1
2
3
4
5
6
7
8#include <linux/kernel.h>
9#include <linux/errno.h>
10#include <linux/string.h>
11#include <linux/verification.h>
12#include <crypto/public_key.h>
13#include "module-internal.h"
14
15enum pkey_id_type {
16 PKEY_ID_PGP,
17 PKEY_ID_X509,
18 PKEY_ID_PKCS7,
19};
20
21
22
23
24
25
26
27
28
29
30
31struct module_signature {
32 u8 algo;
33 u8 hash;
34 u8 id_type;
35 u8 signer_len;
36 u8 key_id_len;
37 u8 __pad[3];
38 __be32 sig_len;
39};
40
41
42
43
44int mod_verify_sig(const void *mod, struct load_info *info)
45{
46 struct module_signature ms;
47 size_t sig_len, modlen = info->len;
48
49 pr_devel("==>%s(,%zu)\n", __func__, modlen);
50
51 if (modlen <= sizeof(ms))
52 return -EBADMSG;
53
54 memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms));
55 modlen -= sizeof(ms);
56
57 sig_len = be32_to_cpu(ms.sig_len);
58 if (sig_len >= modlen)
59 return -EBADMSG;
60 modlen -= sig_len;
61 info->len = modlen;
62
63 if (ms.id_type != PKEY_ID_PKCS7) {
64 pr_err("%s: Module is not signed with expected PKCS#7 message\n",
65 info->name);
66 return -ENOPKG;
67 }
68
69 if (ms.algo != 0 ||
70 ms.hash != 0 ||
71 ms.signer_len != 0 ||
72 ms.key_id_len != 0 ||
73 ms.__pad[0] != 0 ||
74 ms.__pad[1] != 0 ||
75 ms.__pad[2] != 0) {
76 pr_err("%s: PKCS#7 signature info has unexpected non-zero params\n",
77 info->name);
78 return -EBADMSG;
79 }
80
81 return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
82 VERIFY_USE_SECONDARY_KEYRING,
83 VERIFYING_MODULE_SIGNATURE,
84 NULL, NULL);
85}
86