certs: Fix blacklisted hexadecimal hash string check
When looking for a blacklisted hash, bin2hex() is used to transform a
binary hash to an ascii (lowercase) hexadecimal string.  This string is
then searched for in the description of the keys from the blacklist
keyring.  When adding a key to the blacklist keyring,
blacklist_vet_description() checks the hash prefix and the hexadecimal
string, but not that this string is lowercase.  It is then valid to set
hashes with uppercase hexadecimal, which will be silently ignored by the
kernel.

Add an additional check to blacklist_vet_description() to check that
hexadecimal strings are in lowercase.

Signed-off-by: Mickaël Salaün <[email protected]>
Signed-off-by: David Howells <[email protected]>
Reviewed-by: Ben Boeckel <[email protected]>
Cc: David Woodhouse <[email protected]>
l0kod authored and dhowells committed Jan 21, 2021
1 parent 0b2d443 commit 84ffbef
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion certs/blacklist.c
Expand Up @@ -37,7 +37,7 @@ static int blacklist_vet_description(const char *desc)
found_colon:
desc++;
for (; *desc; desc++) {
if (!isxdigit(*desc))
if (!isxdigit(*desc) || isupper(*desc))
return -EINVAL;
n++;
}
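
Review bot: the added `isupper(*desc)` test in the hex loop makes lowercase a hard requirement, but nothing next to it says why. A short comment above the `for` noting that the description has to match the lowercase string bin2hex() produces at lookup time would stop a later cleanup from reducing the condition back to `!isxdigit(*desc)`. Uppercase input now returns the same bare -EINVAL as a non-hex character, so whatever describes the blacklist description format to users should state the lowercase rule as well. The message calls this a fix but the visible trailers carry no Fixes: tag; if the silent-ignore behaviour dates from a known commit, naming it would help backporting.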