Re: [RFC v2 1/7] integrity: added digest calculation function

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Serge Hallyn <serge.hallyn@canonical.com>
To: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Cc: zohar@linux.vnet.ibm.com, jmorris@namei.org,
	rusty@rustcorp.com.au, dhowells@redhat.com,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC v2 1/7] integrity: added digest calculation function
Date: Wed, 15 Aug 2012 15:11:35 -0500	[thread overview]
Message-ID: <20120815201135.GA10088@amd1> (raw)
In-Reply-To: <f5c7c0f9ef113263bf17c39e9b7927f085872107.1345055639.git.dmitry.kasatkin@intel.com>

Quoting Dmitry Kasatkin (dmitry.kasatkin@intel.com):
> There are several functions, that need to calculate digest.
> This patch adds common function for use by integrity subsystem.
> 
> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
> ---
>  security/integrity/digsig.c    |   31 +++++++++++++++++++++++++++++--
>  security/integrity/integrity.h |    3 +++
>  2 files changed, 32 insertions(+), 2 deletions(-)
> 
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index 2dc167d..61a0c92 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -13,9 +13,9 @@
>  #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
>  
>  #include <linux/err.h>
> -#include <linux/rbtree.h>
>  #include <linux/key-type.h>
>  #include <linux/digsig.h>
> +#include <crypto/hash.h>
>  
>  #include "integrity.h"
>  
> @@ -28,7 +28,7 @@ static const char *keyring_name[INTEGRITY_KEYRING_MAX] = {
>  };
>  
>  int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
> -					const char *digest, int digestlen)
> +			    const char *digest, int digestlen)
>  {
>  	if (id >= INTEGRITY_KEYRING_MAX)
>  		return -EINVAL;
> @@ -46,3 +46,30 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>  
>  	return digsig_verify(keyring[id], sig, siglen, digest, digestlen);
>  }
> +
> +int integrity_calc_digest(const char *algo, const void *data, const int len,
> +			  char *digest)
> +{
> +	int rc = -ENOMEM;
> +	struct crypto_shash *tfm;
> +
> +	tfm = crypto_alloc_shash(algo, 0, 0);
> +	if (IS_ERR(tfm)) {
> +		rc = PTR_ERR(tfm);
> +		pr_err("Can not allocate %s (reason: %d)\n", algo, rc);
> +		return rc;
> +	} else {
> +		struct {
> +			struct shash_desc shash;
> +			char ctx[crypto_shash_descsize(tfm)];
> +		} desc;

Needless confusing indentation here.  Just move the struct {} desc; to the
top and drop the else.  That will make it much more readable.

> +		desc.shash.tfm = tfm;
> +		desc.shash.flags = 0;
> +
> +		rc = crypto_shash_digest(&desc.shash, data, len, digest);
> +	}
> +
> +	crypto_free_shash(tfm);
> +	return rc;
> +}
> diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
> index e21362a..48ee2d4 100644
> --- a/security/integrity/integrity.h
> +++ b/security/integrity/integrity.h
> @@ -59,6 +59,9 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode);
>  
>  #ifdef CONFIG_INTEGRITY_SIGNATURE
>  
> +int integrity_calc_digest(const char *algo, const void *data, const int len,
> +			  char *digest);
> +
>  int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
>  					const char *digest, int digestlen);
>  
> -- 
> 1.7.9.5
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2012-08-15 20:11 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-15 18:43 [RFC v2 0/7] modsig: signature based kernel module integrity verfication Dmitry Kasatkin
2012-08-15 18:43 ` [RFC v2 1/7] integrity: added digest calculation function Dmitry Kasatkin
2012-08-15 20:11   ` Serge Hallyn [this message]
2012-08-15 21:11     ` Kasatkin, Dmitry
2012-08-16 20:32       ` Kasatkin, Dmitry
2012-08-16 21:39         ` Serge Hallyn
2012-08-20  2:59   ` Rusty Russell
2012-08-22 16:38     ` Kasatkin, Dmitry
2012-08-15 18:43 ` [RFC v2 2/7] keys: initialize root uid and session keyrings early Dmitry Kasatkin
2012-08-16 18:26   ` Josh Boyer
2012-08-16 19:08     ` Mimi Zohar
2012-08-16 19:13       ` Josh Boyer
2012-08-16 19:45         ` Mimi Zohar
2012-08-16 19:59           ` Josh Boyer
2012-08-16 20:01             ` Mimi Zohar
2012-08-17 21:27               ` Eric W. Biederman
2012-08-15 18:43 ` [RFC v2 3/7] integrity: create and inititialize a keyring with builtin public key Dmitry Kasatkin
2012-08-16 18:37   ` Josh Boyer
2012-08-16 19:28     ` Mimi Zohar
2012-08-17  6:06       ` Kasatkin, Dmitry
2012-08-16 21:11     ` Kasatkin, Dmitry
2012-08-15 18:43 ` [RFC v2 4/7] modsig: add integrity_module_check hook Dmitry Kasatkin
2012-08-15 20:16   ` Serge Hallyn
2012-08-15 21:13     ` Kasatkin, Dmitry
2012-08-17  5:45       ` Kasatkin, Dmitry
2012-08-16 18:49   ` Josh Boyer
2012-08-16 19:56     ` Kasatkin, Dmitry
2012-09-03 23:06   ` Rusty Russell
2012-08-15 18:43 ` [RFC v2 5/7] modsig: verify module integrity based on signature Dmitry Kasatkin
2012-08-15 18:43 ` [RFC v2 6/7] modsig: initialize the _module public key keyring Dmitry Kasatkin
2012-08-16 18:54   ` Josh Boyer
2012-08-16 19:57     ` Mimi Zohar
2012-08-15 18:43 ` [RFC v2 7/7] modsig: build rules and scripts to generate keys and sign modules Dmitry Kasatkin
2012-08-16 19:10   ` Josh Boyer
2012-08-16 20:12     ` Kasatkin, Dmitry
2012-08-16 20:31       ` Josh Boyer
2012-08-16 21:04         ` Kasatkin, Dmitry
2012-08-17  0:53           ` Mimi Zohar
2012-08-17 11:40             ` Josh Boyer
2012-08-17 17:08               ` Mimi Zohar
2012-08-17 17:44                 ` Josh Boyer
2012-08-17 17:52                   ` Josh Boyer
2012-08-20  1:05                   ` Mimi Zohar
2012-08-20 12:32                     ` Josh Boyer
2012-08-20 13:13                       ` Mimi Zohar
2012-08-20 14:23                         ` Josh Boyer
2012-08-16 20:12     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120815201135.GA10088@amd1 \
    --to=serge.hallyn@canonical.com \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@intel.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=rusty@rustcorp.com.au \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.