[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210210120410.471693-4-mic@digikod.net>
Date: Wed, 10 Feb 2021 13:04:08 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
Jarkko Sakkinen <jarkko@...nel.org>
Cc: Mickaël Salaün <mic@...ikod.net>,
"David S . Miller" <davem@...emloft.net>,
Eric Snowberg <eric.snowberg@...cle.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
James Morris <jmorris@...ei.org>,
Mickaël Salaün <mic@...ux.microsoft.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
"Serge E . Hallyn" <serge@...lyn.com>,
Tyler Hicks <tyhicks@...ux.microsoft.com>,
keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [PATCH v6 3/5] certs: Make blacklist_vet_description() more strict
From: Mickaël Salaün <mic@...ux.microsoft.com>
Before exposing this new key type to user space, make sure that only
meaningful blacklisted hashes are accepted. This is also checked for
builtin blacklisted hashes, but a following commit make sure that the
user will notice (at built time) and will fix the configuration if it
already included errors.
Check that a blacklist key description starts with a valid prefix and
then a valid hexadecimal string.
Cc: David Howells <dhowells@...hat.com>
Cc: David Woodhouse <dwmw2@...radead.org>
Cc: Eric Snowberg <eric.snowberg@...cle.com>
Signed-off-by: Mickaël Salaün <mic@...ux.microsoft.com>
Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
---
Changes since v5:
* Add Reviewed-by Jarkko.
Changes since v2:
* Fix typo in blacklist_vet_description() comment, spotted by Tyler
Hicks.
* Add Jarkko's Acked-by.
Changes since v1:
* Return ENOPKG (instead of EINVAL) when a hash is greater than the
maximum currently known hash (suggested by David Howells).
---
certs/blacklist.c | 46 ++++++++++++++++++++++++++++++++++++----------
1 file changed, 36 insertions(+), 10 deletions(-)
diff --git a/certs/blacklist.c b/certs/blacklist.c
index f467b10030fb..069d1dd0fa05 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -19,6 +19,16 @@
#include "blacklist.h"
#include "common.h"
+/*
+ * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
+ * the size of the currently longest supported hash algorithm is 512 bits,
+ * which translates into 128 hex characters.
+ */
+#define MAX_HASH_LEN 128
+
+static const char tbs_prefix[] = "tbs";
+static const char bin_prefix[] = "bin";
+
static struct key *blacklist_keyring;
extern __initconst const u8 revocation_certificate_list[];
@@ -30,24 +40,40 @@ extern __initconst const unsigned long revocation_certificate_list_size;
*/
static int blacklist_vet_description(const char *desc)
{
- int n = 0;
-
- if (*desc == ':')
- return -EINVAL;
- for (; *desc; desc++)
- if (*desc == ':')
- goto found_colon;
+ int i, prefix_len, tbs_step = 0, bin_step = 0;
+
+ /* The following algorithm only works if prefix lengths match. */
+ BUILD_BUG_ON(sizeof(tbs_prefix) != sizeof(bin_prefix));
+ prefix_len = sizeof(tbs_prefix) - 1;
+ for (i = 0; *desc; desc++, i++) {
+ if (*desc == ':') {
+ if (tbs_step == prefix_len)
+ goto found_colon;
+ if (bin_step == prefix_len)
+ goto found_colon;
+ return -EINVAL;
+ }
+ if (i >= prefix_len)
+ return -EINVAL;
+ if (*desc == tbs_prefix[i])
+ tbs_step++;
+ if (*desc == bin_prefix[i])
+ bin_step++;
+ }
return -EINVAL;
found_colon:
desc++;
- for (; *desc; desc++) {
+ for (i = 0; *desc && i < MAX_HASH_LEN; desc++, i++) {
if (!isxdigit(*desc) || isupper(*desc))
return -EINVAL;
- n++;
}
+ if (*desc)
+ /* The hash is greater than MAX_HASH_LEN. */
+ return -ENOPKG;
- if (n == 0 || n & 1)
+ /* Checks for an even number of hexadecimal characters. */
+ if (i == 0 || i & 1)
return -EINVAL;
return 0;
}
--
2.30.0
Powered by blists - more mailing lists