From patchwork Wed Jul 13 17:57:54 2016
X-Patchwork-Submitter: Mat Martineau
X-Patchwork-Id: 9228325
From: Mat Martineau
To: dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, jmorris@namei.org
Cc: Mat Martineau, zohar@linux.vnet.ibm.com, petkan@mip-labs.com
Subject: [PATCH BUGFIX v2] KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
Date: Wed, 13 Jul 2016 10:57:54 -0700
Message-Id: <20160713175754.541-1-mathew.j.martineau@linux.intel.com>

Arbitrary X.509 certificates without authority key identifiers (AKIs) can be added to "trusted" keyrings, including IMA or EVM certs loaded from the filesystem. Signature verification is currently bypassed for certs without AKIs.

Trusted keys were recently refactored, and this bug is not present in 4.6.

restrict_link_by_signature should return -ENOKEY (no matching parent certificate found) if the certificate being evaluated has no AKIs, instead of bypassing signature checks and returning 0 (new certificate accepted).

Reported-by: Petko Manolov
Signed-off-by: Mat Martineau
---
The subject line for v1 was "Do not trust certs with missing auth IDs". I've only updated the commit message for v2 to clarify the scope and consequences of the bug.

 crypto/asymmetric_keys/restrict.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index ac4bddf..19d1afb9 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring, sig = payload->data[asym_auth]; if (!sig->auth_ids[0] && !sig->auth_ids[1]) - return 0; + return -ENOKEY; if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) return -EPERM;
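Review bot: the new `return -ENOKEY;` in the hunk closes the bypass for the case where both auth_ids[0] and auth_ids[1] are NULL, but the reason for choosing -ENOKEY over -EPERM lives only in the commit message; the next failure in the same hunk, `if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))`, returns -EPERM, so a later reader will not see why "no AKI at all" is a different error class from "AKI names the wrong CA". A one-line comment above the return saying that no parent certificate can be looked up, so the signature cannot be verified, would preserve that distinction through future cleanups. One further thing to confirm rather than assume: the guard only fires when both slots are NULL, so a certificate carrying only the issuer+serial form (auth_ids[0] set, auth_ids[1] NULL) with ca_keyid set reaches asymmetric_key_id_partial() with a NULL first argument; that call is outside the hunk, so please check it tolerates NULL, or extend the ca_keyid test to require sig->auth_ids[1].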
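As an added example for this thread (not kernel code and not the patch author's), the following Python models the check the hunk changes: a small DER walker that pulls the AuthorityKeyIdentifier forms out of a certificate's Extensions block, a function mirroring the pre-fix and post-fix decisions of restrict_link_by_signature(), and constructed sample extension blocks with no AKI, a keyIdentifier-only AKI, and an issuer+serial AKI. The kernel's keyring lookup and signature verification are replaced by a set of trusted ids; the mapping of the two AKI forms onto auth_ids[0] and auth_ids[1], the sample names and key ids, and all helper names are assumptions made for the example.

```python
# Added illustration for this thread, not kernel code: walk the DER of an X.509
# Extensions block, extract the AuthorityKeyIdentifier forms, and model the
# accept/reject decision of restrict_link_by_signature() before and after the fix.
import errno

AKI_OID = bytes.fromhex("551d23")        # 2.5.29.35 authorityKeyIdentifier
BC_OID = bytes.fromhex("551d13")         # 2.5.29.19 basicConstraints
ENOKEY = getattr(errno, "ENOKEY", 126)   # Linux value; absent from some libcs
EPERM = errno.EPERM


def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length


def iter_seq(body):
    """Yield (tag, value) for each element of a SEQUENCE or SET body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val


def parse_aki(extensions_der):
    """Return {'keyid', 'issuer', 'serial'} from the AKI extension, or None if absent."""
    _, exts, _ = read_tlv(extensions_der, 0)            # SEQUENCE OF Extension
    for _, ext in iter_seq(exts):
        fields = list(iter_seq(ext))                    # extnID, [critical], extnValue
        if fields[0][0] != 0x06 or fields[0][1] != AKI_OID:
            continue
        _, aki, _ = read_tlv(fields[-1][1], 0)          # OCTET STRING wraps the AKI SEQUENCE
        out = {"keyid": None, "issuer": None, "serial": None}
        for tag, val in iter_seq(aki):
            if tag == 0x80:                             # [0] IMPLICIT keyIdentifier
                out["keyid"] = val
            elif tag == 0xA1:                           # [1] IMPLICIT authorityCertIssuer
                out["issuer"] = val
            elif tag == 0x82:                           # [2] IMPLICIT authorityCertSerialNumber
                out["serial"] = val
        return out
    return None


def auth_ids_from_aki(aki):
    """Model of the two kernel auth_id slots, [0] issuer+serial and [1] keyIdentifier
    (slot order is an assumption; the decision below only needs 'both empty')."""
    if aki is None:
        return [None, None]
    by_issuer = aki["issuer"] + aki["serial"] if aki["issuer"] and aki["serial"] else None
    return [by_issuer, aki["keyid"]]


def restrict_link_by_signature(trusted_ids, auth_ids, ca_keyid=None, fixed=True):
    """Model of the kernel decision: trusted_ids stands in for the keyring lookup
    plus signature check. Returns 0 to accept the key or a negative errno."""
    if not auth_ids[0] and not auth_ids[1]:
        return -ENOKEY if fixed else 0    # pre-fix: no AKI meant accept, unverified
    if ca_keyid and auth_ids[1] != ca_keyid:
        return -EPERM                     # AKI names a CA other than the required one
    if any(aid and aid in trusted_ids for aid in auth_ids):
        return 0
    return -ENOKEY                        # no parent certificate in the keyring


# Constructed sample data: a CA key id, a Name for the issuer form, and a builder.
CA_KEYID = bytes(range(20))
ISSUER_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Test CA"))))


def build_extensions(keyid=None, issuer=None, serial=None, critical=False):
    """Extensions ::= SEQUENCE OF Extension: always basicConstraints, plus an AKI if asked."""
    exts = [tlv(0x30, tlv(0x06, BC_OID) + tlv(0x04, tlv(0x30, b"")))]
    parts = b""
    if keyid is not None:
        parts += tlv(0x80, keyid)
    if issuer is not None and serial is not None:
        parts += tlv(0xA1, tlv(0xA4, issuer)) + tlv(0x82, serial)    # GeneralName directoryName is [4]
    if parts:
        flag = tlv(0x01, b"\xff") if critical else b""
        exts.append(tlv(0x30, tlv(0x06, AKI_OID) + flag + tlv(0x04, tlv(0x30, parts))))
    return tlv(0x30, b"".join(exts))
```

Calling restrict_link_by_signature() with fixed=False on the no-AKI block reproduces the behaviour the commit message describes: it returns 0 and the key would be linked without any parent being found. With fixed=True the same input returns -ENOKEY, while a certificate whose AKI names a different key id than ca_keyid returns -EPERM, which is the distinction between "no parent to look up" and "wrong CA" that the hunk preserves.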