw...@infradead.org>
Cc: Herbert Xu <herb...@gondor.apana.org.au>
Cc: "David S. Miller" <da...@davemloft.net>
---
 certs/system_keyring.c       | 61 ++++++++++++++++++++++++++----------
 include/linux/verification.h | 10 ++++++
 2 files changed, 55 insertions(+), 16 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index c05c29ae4d5d..4ba82e52e4b4 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -194,33 +194,27 @@ late_initcall(load_system_certificate_list);
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
 
 /**
- * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
+ * verify_pkcs7_message_sig - Verify a PKCS#7-based signature on system data.
  * @data: The data to be verified (NULL if expecting internal data).
  * @len: Size of @data.
- * @raw_pkcs7: The PKCS#7 message that is the signature.
- * @pkcs7_len: The size of @raw_pkcs7.
+ * @pkcs7: The PKCS#7 message that is the signature.
  * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
  *                                     (void *)1UL for all trusted keys).
  * @usage: The use to which the key is being put.
  * @view_content: Callback to gain access to content.
  * @ctx: Context for callback.
  */
-int verify_pkcs7_signature(const void *data, size_t len,
-                          const void *raw_pkcs7, size_t pkcs7_len,
-                          struct key *trusted_keys,
-                          enum key_being_used_for usage,
-                          int (*view_content)(void *ctx,
-                                              const void *data, size_t len,
-                                              size_t asn1hdrlen),
-                          void *ctx)
+int verify_pkcs7_message_sig(const void *data, size_t len,
+                            struct pkcs7_message *pkcs7,
+                            struct key *trusted_keys,
+                            enum key_being_used_for usage,
+                            int (*view_content)(void *ctx,
+                                                const void *data, size_t len,
+                                                size_t asn1hdrlen),
+                            void *ctx)
 {
-       struct pkcs7_message *pkcs7;
        int ret;
 
-       pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
-       if (IS_ERR(pkcs7))
-               return PTR_ERR(pkcs7);
-
        /* The data should be detached - so we need to supply it. */
        if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
                pr_err("PKCS#7 signature with non-detached data\n");
@@ -273,6 +267,41 @@ int verify_pkcs7_signature(const void *data, size_t len,
        }
 
 error:
+       pr_devel("<==%s() = %d\n", __func__, ret);
+       return ret;
+}
+
+/**
+ * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
+ * @data: The data to be verified (NULL if expecting internal data).
+ * @len: Size of @data.
+ * @raw_pkcs7: The PKCS#7 message that is the signature.
+ * @pkcs7_len: The size of @raw_pkcs7.
+ * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only,
+ *                                     (void *)1UL for all trusted keys).
+ * @usage: The use to which the key is being put.
+ * @view_content: Callback to gain access to content.
+ * @ctx: Context for callback.
+ */
+int verify_pkcs7_signature(const void *data, size_t len,
+                          const void *raw_pkcs7, size_t pkcs7_len,
+                          struct key *trusted_keys,
+                          enum key_being_used_for usage,
+                          int (*view_content)(void *ctx,
+                                              const void *data, size_t len,
+                                              size_t asn1hdrlen),
+                          void *ctx)
+{
+       struct pkcs7_message *pkcs7;
+       int ret;
+
+       pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
+       if (IS_ERR(pkcs7))
+               return PTR_ERR(pkcs7);
+
+       ret = verify_pkcs7_message_sig(data, len, pkcs7, trusted_keys, usage,
+                                      view_content, ctx);
+
        pkcs7_free_message(pkcs7);
        pr_devel("<==%s() = %d\n", __func__, ret);
        return ret;
diff --git a/include/linux/verification.h b/include/linux/verification.h
index 018fb5f13d44..5e1d41f2b336 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -36,6 +36,7 @@ extern const char *const 
key_being_used_for[NR__KEY_BEING_USED_FOR];
 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
 
 struct key;
+struct pkcs7_message;
 
 extern int verify_pkcs7_signature(const void *data, size_t len,
                                  const void *raw_pkcs7, size_t pkcs7_len,
@@ -45,6 +46,15 @@ extern int verify_pkcs7_signature(const void *data, size_t 
len,
                                                      const void *data, size_t 
len,
                                                      size_t asn1hdrlen),
                                  void *ctx);
+extern int verify_pkcs7_message_sig(const void *data, size_t len,
+                                   struct pkcs7_message *pkcs7,
+                                   struct key *trusted_keys,
+                                   enum key_being_used_for usage,
+                                   int (*view_content)(void *ctx,
+                                                       const void *data,
+                                                       size_t len,
+                                                       size_t asn1hdrlen),
+                                   void *ctx);
 
 #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
 extern int verify_pefile_signature(const void *pebuf, unsigned pelen,

Reply via email to