From: Stefan Strogin <stefan.strogin@gmail.com>
To: linux-modules@vger.kernel.org
Cc: stefan.strogin@gmail.com, ykaliuta@redhat.com, lucas.demarchi@intel.com
Subject: [PATCH] libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL
Date: Fri, 15 Feb 2019 06:13:40 +0200 [thread overview]
Message-ID: <20190215041340.29258-1-stefan.strogin@gmail.com> (raw)
The Linux kernel signs modules with either PKCS #7 or CMS (scripts/sign-file.c).
LibreSSL does not support CMS, so PKCS #7 is used there instead.
Until now modinfo used CMS with no alternative, which required OpenSSL >= 1.1.0
built with CMS support.
Use PKCS #7 for parsing module signature information when CMS is not available.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
---
libkmod/libkmod-signature.c | 78 +++++++++++++++++++++++++++++++++++--
1 file changed, 75 insertions(+), 3 deletions(-)
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 48d0145..aa2a60e 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -20,9 +20,16 @@
#include <endian.h>
#include <inttypes.h>
#ifdef ENABLE_OPENSSL
-#include <openssl/cms.h>
-#include <openssl/ssl.h>
-#endif
+# include <openssl/ssl.h>
+# if defined(LIBRESSL_VERSION_NUMBER) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L || \
+ defined(OPENSSL_NO_CMS)
+# define USE_PKCS7
+# include <openssl/pkcs7.h>
+# else
+# include <openssl/cms.h>
+# endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* ENABLE_OPENSSL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
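Review bot: The closing comment on the new `#endif /* LIBRESSL_VERSION_NUMBER */` no longer matches its condition, which also selects PKCS #7 for OpenSSL < 1.1.0 and for builds defining OPENSSL_NO_CMS; `#endif /* USE_PKCS7 */` would describe it accurately. The same version test (LibreSSL < 2.7.0 or OpenSSL < 1.1.0) is then repeated twice further down in this patch to choose between `ASN1_STRING_data` and `ASN1_STRING_get0_data`; defining a compatibility alias once in this header block, `#define ASN1_STRING_get0_data ASN1_STRING_data` under that condition, would let both call sites use the modern name unconditionally. The 1.1.0 cutoff for CMS also deserves a one-line comment, since it presumably exists because of the accessor APIs used by the CMS branch rather than CMS being absent from 1.0.x — confirm and state the reason so the bound is not lowered by accident later.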
@@ -122,7 +129,11 @@ static bool fill_default(const char *mem, off_t size,
#ifdef ENABLE_OPENSSL
struct pkcs7_private {
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
+#else
+ PKCS7 *pkcs7;
+#endif
unsigned char *key_id;
BIGNUM *sno;
};
@@ -132,7 +143,11 @@ static void pkcs7_free(void *s)
struct kmod_signature_info *si = s;
struct pkcs7_private *pvt = si->private;
+#ifndef USE_PKCS7
CMS_ContentInfo_free(pvt->cms);
+#else
+ PKCS7_free(pvt->pkcs7);
+#endif
BN_free(pvt->sno);
free(pvt->key_id);
free(pvt);
@@ -187,7 +202,13 @@ static const char *x509_name_to_str(X509_NAME *name)
return NULL;
d = X509_NAME_ENTRY_get_data(e);
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L
+ str = (const char *)ASN1_STRING_data(d);
+#else
str = (const char *)ASN1_STRING_get0_data(d);
+#endif
return str;
}
@@ -197,11 +218,18 @@ static bool fill_pkcs7(const char *mem, off_t size,
struct kmod_signature_info *sig_info)
{
const char *pkcs7_raw;
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
int rc;
ASN1_OCTET_STRING *key_id;
+#else
+ PKCS7 *pkcs7;
+ STACK_OF(PKCS7_SIGNER_INFO) *sis;
+ PKCS7_SIGNER_INFO *si;
+ PKCS7_ISSUER_AND_SERIAL *is;
+#endif
X509_NAME *issuer;
ASN1_INTEGER *sno;
ASN1_OCTET_STRING *sig;
@@ -220,14 +248,23 @@ static bool fill_pkcs7(const char *mem, off_t size,
in = BIO_new_mem_buf(pkcs7_raw, sig_len);
+#ifndef USE_PKCS7
cms = d2i_CMS_bio(in, NULL);
if (cms == NULL) {
BIO_free(in);
return false;
}
+#else
+ pkcs7 = d2i_PKCS7_bio(in, NULL);
+ if (pkcs7 == NULL) {
+ BIO_free(in);
+ return false;
+ }
+#endif
BIO_free(in);
+#ifndef USE_PKCS7
sis = CMS_get0_SignerInfos(cms);
if (sis == NULL)
goto err;
@@ -245,8 +282,35 @@ static bool fill_pkcs7(const char *mem, off_t size,
goto err;
CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
+#else
+ sis = PKCS7_get_signer_info(pkcs7);
+ if (sis == NULL)
+ goto err;
+
+ si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
+ if (si == NULL)
+ goto err;
+
+ is = si->issuer_and_serial;
+ if (is == NULL)
+ goto err;
+ issuer = is->issuer;
+ sno = is->serial;
+
+ sig = si->enc_digest;
+ if (sig == NULL)
+ goto err;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
+#endif
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L
+ sig_info->sig = (const char *)ASN1_STRING_data(sig);
+#else
sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+#endif
sig_info->sig_len = ASN1_STRING_length(sig);
sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
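Review bot: The PKCS #7 branch takes the first signer with `sk_PKCS7_SIGNER_INFO_value(sis, 0)` without checking how many SignerInfos the SignedData carries, so a blob with several signers is silently reported as its first one. If the CMS branch (whose start lies above this hunk) rejects anything but a single signer, mirror that here with `if (sk_PKCS7_SIGNER_INFO_num(sis) != 1) goto err;` before indexing; if it does not, the two paths should at least agree. `issuer` and `sno` are also read straight from `is->issuer` and `is->serial`, and `sno` is handed to `ASN1_INTEGER_to_BN` right after the `#endif`, so a cheap `if (issuer == NULL || sno == NULL) goto err;` would keep this branch as defensive as the CMS one appears to be about its signer-id lookup. `fill_pkcs7` continues past the end of this hunk.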
@@ -277,7 +341,11 @@ static bool fill_pkcs7(const char *mem, off_t size,
if (pvt == NULL)
goto err3;
+#ifndef USE_PKCS7
pvt->cms = cms;
+#else
+ pvt->pkcs7 = pkcs7;
+#endif
pvt->key_id = key_id_str;
pvt->sno = sno_bn;
sig_info->private = pvt;
@@ -290,7 +358,11 @@ err3:
err2:
BN_free(sno_bn);
err:
+#ifndef USE_PKCS7
CMS_ContentInfo_free(cms);
+#else
+ PKCS7_free(pkcs7);
+#endif
return false;
}
--
2.20.1