| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Sep 2015 23:45:15 +0100
From: David Howells <dhowells@...hat.com>
To: Vinson Lee <vlee@...pensource.com>
Cc: dhowells@...hat.com, David Woodhouse <David.Woodhouse@...el.com>,
"Luis R. Rodriguez" <mcgrof@...e.com>,
Mimi Zohar <zohar@...ux.vnet.ibm.com>,
Marcel Holtmann <marcel@...tmann.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: Linux 4.3-rc1 build error on CentOS 5.11 "scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory"
David Howells <dhowells@...hat.com> wrote:
> Hmmm... Tricky. I'll have to think about it. I'm using PKCS7_NOCERTS with
> PKCS7_sign_add_signer() (or the CMS equivalents) to leave the cert list out of
> the message - but it's then necessary to manually specify the signers - at
> least so I recall.
It's worse than that. The PKCS7_sign() function in pre-1.0.0 OpenSSL crypto
libs will only do SHA1.
Now, it will work, and SHA1 might be just about acceptable for something based
on that old an OpenSSL library.
With this in mind, does the attached additional patch (on top of the one I
gave you yesterday) work for you? You need to set CONFIG_MODULE_SIG_SHA1=y in
your config.
David
---
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 0765141c3150..f65120e2aa03 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,7 +32,14 @@
* assume that it's not available and its header file is missing and that we
* should use PKCS#7 instead. Switching to the older PKCS#7 format restricts
* the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message. Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
*/
+#define USE_PKCS7
#if OPENSSL_VERSION_NUMBER < 0x10000000L
#define USE_PKCS7
#endif
@@ -184,6 +191,14 @@ int main(int argc, char **argv)
replace_orig = true;
}
+#ifdef USE_PKCS7
+ if (strcmp(hash_algo, "sha1") != 0) {
+ fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+ OPENSSL_VERSION_TEXT);
+ exit(3);
+ }
+#endif
+
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
@@ -240,8 +255,8 @@ int main(int argc, char **argv)
bm = BIO_new_file(module_name, "rb");
ERR(!bm, "%s", module_name);
- /* Load the signature message from the digest buffer. */
#ifndef USE_PKCS7
+ /* Load the signature message from the digest buffer. */
cms = CMS_sign(NULL, NULL, NULL, NULL,
CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
ERR(!cms, "CMS_sign");
@@ -254,17 +269,10 @@ int main(int argc, char **argv)
"CMS_final");
#else
- pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL,
- PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY |
- PKCS7_DETACHED | PKCS7_STREAM);
+ pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+ PKCS7_NOCERTS | PKCS7_BINARY |
+ PKCS7_DETACHED | PKCS7_STREAM | use_signed_attrs);
ERR(!pkcs7, "PKCS7_sign");
-
- ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo,
- PKCS7_NOCERTS | PKCS7_BINARY | PKCS7_NOSMIMECAP |
- use_signed_attrs),
- "PKCS7_sign_add_signer");
- ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0,
- "PKCS7_final");
#endif
if (save_sig) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists