From: Joachim Vandersmissen <git@jvdsn.com>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Howells <dhowells@redhat.com>, Simo Sorce <simo@redhat.com>,
Stephan Mueller <smueller@chronox.de>,
Joachim Vandersmissen <git@jvdsn.com>
Subject: [PATCH 2/2] certs: Guard RSA signature verification self-test
Date: Mon, 15 Apr 2024 22:23:47 -0500 [thread overview]
Message-ID: <20240416032347.72663-2-git@jvdsn.com> (raw)
In-Reply-To: <20240416032347.72663-1-git@jvdsn.com>
Currently it is possible to configure the kernel (albeit in a very
contrived manner) such that CRYPTO_RSA is not set, yet
FIPS_SIGNATURE_SELFTEST is set. This would cause a false kernel panic
when executing the RSA PKCS#7 self-test. Guard against this by
introducing a compile-time check.
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
---
crypto/asymmetric_keys/selftest.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/crypto/asymmetric_keys/selftest.c b/crypto/asymmetric_keys/selftest.c
index 68620a9ab974..d2781d0b87d9 100644
--- a/crypto/asymmetric_keys/selftest.c
+++ b/crypto/asymmetric_keys/selftest.c
@@ -23,6 +23,7 @@ struct certs_test {
* be loaded into a temporary keyring for the duration of the testing.
*/
static const u8 certs_selftest_keys[] __initconst = {
+#if IS_ENABLED(CONFIG_CRYPTO_RSA)
/* 4096-bit RSA certificate */
"\x30\x82\x05\x55\x30\x82\x03\x3d\xa0\x03\x02\x01\x02\x02\x14\x73"
"\x98\xea\x98\x2d\xd0\x2e\xa8\xb1\xcf\x57\xc7\xf2\x97\xb3\xe6\x1a"
@@ -110,6 +111,7 @@ static const u8 certs_selftest_keys[] __initconst = {
"\xad\x5a\xf5\xb3\xdb\x69\x21\x04\xfd\xd3\x1c\xdf\x94\x9d\x56\xb0"
"\x0a\xd1\x95\x76\x8d\xec\x9e\xdd\x0b\x15\x97\x64\xad\xe5\xf2\x62"
"\x02\xfc\x9e\x5f\x56\x42\x39\x05\xb3"
+#endif
#if IS_ENABLED(CONFIG_CRYPTO_ECDSA)
/* P-256 ECDSA certificate */
"\x30\x82\x01\xd4\x30\x82\x01\x7b\xa0\x03\x02\x01\x02\x02\x14\x2e"
@@ -228,7 +230,9 @@ static const u8 certs_selftest_ecdsa_pkcs7[] __initconst = {
*/
#define TEST(data, pkcs7) { data, sizeof(data) - 1, pkcs7, sizeof(pkcs7) - 1 }
static const struct certs_test certs_tests[] __initconst = {
+#if IS_ENABLED(CONFIG_CRYPTO_RSA)
TEST(certs_selftest_data, certs_selftest_rsa_pkcs7),
+#endif
#if IS_ENABLED(CONFIG_CRYPTO_ECDSA)
TEST(certs_selftest_data, certs_selftest_ecdsa_pkcs7),
#endif
--
2.44.0
next prev parent reply other threads:[~2024-04-16 3:24 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-16 3:23 [PATCH 1/2] certs: Add ECDSA signature verification self-test Joachim Vandersmissen
2024-04-16 3:23 ` Joachim Vandersmissen [this message]
2024-04-16 8:59 ` [PATCH 2/2] certs: Guard RSA " Herbert Xu
2024-04-16 13:39 ` Joachim Vandersmissen
2024-04-18 4:01 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240416032347.72663-2-git@jvdsn.com \
--to=git@jvdsn.com \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=simo@redhat.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox