certs: Move load_system_certificate_list to a common function (9011aaab) · Commits · e / devices / android_kernel_fairphone_FP5

certs/Makefile

+1 −1

Original line number	Diff line number	Diff line
		@@ -3,7 +3,7 @@
		# Makefile for the linux kernel signature checking certificates.
		#

		obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
		obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
		obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
		ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
		obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o

0 → 100644

+57 −0

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-or-later

		#include <linux/kernel.h>
		#include <linux/key.h>
		#include "common.h"

		int load_certificate_list(const u8 cert_list[],
		const unsigned long list_size,
		const struct key *keyring)
		{
		key_ref_t key;
		const u8 p, end;
		size_t plen;

		p = cert_list;
		end = p + list_size;
		while (p < end) {
		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
		* than 256 bytes in size.
		*/
		if (end - p < 4)
		goto dodgy_cert;
		if (p[0] != 0x30 &&
		p[1] != 0x82)
		goto dodgy_cert;
		plen = (p[2] << 8) \| p[3];
		plen += 4;
		if (plen > end - p)
		goto dodgy_cert;

		key = key_create_or_update(make_key_ref(keyring, 1),
		"asymmetric",
		NULL,
		p,
		plen,
		((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
		KEY_USR_VIEW \| KEY_USR_READ),
		KEY_ALLOC_NOT_IN_QUOTA \|
		KEY_ALLOC_BUILT_IN \|
		KEY_ALLOC_BYPASS_RESTRICTION);
		if (IS_ERR(key)) {
		pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
		PTR_ERR(key));
		} else {
		pr_notice("Loaded X.509 cert '%s'\n",
		key_ref_to_ptr(key)->description);
		key_ref_put(key);
		}
		p += plen;
		}

		return 0;

		dodgy_cert:
		pr_err("Problem parsing in-kernel X.509 certificate list\n");
		return 0;
		}

0 → 100644

+9 −0

Original line number	Diff line number	Diff line
		/* SPDX-License-Identifier: GPL-2.0-or-later */

		#ifndef _CERT_COMMON_H
		#define _CERT_COMMON_H

		int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
		const struct key *keyring);

		#endif

+3 −46

Original line number	Diff line number	Diff line
		@@ -15,6 +15,7 @@
		#include <keys/asymmetric-type.h>
		#include <keys/system_keyring.h>
		#include <crypto/pkcs7.h>
		#include "common.h"

		static struct key *builtin_trusted_keys;
		#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
		@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init);
		*/
		static __init int load_system_certificate_list(void)
		{
		key_ref_t key;
		const u8 p, end;
		size_t plen;

		pr_notice("Loading compiled-in X.509 certificates\n");

		p = system_certificate_list;
		end = p + system_certificate_list_size;
		while (p < end) {
		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
		* than 256 bytes in size.
		*/
		if (end - p < 4)
		goto dodgy_cert;
		if (p[0] != 0x30 &&
		p[1] != 0x82)
		goto dodgy_cert;
		plen = (p[2] << 8) \| p[3];
		plen += 4;
		if (plen > end - p)
		goto dodgy_cert;

		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
		"asymmetric",
		NULL,
		p,
		plen,
		((KEY_POS_ALL & ~KEY_POS_SETATTR) \|
		KEY_USR_VIEW \| KEY_USR_READ),
		KEY_ALLOC_NOT_IN_QUOTA \|
		KEY_ALLOC_BUILT_IN \|
		KEY_ALLOC_BYPASS_RESTRICTION);
		if (IS_ERR(key)) {
		pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
		PTR_ERR(key));
		} else {
		pr_notice("Loaded X.509 cert '%s'\n",
		key_ref_to_ptr(key)->description);
		key_ref_put(key);
		}
		p += plen;
		}

		return 0;

		dodgy_cert:
		pr_err("Problem parsing in-kernel X.509 certificate list\n");
		return 0;
		return load_certificate_list(system_certificate_list, system_certificate_list_size,
		builtin_trusted_keys);
		}
		late_initcall(load_system_certificate_list);