xref: /titanic_52/usr/src/uts/common/sys/crypto/elfsign.h (revision 948f2876ce2a3010558f4f6937e16086ebcd36f2)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SYS_CRYPTO_ELFSIGN_H
27 #define	_SYS_CRYPTO_ELFSIGN_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34 
35 /*
36  * Consolidation Private Interface for elfsign/libpkcs11/kcfd
37  */
38 
39 #include <sys/types.h>
40 #include <sys/param.h>
41 
42 /*
43  * Project Private structures and types used for communication between kcfd
44  * and KCF over the door.
45  */
46 
47 typedef enum ELFsign_status_e {
48 	ELFSIGN_UNKNOWN,
49 	ELFSIGN_SUCCESS,
50 	ELFSIGN_FAILED,
51 	ELFSIGN_NOTSIGNED,
52 	ELFSIGN_INVALID_CERTPATH,
53 	ELFSIGN_INVALID_ELFOBJ,
54 	ELFSIGN_RESTRICTED
55 } ELFsign_status_t;
56 
57 #define	KCF_KCFD_VERSION1	1
58 #define	SIG_MAX_LENGTH		1024
59 
60 #define	ELF_SIGNATURE_SECTION	".SUNW_signature"
61 #define	ELFSIGN_CRYPTO		"Solaris Cryptographic Framework"
62 #define	USAGELIMITED		"OU=UsageLimited"
63 #define	ESA			".esa"
64 #define	ESA_LEN			sizeof (".esa")
65 
66 typedef struct kcf_door_arg_s {
67 	short		da_version;
68 	boolean_t	da_iskernel;
69 
70 	union {
71 		char filename[MAXPATHLEN];	/* For request */
72 
73 		struct kcf_door_result_s {	/* For response */
74 			ELFsign_status_t	status;
75 			uint32_t		siglen;
76 			uchar_t			signature[1];
77 		} result;
78 	} da_u;
79 } kcf_door_arg_t;
80 
81 typedef uint32_t	filesig_vers_t;
82 
83 /*
84  * File Signature Structure
85  *	Applicable to ELF and other file formats
86  */
87 struct filesignatures {
88 	uint32_t	filesig_cnt;	/* count of signatures */
89 	uint32_t	filesig_pad;	/* unused */
90 	union {
91 		char	filesig_data[1];
92 		struct filesig {	/* one of these for each signature */
93 			uint32_t	filesig_size;
94 			filesig_vers_t	filesig_version;
95 			union {
96 				struct filesig_version1 {
97 					uint32_t	filesig_v1_dnsize;
98 					uint32_t	filesig_v1_sigsize;
99 					uint32_t	filesig_v1_oidsize;
100 					char	filesig_v1_data[1];
101 				} filesig_v1;
102 				struct filesig_version3 {
103 					uint64_t	filesig_v3_time;
104 					uint32_t	filesig_v3_dnsize;
105 					uint32_t	filesig_v3_sigsize;
106 					uint32_t	filesig_v3_oidsize;
107 					char	filesig_v3_data[1];
108 				} filesig_v3;
109 			} _u2;
110 		} filesig_sig;
111 		uint64_t filesig_align;
112 	} _u1;
113 };
114 #define	filesig_sig		_u1.filesig_sig
115 
116 #define	filesig_v1_dnsize	_u2.filesig_v1.filesig_v1_dnsize
117 #define	filesig_v1_sigsize	_u2.filesig_v1.filesig_v1_sigsize
118 #define	filesig_v1_oidsize	_u2.filesig_v1.filesig_v1_oidsize
119 #define	filesig_v1_data		_u2.filesig_v1.filesig_v1_data
120 
121 #define	filesig_v3_time		_u2.filesig_v3.filesig_v3_time
122 #define	filesig_v3_dnsize	_u2.filesig_v3.filesig_v3_dnsize
123 #define	filesig_v3_sigsize	_u2.filesig_v3.filesig_v3_sigsize
124 #define	filesig_v3_oidsize	_u2.filesig_v3.filesig_v3_oidsize
125 #define	filesig_v3_data		_u2.filesig_v3.filesig_v3_data
126 
127 #define	filesig_ALIGN(s)	(((s) + sizeof (uint64_t) - 1) & \
128 				    (-sizeof (uint64_t)))
129 #define	filesig_next(ptr)	(struct filesig *)((void *)((char *)(ptr) + \
130 				    filesig_ALIGN((ptr)->filesig_size)))
131 
132 #define	FILESIG_UNKNOWN		0	/* unrecognized version */
133 #define	FILESIG_VERSION1	1	/* version1, all but sig section */
134 #define	FILESIG_VERSION2	2	/* version1 format, SHF_ALLOC only */
135 #define	FILESIG_VERSION3	3	/* version3, all but sig section */
136 #define	FILESIG_VERSION4	4	/* version3 format, SHF_ALLOC only */
137 
138 #ifndef	_KERNEL
139 
140 #define	_PATH_KCFD_DOOR	"/var/run/kcfd_door"
141 
142 #define	ES_FMT_RSA_MD5_SHA1	"rsa_md5_sha1"
143 #define	ES_FMT_RSA_SHA1		"rsa_sha1"
144 enum ES_ACTION {
145 	ES_GET,
146 	ES_GET_CRYPTO,
147 	ES_UPDATE,
148 	ES_UPDATE_RSA_MD5_SHA1,
149 	ES_UPDATE_RSA_SHA1
150 };
151 #define	ES_ACTISUPDATE(a)	((a) >= ES_UPDATE)
152 
153 /*
154  * ELF signature handling
155  */
156 typedef struct ELFsign_s *ELFsign_t;
157 struct ELFsign_sig_info {
158 	char	*esi_format;
159 	char	*esi_signer;
160 	time_t	esi_time;
161 };
162 
163 extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
164     struct filesignatures *fsp, const char *dn, int dn_len,
165     const uchar_t *sig, int sig_len, const char *oid, int oid_len);
166 extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
167     struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
168 extern ELFsign_status_t elfsign_begin(const char *,
169     const char *, char *, enum ES_ACTION, ELFsign_t *);
170 extern void elfsign_end(ELFsign_t ess);
171 extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
172     struct ELFsign_sig_info **esipp);
173 extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
174     size_t *hash_len);
175 extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
176     uchar_t *hash, size_t *hash_len);
177 extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess,
178     uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len);
179 extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
180     enum ES_ACTION action);
181 
182 extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
183     struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);
184 
185 extern char const *elfsign_strerror(ELFsign_status_t);
186 extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
187     struct ELFsign_sig_info **esipp);
188 extern void elfsign_sig_info_free(struct ELFsign_sig_info *);
189 
190 extern ELFsign_t elfsign_new_ess(void);
191 
192 /*
193  * ELF "Certificate Library"
194  */
195 
196 extern const char _PATH_ELFSIGN_CERTS[];
197 
198 #define	ELFCERT_MAX_DN_LEN	255
199 
200 typedef struct ELFCert_s *ELFCert_t;
201 
202 extern boolean_t elfcertlib_init(ELFsign_t, char *);
203 
204 extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
205 	char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
206 extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
207 extern char *elfcertlib_getdn(ELFCert_t cert);
208 extern char *elfcertlib_getissuer(ELFCert_t cert);
209 
210 extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
211 	const char *path);
212 extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
213 	const char *token_id, const char *pin);
214 
215 extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
216 	const uchar_t *data, size_t data_len, uchar_t *sig,
217 	size_t *sig_len);
218 
219 #endif	/* _KERNEL */
220 
221 #ifdef __cplusplus
222 }
223 #endif
224 
225 #endif /* _SYS_CRYPTO_ELFSIGN_H */
226