#define ELF_TARGET_ALL
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <strings.h>
#include <stddef.h>
#include <stdlib.h>
#include <libintl.h>
#include <dirent.h>
#include <errno.h>
#include <libelf.h>
#include <gelf.h>
#include <cryptoutil.h>
#include <sha1.h>
#include <sys/crypto/elfsign.h>
#include <libelfsign.h>
#ifndef SHA1_DIGEST_LENGTH
#define SHA1_DIGEST_LENGTH 20
#endif
const char SUNW_ELF_SIGNATURE_ID[] = ELF_SIGNATURE_SECTION;
const char OID_sha1WithRSAEncryption[] = "1.2.840.113549.1.1.5";
static ELFsign_status_t elfsign_adjustoffsets(ELFsign_t ess,
Elf_Scn *scn, uint64_t new_size);
static uint32_t elfsign_switch_uint32(uint32_t i);
static ELFsign_status_t elfsign_switch(ELFsign_t ess,
struct filesignatures *fssp, enum ES_ACTION action);
struct filesig_extraction {
filesig_vers_t fsx_version;
char *fsx_format;
char fsx_signer_DN[ELFCERT_MAX_DN_LEN];
size_t fsx_signer_DN_len;
uchar_t fsx_signature[SIG_MAX_LENGTH];
size_t fsx_sig_len;
char fsx_sig_oid[100];
size_t fsx_sig_oid_len;
time_t fsx_time;
};
static char *
version_to_str(filesig_vers_t v)
{
char *ret;
switch (v) {
case FILESIG_VERSION1:
ret = "VERSION1";
break;
case FILESIG_VERSION2:
ret = "VERSION2";
break;
case FILESIG_VERSION3:
ret = "VERSION3";
break;
case FILESIG_VERSION4:
ret = "VERSION4";
break;
default:
ret = "UNKNOWN";
break;
}
return (ret);
}
static struct filesignatures *
filesig_insert_dso(struct filesignatures *fssp,
filesig_vers_t version,
const char *dn,
int dn_len,
const uchar_t *sig,
int sig_len,
const char *oid,
int oid_len)
{
struct filesig *fsgp;
char *fsdatap;
if (oid == NULL) {
oid = OID_sha1WithRSAEncryption;
oid_len = strlen(oid);
}
if (fssp != NULL)
free(fssp);
fssp = (struct filesignatures *)
malloc(filesig_ALIGN(sizeof (struct filesignatures) +
dn_len + sig_len + oid_len));
if (fssp == NULL)
return (fssp);
fssp->filesig_cnt = 1;
fssp->filesig_pad = 0;
fsgp = &fssp->filesig_sig;
fsgp->filesig_size = sizeof (struct filesig) +
dn_len + sig_len + oid_len;
fsgp->filesig_version = version;
switch (version) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
fsgp->filesig_size -= sizeof (struct filesig) -
offsetof(struct filesig, filesig_v1_data[0]);
fsgp->filesig_v1_dnsize = dn_len;
fsgp->filesig_v1_sigsize = sig_len;
fsgp->filesig_v1_oidsize = oid_len;
fsdatap = &fsgp->filesig_v1_data[0];
break;
case FILESIG_VERSION3:
case FILESIG_VERSION4:
fsgp->filesig_size -= sizeof (struct filesig) -
offsetof(struct filesig, filesig_v3_data[0]);
fsgp->filesig_v3_time = time(NULL);
fsgp->filesig_v3_dnsize = dn_len;
fsgp->filesig_v3_sigsize = sig_len;
fsgp->filesig_v3_oidsize = oid_len;
fsdatap = &fsgp->filesig_v3_data[0];
break;
default:
cryptodebug("filesig_insert_dso: unknown version: %d",
version);
free(fssp);
return (NULL);
}
(void) memcpy(fsdatap, dn, dn_len);
fsdatap += dn_len;
(void) memcpy(fsdatap, (char *)sig, sig_len);
fsdatap += sig_len;
(void) memcpy(fsdatap, oid, oid_len);
fsdatap += oid_len;
fsgp = filesig_next(fsgp);
(void) memset(fsdatap, 0, (char *)(fsgp) - fsdatap);
return (fssp);
}
static filesig_vers_t
filesig_extract(struct filesig *fsgp, struct filesig_extraction *fsxp)
{
char *fsdp;
#define filesig_extract_common(cp, field, data_var, len_var, len_limit) { \
len_var = len_limit; \
if (len_var > fsgp->field) \
len_var = fsgp->field; \
(void) memcpy(data_var, cp, len_var); \
cp += fsgp->field; }
#define filesig_extract_str(cp, field, data_var, len_var) \
filesig_extract_common(cp, field, data_var, len_var, \
sizeof (data_var) - 1); \
data_var[len_var] = '\0';
#define filesig_extract_opaque(cp, field, data_var, len_var) \
filesig_extract_common(cp, field, data_var, len_var, sizeof (data_var))
fsxp->fsx_version = fsgp->filesig_version;
cryptodebug("filesig_extract: version=%s",
version_to_str(fsxp->fsx_version));
switch (fsxp->fsx_version) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
fsdp = fsgp->filesig_v1_data;
fsxp->fsx_format = ES_FMT_RSA_MD5_SHA1;
fsxp->fsx_time = 0;
filesig_extract_str(fsdp, filesig_v1_dnsize,
fsxp->fsx_signer_DN, fsxp->fsx_signer_DN_len);
filesig_extract_opaque(fsdp, filesig_v1_sigsize,
fsxp->fsx_signature, fsxp->fsx_sig_len);
filesig_extract_str(fsdp, filesig_v1_oidsize,
fsxp->fsx_sig_oid, fsxp->fsx_sig_oid_len);
break;
case FILESIG_VERSION3:
case FILESIG_VERSION4:
fsdp = fsgp->filesig_v3_data;
fsxp->fsx_format = ES_FMT_RSA_SHA1;
fsxp->fsx_time = fsgp->filesig_v3_time;
filesig_extract_str(fsdp, filesig_v3_dnsize,
fsxp->fsx_signer_DN, fsxp->fsx_signer_DN_len);
filesig_extract_opaque(fsdp, filesig_v3_sigsize,
fsxp->fsx_signature, fsxp->fsx_sig_len);
filesig_extract_str(fsdp, filesig_v3_oidsize,
fsxp->fsx_sig_oid, fsxp->fsx_sig_oid_len);
break;
default:
break;
}
return (fsxp->fsx_version);
}
ELFsign_status_t
elfsign_begin(const char *filename, enum ES_ACTION action, ELFsign_t *essp)
{
Elf_Cmd elfcmd;
int oflags = 0;
short l_type;
ELFsign_t ess;
struct stat stb;
union {
char c[2];
short s;
} uorder;
GElf_Ehdr elfehdr;
char *ident;
switch (action) {
case ES_GET:
case ES_GET_CRYPTO:
case ES_GET_FIPS140:
cryptodebug("elfsign_begin for get");
elfcmd = ELF_C_READ;
oflags = O_RDONLY | O_NOCTTY | O_NDELAY;
l_type = F_RDLCK;
break;
case ES_UPDATE_RSA_MD5_SHA1:
case ES_UPDATE_RSA_SHA1:
cryptodebug("elfsign_begin for update");
elfcmd = ELF_C_RDWR;
oflags = O_RDWR | O_NOCTTY | O_NDELAY;
l_type = F_WRLCK;
break;
default:
return (ELFSIGN_UNKNOWN);
}
if ((ess = malloc(sizeof (struct ELFsign_s))) == NULL) {
return (ELFSIGN_UNKNOWN);
}
(void) memset((void *)ess, 0, sizeof (struct ELFsign_s));
if (!elfcertlib_init(ess)) {
cryptodebug("elfsign_begin: failed initialization");
return (ELFSIGN_UNKNOWN);
}
ess->es_elf = NULL;
ess->es_action = action;
ess->es_version = FILESIG_UNKNOWN;
ess->es_pathname = NULL;
ess->es_certpath = NULL;
if (filename == NULL) {
*essp = ess;
return (ELFSIGN_SUCCESS);
}
if ((ess->es_fd = open(filename, oflags)) == -1) {
elfsign_end(ess);
return (ELFSIGN_INVALID_ELFOBJ);
}
if ((fstat(ess->es_fd, &stb) == -1) || !S_ISREG(stb.st_mode)) {
elfsign_end(ess);
return (ELFSIGN_INVALID_ELFOBJ);
}
if ((ess->es_pathname = strdup(filename)) == NULL) {
elfsign_end(ess);
return (ELFSIGN_UNKNOWN);
}
ess->es_flock.l_type = l_type;
ess->es_flock.l_whence = SEEK_CUR;
ess->es_flock.l_start = 0;
ess->es_flock.l_len = 0;
if (fcntl(ess->es_fd, F_SETLK, &ess->es_flock) == -1) {
cryptodebug("fcntl(F_SETLK) of %s failed with: %s",
ess->es_pathname, strerror(errno));
elfsign_end(ess);
return (ELFSIGN_UNKNOWN);
}
if (elf_version(EV_CURRENT) == EV_NONE) {
elfsign_end(ess);
return (ELFSIGN_UNKNOWN);
}
if ((ess->es_elf = elf_begin(ess->es_fd, elfcmd,
(Elf *)NULL)) == NULL) {
cryptodebug("elf_begin() failed: %s", elf_errmsg(-1));
elfsign_end(ess);
return (ELFSIGN_INVALID_ELFOBJ);
}
if (gelf_getehdr(ess->es_elf, &elfehdr) == NULL) {
cryptodebug("elf_getehdr() failed: %s", elf_errmsg(-1));
elfsign_end(ess);
return (ELFSIGN_INVALID_ELFOBJ);
}
ess->es_has_phdr = (elfehdr.e_phnum != 0);
uorder.s = ELFDATA2MSB << 8 | ELFDATA2LSB;
ident = elf_getident(ess->es_elf, NULL);
if (ident == NULL) {
cryptodebug("elf_getident() failed: %s", elf_errmsg(-1));
elfsign_end(ess);
return (ELFSIGN_INVALID_ELFOBJ);
}
ess->es_same_endian = (ident[EI_DATA] == uorder.c[0]);
ess->es_ei_class = ident[EI_CLASS];
if (elf_getshstrndx(ess->es_elf, &ess->es_shstrndx) == 0) {
elfsign_end(ess);
cryptodebug("elfsign_begin: elf_getshstrndx failed");
return (ELFSIGN_INVALID_ELFOBJ);
}
(void) elf_flagelf(ess->es_elf, ELF_C_SET, ELF_F_LAYOUT);
*essp = ess;
return (ELFSIGN_SUCCESS);
}
void
elfsign_end(ELFsign_t ess)
{
if (ess == NULL)
return;
if (ess->es_elf != NULL && ES_ACTISUPDATE(ess->es_action)) {
if (elf_update(ess->es_elf, ELF_C_WRITE) == -1) {
cryptodebug("elf_update() failed: %s",
elf_errmsg(-1));
return;
}
}
if (ess->es_fd != -1) {
(void) close(ess->es_fd);
ess->es_fd = -1;
}
if (ess->es_pathname != NULL) {
free(ess->es_pathname);
ess->es_pathname = NULL;
}
if (ess->es_certpath != NULL) {
free(ess->es_certpath);
ess->es_certpath = NULL;
}
if (ess->es_elf != NULL) {
(void) elf_end(ess->es_elf);
ess->es_elf = NULL;
}
elfcertlib_fini(ess);
free(ess);
}
ELFsign_status_t
elfsign_setcertpath(ELFsign_t ess, const char *certpath)
{
if (access(certpath, R_OK) != 0)
return (ELFSIGN_INVALID_CERTPATH);
if ((ess->es_certpath = strdup(certpath)) == NULL)
return (ELFSIGN_FAILED);
if (ES_ACTISUPDATE(ess->es_action)) {
ELFCert_t cert = NULL;
char *subject;
if (elfcertlib_getcert(ess, ess->es_certpath, NULL,
&cert, ess->es_action)) {
if ((subject = elfcertlib_getdn(cert)) != NULL) {
if (strstr(subject, ELFSIGN_CRYPTO))
ess->es_version = (ess->es_action ==
ES_UPDATE_RSA_MD5_SHA1) ?
FILESIG_VERSION1 : FILESIG_VERSION3;
else
ess->es_version = (ess->es_action ==
ES_UPDATE_RSA_MD5_SHA1) ?
FILESIG_VERSION2 : FILESIG_VERSION4;
}
elfcertlib_releasecert(ess, cert);
}
if (ess->es_version == FILESIG_UNKNOWN)
return (ELFSIGN_FAILED);
}
return (ELFSIGN_SUCCESS);
}
void
elfsign_setcallbackctx(ELFsign_t ess, void *ctx)
{
ess->es_callbackctx = ctx;
}
void
elfsign_setsigvercallback(ELFsign_t ess,
void (*cb)(void *, void *, size_t, ELFCert_t))
{
ess->es_sigvercallback = cb;
}
ELFsign_status_t
elfsign_signatures(ELFsign_t ess,
struct filesignatures **fsspp,
size_t *fslen,
enum ES_ACTION action)
{
Elf_Scn *scn = NULL, *sig_scn = NULL;
GElf_Shdr shdr;
Elf_Data *data = NULL;
const char *elf_section = SUNW_ELF_SIGNATURE_ID;
int fscnt, fssize;
struct filesig *fsgp, *fsgpnext;
uint64_t sig_offset = 0;
cryptodebug("elfsign_signature");
if ((ess == NULL) || (fsspp == NULL)) {
cryptodebug("invalid arguments");
return (ELFSIGN_UNKNOWN);
}
cryptodebug("elfsign_signature %s for %s",
ES_ACTISUPDATE(action) ? "ES_UPDATE" : "ES_GET", elf_section);
(void) elf_errno();
while ((scn = elf_nextscn(ess->es_elf, scn)) != NULL) {
const char *sh_name;
if (gelf_getshdr(scn, &shdr) == NULL) {
cryptodebug("gelf_getshdr() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
sh_name = elf_strptr(ess->es_elf, ess->es_shstrndx,
(size_t)shdr.sh_name);
if (strcmp(sh_name, elf_section) == 0) {
cryptodebug("elfsign_signature: found %s", elf_section);
sig_scn = scn;
break;
}
if (shdr.sh_type != SHT_NOBITS &&
sig_offset < shdr.sh_offset + shdr.sh_size) {
sig_offset = shdr.sh_offset + shdr.sh_size;
}
}
if (elf_errmsg(0) != NULL) {
cryptodebug("unexpected error: %s", elf_section,
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
if (ES_ACTISUPDATE(action) && (sig_scn == NULL)) {
size_t old_size, new_size;
char *new_d_buf;
cryptodebug("elfsign_signature: %s not found - creating",
elf_section);
if ((scn = elf_getscn(ess->es_elf, ess->es_shstrndx)) == 0) {
cryptodebug("elf_getscn() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
if (gelf_getshdr(scn, &shdr) == NULL) {
cryptodebug("gelf_getshdr() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
if ((data = elf_getdata(scn, data)) == NULL) {
cryptodebug("elf_getdata() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
old_size = data->d_size;
if (old_size != shdr.sh_size) {
cryptodebug("mismatch between data size %d "
"and section size %lld", old_size, shdr.sh_size);
return (ELFSIGN_FAILED);
}
new_size = old_size + strlen(elf_section) + 1;
if ((new_d_buf = malloc(new_size)) == NULL)
return (ELFSIGN_FAILED);
(void) memcpy(new_d_buf, data->d_buf, old_size);
(void) strlcpy(new_d_buf + old_size, elf_section,
new_size - old_size);
data->d_buf = new_d_buf;
data->d_size = new_size;
data->d_align = 1;
if ((sig_scn = elf_newscn(ess->es_elf)) == 0) {
cryptodebug("elf_newscn() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
if (gelf_getshdr(sig_scn, &shdr) == 0) {
cryptodebug("gelf_getshdr() failed: %s",
elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
shdr.sh_name = old_size;
shdr.sh_type = SHT_SUNW_SIGNATURE;
shdr.sh_flags = SHF_EXCLUDE;
shdr.sh_addr = 0;
shdr.sh_link = 0;
shdr.sh_info = 0;
shdr.sh_size = 0;
shdr.sh_offset = sig_offset;
shdr.sh_addralign = 1;
if (gelf_update_shdr(sig_scn, &shdr) == 0) {
cryptodebug("gelf_update_shdr failed");
return (ELFSIGN_FAILED);
}
if ((data = elf_newdata(sig_scn)) == NULL) {
cryptodebug("can't add elf data area for %s: %s",
elf_section, elf_errmsg(-1));
return (ELFSIGN_FAILED);
}
if (elfsign_adjustoffsets(ess, scn,
old_size + strlen(elf_section) + 1) != ELFSIGN_SUCCESS) {
cryptodebug("can't adjust for new section name %s",
elf_section);
return (ELFSIGN_FAILED);
}
} else {
if (sig_scn == NULL) {
cryptodebug("can't find signature section");
*fsspp = NULL;
return (ELFSIGN_NOTSIGNED);
}
if ((data = elf_getdata(sig_scn, NULL)) == 0) {
cryptodebug("can't get section data for %s",
elf_section);
return (ELFSIGN_FAILED);
}
}
if (ES_ACTISUPDATE(action)) {
fssize = offsetof(struct filesignatures, _u1);
if (*fsspp != NULL) {
fsgp = &(*fsspp)->filesig_sig;
for (fscnt = 0; fscnt < (*fsspp)->filesig_cnt;
fscnt++) {
fsgpnext = filesig_next(fsgp);
fssize += (char *)(fsgpnext) - (char *)(fsgp);
fsgp = fsgpnext;
}
}
if (shdr.sh_addr != 0) {
cryptodebug("section %s is part of a loadable segment, "
"it cannot be changed.\n", elf_section);
return (ELFSIGN_FAILED);
}
if ((data->d_buf = malloc(fssize)) == NULL)
return (ELFSIGN_FAILED);
if (*fsspp != NULL) {
(void) memcpy(data->d_buf, *fsspp, fssize);
(void) elfsign_switch(ess,
(struct filesignatures *)data->d_buf, action);
}
data->d_size = fssize;
data->d_align = 1;
data->d_type = ELF_T_BYTE;
cryptodebug("elfsign_signature: data->d_size = %d",
data->d_size);
if (elfsign_adjustoffsets(ess, sig_scn, fssize) !=
ELFSIGN_SUCCESS) {
cryptodebug("can't adjust for revised signature "
"section contents");
return (ELFSIGN_FAILED);
}
} else {
*fsspp = malloc(data->d_size);
if (*fsspp == NULL)
return (ELFSIGN_FAILED);
(void) memcpy(*fsspp, data->d_buf, data->d_size);
if (elfsign_switch(ess, *fsspp, ES_GET) != ELFSIGN_SUCCESS) {
free(*fsspp);
*fsspp = NULL;
return (ELFSIGN_FAILED);
}
*fslen = data->d_size;
}
return (ELFSIGN_SUCCESS);
}
static ELFsign_status_t
elfsign_adjustoffsets(ELFsign_t ess, Elf_Scn *scn, uint64_t new_size)
{
GElf_Ehdr elfehdr;
GElf_Shdr shdr;
uint64_t prev_end, scn_offset;
char *name;
Elf_Scn *scnp;
Elf_Data *data;
ELFsign_status_t retval = ELFSIGN_FAILED;
struct scninfo {
struct scninfo *scni_next;
Elf_Scn *scni_scn;
uint64_t scni_offset;
} *scnip = NULL, *tmpscnip, **scnipp;
if (gelf_getshdr(scn, &shdr) == NULL)
return (ELFSIGN_FAILED);
if (shdr.sh_size == new_size)
return (ELFSIGN_SUCCESS);
scn_offset = shdr.sh_offset;
name = elf_strptr(ess->es_elf, ess->es_shstrndx,
(size_t)shdr.sh_name);
if (shdr.sh_flags & SHF_ALLOC && ess->es_has_phdr) {
cryptodebug("elfsign_adjustoffsets: "
"can't move allocated section %s", name ? name : "NULL");
return (ELFSIGN_FAILED);
}
cryptodebug("elfsign_adjustoffsets: "
"resizing %s at 0x%llx from 0x%llx to 0x%llx",
name ? name : "NULL", shdr.sh_offset, shdr.sh_size, new_size);
shdr.sh_size = new_size;
if (gelf_update_shdr(scn, &shdr) == 0) {
cryptodebug("gelf_update_shdr failed");
goto bad;
}
prev_end = shdr.sh_offset + shdr.sh_size;
scnp = elf_getscn(ess->es_elf, 0);
while ((scnp = elf_nextscn(ess->es_elf, scnp)) != NULL) {
if (gelf_getshdr(scnp, &shdr) == NULL)
goto bad;
if (shdr.sh_offset <= scn_offset)
continue;
name = elf_strptr(ess->es_elf, ess->es_shstrndx,
(size_t)shdr.sh_name);
if (shdr.sh_flags & SHF_ALLOC && ess->es_has_phdr) {
if (shdr.sh_type == SHT_NOBITS) {
continue;
}
cryptodebug("elfsign_adjustoffsets: "
"can't move allocated section %s",
name ? name : "NULL");
goto bad;
}
data = NULL;
while ((data = elf_rawdata(scnp, data)) != NULL)
;
cryptodebug("elfsign_adjustoffsets: "
"may have to adjust section %s, offset 0x%llx",
name ? name : "NULL", shdr.sh_offset);
tmpscnip = (struct scninfo *)malloc(sizeof (struct scninfo));
if (tmpscnip == NULL) {
cryptodebug("elfsign_adjustoffsets: "
"memory allocation failure");
goto bad;
}
tmpscnip->scni_scn = scnp;
tmpscnip->scni_offset = shdr.sh_offset;
for (scnipp = &scnip; *scnipp != NULL;
scnipp = &(*scnipp)->scni_next) {
if ((*scnipp)->scni_offset > tmpscnip->scni_offset)
break;
}
tmpscnip->scni_next = *scnipp;
*scnipp = tmpscnip;
}
for (tmpscnip = scnip; tmpscnip != NULL;
tmpscnip = tmpscnip->scni_next) {
scnp = tmpscnip->scni_scn;
if (gelf_getshdr(scnp, &shdr) == NULL) {
cryptodebug("elfsign_adjustoffsets: "
"elf_getshdr for section %d failed",
elf_ndxscn(scnp));
goto bad;
}
if (shdr.sh_offset >= prev_end)
break;
prev_end = (prev_end + shdr.sh_addralign - 1) &
(-shdr.sh_addralign);
name = elf_strptr(ess->es_elf, ess->es_shstrndx,
(size_t)shdr.sh_name);
cryptodebug("elfsign_adjustoffsets: "
"moving %s size 0x%llx from 0x%llx to 0x%llx",
name ? name : "NULL", shdr.sh_size,
shdr.sh_offset, prev_end);
shdr.sh_offset = prev_end;
if (gelf_update_shdr(scnp, &shdr) == 0) {
cryptodebug("gelf_update_shdr failed");
goto bad;
}
prev_end = shdr.sh_offset + shdr.sh_size;
}
if (gelf_getehdr(ess->es_elf, &elfehdr) == NULL) {
cryptodebug("elf_getehdr() failed: %s", elf_errmsg(-1));
goto bad;
}
if (elfehdr.e_shoff < prev_end) {
if (ess->es_ei_class == ELFCLASS32)
prev_end = (prev_end + ELF32_FSZ_OFF - 1) &
(-ELF32_FSZ_OFF);
else if (ess->es_ei_class == ELFCLASS64)
prev_end = (prev_end + ELF64_FSZ_OFF - 1) &
(-ELF64_FSZ_OFF);
cryptodebug("elfsign_adjustoffsets: "
"move sh_off from 0x%llx to 0x%llx",
elfehdr.e_shoff, prev_end);
elfehdr.e_shoff = prev_end;
if (gelf_update_ehdr(ess->es_elf, &elfehdr) == 0) {
cryptodebug("elf_update_ehdr() failed: %s",
elf_errmsg(-1));
goto bad;
}
}
retval = ELFSIGN_SUCCESS;
bad:
while (scnip != NULL) {
tmpscnip = scnip->scni_next;
free(scnip);
scnip = tmpscnip;
}
return (retval);
}
struct filesignatures *
elfsign_insert_dso(ELFsign_t ess,
struct filesignatures *fssp,
const char *dn,
int dn_len,
const uchar_t *sig,
int sig_len,
const char *oid,
int oid_len)
{
return (filesig_insert_dso(fssp, ess->es_version, dn, dn_len,
sig, sig_len, oid, oid_len));
}
filesig_vers_t
elfsign_extract_sig(ELFsign_t ess,
struct filesignatures *fssp,
uchar_t *sig,
size_t *sig_len)
{
struct filesig_extraction fsx;
filesig_vers_t version;
if (fssp == NULL)
return (FILESIG_UNKNOWN);
if (fssp->filesig_cnt != 1)
return (FILESIG_UNKNOWN);
version = filesig_extract(&fssp->filesig_sig, &fsx);
switch (version) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
case FILESIG_VERSION3:
case FILESIG_VERSION4:
if (*sig_len >= fsx.fsx_sig_len) {
(void) memcpy((char *)sig, (char *)fsx.fsx_signature,
*sig_len);
*sig_len = fsx.fsx_sig_len;
} else
version = FILESIG_UNKNOWN;
break;
default:
version = FILESIG_UNKNOWN;
break;
}
if (ess->es_version == FILESIG_UNKNOWN) {
ess->es_version = version;
}
return (version);
}
static ELFsign_status_t
elfsign_hash_common(ELFsign_t ess, uchar_t *hash, size_t *hash_len,
boolean_t hash_mem_resident)
{
Elf_Scn *scn = NULL;
ELFsign_status_t elfstat;
GElf_Shdr shdr;
SHA1_CTX ctx;
if (*hash_len < SHA1_DIGEST_LENGTH)
return (ELFSIGN_FAILED);
bzero(hash, *hash_len);
SHA1Init(&ctx);
scn = elf_getscn(ess->es_elf, 0);
(void) elf_errno();
while ((scn = elf_nextscn(ess->es_elf, scn)) != 0) {
char *name = NULL;
Elf_Data *data = NULL;
if (gelf_getshdr(scn, &shdr) == NULL) {
elfstat = ELFSIGN_FAILED;
goto done;
}
name = elf_strptr(ess->es_elf, ess->es_shstrndx,
(size_t)shdr.sh_name);
if (name == NULL)
name = "NULL";
if (!hash_mem_resident &&
(ess->es_version == FILESIG_VERSION1 ||
ess->es_version == FILESIG_VERSION3)) {
if (shdr.sh_type == SHT_SUNW_SIGNATURE) {
cryptodebug("elfsign_hash: skipping %s", name);
continue;
}
} else if (!(shdr.sh_flags & SHF_ALLOC)) {
cryptodebug("elfsign_hash: skipping %s", name);
continue;
}
while ((data = (shdr.sh_type == SHT_STRTAB ?
elf_getdata(scn, data) : elf_rawdata(scn, data))) != NULL) {
if (data->d_buf == NULL) {
cryptodebug("elfsign_hash: %s has NULL data",
name);
continue;
}
cryptodebug("elfsign_hash: updating hash "
"with %s data size=%d", name, data->d_size);
SHA1Update(&ctx, data->d_buf, data->d_size);
}
}
if (elf_errmsg(0) != NULL) {
cryptodebug("elfsign_hash: %s", elf_errmsg(-1));
elfstat = ELFSIGN_FAILED;
goto done;
}
SHA1Final(hash, &ctx);
*hash_len = SHA1_DIGEST_LENGTH;
{
const int hashstr_len = (*hash_len) * 2 + 1;
char *hashstr = malloc(hashstr_len);
if (hashstr != NULL) {
tohexstr(hash, *hash_len, hashstr, hashstr_len);
cryptodebug("hash value is: %s", hashstr);
free(hashstr);
}
}
elfstat = ELFSIGN_SUCCESS;
done:
return (elfstat);
}
ELFsign_status_t
elfsign_hash(ELFsign_t ess, uchar_t *hash, size_t *hash_len)
{
return (elfsign_hash_common(ess, hash, hash_len, B_FALSE));
}
ELFsign_status_t
elfsign_hash_mem_resident(ELFsign_t ess, uchar_t *hash, size_t *hash_len)
{
return (elfsign_hash_common(ess, hash, hash_len, B_TRUE));
}
ELFsign_status_t
elfsign_verify_signature(ELFsign_t ess, struct ELFsign_sig_info **esipp)
{
ELFsign_status_t ret = ELFSIGN_FAILED;
struct filesignatures *fssp;
struct filesig *fsgp;
size_t fslen;
struct filesig_extraction fsx;
uchar_t hash[SIG_MAX_LENGTH];
size_t hash_len;
ELFCert_t cert = NULL;
int sigcnt;
int nocert = 0;
struct ELFsign_sig_info *esip = NULL;
if (esipp != NULL) {
esip = (struct ELFsign_sig_info *)
calloc(1, sizeof (struct ELFsign_sig_info));
*esipp = esip;
}
if (elfsign_signatures(ess, &fssp, &fslen, ES_GET) != ELFSIGN_SUCCESS) {
return (ELFSIGN_NOTSIGNED);
}
if (fssp->filesig_cnt < 1) {
ret = ELFSIGN_FAILED;
goto cleanup;
}
fsgp = &fssp->filesig_sig;
for (sigcnt = 0; sigcnt < fssp->filesig_cnt;
sigcnt++, fsgp = filesig_next(fsgp)) {
ess->es_version = filesig_extract(fsgp, &fsx);
cryptodebug("elfsign_verify_signature: version=%s",
version_to_str(ess->es_version));
switch (ess->es_version) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
case FILESIG_VERSION3:
case FILESIG_VERSION4:
break;
default:
ret = ELFSIGN_FAILED;
goto cleanup;
}
cryptodebug("elfsign_verify_signature: signer_DN=\"%s\"",
fsx.fsx_signer_DN);
cryptodebug("elfsign_verify_signature: algorithmOID=\"%s\"",
fsx.fsx_sig_oid);
if (esipp != NULL) {
esip->esi_format = fsx.fsx_format;
if (esip->esi_signer != NULL)
free(esip->esi_signer);
esip->esi_signer = strdup(fsx.fsx_signer_DN);
esip->esi_time = fsx.fsx_time;
}
if (cert != NULL)
elfcertlib_releasecert(ess, cert);
if (!elfcertlib_getcert(ess, ess->es_certpath,
fsx.fsx_signer_DN, &cert, ess->es_action)) {
cryptodebug("unable to find certificate "
"with DN=\"%s\" for %s",
fsx.fsx_signer_DN, ess->es_pathname);
nocert++;
continue;
}
if ((ess->es_action == ES_GET_CRYPTO ||
ess->es_action == ES_GET_FIPS140 ||
strstr(fsx.fsx_signer_DN, ELFSIGN_CRYPTO)) &&
!elfcertlib_verifycert(ess, cert)) {
cryptodebug("elfsign_verify_signature: invalid cert");
nocert++;
continue;
}
if (strcmp(fsx.fsx_sig_oid, OID_sha1WithRSAEncryption) != 0) {
continue;
}
nocert = 0;
hash_len = sizeof (hash);
if (elfsign_hash(ess, hash, &hash_len) != ELFSIGN_SUCCESS) {
cryptodebug("elfsign_verify_signature:"
" elfsign_hash failed");
ret = ELFSIGN_FAILED;
break;
}
{
const int sigstr_len = fsx.fsx_sig_len * 2 + 1;
char *sigstr = malloc(sigstr_len);
if (sigstr != NULL) {
tohexstr(fsx.fsx_signature, fsx.fsx_sig_len,
sigstr, sigstr_len);
cryptodebug("signature value is: %s", sigstr);
free(sigstr);
}
}
if (elfcertlib_verifysig(ess, cert,
fsx.fsx_signature, fsx.fsx_sig_len, hash, hash_len)) {
if (ess->es_sigvercallback)
(ess->es_sigvercallback)
(ess->es_callbackctx, fssp, fslen, cert);
ret = ELFSIGN_SUCCESS;
}
cryptodebug("elfsign_verify_signature: invalid signature");
}
cleanup:
if (cert != NULL)
elfcertlib_releasecert(ess, cert);
free(fssp);
if (ret == ELFSIGN_FAILED && nocert)
ret = ELFSIGN_INVALID_CERTPATH;
return (ret);
}
static uint32_t
elfsign_switch_uint32(uint32_t i)
{
return (((i & 0xff) << 24) | ((i & 0xff00) << 8) |
((i >> 8) & 0xff00) | ((i >> 24) & 0xff));
}
static uint64_t
elfsign_switch_uint64(uint64_t i)
{
return (((uint64_t)elfsign_switch_uint32(i) << 32) |
(elfsign_switch_uint32(i >> 32)));
}
static ELFsign_status_t
elfsign_switch(ELFsign_t ess, struct filesignatures *fssp,
enum ES_ACTION action)
{
int fscnt;
filesig_vers_t version;
struct filesig *fsgp, *fsgpnext;
if (ess->es_same_endian)
return (ELFSIGN_SUCCESS);
if (ES_ACTISUPDATE(action))
fscnt = fssp->filesig_cnt;
fssp->filesig_cnt = elfsign_switch_uint32(fssp->filesig_cnt);
if (!ES_ACTISUPDATE(action))
fscnt = fssp->filesig_cnt;
fsgp = &(fssp)->filesig_sig;
for (; fscnt > 0; fscnt--, fsgp = fsgpnext) {
if (ES_ACTISUPDATE(action)) {
version = fsgp->filesig_version;
fsgpnext = filesig_next(fsgp);
}
fsgp->filesig_size =
elfsign_switch_uint32(fsgp->filesig_size);
fsgp->filesig_version =
elfsign_switch_uint32(fsgp->filesig_version);
if (!ES_ACTISUPDATE(action)) {
version = fsgp->filesig_version;
fsgpnext = filesig_next(fsgp);
}
switch (version) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
fsgp->filesig_v1_dnsize =
elfsign_switch_uint32(fsgp->filesig_v1_dnsize);
fsgp->filesig_v1_sigsize =
elfsign_switch_uint32(fsgp->filesig_v1_sigsize);
fsgp->filesig_v1_oidsize =
elfsign_switch_uint32(fsgp->filesig_v1_oidsize);
break;
case FILESIG_VERSION3:
case FILESIG_VERSION4:
fsgp->filesig_v3_time =
elfsign_switch_uint64(fsgp->filesig_v3_time);
fsgp->filesig_v3_dnsize =
elfsign_switch_uint32(fsgp->filesig_v3_dnsize);
fsgp->filesig_v3_sigsize =
elfsign_switch_uint32(fsgp->filesig_v3_sigsize);
fsgp->filesig_v3_oidsize =
elfsign_switch_uint32(fsgp->filesig_v3_oidsize);
break;
default:
cryptodebug("elfsign_switch: failed");
return (ELFSIGN_FAILED);
}
}
return (ELFSIGN_SUCCESS);
}
void
elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
enum ES_ACTION action)
{
uint32_t tmp;
if (!ES_ACTISUPDATE(action)) {
(void) memcpy(&tmp, cp, sizeof (tmp));
if (!ess->es_same_endian) {
tmp = elfsign_switch_uint32(tmp);
}
*ip = tmp;
} else {
tmp = *ip;
if (!ess->es_same_endian) {
tmp = elfsign_switch_uint32(tmp);
}
(void) memcpy(cp, &tmp, sizeof (tmp));
}
}
char const *
elfsign_strerror(ELFsign_status_t elferror)
{
char const *msg = NULL;
switch (elferror) {
case ELFSIGN_SUCCESS:
msg = gettext("sign or verify of ELF object succeeded");
break;
case ELFSIGN_FAILED:
msg = gettext("sign or verify of ELF object failed");
break;
case ELFSIGN_NOTSIGNED:
msg = gettext("ELF object not signed");
break;
case ELFSIGN_INVALID_CERTPATH:
msg = gettext("cannot access certificate");
break;
case ELFSIGN_INVALID_ELFOBJ:
msg = gettext("unable to open as an ELF object");
break;
case ELFSIGN_UNKNOWN:
default:
msg = gettext("Unknown error");
break;
}
return (msg);
}
boolean_t
elfsign_sig_info(struct filesignatures *fssp, struct ELFsign_sig_info **esipp)
{
struct filesig_extraction fsx;
struct ELFsign_sig_info *esip;
esip = (struct ELFsign_sig_info *)
calloc(1, sizeof (struct ELFsign_sig_info));
*esipp = esip;
if (esip == NULL)
return (B_FALSE);
switch (filesig_extract(&fssp->filesig_sig, &fsx)) {
case FILESIG_VERSION1:
case FILESIG_VERSION2:
case FILESIG_VERSION3:
case FILESIG_VERSION4:
esip->esi_format = fsx.fsx_format;
esip->esi_signer = strdup(fsx.fsx_signer_DN);
esip->esi_time = fsx.fsx_time;
break;
default:
free(esip);
*esipp = NULL;
}
return (*esipp != NULL);
}
void
elfsign_sig_info_free(struct ELFsign_sig_info *esip)
{
if (esip != NULL) {
free(esip->esi_signer);
free(esip);
}
}
