From: Thore Sommer <public@thson.de>
To: Jarkko Sakkinen <jarkko@kernel.org>,
dhowells@redhat.com, herbert@gondor.apana.org.au,
davem@davemloft.net
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] X.509: if signature is unsupported skip validation
Date: Mon, 21 Aug 2023 13:30:15 +0300 [thread overview]
Message-ID: <03cfdcc9-716f-4690-b400-c8da59ca1ef6@thson.de> (raw)
In-Reply-To: <CUU9O4ZKMDAV.20Q9VINXK6DI0@suppilovahvero>
On 16.08.23 23:54, Jarkko Sakkinen wrote:
> On Tue Aug 15, 2023 at 2:29 PM EEST, Thore Sommer wrote:
>> When the hash algorithm for the signature is not available the digest size
>> is 0 and the signature in the certificate is marked as unsupported.
>>
>> When validating a self-signed certificate, this needs to be checked,
>> because otherwise trying to validate the signature will fail with an
>> warning:
>>
>> Loading compiled-in X.509 certificates
>> WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \
>> pkcs1pad_verify+0x46/0x12c
>> ...
>> Problem loading in-kernel X.509 certificate (-22)
>>
>> Signed-off-by: Thore Sommer <public@thson.de>
>> ---
>> crypto/asymmetric_keys/x509_public_key.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
>> index 6fdfc82e23a8..7c71db3ac23d 100644
>> --- a/crypto/asymmetric_keys/x509_public_key.c
>> +++ b/crypto/asymmetric_keys/x509_public_key.c
>> @@ -130,6 +130,11 @@ int x509_check_for_self_signed(struct x509_certificate *cert)
>> goto out;
>> }
>>
>> + if (cert->unsupported_sig) {
>> + ret = 0;
>> + goto out;
>> + }
>> +
>> ret = public_key_verify_signature(cert->pub, cert->sig);
>> if (ret < 0) {
>> if (ret == -ENOPKG) {
>> --
>> 2.41.0
>
> Should have:
>
> Cc: stable@vger.kernel.org # v4.7+
> Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
>
> BR, Jarkko
Hi Jarkko,
should I resend it with the stable mailing list in CC or will it be
added when a maintainer includes the change?
Best regards,
Thore
next prev parent reply other threads:[~2023-08-21 10:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-15 11:29 [PATCH] X.509: if signature is unsupported skip validation Thore Sommer
2023-08-16 20:54 ` Jarkko Sakkinen
2023-08-21 10:30 ` Thore Sommer [this message]
2023-08-22 11:36 ` Jarkko Sakkinen
2023-08-25 11:05 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03cfdcc9-716f-4690-b400-c8da59ca1ef6@thson.de \
--to=public@thson.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox