Message ID | 20230815112942.392572-1-public@thson.de |
---|---|
State | Accepted |
Commit | ef5b52a631f8c18353e80ccab8408b963305510c |
Headers | show |
Series | X.509: if signature is unsupported skip validation | expand |
On Tue Aug 15, 2023 at 2:29 PM EEST, Thore Sommer wrote: > When the hash algorithm for the signature is not available the digest size > is 0 and the signature in the certificate is marked as unsupported. > > When validating a self-signed certificate, this needs to be checked, > because otherwise trying to validate the signature will fail with an > warning: > > Loading compiled-in X.509 certificates > WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ > pkcs1pad_verify+0x46/0x12c > ... > Problem loading in-kernel X.509 certificate (-22) > > Signed-off-by: Thore Sommer <public@thson.de> > --- > crypto/asymmetric_keys/x509_public_key.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c > index 6fdfc82e23a8..7c71db3ac23d 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -130,6 +130,11 @@ int x509_check_for_self_signed(struct x509_certificate *cert) > goto out; > } > > + if (cert->unsupported_sig) { > + ret = 0; > + goto out; > + } > + > ret = public_key_verify_signature(cert->pub, cert->sig); > if (ret < 0) { > if (ret == -ENOPKG) { > -- > 2.41.0 Should have: Cc: stable@vger.kernel.org # v4.7+ Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier") BR, Jarkko
On 16.08.23 23:54, Jarkko Sakkinen wrote: > On Tue Aug 15, 2023 at 2:29 PM EEST, Thore Sommer wrote: >> When the hash algorithm for the signature is not available the digest size >> is 0 and the signature in the certificate is marked as unsupported. >> >> When validating a self-signed certificate, this needs to be checked, >> because otherwise trying to validate the signature will fail with an >> warning: >> >> Loading compiled-in X.509 certificates >> WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ >> pkcs1pad_verify+0x46/0x12c >> ... >> Problem loading in-kernel X.509 certificate (-22) >> >> Signed-off-by: Thore Sommer <public@thson.de> >> --- >> crypto/asymmetric_keys/x509_public_key.c | 5 +++++ >> 1 file changed, 5 insertions(+) >> >> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c >> index 6fdfc82e23a8..7c71db3ac23d 100644 >> --- a/crypto/asymmetric_keys/x509_public_key.c >> +++ b/crypto/asymmetric_keys/x509_public_key.c >> @@ -130,6 +130,11 @@ int x509_check_for_self_signed(struct x509_certificate *cert) >> goto out; >> } >> >> + if (cert->unsupported_sig) { >> + ret = 0; >> + goto out; >> + } >> + >> ret = public_key_verify_signature(cert->pub, cert->sig); >> if (ret < 0) { >> if (ret == -ENOPKG) { >> -- >> 2.41.0 > > Should have: > > Cc: stable@vger.kernel.org # v4.7+ > Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier") > > BR, Jarkko Hi Jarkko, should I resend it with the stable mailing list in CC or will it be added when a maintainer includes the change? Best regards, Thore
On Mon Aug 21, 2023 at 1:30 PM EEST, Thore Sommer wrote: > On 16.08.23 23:54, Jarkko Sakkinen wrote: > > On Tue Aug 15, 2023 at 2:29 PM EEST, Thore Sommer wrote: > >> When the hash algorithm for the signature is not available the digest size > >> is 0 and the signature in the certificate is marked as unsupported. > >> > >> When validating a self-signed certificate, this needs to be checked, > >> because otherwise trying to validate the signature will fail with an > >> warning: > >> > >> Loading compiled-in X.509 certificates > >> WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ > >> pkcs1pad_verify+0x46/0x12c > >> ... > >> Problem loading in-kernel X.509 certificate (-22) > >> > >> Signed-off-by: Thore Sommer <public@thson.de> > >> --- > >> crypto/asymmetric_keys/x509_public_key.c | 5 +++++ > >> 1 file changed, 5 insertions(+) > >> > >> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c > >> index 6fdfc82e23a8..7c71db3ac23d 100644 > >> --- a/crypto/asymmetric_keys/x509_public_key.c > >> +++ b/crypto/asymmetric_keys/x509_public_key.c > >> @@ -130,6 +130,11 @@ int x509_check_for_self_signed(struct x509_certificate *cert) > >> goto out; > >> } > >> > >> + if (cert->unsupported_sig) { > >> + ret = 0; > >> + goto out; > >> + } > >> + > >> ret = public_key_verify_signature(cert->pub, cert->sig); > >> if (ret < 0) { > >> if (ret == -ENOPKG) { > >> -- > >> 2.41.0 > > > > Should have: > > > > Cc: stable@vger.kernel.org # v4.7+ > > Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier") > > > > BR, Jarkko > > Hi Jarkko, > > should I resend it with the stable mailing list in CC or will it be > added when a maintainer includes the change? AFAIK the correct tags, and automation takes care of the rest. If there is a merge conflict to some stable branch, the bots will call back to you :-) BR, Jarkko
On Tue, Aug 15, 2023 at 02:29:42PM +0300, Thore Sommer wrote: > When the hash algorithm for the signature is not available the digest size > is 0 and the signature in the certificate is marked as unsupported. > > When validating a self-signed certificate, this needs to be checked, > because otherwise trying to validate the signature will fail with an > warning: > > Loading compiled-in X.509 certificates > WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ > pkcs1pad_verify+0x46/0x12c > ... > Problem loading in-kernel X.509 certificate (-22) > > Signed-off-by: Thore Sommer <public@thson.de> > --- > crypto/asymmetric_keys/x509_public_key.c | 5 +++++ > 1 file changed, 5 insertions(+) Patch applied. Thanks.
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 6fdfc82e23a8..7c71db3ac23d 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -130,6 +130,11 @@ int x509_check_for_self_signed(struct x509_certificate *cert) goto out; } + if (cert->unsupported_sig) { + ret = 0; + goto out; + } + ret = public_key_verify_signature(cert->pub, cert->sig); if (ret < 0) { if (ret == -ENOPKG) {
When the hash algorithm for the signature is not available the digest size is 0 and the signature in the certificate is marked as unsupported. When validating a self-signed certificate, this needs to be checked, because otherwise trying to validate the signature will fail with an warning: Loading compiled-in X.509 certificates WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:537 \ pkcs1pad_verify+0x46/0x12c ... Problem loading in-kernel X.509 certificate (-22) Signed-off-by: Thore Sommer <public@thson.de> --- crypto/asymmetric_keys/x509_public_key.c | 5 +++++ 1 file changed, 5 insertions(+)