diff options
| author | David Woodhouse <David.Woodhouse@intel.com> | 2015-07-20 16:16:28 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2015-08-07 11:26:14 -0400 |
| commit | af1eb2913275c3ab1598b0c24c893499092df08a (patch) | |
| tree | e176ad5867a4d4ca3db433e62fb362e5fff00be8 /scripts/sign-file.c | |
| parent | caf6fe91ddf62a96401e21e9b7a07227440f4185 (diff) | |
modsign: Allow password to be specified for signing key
We don't want this in the Kconfig since it might then get exposed in
/proc/config.gz. So make it a parameter to Kbuild instead. This also
means we don't have to jump through hoops to strip quotes from it, as
we would if it was a config option.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'scripts/sign-file.c')
| -rwxr-xr-x | scripts/sign-file.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 39aaabe89388..720b9bc933ae 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c | |||
| @@ -80,6 +80,27 @@ static void drain_openssl_errors(void) | |||
| 80 | } \ | 80 | } \ |
| 81 | } while(0) | 81 | } while(0) |
| 82 | 82 | ||
| 83 | static const char *key_pass; | ||
| 84 | |||
| 85 | static int pem_pw_cb(char *buf, int len, int w, void *v) | ||
| 86 | { | ||
| 87 | int pwlen; | ||
| 88 | |||
| 89 | if (!key_pass) | ||
| 90 | return -1; | ||
| 91 | |||
| 92 | pwlen = strlen(key_pass); | ||
| 93 | if (pwlen >= len) | ||
| 94 | return -1; | ||
| 95 | |||
| 96 | strcpy(buf, key_pass); | ||
| 97 | |||
| 98 | /* If it's wrong, don't keep trying it. */ | ||
| 99 | key_pass = NULL; | ||
| 100 | |||
| 101 | return pwlen; | ||
| 102 | } | ||
| 103 | |||
| 83 | int main(int argc, char **argv) | 104 | int main(int argc, char **argv) |
| 84 | { | 105 | { |
| 85 | struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; | 106 | struct module_signature sig_info = { .id_type = PKEY_ID_PKCS7 }; |
| @@ -96,9 +117,12 @@ int main(int argc, char **argv) | |||
| 96 | BIO *b, *bd = NULL, *bm; | 117 | BIO *b, *bd = NULL, *bm; |
| 97 | int opt, n; | 118 | int opt, n; |
| 98 | 119 | ||
| 120 | OpenSSL_add_all_algorithms(); | ||
| 99 | ERR_load_crypto_strings(); | 121 | ERR_load_crypto_strings(); |
| 100 | ERR_clear_error(); | 122 | ERR_clear_error(); |
| 101 | 123 | ||
| 124 | key_pass = getenv("KBUILD_SIGN_PIN"); | ||
| 125 | |||
| 102 | do { | 126 | do { |
| 103 | opt = getopt(argc, argv, "dp"); | 127 | opt = getopt(argc, argv, "dp"); |
| 104 | switch (opt) { | 128 | switch (opt) { |
| @@ -132,7 +156,8 @@ int main(int argc, char **argv) | |||
| 132 | */ | 156 | */ |
| 133 | b = BIO_new_file(private_key_name, "rb"); | 157 | b = BIO_new_file(private_key_name, "rb"); |
| 134 | ERR(!b, "%s", private_key_name); | 158 | ERR(!b, "%s", private_key_name); |
| 135 | private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL); | 159 | private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); |
| 160 | ERR(!private_key, "%s", private_key_name); | ||
| 136 | BIO_free(b); | 161 | BIO_free(b); |
| 137 | 162 | ||
| 138 | b = BIO_new_file(x509_name, "rb"); | 163 | b = BIO_new_file(x509_name, "rb"); |