Date: Mon, 15 Sep 2014 21:44:57 +0100
From: David Howells <dhowells@...hat.com>
To: vgoyal@...hat.com
Cc: dhowells@...hat.com, keyrings@...ux-nfs.org, linux-kernel@...r.kernel.org
Subject: [PATCH 00/10] KEYS: Improve asymmetric key and PKCS#7 handling [ver #2]

Here are some patches to improve the matching of asymmetric keys and to
improve the handling of PKCS#7 certificates:

 (1) Provide a method to preparse the data supplied for matching a key.
     This permits the key type to extract out the bits it needs for
     matching once only. Further, the type of search (direct lookup or
     iterative) can be set and the function used to actually check the
     match can be set by preparse rather than being hard coded for the
     type.

 (2) Improves asymmetric key identification. Keys derived from X.509
     certs now get labelled with IDs derived from their issuer and
     certificate number (required to match PKCS#7) and from their SKID
     and subject (required to match X.509). IDs are now binary and match
     criterion preparsing is provided so that criteria can be turned into
     binary blobs to make matching faster.

 (3) Improves PKCS#7 message handling to permit PKCS#7 messages without
     X.509 cert lists to be matched to trusted keys, thereby allowing
     minimally sized PKCS#7 certs to be used.

 (4) Improves PKCS#7 message handling to better handle certificate chains
     that are broken due to unsupported crypto that can otherwise be used
     to intersect a trust keyring.

They can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-pkcs7

Changes:

 (*) Documentation for the keys API changes.

 (*) Doc comments and exports put on new key ID functions that are used
     across modules.

 (*) The four debugging 0xff bytes are removed from the middle of key IDs.

 (*) Attempt to suppress the warning about not checking the redundant
     return of hex2bin().

 (*) pkcs->unsupported_crypto can be removed in favour of working the
     error code out in pkcs7_validate_trust() from the error codes of
     pkcs7_validate_trust_one().

 (*) bin2hex() now uses hex_byte_pack().

 (*) KEYRING_SEARCH_LOOKUP_TYPE is unused and got removed.

 (*) ctx.match_data.cmp will always be set in keyring_search() so the
     check for NULL there can be removed.

David
---

David Howells (10):
      Provide a binary to hex conversion function
      KEYS: Preparse match data
      KEYS: Remove key_type::def_lookup_type
      KEYS: Remove key_type::match in favour of overriding default by match_preparse
      KEYS: Make the key matching functions return bool
      KEYS: Update the keyrings documentation for match changes
      KEYS: Implement binary asymmetric key ID handling
      KEYS: Overhaul key identification when searching for asymmetric keys
      PKCS#7: Better handling of unsupported crypto
      PKCS#7: Handle PKCS#7 messages that contain no X.509 certs

 Documentation/security/keys.txt           |   65 +++++++-
 crypto/asymmetric_keys/asymmetric_keys.h  |    8 +
 crypto/asymmetric_keys/asymmetric_type.c  |  222 +++++++++++++++++++++--------
 crypto/asymmetric_keys/pkcs7_key_type.c   |    2
 crypto/asymmetric_keys/pkcs7_parser.c     |   38 ++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |    6 -
 crypto/asymmetric_keys/pkcs7_trust.c      |   82 +++++++----
 crypto/asymmetric_keys/pkcs7_verify.c     |  102 +++++++++----
 crypto/asymmetric_keys/x509_cert_parser.c |   55 ++++---
 crypto/asymmetric_keys/x509_parser.h      |    6 +
 crypto/asymmetric_keys/x509_public_key.c  |  102 ++++++++-----
 fs/cifs/cifs_spnego.c                     |    1
 fs/cifs/cifsacl.c                         |    1
 fs/nfs/idmap.c                            |    2
 include/crypto/public_key.h               |    5 -
 include/keys/asymmetric-type.h            |   38 +++++
 include/keys/user-type.h                  |    1
 include/linux/kernel.h                    |    1
 include/linux/key-type.h                  |   34 ++++
 lib/hexdump.c                             |   16 ++
 net/ceph/crypto.c                         |    1
 net/dns_resolver/dns_key.c                |   18 ++
 net/rxrpc/ar-key.c                        |    2
 security/keys/big_key.c                   |    2
 security/keys/encrypted-keys/encrypted.c  |    1
 security/keys/internal.h                  |   21 +--
 security/keys/key.c                       |    2
 security/keys/keyring.c                   |   58 +++++---
 security/keys/proc.c                      |    8 +
 security/keys/process_keys.c              |   13 +-
 security/keys/request_key.c               |   21 ++-
 security/keys/request_key_auth.c          |    6 -
 security/keys/trusted.c                   |    1
 security/keys/user_defined.c              |   14 --
 34 files changed, 649 insertions(+), 306 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
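The mechanism behind points (1) to (3) of the cover letter, as an added stand-alone C sketch that is not code from the series itself: a trusted key is labelled with two binary IDs, one built from issuer name plus certificate serial (what a PKCS#7 SignerInfo names, so a message carrying no certificate list can still be resolved), the other from subject name plus SubjectKeyIdentifier (what an X.509 AuthorityKeyIdentifier names when walking a chain). A search criterion is "preparsed" into the same binary layout once, so each candidate in the keyring costs one memcmp rather than a re-parse. The ID layout (two length-prefixed components), the struct and function names, the keyring contents and the bin2hex() reimplementation are all assumptions made for this example; the kernel's own asymmetric_key_id and hexdump helpers are not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed ID layout for this demo (not the kernel's struct asymmetric_key_id). */
#define KEY_ID_MAX 128

struct key_id {
	size_t len;
	unsigned char data[KEY_ID_MAX];
};

/* Encode (a, b) as <len a><a><len b><b> so that ("AB","C") and ("A","BC") differ. */
static bool key_id_build(struct key_id *id, const void *a, size_t alen,
			 const void *b, size_t blen)
{
	if (alen > 255 || blen > 255 || alen + blen + 2 > KEY_ID_MAX)
		return false;
	id->len = 0;
	id->data[id->len++] = (unsigned char)alen;
	memcpy(id->data + id->len, a, alen);
	id->len += alen;
	id->data[id->len++] = (unsigned char)blen;
	memcpy(id->data + id->len, b, blen);
	id->len += blen;
	return true;
}

static bool key_id_same(const struct key_id *x, const struct key_id *y)
{
	return x->len == y->len && memcmp(x->data, y->data, x->len) == 0;
}

/* A trusted key carries both IDs the cover letter describes. */
struct asym_key {
	const char *desc;
	struct key_id id_issuer_serial;	/* issuer name + serial: what PKCS#7 SignerInfo names */
	struct key_id id_skid;		/* subject name + SKID: what an X.509 AKID names */
};

enum key_id_kind { KEY_ID_ISSUER_SERIAL, KEY_ID_SKID };

/* Preparsed search: the criterion is already a blob, so each key is one memcmp. */
static int keyring_find(const struct asym_key *ring, size_t nkeys,
			const struct key_id *crit, enum key_id_kind kind)
{
	for (size_t i = 0; i < nkeys; i++) {
		const struct key_id *id = (kind == KEY_ID_ISSUER_SERIAL)
			? &ring[i].id_issuer_serial : &ring[i].id_skid;
		if (key_id_same(id, crit))
			return (int)i;
	}
	return -1;
}

/* Hypothetical stand-in for the series' bin2hex(): lower-case hex, NUL-terminated. */
static char *bin2hex(char *dst, const void *src, size_t count)
{
	static const char digits[] = "0123456789abcdef";
	const unsigned char *s = src;
	char *p = dst;

	for (; count; count--, s++) {
		*p++ = digits[*s >> 4];
		*p++ = digits[*s & 0x0f];
	}
	*p = '\0';
	return dst;
}

/* Constructed trust keyring: a root CA and one signer it issued. */
#define DEMO_KEYS 2
static size_t build_demo_keyring(struct asym_key ring[DEMO_KEYS])
{
	static const unsigned char ca_serial[] = { 0x01 };
	static const unsigned char ca_skid[]   = { 0xaa, 0xbb, 0xcc };
	static const unsigned char ee_serial[] = { 0x10, 0x32 };
	static const unsigned char ee_skid[]   = { 0xdd, 0xee, 0xff };
	const char *ca = "Demo Root CA", *ee = "Demo Signer";

	ring[0].desc = ca;
	key_id_build(&ring[0].id_issuer_serial, ca, strlen(ca), ca_serial, sizeof ca_serial);
	key_id_build(&ring[0].id_skid, ca, strlen(ca), ca_skid, sizeof ca_skid);
	ring[1].desc = ee;
	key_id_build(&ring[1].id_issuer_serial, ca, strlen(ca), ee_serial, sizeof ee_serial);
	key_id_build(&ring[1].id_skid, ee, strlen(ee), ee_skid, sizeof ee_skid);
	return DEMO_KEYS;
}

/* Shared lookup: preparse (name, bytes) into a criterion blob, then search the demo ring. */
static int demo_lookup(const char *name, const unsigned char *bytes, size_t n,
		       enum key_id_kind kind)
{
	struct asym_key ring[DEMO_KEYS];
	struct key_id crit;
	size_t nkeys = build_demo_keyring(ring);

	if (!key_id_build(&crit, name, strlen(name), bytes, n))
		return -1;
	return keyring_find(ring, nkeys, &crit, kind);
}

/* PKCS#7 SignerInfo with no cert list: (issuer, serial) resolves straight to a trusted key. */
static int demo_find_signer(const char *issuer, const unsigned char *serial, size_t n)
{
	return demo_lookup(issuer, serial, n, KEY_ID_ISSUER_SERIAL);
}

/* X.509 chain step: a cert's AKID (issuer name + key identifier) names its issuer's SKID ID. */
static int demo_find_issuer(const char *issuer, const unsigned char *akid, size_t n)
{
	return demo_lookup(issuer, akid, n, KEY_ID_SKID);
}

int main(void)
{
	struct asym_key ring[DEMO_KEYS];
	char hex[2 * KEY_ID_MAX + 1];
	size_t n = build_demo_keyring(ring);

	for (size_t i = 0; i < n; i++)
		printf("%-13s issuer+serial id: %s\n", ring[i].desc,
		       bin2hex(hex, ring[i].id_issuer_serial.data, ring[i].id_issuer_serial.len));
	printf("signer (Demo Root CA, serial 1032) -> key index %d\n",
	       demo_find_signer("Demo Root CA", (const unsigned char[]){ 0x10, 0x32 }, 2));
	return 0;
}
```

The length prefixes are the part worth keeping even in a toy: an ID formed by plain concatenation would let an issuer name that happens to end in the right bytes collide with a different serial, and the whole point of point (2) is that the binary blob is compared as an opaque unit. A criterion that does not fit the layout (too long) yields -1 rather than a partial match.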