Hi

When I try to sign the kernel driver, I get a bug like this:

/usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 `modinfo -n sch_codel`
sign-file: LibreSSL 2.6.5 only supports SHA1 signing

Please update sign-file.c to the new API of SSL libraries such as LibreSSL and OpenSSL.

LibreSSL 2.6.5 and newer have support for these hash protocols:

Message Digest commands (see the `dgst' command for more details)
gost-mac md4 md5 md_gost94 ripemd160 sha1 sha224 sha256 sha384 sha512 streebog256 streebog512 whirlpool

Thanks
Created attachment 281175
Use CMS if LibreSSL >= 2.6.0 is present

Allows signing of kernel modules with algorithms other than SHA1 if LibreSSL is greater than or equal to 2.6.0.
Fixed! Let me know if it works for you, thank you for the report!
(In reply to Alec Ari from comment #1)
> Created attachment 281175
> Use CMS if LibreSSL >= 2.6.0 is present
>
> Allows signing of kernel modules with algorithms other
> than SHA1 if LibreSSL is greater than or equal to 2.6.0.

Really?

openssl version
LibreSSL 2.6.5

/usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 `modinfo -n sch_codel`
sign-file: LibreSSL 2.6.5 only supports SHA1 signing

LibreSSL 2.6.5 is greater than or equal to 2.6.0.

OS: Gentoo.

qlist -UqCv libressl
dev-libs/libressl-2.6.5 abi_x86_32 abi_x86_64 asm static-libs

Cheers
It works here, are you sure you applied the patch right? I'm on Gentoo as well but using LibreSSL 2.8.3.
It's important to run `make mrproper` as sign-file may not be getting recompiled. If you're using emerge to download kernel source, any changes to kernel files will be over-written on re-emerge.
I see the problem now, the error occurs on module installation, not build. Sorry about this.

-Alec
Yes, the problem occurs after the kernel image and modules build process. When trying to sign the modules with another hash, it fails. So far, the patch does not work, because libressl does not have cms.h definitions and has the macro OPENSSL_NO_CMS defined. sign-file tries to use old openssl definitions and macros for CMS and thus it will not compile with libressl without a rework.
CMS was enabled in LibreSSL > 3.0.2:
https://github.com/libressl-portable/portable/issues/448

In v3.0.2 OPENSSL_NO_CMS can be manually undefined in include/openssl/opensslfeatures.h
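
A header-level check for the condition discussed in the two comments above (no cms.h, or OPENSSL_NO_CMS defined in include/openssl/opensslfeatures.h), as an added example that is not part of this thread or of the kernel tree. The function names, the status strings and the extra opensslconf.h lookup are assumptions, and the sample header trees are constructed.

```shell
#!/bin/sh
# Added example: report whether a libssl header tree exposes the CMS API.

# cms_status INCLUDE_DIR
# Prints one of: cms-available | no-cms-header | cms-disabled
# Returns 0 only for cms-available.
cms_status() {
    inc=$1
    if [ ! -f "$inc/openssl/cms.h" ]; then
        echo "no-cms-header"
        return 1
    fi
    # opensslfeatures.h is the file named in the thread; opensslconf.h is
    # checked as well (assumption) for trees that keep the macro there.
    for h in opensslfeatures.h opensslconf.h; do
        f="$inc/openssl/$h"
        [ -f "$f" ] || continue
        # Only a live directive counts; "/* #define ... */" or "// #define ..."
        # on the same line does not match. Multi-line comments are not parsed.
        if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_CMS([[:space:]]|$)' "$f"; then
            echo "cms-disabled"
            return 1
        fi
    done
    echo "cms-available"
    return 0
}

# make_sample DIR MODE
# Builds a constructed (not real) header tree so the check can be tried offline.
make_sample() {
    mkdir -p "$1/openssl"
    case $2 in
        disabled) : > "$1/openssl/cms.h"
                  echo '#define OPENSSL_NO_CMS' > "$1/openssl/opensslfeatures.h" ;;
        enabled)  : > "$1/openssl/cms.h"
                  echo '/* #define OPENSSL_NO_CMS */' > "$1/openssl/opensslfeatures.h" ;;
        missing)  echo '#define OPENSSL_NO_CMS' > "$1/openssl/opensslfeatures.h" ;;
    esac
}

# When an include directory is given as the first argument, check it.
if [ -n "${1:-}" ]; then
    cms_status "$1"
fi
```

Run it against the include directory sign-file is actually built with, then rebuild sign-file (see the `make mrproper` comment above) after changing the library.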
Patch https://patchwork.kernel.org/patch/11446123/ restores ability to use the newest LibreSSL