* Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
@ 2015-09-11 22:41 Vinson Lee
  2015-09-11 23:22 ` Davidlohr Bueso
  2015-09-15 13:40 ` David Howells
  0 siblings, 2 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-11 22:41 UTC (permalink / raw)
  To: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann
  Cc: LKML

Hi.

With the latest Linux 4.3-rc1, I am hitting this build error on CentOS 5.11.

  HOSTCC  scripts/sign-file
scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
 #include <openssl/cms.h>
                         ^

CentOS 5.11 toolchain has openssl-0.9.8e and does not have openssl/cms.h.

Cheers,
Vinson

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-11 22:41 Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory" Vinson Lee
@ 2015-09-11 23:22 ` Davidlohr Bueso
  2015-09-12 21:40   ` Jim Davis
  2015-09-14  2:14   ` Dongsheng Yang
  2015-09-15 13:40 ` David Howells
  1 sibling, 2 replies; 15+ messages in thread
From: Davidlohr Bueso @ 2015-09-11 23:22 UTC (permalink / raw)
  To: Vinson Lee
  Cc: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

On Fri, 11 Sep 2015, Vinson Lee wrote:

>Hi.
>
>With the latest Linux 4.3-rc1, I am hitting this build error on CentOS 5.11.
>
>  HOSTCC  scripts/sign-file
>scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
> #include <openssl/cms.h>

fwiw/rant, I have run into kernel build issues recently due to lack of openssl libs.
The solution is trivial, in my case just installing my distro's openssl-devel
package, but this will probably break things for more people. And this is with default
configs... annoying.

Thanks,
Davidlohr


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-11 23:22 ` Davidlohr Bueso
@ 2015-09-12 21:40   ` Jim Davis
  2015-09-14  2:14   ` Dongsheng Yang
  1 sibling, 0 replies; 15+ messages in thread
From: Jim Davis @ 2015-09-12 21:40 UTC (permalink / raw)
  To: Davidlohr Bueso
  Cc: Vinson Lee, David Howells, David Woodhouse, Luis R. Rodriguez,
	Mimi Zohar, Marcel Holtmann, LKML

On Fri, Sep 11, 2015 at 4:22 PM, Davidlohr Bueso <dave@stgolabs.net> wrote:
> On Fri, 11 Sep 2015, Vinson Lee wrote:
>
>> Hi.
>>
>> With the latest Linux 4.3-rc1, I am hitting this build error on CentOS
>> 5.11.
>>
>>  HOSTCC  scripts/sign-file
>> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or
>> directory
>> #include <openssl/cms.h>
>
>
> fwiw/rant, I have run into kernel build issues recently due to lack of
> openssl libs.
> The solution is trivial, in my case just installing my distro's openssl-devel
> package

Though in this case it looks like the openssl-devel rpm for CentOS
5.11 doesn't provide a cms.h file.   When I checked on a CentOS 7
system, installing the openssl-devel package did install cms.h in
/usr/include/openssl.  Maybe something didn't get backported to CentOS
5.11?

-- 
Jim


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-11 23:22 ` Davidlohr Bueso
  2015-09-12 21:40   ` Jim Davis
@ 2015-09-14  2:14   ` Dongsheng Yang
  1 sibling, 0 replies; 15+ messages in thread
From: Dongsheng Yang @ 2015-09-14  2:14 UTC (permalink / raw)
  To: Davidlohr Bueso, Vinson Lee
  Cc: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

On 09/12/2015 07:22 AM, Davidlohr Bueso wrote:
> On Fri, 11 Sep 2015, Vinson Lee wrote:
>
>> Hi.
>>
>> With the latest Linux 4.3-rc1, I am hitting this build error on CentOS
>> 5.11.
>>
>>  HOSTCC  scripts/sign-file
>> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or
>> directory
>> #include <openssl/cms.h>
>
> fwiw/rant, I have run into kernel build issues recently due to lack of
> openssl libs.
> The solution is trivial, in my case just installing my distro's openssl-devel
> package,

Even after I installed openssl-devel, I can compile it, but I ran into a
problem in `make modules_install`:

At main.c:178:
- SSL error:02001002:system library:fopen:No such file or directory: 
bss_file.c:169
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:172
sign-file: : No such file or directory

> but this will probably break things for more people. And this
> is with default
> configs... annoying.
>
> Thanks,
> Davidlohr


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-11 22:41 Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory" Vinson Lee
  2015-09-11 23:22 ` Davidlohr Bueso
@ 2015-09-15 13:40 ` David Howells
  2015-09-15 22:01   ` Vinson Lee
                     ` (2 more replies)
  1 sibling, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-15 13:40 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

Does this patch fix the problem?

David
---
commit 8c8ed9de80bc1bbfd0f1e9a018a0feffcf3c11f8
Author: David Howells <dhowells@redhat.com>
Date:   Tue Sep 15 13:57:08 2015 +0100

    MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
    
    The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
    since that allows the target X.509 certificate to be specified by
    subjectKeyId rather than by issuer + serialNumber.
    
    However, older versions of the OpenSSL crypto library (such as may be found
    in CentOS 5.11) don't support CMS.  Assume everything prior to OpenSSL-1.0.0
    doesn't support CMS and switch to using PKCS#7 in that case.
    
    The compiler gives the following error:
    
      HOSTCC  scripts/sign-file
    scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
     #include <openssl/cms.h>
    
    Reported-by: Vinson Lee <vlee@twopensource.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index c3899ca4811c..0765141c3150 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -20,13 +20,28 @@
 #include <getopt.h>
 #include <err.h>
 #include <arpa/inet.h>
+#include <openssl/opensslv.h>
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-#include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
 
+/*
+ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
+ * assume that it's not available and its header file is missing and that we
+ * should use PKCS#7 instead.  Switching to the older PKCS#7 format restricts
+ * the options we have on specifying the X.509 certificate we want.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define USE_PKCS7
+#endif
+#ifndef USE_PKCS7
+#include <openssl/cms.h>
+#else
+#include <openssl/pkcs7.h>
+#endif
+
 struct module_signature {
 	uint8_t		algo;		/* Public-key crypto algorithm [0] */
 	uint8_t		hash;		/* Digest algorithm [0] */
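Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10000000L` gate infers "no cms.h" from the version alone, but an OpenSSL 1.0.0 or newer built with `no-cms` defines `OPENSSL_NO_CMS` and ships no `openssl/cms.h` either, so the same `fatal error: openssl/cms.h: No such file or directory` would come back on such a build. Gating on both, `#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)`, covers it; the new `#include <openssl/opensslv.h>` ahead of the check is what makes the version macro available, so keep that ordering.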
@@ -110,30 +125,42 @@ int main(int argc, char **argv)
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
 	char *hash_algo = NULL;
 	char *private_key_name, *x509_name, *module_name, *dest_name;
-	bool save_cms = false, replace_orig;
+	bool save_sig = false, replace_orig;
 	bool sign_only = false;
 	unsigned char buf[4096];
-	unsigned long module_size, cms_size;
-	unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
+	unsigned long module_size, sig_size;
+	unsigned int use_signed_attrs;
 	const EVP_MD *digest_algo;
 	EVP_PKEY *private_key;
+#ifndef USE_PKCS7
 	CMS_ContentInfo *cms;
+	unsigned int use_keyid = 0;
+#else
+	PKCS7 *pkcs7;
+#endif
 	X509 *x509;
 	BIO *b, *bd = NULL, *bm;
 	int opt, n;
-
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	ERR_clear_error();
 
 	key_pass = getenv("KBUILD_SIGN_PIN");
 
+#ifndef USE_PKCS7
+	use_signed_attrs = CMS_NOATTR;
+#else
+	use_signed_attrs = PKCS7_NOATTR;
+#endif
+
 	do {
 		opt = getopt(argc, argv, "dpk");
 		switch (opt) {
-		case 'p': save_cms = true; break;
-		case 'd': sign_only = true; save_cms = true; break;
+		case 'p': save_sig = true; break;
+		case 'd': sign_only = true; save_sig = true; break;
+#ifndef USE_PKCS7
 		case 'k': use_keyid = CMS_USE_KEYID; break;
+#endif
 		case -1: break;
 		default: format();
 		}
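Review bot: the removal of the blank line between the declarations and `OpenSSL_add_all_algorithms();` is an unrelated whitespace change and should not ride along in this patch. Also, `getopt(argc, argv, "dpk")` still advertises `-k` when `USE_PKCS7` is defined, but with `case 'k':` compiled out the option falls through to `default: format();`, so someone asking for subjectKeyId selection on an old OpenSSL gets the generic usage text rather than a message saying `-k` needs a CMS-capable library.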
@@ -213,7 +240,8 @@ int main(int argc, char **argv)
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
 
-	/* Load the CMS message from the digest buffer. */
+	/* Load the signature message from the digest buffer. */
+#ifndef USE_PKCS7
 	cms = CMS_sign(NULL, NULL, NULL, NULL,
 		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
 	ERR(!cms, "CMS_sign");
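Review bot: the renamed comment `/* Load the signature message from the digest buffer. */` now sits above `#ifndef USE_PKCS7`, so it reads as describing both branches while only the CMS code follows it; move it inside the `#ifndef` and give the PKCS#7 `#else` branch its own line so each branch is self-describing.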
@@ -221,17 +249,38 @@ int main(int argc, char **argv)
 	ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
 			     use_keyid | use_signed_attrs),
-	    "CMS_sign_add_signer");
+	    "CMS_add1_signer");
 	ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
 	    "CMS_final");
 
-	if (save_cms) {
-		char *cms_name;
+#else
+	pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
+			   PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
+			   PKCS7_DETACHED | PKCS7_STREAM);
+	ERR(!pkcs7, "PKCS7_sign");
+
+	ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
+				   PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
+				   use_signed_attrs),
+	    "PKCS7_sign_add_signer");
+	ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
+	    "PKCS7_final");
+#endif
 
-		ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
-		b = BIO_new_file(cms_name, "wb");
-		ERR(!b, "%s", cms_name);
-		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
+	if (save_sig) {
+		char *sig_file_name;
+
+		ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+		    "asprintf");
+		b = BIO_new_file(sig_file_name, "wb");
+		ERR(!b, "%s", sig_file_name);
+#ifndef USE_PKCS7
+		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+		    "%s", sig_file_name);
+#else
+		ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
+			"%s", sig_file_name);
+#endif
 		BIO_free(b);
 	}
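Review bot: the PKCS#7 branch cannot compile against the library it is meant for: `PKCS7_PARTIAL`, `PKCS7_sign_add_signer()`, `PKCS7_final()` and `i2d_PKCS7_bio_stream()` were all introduced in OpenSSL 1.0.0 together with the CMS code, so on a pre-1.0.0 OpenSSL (the only case in which `USE_PKCS7` is defined) the `#else` block fails just as the `#ifndef` block did. Pre-1.0.0 only offers the one-shot `PKCS7_sign(signcert, pkey, certs, data, flags)` and the non-streaming `i2d_PKCS7_bio()`. Separately, the `"CMS_sign_add_signer"` to `"CMS_add1_signer"` error-string correction is unrelated to the version split and belongs in its own patch.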
 
@@ -247,9 +296,13 @@ int main(int argc, char **argv)
 	ERR(n < 0, "%s", module_name);
 	module_size = BIO_number_written(bd);
 
+#ifndef USE_PKCS7
 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
-	cms_size = BIO_number_written(bd) - module_size;
-	sig_info.sig_len = htonl(cms_size);
+#else
+	ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+#endif
+	sig_size = BIO_number_written(bd) - module_size;
+	sig_info.sig_len = htonl(sig_size);
 	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
 	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
 
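Review bot: `ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);` can never fire: the `i2d_*_bio_stream()` and `i2d_*_bio()` writers return 1 on success and 0 on failure, never a negative value, so a failed write would go unnoticed and `sig_size = BIO_number_written(bd) - module_size` would describe a short or empty signature. The check should be `<= 0` (the unchanged `i2d_CMS_bio_stream` line above it has the same latent problem). The `htonl(sig_size)` narrowing of an `unsigned long` to the 32-bit `sig_len` is fine for any module size.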

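The last hunk of the patch above is the part of sign-file that a verifier has to undo: it writes the module, then the PKCS#7/CMS blob, then `sig_info` with `sig_len` in network byte order, then `magic_number` without its terminating NUL. As an added example that is not code from this thread or from the kernel tree, here is a small C program that builds that trailer the same way and parses it back with the checks the kernel's mod_check_sig() applies. It assumes the kernel's full `struct module_signature` layout (the hunk shows only four of its fields), the kernel's magic string `~Module signature appended~\n`, and the value 2 for PKEY_ID_PKCS7; the module bytes and the "signature" blob are constructed stand-ins, not real DER.

```c
/*
 * Added example, not from the thread or the kernel tree: build and parse
 * the trailer scripts/sign-file appends to a module,
 *     <module body> <signature blob> <struct module_signature> <magic>
 * in the order of the BIO_write() calls in the patch.  The struct layout
 * and magic string are the kernel's (the patch shows only part of the
 * struct); PKEY_ID_PKCS7 == 2 is the kernel's value for that enum.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING     "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)
#define PKEY_ID_PKCS7         2

struct module_signature {
	uint8_t  algo;       /* Public-key crypto algorithm [0] */
	uint8_t  hash;       /* Digest algorithm [0] */
	uint8_t  id_type;    /* Key identifier type [PKEY_ID_PKCS7] */
	uint8_t  signer_len; /* Length of signer's name [0] */
	uint8_t  key_id_len; /* Length of key identifier [0] */
	uint8_t  __pad[3];
	uint32_t sig_len;    /* Length of signature data, big-endian */
};

static uint32_t be32_load(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void be32_store(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Writer side (what sign-file does): returns bytes written, 0 if out is too small. */
size_t mod_append_signature(unsigned char *out, size_t cap,
			    const unsigned char *mod, size_t mod_len,
			    const unsigned char *sig, size_t sig_len)
{
	struct module_signature ms = { .id_type = PKEY_ID_PKCS7 };
	size_t total = mod_len + sig_len + sizeof(ms) + MODULE_SIG_STRING_LEN;
	unsigned char *p = out;

	if (total > cap || sig_len > UINT32_MAX)
		return 0;
	be32_store((uint8_t *)&ms.sig_len, (uint32_t)sig_len);
	memcpy(p, mod, mod_len);               p += mod_len;
	memcpy(p, sig, sig_len);               p += sig_len;
	memcpy(p, &ms, sizeof(ms));            p += sizeof(ms);
	memcpy(p, MODULE_SIG_STRING, MODULE_SIG_STRING_LEN);
	return total;
}

/*
 * Verifier side: find the trailer and check it as the kernel's mod_check_sig()
 * does for PKCS#7: id_type must be PKCS7, every other info byte except sig_len
 * must be zero, and sig_len must leave some module body in front of the blob.
 * Returns 0 on success, -1 if no trailer is present, -2 if it is malformed.
 */
int mod_split_signature(const unsigned char *buf, size_t len,
			size_t *mod_len, const unsigned char **sig,
			size_t *sig_len)
{
	struct module_signature ms;
	size_t rest;
	uint32_t n;

	if (len < MODULE_SIG_STRING_LEN + sizeof(ms) ||
	    memcmp(buf + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
		   MODULE_SIG_STRING_LEN) != 0)
		return -1;
	rest = len - MODULE_SIG_STRING_LEN - sizeof(ms);
	memcpy(&ms, buf + rest, sizeof(ms));
	if (ms.id_type != PKEY_ID_PKCS7 ||
	    ms.algo || ms.hash || ms.signer_len || ms.key_id_len ||
	    ms.__pad[0] || ms.__pad[1] || ms.__pad[2])
		return -2;
	n = be32_load((const uint8_t *)&ms.sig_len);
	if (n == 0 || n >= rest)	/* range-check before forming the pointer */
		return -2;
	*sig_len = n;
	*sig = buf + rest - n;
	*mod_len = rest - n;
	return 0;
}

int main(void)
{
	/* Constructed sample data; the "signature" is a stand-in, not real DER. */
	static const unsigned char mod[] = "constructed module bytes";
	static const unsigned char sig[] = { 0x30, 0x82, 0x01, 0x00, 0x06, 0x09 };
	unsigned char out[128];
	const unsigned char *sp;
	size_t n, ml, sl;

	n = mod_append_signature(out, sizeof out, mod, sizeof mod - 1, sig, sizeof sig);
	if (!n || mod_split_signature(out, n, &ml, &sp, &sl) != 0)
		return 1;
	printf("module %zu bytes, signature %zu bytes, trailer %zu bytes\n",
	       ml, sl, n - ml - sl);
	return 0;
}
```

It compiles with any C99 compiler and needs no OpenSSL. The `-2` path is what an attacker-supplied `sig_len` larger than the file would hit: the length is checked against the bytes that actually precede the info block before the blob pointer is formed, which is the order the kernel also uses.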

* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-15 13:40 ` David Howells
@ 2015-09-15 22:01   ` Vinson Lee
  2015-09-15 22:56   ` David Howells
  2015-09-16 22:45   ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-15 22:01 UTC (permalink / raw)
  To: David Howells
  Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML

On Tue, Sep 15, 2015 at 6:40 AM, David Howells <dhowells@redhat.com> wrote:
> Does this patch fix the problem?
>
> David
> ---
> commit 8c8ed9de80bc1bbfd0f1e9a018a0feffcf3c11f8
> Author: David Howells <dhowells@redhat.com>
> Date:   Tue Sep 15 13:57:08 2015 +0100
>
>     MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
>
>     The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
>     since that allows the target X.509 certificate to be specified by
>     subjectKeyId rather than by issuer + serialNumber.
>
>     However, older versions of the OpenSSL crypto library (such as may be found
>     in CentOS 5.11) don't support CMS.  Assume everything prior to OpenSSL-1.0.0
>     doesn't support CMS and switch to using PKCS#7 in that case.
>
>     The compiler gives the following error:
>
>       HOSTCC  scripts/sign-file
>     scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
>      #include <openssl/cms.h>
>
>     Reported-by: Vinson Lee <vlee@twopensource.com>
>     Signed-off-by: David Howells <dhowells@redhat.com>
>     Acked-by: David Woodhouse <David.Woodhouse@intel.com>
>

This patch results in this build error on CentOS 5.11.

  HOSTCC  scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:255:23: error: ‘PKCS7_PARTIAL’ undeclared (first
use in this function)
       PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
                       ^
scripts/sign-file.c:255:23: note: each undeclared identifier is
reported only once for each function it appears in
scripts/sign-file.c:259:2: warning: implicit declaration of function
‘PKCS7_sign_add_signer’ [-Wimplicit-function-declaration]
  ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
  ^
scripts/sign-file.c:263:2: warning: implicit declaration of function
‘PKCS7_final’ [-Wimplicit-function-declaration]
  ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
  ^
scripts/sign-file.c:278:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
   ^


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-15 13:40 ` David Howells
  2015-09-15 22:01   ` Vinson Lee
@ 2015-09-15 22:56   ` David Howells
  2015-09-16 22:45   ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-15 22:56 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

Vinson Lee <vlee@twopensource.com> wrote:

> This patch results in this build error on CentOS 5.11.
> 
>   HOSTCC  scripts/sign-file
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:255:23: error: ‘PKCS7_PARTIAL’ undeclared (first
> use in this function)
>        PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
>                        ^
> scripts/sign-file.c:255:23: note: each undeclared identifier is
> reported only once for each function it appears in
> scripts/sign-file.c:259:2: warning: implicit declaration of function
> ‘PKCS7_sign_add_signer’ [-Wimplicit-function-declaration]
>   ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
>   ^
> scripts/sign-file.c:263:2: warning: implicit declaration of function
> ‘PKCS7_final’ [-Wimplicit-function-declaration]
>   ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
>   ^
> scripts/sign-file.c:278:3: warning: implicit declaration of function
> ‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
>    ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
>    ^

Hmmm...  Tricky.  I'll have to think about it.  I'm using PKCS7_NOCERTS with
PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
the message - but it's then necessary to manually specify the signers - at
least so I recall.

David


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-15 13:40 ` David Howells
  2015-09-15 22:01   ` Vinson Lee
  2015-09-15 22:56   ` David Howells
@ 2015-09-16 22:45   ` David Howells
  2015-09-18  6:48     ` Vinson Lee
                       ` (2 more replies)
  2 siblings, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-16 22:45 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

David Howells <dhowells@redhat.com> wrote:

> Hmmm...  Tricky.  I'll have to think about it.  I'm using PKCS7_NOCERTS with
> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
> the message - but it's then necessary to manually specify the signers - at
> least so I recall.

It's worse than that.  The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
libs will only do SHA1.

Now, it will work, and SHA1 might be just about acceptable for something based
on that old an OpenSSL library.

With this in mind, does the attached additional patch (on top of the one I
gave you yesterday) work for you?  You need to set CONFIG_MODULE_SIG_SHA1=y in
your config.

David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 0765141c3150..f65120e2aa03 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,7 +32,14 @@
  * assume that it's not available and its header file is missing and that we
  * should use PKCS#7 instead.  Switching to the older PKCS#7 format restricts
  * the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message.  Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
  */
+#define USE_PKCS7
 #if OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
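Review bot: the unconditional `+#define USE_PKCS7` placed before the `#if OPENSSL_VERSION_NUMBER < 0x10000000L` check forces the PKCS#7 path on every OpenSSL, 1.0.0 and newer included, and makes the version test directly below it dead code; it looks like a local testing toggle that escaped into the diff. Drop that line so the gate does what the surrounding comment describes.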
@@ -184,6 +191,14 @@ int main(int argc, char **argv)
 		replace_orig = true;
 	}
 
+#ifdef USE_PKCS7
+	if (strcmp(hash_algo, "sha1") != 0) {
+		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+			OPENSSL_VERSION_TEXT);
+		exit(3);
+	}
+#endif
+
 	/* Read the private key and the X.509 cert the PKCS#7 message
 	 * will point to.
 	 */
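Review bot: the new SHA1 check reports what the library cannot do but not what the user has to change; since this is reached from a kernel build, and the reporter was told to set `CONFIG_MODULE_SIG_SHA1=y`, the message should say so, e.g. `"sign-file: %s only supports SHA1 signing; set CONFIG_MODULE_SIG_SHA1=y\n"`. The comparison `strcmp(hash_algo, "sha1")` is also exact-case, so an upper-case `SHA1` argument is rejected with a message claiming that only SHA1 is supported.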
@@ -240,8 +255,8 @@ int main(int argc, char **argv)
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
 
-	/* Load the signature message from the digest buffer. */
 #ifndef USE_PKCS7
+	/* Load the signature message from the digest buffer. */
 	cms = CMS_sign(NULL, NULL, NULL, NULL,
 		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
 	ERR(!cms, "CMS_sign");
@@ -254,17 +269,10 @@ int main(int argc, char **argv)
 	    "CMS_final");
 
 #else
-	pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
-			   PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
-			   PKCS7_DETACHED | PKCS7_STREAM);
+	pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+			   PKCS7_NOCERTS | PKCS7_BINARY |
+			   PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
 	ERR(!pkcs7, "PKCS7_sign");
-
-	ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
-				   PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
-				   use_signed_attrs),
-	    "PKCS7_sign_add_signer");
-	ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
-	    "PKCS7_final");
 #endif
 
 	if (save_sig) {
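Review bot: the block comment added at the top of this patch says that with old OpenSSL we "have to accept that we get a certificate included in the signature message", yet the new `PKCS7_sign(x509, private_key, NULL, bm, PKCS7_NOCERTS | ...)` call passes `PKCS7_NOCERTS`, which omits the signer certificate from the message; one of the two is wrong, so align the comment with the flag actually passed. Note also that `digest_algo` is no longer used on this branch (pre-1.0.0 `PKCS7_sign()` hardcodes SHA1, which is the reason for the rejection in the earlier hunk), so its lookup could be skipped under `USE_PKCS7`.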


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-16 22:45   ` David Howells
@ 2015-09-18  6:48     ` Vinson Lee
  2015-09-24 11:18     ` David Howells
  2015-09-24 11:21     ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-18  6:48 UTC (permalink / raw)
  To: David Howells
  Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML

On Wed, Sep 16, 2015 at 3:45 PM, David Howells <dhowells@redhat.com> wrote:
> David Howells <dhowells@redhat.com> wrote:
>
>> Hmmm...  Tricky.  I'll have to think about it.  I'm using PKCS7_NOCERTS with
>> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
>> the message - but it's then necessary to manually specify the signers - at
>> least so I recall.
>
> It's worse than that.  The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
> libs will only do SHA1.
>
> Now, it will work, and SHA1 might be just about acceptable for something based
> on that old an OpenSSL library.
>
> With this in mind, does the attached additional patch (on top of the one I
> gave you yesterday) work for you?  You need to set CONFIG_MODULE_SIG_SHA1=y in
> your config.
>

I'm now getting this build warning and error after applying the
additional patch on top of the previous patch.

  HOSTCC  scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:289:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
   ^

sign-file.c:(.text.startup+0x3e7): undefined reference to `i2d_PKCS7_bio_stream'


scripts/sign-file.c
   285  #ifndef USE_PKCS7
   286                  ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
   287                      "%s", sig_file_name);
   288  #else
   289                  ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
   290                          "%s", sig_file_name);
   291  #endif

Vinson


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-16 22:45   ` David Howells
  2015-09-18  6:48     ` Vinson Lee
@ 2015-09-24 11:18     ` David Howells
  2015-09-24 11:21     ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-24 11:18 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

Vinson Lee <vlee@twopensource.com> wrote:

>   HOSTCC  scripts/sign-file
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:289:3: warning: implicit declaration of function
> ‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
>    ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
>    ^
> 
> sign-file.c:(.text.startup+0x3e7): undefined reference to `i2d_PKCS7_bio_stream'

Does this addition help?

David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index f65120e2aa03..33c098225a57 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -307,7 +307,7 @@ int main(int argc, char **argv)
 #ifndef USE_PKCS7
 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
 #else
-	ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+	ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
 #endif
 	sig_size = BIO_number_written(bd) - module_size;
 	sig_info.sig_len = htonl(sig_size);
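Review bot: this converts only the final `i2d_PKCS7_bio_stream()` in the output path; the other call in the `save_sig` (`-p`/`-d`) branch, the one Vinson's error quotes (`ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,`), is left in place, so the undefined-reference error persists for that path. Both need the same `i2d_PKCS7_bio()` substitution, and the `< 0` check should become `<= 0` because `i2d_PKCS7_bio()` returns 1 or 0, never a negative value.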


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-16 22:45   ` David Howells
  2015-09-18  6:48     ` Vinson Lee
  2015-09-24 11:18     ` David Howells
@ 2015-09-24 11:21     ` David Howells
  2015-09-24 22:24       ` Vinson Lee
                         ` (2 more replies)
  2 siblings, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-24 11:21 UTC (permalink / raw)
  Cc: dhowells, Vinson Lee, David Woodhouse, Luis R. Rodriguez,
	Mimi Zohar, Marcel Holtmann, LKML

David Howells <dhowells@redhat.com> wrote:

> Does this addition help?

Rather, this.  Seems I shouldn't pass PKCS7_STREAM.

David
---
commit 227ccb6a71bd9a04d1aaff08a52fcb5ae4149d1e
Author: David Howells <dhowells@redhat.com>
Date:   Thu Sep 24 12:15:06 2015 +0100

    Further pkcs7 signing changes

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index f65120e2aa03..811a37a1c6e3 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -271,7 +271,7 @@ int main(int argc, char **argv)
 #else
 	pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
 			   PKCS7_NOCERTS | PKCS7_BINARY |
-			   PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
+			   PKCS7_DETACHED | use_signed_attrs);
 	ERR(!pkcs7, "PKCS7_sign");
 #endif
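Review bot: dropping `PKCS7_STREAM` is the right fix to pair with `i2d_PKCS7_bio()` (the streaming flag only makes sense with the 1.0.0 `i2d_PKCS7_bio_stream()` writer), but the commit message "Further pkcs7 signing changes" says nothing about why; record that a pre-1.0.0 library has no streaming writer, so `PKCS7_sign()` must consume `bm` and produce the complete structure up front.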
 
@@ -307,7 +307,7 @@ int main(int argc, char **argv)
 #ifndef USE_PKCS7
 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
 #else
-	ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+	ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
 #endif
 	sig_size = BIO_number_written(bd) - module_size;
 	sig_info.sig_len = htonl(sig_size);
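Review bot: as with the previous mail, the `save_sig` branch's `i2d_PKCS7_bio_stream()` call is still not converted, which Vinson's follow-up confirms by having to edit it by hand; and `ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, ...)` never fires since that function returns 1 or 0.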


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-24 11:21     ` David Howells
@ 2015-09-24 22:24       ` Vinson Lee
  2015-09-25  6:16       ` David Howells
  2015-09-25 14:24       ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-24 22:24 UTC (permalink / raw)
  To: David Howells
  Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML

On Thu, Sep 24, 2015 at 4:21 AM, David Howells <dhowells@redhat.com> wrote:
> David Howells <dhowells@redhat.com> wrote:
>
>> Does this addition help?
>
> Rather, this.  Seems I shouldn't pass PKCS7_STREAM.
>
> David
> ---
> commit 227ccb6a71bd9a04d1aaff08a52fcb5ae4149d1e
> Author: David Howells <dhowells@redhat.com>
> Date:   Thu Sep 24 12:15:06 2015 +0100
>
>     Further pkcs7 signing changes
>

With this additional 3rd patch, I get this build error.

  HOSTCC  scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:289:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
   ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
   ^

   285  #ifndef USE_PKCS7
   286                  ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
   287                      "%s", sig_file_name);
   288  #else
   289                  ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
   290                          "%s", sig_file_name);
   291  #endif

After a similar edit to line 289, replacing i2d_PKCS7_bio_stream with
i2d_PKCS7_bio, sign-file.c builds for me on CentOS 5.11.

Cheers,
Vinson


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-24 11:21     ` David Howells
  2015-09-24 22:24       ` Vinson Lee
@ 2015-09-25  6:16       ` David Howells
  2015-09-25 14:24       ` David Howells
  2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-25  6:16 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

Vinson Lee <vlee@twopensource.com> wrote:

> After a similar edit to line 289, replacing i2d_PKCS7_bio_stream with
> i2d_PKCS7_bio, sign-file.c builds for me on CentOS 5.11.

Okay, thanks.  Does it then work?

David


* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
  2015-09-24 11:21     ` David Howells
  2015-09-24 22:24       ` Vinson Lee
  2015-09-25  6:16       ` David Howells
@ 2015-09-25 14:24       ` David Howells
  2015-09-26  1:43         ` Vinson Lee
  2 siblings, 1 reply; 15+ messages in thread
From: David Howells @ 2015-09-25 14:24 UTC (permalink / raw)
  To: Vinson Lee
  Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
	Marcel Holtmann, LKML

Here's my patch with the changes squashed into it for reference.

David
---
commit 81852354cf81402ae69fda4d67138accab2702d5
Author: David Howells <dhowells@redhat.com>
Date:   Thu Sep 24 14:06:02 2015 +0100

    MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
    
    The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
    since that allows the target X.509 certificate to be specified by
    subjectKeyId rather than by issuer + serialNumber.
    
    However, older versions of the OpenSSL crypto library (such as may be found
    in CentOS 5.11) don't support CMS.  Assume everything prior to
    OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.
    
    Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
    give an error from the sign-file script if the caller requests anything
    other than SHA1.
    
    The compiler gives the following error with an OpenSSL crypto library
    that's too old:
    
      HOSTCC  scripts/sign-file
    scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
     #include <openssl/cms.h>
    
    Reported-by: Vinson Lee <vlee@twopensource.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/Documentation/Changes b/Documentation/Changes
index 6d8863004858..f447f0516f07 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -43,7 +43,7 @@ o  udev                   081                     # udevd --version
 o  grub                   0.93                    # grub --version || grub-install --version
 o  mcelog                 0.6                     # mcelog --version
 o  iptables               1.4.2                   # iptables -V
-o  openssl & libcrypto    1.0.1k                  # openssl version
+o  openssl & libcrypto    1.0.0                   # openssl version
 
 
 Kernel compilation
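Review bot: lowering the documented minimum in Documentation/Changes from 1.0.1k to 1.0.0 does not match what the patch enables: the CentOS 5.11 build it fixes has openssl-0.9.8e, and 1.0.0 is only the threshold for the CMS path. Either state both (0.9.8 works for SHA1-only signing; 1.0.0 or newer is needed for CMS, the `-k` subjectKeyId option and any other digest) or keep the old entry, so the table does not claim 1.0.0 is required right after the tool has been made to build on 0.9.8.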
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index c3899ca4811c..250a7a645033 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -20,13 +20,34 @@
 #include <getopt.h>
 #include <err.h>
 #include <arpa/inet.h>
+#include <openssl/opensslv.h>
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-#include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
 
+/*
+ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
+ * assume that it's not available and its header file is missing and that we
+ * should use PKCS#7 instead.  Switching to the older PKCS#7 format restricts
+ * the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message.  Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define USE_PKCS7
+#endif
+#ifndef USE_PKCS7
+#include <openssl/cms.h>
+#else
+#include <openssl/pkcs7.h>
+#endif
+
 struct module_signature {
 	uint8_t		algo;		/* Public-key crypto algorithm [0] */
 	uint8_t		hash;		/* Digest algorithm [0] */
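Review bot: the last sentence of the added block comment ("so we're stuck with that if such is the case") reads as if the tool silently falls back to SHA1, while the check added later in this patch makes sign-file exit with an error for any other digest; say here that non-SHA1 requests are refused so the comment and the behaviour agree. The version gate also still assumes every 1.0.0+ library ships `cms.h`; a build with `OPENSSL_NO_CMS` does not, and adding `|| defined(OPENSSL_NO_CMS)` to the `#if` covers it.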
@@ -110,30 +131,42 @@ int main(int argc, char **argv)
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
 	char *hash_algo = NULL;
 	char *private_key_name, *x509_name, *module_name, *dest_name;
-	bool save_cms = false, replace_orig;
+	bool save_sig = false, replace_orig;
 	bool sign_only = false;
 	unsigned char buf[4096];
-	unsigned long module_size, cms_size;
-	unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
+	unsigned long module_size, sig_size;
+	unsigned int use_signed_attrs;
 	const EVP_MD *digest_algo;
 	EVP_PKEY *private_key;
+#ifndef USE_PKCS7
 	CMS_ContentInfo *cms;
+	unsigned int use_keyid = 0;
+#else
+	PKCS7 *pkcs7;
+#endif
 	X509 *x509;
 	BIO *b, *bd = NULL, *bm;
 	int opt, n;
-
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	ERR_clear_error();
 
 	key_pass = getenv("KBUILD_SIGN_PIN");
 
+#ifndef USE_PKCS7
+	use_signed_attrs = CMS_NOATTR;
+#else
+	use_signed_attrs = PKCS7_NOATTR;
+#endif
+
 	do {
 		opt = getopt(argc, argv, "dpk");
 		switch (opt) {
-		case 'p': save_cms = true; break;
-		case 'd': sign_only = true; save_cms = true; break;
+		case 'p': save_sig = true; break;
+		case 'd': sign_only = true; save_sig = true; break;
+#ifndef USE_PKCS7
 		case 'k': use_keyid = CMS_USE_KEYID; break;
+#endif
 		case -1: break;
 		default: format();
 		}
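Review bot: with USE_PKCS7 defined, 'k' stays in the getopt() option string "dpk" but its case is compiled out, so "-k" falls through to "default: format();" and is reported as a plain usage error with no hint that the option exists but is unsupported by this OpenSSL. Either make the option string conditional as well, or add an "#else" branch for case 'k' that prints an explicit "not supported with OPENSSL_VERSION_TEXT" message, as the SHA1 check in a later hunk does, and exits. Separately, the removal of the blank line between the declarations and OpenSSL_add_all_algorithms() is an unrelated whitespace change and should be left out of this patch.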
@@ -157,6 +190,14 @@ int main(int argc, char **argv)
 		replace_orig = true;
 	}
 
+#ifdef USE_PKCS7
+	if (strcmp(hash_algo, "sha1") != 0) {
+		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+			OPENSSL_VERSION_TEXT);
+		exit(3);
+	}
+#endif
+
 	/* Read the private key and the X.509 cert the PKCS#7 message
 	 * will point to.
 	 */
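Review bot: the hash check uses strcmp(hash_algo, "sha1"), which is case-sensitive, so a caller passing "SHA1" gets the message "only supports SHA1 signing", which reads as a contradiction. Use strcasecmp(), or better, compare the resolved digest_algo (declared in the previous hunk) against EVP_sha1() so the check follows OpenSSL's own name resolution rather than a string spelling.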
@@ -213,7 +254,8 @@ int main(int argc, char **argv)
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
 
-	/* Load the CMS message from the digest buffer. */
+#ifndef USE_PKCS7
+	/* Load the signature message from the digest buffer. */
 	cms = CMS_sign(NULL, NULL, NULL, NULL,
 		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
 	ERR(!cms, "CMS_sign");
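Review bot: the reworded comment "Load the signature message from the digest buffer." now sits inside the "#ifndef USE_PKCS7" branch, so only the CMS path is commented and the PKCS7_sign() branch in the next hunk has no explanation at all; move the comment above the #ifndef so it covers both branches.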
@@ -221,17 +263,31 @@ int main(int argc, char **argv)
 	ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
 			     use_keyid | use_signed_attrs),
-	    "CMS_sign_add_signer");
+	    "CMS_add1_signer");
 	ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
 	    "CMS_final");
 
-	if (save_cms) {
-		char *cms_name;
+#else
+	pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+			   PKCS7_NOCERTS | PKCS7_BINARY |
+			   PKCS7_DETACHED | use_signed_attrs);
+	ERR(!pkcs7, "PKCS7_sign");
+#endif
 
-		ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
-		b = BIO_new_file(cms_name, "wb");
-		ERR(!b, "%s", cms_name);
-		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
+	if (save_sig) {
+		char *sig_file_name;
+
+		ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+		    "asprintf");
+		b = BIO_new_file(sig_file_name, "wb");
+		ERR(!b, "%s", sig_file_name);
+#ifndef USE_PKCS7
+		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+		    "%s", sig_file_name);
+#else
+		ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
+			"%s", sig_file_name);
+#endif
 		BIO_free(b);
 	}
 
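Review bot: the new ERR(i2d_PKCS7_bio(b, pkcs7) < 0, ...) check never fires: i2d_PKCS7_bio() returns 1 on success and 0 on failure, so a failed write of the .p7s file is silently ignored. Use ERR(!i2d_PKCS7_bio(b, pkcs7), "%s", sig_file_name); the i2d_CMS_bio_stream() line carries the same "< 0" pattern over from the original code, but a new line should not copy it. Also, the continuation line '"%s", sig_file_name);' under the PKCS#7 call is indented with three tabs instead of aligning with the opening parenthesis as the CMS line just above it does.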
@@ -247,9 +303,13 @@ int main(int argc, char **argv)
 	ERR(n < 0, "%s", module_name);
 	module_size = BIO_number_written(bd);
 
+#ifndef USE_PKCS7
 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
-	cms_size = BIO_number_written(bd) - module_size;
-	sig_info.sig_len = htonl(cms_size);
+#else
+	ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
+#endif
+	sig_size = BIO_number_written(bd) - module_size;
+	sig_info.sig_len = htonl(sig_size);
 	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
 	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
 
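Review bot: same return-value problem as the .p7s write above: ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name) cannot catch a failed write, because i2d_PKCS7_bio() returns 0, not a negative value, on error; use !i2d_PKCS7_bio(...). This matters more here than for the detached file, because sig_size is computed from BIO_number_written(bd) right afterwards, so a partial write would yield a module carrying a wrong sig_len instead of an error.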

* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
From: Vinson Lee @ 2015-09-26  1:43 UTC (permalink / raw)
  To: David Howells
  Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML

On Fri, Sep 25, 2015 at 7:24 AM, David Howells <dhowells@redhat.com> wrote:
> Here's my patch with the changes squashed into it for reference.
>
> David
> ---
> commit 81852354cf81402ae69fda4d67138accab2702d5
> Author: David Howells <dhowells@redhat.com>
> Date:   Thu Sep 24 14:06:02 2015 +0100
>
>     MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
>
>     The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
>     since that allows the target X.509 certificate to be specified by
>     subjectKeyId rather than by issuer + serialNumber.
>
>     However, older versions of the OpenSSL crypto library (such as may be found
>     in CentOS 5.11) don't support CMS.  Assume everything prior to
>     OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.
>
>     Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
>     give an error from the sign-file script if the caller requests anything
>     other than SHA1.
>
>     The compiler gives the following error with an OpenSSL crypto library
>     that's too old:
>
>       HOSTCC  scripts/sign-file
>     scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
>      #include <openssl/cms.h>
>
>     Reported-by: Vinson Lee <vlee@twopensource.com>
>     Signed-off-by: David Howells <dhowells@redhat.com>
>     Acked-by: David Woodhouse <David.Woodhouse@intel.com>
>

This squashed patch also builds for me on CentOS 5.11.

Linux 4.2-rc2 plus this patch booted up without issue and it appears
this feature is available.

$ dmesg | grep -i 'x.*509'
[    1.888412] Asymmetric key parser 'x509' registered
[    3.485152] Loading compiled-in X.509 certificates
[    3.490659] Loaded X.509 cert 'Build time autogenerated kernel key: ea8ef2f666280e4d429a8ff8a2056069bbb55979'

Vinson
