Bug 202159

Summary: sign-file: LibreSSL 2.6.5 only supports SHA1 signing
Product: Other Reporter: Jacekalex (wampir98)
Component: OtherAssignee: other_other
Status: NEW ---    
Severity: normal CC: fsaavedr, m.novosyolov, neotheuser, remarkable.armadillo.odgi, sounderweaver, spiritual.hare.nkii, useless.eel.sgvs
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.19.13 Subsystem:
Regression: No Bisected commit-id:
Attachments: Use CMS if LibreSSL >= 2.6.0 is present

Description Jacekalex 2019-01-05 11:08:33 UTC 
Hi

When I try to sign the kernel driver, I get receives a bug like this:

/usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 `modinfo -n sch_codel` 
sign-file: LibreSSL 2.6.5 only supports SHA1 signing


Please update the sign-file.c to the new API of SSL libraries such as Libressl and Openssl.


Libressl 2.6.5 and new have support for these hash protocols:

Message Digest commands (see the `dgst' command for more details)
gost-mac          md4               md5               md_gost94         
ripemd160         sha1              sha224            sha256            
sha384            sha512            streebog256       streebog512       
whirlpool   


Thanks
Comment 1 Alec Ari 2019-02-17 04:45:40 UTC 
Created attachment 281175 [details]
Use CMS if LibreSSL >= 2.6.0 is present

Allows signing of kernel modules with algorithms other
than SHA1 if LibreSSL is greater than or equal to 2.6.0.
Comment 2 Alec Ari 2019-02-17 04:48:24 UTC 
Fixed! Let me know if it works for you, thank you for the report!
Comment 3 Jacekalex 2019-02-17 05:06:13 UTC 
(In reply to Alec Ari from comment #1)
> Created attachment 281175 [details]
> Use CMS if LibreSSL >= 2.6.0 is present
> 
> Allows signing of kernel modules with algorithms other
> than SHA1 if LibreSSL is greater than or equal to 2.6.0.

Realy?

openssl version
LibreSSL 2.6.5

/usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 `modinfo -n sch_codel`
sign-file: LibreSSL 2.6.5 only supports SHA1 signing


LibreSSL 2.6.5  is greater than or equal to 2.6.0. 


OS: Gentoo.

qlist -UqCv libressl
dev-libs/libressl-2.6.5 abi_x86_32 abi_x86_64 asm static-libs

Cheers
Comment 4 Alec Ari 2019-02-17 05:12:53 UTC 
It works here, are you sure you applied the patch right? I'm on Gentoo as well but using LibreSSL 2.8.3.
Comment 5 Alec Ari 2019-02-17 05:19:04 UTC 
It's important to run `make mrproper` as sign-file may not be getting recompiled. If you're using emerge to download kernel source, any changes to kernel files will be over-written on re-emerge.
Comment 6 Alec Ari 2019-02-17 05:34:48 UTC 
I see the problem now, the error occurs on module installation, not build. Sorry about this. -Alec
Comment 7 Felipe <Fei Lee> 2019-04-16 06:05:32 UTC 
Yes, the problem occurs after kernel image and modules build process. When try to sign the modules with other hash, it fails.

So far, the patch does not work, because libressl does not have cms.h definitions and has the macro OPENSSL_NO_CMS defined. 

sign-file tries to use old openssl definitions and macros for CMS and thus it will not compile with libressl without a rework.
Comment 8 Mikhail Novosyolov 2019-12-07 23:14:42 UTC 
CMS was enabled in LibreSSL > 3.0.2:
https://github.com/libressl-portable/portable/issues/448
In v3.0.2 OPENSSL_NO_CMS can be manually undefined in include/openssl/opensslfeatures.h
Comment 9 Mikhail Novosyolov 2020-03-20 09:19:15 UTC 
Patch https://patchwork.kernel.org/patch/11446123/ restores ability to use the newest LibreSSL