Re: [PATCH] kmod: Add FIPS 202 SHA-3 support

From: Dimitri John Ledkov
Date: Tue Dec 12 2023 - 15:11:55 EST

Next message: Waiman Long: "Re: Modifying isolcpus, nohz_full, and rcu_nocb kernel parameters at runtime"
Previous message: Joel Fernandes: "Re: [PATCH v2] srcu: Improve comments about acceleration leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 6 Dec 2023 at 15:26, Lucas De Marchi <lucas.demarchi@xxxxxxxxx> wrote:
>
> On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote:
> >Add support for parsing FIPS 202 SHA-3 signature hashes. Separately,
> >it is not clear why explicit hashes are re-encoded here, instead of
> >trying to generically show any digest openssl supports.
> >
> >Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@xxxxxxxxxxxxx>

NACK

> >---
> > libkmod/libkmod-signature.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> >diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
> >index b749a818f9..a39059cd7c 100644
> >--- a/libkmod/libkmod-signature.c
> >+++ b/libkmod/libkmod-signature.c
> >@@ -57,6 +57,9 @@ enum pkey_hash_algo {
> > PKEY_HASH_SHA512,
> > PKEY_HASH_SHA224,
> > PKEY_HASH_SM3,
> >+ PKEY_HASH_SHA3_256,
> >+ PKEY_HASH_SHA3_384,
> >+ PKEY_HASH_SHA3_512,
> > PKEY_HASH__LAST
> > };
> >
> >@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > [PKEY_HASH_SHA512] = "sha512",
> > [PKEY_HASH_SHA224] = "sha224",
> > [PKEY_HASH_SM3] = "sm3",
> >+ [PKEY_HASH_SHA3_256] = "sha3-256",
> >+ [PKEY_HASH_SHA3_384] = "sha3-384",
> >+ [PKEY_HASH_SHA3_512] = "sha3-512",
> > };
> >
> > enum pkey_id_type {
> >@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o)
> > case NID_sm3:
> > return PKEY_HASH_SM3;
> > # endif
> >+ case NID_sha3_256:
> >+ return PKEY_HASH_SHA3_256;
> >+ case NID_sha3_384:
> >+ return PKEY_HASH_SHA3_384;
> >+ case NID_sha3_512:
> >+ return PKEY_HASH_SHA3_512;
>
>
> with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this
> hunk is not needed anymore. Do you want to send a new version of this
> patch?

This patch is no longer required, given that
https://lore.kernel.org/all/20231029010319.157390-1-dimitri.ledkov@xxxxxxxxxxxxx/
is applied. Upgrade kmod to the one that has at least that patch
applied, and then pkcs7 signatures are parsed correctly with
everything that a runtime OpenSSL supports. Thus if you want to see
SHA3 signatures, ensure your runtime libssl has SHA3 support.

>
> thanks
> Lucas De Marchi
>
> > default:
> > return -1;
> > }
> >--
> >2.34.1
> >
> >

--
Dimitri

Sent from Ubuntu Pro
https://ubuntu.com/pro

Next message: Waiman Long: "Re: Modifying isolcpus, nohz_full, and rcu_nocb kernel parameters at runtime"
Previous message: Joel Fernandes: "Re: [PATCH v2] srcu: Improve comments about acceleration leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]