From 04fc3749ff2a07afd2382980c762a2953bee5a8f Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Sun, 25 Oct 2020 15:33:02 +0800
Subject: [PATCH] kABI: Fix kABI after add CodeSigning extended key usage
Patch-mainline: Never, kABI fix only
References: bsc#1177353
- pkcs7_validate_trust() as the wrapper of __kabi__pkcs7_validate_trust().
- Use __GENKSYMS__ on eku field of public_key struct.
- Removed OID_codeSigning so that OID__NR is not changed. Compare the
octets of the codeSigning OID directly.
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
certs/system_keyring.c | 2 +-
crypto/asymmetric_keys/pkcs7_trust.c | 11 +++++++++--
crypto/asymmetric_keys/x509_cert_parser.c | 6 +++---
include/crypto/pkcs7.h | 7 +++++--
include/crypto/public_key.h | 2 ++
include/linux/oid_registry.h | 3 ---
6 files changed, 20 insertions(+), 11 deletions(-)
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -242,7 +242,7 @@ int verify_pkcs7_message_sig(const void
goto error;
}
}
- ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage);
+ ret = __kabi__pkcs7_validate_trust(pkcs7, trusted_keys, usage);
if (ret < 0) {
if (ret == -ENOKEY)
pr_devel("PKCS#7 signature not signed with a trusted key\n");
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -186,8 +186,15 @@ verified:
* May also return -ENOMEM.
*/
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
- struct key *trust_keyring,
- enum key_being_used_for usage)
+ struct key *trust_keyring)
+{
+ return __kabi__pkcs7_validate_trust(pkcs7, trust_keyring,
+ NR__KEY_BEING_USED_FOR);
+}
+
+int __kabi__pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring,
+ enum key_being_used_for usage)
{
struct pkcs7_signed_info *sinfo;
struct x509_certificate *p;
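Review bot: The new pkcs7_validate_trust() wrapper passes NR__KEY_BEING_USED_FOR as the usage and nothing in the hunk records what that sentinel means to the callee; presumably it disables the usage-specific EKU check, so every caller that still binds to the old symbol gets no code-signing restriction, and that consequence should be written down at the wrapper. The kernel-doc block ending on the line above now documents the wrapper while the real implementation is __kabi__pkcs7_validate_trust(). Suggest `/* kABI wrapper: keeps the old two-argument signature; NR__KEY_BEING_USED_FOR requests no usage-specific EKU check (confirm against the callee) */` above the wrapper, and a short kernel-doc header on __kabi__pkcs7_validate_trust() describing the usage parameter. The body of __kabi__pkcs7_validate_trust() continues outside the hunk.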
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -470,6 +470,8 @@ int x509_extract_key_data(void *context,
/* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
#define SEQ_TAG_KEYID (ASN1_CONT << 6)
+static const unsigned char codesign_oid[8] = {43, 6, 1, 5, 5, 7, 3, 3};
+
/*
* Process certificate extensions that are used to qualify the certificate.
*/
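Review bot: The new codesign_oid table carries no comment saying which OID it encodes, so a reader has to decode the bytes by hand to see that {43, 6, 1, 5, 5, 7, 3, 3} are the DER content octets of 1.3.6.1.5.5.7.3.3 (43 = 1*40 + 3). Suggest `/* DER content octets of id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3 (RFC 5280) */` above the definition, so the replacement for the removed OID_codeSigning enum stays reviewable.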
@@ -481,7 +483,6 @@ int x509_process_extension(void *context
struct asymmetric_key_id *kid;
const unsigned char *v = value;
int i = 0;
- enum OID oid;
pr_debug("Extension: %u\n", ctx->last_oid);
@@ -523,8 +524,7 @@ int x509_process_extension(void *context
if (v[i] != ASN1_OID || v[i + 1] != 8 || (i + 10) > vlen)
return -EBADMSG;
- oid = look_up_OID(v + i + 2, v[i + 1]);
- if (oid == OID_codeSigning) {
+ if (!memcmp(codesign_oid, v + i + 2, 8)) {
ctx->cert->pub->eku |= EKU_codeSigning;
}
i += 10;
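Review bot: The memcmp() length 8 on the new line duplicates the size of codesign_oid declared earlier in this file and the `v[i + 1] != 8` / `(i + 10) > vlen` checks two lines above; if the table ever changes the three will drift apart. Suggest `if (!memcmp(codesign_oid, v + i + 2, sizeof(codesign_oid))) {` and, ideally, deriving the length and bounds checks from the same constant. The existing bounds check already guarantees the 8 compared bytes lie within vlen, so the compare itself is in-bounds. x509_process_extension() continues beyond the hunk.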
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -30,8 +30,11 @@ extern int pkcs7_get_content_data(const
* pkcs7_trust.c
*/
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
- struct key *trust_keyring,
- enum key_being_used_for usage);
+ struct key *trust_keyring);
+
+extern int __kabi__pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring,
+ enum key_being_used_for usage);
/*
* pkcs7_verify.c
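Review bot: The two declarations now read as equals; nothing in the header says that pkcs7_validate_trust() keeps the pre-kABI signature and that __kabi__pkcs7_validate_trust() is the one in-tree callers should use, as certs/system_keyring.c now does. Suggest a comment above the second declaration: `/* Full-signature variant; pkcs7_validate_trust() keeps the old signature for kABI and passes no specific usage */`.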
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -28,7 +28,9 @@ struct public_key {
bool key_is_private;
const char *id_type;
const char *pkey_algo;
+#ifndef __GENKSYMS__
unsigned int eku : 9; /* Extended Key Usage (9-bit) */
+#endif
};
extern void public_key_free(struct public_key *key);
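Review bot: Hiding eku from genksyms keeps the symbol CRC stable but does not keep the layout stable: the 9-bit bitfield after pkey_algo adds an unsigned int plus any alignment padding to sizeof(struct public_key), so any module that allocates or embeds the struct against the old size would see a different layout. That this is acceptable presumably relies on struct public_key being allocated only by in-tree code, which is worth stating next to the guard. Suggest `/* kABI: hidden from genksyms; the struct grows, so it must stay allocated only by in-tree code */` on the #ifndef line.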
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -107,9 +107,6 @@ enum OID {
OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */
OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */
- /* Extended key purpose OIDs [RFC 5280] */
- OID_codeSigning, /* 1.3.6.1.5.5.7.3.3 */
-
OID__NR
};