From: Eric Biggers <ebiggers@kernel.org>
To: Jarkko Sakkinen <jarkko@kernel.org>
Cc: keyrings@vger.kernel.org, David Howells <dhowells@redhat.com>,
linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
Stefan Berger <stefanb@linux.ibm.com>,
Gilad Ben-Yossef <gilad@benyossef.com>,
Tianjia Zhang <tianjia.zhang@linux.alibaba.com>,
Vitaly Chikunov <vt@altlinux.org>,
Mimi Zohar <zohar@linux.ibm.com>,
stable@vger.kernel.org
Subject: Re: [PATCH 2/2] KEYS: asymmetric: properly validate hash_algo and encoding
Date: Sun, 20 Feb 2022 18:21:36 -0800 [thread overview]
Message-ID: <YhL3MGQcwMujSxCr@sol.localdomain> (raw)
In-Reply-To: <YhLu8gZtdpphy5mB@kernel.org>
On Mon, Feb 21, 2022 at 02:46:26AM +0100, Jarkko Sakkinen wrote:
> On Mon, Jan 31, 2022 at 04:34:14PM -0800, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> >
> > It is insecure to allow arbitrary hash algorithms and signature
> > encodings to be used with arbitrary signature algorithms. Notably,
> > ECDSA, ECRDSA, and SM2 all sign/verify raw hash values and don't
> > disambiguate between different hash algorithms like RSA PKCS#1 v1.5
> > padding does. Therefore, they need to be restricted to certain sets of
> > hash algorithms (ideally just one, but in practice small sets are used).
> > Additionally, the encoding is an integral part of modern signature
> > algorithms, and is not supposed to vary.
> >
> > Therefore, tighten the checks of hash_algo and encoding done by
> > software_key_determine_akcipher().
> >
> > Also rearrange the parameters to software_key_determine_akcipher() to
> > put the public_key first, as this is the most important parameter and it
> > often determines everything else.
> >
> > Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys")
> > Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
> > Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> > crypto/asymmetric_keys/public_key.c | 111 +++++++++++++++++++---------
> > 1 file changed, 76 insertions(+), 35 deletions(-)
> >
> > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
> > index aba7113d86c76..a603ee8afdb8d 100644
> > --- a/crypto/asymmetric_keys/public_key.c
> > +++ b/crypto/asymmetric_keys/public_key.c
> > @@ -60,39 +60,83 @@ static void public_key_destroy(void *payload0, void *payload3)
> > }
> >
> > /*
> > - * Determine the crypto algorithm name.
> > + * Given a public_key, and an encoding and hash_algo to be used for signing
> > + * and/or verification with that key, determine the name of the corresponding
> > + * akcipher algorithm. Also check that encoding and hash_algo are allowed.
> > */
> > -static
> > -int software_key_determine_akcipher(const char *encoding,
> > - const char *hash_algo,
> > - const struct public_key *pkey,
> > - char alg_name[CRYPTO_MAX_ALG_NAME])
> > +static int
> > +software_key_determine_akcipher(const struct public_key *pkey,
> > + const char *encoding, const char *hash_algo,
> > + char alg_name[CRYPTO_MAX_ALG_NAME])
>
> Why is changing parameter order necessary?
>
It's mentioned in the commit message. It's obviously not necessary but this way
makes much more sense IMO.
- Eric
next prev parent reply other threads:[~2022-02-21 2:21 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-01 0:34 [PATCH 0/2] Fix bugs in public_key_verify_signature() Eric Biggers
2022-02-01 0:34 ` [PATCH 1/2] KEYS: asymmetric: enforce that sig algo matches key algo Eric Biggers
2022-02-02 2:52 ` Vitaly Chikunov
2022-02-02 3:10 ` Eric Biggers
2022-02-02 3:22 ` Eric Biggers
2022-02-02 5:20 ` Vitaly Chikunov
2022-02-21 1:43 ` Jarkko Sakkinen
2022-03-04 19:26 ` Eric Biggers
2022-03-05 5:51 ` Jarkko Sakkinen
2022-02-01 0:34 ` [PATCH 2/2] KEYS: asymmetric: properly validate hash_algo and encoding Eric Biggers
2022-02-21 1:46 ` Jarkko Sakkinen
2022-02-21 2:21 ` Eric Biggers [this message]
2022-02-21 20:16 ` Jarkko Sakkinen
2022-02-01 2:38 ` [PATCH 0/2] Fix bugs in public_key_verify_signature() Stefan Berger
2022-02-07 7:45 ` Tianjia Zhang
2022-02-07 11:43 ` [PATCH] KEYS: asymmetric: enforce SM2 signature use pkey algo Tianjia Zhang
2022-02-08 5:35 ` Eric Biggers
2022-02-08 9:45 ` Tianjia Zhang
2022-02-21 1:49 ` Jarkko Sakkinen
2022-02-21 2:43 ` Tianjia Zhang
2022-02-21 20:17 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhL3MGQcwMujSxCr@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=dhowells@redhat.com \
--cc=gilad@benyossef.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
--cc=tianjia.zhang@linux.alibaba.com \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.