<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/linux.git/scripts/sign-file.c, branch v5.3.14</title>
<subtitle>Linux Kernel
</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.3.14</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.3.14'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/'/>
<updated>2017-02-10T01:43:47Z</updated>
<entry>
<title>sign-file: fix build error in sign-file.c with libressl</title>
<updated>2017-02-10T01:43:47Z</updated>
<author>
<name>Felix Fietkau</name>
<email>nbd@nbd.name</email>
</author>
<published>2017-02-09T17:17:45Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=f86880175d0db2e3f2e27c24881dd9b395b0b920'/>
<id>urn:sha1:f86880175d0db2e3f2e27c24881dd9b395b0b920</id>
<content type='text'>
The sign-file tool failed to build against libressl. Fix this by extending
the PKCS7 check and thus making sign-file link against libressl without an
error.

Signed-off-by: John Crispin &lt;john@phrozen.org&gt;
Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: James Morris &lt;james.l.morris@oracle.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6</title>
<updated>2016-12-15T19:41:37Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2016-12-15T19:41:37Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=19c75bcbe0113cbbf05e4d89e0502a23358bfca9'/>
<id>urn:sha1:19c75bcbe0113cbbf05e4d89e0502a23358bfca9</id>
<content type='text'>
Pull crypto fixes from Herbert Xu:
 "This fixes the following issues:

   - a crash regression in the new skcipher walker

   - incorrect return value in public_key_verify_signature

   - fix for in-place signing in the sign-file utility"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: skcipher - fix crash in virtual walk
  sign-file: Fix inplace signing when src and dst names are both specified
  crypto: asymmetric_keys - set error code on failure
</content>
</entry>
<entry>
<title>sign-file: Fix inplace signing when src and dst names are both specified</title>
<updated>2016-12-14T10:33:14Z</updated>
<author>
<name>Alex Yashchenko</name>
<email>alexhoppus111@gmail.com</email>
</author>
<published>2016-12-13T09:26:25Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=efcae7c931b473285e38c778bdaa9f36de9f78d6'/>
<id>urn:sha1:efcae7c931b473285e38c778bdaa9f36de9f78d6</id>
<content type='text'>
When src and dst are both specified and they point to the same file,
the sign-file utility will write only the signature to the dst file and
the module (.ko file) body will not be written.
That happens because we open the same file with "rb" and "wb" flags;
from the fopen man page:

 w      Truncate file to zero length or create text file for writing.
        The stream is positioned at the beginning of the file.
...
	bm = BIO_new_file(module_name, "rb");
...
	bd = BIO_new_file(dest_name, "wb");
...
	while ((n = BIO_read(bm, buf, sizeof(buf))),
	       n &gt; 0) {
		ERR(BIO_write(bd, buf, n) &lt; 0, "%s", dest_name);
	}
...

Signed-off-by: Alex Yashchenko &lt;alexhoppus111@gmail.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Herbert Xu &lt;herbert@gondor.apana.org.au&gt;
</content>
</entry>
<entry>
<title>treewide: Make remaining source files non-executable</title>
<updated>2016-12-13T04:41:52Z</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2016-12-12T22:26:55Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=fe6bce8d30a86c693bf7cfbf4759cbafd121289f'/>
<id>urn:sha1:fe6bce8d30a86c693bf7cfbf4759cbafd121289f</id>
<content type='text'>
.c and .h source files should not be executable, change
the permissions to 0644.

[ This would normally go through Andrew Morton, but his ancient
  patch-based toolchain doesn't do permission changes ]

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Acked-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>modsign: Make sign-file determine the format of the X.509 cert</title>
<updated>2016-06-14T12:18:33Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2016-06-14T12:18:33Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=9552c7aebb8c36912612fddad5b55267c671a303'/>
<id>urn:sha1:9552c7aebb8c36912612fddad5b55267c671a303</id>
<content type='text'>
Make sign-file determine the format of the X.509 certificate by reading the
first two bytes and seeing if the first byte is 0x30 and the second
0x81-0x84.  If this is the case, assume it's DER encoded, otherwise assume
it to be PEM encoded.

Without this, it gets awkward to deal with the error messages from
d2i_X509_bio() when we want to call BIO_reset() and then PEM_read_bio() in
case the certificate was PEM encoded rather than X.509 encoded.

Reported-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Tested-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
cc: David Woodhouse &lt;dwmw2@infradead.org&gt;
cc: Juerg Haefliger &lt;juerg.haefliger@hpe.com&gt;
cc: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>sign-file: fix build with CMS support disabled</title>
<updated>2016-03-03T10:50:46Z</updated>
<author>
<name>Marc-Antoine Perennou</name>
<email>Marc-Antoine@Perennou.com</email>
</author>
<published>2016-03-01T08:53:00Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=41693d1c03212de3267bc77b1cb196294a438616'/>
<id>urn:sha1:41693d1c03212de3267bc77b1cb196294a438616</id>
<content type='text'>
Some versions of openssl might have the CMS feature disabled.
LibreSSL disables this feature too.
If the feature is disabled, fall back to PKCS7.

In file included from scripts/sign-file.c:46:0:
/usr/x86_64-pc-linux-gnu/include/openssl/cms.h:62:2: error: #error CMS is disabled.
 #error CMS is disabled.

Signed-off-by: Marc-Antoine Perennou &lt;Marc-Antoine@Perennou.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>scripts/sign-file.c: Add support for signing with a raw signature</title>
<updated>2016-02-18T17:20:48Z</updated>
<author>
<name>Juerg Haefliger</name>
<email>juerg.haefliger@hpe.com</email>
</author>
<published>2016-02-04T11:09:25Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=e5a2e3c8478215aea5b4c58e6154f1b6b170b0ca'/>
<id>urn:sha1:e5a2e3c8478215aea5b4c58e6154f1b6b170b0ca</id>
<content type='text'>
This patch adds support for signing a kernel module with a raw
detached PKCS#7 signature/message.

The signature is not converted and is simply appended to the module so
it needs to be in the right format. Using openssl, a valid signature can
be generated like this:
  $ openssl smime -sign -nocerts -noattr -binary -in &lt;module&gt; -inkey \
    &lt;key&gt; -signer &lt;x509&gt; -outform der -out &lt;raw sig&gt;

The resulting raw signature from the above command is (more or less)
identical to the raw signature that sign-file itself can produce like
this:
  $ scripts/sign-file -d &lt;hash algo&gt; &lt;key&gt; &lt;x509&gt; &lt;module&gt;

Signed-off-by: Juerg Haefliger &lt;juerg.haefliger@hpe.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>v2 linux-next scripts/sign-file.c Fix LibreSSL support</title>
<updated>2016-02-09T16:40:45Z</updated>
<author>
<name>Codarren Velvindron</name>
<email>codarren@hackers.mu</email>
</author>
<published>2016-02-09T16:40:45Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=411a6f585c0f7695942497ae1a0f3f313cefc6e0'/>
<id>urn:sha1:411a6f585c0f7695942497ae1a0f3f313cefc6e0</id>
<content type='text'>
In file included from scripts/sign-file.c:47:0:
/usr/include/openssl/cms.h:62:2: error: #error CMS is disabled.
 #error CMS is disabled.
  ^
scripts/Makefile.host:91: recipe for target 'scripts/sign-file' failed
make[1]: *** [scripts/sign-file] Error 1
Makefile:567: recipe for target 'scripts' failed
make: *** [scripts] Error 2


Fix SSL headers so that the kernel can build with LibreSSL

Signed-off-by: Codarren Velvindron &lt;codarren@hackers.mu&gt;
Acked-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
</entry>
<entry>
<title>MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old</title>
<updated>2015-09-25T15:31:46Z</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2015-09-25T15:31:46Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=283e8ba2dfde54f8f27d7d0f459a07de79a39d55'/>
<id>urn:sha1:283e8ba2dfde54f8f27d7d0f459a07de79a39d55</id>
<content type='text'>
The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
since that allows the target X.509 certificate to be specified by
subjectKeyId rather than by issuer + serialNumber.

However, older versions of the OpenSSL crypto library (such as may be found
in CentOS 5.11) don't support CMS.  Assume everything prior to
OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.

Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
give an error from the sign-file script if the caller requests anything
other than SHA1.

The compiler gives the following error with an OpenSSL crypto library
that's too old:

  HOSTCC  scripts/sign-file
scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
 #include &lt;openssl/cms.h&gt;

Reported-by: Vinson Lee &lt;vlee@twopensource.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</content>
</entry>
<entry>
<title>modsign: Fix GPL/OpenSSL licence incompatibility</title>
<updated>2015-09-15T20:54:21Z</updated>
<author>
<name>David Woodhouse</name>
<email>dwmw2@infradead.org</email>
</author>
<published>2015-09-15T15:03:36Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=09a77a885233e2a20dac2635a79c83ccf50a26a1'/>
<id>urn:sha1:09a77a885233e2a20dac2635a79c83ccf50a26a1</id>
<content type='text'>
The GPL does not permit us to link against the OpenSSL library. Use
LGPL for sign-file and extract-file instead.

[ The whole "openssl isn't compatible with gpl" is really just
  fear-mongering, but there's no reason not to make modsign LGPL, so
  nobody cares.  - Linus ]

Reported-by: Julian Andres Klode &lt;jak@jak-linux.org&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Julian Andres Klode &lt;jak@jak-linux.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
</feed>
