Changeset 86549 in vbox for trunk/src/VBox/HostDrivers/Support

Timestamp:

Oct 12, 2020 11:59:53 PM (5 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

140868

Message:

SUPHardNt,IPRT: If there are nested signatures (i.e. more than one signature), don't get grumpy if there are time or cert path issues with some of them, as long as one or more checks out perfectly. (Mind, all the signature data must check out, it's just the cert path or signing time we're relaxing here.) ticketref:19743 bugref:3103

Location:

trunk/src/VBox/HostDrivers/Support

Files:

• darwin/SUPDrv-darwin.cpp (modified) (2 diffs)
• win/SUPHardenedVerify-win.h (modified) (2 diffs)
• win/SUPHardenedVerifyImage-win.cpp (modified) (4 diffs)

trunk/src/VBox/HostDrivers/Support/darwin/SUPDrv-darwin.cpp

@@ -1353 +1353 @@
  * @callback_method_impl{FNRTLDRVALIDATESIGNEDDATA}
  */
-static DECLCALLBACK(int) supdrvDarwinLdrOpenVerifyCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
-                                                           void const *pvSignature, size_t cbSignature,
-                                                           void const *pvExternalData, size_t cbExternalData,
+static DECLCALLBACK(int) supdrvDarwinLdrOpenVerifyCallback(RTLDRMOD hLdrMod, PCRTLDRSIGNATUREINFO pInfo,
                                                            PRTERRINFO pErrInfo, void *pvUser)
 {
     PSUPDRVDEVEXT pDevExt = (PSUPDRVDEVEXT)pvUser;
-    RT_NOREF_PV(hLdrMod); RT_NOREF_PV(cbSignature);
-
-    switch (enmSignature)
+    RT_NOREF_PV(hLdrMod);
+
+    switch (pInfo->enmType)
     {
         case RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA:
-            if (pvExternalData)
+            if (pInfo->pvExternalData)
             {
-                PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pvSignature;
+                PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pInfo->pvSignature;
                 RTTIMESPEC             ValidationTime;
                 RTTimeNow(&ValidationTime);
@@ -1376 +1374 @@
                                                                  pDevExt->hAdditionalStore, pDevExt->hRootStore, &ValidationTime,
                                                                  supdrvDarwinLdrOpenVerifyCertificatCallback, pDevExt,
-                                                                 pvExternalData, cbExternalData, pErrInfo);
+                                                                 pInfo->pvExternalData, pInfo->cbExternalData, pErrInfo);
             }
             return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Expected external data with signature!");
 
         default:
-            return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported signature type: %d", enmSignature);
+            return RTErrInfoSetF(pErrInfo, VERR_NOT_SUPPORTED, "Unsupported signature type: %d", pInfo->enmType);
     }
 }

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h

@@ -98 +98 @@
     /** The file handle. */
     HANDLE      hFile;
-    /** Handle to event sempahore in case we're force to deal with asynchronous
-     * I/O. */
+    /** Handle to event sempahore in case we're force to deal with asynchronous I/O. */
     HANDLE      hEvent;
     /** Current file offset. */
@@ -107 +106 @@
     /** Flags for the verification callback, SUPHNTVI_F_XXX. */
     uint32_t    fFlags;
-    /** The executable timstamp in second since unix epoch. */
-    uint64_t    uTimestamp;
+    /** Number of signatures that verified okay. */
+    uint16_t    cOkaySignatures;
+    /** Number of signatures that couldn't be successfully verified (time stamp
+     * issues, no certificate path, etc) but weren't fatal. */
+    uint16_t    cNokSignatures;
+    /** Total number of signatures. */
+    uint16_t    cTotalSignatures;
+    /** The last non-fatal signature failure. */
+    int         rcLastSignatureFailure;
     /** Log name. */
     char        szFilename[1];

trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp

@@ -1059 +1059 @@
 
 
-static DECLCALLBACK(int) supHardNtViCallback(RTLDRMOD hLdrMod, RTLDRSIGNATURETYPE enmSignature,
-                                             void const *pvSignature, size_t cbSignature,
-                                             void const *pvExternalData, size_t cbExternalData,
-                                             PRTERRINFO pErrInfo, void *pvUser)
-{
-    RT_NOREF(hLdrMod, enmSignature, pvExternalData, cbExternalData);
+/**
+ * RTTimeNow equivaltent that handles ring-3 where we cannot use it.
+ *
+ * @returns pNow
+ * @param   pNow                Where to return the current time.
+ */
+static PRTTIMESPEC supHardNtTimeNow(PRTTIMESPEC pNow)
+{
+#ifdef IN_RING3
+    /*
+     * Just read system time.
+     */
+    KUSER_SHARED_DATA volatile *pUserSharedData = (KUSER_SHARED_DATA volatile *)MM_SHARED_USER_DATA_VA;
+# ifdef RT_ARCH_AMD64
+    uint64_t uRet = *(uint64_t volatile *)&pUserSharedData->SystemTime; /* This is what KeQuerySystemTime does (missaligned). */
+    return RTTimeSpecSetNtTime(pNow, uRet);
+# else
+
+    LARGE_INTEGER NtTime;
+    do
+    {
+        NtTime.HighPart = pUserSharedData->SystemTime.High1Time;
+        NtTime.LowPart  = pUserSharedData->SystemTime.LowPart;
+    } while (pUserSharedData->SystemTime.High2Time != NtTime.HighPart);
+    return RTTimeSpecSetNtTime(pNow, NtTime.QuadPart);
+# endif
+#else  /* IN_RING0 */
+    return RTTimeNow(pNow);
+#endif /* IN_RING0 */
+}
+
+
+/**
+ * @callback_method_impl{FNRTLDRVALIDATESIGNEDDATA}
+ */
+static DECLCALLBACK(int) supHardNtViCallback(RTLDRMOD hLdrMod, PCRTLDRSIGNATUREINFO pInfo, PRTERRINFO pErrInfo, void *pvUser)
+{
+    RT_NOREF(hLdrMod);
 
     /*
@@ -1071 +1103 @@
     PSUPHNTVIRDR pNtViRdr = (PSUPHNTVIRDR)pvUser;
     Assert(pNtViRdr->Core.uMagic == RTLDRREADER_MAGIC);
-
-    AssertReturn(cbSignature == sizeof(RTCRPKCS7CONTENTINFO), VERR_INTERNAL_ERROR_5);
-    PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pvSignature;
+    pNtViRdr->cTotalSignatures = pInfo->cSignatures;
+
+    AssertReturn(pInfo->enmType == RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA, VERR_INTERNAL_ERROR_5);
+    AssertReturn(!pInfo->pvExternalData, VERR_INTERNAL_ERROR_5);
+    AssertReturn(pInfo->cbSignature == sizeof(RTCRPKCS7CONTENTINFO), VERR_INTERNAL_ERROR_5);
+    PCRTCRPKCS7CONTENTINFO pContentInfo = (PCRTCRPKCS7CONTENTINFO)pInfo->pvSignature;
     AssertReturn(RTCrPkcs7ContentInfo_IsSignedData(pContentInfo), VERR_INTERNAL_ERROR_5);
     AssertReturn(pContentInfo->u.pSignedData->SignerInfos.cItems == 1, VERR_INTERNAL_ERROR_5);
     PCRTCRPKCS7SIGNERINFO pSignerInfo = pContentInfo->u.pSignedData->SignerInfos.papItems[0];
 
-    AssertReturn(!pvExternalData, VERR_INTERNAL_ERROR_5);
 
     /*
      * If special certificate requirements, check them out before validating
-     * the signature.
-     */
-    if (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
+     * the signature.  These only apply to the first signature (for now).
+     */
+    if (   (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
+        && pInfo->iSignature == 0)
     {
         if (!RTCrX509Certificate_MatchIssuerAndSerialNumber(&g_BuildX509Cert,
@@ -1098 +1133 @@
 
     /*
-     * Verify the signature.  We instruct the verifier to use the signing time
-     * counter signature present when present, falling back on the timestamp
-     * planted by the linker when absent.  In ring-0 we don't have all the
-     * necessary timestamp server root certificate info, so we have to allow
-     * using counter signatures unverified there.  Ditto for the early period
-     * of ring-3 hardened stub execution.
-     */
-    RTTIMESPEC ValidationTime;
-    RTTimeSpecSetSeconds(&ValidationTime, pNtViRdr->uTimestamp);
-
+     * We instruction the verifier to use the signing time counter signature
+     * when present, but provides the linker time then the current time as
+     * fallbacks should the timestamp be missing or unusable.
+     *
+     * Update: Save the first timestamp we validate with build cert and
+     *         use this as a minimum timestamp for further build cert
+     *         validations.  This works around issues with old DLLs that
+     *         we sign against with our certificate (crt, sdl, qt).
+     *
+     * Update: If the validation fails, retry with the current timestamp. This
+     *         is a workaround for NTDLL.DLL in build 14971 having a weird
+     *         timestamp: 0xDF1E957E (Sat Aug 14 14:05:18 2088).
+     */
     uint32_t fFlags = RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT
                     | RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT
                     | RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY;
+
+    /* In ring-0 we don't have all the necessary timestamp server root certificate
+     * info, so we have to allow using counter signatures unverified there.
+     * Ditto for the early period of ring-3 hardened stub execution. */
 #ifndef IN_RING0
     if (!g_fHaveOtherRoots)
 #endif
         fFlags |= RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED | RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED;
-    return RTCrPkcs7VerifySignedData(pContentInfo, fFlags, g_hSpcAndNtKernelSuppStore, g_hSpcAndNtKernelRootStore,
-                                     &ValidationTime, supHardNtViCertVerifyCallback, pNtViRdr, pErrInfo);
-}
-
-
-/**
- * RTTimeNow equivaltent that handles ring-3 where we cannot use it.
- *
- * @returns pNow
- * @param   pNow                Where to return the current time.
- */
-static PRTTIMESPEC supHardNtTimeNow(PRTTIMESPEC pNow)
-{
-#ifdef IN_RING3
-    /*
-     * Just read system time.
-     */
-    KUSER_SHARED_DATA volatile *pUserSharedData = (KUSER_SHARED_DATA volatile *)MM_SHARED_USER_DATA_VA;
-# ifdef RT_ARCH_AMD64
-    uint64_t uRet = *(uint64_t volatile *)&pUserSharedData->SystemTime; /* This is what KeQuerySystemTime does (missaligned). */
-    return RTTimeSpecSetNtTime(pNow, uRet);
-# else
-
-    LARGE_INTEGER NtTime;
-    do
-    {
-        NtTime.HighPart = pUserSharedData->SystemTime.High1Time;
-        NtTime.LowPart  = pUserSharedData->SystemTime.LowPart;
-    } while (pUserSharedData->SystemTime.High2Time != NtTime.HighPart);
-    return RTTimeSpecSetNtTime(pNow, NtTime.QuadPart);
-# endif
-#else  /* IN_RING0 */
-    return RTTimeNow(pNow);
-#endif /* IN_RING0 */
+
+    /* Fallback timestamps to try: */
+    struct { RTTIMESPEC TimeSpec; const char *pszDesc; } aTimes[2];
+    unsigned cTimes = 0;
+
+    /* 1. The linking timestamp: */
+    uint64_t uTimestamp = 0;
+    int rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &uTimestamp, sizeof(uTimestamp));
+    if (RT_SUCCESS(rc))
+    {
+#ifdef IN_RING3 /* Hack alert! (see above) */
+        if (   (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING)
+            && (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT)
+            && uTimestamp < g_uBuildTimestampHack)
+            uTimestamp = g_uBuildTimestampHack;
+#endif
+        RTTimeSpecSetSeconds(&aTimes[0].TimeSpec, uTimestamp);
+        aTimes[0].pszDesc = "link";
+        cTimes++;
+    }
+    else
+        SUP_DPRINTF(("RTLdrQueryProp/RTLDRPROP_TIMESTAMP_SECONDS failed on %s: %Rrc", pNtViRdr->szFilename, rc));
+
+    /* 2. Current time. */
+    supHardNtTimeNow(&aTimes[cTimes].TimeSpec);
+    aTimes[cTimes].pszDesc = "now";
+    cTimes++;
+
+    /* Make the verfication attempts. */
+    for (unsigned i = 0; ; i++)
+    {
+        Assert(i < cTimes);
+        rc = RTCrPkcs7VerifySignedData(pContentInfo, fFlags, g_hSpcAndNtKernelSuppStore, g_hSpcAndNtKernelRootStore,
+                                       &aTimes[i].TimeSpec, supHardNtViCertVerifyCallback, pNtViRdr, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            if (rc != VINF_SUCCESS)
+            {
+                SUP_DPRINTF(("%s: Signature #%u/%u: info status: %d\n", pNtViRdr->szFilename, pInfo->iSignature, pInfo->cbSignature, rc));
+                if (pNtViRdr->rcLastSignatureFailure == VINF_SUCCESS)
+                    pNtViRdr->rcLastSignatureFailure = rc;
+            }
+            pNtViRdr->cOkaySignatures++;
+
+#ifdef IN_RING3 /* Hack alert! (see above) */
+            if ((pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT) && g_uBuildTimestampHack == 0 && cTimes > 1)
+                g_uBuildTimestampHack = uTimestamp;
+#endif
+            return VINF_SUCCESS;
+        }
+
+        if (rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME && i + 1 < cTimes)
+            SUP_DPRINTF(("%s: Signature #%u/%u: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for %#RX64; retrying against current time: %#RX64.\n",
+                         pNtViRdr->szFilename, pInfo->iSignature, pInfo->cbSignature,
+                         RTTimeSpecGetSeconds(&aTimes[0].TimeSpec), RTTimeSpecGetSeconds(&aTimes[1].TimeSpec)));
+        else
+        {
+            /* There are a couple of failures we can tollerate if there are more than
+               one signature and one of them works out fine.  The RTLdrVerifySignature
+               caller will have to check the failure counts though to make sure
+               something succeeded. */
+            pNtViRdr->rcLastSignatureFailure = rc;
+            if (   rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME
+                || rc == VERR_CR_X509_CPV_NO_TRUSTED_PATHS)
+            {
+                SUP_DPRINTF(("%s: Signature #%u/%u: %s (%d) w/ timestamp=%#RX64/%s.\n", pNtViRdr->szFilename, pInfo->iSignature, pInfo->cbSignature,
+                             rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME ? "VERR_CR_X509_CPV_NOT_VALID_AT_TIME" : "VERR_CR_X509_CPV_NO_TRUSTED_PATHS", rc,
+                             RTTimeSpecGetSeconds(&aTimes[i].TimeSpec), aTimes[i].pszDesc));
+
+                /* This leniency is not applicable to build certificate requirements (signature #1 only). */
+                if (  !(pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT)
+                    || pInfo->iSignature != 0)
+                {
+                    pNtViRdr->cNokSignatures++;
+                    rc = VINF_SUCCESS;
+                }
+            }
+            else
+                SUP_DPRINTF(("%s: Signature #%u/%u: %Rrc w/ timestamp=%#RX64/%s.\n", pNtViRdr->szFilename, pInfo->iSignature, pInfo->cbSignature,
+                             rc, RTTimeSpecGetSeconds(&aTimes[i].TimeSpec), aTimes[i].pszDesc));
+            return rc;
+        }
+    }
 }
 
@@ -1222 +1313 @@
      * The PKCS #7 SignedData signature is checked in the callback. Any
      * signing certificate restrictions are also enforced there.
-     *
-     * For the time being, we use the executable timestamp as the
-     * certificate validation date.  We must query that first to avoid
-     * potential issues re-entering the loader code from the callback.
-     *
-     * Update: Save the first timestamp we validate with build cert and
-     *         use this as a minimum timestamp for further build cert
-     *         validations.  This works around issues with old DLLs that
-     *         we sign against with our certificate (crt, sdl, qt).
-     *
-     * Update: If the validation fails, retry with the current timestamp. This
-     *         is a workaround for NTDLL.DLL in build 14971 having a weird
-     *         timestamp: 0xDF1E957E (Sat Aug 14 14:05:18 2088).
-     */
-    int rc = RTLdrQueryProp(hLdrMod, RTLDRPROP_TIMESTAMP_SECONDS, &pNtViRdr->uTimestamp, sizeof(pNtViRdr->uTimestamp));
+     */
+    pNtViRdr->cOkaySignatures        = 0;
+    pNtViRdr->cNokSignatures         = 0;
+    pNtViRdr->cTotalSignatures       = 0;
+    pNtViRdr->rcLastSignatureFailure = VINF_SUCCESS;
+    int rc = RTLdrVerifySignature(hLdrMod, supHardNtViCallback, pNtViRdr, pErrInfo);
     if (RT_SUCCESS(rc))
     {
-#ifdef IN_RING3 /* Hack alert! (see above) */
-        if (   (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING)
-            && (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT)
-            && pNtViRdr->uTimestamp < g_uBuildTimestampHack)
-            pNtViRdr->uTimestamp = g_uBuildTimestampHack;
-#endif
-
-        rc = RTLdrVerifySignature(hLdrMod, supHardNtViCallback, pNtViRdr, pErrInfo);
-
-#ifdef IN_RING3 /* Hack alert! (see above) */
-        if ((pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_BUILD_CERT) && g_uBuildTimestampHack == 0 && RT_SUCCESS(rc))
-            g_uBuildTimestampHack = pNtViRdr->uTimestamp;
-#endif
-
-        if (rc == VERR_CR_X509_CPV_NOT_VALID_AT_TIME)
+        Assert(pNtViRdr->cOkaySignatures + pNtViRdr->cNokSignatures == pNtViRdr->cTotalSignatures);
+        if (   !pNtViRdr->cOkaySignatures
+            || pNtViRdr->cOkaySignatures + pNtViRdr->cNokSignatures < pNtViRdr->cTotalSignatures /* paranoia */)
         {
-            RTTIMESPEC Now;
-            uint64_t uOld = pNtViRdr->uTimestamp;
-            pNtViRdr->uTimestamp = RTTimeSpecGetSeconds(supHardNtTimeNow(&Now));
-            SUP_DPRINTF(("%ls: VERR_CR_X509_CPV_NOT_VALID_AT_TIME for %#RX64; retrying against current time: %#RX64.\n",
-                         pwszName, uOld, pNtViRdr->uTimestamp)); NOREF(uOld);
-            rc = RTLdrVerifySignature(hLdrMod, supHardNtViCallback, pNtViRdr, pErrInfo);
+            rc = pNtViRdr->rcLastSignatureFailure;
+            AssertStmt(RT_FAILURE_NP(rc), rc = VERR_INTERNAL_ERROR_3);
         }
-
-        /*
-         * Microsoft doesn't sign a whole bunch of DLLs, so we have to
-         * ASSUME that a bunch of system DLLs are fine.
-         */
-        if (rc == VERR_LDRVI_NOT_SIGNED)
-            rc = supHardNtViCheckIfNotSignedOk(hLdrMod, pwszName, pNtViRdr->fFlags, pNtViRdr->hFile, rc);
-        if (RT_FAILURE(rc))
-            RTErrInfoAddF(pErrInfo, rc, ": %ls", pwszName);
-
-        /*
-         * Check for the signature checking enforcement, if requested to do so.
-         */
-        if (RT_SUCCESS(rc) && (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT))
-        {
-            bool fEnforced = false;
-            int rc2 = RTLdrQueryProp(hLdrMod, RTLDRPROP_SIGNATURE_CHECKS_ENFORCED, &fEnforced, sizeof(fEnforced));
-            if (RT_FAILURE(rc2))
-                rc = RTErrInfoSetF(pErrInfo, rc2, "Querying RTLDRPROP_SIGNATURE_CHECKS_ENFORCED failed on %ls: %Rrc.",
-                                   pwszName, rc2);
-            else if (!fEnforced)
-                rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SIGNATURE_CHECKS_NOT_ENFORCED,
-                                   "The image '%ls' was not linked with /IntegrityCheck.", pwszName);
-        }
-    }
-    else
-        RTErrInfoSetF(pErrInfo, rc, "RTLdrQueryProp/RTLDRPROP_TIMESTAMP_SECONDS failed on %ls: %Rrc", pwszName, rc);
+        else if (rc == VINF_SUCCESS && RT_SUCCESS(pNtViRdr->rcLastSignatureFailure))
+            rc = pNtViRdr->rcLastSignatureFailure;
+    }
+
+    /*
+     * Microsoft doesn't sign a whole bunch of DLLs, so we have to
+     * ASSUME that a bunch of system DLLs are fine.
+     */
+    if (rc == VERR_LDRVI_NOT_SIGNED)
+        rc = supHardNtViCheckIfNotSignedOk(hLdrMod, pwszName, pNtViRdr->fFlags, pNtViRdr->hFile, rc);
+    if (RT_FAILURE(rc))
+        RTErrInfoAddF(pErrInfo, rc, ": %ls", pwszName);
+
+    /*
+     * Check for the signature checking enforcement, if requested to do so.
+     */
+    if (RT_SUCCESS(rc) && (pNtViRdr->fFlags & SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT))
+    {
+        bool fEnforced = false;
+        int rc2 = RTLdrQueryProp(hLdrMod, RTLDRPROP_SIGNATURE_CHECKS_ENFORCED, &fEnforced, sizeof(fEnforced));
+        if (RT_FAILURE(rc2))
+            rc = RTErrInfoSetF(pErrInfo, rc2, "Querying RTLDRPROP_SIGNATURE_CHECKS_ENFORCED failed on %ls: %Rrc.",
+                               pwszName, rc2);
+        else if (!fEnforced)
+            rc = RTErrInfoSetF(pErrInfo, VERR_SUP_VP_SIGNATURE_CHECKS_NOT_ENFORCED,
+                               "The image '%ls' was not linked with /IntegrityCheck.", pwszName);
+    }
 
 #ifdef IN_RING3