* Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
@ 2015-09-11 22:41 Vinson Lee
2015-09-11 23:22 ` Davidlohr Bueso
2015-09-15 13:40 ` David Howells
0 siblings, 2 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-11 22:41 UTC (permalink / raw)
To: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann
Cc: LKML
Hi.
With the latest Linux 4.3-rc1, I am hitting this build error on CentOS 5.11.
HOSTCC scripts/sign-file
scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
#include <openssl/cms.h>
^
CentOS 5.11 toolchain has openssl-0.9.8e and does not have openssl/cms.h.
Cheers,
Vinson
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-11 22:41 Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory" Vinson Lee
@ 2015-09-11 23:22 ` Davidlohr Bueso
2015-09-12 21:40 ` Jim Davis
2015-09-14 2:14 ` Dongsheng Yang
2015-09-15 13:40 ` David Howells
1 sibling, 2 replies; 15+ messages in thread
From: Davidlohr Bueso @ 2015-09-11 23:22 UTC (permalink / raw)
To: Vinson Lee
Cc: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
On Fri, 11 Sep 2015, Vinson Lee wrote:
>Hi.
>
>With the latest Linux 4.3-rc1, I am hitting this build error on CentOS 5.11.
>
> HOSTCC scripts/sign-file
>scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
> #include <openssl/cms.h>
fwiw/rant, I have run into kernel build issues recently due to lack of openssl libs.
The solution is trivial, in my case just installing my distro's openssl-devel
package, but this will probably break things for more people. And this is with default
configs... annoying.
Thanks,
Davidlohr
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-11 23:22 ` Davidlohr Bueso
@ 2015-09-12 21:40 ` Jim Davis
2015-09-14 2:14 ` Dongsheng Yang
1 sibling, 0 replies; 15+ messages in thread
From: Jim Davis @ 2015-09-12 21:40 UTC (permalink / raw)
To: Davidlohr Bueso
Cc: Vinson Lee, David Howells, David Woodhouse, Luis R. Rodriguez,
Mimi Zohar, Marcel Holtmann, LKML
On Fri, Sep 11, 2015 at 4:22 PM, Davidlohr Bueso <dave@stgolabs.net> wrote:
> On Fri, 11 Sep 2015, Vinson Lee wrote:
>
>> Hi.
>>
>> With the latest Linux 4.3-rc1, I am hitting this build error on CentOS
>> 5.11.
>>
>> HOSTCC scripts/sign-file
>> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or
>> directory
>> #include <openssl/cms.h>
>
>
> fwiw/rant, I have run into kernel build issues recently due to lack of
> openssl libs.
> The solution is trivial, in my case just installing my distro's openssl-devel
> package
Though in this case it looks like the openssl-devel rpm for CentOS
5.11 doesn't provide a cms.h file. When I checked on a CentOS 7
system, installing the openssl-devel package did install cms.h in
/usr/include/openssl. Maybe something didn't get backported to CentOS
5.11?
--
Jim
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-11 23:22 ` Davidlohr Bueso
2015-09-12 21:40 ` Jim Davis
@ 2015-09-14 2:14 ` Dongsheng Yang
1 sibling, 0 replies; 15+ messages in thread
From: Dongsheng Yang @ 2015-09-14 2:14 UTC (permalink / raw)
To: Davidlohr Bueso, Vinson Lee
Cc: David Howells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
On 09/12/2015 07:22 AM, Davidlohr Bueso wrote:
> On Fri, 11 Sep 2015, Vinson Lee wrote:
>
>> Hi.
>>
>> With the latest Linux 4.3-rc1, I am hitting this build error on CentOS
>> 5.11.
>>
>> HOSTCC scripts/sign-file
>> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or
>> directory
>> #include <openssl/cms.h>
>
> fwiw/rant, I have run into kernel build issues recently due to lack of
> openssl libs.
> The solution is trivial, in my case just installing my distro's openssl-devel
> package,
Even after installing openssl-devel, I can compile it, but I met a
problem in `make modules_install`:
At main.c:178:
- SSL error:02001002:system library:fopen:No such file or directory:
bss_file.c:169
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:172
sign-file: : No such file or directory
> but this will probably break things for more people. And this
> is with default
> configs... annoying.
>
> Thanks,
> Davidlohr
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-11 22:41 Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory" Vinson Lee
2015-09-11 23:22 ` Davidlohr Bueso
@ 2015-09-15 13:40 ` David Howells
2015-09-15 22:01 ` Vinson Lee
` (2 more replies)
1 sibling, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-15 13:40 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
Does this patch fix the problem?
David
---
commit 8c8ed9de80bc1bbfd0f1e9a018a0feffcf3c11f8
Author: David Howells <dhowells@redhat.com>
Date: Tue Sep 15 13:57:08 2015 +0100
MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
since that allows the target X.509 certificate to be specified by
subjectKeyId rather than by issuer + serialNumber.
However, older versions of the OpenSSL crypto library (such as may be found
in CentOS 5.11) don't support CMS. Assume everything prior to OpenSSL-1.0.0
doesn't support CMS and switch to using PKCS#7 in that case.
The compiler gives the following error:
HOSTCC scripts/sign-file
scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
#include <openssl/cms.h>
Reported-by: Vinson Lee <vlee@twopensource.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index c3899ca4811c..0765141c3150 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -20,13 +20,28 @@
#include <getopt.h>
#include <err.h>
#include <arpa/inet.h>
+#include <openssl/opensslv.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
-#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+/*
+ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
+ * assume that it's not available and its header file is missing and that we
+ * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
+ * the options we have on specifying the X.509 certificate we want.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define USE_PKCS7
+#endif
+#ifndef USE_PKCS7
+#include <openssl/cms.h>
+#else
+#include <openssl/pkcs7.h>
+#endif
+
struct module_signature {
uint8_t algo; /* Public-key crypto algorithm [0] */
uint8_t hash; /* Digest algorithm [0] */
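Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10000000L` gate in this hunk assumes CMS availability tracks the library version, but OpenSSL can be built with `no-cms`, in which case a 1.0.x install ships without cms.h and defines OPENSSL_NO_CMS (in opensslconf.h, already reached through <openssl/bio.h>), and the same fatal error comes back on such a host. Suggest `#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)`.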
@@ -110,30 +125,42 @@ int main(int argc, char **argv)
struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
char *hash_algo = NULL;
char *private_key_name, *x509_name, *module_name, *dest_name;
- bool save_cms = false, replace_orig;
+ bool save_sig = false, replace_orig;
bool sign_only = false;
unsigned char buf[4096];
- unsigned long module_size, cms_size;
- unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
+ unsigned long module_size, sig_size;
+ unsigned int use_signed_attrs;
const EVP_MD *digest_algo;
EVP_PKEY *private_key;
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
+ unsigned int use_keyid = 0;
+#else
+ PKCS7 *pkcs7;
+#endif
X509 *x509;
BIO *b, *bd = NULL, *bm;
int opt, n;
-
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
ERR_clear_error();
key_pass = getenv("KBUILD_SIGN_PIN");
+#ifndef USE_PKCS7
+ use_signed_attrs = CMS_NOATTR;
+#else
+ use_signed_attrs = PKCS7_NOATTR;
+#endif
+
do {
opt = getopt(argc, argv, "dpk");
switch (opt) {
- case 'p': save_cms = true; break;
- case 'd': sign_only = true; save_cms = true; break;
+ case 'p': save_sig = true; break;
+ case 'd': sign_only = true; save_sig = true; break;
+#ifndef USE_PKCS7
case 'k': use_keyid = CMS_USE_KEYID; break;
+#endif
case -1: break;
default: format();
}
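Review bot: with the `case 'k'` compiled out under USE_PKCS7, `k` still sits in the getopt string "dpk", so `-k` on an old OpenSSL now falls through to `default: format()` and the user gets a bare usage message instead of being told that selecting the certificate by subjectKeyId needs CMS. Either take `k` out of the option string under USE_PKCS7 or keep the case and print a specific error.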
@@ -213,7 +240,8 @@ int main(int argc, char **argv)
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
- /* Load the CMS message from the digest buffer. */
+ /* Load the signature message from the digest buffer. */
+#ifndef USE_PKCS7
cms = CMS_sign(NULL, NULL, NULL, NULL,
CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
ERR(!cms, "CMS_sign");
@@ -221,17 +249,38 @@ int main(int argc, char **argv)
ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
use_keyid | use_signed_attrs),
- "CMS_sign_add_signer");
+ "CMS_add1_signer");
ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
"CMS_final");
- if (save_cms) {
- char *cms_name;
+#else
+ pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
+ PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
+ PKCS7_DETACHED | PKCS7_STREAM);
+ ERR(!pkcs7, "PKCS7_sign");
+
+ ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
+ PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
+ use_signed_attrs),
+ "PKCS7_sign_add_signer");
+ ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
+ "PKCS7_final");
+#endif
- ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
- b = BIO_new_file(cms_name, "wb");
- ERR(!b, "%s", cms_name);
- ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
+ if (save_sig) {
+ char *sig_file_name;
+
+ ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+ "asprintf");
+ b = BIO_new_file(sig_file_name, "wb");
+ ERR(!b, "%s", sig_file_name);
+#ifndef USE_PKCS7
+ ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+ "%s", sig_file_name);
+#else
+ ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
+ "%s", sig_file_name);
+#endif
BIO_free(b);
}
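Review bot: the USE_PKCS7 branch in this hunk calls PKCS7_sign() with PKCS7_PARTIAL | PKCS7_STREAM and then PKCS7_sign_add_signer(), PKCS7_final() and i2d_PKCS7_bio_stream(); every one of those was introduced in OpenSSL 1.0.0, the same release that brought cms.h, so the fallback cannot compile against the pre-1.0.0 libcrypto it is gated on. On 0.9.8 the only route is the one-shot PKCS7_sign(x509, private_key, NULL, bm, flags) with the data BIO supplied up front, written out with i2d_PKCS7_bio().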
@@ -247,9 +296,13 @@ int main(int argc, char **argv)
ERR(n < 0, "%s", module_name);
module_size = BIO_number_written(bd);
+#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
- cms_size = BIO_number_written(bd) - module_size;
- sig_info.sig_len = htonl(cms_size);
+#else
+ ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+#endif
+ sig_size = BIO_number_written(bd) - module_size;
+ sig_info.sig_len = htonl(sig_size);
ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-15 13:40 ` David Howells
@ 2015-09-15 22:01 ` Vinson Lee
2015-09-15 22:56 ` David Howells
2015-09-16 22:45 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-15 22:01 UTC (permalink / raw)
To: David Howells
Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML
On Tue, Sep 15, 2015 at 6:40 AM, David Howells <dhowells@redhat.com> wrote:
> Does this patch fix the problem?
>
> David
> ---
> commit 8c8ed9de80bc1bbfd0f1e9a018a0feffcf3c11f8
> Author: David Howells <dhowells@redhat.com>
> Date: Tue Sep 15 13:57:08 2015 +0100
>
> MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
>
> The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
> since that allows the target X.509 certificate to be specified by
> subjectKeyId rather than by issuer + serialNumber.
>
> However, older versions of the OpenSSL crypto library (such as may be found
> in CentOS 5.11) don't support CMS. Assume everything prior to OpenSSL-1.0.0
> doesn't support CMS and switch to using PKCS#7 in that case.
>
> The compiler gives the following error:
>
> HOSTCC scripts/sign-file
> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
> #include <openssl/cms.h>
>
> Reported-by: Vinson Lee <vlee@twopensource.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: David Woodhouse <David.Woodhouse@intel.com>
>
This patch results in this build error on CentOS 5.11.
HOSTCC scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:255:23: error: ‘PKCS7_PARTIAL’ undeclared (first
use in this function)
PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
^
scripts/sign-file.c:255:23: note: each undeclared identifier is
reported only once for each function it appears in
scripts/sign-file.c:259:2: warning: implicit declaration of function
‘PKCS7_sign_add_signer’ [-Wimplicit-function-declaration]
ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
^
scripts/sign-file.c:263:2: warning: implicit declaration of function
‘PKCS7_final’ [-Wimplicit-function-declaration]
ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
^
scripts/sign-file.c:278:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
^
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-15 13:40 ` David Howells
2015-09-15 22:01 ` Vinson Lee
@ 2015-09-15 22:56 ` David Howells
2015-09-16 22:45 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-15 22:56 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
Vinson Lee <vlee@twopensource.com> wrote:
> This patch results in this build error on CentOS 5.11.
>
> HOSTCC scripts/sign-file
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:255:23: error: ‘PKCS7_PARTIAL’ undeclared (first
> use in this function)
> PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
> ^
> scripts/sign-file.c:255:23: note: each undeclared identifier is
> reported only once for each function it appears in
> scripts/sign-file.c:259:2: warning: implicit declaration of function
> ‘PKCS7_sign_add_signer’ [-Wimplicit-function-declaration]
> ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
> ^
> scripts/sign-file.c:263:2: warning: implicit declaration of function
> ‘PKCS7_final’ [-Wimplicit-function-declaration]
> ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
> ^
> scripts/sign-file.c:278:3: warning: implicit declaration of function
> ‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
> ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
> ^
Hmmm... Tricky. I'll have to think about it. I'm using PKCS7_NOCERTS with
PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
the message - but it's then necessary to manually specify the signers - at
least so I recall.
David
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-15 13:40 ` David Howells
2015-09-15 22:01 ` Vinson Lee
2015-09-15 22:56 ` David Howells
@ 2015-09-16 22:45 ` David Howells
2015-09-18 6:48 ` Vinson Lee
` (2 more replies)
2 siblings, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-16 22:45 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
David Howells <dhowells@redhat.com> wrote:
> Hmmm... Tricky. I'll have to think about it. I'm using PKCS7_NOCERTS with
> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
> the message - but it's then necessary to manually specify the signers - at
> least so I recall.
It's worse than that. The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
libs will only do SHA1.
Now, it will work, and SHA1 might be just about acceptable for something based
on that old an OpenSSL library.
With this in mind, does the attached additional patch (on top of the one I
gave you yesterday) work for you? You need to set CONFIG_MODULE_SIG_SHA1=y in
your config.
David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 0765141c3150..f65120e2aa03 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,7 +32,14 @@
* assume that it's not available and its header file is missing and that we
* should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
* the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message. Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
*/
+#define USE_PKCS7
#if OPENSSL_VERSION_NUMBER < 0x10000000L
#define USE_PKCS7
#endif
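Review bot: the unconditional `#define USE_PKCS7` added just before the `#if OPENSSL_VERSION_NUMBER` test forces the PKCS#7 path on every OpenSSL version, so the CMS branch becomes dead code and current hosts silently lose subjectKeyId (`-k`) selection and non-SHA1 digests; this reads as a local test switch and should not be in the patch.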
@@ -184,6 +191,14 @@ int main(int argc, char **argv)
replace_orig = true;
}
+#ifdef USE_PKCS7
+ if (strcmp(hash_algo, "sha1") != 0) {
+ fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+ OPENSSL_VERSION_TEXT);
+ exit(3);
+ }
+#endif
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
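Review bot: the `strcmp(hash_algo, "sha1")` check only runs when sign-file is invoked, i.e. at signing time in `make modules_install`, so a tree configured with the default CONFIG_MODULE_SIG_SHA256 on a pre-1.0.0 host configures and compiles cleanly and then fails late with exit status 3. The constraint belongs where the hash is chosen as well (the MODULE_SIG_HASH choice help text or Documentation/Changes), and the message should say that the host's OpenSSL is the reason, since printing `OPENSSL_VERSION_TEXT` alone does not tell the user what to change.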
@@ -240,8 +255,8 @@ int main(int argc, char **argv)
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
- /* Load the signature message from the digest buffer. */
#ifndef USE_PKCS7
+ /* Load the signature message from the digest buffer. */
cms = CMS_sign(NULL, NULL, NULL, NULL,
CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
ERR(!cms, "CMS_sign");
@@ -254,17 +269,10 @@ int main(int argc, char **argv)
"CMS_final");
#else
- pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
- PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
- PKCS7_DETACHED | PKCS7_STREAM);
+ pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+ PKCS7_NOCERTS | PKCS7_BINARY |
+ PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
ERR(!pkcs7, "PKCS7_sign");
-
- ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
- PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
- use_signed_attrs),
- "PKCS7_sign_add_signer");
- ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
- "PKCS7_final");
#endif
if (save_sig) {
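Review bot: passing PKCS7_STREAM to PKCS7_sign() here defers content processing to a streaming writer, and the only streaming writer for PKCS7 is i2d_PKCS7_bio_stream(), which also does not exist before 1.0.0; on 0.9.8 drop PKCS7_STREAM so PKCS7_sign() digests `bm` immediately and the result can be written with plain i2d_PKCS7_bio(). Note also that `digest_algo` is no longer used on this path once PKCS7_sign_add_signer() goes away, which is consistent with the SHA1-only check above but deserves a comment so nobody "fixes" it later.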
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-16 22:45 ` David Howells
@ 2015-09-18 6:48 ` Vinson Lee
2015-09-24 11:18 ` David Howells
2015-09-24 11:21 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-18 6:48 UTC (permalink / raw)
To: David Howells
Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML
On Wed, Sep 16, 2015 at 3:45 PM, David Howells <dhowells@redhat.com> wrote:
> David Howells <dhowells@redhat.com> wrote:
>
>> Hmmm... Tricky. I'll have to think about it. I'm using PKCS7_NOCERTS with
>> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
>> the message - but it's then necessary to manually specify the signers - at
>> least so I recall.
>
> It's worse than that. The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
> libs will only do SHA1.
>
> Now, it will work, and SHA1 might be just about acceptable for something based
> on that old an OpenSSL library.
>
> With this in mind, does the attached additional patch (on top of the one I
> gave you yesterday) work for you? You need to set CONFIG_MODULE_SIG_SHA1=y in
> your config.
>
I'm now getting this build warning and error after applying the
additional patch on top of the previous patch.
HOSTCC scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:289:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
^
sign-file.c:(.text.startup+0x3e7): undefined reference to `i2d_PKCS7_bio_stream'
scripts/sign-file.c
285 #ifndef USE_PKCS7
286 ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
287 "%s", sig_file_name);
288 #else
289 ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
290 "%s", sig_file_name);
291 #endif
Vinson
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-16 22:45 ` David Howells
2015-09-18 6:48 ` Vinson Lee
@ 2015-09-24 11:18 ` David Howells
2015-09-24 11:21 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-24 11:18 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
Vinson Lee <vlee@twopensource.com> wrote:
> HOSTCC scripts/sign-file
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:289:3: warning: implicit declaration of function
> ‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
> ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
> ^
>
> sign-file.c:(.text.startup+0x3e7): undefined reference to `i2d_PKCS7_bio_stream'
Does this addition help?
David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index f65120e2aa03..33c098225a57 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -307,7 +307,7 @@ int main(int argc, char **argv)
#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
#else
- ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+ ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
#endif
sig_size = BIO_number_written(bd) - module_size;
sig_info.sig_len = htonl(sig_size);
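Review bot: this switches only the dest_name write at line 307; the `-p`/`-d` sidecar write at line 289, which is exactly the site the report quotes (`ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", sig_file_name);`), still calls i2d_PKCS7_bio_stream() and will keep failing to link on 0.9.8. Both call sites need i2d_PKCS7_bio().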
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-16 22:45 ` David Howells
2015-09-18 6:48 ` Vinson Lee
2015-09-24 11:18 ` David Howells
@ 2015-09-24 11:21 ` David Howells
2015-09-24 22:24 ` Vinson Lee
` (2 more replies)
2 siblings, 3 replies; 15+ messages in thread
From: David Howells @ 2015-09-24 11:21 UTC (permalink / raw)
Cc: dhowells, Vinson Lee, David Woodhouse, Luis R. Rodriguez,
Mimi Zohar, Marcel Holtmann, LKML
David Howells <dhowells@redhat.com> wrote:
> Does this addition help?
Rather, this. Seems I shouldn't pass PKCS7_STREAM.
David
---
commit 227ccb6a71bd9a04d1aaff08a52fcb5ae4149d1e
Author: David Howells <dhowells@redhat.com>
Date: Thu Sep 24 12:15:06 2015 +0100
Further pkcs7 signing changes
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index f65120e2aa03..811a37a1c6e3 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -271,7 +271,7 @@ int main(int argc, char **argv)
#else
pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
PKCS7_NOCERTS | PKCS7_BINARY |
- PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
+ PKCS7_DETACHED | use_signed_attrs);
ERR(!pkcs7, "PKCS7_sign");
#endif
@@ -307,7 +307,7 @@ int main(int argc, char **argv)
#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
#else
- ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name);
+ ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
#endif
sig_size = BIO_number_written(bd) - module_size;
sig_info.sig_len = htonl(sig_size);
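Review bot: as with the previous attempt, only the dest_name write at line 307 is converted; the save_sig branch at line 289 still calls i2d_PKCS7_bio_stream() and is what the reported implicit-declaration warning and undefined reference point at, so the patch is incomplete as posted.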
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-24 11:21 ` David Howells
@ 2015-09-24 22:24 ` Vinson Lee
2015-09-25 6:16 ` David Howells
2015-09-25 14:24 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-24 22:24 UTC (permalink / raw)
To: David Howells
Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML
On Thu, Sep 24, 2015 at 4:21 AM, David Howells <dhowells@redhat.com> wrote:
> David Howells <dhowells@redhat.com> wrote:
>
>> Does this addition help?
>
> Rather, this. Seems I shouldn't pass PKCS7_STREAM.
>
> David
> ---
> commit 227ccb6a71bd9a04d1aaff08a52fcb5ae4149d1e
> Author: David Howells <dhowells@redhat.com>
> Date: Thu Sep 24 12:15:06 2015 +0100
>
> Further pkcs7 signing changes
>
With this additional 3rd patch, I get this build error.
HOSTCC scripts/sign-file
scripts/sign-file.c: In function ‘main’:
scripts/sign-file.c:289:3: warning: implicit declaration of function
‘i2d_PKCS7_bio_stream’ [-Wimplicit-function-declaration]
ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
^
285 #ifndef USE_PKCS7
286 ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
287 "%s", sig_file_name);
288 #else
289 ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0,
290 "%s", sig_file_name);
291 #endif
After a similar edit to line 289, replacing i2d_PKCS7_bio_stream with
i2d_PKCS7_bio, sign-file.c builds for me on CentOS 5.11.
Cheers,
Vinson
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-24 11:21 ` David Howells
2015-09-24 22:24 ` Vinson Lee
@ 2015-09-25 6:16 ` David Howells
2015-09-25 14:24 ` David Howells
2 siblings, 0 replies; 15+ messages in thread
From: David Howells @ 2015-09-25 6:16 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
Vinson Lee <vlee@twopensource.com> wrote:
> After a similar edit to line 289, replacing i2d_PKCS7_bio_stream with
> i2d_PKCS7_bio, sign-file.c builds for me on CentOS 5.11.
Okay, thanks. Does it then work?
David
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-24 11:21 ` David Howells
2015-09-24 22:24 ` Vinson Lee
2015-09-25 6:16 ` David Howells
@ 2015-09-25 14:24 ` David Howells
2015-09-26 1:43 ` Vinson Lee
2 siblings, 1 reply; 15+ messages in thread
From: David Howells @ 2015-09-25 14:24 UTC (permalink / raw)
To: Vinson Lee
Cc: dhowells, David Woodhouse, Luis R. Rodriguez, Mimi Zohar,
Marcel Holtmann, LKML
Here's my patch with the changes squashed into it for reference.
David
---
commit 81852354cf81402ae69fda4d67138accab2702d5
Author: David Howells <dhowells@redhat.com>
Date: Thu Sep 24 14:06:02 2015 +0100
MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
since that allows the target X.509 certificate to be specified by
subjectKeyId rather than by issuer + serialNumber.
However, older versions of the OpenSSL crypto library (such as may be found
in CentOS 5.11) don't support CMS. Assume everything prior to
OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.
Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
give an error from the sign-file script if the caller requests anything
other than SHA1.
The compiler gives the following error with an OpenSSL crypto library
that's too old:
HOSTCC scripts/sign-file
scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
#include <openssl/cms.h>
Reported-by: Vinson Lee <vlee@twopensource.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
diff --git a/Documentation/Changes b/Documentation/Changes
index 6d8863004858..f447f0516f07 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -43,7 +43,7 @@ o udev 081 # udevd --version
o grub 0.93 # grub --version || grub-install --version
o mcelog 0.6 # mcelog --version
o iptables 1.4.2 # iptables -V
-o openssl & libcrypto 1.0.1k # openssl version
+o openssl & libcrypto 1.0.0 # openssl version
Kernel compilation
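Review bot: lowering the documented minimum from 1.0.1k to 1.0.0 does not describe what the code now accepts: the point of the patch is to build against 0.9.8e, but on anything below 1.0.0 the tool silently switches format (PKCS#7 instead of CMS), loses `-k` and refuses every digest except SHA-1. The entry should either stay at 1.0.0 with a note that older libcrypto works only in that degraded mode, or state 0.9.8 with the caveat spelled out, so that anyone picking a build host from this list knows the signatures it produces will differ.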
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index c3899ca4811c..250a7a645033 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -20,13 +20,34 @@
#include <getopt.h>
#include <err.h>
#include <arpa/inet.h>
+#include <openssl/opensslv.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
-#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+/*
+ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
+ * assume that it's not available and its header file is missing and that we
+ * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
+ * the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message. Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define USE_PKCS7
+#endif
+#ifndef USE_PKCS7
+#include <openssl/cms.h>
+#else
+#include <openssl/pkcs7.h>
+#endif
+
struct module_signature {
uint8_t algo; /* Public-key crypto algorithm [0] */
uint8_t hash; /* Digest algorithm [0] */
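Review bot: the new comment says that on old OpenSSL we "have to accept that we get a certificate included in the signature message", but the PKCS7_sign() call added later in this patch (hunk @@ -221,17 +263,31 @@) passes PKCS7_NOCERTS, which omits the signer certificate. One of the two is wrong; if the certificate really is omitted, say so here, because the verifier then has to locate the key by issuer and serialNumber alone, which is the restriction the commit message already describes.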
@@ -110,30 +131,42 @@ int main(int argc, char **argv)
struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
char *hash_algo = NULL;
char *private_key_name, *x509_name, *module_name, *dest_name;
- bool save_cms = false, replace_orig;
+ bool save_sig = false, replace_orig;
bool sign_only = false;
unsigned char buf[4096];
- unsigned long module_size, cms_size;
- unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
+ unsigned long module_size, sig_size;
+ unsigned int use_signed_attrs;
const EVP_MD *digest_algo;
EVP_PKEY *private_key;
+#ifndef USE_PKCS7
CMS_ContentInfo *cms;
+ unsigned int use_keyid = 0;
+#else
+ PKCS7 *pkcs7;
+#endif
X509 *x509;
BIO *b, *bd = NULL, *bm;
int opt, n;
-
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
ERR_clear_error();
key_pass = getenv("KBUILD_SIGN_PIN");
+#ifndef USE_PKCS7
+ use_signed_attrs = CMS_NOATTR;
+#else
+ use_signed_attrs = PKCS7_NOATTR;
+#endif
+
do {
opt = getopt(argc, argv, "dpk");
switch (opt) {
- case 'p': save_cms = true; break;
- case 'd': sign_only = true; save_cms = true; break;
+ case 'p': save_sig = true; break;
+ case 'd': sign_only = true; save_sig = true; break;
+#ifndef USE_PKCS7
case 'k': use_keyid = CMS_USE_KEYID; break;
+#endif
case -1: break;
default: format();
}
@@ -157,6 +190,14 @@ int main(int argc, char **argv)
replace_orig = true;
}
+#ifdef USE_PKCS7
+ if (strcmp(hash_algo, "sha1") != 0) {
+ fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+ OPENSSL_VERSION_TEXT);
+ exit(3);
+ }
+#endif
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
@@ -213,7 +254,8 @@ int main(int argc, char **argv)
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
- /* Load the CMS message from the digest buffer. */
+#ifndef USE_PKCS7
+ /* Load the signature message from the digest buffer. */
cms = CMS_sign(NULL, NULL, NULL, NULL,
CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
ERR(!cms, "CMS_sign");
@@ -221,17 +263,31 @@ int main(int argc, char **argv)
ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
use_keyid | use_signed_attrs),
- "CMS_sign_add_signer");
+ "CMS_add1_signer");
ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
"CMS_final");
- if (save_cms) {
- char *cms_name;
+#else
+ pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+ PKCS7_NOCERTS | PKCS7_BINARY |
+ PKCS7_DETACHED | use_signed_attrs);
+ ERR(!pkcs7, "PKCS7_sign");
+#endif
- ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
- b = BIO_new_file(cms_name, "wb");
- ERR(!b, "%s", cms_name);
- ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
+ if (save_sig) {
+ char *sig_file_name;
+
+ ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+ "asprintf");
+ b = BIO_new_file(sig_file_name, "wb");
+ ERR(!b, "%s", sig_file_name);
+#ifndef USE_PKCS7
+ ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+ "%s", sig_file_name);
+#else
+ ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
+ "%s", sig_file_name);
+#endif
BIO_free(b);
}
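Review bot: the error check `ERR(i2d_PKCS7_bio(b, pkcs7) < 0, ...)` can never fire: i2d_PKCS7_bio(), like the other i2d_*_bio() routines, returns 1 on success and 0 on failure, so a failed write of the .p7s file goes unreported. The same applies to the `i2d_CMS_bio_stream(...) < 0` check it mirrors; `<= 0` (or `!= 1`) for both would make the ERR() macro actually catch the failure. Separately, sig_file_name from asprintf() is never freed, which is harmless for a one-shot tool but worth a `free()` after BIO_free(b) while the code is being touched.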
@@ -247,9 +303,13 @@ int main(int argc, char **argv)
ERR(n < 0, "%s", module_name);
module_size = BIO_number_written(bd);
+#ifndef USE_PKCS7
ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
- cms_size = BIO_number_written(bd) - module_size;
- sig_info.sig_len = htonl(cms_size);
+#else
+ ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
+#endif
+ sig_size = BIO_number_written(bd) - module_size;
+ sig_info.sig_len = htonl(sig_size);
ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
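Review bot: the `#ifndef USE_PKCS7` / `#else` pair around the i2d_* call here duplicates the one in the save_sig branch above, and carries the same `< 0` check; a small helper (say `write_signature(BIO *out)`, name suggested) that serialises either the CMS or the PKCS#7 object once would keep the two call sites and their error handling identical. Computing sig_size and sig_info.sig_len after the `#endif` so both paths share it is the right shape; the helper would extend that to the serialisation itself.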
* Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
2015-09-25 14:24 ` David Howells
@ 2015-09-26 1:43 ` Vinson Lee
0 siblings, 0 replies; 15+ messages in thread
From: Vinson Lee @ 2015-09-26 1:43 UTC (permalink / raw)
To: David Howells
Cc: David Woodhouse, Luis R. Rodriguez, Mimi Zohar, Marcel Holtmann, LKML
On Fri, Sep 25, 2015 at 7:24 AM, David Howells <dhowells@redhat.com> wrote:
> Here's my patch with the changes squashed into it for reference.
>
> David
> ---
> commit 81852354cf81402ae69fda4d67138accab2702d5
> Author: David Howells <dhowells@redhat.com>
> Date: Thu Sep 24 14:06:02 2015 +0100
>
> MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
>
> The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
> since that allows the target X.509 certificate to be specified by
> subjectKeyId rather than by issuer + serialNumber.
>
> However, older versions of the OpenSSL crypto library (such as may be found
> in CentOS 5.11) don't support CMS. Assume everything prior to
> OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.
>
> Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
> give an error from the sign-file script if the caller requests anything
> other than SHA1.
>
> The compiler gives the following error with an OpenSSL crypto library
> that's too old:
>
> HOSTCC scripts/sign-file
> scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
> #include <openssl/cms.h>
>
> Reported-by: Vinson Lee <vlee@twopensource.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: David Woodhouse <David.Woodhouse@intel.com>
>
This squashed patch also builds for me on CentOS 5.11.
Linux 4.2-rc2 plus this patch booted up without issue and it appears
this feature is available.
$ dmesg | grep -i 'x.*509'
[ 1.888412] Asymmetric key parser 'x509' registered
[ 3.485152] Loading compiled-in X.509 certificates
[ 3.490659] Loaded X.509 cert 'Build time autogenerated kernel key:
ea8ef2f666280e4d429a8ff8a2056069bbb55979'
Vinson
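The hunks above write the signed module as module data, then the DER signature, then a fixed-size sig_info trailer whose sig_len is stored big-endian, then the magic marker. The following parser is an added example (not code from this thread or from the kernel's sign-file) that splits such a file back into module, signature and trailer and checks the trailer for consistency; it assumes the 12-byte struct module_signature layout, the marker string and the id_type value 2 for PKCS#7/CMS from the kernel sources, none of which are quoted on this page.

```python
import struct

# Assumed from the kernel's module-signing format (not shown in the thread):
# struct module_signature { algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len } followed by the marker string.
MAGIC = b"~Module signature appended~\n"
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)   # 12 bytes
PKEY_ID_PKCS7 = 2                               # id_type for CMS/PKCS#7 (assumed)


def append_signature(module: bytes, sig: bytes) -> bytes:
    """Lay out a signed module in the order sign-file writes it."""
    info = struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return module + sig + info + MAGIC


def split_signed_module(data: bytes):
    """Return (module, signature, info) or None if no trailer is present.

    Raises ValueError when the trailer is present but inconsistent, which is
    what a verifier should treat as a corrupt or tampered file."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:])
    body = body[:-SIG_INFO_LEN]
    # For CMS/PKCS#7 the signer and key id live inside the DER blob, so the
    # legacy inline fields must all be zero.
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("non-zero legacy fields on a PKCS#7 signature")
    if sig_len > len(body):
        raise ValueError("sig_len %d exceeds remaining size %d" % (sig_len, len(body)))
    cut = len(body) - sig_len
    return body[:cut], body[cut:], {"id_type": id_type, "sig_len": sig_len}


if __name__ == "__main__":
    # Constructed sample: a fake module body and a fake (non-DER) signature.
    blob = append_signature(b"\x7fELF" + b"M" * 64, b"S" * 40)
    module, sig, info = split_signed_module(blob)
    print(len(module), len(sig), info)
```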
Thread overview: 15+ messages
2015-09-11 22:41 Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory" Vinson Lee
2015-09-11 23:22 ` Davidlohr Bueso
2015-09-12 21:40 ` Jim Davis
2015-09-14 2:14 ` Dongsheng Yang
2015-09-15 13:40 ` David Howells
2015-09-15 22:01 ` Vinson Lee
2015-09-15 22:56 ` David Howells
2015-09-16 22:45 ` David Howells
2015-09-18 6:48 ` Vinson Lee
2015-09-24 11:18 ` David Howells
2015-09-24 11:21 ` David Howells
2015-09-24 22:24 ` Vinson Lee
2015-09-25 6:16 ` David Howells
2015-09-25 14:24 ` David Howells
2015-09-26 1:43 ` Vinson Lee