You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1027 lines
27 KiB
1027 lines
27 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Vladimir Serbinenko <phcoder@gmail.com>
|
|
Date: Sun, 5 Feb 2017 14:25:47 +0100
|
|
Subject: [PATCH] verifiers: Framework core
|
|
|
|
Verifiers framework provides core file verification functionality which
|
|
can be used by various security mechanisms, e.g., UEFI secure boot, TPM,
|
|
PGP signature verification, etc.
|
|
|
|
The patch contains PGP code changes and probably they should be extracted
|
|
to separate patch for the sake of clarity.
|
|
|
|
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
|
|
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
|
|
(cherry picked from commit 75a919e334f8514b6adbc024743cfcd9b88fa394)
|
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
---
|
|
grub-core/Makefile.core.def | 5 +
|
|
grub-core/commands/verifiers.c | 197 ++++++++++++++
|
|
grub-core/commands/verify.c | 566 ++++++++++++++++++++---------------------
|
|
include/grub/file.h | 2 +-
|
|
include/grub/list.h | 1 +
|
|
include/grub/verify.h | 65 +++++
|
|
6 files changed, 539 insertions(+), 297 deletions(-)
|
|
create mode 100644 grub-core/commands/verifiers.c
|
|
create mode 100644 include/grub/verify.h
|
|
|
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
|
index c8a50b4fc..29c3bf6cd 100644
|
|
--- a/grub-core/Makefile.core.def
|
|
+++ b/grub-core/Makefile.core.def
|
|
@@ -921,6 +921,11 @@ module = {
|
|
cppflags = '-I$(srcdir)/lib/posix_wrap';
|
|
};
|
|
|
|
+module = {
|
|
+ name = verifiers;
|
|
+ common = commands/verifiers.c;
|
|
+};
|
|
+
|
|
module = {
|
|
name = hdparm;
|
|
common = commands/hdparm.c;
|
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
|
new file mode 100644
|
|
index 000000000..fde88318d
|
|
--- /dev/null
|
|
+++ b/grub-core/commands/verifiers.c
|
|
@@ -0,0 +1,197 @@
|
|
+/*
|
|
+ * GRUB -- GRand Unified Bootloader
|
|
+ * Copyright (C) 2017 Free Software Foundation, Inc.
|
|
+ *
|
|
+ * GRUB is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * GRUB is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
+ *
|
|
+ * Verifiers helper.
|
|
+ */
|
|
+
|
|
+#include <grub/file.h>
|
|
+#include <grub/verify.h>
|
|
+#include <grub/dl.h>
|
|
+
|
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
|
+
|
|
+struct grub_file_verifier *grub_file_verifiers;
|
|
+
|
|
+struct grub_verified
|
|
+{
|
|
+ grub_file_t file;
|
|
+ void *buf;
|
|
+};
|
|
+typedef struct grub_verified *grub_verified_t;
|
|
+
|
|
+static void
|
|
+verified_free (grub_verified_t verified)
|
|
+{
|
|
+ if (verified)
|
|
+ {
|
|
+ grub_free (verified->buf);
|
|
+ grub_free (verified);
|
|
+ }
|
|
+}
|
|
+
|
|
+static grub_ssize_t
|
|
+verified_read (struct grub_file *file, char *buf, grub_size_t len)
|
|
+{
|
|
+ grub_verified_t verified = file->data;
|
|
+
|
|
+ grub_memcpy (buf, (char *) verified->buf + file->offset, len);
|
|
+ return len;
|
|
+}
|
|
+
|
|
+static grub_err_t
|
|
+verified_close (struct grub_file *file)
|
|
+{
|
|
+ grub_verified_t verified = file->data;
|
|
+
|
|
+ grub_file_close (verified->file);
|
|
+ verified_free (verified);
|
|
+ file->data = 0;
|
|
+
|
|
+ /* Device and name are freed by parent. */
|
|
+ file->device = 0;
|
|
+ file->name = 0;
|
|
+
|
|
+ return grub_errno;
|
|
+}
|
|
+
|
|
+struct grub_fs verified_fs =
|
|
+{
|
|
+ .name = "verified_read",
|
|
+ .read = verified_read,
|
|
+ .close = verified_close
|
|
+};
|
|
+
|
|
+static grub_file_t
|
|
+grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
|
+{
|
|
+ grub_verified_t verified = NULL;
|
|
+ struct grub_file_verifier *ver;
|
|
+ void *context;
|
|
+ grub_file_t ret = 0;
|
|
+ grub_err_t err;
|
|
+
|
|
+ grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
|
|
+
|
|
+ if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE
|
|
+ || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE
|
|
+ || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE))
|
|
+ return io;
|
|
+
|
|
+ if (io->device->disk &&
|
|
+ (io->device->disk->dev->id == GRUB_DISK_DEVICE_MEMDISK_ID
|
|
+ || io->device->disk->dev->id == GRUB_DISK_DEVICE_PROCFS_ID))
|
|
+ return io;
|
|
+
|
|
+ FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
|
|
+ {
|
|
+ enum grub_verify_flags flags = 0;
|
|
+ err = ver->init (io, type, &context, &flags);
|
|
+ if (err)
|
|
+ goto fail_noclose;
|
|
+ if (!(flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION))
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ if (!ver)
|
|
+ /* No verifiers wanted to verify. Just return underlying file. */
|
|
+ return io;
|
|
+
|
|
+ ret = grub_malloc (sizeof (*ret));
|
|
+ if (!ret)
|
|
+ {
|
|
+ goto fail;
|
|
+ }
|
|
+ *ret = *io;
|
|
+
|
|
+ ret->fs = &verified_fs;
|
|
+ ret->not_easily_seekable = 0;
|
|
+ if (ret->size >> (sizeof (grub_size_t) * GRUB_CHAR_BIT - 1))
|
|
+ {
|
|
+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
|
|
+ N_("big file signature isn't implemented yet"));
|
|
+ goto fail;
|
|
+ }
|
|
+ verified = grub_malloc (sizeof (*verified));
|
|
+ if (!verified)
|
|
+ {
|
|
+ goto fail;
|
|
+ }
|
|
+ verified->buf = grub_malloc (ret->size);
|
|
+ if (!verified->buf)
|
|
+ {
|
|
+ goto fail;
|
|
+ }
|
|
+ if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size)
|
|
+ {
|
|
+ if (!grub_errno)
|
|
+ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
|
|
+ io->name);
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
+ err = ver->write (context, verified->buf, ret->size);
|
|
+ if (err)
|
|
+ goto fail;
|
|
+
|
|
+ err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
|
|
+ if (err)
|
|
+ goto fail;
|
|
+
|
|
+ if (ver->close)
|
|
+ ver->close (context);
|
|
+
|
|
+ FOR_LIST_ELEMENTS_NEXT(ver, grub_file_verifiers)
|
|
+ {
|
|
+ enum grub_verify_flags flags = 0;
|
|
+ err = ver->init (io, type, &context, &flags);
|
|
+ if (err)
|
|
+ goto fail_noclose;
|
|
+ if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION)
|
|
+ continue;
|
|
+ err = ver->write (context, verified->buf, ret->size);
|
|
+ if (err)
|
|
+ goto fail;
|
|
+
|
|
+ err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE;
|
|
+ if (err)
|
|
+ goto fail;
|
|
+
|
|
+ if (ver->close)
|
|
+ ver->close (context);
|
|
+ }
|
|
+
|
|
+ verified->file = io;
|
|
+ ret->data = verified;
|
|
+ return ret;
|
|
+
|
|
+ fail:
|
|
+ ver->close (context);
|
|
+ fail_noclose:
|
|
+ verified_free (verified);
|
|
+ grub_free (ret);
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+GRUB_MOD_INIT(verifiers)
|
|
+{
|
|
+ grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
|
|
+}
|
|
+
|
|
+GRUB_MOD_FINI(verifiers)
|
|
+{
|
|
+ grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
|
|
+}
|
|
diff --git a/grub-core/commands/verify.c b/grub-core/commands/verify.c
|
|
index f0dfeceeb..29e74a640 100644
|
|
--- a/grub-core/commands/verify.c
|
|
+++ b/grub-core/commands/verify.c
|
|
@@ -30,16 +30,10 @@
|
|
#include <grub/env.h>
|
|
#include <grub/kernel.h>
|
|
#include <grub/extcmd.h>
|
|
+#include <grub/verify.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
-struct grub_verified
|
|
-{
|
|
- grub_file_t file;
|
|
- void *buf;
|
|
-};
|
|
-typedef struct grub_verified *grub_verified_t;
|
|
-
|
|
enum
|
|
{
|
|
OPTION_SKIP_SIG = 0
|
|
@@ -445,23 +439,27 @@ rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
|
|
return ret;
|
|
}
|
|
|
|
-static grub_err_t
|
|
-grub_verify_signature_real (char *buf, grub_size_t size,
|
|
- grub_file_t f, grub_file_t sig,
|
|
- struct grub_public_key *pkey)
|
|
+struct grub_pubkey_context
|
|
{
|
|
- grub_size_t len;
|
|
+ grub_file_t sig;
|
|
+ struct signature_v4_header v4;
|
|
grub_uint8_t v;
|
|
+ const gcry_md_spec_t *hash;
|
|
+ void *hash_context;
|
|
+};
|
|
+
|
|
+static grub_err_t
|
|
+grub_verify_signature_init (struct grub_pubkey_context *ctxt, grub_file_t sig)
|
|
+{
|
|
+ grub_size_t len;
|
|
grub_uint8_t h;
|
|
grub_uint8_t t;
|
|
grub_uint8_t pk;
|
|
- const gcry_md_spec_t *hash;
|
|
- struct signature_v4_header v4;
|
|
grub_err_t err;
|
|
- grub_size_t i;
|
|
- gcry_mpi_t mpis[10];
|
|
grub_uint8_t type = 0;
|
|
|
|
+ grub_memset (ctxt, 0, sizeof (*ctxt));
|
|
+
|
|
err = read_packet_header (sig, &type, &len);
|
|
if (err)
|
|
return err;
|
|
@@ -469,18 +467,18 @@ grub_verify_signature_real (char *buf, grub_size_t size,
|
|
if (type != 0x2)
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
|
|
- if (grub_file_read (sig, &v, sizeof (v)) != sizeof (v))
|
|
+ if (grub_file_read (sig, &ctxt->v, sizeof (ctxt->v)) != sizeof (ctxt->v))
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
|
|
- if (v != 4)
|
|
+ if (ctxt->v != 4)
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
|
|
- if (grub_file_read (sig, &v4, sizeof (v4)) != sizeof (v4))
|
|
+ if (grub_file_read (sig, &ctxt->v4, sizeof (ctxt->v4)) != sizeof (ctxt->v4))
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
|
|
- h = v4.hash;
|
|
- t = v4.type;
|
|
- pk = v4.pkeyalgo;
|
|
+ h = ctxt->v4.hash;
|
|
+ t = ctxt->v4.type;
|
|
+ pk = ctxt->v4.pkeyalgo;
|
|
|
|
if (t != 0)
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
@@ -491,183 +489,233 @@ grub_verify_signature_real (char *buf, grub_size_t size,
|
|
if (pk >= ARRAY_SIZE (pkalgos) || pkalgos[pk].name == NULL)
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
|
|
- hash = grub_crypto_lookup_md_by_name (hashes[h]);
|
|
- if (!hash)
|
|
+ ctxt->hash = grub_crypto_lookup_md_by_name (hashes[h]);
|
|
+ if (!ctxt->hash)
|
|
return grub_error (GRUB_ERR_BAD_SIGNATURE, "hash `%s' not loaded", hashes[h]);
|
|
|
|
grub_dprintf ("crypt", "alive\n");
|
|
|
|
- {
|
|
- void *context = NULL;
|
|
- unsigned char *hval;
|
|
- grub_ssize_t rem = grub_be_to_cpu16 (v4.hashed_sub);
|
|
- grub_uint32_t headlen = grub_cpu_to_be32 (rem + 6);
|
|
- grub_uint8_t s;
|
|
- grub_uint16_t unhashed_sub;
|
|
- grub_ssize_t r;
|
|
- grub_uint8_t hash_start[2];
|
|
- gcry_mpi_t hmpi;
|
|
- grub_uint64_t keyid = 0;
|
|
- struct grub_public_subkey *sk;
|
|
- grub_uint8_t *readbuf = NULL;
|
|
+ ctxt->sig = sig;
|
|
|
|
- context = grub_zalloc (hash->contextsize);
|
|
- readbuf = grub_zalloc (READBUF_SIZE);
|
|
- if (!context || !readbuf)
|
|
- goto fail;
|
|
-
|
|
- hash->init (context);
|
|
- if (buf)
|
|
- hash->write (context, buf, size);
|
|
- else
|
|
- while (1)
|
|
- {
|
|
- r = grub_file_read (f, readbuf, READBUF_SIZE);
|
|
- if (r < 0)
|
|
- goto fail;
|
|
- if (r == 0)
|
|
- break;
|
|
- hash->write (context, readbuf, r);
|
|
- }
|
|
-
|
|
- hash->write (context, &v, sizeof (v));
|
|
- hash->write (context, &v4, sizeof (v4));
|
|
- while (rem)
|
|
- {
|
|
- r = grub_file_read (sig, readbuf,
|
|
- rem < READBUF_SIZE ? rem : READBUF_SIZE);
|
|
- if (r < 0)
|
|
- goto fail;
|
|
- if (r == 0)
|
|
- break;
|
|
- hash->write (context, readbuf, r);
|
|
- rem -= r;
|
|
- }
|
|
- hash->write (context, &v, sizeof (v));
|
|
- s = 0xff;
|
|
- hash->write (context, &s, sizeof (s));
|
|
- hash->write (context, &headlen, sizeof (headlen));
|
|
- r = grub_file_read (sig, &unhashed_sub, sizeof (unhashed_sub));
|
|
- if (r != sizeof (unhashed_sub))
|
|
- goto fail;
|
|
- {
|
|
- grub_uint8_t *ptr;
|
|
- grub_uint32_t l;
|
|
- rem = grub_be_to_cpu16 (unhashed_sub);
|
|
- if (rem > READBUF_SIZE)
|
|
- goto fail;
|
|
- r = grub_file_read (sig, readbuf, rem);
|
|
- if (r != rem)
|
|
- goto fail;
|
|
- for (ptr = readbuf; ptr < readbuf + rem; ptr += l)
|
|
- {
|
|
- if (*ptr < 192)
|
|
- l = *ptr++;
|
|
- else if (*ptr < 255)
|
|
- {
|
|
- if (ptr + 1 >= readbuf + rem)
|
|
- break;
|
|
- l = (((ptr[0] & ~192) << GRUB_CHAR_BIT) | ptr[1]) + 192;
|
|
- ptr += 2;
|
|
- }
|
|
- else
|
|
- {
|
|
- if (ptr + 5 >= readbuf + rem)
|
|
- break;
|
|
- l = grub_be_to_cpu32 (grub_get_unaligned32 (ptr + 1));
|
|
- ptr += 5;
|
|
- }
|
|
- if (*ptr == 0x10 && l >= 8)
|
|
- keyid = grub_get_unaligned64 (ptr + 1);
|
|
- }
|
|
- }
|
|
-
|
|
- hash->final (context);
|
|
-
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
-
|
|
- hval = hash->read (context);
|
|
-
|
|
- if (grub_file_read (sig, hash_start, sizeof (hash_start)) != sizeof (hash_start))
|
|
- goto fail;
|
|
- if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
|
|
- goto fail;
|
|
-
|
|
- grub_dprintf ("crypt", "@ %x\n", (int)grub_file_tell (sig));
|
|
-
|
|
- for (i = 0; i < pkalgos[pk].nmpisig; i++)
|
|
- {
|
|
- grub_uint16_t l;
|
|
- grub_size_t lb;
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
- if (grub_file_read (sig, &l, sizeof (l)) != sizeof (l))
|
|
- goto fail;
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
- lb = (grub_be_to_cpu16 (l) + 7) / 8;
|
|
- grub_dprintf ("crypt", "l = 0x%04x\n", grub_be_to_cpu16 (l));
|
|
- if (lb > READBUF_SIZE - sizeof (grub_uint16_t))
|
|
- goto fail;
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
- if (grub_file_read (sig, readbuf + sizeof (grub_uint16_t), lb) != (grub_ssize_t) lb)
|
|
- goto fail;
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
- grub_memcpy (readbuf, &l, sizeof (l));
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
-
|
|
- if (gcry_mpi_scan (&mpis[i], GCRYMPI_FMT_PGP,
|
|
- readbuf, lb + sizeof (grub_uint16_t), 0))
|
|
- goto fail;
|
|
- grub_dprintf ("crypt", "alive\n");
|
|
- }
|
|
-
|
|
- if (pkey)
|
|
- sk = grub_crypto_pk_locate_subkey (keyid, pkey);
|
|
- else
|
|
- sk = grub_crypto_pk_locate_subkey_in_trustdb (keyid);
|
|
- if (!sk)
|
|
- {
|
|
- /* TRANSLATORS: %08x is 32-bit key id. */
|
|
- grub_error (GRUB_ERR_BAD_SIGNATURE, N_("public key %08x not found"),
|
|
- keyid);
|
|
- goto fail;
|
|
- }
|
|
-
|
|
- if (pkalgos[pk].pad (&hmpi, hval, hash, sk))
|
|
- goto fail;
|
|
- if (!*pkalgos[pk].algo)
|
|
- {
|
|
- grub_dl_load (pkalgos[pk].module);
|
|
- grub_errno = GRUB_ERR_NONE;
|
|
- }
|
|
-
|
|
- if (!*pkalgos[pk].algo)
|
|
- {
|
|
- grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't loaded"),
|
|
- pkalgos[pk].module);
|
|
- goto fail;
|
|
- }
|
|
- if ((*pkalgos[pk].algo)->verify (0, hmpi, mpis, sk->mpis, 0, 0))
|
|
- goto fail;
|
|
-
|
|
- grub_free (context);
|
|
- grub_free (readbuf);
|
|
-
|
|
- return GRUB_ERR_NONE;
|
|
-
|
|
- fail:
|
|
- grub_free (context);
|
|
- grub_free (readbuf);
|
|
- if (!grub_errno)
|
|
- return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
+ ctxt->hash_context = grub_zalloc (ctxt->hash->contextsize);
|
|
+ if (!ctxt->hash_context)
|
|
return grub_errno;
|
|
+
|
|
+ ctxt->hash->init (ctxt->hash_context);
|
|
+
|
|
+ return GRUB_ERR_NONE;
|
|
+}
|
|
+
|
|
+static grub_err_t
|
|
+grub_pubkey_write (void *ctxt_, void *buf, grub_size_t size)
|
|
+{
|
|
+ struct grub_pubkey_context *ctxt = ctxt_;
|
|
+ ctxt->hash->write (ctxt->hash_context, buf, size);
|
|
+ return GRUB_ERR_NONE;
|
|
+}
|
|
+
|
|
+static grub_err_t
|
|
+grub_verify_signature_real (struct grub_pubkey_context *ctxt,
|
|
+ struct grub_public_key *pkey)
|
|
+{
|
|
+ gcry_mpi_t mpis[10];
|
|
+ grub_uint8_t pk = ctxt->v4.pkeyalgo;
|
|
+ grub_size_t i;
|
|
+ grub_uint8_t *readbuf = NULL;
|
|
+ unsigned char *hval;
|
|
+ grub_ssize_t rem = grub_be_to_cpu16 (ctxt->v4.hashed_sub);
|
|
+ grub_uint32_t headlen = grub_cpu_to_be32 (rem + 6);
|
|
+ grub_uint8_t s;
|
|
+ grub_uint16_t unhashed_sub;
|
|
+ grub_ssize_t r;
|
|
+ grub_uint8_t hash_start[2];
|
|
+ gcry_mpi_t hmpi;
|
|
+ grub_uint64_t keyid = 0;
|
|
+ struct grub_public_subkey *sk;
|
|
+
|
|
+ readbuf = grub_malloc (READBUF_SIZE);
|
|
+ if (!readbuf)
|
|
+ goto fail;
|
|
+
|
|
+ ctxt->hash->write (ctxt->hash_context, &ctxt->v, sizeof (ctxt->v));
|
|
+ ctxt->hash->write (ctxt->hash_context, &ctxt->v4, sizeof (ctxt->v4));
|
|
+ while (rem)
|
|
+ {
|
|
+ r = grub_file_read (ctxt->sig, readbuf,
|
|
+ rem < READBUF_SIZE ? rem : READBUF_SIZE);
|
|
+ if (r < 0)
|
|
+ goto fail;
|
|
+ if (r == 0)
|
|
+ break;
|
|
+ ctxt->hash->write (ctxt->hash_context, readbuf, r);
|
|
+ rem -= r;
|
|
+ }
|
|
+ ctxt->hash->write (ctxt->hash_context, &ctxt->v, sizeof (ctxt->v));
|
|
+ s = 0xff;
|
|
+ ctxt->hash->write (ctxt->hash_context, &s, sizeof (s));
|
|
+ ctxt->hash->write (ctxt->hash_context, &headlen, sizeof (headlen));
|
|
+ r = grub_file_read (ctxt->sig, &unhashed_sub, sizeof (unhashed_sub));
|
|
+ if (r != sizeof (unhashed_sub))
|
|
+ goto fail;
|
|
+ {
|
|
+ grub_uint8_t *ptr;
|
|
+ grub_uint32_t l;
|
|
+ rem = grub_be_to_cpu16 (unhashed_sub);
|
|
+ if (rem > READBUF_SIZE)
|
|
+ goto fail;
|
|
+ r = grub_file_read (ctxt->sig, readbuf, rem);
|
|
+ if (r != rem)
|
|
+ goto fail;
|
|
+ for (ptr = readbuf; ptr < readbuf + rem; ptr += l)
|
|
+ {
|
|
+ if (*ptr < 192)
|
|
+ l = *ptr++;
|
|
+ else if (*ptr < 255)
|
|
+ {
|
|
+ if (ptr + 1 >= readbuf + rem)
|
|
+ break;
|
|
+ l = (((ptr[0] & ~192) << GRUB_CHAR_BIT) | ptr[1]) + 192;
|
|
+ ptr += 2;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ if (ptr + 5 >= readbuf + rem)
|
|
+ break;
|
|
+ l = grub_be_to_cpu32 (grub_get_unaligned32 (ptr + 1));
|
|
+ ptr += 5;
|
|
+ }
|
|
+ if (*ptr == 0x10 && l >= 8)
|
|
+ keyid = grub_get_unaligned64 (ptr + 1);
|
|
+ }
|
|
}
|
|
+
|
|
+ ctxt->hash->final (ctxt->hash_context);
|
|
+
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+
|
|
+ hval = ctxt->hash->read (ctxt->hash_context);
|
|
+
|
|
+ if (grub_file_read (ctxt->sig, hash_start, sizeof (hash_start)) != sizeof (hash_start))
|
|
+ goto fail;
|
|
+ if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
|
|
+ goto fail;
|
|
+
|
|
+ grub_dprintf ("crypt", "@ %x\n", (int)grub_file_tell (ctxt->sig));
|
|
+
|
|
+ for (i = 0; i < pkalgos[pk].nmpisig; i++)
|
|
+ {
|
|
+ grub_uint16_t l;
|
|
+ grub_size_t lb;
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+ if (grub_file_read (ctxt->sig, &l, sizeof (l)) != sizeof (l))
|
|
+ goto fail;
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+ lb = (grub_be_to_cpu16 (l) + 7) / 8;
|
|
+ grub_dprintf ("crypt", "l = 0x%04x\n", grub_be_to_cpu16 (l));
|
|
+ if (lb > READBUF_SIZE - sizeof (grub_uint16_t))
|
|
+ goto fail;
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+ if (grub_file_read (ctxt->sig, readbuf + sizeof (grub_uint16_t), lb) != (grub_ssize_t) lb)
|
|
+ goto fail;
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+ grub_memcpy (readbuf, &l, sizeof (l));
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+
|
|
+ if (gcry_mpi_scan (&mpis[i], GCRYMPI_FMT_PGP,
|
|
+ readbuf, lb + sizeof (grub_uint16_t), 0))
|
|
+ goto fail;
|
|
+ grub_dprintf ("crypt", "alive\n");
|
|
+ }
|
|
+
|
|
+ if (pkey)
|
|
+ sk = grub_crypto_pk_locate_subkey (keyid, pkey);
|
|
+ else
|
|
+ sk = grub_crypto_pk_locate_subkey_in_trustdb (keyid);
|
|
+ if (!sk)
|
|
+ {
|
|
+ /* TRANSLATORS: %08x is 32-bit key id. */
|
|
+ grub_error (GRUB_ERR_BAD_SIGNATURE, N_("public key %08x not found"),
|
|
+ keyid);
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
+ if (pkalgos[pk].pad (&hmpi, hval, ctxt->hash, sk))
|
|
+ goto fail;
|
|
+ if (!*pkalgos[pk].algo)
|
|
+ {
|
|
+ grub_dl_load (pkalgos[pk].module);
|
|
+ grub_errno = GRUB_ERR_NONE;
|
|
+ }
|
|
+
|
|
+ if (!*pkalgos[pk].algo)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't loaded"),
|
|
+ pkalgos[pk].module);
|
|
+ goto fail;
|
|
+ }
|
|
+ if ((*pkalgos[pk].algo)->verify (0, hmpi, mpis, sk->mpis, 0, 0))
|
|
+ goto fail;
|
|
+
|
|
+ grub_free (readbuf);
|
|
+
|
|
+ return GRUB_ERR_NONE;
|
|
+
|
|
+ fail:
|
|
+ grub_free (readbuf);
|
|
+ if (!grub_errno)
|
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
|
|
+ return grub_errno;
|
|
+}
|
|
+
|
|
+static void
|
|
+grub_pubkey_close_real (struct grub_pubkey_context *ctxt)
|
|
+{
|
|
+ if (ctxt->sig)
|
|
+ grub_file_close (ctxt->sig);
|
|
+ if (ctxt->hash_context)
|
|
+ grub_free (ctxt->hash_context);
|
|
+}
|
|
+
|
|
+static void
|
|
+grub_pubkey_close (void *ctxt)
|
|
+{
|
|
+ grub_pubkey_close_real (ctxt);
|
|
+ grub_free (ctxt);
|
|
}
|
|
|
|
grub_err_t
|
|
grub_verify_signature (grub_file_t f, grub_file_t sig,
|
|
struct grub_public_key *pkey)
|
|
{
|
|
- return grub_verify_signature_real (0, 0, f, sig, pkey);
|
|
+ grub_err_t err;
|
|
+ struct grub_pubkey_context ctxt;
|
|
+ grub_uint8_t *readbuf = NULL;
|
|
+
|
|
+ err = grub_verify_signature_init (&ctxt, sig);
|
|
+ if (err)
|
|
+ return err;
|
|
+
|
|
+ readbuf = grub_zalloc (READBUF_SIZE);
|
|
+ if (!readbuf)
|
|
+ goto fail;
|
|
+
|
|
+ while (1)
|
|
+ {
|
|
+ grub_ssize_t r;
|
|
+ r = grub_file_read (f, readbuf, READBUF_SIZE);
|
|
+ if (r < 0)
|
|
+ goto fail;
|
|
+ if (r == 0)
|
|
+ break;
|
|
+ err = grub_pubkey_write (&ctxt, readbuf, r);
|
|
+ if (err)
|
|
+ return err;
|
|
+ }
|
|
+
|
|
+ grub_verify_signature_real (&ctxt, pkey);
|
|
+ fail:
|
|
+ grub_pubkey_close_real (&ctxt);
|
|
+ return grub_errno;
|
|
}
|
|
|
|
static grub_err_t
|
|
@@ -819,134 +867,52 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
|
|
|
|
static int sec = 0;
|
|
|
|
-static void
|
|
-verified_free (grub_verified_t verified)
|
|
-{
|
|
- if (verified)
|
|
- {
|
|
- grub_free (verified->buf);
|
|
- grub_free (verified);
|
|
- }
|
|
-}
|
|
-
|
|
-static grub_ssize_t
|
|
-verified_read (struct grub_file *file, char *buf, grub_size_t len)
|
|
-{
|
|
- grub_verified_t verified = file->data;
|
|
-
|
|
- grub_memcpy (buf, (char *) verified->buf + file->offset, len);
|
|
- return len;
|
|
-}
|
|
-
|
|
static grub_err_t
|
|
-verified_close (struct grub_file *file)
|
|
-{
|
|
- grub_verified_t verified = file->data;
|
|
-
|
|
- grub_file_close (verified->file);
|
|
- verified_free (verified);
|
|
- file->data = 0;
|
|
-
|
|
- /* device and name are freed by parent */
|
|
- file->device = 0;
|
|
- file->name = 0;
|
|
-
|
|
- return grub_errno;
|
|
-}
|
|
-
|
|
-struct grub_fs verified_fs =
|
|
-{
|
|
- .name = "verified_read",
|
|
- .read = verified_read,
|
|
- .close = verified_close
|
|
-};
|
|
-
|
|
-static grub_file_t
|
|
-grub_pubkey_open (grub_file_t io, enum grub_file_type type)
|
|
+grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
|
|
+ void **context, enum grub_verify_flags *flags)
|
|
{
|
|
grub_file_t sig;
|
|
char *fsuf, *ptr;
|
|
grub_err_t err;
|
|
- grub_file_t ret;
|
|
- grub_verified_t verified;
|
|
-
|
|
- if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE
|
|
- || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE
|
|
- || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE))
|
|
- return io;
|
|
+ struct grub_pubkey_context *ctxt;
|
|
|
|
if (!sec)
|
|
- return io;
|
|
- if (io->device->disk &&
|
|
- (io->device->disk->dev->id == GRUB_DISK_DEVICE_MEMDISK_ID
|
|
- || io->device->disk->dev->id == GRUB_DISK_DEVICE_PROCFS_ID))
|
|
- return io;
|
|
+ {
|
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
|
+ return GRUB_ERR_NONE;
|
|
+ }
|
|
+
|
|
fsuf = grub_malloc (grub_strlen (io->name) + sizeof (".sig"));
|
|
if (!fsuf)
|
|
- return NULL;
|
|
+ return grub_errno;
|
|
ptr = grub_stpcpy (fsuf, io->name);
|
|
grub_memcpy (ptr, ".sig", sizeof (".sig"));
|
|
|
|
sig = grub_file_open (fsuf, GRUB_FILE_TYPE_SIGNATURE);
|
|
grub_free (fsuf);
|
|
if (!sig)
|
|
- return NULL;
|
|
+ return grub_errno;
|
|
|
|
- ret = grub_malloc (sizeof (*ret));
|
|
- if (!ret)
|
|
+ ctxt = grub_malloc (sizeof (*ctxt));
|
|
+ if (!ctxt)
|
|
{
|
|
grub_file_close (sig);
|
|
- return NULL;
|
|
+ return grub_errno;
|
|
}
|
|
- *ret = *io;
|
|
-
|
|
- ret->fs = &verified_fs;
|
|
- ret->not_easily_seekable = 0;
|
|
- if (ret->size >> (sizeof (grub_size_t) * GRUB_CHAR_BIT - 1))
|
|
- {
|
|
- grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
|
|
- "big file signature isn't implemented yet");
|
|
- grub_file_close (sig);
|
|
- grub_free (ret);
|
|
- return NULL;
|
|
- }
|
|
- verified = grub_malloc (sizeof (*verified));
|
|
- if (!verified)
|
|
- {
|
|
- grub_file_close (sig);
|
|
- grub_free (ret);
|
|
- return NULL;
|
|
- }
|
|
- verified->buf = grub_malloc (ret->size);
|
|
- if (!verified->buf)
|
|
- {
|
|
- grub_file_close (sig);
|
|
- verified_free (verified);
|
|
- grub_free (ret);
|
|
- return NULL;
|
|
- }
|
|
- if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size)
|
|
- {
|
|
- if (!grub_errno)
|
|
- grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),
|
|
- io->name);
|
|
- grub_file_close (sig);
|
|
- verified_free (verified);
|
|
- grub_free (ret);
|
|
- return NULL;
|
|
- }
|
|
-
|
|
- err = grub_verify_signature_real (verified->buf, ret->size, 0, sig, NULL);
|
|
- grub_file_close (sig);
|
|
+ err = grub_verify_signature_init (ctxt, sig);
|
|
if (err)
|
|
{
|
|
- verified_free (verified);
|
|
- grub_free (ret);
|
|
- return NULL;
|
|
+ grub_pubkey_close (ctxt);
|
|
+ return err;
|
|
}
|
|
- verified->file = io;
|
|
- ret->data = verified;
|
|
- return ret;
|
|
+ *context = ctxt;
|
|
+ return GRUB_ERR_NONE;
|
|
+}
|
|
+
|
|
+static grub_err_t
|
|
+grub_pubkey_fini (void *ctxt)
|
|
+{
|
|
+ return grub_verify_signature_real (ctxt, NULL);
|
|
}
|
|
|
|
static char *
|
|
@@ -970,8 +936,16 @@ struct grub_fs pseudo_fs =
|
|
{
|
|
.name = "pseudo",
|
|
.read = pseudo_read
|
|
-};
|
|
+ };
|
|
|
|
+struct grub_file_verifier grub_pubkey_verifier =
|
|
+ {
|
|
+ .name = "pgp",
|
|
+ .init = grub_pubkey_init,
|
|
+ .fini = grub_pubkey_fini,
|
|
+ .write = grub_pubkey_write,
|
|
+ .close = grub_pubkey_close,
|
|
+ };
|
|
|
|
static grub_extcmd_t cmd, cmd_trust;
|
|
static grub_command_t cmd_distrust, cmd_list;
|
|
@@ -986,8 +960,6 @@ GRUB_MOD_INIT(verify)
|
|
sec = 1;
|
|
else
|
|
sec = 0;
|
|
-
|
|
- grub_file_filter_register (GRUB_FILE_FILTER_PUBKEY, grub_pubkey_open);
|
|
|
|
grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
|
|
grub_env_export ("check_signatures");
|
|
@@ -1033,11 +1005,13 @@ GRUB_MOD_INIT(verify)
|
|
cmd_distrust = grub_register_command ("distrust", grub_cmd_distrust,
|
|
N_("PUBKEY_ID"),
|
|
N_("Remove PUBKEY_ID from trusted keys."));
|
|
+
|
|
+ grub_verifier_register (&grub_pubkey_verifier);
|
|
}
|
|
|
|
GRUB_MOD_FINI(verify)
|
|
{
|
|
- grub_file_filter_unregister (GRUB_FILE_FILTER_PUBKEY);
|
|
+ grub_verifier_unregister (&grub_pubkey_verifier);
|
|
grub_unregister_extcmd (cmd);
|
|
grub_unregister_extcmd (cmd_trust);
|
|
grub_unregister_command (cmd_list);
|
|
diff --git a/include/grub/file.h b/include/grub/file.h
|
|
index 5b47c5f91..19dda67f6 100644
|
|
--- a/include/grub/file.h
|
|
+++ b/include/grub/file.h
|
|
@@ -171,7 +171,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
|
|
/* Filters with lower ID are executed first. */
|
|
typedef enum grub_file_filter_id
|
|
{
|
|
- GRUB_FILE_FILTER_PUBKEY,
|
|
+ GRUB_FILE_FILTER_VERIFY,
|
|
GRUB_FILE_FILTER_GZIO,
|
|
GRUB_FILE_FILTER_XZIO,
|
|
GRUB_FILE_FILTER_LZOPIO,
|
|
diff --git a/include/grub/list.h b/include/grub/list.h
|
|
index d170ff6da..b13acb962 100644
|
|
--- a/include/grub/list.h
|
|
+++ b/include/grub/list.h
|
|
@@ -35,6 +35,7 @@ void EXPORT_FUNC(grub_list_push) (grub_list_t *head, grub_list_t item);
|
|
void EXPORT_FUNC(grub_list_remove) (grub_list_t item);
|
|
|
|
#define FOR_LIST_ELEMENTS(var, list) for ((var) = (list); (var); (var) = (var)->next)
|
|
+#define FOR_LIST_ELEMENTS_NEXT(var, list) for ((var) = (var)->next; (var); (var) = (var)->next)
|
|
#define FOR_LIST_ELEMENTS_SAFE(var, nxt, list) for ((var) = (list), (nxt) = ((var) ? (var)->next : 0); (var); (var) = (nxt), ((nxt) = (var) ? (var)->next : 0))
|
|
|
|
static inline void *
|
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
|
new file mode 100644
|
|
index 000000000..298120f57
|
|
--- /dev/null
|
|
+++ b/include/grub/verify.h
|
|
@@ -0,0 +1,65 @@
|
|
+/*
|
|
+ * GRUB -- GRand Unified Bootloader
|
|
+ * Copyright (C) 2017 Free Software Foundation, Inc.
|
|
+ *
|
|
+ * GRUB is free software: you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation, either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * GRUB is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
+ */
|
|
+
|
|
+#include <grub/file.h>
|
|
+#include <grub/list.h>
|
|
+
|
|
+enum grub_verify_flags
|
|
+ {
|
|
+ GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
|
|
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2
|
|
+ };
|
|
+
|
|
+struct grub_file_verifier
|
|
+{
|
|
+ struct grub_file_verifier *next;
|
|
+ struct grub_file_verifier **prev;
|
|
+
|
|
+ const char *name;
|
|
+
|
|
+ /*
|
|
+ * Check if file needs to be verified and set up context.
|
|
+ * init/read/fini is structured in the same way as hash interface.
|
|
+ */
|
|
+ grub_err_t (*init) (grub_file_t io, enum grub_file_type type,
|
|
+ void **context, enum grub_verify_flags *flags);
|
|
+
|
|
+ /*
|
|
+ * Right now we pass the whole file in one call but it may
|
|
+ * change in the future. If you insist on single buffer you
|
|
+ * need to set GRUB_VERIFY_FLAGS_SINGLE_CHUNK in verify_flags.
|
|
+ */
|
|
+ grub_err_t (*write) (void *context, void *buf, grub_size_t size);
|
|
+
|
|
+ grub_err_t (*fini) (void *context);
|
|
+ void (*close) (void *context);
|
|
+};
|
|
+
|
|
+extern struct grub_file_verifier *grub_file_verifiers;
|
|
+
|
|
+static inline void
|
|
+grub_verifier_register (struct grub_file_verifier *ver)
|
|
+{
|
|
+ grub_list_push (GRUB_AS_LIST_P (&grub_file_verifiers), GRUB_AS_LIST (ver));
|
|
+}
|
|
+
|
|
+static inline void
|
|
+grub_verifier_unregister (struct grub_file_verifier *ver)
|
|
+{
|
|
+ grub_list_remove (GRUB_AS_LIST (ver));
|
|
+}
|