From: David Howells
To: jmorris@namei.org
Cc: dhowells@redhat.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Eric Biggers
Subject: [PATCH 1/6] PKCS#7: fix certificate chain verification
Date: Thu, 22 Feb 2018 16:20:34 +0000
Message-Id: <151931643415.27713.4671836834877309737.stgit@warthog.procyon.org.uk>
In-Reply-To: <151931642737.27713.5082532296556836948.stgit@warthog.procyon.org.uk>
References: <151931642737.27713.5082532296556836948.stgit@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers

When pkcs7_verify_sig_chain() is building the certificate chain for a
SignerInfo using the certificates in the PKCS#7 message, it is passing
the wrong arguments to public_key_verify_signature(). Consequently,
when the next certificate is supposed to be used to verify the previous
certificate, the next certificate is actually used to verify itself.

An attacker can use this bug to create a bogus certificate chain that
has no cryptographic relationship between the beginning and end.

Fortunately I couldn't quite find a way to use this to bypass the
overall signature verification, though it comes very close. Here's the
reasoning: due to the bug, every certificate in the chain beyond the
first actually has to be self-signed (where "self-signed" here refers to
the actual key and signature; an attacker might still manipulate the
certificate fields such that the self_signed flag doesn't actually get
set, and thus the chain doesn't end immediately). But to pass trust
validation (pkcs7_validate_trust()), either the SignerInfo or one of the
certificates has to actually be signed by a trusted key. Since only
self-signed certificates can be added to the chain, the only way for an
attacker to introduce a trusted signature is to include a self-signed
trusted certificate.

But, when pkcs7_validate_trust_one() reaches that certificate, instead
of trying to verify the signature on that certificate, it will actually
look up the corresponding trusted key, which will succeed, and then try
to verify the *previous* certificate, which will fail. Thus, disaster
is narrowly averted (as far as I could tell).

Fixes: 6c2dc5ae4ab7 ("X.509: Extract signature digest and make self-signed cert checks earlier")
Cc: # v4.7+
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
---
 crypto/asymmetric_keys/pkcs7_verify.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 39e6de0c2761..2f6a768b91d7 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -270,7 +270,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, sinfo->index); return 0; } - ret = public_key_verify_signature(p->pub, p->sig); + ret = public_key_verify_signature(p->pub, x509->sig); if (ret < 0) return ret; x509->signer = p;
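Review bot: The corrected call public_key_verify_signature(p->pub, x509->sig) carries no comment saying which variable is the candidate issuer and which is the certificate being checked, and with the single-letter name p next to x509 the earlier p->sig reads just as plausibly at a glance. A one-line comment above the call (verify x509's signature with p's public key), or renaming p to something like issuer, would make a repeat of the swap stand out. Because x509->signer = p is assigned straight after a successful return, a regression test would also be worth adding: a chain whose second certificate is validly self-signed but did not sign the first should be rejected by this function.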
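A toy model of the argument swap described in the commit message, added here as an example; it is not kernel code and not from the patch authors. The structs, toy_sign(), demo_chain() and the key values are constructed for illustration, and the real self_signed handling and trust validation are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model, constructed for this example: one 32-bit number serves as both
 * signing and verifying key, and a signature is (key * odd constant) ^ tbs. */
struct toy_sig  { uint32_t tbs, value; };
struct toy_cert { uint32_t pub; struct toy_sig sig; };

static uint32_t toy_sign(uint32_t key, uint32_t tbs) { return (key * 2654435761u) ^ tbs; }

/* Same argument shape as public_key_verify_signature(pub, sig): 0 or -1. */
static int toy_verify(uint32_t pub, const struct toy_sig *sig)
{
	return sig->value == toy_sign(pub, sig->tbs) ? 0 : -1;
}

static struct toy_cert make_cert(uint32_t own_key, uint32_t signer_key, uint32_t tbs)
{
	return (struct toy_cert){ own_key, { tbs, toy_sign(signer_key, tbs) } };
}

/* certs[i + 1] is the claimed issuer of certs[i]; buggy selects the pre-fix call. */
static int chain_verify(const struct toy_cert *certs, size_t n, int buggy)
{
	for (size_t i = 0; i + 1 < n; i++) {
		const struct toy_cert *x509 = &certs[i], *p = &certs[i + 1];
		if (toy_verify(p->pub, buggy ? &p->sig : &x509->sig) < 0)
			return -1;
	}
	return 0;
}

/* Two-cert chain: leaf (key 0x1111), then a cert with key 0x2222. */
static int demo_chain(uint32_t leaf_signer, uint32_t top_signer, int buggy)
{
	struct toy_cert c[2] = { make_cert(0x1111, leaf_signer, 1), make_cert(0x2222, top_signer, 2) };
	return chain_verify(c, 2, buggy);
}

int main(void)
{
	/* Leaf signed by absent key 0x9999, top cert self-signed: unrelated certs. */
	printf("unrelated:    pre-fix=%d fixed=%d\n",
	       demo_chain(0x9999, 0x2222, 1), demo_chain(0x9999, 0x2222, 0));
	/* Leaf really signed by 0x2222, whose own cert is signed by absent key 0x3333. */
	printf("intermediate: pre-fix=%d fixed=%d\n",
	       demo_chain(0x2222, 0x3333, 1), demo_chain(0x2222, 0x3333, 0));
	return 0;
}
```

The second case shows the other side of the bug: before the fix, a genuine link to a non-self-signed issuer is refused, which is why every certificate beyond the first had to be self-signed.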