+static uint32_t cs_blob_generation_count = 1;
+
+/*
+ * CODESIGNING
+ * Routines to navigate code signing data structures in the kernel...
+ */
+
+extern int cs_debug;
+
+#define PAGE_SHIFT_4K (12)
+#define PAGE_SIZE_4K ((1<<PAGE_SHIFT_4K))
+#define PAGE_MASK_4K ((PAGE_SIZE_4K-1))
+#define round_page_4K(x) (((vm_offset_t)(x) + PAGE_MASK_4K) & ~((vm_offset_t)PAGE_MASK_4K))
+
+static boolean_t
+cs_valid_range(
+ const void *start,
+ const void *end,
+ const void *lower_bound,
+ const void *upper_bound)
+{
+ if (upper_bound < lower_bound ||
+ end < start) {
+ return FALSE;
+ }
+
+ if (start < lower_bound ||
+ end > upper_bound) {
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+typedef void (*cs_md_init)(void *ctx);
+typedef void (*cs_md_update)(void *ctx, const void *data, size_t size);
+typedef void (*cs_md_final)(void *hash, void *ctx);
+
+struct cs_hash {
+ uint8_t cs_type; /* type code as per code signing */
+ size_t cs_size; /* size of effective hash (may be truncated) */
+ size_t cs_digest_size; /* size of native hash */
+ cs_md_init cs_init;
+ cs_md_update cs_update;
+ cs_md_final cs_final;
+};
+
+static struct cs_hash cs_hash_sha1 = {
+ .cs_type = CS_HASHTYPE_SHA1,
+ .cs_size = CS_SHA1_LEN,
+ .cs_digest_size = SHA_DIGEST_LENGTH,
+ .cs_init = (cs_md_init)SHA1Init,
+ .cs_update = (cs_md_update)SHA1Update,
+ .cs_final = (cs_md_final)SHA1Final,
+};
+#if CRYPTO_SHA2
+static struct cs_hash cs_hash_sha256 = {
+ .cs_type = CS_HASHTYPE_SHA256,
+ .cs_size = SHA256_DIGEST_LENGTH,
+ .cs_digest_size = SHA256_DIGEST_LENGTH,
+ .cs_init = (cs_md_init)SHA256_Init,
+ .cs_update = (cs_md_update)SHA256_Update,
+ .cs_final = (cs_md_final)SHA256_Final,
+};
+static struct cs_hash cs_hash_sha256_truncate = {
+ .cs_type = CS_HASHTYPE_SHA256_TRUNCATED,
+ .cs_size = CS_SHA256_TRUNCATED_LEN,
+ .cs_digest_size = SHA256_DIGEST_LENGTH,
+ .cs_init = (cs_md_init)SHA256_Init,
+ .cs_update = (cs_md_update)SHA256_Update,
+ .cs_final = (cs_md_final)SHA256_Final,
+};
+static struct cs_hash cs_hash_sha384 = {
+ .cs_type = CS_HASHTYPE_SHA384,
+ .cs_size = SHA384_DIGEST_LENGTH,
+ .cs_digest_size = SHA384_DIGEST_LENGTH,
+ .cs_init = (cs_md_init)SHA384_Init,
+ .cs_update = (cs_md_update)SHA384_Update,
+ .cs_final = (cs_md_final)SHA384_Final,
+};
+#endif
+
+static struct cs_hash *
+cs_find_md(uint8_t type)
+{
+ if (type == CS_HASHTYPE_SHA1) {
+ return &cs_hash_sha1;
+#if CRYPTO_SHA2
+ } else if (type == CS_HASHTYPE_SHA256) {
+ return &cs_hash_sha256;
+ } else if (type == CS_HASHTYPE_SHA256_TRUNCATED) {
+ return &cs_hash_sha256_truncate;
+ } else if (type == CS_HASHTYPE_SHA384) {
+ return &cs_hash_sha384;
+#endif
+ }
+ return NULL;
+}
+
+union cs_hash_union {
+ SHA1_CTX sha1ctxt;
+ SHA256_CTX sha256ctx;
+ SHA384_CTX sha384ctx;
+};
+
+
+/*
+ * Choose among different hash algorithms.
+ * Higher is better, 0 => don't use at all.
+ */
+static uint32_t hashPriorities[] = {
+ CS_HASHTYPE_SHA1,
+ CS_HASHTYPE_SHA256_TRUNCATED,
+ CS_HASHTYPE_SHA256,
+ CS_HASHTYPE_SHA384,
+};
+
+static unsigned int
+hash_rank(const CS_CodeDirectory *cd)
+{
+ uint32_t type = cd->hashType;
+ unsigned int n;
+
+ for (n = 0; n < sizeof(hashPriorities) / sizeof(hashPriorities[0]); ++n)
+ if (hashPriorities[n] == type)
+ return n + 1;
+ return 0; /* not supported */
+}
+
+
+/*
+ * Locating a page hash
+ */
+static const unsigned char *
+hashes(
+ const CS_CodeDirectory *cd,
+ uint32_t page,
+ size_t hash_len,
+ const char *lower_bound,
+ const char *upper_bound)
+{
+ const unsigned char *base, *top, *hash;
+ uint32_t nCodeSlots = ntohl(cd->nCodeSlots);
+
+ assert(cs_valid_range(cd, cd + 1, lower_bound, upper_bound));
+
+ if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
+ /* Get first scatter struct */
+ const SC_Scatter *scatter = (const SC_Scatter*)
+ ((const char*)cd + ntohl(cd->scatterOffset));
+ uint32_t hashindex=0, scount, sbase=0;
+ /* iterate all scatter structs */
+ do {
+ if((const char*)scatter > (const char*)cd + ntohl(cd->length)) {
+ if(cs_debug) {
+ printf("CODE SIGNING: Scatter extends past Code Directory\n");
+ }
+ return NULL;
+ }
+
+ scount = ntohl(scatter->count);
+ uint32_t new_base = ntohl(scatter->base);
+
+ /* last scatter? */
+ if (scount == 0) {
+ return NULL;
+ }
+
+ if((hashindex > 0) && (new_base <= sbase)) {
+ if(cs_debug) {
+ printf("CODE SIGNING: unordered Scatter, prev base %d, cur base %d\n",
+ sbase, new_base);
+ }
+ return NULL; /* unordered scatter array */
+ }
+ sbase = new_base;
+
+ /* this scatter beyond page we're looking for? */
+ if (sbase > page) {
+ return NULL;
+ }
+
+ if (sbase+scount >= page) {
+ /* Found the scatter struct that is
+ * referencing our page */
+
+ /* base = address of first hash covered by scatter */
+ base = (const unsigned char *)cd + ntohl(cd->hashOffset) +
+ hashindex * hash_len;
+ /* top = address of first hash after this scatter */
+ top = base + scount * hash_len;
+ if (!cs_valid_range(base, top, lower_bound,
+ upper_bound) ||
+ hashindex > nCodeSlots) {
+ return NULL;
+ }
+
+ break;
+ }
+
+ /* this scatter struct is before the page we're looking
+ * for. Iterate. */
+ hashindex+=scount;
+ scatter++;
+ } while(1);
+
+ hash = base + (page - sbase) * hash_len;
+ } else {
+ base = (const unsigned char *)cd + ntohl(cd->hashOffset);
+ top = base + nCodeSlots * hash_len;
+ if (!cs_valid_range(base, top, lower_bound, upper_bound) ||
+ page > nCodeSlots) {
+ return NULL;
+ }
+ assert(page < nCodeSlots);
+
+ hash = base + page * hash_len;
+ }
+
+ if (!cs_valid_range(hash, hash + hash_len,
+ lower_bound, upper_bound)) {
+ hash = NULL;
+ }
+
+ return hash;
+}
+
+/*
+ * cs_validate_codedirectory
+ *
+ * Validate that pointers inside the code directory to make sure that
+ * all offsets and lengths are constrained within the buffer.
+ *
+ * Parameters: cd Pointer to code directory buffer
+ * length Length of buffer
+ *
+ * Returns: 0 Success
+ * EBADEXEC Invalid code signature
+ */
+
+static int
+cs_validate_codedirectory(const CS_CodeDirectory *cd, size_t length)
+{
+ struct cs_hash *hashtype;
+
+ if (length < sizeof(*cd))
+ return EBADEXEC;
+ if (ntohl(cd->magic) != CSMAGIC_CODEDIRECTORY)
+ return EBADEXEC;
+ if (cd->pageSize != PAGE_SHIFT_4K)
+ return EBADEXEC;
+ hashtype = cs_find_md(cd->hashType);
+ if (hashtype == NULL)
+ return EBADEXEC;
+
+ if (cd->hashSize != hashtype->cs_size)
+ return EBADEXEC;
+
+ if (length < ntohl(cd->hashOffset))
+ return EBADEXEC;
+
+ /* check that nSpecialSlots fits in the buffer in front of hashOffset */
+ if (ntohl(cd->hashOffset) / hashtype->cs_size < ntohl(cd->nSpecialSlots))
+ return EBADEXEC;
+
+ /* check that codeslots fits in the buffer */
+ if ((length - ntohl(cd->hashOffset)) / hashtype->cs_size < ntohl(cd->nCodeSlots))
+ return EBADEXEC;
+
+ if (ntohl(cd->version) >= CS_SUPPORTSSCATTER && cd->scatterOffset) {
+
+ if (length < ntohl(cd->scatterOffset))
+ return EBADEXEC;
+
+ const SC_Scatter *scatter = (const SC_Scatter *)
+ (((const uint8_t *)cd) + ntohl(cd->scatterOffset));
+ uint32_t nPages = 0;
+
+ /*
+ * Check each scatter buffer, since we don't know the
+ * length of the scatter buffer array, we have to
+ * check each entry.
+ */
+ while(1) {
+ /* check that the end of each scatter buffer in within the length */
+ if (((const uint8_t *)scatter) + sizeof(scatter[0]) > (const uint8_t *)cd + length)
+ return EBADEXEC;
+ uint32_t scount = ntohl(scatter->count);
+ if (scount == 0)
+ break;
+ if (nPages + scount < nPages)
+ return EBADEXEC;
+ nPages += scount;
+ scatter++;
+
+ /* XXX check that basees doesn't overlap */
+ /* XXX check that targetOffset doesn't overlap */
+ }
+#if 0 /* rdar://12579439 */
+ if (nPages != ntohl(cd->nCodeSlots))
+ return EBADEXEC;
+#endif
+ }
+
+ if (length < ntohl(cd->identOffset))
+ return EBADEXEC;
+
+ /* identifier is NUL terminated string */
+ if (cd->identOffset) {
+ const uint8_t *ptr = (const uint8_t *)cd + ntohl(cd->identOffset);
+ if (memchr(ptr, 0, length - ntohl(cd->identOffset)) == NULL)
+ return EBADEXEC;
+ }
+
+ /* team identifier is NULL terminated string */
+ if (ntohl(cd->version) >= CS_SUPPORTSTEAMID && ntohl(cd->teamOffset)) {
+ if (length < ntohl(cd->teamOffset))
+ return EBADEXEC;
+
+ const uint8_t *ptr = (const uint8_t *)cd + ntohl(cd->teamOffset);
+ if (memchr(ptr, 0, length - ntohl(cd->teamOffset)) == NULL)
+ return EBADEXEC;
+ }
+
+ return 0;
+}
+
+/*
+ *
+ */
+
+static int
+cs_validate_blob(const CS_GenericBlob *blob, size_t length)
+{
+ if (length < sizeof(CS_GenericBlob) || length < ntohl(blob->length))
+ return EBADEXEC;
+ return 0;
+}
+
+/*
+ * cs_validate_csblob
+ *
+ * Validate that superblob/embedded code directory to make sure that
+ * all internal pointers are valid.
+ *
+ * Will validate both a superblob csblob and a "raw" code directory.
+ *
+ *
+ * Parameters: buffer Pointer to code signature
+ * length Length of buffer
+ * rcd returns pointer to code directory
+ *
+ * Returns: 0 Success
+ * EBADEXEC Invalid code signature
+ */
+
+static int
+cs_validate_csblob(const uint8_t *addr, size_t length,
+ const CS_CodeDirectory **rcd)
+{
+ const CS_GenericBlob *blob = (const CS_GenericBlob *)(const void *)addr;
+ int error;
+
+ *rcd = NULL;
+
+ error = cs_validate_blob(blob, length);
+ if (error)
+ return error;
+
+ length = ntohl(blob->length);
+
+ if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) {
+ const CS_SuperBlob *sb;
+ uint32_t n, count;
+ const CS_CodeDirectory *best_cd = NULL;
+ unsigned int best_rank = 0;
+
+ if (length < sizeof(CS_SuperBlob))
+ return EBADEXEC;
+
+ sb = (const CS_SuperBlob *)blob;
+ count = ntohl(sb->count);
+
+ /* check that the array of BlobIndex fits in the rest of the data */
+ if ((length - sizeof(CS_SuperBlob)) / sizeof(CS_BlobIndex) < count)
+ return EBADEXEC;
+
+ /* now check each BlobIndex */
+ for (n = 0; n < count; n++) {
+ const CS_BlobIndex *blobIndex = &sb->index[n];
+ uint32_t type = ntohl(blobIndex->type);
+ uint32_t offset = ntohl(blobIndex->offset);
+ if (length < offset)
+ return EBADEXEC;
+
+ const CS_GenericBlob *subBlob =
+ (const CS_GenericBlob *)(const void *)(addr + offset);
+
+ size_t subLength = length - offset;
+
+ if ((error = cs_validate_blob(subBlob, subLength)) != 0)
+ return error;
+ subLength = ntohl(subBlob->length);
+
+ /* extra validation for CDs, that is also returned */
+ if (type == CSSLOT_CODEDIRECTORY || (type >= CSSLOT_ALTERNATE_CODEDIRECTORIES && type < CSSLOT_ALTERNATE_CODEDIRECTORY_LIMIT)) {
+ const CS_CodeDirectory *candidate = (const CS_CodeDirectory *)subBlob;
+ if ((error = cs_validate_codedirectory(candidate, subLength)) != 0)
+ return error;
+ unsigned int rank = hash_rank(candidate);
+ if (cs_debug > 3)
+ printf("CodeDirectory type %d rank %d at slot 0x%x index %d\n", candidate->hashType, (int)rank, (int)type, (int)n);
+ if (best_cd == NULL || rank > best_rank) {
+ best_cd = candidate;
+ best_rank = rank;
+ } else if (best_cd != NULL && rank == best_rank) {
+ /* repeat of a hash type (1:1 mapped to ranks), illegal and suspicious */
+ printf("multiple hash=%d CodeDirectories in signature; rejecting", best_cd->hashType);
+ return EBADEXEC;
+ }
+ }
+ if (best_cd && cs_debug > 2)
+ printf("using CodeDirectory type %d (rank %d)\n", (int)best_cd->hashType, best_rank);
+ *rcd = best_cd;
+ }
+
+ } else if (ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY) {
+
+ if ((error = cs_validate_codedirectory((const CS_CodeDirectory *)(const void *)addr, length)) != 0)
+ return error;
+ *rcd = (const CS_CodeDirectory *)blob;
+ } else {
+ return EBADEXEC;
+ }
+
+ if (*rcd == NULL)
+ return EBADEXEC;
+
+ return 0;
+}
+
+/*
+ * cs_find_blob_bytes
+ *
+ * Find an blob from the superblob/code directory. The blob must have
+ * been been validated by cs_validate_csblob() before calling
+ * this. Use csblob_find_blob() instead.
+ *
+ * Will also find a "raw" code directory if its stored as well as
+ * searching the superblob.
+ *
+ * Parameters: buffer Pointer to code signature
+ * length Length of buffer
+ * type type of blob to find
+ * magic the magic number for that blob
+ *
+ * Returns: pointer Success
+ * NULL Buffer not found
+ */
+
+const CS_GenericBlob *
+csblob_find_blob_bytes(const uint8_t *addr, size_t length, uint32_t type, uint32_t magic)
+{
+ const CS_GenericBlob *blob = (const CS_GenericBlob *)(const void *)addr;
+
+ if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) {
+ const CS_SuperBlob *sb = (const CS_SuperBlob *)blob;
+ size_t n, count = ntohl(sb->count);
+
+ for (n = 0; n < count; n++) {
+ if (ntohl(sb->index[n].type) != type)
+ continue;
+ uint32_t offset = ntohl(sb->index[n].offset);
+ if (length - sizeof(const CS_GenericBlob) < offset)
+ return NULL;
+ blob = (const CS_GenericBlob *)(const void *)(addr + offset);
+ if (ntohl(blob->magic) != magic)
+ continue;
+ return blob;
+ }
+ } else if (type == CSSLOT_CODEDIRECTORY
+ && ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY
+ && magic == CSMAGIC_CODEDIRECTORY)
+ return blob;
+ return NULL;
+}
+
+
+const CS_GenericBlob *
+csblob_find_blob(struct cs_blob *csblob, uint32_t type, uint32_t magic)
+{
+ if ((csblob->csb_flags & CS_VALID) == 0)
+ return NULL;
+ return csblob_find_blob_bytes((const uint8_t *)csblob->csb_mem_kaddr, csblob->csb_mem_size, type, magic);
+}
+
+static const uint8_t *
+find_special_slot(const CS_CodeDirectory *cd, size_t slotsize, uint32_t slot)
+{
+ /* there is no zero special slot since that is the first code slot */
+ if (ntohl(cd->nSpecialSlots) < slot || slot == 0)
+ return NULL;
+
+ return ((const uint8_t *)cd + ntohl(cd->hashOffset) - (slotsize * slot));
+}
+
+static uint8_t cshash_zero[CS_HASH_MAX_SIZE] = { 0 };
+
+int
+csblob_get_entitlements(struct cs_blob *csblob, void **out_start, size_t *out_length)
+{
+ uint8_t computed_hash[CS_HASH_MAX_SIZE];
+ const CS_GenericBlob *entitlements;
+ const CS_CodeDirectory *code_dir;
+ const uint8_t *embedded_hash;
+ union cs_hash_union context;
+
+ *out_start = NULL;
+ *out_length = 0;
+
+ if (csblob->csb_hashtype == NULL || csblob->csb_hashtype->cs_digest_size > sizeof(computed_hash))
+ return EBADEXEC;
+
+ code_dir = csblob->csb_cd;
+
+ entitlements = csblob_find_blob(csblob, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS);
+ embedded_hash = find_special_slot(code_dir, csblob->csb_hashtype->cs_size, CSSLOT_ENTITLEMENTS);
+
+ if (embedded_hash == NULL) {
+ if (entitlements)
+ return EBADEXEC;
+ return 0;
+ } else if (entitlements == NULL) {
+ if (memcmp(embedded_hash, cshash_zero, csblob->csb_hashtype->cs_size) != 0) {
+ return EBADEXEC;
+ } else {
+ return 0;
+ }
+ }
+
+ csblob->csb_hashtype->cs_init(&context);
+ csblob->csb_hashtype->cs_update(&context, entitlements, ntohl(entitlements->length));
+ csblob->csb_hashtype->cs_final(computed_hash, &context);
+
+ if (memcmp(computed_hash, embedded_hash, csblob->csb_hashtype->cs_size) != 0)
+ return EBADEXEC;
+
+ *out_start = __DECONST(void *, entitlements);
+ *out_length = ntohl(entitlements->length);
+
+ return 0;
+}
+
+/*
+ * CODESIGNING
+ * End of routines to navigate code signing data structures in the kernel.
+ */
+
+
projects / apple / xnu.git / blobdiff