]>
Commit | Line | Data |
---|---|---|
8fe1681c MM |
1 | /* |
2 | * libkmod - module signature display | |
3 | * | |
4 | * Copyright (C) 2013 Michal Marek, SUSE | |
5 | * | |
6 | * This library is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU Lesser General Public | |
8 | * License as published by the Free Software Foundation; either | |
9 | * version 2.1 of the License, or (at your option) any later version. | |
10 | * | |
11 | * This library is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * Lesser General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU Lesser General Public | |
dea2dfee | 17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. |
8fe1681c MM |
18 | */ |
19 | ||
20 | #include <endian.h> | |
b18979b7 | 21 | #include <inttypes.h> |
391b4714 | 22 | #ifdef ENABLE_OPENSSL |
628677e0 | 23 | #include <openssl/pkcs7.h> |
391b4714 YK |
24 | #include <openssl/ssl.h> |
25 | #endif | |
c2e4286b | 26 | #include <stdio.h> |
8fe1681c MM |
27 | #include <stdlib.h> |
28 | #include <string.h> | |
8fe1681c | 29 | |
8b7189bc | 30 | #include <shared/missing.h> |
96573a02 | 31 | #include <shared/util.h> |
8b7189bc | 32 | |
83b855a6 | 33 | #include "libkmod-internal.h" |
8fe1681c MM |
34 | |
35 | /* These types and tables were copied from the 3.7 kernel sources. | |
36 | * As this is just description of the signature format, it should not be | |
37 | * considered derived work (so libkmod can use the LGPL license). | |
38 | */ | |
39 | enum pkey_algo { | |
40 | PKEY_ALGO_DSA, | |
41 | PKEY_ALGO_RSA, | |
42 | PKEY_ALGO__LAST | |
43 | }; | |
44 | ||
45 | static const char *const pkey_algo[PKEY_ALGO__LAST] = { | |
46 | [PKEY_ALGO_DSA] = "DSA", | |
47 | [PKEY_ALGO_RSA] = "RSA", | |
48 | }; | |
49 | ||
50 | enum pkey_hash_algo { | |
51 | PKEY_HASH_MD4, | |
52 | PKEY_HASH_MD5, | |
53 | PKEY_HASH_SHA1, | |
54 | PKEY_HASH_RIPE_MD_160, | |
55 | PKEY_HASH_SHA256, | |
56 | PKEY_HASH_SHA384, | |
57 | PKEY_HASH_SHA512, | |
58 | PKEY_HASH_SHA224, | |
f609cb51 | 59 | PKEY_HASH_SM3, |
8fe1681c MM |
60 | PKEY_HASH__LAST |
61 | }; | |
62 | ||
63 | const char *const pkey_hash_algo[PKEY_HASH__LAST] = { | |
64 | [PKEY_HASH_MD4] = "md4", | |
65 | [PKEY_HASH_MD5] = "md5", | |
66 | [PKEY_HASH_SHA1] = "sha1", | |
67 | [PKEY_HASH_RIPE_MD_160] = "rmd160", | |
68 | [PKEY_HASH_SHA256] = "sha256", | |
69 | [PKEY_HASH_SHA384] = "sha384", | |
70 | [PKEY_HASH_SHA512] = "sha512", | |
71 | [PKEY_HASH_SHA224] = "sha224", | |
f609cb51 | 72 | [PKEY_HASH_SM3] = "sm3", |
8fe1681c MM |
73 | }; |
74 | ||
75 | enum pkey_id_type { | |
76 | PKEY_ID_PGP, /* OpenPGP generated key ID */ | |
77 | PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */ | |
75f45d9b | 78 | PKEY_ID_PKCS7, /* Signature in PKCS#7 message */ |
8fe1681c MM |
79 | PKEY_ID_TYPE__LAST |
80 | }; | |
81 | ||
82 | const char *const pkey_id_type[PKEY_ID_TYPE__LAST] = { | |
83 | [PKEY_ID_PGP] = "PGP", | |
84 | [PKEY_ID_X509] = "X509", | |
75f45d9b | 85 | [PKEY_ID_PKCS7] = "PKCS#7", |
8fe1681c MM |
86 | }; |
87 | ||
88 | /* | |
89 | * Module signature information block. | |
8fe1681c MM |
90 | */ |
91 | struct module_signature { | |
92 | uint8_t algo; /* Public-key crypto algorithm [enum pkey_algo] */ | |
93 | uint8_t hash; /* Digest algorithm [enum pkey_hash_algo] */ | |
94 | uint8_t id_type; /* Key identifier type [enum pkey_id_type] */ | |
95 | uint8_t signer_len; /* Length of signer's name */ | |
96 | uint8_t key_id_len; /* Length of key identifier */ | |
97 | uint8_t __pad[3]; | |
98 | uint32_t sig_len; /* Length of signature data (big endian) */ | |
99 | }; | |
100 | ||
a1105720 YK |
101 | static bool fill_default(const char *mem, off_t size, |
102 | const struct module_signature *modsig, size_t sig_len, | |
103 | struct kmod_signature_info *sig_info) | |
104 | { | |
105 | size -= sig_len; | |
106 | sig_info->sig = mem + size; | |
107 | sig_info->sig_len = sig_len; | |
108 | ||
109 | size -= modsig->key_id_len; | |
110 | sig_info->key_id = mem + size; | |
111 | sig_info->key_id_len = modsig->key_id_len; | |
112 | ||
113 | size -= modsig->signer_len; | |
114 | sig_info->signer = mem + size; | |
115 | sig_info->signer_len = modsig->signer_len; | |
116 | ||
117 | sig_info->algo = pkey_algo[modsig->algo]; | |
118 | sig_info->hash_algo = pkey_hash_algo[modsig->hash]; | |
119 | sig_info->id_type = pkey_id_type[modsig->id_type]; | |
120 | ||
121 | return true; | |
122 | } | |
123 | ||
391b4714 YK |
124 | #ifdef ENABLE_OPENSSL |
125 | ||
126 | struct pkcs7_private { | |
628677e0 | 127 | PKCS7 *pkcs7; |
391b4714 YK |
128 | unsigned char *key_id; |
129 | BIGNUM *sno; | |
510c8b7f | 130 | char *hash_algo; |
391b4714 YK |
131 | }; |
132 | ||
133 | static void pkcs7_free(void *s) | |
134 | { | |
135 | struct kmod_signature_info *si = s; | |
136 | struct pkcs7_private *pvt = si->private; | |
137 | ||
628677e0 | 138 | PKCS7_free(pvt->pkcs7); |
391b4714 YK |
139 | BN_free(pvt->sno); |
140 | free(pvt->key_id); | |
510c8b7f | 141 | free(pvt->hash_algo); |
391b4714 YK |
142 | free(pvt); |
143 | si->private = NULL; | |
144 | } | |
145 | ||
391b4714 YK |
146 | static const char *x509_name_to_str(X509_NAME *name) |
147 | { | |
148 | int i; | |
149 | X509_NAME_ENTRY *e; | |
150 | ASN1_STRING *d; | |
151 | ASN1_OBJECT *o; | |
152 | int nid = -1; | |
153 | const char *str; | |
154 | ||
155 | for (i = 0; i < X509_NAME_entry_count(name); i++) { | |
156 | e = X509_NAME_get_entry(name, i); | |
157 | o = X509_NAME_ENTRY_get_object(e); | |
158 | nid = OBJ_obj2nid(o); | |
159 | if (nid == NID_commonName) | |
160 | break; | |
161 | } | |
162 | if (nid == -1) | |
163 | return NULL; | |
164 | ||
165 | d = X509_NAME_ENTRY_get_data(e); | |
166 | str = (const char *)ASN1_STRING_get0_data(d); | |
167 | ||
168 | return str; | |
169 | } | |
170 | ||
171 | static bool fill_pkcs7(const char *mem, off_t size, | |
172 | const struct module_signature *modsig, size_t sig_len, | |
173 | struct kmod_signature_info *sig_info) | |
174 | { | |
175 | const char *pkcs7_raw; | |
628677e0 SS |
176 | PKCS7 *pkcs7; |
177 | STACK_OF(PKCS7_SIGNER_INFO) *sis; | |
178 | PKCS7_SIGNER_INFO *si; | |
179 | PKCS7_ISSUER_AND_SERIAL *is; | |
391b4714 YK |
180 | X509_NAME *issuer; |
181 | ASN1_INTEGER *sno; | |
182 | ASN1_OCTET_STRING *sig; | |
183 | BIGNUM *sno_bn; | |
184 | X509_ALGOR *dig_alg; | |
185 | X509_ALGOR *sig_alg; | |
186 | const ASN1_OBJECT *o; | |
187 | BIO *in; | |
188 | int len; | |
189 | unsigned char *key_id_str; | |
190 | struct pkcs7_private *pvt; | |
191 | const char *issuer_str; | |
510c8b7f DJL |
192 | char *hash_algo; |
193 | int hash_algo_len; | |
391b4714 YK |
194 | |
195 | size -= sig_len; | |
196 | pkcs7_raw = mem + size; | |
197 | ||
198 | in = BIO_new_mem_buf(pkcs7_raw, sig_len); | |
199 | ||
628677e0 SS |
200 | pkcs7 = d2i_PKCS7_bio(in, NULL); |
201 | if (pkcs7 == NULL) { | |
391b4714 YK |
202 | BIO_free(in); |
203 | return false; | |
204 | } | |
205 | ||
206 | BIO_free(in); | |
207 | ||
628677e0 | 208 | sis = PKCS7_get_signer_info(pkcs7); |
391b4714 YK |
209 | if (sis == NULL) |
210 | goto err; | |
211 | ||
628677e0 | 212 | si = sk_PKCS7_SIGNER_INFO_value(sis, 0); |
391b4714 YK |
213 | if (si == NULL) |
214 | goto err; | |
215 | ||
628677e0 SS |
216 | is = si->issuer_and_serial; |
217 | if (is == NULL) | |
391b4714 | 218 | goto err; |
628677e0 SS |
219 | issuer = is->issuer; |
220 | sno = is->serial; | |
391b4714 | 221 | |
628677e0 | 222 | sig = si->enc_digest; |
391b4714 YK |
223 | if (sig == NULL) |
224 | goto err; | |
225 | ||
628677e0 | 226 | PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); |
391b4714 YK |
227 | |
228 | sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); | |
229 | sig_info->sig_len = ASN1_STRING_length(sig); | |
230 | ||
231 | sno_bn = ASN1_INTEGER_to_BN(sno, NULL); | |
232 | if (sno_bn == NULL) | |
233 | goto err; | |
234 | ||
235 | len = BN_num_bytes(sno_bn); | |
236 | key_id_str = malloc(len); | |
237 | if (key_id_str == NULL) | |
238 | goto err2; | |
239 | BN_bn2bin(sno_bn, key_id_str); | |
240 | ||
241 | sig_info->key_id = (const char *)key_id_str; | |
242 | sig_info->key_id_len = len; | |
243 | ||
244 | issuer_str = x509_name_to_str(issuer); | |
245 | if (issuer_str != NULL) { | |
246 | sig_info->signer = issuer_str; | |
247 | sig_info->signer_len = strlen(issuer_str); | |
248 | } | |
249 | ||
250 | X509_ALGOR_get0(&o, NULL, NULL, dig_alg); | |
251 | ||
510c8b7f DJL |
252 | // Use OBJ_obj2txt to calculate string length |
253 | hash_algo_len = OBJ_obj2txt(NULL, 0, o, 0); | |
254 | if (hash_algo_len < 0) | |
b9605c63 | 255 | goto err3; |
510c8b7f DJL |
256 | hash_algo = malloc(hash_algo_len + 1); |
257 | if (hash_algo == NULL) | |
d5950b0b | 258 | goto err3; |
510c8b7f DJL |
259 | hash_algo_len = OBJ_obj2txt(hash_algo, hash_algo_len + 1, o, 0); |
260 | if (hash_algo_len < 0) | |
261 | goto err4; | |
262 | ||
263 | // Assign libcrypto hash algo string or number | |
264 | sig_info->hash_algo = hash_algo; | |
265 | ||
391b4714 YK |
266 | sig_info->id_type = pkey_id_type[modsig->id_type]; |
267 | ||
268 | pvt = malloc(sizeof(*pvt)); | |
269 | if (pvt == NULL) | |
510c8b7f | 270 | goto err4; |
391b4714 | 271 | |
628677e0 | 272 | pvt->pkcs7 = pkcs7; |
391b4714 YK |
273 | pvt->key_id = key_id_str; |
274 | pvt->sno = sno_bn; | |
510c8b7f | 275 | pvt->hash_algo = hash_algo; |
391b4714 YK |
276 | sig_info->private = pvt; |
277 | ||
278 | sig_info->free = pkcs7_free; | |
279 | ||
280 | return true; | |
510c8b7f DJL |
281 | err4: |
282 | free(hash_algo); | |
391b4714 YK |
283 | err3: |
284 | free(key_id_str); | |
285 | err2: | |
286 | BN_free(sno_bn); | |
287 | err: | |
628677e0 | 288 | PKCS7_free(pkcs7); |
391b4714 YK |
289 | return false; |
290 | } | |
291 | ||
292 | #else /* ENABLE OPENSSL */ | |
293 | ||
294 | static bool fill_pkcs7(const char *mem, off_t size, | |
295 | const struct module_signature *modsig, size_t sig_len, | |
296 | struct kmod_signature_info *sig_info) | |
a1105720 YK |
297 | { |
298 | sig_info->hash_algo = "unknown"; | |
299 | sig_info->id_type = pkey_id_type[modsig->id_type]; | |
300 | return true; | |
301 | } | |
302 | ||
391b4714 YK |
303 | #endif /* ENABLE OPENSSL */ |
304 | ||
8fe1681c MM |
305 | #define SIG_MAGIC "~Module signature appended~\n" |
306 | ||
885e90b6 LDM |
307 | /* |
308 | * A signed module has the following layout: | |
309 | * | |
310 | * [ module ] | |
311 | * [ signer's name ] | |
312 | * [ key identifier ] | |
313 | * [ signature data ] | |
314 | * [ struct module_signature ] | |
315 | * [ SIG_MAGIC ] | |
316 | */ | |
317 | ||
8fe1681c MM |
318 | bool kmod_module_signature_info(const struct kmod_file *file, struct kmod_signature_info *sig_info) |
319 | { | |
320 | const char *mem; | |
321 | off_t size; | |
322 | const struct module_signature *modsig; | |
323 | size_t sig_len; | |
324 | ||
8fe1681c MM |
325 | size = kmod_file_get_size(file); |
326 | mem = kmod_file_get_contents(file); | |
327 | if (size < (off_t)strlen(SIG_MAGIC)) | |
328 | return false; | |
329 | size -= strlen(SIG_MAGIC); | |
330 | if (memcmp(SIG_MAGIC, mem + size, strlen(SIG_MAGIC)) != 0) | |
331 | return false; | |
332 | ||
333 | if (size < (off_t)sizeof(struct module_signature)) | |
334 | return false; | |
335 | size -= sizeof(struct module_signature); | |
336 | modsig = (struct module_signature *)(mem + size); | |
337 | if (modsig->algo >= PKEY_ALGO__LAST || | |
338 | modsig->hash >= PKEY_HASH__LAST || | |
339 | modsig->id_type >= PKEY_ID_TYPE__LAST) | |
340 | return false; | |
f87dc57a | 341 | sig_len = be32toh(get_unaligned(&modsig->sig_len)); |
dcbe1846 LDM |
342 | if (sig_len == 0 || |
343 | size < (int64_t)(modsig->signer_len + modsig->key_id_len + sig_len)) | |
8fe1681c MM |
344 | return false; |
345 | ||
a1105720 YK |
346 | switch (modsig->id_type) { |
347 | case PKEY_ID_PKCS7: | |
391b4714 | 348 | return fill_pkcs7(mem, size, modsig, sig_len, sig_info); |
a1105720 YK |
349 | default: |
350 | return fill_default(mem, size, modsig, sig_len, sig_info); | |
351 | } | |
8fe1681c | 352 | } |
391b4714 YK |
353 | |
354 | void kmod_module_signature_info_free(struct kmod_signature_info *sig_info) | |
355 | { | |
356 | if (sig_info->free) | |
357 | sig_info->free(sig_info); | |
358 | } |