1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
2 /*
3 * Copyright (C) 2025 Google LLC.
4 */
5
6 #ifndef _GNU_SOURCE
7 #define _GNU_SOURCE
8 #endif
9 #include <stdio.h>
10 #include <stdlib.h>
11 #include <stdint.h>
12 #include <stdbool.h>
13 #include <string.h>
14 #include <getopt.h>
15 #include <err.h>
16 #include <openssl/opensslv.h>
17 #include <openssl/bio.h>
18 #include <openssl/evp.h>
19 #include <openssl/pem.h>
20 #include <openssl/err.h>
21 #include <openssl/cms.h>
22 #include <linux/keyctl.h>
23 #include <errno.h>
24
25 #include <bpf/skel_internal.h>
26
27 #include "main.h"
28
29 #define OPEN_SSL_ERR_BUF_LEN 256
30
31 /* Use deprecated in 3.0 ERR_get_error_line_data for openssl < 3 */
32 #if !defined(OPENSSL_VERSION_MAJOR) || (OPENSSL_VERSION_MAJOR < 3)
33 #define ERR_get_error_all(file, line, func, data, flags) \
34 ERR_get_error_line_data(file, line, data, flags)
35 #endif
36
display_openssl_errors(int l)37 static void display_openssl_errors(int l)
38 {
39 char buf[OPEN_SSL_ERR_BUF_LEN];
40 const char *file;
41 const char *data;
42 unsigned long e;
43 int flags;
44 int line;
45
46 while ((e = ERR_get_error_all(&file, &line, NULL, &data, &flags))) {
47 ERR_error_string_n(e, buf, sizeof(buf));
48 if (data && (flags & ERR_TXT_STRING)) {
49 p_err("OpenSSL %s: %s:%d: %s", buf, file, line, data);
50 } else {
51 p_err("OpenSSL %s: %s:%d", buf, file, line);
52 }
53 }
54 }
55
56 #define DISPLAY_OSSL_ERR(cond) \
57 do { \
58 bool __cond = (cond); \
59 if (__cond && ERR_peek_error()) \
60 display_openssl_errors(__LINE__);\
61 } while (0)
62
read_private_key(const char * pkey_path)63 static EVP_PKEY *read_private_key(const char *pkey_path)
64 {
65 EVP_PKEY *private_key = NULL;
66 BIO *b;
67
68 b = BIO_new_file(pkey_path, "rb");
69 private_key = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
70 BIO_free(b);
71 DISPLAY_OSSL_ERR(!private_key);
72 return private_key;
73 }
74
read_x509(const char * x509_name)75 static X509 *read_x509(const char *x509_name)
76 {
77 unsigned char buf[2];
78 X509 *x509 = NULL;
79 BIO *b;
80 int n;
81
82 b = BIO_new_file(x509_name, "rb");
83 if (!b)
84 goto cleanup;
85
86 /* Look at the first two bytes of the file to determine the encoding */
87 n = BIO_read(b, buf, 2);
88 if (n != 2)
89 goto cleanup;
90
91 if (BIO_reset(b) != 0)
92 goto cleanup;
93
94 if (buf[0] == 0x30 && buf[1] >= 0x81 && buf[1] <= 0x84)
95 /* Assume raw DER encoded X.509 */
96 x509 = d2i_X509_bio(b, NULL);
97 else
98 /* Assume PEM encoded X.509 */
99 x509 = PEM_read_bio_X509(b, NULL, NULL, NULL);
100
101 cleanup:
102 BIO_free(b);
103 DISPLAY_OSSL_ERR(!x509);
104 return x509;
105 }
106
register_session_key(const char * key_der_path)107 __u32 register_session_key(const char *key_der_path)
108 {
109 unsigned char *der_buf = NULL;
110 X509 *x509 = NULL;
111 int key_id = -1;
112 int der_len;
113
114 if (!key_der_path)
115 return key_id;
116 x509 = read_x509(key_der_path);
117 if (!x509)
118 goto cleanup;
119 der_len = i2d_X509(x509, &der_buf);
120 if (der_len < 0)
121 goto cleanup;
122 key_id = syscall(__NR_add_key, "asymmetric", key_der_path, der_buf,
123 (size_t)der_len, KEY_SPEC_SESSION_KEYRING);
124 cleanup:
125 X509_free(x509);
126 OPENSSL_free(der_buf);
127 DISPLAY_OSSL_ERR(key_id == -1);
128 return key_id;
129 }
130
bpftool_prog_sign(struct bpf_load_and_run_opts * opts)131 int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
132 {
133 BIO *bd_in = NULL, *bd_out = NULL;
134 EVP_PKEY *private_key = NULL;
135 CMS_ContentInfo *cms = NULL;
136 long actual_sig_len = 0;
137 X509 *x509 = NULL;
138 int err = 0;
139
140 bd_in = BIO_new_mem_buf(opts->insns, opts->insns_sz);
141 if (!bd_in) {
142 err = -ENOMEM;
143 goto cleanup;
144 }
145
146 private_key = read_private_key(private_key_path);
147 if (!private_key) {
148 err = -EINVAL;
149 goto cleanup;
150 }
151
152 x509 = read_x509(cert_path);
153 if (!x509) {
154 err = -EINVAL;
155 goto cleanup;
156 }
157
158 cms = CMS_sign(NULL, NULL, NULL, NULL,
159 CMS_NOCERTS | CMS_PARTIAL | CMS_BINARY | CMS_DETACHED |
160 CMS_STREAM);
161 if (!cms) {
162 err = -EINVAL;
163 goto cleanup;
164 }
165
166 if (!CMS_add1_signer(cms, x509, private_key, EVP_sha256(),
167 CMS_NOCERTS | CMS_BINARY | CMS_NOSMIMECAP |
168 CMS_USE_KEYID | CMS_NOATTR)) {
169 err = -EINVAL;
170 goto cleanup;
171 }
172
173 if (CMS_final(cms, bd_in, NULL, CMS_NOCERTS | CMS_BINARY) != 1) {
174 err = -EIO;
175 goto cleanup;
176 }
177
178 EVP_Digest(opts->insns, opts->insns_sz, opts->excl_prog_hash,
179 &opts->excl_prog_hash_sz, EVP_sha256(), NULL);
180
181 bd_out = BIO_new(BIO_s_mem());
182 if (!bd_out) {
183 err = -ENOMEM;
184 goto cleanup;
185 }
186
187 if (!i2d_CMS_bio_stream(bd_out, cms, NULL, 0)) {
188 err = -EIO;
189 goto cleanup;
190 }
191
192 actual_sig_len = BIO_get_mem_data(bd_out, NULL);
193 if (actual_sig_len <= 0) {
194 err = -EIO;
195 goto cleanup;
196 }
197
198 if ((size_t)actual_sig_len > opts->signature_sz) {
199 err = -ENOSPC;
200 goto cleanup;
201 }
202
203 if (BIO_read(bd_out, opts->signature, actual_sig_len) != actual_sig_len) {
204 err = -EIO;
205 goto cleanup;
206 }
207
208 opts->signature_sz = actual_sig_len;
209 cleanup:
210 BIO_free(bd_out);
211 CMS_ContentInfo_free(cms);
212 X509_free(x509);
213 EVP_PKEY_free(private_key);
214 BIO_free(bd_in);
215 DISPLAY_OSSL_ERR(err < 0);
216 return err;
217 }
218