From patchwork Fri Feb 15 04:13:40 2019
X-Patchwork-Submitter: Stefan Strogin
X-Patchwork-Id: 10814147
From: Stefan Strogin
To: linux-modules@vger.kernel.org
Cc: stefan.strogin@gmail.com, ykaliuta@redhat.com, lucas.demarchi@intel.com
Subject: [PATCH] libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL
Date: Fri, 15 Feb 2019 06:13:40 +0200
Message-Id: <20190215041340.29258-1-stefan.strogin@gmail.com>
X-Mailer: git-send-email 2.20.1

The Linux kernel uses either PKCS #7 or CMS for signing modules (scripts/sign-file.c). CMS is not supported by LibreSSL; PKCS #7 is used instead. Until now modinfo used CMS with no alternative, requiring >=openssl-1.1.0 built with CMS support. Use PKCS #7 for parsing module signature information when CMS is not available.

Signed-off-by: Stefan Strogin
---
libkmod/libkmod-signature.c | 78 +++++++++++++++++++++++++++++++++++-- 1 file changed, 75 insertions(+), 3 deletions(-) diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index 48d0145..aa2a60e 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -20,9 +20,16 @@ #include #include #ifdef ENABLE_OPENSSL -#include -#include -#endif +# include +# if defined(LIBRESSL_VERSION_NUMBER) || \ + OPENSSL_VERSION_NUMBER < 0x10100000L || \ + defined(OPENSSL_NO_CMS) +# define USE_PKCS7 +# include +# else +# include +# endif /* LIBRESSL_VERSION_NUMBER */ +#endif /* ENABLE_OPENSSL */ #include #include #include @@ -122,7 +129,11 @@ static bool fill_default(const char *mem, off_t size, #ifdef ENABLE_OPENSSL struct pkcs7_private { +#ifndef USE_PKCS7 CMS_ContentInfo *cms; +#else + PKCS7 *pkcs7; +#endif unsigned char *key_id; BIGNUM *sno; }; @@ -132,7 +143,11 @@ static void pkcs7_free(void *s) struct kmod_signature_info *si = s; struct pkcs7_private *pvt = si->private; +#ifndef USE_PKCS7 CMS_ContentInfo_free(pvt->cms); +#else + PKCS7_free(pvt->pkcs7); +#endif BN_free(pvt->sno); free(pvt->key_id); free(pvt);
@@ -187,7 +202,13 @@ static const char *x509_name_to_str(X509_NAME *name) return NULL; d = X509_NAME_ENTRY_get_data(e); +#if (defined(LIBRESSL_VERSION_NUMBER) && \ + LIBRESSL_VERSION_NUMBER < 0x20700000L) || \ + OPENSSL_VERSION_NUMBER < 0x10100000L + str = (const char *)ASN1_STRING_data(d); +#else str = (const char *)ASN1_STRING_get0_data(d); +#endif return str; } @@ -197,11 +218,18 @@ static bool fill_pkcs7(const char *mem, off_t size, struct kmod_signature_info *sig_info) { const char *pkcs7_raw; +#ifndef USE_PKCS7 CMS_ContentInfo *cms; STACK_OF(CMS_SignerInfo) *sis; CMS_SignerInfo *si; int rc; ASN1_OCTET_STRING *key_id; +#else + PKCS7 *pkcs7; + STACK_OF(PKCS7_SIGNER_INFO) *sis; + PKCS7_SIGNER_INFO *si; + PKCS7_ISSUER_AND_SERIAL *is; +#endif X509_NAME *issuer; ASN1_INTEGER *sno; ASN1_OCTET_STRING *sig; @@ -220,14 +248,23 @@ static bool fill_pkcs7(const char *mem, off_t size, in = BIO_new_mem_buf(pkcs7_raw, sig_len); +#ifndef USE_PKCS7 cms = d2i_CMS_bio(in, NULL); if (cms == NULL) { BIO_free(in); return false; } +#else + pkcs7 = d2i_PKCS7_bio(in, NULL); + if (pkcs7 == NULL) { + BIO_free(in); + return false; + } +#endif BIO_free(in); +#ifndef USE_PKCS7 sis = CMS_get0_SignerInfos(cms); if (sis == NULL) goto err; 
@@ -245,8 +282,35 @@ static bool fill_pkcs7(const char *mem, off_t size, goto err; CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); +#else + sis = PKCS7_get_signer_info(pkcs7); + if (sis == NULL) + goto err; + + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); + if (si == NULL) + goto err; + + is = si->issuer_and_serial; + if (is == NULL) + goto err; + issuer = is->issuer; + sno = is->serial; + + sig = si->enc_digest; + if (sig == NULL) + goto err; + + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); +#endif +#if (defined(LIBRESSL_VERSION_NUMBER) && \ + LIBRESSL_VERSION_NUMBER < 0x20700000L) || \ + OPENSSL_VERSION_NUMBER < 0x10100000L + sig_info->sig = (const char *)ASN1_STRING_data(sig); +#else sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); +#endif sig_info->sig_len = ASN1_STRING_length(sig); sno_bn = ASN1_INTEGER_to_BN(sno, NULL); @@ -277,7 +341,11 @@ static bool fill_pkcs7(const char *mem, off_t size, if (pvt == NULL) goto err3; +#ifndef USE_PKCS7 pvt->cms = cms; +#else + pvt->pkcs7 = pkcs7; +#endif pvt->key_id = key_id_str; pvt->sno = sno_bn; sig_info->private = pvt; @@ -290,7 +358,11 @@ err3: err2: BN_free(sno_bn); err: +#ifndef USE_PKCS7 CMS_ContentInfo_free(cms); +#else + PKCS7_free(pkcs7); +#endif return false; }
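Review bot: the closing comment in the @@ -20,9 +20,16 @@ hunk, `+# endif /* LIBRESSL_VERSION_NUMBER */`, names only one of the three conditions that open the block (LibreSSL, OpenSSL < 1.1.0, OPENSSL_NO_CMS); please change it to something like `# endif /* USE_PKCS7 selection */` so the comment stays accurate. In the same block, `OPENSSL_VERSION_NUMBER < 0x10100000L` is only meaningful if the `# include` directly above it is the header that defines that macro; if it is not, the preprocessor treats the undefined identifier as 0, the comparison is true, and the PKCS7 path is silently selected on every OpenSSL build. An explicit `#include <openssl/opensslv.h>` ahead of the `#if`, or an `#ifndef OPENSSL_VERSION_NUMBER` / `#error` guard, would make that failure loud instead of silent.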
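Review bot: the three-line version test choosing `ASN1_STRING_data()` over `ASN1_STRING_get0_data()` in the @@ -187,7 +202,13 @@ hunk is repeated verbatim in the @@ -245,8 +282,35 @@ hunk around `sig_info->sig = ...`; define the choice once beside the USE_PKCS7 block, e.g. `# define ASN1_STRING_get0_data(s) ASN1_STRING_data(s)` under the old-version condition, and call `ASN1_STRING_get0_data()` unconditionally at both sites so the two copies cannot drift apart.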
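Review bot: in the @@ -220,14 +248,23 @@ hunk both the CMS and the PKCS7 branch repeat the same `BIO_free(in); return false;` cleanup after their `d2i_*_bio()` NULL check; keeping only the `d2i_` call inside the `#ifndef USE_PKCS7` / `#else` and testing a single `parsed == NULL` (or a `bool ok`) outside it would leave one cleanup path to maintain instead of two.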
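Review bot: with USE_PKCS7 the @@ -277,7 +341,11 @@ hunk still stores `pvt->key_id = key_id_str;`, yet the PKCS7 branch declared in @@ -197,11 +218,18 @@ has no `key_id` at all (only `is`, from which `issuer` and `sno` are taken), and the code that derives `key_id_str` lies between the hunks and is not shown; please confirm that code either sits inside the CMS-only `#ifndef USE_PKCS7` region or leaves `key_id_str` well defined (possibly NULL) in the PKCS7 build, since `pkcs7_free()` hands that pointer to `free()` and an uninitialised value there would be a memory-safety bug rather than a compile error.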