Linux-Modules Archive on lore.kernel.org
 help / Atom feed
* [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS
@ 2019-05-19  0:42 Stefan Strogin
  2019-05-26 10:11 ` Yauheni Kaliuta
  2019-05-28 22:25 ` Lucas De Marchi
  0 siblings, 2 replies; 3+ messages in thread
From: Stefan Strogin @ 2019-05-19  0:42 UTC (permalink / raw)
  To: linux-modules
  Cc: Stefan Strogin, Lucas De Marchi, Yauheni Kaliuta, Aaron Bauman

Linux uses either PKCS #7 or CMS for signing modules (see
scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
so PKCS #7 is used on systems with these libcrypto providers.

CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
the latest OpenSSL as well as CMS. The fields used for signing kernel
modules are supported both in PKCS #7 and CMS.

For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
newer.

Use PKCS #7 for parsing module signature information, so that modinfo
could be used both with OpenSSL and LibreSSL.

[1] https://tools.ietf.org/html/rfc5652#section-1.1

Changes v1->v2:
- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
with OpenSSL and LibreSSL.

Signed-off-by: Stefan Strogin <steils@gentoo.org>
---
 libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 48d0145..4e8748c 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -20,7 +20,7 @@
 #include <endian.h>
 #include <inttypes.h>
 #ifdef ENABLE_OPENSSL
-#include <openssl/cms.h>
+#include <openssl/pkcs7.h>
 #include <openssl/ssl.h>
 #endif
 #include <stdio.h>
@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
 #ifdef ENABLE_OPENSSL
 
 struct pkcs7_private {
-	CMS_ContentInfo *cms;
+	PKCS7 *pkcs7;
 	unsigned char *key_id;
 	BIGNUM *sno;
 };
@@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
 	struct kmod_signature_info *si = s;
 	struct pkcs7_private *pvt = si->private;
 
-	CMS_ContentInfo_free(pvt->cms);
+	PKCS7_free(pvt->pkcs7);
 	BN_free(pvt->sno);
 	free(pvt->key_id);
 	free(pvt);
@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
 		       struct kmod_signature_info *sig_info)
 {
 	const char *pkcs7_raw;
-	CMS_ContentInfo *cms;
-	STACK_OF(CMS_SignerInfo) *sis;
-	CMS_SignerInfo *si;
-	int rc;
-	ASN1_OCTET_STRING *key_id;
+	PKCS7 *pkcs7;
+	STACK_OF(PKCS7_SIGNER_INFO) *sis;
+	PKCS7_SIGNER_INFO *si;
+	PKCS7_ISSUER_AND_SERIAL *is;
 	X509_NAME *issuer;
 	ASN1_INTEGER *sno;
 	ASN1_OCTET_STRING *sig;
@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
 
 	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
 
-	cms = d2i_CMS_bio(in, NULL);
-	if (cms == NULL) {
+	pkcs7 = d2i_PKCS7_bio(in, NULL);
+	if (pkcs7 == NULL) {
 		BIO_free(in);
 		return false;
 	}
 
 	BIO_free(in);
 
-	sis = CMS_get0_SignerInfos(cms);
+	sis = PKCS7_get_signer_info(pkcs7);
 	if (sis == NULL)
 		goto err;
 
-	si = sk_CMS_SignerInfo_value(sis, 0);
+	si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
 	if (si == NULL)
 		goto err;
 
-	rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
-	if (rc == 0)
+	is = si->issuer_and_serial;
+	if (is == NULL)
 		goto err;
+	issuer = is->issuer;
+	sno = is->serial;
 
-	sig = CMS_SignerInfo_get0_signature(si);
+	sig = si->enc_digest;
 	if (sig == NULL)
 		goto err;
 
-	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
+	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
 
 	sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
 	sig_info->sig_len = ASN1_STRING_length(sig);
@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
 	if (pvt == NULL)
 		goto err3;
 
-	pvt->cms = cms;
+	pvt->pkcs7 = pkcs7;
 	pvt->key_id = key_id_str;
 	pvt->sno = sno_bn;
 	sig_info->private = pvt;
@@ -290,7 +291,7 @@ err3:
 err2:
 	BN_free(sno_bn);
 err:
-	CMS_ContentInfo_free(cms);
+	PKCS7_free(pkcs7);
 	return false;
 }
 
-- 
2.21.0


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS
  2019-05-19  0:42 [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS Stefan Strogin
@ 2019-05-26 10:11 ` Yauheni Kaliuta
  2019-05-28 22:25 ` Lucas De Marchi
  1 sibling, 0 replies; 3+ messages in thread
From: Yauheni Kaliuta @ 2019-05-26 10:11 UTC (permalink / raw)
  To: Stefan Strogin; +Cc: linux-modules, Lucas De Marchi, Aaron Bauman

Hi, Stefan!

Just in case, I have no objections.

>>>>> On Sun, 19 May 2019 03:42:01 +0300, Stefan Strogin  wrote:

 > Linux uses either PKCS #7 or CMS for signing modules (see
 > scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
 > so PKCS #7 is used on systems with these libcrypto providers.

 > CMS and PKCS #7 formats are very similar. CMS is newer but is
 > as much as possible backward compatible with PKCS #7 [1]. PKCS
 > #7 is supported in the latest OpenSSL as well as CMS. The
 > fields used for signing kernel modules are supported both in
 > PKCS #7 and CMS.

 > For now modinfo uses CMS with no alternative requiring OpenSSL
 > 1.1.0 or newer.

 > Use PKCS #7 for parsing module signature information, so that
 > modinfo could be used both with OpenSSL and LibreSSL.

 > [1] https://tools.ietf.org/html/rfc5652#section-1.1

 > Changes v1->v2:
 > - Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
 > with OpenSSL and LibreSSL.

 > Signed-off-by: Stefan Strogin <steils@gentoo.org>
 > ---
 >  libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
 >  1 file changed, 19 insertions(+), 18 deletions(-)

 > diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
 > index 48d0145..4e8748c 100644
 > --- a/libkmod/libkmod-signature.c
 > +++ b/libkmod/libkmod-signature.c
 > @@ -20,7 +20,7 @@
 >  #include <endian.h>
 >  #include <inttypes.h>
 >  #ifdef ENABLE_OPENSSL
 > -#include <openssl/cms.h>
 > +#include <openssl/pkcs7.h>
 >  #include <openssl/ssl.h>
 >  #endif
 >  #include <stdio.h>
 > @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
 >  #ifdef ENABLE_OPENSSL
 
 >  struct pkcs7_private {
 > -	CMS_ContentInfo *cms;
 > +	PKCS7 *pkcs7;
 >  	unsigned char *key_id;
 >  	BIGNUM *sno;
 >  };
 > @@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
 >  	struct kmod_signature_info *si = s;
 >  	struct pkcs7_private *pvt = si->private;
 
 > -	CMS_ContentInfo_free(pvt->cms);
 > +	PKCS7_free(pvt->pkcs7);
 >  	BN_free(pvt->sno);
 >  	free(pvt->key_id);
 >  	free(pvt);
 > @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
 >  		       struct kmod_signature_info *sig_info)
 >  {
 >  	const char *pkcs7_raw;
 > -	CMS_ContentInfo *cms;
 > -	STACK_OF(CMS_SignerInfo) *sis;
 > -	CMS_SignerInfo *si;
 > -	int rc;
 > -	ASN1_OCTET_STRING *key_id;
 > +	PKCS7 *pkcs7;
 > +	STACK_OF(PKCS7_SIGNER_INFO) *sis;
 > +	PKCS7_SIGNER_INFO *si;
 > +	PKCS7_ISSUER_AND_SERIAL *is;
 >  	X509_NAME *issuer;
 >  	ASN1_INTEGER *sno;
 >  	ASN1_OCTET_STRING *sig;
 > @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
 
 >  	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
 
 > -	cms = d2i_CMS_bio(in, NULL);
 > -	if (cms == NULL) {
 > +	pkcs7 = d2i_PKCS7_bio(in, NULL);
 > +	if (pkcs7 == NULL) {
 >  		BIO_free(in);
 >  		return false;
 >  	}
 
 >  	BIO_free(in);
 
 > -	sis = CMS_get0_SignerInfos(cms);
 > +	sis = PKCS7_get_signer_info(pkcs7);
 >  	if (sis == NULL)
 >  		goto err;
 
 > -	si = sk_CMS_SignerInfo_value(sis, 0);
 > +	si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
 >  	if (si == NULL)
 >  		goto err;
 
 > -	rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
 > -	if (rc == 0)
 > +	is = si->issuer_and_serial;
 > +	if (is == NULL)
 >  		goto err;
 > +	issuer = is->issuer;
 > +	sno = is->serial;
 
 > -	sig = CMS_SignerInfo_get0_signature(si);
 > +	sig = si->enc_digest;
 >  	if (sig == NULL)
 >  		goto err;
 
 > -	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
 > +	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
 
 sig_info-> sig = (const char *)ASN1_STRING_get0_data(sig);
 sig_info-> sig_len = ASN1_STRING_length(sig);
 > @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
 >  	if (pvt == NULL)
 >  		goto err3;
 
 > -	pvt->cms = cms;
 > +	pvt->pkcs7 = pkcs7;
 pvt-> key_id = key_id_str;
 pvt-> sno = sno_bn;
 sig_info-> private = pvt;
 > @@ -290,7 +291,7 @@ err3:
 >  err2:
 >  	BN_free(sno_bn);
 >  err:
 > -	CMS_ContentInfo_free(cms);
 > +	PKCS7_free(pkcs7);
 >  	return false;
 >  }
 
 > -- 
 > 2.21.0


-- 
WBR,
Yauheni Kaliuta

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS
  2019-05-19  0:42 [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS Stefan Strogin
  2019-05-26 10:11 ` Yauheni Kaliuta
@ 2019-05-28 22:25 ` Lucas De Marchi
  1 sibling, 0 replies; 3+ messages in thread
From: Lucas De Marchi @ 2019-05-28 22:25 UTC (permalink / raw)
  To: Stefan Strogin; +Cc: linux-modules, Yauheni Kaliuta, Aaron Bauman

On Sun, May 19, 2019 at 03:42:01AM +0300, Stefan Strogin wrote:
>Linux uses either PKCS #7 or CMS for signing modules (see
>scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL,
>so PKCS #7 is used on systems with these libcrypto providers.
>
>CMS and PKCS #7 formats are very similar. CMS is newer but is as much as
>possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in
>the latest OpenSSL as well as CMS. The fields used for signing kernel
>modules are supported both in PKCS #7 and CMS.
>
>For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or
>newer.
>
>Use PKCS #7 for parsing module signature information, so that modinfo
>could be used both with OpenSSL and LibreSSL.
>
>[1] https://tools.ietf.org/html/rfc5652#section-1.1
>
>Changes v1->v2:
>- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both
>with OpenSSL and LibreSSL.

Much better now, thanks!

Applied.

Lucas De Marchi

>
>Signed-off-by: Stefan Strogin <steils@gentoo.org>
>---
> libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------
> 1 file changed, 19 insertions(+), 18 deletions(-)
>
>diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
>index 48d0145..4e8748c 100644
>--- a/libkmod/libkmod-signature.c
>+++ b/libkmod/libkmod-signature.c
>@@ -20,7 +20,7 @@
> #include <endian.h>
> #include <inttypes.h>
> #ifdef ENABLE_OPENSSL
>-#include <openssl/cms.h>
>+#include <openssl/pkcs7.h>
> #include <openssl/ssl.h>
> #endif
> #include <stdio.h>
>@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size,
> #ifdef ENABLE_OPENSSL
>
> struct pkcs7_private {
>-	CMS_ContentInfo *cms;
>+	PKCS7 *pkcs7;
> 	unsigned char *key_id;
> 	BIGNUM *sno;
> };
>@@ -132,7 +132,7 @@ static void pkcs7_free(void *s)
> 	struct kmod_signature_info *si = s;
> 	struct pkcs7_private *pvt = si->private;
>
>-	CMS_ContentInfo_free(pvt->cms);
>+	PKCS7_free(pvt->pkcs7);
> 	BN_free(pvt->sno);
> 	free(pvt->key_id);
> 	free(pvt);
>@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size,
> 		       struct kmod_signature_info *sig_info)
> {
> 	const char *pkcs7_raw;
>-	CMS_ContentInfo *cms;
>-	STACK_OF(CMS_SignerInfo) *sis;
>-	CMS_SignerInfo *si;
>-	int rc;
>-	ASN1_OCTET_STRING *key_id;
>+	PKCS7 *pkcs7;
>+	STACK_OF(PKCS7_SIGNER_INFO) *sis;
>+	PKCS7_SIGNER_INFO *si;
>+	PKCS7_ISSUER_AND_SERIAL *is;
> 	X509_NAME *issuer;
> 	ASN1_INTEGER *sno;
> 	ASN1_OCTET_STRING *sig;
>@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size,
>
> 	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
>
>-	cms = d2i_CMS_bio(in, NULL);
>-	if (cms == NULL) {
>+	pkcs7 = d2i_PKCS7_bio(in, NULL);
>+	if (pkcs7 == NULL) {
> 		BIO_free(in);
> 		return false;
> 	}
>
> 	BIO_free(in);
>
>-	sis = CMS_get0_SignerInfos(cms);
>+	sis = PKCS7_get_signer_info(pkcs7);
> 	if (sis == NULL)
> 		goto err;
>
>-	si = sk_CMS_SignerInfo_value(sis, 0);
>+	si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
> 	if (si == NULL)
> 		goto err;
>
>-	rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno);
>-	if (rc == 0)
>+	is = si->issuer_and_serial;
>+	if (is == NULL)
> 		goto err;
>+	issuer = is->issuer;
>+	sno = is->serial;
>
>-	sig = CMS_SignerInfo_get0_signature(si);
>+	sig = si->enc_digest;
> 	if (sig == NULL)
> 		goto err;
>
>-	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
>+	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
>
> 	sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
> 	sig_info->sig_len = ASN1_STRING_length(sig);
>@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size,
> 	if (pvt == NULL)
> 		goto err3;
>
>-	pvt->cms = cms;
>+	pvt->pkcs7 = pkcs7;
> 	pvt->key_id = key_id_str;
> 	pvt->sno = sno_bn;
> 	sig_info->private = pvt;
>@@ -290,7 +291,7 @@ err3:
> err2:
> 	BN_free(sno_bn);
> err:
>-	CMS_ContentInfo_free(cms);
>+	PKCS7_free(pkcs7);
> 	return false;
> }
>
>-- 
>2.21.0
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-05-19  0:42 [PATCH v2] libkmod-signature: use PKCS#7 instead of CMS Stefan Strogin
2019-05-26 10:11 ` Yauheni Kaliuta
2019-05-28 22:25 ` Lucas De Marchi

Linux-Modules Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-modules/0 linux-modules/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-modules linux-modules/ https://lore.kernel.org/linux-modules \
		linux-modules@vger.kernel.org linux-modules@archiver.kernel.org
	public-inbox-index linux-modules


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-modules


AGPL code for this site: git clone https://public-inbox.org/ public-inbox