verify_pefile.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456
  1. /* Parse a signed PE binary
  2. *
  3. * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
  4. * Written by David Howells (dhowells@redhat.com)
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public Licence
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the Licence, or (at your option) any later version.
  10. */
  11. #define pr_fmt(fmt) "PEFILE: "fmt
  12. #include <linux/module.h>
  13. #include <linux/kernel.h>
  14. #include <linux/slab.h>
  15. #include <linux/err.h>
  16. #include <linux/pe.h>
  17. #include <linux/asn1.h>
  18. #include <linux/verification.h>
  19. #include <crypto/hash.h>
  20. #include "verify_pefile.h"
  21. /*
  22. * Parse a PE binary.
  23. */
  24. static int pefile_parse_binary(const void *pebuf, unsigned int pelen,
  25. struct pefile_context *ctx)
  26. {
  27. const struct mz_hdr *mz = pebuf;
  28. const struct pe_hdr *pe;
  29. const struct pe32_opt_hdr *pe32;
  30. const struct pe32plus_opt_hdr *pe64;
  31. const struct data_directory *ddir;
  32. const struct data_dirent *dde;
  33. const struct section_header *secs, *sec;
  34. size_t cursor, datalen = pelen;
  35. kenter("");
  36. #define chkaddr(base, x, s) \
  37. do { \
  38. if ((x) < base || (s) >= datalen || (x) > datalen - (s)) \
  39. return -ELIBBAD; \
  40. } while (0)
  41. chkaddr(0, 0, sizeof(*mz));
  42. if (mz->magic != MZ_MAGIC)
  43. return -ELIBBAD;
  44. cursor = sizeof(*mz);
  45. chkaddr(cursor, mz->peaddr, sizeof(*pe));
  46. pe = pebuf + mz->peaddr;
  47. if (pe->magic != PE_MAGIC)
  48. return -ELIBBAD;
  49. cursor = mz->peaddr + sizeof(*pe);
  50. chkaddr(0, cursor, sizeof(pe32->magic));
  51. pe32 = pebuf + cursor;
  52. pe64 = pebuf + cursor;
  53. switch (pe32->magic) {
  54. case PE_OPT_MAGIC_PE32:
  55. chkaddr(0, cursor, sizeof(*pe32));
  56. ctx->image_checksum_offset =
  57. (unsigned long)&pe32->csum - (unsigned long)pebuf;
  58. ctx->header_size = pe32->header_size;
  59. cursor += sizeof(*pe32);
  60. ctx->n_data_dirents = pe32->data_dirs;
  61. break;
  62. case PE_OPT_MAGIC_PE32PLUS:
  63. chkaddr(0, cursor, sizeof(*pe64));
  64. ctx->image_checksum_offset =
  65. (unsigned long)&pe64->csum - (unsigned long)pebuf;
  66. ctx->header_size = pe64->header_size;
  67. cursor += sizeof(*pe64);
  68. ctx->n_data_dirents = pe64->data_dirs;
  69. break;
  70. default:
  71. pr_debug("Unknown PEOPT magic = %04hx\n", pe32->magic);
  72. return -ELIBBAD;
  73. }
  74. pr_debug("checksum @ %x\n", ctx->image_checksum_offset);
  75. pr_debug("header size = %x\n", ctx->header_size);
  76. if (cursor >= ctx->header_size || ctx->header_size >= datalen)
  77. return -ELIBBAD;
  78. if (ctx->n_data_dirents > (ctx->header_size - cursor) / sizeof(*dde))
  79. return -ELIBBAD;
  80. ddir = pebuf + cursor;
  81. cursor += sizeof(*dde) * ctx->n_data_dirents;
  82. ctx->cert_dirent_offset =
  83. (unsigned long)&ddir->certs - (unsigned long)pebuf;
  84. ctx->certs_size = ddir->certs.size;
  85. if (!ddir->certs.virtual_address || !ddir->certs.size) {
  86. pr_debug("Unsigned PE binary\n");
  87. return -EKEYREJECTED;
  88. }
  89. chkaddr(ctx->header_size, ddir->certs.virtual_address,
  90. ddir->certs.size);
  91. ctx->sig_offset = ddir->certs.virtual_address;
  92. ctx->sig_len = ddir->certs.size;
  93. pr_debug("cert = %x @%x [%*ph]\n",
  94. ctx->sig_len, ctx->sig_offset,
  95. ctx->sig_len, pebuf + ctx->sig_offset);
  96. ctx->n_sections = pe->sections;
  97. if (ctx->n_sections > (ctx->header_size - cursor) / sizeof(*sec))
  98. return -ELIBBAD;
  99. ctx->secs = secs = pebuf + cursor;
  100. return 0;
  101. }
  102. /*
  103. * Check and strip the PE wrapper from around the signature and check that the
  104. * remnant looks something like PKCS#7.
  105. */
  106. static int pefile_strip_sig_wrapper(const void *pebuf,
  107. struct pefile_context *ctx)
  108. {
  109. struct win_certificate wrapper;
  110. const u8 *pkcs7;
  111. unsigned len;
  112. if (ctx->sig_len < sizeof(wrapper)) {
  113. pr_debug("Signature wrapper too short\n");
  114. return -ELIBBAD;
  115. }
  116. memcpy(&wrapper, pebuf + ctx->sig_offset, sizeof(wrapper));
  117. pr_debug("sig wrapper = { %x, %x, %x }\n",
  118. wrapper.length, wrapper.revision, wrapper.cert_type);
  119. /* Both pesign and sbsign round up the length of certificate table
  120. * (in optional header data directories) to 8 byte alignment.
  121. */
  122. if (round_up(wrapper.length, 8) != ctx->sig_len) {
  123. pr_debug("Signature wrapper len wrong\n");
  124. return -ELIBBAD;
  125. }
  126. if (wrapper.revision != WIN_CERT_REVISION_2_0) {
  127. pr_debug("Signature is not revision 2.0\n");
  128. return -ENOTSUPP;
  129. }
  130. if (wrapper.cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA) {
  131. pr_debug("Signature certificate type is not PKCS\n");
  132. return -ENOTSUPP;
  133. }
  134. /* It looks like the pkcs signature length in wrapper->length and the
  135. * size obtained from the data dir entries, which lists the total size
  136. * of certificate table, are both aligned to an octaword boundary, so
  137. * we may have to deal with some padding.
  138. */
  139. ctx->sig_len = wrapper.length;
  140. ctx->sig_offset += sizeof(wrapper);
  141. ctx->sig_len -= sizeof(wrapper);
  142. if (ctx->sig_len < 4) {
  143. pr_debug("Signature data missing\n");
  144. return -EKEYREJECTED;
  145. }
  146. /* What's left should be a PKCS#7 cert */
  147. pkcs7 = pebuf + ctx->sig_offset;
  148. if (pkcs7[0] != (ASN1_CONS_BIT | ASN1_SEQ))
  149. goto not_pkcs7;
  150. switch (pkcs7[1]) {
  151. case 0 ... 0x7f:
  152. len = pkcs7[1] + 2;
  153. goto check_len;
  154. case ASN1_INDEFINITE_LENGTH:
  155. return 0;
  156. case 0x81:
  157. len = pkcs7[2] + 3;
  158. goto check_len;
  159. case 0x82:
  160. len = ((pkcs7[2] << 8) | pkcs7[3]) + 4;
  161. goto check_len;
  162. case 0x83 ... 0xff:
  163. return -EMSGSIZE;
  164. default:
  165. goto not_pkcs7;
  166. }
  167. check_len:
  168. if (len <= ctx->sig_len) {
  169. /* There may be padding */
  170. ctx->sig_len = len;
  171. return 0;
  172. }
  173. not_pkcs7:
  174. pr_debug("Signature data not PKCS#7\n");
  175. return -ELIBBAD;
  176. }
  177. /*
  178. * Compare two sections for canonicalisation.
  179. */
  180. static int pefile_compare_shdrs(const void *a, const void *b)
  181. {
  182. const struct section_header *shdra = a;
  183. const struct section_header *shdrb = b;
  184. int rc;
  185. if (shdra->data_addr > shdrb->data_addr)
  186. return 1;
  187. if (shdrb->data_addr > shdra->data_addr)
  188. return -1;
  189. if (shdra->virtual_address > shdrb->virtual_address)
  190. return 1;
  191. if (shdrb->virtual_address > shdra->virtual_address)
  192. return -1;
  193. rc = strcmp(shdra->name, shdrb->name);
  194. if (rc != 0)
  195. return rc;
  196. if (shdra->virtual_size > shdrb->virtual_size)
  197. return 1;
  198. if (shdrb->virtual_size > shdra->virtual_size)
  199. return -1;
  200. if (shdra->raw_data_size > shdrb->raw_data_size)
  201. return 1;
  202. if (shdrb->raw_data_size > shdra->raw_data_size)
  203. return -1;
  204. return 0;
  205. }
  206. /*
  207. * Load the contents of the PE binary into the digest, leaving out the image
  208. * checksum and the certificate data block.
  209. */
  210. static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
  211. struct pefile_context *ctx,
  212. struct shash_desc *desc)
  213. {
  214. unsigned *canon, tmp, loop, i, hashed_bytes;
  215. int ret;
  216. /* Digest the header and data directory, but leave out the image
  217. * checksum and the data dirent for the signature.
  218. */
  219. ret = crypto_shash_update(desc, pebuf, ctx->image_checksum_offset);
  220. if (ret < 0)
  221. return ret;
  222. tmp = ctx->image_checksum_offset + sizeof(uint32_t);
  223. ret = crypto_shash_update(desc, pebuf + tmp,
  224. ctx->cert_dirent_offset - tmp);
  225. if (ret < 0)
  226. return ret;
  227. tmp = ctx->cert_dirent_offset + sizeof(struct data_dirent);
  228. ret = crypto_shash_update(desc, pebuf + tmp, ctx->header_size - tmp);
  229. if (ret < 0)
  230. return ret;
  231. canon = kcalloc(ctx->n_sections, sizeof(unsigned), GFP_KERNEL);
  232. if (!canon)
  233. return -ENOMEM;
  234. /* We have to canonicalise the section table, so we perform an
  235. * insertion sort.
  236. */
  237. canon[0] = 0;
  238. for (loop = 1; loop < ctx->n_sections; loop++) {
  239. for (i = 0; i < loop; i++) {
  240. if (pefile_compare_shdrs(&ctx->secs[canon[i]],
  241. &ctx->secs[loop]) > 0) {
  242. memmove(&canon[i + 1], &canon[i],
  243. (loop - i) * sizeof(canon[0]));
  244. break;
  245. }
  246. }
  247. canon[i] = loop;
  248. }
  249. hashed_bytes = ctx->header_size;
  250. for (loop = 0; loop < ctx->n_sections; loop++) {
  251. i = canon[loop];
  252. if (ctx->secs[i].raw_data_size == 0)
  253. continue;
  254. ret = crypto_shash_update(desc,
  255. pebuf + ctx->secs[i].data_addr,
  256. ctx->secs[i].raw_data_size);
  257. if (ret < 0) {
  258. kfree(canon);
  259. return ret;
  260. }
  261. hashed_bytes += ctx->secs[i].raw_data_size;
  262. }
  263. kfree(canon);
  264. if (pelen > hashed_bytes) {
  265. tmp = hashed_bytes + ctx->certs_size;
  266. ret = crypto_shash_update(desc,
  267. pebuf + hashed_bytes,
  268. pelen - tmp);
  269. if (ret < 0)
  270. return ret;
  271. }
  272. return 0;
  273. }
  274. /*
  275. * Digest the contents of the PE binary, leaving out the image checksum and the
  276. * certificate data block.
  277. */
  278. static int pefile_digest_pe(const void *pebuf, unsigned int pelen,
  279. struct pefile_context *ctx)
  280. {
  281. struct crypto_shash *tfm;
  282. struct shash_desc *desc;
  283. size_t digest_size, desc_size;
  284. void *digest;
  285. int ret;
  286. kenter(",%s", ctx->digest_algo);
  287. /* Allocate the hashing algorithm we're going to need and find out how
  288. * big the hash operational data will be.
  289. */
  290. tfm = crypto_alloc_shash(ctx->digest_algo, 0, 0);
  291. if (IS_ERR(tfm))
  292. return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
  293. desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
  294. digest_size = crypto_shash_digestsize(tfm);
  295. if (digest_size != ctx->digest_len) {
  296. pr_debug("Digest size mismatch (%zx != %x)\n",
  297. digest_size, ctx->digest_len);
  298. ret = -EBADMSG;
  299. goto error_no_desc;
  300. }
  301. pr_debug("Digest: desc=%zu size=%zu\n", desc_size, digest_size);
  302. ret = -ENOMEM;
  303. desc = kzalloc(desc_size + digest_size, GFP_KERNEL);
  304. if (!desc)
  305. goto error_no_desc;
  306. desc->tfm = tfm;
  307. desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
  308. ret = crypto_shash_init(desc);
  309. if (ret < 0)
  310. goto error;
  311. ret = pefile_digest_pe_contents(pebuf, pelen, ctx, desc);
  312. if (ret < 0)
  313. goto error;
  314. digest = (void *)desc + desc_size;
  315. ret = crypto_shash_final(desc, digest);
  316. if (ret < 0)
  317. goto error;
  318. pr_debug("Digest calc = [%*ph]\n", ctx->digest_len, digest);
  319. /* Check that the PE file digest matches that in the MSCODE part of the
  320. * PKCS#7 certificate.
  321. */
  322. if (memcmp(digest, ctx->digest, ctx->digest_len) != 0) {
  323. pr_debug("Digest mismatch\n");
  324. ret = -EKEYREJECTED;
  325. } else {
  326. pr_debug("The digests match!\n");
  327. }
  328. error:
  329. kfree(desc);
  330. error_no_desc:
  331. crypto_free_shash(tfm);
  332. kleave(" = %d", ret);
  333. return ret;
  334. }
  335. /**
  336. * verify_pefile_signature - Verify the signature on a PE binary image
  337. * @pebuf: Buffer containing the PE binary image
  338. * @pelen: Length of the binary image
  339. * @trust_keys: Signing certificate(s) to use as starting points
  340. * @usage: The use to which the key is being put.
  341. *
  342. * Validate that the certificate chain inside the PKCS#7 message inside the PE
  343. * binary image intersects keys we already know and trust.
  344. *
  345. * Returns, in order of descending priority:
  346. *
  347. * (*) -ELIBBAD if the image cannot be parsed, or:
  348. *
  349. * (*) -EKEYREJECTED if a signature failed to match for which we have a valid
  350. * key, or:
  351. *
  352. * (*) 0 if at least one signature chain intersects with the keys in the trust
  353. * keyring, or:
  354. *
  355. * (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
  356. * chain.
  357. *
  358. * (*) -ENOKEY if we couldn't find a match for any of the signature chains in
  359. * the message.
  360. *
  361. * May also return -ENOMEM.
  362. */
  363. int verify_pefile_signature(const void *pebuf, unsigned pelen,
  364. struct key *trusted_keys,
  365. enum key_being_used_for usage)
  366. {
  367. struct pefile_context ctx;
  368. int ret;
  369. kenter("");
  370. memset(&ctx, 0, sizeof(ctx));
  371. ret = pefile_parse_binary(pebuf, pelen, &ctx);
  372. if (ret < 0)
  373. return ret;
  374. ret = pefile_strip_sig_wrapper(pebuf, &ctx);
  375. if (ret < 0)
  376. return ret;
  377. ret = verify_pkcs7_signature(NULL, 0,
  378. pebuf + ctx.sig_offset, ctx.sig_len,
  379. trusted_keys, usage,
  380. mscode_parse, &ctx);
  381. if (ret < 0)
  382. goto error;
  383. pr_debug("Digest: %u [%*ph]\n",
  384. ctx.digest_len, ctx.digest_len, ctx.digest);
  385. /* Generate the digest and check against the PKCS7 certificate
  386. * contents.
  387. */
  388. ret = pefile_digest_pe(pebuf, pelen, &ctx);
  389. error:
  390. kfree(ctx.digest);
  391. return ret;
  392. }