Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/tools/bpf/bpftool/sign.c
50376 views
1
// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)

2
/*

3
 * Copyright (C) 2025 Google LLC.

4
 */

5


6
#ifndef _GNU_SOURCE

7
#define _GNU_SOURCE

8
#endif

9
#include <stdio.h>

10
#include <stdlib.h>

11
#include <stdint.h>

12
#include <stdbool.h>

13
#include <string.h>

14
#include <getopt.h>

15
#include <err.h>

16
#include <openssl/opensslv.h>

17
#include <openssl/bio.h>

18
#include <openssl/evp.h>

19
#include <openssl/pem.h>

20
#include <openssl/err.h>

21
#include <openssl/cms.h>

22
#include <linux/keyctl.h>

23
#include <errno.h>

24


25
#include <bpf/skel_internal.h>

26


27
#include "main.h"

28


29
#define OPEN_SSL_ERR_BUF_LEN 256

30


31
/* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */

32
#if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)

33
#define ERR_get_error_all(file, line, func, data, flags) \

34
	ERR_get_error_line_data(file, line, data, flags)

35
#endif

36


37
static void display_openssl_errors(int l)

38
{

39
	char buf[OPEN_SSL_ERR_BUF_LEN];

40
	const char *file;

41
	const char *data;

42
	unsigned long e;

43
	int flags;

44
	int line;

45


46
	while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {

47
		ERR_error_string_n(e, buf, sizeof(buf));

48
		if (data && (flags & ERR_TXT_STRING)) {

49
			p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);

50
		} else {

51
			p_err("OpenSSL %s: %s:%d", buf, file, line);

52
		}

53
	}

54
}

55


56
#define DISPLAY_OSSL_ERR(cond)				 \

57
	do {						 \

58
		bool __cond = (cond);			 \

59
		if (__cond && ERR_peek_error())		 \

60
			display_openssl_errors(__LINE__);\

61
	} while (0)

62


63
static EVP_PKEY *read_private_key(const char *pkey_path)

64
{

65
	EVP_PKEY *private_key = NULL;

66
	BIO *b;

67


68
	b = BIO_new_file(pkey_path, "rb");

69
	private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);

70
	BIO_free(b);

71
	DISPLAY_OSSL_ERR(!private_key);

72
	return private_key;

73
}

74


75
static X509 *read_x509(const char *x509_name)

76
{

77
	unsigned char buf[2];

78
	X509 *x509 = NULL;

79
	BIO *b;

80
	int n;

81


82
	b = BIO_new_file(x509_name, "rb");

83
	if (!b)

84
		goto cleanup;

85


86
	/* Look at the first two bytes of the file to determine the encoding */

87
	n = BIO_read(b, buf, 2);

88
	if (n != 2)

89
		goto cleanup;

90


91
	if (BIO_reset(b) != 0)

92
		goto cleanup;

93


94
	if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)

95
		/* Assume raw DER encoded X.509 */

96
		x509 = d2i_X509_bio(b, NULL);

97
	else

98
		/* Assume PEM encoded X.509 */

99
		x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);

100


101
cleanup:

102
	BIO_free(b);

103
	DISPLAY_OSSL_ERR(!x509);

104
	return x509;

105
}

106


107
__u32 register_session_key(const char *key_der_path)

108
{

109
	unsigned char *der_buf = NULL;

110
	X509 *x509 = NULL;

111
	int key_id = -1;

112
	int der_len;

113


114
	if (!key_der_path)

115
		return key_id;

116
	x509 = read_x509(key_der_path);

117
	if (!x509)

118
		goto cleanup;

119
	der_len = i2d_X509(x509, &der_buf);

120
	if (der_len < 0)

121
		goto cleanup;

122
	key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,

123
			     (size_t)der_len, KEY_SPEC_SESSION_KEYRING);

124
cleanup:

125
	X509_free(x509);

126
	OPENSSL_free(der_buf);

127
	DISPLAY_OSSL_ERR(key_id == -1);

128
	return key_id;

129
}

130


131
int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)

132
{

133
	BIO *bd_in = NULL, *bd_out = NULL;

134
	EVP_PKEY *private_key = NULL;

135
	CMS_ContentInfo *cms = NULL;

136
	long actual_sig_len = 0;

137
	X509 *x509 = NULL;

138
	int err = 0;

139


140
	bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);

141
	if (!bd_in) {

142
		err = -ENOMEM;

143
		goto cleanup;

144
	}

145


146
	private_key = read_private_key(private_key_path);

147
	if (!private_key) {

148
		err = -EINVAL;

149
		goto cleanup;

150
	}

151


152
	x509 = read_x509(cert_path);

153
	if (!x509) {

154
		err = -EINVAL;

155
		goto cleanup;

156
	}

157


158
	cms = CMS_sign(NULL, NULL, NULL, NULL,

159
		       CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |

160
			       CMS_STREAM);

161
	if (!cms) {

162
		err = -EINVAL;

163
		goto cleanup;

164
	}

165


166
	if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),

167
			     CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |

168
			     CMS_USE_KEYID | CMS_NOATTR)) {

169
		err = -EINVAL;

170
		goto cleanup;

171
	}

172


173
	if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {

174
		err = -EIO;

175
		goto cleanup;

176
	}

177


178
	EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,

179
		   &opts->excl_prog_hash_sz, EVP_sha256(), NULL);

180


181
		bd_out = BIO_new(BIO_s_mem());

182
	if (!bd_out) {

183
		err = -ENOMEM;

184
		goto cleanup;

185
	}

186


187
	if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {

188
		err = -EIO;

189
		goto cleanup;

190
	}

191


192
	actual_sig_len = BIO_get_mem_data(bd_out, NULL);

193
	if (actual_sig_len <= 0) {

194
		err = -EIO;

195
		goto cleanup;

196
	}

197


198
	if ((size_t)actual_sig_len > opts->signature_sz) {

199
		err = -ENOSPC;

200
		goto cleanup;

201
	}

202


203
	if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {

204
		err = -EIO;

205
		goto cleanup;

206
	}

207


208
	opts->signature_sz = actual_sig_len;

209
cleanup:

210
	BIO_free(bd_out);

211
	CMS_ContentInfo_free(cms);

212
	X509_free(x509);

213
	EVP_PKEY_free(private_key);

214
	BIO_free(bd_in);

215
	DISPLAY_OSSL_ERR(err < 0);

216
	return err;

217
}

218


219