lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3739954.1614170410@warthog.procyon.org.uk>
Date:   Wed, 24 Feb 2021 12:40:10 +0000
From:   David Howells <dhowells@...hat.com>
To:     =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@...ikod.net>
Cc:     dhowells@...hat.com, Eric Snowberg <eric.snowberg@...cle.com>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@...ux.microsoft.com>,
        David Woodhouse <dwmw2@...radead.org>,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust

Mickaël Salaün <mic@...ikod.net> wrote:

> > +config SYSTEM_REVOCATION_LIST
> > +	bool "Provide system-wide ring of revocation certificates"
> > +	depends on SYSTEM_BLACKLIST_KEYRING
> > +	depends on PKCS7_MESSAGE_PARSER=y
> 
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.

That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST.  Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.

> I suggest to use the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.

This, you mean?

	config SYSTEM_BLACKLIST_AUTH_UPDATE
		bool "Allow root to add signed blacklist keys"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION

I.e.:

	config SYSTEM_REVOCATION_LIST
		bool "Provide system-wide ring of revocation certificates"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		depends on PKCS7_MESSAGE_PARSER=y

I suppose you could argue the it that way since it's only used for that
purpose.  Note that it does need the PKCS7 dep since it explicitly uses that
code.

> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.

I would suggest merging these changes in so that the error is not found by
bisection.  But the functions really are mislocated:-/

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ