Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict

[PATCH v3 00/10] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 04/10] certs: Fix blacklist flag type confusion · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 07/10] certs: Factor out the blacklist hash creation · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-21
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2021-01-20
[PATCH v3 01/10] certs/blacklist: fix kernel doc interface issue · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 01/10] certs/blacklist: fix kernel doc interface issue · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
[PATCH v3 03/10] PKCS#7: Fix missing include · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 03/10] PKCS#7: Fix missing include · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
[PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mimi Zohar <zohar@linux.ibm.com> · 2021-01-15
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-20
[PATCH v3 10/10] tools/certs: Add print-cert-tbs-hash.sh · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
Re: [PATCH v3 00/10] Enable root to update the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-15

From: Mickaël Salaün <mic@digikod.net>
Date: 2021-01-20 12:00:13
Also in: keyrings, linux-crypto, linux-security-module, lkml

On 20/01/2021 05:16, Jarkko Sakkinen wrote:

On Thu, Jan 14, 2021 at 04:19:05PM +0100, Mickaël Salaün wrote:

quoted

From: Mickaël Salaün <redacted>

Before exposing this new key type to user space, make sure that only
meaningful blacklisted hashes are accepted.  This is also checked for
builtin blacklisted hashes, but a following commit make sure that the
user will notice (at built time) and will fix the configuration if it
already included errors.

Check that a blacklist key description starts with a valid prefix and
then a valid hexadecimal string.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Mickaël Salaün <redacted>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

In this I'm not as worried about ABI, i.e. you don't have any reason
supply any other data, which doesn't follow these ruels, whereas there
could very well be a script that does format hex "incorrectly".

I think I answered this comment in patch 2/10: there is no ABI breakage,
it only prepares for safe dynamic key addition. Patch 10/10 enables to
avoid using incorrect/useless/mis-leading hashes and force users to fix
these hashes (that were not taken into account)

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help