Revert "Mix non-GOST RSA keys with GOST buildtime key in the kernel keyring"
The first certificate in the PEM bundle (the GOST one) loads correctly; the remaining RSA certificates do not.
Loaded X.509 cert 'ROSA rpmbuild: Build time autogenerated kernel key: bb12e555ee1aa3718c7cbff4033d6f08ddc514af'
Loaded X.509 cert 'ROSA rpmbuild: Build time autogenerated kernel key: bb12e555ee1aa3718c7cbff4033d6f08ddc514af'
Thread 1 "linux-uml-5.4.2" hit Breakpoint 1, pkcs1pad_verify (req=0x6197a600) at crypto/rsa-pkcs1pad.c:538
538 if (WARN_ON(req->dst) ||
(gdb) n
539 WARN_ON(!req->dst_len) ||
(gdb) n
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at crypto/rsa-pkcs1pad.c:539 pkcs1pad_verify+0x4e/0x146
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 5.4.0 #1
Stack:
6182b9e0 602e6a39 00000009 00000000
00000000 61969580 6182b9f0 602e6a7e
6182ba30 60037f79 00000200 61981409
Call Trace:
[<600677ed>] ? printk+0x0/0x94
[<601e1d29>] ? sg_set_buf+0x0/0x92
[<6001d383>] show_stack+0x13b/0x155
[<602e6a39>] ? dump_stack_print_info+0xe2/0xeb
[<602e6a7e>] dump_stack+0x2a/0x2c
[<60037f79>] __warn+0xed/0x116
[<60038431>] warn_slowpath_fmt+0xd1/0xdf
[<601dab29>] ? rsa_free_mpi_key+0x0/0x44
[<601dab29>] ? rsa_free_mpi_key+0x0/0x44
[<60211d2c>] ? mpi_read_raw_data+0x0/0x105
[<601dad3e>] ? rsa_set_pub_key+0xb9/0xe7
[<60038360>] ? warn_slowpath_fmt+0x0/0xdf
[<601db6d3>] pkcs1pad_verify+0x4e/0x146
[<601e2667>] public_key_verify_signature+0x2ae/0x366
[<601d3a45>] ? crypto_find_alg+0x0/0x2a
[<6002eebe>] ? set_signals+0x30/0x36
[<6002eebe>] ? set_signals+0x30/0x36
[<600d082f>] ? __kmalloc+0xa6/0xd0
[<600d10ee>] ? kfree+0x0/0x65
[<601e37ea>] x509_check_for_self_signed+0xd9/0xff
[<600d10ee>] ? kfree+0x0/0x65
[<601e2e48>] x509_cert_parse+0x1ed/0x22d
[<601e33de>] x509_key_preparse+0x28/0x20a
[<601e0e66>] asymmetric_key_preparse+0x4a/0x87
[<601ca333>] ? key_type_lookup+0x5a/0x97
[<601ca509>] key_create_or_update+0x199/0x43a
[<600677ed>] ? printk+0x0/0x94
[<6000a549>] load_system_certificate_list+0xc2/0x134
[<6000a487>] ? load_system_certificate_list+0x0/0x134
[<6001aa19>] do_one_initcall+0x8e/0x1d0
[<6001a98b>] ? do_one_initcall+0x0/0x1d0
[<6001a98b>] ? do_one_initcall+0x0/0x1d0
[<60001e26>] kernel_init_freeable+0x18c/0x254
[<600677ed>] ? printk+0x0/0x94
[<602f55bd>] kernel_init+0x27/0x136
[<6001c1b5>] new_thread_handler+0x81/0xb2
---[ end trace 9cd4d0bf1a354d26 ]---
public_key_verify_signature (pkey=0x61969580, sig=<optimized out>) at crypto/asymmetric_keys/public_key.c:309
309 ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
(gdb) p req
$1 = (struct akcipher_request *) 0x6197a600
(gdb) p &req
Address requested for identifier "req" which is in register $rbx
(gdb) p $req
$2 = void
(gdb) p req->src_len
$3 = 512
(gdb) p ctx->key_size
No symbol "ctx" in current context.
(gdb)
Problems happen here:
static int pkcs1pad_verify(struct akcipher_request *req)
{
struct crypto_akcipher *tfm = crypto_akcipher_reqtfm(req);
struct pkcs1pad_ctx *ctx = akcipher_tfm_ctx(tfm);
struct pkcs1pad_request *req_ctx = akcipher_request_ctx(req);
int err;
if (WARN_ON(req->dst) ||
WARN_ON(!req->dst_len) ||
!ctx->key_size || req->src_len < ctx->key_size)
return -EINVAL;
For now let's just disable this and debug this later if I have wish and time.
This reverts commit 89974eea5f
.
This commit is contained in:
parent
89974eea5f
commit
c98134ffc6
1 changed files with 3 additions and 3 deletions
|
@ -11,7 +11,7 @@
|
|||
%define sublevel 25
|
||||
|
||||
# Release number. Increase this before a rebuild.
|
||||
%define rpmrel 4
|
||||
%define rpmrel 3
|
||||
%define fullrpmrel %{rpmrel}
|
||||
|
||||
%define rpmtag %{disttag}
|
||||
|
@ -1022,8 +1022,8 @@ sed -i %{src_dir}/scripts/Makefile \
|
|||
%if %{with additional_keys}
|
||||
# Add additional public keys to the list of trusted keys for kernel modules
|
||||
# Build kernel --without additional_keys if you do not want to trust them
|
||||
cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
|
||||
>> "%{certs_public_keys}"
|
||||
##cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
|
||||
## >> "%{certs_public_keys}"
|
||||
%endif #endif additional_keys
|
||||
cat %{certs_public_keys}
|
||||
%endif #endif enhanced_security
|
||||
|
|
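Review bot: With the two `cat … >> "%{certs_public_keys}"` lines turned into `##` comments, the `%if %{with additional_keys}` branch no longer does anything, yet the two comments above it still promise that the extra public keys are added to the trusted keyring, so a build run `--with additional_keys` silently produces a kernel that trusts none of those keys and will refuse modules signed with them (fail-closed, but invisible to whoever chose the option). This reads the `##` lines as the new side, which the revert and the old-then-new print order suggest but the 3/3 diffstat does not confirm. Rather than leaving dead commented-out commands, make the disabled state explicit inside the `%if`: `# additional_keys is disabled: RSA certs appended after the GOST build-time key fail to load (WARN_ON(!req->dst_len) in pkcs1pad_verify); re-enable once that is fixed` followed by `%{error:additional_keys is currently disabled; build --without additional_keys}` so the flag cannot give false assurance (drop the `%{error:…}` line if the option defaults to on and you want the build to keep working). The `cat %{certs_public_keys}` that follows still dumps the resulting bundle into the build log, which is useful for confirming what was actually trusted.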