4b34968e77
The asymmetric key type allows an X.509 certificate to be added even if
its signature's hash algorithm is not available in the crypto API. In
that case 'payload.data[asym_auth]' will be NULL. But the key
restriction code failed to check for this case before trying to use the
signature, resulting in a NULL pointer dereference in
key_or_keyring_common() or in restrict_link_by_signature().
Fix this by returning -ENOPKG when the signature is unsupported.
Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and
keyctl has support for the 'restrict_keyring' command:
keyctl new_session
keyctl restrict_keyring @s asymmetric builtin_trusted
openssl req -new -sha512 -x509 -batch -nodes -outform der \
| keyctl padd asymmetric desc @s
Fixes:
|
||
---|---|---|
.. | ||
.gitignore | ||
asymmetric_keys.h | ||
asymmetric_type.c | ||
Kconfig | ||
Makefile | ||
mscode_parser.c | ||
mscode.asn1 | ||
pkcs7_key_type.c | ||
pkcs7_parser.c | ||
pkcs7_parser.h | ||
pkcs7_trust.c | ||
pkcs7_verify.c | ||
pkcs7.asn1 | ||
public_key.c | ||
restrict.c | ||
signature.c | ||
verify_pefile.c | ||
verify_pefile.h | ||
x509_akid.asn1 | ||
x509_cert_parser.c | ||
x509_parser.h | ||
x509_public_key.c | ||
x509.asn1 |