[PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check
David Howells
dhowells at redhat.com
Fri Dec 4 14:05:59 UTC 2020
Mickaël Salaün <mic at digikod.net> wrote:
> When looking for a blacklisted hash, bin2hex() is used to transform a
> binary hash to an ascii (lowercase) hexadecimal string. This string is
> then search for in the description of the keys from the blacklist
> keyring. When adding a key to the blacklist keyring,
> blacklist_vet_description() checks the hash prefix and the hexadecimal
> string, but not that this string is lowercase. It is then valid to set
> hashes with uppercase hexadecimal, which will be silently ignored by the
> kernel.
>
> Add an additional check to blacklist_vet_description() to check that
> hexadecimal strings are in lowercase.
I wonder if it would be a better idea to allow the keyring type to adjust the
description string - in this instance to change it to all lowercase.
David
More information about the Linux-security-module-archive
mailing list