From: Andy Whitcroft
To: Herbert Xu, "David S. Miller"
Cc: David Howells, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] x509: only prefix strip raw serial numbers
Date: Mon, 14 Sep 2015 09:13:37 +0100
Message-Id: <1442218417-24897-1-git-send-email-apw@canonical.com>

In the commit below we added support for use of the subKeyId rather than
the raw serial number when forming the in kernel ID:

  commit dd2f6c4481debfa389c1f2b2b1d5bd6449c42611
  Author: David Howells
  Date:   Fri Oct 3 16:17:02 2014 +0100

      X.509: If available, use the raw subjKeyId to form the key description

However as part of this we subject the subjKeyId to the below prefix strip:

  if (srlen > 1 && *q == 0) {
          srlen--;
          q++;
  }

This leads us to truncate the id for kernel module signing keys and to
fail to recognise our own modules:

  [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel key: 62a7c3d2da278be024da4af8652c071f3fea33'
  [ 1.646153] Request for unknown module key 'Build time autogenerated kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

Only apply the prefix strip to raw serial number.

Signed-off-by: Andy Whitcroft --- crypto/asymmetric_keys/x509_public_key.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) While we are here the prefix strip seems pretty odd, only removing just one 0 byte. Is this meant to strip them all (as a while), or was the intent to strip leading 0s from the hex form? Do we have any background to this change? -apw diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 24f17e6..0e16d5e 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -306,10 +306,10 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } else { srlen = cert->raw_serial_size; q = cert->raw_serial; - } - if (srlen > 1 && *q == 0) { - srlen--; - q++; + if (srlen > 1 && *q == 0) { + srlen--; + q++; + } } ret = -ENOMEM;
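
Review bot: the `if (srlen > 1 && *q == 0)` block that now sits inside the raw_serial branch of x509_key_preparse() still carries no comment saying why exactly one leading zero byte is dropped, which is the question the submitter raises under the `---` line. A short comment stating the intent (for instance, that it removes the single 0x00 padding byte a DER INTEGER carries when its top bit is set, if that is the reason) would also record why the subjKeyId path must not be stripped. The commit message shows the mismatch the old placement caused ('62a7c3...' loaded, '0062a7c3...' requested), so it is worth confirming that every other place that forms this id from the subjKeyId also leaves the leading zero in place; none of that code is visible in this hunk.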