Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1455937rdb; Mon, 2 Oct 2023 09:59:58 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGkfjrcO9wGYWvtZcmZ/1Gue5Lzb8hnD7XKSBpb8nL/tPbsLQXFz/AG6jFWdZ/fUbSdV3YY X-Received: by 2002:a05:6a20:4425:b0:14d:5580:8ff0 with SMTP id ce37-20020a056a20442500b0014d55808ff0mr13257753pzb.25.1696265997912; Mon, 02 Oct 2023 09:59:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696265997; cv=none; d=google.com; s=arc-20160816; b=0UOBeIg5x4Gs8VHHgYwnjYTjTD5vwWLKFZNVMFGhUWoWP8hE7VkRuiJrXl7wosa5vi xnEklbXJpe1YU7gdrifhwPNXcJTDX0ERVyD1G22xD932u8CjEXLwfWfWxSBxNI1WiGHq Uk/5pwV2WH/i2cJIx2zfUr1cV3XR2TT2Vl+KzYl46+f4P1VagGeHULm9NQv8nNDREzd5 /kov7+/fT2kQOD95GVy9KEQbuAxNLXVI07LjpeX7N7lL9pFuVofKZUWSxWUnvsmVIiTo LHRTuGVFwvo9Dl/Sf7U1a70Qh5k9qGEPEnpCvCMx+Wdq7D0zidMWhoGV09SCsZV5LAmK OJWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=dGPAODzObes1U0cw8/DlYcRXyIYHuM5STGytm3cVOF4=; fh=VytaWnrtIe6rQzSTidyaXKVP21CYVB05Erb1vcNmZ/4=; b=qGXk7gwJ4Z5G8Fpipv21oUTSsoV0juOH9uBa6NocwOQMuuo9E7WRC2A7+9OB+GLdf+ fSLOL9/cIMyc0ulwrj6d2psLRno3CdvKAKlDFuF1rsPvplt6Z1xcO8ZpWCfDWB58E78T mJGsHuA8LtUsrBhvHU3vwON6sBWZuykw0dRn5m7QUZdj9JLLUqs5s/bbu2OzMOhexXlo gYPudOlKvC+3+jnduSgX9f48UhTsBqx+gSGZKnIL3GY0RpPiAtwDdUqtHq2kL7hFUTo7 50St7ZvJuB0iMA9AbpjlCPA1AVS2CbmpJQa8EJHgCLH8jG8Mq/xCQb6R1BXmxPrDPnLY +FzA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id z13-20020a6553cd000000b00574166b7d34si26887205pgr.881.2023.10.02.09.59.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 02 Oct 2023 09:59:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 9E2A4809848E; Mon, 2 Oct 2023 09:45:13 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238053AbjJBQpF (ORCPT + 99 others); Mon, 2 Oct 2023 12:45:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55128 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237844AbjJBQpD (ORCPT ); Mon, 2 Oct 2023 12:45:03 -0400 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22A2A9B; Mon, 2 Oct 2023 09:44:59 -0700 (PDT) Received: from lhrpeml500005.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4RzmyS5506z6K6gc; Tue, 3 Oct 2023 00:44:48 +0800 (CST) Received: from localhost (10.202.227.76) by lhrpeml500005.china.huawei.com (7.191.163.240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Mon, 2 Oct 2023 17:44:55 +0100 Date: Mon, 2 Oct 2023 17:44:54 +0100 From: Jonathan Cameron To: Lukas Wunner CC: Bjorn Helgaas , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , , , , , , , , David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 03/12] X.509: Move certificate length retrieval into new helper Message-ID: <20231002174454.000025c5@Huawei.com> In-Reply-To: <16c06528d13b2c0081229a45cacd4b1b9cdff738.1695921657.git.lukas@wunner.de> References: <16c06528d13b2c0081229a45cacd4b1b9cdff738.1695921657.git.lukas@wunner.de> Organization: Huawei Technologies Research and Development (UK) Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.33; x86_64-w64-mingw32) MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.202.227.76] X-ClientProxiedBy: lhrpeml100005.china.huawei.com (7.191.160.25) To lhrpeml500005.china.huawei.com (7.191.163.240) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 02 Oct 2023 09:45:13 -0700 (PDT) On Thu, 28 Sep 2023 19:32:32 +0200 Lukas Wunner wrote: > The upcoming in-kernel SPDM library (Security Protocol and Data Model, > https://www.dmtf.org/dsp/DSP0274) needs to retrieve the length from > ASN.1 DER-encoded X.509 certificates. > > Such code already exists in x509_load_certificate_list(), so move it > into a new helper for reuse by SPDM. > > No functional change intended. > > Signed-off-by: Lukas Wunner Good find :) I vaguely remember carrying a hack for this so good to do something more general + save on the duplication. Reviewed-by: Jonathan Cameron > --- > crypto/asymmetric_keys/x509_loader.c | 38 +++++++++++++++++++--------- > include/keys/asymmetric-type.h | 2 ++ > 2 files changed, 28 insertions(+), 12 deletions(-) > > diff --git a/crypto/asymmetric_keys/x509_loader.c b/crypto/asymmetric_keys/x509_loader.c > index a41741326998..121460a0de46 100644 > --- a/crypto/asymmetric_keys/x509_loader.c > +++ b/crypto/asymmetric_keys/x509_loader.c > @@ -4,28 +4,42 @@ > #include > #include > > +int x509_get_certificate_length(const u8 *p, unsigned long buflen) > +{ > + int plen; > + > + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more > + * than 256 bytes in size. > + */ > + if (buflen < 4) > + return -EINVAL; > + > + if (p[0] != 0x30 && > + p[1] != 0x82) > + return -EINVAL; > + > + plen = (p[2] << 8) | p[3]; > + plen += 4; > + if (plen > buflen) > + return -EINVAL; > + > + return plen; > +} > +EXPORT_SYMBOL_GPL(x509_get_certificate_length); > + > int x509_load_certificate_list(const u8 cert_list[], > const unsigned long list_size, > const struct key *keyring) > { > key_ref_t key; > const u8 *p, *end; > - size_t plen; > + int plen; > > p = cert_list; > end = p + list_size; > while (p < end) { > - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more > - * than 256 bytes in size. > - */ > - if (end - p < 4) > - goto dodgy_cert; > - if (p[0] != 0x30 && > - p[1] != 0x82) > - goto dodgy_cert; > - plen = (p[2] << 8) | p[3]; > - plen += 4; > - if (plen > end - p) > + plen = x509_get_certificate_length(p, end - p); > + if (plen < 0) > goto dodgy_cert; > > key = key_create_or_update(make_key_ref(keyring, 1), > diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h > index 69a13e1e5b2e..6705cfde25b9 100644 > --- a/include/keys/asymmetric-type.h > +++ b/include/keys/asymmetric-type.h > @@ -84,6 +84,8 @@ extern struct key *find_asymmetric_key(struct key *keyring, > const struct asymmetric_key_id *id_2, > bool partial); > > +int x509_get_certificate_length(const u8 *p, unsigned long buflen); > + > int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size, > const struct key *keyring); >