xref: /openbmc/linux/security/apparmor/crypto.c (revision bc33f5e5)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor policy loading interface function definitions.
6  *
7  * Copyright 2013 Canonical Ltd.
8  *
9  * Fns to provide a checksum of policy that has been loaded this can be
10  * compared to userspace policy compiles to check loaded policy is what
11  * it should be.
12  */
13 
14 #include <crypto/hash.h>
15 
16 #include "include/apparmor.h"
17 #include "include/crypto.h"
18 
19 static unsigned int apparmor_hash_size;
20 
21 static struct crypto_shash *apparmor_tfm;
22 
23 unsigned int aa_hash_size(void)
24 {
25 	return apparmor_hash_size;
26 }
27 
28 char *aa_calc_hash(void *data, size_t len)
29 {
30 	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
31 	char *hash = NULL;
32 	int error = -ENOMEM;
33 
34 	if (!apparmor_tfm)
35 		return NULL;
36 
37 	hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
38 	if (!hash)
39 		goto fail;
40 
41 	desc->tfm = apparmor_tfm;
42 
43 	error = crypto_shash_init(desc);
44 	if (error)
45 		goto fail;
46 	error = crypto_shash_update(desc, (u8 *) data, len);
47 	if (error)
48 		goto fail;
49 	error = crypto_shash_final(desc, hash);
50 	if (error)
51 		goto fail;
52 
53 	return hash;
54 
55 fail:
56 	kfree(hash);
57 
58 	return ERR_PTR(error);
59 }
60 
61 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
62 			 size_t len)
63 {
64 	SHASH_DESC_ON_STACK(desc, apparmor_tfm);
65 	int error = -ENOMEM;
66 	__le32 le32_version = cpu_to_le32(version);
67 
68 	if (!aa_g_hash_policy)
69 		return 0;
70 
71 	if (!apparmor_tfm)
72 		return 0;
73 
74 	profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
75 	if (!profile->hash)
76 		goto fail;
77 
78 	desc->tfm = apparmor_tfm;
79 
80 	error = crypto_shash_init(desc);
81 	if (error)
82 		goto fail;
83 	error = crypto_shash_update(desc, (u8 *) &le32_version, 4);
84 	if (error)
85 		goto fail;
86 	error = crypto_shash_update(desc, (u8 *) start, len);
87 	if (error)
88 		goto fail;
89 	error = crypto_shash_final(desc, profile->hash);
90 	if (error)
91 		goto fail;
92 
93 	return 0;
94 
95 fail:
96 	kfree(profile->hash);
97 	profile->hash = NULL;
98 
99 	return error;
100 }
101 
102 static int __init init_profile_hash(void)
103 {
104 	struct crypto_shash *tfm;
105 
106 	if (!apparmor_initialized)
107 		return 0;
108 
109 	tfm = crypto_alloc_shash("sha1", 0, 0);
110 	if (IS_ERR(tfm)) {
111 		int error = PTR_ERR(tfm);
112 		AA_ERROR("failed to setup profile sha1 hashing: %d\n", error);
113 		return error;
114 	}
115 	apparmor_tfm = tfm;
116 	apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
117 
118 	aa_info_message("AppArmor sha1 policy hashing enabled");
119 
120 	return 0;
121 }
122 
123 late_initcall(init_profile_hash);
124