[PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check

David Howells dhowells at redhat.com
Fri Dec 4 14:05:59 UTC 2020

Mickaël Salaün <mic at digikod.net> wrote:

> When looking for a blacklisted hash, bin2hex() is used to transform a
> binary hash to an ASCII (lowercase) hexadecimal string.  This string is
> then searched for in the description of the keys from the blacklist
> keyring.  When adding a key to the blacklist keyring,
> blacklist_vet_description() checks the hash prefix and the hexadecimal
> string, but not that this string is lowercase.  It is then valid to set
> hashes with uppercase hexadecimal, which will be silently ignored by the
> kernel.
> Add an additional check to blacklist_vet_description() to check that
> hexadecimal strings are in lowercase.

I wonder if it would be a better idea to allow the keyring type to adjust the
description string - in this instance to change it to all lowercase.
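As an added illustration, not code from the patch or from the kernel, here is a simplified user-space model of the two sides the quoted description contrasts: a vetting check that accepts only lowercase hex (the patch's approach) and a lookup that renders the binary hash with a bin2hex()-style lowercase conversion and then does an exact, case-sensitive string compare, so an uppercase entry that slipped past vetting never matches. The prefix set {"tbs:", "bin:"}, the 64-byte hash limit and the sample hash are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample hash: renders as "ab12" in lowercase hex. */
static const unsigned char sample_hash[2] = { 0xab, 0x12 };

/* Stand-in for blacklist_vet_description(): accept "<prefix><hex>".
 * The prefix set is an assumption for this example. */
static bool vet_description(const char *desc)
{
    static const char *const prefixes[] = { "tbs:", "bin:" };
    const char *hex = NULL;

    for (size_t i = 0; i < 2; i++) {
        size_t n = strlen(prefixes[i]);
        if (strncmp(desc, prefixes[i], n) == 0) {
            hex = desc + n;
            break;
        }
    }
    if (!hex || !*hex)
        return false;
    for (const char *p = hex; *p; p++) {
        /* Lowercase digits only: "ab12" passes, "AB12" is rejected.
         * Without this rule the uppercase form would be stored but could
         * never match a lookup, which is the silent failure described. */
        bool ok = (*p >= '0' && *p <= '9') || (*p >= 'a' && *p <= 'f');
        if (!ok)
            return false;
    }
    return true;
}

/* Lookup side: bin2hex()-style lowercase rendering of the binary hash,
 * then an exact match against the stored description, as a keyring
 * description search does. Assumes hashes of at most 64 bytes. */
static bool blacklist_matches(const char *stored, const char *prefix,
                              const unsigned char *hash, size_t len)
{
    static const char digits[] = "0123456789abcdef";
    char key[4 + 2 * 64 + 1];
    size_t n = strlen(prefix);

    if (len > 64 || n > 4)
        return false;
    memcpy(key, prefix, n);
    for (size_t i = 0; i < len; i++) {
        key[n + 2 * i]     = digits[hash[i] >> 4];
        key[n + 2 * i + 1] = digits[hash[i] & 0x0f];
    }
    key[n + 2 * len] = '\0';
    return strcmp(stored, key) == 0; /* case-sensitive: "AB12" != "ab12" */
}
```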
