• David Howells's avatar
    X.509: Don't strip leading 00's from key ID when constructing key description · 0479b826
    David Howells authored
    [ Upstream commit e7c87bef ]
    
    Don't strip leading zeros from the crypto key ID when using it to construct
    the struct key description as the signature in kernels up to and including
    4.2 matched this aspect of the key.  This means that 1 in 256 keys won't
    actually match if their key ID begins with 00.
    
    The key ID is stored in the module signature as binary and so must be
    converted to text in order to invoke request_key() - but it isn't stripped
    at this point.
    
    Something like this is likely to be observed in dmesg when the key is loaded:
    
    [    1.572423] Loaded X.509 cert 'Build time autogenerated kernel
        key: 62a7c3d2da278be024da4af8652c071f3fea33'
    
    followed by this when we try and use it:
    
      [    1.646153] Request for unknown module key 'Build time autogenerated
        kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11
    
    The 'Loaded' line should show an extra '00' on the front of the hex string.
    
    This problem should not affect 4.3-rc1 and onwards because there the key
    should be matched on one of its auxiliary identities rather than the key
    struct's description string.
    Reported-by: default avatarArjan van de Ven <arjan@linux.intel.com>
    Reported-by: default avatarAndy Whitcroft <apw@canonical.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
    0479b826
x509_public_key.c 9.39 KB