
x509: Separately calculate sha256 for blacklist

Calculate the SHA256 hash for blacklisting purposes independently of the
signature hash (which may be something other than SHA256).

This is necessary because when ML-DSA is used, no digest is calculated.

Note that this represents a change of behaviour in that the hash used for
the blacklist check would previously have been whatever digest was used
for, say, RSA-based signatures. It may be that this is inadvisable.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
cc: Lukas Wunner <lukas@wunner.de>
cc: Ignat Korchagin <ignat@cloudflare.com>
cc: Stephan Mueller <smueller@chronox.de>
cc: Eric Biggers <ebiggers@kernel.org>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org

+15 -9
+2
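--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -9,12 +9,14 @@
 #include <linux/time.h>
 #include <crypto/public_key.h>
 #include <keys/asymmetric-type.h>
+#include <crypto/sha2.h>
 
 struct x509_certificate {
 	struct x509_certificate *next;
 	struct x509_certificate *signer;	/* Certificate that signed this one */
 	struct public_key *pub;			/* Public key details */
 	struct public_key_signature *sig;	/* Signature parameters */
+	u8 sha256[SHA256_DIGEST_SIZE];		/* Hash for blacklist purposes */
 	char *issuer;				/* Name of certificate issuer */
 	char *subject;				/* Name of certificate subject */
 	struct asymmetric_key_id *id;		/* Issuer + Serial number */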
+13 -9
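--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -31,6 +31,19 @@
 
 	pr_devel("==>%s()\n", __func__);
 
+	/* Calculate a SHA256 hash of the TBS and check it against the
+	 * blacklist.
+	 */
+	sha256(cert->tbs, cert->tbs_size, cert->sha256);
+	ret = is_hash_blacklisted(cert->sha256, sizeof(cert->sha256),
+				  BLACKLIST_HASH_X509_TBS);
+	if (ret == -EKEYREJECTED) {
+		pr_err("Cert %*phN is blacklisted\n",
+		       (int)sizeof(cert->sha256), cert->sha256);
+		cert->blacklisted = true;
+		ret = 0;
+	}
+
 	sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL);
 	if (!sig->s)
 		return -ENOMEM;
@@ -81,15 +68,6 @@
 
 	if (ret < 0)
 		goto error_2;
-
-	ret = is_hash_blacklisted(sig->digest, sig->digest_size,
-				  BLACKLIST_HASH_X509_TBS);
-	if (ret == -EKEYREJECTED) {
-		pr_err("Cert %*phN is blacklisted\n",
-		       sig->digest_size, sig->digest);
-		cert->blacklisted = true;
-		ret = 0;
-	}
 
 error_2:
 	kfree(desc);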
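Review bot: A blacklist lookup that fails for a reason other than a hit is now silently treated as "not blacklisted": after the new `is_hash_blacklisted()` call only `-EKEYREJECTED` is handled, and any other negative `ret` is overwritten by the later assignments before it can reach the function's return, whereas in the removed block the same error flowed straight to `error_2` and out. If the helper can fail (it allocates a lookup buffer internally, so `-ENOMEM` looks possible — confirm against blacklist.c), the check fails open; adding `else if (ret < 0) return ret;` after the `if (ret == -EKEYREJECTED)` block, before `sig->s` is allocated, keeps the previous fail-closed behaviour. The comment above the call would also be a good place to record that `tbs:` blacklist entries are now matched as SHA-256 of the TBS regardless of the signature's own digest, since entries previously derived from, say, a SHA-512 signature digest will no longer match. The enclosing function starts before this hunk and continues past it.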