X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=crypto%2Fsignature%2Fksign.c;h=b62eb38bebfc321d78b918fcbf501d63df3c451a;hb=refs%2Fheads%2Fvserver;hp=b4adcfb7cc26cfe956d16d9333d58e50be9b4c8c;hpb=76828883507a47dae78837ab5dec5a5b4513c667;p=linux-2.6.git diff --git a/crypto/signature/ksign.c b/crypto/signature/ksign.c index b4adcfb7c..b62eb38be 100644 --- a/crypto/signature/ksign.c +++ b/crypto/signature/ksign.c @@ -19,14 +19,14 @@ #define _debug(FMT, ...) do { ; } while (0) #endif -/*****************************************************************************/ /* * check the signature which is contained in SIG. */ static int ksign_signature_check(const struct ksign_signature *sig, - struct crypto_tfm *sha1_tfm) + struct crypto_hash *sha1_tfm) { struct ksign_public_key *pk; + struct hash_desc sha1_d; uint8_t sha1[SHA1_DIGEST_SIZE]; MPI result = NULL; int rc = 0; @@ -36,7 +36,7 @@ static int ksign_signature_check(const struct ksign_signature *sig, printk("ksign: module signed with unknown public key\n"); printk("- signature keyid: %08x%08x ver=%u\n", sig->keyid[0], sig->keyid[1], sig->version); - return -EPERM; + return -ENOKEY; } if (pk->timestamp > sig->timestamp) @@ -44,26 +44,29 @@ static int ksign_signature_check(const struct ksign_signature *sig, " public key is %lu seconds newer than the signature\n", pk->timestamp - sig->timestamp); + sha1_d.tfm = sha1_tfm; + sha1_d.flags = 0; + /* complete the digest */ if (sig->version >= 4) - SHA1_putc(sha1_tfm, sig->version); - SHA1_putc(sha1_tfm, sig->sig_class); + SHA1_putc(&sha1_d, sig->version); + SHA1_putc(&sha1_d, sig->sig_class); if (sig->version < 4) { u32 a = sig->timestamp; - SHA1_putc(sha1_tfm, (a >> 24) & 0xff); - SHA1_putc(sha1_tfm, (a >> 16) & 0xff); - SHA1_putc(sha1_tfm, (a >> 8) & 0xff); - SHA1_putc(sha1_tfm, (a >> 0) & 0xff); + SHA1_putc(&sha1_d, (a >> 24) & 0xff); + SHA1_putc(&sha1_d, (a >> 16) & 0xff); + SHA1_putc(&sha1_d, (a >> 8) & 0xff); + SHA1_putc(&sha1_d, (a >> 0) & 0xff); } else { uint8_t buf[6]; size_t n; - SHA1_putc(sha1_tfm, PUBKEY_ALGO_DSA); - SHA1_putc(sha1_tfm, DIGEST_ALGO_SHA1); + SHA1_putc(&sha1_d, PUBKEY_ALGO_DSA); + SHA1_putc(&sha1_d, DIGEST_ALGO_SHA1); if (sig->hashed_data) { n = (sig->hashed_data[0] << 8) | sig->hashed_data[1]; - SHA1_write(sha1_tfm, sig->hashed_data, n + 2); + SHA1_write(&sha1_d, sig->hashed_data, n + 2); n += 6; } else { @@ -77,19 +80,15 @@ static int ksign_signature_check(const struct ksign_signature *sig, buf[3] = n >> 16; buf[4] = n >> 8; buf[5] = n; - SHA1_write(sha1_tfm, buf, 6); + SHA1_write(&sha1_d, buf, 6); } - crypto_digest_final(sha1_tfm, sha1); - crypto_free_tfm(sha1_tfm); - - - - - + crypto_hash_final(&sha1_d, sha1); + crypto_free_hash(sha1_tfm); rc = -ENOMEM; - result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB); + result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) / + BYTES_PER_MPI_LIMB); if (!result) goto cleanup; @@ -104,9 +103,8 @@ static int ksign_signature_check(const struct ksign_signature *sig, ksign_put_public_key(pk); return rc; -} /* end ksign_signature_check() */ +} -/*****************************************************************************/ /* * examine the signatures that are parsed out of the signature data - we keep * the first one that's appropriate and ignore the rest @@ -128,9 +126,8 @@ static int ksign_grab_signature(struct ksign_signature *sig, void *fnxdata) *_sig = sig; return 0; -} /* end ksign_grab_signature() */ +} -/*****************************************************************************/ /* * verify the signature of some data with one of the kernel's known public keys * - the SHA1 context should be currently open with the signed data digested @@ -138,7 +135,7 @@ static int ksign_grab_signature(struct ksign_signature *sig, void *fnxdata) * - the SHA1 context is finalised and freed before returning */ int ksign_verify_signature(const char *sigdata, unsigned sig_size, - struct crypto_tfm *sha1) + struct crypto_hash *sha1) { struct ksign_signature *sig = NULL; int retval; @@ -151,7 +148,8 @@ int ksign_verify_signature(const char *sigdata, unsigned sig_size, goto cleanup; if (!sig) { - printk("Couldn't find valid DSA signature in module\n"); + printk(KERN_NOTICE + "Couldn't find valid DSA signature in module\n"); return -ENOENT; } @@ -160,15 +158,18 @@ int ksign_verify_signature(const char *sigdata, unsigned sig_size, /* check the data SHA1 transformation against the public key */ retval = ksign_signature_check(sig, sha1); - if (retval == 0) { + switch (retval) { + case 0: _debug("ksign: Signature check succeeded\n"); - } - else if (retval != -ENOMEM) { - _debug("ksign: Signature check failed\n"); - retval = -EPERM; - } - else { + break; + case -ENOMEM: _debug("ksign: Signature check ENOMEM\n"); + break; + default: + _debug("ksign: Signature check failed\n"); + if (retval != -ENOKEY) + retval = -EKEYREJECTED; + break; } cleanup: @@ -176,4 +177,4 @@ int ksign_verify_signature(const char *sigdata, unsigned sig_size, ksign_free_signature(sig); return retval; -} /* end ksign_verify_signature() */ +}