]>
Commit | Line | Data |
---|---|---|
106a4ee2 RR |
1 | /* Module signature checker |
2 | * | |
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | |
4 | * Written by David Howells (dhowells@redhat.com) | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public Licence | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the Licence, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #include <linux/kernel.h> | |
146aa8b1 | 13 | #include <linux/errno.h> |
89053aa9 | 14 | #include <linux/string.h> |
b56e5a17 | 15 | #include <keys/system_keyring.h> |
3f1e1bea | 16 | #include <crypto/public_key.h> |
106a4ee2 RR |
17 | #include "module-internal.h" |
18 | ||
48ba2462 DH |
19 | /* |
20 | * Module signature information block. | |
21 | * | |
22 | * The constituents of the signature section are, in order: | |
23 | * | |
24 | * - Signer's name | |
25 | * - Key identifier | |
26 | * - Signature data | |
27 | * - Information block | |
28 | */ | |
29 | struct module_signature { | |
3f1e1bea DH |
30 | u8 algo; /* Public-key crypto algorithm [0] */ |
31 | u8 hash; /* Digest algorithm [0] */ | |
32 | u8 id_type; /* Key identifier type [PKEY_ID_PKCS7] */ | |
33 | u8 signer_len; /* Length of signer's name [0] */ | |
34 | u8 key_id_len; /* Length of key identifier [0] */ | |
12e130b0 DH |
35 | u8 __pad[3]; |
36 | __be32 sig_len; /* Length of signature data */ | |
48ba2462 DH |
37 | }; |
38 | ||
106a4ee2 RR |
39 | /* |
40 | * Verify the signature on a module. | |
41 | */ | |
caabe240 | 42 | int mod_verify_sig(const void *mod, unsigned long *_modlen) |
106a4ee2 | 43 | { |
48ba2462 | 44 | struct module_signature ms; |
caabe240 | 45 | size_t modlen = *_modlen, sig_len; |
48ba2462 | 46 | |
0390c883 | 47 | pr_devel("==>%s(,%zu)\n", __func__, modlen); |
48ba2462 | 48 | |
caabe240 | 49 | if (modlen <= sizeof(ms)) |
48ba2462 DH |
50 | return -EBADMSG; |
51 | ||
caabe240 DH |
52 | memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); |
53 | modlen -= sizeof(ms); | |
48ba2462 DH |
54 | |
55 | sig_len = be32_to_cpu(ms.sig_len); | |
caabe240 | 56 | if (sig_len >= modlen) |
48ba2462 | 57 | return -EBADMSG; |
caabe240 | 58 | modlen -= sig_len; |
caabe240 | 59 | *_modlen = modlen; |
48ba2462 | 60 | |
3f1e1bea DH |
61 | if (ms.id_type != PKEY_ID_PKCS7) { |
62 | pr_err("Module is not signed with expected PKCS#7 message\n"); | |
48ba2462 | 63 | return -ENOPKG; |
48ba2462 DH |
64 | } |
65 | ||
3f1e1bea DH |
66 | if (ms.algo != 0 || |
67 | ms.hash != 0 || | |
68 | ms.signer_len != 0 || | |
69 | ms.key_id_len != 0 || | |
70 | ms.__pad[0] != 0 || | |
71 | ms.__pad[1] != 0 || | |
72 | ms.__pad[2] != 0) { | |
73 | pr_err("PKCS#7 signature info has unexpected non-zero params\n"); | |
74 | return -EBADMSG; | |
75 | } | |
48ba2462 | 76 | |
99db4435 DH |
77 | return system_verify_data(mod, modlen, mod + modlen, sig_len, |
78 | VERIFYING_MODULE_SIGNATURE); | |
106a4ee2 | 79 | } |