X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=kernel%2Fmodule-verify-sig.c;h=45cb967a59180b64828699846d72b3d2e441810f;hb=97bf2856c6014879bd04983a3e9dfcdac1e7fe85;hp=23fad538d72b7f524baa2e8197dfddef3b712f6c;hpb=76828883507a47dae78837ab5dec5a5b4513c667;p=linux-2.6.git
diff --git a/kernel/module-verify-sig.c b/kernel/module-verify-sig.c
index 23fad538d..45cb967a5 100644
--- a/kernel/module-verify-sig.c
+++ b/kernel/module-verify-sig.c
@@ -48,7 +48,7 @@ do { \
 	size_t __n = (N); \
 	uint8_t *__p = (uint8_t *)(PTR); \
 	count_and_csum((C), __p, __n); \
-	crypto_digest_update_kernel((C)->digest, __p, __n); \
+	crypto_hash_update_kernel(&(C)->hash, __p, __n); \
 } while(0)
 
 #define crypto_digest_update_val(C,VAL) \
@@ -56,7 +56,7 @@ do { \
 	size_t __n = sizeof(VAL); \
 	uint8_t *__p = (uint8_t *)&(VAL); \
 	count_and_csum((C), __p, __n); \
-	crypto_digest_update_kernel((C)->digest, __p, __n); \
+	crypto_hash_update_kernel(&(C)->hash, __p, __n); \
 } while(0)
 
 static int module_verify_canonicalise(struct module_verify_data *mvdata);
@@ -73,7 +73,13 @@ static int extract_elf_rel(struct module_verify_data *mvdata,
 
 static int signedonly;
 
-/*****************************************************************************/
+static int __init sign_setup(char *str)
+{
+	signedonly = 1;
+	return 0;
+}
+__setup("enforcemodulesig", sign_setup);
+
 /*
  * verify a module's signature
  */
@@ -113,13 +119,13 @@ int module_verify_signature(struct module_verify_data *mvdata)
 	/* grab an SHA1 transformation context
 	 * - !!! if this tries to load the sha1.ko module, we will deadlock!!!
 	 */
-	mvdata->digest = crypto_alloc_tfm2("sha1", 0, 1);
-	if (!mvdata->digest) {
+	mvdata->hash.tfm = crypto_hash_cast(crypto_alloc_tfm2("sha1", 0, 1));
+	if (!mvdata->hash.tfm) {
 		printk("Couldn't load module - SHA1 transform unavailable\n");
 		return -EPERM;
 	}
 
-	crypto_digest_init(mvdata->digest);
+	crypto_hash_init(&mvdata->hash);
 
 #ifdef MODSIGN_DEBUG
 	mvdata->xcsum = 0;
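Review bot: sign_setup ends with `return 0;`, but a `__setup()` handler reports that it consumed the boot option by returning non-zero; as far as I recall of the kernel's boot-option parsing, a zero return makes the core treat `enforcemodulesig` as an unrecognised option and hand it on to init's argument list. The `signedonly` flag is still set, so enforcement itself works, which is why this has gone unnoticed. Change the line to `return 1;`. The unused `str` parameter is normal for a flag-only option. This hunk only relocates the function from the end of the file (its removal is in the last hunk), so the defect predates the commit.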
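Review bot: Only `mvdata->hash.tfm` is assigned on the added line; `struct hash_desc` also carries a `flags` member that hash implementations may consult, so unless the caller zeroes `mvdata` before this function runs (not visible here), the flags handed to `crypto_hash_init(&mvdata->hash)` are whatever happened to be in that memory. Adding `mvdata->hash.flags = 0;` beside the tfm assignment removes that dependence on the caller. The unchanged `printk("Couldn't load module - SHA1 transform unavailable\n")` in the same error path still has no log level while the rest of this commit moves its messages to KERN_ERR; `printk(KERN_ERR "Couldn't load module - SHA1 transform unavailable\n");` keeps the module consistent. module_verify_signature begins before this hunk and continues after it.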
@@ -200,28 +206,39 @@ int module_verify_signature(struct module_verify_data *mvdata)
 	       mvdata->signed_size, mvdata->xcsum);
 
 	/* do the actual signature verification */
-	i = ksign_verify_signature(sig, sig_size, mvdata->digest);
-
-	_debug("verify-sig : %d\n", i);
+	ret = ksign_verify_signature(sig, sig_size, mvdata->hash.tfm);
+
+	_debug("verify-sig : %d\n", ret);
+
+	switch (ret) {
+	case 0:			/* good signature */
+		ret = 1;
+		break;
+	case -EKEYREJECTED:	/* signature mismatch or number format error */
+		printk(KERN_ERR "Module signature verification failed\n");
+		break;
+	case -ENOKEY:		/* signed, but we don't have the public key */
+		printk(KERN_ERR "Module signed with unknown public key\n");
+		break;
+	default:		/* other error (probably ENOMEM) */
+		break;
+	}
 
-	if (i == 0)
-		i = 1;
-	return i;
+	return ret;
 
-	format_error:
-	crypto_free_tfm(mvdata->digest);
+format_error:
+	crypto_free_hash(mvdata->hash.tfm);
+	printk(KERN_ERR "Module format error encountered\n");
 	return -ELIBBAD;
 
 	/* deal with the case of an unsigned module */
-	no_signature:
+no_signature:
 	if (!signedonly)
 		return 0;
-	printk("An attempt to load unsigned module was rejected\n");
-	return -EPERM;
-
-} /* end module_verify_signature() */
+	printk(KERN_ERR "An attempt to load unsigned module was rejected\n");
+	return -EKEYREJECTED;
+}
 
-/*****************************************************************************/
 /*
  * canonicalise the section table index numbers
  */
@@ -277,12 +294,10 @@ static int module_verify_canonicalise(struct module_verify_data *mvdata)
 		mvdata->canonmap[mvdata->canonlist[loop]] = loop + 1;
 
 	return 0;
+}
 
-} /* end module_verify_canonicalise() */
-
-/*****************************************************************************/
 /*
- * extract a RELA table
+ * extract an ELF RELA table
  * - need to canonicalise the entries in case section addition/removal has
  *   rearranged the symbol table and the section table
  */
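Review bot: After `ret = ksign_verify_signature(sig, sig_size, mvdata->hash.tfm);` the hash transform is not released on any outcome of the new switch; the only `crypto_free_hash(mvdata->hash.tfm)` in the function sits on the `format_error:` path. Unless ksign_verify_signature takes ownership of the tfm (its contract is not visible in this diff), every verified, rejected or ENOMEM-failed load leaks a crypto_hash allocation, and the fix is `crypto_free_hash(mvdata->hash.tfm);` immediately before `return ret;`. The rewritten tail also fixes the function's result contract — 1 for a good signature, 0 for an unsigned module when enforcement is off, -EKEYREJECTED, -ENOKEY, -ELIBBAD or another negative errno otherwise — yet the header comment above the function still says only "verify a module's signature"; spell out that three-way return there so callers do not treat any non-zero value as failure. module_verify_signature begins before this hunk.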
@@ -357,11 +372,12 @@ static int extract_elf_rela(struct module_verify_data *mvdata,
 	       mvdata->signed_size, mvdata->csum, sh_name, nrels);
 
 	return 0;
-} /* end extract_elf_rela() */
+}
 
-/*****************************************************************************/
 /*
- *
+ * extract an ELF REL table
+ * - need to canonicalise the entries in case section addition/removal has
+ *   rearranged the symbol table and the section table
  */
 static int extract_elf_rel(struct module_verify_data *mvdata,
 			   int secix,
@@ -431,11 +447,4 @@ static int extract_elf_rel(struct module_verify_data *mvdata,
 	       mvdata->signed_size, mvdata->csum, sh_name, nrels);
 
 	return 0;
-} /* end extract_elf_rel() */
-
-static int __init sign_setup(char *str)
-{
-	signedonly = 1;
-	return 0;
 }
-__setup("enforcemodulesig", sign_setup);