| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Aug 2015 03:11:21 +0100
From: David Howells <dhowells@...hat.com>
To: James Morris <jmorris@...ei.org>
Cc: dhowells@...hat.com, mcgrof@...il.com, zohar@...ux.vnet.ibm.com,
dwmw2@...radead.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: Re: [GIT PULL] MODSIGN: Use PKCS#7 for module signatures [ver #8]
James Morris <jmorris@...ei.org> wrote:
> I'm still seeing these warnings:
>
> scripts/sign-file.c: In function ‘main’:
> scripts/sign-file.c:188: warning: value computed is not used
Ummm... What do you see on line 188? "BIO_reset(b);"? If so, that seems to
be an openssl bug. b is created four lines above and definitely used on the
following line, so the problem must lie with the BIO_reset() function or
macro.
You're using an older version of openssl-devel than I am (1.0.1e rather than
1.0.1k) so I suspect this has been fixed.
Can you have a look how this is defined for you? I see:
/usr/include/openssl/bio.h:#define BIO_reset(b) (int)BIO_ctrl(b,BIO_CTRL_RESET,0,NULL)
and:
/usr/include/openssl/bio.h:long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg);
> WARNING: modpost: missing MODULE_LICENSE() in
> crypto/asymmetric_keys/pkcs7_test_key.o
The issue actually pre-dates this patchset so is independent of it. I can
stack a patch onto the end of my series to fix this. I've pushed a new tag
with this patch (revised request-pull below in case you feel inclined to pull
it - or I can generate a whole new request message if you'd prefer).
David
---
The following changes since commit 459c15e53cf7e4e88a78ecfb109af5a267c5500a:
Merge tag 'asn1-fixes-20150805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next (2015-08-07 13:27:58 +1000)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/modsign-pkcs7-20150812-2
for you to fetch changes up to 772111ab01eace6a7e4cf821a4348cec64a97c92:
PKCS#7: Add MODULE_LICENSE() to test module (2015-08-13 02:51:33 +0100)
----------------------------------------------------------------
Module signing with PKCS#7
----------------------------------------------------------------
David Howells (18):
ASN.1: Add an ASN.1 compiler option to dump the element tree
ASN.1: Copy string names to tokens in ASN.1 compiler
X.509: Extract both parts of the AuthorityKeyIdentifier
X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
PKCS#7: Allow detached data to be supplied for signature checking purposes
MODSIGN: Provide a utility to append a PKCS#7 signature to a module
MODSIGN: Use PKCS#7 messages as module signatures
system_keyring.c doesn't need to #include module-internal.h
MODSIGN: Extract the blob PKCS#7 signature verifier from module signing
PKCS#7: Check content type and versions
X.509: Change recorded SKID & AKID to not include Subject or Issuer
PKCS#7: Support CMS messages also [RFC5652]
sign-file: Generate CMS message as signature instead of PKCS#7
PKCS#7: Improve and export the X.509 ASN.1 time object decoder
KEYS: Add a name for PKEY_ID_PKCS7
PKCS#7: Appropriately restrict authenticated attributes and content type
sign-file: Document dependency on OpenSSL devel libraries
PKCS#7: Add MODULE_LICENSE() to test module
David Woodhouse (9):
modsign: Abort modules_install when signing fails
modsign: Allow password to be specified for signing key
modsign: Allow signing key to be PKCS#11
modsign: Allow external signing key to be specified
modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed
modsign: Use single PEM file for autogenerated key
modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option
extract-cert: Cope with multiple X.509 certificates in a single file
modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
Luis R. Rodriguez (1):
sign-file: Add option to only create signature file
.gitignore | 1 +
Documentation/kbuild/kbuild.txt | 5 +
Documentation/module-signing.txt | 54 +++-
Makefile | 8 +-
arch/x86/kernel/kexec-bzimage64.c | 4 +-
crypto/asymmetric_keys/Makefile | 8 +-
crypto/asymmetric_keys/asymmetric_type.c | 11 +
crypto/asymmetric_keys/pkcs7.asn1 | 22 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 17 +-
crypto/asymmetric_keys/pkcs7_parser.c | 269 ++++++++++++++++++-
crypto/asymmetric_keys/pkcs7_parser.h | 20 +-
crypto/asymmetric_keys/pkcs7_trust.c | 10 +-
crypto/asymmetric_keys/pkcs7_verify.c | 145 ++++++++--
crypto/asymmetric_keys/public_key.c | 1 +
crypto/asymmetric_keys/verify_pefile.c | 7 +-
crypto/asymmetric_keys/x509_akid.asn1 | 35 +++
crypto/asymmetric_keys/x509_cert_parser.c | 231 ++++++++++------
crypto/asymmetric_keys/x509_parser.h | 12 +-
crypto/asymmetric_keys/x509_public_key.c | 95 ++++---
include/crypto/pkcs7.h | 13 +-
include/crypto/public_key.h | 18 +-
include/keys/system_keyring.h | 7 +
include/linux/oid_registry.h | 4 +-
include/linux/verify_pefile.h | 6 +-
init/Kconfig | 59 ++++-
kernel/Makefile | 112 +++++---
kernel/module_signing.c | 213 ++-------------
kernel/system_certificates.S | 3 +
kernel/system_keyring.c | 53 +++-
scripts/Makefile | 4 +
scripts/Makefile.modinst | 2 +-
scripts/asn1_compiler.c | 229 ++++++++++------
scripts/extract-cert.c | 166 ++++++++++++
scripts/sign-file | 421 ------------------------------
scripts/sign-file.c | 260 ++++++++++++++++++
35 files changed, 1597 insertions(+), 928 deletions(-)
create mode 100644 crypto/asymmetric_keys/x509_akid.asn1
create mode 100644 scripts/extract-cert.c
delete mode 100755 scripts/sign-file
create mode 100755 scripts/sign-file.c
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists