From bc1c373dd2a5113800360f7152be729c9da996cc Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 20 Jul 2015 21:16:27 +0100 Subject: MODSIGN: Provide a utility to append a PKCS#7 signature to a module Provide a utility that: (1) Digests a module using the specified hash algorithm (typically sha256). [The digest can be dumped into a file by passing the '-d' flag] (2) Generates a PKCS#7 message that: (a) Has detached data (ie. the module content). (b) Is signed with the specified private key. (c) Refers to the specified X.509 certificate. (d) Has an empty X.509 certificate list. [The PKCS#7 message can be dumped into a file by passing the '-p' flag] (3) Generates a signed module by concatenating the old module, the PKCS#7 message, a descriptor and a magic string. The descriptor contains the size of the PKCS#7 message and indicates the id_type as PKEY_ID_PKCS7. (4) Either writes the signed module to the specified destination or renames it over the source module. This allows module signing to reuse the PKCS#7 handling code that was added for PE file parsing for signed kexec. Note that the utility is written in C and must be linked against the OpenSSL crypto library. Note further that I have temporarily dropped support for handling externally created signatures until we can work out the best way to do those. Hopefully, whoever creates the signature can give me a PKCS#7 certificate. Signed-off-by: David Howells Tested-by: Vivek Goyal --- scripts/sign-file.c | 205 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) create mode 100755 scripts/sign-file.c (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c new file mode 100755 index 000000000000..5b8a6dda3235 --- /dev/null +++ b/scripts/sign-file.c @@ -0,0 +1,205 @@ +/* Sign a module file using the given key. + * + * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct module_signature { + uint8_t algo; /* Public-key crypto algorithm [0] */ + uint8_t hash; /* Digest algorithm [0] */ + uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */ + uint8_t signer_len; /* Length of signer's name [0] */ + uint8_t key_id_len; /* Length of key identifier [0] */ + uint8_t __pad[3]; + uint32_t sig_len; /* Length of signature data */ +}; + +#define PKEY_ID_PKCS7 2 + +static char magic_number[] = "~Module signature appended~\n"; + +static __attribute__((noreturn)) +void format(void) +{ + fprintf(stderr, + "Usage: scripts/sign-file [-dp] []\n"); + exit(2); +} + +static void display_openssl_errors(int l) +{ + const char *file; + char buf[120]; + int e, line; + + if (ERR_peek_error() == 0) + return; + fprintf(stderr, "At main.c:%d:\n", l); + + while ((e = ERR_get_error_line(&file, &line))) { + ERR_error_string(e, buf); + fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); + } +} + +static void drain_openssl_errors(void) +{ + const char *file; + int line; + + if (ERR_peek_error() == 0) + return; + while (ERR_get_error_line(&file, &line)) {} +} + +#define ERR(cond, fmt, ...) \ + do { \ + bool __cond = (cond); \ + display_openssl_errors(__LINE__); \ + if (__cond) { \ + err(1, fmt, ## __VA_ARGS__); \ + } \ + } while(0) + +int main(int argc, char **argv) +{ + struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; + char *hash_algo = NULL; + char *private_key_name, *x509_name, *module_name, *dest_name; + bool save_pkcs7 = false, replace_orig; + unsigned char buf[4096]; + unsigned long module_size, pkcs7_size; + const EVP_MD *digest_algo; + EVP_PKEY *private_key; + PKCS7 *pkcs7; + X509 *x509; + BIO *b, *bd, *bm; + int opt, n; + + ERR_load_crypto_strings(); + ERR_clear_error(); + + do { + opt = getopt(argc, argv, "dp"); + switch (opt) { + case 'p': save_pkcs7 = true; break; + case -1: break; + default: format(); + } + } while (opt != -1); + + argc -= optind; + argv += optind; + if (argc < 4 || argc > 5) + format(); + + hash_algo = argv[0]; + private_key_name = argv[1]; + x509_name = argv[2]; + module_name = argv[3]; + if (argc == 5) { + dest_name = argv[4]; + replace_orig = false; + } else { + ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0, + "asprintf"); + replace_orig = true; + } + + /* Read the private key and the X.509 cert the PKCS#7 message + * will point to. + */ + b = BIO_new_file(private_key_name, "rb"); + ERR(!b, "%s", private_key_name); + private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); + BIO_free(b); + + b = BIO_new_file(x509_name, "rb"); + ERR(!b, "%s", x509_name); + x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */ + if (!x509) { + BIO_reset(b); + x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */ + if (x509) + drain_openssl_errors(); + } + BIO_free(b); + ERR(!x509, "%s", x509_name); + + /* Open the destination file now so that we can shovel the module data + * across as we read it. + */ + bd = BIO_new_file(dest_name, "wb"); + ERR(!bd, "%s", dest_name); + + /* Digest the module data. */ + OpenSSL_add_all_digests(); + display_openssl_errors(__LINE__); + digest_algo = EVP_get_digestbyname(hash_algo); + ERR(!digest_algo, "EVP_get_digestbyname"); + + bm = BIO_new_file(module_name, "rb"); + ERR(!bm, "%s", module_name); + + /* Load the PKCS#7 message from the digest buffer. */ + pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL, + PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM); + ERR(!pkcs7, "PKCS7_sign"); + + ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY), + "PKCS7_sign_add_signer"); + ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0, + "PKCS7_final"); + + if (save_pkcs7) { + char *pkcs7_name; + + ERR(asprintf(&pkcs7_name, "%s.pkcs7", module_name) < 0, "asprintf"); + b = BIO_new_file(pkcs7_name, "wb"); + ERR(!b, "%s", pkcs7_name); + ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", pkcs7_name); + BIO_free(b); + } + + /* Append the marker and the PKCS#7 message to the destination file */ + ERR(BIO_reset(bm) < 0, "%s", module_name); + while ((n = BIO_read(bm, buf, sizeof(buf))), + n > 0) { + ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name); + } + ERR(n < 0, "%s", module_name); + module_size = BIO_number_written(bd); + + ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name); + pkcs7_size = BIO_number_written(bd) - module_size; + sig_info.sig_len = htonl(pkcs7_size); + ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); + ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); + + ERR(BIO_free(bd) < 0, "%s", dest_name); + + /* Finally, if we're signing in place, replace the original. */ + if (replace_orig) + ERR(rename(dest_name, module_name) < 0, "%s", dest_name); + + return 0; +} -- cgit v1.2.1 From 23dfbbabbb3a62104b040b422121c84800312ad0 Mon Sep 17 00:00:00 2001 From: "Luis R. Rodriguez" Date: Mon, 20 Jul 2015 21:16:27 +0100 Subject: sign-file: Add option to only create signature file Make the -d option (which currently isn't actually wired to anything) write out the PKCS#7 message as per the -p option and then exit without either modifying the source or writing out a compound file of the source, signature and metadata. This will be useful when firmware signature support is added upstream as firmware will be left intact, and we'll only require the signature file. The descriptor is implicit by file extension and the file's own size. Signed-off-by: Luis R. Rodriguez Signed-off-by: David Howells --- scripts/sign-file.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 5b8a6dda3235..39aaabe89388 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -86,13 +86,14 @@ int main(int argc, char **argv) char *hash_algo = NULL; char *private_key_name, *x509_name, *module_name, *dest_name; bool save_pkcs7 = false, replace_orig; + bool sign_only = false; unsigned char buf[4096]; unsigned long module_size, pkcs7_size; const EVP_MD *digest_algo; EVP_PKEY *private_key; PKCS7 *pkcs7; X509 *x509; - BIO *b, *bd, *bm; + BIO *b, *bd = NULL, *bm; int opt, n; ERR_load_crypto_strings(); @@ -102,6 +103,7 @@ int main(int argc, char **argv) opt = getopt(argc, argv, "dp"); switch (opt) { case 'p': save_pkcs7 = true; break; + case 'd': sign_only = true; save_pkcs7 = true; break; case -1: break; default: format(); } @@ -148,8 +150,10 @@ int main(int argc, char **argv) /* Open the destination file now so that we can shovel the module data * across as we read it. */ - bd = BIO_new_file(dest_name, "wb"); - ERR(!bd, "%s", dest_name); + if (!sign_only) { + bd = BIO_new_file(dest_name, "wb"); + ERR(!bd, "%s", dest_name); + } /* Digest the module data. */ OpenSSL_add_all_digests(); @@ -180,6 +184,9 @@ int main(int argc, char **argv) BIO_free(b); } + if (sign_only) + return 0; + /* Append the marker and the PKCS#7 message to the destination file */ ERR(BIO_reset(bm) < 0, "%s", module_name); while ((n = BIO_read(bm, buf, sizeof(buf))), -- cgit v1.2.1 From af1eb2913275c3ab1598b0c24c893499092df08a Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:28 +0100 Subject: modsign: Allow password to be specified for signing key We don't want this in the Kconfig since it might then get exposed in /proc/config.gz. So make it a parameter to Kbuild instead. This also means we don't have to jump through hoops to strip quotes from it, as we would if it was a config option. Signed-off-by: David Woodhouse Signed-off-by: David Howells Reviewed-by: Mimi Zohar --- scripts/sign-file.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 39aaabe89388..720b9bc933ae 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -80,6 +80,27 @@ static void drain_openssl_errors(void) } \ } while(0) +static const char *key_pass; + +static int pem_pw_cb(char *buf, int len, int w, void *v) +{ + int pwlen; + + if (!key_pass) + return -1; + + pwlen = strlen(key_pass); + if (pwlen >= len) + return -1; + + strcpy(buf, key_pass); + + /* If it's wrong, don't keep trying it. */ + key_pass = NULL; + + return pwlen; +} + int main(int argc, char **argv) { struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; @@ -96,9 +117,12 @@ int main(int argc, char **argv) BIO *b, *bd = NULL, *bm; int opt, n; + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); ERR_clear_error(); + key_pass = getenv("KBUILD_SIGN_PIN"); + do { opt = getopt(argc, argv, "dp"); switch (opt) { @@ -132,7 +156,8 @@ int main(int argc, char **argv) */ b = BIO_new_file(private_key_name, "rb"); ERR(!b, "%s", private_key_name); - private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); + ERR(!private_key, "%s", private_key_name); BIO_free(b); b = BIO_new_file(x509_name, "rb"); -- cgit v1.2.1 From 6e3e281f39af78bd680b82d9762bf6c4f8f3f5f4 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 20 Jul 2015 21:16:29 +0100 Subject: modsign: Allow signing key to be PKCS#11 This is only the key; the corresponding *cert* still needs to be in $(topdir)/signing_key.x509. And there's no way to actually use this from the build system yet. Signed-off-by: David Woodhouse Signed-off-by: David Howells --- scripts/sign-file.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 720b9bc933ae..ad0aa21bd3ac 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -22,6 +22,7 @@ #include #include #include +#include struct module_signature { uint8_t algo; /* Public-key crypto algorithm [0] */ @@ -154,11 +155,29 @@ int main(int argc, char **argv) /* Read the private key and the X.509 cert the PKCS#7 message * will point to. */ - b = BIO_new_file(private_key_name, "rb"); - ERR(!b, "%s", private_key_name); - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); - ERR(!private_key, "%s", private_key_name); - BIO_free(b); + if (!strncmp(private_key_name, "pkcs11:", 7)) { + ENGINE *e; + + ENGINE_load_builtin_engines(); + drain_openssl_errors(); + e = ENGINE_by_id("pkcs11"); + ERR(!e, "Load PKCS#11 ENGINE"); + if (ENGINE_init(e)) + drain_openssl_errors(); + else + ERR(1, "ENGINE_init"); + if (key_pass) + ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); + private_key = ENGINE_load_private_key(e, private_key_name, NULL, + NULL); + ERR(!private_key, "%s", private_key_name); + } else { + b = BIO_new_file(private_key_name, "rb"); + ERR(!b, "%s", private_key_name); + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); + ERR(!private_key, "%s", private_key_name); + BIO_free(b); + } b = BIO_new_file(x509_name, "rb"); ERR(!b, "%s", x509_name); -- cgit v1.2.1 From ed8c20762a314124cbdd62e9d3e8aa7aa2a16020 Mon Sep 17 00:00:00 2001 From: David Howells Date: Mon, 20 Jul 2015 21:16:33 +0100 Subject: sign-file: Generate CMS message as signature instead of PKCS#7 Make sign-file use the OpenSSL CMS routines to generate a message to be used as the signature blob instead of the PKCS#7 routines. This allows us to change how the matching X.509 certificate is selected. With PKCS#7 the only option is to match on the serial number and issuer fields of an X.509 certificate; with CMS, we also have the option of matching by subjectKeyId extension. The new behaviour is selected with the "-k" flag. Without the -k flag specified, the output is pretty much identical to the PKCS#7 output. Whilst we're at it, don't include the S/MIME capability list in the message as it's irrelevant to us. Signed-off-by: David Howells Reviewed-By: David Woodhouse #include #include -#include +#include #include #include @@ -107,13 +107,14 @@ int main(int argc, char **argv) struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; char *hash_algo = NULL; char *private_key_name, *x509_name, *module_name, *dest_name; - bool save_pkcs7 = false, replace_orig; + bool save_cms = false, replace_orig; bool sign_only = false; unsigned char buf[4096]; - unsigned long module_size, pkcs7_size; + unsigned long module_size, cms_size; + unsigned int use_keyid = 0; const EVP_MD *digest_algo; EVP_PKEY *private_key; - PKCS7 *pkcs7; + CMS_ContentInfo *cms; X509 *x509; BIO *b, *bd = NULL, *bm; int opt, n; @@ -125,10 +126,11 @@ int main(int argc, char **argv) key_pass = getenv("KBUILD_SIGN_PIN"); do { - opt = getopt(argc, argv, "dp"); + opt = getopt(argc, argv, "dpk"); switch (opt) { - case 'p': save_pkcs7 = true; break; - case 'd': sign_only = true; save_pkcs7 = true; break; + case 'p': save_cms = true; break; + case 'd': sign_only = true; save_cms = true; break; + case 'k': use_keyid = CMS_USE_KEYID; break; case -1: break; default: format(); } @@ -208,23 +210,24 @@ int main(int argc, char **argv) bm = BIO_new_file(module_name, "rb"); ERR(!bm, "%s", module_name); - /* Load the PKCS#7 message from the digest buffer. */ - pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL, - PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM); - ERR(!pkcs7, "PKCS7_sign"); + /* Load the CMS message from the digest buffer. */ + cms = CMS_sign(NULL, NULL, NULL, NULL, + CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED | CMS_STREAM); + ERR(!cms, "CMS_sign"); - ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY), - "PKCS7_sign_add_signer"); - ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0, - "PKCS7_final"); + ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, + CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP | use_keyid), + "CMS_sign_add_signer"); + ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0, + "CMS_final"); - if (save_pkcs7) { - char *pkcs7_name; + if (save_cms) { + char *cms_name; - ERR(asprintf(&pkcs7_name, "%s.pkcs7", module_name) < 0, "asprintf"); - b = BIO_new_file(pkcs7_name, "wb"); - ERR(!b, "%s", pkcs7_name); - ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", pkcs7_name); + ERR(asprintf(&cms_name, "%s.p7s", module_name) < 0, "asprintf"); + b = BIO_new_file(cms_name, "wb"); + ERR(!b, "%s", cms_name); + ERR(i2d_CMS_bio_stream(b, cms, NULL, 0) < 0, "%s", cms_name); BIO_free(b); } @@ -240,9 +243,9 @@ int main(int argc, char **argv) ERR(n < 0, "%s", module_name); module_size = BIO_number_written(bd); - ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name); - pkcs7_size = BIO_number_written(bd) - module_size; - sig_info.sig_len = htonl(pkcs7_size); + ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name); + cms_size = BIO_number_written(bd) - module_size; + sig_info.sig_len = htonl(cms_size); ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); -- cgit v1.2.1 From 99db44350672c8a5ee9a7b0a6f4cd6ff10136065 Mon Sep 17 00:00:00 2001 From: David Howells Date: Wed, 5 Aug 2015 15:22:27 +0100 Subject: PKCS#7: Appropriately restrict authenticated attributes and content type A PKCS#7 or CMS message can have per-signature authenticated attributes that are digested as a lump and signed by the authorising key for that signature. If such attributes exist, the content digest isn't itself signed, but rather it is included in a special authattr which then contributes to the signature. Further, we already require the master message content type to be pkcs7_signedData - but there's also a separate content type for the data itself within the SignedData object and this must be repeated inside the authattrs for each signer [RFC2315 9.2, RFC5652 11.1]. We should really validate the authattrs if they exist or forbid them entirely as appropriate. To this end: (1) Alter the PKCS#7 parser to reject any message that has more than one signature where at least one signature has authattrs and at least one that does not. (2) Validate authattrs if they are present and strongly restrict them. Only the following authattrs are permitted and all others are rejected: (a) contentType. This is checked to be an OID that matches the content type in the SignedData object. (b) messageDigest. This must match the crypto digest of the data. (c) signingTime. If present, we check that this is a valid, parseable UTCTime or GeneralTime and that the date it encodes fits within the validity window of the matching X.509 cert. (d) S/MIME capabilities. We don't check the contents. (e) Authenticode SP Opus Info. We don't check the contents. (f) Authenticode Statement Type. We don't check the contents. The message is rejected if (a) or (b) are missing. If the message is an Authenticode type, the message is rejected if (e) is missing; if not Authenticode, the message is rejected if (d) - (f) are present. The S/MIME capabilities authattr (d) unfortunately has to be allowed to support kernels already signed by the pesign program. This only affects kexec. sign-file suppresses them (CMS_NOSMIMECAP). The message is also rejected if an authattr is given more than once or if it contains more than one element in its set of values. (3) Add a parameter to pkcs7_verify() to select one of the following restrictions and pass in the appropriate option from the callers: (*) VERIFYING_MODULE_SIGNATURE This requires that the SignedData content type be pkcs7-data and forbids authattrs. sign-file sets CMS_NOATTR. We could be more flexible and permit authattrs optionally, but only permit minimal content. (*) VERIFYING_FIRMWARE_SIGNATURE This requires that the SignedData content type be pkcs7-data and requires authattrs. In future, this will require an attribute holding the target firmware name in addition to the minimal set. (*) VERIFYING_UNSPECIFIED_SIGNATURE This requires that the SignedData content type be pkcs7-data but allows either no authattrs or only permits the minimal set. (*) VERIFYING_KEXEC_PE_SIGNATURE This only supports the Authenticode SPC_INDIRECT_DATA content type and requires at least an SpcSpOpusInfo authattr in addition to the minimal set. It also permits an SPC_STATEMENT_TYPE authattr (and an S/MIME capabilities authattr because the pesign program doesn't remove these). (*) VERIFYING_KEY_SIGNATURE (*) VERIFYING_KEY_SELF_SIGNATURE These are invalid in this context but are included for later use when limiting the use of X.509 certs. (4) The pkcs7_test key type is given a module parameter to select between the above options for testing purposes. For example: echo 1 >/sys/module/pkcs7_test_key/parameters/usage keyctl padd pkcs7_test foo @s Signed-off-by: David Howells Reviewed-by: Marcel Holtmann Reviewed-by: David Woodhouse --- scripts/sign-file.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c index de213e5c0cd3..e9741e879bbd 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -111,7 +111,7 @@ int main(int argc, char **argv) bool sign_only = false; unsigned char buf[4096]; unsigned long module_size, cms_size; - unsigned int use_keyid = 0; + unsigned int use_keyid = 0, use_signed_attrs = CMS_NOATTR; const EVP_MD *digest_algo; EVP_PKEY *private_key; CMS_ContentInfo *cms; @@ -216,7 +216,8 @@ int main(int argc, char **argv) ERR(!cms, "CMS_sign"); ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo, - CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP | use_keyid), + CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP | + use_keyid | use_signed_attrs), "CMS_sign_add_signer"); ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0, "CMS_final"); -- cgit v1.2.1 From e9a5e8cc55286941503f36c5b7485a5aa923b3f1 Mon Sep 17 00:00:00 2001 From: David Howells Date: Thu, 13 Aug 2015 04:03:12 +0100 Subject: sign-file: Fix warning about BIO_reset() return value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix the following warning: scripts/sign-file.c: In function ‘main’: scripts/sign-file.c:188: warning: value computed is not used whereby the result of BIO_ctrl() is cast inside of BIO_reset() to an integer of a different size - which we're not checking but probably should. Reported-by: James Morris Signed-off-by: David Howells --- scripts/sign-file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'scripts/sign-file.c') diff --git a/scripts/sign-file.c b/scripts/sign-file.c index e9741e879bbd..058bba3103e2 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -185,7 +185,7 @@ int main(int argc, char **argv) ERR(!b, "%s", x509_name); x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */ if (!x509) { - BIO_reset(b); + ERR(BIO_reset(b) != 1, "%s", x509_name); x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */ if (x509) drain_openssl_errors(); -- cgit v1.2.1