From: Stefan Strogin <stefan.strogin@gmail.com>
To: linux-modules@vger.kernel.org
Cc: stefan.strogin@gmail.com, ykaliuta@redhat.com, lucas.demarchi@intel.com
Subject: [PATCH] libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL
Date: Fri, 15 Feb 2019 06:13:40 +0200 [thread overview]
Message-ID: <20190215041340.29258-1-stefan.strogin@gmail.com> (raw)
Linux kernel uses either PKCS #7 or CMS signing modules (scripts/sign-file.c).
CMS is not supported by LibreSSL, PKCS #7 is used instead.
For now modinfo used CMS with no altenative requiring >=openssl-1.1.0
built with CMS support.
Use PKCS #7 for parsing module signature information when CMS is not available.
Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
---
libkmod/libkmod-signature.c | 78 +++++++++++++++++++++++++++++++++++--
1 file changed, 75 insertions(+), 3 deletions(-)
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 48d0145..aa2a60e 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -20,9 +20,16 @@
#include <endian.h>
#include <inttypes.h>
#ifdef ENABLE_OPENSSL
-#include <openssl/cms.h>
-#include <openssl/ssl.h>
-#endif
+# include <openssl/ssl.h>
+# if defined(LIBRESSL_VERSION_NUMBER) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L || \
+ defined(OPENSSL_NO_CMS)
+# define USE_PKCS7
+# include <openssl/pkcs7.h>
+# else
+# include <openssl/cms.h>
+# endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* ENABLE_OPENSSL */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -122,7 +129,11 @@ static bool fill_default(const char *mem, off_t size,
#ifdef ENABLE_OPENSSL
struct pkcs7_private {
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
+#else
+ PKCS7 *pkcs7;
+#endif
unsigned char *key_id;
BIGNUM *sno;
};
@@ -132,7 +143,11 @@ static void pkcs7_free(void *s)
struct kmod_signature_info *si = s;
struct pkcs7_private *pvt = si->private;
+#ifndef USE_PKCS7
CMS_ContentInfo_free(pvt->cms);
+#else
+ PKCS7_free(pvt->pkcs7);
+#endif
BN_free(pvt->sno);
free(pvt->key_id);
free(pvt);
@@ -187,7 +202,13 @@ static const char *x509_name_to_str(X509_NAME *name)
return NULL;
d = X509_NAME_ENTRY_get_data(e);
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L
+ str = (const char *)ASN1_STRING_data(d);
+#else
str = (const char *)ASN1_STRING_get0_data(d);
+#endif
return str;
}
@@ -197,11 +218,18 @@ static bool fill_pkcs7(const char *mem, off_t size,
struct kmod_signature_info *sig_info)
{
const char *pkcs7_raw;
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
int rc;
ASN1_OCTET_STRING *key_id;
+#else
+ PKCS7 *pkcs7;
+ STACK_OF(PKCS7_SIGNER_INFO) *sis;
+ PKCS7_SIGNER_INFO *si;
+ PKCS7_ISSUER_AND_SERIAL *is;
+#endif
X509_NAME *issuer;
ASN1_INTEGER *sno;
ASN1_OCTET_STRING *sig;
@@ -220,14 +248,23 @@ static bool fill_pkcs7(const char *mem, off_t size,
in = BIO_new_mem_buf(pkcs7_raw, sig_len);
+#ifndef USE_PKCS7
cms = d2i_CMS_bio(in, NULL);
if (cms == NULL) {
BIO_free(in);
return false;
}
+#else
+ pkcs7 = d2i_PKCS7_bio(in, NULL);
+ if (pkcs7 == NULL) {
+ BIO_free(in);
+ return false;
+ }
+#endif
BIO_free(in);
+#ifndef USE_PKCS7
sis = CMS_get0_SignerInfos(cms);
if (sis == NULL)
goto err;
@@ -245,8 +282,35 @@ static bool fill_pkcs7(const char *mem, off_t size,
goto err;
CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
+#else
+ sis = PKCS7_get_signer_info(pkcs7);
+ if (sis == NULL)
+ goto err;
+
+ si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
+ if (si == NULL)
+ goto err;
+
+ is = si->issuer_and_serial;
+ if (is == NULL)
+ goto err;
+ issuer = is->issuer;
+ sno = is->serial;
+
+ sig = si->enc_digest;
+ if (sig == NULL)
+ goto err;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
+#endif
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+ LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+ OPENSSL_VERSION_NUMBER < 0x10100000L
+ sig_info->sig = (const char *)ASN1_STRING_data(sig);
+#else
sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+#endif
sig_info->sig_len = ASN1_STRING_length(sig);
sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
@@ -277,7 +341,11 @@ static bool fill_pkcs7(const char *mem, off_t size,
if (pvt == NULL)
goto err3;
+#ifndef USE_PKCS7
pvt->cms = cms;
+#else
+ pvt->pkcs7 = pkcs7;
+#endif
pvt->key_id = key_id_str;
pvt->sno = sno_bn;
sig_info->private = pvt;
@@ -290,7 +358,11 @@ err3:
err2:
BN_free(sno_bn);
err:
+#ifndef USE_PKCS7
CMS_ContentInfo_free(cms);
+#else
+ PKCS7_free(pkcs7);
+#endif
return false;
}
--
2.20.1
next reply other threads:[~2019-02-15 4:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 4:13 Stefan Strogin [this message]
2019-02-15 8:04 ` [PATCH] libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL Lucas De Marchi
2019-02-15 13:30 ` Stefan Strogin
2019-03-01 5:37 ` Stefan Strogin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190215041340.29258-1-stefan.strogin@gmail.com \
--to=stefan.strogin@gmail.com \
--cc=linux-modules@vger.kernel.org \
--cc=lucas.demarchi@intel.com \
--cc=ykaliuta@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).