lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210210074554.81100-1-songyang@linux.alibaba.com>
Date:   Wed, 10 Feb 2021 15:45:54 +0800
From:   Yang Song <songyang@...ux.alibaba.com>
To:     dhowells@...hat.com, dwmw2@...radead.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     zhang.jia@...ux.alibaba.com, tianjia.zhang@...ux.alibaba.com,
        songyang@...ux.alibaba.com
Subject: [PATCH] sign-file: add openssl engine support

Use a customized signature service supported by openssl engine
to sign the kernel module.
Add command line parameters that support engine for sign-file
to use the customized openssl engine service to sign kernel modules.

Signed-off-by: Yang Song <songyang@...ux.alibaba.com>
---
 scripts/sign-file.c | 65 ++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 62 insertions(+), 3 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..276068e9b595 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -70,7 +70,7 @@ static __attribute__((noreturn))
 void format(void)
 {
 	fprintf(stderr,
-		"Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n");
+		"Usage: scripts/sign-file [-edp] [<openssl engine>] <hash algo> <key> <x509> <module> [<dest>]\n");
 	fprintf(stderr,
 		"       scripts/sign-file -s <raw sig> <hash algo> <x509> <module> [<dest>]\n");
 	exit(2);
@@ -206,12 +206,54 @@ static X509 *read_x509(const char *x509_name)
 	return x509;
 }
 
+/* Try to load an engine in a shareable library */
+static ENGINE *try_load_engine(const char *engine)
+{
+	ENGINE *e = ENGINE_by_id("dynamic");
+	if (e) {
+		if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
+			|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
+			ENGINE_free(e);
+			e = NULL;
+		}
+	}
+	return e;
+}
+
+static ENGINE *setup_engine(const char *engine)
+{
+	ENGINE *e = NULL;
+
+	if (engine) {
+		e = ENGINE_by_id(engine);
+		if (e == NULL) {
+			e = try_load_engine(engine);
+			if (e == NULL) {
+				ERR(1, "invalid engine \"%s\"\n", engine);
+				return NULL;
+			}
+		}
+
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+			ERR(1, "can't use that engine\n");
+			ENGINE_free(e);
+			return NULL;
+		}
+
+		fprintf(stdout,  "engine \"%s\" set.\n", ENGINE_get_id(e));
+	}
+
+	return e;
+}
+
 int main(int argc, char **argv)
 {
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
+	char *ossl_engine = NULL;
 	char *hash_algo = NULL;
 	char *private_key_name = NULL, *raw_sig_name = NULL;
 	char *x509_name, *module_name, *dest_name;
+	bool use_engine = false;
 	bool save_sig = false, replace_orig;
 	bool sign_only = false;
 	bool raw_sig = false;
@@ -242,8 +284,9 @@ int main(int argc, char **argv)
 #endif
 
 	do {
-		opt = getopt(argc, argv, "sdpk");
+		opt = getopt(argc, argv, "sedpk");
 		switch (opt) {
+		case 'e': use_engine = true; break;
 		case 's': raw_sig = true; break;
 		case 'p': save_sig = true; break;
 		case 'd': sign_only = true; save_sig = true; break;
@@ -257,13 +300,18 @@ int main(int argc, char **argv)
 
 	argc -= optind;
 	argv += optind;
-	if (argc < 4 || argc > 5)
+	if (argc < 4 || argc > 6)
 		format();
 
 	if (raw_sig) {
 		raw_sig_name = argv[0];
 		hash_algo = argv[1];
 	} else {
+		if (use_engine) {
+			ossl_engine = argv[0];
+			argc--;
+			argv++;
+		}
 		hash_algo = argv[0];
 		private_key_name = argv[1];
 	}
@@ -291,6 +339,17 @@ int main(int argc, char **argv)
 	ERR(!bm, "%s", module_name);
 
 	if (!raw_sig) {
+		if (use_engine) {
+			if (ossl_engine == NULL) {
+				fprintf(stderr, "Input openssl engine is null\n");
+				exit(1);
+			}
+
+			// Engine setup
+			ENGINE_load_builtin_engines();
+			setup_engine(ossl_engine);
+		}
+
 		/* Read the private key and the X.509 cert the PKCS#7 message
 		 * will point to.
 		 */
-- 
2.19.1.3.ge56e4f7

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ