Re: [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check

[PATCH v1 0/9] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2020-11-20
[PATCH v1 3/9] certs: Factor out the blacklist hash creation · Mickaël Salaün <mic@digikod.net> · 2020-11-20
[PATCH v1 6/9] certs: Fix blacklist flag type confusion · Mickaël Salaün <mic@digikod.net> · 2020-11-20
[PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2020-11-20
Re: [PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid · David Howells <dhowells@redhat.com> · 2020-12-09
Re: [PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2020-12-11
[PATCH v1 8/9] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Mickaël Salaün <mic@digikod.net> · 2020-11-20
Re: [PATCH v1 8/9] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · David Howells <dhowells@redhat.com> · 2020-12-04
[PATCH v1 5/9] PKCS#7: Fix missing include · Mickaël Salaün <mic@digikod.net> · 2020-11-20
Re: [PATCH v1 5/9] PKCS#7: Fix missing include · David Howells <dhowells@redhat.com> · 2020-12-04
Re: [PATCH v1 5/9] PKCS#7: Fix missing include · Mickaël Salaün <mic@digikod.net> · 2020-12-04
[PATCH v1 7/9] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2020-11-20
[PATCH v1 9/9] tools/certs: Add print-cert-tbs-hash.sh · Mickaël Salaün <mic@digikod.net> · 2020-11-20
[PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2020-11-20
Re: [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check · David Howells <dhowells@redhat.com> · 2020-12-04
Re: [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2020-12-04
[PATCH v1 2/9] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2020-11-20
Re: [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict · David Howells <dhowells@redhat.com> · 2020-12-04
Re: [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2020-12-04
Re: [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2020-12-11
Re: [PATCH v1 0/9] Enable root to update the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2020-11-30
Re: [PATCH v1 0/9] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2020-11-30
Re: [PATCH v1 0/9] Enable root to update the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2020-12-02
Re: [PATCH v1 0/9] Enable root to update the blacklist keyring · David Howells <dhowells@redhat.com> · 2020-12-04
Re: [PATCH v1 0/9] Enable root to update the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2020-12-04

From: David Howells <dhowells@redhat.com>
Date: 2020-12-04 14:07:51
Also in: keyrings, linux-crypto, linux-integrity, lkml

Mickaël Salaün [off-list ref] wrote:

When looking for a blacklisted hash, bin2hex() is used to transform a
binary hash to an ascii (lowercase) hexadecimal string.  This string is
then search for in the description of the keys from the blacklist
keyring.  When adding a key to the blacklist keyring,
blacklist_vet_description() checks the hash prefix and the hexadecimal
string, but not that this string is lowercase.  It is then valid to set
hashes with uppercase hexadecimal, which will be silently ignored by the
kernel.

Add an additional check to blacklist_vet_description() to check that
hexadecimal strings are in lowercase.

I wonder if it would be a better idea to allow the keyring type to adjust the
description string - in this instance to change it to all lowercase.

David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help