Linux Kernels

X.509: Don't strip leading 00's from key ID when constructing key description

This change, “X.509: Don't strip leading 00's from key ID when constructing key description” (commit e7c87be) in the Linux kernel, was authored by David Howells <dhowells@redhat.com> on Fri Sep 25 16:31:46 2015 +0100.

Description of "X.509: Don't strip leading 00's from key ID when constructing key description"

The commit message for “X.509: Don't strip leading 00's from key ID when constructing key description” reads as follows.

X.509: Don't strip leading 00's from key ID when constructing key description

Don't strip leading zeros from the crypto key ID when using it to construct
the struct key description as the signature in kernels up to and including
4.2 matched this aspect of the key.  This means that 1 in 256 keys won't
actually match if their key ID begins with 00.

The key ID is stored in the module signature as binary and so must be
converted to text in order to invoke request_key() - but it isn't stripped
at this point.

Something like this is likely to be observed in dmesg when the key is loaded:

  [    1.572423] Loaded X.509 cert 'Build time autogenerated kernel
    key: 62a7c3d2da278be024da4af8652c071f3fea33'

followed by this when we try and use it:

  [    1.646153] Request for unknown module key 'Build time autogenerated
    kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

The 'Loaded' line should show an extra '00' on the front of the hex string.

This problem should not affect 4.3-rc1 and onwards because there the key
should be matched on one of its auxiliary identities rather than the key
struct's description string.

Reported-by: Arjan van de Ven <arjan@linux.intel.com>
Reported-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
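The mismatch the commit message describes can be reproduced outside the kernel. The following is an added example written for this page, not code from the commit or from the kernel tree: it builds the key description the way x509_key_preparse() does ("<subject>: <hex serial>"), once with the pre-fix stripping of a single leading 0x00 byte and once without, and then simulates the module-signature side, which hex-encodes the raw binary key ID unstripped before calling request_key(). The key ID bytes are taken from the dmesg lines quoted above; the function names (build_desc, lookup_matches, kernel_key_found, kernel_key_desc_is) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not kernel code. Mirrors how x509_key_preparse() forms the
 * struct key description and how the module-signature verifier forms the
 * description it passes to request_key(). All names here are the example's own.
 */

/* Key ID from the dmesg output quoted in the commit message (20 bytes). */
static const unsigned char kernel_key_id[] = {
    0x00, 0x62, 0xa7, 0xc3, 0xd2, 0xda, 0x27, 0x8b, 0xe0, 0x24,
    0xda, 0x4a, 0xf8, 0x65, 0x2c, 0x07, 0x1f, 0x3f, 0xea, 0x33,
};
static const char kernel_key_subject[] = "Build time autogenerated kernel key";

/*
 * Build "<subject>: <hex serial>". strip_leading_zero=1 reproduces the code
 * the patch removes; 0 is the post-fix behaviour. Caller frees the result.
 */
char *build_desc(const char *subject, const unsigned char *serial,
                 size_t srlen, int strip_leading_zero)
{
    static const char hex[] = "0123456789abcdef";
    size_t sulen = strlen(subject);
    const unsigned char *q = serial;
    char *desc, *p;
    size_t i;

    if (strip_leading_zero && srlen > 1 && *q == 0) {
        srlen--;            /* pre-fix: drop one leading 0x00 */
        q++;
    }

    desc = malloc(sulen + 2 + srlen * 2 + 1);   /* same sizing as the kernel */
    if (!desc)
        return NULL;
    memcpy(desc, subject, sulen);
    p = desc + sulen;
    *p++ = ':';
    *p++ = ' ';
    for (i = 0; i < srlen; i++) {
        *p++ = hex[q[i] >> 4];
        *p++ = hex[q[i] & 0x0f];
    }
    *p = '\0';
    return desc;
}

/*
 * Lookup side: the module signature carries the key ID as raw bytes, which
 * are hex-encoded unstripped to form the request_key() description.
 * Returns 1 when a key registered under loaded_desc would be found,
 * 0 for "Request for unknown module key".
 */
int lookup_matches(const char *loaded_desc, const char *subject,
                   const unsigned char *id, size_t idlen)
{
    char *wanted = build_desc(subject, id, idlen, 0);
    int found = wanted && strcmp(loaded_desc, wanted) == 0;
    free(wanted);
    return found;
}

/* 1 if the kernel key, registered with strip=<strip>, is found by a module load. */
int kernel_key_found(int strip)
{
    char *loaded = build_desc(kernel_key_subject, kernel_key_id,
                              sizeof(kernel_key_id), strip);
    int found = loaded && lookup_matches(loaded, kernel_key_subject,
                                         kernel_key_id, sizeof(kernel_key_id));
    free(loaded);
    return found;
}

/* 1 if the description built with strip=<strip> equals expected. */
int kernel_key_desc_is(int strip, const char *expected)
{
    char *d = build_desc(kernel_key_subject, kernel_key_id,
                         sizeof(kernel_key_id), strip);
    int same = d && strcmp(d, expected) == 0;
    free(d);
    return same;
}

int main(void)
{
    char *old_desc = build_desc(kernel_key_subject, kernel_key_id, sizeof(kernel_key_id), 1);
    char *new_desc = build_desc(kernel_key_subject, kernel_key_id, sizeof(kernel_key_id), 0);

    printf("pre-fix:  '%s' -> %s\n", old_desc, kernel_key_found(1) ? "found" : "unknown key");
    printf("post-fix: '%s' -> %s\n", new_desc, kernel_key_found(0) ? "found" : "unknown key");
    free(old_desc);
    free(new_desc);
    return 0;
}
```

With the pre-fix stripping the loaded key's description is one byte (two hex digits) shorter than the one the verifier asks for, so the lookup fails exactly for IDs that begin with 0x00; without stripping the two strings are identical and the key is found.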

Linux kernel releases containing commit e7c87be

The Linux kernel releases containing this commit are as follows.

Linux kernel code changes from "X.509: Don't strip leading 00's from key ID when constructing key description"

This change deletes 4 lines of Linux source code and adds none. The code changes to the Linux kernel are as follows.

 crypto/asymmetric_keys/x509_public_key.c | 4 ----
 1 file changed, 4 deletions(-)
 
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 6d88dd15c98d..197096632412 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -332,10 +332,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 		srlen = cert->raw_serial_size;
 		q = cert->raw_serial;
 	}
-	if (srlen > 1 && *q == 0) {
-		srlen--;
-		q++;
-	}
 
 	ret = -ENOMEM;
 	desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);

The commit for this change in the Linux stable tree is e7c87be.

Last modified: 2020/01/11 06:54