25af5a11f1
Changes in 5.10.155
fuse: fix readdir cache race
hwspinlock: qcom: correct MMIO max register for newer SoCs
phy: stm32: fix an error code in probe
wifi: cfg80211: silence a sparse RCU warning
wifi: cfg80211: fix memory leak in query_regdb_file()
bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
bpftool: Fix NULL pointer dereference when pin {PROG, MAP, LINK} without FILE
HID: hyperv: fix possible memory leak in mousevsc_probe()
bpf: Support for pointers beyond pkt_end.
bpf: Add helper macro bpf_for_each_reg_in_vstate
bpf: Fix wrong reg type conversion in release_reference()
net: gso: fix panic on frag_list with mixed head alloc types
macsec: delete new rxsc when offload fails
macsec: fix secy->n_rx_sc accounting
macsec: fix detection of RXSCs when toggling offloading
macsec: clear encryption keys from the stack after setting up offload
net: tun: Fix memory leaks of napi_get_frags
bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()
bnxt_en: fix potentially incorrect return value for ndo_rx_flow_steer
net: fman: Unregister ethernet device on removal
capabilities: fix undefined behavior in bit shift for CAP_TO_MASK
KVM: s390x: fix SCK locking
KVM: s390: pv: don't allow userspace to set the clock under PV
net: lapbether: fix issue of dev reference count leakage in lapbeth_device_event()
hamradio: fix issue of dev reference count leakage in bpq_device_event()
drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register()
tcp: prohibit TCP_REPAIR_OPTIONS if data was already sent
ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network
can: af_can: fix NULL pointer dereference in can_rx_register()
net: stmmac: dwmac-meson8b: fix meson8b_devm_clk_prepare_enable()
net: broadcom: Fix BCMGENET Kconfig
tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header
dmaengine: pxa_dma: use platform_get_irq_optional
dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
drivers: net: xgene: disable napi when register irq failed in xgene_enet_open()
perf stat: Fix printing os->prefix in CSV metrics output
net: marvell: prestera: fix memory leak in prestera_rxtx_switch_init()
net: nixge: disable napi when enable interrupts failed in nixge_open()
net/mlx5: Allow async trigger completion execution on single CPU systems
net/mlx5e: E-Switch, Fix comparing termination table instance
net: cpsw: disable napi in cpsw_ndo_open()
net: cxgb3_main: disable napi when bind qsets failed in cxgb_up()
cxgb4vf: shut down the adapter when t4vf_update_port_info() failed in cxgb4vf_open()
net: phy: mscc: macsec: clear encryption keys when freeing a flow
net: atlantic: macsec: clear encryption keys from the stack
ethernet: s2io: disable napi when start nic failed in s2io_card_up()
net: mv643xx_eth: disable napi when init rxq or txq failed in mv643xx_eth_open()
ethernet: tundra: free irq when alloc ring failed in tsi108_open()
net: macvlan: fix memory leaks of macvlan_common_newlink
riscv: process: fix kernel info leakage
riscv: vdso: fix build with llvm
riscv: Enable CMA support
riscv: Separate memory init from paging init
riscv: fix reserved memory setup
arm64: efi: Fix handling of misaligned runtime regions and drop warning
MIPS: jump_label: Fix compat branch range check
mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI
mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI
mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI
mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI
ALSA: hda/hdmi - enable runtime pm for more AMD display audio
ALSA: hda/ca0132: add quirk for EVGA Z390 DARK
ALSA: hda: fix potential memleak in 'add_widget_node'
ALSA: hda/realtek: Add Positivo C6300 model quirk
ALSA: usb-audio: Add quirk entry for M-Audio Micro
ALSA: usb-audio: Add DSD support for Accuphase DAC-60
vmlinux.lds.h: Fix placement of '.data..decrypted' section
ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure
nilfs2: fix deadlock in nilfs_count_free_blocks()
nilfs2: fix use-after-free bug of ns_writer on remount
drm/i915/dmabuf: fix sg_table handling in map_dma_buf
platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi
btrfs: selftests: fix wrong error check in btrfs_free_dummy_root()
mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI
udf: Fix a slab-out-of-bounds write bug in udf_find_entry()
mm/memremap.c: map FS_DAX device memory as decrypted
can: j1939: j1939_send_one(): fix missing CAN header initialization
cert host tools: Stop complaining about deprecated OpenSSL functions
dmaengine: at_hdmac: Fix at_lli struct definition
dmaengine: at_hdmac: Don't start transactions at tx_submit level
dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending
dmaengine: at_hdmac: Fix premature completion of desc in issue_pending
dmaengine: at_hdmac: Do not call the complete callback on device_terminate_all
dmaengine: at_hdmac: Protect atchan->status with the channel lock
dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all()
dmaengine: at_hdmac: Fix concurrency over descriptor
dmaengine: at_hdmac: Free the memset buf without holding the chan lock
dmaengine: at_hdmac: Fix concurrency over the active list
dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware
dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors
dmaengine: at_hdmac: Don't allow CPU to reorder channel enable
dmaengine: at_hdmac: Fix impossible condition
dmaengine: at_hdmac: Check return code of dma_async_device_register
net: tun: call napi_schedule_prep() to ensure we own a napi
mmc: sdhci-esdhc-imx: Convert the driver to DT-only
x86/cpu: Restore AMD's DE_CFG MSR after resume
io_uring: kill goto error handling in io_sqpoll_wait_sq()
Linux 5.10.155
Change-Id: Id7d803ed2db044ef465aab7e80fca8b4b07df258
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
177 lines
3.8 KiB
C
177 lines
3.8 KiB
C
/* Extract X.509 certificate in DER form from PKCS#11 or PEM.
|
|
*
|
|
* Copyright © 2014-2015 Red Hat, Inc. All Rights Reserved.
|
|
* Copyright © 2015 Intel Corporation.
|
|
*
|
|
* Authors: David Howells <dhowells@redhat.com>
|
|
* David Woodhouse <dwmw2@infradead.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public License
|
|
* as published by the Free Software Foundation; either version 2.1
|
|
* of the licence, or (at your option) any later version.
|
|
*/
|
|
#define _GNU_SOURCE
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stdint.h>
|
|
#include <stdbool.h>
|
|
#include <string.h>
|
|
#include <err.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/engine.h>
|
|
|
|
/*
|
|
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
|
|
*
|
|
* Remove this if/when that API is no longer used
|
|
*/
|
|
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
|
|
|
#define PKEY_ID_PKCS7 2
|
|
|
|
static __attribute__((noreturn))
|
|
void format(void)
|
|
{
|
|
fprintf(stderr,
|
|
"Usage: scripts/extract-cert <source> <dest>\n");
|
|
exit(2);
|
|
}
|
|
|
|
static void display_openssl_errors(int l)
|
|
{
|
|
const char *file;
|
|
char buf[120];
|
|
int e, line;
|
|
|
|
if (ERR_peek_error() == 0)
|
|
return;
|
|
fprintf(stderr, "At main.c:%d:\n", l);
|
|
|
|
while ((e = ERR_get_error_line(&file, &line))) {
|
|
ERR_error_string(e, buf);
|
|
fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
|
|
}
|
|
}
|
|
|
|
#ifndef OPENSSL_IS_BORINGSSL
|
|
static void drain_openssl_errors(void)
|
|
{
|
|
const char *file;
|
|
int line;
|
|
|
|
if (ERR_peek_error() == 0)
|
|
return;
|
|
while (ERR_get_error_line(&file, &line)) {}
|
|
}
|
|
#endif
|
|
|
|
#define ERR(cond, fmt, ...) \
|
|
do { \
|
|
bool __cond = (cond); \
|
|
display_openssl_errors(__LINE__); \
|
|
if (__cond) { \
|
|
err(1, fmt, ## __VA_ARGS__); \
|
|
} \
|
|
} while(0)
|
|
|
|
static const char *key_pass;
|
|
static BIO *wb;
|
|
static char *cert_dst;
|
|
static int kbuild_verbose;
|
|
|
|
static void write_cert(X509 *x509)
|
|
{
|
|
char buf[200];
|
|
|
|
if (!wb) {
|
|
wb = BIO_new_file(cert_dst, "wb");
|
|
ERR(!wb, "%s", cert_dst);
|
|
}
|
|
X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
|
|
ERR(!i2d_X509_bio(wb, x509), "%s", cert_dst);
|
|
if (kbuild_verbose)
|
|
fprintf(stderr, "Extracted cert: %s\n", buf);
|
|
}
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
char *cert_src;
|
|
|
|
OpenSSL_add_all_algorithms();
|
|
ERR_load_crypto_strings();
|
|
ERR_clear_error();
|
|
|
|
kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
|
|
|
|
key_pass = getenv("KBUILD_SIGN_PIN");
|
|
|
|
if (argc != 3)
|
|
format();
|
|
|
|
cert_src = argv[1];
|
|
cert_dst = argv[2];
|
|
|
|
if (!cert_src[0]) {
|
|
/* Invoked with no input; create empty file */
|
|
FILE *f = fopen(cert_dst, "wb");
|
|
ERR(!f, "%s", cert_dst);
|
|
fclose(f);
|
|
exit(0);
|
|
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
|
|
#ifdef OPENSSL_IS_BORINGSSL
|
|
ERR(1, "BoringSSL does not support extracting from PKCS#11");
|
|
exit(1);
|
|
#else
|
|
ENGINE *e;
|
|
struct {
|
|
const char *cert_id;
|
|
X509 *cert;
|
|
} parms;
|
|
|
|
parms.cert_id = cert_src;
|
|
parms.cert = NULL;
|
|
|
|
ENGINE_load_builtin_engines();
|
|
drain_openssl_errors();
|
|
e = ENGINE_by_id("pkcs11");
|
|
ERR(!e, "Load PKCS#11 ENGINE");
|
|
if (ENGINE_init(e))
|
|
drain_openssl_errors();
|
|
else
|
|
ERR(1, "ENGINE_init");
|
|
if (key_pass)
|
|
ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
|
|
ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
|
|
ERR(!parms.cert, "Get X.509 from PKCS#11");
|
|
write_cert(parms.cert);
|
|
#endif
|
|
} else {
|
|
BIO *b;
|
|
X509 *x509;
|
|
|
|
b = BIO_new_file(cert_src, "rb");
|
|
ERR(!b, "%s", cert_src);
|
|
|
|
while (1) {
|
|
x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
|
|
if (wb && !x509) {
|
|
unsigned long err = ERR_peek_last_error();
|
|
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
|
|
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
|
|
ERR_clear_error();
|
|
break;
|
|
}
|
|
}
|
|
ERR(!x509, "%s", cert_src);
|
|
write_cert(x509);
|
|
}
|
|
}
|
|
|
|
BIO_free(wb);
|
|
|
|
return 0;
|
|
}
|