| Message ID | 20160713175754.541-1-mathew.j.martineau@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, 13 Jul 2016, Mat Martineau wrote: > Arbitrary X.509 certificates without authority key identifiers (AKIs) > can be added to "trusted" keyrings, including IMA or EVM certs loaded > from the filesystem. Signature verification is currently bypassed for > certs without AKIs. > > Trusted keys were recently refactored, and this bug is not present in > 4.6. Which kernel is this patch for?
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > Arbitrary X.509 certificates without authority key identifiers (AKIs) > can be added to "trusted" keyrings, including IMA or EVM certs loaded > from the filesystem. Signature verification is currently bypassed for > certs without AKIs. > > Trusted keys were recently refactored, and this bug is not present in > 4.6. > > restrict_link_by_signature should return -ENOKEY (no matching parent > certificate found) if the certificate being evaluated has no AKIs, > instead of bypassing signature checks and returning 0 (new certificate > accepted). > > Reported-by: Petko Manolov <petkan@mip-labs.com> > Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Applied. -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, 14 Jul 2016, James Morris wrote: > On Wed, 13 Jul 2016, Mat Martineau wrote: > >> Arbitrary X.509 certificates without authority key identifiers (AKIs) >> can be added to "trusted" keyrings, including IMA or EVM certs loaded >> from the filesystem. Signature verification is currently bypassed for >> certs without AKIs. >> >> Trusted keys were recently refactored, and this bug is not present in >> 4.6. > > Which kernel is this patch for? It's for 4.7. David just sent an email saying he's applied it. I'm not sure where, but it's likely work-in-process. -- Mat Martineau Intel OTC -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Mat Martineau <mathew.j.martineau@linux.intel.com> wrote: > David just sent an email saying he's applied it. I'm not sure where, but it's > likely work-in-process. I'm just collecting some fixes together. Will send later on. David -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index ac4bddf..19d1afb9 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -87,7 +87,7 @@ int restrict_link_by_signature(struct key *trust_keyring, sig = payload->data[asym_auth]; if (!sig->auth_ids[0] && !sig->auth_ids[1]) - return 0; + return -ENOKEY; if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) return -EPERM;
Arbitrary X.509 certificates without authority key identifiers (AKIs) can be added to "trusted" keyrings, including IMA or EVM certs loaded from the filesystem. Signature verification is currently bypassed for certs without AKIs. Trusted keys were recently refactored, and this bug is not present in 4.6. restrict_link_by_signature should return -ENOKEY (no matching parent certificate found) if the certificate being evaluated has no AKIs, instead of bypassing signature checks and returning 0 (new certificate accepted). Reported-by: Petko Manolov <petkan@mip-labs.com> Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> --- The subject line for v1 was "Do not trust certs with missing auth IDs". I've only updated the commit message for v2 to clarify the scope and consequences of the bug. crypto/asymmetric_keys/restrict.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)