Message-Id: <1358955044-27407-4-git-send-email-mmarek@suse.cz>
Date: Wed, 23 Jan 2013 16:30:43 +0100
From: Michal Marek <mmarek@...e.cz>
To: dhowells@...hat.com, rusty@...abs.org
Cc: linux-kernel@...r.kernel.org
Subject: [PATCH 3/4] MODSIGN: Add -s <signature> option to sign-file
This option allows appending an externally computed signature to the
module. This is needed in setups where the private key is not directly
available, but a service exists that returns signatures for given files.
Signed-off-by: Michal Marek <mmarek@...e.cz>
---
scripts/sign-file | 92 ++++++++++++++++++++++++++++++-----------------------
1 file changed, 53 insertions(+), 39 deletions(-)
diff --git a/scripts/sign-file b/scripts/sign-file
index eefdec4..51e3b7b 100755
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -2,31 +2,42 @@
#
# Sign a module file using the given key.
#
-# Format:
-#
-# ./scripts/sign-file [-v] <key> <x509> <module> [<dest>]
-#
-#
+
+my $USAGE =
+"Usage: scripts/sign-file [-v] -a <hash algo> <key> <x509> <module> [<dest>]\n" .
+" scripts/sign-file [-v] -a <hash algo> -s <raw sig> <x509> ...\n";
+
use strict;
use FileHandle;
use IPC::Open2;
use Getopt::Std;
-our ($opt_v, $opt_a);
+our ($opt_v, $opt_a, $opt_s);
-my $res = getopts('va:');
+getopts('va:s:') or die $USAGE;
my $verbose = $opt_v;
my $dgst = $opt_a;
+my $signature_file = $opt_s;
-die "Format: ./scripts/sign-file [-v] -a <hash algo> <key> <x509> <module> [<dest>]\n"
- if (!$res || !$dgst || $#ARGV != 2 && $#ARGV != 3);
+die $USAGE if !$dgst || $#ARGV > 3;
+die $USAGE if !$signature_file && $#ARGV < 2 || $signature_file && $#ARGV < 1;
-my $private_key = $ARGV[0];
-my $x509 = $ARGV[1];
-my $module = $ARGV[2];
-my $dest = ($#ARGV == 3) ? $ARGV[3] : $ARGV[2] . "~";
+my $private_key;
+if (!$signature_file) {
+ $private_key = shift @ARGV;
+}
+my $x509 = shift @ARGV;
+my $module = shift @ARGV;
+my ($dest, $keep_orig);
+if (@ARGV) {
+ $dest = $ARGV[0];
+ $keep_orig = 1;
+} else {
+ $dest = $module . "~";
+}
-die "Can't read private key\n" unless (-r $private_key);
+die "Can't read private key\n" if !$signature_file && !-r $private_key;
+die "Can't read signature file\n" if $signature_file && !-r $signature_file;
die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
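Review bot: The upper bound on `die $USAGE if !$dgst || $#ARGV > 3;` is only right for the key mode; with `-s` the positional list is `<x509> <module> [<dest>]`, so a fourth argument should already be rejected, yet it passes both checks and is silently dropped after the two `shift`s (`$dest` takes `$ARGV[0]`, the remainder is ignored). A mode-aware bound such as `die $USAGE if $#ARGV > ($signature_file ? 2 : 3);` would catch that. The combined condition on the following line depends on `&&` binding tighter than `||`; parenthesizing the two alternatives, `die $USAGE if (!$signature_file && $#ARGV < 2) || ($signature_file && $#ARGV < 1);`, makes the intent explicit.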
@@ -340,33 +351,36 @@ if ($dgst eq "sha1") {
die "Unknown hash algorithm: $dgst\n";
}
-#
-# Generate the digest and read from openssl's stdout
-#
-my $digest;
-$digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
-
-#
-# Generate the binary signature, which will be just the integer that comprises
-# the signature with no metadata attached.
-#
-my $pid;
-$pid = open2(*read_from, *write_to,
- "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
- die "openssl rsautl";
-binmode write_to;
-print write_to $prologue . $digest || die "pipe to openssl rsautl";
-close(write_to) || die "pipe to openssl rsautl";
-
-binmode read_from;
my $signature;
-read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
-close(read_from) || die "pipe from openssl rsautl";
+if ($signature_file) {
+ $signature = read_file($signature_file);
+} else {
+ #
+ # Generate the digest and read from openssl's stdout
+ #
+ my $digest;
+ $digest = readpipe("openssl dgst -$dgst -binary $module") || die "openssl dgst";
+
+ #
+ # Generate the binary signature, which will be just the integer that
+ # comprises the signature with no metadata attached.
+ #
+ my $pid;
+ $pid = open2(*read_from, *write_to,
+ "openssl rsautl -sign -inkey $private_key -keyform PEM") ||
+ die "openssl rsautl";
+ binmode write_to;
+ print write_to $prologue . $digest || die "pipe to openssl rsautl";
+ close(write_to) || die "pipe to openssl rsautl";
+
+ binmode read_from;
+ read(read_from, $signature, 4096) || die "pipe from openssl rsautl";
+ close(read_from) || die "pipe from openssl rsautl";
+ waitpid($pid, 0) || die;
+ die "openssl rsautl died: $?" if ($? >> 8);
+}
$signature = pack("n", length($signature)) . $signature,
-waitpid($pid, 0) || die;
-die "openssl rsautl died: $?" if ($? >> 8);
-
#
# Build the signed binary
#
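Review bot: The signature loaded on the `$signature = read_file($signature_file);` line is used with no sanity check, whereas the openssl path is bounded by `read(read_from, $signature, 4096)`; because the length is later encoded with `pack("n", ...)`, a file longer than 65535 bytes would have its length field silently truncated and an empty file would yield a zero-length signature. A check such as `die "Bad signature length\n" if !length($signature) || length($signature) > 65535;` directly after the read_file call would close that gap. `read_file` is not defined within the hunk, so whether it reads in binary mode cannot be confirmed here; it needs to, since the signature is raw bytes. Separately, the trailing comma on `$signature = pack("n", length($signature)) . $signature,` used to chain this assignment to the `waitpid` statement that has now moved into the else branch, so it now joins whatever statement follows the comment block outside the hunk; ending the line with `;` would be safer. The `readpipe` and `open2` calls still interpolate `$module` and `$private_key` into a shell command string (pre-existing); list-form `open2(*read_from, *write_to, 'openssl', 'rsautl', '-sign', '-inkey', $private_key, '-keyform', 'PEM')` would avoid shell parsing of those paths.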
@@ -403,6 +417,6 @@ print FD
;
close FD || die $dest;
-if ($#ARGV != 3) {
+if (!$keep_orig) {
rename($dest, $module) || die $module;
}
--
1.7.10.4