Lines Matching +full:sha3 +full:- +full:384

1 // SPDX-License-Identifier: GPL-2.0-or-later
48 public_key_signature_free(sinfo->sig); in pkcs7_free_signed_info()
54 * pkcs7_free_message - Free a PKCS#7 message
63 while (pkcs7->certs) { in pkcs7_free_message()
64 cert = pkcs7->certs; in pkcs7_free_message()
65 pkcs7->certs = cert->next; in pkcs7_free_message()
68 while (pkcs7->crl) { in pkcs7_free_message()
69 cert = pkcs7->crl; in pkcs7_free_message()
70 pkcs7->crl = cert->next; in pkcs7_free_message()
73 while (pkcs7->signed_infos) { in pkcs7_free_message()
74 sinfo = pkcs7->signed_infos; in pkcs7_free_message()
75 pkcs7->signed_infos = sinfo->next; in pkcs7_free_message()
91 sinfo = msg->signed_infos; in pkcs7_check_authattrs()
95 if (sinfo->authattrs) { in pkcs7_check_authattrs()
97 msg->have_authattrs = true; in pkcs7_check_authattrs()
100 for (sinfo = sinfo->next; sinfo; sinfo = sinfo->next) in pkcs7_check_authattrs()
101 if (!!sinfo->authattrs != want) in pkcs7_check_authattrs()
107 return -EINVAL; in pkcs7_check_authattrs()
111 * pkcs7_parse_message - Parse a PKCS#7 message
118 struct pkcs7_message *msg = ERR_PTR(-ENOMEM); in pkcs7_parse_message()
124 ctx->msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL); in pkcs7_parse_message()
125 if (!ctx->msg) in pkcs7_parse_message()
127 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); in pkcs7_parse_message()
128 if (!ctx->sinfo) in pkcs7_parse_message()
130 ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature), in pkcs7_parse_message()
132 if (!ctx->sinfo->sig) in pkcs7_parse_message()
135 ctx->data = (unsigned long)data; in pkcs7_parse_message()
136 ctx->ppcerts = &ctx->certs; in pkcs7_parse_message()
137 ctx->ppsinfo = &ctx->msg->signed_infos; in pkcs7_parse_message()
146 ret = pkcs7_check_authattrs(ctx->msg); in pkcs7_parse_message()
152 msg = ctx->msg; in pkcs7_parse_message()
153 ctx->msg = NULL; in pkcs7_parse_message()
156 while (ctx->certs) { in pkcs7_parse_message()
157 struct x509_certificate *cert = ctx->certs; in pkcs7_parse_message()
158 ctx->certs = cert->next; in pkcs7_parse_message()
162 pkcs7_free_signed_info(ctx->sinfo); in pkcs7_parse_message()
164 pkcs7_free_message(ctx->msg); in pkcs7_parse_message()
173 * pkcs7_get_content_data - Get access to the PKCS#7 content
183 * Returns -ENODATA if the data object was missing from the message.
189 if (!pkcs7->data) in pkcs7_get_content_data()
190 return -ENODATA; in pkcs7_get_content_data()
192 *_data = pkcs7->data; in pkcs7_get_content_data()
193 *_data_len = pkcs7->data_len; in pkcs7_get_content_data()
195 *_headerlen = pkcs7->data_hdrlen; in pkcs7_get_content_data()
210 ctx->last_oid = look_up_OID(value, vlen); in pkcs7_note_OID()
211 if (ctx->last_oid == OID__NR) { in pkcs7_note_OID()
215 (unsigned long)value - ctx->data, buffer); in pkcs7_note_OID()
229 switch (ctx->last_oid) { in pkcs7_sig_note_digest_algo()
231 ctx->sinfo->sig->hash_algo = "sha1"; in pkcs7_sig_note_digest_algo()
234 ctx->sinfo->sig->hash_algo = "sha256"; in pkcs7_sig_note_digest_algo()
237 ctx->sinfo->sig->hash_algo = "sha384"; in pkcs7_sig_note_digest_algo()
240 ctx->sinfo->sig->hash_algo = "sha512"; in pkcs7_sig_note_digest_algo()
243 ctx->sinfo->sig->hash_algo = "sha224"; in pkcs7_sig_note_digest_algo()
246 ctx->sinfo->sig->hash_algo = "sm3"; in pkcs7_sig_note_digest_algo()
249 ctx->sinfo->sig->hash_algo = "streebog256"; in pkcs7_sig_note_digest_algo()
252 ctx->sinfo->sig->hash_algo = "streebog512"; in pkcs7_sig_note_digest_algo()
255 ctx->sinfo->sig->hash_algo = "sha3-256"; in pkcs7_sig_note_digest_algo()
258 ctx->sinfo->sig->hash_algo = "sha3-384"; in pkcs7_sig_note_digest_algo()
261 ctx->sinfo->sig->hash_algo = "sha3-512"; in pkcs7_sig_note_digest_algo()
264 printk("Unsupported digest algo: %u\n", ctx->last_oid); in pkcs7_sig_note_digest_algo()
265 return -ENOPKG; in pkcs7_sig_note_digest_algo()
279 switch (ctx->last_oid) { in pkcs7_sig_note_pkey_algo()
281 ctx->sinfo->sig->pkey_algo = "rsa"; in pkcs7_sig_note_pkey_algo()
282 ctx->sinfo->sig->encoding = "pkcs1"; in pkcs7_sig_note_pkey_algo()
292 ctx->sinfo->sig->pkey_algo = "ecdsa"; in pkcs7_sig_note_pkey_algo()
293 ctx->sinfo->sig->encoding = "x962"; in pkcs7_sig_note_pkey_algo()
297 ctx->sinfo->sig->pkey_algo = "ecrdsa"; in pkcs7_sig_note_pkey_algo()
298 ctx->sinfo->sig->encoding = "raw"; in pkcs7_sig_note_pkey_algo()
301 printk("Unsupported pkey algo: %u\n", ctx->last_oid); in pkcs7_sig_note_pkey_algo()
302 return -ENOPKG; in pkcs7_sig_note_pkey_algo()
316 if (ctx->last_oid != OID_signed_data) { in pkcs7_check_content_type()
318 return -EINVAL; in pkcs7_check_content_type()
337 ctx->msg->version = version = *(const u8 *)value; in pkcs7_note_signeddata_version()
355 return -EINVAL; in pkcs7_note_signeddata_version()
377 if (ctx->msg->version != 1) in pkcs7_note_signerinfo_version()
379 ctx->expect_skid = false; in pkcs7_note_signerinfo_version()
383 if (ctx->msg->version == 1) in pkcs7_note_signerinfo_version()
385 ctx->expect_skid = true; in pkcs7_note_signerinfo_version()
395 return -EINVAL; in pkcs7_note_signerinfo_version()
397 pr_warn("SignedData-SignerInfo version mismatch\n"); in pkcs7_note_signerinfo_version()
398 return -EBADMSG; in pkcs7_note_signerinfo_version()
413 tag, (unsigned long)ctx - ctx->data); in pkcs7_extract_cert()
414 return -EBADMSG; in pkcs7_extract_cert()
419 * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which in pkcs7_extract_cert()
422 value -= hdrlen; in pkcs7_extract_cert()
426 vlen += 2; /* Indefinite length - there should be an EOC */ in pkcs7_extract_cert()
432 x509->index = ++ctx->x509_index; in pkcs7_extract_cert()
433 pr_debug("Got cert %u for %s\n", x509->index, x509->subject); in pkcs7_extract_cert()
434 pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data); in pkcs7_extract_cert()
436 *ctx->ppcerts = x509; in pkcs7_extract_cert()
437 ctx->ppcerts = &x509->next; in pkcs7_extract_cert()
452 *ctx->ppcerts = ctx->msg->certs; in pkcs7_note_certificate_list()
453 ctx->msg->certs = ctx->certs; in pkcs7_note_certificate_list()
454 ctx->certs = NULL; in pkcs7_note_certificate_list()
455 ctx->ppcerts = &ctx->certs; in pkcs7_note_certificate_list()
468 if (ctx->last_oid != OID_data && in pkcs7_note_content()
469 ctx->last_oid != OID_msIndirectData) { in pkcs7_note_content()
470 pr_warn("Unsupported data type %d\n", ctx->last_oid); in pkcs7_note_content()
471 return -EINVAL; in pkcs7_note_content()
474 ctx->msg->data_type = ctx->last_oid; in pkcs7_note_content()
490 ctx->msg->data = value; in pkcs7_note_data()
491 ctx->msg->data_len = vlen; in pkcs7_note_data()
492 ctx->msg->data_hdrlen = hdrlen; in pkcs7_note_data()
504 struct pkcs7_signed_info *sinfo = ctx->sinfo; in pkcs7_sig_note_authenticated_attr()
509 switch (ctx->last_oid) { in pkcs7_sig_note_authenticated_attr()
511 if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
514 if (content_type != ctx->msg->data_type) { in pkcs7_sig_note_authenticated_attr()
516 ctx->msg->data_type, sinfo->index, in pkcs7_sig_note_authenticated_attr()
518 return -EBADMSG; in pkcs7_sig_note_authenticated_attr()
523 if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
528 return x509_decode_time(&sinfo->signing_time, in pkcs7_sig_note_authenticated_attr()
532 if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
535 return -EBADMSG; in pkcs7_sig_note_authenticated_attr()
536 sinfo->msgdigest = value; in pkcs7_sig_note_authenticated_attr()
537 sinfo->msgdigest_len = vlen; in pkcs7_sig_note_authenticated_attr()
541 if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
543 if (ctx->msg->data_type != OID_msIndirectData) { in pkcs7_sig_note_authenticated_attr()
545 return -EKEYREJECTED; in pkcs7_sig_note_authenticated_attr()
549 /* Microsoft SpOpusInfo seems to contain cont[0] 16-bit BE in pkcs7_sig_note_authenticated_attr()
550 * char URLs and cont[1] 8-bit char URLs. in pkcs7_sig_note_authenticated_attr()
556 if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
560 if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set)) in pkcs7_sig_note_authenticated_attr()
563 if (ctx->msg->data_type != OID_msIndirectData) { in pkcs7_sig_note_authenticated_attr()
565 return -EKEYREJECTED; in pkcs7_sig_note_authenticated_attr()
576 return -EKEYREJECTED; in pkcs7_sig_note_authenticated_attr()
587 struct pkcs7_signed_info *sinfo = ctx->sinfo; in pkcs7_sig_note_set_of_authattrs()
589 if (!test_bit(sinfo_has_content_type, &sinfo->aa_set) || in pkcs7_sig_note_set_of_authattrs()
590 !test_bit(sinfo_has_message_digest, &sinfo->aa_set)) { in pkcs7_sig_note_set_of_authattrs()
592 return -EBADMSG; in pkcs7_sig_note_set_of_authattrs()
595 if (ctx->msg->data_type != OID_msIndirectData && in pkcs7_sig_note_set_of_authattrs()
596 test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) { in pkcs7_sig_note_set_of_authattrs()
598 return -EBADMSG; in pkcs7_sig_note_set_of_authattrs()
602 sinfo->authattrs = value - (hdrlen - 1); in pkcs7_sig_note_set_of_authattrs()
603 sinfo->authattrs_len = vlen + (hdrlen - 1); in pkcs7_sig_note_set_of_authattrs()
615 ctx->raw_serial = value; in pkcs7_sig_note_serial()
616 ctx->raw_serial_size = vlen; in pkcs7_sig_note_serial()
628 ctx->raw_issuer = value; in pkcs7_sig_note_issuer()
629 ctx->raw_issuer_size = vlen; in pkcs7_sig_note_issuer()
644 ctx->raw_skid = value; in pkcs7_sig_note_skid()
645 ctx->raw_skid_size = vlen; in pkcs7_sig_note_skid()
658 ctx->sinfo->sig->s = kmemdup(value, vlen, GFP_KERNEL); in pkcs7_sig_note_signature()
659 if (!ctx->sinfo->sig->s) in pkcs7_sig_note_signature()
660 return -ENOMEM; in pkcs7_sig_note_signature()
662 ctx->sinfo->sig->s_size = vlen; in pkcs7_sig_note_signature()
674 struct pkcs7_signed_info *sinfo = ctx->sinfo; in pkcs7_note_signed_info()
677 if (ctx->msg->data_type == OID_msIndirectData && !sinfo->authattrs) { in pkcs7_note_signed_info()
679 return -EBADMSG; in pkcs7_note_signed_info()
683 if (!ctx->expect_skid) { in pkcs7_note_signed_info()
684 kid = asymmetric_key_generate_id(ctx->raw_serial, in pkcs7_note_signed_info()
685 ctx->raw_serial_size, in pkcs7_note_signed_info()
686 ctx->raw_issuer, in pkcs7_note_signed_info()
687 ctx->raw_issuer_size); in pkcs7_note_signed_info()
689 kid = asymmetric_key_generate_id(ctx->raw_skid, in pkcs7_note_signed_info()
690 ctx->raw_skid_size, in pkcs7_note_signed_info()
696 pr_devel("SINFO KID: %u [%*phN]\n", kid->len, kid->len, kid->data); in pkcs7_note_signed_info()
698 sinfo->sig->auth_ids[0] = kid; in pkcs7_note_signed_info()
699 sinfo->index = ++ctx->sinfo_index; in pkcs7_note_signed_info()
700 *ctx->ppsinfo = sinfo; in pkcs7_note_signed_info()
701 ctx->ppsinfo = &sinfo->next; in pkcs7_note_signed_info()
702 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); in pkcs7_note_signed_info()
703 if (!ctx->sinfo) in pkcs7_note_signed_info()
704 return -ENOMEM; in pkcs7_note_signed_info()
705 ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature), in pkcs7_note_signed_info()
707 if (!ctx->sinfo->sig) in pkcs7_note_signed_info()
708 return -ENOMEM; in pkcs7_note_signed_info()