Revert "apparmor: use SHA-256 library API instead of crypto_shash API"

This reverts commit e9ed1eb8f6217e53843d82ecf2d50f8d1a93e77c.

Eric has requested that this patch be taken through the libcrypto-next
tree, instead.

Signed-off-by: John Johansen <john.johansen@canonical.com>

+75 -13
+2 -1
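--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -59,7 +59,8 @@
 config SECURITY_APPARMOR_HASH
 bool "Enable introspection of sha256 hashes for loaded profiles"
 depends on SECURITY_APPARMOR_INTROSPECT_POLICY
-select CRYPTO_LIB_SHA256
+select CRYPTO
+select CRYPTO_SHA256
 default y
 help
 This option selects whether introspection of loaded policy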
+73 -12
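--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -11,52 +11,113 @@
 * it should be.
 */
 
-#include <crypto/sha2.h>
+#include <crypto/hash.h>
 
 #include "include/apparmor.h"
 #include "include/crypto.h"
 
+static unsigned int apparmor_hash_size;
+
+static struct crypto_shash *apparmor_tfm;
+
 unsigned int aa_hash_size(void)
 {
-return SHA256_DIGEST_SIZE;
+return apparmor_hash_size;
 }
 
 char *aa_calc_hash(void *data, size_t len)
 {
+SHASH_DESC_ON_STACK(desc, apparmor_tfm);
 char *hash;
+int error;
 
-hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
+if (!apparmor_tfm)
+return NULL;
+
+hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
 if (!hash)
 return ERR_PTR(-ENOMEM);
 
-sha256(data, len, hash);
+desc->tfm = apparmor_tfm;
+
+error = crypto_shash_init(desc);
+if (error)
+goto fail;
+error = crypto_shash_update(desc, (u8 *) data, len);
+if (error)
+goto fail;
+error = crypto_shash_final(desc, hash);
+if (error)
+goto fail;
+
 return hash;
+
+fail:
+kfree(hash);
+
+return ERR_PTR(error);
 }
 
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 size_t len)
 {
-struct sha256_state state;
+SHASH_DESC_ON_STACK(desc, apparmor_tfm);
+int error;
 __le32 le32_version = cpu_to_le32(version);
 
 if (!aa_g_hash_policy)
 return 0;
 
-profile->hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
+if (!apparmor_tfm)
+return 0;
+
+profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
 if (!profile->hash)
 return -ENOMEM;
 
-sha256_init(&state);
-sha256_update(&state, (u8 *)&le32_version, 4);
-sha256_update(&state, (u8 *)start, len);
-sha256_final(&state, profile->hash);
+desc->tfm = apparmor_tfm;
+
+error = crypto_shash_init(desc);
+if (error)
+goto fail;
+error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
+if (error)
+goto fail;
+error = crypto_shash_update(desc, (u8 *) start, len);
+if (error)
+goto fail;
+error = crypto_shash_final(desc, profile->hash);
+if (error)
+goto fail;
+
 return 0;
+
+fail:
+kfree(profile->hash);
+profile->hash = NULL;
+
+return error;
 }
 
 static int __init init_profile_hash(void)
 {
-if (apparmor_initialized)
-aa_info_message("AppArmor sha256 policy hashing enabled");
+struct crypto_shash *tfm;
+
+if (!apparmor_initialized)
+return 0;
+
+tfm = crypto_alloc_shash("sha256", 0, 0);
+if (IS_ERR(tfm)) {
+int error = PTR_ERR(tfm);
+AA_ERROR("failed to setup profile sha256 hashing: %d\n", error);
+return error;
+}
+apparmor_tfm = tfm;
+apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
+
+aa_info_message("AppArmor sha256 policy hashing enabled");
+
 return 0;
 }
+
 late_initcall(init_profile_hash);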
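Review bot: aa_calc_hash() now has two different failure returns, `NULL` when `apparmor_tfm` was never set up and `ERR_PTR()` for allocation or crypto errors, so a caller that tests only `IS_ERR()` would treat the missing-tfm case as a usable hash pointer. The callers are not visible on this page, so this may already be handled, but the contract should be written above the function, e.g. `/* Returns NULL if hashing is unavailable, ERR_PTR() on error; callers must check both. */`. In the same situation aa_calc_profile_hash() returns 0 with `profile->hash` left unset, so a failed `crypto_alloc_shash()` in init_profile_hash() appears to leave later profiles without an introspection hash and no per-profile indication. A short comment next to the `if (!apparmor_tfm) return 0;` guard stating that this is intended would help whoever relies on those hashes to verify loaded policy.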