Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/extract-cert.c | 4 | ||||
| -rwxr-xr-x | scripts/package/builddeb | 4 | ||||
| -rwxr-xr-x | scripts/sign-file.c | 94 | 
3 files changed, 79 insertions, 23 deletions
diff --git a/scripts/extract-cert.c b/scripts/extract-cert.c
index 6ce5945a0b89..b071bf476fea 100644
--- a/scripts/extract-cert.c
+++ b/scripts/extract-cert.c
@@ -17,13 +17,9 @@
 #include <stdint.h>
 #include <stdbool.h>
 #include <string.h>
-#include <getopt.h>
 #include <err.h>
-#include <arpa/inet.h>
 #include <openssl/bio.h>
-#include <openssl/evp.h>
 #include <openssl/pem.h>
-#include <openssl/pkcs7.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 0cd46e129920..b967e4f9fed2 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -115,7 +115,7 @@ esac
 BUILD_DEBUG="$(grep -s '^CONFIG_DEBUG_INFO=y' $KCONFIG_CONFIG || true)"
 # Setup the directory structure
-rm -rf "$tmpdir" "$fwdir" "$kernel_headers_dir" "$libc_headers_dir" "$dbg_dir"
+rm -rf "$tmpdir" "$fwdir" "$kernel_headers_dir" "$libc_headers_dir" "$dbg_dir" $objtree/debian/files
 mkdir -m 755 -p "$tmpdir/DEBIAN"
 mkdir -p "$tmpdir/lib" "$tmpdir/boot"
 mkdir -p "$fwdir/lib/firmware/$version/"
@@ -408,7 +408,7 @@ binary-arch:
 	\$(MAKE) KDEB_SOURCENAME=${sourcename} KDEB_PKGVERSION=${packageversion} bindeb-pkg
 clean:
-	rm -rf debian/*tmp
+	rm -rf debian/*tmp debian/files
 	mv debian/ debian.backup # debian/ might be cleaned away
 	\$(MAKE) clean
 	mv debian.backup debian
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index c3899ca4811c..250a7a645033 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
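Review bot: In the first builddeb hunk, `$objtree/debian/files` is the only operand of that `rm -rf` left unquoted, so a value of `$objtree` containing whitespace or glob characters would be word-split or expanded before rm sees it, and an empty `$objtree` turns the operand into `/debian/files`; `"$objtree/debian/files"` keeps it consistent with the quoted paths beside it. The second hunk's `debian/files` is a relative literal and needs no change.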
@@ -20,13 +20,34 @@
 #include <getopt.h>
 #include <err.h>
 #include <arpa/inet.h>
+#include <openssl/opensslv.h>
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-#include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
+/*
+ * Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
+ * assume that it's not available and its header file is missing and that we
+ * should use PKCS#7 instead.  Switching to the older PKCS#7 format restricts
+ * the options we have on specifying the X.509 certificate we want.
+ *
+ * Further, older versions of OpenSSL don't support manually adding signers to
+ * the PKCS#7 message so have to accept that we get a certificate included in
+ * the signature message.  Nor do such older versions of OpenSSL support
+ * signing with anything other than SHA1 - so we're stuck with that if such is
+ * the case.
+ */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+#define USE_PKCS7
+#endif
+#ifndef USE_PKCS7
+#include <openssl/cms.h>
+#else
+#include <openssl/pkcs7.h>
+#endif
+
 struct module_signature {
 	uint8_t		algo;		/* Public-key crypto algorithm [0] */
 	uint8_t		hash;		/* Digest algorithm [0] */
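Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10000000L` selector keys the CMS/PKCS#7 choice on version alone, so an OpenSSL built with CMS disabled (`OPENSSL_NO_CMS`, which opensslconf.h defines for such builds and which is already in scope through the headers included above the `#if`) would still take the CMS branch and fail at `#include <openssl/cms.h>`; `#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(OPENSSL_NO_CMS)` covers that configuration. The header comment could also state the one consequence a user will notice, e.g. `* In the PKCS#7 fallback the -k option is unavailable and hash_algo must be "sha1".`, so the build-time choice is discoverable without reading main.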
@@ -110,30 +131,42 @@ int main(int argc, char **argv)
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
 	char *hash_algo = NULL;
 	char *private_key_name, *x509_name, *module_name, *dest_name;
-	bool save_cms = false, replace_orig;
+	bool save_sig = false, replace_orig;
 	bool sign_only = false;
 	unsigned char buf[4096];
-	unsigned long module_size, cms_size;
-	unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR;
+	unsigned long module_size, sig_size;
+	unsigned int use_signed_attrs;
 	const EVP_MD *digest_algo;
 	EVP_PKEY *private_key;
+#ifndef USE_PKCS7
 	CMS_ContentInfo *cms;
+	unsigned int use_keyid = 0;
+#else
+	PKCS7 *pkcs7;
+#endif
 	X509 *x509;
 	BIO *b, *bd = NULL, *bm;
 	int opt, n;
-
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	ERR_clear_error();
 	key_pass = getenv("KBUILD_SIGN_PIN");
+#ifndef USE_PKCS7
+	use_signed_attrs = CMS_NOATTR;
+#else
+	use_signed_attrs = PKCS7_NOATTR;
+#endif
+
 	do {
 		opt = getopt(argc, argv, "dpk");
 		switch (opt) {
-		case 'p': save_cms = true; break;
-		case 'd': sign_only = true; save_cms = true; break;
+		case 'p': save_sig = true; break;
+		case 'd': sign_only = true; save_sig = true; break;
+#ifndef USE_PKCS7
 		case 'k': use_keyid = CMS_USE_KEYID; break;
+#endif
 		case -1: break;
 		default: format();
 		}
@@ -157,6 +190,14 @@ int main(int argc, char **argv)
 		replace_orig = true;
 	}
+#ifdef USE_PKCS7
+	if (strcmp(hash_algo, "sha1") != 0) {
+		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
+			OPENSSL_VERSION_TEXT);
+		exit(3);
+	}
+#endif
+
 	/* Read the private key and the X.509 cert the PKCS#7 message
 	 * will point to.
 	 */
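Review bot: The new SHA1 guard in the second hunk passes `hash_algo` straight to `strcmp`, and the first hunk shows it declared as `char *hash_algo = NULL`; the code that assigns it from the positional arguments lies between the two hunks, so I cannot confirm from here that every path reaches the guard with a non-NULL pointer, and `if (!hash_algo || strcmp(hash_algo, "sha1") != 0) {` would make the check safe regardless. In the USE_PKCS7 build the `case 'k'` is compiled out while the getopt string stays `"dpk"`, so `-k` falls into `default: format()` and reports a generic usage error instead of telling the user that key-id signing is not available with this OpenSSL; a `#else` arm printing a short "unsupported with OPENSSL_VERSION_TEXT" message before exiting would be clearer. main begins before and continues after this hunk.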
@@ -213,7 +254,8 @@ int main(int argc, char **argv)
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
-	/* Load the CMS message from the digest buffer. */
+#ifndef USE_PKCS7
+	/* Load the signature message from the digest buffer. */
 	cms = CMS_sign(NULL, NULL, NULL, NULL,
 		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM);
 	ERR(!cms, "CMS_sign");
@@ -221,17 +263,31 @@ int main(int argc, char **argv)
 	ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
 			     use_keyid | use_signed_attrs),
-	    "CMS_sign_add_signer");
+	    "CMS_add1_signer");
 	ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
 	    "CMS_final");
-	if (save_cms) {
-		char *cms_name;
+#else
+	pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
+			   PKCS7_NOCERTS | PKCS7_BINARY |
+			   PKCS7_DETACHED | use_signed_attrs);
+	ERR(!pkcs7, "PKCS7_sign");
+#endif
-		ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf");
-		b = BIO_new_file(cms_name, "wb");
-		ERR(!b, "%s", cms_name);
-		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name);
+	if (save_sig) {
+		char *sig_file_name;
+
+		ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+		    "asprintf");
+		b = BIO_new_file(sig_file_name, "wb");
+		ERR(!b, "%s", sig_file_name);
+#ifndef USE_PKCS7
+		ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0,
+		    "%s", sig_file_name);
+#else
+		ERR(i2d_PKCS7_bio(b, pkcs7) < 0,
+			"%s", sig_file_name);
+#endif
 		BIO_free(b);
 	}
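Review bot: The new `i2d_PKCS7_bio(...) < 0` checks, here for the `.p7s` file and again in the next hunk for dest_name, can never fire: as I read OpenSSL's i2d_*_bio family it returns 1 on success and 0 on failure, so a failed serialization leaves a truncated signature file or signed module behind with exit status 0. `ERR(!i2d_PKCS7_bio(b, pkcs7), "%s", sig_file_name);` and `ERR(!i2d_PKCS7_bio(bd, pkcs7), "%s", dest_name);` would catch it; the pre-existing `i2d_CMS_bio_stream(...) < 0` lines beside them have the same shape and look like the source of the pattern. Separately, the header comment added in the first hunk says the PKCS#7 path must accept a certificate embedded in the signature, yet `PKCS7_sign` is called with `PKCS7_NOCERTS`; either the flag or the comment should be reconciled so a reader knows which one the old library honours. main continues outside this hunk.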
@@ -247,9 +303,13 @@ int main(int argc, char **argv)
 	ERR(n < 0, "%s", module_name);
 	module_size = BIO_number_written(bd);
+#ifndef USE_PKCS7
 	ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
-	cms_size = BIO_number_written(bd) - module_size;
-	sig_info.sig_len = htonl(cms_size);
+#else
+	ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
+#endif
+	sig_size = BIO_number_written(bd) - module_size;
+	sig_info.sig_len = htonl(sig_size);
 	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
 	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
