From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4E701C433E6 for ; Wed, 20 Jan 2021 04:19:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 08BAF23131 for ; Wed, 20 Jan 2021 04:19:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726672AbhATES1 (ORCPT ); Tue, 19 Jan 2021 23:18:27 -0500 Received: from mail.kernel.org ([198.145.29.99]:48862 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728134AbhATERL (ORCPT ); Tue, 19 Jan 2021 23:17:11 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3C8E623131; Wed, 20 Jan 2021 04:16:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1611116190; bh=xyjnizKJKYbTRv0UN0+Gwt4VTaFiAxMHtX+9p9eYe1s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ah7CzMikRzj9W9tCn1AXbZZE8R1ZZweT7ziyrwOtDpZNF2g4cVOr6PlWh5KRAFxsC AsbyuxEJ7GBuwoXPbRq9GiQePaNVne4UT+gu7x4YV6Ov8TvIZ0Z/FAHEm6WoCE8U/o x3tNJU7WNAdOBS6eYKCR3szPJBlq0AI3sjlazIcwBrqsJWGeK4ORLPxH3rMihm1ykE Lr0r4acf4K5C7MoADs+SRSfn/OeKJ4tTs7cNgaqo330SvD6nYRKcsjP8u3Vf0m2zqy Rs0SpKX5xSvb/Rg6JYz14DF23Yy5LF9BUa8F30nt64fgx+JITef2DSwaq5iXNc6OAk XDQUGoZNZjTsA== Date: Wed, 20 Jan 2021 06:16:23 +0200 From: Jarkko Sakkinen To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: David Howells , David Woodhouse , "David S . Miller" , Herbert Xu , James Morris , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict Message-ID: References: <20210114151909.2344974-1-mic@digikod.net> <20210114151909.2344974-7-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20210114151909.2344974-7-mic@digikod.net> Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org On Thu, Jan 14, 2021 at 04:19:05PM +0100, Mickaël Salaün wrote: > From: Mickaël Salaün > > Before exposing this new key type to user space, make sure that only > meaningful blacklisted hashes are accepted. This is also checked for > builtin blacklisted hashes, but a following commit make sure that the > user will notice (at built time) and will fix the configuration if it > already included errors. > > Check that a blacklist key description starts with a valid prefix and > then a valid hexadecimal string. > > Cc: David Howells > Cc: David Woodhouse > Signed-off-by: Mickaël Salaün > Acked-by: Jarkko Sakkinen In this I'm not as worried about ABI, i.e. you don't have any reason supply any other data, which doesn't follow these ruels, whereas there could very well be a script that does format hex "incorrectly". /Jarkko