Message ID | 20181115212945.24690-1-yauheni.kaliuta@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | signature: do not report wrong data for pkc#7 signature | expand |
On 11/15/18 1:29 PM, Yauheni Kaliuta wrote: > when PKC#7 signing method is used the old structure doesn't contain > any useful data, but the data are encoded in the certificate. > > The info getting/showing code is not aware of that at the moment and > since 0 is a valid constant, shows, for example, wrong "md4" for the > hash algo. > > The patch splits the 2 mothods of gethering the info and reports > "unknown" for the algo. > > Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com> > --- > libkmod/libkmod-module.c | 2 +- > libkmod/libkmod-signature.c | 69 +++++++++++++++++++++++++++---------- > 2 files changed, 52 insertions(+), 19 deletions(-) > > diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c > index ee420f4ec2bf..889f26479a98 100644 > --- a/libkmod/libkmod-module.c > +++ b/libkmod/libkmod-module.c > @@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_ > struct kmod_elf *elf; > char **strings; > int i, count, ret = -ENOMEM; > - struct kmod_signature_info sig_info; > + struct kmod_signature_info sig_info = {}; > > if (mod == NULL || list == NULL) > return -ENOENT; > diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c > index 1f3e26dea203..2ec2dc1a1a73 100644 > --- a/libkmod/libkmod-signature.c > +++ b/libkmod/libkmod-signature.c > @@ -92,6 +92,44 @@ struct module_signature { > uint32_t sig_len; /* Length of signature data (big endian) */ > }; > > +static bool > +kmod_module_signature_info_default(const char *mem, > + off_t size, > + const struct module_signature *modsig, > + size_t sig_len, > + struct kmod_signature_info *sig_info) > +{ > + size -= sig_len; > + sig_info->sig = mem + size; > + sig_info->sig_len = sig_len; > + > + size -= modsig->key_id_len; > + sig_info->key_id = mem + size; > + sig_info->key_id_len = modsig->key_id_len; > + > + size -= modsig->signer_len; > + sig_info->signer = mem + size; > + sig_info->signer_len = modsig->signer_len; > + > + sig_info->algo = pkey_algo[modsig->algo]; > + sig_info->hash_algo = pkey_hash_algo[modsig->hash]; > + sig_info->id_type = pkey_id_type[modsig->id_type]; > + > + return true; > +} > + > +static bool > +kmod_module_signature_info_pkcs7(const char *mem, I miss a verb in these function names. Those seem more reasonable: static bool fill_default() { } static bool fill_unknown() { } Otherwise looks good. thanks Lucas De Marchi > + off_t size, > + const struct module_signature *modsig, > + size_t sig_len, > + struct kmod_signature_info *sig_info) > +{ > + sig_info->hash_algo = "unknown"; > + sig_info->id_type = pkey_id_type[modsig->id_type]; > + return true; > +} > + > #define SIG_MAGIC "~Module signature appended~\n" > > /* > @@ -111,7 +149,7 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat > off_t size; > const struct module_signature *modsig; > size_t sig_len; > - > + bool ret; > > size = kmod_file_get_size(file); > mem = kmod_file_get_contents(file); > @@ -134,21 +172,16 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat > size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len)) > return false; > > - size -= sig_len; > - sig_info->sig = mem + size; > - sig_info->sig_len = sig_len; > - > - size -= modsig->key_id_len; > - sig_info->key_id = mem + size; > - sig_info->key_id_len = modsig->key_id_len; > - > - size -= modsig->signer_len; > - sig_info->signer = mem + size; > - sig_info->signer_len = modsig->signer_len; > - > - sig_info->algo = pkey_algo[modsig->algo]; > - sig_info->hash_algo = pkey_hash_algo[modsig->hash]; > - sig_info->id_type = pkey_id_type[modsig->id_type]; > - > - return true; > + switch (modsig->id_type) { > + case PKEY_ID_PKCS7: > + ret = kmod_module_signature_info_pkcs7(mem, size, > + modsig, sig_len, > + sig_info); > + break; > + default: > + ret = kmod_module_signature_info_default(mem, size, > + modsig, sig_len, > + sig_info); > + } > + return ret; > } >
diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c index ee420f4ec2bf..889f26479a98 100644 --- a/libkmod/libkmod-module.c +++ b/libkmod/libkmod-module.c @@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_ struct kmod_elf *elf; char **strings; int i, count, ret = -ENOMEM; - struct kmod_signature_info sig_info; + struct kmod_signature_info sig_info = {}; if (mod == NULL || list == NULL) return -ENOENT; diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index 1f3e26dea203..2ec2dc1a1a73 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -92,6 +92,44 @@ struct module_signature { uint32_t sig_len; /* Length of signature data (big endian) */ }; +static bool +kmod_module_signature_info_default(const char *mem, + off_t size, + const struct module_signature *modsig, + size_t sig_len, + struct kmod_signature_info *sig_info) +{ + size -= sig_len; + sig_info->sig = mem + size; + sig_info->sig_len = sig_len; + + size -= modsig->key_id_len; + sig_info->key_id = mem + size; + sig_info->key_id_len = modsig->key_id_len; + + size -= modsig->signer_len; + sig_info->signer = mem + size; + sig_info->signer_len = modsig->signer_len; + + sig_info->algo = pkey_algo[modsig->algo]; + sig_info->hash_algo = pkey_hash_algo[modsig->hash]; + sig_info->id_type = pkey_id_type[modsig->id_type]; + + return true; +} + +static bool +kmod_module_signature_info_pkcs7(const char *mem, + off_t size, + const struct module_signature *modsig, + size_t sig_len, + struct kmod_signature_info *sig_info) +{ + sig_info->hash_algo = "unknown"; + sig_info->id_type = pkey_id_type[modsig->id_type]; + return true; +} + #define SIG_MAGIC "~Module signature appended~\n" /* @@ -111,7 +149,7 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat off_t size; const struct module_signature *modsig; size_t sig_len; - + bool ret; size = kmod_file_get_size(file); mem = kmod_file_get_contents(file); @@ -134,21 +172,16 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len)) return false; - size -= sig_len; - sig_info->sig = mem + size; - sig_info->sig_len = sig_len; - - size -= modsig->key_id_len; - sig_info->key_id = mem + size; - sig_info->key_id_len = modsig->key_id_len; - - size -= modsig->signer_len; - sig_info->signer = mem + size; - sig_info->signer_len = modsig->signer_len; - - sig_info->algo = pkey_algo[modsig->algo]; - sig_info->hash_algo = pkey_hash_algo[modsig->hash]; - sig_info->id_type = pkey_id_type[modsig->id_type]; - - return true; + switch (modsig->id_type) { + case PKEY_ID_PKCS7: + ret = kmod_module_signature_info_pkcs7(mem, size, + modsig, sig_len, + sig_info); + break; + default: + ret = kmod_module_signature_info_default(mem, size, + modsig, sig_len, + sig_info); + } + return ret; }
when PKC#7 signing method is used the old structure doesn't contain any useful data, but the data are encoded in the certificate. The info getting/showing code is not aware of that at the moment and since 0 is a valid constant, shows, for example, wrong "md4" for the hash algo. The patch splits the 2 mothods of gethering the info and reports "unknown" for the algo. Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com> --- libkmod/libkmod-module.c | 2 +- libkmod/libkmod-signature.c | 69 +++++++++++++++++++++++++++---------- 2 files changed, 52 insertions(+), 19 deletions(-)