diff options
| author | Stefan Berger <stefanb@linux.ibm.com> | 2026-04-16 11:40:38 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2026-05-13 08:21:19 -0400 |
| commit | 33aa0c8cf0657b9588f835645cbbcebe44a2a1ee (patch) | |
| tree | 64cacd89d90422e213eb2a4eea217f64e6b78f2a /security | |
| parent | 474c78c26744b6921549f0c679b7507a57cfcbb9 (diff) | |
| download | linux-next-history-33aa0c8cf0657b9588f835645cbbcebe44a2a1ee.tar.gz | |
integrity: Refactor asymmetric_verify for reusability
Refactor asymmetric_verify for reusability. Have it call
asymmetric_verify_common with the signature verification key and the
public_key structure as parameters. sigv3 support for ML-DSA will need to
check the public key type first to decide how to do the signature
verification and therefore will have these parameters available for
calling asymmetric_verify_common.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Kamlesh Kumar <kam@juniper.net>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/integrity/digsig_asymmetric.c | 62 |
1 files changed, 43 insertions, 19 deletions
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c index ed171a627d182..a4eb73bba6d2d 100644 --- a/security/integrity/digsig_asymmetric.c +++ b/security/integrity/digsig_asymmetric.c @@ -79,18 +79,25 @@ static struct key *request_asymmetric_key(struct key *keyring, uint32_t keyid) return key; } -int asymmetric_verify(struct key *keyring, const char *sig, - int siglen, const char *data, int datalen) +/** + * asymmetric_verify_common -- sigv2 and sigv3 common verify function + * @key: The key to use for signature verification; caller must free it + * @pk: The associated public key; must not be NULL + * @sig: The xattr signature + * @siglen: The length of the xattr signature; must be at least + * sizeof(struct signature_v2_hdr) + * @data: The data to verify the signature on + * @datalen: Length of @data + */ +static int asymmetric_verify_common(const struct key *key, + const struct public_key *pk, + const char *sig, int siglen, + const char *data, int datalen) { - struct public_key_signature pks; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; - const struct public_key *pk; - struct key *key; + struct public_key_signature pks; int ret; - if (siglen <= sizeof(*hdr)) - return -EBADMSG; - siglen -= sizeof(*hdr); if (siglen != be16_to_cpu(hdr->sig_size)) @@ -99,19 +106,9 @@ int asymmetric_verify(struct key *keyring, const char *sig, if (hdr->hash_algo >= HASH_ALGO__LAST) return -ENOPKG; - key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid)); - if (IS_ERR(key)) - return PTR_ERR(key); - memset(&pks, 0, sizeof(pks)); pks.hash_algo = hash_algo_name[hdr->hash_algo]; - - pk = asymmetric_key_public_key(key); - if (!pk) { - ret = -ENOKEY; - goto out; - } pks.pkey_algo = pk->pkey_algo; if (!strcmp(pk->pkey_algo, "rsa")) { pks.encoding = "pkcs1"; @@ -131,11 +128,38 @@ int asymmetric_verify(struct key *keyring, const char *sig, pks.s_size = siglen; ret = verify_signature(key, &pks); out: - key_put(key); pr_debug("%s() = %d\n", __func__, ret); return ret; } +int asymmetric_verify(struct key *keyring, const char *sig, + int siglen, const char *data, int datalen) +{ + struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; + const struct public_key *pk; + struct key *key; + int ret; + + if (siglen <= sizeof(*hdr)) + return -EBADMSG; + + key = request_asymmetric_key(keyring, be32_to_cpu(hdr->keyid)); + if (IS_ERR(key)) + return PTR_ERR(key); + pk = asymmetric_key_public_key(key); + if (!pk) { + ret = -ENOKEY; + goto out; + } + + ret = asymmetric_verify_common(key, pk, sig, siglen, data, datalen); + +out: + key_put(key); + + return ret; +} + /* * calc_file_id_hash - calculate the hash of the ima_file_id struct data * @type: xattr type [enum evm_ima_xattr_type] |