lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAK7LNATa8jxRzbf7Wec3WYtBW7-DF2c+uMi+wjJddHziWquQ3g@mail.gmail.com>
Date:   Tue, 31 Jan 2023 02:21:37 +0900
From:   Masahiro Yamada <masahiroy@...nel.org>
To:     Jan Lübbe <jlu@...gutronix.de>
Cc:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        keyrings@...r.kernel.org, linux-kbuild@...r.kernel.org,
        linux-kernel@...r.kernel.org, kernel@...gutronix.de
Subject: Re: [PATCH 1/2] certs: Fix build error when PKCS#11 URI contains semicolon

On Tue, Jan 31, 2023 at 1:43 AM Jan Lübbe <jlu@...gutronix.de> wrote:
>
> On Tue, 2023-01-31 at 00:18 +0900, Masahiro Yamada wrote:
> > On Mon, Jan 30, 2023 at 11:16 PM Jan Luebbe <jlu@...gutronix.de> wrote:
> > >
> > > When CONFIG_MODULE_SIG_KEY is PKCS#11 URI (pkcs11:*) and contains a
> > > semicolon, signing_key.x509 fails to build:
> > >
> > >   certs/extract-cert pkcs11:token=foo;object=bar;pin-value=1111 certs/signing_key.x509
> > >   Usage: extract-cert <source> <dest>
> > >
> > > Add quotes to the PKCS11_URI variable to avoid splitting by the shell.
> > >
> > > Fixes: 129ab0d2d9f3 ("kbuild: do not quote string values in include/config/auto.conf")
> > > Signed-off-by: Jan Luebbe <jlu@...gutronix.de>
> > > ---
> > >  certs/Makefile | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/certs/Makefile b/certs/Makefile
> > > index 9486ed924731..cda21811ed88 100644
> > > --- a/certs/Makefile
> > > +++ b/certs/Makefile
> > > @@ -67,7 +67,7 @@ $(obj)/system_certificates.o: $(obj)/signing_key.x509
> > >
> > >  PKCS11_URI := $(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY))
> > >  ifdef PKCS11_URI
> > > -$(obj)/signing_key.x509: extract-cert-in := $(PKCS11_URI)
> > > +$(obj)/signing_key.x509: extract-cert-in := "$(PKCS11_URI)"
> > >  endif
> > >
> > >  $(obj)/signing_key.x509: $(filter-out $(PKCS11_URI),$(CONFIG_MODULE_SIG_KEY)) $(obj)/extract-cert FORCE
> > > --
> > > 2.30.2
> > >
> >
> > Instead, how about this?
> >
> >
> >
> >
> > diff --git a/certs/Makefile b/certs/Makefile
> > index 9486ed924731..799ad7b9e68a 100644
> > --- a/certs/Makefile
> > +++ b/certs/Makefile
> > @@ -23,8 +23,8 @@ $(obj)/blacklist_hash_list:
> > $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
> >  targets += blacklist_hash_list
> >
> >  quiet_cmd_extract_certs  = CERT    $@
> > -      cmd_extract_certs  = $(obj)/extract-cert $(extract-cert-in) $@
> > -extract-cert-in = $(or $(filter-out $(obj)/extract-cert, $(real-prereqs)),"")
> > +      cmd_extract_certs  = $(obj)/extract-cert "$(extract-cert-in)" $@
> > +extract-cert-in = $(filter-out $(obj)/extract-cert, $(real-prereqs))
> >
> >  $(obj)/system_certificates.o: $(obj)/x509_certificate_list
>
> Thanks, this works im my tests, too.



Can you send v2, please?

I do not come up with a cleaner way for 2/2,
so I am fine with it.







>
> Regards,
> Jan
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



-- 
Best Regards
Masahiro Yamada

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ