1 /*- 2 * Copyright (c) 2014 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Edward Tomasz Napierala under sponsorship 6 * from the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31 #include <sys/cdefs.h> 32 __FBSDID("$FreeBSD$"); 33 34 #include <sys/param.h> 35 #include <sys/capsicum.h> 36 #include <sys/types.h> 37 #include <sys/stat.h> 38 #include <assert.h> 39 #include <err.h> 40 #include <errno.h> 41 #include <stdio.h> 42 #include <stdlib.h> 43 #include <string.h> 44 #include <unistd.h> 45 46 #include <openssl/evp.h> 47 #include <openssl/err.h> 48 #include <openssl/pem.h> 49 50 #include "uefisign.h" 51 52 static void 53 load(struct executable *x) 54 { 55 int error, fd; 56 struct stat sb; 57 char *buf; 58 size_t nread, len; 59 60 fd = fileno(x->x_fp); 61 62 error = fstat(fd, &sb); 63 if (error != 0) 64 err(1, "%s: fstat", x->x_path); 65 66 len = sb.st_size; 67 if (len <= 0) 68 errx(1, "%s: file is empty", x->x_path); 69 70 buf = malloc(len); 71 if (buf == NULL) 72 err(1, "%s: cannot malloc %zd bytes", x->x_path, len); 73 74 nread = fread(buf, len, 1, x->x_fp); 75 if (nread != 1) 76 err(1, "%s: fread", x->x_path); 77 78 x->x_buf = buf; 79 x->x_len = len; 80 } 81 82 static void 83 digest_range(struct executable *x, EVP_MD_CTX *mdctx, off_t off, size_t len) 84 { 85 int ok; 86 87 range_check(x, off, len, "chunk"); 88 89 ok = EVP_DigestUpdate(mdctx, x->x_buf + off, len); 90 if (ok == 0) { 91 ERR_print_errors_fp(stderr); 92 errx(1, "EVP_DigestUpdate(3) failed"); 93 } 94 } 95 96 static void 97 digest(struct executable *x) 98 { 99 EVP_MD_CTX *mdctx; 100 const EVP_MD *md; 101 size_t sum_of_bytes_hashed; 102 int i, ok; 103 104 /* 105 * Windows Authenticode Portable Executable Signature Format 106 * spec version 1.0 specifies MD5 and SHA1. However, pesign 107 * and sbsign both use SHA256, so do the same. 108 */ 109 md = EVP_get_digestbyname(DIGEST); 110 if (md == NULL) { 111 ERR_print_errors_fp(stderr); 112 errx(1, "EVP_get_digestbyname(\"%s\") failed", DIGEST); 113 } 114 115 mdctx = EVP_MD_CTX_create(); 116 if (mdctx == NULL) { 117 ERR_print_errors_fp(stderr); 118 errx(1, "EVP_MD_CTX_create(3) failed"); 119 } 120 121 ok = EVP_DigestInit_ex(mdctx, md, NULL); 122 if (ok == 0) { 123 ERR_print_errors_fp(stderr); 124 errx(1, "EVP_DigestInit_ex(3) failed"); 125 } 126 127 /* 128 * According to the Authenticode spec, we need to compute 129 * the digest in a rather... specific manner; see "Calculating 130 * the PE Image Hash" part of the spec for details. 131 * 132 * First, everything from 0 to before the PE checksum. 133 */ 134 digest_range(x, mdctx, 0, x->x_checksum_off); 135 136 /* 137 * Second, from after the PE checksum to before the Certificate 138 * entry in Data Directory. 139 */ 140 digest_range(x, mdctx, x->x_checksum_off + x->x_checksum_len, 141 x->x_certificate_entry_off - 142 (x->x_checksum_off + x->x_checksum_len)); 143 144 /* 145 * Then, from after the Certificate entry to the end of headers. 146 */ 147 digest_range(x, mdctx, 148 x->x_certificate_entry_off + x->x_certificate_entry_len, 149 x->x_headers_len - 150 (x->x_certificate_entry_off + x->x_certificate_entry_len)); 151 152 /* 153 * Then, each section in turn, as specified in the PE Section Table. 154 * 155 * XXX: Sorting. 156 */ 157 sum_of_bytes_hashed = x->x_headers_len; 158 for (i = 0; i < x->x_nsections; i++) { 159 digest_range(x, mdctx, 160 x->x_section_off[i], x->x_section_len[i]); 161 sum_of_bytes_hashed += x->x_section_len[i]; 162 } 163 164 /* 165 * I believe this can happen with overlapping sections. 166 */ 167 if (sum_of_bytes_hashed > x->x_len) 168 errx(1, "number of bytes hashed is larger than file size"); 169 170 /* 171 * I can't really explain this one; just do what the spec says. 172 */ 173 if (sum_of_bytes_hashed < x->x_len) { 174 digest_range(x, mdctx, sum_of_bytes_hashed, 175 x->x_len - (signature_size(x) + sum_of_bytes_hashed)); 176 } 177 178 ok = EVP_DigestFinal_ex(mdctx, x->x_digest, &x->x_digest_len); 179 if (ok == 0) { 180 ERR_print_errors_fp(stderr); 181 errx(1, "EVP_DigestFinal_ex(3) failed"); 182 } 183 184 EVP_MD_CTX_destroy(mdctx); 185 } 186 187 static void 188 show_digest(const struct executable *x) 189 { 190 int i; 191 192 printf("computed %s digest ", DIGEST); 193 for (i = 0; i < (int)x->x_digest_len; i++) 194 printf("%02x", (unsigned char)x->x_digest[i]); 195 printf("; digest len %u\n", x->x_digest_len); 196 } 197 198 static void 199 send_digest(const struct executable *x, int pipefd) 200 { 201 202 send_chunk(x->x_digest, x->x_digest_len, pipefd); 203 } 204 205 static void 206 receive_signature(struct executable *x, int pipefd) 207 { 208 209 receive_chunk(&x->x_signature, &x->x_signature_len, pipefd); 210 } 211 212 static void 213 save(struct executable *x, FILE *fp, const char *path) 214 { 215 size_t nwritten; 216 217 assert(fp != NULL); 218 assert(path != NULL); 219 220 nwritten = fwrite(x->x_buf, x->x_len, 1, fp); 221 if (nwritten != 1) 222 err(1, "%s: fwrite", path); 223 } 224 225 int 226 child(const char *inpath, const char *outpath, int pipefd, 227 bool Vflag, bool vflag) 228 { 229 int error; 230 FILE *outfp = NULL, *infp = NULL; 231 struct executable *x; 232 233 infp = checked_fopen(inpath, "r"); 234 if (outpath != NULL) 235 outfp = checked_fopen(outpath, "w"); 236 237 error = cap_enter(); 238 if (error != 0 && errno != ENOSYS) 239 err(1, "cap_enter"); 240 241 x = calloc(1, sizeof(*x)); 242 if (x == NULL) 243 err(1, "calloc"); 244 x->x_path = inpath; 245 x->x_fp = infp; 246 247 load(x); 248 parse(x); 249 if (Vflag) { 250 if (signature_size(x) == 0) 251 errx(1, "file not signed"); 252 253 printf("file contains signature\n"); 254 if (vflag) { 255 digest(x); 256 show_digest(x); 257 show_certificate(x); 258 } 259 } else { 260 if (signature_size(x) != 0) 261 errx(1, "file already signed"); 262 263 digest(x); 264 if (vflag) 265 show_digest(x); 266 send_digest(x, pipefd); 267 receive_signature(x, pipefd); 268 update(x); 269 save(x, outfp, outpath); 270 } 271 272 return (0); 273 } 274