03 Aug, 2014
1 commit
-
Need to export x509_request_asymmetric_key() so that PKCS#7 can use it if
compiled as a module.

Reported-by: James Morris
Signed-off-by: David Howells
31 Jul, 2014
1 commit
-
X.509 certificate issuer and subject fields are mandatory fields in the ASN.1
and so their existence needn't be tested for. They are guaranteed to end up
with an empty string if the name material has nothing we can use (see
x509_fabricate_name()).

Reported-by: Dan Carpenter
Signed-off-by: David Howells
Acked-by: Vivek Goyal
29 Jul, 2014
1 commit
-
pkcs7_request_asymmetric_key() and x509_request_asymmetric_key() do the same
thing, the latter being a copy of the former created by the IMA folks, so drop
the PKCS#7 version as the X.509 location is more general.

Whilst we're at it, rename the arguments of x509_request_asymmetric_key() to
better reflect what the values being passed in are intended to match on an
X.509 cert.

Signed-off-by: David Howells
Acked-by: Mimi Zohar
28 Jul, 2014
2 commits
-
x509_request_asymmetric_keys() doesn't need the lengths of the NUL-terminated
strings passing in as it can work that out for itself.

Signed-off-by: David Howells
Acked-by: Mimi Zohar
-
Fixes the following sparse warnings:
crypto/asymmetric_keys/pkcs7_key_type.c:73:17: warning:
symbol 'key_type_pkcs7' was not declared. Should it be static?

Signed-off-by: Wei Yongjun
Signed-off-by: David Howells
25 Jul, 2014
1 commit
-
crypto/asymmetric_keys/pkcs7_key_type.c needs to #include linux/err.h rather
than relying on getting it through other headers.

Without this, the powerpc allyesconfig build fails.

Reported-by: Stephen Rothwell
Signed-off-by: David Howells
23 Jul, 2014
5 commits
-
Signed-off-by: David Howells
-
Signed-off-by: David Howells
-
Here's a set of changes that implement a PE file signature checker.
This provides the following facility:
(1) Extract the signature from the PE file. This is a PKCS#7 message
containing, as its data, a hash of the signed parts of the file.

(2) Digest the signed parts of the file.

(3) Compare the digest with the one from the PKCS#7 message.

(4) Validate the signatures on the PKCS#7 message and indicate
whether it was matched by a trusted key.

Signed-off-by: David Howells
-
Here's a set of changes that implement a PKCS#7 message parser in the kernel.
The PKCS#7 message parsing will then be used to limit kexec to authenticated
kernels only if so configured.

The changes provide the following facilities:

(1) Parse an ASN.1 PKCS#7 message and pick out useful bits such as the data
content and the X.509 certificates used to sign it and all the data
signatures.

(2) Verify all the data signatures against the set of X.509 certificates
available in the message.

(3) Follow the certificate chains and verify that:

(a) for every self-signed X.509 certificate, check that it validly signed
itself, and:

(b) for every non-self-signed certificate, if we have a 'parent'
certificate, the former is validly signed by the latter.

(4) Look for intersections between the certificate chains and the trusted
keyring, if any intersections are found, verify that the trusted
certificates signed the intersection point in the chain.

(5) For testing purposes, a key type can be made available that will take a
PKCS#7 message, check that the message is trustworthy, and if so, add its
data content into the key.

Note that (5) has to be altered to take account of the preparsing patches
already committed to this branch.

Signed-off-by: David Howells
-
struct key_preparsed_payload should have two payload pointers to correspond
with those in struct key.

Signed-off-by: David Howells
Acked-by: Steve Dickson
Acked-by: Jeff Layton
Reviewed-by: Sage Weil
19 Jul, 2014
1 commit
-
Provide a generic instantiation function for key types that use the preparse
hook. This makes it easier to prereserve key quota before keyrings get locked
to retain the new key.

Signed-off-by: David Howells
Acked-by: Steve Dickson
Acked-by: Jeff Layton
Reviewed-by: Sage Weil
18 Jul, 2014
1 commit
-
You can select MPILIB_EXTRA all you want, it doesn't exist ;-)
Surprised kconfig doesn't complain about that...
Signed-off-by: Jean Delvare
Acked-by: Marek Vasut
Signed-off-by: David Howells
Cc: Herbert Xu
Cc: "David S. Miller"
17 Jul, 2014
4 commits
-
Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed only by
builtin keys on the system keyring.

This patch defines a new option 'builtin' for the kernel parameter
'keys_ownerid' to allow trust validation using builtin keys.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch

Changelog v7:
- rename builtin_keys to use_builtin_keys

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed by a
particular key on the system keyring.

This patch defines a new kernel parameter 'ca_keys' to identify the
specific key which must be used for trust validation of certificates.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch.

Changelog:
- support for builtin x509 public keys only
- export "asymmetric_keyid_match"
- remove ifndefs MODULE
- rename kernel boot parameter from keys_ownerid to ca_keys

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
To avoid code duplication this patch refactors asymmetric_key_match(),
making partial ID string match a separate function.

This patch also implicitly fixes a bug in the code. asymmetric_key_match()
allows to match the key by its subtype. But subtype matching could be
undone if asymmetric_key_id(key) would return NULL. This patch first
checks for matching spec and then for its value.

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
Only public keys, with certificates signed by an existing
'trusted' key on the system trusted keyring, should be added
to a trusted keyring. This patch adds support for verifying
a certificate's signature.

This is derived from David Howells pkcs7_request_asymmetric_key() patch.

Changelog v6:
- on error free key - Dmitry
- validate trust only for not already trusted keys - Dmitry
- formatting cleanup

Changelog:
- define get_system_trusted_keyring() to fix kbuild issues

Signed-off-by: Mimi Zohar
Signed-off-by: David Howells
Acked-by: Dmitry Kasatkin
09 Jul, 2014
8 commits
-
Validate the PKCS#7 trust chain against the contents of the system keyring.
Signed-off-by: David Howells
Acked-by: Vivek Goyal
-
Digest the signed parts of the PE binary, canonicalising the section table
before we need it, and then compare the resulting digest to the one in the
PKCS#7 signed content.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
The pesign utility had a bug where it was using OID_msIndividualSPKeyPurpose
instead of OID_msPeImageDataObjId - so allow both OIDs.

Signed-off-by: Vivek Goyal
Acked-by: Vivek Goyal
-
The PKCS#7 certificate should contain a "Microsoft individual code signing"
data blob as its signed content. This blob contains a digest of the signed
content of the PE binary and the OID of the digest algorithm used (typically
SHA256).

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Parse the content of the certificate blob, presuming it to be PKCS#7 format.
Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
The certificate data block in a PE binary has a wrapper around the PKCS#7
signature we actually want to get at. Strip this off and check that we've got
something that appears to be a PKCS#7 signature.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Parse a PE binary to find a key and a signature contained therein. Later
patches will check the signature and add the key if the signature checks out.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Signed-off-by: David Howells
Acked-by: Vivek Goyal
08 Jul, 2014
6 commits
-
Provide a key type for testing the PKCS#7 parser. It is given a non-detached
PKCS#7 message as payload:

keyctl padd pkcs7_test a @s out
stuff.txt:
echo "The quick red fox jumped over the lazy brown dog" >stuff.txt

certs: key1.x509 key2.x509 key3.x509 key4.x509
cat key{1,3}.x509 >$@

###############################################################################
#
# Generate a signed key
#
# openssl x509 -text -inform PEM -noout -in key2.x509
#
###############################################################################
key2.x509: key2.x509_unsigned key1.priv key1.x509
openssl x509 \
-req -in key2.x509_unsigned \
-out key2.x509 \
-extfile key2.genkey -extensions myexts \
-CA key1.x509 \
-CAkey key1.priv \
-CAcreateserial

key2.priv key2.x509_unsigned: key2.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key2.genkey \
-keyout key2.priv \
-out key2.x509_unsigned

key2.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 2"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:FALSE"
@echo >>$@ "keyUsage=digitalSignature"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"

###############################################################################
#
# Generate a couple of signing keys
#
# openssl x509 -text -inform PEM -noout -in key1.x509
#
###############################################################################
key1.x509: key1.x509_unsigned key4.priv key4.x509
openssl x509 \
-req -in key1.x509_unsigned \
-out key1.x509 \
-extfile key1.genkey -extensions myexts \
-CA key4.x509 \
-CAkey key4.priv \
-CAcreateserial

key1.priv key1.x509_unsigned: key1.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key1.genkey \
-keyout key1.priv \
-out key1.x509_unsigned

key1.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 1"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"

###############################################################################
#
# Generate a signed key
#
# openssl x509 -text -inform PEM -noout -in key4.x509
#
###############################################################################
key4.x509: key4.x509_unsigned key3.priv key3.x509
openssl x509 \
-req -in key4.x509_unsigned \
-out key4.x509 \
-extfile key4.genkey -extensions myexts \
-CA key3.x509 \
-CAkey key3.priv \
-CAcreateserial

key4.priv key4.x509_unsigned: key4.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -outform PEM \
-config key4.genkey \
-keyout key4.priv \
-out key4.x509_unsigned

key4.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 4"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"

###############################################################################
#
# Generate a couple of signing keys
#
# openssl x509 -text -inform PEM -noout -in key3.x509
#
###############################################################################
key3.priv key3.x509: key3.genkey
openssl req -new -nodes -utf8 -sha1 -days 36500 \
-batch -x509 -outform PEM \
-config key3.genkey \
-keyout key3.priv \
-out key3.x509

key3.genkey:
@echo Generating X.509 key generation config
@echo >$@ "[ req ]"
@echo >>$@ "default_bits = 4096"
@echo >>$@ "distinguished_name = req_distinguished_name"
@echo >>$@ "prompt = no"
@echo >>$@ "string_mask = utf8only"
@echo >>$@ "x509_extensions = myexts"
@echo >>$@
@echo >>$@ "[ req_distinguished_name ]"
@echo >>$@ "O = Magrathea"
@echo >>$@ "CN = PKCS7 key 3"
@echo >>$@ "emailAddress = slartibartfast@magrathea.h2g2"
@echo >>$@
@echo >>$@ "[ myexts ]"
@echo >>$@ "basicConstraints=critical,CA:TRUE"
@echo >>$@ "keyUsage=digitalSignature,keyCertSign"
@echo >>$@ "subjectKeyIdentifier=hash"
@echo >>$@ "authorityKeyIdentifier=keyid"

clean:
$(RM) *~
$(RM) key1.* key2.* key3.* key4.* stuff.* out certs

Signed-off-by: David Howells
-
Find the intersection between the X.509 certificate chain contained in a PKCS#7
message and a set of keys that we already know and trust.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Verify certificate chain in the X.509 certificates contained within the PKCS#7
message as far as possible. If any signature that we should be able to verify
fails, we reject the whole lot.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Find the appropriate key in the PKCS#7 key list and verify the signature with
it. There may be several keys in there forming a chain. Any link in that
chain or the root of that chain may be in our keyrings.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Digest the data in a PKCS#7 signed-data message and attach to the
public_key_signature struct contained in the pkcs7_message struct.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
-
Implement a parser for a PKCS#7 signed-data message as described in part of
RFC 2315.

Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
03 Jul, 2014
1 commit
-
Export certificate parse and free functions for use by modules.
Signed-off-by: David Howells
Acked-by: Vivek Goyal
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
01 Jul, 2014
1 commit
-
PKCS#7 validation requires access to the serial number and the raw names in an
X.509 certificate.

Signed-off-by: David Howells
Reviewed-by: Kees Cook
Reviewed-by: Josh Boyer
24 Nov, 2013
2 commits
-
This reverts commit 09fbc47373826d67531380662b516de2da120545, which
caused the following build errors:

crypto/asymmetric_keys/x509_public_key.c: In function ‘x509_key_preparse’:
crypto/asymmetric_keys/x509_public_key.c:237:35: error: ‘system_trusted_keyring’ undeclared (first use in this function)
ret = x509_validate_trust(cert, system_trusted_keyring);
^
crypto/asymmetric_keys/x509_public_key.c:237:35: note: each undeclared identifier is reported only once for each function it appears in

reported by Jim Davis. Mimi says:

"I made the classic mistake of requesting this patch to be upstreamed
at the last second, rather than waiting until the next open window.

At this point, the best course would probably be to revert the two
commits and fix them for the next open window"

Reported-by: Jim Davis
Acked-by: Mimi Zohar
Signed-off-by: Linus Torvalds
-
Pull crypto update from Herbert Xu:
- Made x86 ablk_helper generic for ARM
- Phase out chainiv in favour of eseqiv (affects IPsec)
- Fixed aes-cbc IV corruption on s390
- Added constant-time crypto_memneq which replaces memcmp
- Fixed aes-ctr in omap-aes
- Added OMAP3 ROM RNG support
- Add PRNG support for MSM SoC's
- Add and use Job Ring API in caam
- Misc fixes

[ NOTE! This pull request was sent within the merge window, but Herbert
has some questionable email sending setup that makes him public enemy
#1 as far as gmail is concerned. So most of his emails seem to be
trapped by gmail as spam, resulting in me not seeing them. - Linus ]

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (49 commits)
crypto: s390 - Fix aes-cbc IV corruption
crypto: omap-aes - Fix CTR mode counter length
crypto: omap-sham - Add missing modalias
padata: make the sequence counter an atomic_t
crypto: caam - Modify the interface layers to use JR API's
crypto: caam - Add API's to allocate/free Job Rings
crypto: caam - Add Platform driver for Job Ring
hwrng: msm - Add PRNG support for MSM SoC's
ARM: DT: msm: Add Qualcomm's PRNG driver binding document
crypto: skcipher - Use eseqiv even on UP machines
crypto: talitos - Simplify key parsing
crypto: picoxcell - Simplify and harden key parsing
crypto: ixp4xx - Simplify and harden key parsing
crypto: authencesn - Simplify key parsing
crypto: authenc - Export key parsing helper function
crypto: mv_cesa: remove deprecated IRQF_DISABLED
hwrng: OMAP3 ROM Random Number Generator support
crypto: sha256_ssse3 - also test for BMI2
crypto: mv_cesa - Remove redundant of_match_ptr
crypto: sahara - Remove redundant of_match_ptr
...
01 Nov, 2013
1 commit
-
The RSA public key algorithm needs to select MPILIB directly in Kconfig as the
'select' directive is not recursive and thus MPILIB is not enabled by
selecting MPILIB_EXTRA.

Without this, the following errors can occur:

crypto/built-in.o: In function `RSA_verify_signature':
rsa.c:(.text+0x1d347): undefined reference to `mpi_get_nbits'
rsa.c:(.text+0x1d354): undefined reference to `mpi_get_nbits'
rsa.c:(.text+0x1d36e): undefined reference to `mpi_cmp_ui'
rsa.c:(.text+0x1d382): undefined reference to `mpi_cmp'
rsa.c:(.text+0x1d391): undefined reference to `mpi_alloc'
rsa.c:(.text+0x1d3b0): undefined reference to `mpi_powm'
rsa.c:(.text+0x1d3c3): undefined reference to `mpi_free'
rsa.c:(.text+0x1d3d8): undefined reference to `mpi_get_buffer'
rsa.c:(.text+0x1d4d4): undefined reference to `mpi_free'
rsa.c:(.text+0x1d503): undefined reference to `mpi_get_nbits'

Reported-by: Randy Dunlap
Signed-off-by: David Howells
Acked-by: Randy Dunlap
26 Oct, 2013
2 commits
-
In preparation of supporting more hash algorithms with larger hash sizes
needed for signature verification, this patch replaces the 20 byte sized
digest, with a more flexible structure. The new structure includes the
hash algorithm, digest size, and digest.

Changelog:
- recalculate filedata hash for the measurement list, if the signature
hash digest size is greater than 20 bytes.
- use generic HASH_ALGO_
- make ima_calc_file_hash static
- scripts lindent and checkpatch fixes

Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
-
This patch makes use of the newly defined common hash algorithm info,
replacing, for example, PKEY_HASH with HASH_ALGO.

Changelog:
- Lindent fixes - Mimi

CC: David Howells
Signed-off-by: Dmitry Kasatkin
Signed-off-by: Mimi Zohar
07 Oct, 2013
1 commit
-
When comparing MAC hashes, AEAD authentication tags, or other hash
values in the context of authentication or integrity checking, it
is important not to leak timing information to a potential attacker,
i.e. when communication happens over a network.

Bytewise memory comparisons (such as memcmp) are usually optimized so
that they return a nonzero value as soon as a mismatch is found. E.g.,
on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
and up to ~850 cyc for a full match (cold). This early-return behavior
can leak timing information as a side channel, allowing an attacker to
iteratively guess the correct result.

This patch adds a new method crypto_memneq ("memory not equal to each
other") to the crypto API that compares memory areas of the same length
in roughly "constant time" (cache misses could change the timing, but
since they don't reveal information about the content of the strings
being compared, they are effectively benign). Iow, best and worst case
behaviour take the same amount of time to complete (in contrast to
memcmp).

Note that crypto_memneq (unlike memcmp) can only be used to test for
equality or inequality, NOT for lexicographical order. This, however,
is not an issue for its use-cases within the crypto API.

We tried to locate all of the places in the crypto API where memcmp was
being used for authentication or integrity checking, and convert them
over to crypto_memneq.

crypto_memneq is declared noinline, placed in its own source file,
and compiled with optimizations that might increase code size disabled
("Os") because a smart compiler (or LTO) might notice that the return
value is always compared against zero/nonzero, and might then
reintroduce the same early-return optimization that we are trying to
avoid.

Using #pragma or __attribute__ optimization annotations of the code
for disabling optimization was avoided as it seems to be considered
broken or unmaintained for long time in GCC [1]. Therefore, we work
around that by specifying the compile flag for memneq.o directly in
the Makefile. We found that this seems to be most appropriate.

As we use ("Os"), this patch also provides a loop-free "fast-path" for
frequently used 16 byte digests. Similarly to kernel library string
functions, leave an option for future even further optimized architecture
specific assembler implementations.

This was a joint work of James Yonan and Daniel Borkmann. Also thanks
for feedback from Florian Weimer on this and earlier proposals [2].

[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131

Signed-off-by: James Yonan
Signed-off-by: Daniel Borkmann
Cc: Florian Weimer
Signed-off-by: Herbert Xu
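
The early-return leak and the constant-time comparison described in the commit message above, as an added C example that is not the kernel's crypto_memneq and not code from the commit. The names leaky_memneq, ct_memneq and run_case and the 16-byte tag are hypothetical and constructed for illustration; the count of bytes examined stands in for the run time an observer could measure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16	/* constructed size: a 16-byte digest or tag */

struct cmp { int neq; size_t steps; };	/* result and bytes examined */

/* Early-return comparison (memcmp-like): the work done depends on where
 * the first mismatching byte sits, which is the timing side channel. */
int leaky_memneq(const void *a, const void *b, size_t n, size_t *steps)
{
	const unsigned char *pa = a, *pb = b;
	size_t i;

	*steps = 0;
	for (i = 0; i < n; i++) {
		*steps = i + 1;
		if (pa[i] != pb[i])
			return 1;	/* stops at the first mismatch */
	}
	return 0;
}

/* Constant-time variant: always reads all n bytes and folds every byte
 * difference into one accumulator. It reports equal/not-equal only,
 * never lexicographical order. */
int ct_memneq(const void *a, const void *b, size_t n, size_t *steps)
{
	const volatile unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= pa[i] ^ pb[i];
	*steps = i;
	return diff != 0;
}

/* Compare a constructed tag against a guess whose first wrong byte is at
 * mismatch_at (mismatch_at >= TAG_LEN means the guess is identical). */
struct cmp run_case(int constant_time, size_t mismatch_at)
{
	unsigned char tag[TAG_LEN], guess[TAG_LEN];
	struct cmp r;
	size_t i;

	for (i = 0; i < TAG_LEN; i++)
		tag[i] = (unsigned char)(0xA0 + i);	/* constructed sample tag */
	memcpy(guess, tag, TAG_LEN);
	if (mismatch_at < TAG_LEN)
		guess[mismatch_at] ^= 0xFF;
	r.neq = constant_time ? ct_memneq(tag, guess, TAG_LEN, &r.steps)
			      : leaky_memneq(tag, guess, TAG_LEN, &r.steps);
	return r;
}

int main(void)
{
	size_t at;

	for (at = 0; at <= TAG_LEN; at += 4)
		printf("mismatch_at=%2zu leaky_steps=%2zu ct_steps=%2zu neq=%d\n",
		       at, run_case(0, at).steps, run_case(1, at).steps,
		       run_case(1, at).neq);
	return 0;
}
```

The volatile qualifier here only discourages the compiler from short-circuiting the loop; the precautions the commit message lists (noinline, a separate source file, a fixed optimization flag) are build-level measures not reproduced in this example.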
26 Sep, 2013
1 commit
-
This patch fixes lack of license, otherwise x509_key_parser.ko taints kernel.
Signed-off-by: Konstantin Khlebnikov
Signed-off-by: David Howells