Re: [PATCH v4 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Blaise Boscaccy" <bboscaccy@linux.microsoft.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v4 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr
Date: Thu, 16 Apr 2026 20:17:45 +0000	[thread overview]
Message-ID: <20260416201746.50505C2BCAF@smtp.kernel.org> (raw)
In-Reply-To: <20260416173500.176716-4-bboscaccy@linux.microsoft.com>

Sashiko AI review found 1 potential issue(s):
- [Medium] Test failures are silently ignored, causing key preparsing to always succeed instead of propagating error codes.
--

commit c10dc39561379c012380a3ebdc109e9849c1a856
Author: James Bottomley <James.Bottomley@HansenPartnership.com>

crypto: pkcs7: add tests for pkcs7_get_authattr

This commit adds example code to the pkcs7_key_type test module. It verifies
a PKCS#7 message and extracts a known authenticated attribute. This helps
validate the pkcs7_get_authattr functionality.

> diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c
> --- a/crypto/asymmetric_keys/pkcs7_key_type.c
> +++ b/crypto/asymmetric_keys/pkcs7_key_type.c

[ ... ]

> @@ -51,16 +52,57 @@ static int pkcs7_view_content(void *ctx, const void *data, size_t len,
>  static int pkcs7_preparse(struct key_preparsed_payload *prep)
>  {
>  	enum key_being_used_for usage = pkcs7_usage;
> +	int ret;
> +	struct pkcs7_message *pkcs7;

[ ... ]

> +	/*
> +	 * the parsed message has no trusted signer, so nothing should
> +	 * be returned here
> +	 */
> +	ret = pkcs7_get_authattr(pkcs7, OID_messageDigest, &data, &len);
> +	if (ret == 0) {
> +		pr_err("OID returned when no trust in signer\n");
> +		goto out;
> +	}

If the OID is incorrectly returned without trust, ret is 0 when jumping to
the out label. Would this still result in a success code even if the function
were updated to return ret instead of 0?

Could ret be set to an error code like -EINVAL before the goto?

> +	/* add trust and check again */
> +	ret = verify_pkcs7_message_sig(NULL, 0, pkcs7,
> +				       VERIFY_USE_SECONDARY_KEYRING, usage,
> +				       NULL, NULL);
> +	if (ret) {
> +		pr_err("verify_pkcs7_message_sig failed!!\n");
> +		goto out;
> +	}
> +	/* now we should find the OID */
> +	ret = pkcs7_get_authattr(pkcs7, OID_messageDigest, &data, &len);
> +	if (ret) {
> +		pr_err("Failed to get message digest\n");
> +		goto out;
> +	}
> +	pr_info("Correctly Got message hash, size=%zu\n", len);
> +
> + out:
> +	pkcs7_free_message(pkcs7);
> +	return 0;
>  }

Does this unconditionally return success? 

If a test fails and jumps to the out label, the error code in ret seems to be
discarded. Should this return ret instead?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260416173500.176716-1-bboscaccy@linux.microsoft.com?part=3

next prev parent reply	other threads:[~2026-04-16 20:17 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-16 17:33 [PATCH v4 00/10] Reintroduce Hornet LSM Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 01/10] crypto: pkcs7: add flag for validated trust on a signed info block Blaise Boscaccy
2026-04-16 19:26   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 02/10] crypto: pkcs7: add ability to extract signed attributes by OID Blaise Boscaccy
2026-04-16 19:56   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 03/10] crypto: pkcs7: add tests for pkcs7_get_authattr Blaise Boscaccy
2026-04-16 20:17   ` sashiko-bot [this message]
2026-04-16 17:33 ` [PATCH v4 04/10] lsm: framework for BPF integrity verification Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 05/10] lsm: security: Add additional enum values for bpf integrity checks Blaise Boscaccy
2026-04-16 17:33 ` [PATCH v4 06/10] security: Hornet LSM Blaise Boscaccy
2026-04-16 21:24   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 07/10] hornet: Introduce gen_sig Blaise Boscaccy
2026-04-16 21:33   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 08/10] hornet: Add a light skeleton data extractor scripts Blaise Boscaccy
2026-04-16 21:44   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 09/10] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2026-04-16 21:55   ` sashiko-bot
2026-04-16 17:33 ` [PATCH v4 10/10] ipe: Add BPF program load policy enforcement via Hornet integration Blaise Boscaccy
2026-04-16 21:03   ` Fan Wu
2026-04-16 22:17   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260416201746.50505C2BCAF@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox