Commit 897473fc authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull key handling fixes from James Morris:
 "Quoting David Howells:

  Here are three miscellaneous fixes:

  (1) Fix a panic in some debugging code in PKCS#7.  This can only
      happen by explicitly inserting a #define DEBUG into the code.

  (2) Fix the calculation of the digest length in the PE file parser.
      This causes a failure where there should be a success.

  (3) Fix the case where an X.509 cert can be added as an asymmetric key
      to a trusted keyring with no trust restriction if no AKID is
      supplied.

  Bugs (1) and (2) aren't particularly problematic, but (3) allows a
  security check to be bypassed.  Happily, this is a recent regression
  and never made it into a released kernel"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
  pefile: Fix the failure of calculation for digest
  PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined
parents 3aa536d9 acddc720
...@@ -124,5 +124,10 @@ int mscode_note_digest(void *context, size_t hdrlen, ...@@ -124,5 +124,10 @@ int mscode_note_digest(void *context, size_t hdrlen,
struct pefile_context *ctx = context; struct pefile_context *ctx = context;
ctx->digest = kmemdup(value, vlen, GFP_KERNEL); ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
return ctx->digest ? 0 : -ENOMEM; if (!ctx->digest)
return -ENOMEM;
ctx->digest_len = vlen;
return 0;
} }
...@@ -227,7 +227,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -227,7 +227,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
if (asymmetric_key_id_same(p->id, auth)) if (asymmetric_key_id_same(p->id, auth))
goto found_issuer_check_skid; goto found_issuer_check_skid;
} }
} else { } else if (sig->auth_ids[1]) {
auth = sig->auth_ids[1]; auth = sig->auth_ids[1];
pr_debug("- want %*phN\n", auth->len, auth->data); pr_debug("- want %*phN\n", auth->len, auth->data);
for (p = pkcs7->certs; p; p = p->next) { for (p = pkcs7->certs; p; p = p->next) {
......
...@@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring, ...@@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring,
sig = payload->data[asym_auth]; sig = payload->data[asym_auth];
if (!sig->auth_ids[0] && !sig->auth_ids[1]) if (!sig->auth_ids[0] && !sig->auth_ids[1])
return 0; return -ENOKEY;
if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
return -EPERM; return -EPERM;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment