
Commit 141e523

l0kodjarkkojs
authored andcommitted
certs: Factor out the blacklist hash creation
Factor out the blacklist hash creation with the get_raw_hash() helper. This also centralizes the "tbs" and "bin" prefixes and makes them private, which helps to manage them consistently. Cc: David Howells <[email protected]> Cc: David S. Miller <[email protected]> Cc: David Woodhouse <[email protected]> Cc: Eric Snowberg <[email protected]> Cc: Herbert Xu <[email protected]> Cc: Jarkko Sakkinen <[email protected]> Signed-off-by: Mickaël Salaün <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jarkko Sakkinen <[email protected]>
1 parent 58d4163 commit 141e523

4 files changed

+73
-46
lines changed

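--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -83,11 +83,43 @@ static struct key_type key_type_blacklist = {
 	.describe = blacklist_describe,
 };
 
+static char *get_raw_hash(const u8 *hash, size_t hash_len,
+			  enum blacklist_hash_type hash_type)
+{
+	size_t type_len;
+	const char *type_prefix;
+	char *buffer, *p;
+
+	switch (hash_type) {
+	case BLACKLIST_HASH_X509_TBS:
+		type_len = sizeof(tbs_prefix) - 1;
+		type_prefix = tbs_prefix;
+		break;
+	case BLACKLIST_HASH_BINARY:
+		type_len = sizeof(bin_prefix) - 1;
+		type_prefix = bin_prefix;
+		break;
+	default:
+		WARN_ON_ONCE(1);
+		return ERR_PTR(-EINVAL);
+	}
+	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
+	if (!buffer)
+		return ERR_PTR(-ENOMEM);
+	p = memcpy(buffer, type_prefix, type_len);
+	p += type_len;
+	*p++ = ':';
+	bin2hex(p, hash, hash_len);
+	p += hash_len * 2;
+	*p = '\0';
+	return buffer;
+}
+
 /**
- * mark_hash_blacklisted - Add a hash to the system blacklist
+ * mark_raw_hash_blacklisted - Add a hash to the system blacklist
  * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
  */
-int mark_hash_blacklisted(const char *hash)
+static int mark_raw_hash_blacklisted(const char *hash)
 {
 	key_ref_t key;
 
@@ -107,29 +139,36 @@ int mark_hash_blacklisted(const char *hash)
 	return 0;
 }
 
+int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
+			  enum blacklist_hash_type hash_type)
+{
+	const char *buffer;
+	int err;
+
+	buffer = get_raw_hash(hash, hash_len, hash_type);
+	if (IS_ERR(buffer))
+		return PTR_ERR(buffer);
+	err = mark_raw_hash_blacklisted(buffer);
+	kfree(buffer);
+	return err;
+}
+
 /**
  * is_hash_blacklisted - Determine if a hash is blacklisted
  * @hash: The hash to be checked as a binary blob
  * @hash_len: The length of the binary hash
- * @type: Type of hash
+ * @hash_type: Type of hash
  */
-int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
+int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+			enum blacklist_hash_type hash_type)
 {
 	key_ref_t kref;
-	size_t type_len = strlen(type);
-	char *buffer, *p;
+	const char *buffer;
 	int ret = 0;
 
-	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
-	if (!buffer)
-		return -ENOMEM;
-	p = memcpy(buffer, type, type_len);
-	p += type_len;
-	*p++ = ':';
-	bin2hex(p, hash, hash_len);
-	p += hash_len * 2;
-	*p = 0;
-
+	buffer = get_raw_hash(hash, hash_len, hash_type);
+	if (IS_ERR(buffer))
+		return PTR_ERR(buffer);
 	kref = keyring_search(make_key_ref(blacklist_keyring, true),
 			      &key_type_blacklist, buffer, false);
 	if (!IS_ERR(kref)) {
@@ -144,7 +183,8 @@ EXPORT_SYMBOL_GPL(is_hash_blacklisted);
 
 int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 {
-	if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
+	if (is_hash_blacklisted(hash, hash_len, BLACKLIST_HASH_BINARY) ==
+	    -EKEYREJECTED)
 		return -EPERM;
 
 	return 0;
@@ -217,7 +257,7 @@ static int __init blacklist_init(void)
 		panic("Can't allocate system blacklist keyring\n");
 
 	for (bl = blacklist_hashes; *bl; bl++)
-		if (mark_hash_blacklisted(*bl) < 0)
+		if (mark_raw_hash_blacklisted(*bl) < 0)
 			pr_err("- blacklisting failed\n");
 	return 0;
 }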
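Review bot: The exported `mark_hash_blacklisted()` added in the second hunk has no kerneldoc, because the existing comment block was retargeted to the now-static `mark_raw_hash_blacklisted()`, so the public entry point that keyring_handler.c calls in this same commit is the one left undocumented. I would add a kerneldoc block above it with `@hash: The hash to blacklist as a binary blob`, `@hash_len: The length of the binary hash` and `@hash_type: Type of hash, selecting the key description prefix`, plus a return line stating 0 on success and a negative errno otherwise. `get_raw_hash()` in the first hunk deserves a short comment too, since its contract is not obvious from the name: the returned string is kmalloc'ed and must be kfree'd by the caller, and an unknown hash_type yields `ERR_PTR(-EINVAL)` after a one-time WARN. The `tbs_prefix`/`bin_prefix` definitions it references are outside this hunk, and the body of `is_hash_blacklisted()` continues past the second hunk, so I cannot confirm from here where the buffer is freed on the search path.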

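--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -69,7 +69,8 @@ int x509_get_sig_params(struct x509_certificate *cert)
 	if (ret < 0)
 		goto error_2;
 
-	ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs");
+	ret = is_hash_blacklisted(sig->digest, sig->digest_size,
+				  BLACKLIST_HASH_X509_TBS);
 	if (ret == -EKEYREJECTED) {
 		pr_err("Cert %*phN is blacklisted\n",
 		       sig->digest_size, sig->digest);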

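--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -10,6 +10,13 @@
 
 #include <linux/key.h>
 
+enum blacklist_hash_type {
+	/* TBSCertificate hash */
+	BLACKLIST_HASH_X509_TBS = 1,
+	/* Raw data hash */
+	BLACKLIST_HASH_BINARY = 2,
+};
+
 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
 
 extern int restrict_link_by_builtin_trusted(struct key *keyring,
@@ -54,13 +61,14 @@ static inline void __init set_machine_trusted_keys(struct key *keyring)
 
 extern struct pkcs7_message *pkcs7;
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
-extern int mark_hash_blacklisted(const char *hash);
+extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
+				 enum blacklist_hash_type hash_type);
 extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
-			       const char *type);
+			       enum blacklist_hash_type hash_type);
 extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
 #else
 static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
-				      const char *type)
+				      enum blacklist_hash_type hash_type)
 {
 	return 0;
 }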
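Review bot: `enum blacklist_hash_type` in the first hunk is a public header type but its constants only carry plain `/* */` comments, and nothing records why the enumerators start at 1. Since `get_raw_hash()` in certs/blacklist.c rejects any other value with -EINVAL, the value 0 is presumably left unused on purpose so that a zero-initialised type is caught instead of being mapped to a prefix; that is worth stating. I would turn the comments into a kerneldoc block, `/** enum blacklist_hash_type - Kind of hash stored in the blacklist keyring */` with `@BLACKLIST_HASH_X509_TBS:` and `@BLACKLIST_HASH_BINARY:` entries and a sentence noting that 0 is intentionally invalid. The `#else` branch in the second hunk shows a stub only for `is_hash_blacklisted()`; whether `mark_hash_blacklisted()` gets one for `!CONFIG_SYSTEM_BLACKLIST_KEYRING` is outside this hunk, so I cannot confirm that its new caller in keyring_handler.c links without the option.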

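--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -16,35 +16,13 @@ static efi_guid_t efi_cert_x509_sha256_guid __initdata =
 	EFI_CERT_X509_SHA256_GUID;
 static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
 
-/*
- * Blacklist a hash.
- */
-static __init void uefi_blacklist_hash(const char *source, const void *data,
-				       size_t len, const char *type,
-				       size_t type_len)
-{
-	char *hash, *p;
-
-	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
-	if (!hash)
-		return;
-	p = memcpy(hash, type, type_len);
-	p += type_len;
-	bin2hex(p, data, len);
-	p += len * 2;
-	*p = 0;
-
-	mark_hash_blacklisted(hash);
-	kfree(hash);
-}
-
 /*
  * Blacklist an X509 TBS hash.
  */
 static __init void uefi_blacklist_x509_tbs(const char *source,
 					   const void *data, size_t len)
 {
-	uefi_blacklist_hash(source, data, len, "tbs:", 4);
+	mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
 }
 
 /*
@@ -53,7 +31,7 @@ static __init void uefi_blacklist_x509_tbs(const char *source,
 static __init void uefi_blacklist_binary(const char *source,
 					 const void *data, size_t len)
 {
-	uefi_blacklist_hash(source, data, len, "bin:", 4);
+	mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
 }
 
 /*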
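Review bot: `uefi_blacklist_x509_tbs()` in the first hunk and `uefi_blacklist_binary()` in the second both discard the return value of `mark_hash_blacklisted()`, which now reports -ENOMEM and -EINVAL to these callers; a dbx entry that fails to be blacklisted is silently left accepted, which is the state these hooks exist to prevent. The removed `uefi_blacklist_hash()` had the same gap, but this commit surfaces the error to the callers for the first time and is the natural place to at least log it, as `blacklist_init()` in certs/blacklist.c already does. I would write `if (mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS) < 0)` followed by `pr_err("Failed to blacklist %s hash\n", source);`, and the same with `BLACKLIST_HASH_BINARY` in the second hunk; that also gives the otherwise-unused `source` parameter a purpose.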
