Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp3497552pxb; Sun, 20 Feb 2022 22:19:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJzGzH16qIkrGAjRaNAw515y53NzwfsmGaZbqQn96ZeuGsLwphwSGA8meHA8g+3wgrWSLBnz X-Received: by 2002:a17:902:ab09:b0:14f:c4aa:16e2 with SMTP id ik9-20020a170902ab0900b0014fc4aa16e2mr2138314plb.85.1645424390619; Sun, 20 Feb 2022 22:19:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645424390; cv=none; d=google.com; s=arc-20160816; b=KnbOWW5Gd8m4wiIVwbs0Cj2nknW1WpUZn+vslMIWCe41OGclREDTIagE94k5JKXnFS ckcSx5MmsznuA2jAHr9m3NjchuJnrCdUlKJvCjXny714HPq7EjbgIY6Kl7CYvvWittHH hgQnfbN6FdyD3T6FATzj1OvlP5SXXpChaLUhPmQxI7pFGft9bujy0apLR3QTHSeDjWfe 99rQrtTpJfcZ8qp/zJTF4RljevzG/EHbq+1nRMpMnc07UtjMEseGCAsxfCi4mv7gk9TZ XIy9Fly28oe5wiQMpO/rdAS1232J/JRpq0P+HlnnSkH6N3XvADnAZf88x13fQnqYOoaN 1TzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=CHvyabSYuxhS8UcaJEyZcZnnk0G1sEz81FdmTK5eY+0=; b=nt8JejSyAgaao2Ekkl5diaT8z5g5+IF0m19TZ3lFlNwu4T6HGDhlQKfgLVo/ZnvXLv rZ2TYSBDNUnaQVQWKzuJQjEMqqWalE5mzVk0ugml7kkjGPAGJs2ICamIb7vC7hyiH8kK YEb2F36JovorhrajcSYMU2P7Gthwu+dUpsao2Vk7gJsnXlJMNVnt7V7STrkNhSeHJqH8 weXYazZ2Xq94i7QKehFhk7z8NtzY671CeocVPj4Z540eAyeTzvZbx6SlMMA0QY9nYSev JtHhlqgCJFRVd16o7XSNo54VvpBH/wONdGrPcdE1Ua1y0sH5hoSS8g0ngMGJJYUW6rK9 uCrQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XgO+kEDv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l62si17322341pge.729.2022.02.20.22.19.26; Sun, 20 Feb 2022 22:19:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=XgO+kEDv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245471AbiBUBqN (ORCPT + 99 others); Sun, 20 Feb 2022 20:46:13 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:50106 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245467AbiBUBqN (ORCPT ); Sun, 20 Feb 2022 20:46:13 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D5B95517CC; Sun, 20 Feb 2022 17:45:49 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 518846101A; Mon, 21 Feb 2022 01:45:49 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9B0DC340E8; Mon, 21 Feb 2022 01:45:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645407948; bh=33KkTmZUCFrZDC4MSXVCMJpi9jP7GBSc9fXQNM6W5xc=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=XgO+kEDvmWyECWfvJYNR9L29Nv99GLA2dy4Ln0atgeOdSEntwiRsafY7uTJzNARmK x+OTCvunnZPFUAO7R0e9UeE0aHq6ETfEYxpK1FEy/X5p5NKVE+uvlls0Wa5/RiJtca Ex9CS5JbZK8cxN7z9Uyrl88IvX0kgt+1JqOJ5OLXA1JgJsScKjiwyU2GbRTJYxOb5b 08/VxPEF6enr4FttftMVwOj8UqD1ArZSHVfW3Kpl6dm9jG2WhpE15zWadXlqZ2CGqs 0WCxxvuzyEB1NJj3FboGzsETjdbBg7gPORZDAF6BuFALWzbjNwwV7WbMgx2px5ROsb X6T3+Di9hI2Ig== Date: Mon, 21 Feb 2022 02:46:26 +0100 From: Jarkko Sakkinen To: Eric Biggers Cc: keyrings@vger.kernel.org, David Howells , linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, Stefan Berger , Gilad Ben-Yossef , Tianjia Zhang , Vitaly Chikunov , Mimi Zohar , stable@vger.kernel.org Subject: Re: [PATCH 2/2] KEYS: asymmetric: properly validate hash_algo and encoding Message-ID: References: <20220201003414.55380-1-ebiggers@kernel.org> <20220201003414.55380-3-ebiggers@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220201003414.55380-3-ebiggers@kernel.org> X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Jan 31, 2022 at 04:34:14PM -0800, Eric Biggers wrote: > From: Eric Biggers > > It is insecure to allow arbitrary hash algorithms and signature > encodings to be used with arbitrary signature algorithms. Notably, > ECDSA, ECRDSA, and SM2 all sign/verify raw hash values and don't > disambiguate between different hash algorithms like RSA PKCS#1 v1.5 > padding does. Therefore, they need to be restricted to certain sets of > hash algorithms (ideally just one, but in practice small sets are used). > Additionally, the encoding is an integral part of modern signature > algorithms, and is not supposed to vary. > > Therefore, tighten the checks of hash_algo and encoding done by > software_key_determine_akcipher(). > > Also rearrange the parameters to software_key_determine_akcipher() to > put the public_key first, as this is the most important parameter and it > often determines everything else. > > Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys") > Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") > Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm") > Cc: stable@vger.kernel.org > Signed-off-by: Eric Biggers > --- > crypto/asymmetric_keys/public_key.c | 111 +++++++++++++++++++--------- > 1 file changed, 76 insertions(+), 35 deletions(-) > > diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > index aba7113d86c76..a603ee8afdb8d 100644 > --- a/crypto/asymmetric_keys/public_key.c > +++ b/crypto/asymmetric_keys/public_key.c > @@ -60,39 +60,83 @@ static void public_key_destroy(void *payload0, void *payload3) > } > > /* > - * Determine the crypto algorithm name. > + * Given a public_key, and an encoding and hash_algo to be used for signing > + * and/or verification with that key, determine the name of the corresponding > + * akcipher algorithm. Also check that encoding and hash_algo are allowed. > */ > -static > -int software_key_determine_akcipher(const char *encoding, > - const char *hash_algo, > - const struct public_key *pkey, > - char alg_name[CRYPTO_MAX_ALG_NAME]) > +static int > +software_key_determine_akcipher(const struct public_key *pkey, > + const char *encoding, const char *hash_algo, > + char alg_name[CRYPTO_MAX_ALG_NAME]) Why is changing parameter order necessary? BR, Jarkko