
apparmor: use SHA-256 library API instead of crypto_shash API

This user of SHA-256 does not support any other algorithm, so the
crypto_shash abstraction provides no value. Just use the SHA-256
library API instead, which is much simpler and easier to use.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

authored by

Eric Biggers and committed by
John Johansen
e9ed1eb8 2b270e2f

+13 -75
+1 -2
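--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -59,8 +59,7 @@
 config SECURITY_APPARMOR_HASH
 bool "Enable introspection of sha256 hashes for loaded profiles"
 depends on SECURITY_APPARMOR_INTROSPECT_POLICY
-select CRYPTO
-select CRYPTO_SHA256
+select CRYPTO_LIB_SHA256
 default y
 help
 This option selects whether introspection of loaded policy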
+12 -73
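--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -11,113 +11,52 @@
 * it should be.
 */
 
-#include <crypto/hash.h>
+#include <crypto/sha2.h>
 
 #include "include/apparmor.h"
 #include "include/crypto.h"
 
-static unsigned int apparmor_hash_size;
-
-static struct crypto_shash *apparmor_tfm;
-
 unsigned int aa_hash_size(void)
 {
-return apparmor_hash_size;
+return SHA256_DIGEST_SIZE;
 }
 
 char *aa_calc_hash(void *data, size_t len)
 {
-SHASH_DESC_ON_STACK(desc, apparmor_tfm);
 char *hash;
-int error;
 
-if (!apparmor_tfm)
-return NULL;
-
-hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
+hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
 if (!hash)
 return ERR_PTR(-ENOMEM);
 
-desc->tfm = apparmor_tfm;
-
-error = crypto_shash_init(desc);
-if (error)
-goto fail;
-error = crypto_shash_update(desc, (u8 *) data, len);
-if (error)
-goto fail;
-error = crypto_shash_final(desc, hash);
-if (error)
-goto fail;
-
+sha256(data, len, hash);
 return hash;
-
-fail:
-kfree(hash);
-
-return ERR_PTR(error);
 }
 
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
 size_t len)
 {
-SHASH_DESC_ON_STACK(desc, apparmor_tfm);
-int error;
+struct sha256_state state;
 __le32 le32_version = cpu_to_le32(version);
 
 if (!aa_g_hash_policy)
 return 0;
 
-if (!apparmor_tfm)
-return 0;
-
-profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
+profile->hash = kzalloc(SHA256_DIGEST_SIZE, GFP_KERNEL);
 if (!profile->hash)
 return -ENOMEM;
 
-desc->tfm = apparmor_tfm;
-
-error = crypto_shash_init(desc);
-if (error)
-goto fail;
-error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
-if (error)
-goto fail;
-error = crypto_shash_update(desc, (u8 *) start, len);
-if (error)
-goto fail;
-error = crypto_shash_final(desc, profile->hash);
-if (error)
-goto fail;
-
+sha256_init(&state);
+sha256_update(&state, (u8 *)&le32_version, 4);
+sha256_update(&state, (u8 *)start, len);
+sha256_final(&state, profile->hash);
 return 0;
-
-fail:
-kfree(profile->hash);
-profile->hash = NULL;
-
-return error;
 }
 
 static int __init init_profile_hash(void)
 {
-struct crypto_shash *tfm;
-
-if (!apparmor_initialized)
-return 0;
-
-tfm = crypto_alloc_shash("sha256", 0, 0);
-if (IS_ERR(tfm)) {
-int error = PTR_ERR(tfm);
-AA_ERROR("failed to setup profile sha256 hashing: %d\n", error);
-return error;
-}
-apparmor_tfm = tfm;
-apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
-
-aa_info_message("AppArmor sha256 policy hashing enabled");
-
+if (apparmor_initialized)
+aa_info_message("AppArmor sha256 policy hashing enabled");
 return 0;
 }
-
 late_initcall(init_profile_hash);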
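Review bot: aa_calc_hash() on the new side can no longer return NULL, and aa_hash_size() now reports SHA256_DIGEST_SIZE unconditionally rather than a value set only once init_profile_hash() had allocated the transform, but nothing in the file records that contract change. The callers are outside this page, so any that treated a NULL hash or a zero size as "hashing unavailable" should be checked; presumably they already test IS_ERR(). I would add a kernel-doc comment above aa_calc_hash() stating that it returns a kzalloc'd buffer of SHA256_DIGEST_SIZE bytes that the caller owns, or `ERR_PTR(-ENOMEM)`, and never NULL. Separately, the literal length carried over into aa_calc_profile_hash() could be tied to the object it describes: `sha256_update(&state, (u8 *)&le32_version, sizeof(le32_version));`.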