1 /*-
2 * Copyright (c) 2018, Juniper Networks, Inc.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25 #include <sys/cdefs.h>
26 #ifndef _STANDALONE
27 /* Avoid unwanted userlandish components */
28 #define _KERNEL
29 #include <sys/errno.h>
30 #undef _KERNEL
31 #endif
32
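#ifdef VECTX_DEBUG
/* verbosity level: DEBUG_PRINTF(n, ...) prints only when n <= vectx_debug */
static int vectx_debug = VECTX_DEBUG;
/*
 * Wrapped in do { } while (0) so the macro is a single statement and
 * cannot capture a following `else` when used as an unbraced if-body.
 */
# define DEBUG_PRINTF(n, x) do { if (vectx_debug >= (n)) printf x; } while (0)
#endif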
37
38 #include "libsecureboot-priv.h"
39 #include <verify_file.h>
40
41 /**
42 * @file vectx.c
43 * @brief API to verify a file while it is being read
44 *
45 * This API allows the hash of a file to be computed as it is read.
46 * The key to this is that forward seeks are done by reading (and hashing) the skipped bytes.
47 *
48 * On close an indication of the verification result is returned.
49 */
50
struct vectx {
	br_hash_compat_context vec_ctx;	/* hash ctx */
	const br_hash_class *vec_md;	/* hash method (vtable picked from the fingerprint entry) */
	const char *vec_path;		/* path we are verifying (pointer kept, not copied) */
	const char *vec_want;		/* hash value we want, as found in the fingerprint entry */
	off_t vec_off;			/* current offset, as seen by the reader */
	off_t vec_hashed;		/* where we have hashed to; only ever grows */
	off_t vec_size;			/* size of path (from stat) */
	size_t vec_hashsz;		/* size of hash; 0 means reads/seeks pass straight through */
	int vec_fd;			/* file descriptor */
	int vec_status;			/* verification status: 0 or a VE_FINGERPRINT_* code */
	int vec_closing;		/* we are closing; only consulted for debug output */
};
64
65
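/**
 * @brief
 * verify an open file as we read it
 *
 * What happens depends on the result of verify_prep():
 * @li VE_FINGERPRINT_NONE, VE_FINGERPRINT_UNKNOWN or VE_FINGERPRINT_WRONG:
 *     no context is created, NULL is returned and @c error holds the code.
 * @li 0: the file is not to be verified; the returned context merely
 *     wraps @c fd and every read/seek passes straight through.
 * @li anything else: the fingerprint entry for the file is looked up.
 *     If there is no entry, or its hash type is not supported, we still
 *     return a context (which does no hashing) and report the status in
 *     @c error; vectx_close() returns that same status.
 *
 * @param[in] fd
 *	open descriptor
 *
 * @param[in] path
 *	pathname of @c fd; only the pointer is kept, so it must outlive
 *	the context
 *
 * @param[in] off
 *	current offset of @c fd; if > 0 the file is rewound and the
 *	already-consumed prefix is read through vectx_lseek() so that
 *	the hash covers the whole file
 *
 * @param[in] stp
 *	pointer to struct stat, or NULL to use a local one
 *
 * @param[out] error
 *	@li 0 all is good
 *	@li ENOMEM out of memory
 *	@li VE_FINGERPRINT_NONE no entry found
 *	@li VE_FINGERPRINT_UNKNOWN no supported fingerprint in entry
 *	@li VE_FINGERPRINT_WRONG reported by verify_prep()
 *	@li VE_FINGERPRINT_IGNORE entry says "no_hash"
 *
 * @param[in] caller
 *	name of the calling function, used for debug output only
 *
 * @return ctx or NULL on error.
 * NULL is returned when verify_prep() rejects the file or on
 * out-of-memory; in every other case a context is returned and
 * @c error says whether it will actually hash.
 */
struct vectx *
vectx_open(int fd, const char *path, off_t off, struct stat *stp,
    int *error, const char *caller)
{
	struct vectx *ctx;
	struct stat st;
	size_t hashsz;
	char *cp;
	int rc;

	if (!stp)
		stp = &st;

	rc = verify_prep(fd, path, off, stp, __func__);

	DEBUG_PRINTF(2,
	    ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n",
		caller, fd, path, rc));

	switch (rc) {
	case VE_FINGERPRINT_NONE:
	case VE_FINGERPRINT_UNKNOWN:
	case VE_FINGERPRINT_WRONG:
		/* verify_prep() has already decided; nothing to wrap */
		*error = rc;
		return (NULL);
	default:
		break;
	}
	ctx = malloc(sizeof(*ctx));
	if (!ctx) {
		/* unlikely */
		*error = ENOMEM;
		return (NULL);
	}
	ctx->vec_fd = fd;
	ctx->vec_path = path;
	ctx->vec_size = stp->st_size;
	ctx->vec_off = 0;
	ctx->vec_hashed = 0;
	ctx->vec_want = NULL;
	ctx->vec_md = NULL;	/* set only once the hash type is known */
	ctx->vec_status = 0;
	ctx->vec_hashsz = hashsz = 0;
	ctx->vec_closing = 0;

	if (rc == 0) {
		/* we are not verifying this */
		*error = 0;
		return (ctx);
	}
	cp = fingerprint_info_lookup(fd, path);
	if (!cp) {
		ctx->vec_status = VE_FINGERPRINT_NONE;
		ve_error_set("%s: no entry", path);
	} else {
		/*
		 * The entry is "<type>=<value>": pick the digest for
		 * <type> and leave cp pointing at the expected <value>.
		 * A "no_hash" entry means the file is explicitly exempt.
		 */
		if (strncmp(cp, "no_hash", 7) == 0) {
			ctx->vec_status = VE_FINGERPRINT_IGNORE;
			hashsz = 0;
		} else if (strncmp(cp, "sha256=", 7) == 0) {
			ctx->vec_md = &br_sha256_vtable;
			hashsz = br_sha256_SIZE;
			cp += 7;
#ifdef VE_SHA1_SUPPORT
		} else if (strncmp(cp, "sha1=", 5) == 0) {
			ctx->vec_md = &br_sha1_vtable;
			hashsz = br_sha1_SIZE;
			cp += 5;
#endif
#ifdef VE_SHA384_SUPPORT
		} else if (strncmp(cp, "sha384=", 7) == 0) {
			ctx->vec_md = &br_sha384_vtable;
			hashsz = br_sha384_SIZE;
			cp += 7;
#endif
#ifdef VE_SHA512_SUPPORT
		} else if (strncmp(cp, "sha512=", 7) == 0) {
			ctx->vec_md = &br_sha512_vtable;
			hashsz = br_sha512_SIZE;
			cp += 7;
#endif
		} else {
			ctx->vec_status = VE_FINGERPRINT_UNKNOWN;
			ve_error_set("%s: no supported fingerprint", path);
		}
	}
	*error = ctx->vec_status;
	ctx->vec_hashsz = hashsz;
	ctx->vec_want = cp;	/* NOTE(review): lifetime of the lookup result is assumed to cover the ctx - confirm */
	if (hashsz > 0) {
		ctx->vec_md->init(&ctx->vec_ctx.vtable);

		if (off > 0) {
			/*
			 * The caller has already consumed [0, off).  Rewind
			 * and read that prefix through vectx_lseek() so it is
			 * hashed too.  If this falls short the hash stays
			 * incomplete and ve_check_hash() at close time should
			 * reject it rather than pass a partial file.
			 */
			lseek(fd, 0, SEEK_SET);
			vectx_lseek(ctx, off, SEEK_SET);
		}
	}
	DEBUG_PRINTF(2,
	    ("vectx_open: caller=%s,name='%s',hashsz=%lu,status=%d\n",
		caller, path, (unsigned long)ctx->vec_hashsz,
		ctx->vec_status));
	return (ctx);
}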
196
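/**
 * @brief
 * read bytes from file and update hash
 *
 * It is critical that all file I/O comes through here.
 * We keep track of current offset.
 * We also track what offset we have hashed to,
 * so we won't replay data if we seek backwards.
 *
 * @param[in] ctx
 *	pointer to ctx
 *
 * @param[out] buf
 *	destination for the bytes read
 *
 * @param[in] nbytes
 *	number of bytes wanted
 *
 * @return bytes read, or the negative value returned by read() on error.
 */
ssize_t
vectx_read(struct vectx *ctx, void *buf, size_t nbytes)
{
	unsigned char *bp = buf;
	ssize_t d;	/* bytes of this chunk not yet accounted for */
	ssize_t n;	/* what read() returned for this chunk */
	ssize_t x;	/* chunk size */
	off_t delta;	/* how far vec_hashed is ahead of vec_off */
	size_t off;	/* bytes already delivered into buf */

	if (ctx->vec_hashsz == 0) /* nothing to do */
		return (read(ctx->vec_fd, buf, nbytes));

	off = 0;
	do {
		/*
		 * Do this in reasonable chunks so
		 * we don't timeout if doing tftp.
		 * Clamp in size_t before narrowing so a huge nbytes
		 * cannot wrap into a negative chunk size.
		 */
		x = (ssize_t)MIN((size_t)PAGE_SIZE, nbytes - off);
		d = n = read(ctx->vec_fd, &bp[off], x);
		if (ctx->vec_closing && n < x) {
			DEBUG_PRINTF(3,
			    ("%s: read %ld off=%ld hashed=%ld size=%ld\n",
				__func__, (long)n, (long)ctx->vec_off,
				(long)ctx->vec_hashed, (long)ctx->vec_size));
		}
		if (n < 0) {
			return (n);
		}
		if (d > 0) {
			/* we may have seeked backwards! */
			delta = ctx->vec_hashed - ctx->vec_off;
			if (delta > 0) {
				/*
				 * These bytes were hashed on an earlier pass:
				 * hand them to the caller but do not feed
				 * them into the digest a second time.
				 */
				x = MIN(delta, d);
				off += x;
				d -= x;
				ctx->vec_off += x;
			}
			if (d > 0) {
				if (ctx->vec_closing && d < PAGE_SIZE) {
					DEBUG_PRINTF(3,
					    ("%s: update %ld + %ld\n",
						__func__,
						(long)ctx->vec_hashed, (long)d));
				}
				/* new territory: hash it and advance both marks */
				ctx->vec_md->update(&ctx->vec_ctx.vtable, &bp[off], d);
				off += d;
				ctx->vec_off += d;
				ctx->vec_hashed += d;
			}
		}
	} while (n > 0 && off < nbytes);
	return (off);
}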
271
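/**
 * @brief
 * vectx equivalent of lseek
 *
 * When seeking forwards we actually call vectx_read
 * to reach the desired offset, so the skipped bytes are hashed.
 *
 * We support seeking backwards; the bytes are already hashed and
 * vectx_read() will not hash them again.
 *
 * @param[in] ctx
 *	pointer to ctx
 *
 * @param[in] off
 *	desired offset
 *
 * @param[in] whence
 *	We try to convert whence to ``SEEK_SET``.
 *	We do not support ``SEEK_DATA`` or ``SEEK_HOLE``.
 *	A target before the start or past the end of the file is refused.
 *
 * @return offset or error (-1, or the negative value from vectx_read()).
 */
off_t
vectx_lseek(struct vectx *ctx, off_t off, int whence)
{
	unsigned char buf[PAGE_SIZE];
	size_t delta;
	ssize_t n;
	off_t pos;

	if (ctx->vec_hashsz == 0) /* nothing to do */
		return (lseek(ctx->vec_fd, off, whence));

	/*
	 * Convert whence to SEEK_SET
	 */
	DEBUG_PRINTF(3,
	    ("%s(%s, %ld, %d)\n", __func__, ctx->vec_path, (long)off, whence));
	if (whence == SEEK_END && off <= 0) {
		if (ctx->vec_closing && ctx->vec_hashed < ctx->vec_size) {
			DEBUG_PRINTF(3, ("%s: SEEK_END %ld\n",
				__func__,
				(long)(ctx->vec_size - ctx->vec_hashed)));
		}
		whence = SEEK_SET;
		off += ctx->vec_size;
	} else if (whence == SEEK_CUR) {
		whence = SEEK_SET;
		off += ctx->vec_off;
	}
	/*
	 * Refuse anything that is not an absolute offset inside the file.
	 * A negative target (SEEK_CUR with a large negative off) would
	 * otherwise be passed to lseek() and its failure value stored as
	 * our current offset.
	 */
	if (whence != SEEK_SET || off < 0 ||
	    off > ctx->vec_size) {
		printf("ERROR: %s: unsupported operation: whence=%d off=%ld -> %ld\n",
		    __func__, whence, (long)ctx->vec_off, (long)off);
		return (-1);
	}
	if (off < ctx->vec_hashed) {
#ifdef _STANDALONE
		struct open_file *f = fd2open_file(ctx->vec_fd);

		if (f != NULL &&
		    strncmp(f->f_ops->fs_name, "tftp", 4) == 0) {
			/* we cannot rewind if we've hashed much of the file */
			if (ctx->vec_hashed > ctx->vec_size / 5)
				return (-1); /* refuse! */
		}
#endif
		/*
		 * seeking backwards! just do it - but only adopt the new
		 * position if lseek() actually succeeded.
		 */
		pos = lseek(ctx->vec_fd, off, whence);
		if (pos < 0)
			return (pos);
		ctx->vec_off = pos;
		return (ctx->vec_off);
	}
	n = 0;
	do {
		/* seek forwards by reading, one page at a time */
		delta = off - ctx->vec_off;
		if (delta > 0) {
			delta = MIN(PAGE_SIZE, delta);
			n = vectx_read(ctx, buf, delta);
			if (n < 0)
				return (n);
		}
	} while (ctx->vec_off < off && n > 0);
	return (ctx->vec_off);
}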
353
/**
 * @brief
 * check that hashes match and cleanup
 *
 * We have finished reading the file; compare the hash with what
 * we wanted, report the result and free the context.
 *
 * Be sure to call this before closing the file, since we may
 * need to seek to the end to ensure hashing is complete.
 *
 * @param[in] ctx
 *	pointer to ctx; it is freed before returning
 *
 * @param[in] severity
 *	how much we care (VE_WANT, VE_MUST, ...); handed to
 *	verify_report() and, with VE_PCR_SUPPORT, decides whether the
 *	pseudo pcr is updated
 *
 * @param[in] caller
 *	name of the calling function, used for debug output only
 *
 * @return 0, or the negative rc from ve_check_hash() / the status
 *	recorded at open time.
 */
int
vectx_close(struct vectx *ctx, int severity, const char *caller)
{
	int rc = ctx->vec_status;

	ctx->vec_closing = 1;
	if (ctx->vec_hashsz != 0) {
#ifdef VE_PCR_SUPPORT
		/*
		 * Only update pcr with things that must verify
		 * these tend to be processed in a more deterministic
		 * order, which makes our pseudo pcr more useful.
		 */
		ve_pcr_updating_set((severity == VE_MUST));
#endif
		/* make sure we have hashed it all */
		(void)vectx_lseek(ctx, 0, SEEK_END);
		rc = ve_check_hash(&ctx->vec_ctx, ctx->vec_md,
		    ctx->vec_path, ctx->vec_want, ctx->vec_hashsz);
	}
	DEBUG_PRINTF(2,
	    ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n",
		caller,ctx->vec_path, rc, severity));
	verify_report(ctx->vec_path, severity, rc, NULL);
#if !defined(UNIT_TEST) && !defined(DEBUG_VECTX)
	/* we are generally called with VE_MUST */
	if (rc == VE_FINGERPRINT_WRONG && severity > VE_WANT)
		panic("cannot continue");
#endif
	free(ctx);
	if (rc < 0)
		return (rc);
	return (0);
}
405