diff options
Diffstat (limited to 'sys-apps/kmod/files')
-rw-r--r-- | sys-apps/kmod/files/kmod-26-libressl.patch | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/sys-apps/kmod/files/kmod-26-libressl.patch b/sys-apps/kmod/files/kmod-26-libressl.patch new file mode 100644 index 000000000000..cb36ab401c21 --- /dev/null +++ b/sys-apps/kmod/files/kmod-26-libressl.patch @@ -0,0 +1,143 @@ +From 628677e066198d8658d7edd5511a5bb27cd229f5 Mon Sep 17 00:00:00 2001 +From: Stefan Strogin <steils@gentoo.org> +Date: Sun, 19 May 2019 03:42:01 +0300 +Subject: [PATCH] libkmod-signature: use PKCS#7 instead of CMS + +Linux uses either PKCS #7 or CMS for signing modules (see +scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL, +so PKCS #7 is used on systems with these libcrypto providers. + +CMS and PKCS #7 formats are very similar. CMS is newer but is as much as +possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in +the latest OpenSSL as well as CMS. The fields used for signing kernel +modules are supported both in PKCS #7 and CMS. + +For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or +newer. + +Use PKCS #7 for parsing module signature information, so that modinfo +could be used both with OpenSSL and LibreSSL. + +[1] https://tools.ietf.org/html/rfc5652#section-1.1 + +Changes v1->v2: +- Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both +with OpenSSL and LibreSSL. + +Upstream-Status: Accepted +[https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git/commit/?id=628677e066198d8658d7edd5511a5bb27cd229f5] +Signed-off-by: Stefan Strogin <steils@gentoo.org> +--- + libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c +index 48d0145..4e8748c 100644 +--- a/libkmod/libkmod-signature.c ++++ b/libkmod/libkmod-signature.c +@@ -20,7 +20,7 @@ + #include <endian.h> + #include <inttypes.h> + #ifdef ENABLE_OPENSSL +-#include <openssl/cms.h> ++#include <openssl/pkcs7.h> + #include <openssl/ssl.h> + #endif + #include <stdio.h> +@@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, + #ifdef ENABLE_OPENSSL + + struct pkcs7_private { +- CMS_ContentInfo *cms; ++ PKCS7 *pkcs7; + unsigned char *key_id; + BIGNUM *sno; + }; +@@ -132,7 +132,7 @@ static void pkcs7_free(void *s) + struct kmod_signature_info *si = s; + struct pkcs7_private *pvt = si->private; + +- CMS_ContentInfo_free(pvt->cms); ++ PKCS7_free(pvt->pkcs7); + BN_free(pvt->sno); + free(pvt->key_id); + free(pvt); +@@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, + struct kmod_signature_info *sig_info) + { + const char *pkcs7_raw; +- CMS_ContentInfo *cms; +- STACK_OF(CMS_SignerInfo) *sis; +- CMS_SignerInfo *si; +- int rc; +- ASN1_OCTET_STRING *key_id; ++ PKCS7 *pkcs7; ++ STACK_OF(PKCS7_SIGNER_INFO) *sis; ++ PKCS7_SIGNER_INFO *si; ++ PKCS7_ISSUER_AND_SERIAL *is; + X509_NAME *issuer; + ASN1_INTEGER *sno; + ASN1_OCTET_STRING *sig; +@@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, + + in = BIO_new_mem_buf(pkcs7_raw, sig_len); + +- cms = d2i_CMS_bio(in, NULL); +- if (cms == NULL) { ++ pkcs7 = d2i_PKCS7_bio(in, NULL); ++ if (pkcs7 == NULL) { + BIO_free(in); + return false; + } + + BIO_free(in); + +- sis = CMS_get0_SignerInfos(cms); ++ sis = PKCS7_get_signer_info(pkcs7); + if (sis == NULL) + goto err; + +- si = sk_CMS_SignerInfo_value(sis, 0); ++ si = sk_PKCS7_SIGNER_INFO_value(sis, 0); + if (si == NULL) + goto err; + +- rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); +- if (rc == 0) ++ is = si->issuer_and_serial; ++ if (is == NULL) + goto err; ++ issuer = is->issuer; ++ sno = is->serial; + +- sig = CMS_SignerInfo_get0_signature(si); ++ sig = si->enc_digest; + if (sig == NULL) + goto err; + +- CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); ++ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); + + sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); + sig_info->sig_len = ASN1_STRING_length(sig); +@@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, + if (pvt == NULL) + goto err3; + +- pvt->cms = cms; ++ pvt->pkcs7 = pkcs7; + pvt->key_id = key_id_str; + pvt->sno = sno_bn; + sig_info->private = pvt; +@@ -290,7 +291,7 @@ err3: + err2: + BN_free(sno_bn); + err: +- CMS_ContentInfo_free(cms); ++ PKCS7_free(pkcs7); + return false; + } + +-- +2.21.0 + |