* [PATCH] crda: do not embed crypto data when USE_OPENSSL=1
@ 2010-03-04 14:08 Kel Modderman
2010-03-04 15:31 ` John W. Linville
0 siblings, 1 reply; 10+ messages in thread
From: Kel Modderman @ 2010-03-04 14:08 UTC (permalink / raw)
To: linux-wireless
When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR
variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR
for signature verification at runtime. Remove ssl support from
utils/key2pub.py.
This allows wireless-regdb to be built from source and upgraded independently
of crda and is _crucial_ for distributions who want to build their own
regulatory.bin.
This change does remove support for alternate runtime pubkey dir
/etc/wireless-regdb/pubkeys, but wireless-regdb does not currently install
custom pubkeys to /etc/wireless-regdb/pubkeys, and I couldn't care less
about that feature atm :)
When verification fails provide information about the PUBKEY_DIR variable.
Fix typo (s/make noverify/make all_noverify/).
Signed-off-by: Kel Modderman <kel@otaku42.de>
---
--- a/Makefile
+++ b/Makefile
@@ -16,13 +16,6 @@ UDEV_LEVEL=$(CRDA_UDEV_LEVEL)-
# a different location.
UDEV_RULE_DIR?=/lib/udev/rules.d/
-# If your distribution requires a custom pubkeys dir
-# you must update this variable to reflect where the
-# keys are put when building. For example you can run
-# with make PUBKEY_DIR=/usr/lib/crda/pubkeys
-PUBKEY_DIR?=pubkeys
-RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys
-
CFLAGS += -Wall -g
all: all_noverify verify
@@ -30,17 +23,22 @@ all: all_noverify verify
all_noverify: crda intersect regdbdump
ifeq ($(USE_OPENSSL),1)
-CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl`
+PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys
+CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" `pkg-config --cflags openssl`
LDLIBS += `pkg-config --libs openssl`
-reglib.o: keys-ssl.c
-
else
+PUBKEY_DIR?=pubkeys
CFLAGS += -DUSE_GCRYPT
LDLIBS += -lgcrypt
reglib.o: keys-gcrypt.c
+keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
+ $(NQ) ' GEN ' $@
+ $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
+ $(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@
+
endif
MKDIR ?= mkdir -p
INSTALL ?= install
@@ -82,15 +80,10 @@ $(REG_BIN):
$(NQ) $(REG_GIT)
$(NQ)
$(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)"
- $(NQ) "Use \"make noverify\" to disable verification"
+ $(NQ) "Use \"make all_noverify\" to disable verification"
$(NQ)
$(Q) exit 1
-keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem)
- $(NQ) ' GEN ' $@
- $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem)
- $(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@
-
%.o: %.c regdb.h
$(NQ) ' CC ' $@
$(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $<
@@ -109,7 +102,15 @@ intersect: reglib.o intersect.o print-re
verify: $(REG_BIN) regdbdump
$(NQ) ' CHK $(REG_BIN)'
- $(Q)./regdbdump $(REG_BIN) >/dev/null
+ @if ! ./regdbdump $(REG_BIN) >/dev/null; then \
+ echo; \
+ echo "If your distribution requires a custom pubkeys dir you must set"; \
+ echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \
+ echo "For example:"; \
+ echo " make PUBKEY_DIR=/lib/crda/pubkeys"; \
+ echo; \
+ exit 1; \
+ fi
%.gz: %
@$(NQ) ' GZIP' $<
--- a/reglib.c
+++ b/reglib.c
@@ -18,10 +18,6 @@
#include "reglib.h"
-#ifdef USE_OPENSSL
-#include "keys-ssl.c"
-#endif
-
#ifdef USE_GCRYPT
#include "keys-gcrypt.c"
#endif
@@ -49,7 +45,6 @@ int crda_verify_db_signature(__u8 *db, i
#ifdef USE_OPENSSL
RSA *rsa;
__u8 hash[SHA_DIGEST_LENGTH];
- unsigned int i;
int ok = 0;
DIR *pubkey_dir;
struct dirent *nextfile;
@@ -61,24 +56,7 @@ int crda_verify_db_signature(__u8 *db, i
goto out;
}
- for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) {
- rsa = RSA_new();
- if (!rsa) {
- fprintf(stderr, "Failed to create RSA key.\n");
- goto out;
- }
-
- rsa->e = &keys[i].e;
- rsa->n = &keys[i].n;
-
- ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH,
- db + dblen, siglen, rsa) == 1;
-
- rsa->e = NULL;
- rsa->n = NULL;
- RSA_free(rsa);
- }
- if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) {
+ if ((pubkey_dir = opendir(PUBKEY_DIR))) {
while (!ok && (nextfile = readdir(pubkey_dir))) {
snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR,
nextfile->d_name);
--- a/utils/key2pub.py
+++ b/utils/key2pub.py
@@ -9,81 +9,6 @@ except ImportError, e:
sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n')
sys.exit(1)
-def print_ssl_64(output, name, val):
- while val[0] == '\0':
- val = val[1:]
- while len(val) % 8:
- val = '\0' + val
- vnew = []
- while len(val):
- vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7]))
- val = val[8:]
- vnew.reverse()
- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
- idx = 0
- for v1, v2, v3, v4, v5, v6, v7, v8 in vnew:
- if not idx:
- output.write('\t')
- output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8)))
- idx += 1
- if idx == 2:
- idx = 0
- output.write('\n')
- if idx:
- output.write('\n')
- output.write('};\n\n')
-
-def print_ssl_32(output, name, val):
- while val[0] == '\0':
- val = val[1:]
- while len(val) % 4:
- val = '\0' + val
- vnew = []
- while len(val):
- vnew.append((val[0], val[1], val[2], val[3], ))
- val = val[4:]
- vnew.reverse()
- output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew)))
- idx = 0
- for v1, v2, v3, v4 in vnew:
- if not idx:
- output.write('\t')
- output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4)))
- idx += 1
- if idx == 4:
- idx = 0
- output.write('\n')
- if idx:
- output.write('\n')
- output.write('};\n\n')
-
-def print_ssl(output, name, val):
- import struct
- if len(struct.pack('@L', 0)) == 8:
- return print_ssl_64(output, name, val)
- else:
- return print_ssl_32(output, name, val)
-
-def print_ssl_keys(output, n):
- output.write(r'''
-struct pubkey {
- struct bignum_st e, n;
-};
-
-#define KEY(data) { \
- .d = data, \
- .top = sizeof(data)/sizeof(data[0]), \
-}
-
-#define KEYS(e,n) { KEY(e), KEY(n), }
-
-static struct pubkey keys[] = {
-''')
- for n in xrange(n + 1):
- output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
- output.write('};\n')
- pass
-
def print_gcrypt(output, name, val):
while val[0] == '\0':
val = val[1:]
@@ -118,24 +43,10 @@ static const struct key_params keys[] =
for n in xrange(n + 1):
output.write(' KEYS(e_%d, n_%d),\n' % (n, n))
output.write('};\n')
-
-
-modes = {
- '--ssl': (print_ssl, print_ssl_keys),
- '--gcrypt': (print_gcrypt, print_gcrypt_keys),
-}
-try:
- mode = sys.argv[1]
- files = sys.argv[2:-1]
- outfile = sys.argv[-1]
-except IndexError:
- mode = None
-
-if not mode in modes:
- print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys()))
- sys.exit(2)
+files = sys.argv[1:-1]
+outfile = sys.argv[-1]
output = open(outfile, 'w')
# load key
@@ -146,8 +57,8 @@ for f in files:
except RSA.RSAError:
key = RSA.load_key(f)
- modes[mode][0](output, 'e_%d' % idx, key.e[4:])
- modes[mode][0](output, 'n_%d' % idx, key.n[4:])
+ print_gcrypt(output, 'e_%d' % idx, key.e[4:])
+ print_gcrypt(output, 'n_%d' % idx, key.n[4:])
idx += 1
-modes[mode][1](output, idx - 1)
+print_gcrypt_keys(output, idx - 1)
---
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-04 14:08 [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 Kel Modderman @ 2010-03-04 15:31 ` John W. Linville 2010-03-05 0:27 ` Kel Modderman 0 siblings, 1 reply; 10+ messages in thread From: John W. Linville @ 2010-03-04 15:31 UTC (permalink / raw) To: Kel Modderman; +Cc: linux-wireless On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR > variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR > for signature verification at runtime. Remove ssl support from > utils/key2pub.py. > > This allows wireless-regdb to be built from source and upgraded independently > of crda and is _crucial_ for distributions who want to build their own > regulatory.bin. I don't understand -- isn't this possible already? > This change does remove support for alternate runtime pubkey dir > /etc/wireless-regdb/pubkeys, but wireless-regdb does not currently install > custom pubkeys to /etc/wireless-regdb/pubkeys, and I couldn't care less > about that feature atm :) > > When verification fails provide information about the PUBKEY_DIR variable. > > Fix typo (s/make noverify/make all_noverify/). > > Signed-off-by: Kel Modderman <kel@otaku42.de> So you want to remove this feature simply because you don't use it yourself? What problem is it causing? John -- John W. Linville Someday the world will need a hero, and you linville@tuxdriver.com might be all we have. Be ready. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-04 15:31 ` John W. Linville @ 2010-03-05 0:27 ` Kel Modderman 2010-03-05 1:37 ` John W. Linville 0 siblings, 1 reply; 10+ messages in thread From: Kel Modderman @ 2010-03-05 0:27 UTC (permalink / raw) To: John W. Linville; +Cc: linux-wireless On Friday 05 March 2010 01:31:28 John W. Linville wrote: > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR > > variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR > > for signature verification at runtime. Remove ssl support from > > utils/key2pub.py. > > > > This allows wireless-regdb to be built from source and upgraded independently > > of crda and is _crucial_ for distributions who want to build their own > > regulatory.bin. > > I don't understand -- isn't this possible already? No. > > > This change does remove support for alternate runtime pubkey dir > > /etc/wireless-regdb/pubkeys, but wireless-regdb does not currently install > > custom pubkeys to /etc/wireless-regdb/pubkeys, and I couldn't care less > > about that feature atm :) > > > > When verification fails provide information about the PUBKEY_DIR variable. > > > > Fix typo (s/make noverify/make all_noverify/). > > > > Signed-off-by: Kel Modderman <kel@otaku42.de> > > So you want to remove this feature simply because you don't use > it yourself? What problem is it causing? New patch attached which doesn't remove the feature. When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR for signature verification at runtime. Remove ssl support from utils/key2pub.py. This allows wireless-regdb to be built from source and upgraded independently of crda and is _crucial_ for distributions who want to build their own regulatory.bin. When verification fails provide information about the PUBKEY_DIR variable. Fix typo (s/make noverify/make all_noverify/). Signed-off-by: Kel Modderman <kel@otaku42.de> --- --- a/Makefile +++ b/Makefile @@ -16,13 +16,6 @@ UDEV_LEVEL=$(CRDA_UDEV_LEVEL)- # a different location. UDEV_RULE_DIR?=/lib/udev/rules.d/ -# If your distribution requires a custom pubkeys dir -# you must update this variable to reflect where the -# keys are put when building. For example you can run -# with make PUBKEY_DIR=/usr/lib/crda/pubkeys -PUBKEY_DIR?=pubkeys -RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys - CFLAGS += -Wall -g all: all_noverify verify @@ -30,17 +23,24 @@ all: all_noverify verify all_noverify: crda intersect regdbdump ifeq ($(USE_OPENSSL),1) -CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl` +PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys +RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys +CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl` +CFLAGS += -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" -DALT_PUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" LDLIBS += `pkg-config --libs openssl` -reglib.o: keys-ssl.c - else +PUBKEY_DIR?=pubkeys CFLAGS += -DUSE_GCRYPT LDLIBS += -lgcrypt reglib.o: keys-gcrypt.c +keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) + $(NQ) ' GEN ' $@ + $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem) + $(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@ + endif MKDIR ?= mkdir -p INSTALL ?= install @@ -82,15 +82,10 @@ $(REG_BIN): $(NQ) $(REG_GIT) $(NQ) $(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)" - $(NQ) "Use \"make noverify\" to disable verification" + $(NQ) "Use \"make all_noverify\" to disable verification" $(NQ) $(Q) exit 1 -keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) - $(NQ) ' GEN ' $@ - $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem) - $(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@ - %.o: %.c regdb.h $(NQ) ' CC ' $@ $(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $< @@ -109,7 +104,15 @@ intersect: reglib.o intersect.o print-re verify: $(REG_BIN) regdbdump $(NQ) ' CHK $(REG_BIN)' - $(Q)./regdbdump $(REG_BIN) >/dev/null + @if ! ./regdbdump $(REG_BIN) >/dev/null; then \ + echo; \ + echo "If your distribution requires a custom pubkeys dir you must set"; \ + echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \ + echo "For example:"; \ + echo " make PUBKEY_DIR=/lib/crda/pubkeys"; \ + echo; \ + exit 1; \ + fi %.gz: % @$(NQ) ' GZIP' $< --- a/reglib.c +++ b/reglib.c @@ -18,10 +18,6 @@ #include "reglib.h" -#ifdef USE_OPENSSL -#include "keys-ssl.c" -#endif - #ifdef USE_GCRYPT #include "keys-gcrypt.c" #endif @@ -49,7 +45,6 @@ int crda_verify_db_signature(__u8 *db, i #ifdef USE_OPENSSL RSA *rsa; __u8 hash[SHA_DIGEST_LENGTH]; - unsigned int i; int ok = 0; DIR *pubkey_dir; struct dirent *nextfile; @@ -61,26 +56,26 @@ int crda_verify_db_signature(__u8 *db, i goto out; } - for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) { - rsa = RSA_new(); - if (!rsa) { - fprintf(stderr, "Failed to create RSA key.\n"); - goto out; + if ((pubkey_dir = opendir(PUBKEY_DIR))) { + while (!ok && (nextfile = readdir(pubkey_dir))) { + snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, + nextfile->d_name); + if ((keyfile = fopen(filename, "rb"))) { + rsa = PEM_read_RSA_PUBKEY(keyfile, + NULL, NULL, NULL); + if (rsa) + ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, + db + dblen, siglen, rsa) == 1; + RSA_free(rsa); + fclose(keyfile); + } } - - rsa->e = &keys[i].e; - rsa->n = &keys[i].n; - - ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, - db + dblen, siglen, rsa) == 1; - - rsa->e = NULL; - rsa->n = NULL; - RSA_free(rsa); + closedir(pubkey_dir); } - if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) { + + if (!ok && (pubkey_dir = opendir(ALT_PUBKEY_DIR))) { while (!ok && (nextfile = readdir(pubkey_dir))) { - snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, + snprintf(filename, PATH_MAX, "%s/%s", ALT_PUBKEY_DIR, nextfile->d_name); if ((keyfile = fopen(filename, "rb"))) { rsa = PEM_read_RSA_PUBKEY(keyfile, --- a/utils/key2pub.py +++ b/utils/key2pub.py @@ -9,81 +9,6 @@ except ImportError, e: sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n') sys.exit(1) -def print_ssl_64(output, name, val): - while val[0] == '\0': - val = val[1:] - while len(val) % 8: - val = '\0' + val - vnew = [] - while len(val): - vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7])) - val = val[8:] - vnew.reverse() - output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew))) - idx = 0 - for v1, v2, v3, v4, v5, v6, v7, v8 in vnew: - if not idx: - output.write('\t') - output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8))) - idx += 1 - if idx == 2: - idx = 0 - output.write('\n') - if idx: - output.write('\n') - output.write('};\n\n') - -def print_ssl_32(output, name, val): - while val[0] == '\0': - val = val[1:] - while len(val) % 4: - val = '\0' + val - vnew = [] - while len(val): - vnew.append((val[0], val[1], val[2], val[3], )) - val = val[4:] - vnew.reverse() - output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew))) - idx = 0 - for v1, v2, v3, v4 in vnew: - if not idx: - output.write('\t') - output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4))) - idx += 1 - if idx == 4: - idx = 0 - output.write('\n') - if idx: - output.write('\n') - output.write('};\n\n') - -def print_ssl(output, name, val): - import struct - if len(struct.pack('@L', 0)) == 8: - return print_ssl_64(output, name, val) - else: - return print_ssl_32(output, name, val) - -def print_ssl_keys(output, n): - output.write(r''' -struct pubkey { - struct bignum_st e, n; -}; - -#define KEY(data) { \ - .d = data, \ - .top = sizeof(data)/sizeof(data[0]), \ -} - -#define KEYS(e,n) { KEY(e), KEY(n), } - -static struct pubkey keys[] = { -''') - for n in xrange(n + 1): - output.write(' KEYS(e_%d, n_%d),\n' % (n, n)) - output.write('};\n') - pass - def print_gcrypt(output, name, val): while val[0] == '\0': val = val[1:] @@ -118,24 +43,10 @@ static const struct key_params keys[] = for n in xrange(n + 1): output.write(' KEYS(e_%d, n_%d),\n' % (n, n)) output.write('};\n') - - -modes = { - '--ssl': (print_ssl, print_ssl_keys), - '--gcrypt': (print_gcrypt, print_gcrypt_keys), -} -try: - mode = sys.argv[1] - files = sys.argv[2:-1] - outfile = sys.argv[-1] -except IndexError: - mode = None - -if not mode in modes: - print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys())) - sys.exit(2) +files = sys.argv[1:-1] +outfile = sys.argv[-1] output = open(outfile, 'w') # load key @@ -146,8 +57,8 @@ for f in files: except RSA.RSAError: key = RSA.load_key(f) - modes[mode][0](output, 'e_%d' % idx, key.e[4:]) - modes[mode][0](output, 'n_%d' % idx, key.n[4:]) + print_gcrypt(output, 'e_%d' % idx, key.e[4:]) + print_gcrypt(output, 'n_%d' % idx, key.n[4:]) idx += 1 -modes[mode][1](output, idx - 1) +print_gcrypt_keys(output, idx - 1) --- ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 0:27 ` Kel Modderman @ 2010-03-05 1:37 ` John W. Linville 2010-03-05 1:56 ` Kel Modderman 0 siblings, 1 reply; 10+ messages in thread From: John W. Linville @ 2010-03-05 1:37 UTC (permalink / raw) To: Kel Modderman; +Cc: linux-wireless On Fri, Mar 05, 2010 at 10:27:03AM +1000, Kel Modderman wrote: > On Friday 05 March 2010 01:31:28 John W. Linville wrote: > > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > > When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR > > > variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR > > > for signature verification at runtime. Remove ssl support from > > > utils/key2pub.py. > > > > > > This allows wireless-regdb to be built from source and upgraded independently > > > of crda and is _crucial_ for distributions who want to build their own > > > regulatory.bin. > > > > I don't understand -- isn't this possible already? > > No. Perhaps you could use a few more words? It seems to me that what limits you is the policies of some distributions. Certainly crda and wireless-regdb can be maintained separately so long as the key doesn't change between builds or with alternate keys installed in the proper locations. Am I missing something? John -- John W. Linville Someday the world will need a hero, and you linville@tuxdriver.com might be all we have. Be ready. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 1:37 ` John W. Linville @ 2010-03-05 1:56 ` Kel Modderman 2010-03-05 2:00 ` Kel Modderman 2010-03-05 4:08 ` John W. Linville 0 siblings, 2 replies; 10+ messages in thread From: Kel Modderman @ 2010-03-05 1:56 UTC (permalink / raw) To: John W. Linville; +Cc: linux-wireless On Friday 05 March 2010 11:37:22 John W. Linville wrote: > On Fri, Mar 05, 2010 at 10:27:03AM +1000, Kel Modderman wrote: > > On Friday 05 March 2010 01:31:28 John W. Linville wrote: > > > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > > > When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR > > > > variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR > > > > for signature verification at runtime. Remove ssl support from > > > > utils/key2pub.py. > > > > > > > > This allows wireless-regdb to be built from source and upgraded independently > > > > of crda and is _crucial_ for distributions who want to build their own > > > > regulatory.bin. > > > > > > I don't understand -- isn't this possible already? > > > > No. > > Perhaps you could use a few more words? It seems to me that what > limits you is the policies of some distributions. Certainly crda > and wireless-regdb can be maintained separately so long as the key > doesn't change between builds or with alternate keys installed in > the proper locations. Am I missing something? Yes you are missing something. Its not the policy of my distribution which is limiting its the design of the crda/wireless-regdb build systems. Now that openssl support allows reading pubkeys at runtime, the embedding of crypto data into binaries can be totally removed when built with openssl. wireless-regdb can be built from source, when it does so it generates a new custom key which is installed to /lib/crda/pubkeys/<key>. Your key is also installed here, oh but hang on, its also embedded into the binary so why bother installing it at all? Alright, so we can manually move our custom generated key from /lib/crda/pubkeys/<key> to /etc/wireless-regdb/pubkeys/<key> and things will probably be okay next time we build wireless-regdb and upgrade it independently of crda, except for: 1. we now have /lib/crda/pubkeys/linville.pub.pem for no reason at all 2. the distribution is installing to /etc/wireless-regdb/pubkeys/ which should be reserved for the admin 3. you're maintaining a bunch of useless code which embeds openssl data into binaries when you do not have to These 3 points is what my patch attempts to address. Thanks, Kel. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 1:56 ` Kel Modderman @ 2010-03-05 2:00 ` Kel Modderman 2010-03-05 4:08 ` John W. Linville 1 sibling, 0 replies; 10+ messages in thread From: Kel Modderman @ 2010-03-05 2:00 UTC (permalink / raw) To: John W. Linville; +Cc: linux-wireless On Friday 05 March 2010 11:56:11 Kel Modderman wrote: > On Friday 05 March 2010 11:37:22 John W. Linville wrote: > > On Fri, Mar 05, 2010 at 10:27:03AM +1000, Kel Modderman wrote: > > > On Friday 05 March 2010 01:31:28 John W. Linville wrote: > > > > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > > > > When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR > > > > > variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR > > > > > for signature verification at runtime. Remove ssl support from > > > > > utils/key2pub.py. > > > > > > > > > > This allows wireless-regdb to be built from source and upgraded independently > > > > > of crda and is _crucial_ for distributions who want to build their own > > > > > regulatory.bin. > > > > > > > > I don't understand -- isn't this possible already? > > > > > > No. > > > > Perhaps you could use a few more words? It seems to me that what > > limits you is the policies of some distributions. Certainly crda > > and wireless-regdb can be maintained separately so long as the key > > doesn't change between builds or with alternate keys installed in > > the proper locations. Am I missing something? > > Yes you are missing something. Its not the policy of my distribution which > is limiting its the design of the crda/wireless-regdb build systems. > > Now that openssl support allows reading pubkeys at runtime, the embedding > of crypto data into binaries can be totally removed when built with openssl. > > wireless-regdb can be built from source, when it does so it generates a new > custom key which is installed to /lib/crda/pubkeys/<key>. Your key is also > installed here, oh but hang on, its also embedded into the binary so why bother > installing it at all? Alright, so we can manually move our custom generated > key from /lib/crda/pubkeys/<key> to /etc/wireless-regdb/pubkeys/<key> and things > will probably be okay next time we build wireless-regdb and upgrade it > independently of crda, except for: > 1. we now have /lib/crda/pubkeys/linville.pub.pem for no reason at all > 2. the distribution is installing to /etc/wireless-regdb/pubkeys/ which should > be reserved for the admin > 3. you're maintaining a bunch of useless code which embeds openssl data into > binaries when you do not have to 4. if your key changes, and we have built and upgraded wireless-regdb and not crda then the embedded crypto data and /lib/crda/pubkeys/linville.pub.pem won't help > > These 3 points is what my patch attempts to address. 4 points Thanks, Kel. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 1:56 ` Kel Modderman 2010-03-05 2:00 ` Kel Modderman @ 2010-03-05 4:08 ` John W. Linville 2010-03-05 14:59 ` Kel Modderman 1 sibling, 1 reply; 10+ messages in thread From: John W. Linville @ 2010-03-05 4:08 UTC (permalink / raw) To: Kel Modderman; +Cc: linux-wireless On Fri, Mar 05, 2010 at 11:56:11AM +1000, Kel Modderman wrote: > On Friday 05 March 2010 11:37:22 John W. Linville wrote: > > On Fri, Mar 05, 2010 at 10:27:03AM +1000, Kel Modderman wrote: > > > On Friday 05 March 2010 01:31:28 John W. Linville wrote: > > > > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > > > > This allows wireless-regdb to be built from source and upgraded independently > > > > > of crda and is _crucial_ for distributions who want to build their own > > > > > regulatory.bin. > > > > > > > > I don't understand -- isn't this possible already? > > > > > > No. > > > > Perhaps you could use a few more words? It seems to me that what > > limits you is the policies of some distributions. Certainly crda > > and wireless-regdb can be maintained separately so long as the key > > doesn't change between builds or with alternate keys installed in > > the proper locations. Am I missing something? > > Yes you are missing something. Its not the policy of my distribution which > is limiting its the design of the crda/wireless-regdb build systems. > > Now that openssl support allows reading pubkeys at runtime, the embedding > of crypto data into binaries can be totally removed when built with openssl. I don't think anyone said that this change could not be made. I merely challenged the flawed reasoning you asserted for its need. > wireless-regdb can be built from source, when it does so it generates a new > custom key which is installed to /lib/crda/pubkeys/<key>. Your key is also > installed here, oh but hang on, its also embedded into the binary so why bother > installing it at all? Alright, so we can manually move our custom generated > key from /lib/crda/pubkeys/<key> to /etc/wireless-regdb/pubkeys/<key> and things > will probably be okay next time we build wireless-regdb and upgrade it > independently of crda, except for: Why would you need to move it? Did someone break the code that uses regdb_paths in crda.c? Does PUBKEY_DIR not work? > 1. we now have /lib/crda/pubkeys/linville.pub.pem for no reason at all If you don't want my key (or any other) in your binary then simply delete it from crda/pubkeys in your build scripts...? > 2. the distribution is installing to /etc/wireless-regdb/pubkeys/ which should > be reserved for the admin "make PUBKEY_DIR=/lib/crda/pubkeys"? > 3. you're maintaining a bunch of useless code which embeds openssl data into > binaries when you do not have to See rebuttal to #1...just because you don't use some functionality doesn't mean no one else wants it or uses it. > These 3 points is what my patch attempts to address. It seems to me that you address the points by simply removing functionality rather than using other means that already exist to address the same concerns. John -- John W. Linville Someday the world will need a hero, and you linville@tuxdriver.com might be all we have. Be ready. ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 4:08 ` John W. Linville @ 2010-03-05 14:59 ` Kel Modderman 2010-03-08 8:08 ` Johannes Berg 0 siblings, 1 reply; 10+ messages in thread From: Kel Modderman @ 2010-03-05 14:59 UTC (permalink / raw) To: John W. Linville; +Cc: linux-wireless [-- Attachment #1: Type: Text/Plain, Size: 3838 bytes --] Hi John, On Friday 05 March 2010 14:08:53 John W. Linville wrote: > On Fri, Mar 05, 2010 at 11:56:11AM +1000, Kel Modderman wrote: > > On Friday 05 March 2010 11:37:22 John W. Linville wrote: > > > On Fri, Mar 05, 2010 at 10:27:03AM +1000, Kel Modderman wrote: > > > > On Friday 05 March 2010 01:31:28 John W. Linville wrote: > > > > > On Fri, Mar 05, 2010 at 12:08:50AM +1000, Kel Modderman wrote: > > > > > > > This allows wireless-regdb to be built from source and upgraded independently > > > > > > of crda and is _crucial_ for distributions who want to build their own > > > > > > regulatory.bin. > > > > > > > > > > I don't understand -- isn't this possible already? > > > > > > > > No. > > > > > > Perhaps you could use a few more words? It seems to me that what > > > limits you is the policies of some distributions. Certainly crda > > > and wireless-regdb can be maintained separately so long as the key > > > doesn't change between builds or with alternate keys installed in > > > the proper locations. Am I missing something? > > > > Yes you are missing something. Its not the policy of my distribution which > > is limiting its the design of the crda/wireless-regdb build systems. > > > > Now that openssl support allows reading pubkeys at runtime, the embedding > > of crypto data into binaries can be totally removed when built with openssl. > > I don't think anyone said that this change could not be made. > I merely challenged the flawed reasoning you asserted for its need. > > > wireless-regdb can be built from source, when it does so it generates a new > > custom key which is installed to /lib/crda/pubkeys/<key>. Your key is also > > installed here, oh but hang on, its also embedded into the binary so why bother > > installing it at all? Alright, so we can manually move our custom generated > > key from /lib/crda/pubkeys/<key> to /etc/wireless-regdb/pubkeys/<key> and things > > will probably be okay next time we build wireless-regdb and upgrade it > > independently of crda, except for: > > Why would you need to move it? Did someone break the code that uses > regdb_paths in crda.c? Does PUBKEY_DIR not work? > > > 1. we now have /lib/crda/pubkeys/linville.pub.pem for no reason at all > > If you don't want my key (or any other) in your binary then simply > delete it from crda/pubkeys in your build scripts...? > > > 2. the distribution is installing to /etc/wireless-regdb/pubkeys/ which should > > be reserved for the admin > > "make PUBKEY_DIR=/lib/crda/pubkeys"? > > > 3. you're maintaining a bunch of useless code which embeds openssl data into > > binaries when you do not have to > > See rebuttal to #1...just because you don't use some functionality > doesn't mean no one else wants it or uses it. > > > These 3 points is what my patch attempts to address. > > It seems to me that you address the points by simply removing > functionality rather than using other means that already exist to > address the same concerns. I am obviously having hard time clearly communicating what I think is wrong, so attached is 2 files demonstrating the problem with step by step reproducible commands with output. regdb-upgrade-does-not-work.txt shows the current behaviour which must be improved, regdb-upgrade-does-work.txt shows the behaviour with my patch applied. The patch which was used is also attached. The steps simulate the independent upgrade/re-installation of wireless-regdb after rebuilding regulatory.bin and signing with a new key. This is a simulation of the expected upgrade path when wireless-regdb and crda are packaged separately and one-time ssl keys are used when building wireless-regdb. I hope that these logs, along with the patch, help show that I am not removing any current interface from crda, just trying to fix up its current ones. Thanks, Kel. [-- Attachment #2: openssl_runtime_verification_tuneup.patch --] [-- Type: text/x-patch, Size: 8063 bytes --] When USE_OPENSSL=1 do not embed crypto data into binary, use the PUBKEY_DIR variable just as it is when USE_GCRYPT=1 and just load certs from PUBKEY_DIR for signature verification at runtime. Remove ssl support from utils/key2pub.py. This allows wireless-regdb to be built from source and upgraded independently of crda and is _crucial_ for distributions who want to build their own regulatory.bin. When verification fails provide information about the PUBKEY_DIR variable. Fix typo (s/make noverify/make all_noverify/). Signed-off-by: Kel Modderman <kel@otaku42.de> --- --- a/Makefile +++ b/Makefile @@ -16,13 +16,6 @@ UDEV_LEVEL=$(CRDA_UDEV_LEVEL)- # a different location. UDEV_RULE_DIR?=/lib/udev/rules.d/ -# If your distribution requires a custom pubkeys dir -# you must update this variable to reflect where the -# keys are put when building. For example you can run -# with make PUBKEY_DIR=/usr/lib/crda/pubkeys -PUBKEY_DIR?=pubkeys -RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys - CFLAGS += -Wall -g all: all_noverify verify @@ -30,17 +23,24 @@ all: all_noverify verify all_noverify: crda intersect regdbdump ifeq ($(USE_OPENSSL),1) -CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl` +PUBKEY_DIR?=$(PREFIX)/lib/crda/pubkeys +RUNTIME_PUBKEY_DIR?=/etc/wireless-regdb/pubkeys +CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl` +CFLAGS += -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" -DALT_PUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" LDLIBS += `pkg-config --libs openssl` -reglib.o: keys-ssl.c - else +PUBKEY_DIR?=pubkeys CFLAGS += -DUSE_GCRYPT LDLIBS += -lgcrypt reglib.o: keys-gcrypt.c +keys-gcrypt.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) + $(NQ) ' GEN ' $@ + $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem) + $(Q)./utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) $@ + endif MKDIR ?= mkdir -p INSTALL ?= install @@ -82,15 +82,10 @@ $(REG_BIN): $(NQ) $(REG_GIT) $(NQ) $(NQ) "Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)" - $(NQ) "Use \"make noverify\" to disable verification" + $(NQ) "Use \"make all_noverify\" to disable verification" $(NQ) $(Q) exit 1 -keys-%.c: utils/key2pub.py $(wildcard $(PUBKEY_DIR)/*.pem) - $(NQ) ' GEN ' $@ - $(NQ) ' Trusted pubkeys:' $(wildcard $(PUBKEY_DIR)/*.pem) - $(Q)./utils/key2pub.py --$* $(wildcard $(PUBKEY_DIR)/*.pem) $@ - %.o: %.c regdb.h $(NQ) ' CC ' $@ $(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o $@ $< @@ -109,7 +104,15 @@ intersect: reglib.o intersect.o print-re verify: $(REG_BIN) regdbdump $(NQ) ' CHK $(REG_BIN)' - $(Q)./regdbdump $(REG_BIN) >/dev/null + @if ! ./regdbdump $(REG_BIN) >/dev/null; then \ + echo; \ + echo "If your distribution requires a custom pubkeys dir you must set"; \ + echo "PUBKEY_DIR to path where the keys are installed by wireless-regdb."; \ + echo "For example:"; \ + echo " make PUBKEY_DIR=/lib/crda/pubkeys"; \ + echo; \ + exit 1; \ + fi %.gz: % @$(NQ) ' GZIP' $< --- a/reglib.c +++ b/reglib.c @@ -18,10 +18,6 @@ #include "reglib.h" -#ifdef USE_OPENSSL -#include "keys-ssl.c" -#endif - #ifdef USE_GCRYPT #include "keys-gcrypt.c" #endif @@ -49,7 +45,6 @@ int crda_verify_db_signature(__u8 *db, i #ifdef USE_OPENSSL RSA *rsa; __u8 hash[SHA_DIGEST_LENGTH]; - unsigned int i; int ok = 0; DIR *pubkey_dir; struct dirent *nextfile; @@ -61,26 +56,26 @@ int crda_verify_db_signature(__u8 *db, i goto out; } - for (i = 0; (i < sizeof(keys)/sizeof(keys[0])) && (!ok); i++) { - rsa = RSA_new(); - if (!rsa) { - fprintf(stderr, "Failed to create RSA key.\n"); - goto out; + if ((pubkey_dir = opendir(PUBKEY_DIR))) { + while (!ok && (nextfile = readdir(pubkey_dir))) { + snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, + nextfile->d_name); + if ((keyfile = fopen(filename, "rb"))) { + rsa = PEM_read_RSA_PUBKEY(keyfile, + NULL, NULL, NULL); + if (rsa) + ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, + db + dblen, siglen, rsa) == 1; + RSA_free(rsa); + fclose(keyfile); + } } - - rsa->e = &keys[i].e; - rsa->n = &keys[i].n; - - ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, - db + dblen, siglen, rsa) == 1; - - rsa->e = NULL; - rsa->n = NULL; - RSA_free(rsa); + closedir(pubkey_dir); } - if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) { + + if (!ok && (pubkey_dir = opendir(ALT_PUBKEY_DIR))) { while (!ok && (nextfile = readdir(pubkey_dir))) { - snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, + snprintf(filename, PATH_MAX, "%s/%s", ALT_PUBKEY_DIR, nextfile->d_name); if ((keyfile = fopen(filename, "rb"))) { rsa = PEM_read_RSA_PUBKEY(keyfile, --- a/utils/key2pub.py +++ b/utils/key2pub.py @@ -9,81 +9,6 @@ except ImportError, e: sys.stderr.write('On Debian GNU/Linux the package is called "python-m2crypto".\n') sys.exit(1) -def print_ssl_64(output, name, val): - while val[0] == '\0': - val = val[1:] - while len(val) % 8: - val = '\0' + val - vnew = [] - while len(val): - vnew.append((val[0], val[1], val[2], val[3], val[4], val[5], val[6], val[7])) - val = val[8:] - vnew.reverse() - output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew))) - idx = 0 - for v1, v2, v3, v4, v5, v6, v7, v8 in vnew: - if not idx: - output.write('\t') - output.write('0x%.2x%.2x%.2x%.2x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4), ord(v5), ord(v6), ord(v7), ord(v8))) - idx += 1 - if idx == 2: - idx = 0 - output.write('\n') - if idx: - output.write('\n') - output.write('};\n\n') - -def print_ssl_32(output, name, val): - while val[0] == '\0': - val = val[1:] - while len(val) % 4: - val = '\0' + val - vnew = [] - while len(val): - vnew.append((val[0], val[1], val[2], val[3], )) - val = val[4:] - vnew.reverse() - output.write('static BN_ULONG %s[%d] = {\n' % (name, len(vnew))) - idx = 0 - for v1, v2, v3, v4 in vnew: - if not idx: - output.write('\t') - output.write('0x%.2x%.2x%.2x%.2x, ' % (ord(v1), ord(v2), ord(v3), ord(v4))) - idx += 1 - if idx == 4: - idx = 0 - output.write('\n') - if idx: - output.write('\n') - output.write('};\n\n') - -def print_ssl(output, name, val): - import struct - if len(struct.pack('@L', 0)) == 8: - return print_ssl_64(output, name, val) - else: - return print_ssl_32(output, name, val) - -def print_ssl_keys(output, n): - output.write(r''' -struct pubkey { - struct bignum_st e, n; -}; - -#define KEY(data) { \ - .d = data, \ - .top = sizeof(data)/sizeof(data[0]), \ -} - -#define KEYS(e,n) { KEY(e), KEY(n), } - -static struct pubkey keys[] = { -''') - for n in xrange(n + 1): - output.write(' KEYS(e_%d, n_%d),\n' % (n, n)) - output.write('};\n') - pass - def print_gcrypt(output, name, val): while val[0] == '\0': val = val[1:] @@ -118,24 +43,10 @@ static const struct key_params keys[] = for n in xrange(n + 1): output.write(' KEYS(e_%d, n_%d),\n' % (n, n)) output.write('};\n') - - -modes = { - '--ssl': (print_ssl, print_ssl_keys), - '--gcrypt': (print_gcrypt, print_gcrypt_keys), -} -try: - mode = sys.argv[1] - files = sys.argv[2:-1] - outfile = sys.argv[-1] -except IndexError: - mode = None - -if not mode in modes: - print 'Usage: %s [%s] input-file... output-file' % (sys.argv[0], '|'.join(modes.keys())) - sys.exit(2) +files = sys.argv[1:-1] +outfile = sys.argv[-1] output = open(outfile, 'w') # load key @@ -146,8 +57,8 @@ for f in files: except RSA.RSAError: key = RSA.load_key(f) - modes[mode][0](output, 'e_%d' % idx, key.e[4:]) - modes[mode][0](output, 'n_%d' % idx, key.n[4:]) + print_gcrypt(output, 'e_%d' % idx, key.e[4:]) + print_gcrypt(output, 'n_%d' % idx, key.n[4:]) idx += 1 -modes[mode][1](output, idx - 1) +print_gcrypt_keys(output, idx - 1) [-- Attachment #3: regdb-upgrade-does-not-work.txt --] [-- Type: text/plain, Size: 7957 bytes --] # wget -q -O/tmp/wireless-regdb-2009.11.25.tar.bz2 http://wireless.kernel.org/download/wireless-regdb/wireless-regdb-2009.11.25.tar.bz2 # wget -q -O/tmp/crda-1.1.1.tar.bz2 http://wireless.kernel.org/download/crda/crda-1.1.1.tar.bz2 # tar -C /tmp -xjf /tmp/wireless-regdb-2009.11.25.tar.bz2 # make -C /tmp/wireless-regdb-2009.11.25 all make: Entering directory `/tmp/wireless-regdb-2009.11.25' Generating private key for root... openssl genrsa -out ~/.wireless-regdb-root.key.priv.pem 2048 Generating RSA private key, 2048 bit long modulus ...................................................................................................................................................................................+++ ................................................................+++ e is 65537 (0x10001) Generating public key for root... openssl rsa -in ~/.wireless-regdb-root.key.priv.pem -out root.key.pub.pem -pubout -outform PEM writing RSA key Generating regulatory.bin digitally signed by root... ./db2bin.py regulatory.bin db.txt ~/.wireless-regdb-root.key.priv.pem make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # make -C /tmp/wireless-regdb-2009.11.25 install make: Entering directory `/tmp/wireless-regdb-2009.11.25' gzip < regulatory.bin.5 > regulatory.bin.5.gz install -m 755 -d //usr/lib/crda install -m 755 -d //usr/lib/crda/pubkeys if [ -f .custom ]; then \ install -m 644 -t //usr/lib/crda/pubkeys/ root.key.pub.pem; \ fi install -m 644 -t //usr/lib/crda/pubkeys/ linville.key.pub.pem install -m 644 -t //usr/lib/crda/ regulatory.bin install -m 755 -d //usr/share/man//man5/ install -m 644 -t //usr/share/man//man5/ regulatory.bin.5.gz make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # tar -C /tmp -xjf /tmp/crda-1.1.1.tar.bz2 # make -C /tmp/crda-1.1.1 all USE_OPENSSL=1 PUBKEY_DIR=/usr/lib/crda/pubkeys/ make: Entering directory `/tmp/crda-1.1.1' GEN keys-ssl.c Trusted pubkeys: /usr/lib/crda/pubkeys//linville.key.pub.pem /usr/lib/crda/pubkeys//root.key.pub.pem CC reglib.o CC crda.o LD crda CC intersect.o CC print-regdom.o LD intersect CC regdbdump.o LD regdbdump CHK /usr/lib/crda/regulatory.bin make: Leaving directory `/tmp/crda-1.1.1' # make -C /tmp/crda-1.1.1 install USE_OPENSSL=1 PUBKEY_DIR=/usr/lib/crda/pubkeys/ make: Entering directory `/tmp/crda-1.1.1' GZIP crda.8 GZIP regdbdump.8 INSTALL crda INSTALL regdbdump INSTALL 85-regulatory.rules INSTALL crda.8.gz INSTALL regdbdump.8.gz make: Leaving directory `/tmp/crda-1.1.1' # rm -v /root/.wireless-regdb-root.key.priv.pem removed `/root/.wireless-regdb-root.key.priv.pem' # make -C /tmp/wireless-regdb-2009.11.25 all make: Entering directory `/tmp/wireless-regdb-2009.11.25' Generating private key for root... openssl genrsa -out ~/.wireless-regdb-root.key.priv.pem 2048 Generating RSA private key, 2048 bit long modulus ...........................+++ .....................................+++ e is 65537 (0x10001) Generating public key for root... openssl rsa -in ~/.wireless-regdb-root.key.priv.pem -out root.key.pub.pem -pubout -outform PEM writing RSA key Generating regulatory.bin digitally signed by root... ./db2bin.py regulatory.bin db.txt ~/.wireless-regdb-root.key.priv.pem make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # make -C /tmp/wireless-regdb-2009.11.25 install make: Entering directory `/tmp/wireless-regdb-2009.11.25' gzip < regulatory.bin.5 > regulatory.bin.5.gz install -m 755 -d //usr/lib/crda install -m 755 -d //usr/lib/crda/pubkeys if [ -f .custom ]; then \ install -m 644 -t //usr/lib/crda/pubkeys/ root.key.pub.pem; \ fi install -m 644 -t //usr/lib/crda/pubkeys/ linville.key.pub.pem install -m 644 -t //usr/lib/crda/ regulatory.bin install -m 755 -d //usr/share/man//man5/ install -m 644 -t //usr/share/man//man5/ regulatory.bin.5.gz make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # regdbdump /usr/lib/crda/regulatory.bin Database signature verification failed. [-- Attachment #4: regdb-upgrade-does-work.txt --] [-- Type: text/plain, Size: 13428 bytes --] # wget -q -O/tmp/wireless-regdb-2009.11.25.tar.bz2 http://wireless.kernel.org/download/wireless-regdb/wireless-regdb-2009.11.25.tar.bz2 # wget -q -O/tmp/crda-1.1.1.tar.bz2 http://wireless.kernel.org/download/crda/crda-1.1.1.tar.bz2 # tar -C /tmp -xjf /tmp/wireless-regdb-2009.11.25.tar.bz2 # make -C /tmp/wireless-regdb-2009.11.25 all make: Entering directory `/tmp/wireless-regdb-2009.11.25' Generating private key for root... openssl genrsa -out ~/.wireless-regdb-root.key.priv.pem 2048 Generating RSA private key, 2048 bit long modulus ..............+++ ....................................................................................................................................................................................+++ e is 65537 (0x10001) Generating public key for root... openssl rsa -in ~/.wireless-regdb-root.key.priv.pem -out root.key.pub.pem -pubout -outform PEM writing RSA key Generating regulatory.bin digitally signed by root... ./db2bin.py regulatory.bin db.txt ~/.wireless-regdb-root.key.priv.pem make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # make -C /tmp/wireless-regdb-2009.11.25 install make: Entering directory `/tmp/wireless-regdb-2009.11.25' gzip < regulatory.bin.5 > regulatory.bin.5.gz install -m 755 -d //usr/lib/crda install -m 755 -d //usr/lib/crda/pubkeys if [ -f .custom ]; then \ install -m 644 -t //usr/lib/crda/pubkeys/ root.key.pub.pem; \ fi install -m 644 -t //usr/lib/crda/pubkeys/ linville.key.pub.pem install -m 644 -t //usr/lib/crda/ regulatory.bin install -m 755 -d //usr/share/man//man5/ install -m 644 -t //usr/share/man//man5/ regulatory.bin.5.gz make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # tar -C /tmp -xjf /tmp/crda-1.1.1.tar.bz2 # wget -q -O/tmp/crda.patch http://users.tpg.com.au/sigm/patches/openssl_runtime_verification_tuneup.patch # patch -d /tmp/crda-1.1.1 -p1 -i /tmp/crda.patch patching file Makefile patching file reglib.c patching file utils/key2pub.py # make -C /tmp/crda-1.1.1 all USE_OPENSSL=1 make: Entering directory `/tmp/crda-1.1.1' CC reglib.o CC crda.o LD crda CC intersect.o CC print-regdom.o LD intersect CC regdbdump.o LD regdbdump CHK /usr/lib/crda/regulatory.bin make: Leaving directory `/tmp/crda-1.1.1' # make -C /tmp/crda-1.1.1 install USE_OPENSSL=1 make: Entering directory `/tmp/crda-1.1.1' GZIP crda.8 GZIP regdbdump.8 INSTALL crda INSTALL regdbdump INSTALL 85-regulatory.rules INSTALL crda.8.gz INSTALL regdbdump.8.gz make: Leaving directory `/tmp/crda-1.1.1' # rm -v /root/.wireless-regdb-root.key.priv.pem removed `/root/.wireless-regdb-root.key.priv.pem' # make -C /tmp/wireless-regdb-2009.11.25 all make: Entering directory `/tmp/wireless-regdb-2009.11.25' Generating private key for root... openssl genrsa -out ~/.wireless-regdb-root.key.priv.pem 2048 Generating RSA private key, 2048 bit long modulus .....................................+++ .........................+++ e is 65537 (0x10001) Generating public key for root... openssl rsa -in ~/.wireless-regdb-root.key.priv.pem -out root.key.pub.pem -pubout -outform PEM writing RSA key Generating regulatory.bin digitally signed by root... ./db2bin.py regulatory.bin db.txt ~/.wireless-regdb-root.key.priv.pem make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # make -C /tmp/wireless-regdb-2009.11.25 install make: Entering directory `/tmp/wireless-regdb-2009.11.25' gzip < regulatory.bin.5 > regulatory.bin.5.gz install -m 755 -d //usr/lib/crda install -m 755 -d //usr/lib/crda/pubkeys if [ -f .custom ]; then \ install -m 644 -t //usr/lib/crda/pubkeys/ root.key.pub.pem; \ fi install -m 644 -t //usr/lib/crda/pubkeys/ linville.key.pub.pem install -m 644 -t //usr/lib/crda/ regulatory.bin install -m 755 -d //usr/share/man//man5/ install -m 644 -t //usr/share/man//man5/ regulatory.bin.5.gz make: Leaving directory `/tmp/wireless-regdb-2009.11.25' # regdbdump /usr/lib/crda/regulatory.bin country 00: (2402.000 - 2472.000 @ 40.000), (3.00, 20.00) (2457.000 - 2482.000 @ 20.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS (2474.000 - 2494.000 @ 20.000), (3.00, 20.00), NO-OFDM, PASSIVE-SCAN, NO-IBSS (5170.000 - 5250.000 @ 40.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS (5735.000 - 5835.000 @ 40.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS ... ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-05 14:59 ` Kel Modderman @ 2010-03-08 8:08 ` Johannes Berg 2010-03-21 10:46 ` Kel Modderman 0 siblings, 1 reply; 10+ messages in thread From: Johannes Berg @ 2010-03-08 8:08 UTC (permalink / raw) To: Kel Modderman; +Cc: John W. Linville, linux-wireless On Sat, 2010-03-06 at 00:59 +1000, Kel Modderman wrote: > I am obviously having hard time clearly communicating what I think is wrong, Yes. > so attached is 2 files demonstrating the problem with step by step reproducible > commands with output. regdb-upgrade-does-not-work.txt shows the current > behaviour which must be improved, regdb-upgrade-does-work.txt shows > the behaviour with my patch applied. The patch which was used is also attached. That isn't helping, we don't want to do your work of digging through :) The building-in keys code should NOT be removed, it should be possible to build in keys AND use external keys (and I still think the external key code should be optional since it is _quite_ different from internal keys). What exactly happens when you build in keys and use external ones? The code I originally wrote should try to validate the database using all available keys, it seems like that was broken and you're trying to fix the symptom rather than the cause. johannes ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 2010-03-08 8:08 ` Johannes Berg @ 2010-03-21 10:46 ` Kel Modderman 0 siblings, 0 replies; 10+ messages in thread From: Kel Modderman @ 2010-03-21 10:46 UTC (permalink / raw) To: Johannes Berg; +Cc: John W. Linville, linux-wireless On Monday 08 March 2010 18:08:55 Johannes Berg wrote: > On Sat, 2010-03-06 at 00:59 +1000, Kel Modderman wrote: > > > I am obviously having hard time clearly communicating what I think is wrong, > > Yes. > > > so attached is 2 files demonstrating the problem with step by step reproducible > > commands with output. regdb-upgrade-does-not-work.txt shows the current > > behaviour which must be improved, regdb-upgrade-does-work.txt shows > > the behaviour with my patch applied. The patch which was used is also attached. > > That isn't helping, we don't want to do your work of digging through :) > > The building-in keys code should NOT be removed, it should be possible > to build in keys AND use external keys (and I still think the external > key code should be optional since it is _quite_ different from internal > keys). I'd prefer to use external keys only. If the correct paths are searched I don't see any need to embed the pubkey data into binary. > > What exactly happens when you build in keys and use external ones? The > code I originally wrote should try to validate the database using all > available keys, it seems like that was broken and you're trying to fix > the symptom rather than the cause. > I fucked up the subject and got two issues all mixed up. The issue which is most important is that crda should search PUBKEY_DIR (eg. /lib/crda/pubkeys) as well as the so called RUNTIME_PUBKEY_DIR (/etc/wireless-regdb/pubkeys) because when wireless-regdb is updated it will install any new custom pubkeys to PUBKEY_DIR and crda is still able to verify the new regulatory.bin after loading the new pubkey at runtime. Attached a new patch. Thanks, Kel. --- a/Makefile +++ b/Makefile @@ -30,7 +30,8 @@ all: all_noverify verify all_noverify: crda intersect regdbdump ifeq ($(USE_OPENSSL),1) -CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" `pkg-config --cflags openssl` +CFLAGS += -DPUBKEY_DIR=\"$(PUBKEY_DIR)\" -DRUNTIME_PUBKEY_DIR=\"$(RUNTIME_PUBKEY_DIR)\" +CFLAGS += -DUSE_OPENSSL `pkg-config --cflags openssl` LDLIBS += `pkg-config --libs openssl` reglib.o: keys-ssl.c --- a/reglib.c +++ b/reglib.c @@ -38,6 +38,40 @@ void *crda_get_file_ptr(__u8 *db, int db return (void *)(db + p); } +#ifdef USE_OPENSSL +static int crda_pubkeydir_verification(const char *dir, __u8 *hash, __u8 *db, + int dblen, int siglen) +{ + RSA *rsa; + DIR *pubkey_dir; + struct dirent *nextfile; + FILE *keyfile; + char filename[PATH_MAX]; + int retv = 0; + + if ((pubkey_dir = opendir(dir))) { + while (!retv && (nextfile = readdir(pubkey_dir))) { + snprintf(filename, PATH_MAX, "%s/%s", dir, + nextfile->d_name); + if ((keyfile = fopen(filename, "rb"))) { + rsa = PEM_read_RSA_PUBKEY(keyfile, + NULL, NULL, NULL); + if (rsa) + retv = RSA_verify(NID_sha1, hash, + SHA_DIGEST_LENGTH, + db + dblen, siglen, + rsa) == 1; + RSA_free(rsa); + fclose(keyfile); + } + } + closedir(pubkey_dir); + } + + return retv; +} +#endif + /* * Checks the validity of the signature found on the regulatory * database against the array 'keys'. Returns 1 if there exists @@ -51,10 +85,6 @@ int crda_verify_db_signature(__u8 *db, i __u8 hash[SHA_DIGEST_LENGTH]; unsigned int i; int ok = 0; - DIR *pubkey_dir; - struct dirent *nextfile; - FILE *keyfile; - char filename[PATH_MAX]; if (SHA1(db, dblen, hash) != hash) { fprintf(stderr, "Failed to calculate SHA1 sum.\n"); @@ -78,22 +108,12 @@ int crda_verify_db_signature(__u8 *db, i rsa->n = NULL; RSA_free(rsa); } - if (!ok && (pubkey_dir = opendir(PUBKEY_DIR))) { - while (!ok && (nextfile = readdir(pubkey_dir))) { - snprintf(filename, PATH_MAX, "%s/%s", PUBKEY_DIR, - nextfile->d_name); - if ((keyfile = fopen(filename, "rb"))) { - rsa = PEM_read_RSA_PUBKEY(keyfile, - NULL, NULL, NULL); - if (rsa) - ok = RSA_verify(NID_sha1, hash, SHA_DIGEST_LENGTH, - db + dblen, siglen, rsa) == 1; - RSA_free(rsa); - fclose(keyfile); - } - } - closedir(pubkey_dir); - } + if (!ok) + ok = crda_pubkeydir_verification(PUBKEY_DIR, hash, db, + dblen, siglen); + if (!ok) + ok = crda_pubkeydir_verification(RUNTIME_PUBKEY_DIR, hash, db, + dblen, siglen); #endif #ifdef USE_GCRYPT --- ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2010-03-21 10:47 UTC | newest] Thread overview: 10+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2010-03-04 14:08 [PATCH] crda: do not embed crypto data when USE_OPENSSL=1 Kel Modderman 2010-03-04 15:31 ` John W. Linville 2010-03-05 0:27 ` Kel Modderman 2010-03-05 1:37 ` John W. Linville 2010-03-05 1:56 ` Kel Modderman 2010-03-05 2:00 ` Kel Modderman 2010-03-05 4:08 ` John W. Linville 2010-03-05 14:59 ` Kel Modderman 2010-03-08 8:08 ` Johannes Berg 2010-03-21 10:46 ` Kel Modderman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).