You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
144 lines
3.9 KiB
144 lines
3.9 KiB
4 years ago
|
From 628677e066198d8658d7edd5511a5bb27cd229f5 Mon Sep 17 00:00:00 2001
|
||
|
From: Stefan Strogin <steils@gentoo.org>
|
||
|
Date: Sun, 19 May 2019 03:42:01 +0300
|
||
|
Subject: [PATCH] libkmod-signature: use PKCS#7 instead of CMS
|
||
|
|
||
|
Linux uses either PKCS #7 or CMS for signing modules (see
|
||
|
scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
|
||
|
so PKCS #7 is used on systems with these libcrypto providers.
|
||
|
|
||
|
CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
|
||
|
possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
|
||
|
the latest OpenSSL as well as CMS. The fields used for signing kernel
|
||
|
modules are supported both in PKCS #7 and CMS.
|
||
|
|
||
|
For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
|
||
|
newer.
|
||
|
|
||
|
Use PKCS #7 for parsing module signature information, so that modinfo
|
||
|
could be used both with OpenSSL and LibreSSL.
|
||
|
|
||
|
[1] https://tools.ietf.org/html/rfc5652#section-1.1
|
||
|
|
||
|
Changes v1->v2:
|
||
|
- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
|
||
|
with OpenSSL and LibreSSL.
|
||
|
|
||
|
Upstream-Status: Accepted
|
||
|
[https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5]
|
||
|
Signed-off-by: Stefan Strogin <steils@gentoo.org>
|
||
|
---
|
||
|
libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
|
||
|
1 file changed, 19 insertions(+), 18 deletions(-)
|
||
|
|
||
|
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
|
||
|
index 48d0145..4e8748c 100644
|
||
|
--- a/libkmod/libkmod-signature.c
|
||
|
+++ b/libkmod/libkmod-signature.c
|
||
|
@@ -20,7 +20,7 @@
|
||
|
#include <endian.h>
|
||
|
#include <inttypes.h>
|
||
|
#ifdef ENABLE_OPENSSL
|
||
|
-#include <openssl/cms.h>
|
||
|
+#include <openssl/pkcs7.h>
|
||
|
#include <openssl/ssl.h>
|
||
|
#endif
|
||
|
#include <stdio.h>
|
||
|
@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
|
||
|
#ifdef ENABLE_OPENSSL
|
||
|
|
||
|
struct pkcs7_private {
|
||
|
- CMS_ContentInfo *cms;
|
||
|
+ PKCS7 *pkcs7;
|
||
|
unsigned char *key_id;
|
||
|
BIGNUM *sno;
|
||
|
};
|
||
|
@@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
|
||
|
struct kmod_signature_info *si = s;
|
||
|
struct pkcs7_private *pvt = si->private;
|
||
|
|
||
|
- CMS_ContentInfo_free(pvt->cms);
|
||
|
+ PKCS7_free(pvt->pkcs7);
|
||
|
BN_free(pvt->sno);
|
||
|
free(pvt->key_id);
|
||
|
free(pvt);
|
||
|
@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
||
|
struct kmod_signature_info *sig_info)
|
||
|
{
|
||
|
const char *pkcs7_raw;
|
||
|
- CMS_ContentInfo *cms;
|
||
|
- STACK_OF(CMS_SignerInfo) *sis;
|
||
|
- CMS_SignerInfo *si;
|
||
|
- int rc;
|
||
|
- ASN1_OCTET_STRING *key_id;
|
||
|
+ PKCS7 *pkcs7;
|
||
|
+ STACK_OF(PKCS7_SIGNER_INFO) *sis;
|
||
|
+ PKCS7_SIGNER_INFO *si;
|
||
|
+ PKCS7_ISSUER_AND_SERIAL *is;
|
||
|
X509_NAME *issuer;
|
||
|
ASN1_INTEGER *sno;
|
||
|
ASN1_OCTET_STRING *sig;
|
||
|
@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
||
|
|
||
|
in = BIO_new_mem_buf(pkcs7_raw, sig_len);
|
||
|
|
||
|
- cms = d2i_CMS_bio(in, NULL);
|
||
|
- if (cms == NULL) {
|
||
|
+ pkcs7 = d2i_PKCS7_bio(in, NULL);
|
||
|
+ if (pkcs7 == NULL) {
|
||
|
BIO_free(in);
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
BIO_free(in);
|
||
|
|
||
|
- sis = CMS_get0_SignerInfos(cms);
|
||
|
+ sis = PKCS7_get_signer_info(pkcs7);
|
||
|
if (sis == NULL)
|
||
|
goto err;
|
||
|
|
||
|
- si = sk_CMS_SignerInfo_value(sis, 0);
|
||
|
+ si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
|
||
|
if (si == NULL)
|
||
|
goto err;
|
||
|
|
||
|
- rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
|
||
|
- if (rc == 0)
|
||
|
+ is = si->issuer_and_serial;
|
||
|
+ if (is == NULL)
|
||
|
goto err;
|
||
|
+ issuer = is->issuer;
|
||
|
+ sno = is->serial;
|
||
|
|
||
|
- sig = CMS_SignerInfo_get0_signature(si);
|
||
|
+ sig = si->enc_digest;
|
||
|
if (sig == NULL)
|
||
|
goto err;
|
||
|
|
||
|
- CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
|
||
|
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
|
||
|
|
||
|
sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
|
||
|
sig_info->sig_len = ASN1_STRING_length(sig);
|
||
|
@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
|
||
|
if (pvt == NULL)
|
||
|
goto err3;
|
||
|
|
||
|
- pvt->cms = cms;
|
||
|
+ pvt->pkcs7 = pkcs7;
|
||
|
pvt->key_id = key_id_str;
|
||
|
pvt->sno = sno_bn;
|
||
|
sig_info->private = pvt;
|
||
|
@@ -290,7 +291,7 @@ err3:
|
||
|
err2:
|
||
|
BN_free(sno_bn);
|
||
|
err:
|
||
|
- CMS_ContentInfo_free(cms);
|
||
|
+ PKCS7_free(pkcs7);
|
||
|
return false;
|
||
|
}
|
||
|
|
||
|
--
|
||
|
2.21.0
|
||
|
|