From: Paul Menzel <pmenzel@molgen.mpg.de>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-integrity@vger.kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH 2/2] lib/digsig: Use SHA-1 library instead of crypto_shash
Date: Fri, 15 Aug 2025 18:48:07 +0200 [thread overview]
Message-ID: <46e7ff0c-0014-4b0a-b8dd-17feb05a934e@molgen.mpg.de> (raw)
In-Reply-To: <20250815021733.25689-3-ebiggers@kernel.org>
Dear Eric,
Thank you for your patch.
Am 15.08.25 um 04:17 schrieb Eric Biggers:
> Now that a SHA-1 library API is available, use it instead of
> crypto_shash. This is simpler and faster.
>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
> lib/Kconfig | 3 +--
> lib/digsig.c | 46 ++++++----------------------------------------
> 2 files changed, 7 insertions(+), 42 deletions(-)
>
> diff --git a/lib/Kconfig b/lib/Kconfig
> index c483951b624ff..e629449dd2a36 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -475,12 +475,11 @@ config MPILIB
> which is used by IMA/EVM digital signature extension.
>
> config SIGNATURE
> tristate
> depends on KEYS
> - select CRYPTO
> - select CRYPTO_SHA1
> + select CRYPTO_LIB_SHA1
> select MPILIB
> help
> Digital signature verification. Currently only RSA is supported.
> Implementation is done using GnuPG MPI library
>
> diff --git a/lib/digsig.c b/lib/digsig.c
> index 04b5e55ed95f5..5ddcc52f76863 100644
> --- a/lib/digsig.c
> +++ b/lib/digsig.c
> @@ -16,19 +16,15 @@
>
> #include <linux/err.h>
> #include <linux/module.h>
> #include <linux/slab.h>
> #include <linux/key.h>
> -#include <linux/crypto.h>
> -#include <crypto/hash.h>
> #include <crypto/sha1.h>
> #include <keys/user-type.h>
> #include <linux/mpi.h>
> #include <linux/digsig.h>
>
> -static struct crypto_shash *shash;
> -
> static const char *pkcs_1_v1_5_decode_emsa(const unsigned char *msg,
> unsigned long msglen,
> unsigned long modulus_bitlen,
> unsigned long *outlen)
> {
> @@ -197,16 +193,16 @@ static int digsig_verify_rsa(struct key *key,
> *
> */
> int digsig_verify(struct key *keyring, const char *sig, int siglen,
> const char *data, int datalen)
> {
> - int err = -ENOMEM;
> struct signature_hdr *sh = (struct signature_hdr *)sig;
> - struct shash_desc *desc = NULL;
> + struct sha1_ctx ctx;
> unsigned char hash[SHA1_DIGEST_SIZE];
> struct key *key;
> char name[20];
> + int err;
>
> if (siglen < sizeof(*sh) + 2)
> return -EINVAL;
>
> if (sh->algo != PUBKEY_ALGO_RSA)
> @@ -229,51 +225,21 @@ int digsig_verify(struct key *keyring, const char *sig, int siglen,
> if (IS_ERR(key)) {
> pr_err("key not found, id: %s\n", name);
> return PTR_ERR(key);
> }
>
> - desc = kzalloc(sizeof(*desc) + crypto_shash_descsize(shash),
> - GFP_KERNEL);
> - if (!desc)
> - goto err;
> -
> - desc->tfm = shash;
> -
> - crypto_shash_init(desc);
> - crypto_shash_update(desc, data, datalen);
> - crypto_shash_update(desc, sig, sizeof(*sh));
> - crypto_shash_final(desc, hash);
> -
> - kfree(desc);
> + sha1_init(&ctx);
> + sha1_update(&ctx, data, datalen);
> + sha1_update(&ctx, sig, sizeof(*sh));
> + sha1_final(&ctx, hash);
>
> /* pass signature mpis address */
> err = digsig_verify_rsa(key, sig + sizeof(*sh), siglen - sizeof(*sh),
> hash, sizeof(hash));
>
> -err:
> key_put(key);
>
> return err ? -EINVAL : 0;
> }
> EXPORT_SYMBOL_GPL(digsig_verify);
>
> -static int __init digsig_init(void)
> -{
> - shash = crypto_alloc_shash("sha1", 0, 0);
> - if (IS_ERR(shash)) {
> - pr_err("shash allocation failed\n");
> - return PTR_ERR(shash);
> - }
> -
> - return 0;
> -
> -}
> -
> -static void __exit digsig_cleanup(void)
> -{
> - crypto_free_shash(shash);
> -}
> -
> -module_init(digsig_init);
> -module_exit(digsig_cleanup);
> -
> MODULE_LICENSE("GPL");
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Kind regards,
Paul
next prev parent reply other threads:[~2025-08-15 16:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-15 2:17 [PATCH 0/2] Convert lib/digsig.c to SHA-1 library Eric Biggers
2025-08-15 2:17 ` [PATCH 1/2] integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS Eric Biggers
2025-08-15 16:48 ` Paul Menzel
2025-08-15 2:17 ` [PATCH 2/2] lib/digsig: Use SHA-1 library instead of crypto_shash Eric Biggers
2025-08-15 16:48 ` Paul Menzel [this message]
2025-08-19 18:11 ` [PATCH 0/2] Convert lib/digsig.c to SHA-1 library Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46e7ff0c-0014-4b0a-b8dd-17feb05a934e@molgen.mpg.de \
--to=pmenzel@molgen.mpg.de \
--cc=dmitry.kasatkin@gmail.com \
--cc=ebiggers@kernel.org \
--cc=eric.snowberg@oracle.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).