Message ID | 20231022180928.180437-1-dimitri.ledkov@canonical.com (mailing list archive) |
---|---|
State | New, archived |
Series | kmod: Add FIPS 202 SHA-3 support |
On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote: >Add support for parsing FIPS 202 SHA-3 signature hashes. Separately, >it is not clear why explicit hashes are re-encoded here, instead of >trying to generically show any digest openssl supports. > >Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> >--- > libkmod/libkmod-signature.c | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c >index b749a818f9..a39059cd7c 100644 >--- a/libkmod/libkmod-signature.c >+++ b/libkmod/libkmod-signature.c >@@ -57,6 +57,9 @@ enum pkey_hash_algo { > PKEY_HASH_SHA512, > PKEY_HASH_SHA224, > PKEY_HASH_SM3, >+ PKEY_HASH_SHA3_256, >+ PKEY_HASH_SHA3_384, >+ PKEY_HASH_SHA3_512, > PKEY_HASH__LAST > }; > >@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_SHA512] = "sha512", > [PKEY_HASH_SHA224] = "sha224", > [PKEY_HASH_SM3] = "sm3", >+ [PKEY_HASH_SHA3_256] = "sha3-256", >+ [PKEY_HASH_SHA3_384] = "sha3-384", >+ [PKEY_HASH_SHA3_512] = "sha3-512", > }; > > enum pkey_id_type { >@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o) > case NID_sm3: > return PKEY_HASH_SM3; > # endif >+ case NID_sha3_256: >+ return PKEY_HASH_SHA3_256; >+ case NID_sha3_384: >+ return PKEY_HASH_SHA3_384; >+ case NID_sha3_512: >+ return PKEY_HASH_SHA3_512; with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this hunk is not needed anymore. Do you want to send a new version of this patch? thanks Lucas De Marchi > default: > return -1; > } >-- >2.34.1 > >
On Wed, 6 Dec 2023 at 15:26, Lucas De Marchi <lucas.demarchi@intel.com> wrote: > > On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote: > >Add support for parsing FIPS 202 SHA-3 signature hashes. Separately, > >it is not clear why explicit hashes are re-encoded here, instead of > >trying to generically show any digest openssl supports. > > > >Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> NACK > >--- > > libkmod/libkmod-signature.c | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > >diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c > >index b749a818f9..a39059cd7c 100644 > >--- a/libkmod/libkmod-signature.c > >+++ b/libkmod/libkmod-signature.c > >@@ -57,6 +57,9 @@ enum pkey_hash_algo { > > PKEY_HASH_SHA512, > > PKEY_HASH_SHA224, > > PKEY_HASH_SM3, > >+ PKEY_HASH_SHA3_256, > >+ PKEY_HASH_SHA3_384, > >+ PKEY_HASH_SHA3_512, > > PKEY_HASH__LAST > > }; > > > >@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > > [PKEY_HASH_SHA512] = "sha512", > > [PKEY_HASH_SHA224] = "sha224", > > [PKEY_HASH_SM3] = "sm3", > >+ [PKEY_HASH_SHA3_256] = "sha3-256", > >+ [PKEY_HASH_SHA3_384] = "sha3-384", > >+ [PKEY_HASH_SHA3_512] = "sha3-512", > > }; > > > > enum pkey_id_type { 
> >@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o) > > case NID_sm3: > > return PKEY_HASH_SM3; > > # endif > >+ case NID_sha3_256: > >+ return PKEY_HASH_SHA3_256; > >+ case NID_sha3_384: > >+ return PKEY_HASH_SHA3_384; > >+ case NID_sha3_512: > >+ return PKEY_HASH_SHA3_512; > > > with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this > hunk is not needed anymore. Do you want to send a new version of this > patch? This patch is no longer required, given that https://lore.kernel.org/all/20231029010319.157390-1-dimitri.ledkov@canonical.com/ is applied. Upgrade kmod to the one that has at least that patch applied, and then pkcs7 signatures are parsed correctly with everything that a runtime OpenSSL supports. Thus if you want to see SHA3 signatures, ensure your runtime libssl has SHA3 support. > > thanks > Lucas De Marchi > > > default: > > return -1; > > } > >-- > >2.34.1 > > > >
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index b749a818f9..a39059cd7c 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -57,6 +57,9 @@ enum pkey_hash_algo { PKEY_HASH_SHA512, PKEY_HASH_SHA224, PKEY_HASH_SM3, + PKEY_HASH_SHA3_256, + PKEY_HASH_SHA3_384, + PKEY_HASH_SHA3_512, PKEY_HASH__LAST }; @@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", [PKEY_HASH_SM3] = "sm3", + [PKEY_HASH_SHA3_256] = "sha3-256", + [PKEY_HASH_SHA3_384] = "sha3-384", + [PKEY_HASH_SHA3_512] = "sha3-512", }; enum pkey_id_type { @@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o) case NID_sm3: return PKEY_HASH_SM3; # endif + case NID_sha3_256: + return PKEY_HASH_SHA3_256; + case NID_sha3_384: + return PKEY_HASH_SHA3_384; + case NID_sha3_512: + return PKEY_HASH_SHA3_512; default: return -1; }
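Review bot: In the pkey_hash_algo[] hunk (@@ -70,6 +73,9 @@), the new strings are hyphenated ("sha3-256", "sha3-384", "sha3-512") while the neighbouring entries are not ("sha512", "sha224", "sm3"); please add a one-line comment saying which naming these strings follow, so anything that matches on the printed hash name knows what to expect. Because the array is sized by PKEY_HASH__LAST and filled with designated initializers, an enumerator added in the enum hunk without a matching entry here is left NULL, so it is worth confirming that the lookup site tolerates a NULL entry before this table grows further.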
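Review bot: In the obj_to_hash_algo() hunk (@@ -167,6 +173,12 @@), the three new NID_sha3_* cases sit after the `# endif` that closes the guard around `case NID_sm3:`, so unlike SM3 they are compiled unconditionally. If the build is expected to keep working against crypto library headers that do not define NID_sha3_256, NID_sha3_384 or NID_sha3_512, wrap the new cases in the same kind of preprocessor guard; if not, state the minimum required library version in the commit message. The `default: return -1;` path also means a signature using any digest not listed here is reported as unknown rather than by name, which is the limitation the commit message itself questions.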
Add support for parsing FIPS 202 SHA-3 signature hashes. Separately, it is not clear why explicit hashes are re-encoded here, instead of trying to generically show any digest openssl supports. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- libkmod/libkmod-signature.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)