lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALrw=nGSr7F-NJri+UFgBVz5J+KFAS6OXa9EFvYo-qitX9R2bg@mail.gmail.com>
Date: Tue, 20 Jan 2026 18:31:02 +0000
From: Ignat Korchagin <ignat@...udflare.com>
To: David Howells <dhowells@...hat.com>
Cc: Lukas Wunner <lukas@...ner.de>, Jarkko Sakkinen <jarkko@...nel.org>, 
	Herbert Xu <herbert@...dor.apana.org.au>, Eric Biggers <ebiggers@...nel.org>, 
	Luis Chamberlain <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>, 
	Daniel Gomez <da.gomez@...nel.org>, Sami Tolvanen <samitolvanen@...gle.com>, 
	"Jason A . Donenfeld" <Jason@...c4.com>, Ard Biesheuvel <ardb@...nel.org>, Stephan Mueller <smueller@...onox.de>, 
	linux-crypto@...r.kernel.org, keyrings@...r.kernel.org, 
	linux-modules@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v13 11/12] x509, pkcs7: Limit crypto combinations that may
 be used for module signing

Hi David,

On Tue, Jan 20, 2026 at 2:52 PM David Howells <dhowells@...hat.com> wrote:
>
> Limit the set of crypto combinations that may be used for module signing as
> no indication of hash algorithm used for signing is added to the hash of
> the data, so in theory a data blob hashed with a different algorithm can be
> substituted provided it has the same hash output.
>
> This also rejects the use of less secure algorithms.
>
> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: Lukas Wunner <lukas@...ner.de>
> cc: Ignat Korchagin <ignat@...udflare.com>
> cc: Stephan Mueller <smueller@...onox.de>
> cc: Eric Biggers <ebiggers@...nel.org>
> cc: Herbert Xu <herbert@...dor.apana.org.au>
> cc: keyrings@...r.kernel.org
> cc: linux-crypto@...r.kernel.org
> ---
>  crypto/asymmetric_keys/public_key.c | 55 +++++++++++++++++++++++++++--
>  1 file changed, 53 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
> index 13a5616becaa..90b98e1a952d 100644
> --- a/crypto/asymmetric_keys/public_key.c
> +++ b/crypto/asymmetric_keys/public_key.c
> @@ -24,6 +24,52 @@ MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
>  MODULE_AUTHOR("Red Hat, Inc.");
>  MODULE_LICENSE("GPL");
>
> +struct public_key_restriction {
> +       const char      *pkey_algo;     /* Signing algorithm (e.g. "rsa") */
> +       const char      *pkey_enc;      /* Signature encoding (e.g. "pkcs1") */
> +       const char      *hash_algo;     /* Content hash algorithm (e.g. "sha256") */
> +};
> +
> +static const struct public_key_restriction public_key_restrictions[] = {
> +       /* algo                 encoding        hash */
> +       { "rsa",                "pkcs1",        "sha256" },
> +       { "rsa",                "pkcs1",        "sha384" },
> +       { "rsa",                "pkcs1",        "sha512" },
> +       { "rsa",                "emsa-pss",     "sha512" },

Don't we want to allow sha256 for emsa-pss?

> +       { "ecdsa",              "x962",         "sha256" },
> +       { "ecdsa",              "x962",         "sha384" },
> +       { "ecdsa",              "x962",         "sha512" },
> +       { "ecrdsa",             "raw",          "sha256" },
> +       { "ecrdsa",             "raw",          "sha384" },
> +       { "ecrdsa",             "raw",          "sha512" },
> +       { "mldsa44",            "raw",          "sha512" },
> +       { "mldsa65",            "raw",          "sha512" },
> +       { "mldsa87",            "raw",          "sha512" },
> +       /* ML-DSA may also do its own hashing over the entire message. */
> +       { "mldsa44",            "raw",          "-" },
> +       { "mldsa65",            "raw",          "-" },
> +       { "mldsa87",            "raw",          "-" },
> +};
> +
> +/*
> + * Determine if a particular key/hash combination is allowed.
> + */
> +static int is_public_key_sig_allowed(const struct public_key_signature *sig)
> +{
> +       for (int i = 0; i < ARRAY_SIZE(public_key_restrictions); i++) {
> +               if (strcmp(public_key_restrictions[i].pkey_algo, sig->pkey_algo) != 0)
> +                       continue;
> +               if (strcmp(public_key_restrictions[i].pkey_enc, sig->encoding) != 0)
> +                       continue;
> +               if (strcmp(public_key_restrictions[i].hash_algo, sig->hash_algo) != 0)
> +                       continue;
> +               return 0;
> +       }
> +       pr_warn_once("Public key signature combo (%s,%s,%s) rejected\n",
> +                    sig->pkey_algo, sig->encoding, sig->hash_algo);
> +       return -EKEYREJECTED;
> +}
> +
>  /*
>   * Provide a part of a description of the key for /proc/keys.
>   */
> @@ -391,12 +437,17 @@ int public_key_verify_signature(const struct public_key *pkey,
>         bool issig;
>         int ret;
>
> -       pr_devel("==>%s()\n", __func__);
> -
>         BUG_ON(!pkey);
>         BUG_ON(!sig);
>         BUG_ON(!sig->s);
>
> +       ret = is_public_key_sig_allowed(sig);
> +       if (ret < 0)
> +               return ret;
> +
> +       pr_devel("==>%s(%s,%s,%s)\n",
> +                __func__, sig->pkey_algo, sig->encoding, sig->hash_algo);
> +
>         /*
>          * If the signature specifies a public key algorithm, it *must* match
>          * the key's actual public key algorithm.
>

Ignat

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ