Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
2
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
bc1c373
Documentation
arch
block
crypto
drivers
firmware
fs
include
init
ipc
kernel
lib
mm
net
samples
scripts
basic
coccinelle
dtc
gdb
genksyms
kconfig
ksymoops
mod
package
rt-tester
selinux
tracing
.gitignore
Kbuild.include
Lindent
Makefile
Makefile.asm-generic
Makefile.build
Makefile.clean
Makefile.dtbinst
Makefile.extrawarn
Makefile.fwinst
Makefile.headersinst
Makefile.help
Makefile.host
Makefile.kasan
Makefile.lib
Makefile.modbuiltin
Makefile.modinst
Makefile.modpost
Makefile.modsign
analyze_suspend.py
asn1_compiler.c
bloat-o-meter
bootgraph.pl
check_extable.sh
checkincludes.pl
checkkconfigsymbols.py
checkpatch.pl
checkstack.pl
checksyscalls.sh
checkversion.pl
cleanfile
cleanpatch
coccicheck
config
conmakehash.c
decode_stacktrace.sh
decodecode
depmod.sh
diffconfig
docproc.c
export_report.pl
extract-ikconfig
extract-vmlinux
gcc-goto.sh
gcc-ld
gcc-version.sh
gcc-x86_32-has-stack-protector.sh
gcc-x86_64-has-stack-protector.sh
gen_initramfs_list.sh
get_maintainer.pl
gfp-translate
headerdep.pl
headers.sh
headers_check.pl
headers_install.sh
kallsyms.c
kernel-doc
ld-version.sh
link-vmlinux.sh
makelst
markup_oops.pl
mkcompile_h
mkmakefile
mksysmap
mkuboot.sh
mkversion
module-common.lds
namespace.pl
objdiff
patch-kernel
pnmtologo.c
profile2linkerlist.pl
recordmcount.c
recordmcount.h
recordmcount.pl
setlocalversion
show_delta
sign-file
sign-file.c
sortextable.c
sortextable.h
spelling.txt
tags.sh
unifdef.c
ver_linux
xen-hypercalls.sh
xz_wrap.sh
security
sound
tools
usr
virt
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
REPORTING-BUGS
Breadcrumbs
linux
/
scripts
/
sign-file.c
Blame
Blame
Latest commit
History
History
executable file
·
205 lines (176 loc) · 5.35 KB
Breadcrumbs
linux
/
scripts
/
sign-file.c
Top
File metadata and controls
Code
Blame
executable file
·
205 lines (176 loc) · 5.35 KB
Raw
/* Sign a module file using the given key. * * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public Licence * as published by the Free Software Foundation; either version * 2 of the Licence, or (at your option) any later version. */ #define _GNU_SOURCE #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <stdbool.h> #include <string.h> #include <getopt.h> #include <err.h> #include <arpa/inet.h> #include <openssl/bio.h> #include <openssl/evp.h> #include <openssl/pem.h> #include <openssl/pkcs7.h> #include <openssl/err.h> struct module_signature { uint8_t algo; /* Public-key crypto algorithm [0] */ uint8_t hash; /* Digest algorithm [0] */ uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */ uint8_t signer_len; /* Length of signer's name [0] */ uint8_t key_id_len; /* Length of key identifier [0] */ uint8_t __pad[3]; uint32_t sig_len; /* Length of signature data */ }; #define PKEY_ID_PKCS7 2 static char magic_number[] = "~Module signature appended~\n"; static __attribute__((noreturn)) void format(void) { fprintf(stderr, "Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]\n"); exit(2); } static void display_openssl_errors(int l) { const char *file; char buf[120]; int e, line; if (ERR_peek_error() == 0) return; fprintf(stderr, "At main.c:%d:\n", l); while ((e = ERR_get_error_line(&file, &line))) { ERR_error_string(e, buf); fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line); } } static void drain_openssl_errors(void) { const char *file; int line; if (ERR_peek_error() == 0) return; while (ERR_get_error_line(&file, &line)) {} } #define ERR(cond, fmt, ...) \ do { \ bool __cond = (cond); \ display_openssl_errors(__LINE__); \ if (__cond) { \ err(1, fmt, ## __VA_ARGS__); \ } \ } while(0) int main(int argc, char **argv) { struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; char *hash_algo = NULL; char *private_key_name, *x509_name, *module_name, *dest_name; bool save_pkcs7 = false, replace_orig; unsigned char buf[4096]; unsigned long module_size, pkcs7_size; const EVP_MD *digest_algo; EVP_PKEY *private_key; PKCS7 *pkcs7; X509 *x509; BIO *b, *bd, *bm; int opt, n; ERR_load_crypto_strings(); ERR_clear_error(); do { opt = getopt(argc, argv, "dp"); switch (opt) { case 'p': save_pkcs7 = true; break; case -1: break; default: format(); } } while (opt != -1); argc -= optind; argv += optind; if (argc < 4 || argc > 5) format(); hash_algo = argv[0]; private_key_name = argv[1]; x509_name = argv[2]; module_name = argv[3]; if (argc == 5) { dest_name = argv[4]; replace_orig = false; } else { ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0, "asprintf"); replace_orig = true; } /* Read the private key and the X.509 cert the PKCS#7 message * will point to. */ b = BIO_new_file(private_key_name, "rb"); ERR(!b, "%s", private_key_name); private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); BIO_free(b); b = BIO_new_file(x509_name, "rb"); ERR(!b, "%s", x509_name); x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */ if (!x509) { BIO_reset(b); x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */ if (x509) drain_openssl_errors(); } BIO_free(b); ERR(!x509, "%s", x509_name); /* Open the destination file now so that we can shovel the module data * across as we read it. */ bd = BIO_new_file(dest_name, "wb"); ERR(!bd, "%s", dest_name); /* Digest the module data. */ OpenSSL_add_all_digests(); display_openssl_errors(__LINE__); digest_algo = EVP_get_digestbyname(hash_algo); ERR(!digest_algo, "EVP_get_digestbyname"); bm = BIO_new_file(module_name, "rb"); ERR(!bm, "%s", module_name); /* Load the PKCS#7 message from the digest buffer. */ pkcs7 = PKCS7_sign(NULL, NULL, NULL, NULL, PKCS7_NOCERTS | PKCS7_PARTIAL | PKCS7_BINARY | PKCS7_DETACHED | PKCS7_STREAM); ERR(!pkcs7, "PKCS7_sign"); ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, PKCS7_NOCERTS | PKCS7_BINARY), "PKCS7_sign_add_signer"); ERR(PKCS7_final(pkcs7, bm, PKCS7_NOCERTS | PKCS7_BINARY) < 0, "PKCS7_final"); if (save_pkcs7) { char *pkcs7_name; ERR(asprintf(&pkcs7_name, "%s.pkcs7", module_name) < 0, "asprintf"); b = BIO_new_file(pkcs7_name, "wb"); ERR(!b, "%s", pkcs7_name); ERR(i2d_PKCS7_bio_stream(b, pkcs7, NULL, 0) < 0, "%s", pkcs7_name); BIO_free(b); } /* Append the marker and the PKCS#7 message to the destination file */ ERR(BIO_reset(bm) < 0, "%s", module_name); while ((n = BIO_read(bm, buf, sizeof(buf))), n > 0) { ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name); } ERR(n < 0, "%s", module_name); module_size = BIO_number_written(bd); ERR(i2d_PKCS7_bio_stream(bd, pkcs7, NULL, 0) < 0, "%s", dest_name); pkcs7_size = BIO_number_written(bd) - module_size; sig_info.sig_len = htonl(pkcs7_size); ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name); ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name); ERR(BIO_free(bd) < 0, "%s", dest_name); /* Finally, if we're signing in place, replace the original. */ if (replace_orig) ERR(rename(dest_name, module_name) < 0, "%s", dest_name); return 0; }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
You can’t perform that action at this time.