[1/1] x509: only prefix strip raw serial numbers

Message ID	24348.1442442567@warthog.procyon.org.uk (mailing list archive)
State	Not Applicable
Delegated to:	Herbert Xu
Headers	show Return-Path: <linux-crypto-owner@kernel.org> Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells <dhowells@redhat.com> In-Reply-To: <1442218417-24897-1-git-send-email-apw@canonical.com> References: <1442218417-24897-1-git-send-email-apw@canonical.com> To: Andy Whitcroft <apw@canonical.com> Cc: dhowells@redhat.com, Herbert Xu <herbert@gondor.apana.org.au>, arjan@linux.intel.com, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 1/1] x509: only prefix strip raw serial numbers MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <24347.1442442567.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Wed, 16 Sep 2015 23:29:27 +0100 Message-ID: <24348.1442442567@warthog.procyon.org.uk> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk

Message ID

24348.1442442567@warthog.procyon.org.uk (mailing list archive)

State

Not Applicable

Delegated to:

Herbert Xu

Headers

Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
	Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
	Kingdom.
	Registered in England and Wales under Company Registration No.
	3798903
From: David Howells <dhowells@redhat.com>
In-Reply-To: <1442218417-24897-1-git-send-email-apw@canonical.com>
References: <1442218417-24897-1-git-send-email-apw@canonical.com>
To: Andy Whitcroft <apw@canonical.com>
Cc: dhowells@redhat.com, Herbert Xu <herbert@gondor.apana.org.au>,
	arjan@linux.intel.com, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] x509: only prefix strip raw serial numbers
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <24347.1442442567.1@warthog.procyon.org.uk>
Content-Transfer-Encoding: 8BIT
Date: Wed, 16 Sep 2015 23:29:27 +0100
Message-ID: <24348.1442442567@warthog.procyon.org.uk>
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk

Commit Message

David Howells Sept. 16, 2015, 10:29 p.m. UTC

Hi Andy,

Okay, it seems that the 00-stripping you pointed out is the problem.  Does
this patch fix it?  Note that patch won't necessarily apply post-4.2.

David
---
commit fefc5570aa2c88985f62f0f3335428c867103763
Author: David Howells <dhowells@redhat.com>
Date:   Wed Sep 16 23:10:24 2015 +0100

    MODSIGN: Don't strip leading 00's from key ID when constructing key description
    
    Don't strip leading zeros from the crypto key ID when using it to construct
    the struct key description as the signature in kernels up to and including
    4.2 matched this aspect of the key.  This means that 1 in 256 keys won't
    actually match if their key ID begins with 00.
    
    The key ID is stored in the module signature as binary and so must be
    converted to text in order to invoke request_key() - but it isn't stripped
    at this point.
    
    Something like this is likely to be observed in dmesg when the key is loaded:
    
    [    1.572423] Loaded X.509 cert 'Build time autogenerated kernel
        key: 62a7c3d2da278be024da4af8652c071f3fea33'
    
    followed by this when we try and use it:
    
      [    1.646153] Request for unknown module key 'Build time autogenerated
        kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11
    
    The 'Loaded' line should show an extra '00' on the front of the hex string.
    
    This problem should not affect 4.3-rc1 and onwards because there the key
    should be matched on one of its auxiliary identities rather than the key
    struct's description string.
    
    Reported-by: Arjan van de Ven <arjan@linux.intel.com>
    Reported-by: Andy Whitcroft <apw@canonical.com>
    Signed-off-by: David Howells <dhowells@redhat.com>

--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 24f17e6c5904..4c850ac474e2 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -307,10 +307,6 @@  static int x509_key_preparse(struct key_preparsed_payload *prep)
 		srlen = cert->raw_serial_size;
 		q = cert->raw_serial;
 	}
-	if (srlen > 1 && *q == 0) {
-		srlen--;
-		q++;
-	}
 
 	ret = -ENOMEM;
 	desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);

[1/1] x509: only prefix strip raw serial numbers

Commit Message

Patch