kmod/SOURCES/kmod-signature-do-not-report-wrong-data-for-pkc-7-signatu.patch

From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001
From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
Date: Fri, 16 Nov 2018 10:56:34 +0200
Subject: [PATCH] signature: do not report wrong data for pkc#7 signature

when PKC#7 signing method is used the old structure doesn't contain
any useful data, but the data are encoded in the certificate.

The info getting/showing code is not aware of that at the moment and
since 0 is a valid constant, shows, for example, wrong "md4" for the
hash algo.

The patch splits the 2 mothods of gethering the info and reports
"unknown" for the algo.

Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>
---
 libkmod/libkmod-module.c    |  2 +-
 libkmod/libkmod-signature.c | 56 +++++++++++++++++++++++++------------
 2 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c
index ee420f4ec2bf..889f26479a98 100644
--- a/libkmod/libkmod-module.c
+++ b/libkmod/libkmod-module.c
@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_
 	struct kmod_elf *elf;
 	char **strings;
 	int i, count, ret = -ENOMEM;
-	struct kmod_signature_info sig_info;
+	struct kmod_signature_info sig_info = {};
 
 	if (mod == NULL || list == NULL)
 		return -ENOENT;
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 1f3e26dea203..429ffbd8a957 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -92,6 +92,38 @@ struct module_signature {
 	uint32_t sig_len;    /* Length of signature data (big endian) */
 };
 
+static bool fill_default(const char *mem, off_t size,
+			 const struct module_signature *modsig, size_t sig_len,
+			 struct kmod_signature_info *sig_info)
+{
+	size -= sig_len;
+	sig_info->sig = mem + size;
+	sig_info->sig_len = sig_len;
+
+	size -= modsig->key_id_len;
+	sig_info->key_id = mem + size;
+	sig_info->key_id_len = modsig->key_id_len;
+
+	size -= modsig->signer_len;
+	sig_info->signer = mem + size;
+	sig_info->signer_len = modsig->signer_len;
+
+	sig_info->algo = pkey_algo[modsig->algo];
+	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
+	sig_info->id_type = pkey_id_type[modsig->id_type];
+
+	return true;
+}
+
+static bool fill_unknown(const char *mem, off_t size,
+			 const struct module_signature *modsig, size_t sig_len,
+			 struct kmod_signature_info *sig_info)
+{
+	sig_info->hash_algo = "unknown";
+	sig_info->id_type = pkey_id_type[modsig->id_type];
+	return true;
+}
+
 #define SIG_MAGIC "~Module signature appended~\n"
 
 /*
@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
 	const struct module_signature *modsig;
 	size_t sig_len;
 
-
 	size = kmod_file_get_size(file);
 	mem = kmod_file_get_contents(file);
 	if (size < (off_t)strlen(SIG_MAGIC))
@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat
 	    size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))
 		return false;
 
-	size -= sig_len;
-	sig_info->sig = mem + size;
-	sig_info->sig_len = sig_len;
-
-	size -= modsig->key_id_len;
-	sig_info->key_id = mem + size;
-	sig_info->key_id_len = modsig->key_id_len;
-
-	size -= modsig->signer_len;
-	sig_info->signer = mem + size;
-	sig_info->signer_len = modsig->signer_len;
-
-	sig_info->algo = pkey_algo[modsig->algo];
-	sig_info->hash_algo = pkey_hash_algo[modsig->hash];
-	sig_info->id_type = pkey_id_type[modsig->id_type];
-
-	return true;
+	switch (modsig->id_type) {
+	case PKEY_ID_PKCS7:
+		return fill_unknown(mem, size, modsig, sig_len, sig_info);
+	default:
+		return fill_default(mem, size, modsig, sig_len, sig_info);
+	}
 }
-- 
2.20.1
import kmod-25-11.el8_0.2 2019-05-07 19:24:22 +00:00			`From a11057201ed326a9e65e757202da960735e45799 Mon Sep 17 00:00:00 2001`
			`From: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>`
			`Date: Fri, 16 Nov 2018 10:56:34 +0200`
			`Subject: [PATCH] signature: do not report wrong data for pkc#7 signature`

			`when PKC#7 signing method is used the old structure doesn't contain`
			`any useful data, but the data are encoded in the certificate.`

			`The info getting/showing code is not aware of that at the moment and`
			`since 0 is a valid constant, shows, for example, wrong "md4" for the`
			`hash algo.`

			`The patch splits the 2 mothods of gethering the info and reports`
			`"unknown" for the algo.`

			`Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@redhat.com>`
			`---`
			`libkmod/libkmod-module.c \| 2 +-`
			`libkmod/libkmod-signature.c \| 56 +++++++++++++++++++++++++------------`
			`2 files changed, 39 insertions(+), 19 deletions(-)`

			`diff --git a/libkmod/libkmod-module.c b/libkmod/libkmod-module.c`
			`index ee420f4ec2bf..889f26479a98 100644`
			`--- a/libkmod/libkmod-module.c`
			`+++ b/libkmod/libkmod-module.c`
			`@@ -2273,7 +2273,7 @@ KMOD_EXPORT int kmod_module_get_info(const struct kmod_module *mod, struct kmod_`
			`struct kmod_elf *elf;`
			`char **strings;`
			`int i, count, ret = -ENOMEM;`
			`- struct kmod_signature_info sig_info;`
			`+ struct kmod_signature_info sig_info = {};`

			`if (mod == NULL \|\| list == NULL)`
			`return -ENOENT;`
			`diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c`
			`index 1f3e26dea203..429ffbd8a957 100644`
			`--- a/libkmod/libkmod-signature.c`
			`+++ b/libkmod/libkmod-signature.c`
			`@@ -92,6 +92,38 @@ struct module_signature {`
			`uint32_t sig_len; /* Length of signature data (big endian) */`
			`};`

			`+static bool fill_default(const char *mem, off_t size,`
			`+ const struct module_signature *modsig, size_t sig_len,`
			`+ struct kmod_signature_info *sig_info)`
			`+{`
			`+ size -= sig_len;`
			`+ sig_info->sig = mem + size;`
			`+ sig_info->sig_len = sig_len;`
			`+`
			`+ size -= modsig->key_id_len;`
			`+ sig_info->key_id = mem + size;`
			`+ sig_info->key_id_len = modsig->key_id_len;`
			`+`
			`+ size -= modsig->signer_len;`
			`+ sig_info->signer = mem + size;`
			`+ sig_info->signer_len = modsig->signer_len;`
			`+`
			`+ sig_info->algo = pkey_algo[modsig->algo];`
			`+ sig_info->hash_algo = pkey_hash_algo[modsig->hash];`
			`+ sig_info->id_type = pkey_id_type[modsig->id_type];`
			`+`
			`+ return true;`
			`+}`
			`+`
			`+static bool fill_unknown(const char *mem, off_t size,`
			`+ const struct module_signature *modsig, size_t sig_len,`
			`+ struct kmod_signature_info *sig_info)`
			`+{`
			`+ sig_info->hash_algo = "unknown";`
			`+ sig_info->id_type = pkey_id_type[modsig->id_type];`
			`+ return true;`
			`+}`
			`+`
			`#define SIG_MAGIC "~Module signature appended~\n"`

			`/*`
			`@@ -112,7 +144,6 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat`
			`const struct module_signature *modsig;`
			`size_t sig_len;`

			`-`
			`size = kmod_file_get_size(file);`
			`mem = kmod_file_get_contents(file);`
			`if (size < (off_t)strlen(SIG_MAGIC))`
			`@@ -134,21 +165,10 @@ bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signat`
			`size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len))`
			`return false;`

			`- size -= sig_len;`
			`- sig_info->sig = mem + size;`
			`- sig_info->sig_len = sig_len;`
			`-`
			`- size -= modsig->key_id_len;`
			`- sig_info->key_id = mem + size;`
			`- sig_info->key_id_len = modsig->key_id_len;`
			`-`
			`- size -= modsig->signer_len;`
			`- sig_info->signer = mem + size;`
			`- sig_info->signer_len = modsig->signer_len;`
			`-`
			`- sig_info->algo = pkey_algo[modsig->algo];`
			`- sig_info->hash_algo = pkey_hash_algo[modsig->hash];`
			`- sig_info->id_type = pkey_id_type[modsig->id_type];`
			`-`
			`- return true;`
			`+ switch (modsig->id_type) {`
			`+ case PKEY_ID_PKCS7:`
			`+ return fill_unknown(mem, size, modsig, sig_len, sig_info);`
			`+ default:`
			`+ return fill_default(mem, size, modsig, sig_len, sig_info);`
			`+ }`
			`}`
			`--`
			`2.20.1`