lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com>
Date:   Sat, 18 Nov 2017 12:47:11 +0800
From:   Dave Young <dyoung@...hat.com>
To:     David Howells <dhowells@...hat.com>
Cc:     keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
        kexec@...ts.infradead.org
Subject: [PATCH] certs: always use secondary keyring first if possible

Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current
users of verify_pkcs7_signature are below:
net/wireless/reg.c : uses its own trusted_keys
kernel/module_signing.c : pass NULL trusted_keys 
crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys

For both module and pefile verification, there is no reason to use builtin
keys only. Actually in Fedora kernel module signing code passes 1UL, but
kexec code does not pass 1UL for pefile verification thus we have below bug
https://bugzilla.redhat.com/show_bug.cgi?id=1470995

Drop the hard code 1UL checking so that pefile verification can use
secondary keyring as well.

Signed-off-by: Dave Young <dyoung@...hat.com>
---
 certs/system_keyring.c |    2 --
 1 file changed, 2 deletions(-)

--- linux-x86.orig/certs/system_keyring.c
+++ linux-x86/certs/system_keyring.c
@@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d
 		goto error;
 
 	if (!trusted_keys) {
-		trusted_keys = builtin_trusted_keys;
-	} else if (trusted_keys == (void *)1UL) {
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 		trusted_keys = secondary_trusted_keys;
 #else

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ