#define _debug(FMT, ...) do { ; } while (0)
#endif
-/*****************************************************************************/
/*
* check the signature which is contained in SIG.
*/
static int ksign_signature_check(const struct ksign_signature *sig,
- struct crypto_tfm *sha1_tfm)
+ struct crypto_hash *sha1_tfm)
{
struct ksign_public_key *pk;
+ struct hash_desc sha1_d;
uint8_t sha1[SHA1_DIGEST_SIZE];
MPI result = NULL;
int rc = 0;
printk("ksign: module signed with unknown public key\n");
printk("- signature keyid: %08x%08x ver=%u\n",
sig->keyid[0], sig->keyid[1], sig->version);
- return -EPERM;
+ return -ENOKEY;
}
if (pk->timestamp > sig->timestamp)
" public key is %lu seconds newer than the signature\n",
pk->timestamp - sig->timestamp);
+ sha1_d.tfm = sha1_tfm;
+ sha1_d.flags = 0;
+
/* complete the digest */
if (sig->version >= 4)
- SHA1_putc(sha1_tfm, sig->version);
- SHA1_putc(sha1_tfm, sig->sig_class);
+ SHA1_putc(&sha1_d, sig->version);
+ SHA1_putc(&sha1_d, sig->sig_class);
if (sig->version < 4) {
u32 a = sig->timestamp;
- SHA1_putc(sha1_tfm, (a >> 24) & 0xff);
- SHA1_putc(sha1_tfm, (a >> 16) & 0xff);
- SHA1_putc(sha1_tfm, (a >> 8) & 0xff);
- SHA1_putc(sha1_tfm, (a >> 0) & 0xff);
+ SHA1_putc(&sha1_d, (a >> 24) & 0xff);
+ SHA1_putc(&sha1_d, (a >> 16) & 0xff);
+ SHA1_putc(&sha1_d, (a >> 8) & 0xff);
+ SHA1_putc(&sha1_d, (a >> 0) & 0xff);
}
else {
uint8_t buf[6];
size_t n;
- SHA1_putc(sha1_tfm, PUBKEY_ALGO_DSA);
- SHA1_putc(sha1_tfm, DIGEST_ALGO_SHA1);
+ SHA1_putc(&sha1_d, PUBKEY_ALGO_DSA);
+ SHA1_putc(&sha1_d, DIGEST_ALGO_SHA1);
if (sig->hashed_data) {
n = (sig->hashed_data[0] << 8) | sig->hashed_data[1];
- SHA1_write(sha1_tfm, sig->hashed_data, n + 2);
+ SHA1_write(&sha1_d, sig->hashed_data, n + 2);
n += 6;
}
else {
buf[3] = n >> 16;
buf[4] = n >> 8;
buf[5] = n;
- SHA1_write(sha1_tfm, buf, 6);
+ SHA1_write(&sha1_d, buf, 6);
}
- crypto_digest_final(sha1_tfm, sha1);
- crypto_free_tfm(sha1_tfm);
-
-
-
-
-
+ crypto_hash_final(&sha1_d, sha1);
+ crypto_free_hash(sha1_tfm);
rc = -ENOMEM;
- result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB);
+ result = mpi_alloc((SHA1_DIGEST_SIZE + BYTES_PER_MPI_LIMB - 1) /
+ BYTES_PER_MPI_LIMB);
if (!result)
goto cleanup;
ksign_put_public_key(pk);
return rc;
-} /* end ksign_signature_check() */
+}
-/*****************************************************************************/
/*
* examine the signatures that are parsed out of the signature data - we keep
* the first one that's appropriate and ignore the rest
*_sig = sig;
return 0;
-} /* end ksign_grab_signature() */
+}
-/*****************************************************************************/
/*
* verify the signature of some data with one of the kernel's known public keys
* - the SHA1 context should be currently open with the signed data digested
* - the SHA1 context is finalised and freed before returning
*/
int ksign_verify_signature(const char *sigdata, unsigned sig_size,
- struct crypto_tfm *sha1)
+ struct crypto_hash *sha1)
{
struct ksign_signature *sig = NULL;
int retval;
goto cleanup;
if (!sig) {
- printk("Couldn't find valid DSA signature in module\n");
+ printk(KERN_NOTICE
+ "Couldn't find valid DSA signature in module\n");
return -ENOENT;
}
/* check the data SHA1 transformation against the public key */
retval = ksign_signature_check(sig, sha1);
- if (retval == 0) {
+ switch (retval) {
+ case 0:
_debug("ksign: Signature check succeeded\n");
- }
- else if (retval != -ENOMEM) {
- _debug("ksign: Signature check failed\n");
- retval = -EPERM;
- }
- else {
+ break;
+ case -ENOMEM:
_debug("ksign: Signature check ENOMEM\n");
+ break;
+ default:
+ _debug("ksign: Signature check failed\n");
+ if (retval != -ENOKEY)
+ retval = -EKEYREJECTED;
+ break;
}
cleanup:
ksign_free_signature(sig);
return retval;
-} /* end ksign_verify_signature() */
+}