From patchwork Tue Nov 30 11:04:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1561596 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=QIttBK8I; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4J3KWq58p3z9t2p for ; Tue, 30 Nov 2021 22:20:22 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1ms1BC-0002DS-9X; Tue, 30 Nov 2021 11:20:10 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1ms0w3-00078y-6C for kernel-team@lists.ubuntu.com; Tue, 30 Nov 2021 11:04:31 +0000 Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id E76973FFF2 for ; Tue, 30 Nov 2021 11:04:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1638270270; bh=OSNaJ1QdxOhEhGoYfvRWfgr6PXUGrZBoUEMzjGNZMrE=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=QIttBK8Ivyh5HmER29VZTrzIkCAJRqO3uxyc41KsySyGUwWLGfRbmt8UpEjMa5zrH WrELHCmglrijG7b5xnfQOeHCfy4RvcGvy7+Ee9cNqzPqUNskWHAefjUtXMmjxW+seh IWnOf3fAKROaOSl6+nt+pu/Pu52lvMYlCUzH0uJttxzNDqgWmfi0dgpiVkAHI8QUTk ATxK/2rqpucXxXFBxmv9ehPqy332wJ/pkyKIDIOMGU/jZznlqgbAB0yH3lMIQDn399 NRTQtjyIwRdRpJ9yHsu6ir30evd+P7zkrW2sWC/sSo55JSAqJ+q73o8e4CPSVlW1Zh lmr0ZqZB1mGMw== Received: by mail-ed1-f70.google.com with SMTP id q17-20020aa7da91000000b003e7c0641b9cso16604041eds.12 for ; Tue, 30 Nov 2021 03:04:30 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=OSNaJ1QdxOhEhGoYfvRWfgr6PXUGrZBoUEMzjGNZMrE=; b=gMXj/JVTSk+r6lzkHmHjnH29NK+4vOrfX4o68rxT1g9uqhklwS3W6ZtOP7vwlJbpjx Sn5D7vWJb8xR/xZA3J+9vvFji1KOHcmfRgdal5JAVcEJa0eM0a5wfSyrttMWXBQHD2Pa GDzddXLdRjJkskaJIMDqFiLMCyZPXmOcMSR1dCBT1QxMQT07X/9GEPM4hof5/WU1O5ye gMpVTVzKNLayYCe1Gk9AoSNjjEQEOXY9snvmtch8HDxJPtAg00B+5FQCPK7AjKr1HSeV aZ5hZaXj82bGKZ3TxJwz2bUqtSMmoRoBG0rmpoILaaxV/vE/NRAgCRqje9YC/lOWAP4O LlcA== X-Gm-Message-State: AOAM5320M8gBrZFOhzReVgwQEPmi/ICqpHStr4I1eE+Owzi8qGxCr4uL C1WAtda5R03AotkqETi3WDxsHKPJ8HMPyc1yYh0GdX5NnBFSBATha0Z6Tozx4k/Y7kMJxXszUZA esAIQVk07qwXpJhPScVeurB0foGVBSCpez5G9i8Jy4w== X-Received: by 2002:aa7:c78f:: with SMTP id n15mr83058209eds.344.1638270270282; Tue, 30 Nov 2021 03:04:30 -0800 (PST) X-Google-Smtp-Source: ABdhPJwT++V3Sgoct3TH2xVLAZB/Sv+tldVF+mf9xuzw1KwtGWzClZKf10ed4wZ63JorNrff8chD4A== X-Received: by 2002:aa7:c78f:: with SMTP id n15mr83058159eds.344.1638270269842; Tue, 30 Nov 2021 03:04:29 -0800 (PST) Received: from localhost ([2001:67c:1560:8007::aac:c15c]) by smtp.gmail.com with ESMTPSA id qk9sm6369360ejc.68.2021.11.30.03.04.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Nov 2021 03:04:29 -0800 (PST) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][BIONIC][PATCH 06/16] certs: Move load_system_certificate_list to a common function Date: Tue, 30 Nov 2021 11:04:06 +0000 Message-Id: <20211130110416.171269-7-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com> References: <20211130110416.171269-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Eric Snowberg BugLink: https://bugs.launchpad.net/bugs/1936242 [ Upstream commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85 ] Move functionality within load_system_certificate_list to a common function, so it can be reused in the future. DH Changes: - Added inclusion of common.h to common.c (Eric [1]). Signed-off-by: Eric Snowberg Acked-by: Jarkko Sakkinen Signed-off-by: David Howells cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1] Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/ Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3 Signed-off-by: Sasha Levin Signed-off-by: Kamal Mostafa Signed-off-by: Stefan Bader --- certs/Makefile | 2 +- certs/common.c | 57 ++++++++++++++++++++++++++++++++++++++++++ certs/common.h | 9 +++++++ certs/system_keyring.c | 50 +++--------------------------------- 4 files changed, 70 insertions(+), 48 deletions(-) create mode 100644 certs/common.c create mode 100644 certs/common.h diff --git a/certs/Makefile b/certs/Makefile index ba3b209678..5a3956b637 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -3,7 +3,7 @@ # Makefile for the linux kernel signature checking certificates. # -obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o diff --git a/certs/common.c b/certs/common.c new file mode 100644 index 0000000000..16a220887a --- /dev/null +++ b/certs/common.c @@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include "common.h" + +int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + p = cert_list; + end = p + list_size; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(keyring, 1), + "asymmetric", + NULL, + p, + plen, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} diff --git a/certs/common.h b/certs/common.h new file mode 100644 index 0000000000..abdb579593 --- /dev/null +++ b/certs/common.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _CERT_COMMON_H +#define _CERT_COMMON_H + +int load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index da3a0c8193..83f6472aaf 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -19,6 +19,7 @@ #include #include #include +#include "common.h" #include "internal.h" static struct key *builtin_trusted_keys; @@ -138,55 +139,10 @@ device_initcall(system_trusted_keyring_init); */ static __init int load_system_certificate_list(void) { - key_ref_t key; - const u8 *p, *end; - size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - p = system_certificate_list; - end = p + system_certificate_list_size; - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - WARN_ON_ONCE(1); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - -dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; + return load_certificate_list(system_certificate_list, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);