Re: [PATCH v5 02/10] crypto: pkcs7: add ability to extract signed attributes by OID

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v5 02/10] crypto: pkcs7: add ability to extract signed attributes by OID
Date: Tue, 21 Apr 2026 01:49:14 +0000	[thread overview]
Message-ID: <20260421014914.D56C0C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260420212653.438685-3-bboscaccy@linux.microsoft.com>

Sashiko AI review found 4 potential issue(s):
- [High] API Flaw / Data Corruption with Constructed Types (`SET OF ANY` behavior)
- [High] Early Loop Termination on Missing Authenticated Attributes
- [High] Multi-value Overwrite / Parser Differential
- [Medium] Genuine ASN.1 Decoding Errors are Masked
--

commit 1ec29c2985cc84f3d3e1912ff4626eaa51d31e0c
Author: James Bottomley <James.Bottomley@HansenPartnership.com>

crypto: pkcs7: add ability to extract signed attributes by OID

This patch adds an API to extract the value of an authenticated attribute
by a specific OID. It introduces a new ASN.1 grammar and decoder to parse
the PKCS#7 signed attributes.

> diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
> index 6e3ffdac83ace..d467866f7d930 100644
> --- a/crypto/asymmetric_keys/pkcs7_parser.c
> +++ b/crypto/asymmetric_keys/pkcs7_parser.c

[ ... ]

> @@ -211,6 +212,86 @@ int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
>  }
>  EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
>  
> +struct pkcs7_aa_context {
> +	bool found;
> +	enum OID oid_to_find;
> +	const void *data;
> +	size_t len;
> +};
> +
> +int pkcs7_aa_note_OID(void *context, size_t hdrlen,
> +		      unsigned char tag,
> +		      const void *value, size_t vlen)
> +{
> +	struct pkcs7_aa_context *ctx = context;
> +	enum OID oid = look_up_OID(value, vlen);
> +
> +	ctx->found = (oid == ctx->oid_to_find);
> +
> +	return 0;
> +}
> +
> +int pkcs7_aa_note_attr(void *context, size_t hdrlen,
> +		       unsigned char tag,
> +		       const void *value, size_t vlen)
> +{
> +	struct pkcs7_aa_context *ctx = context;
> +
> +	if (ctx->found) {
> +		ctx->data = value;
> +		ctx->len = vlen;
> +	}

Since the ASN.1 SET OF ANY grammar allows constructed types, does
asn1_ber_decoder() descend into the constructed type and repeatedly call this
action for each nested primitive? If so, this would overwrite ctx->data with
the last inner leaf element rather than capturing the outer bounds.

Also, if multiple attributes with the same OID exist, wouldn't this overwrite
ctx->data with the last matching attribute instead of returning the first one
as the documentation states?

> +
> +	return 0;
> +}
> +
> +/**
> + * pkcs7_get_authattr - get authenticated attribute by OID
> + * @pkcs7: The preparsed PKCS#7 message
> + * @oid: the enum value of the OID to find
> + * @_data: Place to return a pointer to the attribute value
> + * @_len: length of the attribute value
> + *
> + * Searches the authenticated attributes until one is found with a
> + * matching OID.  Note that because the attributes are per signer
> + * there could be multiple signers with different values, but this
> + * routine will simply return the first one in parse order.
> + *
> + * Returns -ENODATA if the attribute can't be found
> + */
> +int pkcs7_get_authattr(const struct pkcs7_message *pkcs7,
> +		       enum OID oid,
> +		       const void **_data, size_t *_len)
> +{
> +	struct pkcs7_signed_info *sinfo = pkcs7->signed_infos;
> +	struct pkcs7_aa_context ctx;
> +
> +	ctx.data = NULL;
> +	ctx.oid_to_find = oid;
> +
> +	for (; sinfo; sinfo = sinfo->next) {
> +		int ret;
> +
> +		/* only extract OIDs from validated signers */
> +		if (!sinfo->verified)
> +			continue;
> +
> +		ret = asn1_ber_decoder(&pkcs7_aa_decoder, &ctx,
> +				       sinfo->authattrs, sinfo->authattrs_len);

If a verified signer omits authenticated attributes, sinfo->authattrs is
NULL and sinfo->authattrs_len is 0. Does passing a 0-length buffer to
asn1_ber_decoder() cause it to return an error?

If so, the loop will break immediately below, meaning we could miss attributes
from subsequent valid signers in the message. Should there be an explicit
continue if !sinfo->authattrs?

> +		if (ret < 0 || ctx.data != NULL)
> +			break;

If asn1_ber_decoder() returns an error due to the constructed type
misalignment, does checking ctx.data != NULL here mask that error and
allow the function to successfully return a corrupted inner pointer?

> +	}
> +
> +	if (!ctx.data)
> +		return -ENODATA;

If asn1_ber_decoder() fails with a genuine structural error like -EBADMSG,
the loop breaks but we unconditionally return -ENODATA here. Does this
incorrectly mask malformed data errors from the caller?

> +
> +	*_data = ctx.data;
> +	*_len = ctx.len;
> +
> +	return 0;
> +}
> +EXPORT_SYMBOL_GPL(pkcs7_get_authattr);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260420212653.438685-1-bboscaccy@linux.microsoft.com?part=2

next prev parent reply	other threads:[~2026-04-21  1:49 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-20 21:26 [PATCH v5 00/10] Reintroduce Hornet LSM Blaise Boscaccy
2026-04-20 21:26 ` [PATCH v5 01/10] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2026-04-21  1:17   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 02/10] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-04-21  1:49   ` sashiko-bot [this message]
2026-04-20 21:26 ` [PATCH v5 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-04-21  2:06   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 04/10] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-04-20 21:26 ` [PATCH v5 05/10] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-04-20 21:26 ` [PATCH v5 06/10] security: Hornet LSM Blaise Boscaccy
2026-04-21  0:08   ` Fan Wu
2026-04-21  4:29   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 07/10] hornet: Introduce gen_sig Blaise Boscaccy
2026-04-21  0:18   ` Fan Wu
2026-04-21  3:03   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 08/10] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-04-21  3:06   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 09/10] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2026-04-21  3:04   ` sashiko-bot
2026-04-20 21:26 ` [PATCH v5 10/10] ipe: Add BPF program load policy enforcement via Hornet integration Blaise Boscaccy
2026-04-21  0:27   ` Fan Wu
2026-04-21  3:23   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260421014914.D56C0C19425@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox