From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757725AbcBXFEV (ORCPT <rfc822;w@1wt.eu>);
	Wed, 24 Feb 2016 00:04:21 -0500
Received: from e28smtp07.in.ibm.com ([125.16.236.7]:42554 "EHLO
	e28smtp07.in.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1757677AbcBXFES (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Wed, 24 Feb 2016 00:04:18 -0500
X-IBM-Helo: d28relay01.in.ibm.com
X-IBM-MailFrom: zohar@linux.vnet.ibm.com
X-IBM-RcptTo: linux-kernel@vger.kernel.org;linux-security-module@vger.kernel.org;keyrings@vger.kernel.org
Message-ID: <1456290244.2651.10.camel@linux.vnet.ibm.com>
Subject: Re: [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto
 layer
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, tadeusz.struk@intel.com
Date: Wed, 24 Feb 2016 00:04:04 -0500
In-Reply-To: <20160219171836.17223.9507.stgit@warthog.procyon.org.uk>
References: <20160219171806.17223.91381.stgit@warthog.procyon.org.uk>
	 <20160219171836.17223.9507.stgit@warthog.procyon.org.uk>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-TM-AS-MML: disable
x-cbid: 16022405-0025-0000-0000-00000A1B3AEF
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2016-02-19 at 17:18 +0000, David Howells wrote:

>  /*
>   * Verify a signature using a public key.
>   */
>  int public_key_verify_signature(const struct public_key *pkey,
>  				const struct public_key_signature *sig)
>  {
> +	struct public_key_completion compl;
> +	struct crypto_akcipher *tfm;
> +	struct akcipher_request *req;
> +	struct scatterlist sig_sg, digest_sg;
> +	int ret = -ENOMEM;
> +
> +	pr_devel("==>%s()\n", __func__);
> +
>  	BUG_ON(!pkey);
>  	BUG_ON(!sig);
>  	BUG_ON(!sig->digest);
>  	BUG_ON(!sig->s);
> 
> -	if (pkey->pkey_algo >= PKEY_ALGO__LAST)
> -		return -ENOPKG;
> +	tfm = crypto_alloc_akcipher(pkey_algo_name[sig->pkey_algo], 0, 0);
> +	if (IS_ERR(tfm))
> +		return PTR_ERR(tfm);

IMA fails here.   The security.ima xattr header includes the hash
algorithm as defined in 
include/uapi/linux/hash_info.h.

struct signature_v2_hdr {
        uint8_t type;           /* xattr type */
        uint8_t version;        /* signature format version */
        uint8_t hash_algo;      /* Digest algorithm [enum pkey_hash_algo] */
        uint32_t keyid;         /* IMA key identifier - not X509/PGP specific */
        uint16_t sig_size;      /* signature size */
        uint8_t sig[0];         /* signature payload */
} __packed;

Mimi