From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932094AbcASLbQ (ORCPT ); Tue, 19 Jan 2016 06:31:16 -0500 Received: from mx1.redhat.com ([209.132.183.28]:37628 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753502AbcASLaw (ORCPT ); Tue, 19 Jan 2016 06:30:52 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted [ver #2] From: David Howells To: zohar@linux.vnet.ibm.com Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, petkan@mip-labs.com, linux-kernel@vger.kernel.org Date: Tue, 19 Jan 2016 11:30:49 +0000 Message-ID: <20160119113049.23238.92240.stgit@warthog.procyon.org.uk> In-Reply-To: <20160119113026.23238.4498.stgit@warthog.procyon.org.uk> References: <20160119113026.23238.4498.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Allow X.509 certs to be blacklisted based on their TBS hash. This is convenient since we have to determine this anyway to be able to check the signature on an X.509 certificate. If a certificate built into the kernel is blacklisted, something like the following might then be seen during boot: X.509: Cert 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46 is blacklisted Problem loading in-kernel X.509 certificate (-129) where the hex string shown is the blacklisted hash. Signed-off-by: David Howells --- crypto/asymmetric_keys/x509_parser.h | 1 + crypto/asymmetric_keys/x509_public_key.c | 19 +++++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index dbeed6018e63..be7cf2eae3bd 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -43,6 +43,7 @@ struct x509_certificate { bool verified; bool trusted; bool unsupported_crypto; /* T if can't be verified due to missing crypto */ + bool blacklisted; }; /* diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 9e9e5a6a9ed6..c4f3c40a4ab9 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -92,7 +92,7 @@ struct key *x509_request_asymmetric_key(struct key *keyring, lookup = skid->data; len = skid->len; } - + /* Construct an identifier "id:". */ p = req = kmalloc(2 + 1 + len * 2 + 1, GFP_KERNEL); if (!req) @@ -141,7 +141,7 @@ struct key *x509_request_asymmetric_key(struct key *keyring, goto reject; } } - + pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key)); return key; @@ -211,6 +211,16 @@ int x509_get_sig_params(struct x509_certificate *cert) goto error; might_sleep(); ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest); + if (ret < 0) + goto error; + + ret = is_bin_hash_blacklisted(digest, digest_size); + if (ret == -EKEYREJECTED) { + pr_err("Cert %*phN is blacklisted\n", (int)digest_size, digest); + cert->blacklisted = true; + ret = 0; + } + error: crypto_free_shash(tfm); pr_devel("<==%s() = %d\n", __func__, ret); @@ -327,6 +337,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) prep->trusted = 1; } + /* Don't permit addition of blacklisted keys */ + ret = -EKEYREJECTED; + if (cert->blacklisted) + goto error_free_cert; + /* Propose a description */ sulen = strlen(cert->subject); if (cert->raw_skid) {