libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL
diff mbox series

Message ID 20190215041340.29258-1-stefan.strogin@gmail.com
State New
Headers show
Series
  • libkmod-signature: use PKCS7 for LibreSSL or older OpenSSL
Related show

Commit Message

Stefan Strogin Feb. 15, 2019, 4:13 a.m. UTC
Linux kernel uses either PKCS #7 or CMS signing modules (scripts/sign-file.c).
CMS is not supported by LibreSSL, PKCS #7 is used instead.
For now modinfo used CMS with no altenative requiring >=openssl-1.1.0
built with CMS support.

Use PKCS #7 for parsing module signature information when CMS is not available.

Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>
---
 libkmod/libkmod-signature.c | 78 +++++++++++++++++++++++++++++++++++--
 1 file changed, 75 insertions(+), 3 deletions(-)

Comments

Lucas De Marchi Feb. 15, 2019, 8:04 a.m. UTC | #1
On Fri, Feb 15, 2019 at 06:13:40AM +0200, Stefan Strogin wrote:
>Linux kernel uses either PKCS #7 or CMS signing modules (scripts/sign-file.c).
>CMS is not supported by LibreSSL, PKCS #7 is used instead.
>For now modinfo used CMS with no altenative requiring >=openssl-1.1.0
>built with CMS support.
>
>Use PKCS #7 for parsing module signature information when CMS is not available.
>
>Signed-off-by: Stefan Strogin <stefan.strogin@gmail.com>

ooh, this ifdef is messy. Why do we want both libressl and openssl? What
distro is requiring that?

if in the end we end up with ifdefs for N different libs I'd rather just
add the implementation in kmod itself or convince kernel guys to just
fill out the struct they are supposed to fill.

Lucas De Marchi

>---
> libkmod/libkmod-signature.c | 78 +++++++++++++++++++++++++++++++++++--
> 1 file changed, 75 insertions(+), 3 deletions(-)
>
>diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
>index 48d0145..aa2a60e 100644
>--- a/libkmod/libkmod-signature.c
>+++ b/libkmod/libkmod-signature.c
>@@ -20,9 +20,16 @@
> #include <endian.h>
> #include <inttypes.h>
> #ifdef ENABLE_OPENSSL
>-#include <openssl/cms.h>
>-#include <openssl/ssl.h>
>-#endif
>+# include <openssl/ssl.h>
>+# if defined(LIBRESSL_VERSION_NUMBER) || \
>+	OPENSSL_VERSION_NUMBER < 0x10100000L || \
>+	defined(OPENSSL_NO_CMS)
>+#  define USE_PKCS7
>+#  include <openssl/pkcs7.h>
>+# else
>+#  include <openssl/cms.h>
>+# endif /* LIBRESSL_VERSION_NUMBER */
>+#endif /* ENABLE_OPENSSL */
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>@@ -122,7 +129,11 @@ static bool fill_default(const char *mem, off_t size,
> #ifdef ENABLE_OPENSSL
>
> struct pkcs7_private {
>+#ifndef USE_PKCS7
> 	CMS_ContentInfo *cms;
>+#else
>+	PKCS7 *pkcs7;
>+#endif
> 	unsigned char *key_id;
> 	BIGNUM *sno;
> };
>@@ -132,7 +143,11 @@ static void pkcs7_free(void *s)
> 	struct kmod_signature_info *si = s;
> 	struct pkcs7_private *pvt = si->private;
>
>+#ifndef USE_PKCS7
> 	CMS_ContentInfo_free(pvt->cms);
>+#else
>+	PKCS7_free(pvt->pkcs7);
>+#endif
> 	BN_free(pvt->sno);
> 	free(pvt->key_id);
> 	free(pvt);
>@@ -187,7 +202,13 @@ static const char *x509_name_to_str(X509_NAME *name)
> 		return NULL;
>
> 	d = X509_NAME_ENTRY_get_data(e);
>+#if (defined(LIBRESSL_VERSION_NUMBER) && \
>+		LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
>+	OPENSSL_VERSION_NUMBER < 0x10100000L
>+	str = (const char *)ASN1_STRING_data(d);
>+#else
> 	str = (const char *)ASN1_STRING_get0_data(d);
>+#endif
>
> 	return str;
> }
>@@ -197,11 +218,18 @@ static bool fill_pkcs7(const char *mem, off_t size,
> 		       struct kmod_signature_info *sig_info)
> {
> 	const char *pkcs7_raw;
>+#ifndef USE_PKCS7
> 	CMS_ContentInfo *cms;
> 	STACK_OF(CMS_SignerInfo) *sis;
> 	CMS_SignerInfo *si;
> 	int rc;
> 	ASN1_OCTET_STRING *key_id;
>+#else
>+	PKCS7 *pkcs7;
>+	STACK_OF(PKCS7_SIGNER_INFO) *sis;
>+	PKCS7_SIGNER_INFO *si;
>+	PKCS7_ISSUER_AND_SERIAL *is;
>+#endif
> 	X509_NAME *issuer;
> 	ASN1_INTEGER *sno;
> 	ASN1_OCTET_STRING *sig;
>@@ -220,14 +248,23 @@ static bool fill_pkcs7(const char *mem, off_t size,
>
> 	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
>
>+#ifndef USE_PKCS7
> 	cms = d2i_CMS_bio(in, NULL);
> 	if (cms == NULL) {
> 		BIO_free(in);
> 		return false;
> 	}
>+#else
>+	pkcs7 = d2i_PKCS7_bio(in, NULL);
>+	if (pkcs7 == NULL) {
>+		BIO_free(in);
>+		return false;
>+	}
>+#endif
>
> 	BIO_free(in);
>
>+#ifndef USE_PKCS7
> 	sis = CMS_get0_SignerInfos(cms);
> 	if (sis == NULL)
> 		goto err;
>@@ -245,8 +282,35 @@ static bool fill_pkcs7(const char *mem, off_t size,
> 		goto err;
>
> 	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
>+#else
>+	sis = PKCS7_get_signer_info(pkcs7);
>+	if (sis == NULL)
>+		goto err;
>+
>+	si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
>+	if (si == NULL)
>+		goto err;
>+
>+	is = si->issuer_and_serial;
>+	if (is == NULL)
>+		goto err;
>+	issuer = is->issuer;
>+	sno = is->serial;
>+
>+	sig = si->enc_digest;
>+	if (sig == NULL)
>+		goto err;
>+
>+	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
>+#endif
>
>+#if (defined(LIBRESSL_VERSION_NUMBER) && \
>+		LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
>+	OPENSSL_VERSION_NUMBER < 0x10100000L
>+	sig_info->sig = (const char *)ASN1_STRING_data(sig);
>+#else
> 	sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
>+#endif
> 	sig_info->sig_len = ASN1_STRING_length(sig);
>
> 	sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
>@@ -277,7 +341,11 @@ static bool fill_pkcs7(const char *mem, off_t size,
> 	if (pvt == NULL)
> 		goto err3;
>
>+#ifndef USE_PKCS7
> 	pvt->cms = cms;
>+#else
>+	pvt->pkcs7 = pkcs7;
>+#endif
> 	pvt->key_id = key_id_str;
> 	pvt->sno = sno_bn;
> 	sig_info->private = pvt;
>@@ -290,7 +358,11 @@ err3:
> err2:
> 	BN_free(sno_bn);
> err:
>+#ifndef USE_PKCS7
> 	CMS_ContentInfo_free(cms);
>+#else
>+	PKCS7_free(pkcs7);
>+#endif
> 	return false;
> }
>
>-- 
>2.20.1
>
Stefan Strogin Feb. 15, 2019, 1:30 p.m. UTC | #2
On 15/02/2019 10:04, Lucas De Marchi wrote:
> 
> ooh, this ifdef is messy. Why do we want both libressl and openssl? What
> distro is requiring that?

Well, in the kernel in scripts/sign-file.c the same ifdefs are used.

Every distro that tries to support LibreSSL requires that. I know at least
Gentoo [1], Alpine and Void.

> if in the end we end up with ifdefs for N different libs I'd rather just
> add the implementation in kmod itself or convince kernel guys to just
> fill out the struct they are supposed to fill.

If you don't like ifdefs at all I would say that CMS is not needed. CMS and
PKCS#7 formats are very similar. CMS is newer but is as much as possible
backward compatible [2], but PKCS#7 is better supported. PKCS#7 has all the same
fields that are used when a kernel module is signed using CMS (and otherwise).
For example I can sign a module using OpenSSL-1.1.1 and CMS (even with hashes
other than sha1) and read its signing information with modinfo and PKCS#7 on a
system with LibreSSL, and otherwise.

So we can just replace CMS with PKCS#7 in fill_pkcs7().

[1] https://bugs.gentoo.org/677960
[2] https://tools.ietf.org/html/rfc5652#section-1.1

--
Stefan
Stefan Strogin March 1, 2019, 5:37 a.m. UTC | #3
Hi Lucas,

Is there any chance for accepting this patch?
Or could you tell me how it can be reworked so that modinfo would support PKCS#7
(and LibreSSL)?

--
Stefan

On 15/02/2019 15:30, Stefan Strogin wrote:
> On 15/02/2019 10:04, Lucas De Marchi wrote:
>>
>> ooh, this ifdef is messy. Why do we want both libressl and openssl? What
>> distro is requiring that?
> 
> Well, in the kernel in scripts/sign-file.c the same ifdefs are used.
> 
> Every distro that tries to support LibreSSL requires that. I know at least
> Gentoo [1], Alpine and Void.
> 
>> if in the end we end up with ifdefs for N different libs I'd rather just
>> add the implementation in kmod itself or convince kernel guys to just
>> fill out the struct they are supposed to fill.
> 
> If you don't like ifdefs at all I would say that CMS is not needed. CMS and
> PKCS#7 formats are very similar. CMS is newer but is as much as possible
> backward compatible [2], but PKCS#7 is better supported. PKCS#7 has all the same
> fields that are used when a kernel module is signed using CMS (and otherwise).
> For example I can sign a module using OpenSSL-1.1.1 and CMS (even with hashes
> other than sha1) and read its signing information with modinfo and PKCS#7 on a
> system with LibreSSL, and otherwise.
> 
> So we can just replace CMS with PKCS#7 in fill_pkcs7().
> 
> [1] https://bugs.gentoo.org/677960
> [2] https://tools.ietf.org/html/rfc5652#section-1.1
> 
> --
> Stefan
>

Patch
diff mbox series

diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index 48d0145..aa2a60e 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -20,9 +20,16 @@ 
 #include <endian.h>
 #include <inttypes.h>
 #ifdef ENABLE_OPENSSL
-#include <openssl/cms.h>
-#include <openssl/ssl.h>
-#endif
+# include <openssl/ssl.h>
+# if defined(LIBRESSL_VERSION_NUMBER) || \
+	OPENSSL_VERSION_NUMBER < 0x10100000L || \
+	defined(OPENSSL_NO_CMS)
+#  define USE_PKCS7
+#  include <openssl/pkcs7.h>
+# else
+#  include <openssl/cms.h>
+# endif /* LIBRESSL_VERSION_NUMBER */
+#endif /* ENABLE_OPENSSL */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -122,7 +129,11 @@  static bool fill_default(const char *mem, off_t size,
 #ifdef ENABLE_OPENSSL
 
 struct pkcs7_private {
+#ifndef USE_PKCS7
 	CMS_ContentInfo *cms;
+#else
+	PKCS7 *pkcs7;
+#endif
 	unsigned char *key_id;
 	BIGNUM *sno;
 };
@@ -132,7 +143,11 @@  static void pkcs7_free(void *s)
 	struct kmod_signature_info *si = s;
 	struct pkcs7_private *pvt = si->private;
 
+#ifndef USE_PKCS7
 	CMS_ContentInfo_free(pvt->cms);
+#else
+	PKCS7_free(pvt->pkcs7);
+#endif
 	BN_free(pvt->sno);
 	free(pvt->key_id);
 	free(pvt);
@@ -187,7 +202,13 @@  static const char *x509_name_to_str(X509_NAME *name)
 		return NULL;
 
 	d = X509_NAME_ENTRY_get_data(e);
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+		LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+	OPENSSL_VERSION_NUMBER < 0x10100000L
+	str = (const char *)ASN1_STRING_data(d);
+#else
 	str = (const char *)ASN1_STRING_get0_data(d);
+#endif
 
 	return str;
 }
@@ -197,11 +218,18 @@  static bool fill_pkcs7(const char *mem, off_t size,
 		       struct kmod_signature_info *sig_info)
 {
 	const char *pkcs7_raw;
+#ifndef USE_PKCS7
 	CMS_ContentInfo *cms;
 	STACK_OF(CMS_SignerInfo) *sis;
 	CMS_SignerInfo *si;
 	int rc;
 	ASN1_OCTET_STRING *key_id;
+#else
+	PKCS7 *pkcs7;
+	STACK_OF(PKCS7_SIGNER_INFO) *sis;
+	PKCS7_SIGNER_INFO *si;
+	PKCS7_ISSUER_AND_SERIAL *is;
+#endif
 	X509_NAME *issuer;
 	ASN1_INTEGER *sno;
 	ASN1_OCTET_STRING *sig;
@@ -220,14 +248,23 @@  static bool fill_pkcs7(const char *mem, off_t size,
 
 	in = BIO_new_mem_buf(pkcs7_raw, sig_len);
 
+#ifndef USE_PKCS7
 	cms = d2i_CMS_bio(in, NULL);
 	if (cms == NULL) {
 		BIO_free(in);
 		return false;
 	}
+#else
+	pkcs7 = d2i_PKCS7_bio(in, NULL);
+	if (pkcs7 == NULL) {
+		BIO_free(in);
+		return false;
+	}
+#endif
 
 	BIO_free(in);
 
+#ifndef USE_PKCS7
 	sis = CMS_get0_SignerInfos(cms);
 	if (sis == NULL)
 		goto err;
@@ -245,8 +282,35 @@  static bool fill_pkcs7(const char *mem, off_t size,
 		goto err;
 
 	CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg);
+#else
+	sis = PKCS7_get_signer_info(pkcs7);
+	if (sis == NULL)
+		goto err;
+
+	si = sk_PKCS7_SIGNER_INFO_value(sis, 0);
+	if (si == NULL)
+		goto err;
+
+	is = si->issuer_and_serial;
+	if (is == NULL)
+		goto err;
+	issuer = is->issuer;
+	sno = is->serial;
+
+	sig = si->enc_digest;
+	if (sig == NULL)
+		goto err;
+
+	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg);
+#endif
 
+#if (defined(LIBRESSL_VERSION_NUMBER) && \
+		LIBRESSL_VERSION_NUMBER < 0x20700000L) || \
+	OPENSSL_VERSION_NUMBER < 0x10100000L
+	sig_info->sig = (const char *)ASN1_STRING_data(sig);
+#else
 	sig_info->sig = (const char *)ASN1_STRING_get0_data(sig);
+#endif
 	sig_info->sig_len = ASN1_STRING_length(sig);
 
 	sno_bn = ASN1_INTEGER_to_BN(sno, NULL);
@@ -277,7 +341,11 @@  static bool fill_pkcs7(const char *mem, off_t size,
 	if (pvt == NULL)
 		goto err3;
 
+#ifndef USE_PKCS7
 	pvt->cms = cms;
+#else
+	pvt->pkcs7 = pkcs7;
+#endif
 	pvt->key_id = key_id_str;
 	pvt->sno = sno_bn;
 	sig_info->private = pvt;
@@ -290,7 +358,11 @@  err3:
 err2:
 	BN_free(sno_bn);
 err:
+#ifndef USE_PKCS7
 	CMS_ContentInfo_free(cms);
+#else
+	PKCS7_free(pkcs7);
+#endif
 	return false;
 }