summaryrefslogtreecommitdiff
path: root/crypto/asymmetric_keys
AgeCommit message (Collapse)AuthorFilesLines
2016-04-05PKCS#7: fix missing break on OID_sha224 caseColin Ian King1-0/+1
The OID_sha224 case is missing a break and it falls through to the -ENOPKG error default. Since HASH_ALGO_SHA224 seems to be supported, this looks like an unintentional missing break. Fixes: 07f081fb5057 ("PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them") Cc: <stable@vger.kernel.org> # 4.2+ Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-03-30Merge branch 'linus' of ↵Linus Torvalds1-0/+2
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: "This fixes a bug in pkcs7_validate_trust and its users where the output value may in fact be taken from uninitialised memory" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
2016-03-23PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argumentNicolai Stange1-0/+2
Despite what the DocBook comment to pkcs7_validate_trust() says, the *_trusted argument is never set to false. pkcs7_validate_trust() only positively sets *_trusted upon encountering a trusted PKCS#7 SignedInfo block. This is quite unfortunate since its callers, system_verify_data() for example, depend on pkcs7_validate_trust() clearing *_trusted on non-trust. Indeed, UBSAN splats when attempting to load the uninitialized local variable 'trusted' from system_verify_data() in pkcs7_validate_trust(): UBSAN: Undefined behaviour in crypto/asymmetric_keys/pkcs7_trust.c:194:14 load of value 82 is not a valid value for type '_Bool' [...] Call Trace: [<ffffffff818c4d35>] dump_stack+0xbc/0x117 [<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169 [<ffffffff8194113b>] ubsan_epilogue+0xd/0x4e [<ffffffff819419fa>] __ubsan_handle_load_invalid_value+0x111/0x158 [<ffffffff819418e9>] ? val_to_string.constprop.12+0xcf/0xcf [<ffffffff818334a4>] ? x509_request_asymmetric_key+0x114/0x370 [<ffffffff814b83f0>] ? kfree+0x220/0x370 [<ffffffff818312c2>] ? public_key_verify_signature_2+0x32/0x50 [<ffffffff81835e04>] pkcs7_validate_trust+0x524/0x5f0 [<ffffffff813c391a>] system_verify_data+0xca/0x170 [<ffffffff813c3850>] ? top_trace_array+0x9b/0x9b [<ffffffff81510b29>] ? __vfs_read+0x279/0x3d0 [<ffffffff8129372f>] mod_verify_sig+0x1ff/0x290 [...] The implication is that pkcs7_validate_trust() effectively grants trust when it really shouldn't have. Fix this by explicitly setting *_trusted to false at the very beginning of pkcs7_validate_trust(). Cc: <stable@vger.kernel.org> Signed-off-by: Nicolai Stange <nicstange@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-03-04X.509: Make algo identifiers text instead of enumDavid Howells8-67/+46
Make the identifier public key and digest algorithm fields text instead of enum. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-03-04akcipher: Move the RSA DER encoding check to the crypto layerDavid Howells4-243/+93
Move the RSA EMSA-PKCS1-v1_5 encoding from the asymmetric-key public_key subtype to the rsa crypto module's pkcs1pad template. This means that the public_key subtype no longer has any dependencies on public key type. To make this work, the following changes have been made: (1) The rsa pkcs1pad template is now used for RSA keys. This strips off the padding and returns just the message hash. (2) In a previous patch, the pkcs1pad template gained an optional second parameter that, if given, specifies the hash used. We now give this, and pkcs1pad checks the encoded message E(M) for the EMSA-PKCS1-v1_5 encoding and verifies that the correct digest OID is present. (3) The crypto driver in crypto/asymmetric_keys/rsa.c is now reduced to something that doesn't care about what the encryption actually does and and has been merged into public_key.c. (4) CONFIG_PUBLIC_KEY_ALGO_RSA is gone. Module signing must set CONFIG_CRYPTO_RSA=y instead. Thoughts: (*) Should the encoding style (eg. raw, EMSA-PKCS1-v1_5) also be passed to the padding template? Should there be multiple padding templates registered that share most of the code? Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-02-29X.509: Handle midnight alternative notation in GeneralizedTimeDavid Howells1-1/+1
The ASN.1 GeneralizedTime object carries an ISO 8601 format date and time. The time is permitted to show midnight as 00:00 or 24:00 (the latter being equivalent of 00:00 of the following day). The permitted value is checked in x509_decode_time() but the actual handling is left to mktime64(). Without this patch, certain X.509 certificates will be rejected and could lead to an unbootable kernel. Note that with this patch we also permit any 24:mm:ss time and extend this to UTCTime, which whilst not strictly correct don't permit much leeway in fiddling date strings. Reported-by: Rudolf Polzer <rpolzer@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> cc: David Woodhouse <David.Woodhouse@intel.com> cc: John Stultz <john.stultz@linaro.org>
2016-02-29X.509: Support leap secondsDavid Howells1-1/+1
The format of ASN.1 GeneralizedTime seems to be specified by ISO 8601 [X.680 46.3] and this apparently supports leap seconds (ie. the seconds field is 60). It's not entirely clear that ASN.1 expects it, but we can relax the seconds check slightly for GeneralizedTime. This results in us passing a time with sec as 60 to mktime64(), which handles it as being a duplicate of the 0th second of the next minute. We can't really do otherwise without giving the kernel much greater knowledge of where all the leap seconds are. Unfortunately, this would require change the mapping of the kernel's current-time-in-seconds. UTCTime, however, only supports a seconds value in the range 00-59, but for the sake of simplicity allow this with UTCTime also. Without this patch, certain X.509 certificates will be rejected, potentially making a kernel unbootable. Reported-by: Rudolf Polzer <rpolzer@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> cc: David Woodhouse <David.Woodhouse@intel.com> cc: John Stultz <john.stultz@linaro.org>
2016-02-29X.509: Fix leap year handling againDavid Howells1-4/+4
There are still a couple of minor issues in the X.509 leap year handling: (1) To avoid doing a modulus-by-400 in addition to a modulus-by-100 when determining whether the year is a leap year or not, I divided the year by 100 after doing the modulus-by-100, thereby letting the compiler do one instruction for both, and then did a modulus-by-4. Unfortunately, I then passed the now-modified year value to mktime64() to construct a time value. Since this isn't a fast path and since mktime64() does a bunch of divisions, just condense down to "% 400". It's also easier to read. (2) The default month length for any February where the year doesn't divide by four exactly is obtained from the month_length[] array where the value is 29, not 28. This is fixed by altering the table. Reported-by: Rudolf Polzer <rpolzer@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: David Woodhouse <David.Woodhouse@intel.com> Acked-by: Arnd Bergmann <arnd@arndb.de> cc: stable@vger.kernel.org
2016-02-29PKCS#7: fix unitialized boolean 'want'Colin Ian King1-1/+1
The boolean want is not initialized and hence garbage. The default should be false (later it is only set to true on tne sinfo->authattrs check). Found with static analysis using CoverityScan Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David Howells <dhowells@redhat.com>
2016-02-10crypto: KEYS: convert public key and digsig asym to the akcipher apiTadeusz Struk11-271/+124
This patch converts the module verification code to the new akcipher API. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David Howells <dhowells@redhat.com>
2016-02-09crypto: keys - Revert "convert public key to akcipher api"Herbert Xu11-124/+272
This needs to go through the security tree so I'm reverting the patches for now. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-02-06crypto: asymmetric_keys - convert public key and digsig asym to the akcipher apiTadeusz Struk11-272/+124
This patch converts the module verification code to the new akcipher API. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-01-25PKCS#7: Don't require SpcSpOpusInfo in Authenticode pkcs7 signaturesPeter Jones1-3/+1
Dave Young reported: > Hi, > > I saw the warning "Missing required AuthAttr" when testing kexec, > known issue? Idea about how to fix it? > > The kernel is latest linus tree plus sevral patches from Toshi to > cleanup io resource structure. > > in function pkcs7_sig_note_set_of_authattrs(): > if (!test_bit(sinfo_has_content_type, &sinfo->aa_set) || > !test_bit(sinfo_has_message_digest, &sinfo->aa_set) || > (ctx->msg->data_type == OID_msIndirectData && > !test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set))) { > pr_warn("Missing required AuthAttr\n"); > return -EBADMSG; > } > > The third condition below is true: > (ctx->msg->data_type == OID_msIndirectData && > !test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) > > I signed the kernel with redhat test key like below: > pesign -c 'Red Hat Test Certificate' -i arch/x86/boot/bzImage -o /boot/vmlinuz-4.4.0-rc8+ -s --force And right he is! The Authenticode specification is a paragon amongst technical documents, and has this pearl of wisdom to offer: --------------------------------- Authenticode-Specific SignerInfo UnauthenticatedAttributes Structures The following Authenticode-specific data structures are present in SignerInfo authenticated attributes. SpcSpOpusInfo SpcSpOpusInfo is identified by SPC_SP_OPUS_INFO_OBJID (1.3.6.1.4.1.311.2.1.12) and is defined as follows: SpcSpOpusInfo ::= SEQUENCE { programName [0] EXPLICIT SpcString OPTIONAL, moreInfo [1] EXPLICIT SpcLink OPTIONAL, } --#public-- SpcSpOpusInfo has two fields: programName This field contains the program description: If publisher chooses not to specify a description, the SpcString structure contains a zero-length program name. If the publisher chooses to specify a description, the SpcString structure contains a Unicode string. moreInfo This field is set to an SPCLink structure that contains a URL for a Web site with more information about the signer. The URL is an ASCII string. --------------------------------- Which is to say that this is an optional *unauthenticated* field which may be present in the Authenticated Attribute list. This is not how pkcs7 is supposed to work, so when David implemented this, he didn't appreciate the subtlety the original spec author was working with, and missed the part of the sublime prose that says this Authenticated Attribute is an Unauthenticated Attribute. As a result, the code in question simply takes as given that the Authenticated Attributes should be authenticated. But this one should not, individually. Because it says it's not authenticated. It still has to hash right so the TBS digest is correct. So it is both authenticated and unauthenticated, all at once. Truly, a wonder of technical accomplishment. Additionally, pesign's implementation has always attempted to be compatible with the signatures emitted from contemporary versions of Microsoft's signtool.exe. During the initial implementation, Microsoft signatures always produced the same values for SpcSpOpusInfo - {U"Microsoft Windows", "http://www.microsoft.com"} - without regard to who the signer was. Sometime between Windows 8 and Windows 8.1 they stopped including the field in their signatures altogether, and as such pesign stopped producing them in commits c0c4da6 and d79cb0c, sometime around June of 2012. The theory here is that anything that breaks with pesign signatures would also be breaking with signtool.exe sigs as well, and that'll be a more noticed problem for firmwares parsing it, so it'll get fixed. The fact that we've done exactly this bug in Linux code is first class, grade A irony. So anyway, we should not be checking this field for presence or any particular value: if the field exists, it should be at the right place, but aside from that, as long as the hash matches the field is good. Signed-off-by: Peter Jones <pjones@redhat.com> Tested-by: Dave Young <dyoung@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2016-01-18Merge branch 'for-linus' of ↵Linus Torvalds1-0/+2
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: - EVM gains support for loading an x509 cert from the kernel (EVM_LOAD_X509), into the EVM trusted kernel keyring. - Smack implements 'file receive' process-based permission checking for sockets, rather than just depending on inode checks. - Misc enhancments for TPM & TPM2. - Cleanups and bugfixes for SELinux, Keys, and IMA. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits) selinux: Inode label revalidation performance fix KEYS: refcount bug fix ima: ima_write_policy() limit locking IMA: policy can be updated zero times selinux: rate-limit netlink message warnings in selinux_nlmsg_perm() selinux: export validatetrans decisions gfs2: Invalid security labels of inodes when they go invalid selinux: Revalidate invalid inode security labels security: Add hook to invalidate inode security labels selinux: Add accessor functions for inode->i_security security: Make inode argument of inode_getsecid non-const security: Make inode argument of inode_getsecurity non-const selinux: Remove unused variable in selinux_inode_init_security keys, trusted: seal with a TPM2 authorization policy keys, trusted: select hash algorithm for TPM2 chips keys, trusted: fix: *do not* allow duplicate key options tpm_ibmvtpm: properly handle interrupted packet receptions tpm_tis: Tighten IRQ auto-probing tpm_tis: Refactor the interrupt setup tpm_tis: Get rid of the duplicate IRQ probing code ...
2015-12-15IMA: create machine owner and blacklist keyringsPetko Manolov1-0/+2
This option creates IMA MOK and blacklist keyrings. IMA MOK is an intermediate keyring that sits between .system and .ima keyrings, effectively forming a simple CA hierarchy. To successfully import a key into .ima_mok it must be signed by a key which CA is in .system keyring. On turn any key that needs to go in .ima keyring must be signed by CA in either .system or .ima_mok keyrings. IMA MOK is empty at kernel boot. IMA blacklist keyring contains all revoked IMA keys. It is consulted before any other keyring. If the search is successful the requested operation is rejected and error is returned to the caller. Signed-off-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2015-12-11crypto: asymmetric_keys - signature.c does not need <module.h>Paul Gortmaker1-1/+1
This file does not contain any modular related function calls. So get rid of module.h since it drags in a lot of other headers and adds to the preprocessing load. It does export some symbols though, so we'll need to ensure it has export.h present instead. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-11-12X.509: Fix the time validation [ver #2]David Howells1-5/+7
This fixes CVE-2015-5327. It affects kernels from 4.3-rc1 onwards. Fix the X.509 time validation to use month number-1 when looking up the number of days in that month. Also put the month number validation before doing the lookup so as not to risk overrunning the array. This can be tested by doing the following: cat <<EOF | openssl x509 -outform DER | keyctl padd asymmetric "" @s -----BEGIN CERTIFICATE----- MIIDbjCCAlagAwIBAgIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV BAoMCGxvY2FsLWNhMRQwEgYDVQQDDAtzaWduaW5nIGtleTAeFw0xNTA5MDEyMTMw MThaFw0xNjA4MzEyMTMwMThaMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQwEgYDVQQD DAtzaWduaW5nIGtleTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrn crcMfMeG67nagX4+m02Xk9rkmsMKI5XTUxbikROe7GSUVJ27sPVPZp4mgzoWlvhh jfK8CC/qhEhwep8Pgg4EJZyWOjhZb7R97ckGvLIoUC6IO3FC2ZnR7WtmWDgo2Jcj VlXwJdHhKU1VZwulh81O61N8IBKqz2r/kDhIWiicUCUkI/Do/RMRfKAoDBcSh86m gOeIAGfq62vbiZhVsX5dOE8Oo2TK5weAvwUIOR7OuGBl5AqwFlPnXQolewiHzKry THg9e44HfzG4Mi6wUvcJxVaQT1h5SrKD779Z5+8+wf1JLaooetcEUArvWyuxCU59 qxA4lsTjBwl4cmEki+cCAwEAAaOBmDCBlTAMBgNVHRMEBTADAQH/MAsGA1UdDwQE AwIHgDAdBgNVHQ4EFgQUyND/eKUis7ep/hXMJ8iZMdUhI+IwWQYDVR0jBFIwUIAU yND/eKUis7ep/hXMJ8iZMdUhI+KhLaQrMCkxETAPBgNVBAoMCGxvY2FsLWNhMRQw EgYDVQQDDAtzaWduaW5nIGtleYIJAN/lUld+VR4hMA0GCSqGSIb3DQEBCwUAA4IB AQAMqm1N1yD5pimUELLhT5eO2lRdGUfTozljRxc7e2QT3RLk2TtGhg65JFFN6eml XS58AEPVcAsSLDlR6WpOpOLB2giM0+fV/eYFHHmh22yqTJl4YgkdUwyzPdCHNOZL hmSKeY9xliHb6PNrNWWtZwhYYvRaO2DX4GXOMR0Oa2O4vaYu6/qGlZOZv3U6qZLY wwHEJSrqeBDyMuwN+eANHpoSpiBzD77S4e+7hUDJnql4j6xzJ65+nWJ89fCrQypR 4sN5R3aGeIh3QAQUIKpHilwek0CtEaYERgc5m+jGyKSc1rezJW62hWRTaitOc+d5 G5hh+9YpnYcxQHEKnZ7rFNKJ -----END CERTIFICATE----- EOF If it works, it emit a key ID; if it fails, it should give a bad message error. Reported-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Acked-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
2015-11-06Merge branch 'next' of ↵Linus Torvalds6-30/+35
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem update from James Morris: "This is mostly maintenance updates across the subsystem, with a notable update for TPM 2.0, and addition of Jarkko Sakkinen as a maintainer of that" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (40 commits) apparmor: clarify CRYPTO dependency selinux: Use a kmem_cache for allocation struct file_security_struct selinux: ioctl_has_perm should be static selinux: use sprintf return value selinux: use kstrdup() in security_get_bools() selinux: use kmemdup in security_sid_to_context_core() selinux: remove pointless cast in selinux_inode_setsecurity() selinux: introduce security_context_str_to_sid selinux: do not check open perm on ftruncate call selinux: change CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE default KEYS: Merge the type-specific data with the payload data KEYS: Provide a script to extract a module signature KEYS: Provide a script to extract the sys cert list from a vmlinux file keys: Be more consistent in selection of union members used certs: add .gitignore to stop git nagging about x509_certificate_list KEYS: use kvfree() in add_key Smack: limited capability for changing process label TPM: remove unnecessary little endian conversion vTPM: support little endian guests char: Drop owner assignment from i2c_driver ...
2015-11-04Merge branch 'linus' of ↵Linus Torvalds3-7/+9
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto update from Herbert Xu: "API: - Add support for cipher output IVs in testmgr - Add missing crypto_ahash_blocksize helper - Mark authenc and des ciphers as not allowed under FIPS. Algorithms: - Add CRC support to 842 compression - Add keywrap algorithm - A number of changes to the akcipher interface: + Separate functions for setting public/private keys. + Use SG lists. Drivers: - Add Intel SHA Extension optimised SHA1 and SHA256 - Use dma_map_sg instead of custom functions in crypto drivers - Add support for STM32 RNG - Add support for ST RNG - Add Device Tree support to exynos RNG driver - Add support for mxs-dcp crypto device on MX6SL - Add xts(aes) support to caam - Add ctr(aes) and xts(aes) support to qat - A large set of fixes from Russell King for the marvell/cesa driver" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (115 commits) crypto: asymmetric_keys - Fix unaligned access in x509_get_sig_params() crypto: akcipher - Don't #include crypto/public_key.h as the contents aren't used hwrng: exynos - Add Device Tree support hwrng: exynos - Fix missing configuration after suspend to RAM hwrng: exynos - Add timeout for waiting on init done dt-bindings: rng: Describe Exynos4 PRNG bindings crypto: marvell/cesa - use __le32 for hardware descriptors crypto: marvell/cesa - fix missing cpu_to_le32() in mv_cesa_dma_add_op() crypto: marvell/cesa - use memcpy_fromio()/memcpy_toio() crypto: marvell/cesa - use gfp_t for gfp flags crypto: marvell/cesa - use dma_addr_t for cur_dma crypto: marvell/cesa - use readl_relaxed()/writel_relaxed() crypto: caam - fix indentation of close braces crypto: caam - only export the state we really need to export crypto: caam - fix non-block aligned hash calculation crypto: caam - avoid needlessly saving and restoring caam_hash_ctx crypto: caam - print errno code when hash registration fails crypto: marvell/cesa - fix memory leak crypto: marvell/cesa - fix first-fragment handling in mv_cesa_ahash_dma_last_req() crypto: marvell/cesa - rearrange handling for sw padded hashes ...
2015-10-21KEYS: Merge the type-specific data with the payload dataDavid Howells6-30/+35
Merge the type-specific data with the payload data into one four-word chunk as it seems pointless to keep them separate. Use user_key_payload() for accessing the payloads of overloaded user-defined keys. Signed-off-by: David Howells <dhowells@redhat.com> cc: linux-cifs@vger.kernel.org cc: ecryptfs@vger.kernel.org cc: linux-ext4@vger.kernel.org cc: linux-f2fs-devel@lists.sourceforge.net cc: linux-nfs@vger.kernel.org cc: ceph-devel@vger.kernel.org cc: linux-ima-devel@lists.sourceforge.net
2015-10-20crypto: asymmetric_keys - Fix unaligned access in x509_get_sig_params()Sowmini Varadhan1-2/+3
x509_get_sig_params() has the same code pattern as the one in pkcs7_verify() that is fixed by commit 62f57d05e287 ("crypto: pkcs7 - Fix unaligned access in pkcs7_verify()") so apply a similar fix here: make sure that desc is pointing at an algined value past the digest_size, and take alignment values into consideration when doing kzalloc() Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-10-14crypto: pkcs7 - Fix unaligned access in pkcs7_verify()Sowmini Varadhan1-2/+3
On sparc, we see unaligned access messages on each modprobe[-r]: Kernel unaligned access at TPC[6ad9b4] pkcs7_verify [..] Kernel unaligned access at TPC[6a5484] crypto_shash_finup [..] Kernel unaligned access at TPC[6a5390] crypto_shash_update [..] Kernel unaligned access at TPC[10150308] sha1_sparc64_update [..] Kernel unaligned access at TPC[101501ac] __sha1_sparc64_update [..] These ware triggered by mod_verify_sig() invocations of pkcs_verify(), and are are being caused by an unaligned desc at (sha1, digest_size is 0x14) desc = digest + digest_size; To fix this, pkcs7_verify needs to make sure that desc is pointing at an aligned value past the digest_size, and kzalloc appropriately, taking alignment values into consideration. Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-09-25X.509: Don't strip leading 00's from key ID when constructing key descriptionDavid Howells1-4/+0
Don't strip leading zeros from the crypto key ID when using it to construct the struct key description as the signature in kernels up to and including 4.2 matched this aspect of the key. This means that 1 in 256 keys won't actually match if their key ID begins with 00. The key ID is stored in the module signature as binary and so must be converted to text in order to invoke request_key() - but it isn't stripped at this point. Something like this is likely to be observed in dmesg when the key is loaded: [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel key: 62a7c3d2da278be024da4af8652c071f3fea33' followed by this when we try and use it: [ 1.646153] Request for unknown module key 'Build time autogenerated kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11 The 'Loaded' line should show an extra '00' on the front of the hex string. This problem should not affect 4.3-rc1 and onwards because there the key should be matched on one of its auxiliary identities rather than the key struct's description string. Reported-by: Arjan van de Ven <arjan@linux.intel.com> Reported-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: David Howells <dhowells@redhat.com>
2015-09-21crypto: asymmetric_keys - remove always false comparisonsudip1-3/+3
hour, min and sec are unsigned int and they can never be less than zero. Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-09-01PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use themDavid Howells2-0/+17
Add OIDs for sha224, sha284 and sha512 hash algos and use them to select the hashing algorithm. Without this, something like the following error might get written to dmesg: [ 31.829322] PKCS7: Unknown OID: [32] 2.16.840.1.101.3.4.2.3 [ 31.829328] PKCS7: Unknown OID: [180] 2.16.840.1.101.3.4.2.3 [ 31.829330] Unsupported digest algo: 55 Where the 55 on the third line is OID__NR indicating an unknown OID. Reported-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by: David Howells <dhowells@redhat.com> Tested-By: Valdis Kletnieks <valdis.kletnieks@vt.edu> Signed-off-by: James Morris <james.l.morris@oracle.com>
2015-08-13PKCS#7: Add MODULE_LICENSE() to test moduleDavid Howells1-0/+3
Add a MODULE_LICENSE() line to the PKCS#7 test key module to fix this warning: WARNING: modpost: missing MODULE_LICENSE() in crypto/asymmetric_keys/pkcs7_test_key.o Whilst we're at it, also add a module description. Reported-by: James Morris <jmorris@namei.org> Signed-off-by: David Howells <dhowells@redhat.com>
2015-08-12PKCS#7: Appropriately restrict authenticated attributes and content typeDavid Howells7-17/+239
A PKCS#7 or CMS message can have per-signature authenticated attributes that are digested as a lump and signed by the authorising key for that signature. If such attributes exist, the content digest isn't itself signed, but rather it is included in a special authattr which then contributes to the signature. Further, we already require the master message content type to be pkcs7_signedData - but there's also a separate content type for the data itself within the SignedData object and this must be repeated inside the authattrs for each signer [RFC2315 9.2, RFC5652 11.1]. We should really validate the authattrs if they exist or forbid them entirely as appropriate. To this end: (1) Alter the PKCS#7 parser to reject any message that has more than one signature where at least one signature has authattrs and at least one that does not. (2) Validate authattrs if they are present and strongly restrict them. Only the following authattrs are permitted and all others are rejected: (a) contentType. This is checked to be an OID that matches the content type in the SignedData object. (b) messageDigest. This must match the crypto digest of the data. (c) signingTime. If present, we check that this is a valid, parseable UTCTime or GeneralTime and that the date it encodes fits within the validity window of the matching X.509 cert. (d) S/MIME capabilities. We don't check the contents. (e) Authenticode SP Opus Info. We don't check the contents. (f) Authenticode Statement Type. We don't check the contents. The message is rejected if (a) or (b) are missing. If the message is an Authenticode type, the message is rejected if (e) is missing; if not Authenticode, the message is rejected if (d) - (f) are present. The S/MIME capabilities authattr (d) unfortunately has to be allowed to support kernels already signed by the pesign program. This only affects kexec. sign-file suppresses them (CMS_NOSMIMECAP). The message is also rejected if an authattr is given more than once or if it contains more than one element in its set of values. (3) Add a parameter to pkcs7_verify() to select one of the following restrictions and pass in the appropriate option from the callers: (*) VERIFYING_MODULE_SIGNATURE This requires that the SignedData content type be pkcs7-data and forbids authattrs. sign-file sets CMS_NOATTR. We could be more flexible and permit authattrs optionally, but only permit minimal content. (*) VERIFYING_FIRMWARE_SIGNATURE This requires that the SignedData content type be pkcs7-data and requires authattrs. In future, this will require an attribute holding the target firmware name in addition to the minimal set. (*) VERIFYING_UNSPECIFIED_SIGNATURE This requires that the SignedData content type be pkcs7-data but allows either no authattrs or only permits the minimal set. (*) VERIFYING_KEXEC_PE_SIGNATURE This only supports the Authenticode SPC_INDIRECT_DATA content type and requires at least an SpcSpOpusInfo authattr in addition to the minimal set. It also permits an SPC_STATEMENT_TYPE authattr (and an S/MIME capabilities authattr because the pesign program doesn't remove these). (*) VERIFYING_KEY_SIGNATURE (*) VERIFYING_KEY_SELF_SIGNATURE These are invalid in this context but are included for later use when limiting the use of X.509 certs. (4) The pkcs7_test key type is given a module parameter to select between the above options for testing purposes. For example: echo 1 >/sys/module/pkcs7_test_key/parameters/usage keyctl padd pkcs7_test foo @s </tmp/stuff.pkcs7 will attempt to check the signature on stuff.pkcs7 as if it contains a firmware blob (1 being VERIFYING_FIRMWARE_SIGNATURE). Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-12KEYS: Add a name for PKEY_ID_PKCS7David Howells1-0/+1
Add a name for PKEY_ID_PKCS7 into the pkey_id_type_name array. Signed-off-by: David Howells <dhowells@redhat.com>
2015-08-12PKCS#7: Improve and export the X.509 ASN.1 time object decoderDavid Howells3-31/+72
Make the X.509 ASN.1 time object decoder fill in a time64_t rather than a struct tm to make comparison easier (unfortunately, this makes readable display less easy) and export it so that it can be used by the PKCS#7 code too. Further, tighten up its parsing to reject invalid dates (eg. weird characters, non-existent hour numbers) and unsupported dates (eg. timezones other than 'Z' or dates earlier than 1970). Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
2015-08-12PKCS#7: Support CMS messages also [RFC5652]David Howells3-9/+68
Since CMS is an evolution of PKCS#7, with much of the ASN.1 being compatible, add support for CMS signed-data messages also [RFC5652 sec 5]. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
2015-08-12X.509: Change recorded SKID & AKID to not include Subject or IssuerDavid Howells1-6/+2
The key identifiers fabricated from an X.509 certificate are currently: (A) Concatenation of serial number and issuer (B) Concatenation of subject and subjectKeyID (SKID) When verifying one X.509 certificate with another, the AKID in the target can be used to match the authoritative certificate. The AKID can specify the match in one or both of two ways: (1) Compare authorityCertSerialNumber and authorityCertIssuer from the AKID to identifier (A) above. (2) Compare keyIdentifier from the AKID plus the issuer from the target certificate to identifier (B) above. When verifying a PKCS#7 message, the only available comparison is between the IssuerAndSerialNumber field and identifier (A) above. However, a subsequent patch adds CMS support. Whilst CMS still supports a match on IssuerAndSerialNumber as for PKCS#7, it also supports an alternative - which is the SubjectKeyIdentifier field. This is used to match to an X.509 certificate on the SKID alone. No subject information is available to be used. To this end change the fabrication of (B) above to be from the X.509 SKID alone. The AKID in keyIdentifier form then only matches on that and does not include the issuer. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
2015-08-12PKCS#7: Check content type and versionsDavid Howells2-4/+77
We only support PKCS#7 signed-data [RFC2315 sec 9] content at the top level, so reject anything else. Further, check that the version numbers in SignedData and SignerInfo are 1 in both cases. Note that we don't restrict the inner content type. In the PKCS#7 code we don't parse the data attached there, but merely verify the signature over it. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
2015-08-07PKCS#7: Allow detached data to be supplied for signature checking purposesDavid Howells1-0/+25
It is possible for a PKCS#7 message to have detached data. However, to verify the signatures on a PKCS#7 message, we have to be able to digest the data. Provide a function to supply that data. An error is given if the PKCS#7 message included embedded data. This is used in a subsequent patch to supply the data to module signing where the signature is in the form of a PKCS#7 message with detached data, whereby the detached data is the module content that is signed. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
2015-08-07X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifierDavid Howells3-40/+101
If an X.509 certificate has an AuthorityKeyIdentifier extension that provides an issuer and serialNumber, then make it so that these are used in preference to the keyIdentifier field also held therein for searching for the signing certificate. If both the issuer+serialNumber and the keyIdentifier are supplied, then the certificate is looked up by the former but the latter is checked as well. If the latter doesn't match the subjectKeyIdentifier of the parent certificate, EKEYREJECTED is returned. This makes it possible to chain X.509 certificates based on the issuer and serialNumber fields rather than on subjectKeyIdentifier. This is necessary as we are having to deal with keys that are represented by X.509 certificates that lack a subjectKeyIdentifier. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
2015-08-07X.509: Extract both parts of the AuthorityKeyIdentifierDavid Howells7-69/+145
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Vivek Goyal <vgoyal@redhat.com>
2015-07-02Merge tag 'module-implicit-v4.1-rc8' of ↵Linus Torvalds1-0/+1
git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux Pull implicit module.h fixes from Paul Gortmaker: "Fix up implicit <module.h> users that will break later. The files changed here are simply modular source files that are implicitly relying on <module.h> being present. We fix them up now, so that we can decouple some of the module related init code from the core init code in the future. The addition of the module.h include to several files here is also a no-op from a code generation point of view, else there would already be compile issues with these files today. There may be lots more implicit includes of <module.h> in tree, but these are the ones that extensive build test coverage has shown that must be fixed in order to avoid build breakage fallout for the pending module.h <---> init.h code relocation we desire to complete" * tag 'module-implicit-v4.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux: frv: add module.h to mb93090-mb00/flash.c to avoid compile fail drivers/cpufreq: include <module.h> for modular exynos-cpufreq.c code drivers/staging: include <module.h> for modular android tegra_ion code crypto/asymmetric_keys: pkcs7_key_type needs module.h sh: mach-highlander/psw.c is tristate and should use module.h drivers/regulator: include <module.h> for modular max77802 code drivers/pcmcia: include <module.h> for modular xxs1500_ss code drivers/hsi: include <module.h> for modular omap_ssi code drivers/gpu: include <module.h> for modular rockchip code drivers/gpio: include <module.h> for modular crystalcove code drivers/clk: include <module.h> for clk-max77xxx modular code
2015-06-27Merge branch 'next' of ↵Linus Torvalds3-11/+35
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris: "The main change in this kernel is Casey's generalized LSM stacking work, which removes the hard-coding of Capabilities and Yama stacking, allowing multiple arbitrary "small" LSMs to be stacked with a default monolithic module (e.g. SELinux, Smack, AppArmor). See https://lwn.net/Articles/636056/ This will allow smaller, simpler LSMs to be incorporated into the mainline kernel and arbitrarily stacked by users. Also, this is a useful cleanup of the LSM code in its own right" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits) tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add() vTPM: set virtual device before passing to ibmvtpm_reset_crq tpm_ibmvtpm: remove unneccessary message level. ima: update builtin policies ima: extend "mask" policy matching support ima: add support for new "euid" policy condition ima: fix ima_show_template_data_ascii() Smack: freeing an error pointer in smk_write_revoke_subj() selinux: fix setting of security labels on NFS selinux: Remove unused permission definitions selinux: enable genfscon labeling for sysfs and pstore files selinux: enable per-file labeling for debugfs files. selinux: update netlink socket classes signals: don't abuse __flush_signals() in selinux_bprm_committed_creds() selinux: Print 'sclass' as string when unrecognized netlink message occurs Smack: allow multiple labels in onlycap Smack: fix seq operations in smackfs ima: pass iint to ima_add_violation() ima: wrap event related data to the new ima_event_data structure integrity: add validity checks for 'path' parameter ...
2015-06-25crypto: asymmetric_keys/rsa - Use non-conflicting variable nameGuenter Roeck1-2/+2
arm64:allmodconfig fails to build as follows. In file included from include/acpi/platform/aclinux.h:74:0, from include/acpi/platform/acenv.h:173, from include/acpi/acpi.h:56, from include/linux/acpi.h:37, from ./arch/arm64/include/asm/dma-mapping.h:21, from include/linux/dma-mapping.h:86, from include/linux/skbuff.h:34, from include/crypto/algapi.h:18, from crypto/asymmetric_keys/rsa.c:16: include/linux/ctype.h:15:12: error: expected ‘;’, ‘,’ or ‘)’ before numeric constant #define _X 0x40 /* hex digit */ ^ crypto/asymmetric_keys/rsa.c:123:47: note: in expansion of macro ‘_X’ static int RSA_I2OSP(MPI x, size_t xLen, u8 **_X) ^ crypto/asymmetric_keys/rsa.c: In function ‘RSA_verify_signature’: crypto/asymmetric_keys/rsa.c:256:2: error: implicit declaration of function ‘RSA_I2OSP’ The problem is caused by an unrelated include file change, resulting in the inclusion of ctype.h on arm64. This in turn causes the local variable _X to conflict with macro _X used in ctype.h. Fixes: b6197b93fa4b ("arm64 : Introduce support for ACPI _CCA object") Cc: Suthikulpanit, Suravee <Suravee.Suthikulpanit@amd.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-06-16crypto/asymmetric_keys: pkcs7_key_type needs module.hPaul Gortmaker1-0/+1
This driver builds off of the tristate CONFIG_PKCS7_TEST_KEY and calls module_init and module_exit. So it should explicitly include module.h to avoid compile breakage during header shuffles done in the future. Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2015-05-21KEYS: fix "ca_keys=" partial key matchingMimi Zohar3-11/+35
The call to asymmetric_key_hex_to_key_id() from ca_keys_setup() silently fails with -ENOMEM. Instead of dynamically allocating memory from a __setup function, this patch defines a variable and calls __asymmetric_key_hex_to_key_id(), a new helper function, directly. This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul key identification when searching for asymmetric keys")'. Changelog: - for clarification, rename hexlen to asciihexlen in asymmetric_key_hex_to_key_id() - add size argument to __asymmetric_key_hex_to_key_id() - David Howells - inline __asymmetric_key_hex_to_key_id() - David Howells - remove duplicate strlen() calls Acked-by: David Howells <dhowells@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Cc: stable@vger.kernel.org # 3.18
2014-10-12Merge branch 'next' of ↵Linus Torvalds11-232/+518
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem updates from James Morris. Mostly ima, selinux, smack and key handling updates. * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (65 commits) integrity: do zero padding of the key id KEYS: output last portion of fingerprint in /proc/keys KEYS: strip 'id:' from ca_keyid KEYS: use swapped SKID for performing partial matching KEYS: Restore partial ID matching functionality for asymmetric keys X.509: If available, use the raw subjKeyId to form the key description KEYS: handle error code encoded in pointer selinux: normalize audit log formatting selinux: cleanup error reporting in selinux_nlmsg_perm() KEYS: Check hex2bin()'s return when generating an asymmetric key ID ima: detect violations for mmaped files ima: fix race condition on ima_rdwr_violation_check and process_measurement ima: added ima_policy_flag variable ima: return an error code from ima_add_boot_aggregate() ima: provide 'ima_appraise=log' kernel option ima: move keyring initialization to ima_init() PKCS#7: Handle PKCS#7 messages that contain no X.509 certs PKCS#7: Better handling of unsupported crypto KEYS: Overhaul key identification when searching for asymmetric keys KEYS: Implement binary asymmetric key ID handling ...
2014-10-06KEYS: output last portion of fingerprint in /proc/keysDmitry Kasatkin1-5/+5
Previous version of KEYS used to output last 4 bytes of fingerprint. Now it outputs 8 last bytes of raw subject, which does not make any visual meaning at all. This patch restores old behavior. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-10-06KEYS: strip 'id:' from ca_keyidDmitry Kasatkin1-1/+1
The 'id:' prefix must be stripped for asymmetric_key_hex_to_key_id() to be able to process ca_keyid. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-10-06KEYS: use swapped SKID for performing partial matchingDmitry Kasatkin2-9/+9
Earlier KEYS code used pure subject key identifiers (fingerprint) for searching keys. Latest merged code removed that and broke compatibility with integrity subsytem signatures and original format of module signatures. This patch returns back partial matching on SKID. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-10-06KEYS: Restore partial ID matching functionality for asymmetric keysDmitry Kasatkin4-24/+76
Bring back the functionality whereby an asymmetric key can be matched with a partial match on one of its IDs. Whilst we're at it, allow for the possibility of having an increased number of IDs. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-10-03X.509: If available, use the raw subjKeyId to form the key descriptionDavid Howells3-2/+11
Module signing matches keys by comparing against the key description exactly. However, the way the key description gets constructed got changed to be composed of the subject name plus the certificate serial number instead of the subject name and the subjectKeyId. I changed this to avoid problems with certificates that don't *have* a subjectKeyId. Instead, if available, use the raw subjectKeyId to form the key description and only use the serial number if the subjectKeyId doesn't exist. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-10-03KEYS: handle error code encoded in pointerDmitry Kasatkin1-2/+2
If hexlen is odd then function returns an error. Use IS_ERR to check for error, otherwise invalid pointer is used and kernel gives oops: [ 132.816522] BUG: unable to handle kernel paging request at ffffffffffffffea [ 132.819902] IP: [<ffffffff812bfc20>] asymmetric_key_id_same+0x14/0x36 [ 132.820302] PGD 1a12067 PUD 1a14067 PMD 0 [ 132.820302] Oops: 0000 [#1] SMP [ 132.820302] Modules linked in: bridge(E) stp(E) llc(E) evdev(E) serio_raw(E) i2c_piix4(E) button(E) fuse(E) [ 132.820302] CPU: 0 PID: 2993 Comm: cat Tainted: G E 3.16.0-kds+ #2847 [ 132.820302] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 132.820302] task: ffff88004249a430 ti: ffff880056640000 task.ti: ffff880056640000 [ 132.820302] RIP: 0010:[<ffffffff812bfc20>] [<ffffffff812bfc20>] asymmetric_key_id_same+0x14/0x36 [ 132.820302] RSP: 0018:ffff880056643930 EFLAGS: 00010246 [ 132.820302] RAX: 0000000000000000 RBX: ffffffffffffffea RCX: ffff880056643ae0 [ 132.820302] RDX: 000000000000005e RSI: ffffffffffffffea RDI: ffff88005bac9300 [ 132.820302] RBP: ffff880056643948 R08: 0000000000000003 R09: 00000007504aa01a [ 132.820302] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88005d68ca40 [ 132.820302] R13: 0000000000000101 R14: 0000000000000000 R15: ffff88005bac5280 [ 132.820302] FS: 00007f67a153c740(0000) GS:ffff88005da00000(0000) knlGS:0000000000000000 [ 132.820302] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 132.820302] CR2: ffffffffffffffea CR3: 000000002e663000 CR4: 00000000000006f0 [ 132.820302] Stack: [ 132.820302] ffffffff812bfc66 ffff880056643ae0 ffff88005bac5280 ffff880056643958 [ 132.820302] ffffffff812bfc9d ffff880056643980 ffffffff812971d9 ffff88005ce930c1 [ 132.820302] ffff88005ce930c0 0000000000000000 ffff8800566439c8 ffffffff812fb753 [ 132.820302] Call Trace: [ 132.820302] [<ffffffff812bfc66>] ? asymmetric_match_key_ids+0x24/0x42 [ 132.820302] [<ffffffff812bfc9d>] asymmetric_key_cmp+0x19/0x1b [ 132.820302] [<ffffffff812971d9>] keyring_search_iterator+0x74/0xd7 [ 132.820302] [<ffffffff812fb753>] assoc_array_subtree_iterate+0x67/0xd2 [ 132.820302] [<ffffffff81297165>] ? key_default_cmp+0x20/0x20 [ 132.820302] [<ffffffff812fbaa1>] assoc_array_iterate+0x19/0x1e [ 132.820302] [<ffffffff81297332>] search_nested_keyrings+0xf6/0x2b6 [ 132.820302] [<ffffffff810728da>] ? sched_clock_cpu+0x91/0xa2 [ 132.820302] [<ffffffff810860d2>] ? mark_held_locks+0x58/0x6e [ 132.820302] [<ffffffff810a137d>] ? current_kernel_time+0x77/0xb8 [ 132.820302] [<ffffffff81297871>] keyring_search_aux+0xe1/0x14c [ 132.820302] [<ffffffff812977fc>] ? keyring_search_aux+0x6c/0x14c [ 132.820302] [<ffffffff8129796b>] keyring_search+0x8f/0xb6 [ 132.820302] [<ffffffff812bfc84>] ? asymmetric_match_key_ids+0x42/0x42 [ 132.820302] [<ffffffff81297165>] ? key_default_cmp+0x20/0x20 [ 132.820302] [<ffffffff812ab9e3>] asymmetric_verify+0xa4/0x214 [ 132.820302] [<ffffffff812ab90e>] integrity_digsig_verify+0xb1/0xe2 [ 132.820302] [<ffffffff812abe41>] ? evm_verifyxattr+0x6a/0x7a [ 132.820302] [<ffffffff812b0390>] ima_appraise_measurement+0x160/0x370 [ 132.820302] [<ffffffff81161db2>] ? d_absolute_path+0x5b/0x7a [ 132.820302] [<ffffffff812ada30>] process_measurement+0x322/0x404 Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
2014-09-22KEYS: Check hex2bin()'s return when generating an asymmetric key IDDavid Howells1-7/+8
As it stands, the code to generate an asymmetric key ID prechecks the hex string it is given whilst determining the length, before it allocates the buffer for hex2bin() to translate into - which mean that checking the result of hex2bin() is redundant. Unfortunately, hex2bin() is marked as __must_check, which means that the following warning may be generated if the return value isn't checked: crypto/asymmetric_keys/asymmetric_type.c: In function asymmetric_key_hex_to_key_id: crypto/asymmetric_keys/asymmetric_type.c:110: warning: ignoring return value of hex2bin, declared with attribute warn_unused_result The warning can't be avoided by casting the result to void. Instead, use strlen() to check the length of the string and ignore the fact that the string might not be entirely valid hex until after the allocation has been done - in which case we can use the result of hex2bin() for this. Signed-off-by: David Howells <dhowells@redhat.com>
2014-09-16PKCS#7: Handle PKCS#7 messages that contain no X.509 certsDavid Howells2-17/+47
The X.509 certificate list in a PKCS#7 message is optional. To save space, we can omit the inclusion of any X.509 certificates if we are sure that we can look the relevant public key up by the serial number and issuer given in a signed info block. This also supports use of a signed info block for which we can't find a matching X.509 cert in the certificate list, though it be populated. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
2014-09-16PKCS#7: Better handling of unsupported cryptoDavid Howells5-16/+74
Provide better handling of unsupported crypto when verifying a PKCS#7 message. If we can't bridge the gap between a pair of X.509 certs or between a signed info block and an X.509 cert because it involves some crypto we don't support, that's not necessarily the end of the world as there may be other ways points at which we can intersect with a ring of trusted keys. Instead, only produce ENOPKG immediately if all the signed info blocks in a PKCS#7 message require unsupported crypto to bridge to the first X.509 cert. Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust validation. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>