From: Shreenidhi Shedi <yesshedi@gmail.com>
To: dhowells@redhat.com, dwmw2@infradead.org,
	gregkh@linuxfoundation.org, masahiroy@kernel.org,
	nathan@kernel.org, ndesaulniers@google.com, nicolas@fjasle.eu
Cc: yesshedi@gmail.com, linux-kernel@vger.kernel.org,
	sshedi@vmware.com, linux-kbuild@vger.kernel.org
Subject: [PATCH v8 3/8] sign-file: move file signing logic to its own function
Date: Mon,  7 Aug 2023 16:43:11 +0530	[thread overview]
Message-ID: <20230807111316.315836-4-yesshedi@gmail.com> (raw)
In-Reply-To: <20230807111316.315836-1-yesshedi@gmail.com>

Keep the main function minimal by moving the file signing logic out of it.
This patch is pre-work for bulk module signing support.

Signed-off-by: Shreenidhi Shedi <yesshedi@gmail.com>
---
 scripts/sign-file.c | 115 +++++++++++++++++++++-----------------------
 1 file changed, 54 insertions(+), 61 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index b0f340ea629b..64d5e00f08e2 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -313,10 +313,10 @@ static void parse_args(int argc, char **argv, struct cmd_opts *opts)
 	} while (opt != -1);
 }
 
-int main(int argc, char **argv)
+static int sign_single_file(struct cmd_opts *opts)
 {
 	struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 };
-	unsigned char buf[4096];
+	unsigned char buf[4096] = {};
 	unsigned long module_size, sig_size;
 	unsigned int use_signed_attrs;
 	const EVP_MD *digest_algo;
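Review bot: sign_single_file() is introduced without a comment stating its contract, which matters once the bulk-signing caller announced in the description depends on it. Every return visible in this patch is `return 0`, and failures go through ERR(), which presumably terminates the process instead of returning (the macro is outside this patch), so the int return value tells a caller nothing. Once that behaviour is confirmed I would add above the signature: `/* Sign opts->module_name into opts->dest_name; returns 0 on success and does not return on failure (ERR() exits). */`. The function body continues outside this hunk.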
@@ -329,11 +329,6 @@ int main(int argc, char **argv)
 	X509 *x509;
 	BIO *bd, *bm;
 	int n;
-	struct cmd_opts opts = {};
-
-	OpenSSL_add_all_algorithms();
-	ERR_load_crypto_strings();
-	ERR_clear_error();
 
 	key_pass = getenv("KBUILD_SIGN_PIN");
 
@@ -342,34 +337,6 @@ int main(int argc, char **argv)
 #else
 	use_signed_attrs = PKCS7_NOATTR;
 #endif
-	parse_args(argc, argv, &opts);
-	argc -= optind;
-	argv += optind;
-
-	const char *raw_sig_name = opts.raw_sig_name;
-	const char *hash_algo = opts.hash_algo;
-	const char *private_key_name = opts.private_key_name;
-	const char *x509_name = opts.x509_name;
-	const char *module_name = opts.module_name;
-	const bool save_sig = opts.save_sig;
-	const bool raw_sig = opts.raw_sig;
-	const bool sign_only = opts.sign_only;
-	bool replace_orig = opts.replace_orig;
-	char *dest_name = opts.dest_name;
-#ifndef USE_PKCS7
-	const unsigned int use_keyid = opts.use_keyid;
-#endif
-
-	if (!argv[0] || argc != 1)
-		format();
-
-	if (dest_name && strcmp(argv[0], dest_name)) {
-		replace_orig = false;
-	} else {
-		ERR(asprintf(&dest_name, "%s.~signed~", module_name) < 0,
-				"asprintf");
-		replace_orig = true;
-	}
 
 #ifdef USE_PKCS7
 	if (strcmp(hash_algo, "sha1") != 0) {
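Review bot: The context line `if (strcmp(hash_algo, "sha1") != 0) {` under `#ifdef USE_PKCS7` still reads the local `hash_algo`, whose declaration this hunk removes. A USE_PKCS7 build would therefore fail to compile unless the name is declared in lines the patch does not show. The digest lookup in a later hunk was converted to `opts->hash_algo`; this line should likewise become `if (strcmp(opts->hash_algo, "sha1") != 0) {`. The `#ifdef` block continues past the end of the hunk.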
@@ -380,20 +347,20 @@ int main(int argc, char **argv)
 #endif
 
 	/* Open the module file */
-	bm = BIO_new_file(module_name, "rb");
-	ERR(!bm, "%s", module_name);
+	bm = BIO_new_file(opts->module_name, "rb");
+	ERR(!bm, "%s", opts->module_name);
 
-	if (!raw_sig) {
+	if (!opts->raw_sig) {
 		/* Read the private key and the X.509 cert the PKCS#7 message
 		 * will point to.
 		 */
-		private_key = read_private_key(private_key_name);
-		x509 = read_x509(x509_name);
+		private_key = read_private_key(opts->private_key_name);
+		x509 = read_x509(opts->x509_name);
 
 		/* Digest the module data. */
 		OpenSSL_add_all_digests();
 		display_openssl_errors(__LINE__);
-		digest_algo = EVP_get_digestbyname(hash_algo);
+		digest_algo = EVP_get_digestbyname(opts->hash_algo);
 		ERR(!digest_algo, "EVP_get_digestbyname");
 
 #ifndef USE_PKCS7
@@ -405,7 +372,7 @@ int main(int argc, char **argv)
 
 		ERR(!CMS_add1_signer(cms, x509, private_key, digest_algo,
 				     CMS_NOCERTS | CMS_BINARY |
-				     CMS_NOSMIMECAP | use_keyid |
+				     CMS_NOSMIMECAP | opts->use_keyid |
 				     use_signed_attrs),
 		    "CMS_add1_signer");
 		ERR(CMS_final(cms, bm, NULL, CMS_NOCERTS | CMS_BINARY) < 0,
@@ -418,11 +385,11 @@ int main(int argc, char **argv)
 		ERR(!pkcs7, "PKCS7_sign");
 #endif
 
-		if (save_sig) {
+		if (opts->save_sig) {
 			char *sig_file_name;
 			BIO *b;
 
-			ERR(asprintf(&sig_file_name, "%s.p7s", module_name) < 0,
+			ERR(asprintf(&sig_file_name, "%s.p7s", opts->module_name) < 0,
 			    "asprintf");
 			b = BIO_new_file(sig_file_name, "wb");
 			ERR(!b, "%s", sig_file_name);
@@ -436,7 +403,7 @@ int main(int argc, char **argv)
 			BIO_free(b);
 		}
 
-		if (sign_only) {
+		if (opts->sign_only) {
 			BIO_free(bm);
 			return 0;
 		}
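Review bot: The `sign_only` return releases only `bm`; no release of `private_key`, `x509` or the `cms`/`pkcs7` object is visible on this path, and the final `return 0` in the last hunk does not free them either. That was harmless while this code was main() and the process exited right away, but a function meant to be called once per module keeps a copy of the private key and the signature structure alive for every file it signs. Free them before each return, e.g. `EVP_PKEY_free(private_key); X509_free(x509);` plus `CMS_ContentInfo_free(cms);` or `PKCS7_free(pkcs7);` under the matching `#ifdef`. They are assigned only in the `!opts->raw_sig` branch, so they need a NULL initialiser for the raw-signature path. The enclosing function starts and ends outside this hunk.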
@@ -445,24 +412,24 @@ int main(int argc, char **argv)
 	/* Open the destination file now so that we can shovel the module data
 	 * across as we read it.
 	 */
-	bd = BIO_new_file(dest_name, "wb");
-	ERR(!bd, "%s", dest_name);
+	bd = BIO_new_file(opts->dest_name, "wb");
+	ERR(!bd, "%s", opts->dest_name);
 
 	/* Append the marker and the PKCS#7 message to the destination file */
-	ERR(BIO_reset(bm) < 0, "%s", module_name);
+	ERR(BIO_reset(bm) < 0, "%s", opts->module_name);
 	while ((n = BIO_read(bm, buf, sizeof(buf))),
 	       n > 0) {
-		ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
+		ERR(BIO_write(bd, buf, n) < 0, "%s", opts->dest_name);
 	}
 	BIO_free(bm);
-	ERR(n < 0, "%s", module_name);
+	ERR(n < 0, "%s", opts->module_name);
 	module_size = BIO_number_written(bd);
 
-	if (!raw_sig) {
+	if (!opts->raw_sig) {
 #ifndef USE_PKCS7
-		ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", dest_name);
+		ERR(i2d_CMS_bio_stream(bd, cms, NULL, 0) < 0, "%s", opts->dest_name);
 #else
-		ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", dest_name);
+		ERR(i2d_PKCS7_bio(bd, pkcs7) < 0, "%s", opts->dest_name);
 #endif
 	} else {
 		BIO *b;
@@ -470,23 +437,49 @@ int main(int argc, char **argv)
 		/* Read the raw signature file and write the data to the
 		 * destination file
 		 */
-		b = BIO_new_file(raw_sig_name, "rb");
-		ERR(!b, "%s", raw_sig_name);
+		b = BIO_new_file(opts->raw_sig_name, "rb");
+		ERR(!b, "%s", opts->raw_sig_name);
 		while ((n = BIO_read(b, buf, sizeof(buf))), n > 0)
-			ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
+			ERR(BIO_write(bd, buf, n) < 0, "%s", opts->dest_name);
 		BIO_free(b);
 	}
 
 	sig_size = BIO_number_written(bd) - module_size;
 	sig_info.sig_len = htonl(sig_size);
-	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", dest_name);
-	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", dest_name);
+	ERR(BIO_write(bd, &sig_info, sizeof(sig_info)) < 0, "%s", opts->dest_name);
+	ERR(BIO_write(bd, magic_number, sizeof(magic_number) - 1) < 0, "%s", opts->dest_name);
 
-	ERR(BIO_free(bd) < 0, "%s", dest_name);
+	ERR(BIO_free(bd) < 0, "%s", opts->dest_name);
 
 	/* Finally, if we're signing in place, replace the original. */
-	if (replace_orig)
-		ERR(rename(dest_name, module_name) < 0, "%s", dest_name);
+	if (opts->replace_orig)
+		ERR(rename(opts->dest_name, opts->module_name) < 0, "%s", opts->dest_name);
 
 	return 0;
 }
+
+int main(int argc, char **argv)
+{
+	struct cmd_opts opts = {};
+
+	parse_args(argc, argv, &opts);
+	argc -= optind;
+	argv += optind;
+
+	if (!argv[0] || argc != 1)
+		format();
+
+	if (opts.dest_name && strcmp(argv[0], opts.dest_name)) {
+		opts.replace_orig = false;
+	} else {
+		ERR(asprintf(&opts.dest_name, "%s.~signed~", opts.module_name) < 0,
+				"asprintf");
+		opts.replace_orig = true;
+	}
+
+	OpenSSL_add_all_algorithms();
+	ERR_load_crypto_strings();
+	ERR_clear_error();
+
+	return sign_single_file(&opts);
+}
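Review bot: main() validates and compares the positional argument `argv[0]`, but the temporary name is built from `opts.module_name`, and sign_single_file() reads only `opts->module_name`. parse_args() is outside this patch, so it cannot be confirmed here that it stores that same positional in `opts.module_name`; if it does not, `asprintf` is handed a NULL pointer for `%s`. Using one source for both, for example `if (!opts.module_name) format();` followed by `strcmp(opts.module_name, opts.dest_name)`, would make the dependency explicit.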
-- 
2.41.0

