Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
sign-file: Use only the OpenSSL CMS API for signing

The USE_PKCS7 code in sign-file utilizes PKCS7_sign(), which allows signing
only with SHA-1. Since SHA-1 support for module signing has been removed,
drop the use of the OpenSSL PKCS7 API by the tool in favor of using only
the newer CMS API.

The use of the PKCS7 API is selected by the following:

#if defined(LIBRESSL_VERSION_NUMBER) || \
OPENSSL_VERSION_NUMBER < 0x10000000L || \
defined(OPENSSL_NO_CMS)
#define USE_PKCS7
#endif

Looking at the individual ifdefs:

* LIBRESSL_VERSION_NUMBER: LibreSSL added the CMS API implementation from
OpenSSL in 3.1.0, making the ifdef no longer relevant. This version was
released on April 8, 2020.

* OPENSSL_VERSION_NUMBER < 0x10000000L: OpenSSL 1.0.0 was released on March
29, 2010. Supporting earlier versions should no longer be necessary. The
file Documentation/process/changes.rst already states that at least
version 1.0.0 is required to build the kernel.

* OPENSSL_NO_CMS: OpenSSL can be configured with "no-cms" to disable CMS
support. In this case, sign-file will no longer be usable. The CMS API
support is now required.

In practice, since distributions now typically sign modules with SHA-2, for
which sign-file already required CMS API support, removing the USE_PKCS7
code shouldn't cause any issues.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
[Sami: Used Petr's updated commit message]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

authored by

Petr Pavlu and committed by
Sami Tolvanen
d7afd65b 148519a0

+3 -63
+3 -63
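--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -24,6 +24,7 @@
 #include <arpa/inet.h>
 #include <openssl/opensslv.h>
 #include <openssl/bio.h>
+#include <openssl/cms.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
@@ -38,29 +39,6 @@
 # endif
 #endif
 #include "ssl-common.h"
-
-/*
- * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
- * assume that it's not available and its header file is missing and that we
- * should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
- * the options we have on specifying the X.509 certificate we want.
- *
- * Further, older versions of OpenSSL don't support manually adding signers to
- * the PKCS#7 message so have to accept that we get a certificate included in
- * the signature message. Nor do such older versions of OpenSSL support
- * signing with anything other than SHA1 - so we're stuck with that if such is
- * the case.
- */
-#if defined(LIBRESSL_VERSION_NUMBER) || \
-OPENSSL_VERSION_NUMBER < 0x10000000L || \
-defined(OPENSSL_NO_CMS)
-#define USE_PKCS7
-#endif
-#ifndef USE_PKCS7
-#include <openssl/cms.h>
-#else
-#include <openssl/pkcs7.h>
-#endif
 
 struct module_signature {
 uint8_t algo; /* Public-key crypto algorithm [0] */
@@ -228,15 +206,10 @@
 bool raw_sig = false;
 unsigned char buf[4096];
 unsigned long module_size, sig_size;
-unsigned int use_signed_attrs;
 const EVP_MD *digest_algo;
 EVP_PKEY *private_key;
-#ifndef USE_PKCS7
 CMS_ContentInfo *cms = NULL;
 unsigned int use_keyid = 0;
-#else
-PKCS7 *pkcs7 = NULL;
-#endif
 X509 *x509;
 BIO *bd, *bm;
 int opt, n;
@@ -246,21 +219,13 @@
 
 key_pass = getenv("KBUILD_SIGN_PIN");
 
-#ifndef USE_PKCS7
-use_signed_attrs = CMS_NOATTR;
-#else
-use_signed_attrs = PKCS7_NOATTR;
-#endif
-
 do {
 opt = getopt(argc, argv, "sdpk");
 switch (opt) {
 case 's': raw_sig = true; break;
 case 'p': save_sig = true; break;
 case 'd': sign_only = true; save_sig = true; break;
-#ifndef USE_PKCS7
 case 'k': use_keyid = CMS_USE_KEYID; break;
-#endif
 case -1: break;
 default: format();
 }
@@ -289,14 +254,6 @@
 replace_orig = true;
 }
 
-#ifdef USE_PKCS7
-if (strcmp(hash_algo, "sha1") != 0) {
-fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
-OPENSSL_VERSION_TEXT);
-exit(3);
-}
-#endif
-
 /* Open the module file */
 bm = BIO_new_file(module_name, "rb");
 ERR(!bm, "%s", module_name);
@@ -314,7 +271,6 @@
 digest_algo = EVP_get_digestbyname(hash_algo);
 ERR(!digest_algo, "EVP_get_digestbyname");
 
-#ifndef USE_PKCS7
 /* Load the signature message from the digest buffer. */
 cms = CMS_sign(NULL, NULL, NULL, NULL,
 CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY |
@@ -323,18 +279,11 @@
 
 ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 CMS_NOCERTS | CMS_BINARY |
-CMS_NOSMIMECAP | use_keyid |
-use_signed_attrs),
+CMS_NOSMIMECAP | CMS_NOATTR |
+use_keyid),
 "CMS_add1_signer");
 ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) != 1,
 "CMS_final");
-
-#else
-pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
-PKCS7_NOCERTS | PKCS7_BINARY |
-PKCS7_DETACHED | use_signed_attrs);
-ERR(!pkcs7, "PKCS7_sign");
-#endif
 
 if (save_sig) {
 char *sig_file_name;
@@ -344,13 +293,8 @@
 "asprintf");
 b = BIO_new_file(sig_file_name, "wb");
 ERR(!b, "%s", sig_file_name);
-#ifndef USE_PKCS7
 ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) != 1,
 "%s", sig_file_name);
-#else
-ERR(i2d_PKCS7_bio(b, pkcs7) != 1,
-"%s", sig_file_name);
-#endif
 BIO_free(b);
 }
 
@@ -377,11 +321,7 @@
 module_size = BIO_number_written(bd);
 
 if (!raw_sig) {
-#ifndef USE_PKCS7
 ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) != 1, "%s", dest_name);
-#else
-ERR(i2d_PKCS7_bio(bd, pkcs7) != 1, "%s", dest_name);
-#endif
 } else {
 BIO *b;
 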
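Review bot: Nothing in the new include block checks OPENSSL_NO_CMS, so a build against an OpenSSL configured with "no-cms" will presumably fail on the CMS_* declarations used in main() instead of stating the requirement the commit message describes. A guard directly after `#include <openssl/cms.h>` would make the failure self-explanatory: `#ifdef OPENSSL_NO_CMS` / `#error "sign-file requires OpenSSL CMS support"` / `#endif`. Separately, in the digest hunk hash_algo still goes straight to `EVP_get_digestbyname(hash_algo)` with no allow-list, and the only SHA-1 check that existed (on the PKCS7 path) is removed here. If SHA-1 module signatures are no longer accepted, rejecting weak digest names in the tool would fail at signing time instead of at module load; whether this is enforced elsewhere is not visible in these hunks. main() starts and ends outside the hunks shown.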