From 686598dcff4fd9f91a77b95fb1cf852971283a49 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Wed, 11 Dec 2019 21:17:15 +0300
Subject: [PATCH 4/4] (WIP) Sign modules with GOST by LibreSSL [ work in progress ]
---
 certs/Makefile | 1 +
 init/Kconfig | 10 ++++++++++
 scripts/sign-file.c | 4 +---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..39fb3a53bfe3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 @$(kecho) "### needs to be run as root, and uses a hardware random"
 @$(kecho) "### number generator if one is available."
 @$(kecho) "###"
+# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
 $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
 -batch -x509 -config $(obj)/x509.genkey \
 -outform PEM -out $(obj)/signing_key.pem \
diff --git a/init/Kconfig b/init/Kconfig
index b4daad2bac23..0a733a1399e1 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2119,6 +2119,14 @@ config MODULE_SIG_SHA512
 bool "Sign modules with SHA-512"
 select CRYPTO_SHA512

+config MODULE_SIG_STREEBOG256
+ bool "Sign modules with STREEBOG-256"
+ select CRYPTO_STREEBOG
+
+config MODULE_SIG_STREEBOG512
+ bool "Sign modules with STREEBOG-512"
+ select CRYPTO_STREEBOG
+
 endchoice

 config MODULE_SIG_HASH
@@ -2129,6 +2137,8 @@ config MODULE_SIG_HASH
 default "sha256" if MODULE_SIG_SHA256
 default "sha384" if MODULE_SIG_SHA384
 default "sha512" if MODULE_SIG_SHA512
+ default "streebog256" if MODULE_SIG_STREEBOG256
+ default "streebog512" if MODULE_SIG_STREEBOG512

 config MODULE_COMPRESS
 bool "Compress modules on installation"
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..010c5f02ff5e 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
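Review bot: The `openssl req` call right after the added TODO still takes its digest from `-$(CONFIG_MODULE_SIG_HASH)`, so with one of the new Streebog options selected it is invoked with `-streebog256` or `-streebog512`, the case the comment itself says is not handled yet. The comment does not say what breaks or what the fix needs; a wording such as `# TODO: -$(CONFIG_MODULE_SIG_HASH) expands to -streebog256/-streebog512 here; needs a GOST-capable openssl and a matching key type in x509.genkey` would tell the next reader what to check. x509.genkey is not shown, so whether the key type it requests can be combined with a Streebog digest at all should be confirmed. The recipe continues past the end of the hunk.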
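Review bot: The two new choice entries in init/Kconfig select only the hash (`select CRYPTO_STREEBOG`); nothing ties them to the signature-verification side or to the key-generation step that this same patch marks as TODO in certs/Makefile. If the running kernel cannot verify a Streebog-based module signature, a configuration that does not force signatures would load such modules as unverified and one that does would refuse them, and neither outcome is flagged at configuration time. Until the signing path is complete, gating both entries, for example with `depends on BROKEN` plus the public-key algorithm symbol the verifier needs (presumably `CRYPTO_ECRDSA`, to be confirmed), and adding a short `help` text would keep the option from being picked by accident. The `default "streebog256"` and `default "streebog512"` lines in the following hunk hang on the same decision.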
@@ -41,9 +41,7 @@
 * signing with anything other than SHA1 - so we're stuck with that if such is
 * the case.
 */
-#if defined(LIBRESSL_VERSION_NUMBER) || \
- OPENSSL_VERSION_NUMBER < 0x10000000L || \
- defined(OPENSSL_NO_CMS)
+#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
 #ifndef USE_PKCS7
-- 2.20.1
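Review bot: Dropping `defined(LIBRESSL_VERSION_NUMBER)` from the `#if` sends every LibreSSL build down the CMS path, while the comment kept above it still explains only the old-OpenSSL case. LibreSSL reports an `OPENSSL_VERSION_NUMBER` of 0x20000000L, so the remaining version test never selects PKCS#7 for it, and a LibreSSL without the CMS API is then caught only if `OPENSSL_NO_CMS` is defined by this point; that should be confirmed for the releases the build is meant to support. A version-gated term such as `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < FIRST_LIBRESSL_WITH_CMS)` (the constant is a placeholder) would keep older LibreSSL on the fallback. One added comment line noting that the PKCS#7 fallback is, per the retained comment, limited to SHA1 and so cannot carry a Streebog digest would record why the condition changed. The `#ifndef USE_PKCS7` block continues outside the hunk.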