Merge tag 'keys-next-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd

Pull key updates from Jarkko Sakkinen:
"The bulk of this is OpenSSL 3.0 compatibility fixes for the signing
and certificates"

* tag 'keys-next-6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd:
sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
sign-file,extract-cert: move common SSL helper functions to a header
KEYS: prevent NULL pointer dereference in find_asymmetric_key()
KEYS: Remove unused declarations

+180 -139
+1
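--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -5215,6 +5215,7 @@
 F: Documentation/admin-guide/module-signing.rst
 F: certs/
 F: scripts/sign-file.c
+F: scripts/ssl-common.h
 F: tools/certs/
 
 CFAG12864B LCD DRIVER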
+1 -1
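--- a/certs/Makefile
+++ b/certs/Makefile
@@ -84,5 +84,5 @@
 
 hostprogs := extract-cert
 
-HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null)
+HOSTCFLAGS_extract-cert.o = $(shell $(HOSTPKG_CONFIG) --cflags libcrypto 2> /dev/null) -I$(srctree)/scripts
 HOSTLDLIBS_extract-cert = $(shell $(HOSTPKG_CONFIG) --libs libcrypto 2> /dev/null || echo -lcrypto)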
+74 -64
certs/extract-cert.c
··· 21 21 #include <openssl/bio.h> 22 22 #include <openssl/pem.h> 23 23 #include <openssl/err.h> 24 - #include <openssl/engine.h> 25 - 26 - /* 27 - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 28 - * 29 - * Remove this if/when that API is no longer used 30 - */ 31 - #pragma GCC diagnostic ignored "-Wdeprecated-declarations" 24 + #if OPENSSL_VERSION_MAJOR >= 3 25 + # define USE_PKCS11_PROVIDER 26 + # include <openssl/provider.h> 27 + # include <openssl/store.h> 28 + #else 29 + # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) 30 + # define USE_PKCS11_ENGINE 31 + # include <openssl/engine.h> 32 + # endif 33 + #endif 34 + #include "ssl-common.h" 32 35 33 36 #define PKEY_ID_PKCS7 2 34 37 ··· 42 39 "Usage: extract-cert <source> <dest>\n"); 43 40 exit(2); 44 41 } 45 - 46 - static void display_openssl_errors(int l) 47 - { 48 - const char *file; 49 - char buf[120]; 50 - int e, line; 51 - 52 - if (ERR_peek_error() == 0) 53 - return; 54 - fprintf(stderr, "At main.c:%d:\n", l); 55 - 56 - while ((e = ERR_get_error_line(&file, &line))) { 57 - ERR_error_string(e, buf); 58 - fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); 59 - } 60 - } 61 - 62 - static void drain_openssl_errors(void) 63 - { 64 - const char *file; 65 - int line; 66 - 67 - if (ERR_peek_error() == 0) 68 - return; 69 - while (ERR_get_error_line(&file, &line)) {} 70 - } 71 - 72 - #define ERR(cond, fmt, ...) 
\ 73 - do { \ 74 - bool __cond = (cond); \ 75 - display_openssl_errors(__LINE__); \ 76 - if (__cond) { \ 77 - err(1, fmt, ## __VA_ARGS__); \ 78 - } \ 79 - } while(0) 80 42 81 43 static const char *key_pass; 82 44 static BIO *wb; ··· 60 92 ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst); 61 93 if (verbose) 62 94 fprintf(stderr, "Extracted cert: %s\n", buf); 95 + } 96 + 97 + static X509 *load_cert_pkcs11(const char *cert_src) 98 + { 99 + X509 *cert = NULL; 100 + #ifdef USE_PKCS11_PROVIDER 101 + OSSL_STORE_CTX *store; 102 + 103 + if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) 104 + ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); 105 + if (!OSSL_PROVIDER_try_load(NULL, "default", true)) 106 + ERR(1, "OSSL_PROVIDER_try_load(default)"); 107 + 108 + store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL); 109 + ERR(!store, "OSSL_STORE_open"); 110 + 111 + while (!OSSL_STORE_eof(store)) { 112 + OSSL_STORE_INFO *info = OSSL_STORE_load(store); 113 + 114 + if (!info) { 115 + drain_openssl_errors(__LINE__, 0); 116 + continue; 117 + } 118 + if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) { 119 + cert = OSSL_STORE_INFO_get1_CERT(info); 120 + ERR(!cert, "OSSL_STORE_INFO_get1_CERT"); 121 + } 122 + OSSL_STORE_INFO_free(info); 123 + if (cert) 124 + break; 125 + } 126 + OSSL_STORE_close(store); 127 + #elif defined(USE_PKCS11_ENGINE) 128 + ENGINE *e; 129 + struct { 130 + const char *cert_id; 131 + X509 *cert; 132 + } parms; 133 + 134 + parms.cert_id = cert_src; 135 + parms.cert = NULL; 136 + 137 + ENGINE_load_builtin_engines(); 138 + drain_openssl_errors(__LINE__, 1); 139 + e = ENGINE_by_id("pkcs11"); 140 + ERR(!e, "Load PKCS#11 ENGINE"); 141 + if (ENGINE_init(e)) 142 + drain_openssl_errors(__LINE__, 1); 143 + else 144 + ERR(1, "ENGINE_init"); 145 + if (key_pass) 146 + ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); 147 + ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); 148 + ERR(!parms.cert, "Get X.509 from PKCS#11"); 149 + cert = parms.cert; 
150 + #else 151 + fprintf(stderr, "no pkcs11 engine/provider available\n"); 152 + exit(1); 153 + #endif 154 + return cert; 63 155 } 64 156 65 157 int main(int argc, char **argv) ··· 150 122 fclose(f); 151 123 exit(0); 152 124 } else if (!strncmp(cert_src, "pkcs11:", 7)) { 153 - ENGINE *e; 154 - struct { 155 - const char *cert_id; 156 - X509 *cert; 157 - } parms; 125 + X509 *cert = load_cert_pkcs11(cert_src); 158 126 159 - parms.cert_id = cert_src; 160 - parms.cert = NULL; 161 - 162 - ENGINE_load_builtin_engines(); 163 - drain_openssl_errors(); 164 - e = ENGINE_by_id("pkcs11"); 165 - ERR(!e, "Load PKCS#11 ENGINE"); 166 - if (ENGINE_init(e)) 167 - drain_openssl_errors(); 168 - else 169 - ERR(1, "ENGINE_init"); 170 - if (key_pass) 171 - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); 172 - ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); 173 - ERR(!parms.cert, "Get X.509 from PKCS#11"); 174 - write_cert(parms.cert); 127 + ERR(!cert, "load_cert_pkcs11 failed"); 128 + write_cert(cert); 175 129 } else { 176 130 BIO *b; 177 131 X509 *x509;
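Review bot: In load_cert_pkcs11's provider branch, a NULL from OSSL_STORE_load that is not end-of-data only drains the error queue and `continue`s, so a loader that keeps failing without ever reporting eof would spin; checking `if (OSSL_STORE_error(store)) break;` (or ERR on it) before the `continue` bounds the loop. read_private_key_pkcs11 in scripts/sign-file.c has the same loop shape. Also worth a line in the commit message: the shared ERR macro calls errx(), whereas this file's old macro called err(), so the errno text previously appended to extract-cert's failure messages is gone. The surrounding main() starts and ends outside the hunk.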
+4 -3
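--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -60,17 +60,18 @@
 	char *req, *p;
 	int len;
 
-	WARN_ON(!id_0 && !id_1 && !id_2);
-
 	if (id_0) {
 		lookup = id_0->data;
 		len = id_0->len;
 	} else if (id_1) {
 		lookup = id_1->data;
 		len = id_1->len;
-	} else {
+	} else if (id_2) {
 		lookup = id_2->data;
 		len = id_2->len;
+	} else {
+		WARN_ON(1);
+		return ERR_PTR(-EINVAL);
 	}
 
 	/* Construct an identifier "id:<keyid>". */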
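Review bot: The new all-NULL branch changes find_asymmetric_key's contract from a warning followed by a NULL dereference to returning ERR_PTR(-EINVAL), but the function's kerneldoc (outside the hunk, if present) presumably still does not say that at least one id is required; add a line such as `* At least one of @id_0, @id_1 and @id_2 must be non-NULL; -EINVAL is returned otherwise.` so callers see the new error value. `WARN_ON_ONCE(1)` would avoid repeated splats if a buggy caller hits this path in a loop, though a plain WARN_ON is defensible since any such caller is a kernel bug. The function's signature and the rest of its body lie outside the hunk.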
-4
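--- a/include/keys/dns_resolver-type.h
+++ b/include/keys/dns_resolver-type.h
@@ -12,8 +12,4 @@
 
 extern struct key_type key_type_dns_resolver;
 
-extern int request_dns_resolver_key(const char *description,
-				    const char *callout_info,
-				    char **data);
-
 #endif /* _KEYS_DNS_RESOLVER_TYPE_H */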
-3
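--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -436,9 +436,6 @@
 				    const char *description,
 				    bool recurse);
 
-extern int keyring_add_key(struct key *keyring,
-			   struct key *key);
-
 extern int keyring_restrict(key_ref_t keyring, const char *type,
 			    const char *restriction);
 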
+68 -64
scripts/sign-file.c
··· 27 27 #include <openssl/evp.h> 28 28 #include <openssl/pem.h> 29 29 #include <openssl/err.h> 30 - #include <openssl/engine.h> 31 - 32 - /* 33 - * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API. 34 - * 35 - * Remove this if/when that API is no longer used 36 - */ 37 - #pragma GCC diagnostic ignored "-Wdeprecated-declarations" 30 + #if OPENSSL_VERSION_MAJOR >= 3 31 + # define USE_PKCS11_PROVIDER 32 + # include <openssl/provider.h> 33 + # include <openssl/store.h> 34 + #else 35 + # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) 36 + # define USE_PKCS11_ENGINE 37 + # include <openssl/engine.h> 38 + # endif 39 + #endif 40 + #include "ssl-common.h" 38 41 39 42 /* 40 43 * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to ··· 86 83 exit(2); 87 84 } 88 85 89 - static void display_openssl_errors(int l) 90 - { 91 - const char *file; 92 - char buf[120]; 93 - int e, line; 94 - 95 - if (ERR_peek_error() == 0) 96 - return; 97 - fprintf(stderr, "At main.c:%d:\n", l); 98 - 99 - while ((e = ERR_get_error_line(&file, &line))) { 100 - ERR_error_string(e, buf); 101 - fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); 102 - } 103 - } 104 - 105 - static void drain_openssl_errors(void) 106 - { 107 - const char *file; 108 - int line; 109 - 110 - if (ERR_peek_error() == 0) 111 - return; 112 - while (ERR_get_error_line(&file, &line)) {} 113 - } 114 - 115 - #define ERR(cond, fmt, ...) 
\ 116 - do { \ 117 - bool __cond = (cond); \ 118 - display_openssl_errors(__LINE__); \ 119 - if (__cond) { \ 120 - errx(1, fmt, ## __VA_ARGS__); \ 121 - } \ 122 - } while(0) 123 - 124 86 static const char *key_pass; 125 87 126 88 static int pem_pw_cb(char *buf, int len, int w, void *v) ··· 107 139 return pwlen; 108 140 } 109 141 142 + static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name) 143 + { 144 + EVP_PKEY *private_key = NULL; 145 + #ifdef USE_PKCS11_PROVIDER 146 + OSSL_STORE_CTX *store; 147 + 148 + if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) 149 + ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); 150 + if (!OSSL_PROVIDER_try_load(NULL, "default", true)) 151 + ERR(1, "OSSL_PROVIDER_try_load(default)"); 152 + 153 + store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL); 154 + ERR(!store, "OSSL_STORE_open"); 155 + 156 + while (!OSSL_STORE_eof(store)) { 157 + OSSL_STORE_INFO *info = OSSL_STORE_load(store); 158 + 159 + if (!info) { 160 + drain_openssl_errors(__LINE__, 0); 161 + continue; 162 + } 163 + if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) { 164 + private_key = OSSL_STORE_INFO_get1_PKEY(info); 165 + ERR(!private_key, "OSSL_STORE_INFO_get1_PKEY"); 166 + } 167 + OSSL_STORE_INFO_free(info); 168 + if (private_key) 169 + break; 170 + } 171 + OSSL_STORE_close(store); 172 + #elif defined(USE_PKCS11_ENGINE) 173 + ENGINE *e; 174 + 175 + ENGINE_load_builtin_engines(); 176 + drain_openssl_errors(__LINE__, 1); 177 + e = ENGINE_by_id("pkcs11"); 178 + ERR(!e, "Load PKCS#11 ENGINE"); 179 + if (ENGINE_init(e)) 180 + drain_openssl_errors(__LINE__, 1); 181 + else 182 + ERR(1, "ENGINE_init"); 183 + if (key_pass) 184 + ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); 185 + private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL); 186 + ERR(!private_key, "%s", private_key_name); 187 + #else 188 + fprintf(stderr, "no pkcs11 engine/provider available\n"); 189 + exit(1); 190 + #endif 191 + return 
private_key; 192 + } 193 + 110 194 static EVP_PKEY *read_private_key(const char *private_key_name) 111 195 { 112 - EVP_PKEY *private_key; 113 - 114 196 if (!strncmp(private_key_name, "pkcs11:", 7)) { 115 - ENGINE *e; 116 - 117 - ENGINE_load_builtin_engines(); 118 - drain_openssl_errors(); 119 - e = ENGINE_by_id("pkcs11"); 120 - ERR(!e, "Load PKCS#11 ENGINE"); 121 - if (ENGINE_init(e)) 122 - drain_openssl_errors(); 123 - else 124 - ERR(1, "ENGINE_init"); 125 - if (key_pass) 126 - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), 127 - "Set PKCS#11 PIN"); 128 - private_key = ENGINE_load_private_key(e, private_key_name, 129 - NULL, NULL); 130 - ERR(!private_key, "%s", private_key_name); 197 + return read_private_key_pkcs11(private_key_name); 131 198 } else { 199 + EVP_PKEY *private_key; 132 200 BIO *b; 133 201 134 202 b = BIO_new_file(private_key_name, "rb"); ··· 173 169 NULL); 174 170 ERR(!private_key, "%s", private_key_name); 175 171 BIO_free(b); 176 - } 177 172 178 - return private_key; 173 + return private_key; 174 + } 179 175 } 180 176 181 177 static X509 *read_x509(const char *x509_name) ··· 310 306 311 307 /* Digest the module data. */ 312 308 OpenSSL_add_all_digests(); 313 - display_openssl_errors(__LINE__); 309 + drain_openssl_errors(__LINE__, 0); 314 310 digest_algo = EVP_get_digestbyname(hash_algo); 315 311 ERR(!digest_algo, "EVP_get_digestbyname"); 316 312
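Review bot: In read_private_key_pkcs11's provider branch the PIN held in key_pass is never handed to OpenSSL: OSSL_STORE_open is called with NULL for ui_method and ui_data, while the engine branch still passes key_pass through ENGINE_ctrl_cmd_string. On OpenSSL 3 a token that requires a PIN will therefore presumably fail or prompt interactively unless the PIN is embedded in the pkcs11: URI; either build a UI_METHOD that answers with key_pass and pass it to OSSL_STORE_open, or document that the PIN must now be supplied in the URI. load_cert_pkcs11 in certs/extract-cert.c has the same gap. main(), where drain_openssl_errors replaces display_openssl_errors in the last hunk, starts and ends outside this section.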
+32
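--- /dev/null
+++ b/scripts/ssl-common.h
@@ -0,0 +1,32 @@
+/* SPDX-License-Identifier: LGPL-2.1+ */
+/*
+ * SSL helper functions shared by sign-file and extract-cert.
+ */
+
+static void drain_openssl_errors(int l, int silent)
+{
+	const char *file;
+	char buf[120];
+	int e, line;
+
+	if (ERR_peek_error() == 0)
+		return;
+	if (!silent)
+		fprintf(stderr, "At main.c:%d:\n", l);
+
+	while ((e = ERR_peek_error_line(&file, &line))) {
+		ERR_error_string(e, buf);
+		if (!silent)
+			fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
+		ERR_get_error();
+	}
+}
+
+#define ERR(cond, fmt, ...)				\
+	do {						\
+		bool __cond = (cond);			\
+		drain_openssl_errors(__LINE__, 0);	\
+		if (__cond) {				\
+			errx(1, fmt, ## __VA_ARGS__);	\
+		}					\
+	} while (0)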
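Review bot: drain_openssl_errors hands a 120-byte buf to ERR_error_string, whose documented contract is a buffer of at least 256 bytes; `ERR_error_string_n(e, buf, sizeof(buf));` honours the real size (the old copies in both tools had the same issue, but the new shared header is the place to fix it). The header also has no include guard and does not include what it uses (`<stdio.h>`, `<stdbool.h>`, `<err.h>`, `<openssl/err.h>`), so it only compiles when the includer's own includes happen to come first; a guard plus those includes would make it self-contained. `__cond` in the ERR macro is an identifier reserved for the implementation; a name such as `cond_` avoids that.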