Commit c03c21ba authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'keys-misc-20210126' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs 

Pull keyring updates from David Howells:
 "Here's a set of minor keyrings fixes/cleanups that I've collected from
  various people for the upcoming merge window.

  A couple of them might, in theory, be visible to userspace:

   - Make blacklist_vet_description() reject uppercase letters as they
     don't match the all-lowercase hex string generated for a blacklist
     search.

     This may want reconsideration in the future, but, currently, you
     can't add to the blacklist keyring from userspace and the only
     source of blacklist keys generates lowercase descriptions.

   - Fix blacklist_init() to use a new KEY_ALLOC_* flag to indicate that
     it wants KEY_FLAG_KEEP to be set rather than passing KEY_FLAG_KEEP
     into keyring_alloc() as KEY_FLAG_KEEP isn't a valid alloc flag.

     This isn't currently a problem as the blacklist keyring isn't
     currently writable by userspace.

  The rest of the patches are cleanups and I don't think they should
  have any visible effect"

* tag 'keys-misc-20210126' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  watch_queue: rectify kernel-doc for init_watch()
  certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
  certs: Fix blacklist flag type confusion
  PKCS#7: Fix missing include
  certs: Fix blacklisted hexadecimal hash string check
  certs/blacklist: fix kernel doc interface issue
  crypto: public_key: Remove redundant header file from public_key.h
  keys: remove trailing semicolon in macro definition
  crypto: pkcs7: Use match_string() helper to simplify the code
  PKCS#7: drop function from kernel-doc pkcs7_validate_trust_one
  encrypted-keys: Replace HTTP links with HTTPS ones
  crypto: asymmetric_keys: fix some comments in pkcs7_parser.h
  KEYS: remove redundant memset
  security: keys: delete repeated words in comments
  KEYS: asymmetric: Fix kerneldoc
  security/keys: use kvfree_sensitive()
  watch_queue: Drop references to /dev/watch_queue
  keys: Remove outdated __user annotations
  security: keys: Fix fall-through warnings for Clang
parents 414eece9 8f0bfc25

Documentation/security/keys/core.rst

+2 −2
Original line number Diff line number Diff line
@@ -1040,8 +1040,8 @@ The keyctl syscall functions are: 


     "key" is the ID of the key to be watched.



     "queue_fd" is a file descriptor referring to an open "/dev/watch_queue"

     which manages the buffer into which notifications will be delivered.

     "queue_fd" is a file descriptor referring to an open pipe which

     manages the buffer into which notifications will be delivered.



     "filter" is either NULL to remove a watch or a filter specification to

     indicate what events are required from the key.

certs/blacklist.c

+5 −5
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ 
#include <linux/ctype.h>

#include <linux/err.h>

#include <linux/seq_file.h>

#include <linux/uidgid.h>

#include <keys/system_keyring.h>

#include "blacklist.h"
@@ -37,7 +38,7 @@ static int blacklist_vet_description(const char *desc) 
found_colon:

	desc++;

	for (; *desc; desc++) {

		if (!isxdigit(*desc))

		if (!isxdigit(*desc) || isupper(*desc))

			return -EINVAL;

		n++;

	}
@@ -78,7 +79,7 @@ static struct key_type key_type_blacklist = { 


/**

 * mark_hash_blacklisted - Add a hash to the system blacklist

 * @hash - The hash as a hex string with a type prefix (eg. "tbs:23aa429783")

 * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")

 */

int mark_hash_blacklisted(const char *hash)

{
@@ -156,13 +157,12 @@ static int __init blacklist_init(void) 


	blacklist_keyring =

		keyring_alloc(".blacklist",

			      KUIDT_INIT(0), KGIDT_INIT(0),

			      current_cred(),

			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),

			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |

			      KEY_USR_VIEW | KEY_USR_READ |

			      KEY_USR_SEARCH,

			      KEY_ALLOC_NOT_IN_QUOTA |

			      KEY_FLAG_KEEP,

			      KEY_ALLOC_SET_KEEP,

			      NULL, NULL);

	if (IS_ERR(blacklist_keyring))

		panic("Can't allocate system blacklist keyring\n");

certs/system_keyring.c

+3 −2
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
#include <linux/cred.h>

#include <linux/err.h>

#include <linux/slab.h>

#include <linux/uidgid.h>

#include <linux/verification.h>

#include <keys/asymmetric-type.h>

#include <keys/system_keyring.h>
@@ -98,7 +99,7 @@ static __init int system_trusted_keyring_init(void) 


	builtin_trusted_keys =

		keyring_alloc(".builtin_trusted_keys",

			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),

			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

			      KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH),

			      KEY_ALLOC_NOT_IN_QUOTA,
@@ -109,7 +110,7 @@ static __init int system_trusted_keyring_init(void) 
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING

	secondary_trusted_keys =

		keyring_alloc(".secondary_trusted_keys",

			      KUIDT_INIT(0), KGIDT_INIT(0), current_cred(),

			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),

			      ((KEY_POS_ALL & ~KEY_POS_SETATTR) |

			       KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH |

			       KEY_USR_WRITE),

crypto/asymmetric_keys/asymmetric_type.c

+4 −2
Original line number Diff line number Diff line
@@ -152,7 +152,8 @@ EXPORT_SYMBOL_GPL(asymmetric_key_generate_id); 


/**

 * asymmetric_key_id_same - Return true if two asymmetric keys IDs are the same.

 * @kid_1, @kid_2: The key IDs to compare

 * @kid1: The key ID to compare

 * @kid2: The key ID to compare

 */

bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,

			    const struct asymmetric_key_id *kid2)
@@ -168,7 +169,8 @@ EXPORT_SYMBOL_GPL(asymmetric_key_id_same); 
/**

 * asymmetric_key_id_partial - Return true if two asymmetric keys IDs

 * partially match

 * @kid_1, @kid_2: The key IDs to compare

 * @kid1: The key ID to compare

 * @kid2: The key ID to compare

 */

bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,

			       const struct asymmetric_key_id *kid2)

crypto/asymmetric_keys/pkcs7_parser.h

+2 −3
Original line number Diff line number Diff line
@@ -41,10 +41,9 @@ struct pkcs7_signed_info { 
	 *

	 * This contains the generated digest of _either_ the Content Data or

	 * the Authenticated Attributes [RFC2315 9.3].  If the latter, one of

	 * the attributes contains the digest of the the Content Data within

	 * it.

	 * the attributes contains the digest of the Content Data within it.

	 *

	 * THis also contains the issuing cert serial number and issuer's name

	 * This also contains the issuing cert serial number and issuer's name

	 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].

	 */

	struct public_key_signature *sig;