lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20240818165756.629203-10-roberto.sassu@huaweicloud.com>
Date: Sun, 18 Aug 2024 18:57:51 +0200
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: dhowells@...hat.com,
	dwmw2@...radead.org,
	herbert@...dor.apana.org.au,
	davem@...emloft.net
Cc: linux-kernel@...r.kernel.org,
	keyrings@...r.kernel.org,
	linux-crypto@...r.kernel.org,
	zohar@...ux.ibm.com,
	linux-integrity@...r.kernel.org,
	Roberto Sassu <roberto.sassu@...wei.com>
Subject: [PATCH v2 09/14] KEYS: Retry asym key search with partial ID in restrict_link_by_signature()

From: Roberto Sassu <roberto.sassu@...wei.com>

Retry asymmetric key search in restrict_link_by_signature() to support the
case of partial IDs, provided by PGP signatures (only the last 8 bytes).

Although recently draft-ietf-openpgp-rfc4880bis-10 supports the signature
subpacket type 33, which contains the full issuer fingerprint, we cannot
rely on existing signatures to support it.

Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
Signed-off-by: David Howells <dhowells@...hat.com>
---
 crypto/asymmetric_keys/restrict.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index afcd4d101ac5..dd3d4b3405f7 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -97,8 +97,14 @@ int restrict_link_by_signature(struct key *dest_keyring,
 	key = find_asymmetric_key(trust_keyring,
 				  sig->auth_ids[0], sig->auth_ids[1],
 				  sig->auth_ids[2], false);
-	if (IS_ERR(key))
-		return -ENOKEY;
+	if (IS_ERR(key)) {
+		/* Retry with a partial ID. */
+		key = find_asymmetric_key(trust_keyring,
+					  sig->auth_ids[0], sig->auth_ids[1],
+					  sig->auth_ids[2], true);
+		if (IS_ERR(key))
+			return -ENOKEY;
+	}
 
 	if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
 		ret = -ENOKEY;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ