Commit 661cb9c4 authored by David Howells's avatar David Howells

KEYS: Generalise system_verify_data() to provide access to internal content

Generalise system_verify_data() to provide access to internal content
through a callback.  This allows all the PKCS#7 stuff to be hidden inside
this function and removed from the PE file parser and the PKCS#7 test key.

If external content is not required, NULL should be passed as data to the
function.  If the callback is not required, that can be set to NULL.

The function is now called verify_pkcs7_signature() to contrast with
verify_pefile_signature() and the definitions of both have been moved into
linux/verification.h along with the key_being_used_for enum.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 146aa8b1
...@@ -19,8 +19,7 @@ ...@@ -19,8 +19,7 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/efi.h> #include <linux/efi.h>
#include <linux/verify_pefile.h> #include <linux/verification.h>
#include <keys/system_keyring.h>
#include <asm/bootparam.h> #include <asm/bootparam.h>
#include <asm/setup.h> #include <asm/setup.h>
...@@ -529,18 +528,9 @@ static int bzImage64_cleanup(void *loader_data) ...@@ -529,18 +528,9 @@ static int bzImage64_cleanup(void *loader_data)
#ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG #ifdef CONFIG_KEXEC_BZIMAGE_VERIFY_SIG
static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len) static int bzImage64_verify_sig(const char *kernel, unsigned long kernel_len)
{ {
bool trusted; return verify_pefile_signature(kernel, kernel_len,
int ret; NULL,
VERIFYING_KEXEC_PE_SIGNATURE);
ret = verify_pefile_signature(kernel, kernel_len,
system_trusted_keyring,
VERIFYING_KEXEC_PE_SIGNATURE,
&trusted);
if (ret < 0)
return ret;
if (!trusted)
return -EKEYREJECTED;
return 0;
} }
#endif #endif
......
...@@ -108,16 +108,25 @@ late_initcall(load_system_certificate_list); ...@@ -108,16 +108,25 @@ late_initcall(load_system_certificate_list);
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION #ifdef CONFIG_SYSTEM_DATA_VERIFICATION
/** /**
* Verify a PKCS#7-based signature on system data. * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data.
* @data: The data to be verified. * @data: The data to be verified (NULL if expecting internal data).
* @len: Size of @data. * @len: Size of @data.
* @raw_pkcs7: The PKCS#7 message that is the signature. * @raw_pkcs7: The PKCS#7 message that is the signature.
* @pkcs7_len: The size of @raw_pkcs7. * @pkcs7_len: The size of @raw_pkcs7.
* @trusted_keys: Trusted keys to use (NULL for system_trusted_keyring).
* @usage: The use to which the key is being put. * @usage: The use to which the key is being put.
* @view_content: Callback to gain access to content.
* @ctx: Context for callback.
*/ */
int system_verify_data(const void *data, unsigned long len, int verify_pkcs7_signature(const void *data, size_t len,
const void *raw_pkcs7, size_t pkcs7_len, const void *raw_pkcs7, size_t pkcs7_len,
enum key_being_used_for usage) struct key *trusted_keys,
int untrusted_error,
enum key_being_used_for usage,
int (*view_content)(void *ctx,
const void *data, size_t len,
size_t asn1hdrlen),
void *ctx)
{ {
struct pkcs7_message *pkcs7; struct pkcs7_message *pkcs7;
bool trusted; bool trusted;
...@@ -128,7 +137,7 @@ int system_verify_data(const void *data, unsigned long len, ...@@ -128,7 +137,7 @@ int system_verify_data(const void *data, unsigned long len,
return PTR_ERR(pkcs7); return PTR_ERR(pkcs7);
/* The data should be detached - so we need to supply it. */ /* The data should be detached - so we need to supply it. */
if (pkcs7_supply_detached_data(pkcs7, data, len) < 0) { if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) {
pr_err("PKCS#7 signature with non-detached data\n"); pr_err("PKCS#7 signature with non-detached data\n");
ret = -EBADMSG; ret = -EBADMSG;
goto error; goto error;
...@@ -138,13 +147,29 @@ int system_verify_data(const void *data, unsigned long len, ...@@ -138,13 +147,29 @@ int system_verify_data(const void *data, unsigned long len,
if (ret < 0) if (ret < 0)
goto error; goto error;
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted); if (!trusted_keys)
trusted_keys = system_trusted_keyring;
ret = pkcs7_validate_trust(pkcs7, trusted_keys, &trusted);
if (ret < 0) if (ret < 0)
goto error; goto error;
if (!trusted) { if (!trusted && untrusted_error) {
pr_err("PKCS#7 signature not signed with a trusted key\n"); pr_err("PKCS#7 signature not signed with a trusted key\n");
ret = -ENOKEY; ret = untrusted_error;
goto error;
}
if (view_content) {
size_t asn1hdrlen;
ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen);
if (ret < 0) {
if (ret == -ENODATA)
pr_devel("PKCS#7 message does not contain data\n");
goto error;
}
ret = view_content(ctx, data, len, asn1hdrlen);
} }
error: error:
...@@ -152,6 +177,6 @@ int system_verify_data(const void *data, unsigned long len, ...@@ -152,6 +177,6 @@ int system_verify_data(const void *data, unsigned long len,
pr_devel("<==%s() = %d\n", __func__, ret); pr_devel("<==%s() = %d\n", __func__, ret);
return ret; return ret;
} }
EXPORT_SYMBOL_GPL(system_verify_data); EXPORT_SYMBOL_GPL(verify_pkcs7_signature);
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
...@@ -61,6 +61,7 @@ config PKCS7_TEST_KEY ...@@ -61,6 +61,7 @@ config PKCS7_TEST_KEY
config SIGNED_PE_FILE_VERIFICATION config SIGNED_PE_FILE_VERIFICATION
bool "Support for PE file signature verification" bool "Support for PE file signature verification"
depends on PKCS7_MESSAGE_PARSER=y depends on PKCS7_MESSAGE_PARSER=y
depends on SYSTEM_DATA_VERIFICATION
select ASN1 select ASN1
select OID_REGISTRY select OID_REGISTRY
help help
......
...@@ -21,19 +21,13 @@ ...@@ -21,19 +21,13 @@
/* /*
* Parse a Microsoft Individual Code Signing blob * Parse a Microsoft Individual Code Signing blob
*/ */
int mscode_parse(struct pefile_context *ctx) int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
size_t asn1hdrlen)
{ {
const void *content_data; struct pefile_context *ctx = _ctx;
size_t data_len;
int ret;
ret = pkcs7_get_content_data(ctx->pkcs7, &content_data, &data_len, 1);
if (ret) {
pr_debug("PKCS#7 message does not contain data\n");
return ret;
}
content_data -= asn1hdrlen;
data_len += asn1hdrlen;
pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len), pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
content_data); content_data);
...@@ -129,7 +123,6 @@ int mscode_note_digest(void *context, size_t hdrlen, ...@@ -129,7 +123,6 @@ int mscode_note_digest(void *context, size_t hdrlen,
{ {
struct pefile_context *ctx = context; struct pefile_context *ctx = context;
ctx->digest = value; ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
ctx->digest_len = vlen; return ctx->digest ? 0 : -ENOMEM;
return 0;
} }
...@@ -28,16 +28,38 @@ module_param_named(usage, pkcs7_usage, uint, S_IWUSR | S_IRUGO); ...@@ -28,16 +28,38 @@ module_param_named(usage, pkcs7_usage, uint, S_IWUSR | S_IRUGO);
MODULE_PARM_DESC(pkcs7_usage, MODULE_PARM_DESC(pkcs7_usage,
"Usage to specify when verifying the PKCS#7 message"); "Usage to specify when verifying the PKCS#7 message");
/*
* Retrieve the PKCS#7 message content.
*/
static int pkcs7_view_content(void *ctx, const void *data, size_t len,
size_t asn1hdrlen)
{
struct key_preparsed_payload *prep = ctx;
const void *saved_prep_data;
size_t saved_prep_datalen;
int ret;
kenter(",%zu", len);
saved_prep_data = prep->data;
saved_prep_datalen = prep->datalen;
prep->data = data;
prep->datalen = len;
ret = user_preparse(prep);
prep->data = saved_prep_data;
prep->datalen = saved_prep_datalen;
kleave(" = %d", ret);
return ret;
}
/* /*
* Preparse a PKCS#7 wrapped and validated data blob. * Preparse a PKCS#7 wrapped and validated data blob.
*/ */
static int pkcs7_preparse(struct key_preparsed_payload *prep) static int pkcs7_preparse(struct key_preparsed_payload *prep)
{ {
enum key_being_used_for usage = pkcs7_usage; enum key_being_used_for usage = pkcs7_usage;
struct pkcs7_message *pkcs7;
const void *data, *saved_prep_data;
size_t datalen, saved_prep_datalen;
bool trusted;
int ret; int ret;
kenter(""); kenter("");
...@@ -47,37 +69,11 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep) ...@@ -47,37 +69,11 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
return -EINVAL; return -EINVAL;
} }
saved_prep_data = prep->data; ret = verify_pkcs7_signature(NULL, 0,
saved_prep_datalen = prep->datalen; prep->data, prep->datalen,
pkcs7 = pkcs7_parse_message(saved_prep_data, saved_prep_datalen); NULL, -ENOKEY, usage,
if (IS_ERR(pkcs7)) { pkcs7_view_content, prep);
ret = PTR_ERR(pkcs7);
goto error;
}
ret = pkcs7_verify(pkcs7, usage);
if (ret < 0)
goto error_free;
ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
if (ret < 0)
goto error_free;
if (!trusted)
pr_warn("PKCS#7 message doesn't chain back to a trusted key\n");
ret = pkcs7_get_content_data(pkcs7, &data, &datalen, false);
if (ret < 0)
goto error_free;
prep->data = data;
prep->datalen = datalen;
ret = user_preparse(prep);
prep->data = saved_prep_data;
prep->datalen = saved_prep_datalen;
error_free:
pkcs7_free_message(pkcs7);
error:
kleave(" = %d", ret); kleave(" = %d", ret);
return ret; return ret;
} }
......
...@@ -165,24 +165,25 @@ EXPORT_SYMBOL_GPL(pkcs7_parse_message); ...@@ -165,24 +165,25 @@ EXPORT_SYMBOL_GPL(pkcs7_parse_message);
* @pkcs7: The preparsed PKCS#7 message to access * @pkcs7: The preparsed PKCS#7 message to access
* @_data: Place to return a pointer to the data * @_data: Place to return a pointer to the data
* @_data_len: Place to return the data length * @_data_len: Place to return the data length
* @want_wrapper: True if the ASN.1 object header should be included in the data * @_headerlen: Size of ASN.1 header not included in _data
* *
* Get access to the data content of the PKCS#7 message, including, optionally, * Get access to the data content of the PKCS#7 message. The size of the
* the header of the ASN.1 object that contains it. Returns -ENODATA if the * header of the ASN.1 object that contains it is also provided and can be used
* data object was missing from the message. * to adjust *_data and *_data_len to get the entire object.
*
* Returns -ENODATA if the data object was missing from the message.
*/ */
int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
const void **_data, size_t *_data_len, const void **_data, size_t *_data_len,
bool want_wrapper) size_t *_headerlen)
{ {
size_t wrapper;
if (!pkcs7->data) if (!pkcs7->data)
return -ENODATA; return -ENODATA;
wrapper = want_wrapper ? pkcs7->data_hdrlen : 0; *_data = pkcs7->data;
*_data = pkcs7->data - wrapper; *_data_len = pkcs7->data_len;
*_data_len = pkcs7->data_len + wrapper; if (_headerlen)
*_headerlen = pkcs7->data_hdrlen;
return 0; return 0;
} }
EXPORT_SYMBOL_GPL(pkcs7_get_content_data); EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
......
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <linux/err.h> #include <linux/err.h>
#include <linux/pe.h> #include <linux/pe.h>
#include <linux/asn1.h> #include <linux/asn1.h>
#include <crypto/pkcs7.h> #include <linux/verification.h>
#include <crypto/hash.h> #include <crypto/hash.h>
#include "verify_pefile.h" #include "verify_pefile.h"
...@@ -392,9 +392,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, ...@@ -392,9 +392,8 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
* verify_pefile_signature - Verify the signature on a PE binary image * verify_pefile_signature - Verify the signature on a PE binary image
* @pebuf: Buffer containing the PE binary image * @pebuf: Buffer containing the PE binary image
* @pelen: Length of the binary image * @pelen: Length of the binary image
* @trust_keyring: Signing certificates to use as starting points * @trust_keys: Signing certificate(s) to use as starting points
* @usage: The use to which the key is being put. * @usage: The use to which the key is being put.
* @_trusted: Set to true if trustworth, false otherwise
* *
* Validate that the certificate chain inside the PKCS#7 message inside the PE * Validate that the certificate chain inside the PKCS#7 message inside the PE
* binary image intersects keys we already know and trust. * binary image intersects keys we already know and trust.
...@@ -418,14 +417,10 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen, ...@@ -418,14 +417,10 @@ static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
* May also return -ENOMEM. * May also return -ENOMEM.
*/ */
int verify_pefile_signature(const void *pebuf, unsigned pelen, int verify_pefile_signature(const void *pebuf, unsigned pelen,
struct key *trusted_keyring, struct key *trusted_keys,
enum key_being_used_for usage, enum key_being_used_for usage)
bool *_trusted)
{ {
struct pkcs7_message *pkcs7;
struct pefile_context ctx; struct pefile_context ctx;
const void *data;
size_t datalen;
int ret; int ret;
kenter(""); kenter("");
...@@ -439,19 +434,10 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen, ...@@ -439,19 +434,10 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen,
if (ret < 0) if (ret < 0)
return ret; return ret;
pkcs7 = pkcs7_parse_message(pebuf + ctx.sig_offset, ctx.sig_len); ret = verify_pkcs7_signature(NULL, 0,
if (IS_ERR(pkcs7)) pebuf + ctx.sig_offset, ctx.sig_len,
return PTR_ERR(pkcs7); trusted_keys, -EKEYREJECTED, usage,
ctx.pkcs7 = pkcs7; mscode_parse, &ctx);
ret = pkcs7_get_content_data(ctx.pkcs7, &data, &datalen, false);
if (ret < 0 || datalen == 0) {
pr_devel("PKCS#7 message does not contain data\n");
ret = -EBADMSG;
goto error;
}
ret = mscode_parse(&ctx);
if (ret < 0) if (ret < 0)
goto error; goto error;
...@@ -462,16 +448,8 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen, ...@@ -462,16 +448,8 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen,
* contents. * contents.
*/ */
ret = pefile_digest_pe(pebuf, pelen, &ctx); ret = pefile_digest_pe(pebuf, pelen, &ctx);
if (ret < 0)
goto error;
ret = pkcs7_verify(pkcs7, usage);
if (ret < 0)
goto error;
ret = pkcs7_validate_trust(pkcs7, trusted_keyring, _trusted);
error: error:
pkcs7_free_message(ctx.pkcs7); kfree(ctx.digest);
return ret; return ret;
} }
...@@ -9,7 +9,6 @@ ...@@ -9,7 +9,6 @@
* 2 of the Licence, or (at your option) any later version. * 2 of the Licence, or (at your option) any later version.
*/ */
#include <linux/verify_pefile.h>
#include <crypto/pkcs7.h> #include <crypto/pkcs7.h>
#include <crypto/hash_info.h> #include <crypto/hash_info.h>
...@@ -23,7 +22,6 @@ struct pefile_context { ...@@ -23,7 +22,6 @@ struct pefile_context {
unsigned sig_offset; unsigned sig_offset;
unsigned sig_len; unsigned sig_len;
const struct section_header *secs; const struct section_header *secs;
struct pkcs7_message *pkcs7;
/* PKCS#7 MS Individual Code Signing content */ /* PKCS#7 MS Individual Code Signing content */
const void *digest; /* Digest */ const void *digest; /* Digest */
...@@ -39,4 +37,5 @@ struct pefile_context { ...@@ -39,4 +37,5 @@ struct pefile_context {
/* /*
* mscode_parser.c * mscode_parser.c
*/ */
extern int mscode_parse(struct pefile_context *ctx); extern int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
size_t asn1hdrlen);
...@@ -12,6 +12,7 @@ ...@@ -12,6 +12,7 @@
#ifndef _CRYPTO_PKCS7_H #ifndef _CRYPTO_PKCS7_H
#define _CRYPTO_PKCS7_H #define _CRYPTO_PKCS7_H
#include <linux/verification.h>
#include <crypto/public_key.h> #include <crypto/public_key.h>
struct key; struct key;
...@@ -26,7 +27,7 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7); ...@@ -26,7 +27,7 @@ extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
const void **_data, size_t *_datalen, const void **_data, size_t *_datalen,
bool want_wrapper); size_t *_headerlen);
/* /*
* pkcs7_trust.c * pkcs7_trust.c
......
...@@ -38,20 +38,6 @@ enum pkey_id_type { ...@@ -38,20 +38,6 @@ enum pkey_id_type {
extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST]; extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
/*
* The use to which an asymmetric key is being put.
*/
enum key_being_used_for {
VERIFYING_MODULE_SIGNATURE,
VERIFYING_FIRMWARE_SIGNATURE,
VERIFYING_KEXEC_PE_SIGNATURE,
VERIFYING_KEY_SIGNATURE,
VERIFYING_KEY_SELF_SIGNATURE,
VERIFYING_UNSPECIFIED_SIGNATURE,
NR__KEY_BEING_USED_FOR
};
extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
/* /*
* Cryptographic data for the public-key subtype of the asymmetric key type. * Cryptographic data for the public-key subtype of the asymmetric key type.
* *
......
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#define _KEYS_ASYMMETRIC_TYPE_H #define _KEYS_ASYMMETRIC_TYPE_H
#include <linux/key-type.h> #include <linux/key-type.h>
#include <linux/verification.h>
extern struct key_type key_type_asymmetric; extern struct key_type key_type_asymmetric;
......
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
#include <linux/key.h> #include <linux/key.h>
#include <linux/verification.h>
#include <crypto/public_key.h> #include <crypto/public_key.h>
extern struct key *system_trusted_keyring; extern struct key *system_trusted_keyring;
...@@ -29,10 +30,4 @@ static inline struct key *get_system_trusted_keyring(void) ...@@ -29,10 +30,4 @@ static inline struct key *get_system_trusted_keyring(void)
} }
#endif #endif
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
extern int system_verify_data(const void *data, unsigned long len,
const void *raw_pkcs7, size_t pkcs7_len,
enum key_being_used_for usage);
#endif
#endif /* _KEYS_SYSTEM_KEYRING_H */ #endif /* _KEYS_SYSTEM_KEYRING_H */
/* Signed PE file verification /* Signature verification
* *
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com) * Written by David Howells (dhowells@redhat.com)
...@@ -9,14 +9,42 @@ ...@@ -9,14 +9,42 @@
* 2 of the Licence, or (at your option) any later version. * 2 of the Licence, or (at your option) any later version.
*/ */
#ifndef _LINUX_VERIFY_PEFILE_H #ifndef _LINUX_VERIFICATION_H
#define _LINUX_VERIFY_PEFILE_H #define _LINUX_VERIFICATION_H
#include <crypto/public_key.h> /*
* The use to which an asymmetric key is being put.
*/
enum key_being_used_for {
VERIFYING_MODULE_SIGNATURE,
VERIFYING_FIRMWARE_SIGNATURE,
VERIFYING_KEXEC_PE_SIGNATURE,
VERIFYING_KEY_SIGNATURE,
VERIFYING_KEY_SELF_SIGNATURE,
VERIFYING_UNSPECIFIED_SIGNATURE,
NR__KEY_BEING_USED_FOR
};
extern const char *const key_being_used_for[NR__KEY_BEING_USED_FOR];
#ifdef CONFIG_SYSTEM_DATA_VERIFICATION
struct key;
extern int verify_pkcs7_signature(const void *data, size_t len,
const void *raw_pkcs7, size_t pkcs7_len,
struct key *trusted_keys,
int untrusted_error,
enum key_being_used_for usage,
int (*view_content)(void *ctx,
const void *data, size_t len,
size_t asn1hdrlen),
void *ctx);
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
extern int verify_pefile_signature(const void *pebuf, unsigned pelen, extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
struct key *trusted_keyring, struct key *trusted_keys,
enum key_being_used_for usage, enum key_being_used_for usage);
bool *_trusted); #endif
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
#endif /* _LINUX_VERIFY_PEFILE_H */ #endif /* _LINUX_VERIFY_PEFILE_H */
...@@ -73,6 +73,7 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) ...@@ -73,6 +73,7 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
return -EBADMSG; return -EBADMSG;
} }
return system_verify_data(mod, modlen, mod + modlen, sig_len, return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
VERIFYING_MODULE_SIGNATURE); NULL, -ENOKEY, VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment