| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 05 Jan 2016 15:55:40 +0000 From: David Howells <dhowells@...hat.com> To: unlisted-recipients:; (no To-header on input) Cc: dhowells@...hat.com, dwmw2@...radead.org, David Woodhouse <David.Woodhouse@...el.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, Mimi Zohar <zohar@...ux.vnet.ibm.com> Subject: Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2] David Howells <dhowells@...hat.com> wrote: > If a certificate is self-signed, don't bother checking the validity of the > signature. The cert cannot be checked by validation against the next one > in the chain as this is the root of the chain. Trust for this certificate > can only be determined by whether we obtained it from a trusted location > (ie. it was built into the kernel at compile time). > > This also fixes a bug whereby certificates were being assumed to be > self-signed if they had neither AKID nor SKID, the symptoms of which show > up as an attempt to load a certificate failing with -ERANGE or -EBADMSG. > This is produced from the RSA module when the result of calculating "m = > s^e mod n" is checked. Oops - I forgot to change the patch description. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists