On Sun, May 19, 2019 at 03:42:01AM +0300, Stefan Strogin wrote:
Linux uses either PKCS #7 or CMS for signing modules (see scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL, so PKCS #7 is used on systems with these libcrypto providers. CMS and PKCS #7 formats are very similar. CMS is newer but is as much as possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in the latest OpenSSL as well as CMS. The fields used for signing kernel modules are supported both in PKCS #7 and CMS. For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or newer. Use PKCS #7 for parsing module signature information, so that modinfo could be used both with OpenSSL and LibreSSL. [1] https://tools.ietf.org/html/rfc5652#section-1.1 Changes v1->v2: - Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both with OpenSSL and LibreSSL.
Much better now, thanks! Applied. Lucas De Marchi
Signed-off-by: Stefan Strogin <steils@xxxxxxxxxx> --- libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index 48d0145..4e8748c 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -20,7 +20,7 @@ #include <endian.h> #include <inttypes.h> #ifdef ENABLE_OPENSSL -#include <openssl/cms.h> +#include <openssl/pkcs7.h> #include <openssl/ssl.h> #endif #include <stdio.h> @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, #ifdef ENABLE_OPENSSL struct pkcs7_private { - CMS_ContentInfo *cms; + PKCS7 *pkcs7; unsigned char *key_id; BIGNUM *sno; }; @@ -132,7 +132,7 @@ static void pkcs7_free(void *s) struct kmod_signature_info *si = s; struct pkcs7_private *pvt = si->private; - CMS_ContentInfo_free(pvt->cms); + PKCS7_free(pvt->pkcs7); BN_free(pvt->sno); free(pvt->key_id); free(pvt); @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, struct kmod_signature_info *sig_info) { const char *pkcs7_raw; - CMS_ContentInfo *cms; - STACK_OF(CMS_SignerInfo) *sis; - CMS_SignerInfo *si; - int rc; - ASN1_OCTET_STRING *key_id; + PKCS7 *pkcs7; + STACK_OF(PKCS7_SIGNER_INFO) *sis; + PKCS7_SIGNER_INFO *si; + PKCS7_ISSUER_AND_SERIAL *is; X509_NAME *issuer; ASN1_INTEGER *sno; ASN1_OCTET_STRING *sig; @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, in = BIO_new_mem_buf(pkcs7_raw, sig_len); - cms = d2i_CMS_bio(in, NULL); - if (cms == NULL) { + pkcs7 = d2i_PKCS7_bio(in, NULL); + if (pkcs7 == NULL) { BIO_free(in); return false; } BIO_free(in); - sis = CMS_get0_SignerInfos(cms); + sis = PKCS7_get_signer_info(pkcs7); if (sis == NULL) goto err; - si = sk_CMS_SignerInfo_value(sis, 0); + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); if (si == NULL) goto err; - rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); - if (rc == 0) + is = si->issuer_and_serial; + if (is == NULL) goto err; + issuer = is->issuer; + sno = is->serial; - sig = CMS_SignerInfo_get0_signature(si); + sig = si->enc_digest; if (sig == NULL) goto err; - CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); sig_info->sig_len = ASN1_STRING_length(sig); @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, if (pvt == NULL) goto err3; - pvt->cms = cms; + pvt->pkcs7 = pkcs7; pvt->key_id = key_id_str; pvt->sno = sno_bn; sig_info->private = pvt; @@ -290,7 +291,7 @@ err3: err2: BN_free(sno_bn); err: - CMS_ContentInfo_free(cms); + PKCS7_free(pkcs7); return false; } -- 2.21.0