github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

pkcs7: Allow authenticatedAttributes for ML-DSA

Browse Source 
Allow the rejection of authenticatedAttributes in PKCS#7 (signedAttrs in
CMS) to be waived in the kernel config for ML-DSA when used for module
signing.  This reflects the issue that openssl < 4.0 cannot do this and
openssl-4 has not yet been released.

This does not permit RSA, ECDSA or ECRDSA to be so waived (behaviour
unchanged).

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Lukas Wunner <lukas@wunner.de>
cc: Ignat Korchagin <ignat@cloudflare.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: Stephan Mueller <smueller@chronox.de>
cc: Eric Biggers <ebiggers@kernel.org>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org
This commit is contained in:
David Howells 2026-01-26 11:46:58 +00:00
parent 0ad9a71933
commit 91db696ade
4 changed files with 28 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
crypto/asymmetric_keys/Kconfig
View File

@ -53,6 +53,17 @@ config PKCS7_MESSAGE_PARSER
This option provides support for parsing PKCS#7 format messages for This option provides support for parsing PKCS#7 format messages for
signature data and provides the ability to verify the signature. signature data and provides the ability to verify the signature.
config PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
bool "Waive rejection of authenticatedAttributes for ML-DSA"
depends on PKCS7_MESSAGE_PARSER
depends on CRYPTO_MLDSA
help
Due to use of CMS_NOATTR with ML-DSA not being supported in
OpenSSL < 4.0 (and thus any released version), enabling this
allows authenticatedAttributes to be used with ML-DSA for
module signing. Use of authenticatedAttributes in this
context is normally rejected.
config PKCS7_TEST_KEY config PKCS7_TEST_KEY
tristate "PKCS#7 testing key type" tristate "PKCS#7 testing key type"
depends on SYSTEM_DATA_VERIFICATION depends on SYSTEM_DATA_VERIFICATION

8
crypto/asymmetric_keys/pkcs7_parser.c
View File

@ -92,9 +92,17 @@ static int pkcs7_check_authattrs(struct pkcs7_message *msg)
if (!sinfo) if (!sinfo)
goto inconsistent; goto inconsistent;
#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
msg->authattrs_rej_waivable = true;
#endif
if (sinfo->authattrs) { if (sinfo->authattrs) {
want = true; want = true;
msg->have_authattrs = true; msg->have_authattrs = true;
#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
if (strncmp(sinfo->sig->pkey_algo, "mldsa", 5) != 0)
msg->authattrs_rej_waivable = false;
#endif
} else if (sinfo->sig->algo_takes_data) { } else if (sinfo->sig->algo_takes_data) {
sinfo->sig->hash_algo = "none"; sinfo->sig->hash_algo = "none";
} }

3
crypto/asymmetric_keys/pkcs7_parser.h
View File

@ -55,6 +55,9 @@ struct pkcs7_message {
struct pkcs7_signed_info *signed_infos; struct pkcs7_signed_info *signed_infos;
u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */ u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
bool have_authattrs; /* T if have authattrs */ bool have_authattrs; /* T if have authattrs */
#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
bool authattrs_rej_waivable; /* T if authatts rejection can be waived */
#endif
/* Content Data (or NULL) */ /* Content Data (or NULL) */
enum OID data_type; /* Type of Data */ enum OID data_type; /* Type of Data */

6
crypto/asymmetric_keys/pkcs7_verify.c
View File

@ -425,6 +425,12 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
return -EKEYREJECTED; return -EKEYREJECTED;
} }
if (pkcs7->have_authattrs) { if (pkcs7->have_authattrs) {
#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
if (pkcs7->authattrs_rej_waivable) {
pr_warn("Waived invalid module sig (has authattrs)\n");
break;
}
#endif
pr_warn("Invalid module sig (has authattrs)\n"); pr_warn("Invalid module sig (has authattrs)\n");
return -EKEYREJECTED; return -EKEYREJECTED;
} }