0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * AppArmor security module
0004  *
0005  * This file contains AppArmor policy loading interface function definitions.
0006  *
0007  * Copyright 2013 Canonical Ltd.
0008  *
0009  * Functions to provide a checksum of the policy that has been loaded; this
0010  * can be compared to userspace policy compiles to check that the loaded
0011  * policy is what it should be.
0012  */
0013 
0014 #include <crypto/hash.h>
0015 
0016 #include "include/apparmor.h"
0017 #include "include/crypto.h"
0018 
/*
 * Digest length in bytes of the policy hash. Static storage, so it reads as
 * 0 until init_profile_hash() has stored the transform's digest size.
 */
static unsigned int apparmor_hash_size;

/*
 * Shared hash transform used by every hashing helper in this file. It stays
 * NULL until init_profile_hash() succeeds; the helpers test for that and
 * skip hashing instead of dereferencing it.
 */
static struct crypto_shash *apparmor_tfm;

/**
 * aa_hash_size - report the length of the digests produced by this file
 *
 * Returns: the value of apparmor_hash_size, i.e. the digest size recorded at
 * init time, or 0 if no hash transform has been set up.
 */
unsigned int aa_hash_size(void)
{
    return apparmor_hash_size;
}
0027 
/**
 * aa_calc_hash - compute the policy digest of a buffer
 * @data: start of the bytes to hash
 * @len: number of bytes at @data to hash
 *
 * The result has three distinct shapes and callers have to tell them apart:
 *   - NULL when no hash transform is available (hashing was never set up);
 *   - an ERR_PTR() carrying -ENOMEM or the crypto layer's error code;
 *   - otherwise a kzalloc()ed buffer of apparmor_hash_size bytes holding the
 *     digest, which this function does not keep a reference to.
 *
 * A NULL return therefore means "no digest exists", not "digest matched";
 * code that compares hashes should treat it as such.
 */
char *aa_calc_hash(void *data, size_t len)
{
    SHASH_DESC_ON_STACK(desc, apparmor_tfm);
    char *digest;
    int rc;

    /* Hashing not initialised: report "no hash" rather than an error. */
    if (!apparmor_tfm)
        return NULL;

    digest = kzalloc(apparmor_hash_size, GFP_KERNEL);
    if (!digest)
        return ERR_PTR(-ENOMEM);

    desc->tfm = apparmor_tfm;

    /* Each step runs only if every previous step succeeded. */
    rc = crypto_shash_init(desc);
    if (!rc)
        rc = crypto_shash_update(desc, (u8 *) data, len);
    if (!rc)
        rc = crypto_shash_final(desc, digest);

    if (rc) {
        /* Never hand back a partially computed digest. */
        kfree(digest);
        return ERR_PTR(rc);
    }

    return digest;
}
0060 
/**
 * aa_calc_profile_hash - compute and attach the digest of a profile's data
 * @profile: profile whose ->hash field receives the digest
 * @version: version number mixed into the digest ahead of the data
 * @start: start of the bytes to hash
 * @len: number of bytes at @start to hash
 *
 * The digest covers the 32-bit little-endian encoding of @version followed
 * by the @len bytes at @start, so the same bytes hashed under two different
 * versions yield different digests.
 *
 * Returns: 0 on success, and also 0 when hashing is skipped because
 * aa_g_hash_policy is off or no transform is available; in the skipped case
 * @profile->hash is left untouched. On failure returns -ENOMEM or the crypto
 * layer's error code with @profile->hash set to NULL.
 *
 * Because "skipped" and "hashed" both return 0, a caller that needs to know
 * whether a digest exists has to look at @profile->hash, not the return
 * value.
 */
int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
             size_t len)
{
    SHASH_DESC_ON_STACK(desc, apparmor_tfm);
    /* Fixed byte order keeps the digest independent of host endianness. */
    __le32 le32_version = cpu_to_le32(version);
    int rc;

    if (!aa_g_hash_policy || !apparmor_tfm)
        return 0;

    profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
    if (!profile->hash)
        return -ENOMEM;

    desc->tfm = apparmor_tfm;

    /* Each step runs only if every previous step succeeded. */
    rc = crypto_shash_init(desc);
    if (!rc)
        rc = crypto_shash_update(desc, (u8 *) &le32_version,
                     sizeof(le32_version));
    if (!rc)
        rc = crypto_shash_update(desc, (u8 *) start, len);
    if (!rc)
        rc = crypto_shash_final(desc, profile->hash);

    if (rc) {
        /* Drop the buffer so no partial digest stays on the profile. */
        kfree(profile->hash);
        profile->hash = NULL;
    }

    return rc;
}
0101 
/**
 * init_profile_hash - allocate the hash transform used for policy hashing
 *
 * Does nothing and returns 0 when apparmor_initialized is false; in that
 * case apparmor_tfm stays NULL and the hashing helpers in this file skip
 * their work. Otherwise allocates a "sha1" shash transform, publishes it in
 * apparmor_tfm and records its digest size in apparmor_hash_size. The
 * transform is not released anywhere in this file.
 *
 * NOTE(review): SHA-1 is no longer collision resistant. The file header
 * describes this digest as a checksum for comparing loaded policy against
 * userspace compiles; if anything relies on it to resist deliberately
 * crafted policy data, a stronger digest is needed. Changing the algorithm
 * changes the digest values and size seen by consumers, so confirm them
 * first.
 *
 * Returns: 0 on success or when skipped, else the error from
 * crypto_alloc_shash().
 */
static int __init init_profile_hash(void)
{
    struct crypto_shash *shash;
    int rc;

    if (!apparmor_initialized)
        return 0;

    shash = crypto_alloc_shash("sha1", 0, 0);
    if (IS_ERR(shash)) {
        rc = PTR_ERR(shash);
        AA_ERROR("failed to setup profile sha1 hashing: %d\n", rc);
        return rc;
    }

    apparmor_tfm = shash;
    apparmor_hash_size = crypto_shash_digestsize(shash);

    aa_info_message("AppArmor sha1 policy hashing enabled");

    return 0;
}

/* Registered as a late initcall; the function itself checks apparmor_initialized. */
late_initcall(init_profile_hash);