Message-Id: <20170203013118.14634-1-antony@vennard.ch>
Date:   Fri,  3 Feb 2017 02:31:17 +0100
From:   Antony Vennard <antony@...nard.ch>
To:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>
Cc:     keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
        Antony Vennard <antony@...nard.ch>
Subject: [PATCH 0/1] Load OpenSSL config if present in sign-file.c

sign-file documentation on kernel.org advertises the fact that 
sign-file can use OpenSSL loadable engine support using PKCS#11 URI 
syntax (RFC 7512) for loading private keys from hardware tokens, if 
OpenSSL loadable engine support is present.

Unfortunately, if OpenSSL configuration files are not loaded there is 
no way (to my knowledge) for OpenSSL to load third party PKCS#11 
libraries as specified by OpenSSL configuration.

This patch enables loading of OpenSSL configuration files such that, 
with an appropriate OPENSSL_CONF environment variable, an OpenSSL 
config snippet such as: 

    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_cardos

    [pkcs11_cardos]
    engine_id = pkcs11
    dynamic_path = /usr/lib64/openssl/engines/libpkcs11.so
    MODULE_PATH = /path/to/pkcs11.so

can be used to utilize any third party PKCS#11 library for 
any available hardware token. Any other engine configuration 
customizations should also work. An end-user can either specify this 
particular snippet with OPENSSL_CONF=/path/to/file, or they may 
edit their distribution's SSL configuration file located at, for 
example, /etc/pki/tls/openssl.cnf (Red Hat derivatives).

Notes for reviewers:

 * OPENSSL_config(NULL) is marked in current documentation as deprecated. 
   As such I used CONF_modules_load_file in the manner OPENSSL_config does.
 * It seemed to me that "ignore no config file, but fail if 
   file found and there are parsing errors" was the most logical choice 
   - this is CONF_MFLAGS_IGNORE_MISSING_FILE.
 * CONF_MFLAGS_DEFAULT_SECTION and appname=NULL require the config file 
   have an openssl_conf = something section as in the sample above.
   This makes sign-file act exactly like the standalone openssl utility. 
   I chose this as the path of least resistance, but it could easily be 
   dropped to not require an explicit "openssl_conf=?" line, or we could 
   select an app name. 
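To illustrate the section chain the sample snippet and the reviewer notes rely on, here is a small resolver added for this post. It is not OpenSSL's parser and not sign-file code: it only models the appname / openssl_conf default-section lookup (engines -> engine section -> entries) and then reports which configured shared objects are absent on the host, a useful check before pointing OPENSSL_CONF at a file. The sample text is the snippet from the cover letter, embedded here as constructed input.

```python
import os

# Constructed sample: the snippet from the cover letter, verbatim.
SAMPLE_CONF = """\
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_cardos

[pkcs11_cardos]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/libpkcs11.so
MODULE_PATH = /path/to/pkcs11.so
"""

def parse_conf(text):
    """Minimal name=value/[section] parser; keys before a header go to ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def resolve_engines(text, appname=None):
    """Follow appname (if given) or the openssl_conf default to its engines
    section; returns {} when no openssl_conf line exists (nothing loaded)."""
    conf = parse_conf(text)
    init_name = (conf[""].get(appname) if appname else None) or conf[""].get("openssl_conf")
    if init_name is None:
        return {}
    engines_name = conf.get(init_name, {}).get("engines")
    return {name: dict(conf.get(sec, {}))
            for name, sec in conf.get(engines_name, {}).items()}

def missing_modules(engines):
    """Paths the engine config would dlopen that do not exist on this host."""
    paths = (e.get(k) for e in engines.values()
             for k in ("dynamic_path", "MODULE_PATH"))
    return [p for p in paths if p and not os.path.exists(p)]
```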

Since the certificate handling git repo appears out of date, this patch 
was based on Torvalds' linux.git. If this is incorrect please let me know 
and I will resubmit.

Antony Vennard (1):
  Load OpenSSL config if present in sign-file.c

 scripts/sign-file.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

-- 
2.9.3