Re: [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check

From: David Howells
Date: Fri Dec 04 2020 - 09:07:52 EST


Mickaël Salaün <mic@xxxxxxxxxxx> wrote:

> When looking for a blacklisted hash, bin2hex() is used to transform a
> binary hash to an ASCII (lowercase) hexadecimal string. This string is
> then searched for in the description of the keys from the blacklist
> keyring. When adding a key to the blacklist keyring,
> blacklist_vet_description() checks the hash prefix and the hexadecimal
> string, but not that this string is lowercase. It is then valid to set
> hashes with uppercase hexadecimal, which will be silently ignored by the
> kernel.
>
> Add an additional check to blacklist_vet_description() to check that
> hexadecimal strings are in lowercase.

I wonder if it would be a better idea to allow the keyring type to adjust the
description string - in this instance to change it to all lowercase.

David
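
The mismatch described in the quoted commit message, and the two remedies discussed in this thread (rejecting uppercase at vetting time, or lowercasing the description before it is stored), as an added userspace C sketch that is not part of the original thread and is not kernel code. The `<prefix>:<hex>` layout, the function names and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code. Assumed layout: "<prefix>:<hex>". */
/* Vet: non-empty prefix, then an even, non-zero count of lowercase hex. */
int vet_description(const char *desc)
{
	const char *p = strchr(desc, ':');
	size_t n = 0;
	if (!p || p == desc)
		return -1;
	for (p++; *p; p++, n++)
		if (!isxdigit((unsigned char)*p) || isupper((unsigned char)*p))
			return -1;
	return (n == 0 || (n & 1)) ? -1 : 0;
}

/* Alternative from the reply: fold the hex part to lowercase in place. */
void normalize_description(char *desc)
{
	char *p = strchr(desc, ':');
	while (p && *++p)
		*p = (char)tolower((unsigned char)*p);
}

/* Lookup model: exact match of "<prefix>:<lowercase hex>" with `stored`. */
int is_blacklisted(const char *stored, const char *prefix,
		   const unsigned char *hash, size_t len)
{
	char buf[160];
	int off = snprintf(buf, sizeof(buf), "%s:", prefix);
	if (off < 0 || (size_t)off + 2 * len + 1 > sizeof(buf))
		return 0;
	for (size_t i = 0; i < len; i++)
		off += sprintf(buf + off, "%02x", hash[i]);
	return strcmp(buf, stored) == 0;
}

int main(void)
{
	const unsigned char h[] = { 0xab, 0xcd, 0x12, 0xef }; /* constructed */
	char d[] = "bin:ABCD12EF"; /* constructed uppercase entry */
	printf("vet=%d hit=%d\n", vet_description(d), is_blacklisted(d, "bin", h, 4));
	normalize_description(d);
	printf("vet=%d hit=%d\n", vet_description(d), is_blacklisted(d, "bin", h, 4));
	return 0;
}
```

The uppercase entry is rejected by the strict vet and, if stored anyway, never matches the lowercase lookup string; after normalization it passes both.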