Hi, Stefan! Just in case, I have no objections. >>>>> On Sun, 19 May 2019 03:42:01 +0300, Stefan Strogin wrote: > Linux uses either PKCS #7 or CMS for signing modules (see > scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL, > so PKCS #7 is used on systems with these libcrypto providers. > CMS and PKCS #7 formats are very similar. CMS is newer but is > as much as possible backward compatible with PKCS #7 [1]. PKCS > #7 is supported in the latest OpenSSL as well as CMS. The > fields used for signing kernel modules are supported both in > PKCS #7 and CMS. > For now modinfo uses CMS with no alternative requiring OpenSSL > 1.1.0 or newer. > Use PKCS #7 for parsing module signature information, so that > modinfo could be used both with OpenSSL and LibreSSL. > [1] https://tools.ietf.org/html/rfc5652#section-1.1 > Changes v1->v2: > - Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both > with OpenSSL and LibreSSL. > Signed-off-by: Stefan Strogin <steils@xxxxxxxxxx> > --- > libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------ > 1 file changed, 19 insertions(+), 18 deletions(-) > diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c > index 48d0145..4e8748c 100644 > --- a/libkmod/libkmod-signature.c > +++ b/libkmod/libkmod-signature.c > @@ -20,7 +20,7 @@ > #include <endian.h> > #include <inttypes.h> > #ifdef ENABLE_OPENSSL > -#include <openssl/cms.h> > +#include <openssl/pkcs7.h> > #include <openssl/ssl.h> > #endif > #include <stdio.h> > @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, > #ifdef ENABLE_OPENSSL > struct pkcs7_private { > - CMS_ContentInfo *cms; > + PKCS7 *pkcs7; > unsigned char *key_id; > BIGNUM *sno; > }; > @@ -132,7 +132,7 @@ static void pkcs7_free(void *s) > struct kmod_signature_info *si = s; > struct pkcs7_private *pvt = si->private; > - CMS_ContentInfo_free(pvt->cms); > + PKCS7_free(pvt->pkcs7); > BN_free(pvt->sno); > free(pvt->key_id); > free(pvt); > @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, > struct kmod_signature_info *sig_info) > { > const char *pkcs7_raw; > - CMS_ContentInfo *cms; > - STACK_OF(CMS_SignerInfo) *sis; > - CMS_SignerInfo *si; > - int rc; > - ASN1_OCTET_STRING *key_id; > + PKCS7 *pkcs7; > + STACK_OF(PKCS7_SIGNER_INFO) *sis; > + PKCS7_SIGNER_INFO *si; > + PKCS7_ISSUER_AND_SERIAL *is; > X509_NAME *issuer; > ASN1_INTEGER *sno; > ASN1_OCTET_STRING *sig; > @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, > in = BIO_new_mem_buf(pkcs7_raw, sig_len); > - cms = d2i_CMS_bio(in, NULL); > - if (cms == NULL) { > + pkcs7 = d2i_PKCS7_bio(in, NULL); > + if (pkcs7 == NULL) { > BIO_free(in); > return false; > } > BIO_free(in); > - sis = CMS_get0_SignerInfos(cms); > + sis = PKCS7_get_signer_info(pkcs7); > if (sis == NULL) > goto err; > - si = sk_CMS_SignerInfo_value(sis, 0); > + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); > if (si == NULL) > goto err; > - rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); > - if (rc == 0) > + is = si->issuer_and_serial; > + if (is == NULL) > goto err; > + issuer = is->issuer; > + sno = is->serial; > - sig = CMS_SignerInfo_get0_signature(si); > + sig = si->enc_digest; > if (sig == NULL) > goto err; > - CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); > + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); sig_info-> sig = (const char *)ASN1_STRING_get0_data(sig); sig_info-> sig_len = ASN1_STRING_length(sig); > @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, > if (pvt == NULL) > goto err3; > - pvt->cms = cms; > + pvt->pkcs7 = pkcs7; pvt-> key_id = key_id_str; pvt-> sno = sno_bn; sig_info-> private = pvt; > @@ -290,7 +291,7 @@ err3: > err2: > BN_free(sno_bn); > err: > - CMS_ContentInfo_free(cms); > + PKCS7_free(pkcs7); > return false; > } > -- > 2.21.0 -- WBR, Yauheni Kaliuta