tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'keys-fixes-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into keys-for-linus

Assorted fixes for keyrings, ASN.1, X.509 and PKCS#7.

James Morris 4ded3bec f335195a

+101 -69
+3 -1
crypto/asymmetric_keys/pkcs7_parser.c
··· 148 148 } 149 149 150 150 ret = pkcs7_check_authattrs(ctx->msg); 151 - if (ret < 0) 151 + if (ret < 0) { 152 + msg = ERR_PTR(ret); 152 153 goto out; 154 + } 153 155 154 156 msg = ctx->msg; 155 157 ctx->msg = NULL;
+1 -1
crypto/asymmetric_keys/pkcs7_trust.c
··· 69 69 /* Self-signed certificates form roots of their own, and if we 70 70 * don't know them, then we can't accept them. 71 71 */ 72 - if (x509->next == x509) { 72 + if (x509->signer == x509) { 73 73 kleave(" = -ENOKEY [unknown self-signed]"); 74 74 return -ENOKEY; 75 75 }
+3 -6
crypto/asymmetric_keys/pkcs7_verify.c
··· 59 59 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 60 60 61 61 /* Digest the message [RFC2315 9.3] */ 62 - ret = crypto_shash_init(desc); 63 - if (ret < 0) 64 - goto error; 65 - ret = crypto_shash_finup(desc, pkcs7->data, pkcs7->data_len, 66 - sig->digest); 62 + ret = crypto_shash_digest(desc, pkcs7->data, pkcs7->data_len, 63 + sig->digest); 67 64 if (ret < 0) 68 65 goto error; 69 66 pr_devel("MsgDigest = [%*ph]\n", 8, sig->digest); ··· 147 150 pr_devel("Sig %u: Found cert serial match X.509[%u]\n", 148 151 sinfo->index, certix); 149 152 150 - if (x509->pub->pkey_algo != sinfo->sig->pkey_algo) { 153 + if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) { 151 154 pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", 152 155 sinfo->index); 153 156 continue;
+5 -2
crypto/asymmetric_keys/public_key.c
··· 73 73 char alg_name_buf[CRYPTO_MAX_ALG_NAME]; 74 74 void *output; 75 75 unsigned int outlen; 76 - int ret = -ENOMEM; 76 + int ret; 77 77 78 78 pr_devel("==>%s()\n", __func__); 79 79 ··· 99 99 if (IS_ERR(tfm)) 100 100 return PTR_ERR(tfm); 101 101 102 + ret = -ENOMEM; 102 103 req = akcipher_request_alloc(tfm, GFP_KERNEL); 103 104 if (!req) 104 105 goto error_free_tfm; ··· 128 127 * signature and returns that to us. 129 128 */ 130 129 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait); 131 - if (ret < 0) 130 + if (ret) 132 131 goto out_free_output; 133 132 134 133 /* Do the actual verification step. */ ··· 143 142 error_free_tfm: 144 143 crypto_free_akcipher(tfm); 145 144 pr_devel("<==%s() = %d\n", __func__, ret); 145 + if (WARN_ON_ONCE(ret > 0)) 146 + ret = -EINVAL; 146 147 return ret; 147 148 } 148 149 EXPORT_SYMBOL_GPL(public_key_verify_signature);
+2
crypto/asymmetric_keys/x509_cert_parser.c
··· 409 409 ctx->cert->pub->pkey_algo = "rsa"; 410 410 411 411 /* Discard the BIT STRING metadata */ 412 + if (vlen < 1 || *(const u8 *)value != 0) 413 + return -EBADMSG; 412 414 ctx->key = value + 1; 413 415 ctx->key_size = vlen - 1; 414 416 return 0;
+2 -6
crypto/asymmetric_keys/x509_public_key.c
··· 79 79 desc->tfm = tfm; 80 80 desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; 81 81 82 - ret = crypto_shash_init(desc); 83 - if (ret < 0) 84 - goto error_2; 85 - might_sleep(); 86 - ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest); 82 + ret = crypto_shash_digest(desc, cert->tbs, cert->tbs_size, sig->digest); 87 83 if (ret < 0) 88 84 goto error_2; 89 85 ··· 131 135 } 132 136 133 137 ret = -EKEYREJECTED; 134 - if (cert->pub->pkey_algo != cert->sig->pkey_algo) 138 + if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0) 135 139 goto out; 136 140 137 141 ret = public_key_verify_signature(cert->pub, cert->sig);
+28 -21
lib/asn1_decoder.c
··· 313 313 314 314 /* Decide how to handle the operation */ 315 315 switch (op) { 316 - case ASN1_OP_MATCH_ANY_ACT: 317 - case ASN1_OP_MATCH_ANY_ACT_OR_SKIP: 318 - case ASN1_OP_COND_MATCH_ANY_ACT: 319 - case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP: 320 - ret = actions[machine[pc + 1]](context, hdr, tag, data + dp, len); 321 - if (ret < 0) 322 - return ret; 323 - goto skip_data; 324 - 325 - case ASN1_OP_MATCH_ACT: 326 - case ASN1_OP_MATCH_ACT_OR_SKIP: 327 - case ASN1_OP_COND_MATCH_ACT_OR_SKIP: 328 - ret = actions[machine[pc + 2]](context, hdr, tag, data + dp, len); 329 - if (ret < 0) 330 - return ret; 331 - goto skip_data; 332 - 333 316 case ASN1_OP_MATCH: 334 317 case ASN1_OP_MATCH_OR_SKIP: 318 + case ASN1_OP_MATCH_ACT: 319 + case ASN1_OP_MATCH_ACT_OR_SKIP: 335 320 case ASN1_OP_MATCH_ANY: 336 321 case ASN1_OP_MATCH_ANY_OR_SKIP: 322 + case ASN1_OP_MATCH_ANY_ACT: 323 + case ASN1_OP_MATCH_ANY_ACT_OR_SKIP: 337 324 case ASN1_OP_COND_MATCH_OR_SKIP: 325 + case ASN1_OP_COND_MATCH_ACT_OR_SKIP: 338 326 case ASN1_OP_COND_MATCH_ANY: 339 327 case ASN1_OP_COND_MATCH_ANY_OR_SKIP: 340 - skip_data: 328 + case ASN1_OP_COND_MATCH_ANY_ACT: 329 + case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP: 330 + 341 331 if (!(flags & FLAG_CONS)) { 342 332 if (flags & FLAG_INDEFINITE_LENGTH) { 333 + size_t tmp = dp; 334 + 343 335 ret = asn1_find_indefinite_length( 344 - data, datalen, &dp, &len, &errmsg); 336 + data, datalen, &tmp, &len, &errmsg); 345 337 if (ret < 0) 346 338 goto error; 347 - } else { 348 - dp += len; 349 339 } 350 340 pr_debug("- LEAF: %zu\n", len); 351 341 } 342 + 343 + if (op & ASN1_OP_MATCH__ACT) { 344 + unsigned char act; 345 + 346 + if (op & ASN1_OP_MATCH__ANY) 347 + act = machine[pc + 1]; 348 + else 349 + act = machine[pc + 2]; 350 + ret = actions[act](context, hdr, tag, data + dp, len); 351 + if (ret < 0) 352 + return ret; 353 + } 354 + 355 + if (!(flags & FLAG_CONS)) 356 + dp += len; 352 357 pc += asn1_op_lengths[op]; 353 358 goto next_op; 354 359 ··· 439 434 else 440 435 act = machine[pc + 1]; 441 436 ret = actions[act](context, hdr, 0, data + tdp, len); 437 + if (ret < 0) 438 + return ret; 442 439 } 443 440 pc += asn1_op_lengths[op]; 444 441 goto next_op;
+10 -6
lib/oid_registry.c
··· 116 116 int count; 117 117 118 118 if (v >= end) 119 - return -EBADMSG; 119 + goto bad; 120 120 121 121 n = *v++; 122 122 ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40); 123 + if (count >= bufsize) 124 + return -ENOBUFS; 123 125 buffer += count; 124 126 bufsize -= count; 125 - if (bufsize == 0) 126 - return -ENOBUFS; 127 127 128 128 while (v < end) { 129 129 num = 0; ··· 134 134 num = n & 0x7f; 135 135 do { 136 136 if (v >= end) 137 - return -EBADMSG; 137 + goto bad; 138 138 n = *v++; 139 139 num <<= 7; 140 140 num |= n & 0x7f; 141 141 } while (n & 0x80); 142 142 } 143 143 ret += count = snprintf(buffer, bufsize, ".%lu", num); 144 - buffer += count; 145 - if (bufsize <= count) 144 + if (count >= bufsize) 146 145 return -ENOBUFS; 146 + buffer += count; 147 147 bufsize -= count; 148 148 } 149 149 150 150 return ret; 151 + 152 + bad: 153 + snprintf(buffer, bufsize, "(bad)"); 154 + return -EBADMSG; 151 155 } 152 156 EXPORT_SYMBOL_GPL(sprint_oid); 153 157
-1
security/keys/key.c
··· 833 833 834 834 key_check(keyring); 835 835 836 - key_ref = ERR_PTR(-EPERM); 837 836 if (!(flags & KEY_ALLOC_BYPASS_RESTRICTION)) 838 837 restrict_link = keyring->restrict_link; 839 838
+10 -14
security/keys/keyctl.c
··· 1588 1588 * The caller must have Setattr permission to change keyring restrictions. 1589 1589 * 1590 1590 * The requested type name may be a NULL pointer to reject all attempts 1591 - * to link to the keyring. If _type is non-NULL, _restriction can be 1592 - * NULL or a pointer to a string describing the restriction. If _type is 1593 - * NULL, _restriction must also be NULL. 1591 + * to link to the keyring. In this case, _restriction must also be NULL. 1592 + * Otherwise, both _type and _restriction must be non-NULL. 1594 1593 * 1595 1594 * Returns 0 if successful. 1596 1595 */ ··· 1597 1598 const char __user *_restriction) 1598 1599 { 1599 1600 key_ref_t key_ref; 1600 - bool link_reject = !_type; 1601 1601 char type[32]; 1602 1602 char *restriction = NULL; 1603 1603 long ret; ··· 1605 1607 if (IS_ERR(key_ref)) 1606 1608 return PTR_ERR(key_ref); 1607 1609 1610 + ret = -EINVAL; 1608 1611 if (_type) { 1612 + if (!_restriction) 1613 + goto error; 1614 + 1609 1615 ret = key_get_type_from_user(type, _type, sizeof(type)); 1610 1616 if (ret < 0) 1611 1617 goto error; 1612 - } 1613 - 1614 - if (_restriction) { 1615 - if (!_type) { 1616 - ret = -EINVAL; 1617 - goto error; 1618 - } 1619 1618 1620 1619 restriction = strndup_user(_restriction, PAGE_SIZE); 1621 1620 if (IS_ERR(restriction)) { 1622 1621 ret = PTR_ERR(restriction); 1623 1622 goto error; 1624 1623 } 1624 + } else { 1625 + if (_restriction) 1626 + goto error; 1625 1627 } 1626 1628 1627 - ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction); 1629 + ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); 1628 1630 kfree(restriction); 1629 - 1630 1631 error: 1631 1632 key_ref_put(key_ref); 1632 - 1633 1633 return ret; 1634 1634 } 1635 1635
+37 -11
security/keys/request_key.c
··· 251 251 * The keyring selected is returned with an extra reference upon it which the 252 252 * caller must release. 253 253 */ 254 - static void construct_get_dest_keyring(struct key **_dest_keyring) 254 + static int construct_get_dest_keyring(struct key **_dest_keyring) 255 255 { 256 256 struct request_key_auth *rka; 257 257 const struct cred *cred = current_cred(); 258 258 struct key *dest_keyring = *_dest_keyring, *authkey; 259 + int ret; 259 260 260 261 kenter("%p", dest_keyring); 261 262 ··· 265 264 /* the caller supplied one */ 266 265 key_get(dest_keyring); 267 266 } else { 267 + bool do_perm_check = true; 268 + 268 269 /* use a default keyring; falling through the cases until we 269 270 * find one that we actually have */ 270 271 switch (cred->jit_keyring) { ··· 281 278 dest_keyring = 282 279 key_get(rka->dest_keyring); 283 280 up_read(&authkey->sem); 284 - if (dest_keyring) 281 + if (dest_keyring) { 282 + do_perm_check = false; 285 283 break; 284 + } 286 285 } 287 286 288 287 case KEY_REQKEY_DEFL_THREAD_KEYRING: ··· 319 314 default: 320 315 BUG(); 321 316 } 317 + 318 + /* 319 + * Require Write permission on the keyring. This is essential 320 + * because the default keyring may be the session keyring, and 321 + * joining a keyring only requires Search permission. 322 + * 323 + * However, this check is skipped for the "requestor keyring" so 324 + * that /sbin/request-key can itself use request_key() to add 325 + * keys to the original requestor's destination keyring. 326 + */ 327 + if (dest_keyring && do_perm_check) { 328 + ret = key_permission(make_key_ref(dest_keyring, 1), 329 + KEY_NEED_WRITE); 330 + if (ret) { 331 + key_put(dest_keyring); 332 + return ret; 333 + } 334 + } 322 335 } 323 336 324 337 *_dest_keyring = dest_keyring; 325 338 kleave(" [dk %d]", key_serial(dest_keyring)); 326 - return; 339 + return 0; 327 340 } 328 341 329 342 /* ··· 467 444 if (ctx->index_key.type == &key_type_keyring) 468 445 return ERR_PTR(-EPERM); 469 446 470 - user = key_user_lookup(current_fsuid()); 471 - if (!user) 472 - return ERR_PTR(-ENOMEM); 447 + ret = construct_get_dest_keyring(&dest_keyring); 448 + if (ret) 449 + goto error; 473 450 474 - construct_get_dest_keyring(&dest_keyring); 451 + user = key_user_lookup(current_fsuid()); 452 + if (!user) { 453 + ret = -ENOMEM; 454 + goto error_put_dest_keyring; 455 + } 475 456 476 457 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key); 477 458 key_user_put(user); ··· 490 463 } else if (ret == -EINPROGRESS) { 491 464 ret = 0; 492 465 } else { 493 - goto couldnt_alloc_key; 466 + goto error_put_dest_keyring; 494 467 } 495 468 496 469 key_put(dest_keyring); ··· 500 473 construction_failed: 501 474 key_negate_and_link(key, key_negative_timeout, NULL, NULL); 502 475 key_put(key); 503 - couldnt_alloc_key: 476 + error_put_dest_keyring: 504 477 key_put(dest_keyring); 478 + error: 505 479 kleave(" = %d", ret); 506 480 return ERR_PTR(ret); 507 481 } ··· 574 546 if (!IS_ERR(key_ref)) { 575 547 key = key_ref_to_ptr(key_ref); 576 548 if (dest_keyring) { 577 - construct_get_dest_keyring(&dest_keyring); 578 549 ret = key_link(dest_keyring, key); 579 - key_put(dest_keyring); 580 550 if (ret < 0) { 581 551 key_put(key); 582 552 key = ERR_PTR(ret);