lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 03 Oct 2014 16:54:29 +0100
From:	David Howells <dhowells@...hat.com>
To:	Dmitry Kasatkin <d.kasatkin@...sung.com>
Cc:	dhowells@...hat.com, zohar@...ux.vnet.ibm.com,
	linux-ima-devel@...ts.sourceforge.net,
	linux-security-module@...r.kernel.org, jmorris@...ei.org,
	rusty@...tcorp.com.au, keyrings@...ux-nfs.org,
	linux-kernel@...r.kernel.org, dmitry.kasatkin@...il.com
Subject: [PATCH] X.509: If available, use the raw subjKeyId to form the key description

Module signing matches keys by comparing against the key description exactly.
However, the way the key description gets constructed got changed to be
composed of the subject name plus the certificate serial number instead of the
subject name and the subjectKeyId.  I changed this to avoid problems with
certificates that don't *have* a subjectKeyId.

Instead, if available, use the raw subjectKeyId to form the key description
and only use the serial number if the subjectKeyId doesn't exist.

Reported-by: Dmitry Kasatkin <d.kasatkin@...sung.com>
Signed-off-by: David Howells <dhowells@...hat.com>
---
 x509_cert_parser.c |    2 ++
 x509_parser.h      |    2 ++
 x509_public_key.c  |    9 +++++++--
 3 files changed, 11 insertions(+), 2 deletions(-)


diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 96151b2b91a2..393706f33fa5 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -435,6 +435,8 @@ int x509_process_extension(void *context, size_t hdrlen,
 		v += 2;
 		vlen -= 2;
 
+		ctx->cert->raw_skid_size = vlen;
+		ctx->cert->raw_skid = v;
 		kid = asymmetric_key_generate_id(v, vlen,
 						 ctx->cert->raw_subject,
 						 ctx->cert->raw_subject_size);
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 4e1a384901ed..3f0f0f081621 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -34,6 +34,8 @@ struct x509_certificate {
 	const void	*raw_issuer;		/* Raw issuer name in ASN.1 */
 	const void	*raw_subject;		/* Raw subject name in ASN.1 */
 	unsigned	raw_subject_size;
+	unsigned	raw_skid_size;
+	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 1d9a4c555376..8bffb06b2683 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -279,8 +279,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 
 	/* Propose a description */
 	sulen = strlen(cert->subject);
-	srlen = cert->raw_serial_size;
-	q = cert->raw_serial;
+	if (cert->raw_skid) {
+		srlen = cert->raw_skid_size;
+		q = cert->raw_skid;
+	} else {
+		srlen = cert->raw_serial_size;
+		q = cert->raw_serial;
+	}
 	if (srlen > 1 && *q == 0) {
 		srlen--;
 		q++;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ