Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp16474pxb; Fri, 5 Mar 2021 13:04:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJzY9tloIfIZTPXaM82q688TYCcpl+VcWeeReMZczaUxB0KYoq39yxLpZDKImX3JrkvDbqsC X-Received: by 2002:a05:6402:11c6:: with SMTP id j6mr11451885edw.138.1614978245121; Fri, 05 Mar 2021 13:04:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614978245; cv=none; d=google.com; s=arc-20160816; b=QBRLoDDYF0y/5ck4OIlSHCgynGTUAigj2nE44GF7RhOM0QqhJuDJdapp5yzeSXdMmT ROf8Ug1zJ7aW7yxwkPwKk7EIbfoY+LCb22T5lGi0RXekiGJwKLBAf1TiQ2nbmK8Ec2wH 6Wmtf+054F1CaS+YDjVm7TNqvGxLBnuz2Lur/gt2U3VsFUtVVnUmNClcEix7NY6x1Qm7 gWwVOKhljGl68OtOQbiSC4Gb5kEhM6wsGmS8DRWSSqw/a6a8xczYjnDosCec/SySw++G cCbOuKFQTl4Bq8kXTiy19xMDjnXCoQAqT19ZxwHUgiP1GOVi1hUVqnWCFBkAnnyJgQw1 /lVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=MXfCX1wk9BIZ68gGWhcDaFwNYVRHvKY3ZF4SIXiWy20=; b=I61z/D5JSPHNxQ9O63GBHyk+Ji0o0lbn6wlmUcxfW3GsNTQVQeZyvxpT6En/YA1qAD N6W7/r0pemh5koG/ICLYeN0VePPvzPlrzyua2+UjvfMsVMfX8Ham/2FKb6AXzEa2R8o7 NIHBmSYB4SQa6e8i9piGOHdea3kNl44cdSb/7Y9gQYlwsmIdhexhdR6DVySIxK3wEIdS 2DXGdiJivMJv5R4gj1Hl4PObTmXa3sc0C/X9N8dtwhtgurLralUfSM92IH41CzrzRgc9 B1Ag4WMR5zlfm4cJeYOlX9TjsqSeUL635FDdUQ3KPD7ZJsCXZwVL1PSAlPf95nJs/8QI 91Ew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=FY7YV2vF; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id be2si2337567edb.153.2021.03.05.13.03.37; Fri, 05 Mar 2021 13:04:05 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ibm.com header.s=pp1 header.b=FY7YV2vF; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230027AbhCEVA0 (ORCPT + 99 others); Fri, 5 Mar 2021 16:00:26 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:40772 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229697AbhCEVAT (ORCPT ); Fri, 5 Mar 2021 16:00:19 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 125KXLht106243; Fri, 5 Mar 2021 16:00:11 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=pp1; bh=MXfCX1wk9BIZ68gGWhcDaFwNYVRHvKY3ZF4SIXiWy20=; b=FY7YV2vFs89mzhDHL1LAHoYTJ596KLRBS7L7B8E20nCxCa7dG1BIwa9vEpQ+IkQOWuhQ K7akISMo/V2+M6vyej7HSde156UZx4iDyW/lWPeLJMy4pzs9tHBXRJiyqCRBE3WXBgJk lRvsUHjNm3SUDE71HprdfcY76Tc6DuRefD9+gzXoLoOCqcHBsX3nLekzmMThu/c4tbKP 5mlfkWyxfIEjWU7XVE/uHX23u4XVJNdQZsP36Kfb772mIEskggFXuP2aMIjRVEzXeEvT wGjRaeq2Qb58jpsbfFZEWhW0ed5OpiI20P5J4NFLv4qCAf60zX58yqE3kJyr3tr/CX2Z ng== Received: from pps.reinject (localhost [127.0.0.1]) by mx0a-001b2d01.pphosted.com with ESMTP id 373u6e9ccw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 05 Mar 2021 16:00:10 -0500 Received: from m0098421.ppops.net (m0098421.ppops.net [127.0.0.1]) by pps.reinject (8.16.0.43/8.16.0.43) with SMTP id 125KXVIf106918; Fri, 5 Mar 2021 16:00:10 -0500 Received: from ppma03dal.us.ibm.com (b.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.11]) by mx0a-001b2d01.pphosted.com with ESMTP id 373u6e9ccb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 05 Mar 2021 16:00:10 -0500 Received: from pps.filterd (ppma03dal.us.ibm.com [127.0.0.1]) by ppma03dal.us.ibm.com (8.16.0.42/8.16.0.42) with SMTP id 125KqNRx014061; Fri, 5 Mar 2021 21:00:09 GMT Received: from b03cxnp07027.gho.boulder.ibm.com (b03cxnp07027.gho.boulder.ibm.com [9.17.130.14]) by ppma03dal.us.ibm.com with ESMTP id 3720r14beg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 05 Mar 2021 21:00:09 +0000 Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp07027.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 125L07n019988988 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 5 Mar 2021 21:00:07 GMT Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8ECE2BE054; Fri, 5 Mar 2021 21:00:07 +0000 (GMT) Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A2347BE05B; Fri, 5 Mar 2021 21:00:06 +0000 (GMT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP; Fri, 5 Mar 2021 21:00:06 +0000 (GMT) From: Stefan Berger To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, davem@davemloft.net, herbert@gondor.apana.org.au, dhowells@redhat.com, zohar@linux.ibm.com, jarkko@kernel.org Cc: linux-kernel@vger.kernel.org, patrick@puiterwijk.org, linux-integrity@vger.kernel.org, Stefan Berger , Dmitry Kasatkin , Vitaly Chikunov , Tianjia Zhang Subject: [PATCH v11 08/10] ima: Support EC keys for signature verification Date: Fri, 5 Mar 2021 15:59:54 -0500 Message-Id: <20210305205956.3594375-9-stefanb@linux.vnet.ibm.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20210305205956.3594375-1-stefanb@linux.vnet.ibm.com> References: <20210305205956.3594375-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369,18.0.761 definitions=2021-03-05_14:2021-03-03,2021-03-05 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=999 spamscore=0 impostorscore=0 malwarescore=0 phishscore=0 priorityscore=1501 adultscore=0 mlxscore=0 clxscore=1015 lowpriorityscore=0 suspectscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103050103 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Stefan Berger Add support for IMA signature verification for EC keys. Since SHA type of hashes can be used by RSA and ECDSA signature schemes we need to look at the key and derive from the key which signature scheme to use. Since this can be applied to all types of keys, we change the selection of the encoding type to be driven by the key's signature scheme rather than by the hash type. Cc: Dmitry Kasatkin Cc: linux-integrity@vger.kernel.org Cc: David Howells Cc: keyrings@vger.kernel.org Signed-off-by: Stefan Berger Reviewed-by: Vitaly Chikunov Reviewed-by: Tianjia Zhang Acked-by: Mimi Zohar --- v7->v8: - use strncmp to check for 'ecdsa-' to match 'ecdsa-nist-p192' and 'ecdsa-nist-p256' key types; previously they were just 'ecdsa' --- include/keys/asymmetric-type.h | 6 ++++++ security/integrity/digsig_asymmetric.c | 30 ++++++++++++-------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h index a29d3ff2e7e8..c432fdb8547f 100644 --- a/include/keys/asymmetric-type.h +++ b/include/keys/asymmetric-type.h @@ -72,6 +72,12 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) return key->payload.data[asym_key_ids]; } +static inline +const struct public_key *asymmetric_key_public_key(const struct key *key) +{ + return key->payload.data[asym_crypto]; +} + extern struct key *find_asymmetric_key(struct key *keyring, const struct asymmetric_key_id *id_0, const struct asymmetric_key_id *id_1, diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c index a662024b4c70..23240d793b07 100644 --- a/security/integrity/digsig_asymmetric.c +++ b/security/integrity/digsig_asymmetric.c @@ -84,6 +84,7 @@ int asymmetric_verify(struct key *keyring, const char *sig, { struct public_key_signature pks; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; + const struct public_key *pk; struct key *key; int ret; @@ -105,23 +106,20 @@ int asymmetric_verify(struct key *keyring, const char *sig, memset(&pks, 0, sizeof(pks)); pks.hash_algo = hash_algo_name[hdr->hash_algo]; - switch (hdr->hash_algo) { - case HASH_ALGO_STREEBOG_256: - case HASH_ALGO_STREEBOG_512: - /* EC-RDSA and Streebog should go together. */ - pks.pkey_algo = "ecrdsa"; - pks.encoding = "raw"; - break; - case HASH_ALGO_SM3_256: - /* SM2 and SM3 should go together. */ - pks.pkey_algo = "sm2"; - pks.encoding = "raw"; - break; - default: - pks.pkey_algo = "rsa"; + + pk = asymmetric_key_public_key(key); + pks.pkey_algo = pk->pkey_algo; + if (!strcmp(pk->pkey_algo, "rsa")) pks.encoding = "pkcs1"; - break; - } + else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) + /* edcsa-nist-p192 etc. */ + pks.encoding = "x962"; + else if (!strcmp(pk->pkey_algo, "ecrdsa") || + !strcmp(pk->pkey_algo, "sm2")) + pks.encoding = "raw"; + else + return -ENOPKG; + pks.digest = (u8 *)data; pks.digest_size = datalen; pks.s = hdr->sig; -- 2.29.2