From: David Howells <dhowells@redhat.com>
To: unlisted-recipients:; (no To-header on input)
Cc: dhowells@redhat.com, Dmitry Kasatkin <d.kasatkin@samsung.com>,
mmarek@suse.cz, rusty@rustcorp.com.au, vgoyal@redhat.com,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
zohar@linux.vnet.ibm.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures
Date: Mon, 24 Nov 2014 16:13:39 +0000 [thread overview]
Message-ID: <31431.1416845619@warthog.procyon.org.uk> (raw)
In-Reply-To: <14276.1416833541@warthog.procyon.org.uk>
David Howells <dhowells@redhat.com> wrote:
> > Actually after cleaning the tree and re-signing the modules, I get following
> >
> > Unrecognized character \x7F; marked by <-- HERE after <-- HERE near
> > column 1 at ./scripts/sign-file line 1.
> > make[1]: *** [arch/x86/crypto/aes-x86_64.ko] Error 255
>
> warthog>grep -r sign-file Makefile
> mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
>
> Because of that. I need to remove the 'perl' bit.
It's a little more involved than that. The X.509 cert being passed to the
program is binary, whereas the one I've been testing with is PEM encoded - and
libssl has separate routines that don't work out for themselves which encoding
is in force. Proposed changes below.
David
---
diff --git a/Makefile b/Makefile
index b77de27e58fc..8d5624bf96db 100644
--- a/Makefile
+++ b/Makefile
@@ -859,7 +859,7 @@ ifdef CONFIG_MODULE_SIG_ALL
MODSECKEY = ./signing_key.priv
MODPUBKEY = ./signing_key.x509
export MODPUBKEY
-mod_sign_cmd = perl $(srctree)/scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
+mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
else
mod_sign_cmd = true
endif
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 3f9bedbd185f..ff5e78348de0 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -61,14 +61,24 @@ static void display_openssl_errors(int l)
}
}
+static void drain_openssl_errors(void)
+{
+ const char *file;
+ int line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ while (ERR_get_error_line(&file, &line)) {}
+}
-#define ERR(cond, ...) \
- do { \
- bool __cond = (cond); \
- display_openssl_errors(__LINE__); \
- if (__cond) { \
- err(1, ## __VA_ARGS__); \
- } \
+
+#define ERR(cond, ...) \
+ do { \
+ bool __cond = (cond); \
+ display_openssl_errors(__LINE__); \
+ if (__cond) { \
+ err(1, ## __VA_ARGS__); \
+ } \
} while(0)
int main(int argc, char **argv)
@@ -126,8 +136,15 @@ int main(int argc, char **argv)
b = BIO_new_file(x509_name, "rb");
ERR(!b, "%s", x509_name);
- x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
+ x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
+ if (!x509) {
+ BIO_reset(b);
+ x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
+ if (x509)
+ drain_openssl_errors();
+ }
BIO_free(b);
+ ERR(!x509, "%s", x509_name);
/* Open the destination file now so that we can shovel the module data
* across as we read it.
next prev parent reply other threads:[~2014-11-24 16:14 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-20 16:53 [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures David Howells
2014-11-20 16:54 ` [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier David Howells
2014-11-21 14:42 ` Vivek Goyal
2014-12-04 12:24 ` Dmitry Kasatkin
2014-12-04 13:02 ` David Howells
2014-11-24 13:35 ` David Howells
2014-11-20 16:54 ` [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier David Howells
2014-11-21 15:33 ` Vivek Goyal
2014-11-24 0:00 ` Mimi Zohar
2014-11-24 11:58 ` [Keyrings] " Mimi Zohar
2014-11-24 16:55 ` David Howells
2014-11-24 17:12 ` Mimi Zohar
2014-11-24 16:58 ` David Howells
2014-11-24 17:33 ` Mimi Zohar
2014-11-24 19:36 ` David Howells
2014-11-20 16:54 ` [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes David Howells
2014-11-24 11:52 ` Mimi Zohar
2014-11-24 12:48 ` David Howells
2014-11-24 13:43 ` Mimi Zohar
2014-11-24 14:41 ` David Howells
2014-11-24 14:59 ` Mimi Zohar
2014-11-24 15:14 ` David Howells
2014-11-20 16:54 ` [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2014-11-20 16:54 ` [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2014-11-24 14:06 ` Mimi Zohar
2014-11-21 12:59 ` [PATCH 0/5] MODSIGN: Use PKCS#7 for " Dmitry Kasatkin
2014-11-24 9:19 ` Dmitry Kasatkin
2014-11-24 12:52 ` David Howells
2014-11-24 16:13 ` David Howells [this message]
2014-11-24 17:14 ` Mimi Zohar
2014-11-24 12:33 ` Dmitry Kasatkin
2014-11-24 12:51 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31431.1416845619@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=d.kasatkin@samsung.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=vgoyal@redhat.com \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.