From: Jarkko Sakkinen <jarkko@kernel.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH v2 3/4] KEYS: x509: remove never-set ->unsupported_key flag
Date: Wed, 26 Jan 2022 16:13:53 +0200 [thread overview]
Message-ID: <YfFXIY29zlIfQTcH@iki.fi> (raw)
In-Reply-To: <20220119005436.119072-4-ebiggers@kernel.org>
On Tue, Jan 18, 2022 at 04:54:35PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> The X.509 parser always sets cert->pub->pkey_algo on success, since
> x509_extract_key_data() is a mandatory action in the X.509 ASN.1
> grammar, and it returns an error if the algorithm is unknown. Thus,
> remove the dead code which handled this field being NULL. This results
> in the ->unsupported_key flag never being set, so remove that too.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> crypto/asymmetric_keys/pkcs7_verify.c | 7 ++-----
> crypto/asymmetric_keys/x509_parser.h | 1 -
> crypto/asymmetric_keys/x509_public_key.c | 9 ---------
> 3 files changed, 2 insertions(+), 15 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
> index 0b4d07aa88111..d37b187faf9ae 100644
> --- a/crypto/asymmetric_keys/pkcs7_verify.c
> +++ b/crypto/asymmetric_keys/pkcs7_verify.c
> @@ -226,9 +226,6 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> return 0;
> }
>
> - if (x509->unsupported_key)
> - goto unsupported_crypto_in_x509;
> -
> pr_debug("- issuer %s\n", x509->issuer);
> sig = x509->sig;
> if (sig->auth_ids[0])
> @@ -245,7 +242,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> * authority.
> */
> if (x509->unsupported_sig)
> - goto unsupported_crypto_in_x509;
> + goto unsupported_sig_in_x509;
> x509->signer = x509;
> pr_debug("- self-signed\n");
> return 0;
> @@ -309,7 +306,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> might_sleep();
> }
>
> -unsupported_crypto_in_x509:
> +unsupported_sig_in_x509:
> /* Just prune the certificate chain at this point if we lack some
> * crypto module to go further. Note, however, we don't want to set
> * sinfo->unsupported_crypto as the signed info block may still be
> diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
> index c233f136fb354..da854c94f1115 100644
> --- a/crypto/asymmetric_keys/x509_parser.h
> +++ b/crypto/asymmetric_keys/x509_parser.h
> @@ -36,7 +36,6 @@ struct x509_certificate {
> bool seen; /* Infinite recursion prevention */
> bool verified;
> bool self_signed; /* T if self-signed (check unsupported_sig too) */
> - bool unsupported_key; /* T if key uses unsupported crypto */
> bool unsupported_sig; /* T if signature uses unsupported crypto */
> bool blacklisted;
> };
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index fe14cae115b51..b03d04d78eb9d 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -33,9 +33,6 @@ int x509_get_sig_params(struct x509_certificate *cert)
> sig->data = cert->tbs;
> sig->data_size = cert->tbs_size;
>
> - if (!cert->pub->pkey_algo)
> - cert->unsupported_key = true;
> -
> if (!sig->pkey_algo)
> cert->unsupported_sig = true;
>
> @@ -173,12 +170,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
>
> pr_devel("Cert Issuer: %s\n", cert->issuer);
> pr_devel("Cert Subject: %s\n", cert->subject);
> -
> - if (cert->unsupported_key) {
> - ret = -ENOPKG;
> - goto error_free_cert;
> - }
> -
> pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo);
> pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to);
>
> --
> 2.34.1
>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
next prev parent reply other threads:[~2022-01-26 14:14 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-19 0:54 [PATCH v2 0/4] KEYS: x509: various cleanups Eric Biggers
2022-01-19 0:54 ` [PATCH v2 1/4] KEYS: x509: clearly distinguish between key and signature algorithms Eric Biggers
2022-01-26 14:16 ` Jarkko Sakkinen
2022-01-19 0:54 ` [PATCH v2 2/4] KEYS: x509: remove unused fields Eric Biggers
2022-01-26 14:14 ` Jarkko Sakkinen
2022-01-19 0:54 ` [PATCH v2 3/4] KEYS: x509: remove never-set ->unsupported_key flag Eric Biggers
2022-01-26 14:13 ` Jarkko Sakkinen [this message]
2022-01-19 0:54 ` [PATCH v2 4/4] KEYS: x509: remove dead code that set ->unsupported_sig Eric Biggers
2022-01-26 14:14 ` Jarkko Sakkinen
2022-01-26 14:16 ` [PATCH v2 0/4] KEYS: x509: various cleanups Jarkko Sakkinen
2022-01-26 14:19 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YfFXIY29zlIfQTcH@iki.fi \
--to=jarkko@kernel.org \
--cc=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.