public inbox for linux-kernel@vger.kernel.org
* [GIT PULL] Miscellaneous keyrings and modsign fixes
@ 2015-09-25 15:54 David Howells
  2015-09-29  9:17 ` James Morris
  2016-02-11  8:11 ` Philipp Hahn
  0 siblings, 2 replies; 6+ messages in thread
From: David Howells @ 2015-09-25 15:54 UTC (permalink / raw)
  To: jmorris
  Cc: dhowells, dwmw2, pmatouse, arjan, apw, vlee, keyrings,
	linux-security-module, linux-kernel

Hi James,

Can you pass these changes on to Linus?  There are four:

 (1) Fix a potential race between keyring destruction and keyring lookup by
     name.

 (2) Remove unneeded headers from extract-cert.c, at least one of which will
     prevent it from compiling if the openssl libs are too old.

 (3) Don't strip leading zeros from the key ID when using it to construct a
     key description lest this make the key not match.

 (4) Downgrade use of CMS-based signatures to PKCS#7-based signatures if the
     openssl libs are too old.  Note that in this case, you are also limited
     to using SHA1 as the pre-1.0.0 openssl libs don't support anything else.

Thanks,
David
---
The following changes since commit ced255c0c5fb9ab52c9465982f23b1c14005ef8b:

  Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux (2015-09-24 20:14:26 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-fixes-20150925

for you to fetch changes up to 283e8ba2dfde54f8f27d7d0f459a07de79a39d55:

  MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old (2015-09-25 16:31:46 +0100)

----------------------------------------------------------------
Keyrings fixes

----------------------------------------------------------------
David Howells (4):
      KEYS: Fix race between key destruction and finding a keyring by name
      KEYS: Remove unnecessary header #inclusions from extract-cert.c
      X.509: Don't strip leading 00's from key ID when constructing key description
      MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old

 Documentation/Changes                    |  2 +-
 crypto/asymmetric_keys/x509_public_key.c |  4 --
 scripts/extract-cert.c                   |  4 --
 scripts/sign-file.c                      | 94 ++++++++++++++++++++++++++------
 security/keys/gc.c                       |  8 +--
 5 files changed, 82 insertions(+), 30 deletions(-)
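
Added example, not code from this pull request or from the kernel: a model of the mismatch described in item (3). It assumes a key description of the form "<subject>: <hex key ID>", a lookup that uses the full key ID, and stripping that drops one leading 0x00 byte; the function names and sample IDs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample key IDs, not taken from any real certificate. */
static const unsigned char ID_ZERO_LED[] = { 0x00, 0x9a, 0x3f, 0x11 };
static const unsigned char ID_NORMAL[]   = { 0x7c, 0x9a, 0x3f, 0x11 };

/* Build "<subject>: <hex id>" (assumed format) into out.
 * strip != 0 models the old behaviour: drop one leading 0x00 byte
 * when the ID is longer than one byte.  Returns 0, or -1 if out is too small. */
static int build_desc(char *out, size_t outlen, const char *subject,
                      const unsigned char *id, size_t idlen, int strip)
{
    if (strip && idlen > 1 && id[0] == 0) {
        id++;
        idlen--;
    }
    size_t sulen = strlen(subject);
    if (sulen + 2 + idlen * 2 + 1 > outlen)
        return -1;
    memcpy(out, subject, sulen);
    memcpy(out + sulen, ": ", 2);
    char *p = out + sulen + 2;
    for (size_t i = 0; i < idlen; i++)
        p += sprintf(p, "%02x", id[i]);
    *p = '\0';
    return 0;
}

/* Returns 1 if a key registered under the (optionally stripped) description
 * is found by a lookup that is built from the full, unstripped ID. */
int lookup_matches(const char *subject, const unsigned char *id,
                   size_t idlen, int strip)
{
    char registered[256], wanted[256];
    if (build_desc(registered, sizeof registered, subject, id, idlen, strip) ||
        build_desc(wanted, sizeof wanted, subject, id, idlen, 0))
        return 0;
    return strcmp(registered, wanted) == 0;
}

int main(void)
{
    printf("stripped,   00-led id: %d\n", lookup_matches("Example signer", ID_ZERO_LED, sizeof ID_ZERO_LED, 1));
    printf("stripped,   normal id: %d\n", lookup_matches("Example signer", ID_NORMAL, sizeof ID_NORMAL, 1));
    printf("unstripped, 00-led id: %d\n", lookup_matches("Example signer", ID_ZERO_LED, sizeof ID_ZERO_LED, 0));
    return 0;
}
```

Only IDs that begin with a 00 byte fail to match in this model, which is why such a bug shows up for some keys and not others.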


* Re: [GIT PULL] Miscellaneous keyrings and modsign fixes
  2015-09-25 15:54 [GIT PULL] Miscellaneous keyrings and modsign fixes David Howells
@ 2015-09-29  9:17 ` James Morris
  2015-09-29  9:17   ` James Morris
  2016-02-11  8:11 ` Philipp Hahn
  1 sibling, 1 reply; 6+ messages in thread
From: James Morris @ 2015-09-29  9:17 UTC (permalink / raw)
  To: David Howells
  Cc: dwmw2, pmatouse, arjan, apw, vlee, keyrings,
	linux-security-module, linux-kernel

On Fri, 25 Sep 2015, David Howells wrote:

> ---
> The following changes since commit ced255c0c5fb9ab52c9465982f23b1c14005ef8b:
> 
>   Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux (2015-09-24 20:14:26 -0700)
> 
> are available in the git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-fixes-20150925
> 

$ git pull  
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 
tags/keys-fixes-2015092
fatal: Couldn't find remote ref tags/keys-fixes-2015092




* Re: [GIT PULL] Miscellaneous keyrings and modsign fixes
  2015-09-29  9:17 ` James Morris
@ 2015-09-29  9:17   ` James Morris
  0 siblings, 0 replies; 6+ messages in thread
From: James Morris @ 2015-09-29  9:17 UTC (permalink / raw)
  To: David Howells
  Cc: dwmw2, pmatouse, arjan, apw, vlee, keyrings,
	linux-security-module, linux-kernel

On Tue, 29 Sep 2015, James Morris wrote:

> On Fri, 25 Sep 2015, David Howells wrote:
> 
> > ---
> > The following changes since commit ced255c0c5fb9ab52c9465982f23b1c14005ef8b:
> > 
> >   Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux (2015-09-24 20:14:26 -0700)
> > 
> > are available in the git repository at:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-fixes-20150925
> > 
> 
> $ git pull  
> git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 
> tags/keys-fixes-2015092
> fatal: Couldn't find remote ref tags/keys-fixes-2015092
> 

Oops, n/m.

-- 
James Morris
<jmorris@namei.org>



* Re: [GIT PULL] Miscellaneous keyrings and modsign fixes
  2015-09-25 15:54 [GIT PULL] Miscellaneous keyrings and modsign fixes David Howells
  2015-09-29  9:17 ` James Morris
@ 2016-02-11  8:11 ` Philipp Hahn
  2016-02-11 11:41   ` David Howells
  2016-02-11 13:35   ` Sasha Levin
  1 sibling, 2 replies; 6+ messages in thread
From: Philipp Hahn @ 2016-02-11  8:11 UTC (permalink / raw)
  To: David Howells, stable, Sasha Levin, linux-kernel

Hello David, cc:stable, cc:Sasha,

On 25.09.2015 at 17:54, David Howells wrote:
> Can you pass these changes on to Linus?  There are four:
...
>  (3) Don't strip leading zeros from the key ID when using it to construct a
>      key description lest this make the key not match.

That commit e7c87bef7de2417b219d4dbfe8d33a0098a8df54 went into v4.3-rc4
and is required to fix dd2f6c4481debfa389c1f2b2b1d5bd6449c42611, which
was introduced with 3.18-rc1. As such I recommend back-porting that fix
and inclusion into
 4.2
 4.1
 4.0
 3.19
 3.18
The patch is simple enough to be cherry-picked into each branch without
any fuzz.

We hit that bug and Ubuntu did too:
<https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1494943>

Thanks.

Philipp Hahn


* Re: [GIT PULL] Miscellaneous keyrings and modsign fixes
  2016-02-11  8:11 ` Philipp Hahn
@ 2016-02-11 11:41   ` David Howells
  2016-02-11 13:35   ` Sasha Levin
  1 sibling, 0 replies; 6+ messages in thread
From: David Howells @ 2016-02-11 11:41 UTC (permalink / raw)
  To: Philipp Hahn; +Cc: dhowells, stable, Sasha Levin, linux-kernel

Philipp Hahn <hahn@univention.de> wrote:

> On 25.09.2015 at 17:54, David Howells wrote:
> > Can you pass these changes on to Linus?  There are four:
> ...
> >  (3) Don't strip leading zeros from the key ID when using it to construct a
> >      key description lest this make the key not match.
> 
> That commit e7c87bef7de2417b219d4dbfe8d33a0098a8df54 went into v4.3-rc4
> and is required to fix dd2f6c4481debfa389c1f2b2b1d5bd6449c42611, which
> was introduced with 3.18-rc1. As such I recommend back-porting that fix
> and inclusion into
>  4.2
>  4.1
>  4.0
>  3.19
>  3.18
> The patch is simple enough to be cherry-picked into each branch without
> any fuzz.
> 
> We hit that bug and Ubuntu did too:
> <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1494943>

Sounds good.

David


* Re: [GIT PULL] Miscellaneous keyrings and modsign fixes
  2016-02-11  8:11 ` Philipp Hahn
  2016-02-11 11:41   ` David Howells
@ 2016-02-11 13:35   ` Sasha Levin
  1 sibling, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2016-02-11 13:35 UTC (permalink / raw)
  To: Philipp Hahn, David Howells, stable, linux-kernel

On 02/11/2016 03:11 AM, Philipp Hahn wrote:
> Hello David, cc:stable, cc:Sasha,
> 
> On 25.09.2015 at 17:54, David Howells wrote:
>> Can you pass these changes on to Linus?  There are four:
> ...
>>  (3) Don't strip leading zeros from the key ID when using it to construct a
>>      key description lest this make the key not match.
> 
> That commit e7c87bef7de2417b219d4dbfe8d33a0098a8df54 went into v4.3-rc4
> and is required to fix dd2f6c4481debfa389c1f2b2b1d5bd6449c42611, which
> was introduced with 3.18-rc1. As such I recommend back-porting that fix
> and inclusion into
>  4.2
>  4.1
>  4.0
>  3.19
>  3.18
> The patch is simple enough to be cherry-picked into each branch without
> any fuzz.
> 
> We hit that bug and Ubuntu did too:
> <https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1494943>

I've grabbed it for both 3.18 and 4.1.


Thanks,
Sasha
