4b34968e77
The asymmetric key type allows an X.509 certificate to be added even if
its signature's hash algorithm is not available in the crypto API. In
that case 'payload.data[asym_auth]' will be NULL. But the key
restriction code failed to check for this case before trying to use the
signature, resulting in a NULL pointer dereference in
key_or_keyring_common() or in restrict_link_by_signature().
Fix this by returning -ENOPKG when the signature is unsupported.
Reproducer when all the CONFIG_CRYPTO_SHA512* options are disabled and
keyctl has support for the 'restrict_keyring' command:
keyctl new_session
keyctl restrict_keyring @s asymmetric builtin_trusted
openssl req -new -sha512 -x509 -batch -nodes -outform der \
| keyctl padd asymmetric desc @s
Fixes:
|
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Kconfig | ||
| Makefile | ||
| asymmetric_keys.h | ||
| asymmetric_type.c | ||
| mscode.asn1 | ||
| mscode_parser.c | ||
| pkcs7.asn1 | ||
| pkcs7_key_type.c | ||
| pkcs7_parser.c | ||
| pkcs7_parser.h | ||
| pkcs7_trust.c | ||
| pkcs7_verify.c | ||
| public_key.c | ||
| restrict.c | ||
| signature.c | ||
| verify_pefile.c | ||
| verify_pefile.h | ||
| x509.asn1 | ||
| x509_akid.asn1 | ||
| x509_cert_parser.c | ||
| x509_parser.h | ||
| x509_public_key.c | ||