Message-ID: <1416837968.25352.34.camel@dhcp-9-2-203-236.watson.ibm.com>
Date:	Mon, 24 Nov 2014 09:06:08 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	mmarek@...e.cz, d.kasatkin@...sung.com, rusty@...tcorp.com.au,
	vgoyal@...hat.com, keyrings@...ux-nfs.org,
	linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures

On Thu, 2014-11-20 at 16:54 +0000, David Howells wrote:

> 
>  /*
> @@ -186,12 +81,8 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,
>   */
>  int mod_verify_sig(const void *mod, unsigned long *_modlen)
>  {
> -	struct public_key_signature *pks;
>  	struct module_signature ms;
> -	struct key *key;
> -	const void *sig;
>  	size_t modlen = *_modlen, sig_len;
> -	int ret;
> 
>  	pr_devel("==>%s(,%zu)\n", __func__, modlen);
> 
> @@ -205,46 +96,23 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
>  	if (sig_len >= modlen)
>  		return -EBADMSG;
>  	modlen -= sig_len;
> -	if ((size_t)ms.signer_len + ms.key_id_len >= modlen)
> -		return -EBADMSG;
> -	modlen -= (size_t)ms.signer_len + ms.key_id_len;
> -
>  	*_modlen = modlen;
> -	sig = mod + modlen;
> -
> -	/* For the moment, only support RSA and X.509 identifiers */
> -	if (ms.algo != PKEY_ALGO_RSA ||
> -	    ms.id_type != PKEY_ID_X509)
> -		return -ENOPKG;
> 
> -	if (ms.hash >= PKEY_HASH__LAST ||
> -	    !hash_algo_name[ms.hash])
> +	if (ms.id_type != PKEY_ID_PKCS7) {
> +		pr_err("Module is not signed with expected PKCS#7 message\n");
>  		return -ENOPKG;
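
Review bot: the only `struct module_signature` field still tested in this hunk is `ms.id_type`; the removed lines were the ones that bounded `ms.signer_len + ms.key_id_len` against `modlen` and checked `ms.algo` and `ms.hash`, and nothing in the lines quoted here replaces them. A header that claims PKEY_ID_PKCS7 but carries nonzero values in those fields would pass this test with the values silently ignored. Consider rejecting such a header (for example with -EBADMSG) next to the `id_type` test, so that the now-unused fields must be zero and cannot be repurposed or misread by older tooling.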

Perhaps because modules are resigned with each kernel build, it is
acceptable to totally replace one signature format with another like
this, and fail the old method.

Mimi
