From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stefan Berger, Tianjia Zhang, Eric Biggers, Vitaly Chikunov, Jarkko Sakkinen
Subject: [PATCH 5.16 0058/1017] KEYS: asymmetric: enforce that sig algo matches key algo
Date: Tue, 5 Apr 2022 09:16:11 +0200
Message-Id: <20220405070355.907534859@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>

From: Eric Biggers

commit 2abc9c246e0548e52985b10440c9ea3e9f65f793 upstream.

Most callers of public_key_verify_signature(), including most indirect callers via verify_signature() as well as pkcs7_verify_sig_chain(), don't check that public_key_signature::pkey_algo matches public_key::pkey_algo. These should always match. However, a malicious signature could intentionally declare an unintended algorithm. It is essential that such signatures be rejected outright, or that the algorithm of the *key* be used -- not the algorithm of the signature as that would allow attackers to choose the algorithm used.

Currently, public_key_verify_signature() correctly uses the key's algorithm when deciding which akcipher to allocate. That's good. However, it uses the signature's algorithm when deciding whether to do the first step of SM2, which is incorrect. Also, v4.19 and older kernels used the signature's algorithm for the entire process.

Prevent such errors by making public_key_verify_signature() enforce that the signature's algorithm (if given) matches the key's algorithm.

Also remove two checks of this done by callers, which are now redundant.

Cc: stable@vger.kernel.org
Tested-by: Stefan Berger
Tested-by: Tianjia Zhang
Signed-off-by: Eric Biggers
Reviewed-by: Vitaly Chikunov
Reviewed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Greg Kroah-Hartman

--- crypto/asymmetric_keys/pkcs7_verify.c | 6 ------ crypto/asymmetric_keys/public_key.c | 15 +++++++++++++++ crypto/asymmetric_keys/x509_public_key.c | 6 ------ 3 files changed, 15 insertions(+), 12 deletions(-) --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c 
@@ -174,12 +174,6 @@ static int pkcs7_find_key(struct pkcs7_m pr_devel("Sig %u: Found cert serial match X.509[%u]\n", sinfo->index, certix); - if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) { - pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", - sinfo->index); - continue; - } - sinfo->signer = x509; return 0; } --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -325,6 +325,21 @@ int public_key_verify_signature(const st BUG_ON(!sig); BUG_ON(!sig->s); + /* + * If the signature specifies a public key algorithm, it *must* match + * the key's actual public key algorithm. + * + * Small exception: ECDSA signatures don't specify the curve, but ECDSA + * keys do. So the strings can mismatch slightly in that case: + * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. + */ + if (sig->pkey_algo) { + if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && + (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || + strcmp(sig->pkey_algo, "ecdsa") != 0)) + return -EKEYREJECTED; + } + ret = software_key_determine_akcipher(sig->encoding, sig->hash_algo, pkey, alg_name); --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -128,12 +128,6 @@ int x509_check_for_self_signed(struct x5 goto out; } - ret = -EKEYREJECTED; - if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 && - (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 || - strcmp(cert->sig->pkey_algo, "ecdsa") != 0)) - goto out; - ret = public_key_verify_signature(cert->pub, cert->sig); if (ret < 0) { if (ret == -ENOPKG) {
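
Review bot: In the pkcs7_find_key() hunk of crypto/asymmetric_keys/pkcs7_verify.c, removing the strcmp() block changes behaviour in two ways that the changelog calls only "redundant". First, a certificate whose algorithm disagrees with the signature used to be skipped with `continue`; it is now assigned to sinfo->signer and returned, and the mismatch is only caught later in public_key_verify_signature(). Second, the pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", ...) diagnostic disappears, and the replacement check returns -EKEYREJECTED without logging. Please either keep a log line at the new check or state in the changelog that the message is dropped on purpose. Note also that the removed test was a strict strcmp(), while the central check tolerates "ecdsa" against an "ecdsa-" key, so the PKCS#7 path becomes slightly more permissive than before.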
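
Review bot: In the public_key_verify_signature() hunk of crypto/asymmetric_keys/public_key.c, the ECDSA exception is wider than its comment. The comment documents "ecdsa-nist-*" for the key, but the code tests strncmp(pkey->pkey_algo, "ecdsa-", 6), so any key algorithm string beginning with "ecdsa-" is accepted with an "ecdsa" signature. Either compare against "ecdsa-nist-" or reword the comment to match the prefix that is actually checked. Separately, the whole check sits under `if (sig->pkey_algo)`, so a signature that leaves pkey_algo NULL bypasses it. The changelog says the SM2 first-step decision currently reads the signature's algorithm, so that site should be switched to pkey->pkey_algo as well, or the comment should say why the NULL case is safe there.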
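
Review bot: In the x509_check_for_self_signed() hunk of crypto/asymmetric_keys/x509_public_key.c, the removed block set ret = -EKEYREJECTED and jumped to out, whereas a mismatch now comes back as the return value of public_key_verify_signature() and goes through the `if (ret < 0)` handling, of which only the `ret == -ENOPKG` branch is visible here. Please confirm that -EKEYREJECTED on that path still reaches the caller unchanged and is not folded into the "not self-signed" case. A short comment above the call saying that the algorithm match is now enforced inside public_key_verify_signature() would keep the next reader from re-adding the check.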