From: David Howells <dhowells@redhat.com>
To: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
Cc: dhowells@redhat.com, "David Woodhouse" <dwmw2@infradead.org>,
"David S . Miller" <davem@davemloft.net>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"James Morris" <jmorris@namei.org>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
=?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@linux.microsoft.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check
Date: Fri, 04 Dec 2020 14:05:59 +0000 [thread overview]
Message-ID: <113785.1607090759@warthog.procyon.org.uk> (raw)
In-Reply-To: <20201120180426.922572-2-mic@digikod.net>
Mickaël Salaün <mic@digikod.net> wrote:
> When looking for a blacklisted hash, bin2hex() is used to transform a
> binary hash to an ascii (lowercase) hexadecimal string. This string is
> then search for in the description of the keys from the blacklist
> keyring. When adding a key to the blacklist keyring,
> blacklist_vet_description() checks the hash prefix and the hexadecimal
> string, but not that this string is lowercase. It is then valid to set
> hashes with uppercase hexadecimal, which will be silently ignored by the
> kernel.
>
> Add an additional check to blacklist_vet_description() to check that
> hexadecimal strings are in lowercase.
I wonder if it would be a better idea to allow the keyring type to adjust the
description string - in this instance to change it to all lowercase.
David
next prev parent reply other threads:[~2020-12-04 14:07 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-20 18:04 [PATCH v1 0/9] Enable root to update the blacklist keyring Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check Mickaël Salaün
2020-12-04 14:05 ` David Howells [this message]
2020-12-04 14:48 ` Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict Mickaël Salaün
2020-12-04 14:09 ` David Howells
2020-12-04 14:59 ` Mickaël Salaün
2020-12-11 18:35 ` Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 3/9] certs: Factor out the blacklist hash creation Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid Mickaël Salaün
2020-12-09 11:58 ` David Howells
2020-12-11 18:32 ` Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 5/9] PKCS#7: Fix missing include Mickaël Salaün
2020-12-04 14:06 ` David Howells
2020-12-04 14:58 ` Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 6/9] certs: Fix blacklist flag type confusion Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 7/9] certs: Allow root user to append signed hashes to the blacklist keyring Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 8/9] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID Mickaël Salaün
2020-12-04 14:11 ` David Howells
2020-11-20 18:04 ` [PATCH v1 9/9] tools/certs: Add print-cert-tbs-hash.sh Mickaël Salaün
2020-11-30 2:40 ` [PATCH v1 0/9] Enable root to update the blacklist keyring Jarkko Sakkinen
2020-11-30 8:23 ` Mickaël Salaün
2020-12-02 16:44 ` Jarkko Sakkinen
2020-12-04 14:01 ` David Howells
2020-12-04 15:38 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=113785.1607090759@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=davem@davemloft.net \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mic@linux.microsoft.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox