xref: /linux/certs/blacklist.c (revision 56c5812623f95313f6a46fbf0beee7fa17c68bbf) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* System hash blacklist.
3  *
4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) "blacklist: "fmt
9 #include <linux/module.h>
10 #include <linux/slab.h>
11 #include <linux/key.h>
12 #include <linux/key-type.h>
13 #include <linux/sched.h>
14 #include <linux/ctype.h>
15 #include <linux/err.h>
16 #include <linux/seq_file.h>
17 #include <linux/uidgid.h>
18 #include <keys/system_keyring.h>
19 #include "blacklist.h"
20 
21 static struct key *blacklist_keyring;
22 
23 /*
24  * The description must be a type prefix, a colon and then an even number of
25  * hex digits.  The hash is kept in the description.
26  */
27 static int blacklist_vet_description(const char *desc)
28 {
29 	int n = 0;
30 
31 	if (*desc == ':')
32 		return -EINVAL;
33 	for (; *desc; desc++)
34 		if (*desc == ':')
35 			goto found_colon;
36 	return -EINVAL;
37 
38 found_colon:
39 	desc++;
40 	for (; *desc; desc++) {
41 		if (!isxdigit(*desc) || isupper(*desc))
42 			return -EINVAL;
43 		n++;
44 	}
45 
46 	if (n == 0 || n & 1)
47 		return -EINVAL;
48 	return 0;
49 }
50 
51 /*
52  * The hash to be blacklisted is expected to be in the description.  There will
53  * be no payload.
54  */
55 static int blacklist_preparse(struct key_preparsed_payload *prep)
56 {
57 	if (prep->datalen > 0)
58 		return -EINVAL;
59 	return 0;
60 }
61 
62 static void blacklist_free_preparse(struct key_preparsed_payload *prep)
63 {
64 }
65 
66 static void blacklist_describe(const struct key *key, struct seq_file *m)
67 {
68 	seq_puts(m, key->description);
69 }
70 
71 static struct key_type key_type_blacklist = {
72 	.name			= "blacklist",
73 	.vet_description	= blacklist_vet_description,
74 	.preparse		= blacklist_preparse,
75 	.free_preparse		= blacklist_free_preparse,
76 	.instantiate		= generic_key_instantiate,
77 	.describe		= blacklist_describe,
78 };
79 
80 /**
81  * mark_hash_blacklisted - Add a hash to the system blacklist
82  * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783")
83  */
84 int mark_hash_blacklisted(const char *hash)
85 {
86 	key_ref_t key;
87 
88 	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
89 				   "blacklist",
90 				   hash,
91 				   NULL,
92 				   0,
93 				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
94 				    KEY_USR_VIEW),
95 				   KEY_ALLOC_NOT_IN_QUOTA |
96 				   KEY_ALLOC_BUILT_IN);
97 	if (IS_ERR(key)) {
98 		pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key));
99 		return PTR_ERR(key);
100 	}
101 	return 0;
102 }
103 
104 /**
105  * is_hash_blacklisted - Determine if a hash is blacklisted
106  * @hash: The hash to be checked as a binary blob
107  * @hash_len: The length of the binary hash
108  * @type: Type of hash
109  */
110 int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
111 {
112 	key_ref_t kref;
113 	size_t type_len = strlen(type);
114 	char *buffer, *p;
115 	int ret = 0;
116 
117 	buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL);
118 	if (!buffer)
119 		return -ENOMEM;
120 	p = memcpy(buffer, type, type_len);
121 	p += type_len;
122 	*p++ = ':';
123 	bin2hex(p, hash, hash_len);
124 	p += hash_len * 2;
125 	*p = 0;
126 
127 	kref = keyring_search(make_key_ref(blacklist_keyring, true),
128 			      &key_type_blacklist, buffer, false);
129 	if (!IS_ERR(kref)) {
130 		key_ref_put(kref);
131 		ret = -EKEYREJECTED;
132 	}
133 
134 	kfree(buffer);
135 	return ret;
136 }
137 EXPORT_SYMBOL_GPL(is_hash_blacklisted);
138 
139 int is_binary_blacklisted(const u8 *hash, size_t hash_len)
140 {
141 	if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
142 		return -EPERM;
143 
144 	return 0;
145 }
146 EXPORT_SYMBOL_GPL(is_binary_blacklisted);
147 
148 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
149 /**
150  * add_key_to_revocation_list - Add a revocation certificate to the blacklist
151  * @data: The data blob containing the certificate
152  * @size: The size of data blob
153  */
154 int add_key_to_revocation_list(const char *data, size_t size)
155 {
156 	key_ref_t key;
157 
158 	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
159 				   "asymmetric",
160 				   NULL,
161 				   data,
162 				   size,
163 				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
164 				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
165 
166 	if (IS_ERR(key)) {
167 		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
168 		return PTR_ERR(key);
169 	}
170 
171 	return 0;
172 }
173 
174 /**
175  * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
176  * @pkcs7: The PKCS#7 message to check
177  */
178 int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
179 {
180 	int ret;
181 
182 	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
183 
184 	if (ret == 0)
185 		return -EKEYREJECTED;
186 
187 	return -ENOKEY;
188 }
189 #endif
190 
191 /*
192  * Initialise the blacklist
193  */
194 static int __init blacklist_init(void)
195 {
196 	const char *const *bl;
197 
198 	if (register_key_type(&key_type_blacklist) < 0)
199 		panic("Can't allocate system blacklist key type\n");
200 
201 	blacklist_keyring =
202 		keyring_alloc(".blacklist",
203 			      GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
204 			      (KEY_POS_ALL & ~KEY_POS_SETATTR) |
205 			      KEY_USR_VIEW | KEY_USR_READ |
206 			      KEY_USR_SEARCH,
207 			      KEY_ALLOC_NOT_IN_QUOTA |
208 			      KEY_ALLOC_SET_KEEP,
209 			      NULL, NULL);
210 	if (IS_ERR(blacklist_keyring))
211 		panic("Can't allocate system blacklist keyring\n");
212 
213 	for (bl = blacklist_hashes; *bl; bl++)
214 		if (mark_hash_blacklisted(*bl) < 0)
215 			pr_err("- blacklisting failed\n");
216 	return 0;
217 }
218 
219 /*
220  * Must be initialised before we try and load the keys into the keyring.
221  */
222 device_initcall(blacklist_init);
223