* [GIT PULL] KEYS: Blacklisting, restrictions and DH
@ 2017-04-12 14:44 David Howells
  2017-04-17 21:38 ` James Morris
  0 siblings, 1 reply; 2+ messages in thread
From: David Howells @ 2017-04-12 14:44 UTC (permalink / raw)
  To: jmorris; +Cc: dhowells, keyrings, linux-security-module, linux-kernel


Hi James,

Could you pull these changes into security/next please:

 (1) Provide a blacklist keyring and a blacklist key type such that X.509
     keys and PKCS#7 certs can be blacklisted.  It is possible to load the
     blacklist from a file at compile time.  A future patch will
     additionally load the blacklist from the UEFI blacklist if available.

 (2) Make it possible to create a userspace keyring and to apply a
     restriction to it such that no new keys can be added unless they meet
     the criteria.

 (3) Add SP800-56A KDF support for the DH operation.

David
---
The following changes since commit ddb99e118e37f324a4be65a411bb60ae62795cf9:

  security, keys: convert key_user.usage from atomic_t to refcount_t (2017-04-03 10:49:06 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-next-20170412

for you to fetch changes up to 4cd4ca7cc848bedc70b5d0acac9d1ae33d73513a:

  keys: select CONFIG_CRYPTO when selecting DH / KDF (2017-04-11 23:18:09 +0100)

----------------------------------------------------------------
Keyrings changes for next

----------------------------------------------------------------
David Howells (5):
      KEYS: Add a system blacklist keyring
      X.509: Allow X.509 certs to be blacklisted
      PKCS#7: Handle blacklisted certificates
      Merge branch 'keys-blacklist' into keys-next
      Merge branch 'keyctl-restrict' of git://git.kernel.org/.../martineau/linux into keys-next

Mat Martineau (10):
      KEYS: Use a typedef for restrict_link function pointers
      KEYS: Split role of the keyring pointer for keyring restrict functions
      KEYS: Add a key restriction struct
      KEYS: Use structure to capture key restriction function and data
      KEYS: Add an optional lookup_restriction hook to key_type
      KEYS: Consistent ordering for __key_link_begin and restrict check
      KEYS: Add KEYCTL_RESTRICT_KEYRING
      KEYS: Add a lookup_restriction function for the asymmetric key type
      KEYS: Restrict asymmetric key linkage using a specific keychain
      KEYS: Keyring asymmetric key restrict method with chaining

Stephan Mueller (1):
      KEYS: add SP800-56A KDF support for DH

Stephan Müller (1):
      keys: select CONFIG_CRYPTO when selecting DH / KDF

 Documentation/crypto/asymmetric-keys.txt |  51 +++++++
 Documentation/security/keys.txt          | 100 ++++++++++----
 certs/Kconfig                            |  18 +++
 certs/Makefile                           |   6 +
 certs/blacklist.c                        | 174 ++++++++++++++++++++++++
 certs/blacklist.h                        |   3 +
 certs/blacklist_hashes.c                 |   6 +
 certs/blacklist_nohashes.c               |   5 +
 certs/system_keyring.c                   |  39 ++++--
 crypto/asymmetric_keys/asymmetric_type.c | 102 ++++++++++++--
 crypto/asymmetric_keys/pkcs7_parser.h    |   1 +
 crypto/asymmetric_keys/pkcs7_verify.c    |  32 +++--
 crypto/asymmetric_keys/restrict.c        | 161 +++++++++++++++++++++-
 crypto/asymmetric_keys/x509_parser.h     |   1 +
 crypto/asymmetric_keys/x509_public_key.c |  15 +++
 include/crypto/public_key.h              |  15 ++-
 include/keys/system_keyring.h            |  18 ++-
 include/linux/compat.h                   |   7 +
 include/linux/key-type.h                 |   8 ++
 include/linux/key.h                      |  34 +++--
 include/uapi/linux/keyctl.h              |   8 ++
 security/integrity/digsig.c              |   9 +-
 security/integrity/ima/ima_mok.c         |  11 +-
 security/keys/Kconfig                    |   2 +
 security/keys/Makefile                   |   3 +-
 security/keys/compat.c                   |   9 +-
 security/keys/compat_dh.c                |  38 ++++++
 security/keys/dh.c                       | 220 +++++++++++++++++++++++++++++--
 security/keys/gc.c                       |  11 ++
 security/keys/internal.h                 |  29 +++-
 security/keys/key.c                      |  46 ++++---
 security/keys/keyctl.c                   |  60 ++++++++-
 security/keys/keyring.c                  | 179 +++++++++++++++++++++++--
 33 files changed, 1305 insertions(+), 116 deletions(-)
 create mode 100644 certs/blacklist.c
 create mode 100644 certs/blacklist.h
 create mode 100644 certs/blacklist_hashes.c
 create mode 100644 certs/blacklist_nohashes.c
 create mode 100644 security/keys/compat_dh.c

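The SP800-56A KDF that item (3) wires into the DH operation, written out as an added Python example (not code from the kernel or from this series): the single-step concatenation KDF, applied here to a constructed toy DH exchange so both sides can be shown to derive the same key. The counter || Z || OtherInfo layout with a 32-bit big-endian counter starting at 1 is my reading of the kernel's KDF mode rather than something the pull request states; the group parameters and the OtherInfo value are constructed.

```python
import hashlib
import struct

def sp800_56a_kdf(z: bytes, other_info: bytes, hash_name: str, out_len: int) -> bytes:
    """Single-step (concatenation) KDF of SP800-56A section 5.8.1.

    Assumed layout (my reading of the kernel DH KDF, not stated in the pull
    request): each block is Hash(counter || Z || OtherInfo) with a 32-bit
    big-endian counter starting at 1; the blocks are concatenated and the
    first out_len bytes are returned.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    hlen = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range(1, (out_len + hlen - 1) // hlen + 1):
        h = hashlib.new(hash_name)
        h.update(struct.pack(">I", counter))   # counter first, as in the concatenation KDF
        h.update(z)                            # Z: the raw DH shared secret
        h.update(other_info)                   # OtherInfo supplied by the caller
        out += h.digest()
    return out[:out_len]

# Constructed toy group for illustration only (2^61 - 1 is prime); far too small for real use.
TOY_P = 2305843009213693951
TOY_G = 5

def dh_shared_secret(priv: int, peer_pub: int, p: int = TOY_P) -> bytes:
    """Z = peer_pub^priv mod p, encoded big-endian at the modulus' byte length."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")

def derive_session_key(priv: int, peer_pub: int, other_info: bytes,
                       hash_name: str = "sha256", out_len: int = 32, p: int = TOY_P) -> bytes:
    """What a DH-compute-with-KDF request conceptually yields: KDF(Z, OtherInfo)."""
    return sp800_56a_kdf(dh_shared_secret(priv, peer_pub, p), other_info, hash_name, out_len)

def toy_exchange(a: int = 123456789, b: int = 987654321,
                 other_info: bytes = b"constructed OtherInfo") -> tuple:
    """Both sides of a constructed exchange; returns (key_a, key_b), which must be equal."""
    pub_a, pub_b = pow(TOY_G, a, TOY_P), pow(TOY_G, b, TOY_P)
    return (derive_session_key(a, pub_b, other_info),
            derive_session_key(b, pub_a, other_info))

if __name__ == "__main__":
    key_a, key_b = toy_exchange()
    print(key_a.hex(), key_a == key_b)
```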

* Re: [GIT PULL] KEYS: Blacklisting, restrictions and DH
  2017-04-12 14:44 [GIT PULL] KEYS: Blacklisting, restrictions and DH David Howells
@ 2017-04-17 21:38 ` James Morris
  0 siblings, 0 replies; 2+ messages in thread
From: James Morris @ 2017-04-17 21:38 UTC (permalink / raw)
  To: David Howells; +Cc: keyrings, linux-security-module, linux-kernel

On Wed, 12 Apr 2017, David Howells wrote:

> 
> Hi James,
> 
> Could you pull these changes into security/next please:
> 
>  (1) Provide a blacklist keyring and a blacklist key type such that X.509
>      keys and PKCS#7 certs can be blacklisted.  It is possible to load the
>      blacklist from a file at compile time.  A future patch will
>      additionally load the blacklist from the UEFI blacklist if available.
> 
>  (2) Make it possible to create a userspace keyring and to apply a
>      restriction to it such that no new keys can be added unless they meet
>      the criteria.
> 
>  (3) Add SP800-56A KDF support for the DH operation.
> 

Pulled, thanks.


-- 
James Morris
<jmorris@namei.org>

