lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260115215100.312611-11-dhowells@redhat.com>
Date: Thu, 15 Jan 2026 21:50:52 +0000
From: David Howells <dhowells@...hat.com>
To: Lukas Wunner <lukas@...ner.de>,
	Ignat Korchagin <ignat@...udflare.com>
Cc: David Howells <dhowells@...hat.com>,
	Jarkko Sakkinen <jarkko@...nel.org>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Eric Biggers <ebiggers@...nel.org>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Daniel Gomez <da.gomez@...nel.org>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	"Jason A . Donenfeld" <Jason@...c4.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Stephan Mueller <smueller@...onox.de>,
	linux-crypto@...r.kernel.org,
	keyrings@...r.kernel.org,
	linux-modules@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH v12 10/10] x509, pkcs7: Limit crypto combinations that may be used for module signing

Limit the set of crypto combinations that may be used for module signing as
no indication of hash algorithm used for signing is added to the hash of
the data, so in theory a data blob hashed with a different algorithm can be
substituted provided it has the same hash output.

This also rejects the use of less secure algorithms.

Signed-off-by: David Howells <dhowells@...hat.com>
cc: Lukas Wunner <lukas@...ner.de>
cc: Ignat Korchagin <ignat@...udflare.com>
cc: Stephan Mueller <smueller@...onox.de>
cc: Eric Biggers <ebiggers@...nel.org>
cc: Herbert Xu <herbert@...dor.apana.org.au>
cc: keyrings@...r.kernel.org
cc: linux-crypto@...r.kernel.org
---
 crypto/asymmetric_keys/public_key.c | 51 +++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 13a5616becaa..78e1194de71c 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -24,6 +24,48 @@ MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
 MODULE_AUTHOR("Red Hat, Inc.");
 MODULE_LICENSE("GPL");
 
+struct public_key_restriction {
+	const char	*pkey_algo;	/* Signing algorithm (e.g. "rsa") */
+	const char	*pkey_enc;	/* Signature encoding (e.g. "pkcs1") */
+	const char	*hash_algo;	/* Content hash algorithm (e.g. "sha256") */
+};
+
+static const struct public_key_restriction public_key_restrictions[] = {
+	/* algo			encoding	hash */
+	{ "rsa",		"pkcs1",	"sha256" },
+	{ "rsa",		"pkcs1",	"sha384" },
+	{ "rsa",		"pkcs1",	"sha512" },
+	{ "rsa",		"emsa-pss",	"sha512" },
+	{ "ecdsa",		"x962",		"sha512" },
+	{ "ecrdsa",		"raw",		"sha512" },
+	{ "mldsa44",		"raw",		"sha512" },
+	{ "mldsa65",		"raw",		"sha512" },
+	{ "mldsa87",		"raw",		"sha512" },
+	/* ML-DSA may also do its own hashing over the entire message. */
+	{ "mldsa44",		"raw",		"-" },
+	{ "mldsa65",		"raw",		"-" },
+	{ "mldsa87",		"raw",		"-" },
+};
+
+/*
+ * Determine if a particular key/hash combination is allowed.
+ */
+static int is_public_key_sig_allowed(const struct public_key_signature *sig)
+{
+	for (int i = 0; i < ARRAY_SIZE(public_key_restrictions); i++) {
+		if (strcmp(public_key_restrictions[i].pkey_algo, sig->pkey_algo) != 0)
+			continue;
+		if (strcmp(public_key_restrictions[i].pkey_enc, sig->encoding) != 0)
+			continue;
+		if (strcmp(public_key_restrictions[i].hash_algo, sig->hash_algo) != 0)
+			continue;
+		return 0;
+	}
+	pr_warn_once("Public key signature combo (%s,%s,%s) rejected\n",
+		     sig->pkey_algo, sig->encoding, sig->hash_algo);
+	return -EKEYREJECTED;
+}
+
 /*
  * Provide a part of a description of the key for /proc/keys.
  */
@@ -391,12 +433,17 @@ int public_key_verify_signature(const struct public_key *pkey,
 	bool issig;
 	int ret;
 
-	pr_devel("==>%s()\n", __func__);
-
 	BUG_ON(!pkey);
 	BUG_ON(!sig);
 	BUG_ON(!sig->s);
 
+	ret = is_public_key_sig_allowed(sig);
+	if (ret < 0)
+		return ret;
+
+	pr_devel("==>%s(%s,%s,%s)\n",
+		 __func__, sig->pkey_algo, sig->encoding, sig->hash_algo);
+
 	/*
 	 * If the signature specifies a public key algorithm, it *must* match
 	 * the key's actual public key algorithm.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ