Re: [PATCH v3 3/5] crypto: pkcs7: allow pkcs7_digest() to be called from pkcs7_trust

[Eric Biggers <ebiggers@kernel.org>]

On Thu, Feb 26, 2026 at 10:50:10PM -0500, James Bottomley wrote:
> On Thu, 2026-02-26 at 12:31 -0800, Eric Biggers wrote:
> > On Wed, Feb 25, 2026 at 04:19:05PM -0500, James Bottomley wrote:
> > > +	/*
> > > +	 * if we're being called immediately after parse, the
> > > +	 * signature won't have a calculated digest yet, so
> > > calculate
> > > +	 * one.  This function returns immediately if a digest has
> > > +	 * already been calculated
> > > +	 */
> > > +	pkcs7_digest(pkcs7, sinfo);
> > 
> > pkcs7_digest() can fail, returning an error code and leaving sig->m
> > == NULL && sig->m_size == 0.  Here, the error is just being ignored.
> 
> That's right.  Basically I wasn't sure what to return on error
> (although -ENOKEY looks about right since it will cause retries on a
> different sig chain).
> 
> > Doesn't that then cause the signature verification to proceed against
> > an empty message, rather than anything related to the data provided?
> 
> Not if sig->m is NULL, no, because the verifier will try to reget the
> digest in that case (and error out if it fails).

Can you point to where that happens?  It still looks like it just
proceeds with an empty message.

I would think verifying the message is kind of the point, right?

- Eric