Recent patches to cryptodev removed support for insecure, broken or
weak x509/pkcs7 signing hashes MD4, MD5, SHA1, SHA-224. This opens
room to add SHA-3 family of hashes, which are not yet broken.
Add support for FIPS 202 SHA-3 in x509 RSA & ECC certs, pkcs7
signatures, hash info structs. And adjust documentation.
This enables using SHA-3 family of hashes for kernel module signing.
For SHA3+ECC signing openssl with this patch [0] is needed, currently
in openssl development tip. SHA3+RSA signing is supported by stable
openssl.
kmod needs a patch to recognise SHA3 hash names [1], submitted
separately.
This patch series is on top of tip of cryptodev git repository commit
a2786e8bdd ("crypto: qcom-rng - Add missing dependency on hw_random")
[0] https://github.com/openssl/openssl/pull/22147/files
[1] https://lore.kernel.org/all/[email protected]/
Dimitri John Ledkov (6):
x509: Add OIDs for FIPS 202 SHA-3 hash and signatures
crypto: FIPS 202 SHA-3 register in hash info for IMA
crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support
crypto: x509 pkcs7 - allow FIPS 202 SHA-3 signatures
crypto: enable automatic module signing with FIPS 202 SHA-3
Documentation/module-signing.txt: bring up to date
Documentation/admin-guide/module-signing.rst | 17 ++++++++-----
certs/Kconfig | 2 +-
crypto/asymmetric_keys/mscode_parser.c | 9 +++++++
crypto/asymmetric_keys/pkcs7_parser.c | 12 ++++++++++
crypto/asymmetric_keys/public_key.c | 5 +++-
crypto/asymmetric_keys/x509_cert_parser.c | 24 +++++++++++++++++++
crypto/hash_info.c | 6 +++++
crypto/rsa-pkcs1pad.c | 25 +++++++++++++++++++-
crypto/testmgr.c | 12 ++++++++++
include/crypto/hash_info.h | 1 +
include/linux/oid_registry.h | 11 +++++++++
include/uapi/linux/hash_info.h | 3 +++
kernel/module/Kconfig | 15 ++++++++++++
13 files changed, 133 insertions(+), 9 deletions(-)
--
2.34.1
Register FIPS 202 SHA-3 hashes in hash info for IMA and other
users. Only sizes 256 and up are registered, as 224 is too weak for
any practical purposes.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/hash_info.c | 6 ++++++
include/crypto/hash_info.h | 1 +
include/uapi/linux/hash_info.h | 3 +++
3 files changed, 10 insertions(+)
diff --git a/crypto/hash_info.c b/crypto/hash_info.c
index a49ff96bde..9a467638c9 100644
--- a/crypto/hash_info.c
+++ b/crypto/hash_info.c
@@ -29,6 +29,9 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
[HASH_ALGO_SM3_256] = "sm3",
[HASH_ALGO_STREEBOG_256] = "streebog256",
[HASH_ALGO_STREEBOG_512] = "streebog512",
+ [HASH_ALGO_SHA3_256] = "sha3-256",
+ [HASH_ALGO_SHA3_384] = "sha3-384",
+ [HASH_ALGO_SHA3_512] = "sha3-512",
};
EXPORT_SYMBOL_GPL(hash_algo_name);
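Review bot: `"sha3-256"`, `"sha3-384"` and `"sha3-512"` are the first names in the visible part of this table to contain a hyphen, and the same spelling is repeated by hand in the rsa-pkcs1pad template macro, the testmgr entries and the `MODULE_SIG_HASH` defaults elsewhere in this series. A comment above the new entries, such as `/* SHA-3 names use the hyphenated spelling; keep in step with rsa-pkcs1pad and MODULE_SIG_HASH */`, would make that coupling visible. Presumably consumers pass these strings on as algorithm names, so a mismatch would surface only at run time as a failed lookup rather than at build time.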
@@ -53,5 +56,8 @@ const int hash_digest_size[HASH_ALGO__LAST] = {
[HASH_ALGO_SM3_256] = SM3256_DIGEST_SIZE,
[HASH_ALGO_STREEBOG_256] = STREEBOG256_DIGEST_SIZE,
[HASH_ALGO_STREEBOG_512] = STREEBOG512_DIGEST_SIZE,
+ [HASH_ALGO_SHA3_256] = SHA3_256_DIGEST_SIZE,
+ [HASH_ALGO_SHA3_384] = SHA3_384_DIGEST_SIZE,
+ [HASH_ALGO_SHA3_512] = SHA3_512_DIGEST_SIZE,
};
EXPORT_SYMBOL_GPL(hash_digest_size);
diff --git a/include/crypto/hash_info.h b/include/crypto/hash_info.h
index dd4f067850..d6927739f8 100644
--- a/include/crypto/hash_info.h
+++ b/include/crypto/hash_info.h
@@ -10,6 +10,7 @@
#include <crypto/sha1.h>
#include <crypto/sha2.h>
+#include <crypto/sha3.h>
#include <crypto/md5.h>
#include <crypto/streebog.h>
diff --git a/include/uapi/linux/hash_info.h b/include/uapi/linux/hash_info.h
index 74a8609fcb..0af23ec196 100644
--- a/include/uapi/linux/hash_info.h
+++ b/include/uapi/linux/hash_info.h
@@ -35,6 +35,9 @@ enum hash_algo {
HASH_ALGO_SM3_256,
HASH_ALGO_STREEBOG_256,
HASH_ALGO_STREEBOG_512,
+ HASH_ALGO_SHA3_256,
+ HASH_ALGO_SHA3_384,
+ HASH_ALGO_SHA3_512,
HASH_ALGO__LAST
};
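Review bot: The new enumerators are appended directly before `HASH_ALGO__LAST`, which keeps every existing value stable, but nothing in the hunk records that this is required. Since this is a uapi header and the numeric values are presumably stored or exchanged outside the kernel, a comment such as `/* values are ABI: append new algorithms only, immediately before HASH_ALGO__LAST */` would protect the next addition. Userspace built against the older header can now see values at or above its own `HASH_ALGO__LAST`, so any array it sizes with that constant needs a bounds check before indexing. The enum begins outside the hunk.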
--
2.34.1
Add support in rsa-pkcs1pad for FIPS 202 SHA-3 hashes, sizes 256 and
up, as 224 is too weak for any practical purposes.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
crypto/rsa-pkcs1pad.c | 25 ++++++++++++++++++++++++-
crypto/testmgr.c | 12 ++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c
index d2e5e104f8..e32e497d29 100644
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -61,6 +61,24 @@ static const u8 rsa_digest_info_sha512[] = {
0x05, 0x00, 0x04, 0x40
};
+static const u8 rsa_digest_info_sha3_256[] = {
+ 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08,
+ 0x05, 0x00, 0x04, 0x20
+};
+
+static const u8 rsa_digest_info_sha3_384[] = {
+ 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09,
+ 0x05, 0x00, 0x04, 0x30
+};
+
+static const u8 rsa_digest_info_sha3_512[] = {
+ 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0A,
+ 0x05, 0x00, 0x04, 0x40
+};
+
static const struct rsa_asn1_template {
const char *name;
const u8 *data;
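Review bot: The three new DigestInfo prefixes are bare byte arrays with nothing saying which OID and digest length each one encodes, and a single wrong byte here makes every signature using that hash fail verification with no build-time signal. A one-line comment per array would let a reviewer check them against the OID registry, e.g. `/* DigestInfo prefix: id-sha3-256 (2.16.840.1.101.3.4.2.8), NULL params, 32-byte OCTET STRING */`. `0x0A` in `rsa_digest_info_sha3_512` is also the only upper-case hex digit among the added bytes; `0x0a` matches the rest. The `rsa_asn1_template` definition continues past this hunk.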
@@ -74,8 +92,13 @@ static const struct rsa_asn1_template {
_(sha384),
_(sha512),
_(sha224),
- { NULL }
#undef _
+#define _(X) { "sha3-" #X, rsa_digest_info_sha3_##X, sizeof(rsa_digest_info_sha3_##X) }
+ _(256),
+ _(384),
+ _(512),
+#undef _
+ { NULL }
};
static const struct rsa_asn1_template *rsa_lookup_asn1(const char *name)
diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 54135c7610..a074430223 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5468,6 +5468,18 @@ static const struct alg_test_desc alg_test_descs[] = {
.alg = "pkcs1pad(rsa,sha512)",
.test = alg_test_null,
.fips_allowed = 1,
+ }, {
+ .alg = "pkcs1pad(rsa,sha3-256)",
+ .test = alg_test_null,
+ .fips_allowed = 1,
+ }, {
+ .alg = "pkcs1pad(rsa,sha3-384)",
+ .test = alg_test_null,
+ .fips_allowed = 1,
+ }, {
+ .alg = "pkcs1pad(rsa,sha3-512)",
+ .test = alg_test_null,
+ .fips_allowed = 1,
}, {
.alg = "poly1305",
.test = alg_test_hash,
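Review bot: The three `pkcs1pad(rsa,sha3-*)` entries are inserted after `pkcs1pad(rsa,sha512)`, but by byte comparison `sha3-256` sorts before both `sha384` and `sha512` ('-' is below '8', and '3' is below '5'). `alg_test_descs[]` is expected to be kept sorted by `.alg` because the lookup in this file is a binary search; that lookup and the order check are outside the hunk, so this is inferred. If it holds, the new entries may be missed, and then neither the entry nor its `fips_allowed` flag takes effect. Move the three entries to sit directly after the `pkcs1pad(rsa,sha256)` entry. Separately, `.test = alg_test_null` marks the new combinations `fips_allowed` without exercising any test vector, matching the sha512 entry above but leaving a known-answer test to add later.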
--
2.34.1
Add OID for FIPS 202 SHA-3 family of hash functions, RSA & ECDSA
signatures using those. Limit to 256 or larger sizes, for
interoperability reasons. 224 is too weak for any practical uses.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
include/linux/oid_registry.h | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 8b79e55cfc..3921fbed0b 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -129,6 +129,17 @@ enum OID {
OID_TPMImportableKey, /* 2.23.133.10.1.4 */
OID_TPMSealedData, /* 2.23.133.10.1.5 */
+ /* CSOR FIPS-202 SHA-3 */
+ OID_sha3_256, /* 2.16.840.1.101.3.4.2.8 */
+ OID_sha3_384, /* 2.16.840.1.101.3.4.2.9 */
+ OID_sha3_512, /* 2.16.840.1.101.3.4.2.10 */
+ OID_id_ecdsa_with_sha3_256, /* 2.16.840.1.101.3.4.3.10 */
+ OID_id_ecdsa_with_sha3_384, /* 2.16.840.1.101.3.4.3.11 */
+ OID_id_ecdsa_with_sha3_512, /* 2.16.840.1.101.3.4.3.12 */
+ OID_id_rsassa_pkcs1_v1_5_with_sha3_256, /* 2.16.840.1.101.3.4.3.14 */
+ OID_id_rsassa_pkcs1_v1_5_with_sha3_384, /* 2.16.840.1.101.3.4.3.15 */
+ OID_id_rsassa_pkcs1_v1_5_with_sha3_512, /* 2.16.840.1.101.3.4.3.16 */
+
OID__NR
};
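Review bot: The block comment `/* CSOR FIPS-202 SHA-3 */` does not say that the SHA3-224 identifiers are left out on purpose, although the numbering shows it (the list jumps from `...3.4.3.12` to `...3.4.3.14`). Recording the intent, e.g. `/* CSOR FIPS-202 SHA-3; the 224-bit variants are deliberately not registered */`, stops a later contributor from completing the list and re-admitting a hash the commit message calls too weak. The enum starts outside the hunk.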
--
2.34.1
Add Kconfig options to use SHA-3 for kernel module signing. The 256
size is offered for RSA only, and the higher sizes for both RSA and
NIST P-384.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
certs/Kconfig | 2 +-
kernel/module/Kconfig | 15 +++++++++++++++
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/certs/Kconfig b/certs/Kconfig
index 84582de66b..69d192a32d 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -30,7 +30,7 @@ config MODULE_SIG_KEY_TYPE_RSA
config MODULE_SIG_KEY_TYPE_ECDSA
bool "ECDSA"
select CRYPTO_ECDSA
- depends on MODULE_SIG_SHA384 || MODULE_SIG_SHA512
+ depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
help
Use an elliptic curve key (NIST P384) for module signing. Use
a strong hash of same or higher bit length, i.e. sha384 or
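Review bot: The rewritten `depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)` turns an allow-list into a deny-list, so any hash option added to the module-signing choice later becomes selectable with the P-384 key unless someone remembers to exclude it here. Listing the accepted hashes fails closed instead: `depends on MODULE_SIG_SHA384 || MODULE_SIG_SHA512 || MODULE_SIG_SHA3_384 || MODULE_SIG_SHA3_512`. The help text below still reads "i.e. sha384 or" and continues outside the hunk; it should name the SHA-3 sizes as well if it does not already.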
diff --git a/kernel/module/Kconfig b/kernel/module/Kconfig
index 9d7d45525f..0ea1b2970a 100644
--- a/kernel/module/Kconfig
+++ b/kernel/module/Kconfig
@@ -248,6 +248,18 @@ config MODULE_SIG_SHA512
bool "Sign modules with SHA-512"
select CRYPTO_SHA512
+config MODULE_SIG_SHA3_256
+ bool "Sign modules with SHA3-256"
+ select CRYPTO_SHA3
+
+config MODULE_SIG_SHA3_384
+ bool "Sign modules with SHA3-384"
+ select CRYPTO_SHA3
+
+config MODULE_SIG_SHA3_512
+ bool "Sign modules with SHA3-512"
+ select CRYPTO_SHA3
+
endchoice
config MODULE_SIG_HASH
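Review bot: The three new `MODULE_SIG_SHA3_*` entries carry no help text, and the cover letter says signing with them depends on tooling that is not yet universal (a kmod patch to recognise the SHA3 hash names, and a development openssl for SHA3 with ECC). A short `help` block on each option stating that would keep someone from selecting a hash whose signed modules their userspace tools cannot yet handle. The `MODULE_SIG_SHA3_256` text would additionally say it is RSA-only, since certs/Kconfig in this same patch excludes it for the ECDSA key type.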
@@ -256,6 +268,9 @@ config MODULE_SIG_HASH
default "sha256" if MODULE_SIG_SHA256
default "sha384" if MODULE_SIG_SHA384
default "sha512" if MODULE_SIG_SHA512
+ default "sha3-256" if MODULE_SIG_SHA3_256
+ default "sha3-384" if MODULE_SIG_SHA3_384
+ default "sha3-512" if MODULE_SIG_SHA3_512
choice
prompt "Module compression mode"
--
2.34.1
Update the documentation to mention that ECC NIST P-384 automatic
keypair generation is available to use ECDSA signature type, in
addition to the RSA.
Drop mentions of the now removed SHA-1 and SHA-224 options.
Add the just added FIPS 202 SHA-3 module signature hashes.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
Documentation/admin-guide/module-signing.rst | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 2898b27032..a8667a7774 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -28,10 +28,10 @@ trusted userspace bits.
This facility uses X.509 ITU-T standard certificates to encode the public keys
involved. The signatures are not themselves encoded in any industrial standard
-type. The facility currently only supports the RSA public key encryption
-standard (though it is pluggable and permits others to be used). The possible
-hash algorithms that can be used are SHA-1, SHA-224, SHA-256, SHA-384, and
-SHA-512 (the algorithm is selected by data in the signature).
+type. The built-in facility currently only supports the RSA & NIST P-384 ECDSA
+public key signing standard (though it is pluggable and permits others to be
+used). The possible hash algorithms that can be used are SHA-2 and SHA-3 of
+sizes 256, 384, and 512 (the algorithm is selected by data in the signature).
==========================
@@ -81,11 +81,12 @@ This has a number of options available:
sign the modules with:
=============================== ==========================================
- ``CONFIG_MODULE_SIG_SHA1`` :menuselection:`Sign modules with SHA-1`
- ``CONFIG_MODULE_SIG_SHA224`` :menuselection:`Sign modules with SHA-224`
``CONFIG_MODULE_SIG_SHA256`` :menuselection:`Sign modules with SHA-256`
``CONFIG_MODULE_SIG_SHA384`` :menuselection:`Sign modules with SHA-384`
``CONFIG_MODULE_SIG_SHA512`` :menuselection:`Sign modules with SHA-512`
+ ``CONFIG_MODULE_SIG_SHA3_256`` :menuselection:`Sign modules with SHA3-256`
+ ``CONFIG_MODULE_SIG_SHA3_384`` :menuselection:`Sign modules with SHA3-384`
+ ``CONFIG_MODULE_SIG_SHA3_512`` :menuselection:`Sign modules with SHA3-512`
=============================== ==========================================
The algorithm selected here will also be built into the kernel (rather
@@ -145,6 +146,10 @@ into vmlinux) using parameters in the::
file (which is also generated if it does not already exist).
+One can select between RSA (``MODULE_SIG_KEY_TYPE_RSA``) and ECDSA
+(``MODULE_SIG_KEY_TYPE_ECDSA``) to generate either RSA 4k or NIST
+P-384 keypair.
+
It is strongly recommended that you provide your own x509.genkey file.
Most notably, in the x509.genkey file, the req_distinguished_name section
--
2.34.1
On Sun, Oct 22, 2023 at 07:22:02PM +0100, Dimitri John Ledkov wrote:
> Recent patches to cryptodev removed support for insecure, broken or
> weak x509/pkcs7 signing hashes MD4, MD5, SHA1, SHA-224. This opens
> room to add SHA-3 family of hashes, which are not yet broken.
>
> Add support for FIPS 202 SHA-3 in x509 RSA & ECC certs, pkcs7
> signatures, hash info structs. And adjust documentation.
>
> This enables using SHA-3 family of hashes for kernel module signing.
>
> For SHA3+ECC signing openssl with this patch [0] is needed, currently
> in openssl development tip. SHA3+RSA signing is supported by stable
> openssl.
>
> kmod needs a patch to recognise SHA3 hash names [1], submitted
> separately.
>
> This patch series is on top of tip of cryptodev git repository commit
> a2786e8bdd ("crypto: qcom-rng - Add missing dependency on hw_random")
>
> [0] https://github.com/openssl/openssl/pull/22147/files
> [1] https://lore.kernel.org/all/[email protected]/
>
> Dimitri John Ledkov (6):
> x509: Add OIDs for FIPS 202 SHA-3 hash and signatures
> crypto: FIPS 202 SHA-3 register in hash info for IMA
> crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support
> crypto: x509 pkcs7 - allow FIPS 202 SHA-3 signatures
> crypto: enable automatic module signing with FIPS 202 SHA-3
> Documentation/module-signing.txt: bring up to date
>
> Documentation/admin-guide/module-signing.rst | 17 ++++++++-----
> certs/Kconfig | 2 +-
> crypto/asymmetric_keys/mscode_parser.c | 9 +++++++
> crypto/asymmetric_keys/pkcs7_parser.c | 12 ++++++++++
> crypto/asymmetric_keys/public_key.c | 5 +++-
> crypto/asymmetric_keys/x509_cert_parser.c | 24 +++++++++++++++++++
> crypto/hash_info.c | 6 +++++
> crypto/rsa-pkcs1pad.c | 25 +++++++++++++++++++-
> crypto/testmgr.c | 12 ++++++++++
> include/crypto/hash_info.h | 1 +
> include/linux/oid_registry.h | 11 +++++++++
> include/uapi/linux/hash_info.h | 3 +++
> kernel/module/Kconfig | 15 ++++++++++++
> 13 files changed, 133 insertions(+), 9 deletions(-)
>
> --
> 2.34.1
All applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt