Message-ID: <CABCJKueCeHDpu+KMTT9z_iNP2Ljipt6r4KkJ-8h4ysoTRoCW4A@mail.gmail.com>
Date: Fri, 30 Jan 2026 09:53:07 -0800
From: Sami Tolvanen <samitolvanen@...gle.com>
To: Mark Brown <broonie@...nel.org>
Cc: David Howells <dhowells@...hat.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Next Mailing List <linux-next@...r.kernel.org>, Petr Pavlu <petr.pavlu@...e.com>
Subject: Re: linux-next: manual merge of the keys-next tree with the modules tree
On Fri, Jan 30, 2026 at 9:20 AM Mark Brown <broonie@...nel.org> wrote:
>
> Hi all,
>
> Today's linux-next merge of the keys-next tree got a conflict in:
>
> scripts/sign-file.c
>
> between commit:
>
> d7afd65b4acc7 ("sign-file: Use only the OpenSSL CMS API for signing")
>
> from the modules tree and commit:
>
> 7ca1c9dcb7b0c ("modsign: Enable ML-DSA module signing")
>
> from the keys-next tree.
>
> I fixed it up (see below) and can carry the fix as necessary. This
> is now fixed as far as linux-next is concerned, but any non trivial
> conflicts should be mentioned to your upstream maintainer when your tree
> is submitted for merging. You may also want to consider cooperating
> with the maintainer of the conflicting tree to minimise any particularly
> complex conflicts.
>
> diff --cc scripts/sign-file.c
> index 16f2bf2e1e3ce,547b970972301..0000000000000
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@@ -271,20 -314,46 +271,37 @@@ int main(int argc, char **argv
> digest_algo = EVP_get_digestbyname(hash_algo);
> ERR(!digest_algo, "EVP_get_digestbyname");
>
> -#ifndef USE_PKCS7
> -
> + unsigned int flags =
> + CMS_NOCERTS |
> + CMS_PARTIAL |
> + CMS_BINARY |
> + CMS_DETACHED |
> + CMS_STREAM |
> + CMS_NOSMIMECAP |
> + CMS_NO_SIGNING_TIME |
> + use_keyid;
> +
> + if ((EVP_PKEY_is_a(private_key, "ML-DSA-44") ||
> + EVP_PKEY_is_a(private_key, "ML-DSA-65") ||
> + EVP_PKEY_is_a(private_key, "ML-DSA-87")) &&
> + OPENSSL_VERSION_MAJOR < 4) {
> + /* ML-DSA + CMS_NOATTR is not supported in openssl-3.5
> + * and before.
> + */
> + use_signed_attrs = 0;
> + }
> +
> + flags |= use_signed_attrs;
> +
> /* Load the signature message from the digest buffer. */
> - cms = CMS_sign(NULL, NULL, NULL, NULL,
> - CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
> - CMS_DETACHED | CMS_STREAM);
> + cms = CMS_sign(NULL, NULL, NULL, NULL, flags);
> ERR(!cms, "CMS_sign");
>
> - ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
> - CMS_NOCERTS | CMS_BINARY |
> - CMS_NOSMIMECAP | CMS_NOATTR |
> - use_keyid),
> + ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, flags),
> "CMS_add1_signer");
> - ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1,
> + ERR(CMS_final(cms, bm, NULL, flags) != 1,
> "CMS_final");
>
> -#else
> - pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
> - PKCS7_NOCERTS | PKCS7_BINARY |
> - PKCS7_DETACHED | use_signed_attrs);
> - ERR(!pkcs7, "PKCS7_sign");
> -#endif
> -
> if (save_sig) {
> char *sig_file_name;
> BIO *b;
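
Review bot: "flags |= use_signed_attrs;" in the resolved hunk depends on use_signed_attrs being declared and initialised outside the lines shown; within the hunk it is only ever assigned 0, in the ML-DSA branch. The explicit CMS_NOATTR that the modules-tree side passed to CMS_add1_signer() is gone from the merged flags, so for non-ML-DSA keys that flag is present only if the variable still carries it after the merge; the resolution should confirm the declaration and its initial value survive. Two smaller points: the comment says "openssl-3.5 and before" while the test is "OPENSSL_VERSION_MAJOR < 4", which also covers any later 3.x release, and the same flags word (including CMS_PARTIAL, CMS_DETACHED and CMS_STREAM) is now passed to CMS_add1_signer() and CMS_final(), where the removed lines passed a narrower set to each call.
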
Thanks, Mark. David, I see the patches in keys-next were updated just
a few hours ago. Would it make sense for you to rebase them on top of
next-20260129? Petr's patch removed the use_signed_attrs variable, so
we should ensure it's still initialized correctly. Otherwise the
resolution looks trivial.
Sami