diff options
author | Stefan Strogin <steils@gentoo.org> | 2019-05-19 03:42:01 +0300 |
---|---|---|
committer | Lucas De Marchi <lucas.demarchi@intel.com> | 2019-05-28 15:22:18 -0700 |
commit | 628677e066198d8658d7edd5511a5bb27cd229f5 (patch) | |
tree | 312d7109691faeb2df3bb818a6924fb6d0fbda49 | |
parent | ea3e508f61251b16567f888042f6c4c60b48a4e0 (diff) | |
download | kmod-628677e066198d8658d7edd5511a5bb27cd229f5.tar.gz kmod-628677e066198d8658d7edd5511a5bb27cd229f5.tar.bz2 kmod-628677e066198d8658d7edd5511a5bb27cd229f5.zip |
libkmod-signature: use PKCS#7 instead of CMS
Linux uses either PKCS #7 or CMS for signing modules (see
scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
so PKCS #7 is used on systems with these libcrypto providers.
CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
the latest OpenSSL as well as CMS. The fields used for signing kernel
modules are supported both in PKCS #7 and CMS.
For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
newer.
Use PKCS #7 for parsing module signature information, so that modinfo
could be used both with OpenSSL and LibreSSL.
[1] https://tools.ietf.org/html/rfc5652#section-1.1
Changes v1->v2:
- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
with OpenSSL and LibreSSL.
Signed-off-by: Stefan Strogin <steils@gentoo.org>
-rw-r--r-- | libkmod/libkmod-signature.c | 37 |
1 files changed, 19 insertions, 18 deletions
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index 48d0145..4e8748c 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -20,7 +20,7 @@ #include <endian.h> #include <inttypes.h> #ifdef ENABLE_OPENSSL -#include <openssl/cms.h> +#include <openssl/pkcs7.h> #include <openssl/ssl.h> #endif #include <stdio.h> @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, #ifdef ENABLE_OPENSSL struct pkcs7_private { - CMS_ContentInfo *cms; + PKCS7 *pkcs7; unsigned char *key_id; BIGNUM *sno; }; @@ -132,7 +132,7 @@ static void pkcs7_free(void *s) struct kmod_signature_info *si = s; struct pkcs7_private *pvt = si->private; - CMS_ContentInfo_free(pvt->cms); + PKCS7_free(pvt->pkcs7); BN_free(pvt->sno); free(pvt->key_id); free(pvt); @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, struct kmod_signature_info *sig_info) { const char *pkcs7_raw; - CMS_ContentInfo *cms; - STACK_OF(CMS_SignerInfo) *sis; - CMS_SignerInfo *si; - int rc; - ASN1_OCTET_STRING *key_id; + PKCS7 *pkcs7; + STACK_OF(PKCS7_SIGNER_INFO) *sis; + PKCS7_SIGNER_INFO *si; + PKCS7_ISSUER_AND_SERIAL *is; X509_NAME *issuer; ASN1_INTEGER *sno; ASN1_OCTET_STRING *sig; @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, in = BIO_new_mem_buf(pkcs7_raw, sig_len); - cms = d2i_CMS_bio(in, NULL); - if (cms == NULL) { + pkcs7 = d2i_PKCS7_bio(in, NULL); + if (pkcs7 == NULL) { BIO_free(in); return false; } BIO_free(in); - sis = CMS_get0_SignerInfos(cms); + sis = PKCS7_get_signer_info(pkcs7); if (sis == NULL) goto err; - si = sk_CMS_SignerInfo_value(sis, 0); + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); if (si == NULL) goto err; - rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); - if (rc == 0) + is = si->issuer_and_serial; + if (is == NULL) goto err; + issuer = is->issuer; + sno = is->serial; - sig = CMS_SignerInfo_get0_signature(si); + sig = si->enc_digest; if (sig == NULL) goto err; - CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); sig_info->sig_len = ASN1_STRING_length(sig); @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, if (pvt == NULL) goto err3; - pvt->cms = cms; + pvt->pkcs7 = pkcs7; pvt->key_id = key_id_str; pvt->sno = sno_bn; sig_info->private = pvt; @@ -290,7 +291,7 @@ err3: err2: BN_free(sno_bn); err: - CMS_ContentInfo_free(cms); + PKCS7_free(pkcs7); return false; } |