This option provides support for parsing PKCS#7 format messages for
signature data and provides the ability to verify the signature.
+config PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
+ bool "Waive rejection of authenticatedAttributes for ML-DSA"
+ depends on PKCS7_MESSAGE_PARSER
+ depends on CRYPTO_MLDSA
+ help
+ Due to use of CMS_NOATTR with ML-DSA not being supported in
+ OpenSSL < 4.0 (and thus any released version), enabling this
+ allows authenticatedAttributes to be used with ML-DSA for
+ module signing. Use of authenticatedAttributes in this
+ context is normally rejected.
+
config PKCS7_TEST_KEY
tristate "PKCS#7 testing key type"
depends on SYSTEM_DATA_VERIFICATION
if (!sinfo)
goto inconsistent;
+#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
+ msg->authattrs_rej_waivable = true;
+#endif
+
if (sinfo->authattrs) {
want = true;
msg->have_authattrs = true;
+#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
+ if (strncmp(sinfo->sig->pkey_algo, "mldsa", 5) != 0)
+ msg->authattrs_rej_waivable = false;
+#endif
} else if (sinfo->sig->algo_takes_data) {
sinfo->sig->hash_algo = "none";
}
struct pkcs7_signed_info *signed_infos;
u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
bool have_authattrs; /* T if have authattrs */
+#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
+ bool authattrs_rej_waivable; /* T if authatts rejection can be waived */
+#endif
/* Content Data (or NULL) */
enum OID data_type; /* Type of Data */
return -EKEYREJECTED;
}
if (pkcs7->have_authattrs) {
+#ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
+ if (pkcs7->authattrs_rej_waivable) {
+ pr_warn("Waived invalid module sig (has authattrs)\n");
+ break;
+ }
+#endif
pr_warn("Invalid module sig (has authattrs)\n");
return -EKEYREJECTED;
}
projects / thirdparty / linux.git / commitdiff
