Re: [PATCH] kmod: Add FIPS 202 SHA-3 support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 6 Dec 2023 at 15:26, Lucas De Marchi <lucas.demarchi@xxxxxxxxx> wrote:
>
> On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote:
> >Add support for parsing FIPS 202 SHA-3 signature hashes. Separately,
> >it is not clear why explicit hashes are re-encoded here, instead of
> >trying to generically show any digest openssl supports.
> >
> >Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@xxxxxxxxxxxxx>

NACK

> >---
> > libkmod/libkmod-signature.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> >diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
> >index b749a818f9..a39059cd7c 100644
> >--- a/libkmod/libkmod-signature.c
> >+++ b/libkmod/libkmod-signature.c
> >@@ -57,6 +57,9 @@ enum pkey_hash_algo {
> >       PKEY_HASH_SHA512,
> >       PKEY_HASH_SHA224,
> >       PKEY_HASH_SM3,
> >+      PKEY_HASH_SHA3_256,
> >+      PKEY_HASH_SHA3_384,
> >+      PKEY_HASH_SHA3_512,
> >       PKEY_HASH__LAST
> > };
> >
> >@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> >       [PKEY_HASH_SHA512]      = "sha512",
> >       [PKEY_HASH_SHA224]      = "sha224",
> >       [PKEY_HASH_SM3]         = "sm3",
> >+      [PKEY_HASH_SHA3_256]    = "sha3-256",
> >+      [PKEY_HASH_SHA3_384]    = "sha3-384",
> >+      [PKEY_HASH_SHA3_512]    = "sha3-512",
> > };
> >
> > enum pkey_id_type {
> >@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o)
> >       case NID_sm3:
> >               return PKEY_HASH_SM3;
> > # endif
> >+      case NID_sha3_256:
> >+              return PKEY_HASH_SHA3_256;
> >+      case NID_sha3_384:
> >+              return PKEY_HASH_SHA3_384;
> >+      case NID_sha3_512:
> >+              return PKEY_HASH_SHA3_512;
>
>
> with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this
> hunk is not needed anymore. Do you want to send a new version of this
> patch?

This patch is no longer required, given that
https://lore.kernel.org/all/20231029010319.157390-1-dimitri.ledkov@xxxxxxxxxxxxx/
is applied. Upgrade kmod to the one that has at least that patch
applied, and then pkcs7 signatures are parsed correctly with
everything that a runtime OpenSSL supports. Thus if you want to see
SHA3 signatures, ensure your runtime libssl has SHA3 support.

>
> thanks
> Lucas De Marchi
>
> >       default:
> >               return -1;
> >       }
> >--
> >2.34.1
> >
> >

-- 
Dimitri

Sent from Ubuntu Pro
https://ubuntu.com/pro
[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux