| Message ID | 20171127071724.25874-1-ebiggers3@gmail.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to | Herbert Xu |
On Sun, 26 Nov 2017, Eric Biggers wrote:

> From: Eric Biggers <ebiggers@google.com>
>
> ->pkey_algo used to be an enum, but was changed to a string by commit
> 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum"). But
> two comparisons were not updated. Fix them to use strcmp().
>
> This bug broke signature verification in certain configurations,
> depending on whether the string constants were deduplicated or not.
>
> Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
> Cc: <stable@vger.kernel.org> # v4.6+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
> crypto/asymmetric_keys/x509_public_key.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: James Morris <james.l.morris@oracle.com>
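The failure mode the commit message describes, pointer comparison of two algorithm-name strings that are textually equal but not stored at the same address, reproduced in an added, stand-alone C example. This is not code from the patch or from the kernel tree: `struct public_key` and `struct public_key_signature` are stripped down to the one `pkey_algo` member the patched comparisons read, and `algo_matches_by_pointer`, `algo_matches` and `copy_algo_name` are illustrative names chosen here. The heap copy stands in for a build where the two "rsa" literals were not deduplicated; the fixed comparison is spelled with an explicit `== 0`, as David asks for in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel structs, keeping only the member compared
 * in pkcs7_find_key() and x509_check_for_self_signed(). */
struct public_key {
	const char *pkey_algo;
};

struct public_key_signature {
	const char *pkey_algo;
};

/* Pre-patch behaviour: compares the two pointers, not the text. This is
 * only right if every "rsa" in the image shares one storage location,
 * which neither the C standard nor the linker guarantees. */
static int algo_matches_by_pointer(const struct public_key *pub,
				   const struct public_key_signature *sig)
{
	return pub->pkey_algo == sig->pkey_algo;
}

/* Post-patch behaviour: compares the text, so storage does not matter.
 * Written as "== 0" so the boolean sense reads naturally. */
static int algo_matches(const struct public_key *pub,
			const struct public_key_signature *sig)
{
	return strcmp(pub->pkey_algo, sig->pkey_algo) == 0;
}

/* Simulates a parser that filled in the certificate from its own copy of
 * the name: same text, guaranteed different address from any literal. */
static char *copy_algo_name(const char *name)
{
	size_t len = strlen(name) + 1;
	char *copy = malloc(len);

	if (copy)
		memcpy(copy, name, len);
	return copy;
}

/* Constructed input: public key and signature are both RSA, but the two
 * pkey_algo strings live in different storage. Returns 1 when the pointer
 * comparison wrongly rejects the match that strcmp() accepts, i.e. when
 * the reported bug is reproduced; -1 on allocation failure. */
int pointer_compare_rejects_matching_algo(void)
{
	struct public_key pub;
	struct public_key_signature sig;
	char *copy = copy_algo_name("rsa");
	int bug_reproduced;

	if (!copy)
		return -1;
	pub.pkey_algo = copy;
	sig.pkey_algo = "rsa";
	bug_reproduced = !algo_matches_by_pointer(&pub, &sig) &&
			 algo_matches(&pub, &sig);
	free(copy);
	return bug_reproduced;
}

/* Returns 1 when strcmp() still rejects a genuine algorithm mismatch,
 * so the fix does not loosen the check. */
int strcmp_rejects_mismatched_algo(void)
{
	struct public_key pub = { .pkey_algo = "rsa" };
	struct public_key_signature sig = { .pkey_algo = "ecdsa" };

	return !algo_matches(&pub, &sig);
}

/* The case that masked the bug: two identical literals in one translation
 * unit are usually merged by the compiler, so the pointer comparison
 * happens to succeed. Nothing guarantees it, which is why the breakage
 * depended on the build configuration. Not asserted on for that reason. */
int pointer_compare_with_same_literal(void)
{
	struct public_key pub = { .pkey_algo = "rsa" };
	struct public_key_signature sig = { .pkey_algo = "rsa" };

	return algo_matches_by_pointer(&pub, &sig);
}

int main(void)
{
	printf("pointer compare rejects matching algo (bug): %d\n",
	       pointer_compare_rejects_matching_algo());
	printf("strcmp rejects mismatched algo: %d\n",
	       strcmp_rejects_mismatched_algo());
	printf("pointer compare with same literal (build-dependent): %d\n",
	       pointer_compare_with_same_literal());
	return 0;
}
```

Compile with `cc -Wall -o pkey_algo_cmp pkey_algo_cmp.c` and run it; the first line prints 1 on any conforming compiler, which is the certificate-rejected-although-it-matches outcome the commit message reports.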
Eric Biggers <ebiggers3@gmail.com> wrote:
> if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo))
Can you make this strcmp(...) != 0? I know it may seem picky, but checking
strcmp() in this way kind of inverts the true/false thing.
Thanks,
David
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 2d93d9eccb4d..063d6745c741 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -150,7 +150,7 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, pr_devel("Sig %u: Found cert serial match X.509[%u]\n", sinfo->index, certix); - if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) { + if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo)) { pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", sinfo->index); continue; diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index c9013582c026..9db20abe78a0 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -135,7 +135,7 @@ int x509_check_for_self_signed(struct x509_certificate *cert) } ret = -EKEYREJECTED; - if (cert->pub->pkey_algo != cert->sig->pkey_algo) + if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo)) goto out; ret = public_key_verify_signature(cert->pub, cert->sig);
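Review bot: in the pkcs7_find_key() hunk, `if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo))` reads as "if they match" to a quick reader when it means the opposite; spelling it `strcmp(...) != 0` makes the rejection branch explicit, as David asks. Worth a second confirmation in the commit message that both pkey_algo pointers are always populated by the X.509 and PKCS#7 parsers before this point, since strcmp() dereferences both while the old pointer comparison tolerated NULL on either side. The substance of the change is right: the pointer test only passed when the linker happened to merge the two algorithm-name literals, so on a non-merging build the signer's certificate hit the "X.509 algo and PKCS#7 sig algo don't match" warning and was skipped via `continue` even though its key was the correct one.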
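Review bot: same readability point in the x509_check_for_self_signed() hunk: `if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo)) goto out;` sits directly after `ret = -EKEYREJECTED;`, so the reader has to work out that the non-zero (mismatch) result is the rejection path; `!= 0` would make that obvious. The effect of the old comparison here was that a genuinely self-signed certificate was rejected with -EKEYREJECTED before public_key_verify_signature() ever ran whenever the two "rsa" literals were not merged, which matches the "broke signature verification in certain configurations" description and is worth stating explicitly for the stable backport.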