mirror of
https://github.com/torvalds/linux.git
synced 2024-11-10 14:11:52 +00:00
X.509: Remove certificate date checks
Remove the certificate date checks that are performed when a certificate is parsed. There are two checks: a valid from and a valid to. The first check is causing a lot of problems with system clocks that don't keep good time and the second places an implicit expiry date upon the kernel when used for module signing, so do we really need them? Signed-off-by: David Howells <dhowells@redhat.com> cc: David Woodhouse <dwmw2@infradead.org> cc: Rusty Russell <rusty@rustcorp.com.au> cc: Josh Boyer <jwboyer@redhat.com> cc: Alexander Holler <holler@ahsoftware.de> cc: stable@vger.kernel.org
This commit is contained in:
parent
17334cabc8
commit
124df92609
@ -108,7 +108,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
|
||||
static int x509_key_preparse(struct key_preparsed_payload *prep)
|
||||
{
|
||||
struct x509_certificate *cert;
|
||||
struct tm now;
|
||||
size_t srlen, sulen;
|
||||
char *desc = NULL;
|
||||
int ret;
|
||||
@ -150,43 +149,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
|
||||
goto error_free_cert;
|
||||
}
|
||||
|
||||
time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
|
||||
pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
|
||||
now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
|
||||
now.tm_hour, now.tm_min, now.tm_sec);
|
||||
if (now.tm_year < cert->valid_from.tm_year ||
|
||||
(now.tm_year == cert->valid_from.tm_year &&
|
||||
(now.tm_mon < cert->valid_from.tm_mon ||
|
||||
(now.tm_mon == cert->valid_from.tm_mon &&
|
||||
(now.tm_mday < cert->valid_from.tm_mday ||
|
||||
(now.tm_mday == cert->valid_from.tm_mday &&
|
||||
(now.tm_hour < cert->valid_from.tm_hour ||
|
||||
(now.tm_hour == cert->valid_from.tm_hour &&
|
||||
(now.tm_min < cert->valid_from.tm_min ||
|
||||
(now.tm_min == cert->valid_from.tm_min &&
|
||||
(now.tm_sec < cert->valid_from.tm_sec
|
||||
))))))))))) {
|
||||
pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
|
||||
ret = -EKEYREJECTED;
|
||||
goto error_free_cert;
|
||||
}
|
||||
if (now.tm_year > cert->valid_to.tm_year ||
|
||||
(now.tm_year == cert->valid_to.tm_year &&
|
||||
(now.tm_mon > cert->valid_to.tm_mon ||
|
||||
(now.tm_mon == cert->valid_to.tm_mon &&
|
||||
(now.tm_mday > cert->valid_to.tm_mday ||
|
||||
(now.tm_mday == cert->valid_to.tm_mday &&
|
||||
(now.tm_hour > cert->valid_to.tm_hour ||
|
||||
(now.tm_hour == cert->valid_to.tm_hour &&
|
||||
(now.tm_min > cert->valid_to.tm_min ||
|
||||
(now.tm_min == cert->valid_to.tm_min &&
|
||||
(now.tm_sec > cert->valid_to.tm_sec
|
||||
))))))))))) {
|
||||
pr_warn("Cert %s has expired\n", cert->fingerprint);
|
||||
ret = -EKEYEXPIRED;
|
||||
goto error_free_cert;
|
||||
}
|
||||
|
||||
cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
|
||||
cert->pub->id_type = PKEY_ID_X509;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user