lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <28281.1439431881@warthog.procyon.org.uk>
Date:	Thu, 13 Aug 2015 03:11:21 +0100
From:	David Howells <dhowells@...hat.com>
To:	James Morris <jmorris@...ei.org>
Cc:	dhowells@...hat.com, mcgrof@...il.com, zohar@...ux.vnet.ibm.com,
	dwmw2@...radead.org, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8]

James Morris <jmorris@...ei.org> wrote:

> I'm still seeing these warnings:
> 
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:188: warning: value computed is not used

Ummm...  What do you see on line 188?  "BIO_reset(b);"?  If so, that seems to
be an openssl bug.  b is created four lines above and definitely used on the
following line, so the problem must lie with the BIO_reset() function or
macro.

You're using an older version of openssl-devel than I am (1.0.1e rather than
1.0.1k) so I suspect this has been fixed.

Can you have a look how this is defined for you?  I see:

   /usr/include/openssl/bio.h:#define BIO_reset(b)         (int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL)

and:

   /usr/include/openssl/bio.h:long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);

> WARNING: modpost: missing MODULE_LICENSE() in 
> crypto/asymmetric_keys/pkcs7_test_key.o

The issue actually pre-dates this patchset so is independent of it.  I can
stack a patch onto the end of my series to fix this.  I've pushed a new tag
with this patch (revised request-pull below in case you feel inclined to pull
it - or I can generate a whole new request message if you'd prefer).

David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:

  Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-2

for you to fetch changes up to 772111ab01eace6a7e4cf821a4348cec64a97c92:

  PKCS#7: Add MODULE_LICENSE() to test module (2015-08-13 02:51:33 +0100)

----------------------------------------------------------------
Module signing with PKCS#7

----------------------------------------------------------------
David Howells (18):
      ASN.1: Add an ASN.1 compiler option to dump the element tree
      ASN.1: Copy string names to tokens in ASN.1 compiler
      X.509: Extract both parts of the AuthorityKeyIdentifier
      X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures
      system_keyring.c doesn't need to #include module-internal.h
      MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
      PKCS#7: Check content type and versions
      X.509: Change recorded SKID & AKID to not include Subject or Issuer
      PKCS#7: Support CMS messages also [RFC5652]
      sign-file: Generate CMS message as signature instead of PKCS#7
      PKCS#7: Improve and export the X.509 ASN.1 time object decoder
      KEYS: Add a name for PKEY_ID_PKCS7
      PKCS#7: Appropriately restrict authenticated attributes and content type
      sign-file: Document dependency on OpenSSL devel libraries
      PKCS#7: Add MODULE_LICENSE() to test module

David Woodhouse (9):
      modsign: Abort modules_install when signing fails
      modsign: Allow password to be specified for signing key
      modsign: Allow signing key to be PKCS#11
      modsign: Allow external signing key to be specified
      modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
      modsign: Use single PEM file for autogenerated key
      modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
      extract-cert: Cope with multiple X.509 certificates in a single file
      modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS

Luis R. Rodriguez (1):
      sign-file: Add option to only create signature file

 .gitignore                                |   1 +
 Documentation/kbuild/kbuild.txt           |   5 +
 Documentation/module-signing.txt          |  54 +++-
 Makefile                                  |   8 +-
 arch/x86/kernel/kexec-bzimage64.c         |   4 +-
 crypto/asymmetric_keys/Makefile           |   8 +-
 crypto/asymmetric_keys/asymmetric_type.c  |  11 +
 crypto/asymmetric_keys/pkcs7.asn1         |  22 +-
 crypto/asymmetric_keys/pkcs7_key_type.c   |  17 +-
 crypto/asymmetric_keys/pkcs7_parser.c     | 269 ++++++++++++++++++-
 crypto/asymmetric_keys/pkcs7_parser.h     |  20 +-
 crypto/asymmetric_keys/pkcs7_trust.c      |  10 +-
 crypto/asymmetric_keys/pkcs7_verify.c     | 145 ++++++++--
 crypto/asymmetric_keys/public_key.c       |   1 +
 crypto/asymmetric_keys/verify_pefile.c    |   7 +-
 crypto/asymmetric_keys/x509_akid.asn1     |  35 +++
 crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
 crypto/asymmetric_keys/x509_parser.h      |  12 +-
 crypto/asymmetric_keys/x509_public_key.c  |  95 ++++---
 include/crypto/pkcs7.h                    |  13 +-
 include/crypto/public_key.h               |  18 +-
 include/keys/system_keyring.h             |   7 +
 include/linux/oid_registry.h              |   4 +-
 include/linux/verify_pefile.h             |   6 +-
 init/Kconfig                              |  59 ++++-
 kernel/Makefile                           | 112 +++++---
 kernel/module_signing.c                   | 213 ++-------------
 kernel/system_certificates.S              |   3 +
 kernel/system_keyring.c                   |  53 +++-
 scripts/Makefile                          |   4 +
 scripts/Makefile.modinst                  |   2 +-
 scripts/asn1_compiler.c                   | 229 ++++++++++------
 scripts/extract-cert.c                    | 166 ++++++++++++
 scripts/sign-file                         | 421 ------------------------------
 scripts/sign-file.c                       | 260 ++++++++++++++++++
 35 files changed, 1597 insertions(+), 928 deletions(-)
 create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
 create mode 100644 scripts/extract-cert.c
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ