1 /*- 2 * Copyright (c) 2017-2018, Juniper Networks, Inc. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 14 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 15 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 16 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 17 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 19 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include <sys/cdefs.h> 26 __FBSDID("$FreeBSD$"); 27 #include <sys/queue.h> 28 29 #include "libsecureboot-priv.h" 30 31 32 struct fingerprint_info { 33 char *fi_prefix; /**< manifest entries relative to */ 34 char *fi_skip; /**< manifest entries prefixed with */ 35 const char *fi_data; /**< manifest data */ 36 size_t fi_prefix_len; /**< length of prefix */ 37 size_t fi_skip_len; /**< length of skip */ 38 dev_t fi_dev; /**< device id */ 39 LIST_ENTRY(fingerprint_info) entries; 40 }; 41 42 static LIST_HEAD(, fingerprint_info) fi_list; 43 44 static void 45 fingerprint_info_init(void) 46 { 47 static int once; 48 49 if (once) 50 return; 51 LIST_INIT(&fi_list); 52 once = 1; 53 } 54 55 /** 56 * @brief 57 * add manifest data to list 58 * 59 * list is kept sorted by longest prefix. 60 * 61 * @param[in] prefix 62 * path that all manifest entries are resolved via 63 * 64 * @param[in] skip 65 * optional prefix within manifest entries which should be skipped 66 * 67 * @param[in] data 68 * manifest data 69 */ 70 void 71 fingerprint_info_add(const char *filename, const char *prefix, 72 const char *skip, const char *data, struct stat *stp) 73 { 74 struct fingerprint_info *fip, *nfip, *lfip; 75 char *cp; 76 int n; 77 78 fingerprint_info_init(); 79 nfip = malloc(sizeof(struct fingerprint_info)); 80 if (prefix) { 81 nfip->fi_prefix = strdup(prefix); 82 } else { 83 if (!filename) { 84 free(nfip); 85 return; 86 } 87 nfip->fi_prefix = strdup(filename); 88 cp = strrchr(nfip->fi_prefix, '/'); 89 if (cp) 90 *cp = '\0'; 91 else { 92 free(nfip->fi_prefix); 93 free(nfip); 94 return; 95 } 96 } 97 /* collapse any trailing ..[/] */ 98 n = 0; 99 while ((cp = strrchr(nfip->fi_prefix, '/')) != NULL) { 100 if (cp[1] == '\0') { /* trailing "/" */ 101 *cp = '\0'; 102 continue; 103 } 104 if (strcmp(&cp[1], "..") == 0) { 105 n++; 106 *cp = '\0'; 107 continue; 108 } 109 if (n > 0) { 110 n--; 111 *cp = '\0'; 112 } 113 if (n == 0) 114 break; 115 } 116 #ifdef UNIT_TEST 117 nfip->fi_dev = 0; 118 #else 119 nfip->fi_dev = stp->st_dev; 120 #endif 121 nfip->fi_data = data; 122 nfip->fi_prefix_len = strlen(nfip->fi_prefix); 123 if (skip) { 124 nfip->fi_skip_len = strlen(skip); 125 if (nfip->fi_skip_len) 126 nfip->fi_skip = strdup(skip); 127 else 128 nfip->fi_skip = NULL; 129 } else { 130 nfip->fi_skip = NULL; 131 nfip->fi_skip_len = 0; 132 } 133 134 if (LIST_EMPTY(&fi_list)) { 135 LIST_INSERT_HEAD(&fi_list, nfip, entries); 136 DEBUG_PRINTF(4, ("inserted %zu %s at head\n", 137 nfip->fi_prefix_len, nfip->fi_prefix)); 138 return; 139 } 140 LIST_FOREACH(fip, &fi_list, entries) { 141 if (nfip->fi_prefix_len >= fip->fi_prefix_len) { 142 LIST_INSERT_BEFORE(fip, nfip, entries); 143 DEBUG_PRINTF(4, ("inserted %zu %s before %zu %s\n", 144 nfip->fi_prefix_len, nfip->fi_prefix, 145 fip->fi_prefix_len, fip->fi_prefix)); 146 return; 147 } 148 lfip = fip; 149 } 150 LIST_INSERT_AFTER(lfip, nfip, entries); 151 DEBUG_PRINTF(4, ("inserted %zu %s after %zu %s\n", 152 nfip->fi_prefix_len, nfip->fi_prefix, 153 lfip->fi_prefix_len, lfip->fi_prefix)); 154 } 155 156 #ifdef MANIFEST_SKIP_MAYBE 157 /* 158 * Deal with old incompatible boot/manifest 159 * if fp[-1] is '/' and start of entry matches 160 * MANIFEST_SKIP_MAYBE, we want it. 161 */ 162 static char * 163 maybe_skip(char *fp, struct fingerprint_info *fip, size_t *nplenp) 164 { 165 char *tp; 166 167 tp = fp - sizeof(MANIFEST_SKIP_MAYBE); 168 169 if (tp >= fip->fi_data) { 170 DEBUG_PRINTF(3, ("maybe: %.48s\n", tp)); 171 if ((tp == fip->fi_data || tp[-1] == '\n') && 172 strncmp(tp, MANIFEST_SKIP_MAYBE, 173 sizeof(MANIFEST_SKIP_MAYBE) - 1) == 0) { 174 fp = tp; 175 *nplenp += sizeof(MANIFEST_SKIP_MAYBE); 176 } 177 } 178 return (fp); 179 } 180 #endif 181 182 char * 183 fingerprint_info_lookup(int fd, const char *path) 184 { 185 char pbuf[MAXPATHLEN+1]; 186 char nbuf[MAXPATHLEN+1]; 187 struct stat st; 188 struct fingerprint_info *fip; 189 char *cp, *ep, *fp, *np; 190 const char *prefix; 191 size_t n, plen, nlen, nplen; 192 dev_t dev = 0; 193 194 fingerprint_info_init(); 195 196 n = strlcpy(pbuf, path, sizeof(pbuf)); 197 if (n >= sizeof(pbuf)) 198 return (NULL); 199 #ifndef UNIT_TEST 200 if (fstat(fd, &st) == 0) 201 dev = st.st_dev; 202 #endif 203 /* 204 * get the first entry - it will have longest prefix 205 * so we can can work out how to initially split path 206 */ 207 fip = LIST_FIRST(&fi_list); 208 if (!fip) 209 return (NULL); 210 prefix = pbuf; 211 ep = NULL; 212 cp = &pbuf[fip->fi_prefix_len]; 213 do { 214 if (ep) { 215 *ep = '/'; 216 cp -= 2; 217 if (cp < pbuf) 218 break; 219 } 220 nlen = plen = 0; /* keep gcc quiet */ 221 if (cp > pbuf) { 222 for ( ; cp >= pbuf && *cp != '/'; cp--) 223 ; /* nothing */ 224 if (cp > pbuf) { 225 ep = cp++; 226 *ep = '\0'; 227 } else { 228 cp = pbuf; 229 } 230 if (ep) { 231 plen = ep - pbuf; 232 nlen = n - plen - 1; 233 } 234 } 235 if (cp == pbuf) { 236 prefix = "/"; 237 plen = 1; 238 if (*cp == '/') { 239 nlen = n - 1; 240 cp++; 241 } else 242 nlen = n; 243 ep = NULL; 244 } 245 246 DEBUG_PRINTF(2, ("looking for %s %zu %s\n", prefix, plen, cp)); 247 248 LIST_FOREACH(fip, &fi_list, entries) { 249 DEBUG_PRINTF(4, ("at %zu %s\n", 250 fip->fi_prefix_len, fip->fi_prefix)); 251 252 if (fip->fi_prefix_len < plen) { 253 DEBUG_PRINTF(3, ("skipping prefix=%s %zu %zu\n", 254 fip->fi_prefix, fip->fi_prefix_len, 255 plen)); 256 break; 257 } 258 if (fip->fi_prefix_len == plen) { 259 if (fip->fi_dev != 0 && fip->fi_dev != dev) { 260 DEBUG_PRINTF(3, ( 261 "skipping dev=%ld != %ld\n", 262 (long)fip->fi_dev, 263 (long)dev)); 264 continue; 265 } 266 if (strcmp(prefix, fip->fi_prefix)) { 267 DEBUG_PRINTF(3, ( 268 "skipping prefix=%s\n", 269 fip->fi_prefix)); 270 continue; 271 } 272 DEBUG_PRINTF(3, ("checking prefix=%s\n", 273 fip->fi_prefix)); 274 if (fip->fi_skip_len) { 275 np = nbuf; 276 nplen = snprintf(nbuf, sizeof(nbuf), 277 "%s/%s", 278 fip->fi_skip, cp); 279 nplen = MIN(nplen, sizeof(nbuf) - 1); 280 } else { 281 np = cp; 282 nplen = nlen; 283 } 284 DEBUG_PRINTF(3, ("lookup: '%s'\n", np)); 285 if (!(fp = strstr(fip->fi_data, np))) 286 continue; 287 #ifdef MANIFEST_SKIP_MAYBE 288 if (fip->fi_skip_len == 0 && 289 fp > fip->fi_data && fp[-1] == '/') { 290 fp = maybe_skip(fp, fip, &nplen); 291 } 292 #endif 293 /* 294 * when we find a match: 295 * fp[nplen] will be space and 296 * fp will be fip->fi_data or 297 * fp[-1] will be \n 298 */ 299 if (!((fp == fip->fi_data || fp[-1] == '\n') && 300 fp[nplen] == ' ')) { 301 do { 302 fp++; 303 fp = strstr(fp, np); 304 if (fp) { 305 #ifdef MANIFEST_SKIP_MAYBE 306 if (fip->fi_skip_len == 0 && 307 fp > fip->fi_data && 308 fp[-1] == '/') { 309 fp = maybe_skip(fp, fip, &nplen); 310 } 311 #endif 312 DEBUG_PRINTF(3, 313 ("fp[-1]=%#x fp[%zu]=%#x fp=%.78s\n", 314 fp[-1], nplen, 315 fp[nplen], 316 fp)); 317 } 318 } while (fp != NULL && 319 !(fp[-1] == '\n' && 320 fp[nplen] == ' ')); 321 if (!fp) 322 continue; 323 } 324 DEBUG_PRINTF(2, ("found %.78s\n", fp)); 325 /* we have a match! */ 326 for (cp = &fp[nplen]; *cp == ' '; cp++) 327 ; /* nothing */ 328 return (cp); 329 } else { 330 DEBUG_PRINTF(3, 331 ("Ignoring prefix=%s\n", fip->fi_prefix)); 332 } 333 } 334 } while (cp > &pbuf[1]); 335 336 return (NULL); 337 } 338 339 static int 340 verify_fingerprint(int fd, const char *path, const char *cp, off_t off) 341 { 342 unsigned char buf[PAGE_SIZE]; 343 const br_hash_class *md; 344 br_hash_compat_context mctx; 345 size_t hlen; 346 int n; 347 348 if (strncmp(cp, "sha256=", 7) == 0) { 349 md = &br_sha256_vtable; 350 hlen = br_sha256_SIZE; 351 cp += 7; 352 #ifdef VE_SHA1_SUPPORT 353 } else if (strncmp(cp, "sha1=", 5) == 0) { 354 md = &br_sha1_vtable; 355 hlen = br_sha1_SIZE; 356 cp += 5; 357 #endif 358 #ifdef VE_SHA384_SUPPORT 359 } else if (strncmp(cp, "sha384=", 7) == 0) { 360 md = &br_sha384_vtable; 361 hlen = br_sha384_SIZE; 362 cp += 7; 363 #endif 364 #ifdef VE_SHA512_SUPPORT 365 } else if (strncmp(cp, "sha512=", 7) == 0) { 366 md = &br_sha512_vtable; 367 hlen = br_sha512_SIZE; 368 cp += 7; 369 #endif 370 } else { 371 ve_error_set("%s: no supported fingerprint", path); 372 return (VE_FINGERPRINT_UNKNOWN); 373 } 374 375 md->init(&mctx.vtable); 376 if (off) 377 lseek(fd, 0, SEEK_SET); 378 do { 379 n = read(fd, buf, sizeof(buf)); 380 if (n < 0) 381 return (n); 382 if (n > 0) 383 md->update(&mctx.vtable, buf, n); 384 } while (n > 0); 385 lseek(fd, off, SEEK_SET); 386 return (ve_check_hash(&mctx, md, path, cp, hlen)); 387 } 388 389 390 /** 391 * @brief 392 * verify an open file 393 * 394 * @param[in] fd 395 * open descriptor 396 * 397 * @param[in] path 398 * pathname to open 399 * 400 * @param[in] off 401 * current offset 402 * 403 * @return 0, VE_FINGERPRINT_OK or VE_FINGERPRINT_NONE, VE_FINGERPRINT_WRONG 404 */ 405 int 406 verify_fd(int fd, const char *path, off_t off, struct stat *stp) 407 { 408 struct stat st; 409 char *cp; 410 int rc; 411 412 if (!stp) { 413 if (fstat(fd, &st) == 0) 414 stp = &st; 415 } 416 if (stp && !S_ISREG(stp->st_mode)) 417 return (0); /* not relevant */ 418 cp = fingerprint_info_lookup(fd, path); 419 if (!cp) { 420 ve_error_set("%s: no entry", path); 421 return (VE_FINGERPRINT_NONE); 422 } 423 rc = verify_fingerprint(fd, path, cp, off); 424 switch (rc) { 425 case VE_FINGERPRINT_OK: 426 case VE_FINGERPRINT_UNKNOWN: 427 return (rc); 428 default: 429 return (VE_FINGERPRINT_WRONG); 430 } 431 } 432 433 /** 434 * @brief 435 * open a file if it can be verified 436 * 437 * @param[in] path 438 * pathname to open 439 * 440 * @param[in] flags 441 * flags for open 442 * 443 * @return fd or VE_FINGERPRINT_NONE, VE_FINGERPRINT_WRONG 444 */ 445 int 446 verify_open(const char *path, int flags) 447 { 448 int fd; 449 int rc; 450 451 if ((fd = open(path, flags)) >= 0) { 452 if ((rc = verify_fd(fd, path, 0, NULL)) < 0) { 453 close(fd); 454 fd = rc; 455 } 456 } 457 return (fd); 458 } 459