]>
Commit | Line | Data |
---|---|---|
b4d0d230 | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
106a4ee2 RR |
2 | /* Module signature checker |
3 | * | |
4 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | |
5 | * Written by David Howells (dhowells@redhat.com) | |
106a4ee2 RR |
6 | */ |
7 | ||
8 | #include <linux/kernel.h> | |
146aa8b1 | 9 | #include <linux/errno.h> |
89053aa9 | 10 | #include <linux/string.h> |
a511e1af | 11 | #include <linux/verification.h> |
3f1e1bea | 12 | #include <crypto/public_key.h> |
106a4ee2 RR |
13 | #include "module-internal.h" |
14 | ||
4e8ae72a DH |
15 | enum pkey_id_type { |
16 | PKEY_ID_PGP, /* OpenPGP generated key ID */ | |
17 | PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ | |
18 | PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ | |
19 | }; | |
20 | ||
48ba2462 DH |
21 | /* |
22 | * Module signature information block. | |
23 | * | |
24 | * The constituents of the signature section are, in order: | |
25 | * | |
26 | * - Signer's name | |
27 | * - Key identifier | |
28 | * - Signature data | |
29 | * - Information block | |
30 | */ | |
31 | struct module_signature { | |
3f1e1bea DH |
32 | u8 algo; /* Public-key crypto algorithm [0] */ |
33 | u8 hash; /* Digest algorithm [0] */ | |
34 | u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */ | |
35 | u8 signer_len; /* Length of signer's name [0] */ | |
36 | u8 key_id_len; /* Length of key identifier [0] */ | |
12e130b0 DH |
37 | u8 __pad[3]; |
38 | __be32 sig_len; /* Length of signature data */ | |
48ba2462 DH |
39 | }; |
40 | ||
106a4ee2 RR |
41 | /* |
42 | * Verify the signature on a module. | |
43 | */ | |
f314dfea | 44 | int mod_verify_sig(const void *mod, struct load_info *info) |
106a4ee2 | 45 | { |
48ba2462 | 46 | struct module_signature ms; |
f314dfea | 47 | size_t sig_len, modlen = info->len; |
48ba2462 | 48 | |
0390c883 | 49 | pr_devel("==>%s(,%zu)\n", __func__, modlen); |
48ba2462 | 50 | |
caabe240 | 51 | if (modlen <= sizeof(ms)) |
48ba2462 DH |
52 | return -EBADMSG; |
53 | ||
caabe240 DH |
54 | memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); |
55 | modlen -= sizeof(ms); | |
48ba2462 DH |
56 | |
57 | sig_len = be32_to_cpu(ms.sig_len); | |
caabe240 | 58 | if (sig_len >= modlen) |
48ba2462 | 59 | return -EBADMSG; |
caabe240 | 60 | modlen -= sig_len; |
f314dfea | 61 | info->len = modlen; |
48ba2462 | 62 | |
3f1e1bea | 63 | if (ms.id_type != PKEY_ID_PKCS7) { |
f314dfea JY |
64 | pr_err("%s: Module is not signed with expected PKCS#7 message\n", |
65 | info->name); | |
48ba2462 | 66 | return -ENOPKG; |
48ba2462 DH |
67 | } |
68 | ||
3f1e1bea DH |
69 | if (ms.algo != 0 || |
70 | ms.hash != 0 || | |
71 | ms.signer_len != 0 || | |
72 | ms.key_id_len != 0 || | |
73 | ms.__pad[0] != 0 || | |
74 | ms.__pad[1] != 0 || | |
75 | ms.__pad[2] != 0) { | |
f314dfea JY |
76 | pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n", |
77 | info->name); | |
3f1e1bea DH |
78 | return -EBADMSG; |
79 | } | |
48ba2462 | 80 | |
e68503bd | 81 | return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, |
e84cd7ee KW |
82 | VERIFY_USE_SECONDARY_KEYRING, |
83 | VERIFYING_MODULE_SIGNATURE, | |
e68503bd | 84 | NULL, NULL); |
106a4ee2 | 85 | } |