ima: pass full xattr with the signature

For possibility to use xattr type for new signature formats,
pass full xattr to the signature verification function.

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 198e60903685a7034f59973f271dfef88119d17c..b4af4ebc5be284d7f2665a5266be6a5bf267a683 100644 (file)
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -44,9 +44,10 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen,
                }
        }
 
-       switch (sig[0]) {
+       switch (sig[1]) {
        case 1:
-               return digsig_verify(keyring[id], sig, siglen,
+               /* v1 API expect signature without xattr type */
+               return digsig_verify(keyring[id], sig + 1, siglen - 1,
                                     digest, digestlen);
        case 2:
                return asymmetric_verify(keyring[id], sig, siglen,

diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index af9b6852f4e1bf571b55a2010fd6ab0488119cda..336b3ddfe63f5304374f860419cd3f5251bde5b8 100644 (file)
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -123,7 +123,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
                goto out;
        }
 
-       xattr_len = rc - 1;
+       xattr_len = rc;
 
        /* check value type */
        switch (xattr_data->type) {
@@ -143,7 +143,7 @@ static enum integrity_status evm_verify_hmac(struct dentry *dentry,
                if (rc)
                        break;
                rc = integrity_digsig_verify(INTEGRITY_KEYRING_EVM,
-                                       xattr_data->digest, xattr_len,
+                                       (const char *)xattr_data, xattr_len,
                                        calc.digest, sizeof(calc.digest));
                if (!rc) {
                        /* we probably want to replace rsa with hmac here */

diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
index 00708a3052cc3e50c0f4a991e33a2a9858ddddc4..e1865a6e80ecc5d274658706d13fca3bf332dd0d 100644 (file)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -205,7 +205,7 @@ int ima_appraise_measurement(int func, struct integrity_iint_cache *iint,
        case EVM_IMA_XATTR_DIGSIG:
                iint->flags |= IMA_DIGSIG;
                rc = integrity_digsig_verify(INTEGRITY_KEYRING_IMA,
-                                            xattr_value->digest, rc - 1,
+                                            (const char *)xattr_value, rc,
                                             iint->ima_hash.digest,
                                             iint->ima_hash.length);
                if (rc == -EOPNOTSUPP) {

diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index ea2318983d97a933b15c39b5504a58f7427d2731..aead6b2b548846498b4c58bca6e05442d2d83abe 100644 (file)
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -74,6 +74,7 @@ struct ima_digest_data {
  * signature format v2 - for using with asymmetric keys
  */
 struct signature_v2_hdr {
+       uint8_t type;           /* xattr type */
        uint8_t version;        /* signature format version */
        uint8_t hash_algo;      /* Digest algorithm [enum pkey_hash_algo] */
        uint32_t keyid;         /* IMA key identifier - not X509/PGP specific */