* [PATCH 0/3] KEYS: Miscellaneous fixes
From: David Howells @ 2016-07-17 23:10 UTC (permalink / raw)
To: jmorris
Cc: dhowells, keyring, linux-security-module, linux-kernel, linux-crypto
Hi James,

Here are three miscellaneous fixes:

 (1) Fix a panic in some debugging code in PKCS#7.  This can only happen by
     explicitly inserting a #define DEBUG into the code.

 (2) Fix the calculation of the digest length in the PE file parser.  This
     causes a failure where there should be a success.

 (3) Fix the case where an X.509 cert can be added as an asymmetric key to
     a trusted keyring with no trust restriction if no AKID is supplied.

Bugs (1) and (2) aren't particularly problematic, but (3) allows a security
check to be bypassed.  Bug (3) has been added since the 4.6 kernel.

The patches can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes

at tag:

	keys-fixes-20160718

David
---
Lans Zhang (2):
PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined
pefile: Fix the failure of calculation for digest
Mat Martineau (1):
KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
crypto/asymmetric_keys/mscode_parser.c | 7 ++++++-
crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
crypto/asymmetric_keys/restrict.c | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/3] PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined
From: David Howells @ 2016-07-17 23:10 UTC (permalink / raw)
To: jmorris
Cc: keyring, Lans Zhang, Baoquan He, kexec, linux-kernel, dhowells,
linux-security-module, linux-crypto, Dave Young, Vivek Goyal
From: Lans Zhang <jia.zhang@windriver.com>
This fix resolves the following kernel panic if an empty or missing
AuthorityKeyIdentifier is encountered and DEBUG is defined in
pkcs7_verify.c.
[ 459.041989] PKEY: <==public_key_verify_signature() = 0
[ 459.041993] PKCS7: Verified signature 1
[ 459.041995] PKCS7: ==> pkcs7_verify_sig_chain()
[ 459.041999] PKCS7: verify Sample DB Certificate for SCP: 01
[ 459.042002] PKCS7: - issuer Sample KEK Certificate for SCP
[ 459.042014] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 459.042135] IP: [<ffffffff813e7b4c>] pkcs7_verify+0x72c/0x7f0
[ 459.042217] PGD 739e6067 PUD 77719067 PMD 0
[ 459.042286] Oops: 0000 [#1] PREEMPT SMP
[ 459.042328] Modules linked in:
[ 459.042368] CPU: 0 PID: 474 Comm: kexec Not tainted 4.7.0-rc7-WR8.0.0.0_standard+ #18
[ 459.042462] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 10/09/2014
[ 459.042586] task: ffff880073a50000 ti: ffff8800738e8000 task.ti: ffff8800738e8000
[ 459.042675] RIP: 0010:[<ffffffff813e7b4c>] [<ffffffff813e7b4c>] pkcs7_verify+0x72c/0x7f0
[ 459.042784] RSP: 0018:ffff8800738ebd58 EFLAGS: 00010246
[ 459.042845] RAX: 0000000000000000 RBX: ffff880076b7da80 RCX: 0000000000000006
[ 459.042929] RDX: 0000000000000001 RSI: ffffffff81c85001 RDI: ffffffff81ca00a9
[ 459.043014] RBP: ffff8800738ebd98 R08: 0000000000000400 R09: ffff8800788a304c
[ 459.043098] R10: 0000000000000000 R11: 00000000000060ca R12: ffff8800769a2bc0
[ 459.043182] R13: ffff880077358300 R14: 0000000000000000 R15: ffff8800769a2dc0
[ 459.043268] FS: 00007f24cc741700(0000) GS:ffff880074e00000(0000) knlGS:0000000000000000
[ 459.043365] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 459.043431] CR2: 0000000000000000 CR3: 0000000073a36000 CR4: 00000000001006f0
[ 459.043514] Stack:
[ 459.043530] 0000000000000000 ffffffbf00000020 31ffffff813e68b0 0000000000000002
[ 459.043644] ffff8800769a2bc0 0000000000000000 00000000007197b8 0000000000000002
[ 459.043756] ffff8800738ebdd8 ffffffff81153fb1 0000000000000000 0000000000000000
[ 459.043869] Call Trace:
[ 459.043898] [<ffffffff81153fb1>] verify_pkcs7_signature+0x61/0x140
[ 459.043974] [<ffffffff813e7f0b>] verify_pefile_signature+0x2cb/0x830
[ 459.044052] [<ffffffff813e8470>] ? verify_pefile_signature+0x830/0x830
[ 459.044134] [<ffffffff81048e25>] bzImage64_verify_sig+0x15/0x20
[ 459.046332] [<ffffffff81046e09>] arch_kexec_kernel_verify_sig+0x29/0x40
[ 459.048552] [<ffffffff810f10e4>] SyS_kexec_file_load+0x1f4/0x6c0
[ 459.050768] [<ffffffff81050e36>] ? __do_page_fault+0x1b6/0x550
[ 459.052996] [<ffffffff8199241f>] entry_SYSCALL_64_fastpath+0x17/0x93
[ 459.055242] Code: e8 0a d6 ff ff 85 c0 0f 88 7a fb ff ff 4d 39 fd 4d 89 7d 08 74 45 4d 89 fd e9 14 fe ff ff 4d 8b 76 08 31 c0 48 c7 c7 a9 00 ca 81 <41> 0f b7 36 49 8d 56 02 e8 d0 91 d6 ff 4d 8b 3c 24 4d 85 ff 0f
[ 459.060535] RIP [<ffffffff813e7b4c>] pkcs7_verify+0x72c/0x7f0
[ 459.063040] RSP <ffff8800738ebd58>
[ 459.065456] CR2: 0000000000000000
[ 459.075998] ---[ end trace c15f0e897cda28dc ]---
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
cc: linux-crypto@vger.kernel.org
cc: kexec@lists.infradead.org
---
crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 44b746e9df1b..2ffd69769466 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -227,7 +227,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
if (asymmetric_key_id_same(p->id, auth))
goto found_issuer_check_skid;
}
- } else {
+ } else if (sig->auth_ids[1]) {
auth = sig->auth_ids[1];
pr_debug("- want %*phN\n", auth->len, auth->data);
for (p = pkcs7->certs; p; p = p->next) {
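Review bot: with `} else if (sig->auth_ids[1]) {`, a signature that has neither auth_ids[0] nor auth_ids[1] now skips both search loops and falls through to the code after this if/else chain, which the hunk does not show. Please confirm that path treats the certificate as having no issuer in the message rather than relying on a stale `p` or `auth`, and add a one-line comment saying so. The commit message could also state that the NULL dereference is in the `pr_debug()` arguments (`auth->len`, `auth->data`), which is why it only fires with DEBUG defined.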
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/3] pefile: Fix the failure of calculation for digest
From: David Howells @ 2016-07-17 23:10 UTC (permalink / raw)
To: jmorris
Cc: keyring, Lans Zhang, Baoquan He, kexec, linux-kernel, dhowells,
linux-security-module, linux-crypto, Dave Young, Vivek Goyal
From: Lans Zhang <jia.zhang@windriver.com>
Commit e68503bd68 forgot to set digest_len and thus causes the following
error reported by kexec when launching a crash kernel:
kexec_file_load failed: Bad message
Fixes: e68503bd68 (KEYS: Generalise system_verify_data() to provide access to internal content)
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
Tested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
cc: kexec@lists.infradead.org
cc: linux-crypto@vger.kernel.org
---
crypto/asymmetric_keys/mscode_parser.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
index 6a76d5c70ef6..9492e1c22d38 100644
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -124,5 +124,10 @@ int mscode_note_digest(void *context, size_t hdrlen,
struct pefile_context *ctx = context;
ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
- return ctx->digest ? 0 : -ENOMEM;
+ if (!ctx->digest)
+ return -ENOMEM;
+
+ ctx->digest_len = vlen;
+
+ return 0;
}
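Review bot: `ctx->digest_len = vlen;` stores a length taken directly from the parsed content with no bound applied in this function, so whatever later compares against ctx->digest has to check digest_len against the digest size of the selected hash algorithm. If that check lives elsewhere, a short comment here pointing to it would help. Since the commit named in `Fixes:` left this field unset, it is also worth checking whether any other pefile_context field is still left unset on this path.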
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/3] KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
From: David Howells @ 2016-07-17 23:10 UTC (permalink / raw)
To: jmorris
Cc: keyring, Petko Manolov, Mat Martineau, linux-kernel, dhowells,
linux-security-module, linux-crypto
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
Arbitrary X.509 certificates without authority key identifiers (AKIs)
can be added to "trusted" keyrings, including IMA or EVM certs loaded
from the filesystem. Signature verification is currently bypassed for
certs without AKIs.

Trusted keys were recently refactored, and this bug is not present in
4.6.

restrict_link_by_signature should return -ENOKEY (no matching parent
certificate found) if the certificate being evaluated has no AKIs,
instead of bypassing signature checks and returning 0 (new certificate
accepted).
Reported-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/restrict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index ac4bddf669de..19d1afb9890f 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring,
sig = payload->data[asym_auth];
if (!sig->auth_ids[0] && !sig->auth_ids[1])
- return 0;
+ return -ENOKEY;
if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
return -EPERM;
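Review bot: after the both-NULL test, the unchanged line `if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))` still passes sig->auth_ids[1] unconditionally, and it can be NULL when only auth_ids[0] is set. Please confirm asymmetric_key_id_partial() tolerates a NULL first argument, or guard the call. The message says the bug came in with the trusted-keys refactoring and is not present in 4.6; a `Fixes:` tag naming that commit would make that explicit, and a comment on `return -ENOKEY;` explaining that a cert with no AKID cannot be matched to a parent would keep the check from being relaxed again.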
^ permalink raw reply related [flat|nested] 12+ messages in thread
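The fail-open behaviour described in patch 3/3, as an added user-space example that is not part of the thread and is not kernel code. All names here (`model_cert`, `model_keyring`, `model_restrict_link`) are hypothetical, the two auth_ids slots are collapsed into one `akid` field, the cryptographic check is replaced by a string comparison, and using -EKEYREJECTED for a failed signature is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef ENOKEY                  /* Linux errno values, for non-Linux libcs */
#define ENOKEY 126
#endif
#ifndef EKEYREJECTED
#define EKEYREJECTED 129
#endif

/* Hypothetical stand-in for an X.509 cert; not a kernel structure. */
struct model_cert {
	const char *skid;       /* this cert's own key identifier */
	const char *akid;       /* issuer key identifier, NULL when absent */
	const char *signed_by;  /* key that really signed it (replaces crypto) */
};

struct model_keyring {
	const struct model_cert *keys;
	size_t nr;
};

static const struct model_cert *find_key(const struct model_keyring *kr,
					 const char *id)
{
	for (size_t i = 0; i < kr->nr; i++)
		if (strcmp(kr->keys[i].skid, id) == 0)
			return &kr->keys[i];
	return NULL;
}

/*
 * Model of the link restriction. no_akid_result is what the function
 * returns for a cert without an AKID: 0 before the patch, -ENOKEY after.
 */
static int model_restrict_link(const struct model_keyring *ring,
			       const struct model_cert *cert,
			       int no_akid_result)
{
	const struct model_cert *issuer;

	if (!cert->akid)
		return no_akid_result;
	issuer = find_key(ring, cert->akid);
	if (!issuer)
		return -ENOKEY;         /* no matching parent certificate */
	if (strcmp(cert->signed_by, issuer->skid) != 0)
		return -EKEYREJECTED;   /* signature does not verify */
	return 0;                       /* accepted onto the keyring */
}

/* Constructed sample data. */
static const struct model_cert trusted_keys[] = { { "ca-1", NULL, "ca-1" } };
static const struct model_keyring trust_ring = { trusted_keys, 1 };
static const struct model_cert good    = { "leaf-1", "ca-1", "ca-1" };
static const struct model_cert forged  = { "leaf-2", "ca-1", "other" };
static const struct model_cert no_akid = { "leaf-3", NULL,   "other" };

int main(void)
{
	printf("good:            %d\n", model_restrict_link(&trust_ring, &good, -ENOKEY));
	printf("forged:          %d\n", model_restrict_link(&trust_ring, &forged, -ENOKEY));
	printf("no AKID, before: %d\n", model_restrict_link(&trust_ring, &no_akid, 0));
	printf("no AKID, after:  %d\n", model_restrict_link(&trust_ring, &no_akid, -ENOKEY));
	return 0;
}
```

The `no_akid` cert is signed by a key that is not on the keyring, yet the pre-patch return value lets it through because the signature comparison is never reached.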
* Re: [PATCH 0/3] KEYS: Miscellaneous fixes
From: James Morris @ 2018-06-26 16:39 UTC (permalink / raw)
To: linux-security-module
On Tue, 26 Jun 2018, David Howells wrote:
>
> Hi James,
>
> Here's a bunch of miscellaneous fixes:
>
> (1) Fix the handling of the X.509 signature BIT STRING.
>
> (2) Fix a section declaration.
>
> (3) Fix rounding in KDF.
>
> Could you pass these on to Linus please?
Sure, the RSA one is already merged.
>
> The patches can be found here tagged thusly:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
> keys-fixes-20180626
>
> and also on the following branch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes
>
> David
> ---
> Eric Biggers (1):
> dh key: fix rounding up KDF output length
>
> Maciej S. Szmigiero (1):
> X.509: unpack RSA signatureValue field from BIT STRING
>
> Nick Desaulniers (1):
> certs/blacklist: fix const confusion
>
>
> certs/blacklist.h | 2 +-
> crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
> security/keys/dh.c | 6 ++++--
> 3 files changed, 14 insertions(+), 3 deletions(-)
>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 0/3] KEYS: Miscellaneous fixes
From: David Howells @ 2018-06-26 15:59 UTC (permalink / raw)
To: linux-security-module
Hi James,

Here's a bunch of miscellaneous fixes:

 (1) Fix the handling of the X.509 signature BIT STRING.

 (2) Fix a section declaration.

 (3) Fix rounding in KDF.

Could you pass these on to Linus please?

The patches can be found here tagged thusly:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
	keys-fixes-20180626

and also on the following branch:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes

David
---
Eric Biggers (1):
dh key: fix rounding up KDF output length
Maciej S. Szmigiero (1):
X.509: unpack RSA signatureValue field from BIT STRING
Nick Desaulniers (1):
certs/blacklist: fix const confusion
certs/blacklist.h | 2 +-
crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
security/keys/dh.c | 6 ++++--
3 files changed, 14 insertions(+), 3 deletions(-)
^ permalink raw reply [flat|nested] 12+ messages in thread