Message-ID: <1431708823.4727.11.camel@infradead.org>
Date:	Fri, 15 May 2015 17:53:43 +0100
From:	David Woodhouse <David.Woodhouse@...el.com>
To:	dhowells@...hat.com
Cc:	rusty@...tcorp.com.au, mmarek@...e.cz, mjg59@...f.ucam.org,
	keyrings@...ux-nfs.org, dmitry.kasatkin@...il.com, mcgrof@...e.com,
	linux-kernel@...r.kernel.org, dhowells@...hat.com,
	seth.forshee@...onical.com, linux-security-module@...r.kernel.org
Subject: [PATCH 3/4] modsign: Allow password to be specified for signing key

Signed-off-by: David Woodhouse <David.Woodhouse@...el.com>
---
 Documentation/module-signing.txt |  2 ++
 Makefile                         |  1 +
 init/Kconfig                     |  6 ++++++
 scripts/sign-file.c              | 39 ++++++++++++++++++++++++++++++++++++++-
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/Documentation/module-signing.txt b/Documentation/module-signing.txt
index c72702e..b0ed080 100644
--- a/Documentation/module-signing.txt
+++ b/Documentation/module-signing.txt
@@ -194,6 +194,8 @@ The hash algorithm used does not have to match the one configured, but if it
 doesn't, you should make sure that hash algorithm is either built into the
 kernel or can be loaded without requiring itself.
 
+If the private key requires a passphrase or PIN, it can be provided in the
+$CONFIG_MODULE_SIG_KEY_PASSWORD environment variable.
 
 ============================
 SIGNED MODULES AND STRIPPING
diff --git a/Makefile b/Makefile
index 9590e67..70c066c 100644
--- a/Makefile
+++ b/Makefile
@@ -875,6 +875,7 @@ ifdef CONFIG_MODULE_SIG_ALL
 MODSECKEY = $(CONFIG_MODULE_SIG_KEY)
 MODPUBKEY = ./signing_key.x509
 export MODPUBKEY
+export CONFIG_MODULE_SIG_KEY_PASSWORD
 mod_sign_cmd = scripts/sign-file $(CONFIG_MODULE_SIG_HASH) $(MODSECKEY) $(MODPUBKEY)
 else
 mod_sign_cmd = true
diff --git a/init/Kconfig b/init/Kconfig
index 1ca075a..7bbc857 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1967,6 +1967,12 @@ config MODULE_SIG_KEY
          Provide the file name of a private key in PEM format, or a PKCS#11
          URI according to RFC7512 to specify the key.
 
+config MODULE_SIG_KEY_PASSWORD
+       string "Passphrase or PIN for module signing key if needed" if MODULE_SIG_EXTERNAL_KEY
+       help
+         If a passphrase or PIN is required for the private key, provide
+         it here.
+
 config MODULE_COMPRESS
        bool "Compress modules on installation"
        depends on MODULES
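Review bot: A `string` option for the passphrase means the secret is written in plain text to `.config` and, presumably, to the generated configuration files derived from it; the Makefile hunk additionally exports it into the environment of every recipe. Configurations are routinely attached to bug reports and can be embedded in the kernel image when CONFIG_IKCONFIG is enabled, so the signing-key passphrase or PIN can leave the build host unnoticed. Consider taking the passphrase only from the build environment instead of Kconfig, or at minimum extend the help text, e.g. `The value is stored unencrypted in .config; do not share or embed a configuration that sets it.`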
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 39aaabe..9a54acc 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -80,9 +80,32 @@ static void drain_openssl_errors(void)
                }                                       \
        } while(0)
 
+static char *key_pass;
+
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+       int pwlen;
+
+       if (!key_pass)
+               return -1;
+
+       pwlen = strlen(key_pass);
+       if (pwlen >= len)
+               return -1;
+
+       strcpy(buf, key_pass);
+
+       /* If it's wrong, don't keep trying it. */
+       free(key_pass);
+       key_pass = NULL;
+
+       return pwlen;
+}
+
 int main(int argc, char **argv)
 {
        struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+       const char *pass_env;
        char *hash_algo = NULL;
        char *private_key_name, *x509_name, *module_name, *dest_name;
        bool save_pkcs7 = false, replace_orig;
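Review bot: pem_pw_cb() releases the only heap copy of the passphrase with `free(key_pass)` without clearing it first, so the secret remains in freed heap memory for the rest of the run. As the file already uses OpenSSL, add `OPENSSL_cleanse(key_pass, pwlen);` immediately before the `free()`; a plain memset in that position may be optimised away. The callback would also benefit from a header comment such as `/* One-shot PEM passphrase callback: fails after the first use so a wrong passphrase is not retried. */`, since the -1 return on later calls is otherwise only implied by the inline comment. main()'s body continues outside this hunk.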
@@ -96,6 +119,7 @@ int main(int argc, char **argv)
        BIO *b, *bd = NULL, *bm;
        int opt, n;
 
+       OpenSSL_add_all_algorithms();
        ERR_load_crypto_strings();
        ERR_clear_error();
 
@@ -127,12 +151,25 @@ int main(int argc, char **argv)
                replace_orig = true;
        }
 
+       pass_env = getenv("CONFIG_MODULE_SIG_KEY_PASSWORD");
+       if (pass_env) {
+               int pwlen = strlen(pass_env);
+
+               if (pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {
+                       pass_env++;
+                       pwlen -= 2;
+               }
+               if (pwlen)
+                       key_pass = strndup(pass_env, pwlen);
+       }
+
        /* Read the private key and the X.509 cert the PKCS#7 message
         * will point to.
         */
        b = BIO_new_file(private_key_name, "rb");
        ERR(!b, "%s", private_key_name);
-        private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
+       private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
+       ERR(!private_key, "%s", private_key_name);
        BIO_free(b);
 
        b = BIO_new_file(x509_name, "rb");
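Review bot: The quote-stripping test `pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"'` also matches a value consisting of a single `"` character, because the first and last byte are then the same byte. `pwlen -= 2` leaves -1, `if (pwlen)` is true, and the negative int is converted to a very large size_t in `strndup()`, which yields an empty passphrase instead of the one-character one. Guard the strip with the length, `if (pwlen >= 2 && pass_env[0] == '\"' && pass_env[pwlen - 1] == '\"') {`, and test `if (pwlen > 0)` afterwards. The `strndup()` result is not checked either, so an allocation failure is indistinguishable from no passphrase being set; reporting it through the existing `ERR()` macro would make that visible. main() starts and ends outside this hunk.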
-- 
2.4.0

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5691 bytes)
