mirror of
https://github.com/torvalds/linux.git
synced 2024-12-05 10:32:35 +00:00
16ab7cb582
Removes support for sha1 signed kernel modules, importing sha1 signed x.509 certificates. rsa-pkcs1pad keeps sha1 padding support, which seems to be used by virtio driver. sha1 remains available as there are many drivers and subsystems using it. Note only hmac(sha1) with secret keys remains cryptographically secure. In the kernel there are filesystems, IMA, tpm/pcr that appear to be using sha1. Maybe they can all start to be slowly upgraded to something else i.e. blake3, ParallelHash, SHAKE256 as needed. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
160 lines
4.4 KiB
C
160 lines
4.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* Signature verification with an asymmetric key
|
|
*
|
|
* See Documentation/crypto/asymmetric-keys.rst
|
|
*
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "SIG: "fmt
|
|
#include <keys/asymmetric-subtype.h>
|
|
#include <linux/export.h>
|
|
#include <linux/err.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/keyctl.h>
|
|
#include <crypto/public_key.h>
|
|
#include <keys/user-type.h>
|
|
#include "asymmetric_keys.h"
|
|
|
|
/*
|
|
* Destroy a public key signature.
|
|
*/
|
|
void public_key_signature_free(struct public_key_signature *sig)
|
|
{
|
|
int i;
|
|
|
|
if (sig) {
|
|
for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
|
|
kfree(sig->auth_ids[i]);
|
|
kfree(sig->s);
|
|
kfree(sig->digest);
|
|
kfree(sig);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(public_key_signature_free);
|
|
|
|
/**
|
|
* query_asymmetric_key - Get information about an asymmetric key.
|
|
* @params: Various parameters.
|
|
* @info: Where to put the information.
|
|
*/
|
|
int query_asymmetric_key(const struct kernel_pkey_params *params,
|
|
struct kernel_pkey_query *info)
|
|
{
|
|
const struct asymmetric_key_subtype *subtype;
|
|
struct key *key = params->key;
|
|
int ret;
|
|
|
|
pr_devel("==>%s()\n", __func__);
|
|
|
|
if (key->type != &key_type_asymmetric)
|
|
return -EINVAL;
|
|
subtype = asymmetric_key_subtype(key);
|
|
if (!subtype ||
|
|
!key->payload.data[0])
|
|
return -EINVAL;
|
|
if (!subtype->query)
|
|
return -ENOTSUPP;
|
|
|
|
ret = subtype->query(params, info);
|
|
|
|
pr_devel("<==%s() = %d\n", __func__, ret);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(query_asymmetric_key);
|
|
|
|
/**
|
|
* encrypt_blob - Encrypt data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @data: Data blob to be encrypted, length params->data_len
|
|
* @enc: Encrypted data buffer, length params->enc_len
|
|
*
|
|
* Encrypt the specified data blob using the private key specified by
|
|
* params->key. The encrypted data is wrapped in an encoding if
|
|
* params->encoding is specified (eg. "pkcs1").
|
|
*
|
|
* Returns the length of the data placed in the encrypted data buffer or an
|
|
* error.
|
|
*/
|
|
int encrypt_blob(struct kernel_pkey_params *params,
|
|
const void *data, void *enc)
|
|
{
|
|
params->op = kernel_pkey_encrypt;
|
|
return asymmetric_key_eds_op(params, data, enc);
|
|
}
|
|
EXPORT_SYMBOL_GPL(encrypt_blob);
|
|
|
|
/**
|
|
* decrypt_blob - Decrypt data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @enc: Encrypted data to be decrypted, length params->enc_len
|
|
* @data: Decrypted data buffer, length params->data_len
|
|
*
|
|
* Decrypt the specified data blob using the private key specified by
|
|
* params->key. The decrypted data is wrapped in an encoding if
|
|
* params->encoding is specified (eg. "pkcs1").
|
|
*
|
|
* Returns the length of the data placed in the decrypted data buffer or an
|
|
* error.
|
|
*/
|
|
int decrypt_blob(struct kernel_pkey_params *params,
|
|
const void *enc, void *data)
|
|
{
|
|
params->op = kernel_pkey_decrypt;
|
|
return asymmetric_key_eds_op(params, enc, data);
|
|
}
|
|
EXPORT_SYMBOL_GPL(decrypt_blob);
|
|
|
|
/**
|
|
* create_signature - Sign some data using an asymmetric key
|
|
* @params: Various parameters
|
|
* @data: Data blob to be signed, length params->data_len
|
|
* @enc: Signature buffer, length params->enc_len
|
|
*
|
|
* Sign the specified data blob using the private key specified by params->key.
|
|
* The signature is wrapped in an encoding if params->encoding is specified
|
|
* (eg. "pkcs1"). If the encoding needs to know the digest type, this can be
|
|
* passed through params->hash_algo (eg. "sha512").
|
|
*
|
|
* Returns the length of the data placed in the signature buffer or an error.
|
|
*/
|
|
int create_signature(struct kernel_pkey_params *params,
|
|
const void *data, void *enc)
|
|
{
|
|
params->op = kernel_pkey_sign;
|
|
return asymmetric_key_eds_op(params, data, enc);
|
|
}
|
|
EXPORT_SYMBOL_GPL(create_signature);
|
|
|
|
/**
|
|
* verify_signature - Initiate the use of an asymmetric key to verify a signature
|
|
* @key: The asymmetric key to verify against
|
|
* @sig: The signature to check
|
|
*
|
|
* Returns 0 if successful or else an error.
|
|
*/
|
|
int verify_signature(const struct key *key,
|
|
const struct public_key_signature *sig)
|
|
{
|
|
const struct asymmetric_key_subtype *subtype;
|
|
int ret;
|
|
|
|
pr_devel("==>%s()\n", __func__);
|
|
|
|
if (key->type != &key_type_asymmetric)
|
|
return -EINVAL;
|
|
subtype = asymmetric_key_subtype(key);
|
|
if (!subtype ||
|
|
!key->payload.data[0])
|
|
return -EINVAL;
|
|
if (!subtype->verify_signature)
|
|
return -ENOTSUPP;
|
|
|
|
ret = subtype->verify_signature(key, sig);
|
|
|
|
pr_devel("<==%s() = %d\n", __func__, ret);
|
|
return ret;
|
|
}
|
|
EXPORT_SYMBOL_GPL(verify_signature);
|