ldrPE.cpp

Timestamp:

Oct 12, 2020 11:59:53 PM (4 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

140868

Message:

SUPHardNt,IPRT: If there are nested signatures (i.e. more than one signature), don't get grumpy if there are time or cert path issues with some of them, as long as one or more checks out perfectly. (Mind, all the signature data must check out, it's just the cert path or signing time we're relaxing here.) ticketref:19743 bugref:3103

File:

: 1 edited

trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp (modified) (16 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp

-              r85121
+              r86549
 #ifndef IPRT_WITHOUT_LDR_VERIFY
 /**
  * Parsed signature data.
  */
 typedef struct RTLDRPESIGNATURE
+ * Parsed data for one signature.
+ */
+typedef struct RTLDRPESIGNATUREONE
+{
     /** The outer content info wrapper. */
     RTCRPKCS7CONTENTINFO        ContentInfo;
+    PRTCRPKCS7CONTENTINFO       pContentInfo;
     /** Pointer to the decoded SignedData inside the ContentInfo member. */
     PRTCRPKCS7SIGNEDDATA        pSignedData;
 …
     /** The digest type employed by the signature. */
     RTDIGESTTYPE                enmDigest;
+    /** Set if we've already validate the image hash. */
+    bool                        fValidatedImageHash;
+    /** The signature number. */
+    uint16_t                    iSignature;
+    /** Hash result. */
+    RTLDRPEHASHRESUNION         HashRes;
+} RTLDRPESIGNATUREONE;
+/** Pointer to the parsed data of one signature. */
+typedef RTLDRPESIGNATUREONE *PRTLDRPESIGNATUREONE;
+/**
+ * Parsed signature data.
+ */
+typedef struct RTLDRPESIGNATURE
+{
     /** Pointer to the raw signatures.  This is allocated in the continuation of
      * this structure to keep things simple.  The size is given by  the security
      * export directory. */
     WIN_CERTIFICATE const      *pRawData;
+    /** The outer content info wrapper (primary signature). */
+    RTCRPKCS7CONTENTINFO        PrimaryContentInfo;
+    /** The info for the primary signature. */
+    RTLDRPESIGNATUREONE         Primary;
+    /** Number of nested signatures (zero if none). */
+    uint16_t                    cNested;
+    /** Pointer to an array of nested signatures (NULL if none). */
+    PRTLDRPESIGNATUREONE        paNested;
     /** Hash scratch data. */
     RTLDRPEHASHCTXUNION         HashCtx;
-    /** Hash result. */
-    RTLDRPEHASHRESUNION         HashRes;
 } RTLDRPESIGNATURE;
 /** Pointed to SigneData parsing stat and output. */
 …
+{
     RT_NOREF_PV(pModPe);
+    RTCrPkcs7ContentInfo_Delete(&pSignature->ContentInfo);
+    RTCrPkcs7ContentInfo_Delete(&pSignature->PrimaryContentInfo);
+    if (pSignature->paNested > 0)
+    {
+        RTMemTmpFree(pSignature->paNested);
+        pSignature->paNested = NULL;
+    }
     RTMemTmpFree(pSignature);
+}
+/**
+ * Handles nested signatures.
+ *
+ * @returns IPRT status code.
+ * @param   pSignature          The signature status structure.  Returns with
+ *                              cNested = 0 and paNested = NULL if no nested
+ *                              signatures.
+ * @param   pErrInfo            Where to return extended error info (optional).
+ */
+static int rtldrPE_VerifySignatureDecodeNested(PRTLDRPESIGNATURE pSignature, PRTERRINFO pErrInfo)
+{
+    Assert(pSignature->cNested == 0);
+    Assert(pSignature->paNested == NULL);
+    /*
+     * Count nested signatures.
+     */
+    uint32_t cNested = 0;
+    for (uint32_t iSignerInfo = 0; iSignerInfo < pSignature->Primary.pSignedData->SignerInfos.cItems; iSignerInfo++)
+    {
+        PCRTCRPKCS7SIGNERINFO pSignerInfo = pSignature->Primary.pSignedData->SignerInfos.papItems[iSignerInfo];
+        for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++)
+        {
+            PCRTCRPKCS7ATTRIBUTE pAttrib = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib];
+            if (pAttrib->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
+            {
+                Assert(pAttrib->uValues.pContentInfos);
+                cNested += pAttrib->uValues.pContentInfos->cItems;
+            }
+        }
+    }
+    if (!cNested)
+        return VINF_SUCCESS;
+    /*
+     * Allocate and populate the info structures.
+     */
+    pSignature->paNested = (PRTLDRPESIGNATUREONE)RTMemTmpAllocZ(sizeof(pSignature->paNested[0]) * cNested);
+    if (!pSignature->paNested)
+        return RTErrInfoSetF(pErrInfo, VERR_NO_TMP_MEMORY, "Failed to allocate space for %u nested signatures", cNested);
+    pSignature->cNested = cNested;
+    cNested = 0;
+    for (uint32_t iSignerInfo = 0; iSignerInfo < pSignature->Primary.pSignedData->SignerInfos.cItems; iSignerInfo++)
+    {
+        PCRTCRPKCS7SIGNERINFO pSignerInfo = pSignature->Primary.pSignedData->SignerInfos.papItems[iSignerInfo];
+        for (uint32_t iAttrib = 0; iAttrib < pSignerInfo->UnauthenticatedAttributes.cItems; iAttrib++)
+        {
+            PCRTCRPKCS7ATTRIBUTE pAttrib = pSignerInfo->UnauthenticatedAttributes.papItems[iAttrib];
+            if (pAttrib->enmType == RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE)
+            {
+                for (uint32_t iItem = 0; iItem < pAttrib->uValues.pContentInfos->cItems; iItem++, cNested++)
+                {
+                    PRTLDRPESIGNATUREONE  pInfo        = &pSignature->paNested[cNested];
+                    PRTCRPKCS7CONTENTINFO pContentInfo = pAttrib->uValues.pContentInfos->papItems[iItem];
+                    pInfo->pContentInfo = pContentInfo;
+                    pInfo->iSignature   = cNested;
+                    if (RTCrPkcs7ContentInfo_IsSignedData(pInfo->pContentInfo))
+                    { /* likely */ }
+                    else
+                        return RTErrInfoSetF(pErrInfo, VERR_LDRVI_EXPECTED_INDIRECT_DATA_CONTENT_OID, /** @todo error code*/
+                                             "Nested#%u: PKCS#7 is not 'signedData': %s", cNested, pInfo->pContentInfo->ContentType.szObjId);
+                    PRTCRPKCS7SIGNEDDATA pSignedData = pContentInfo->u.pSignedData;
+                    pInfo->pSignedData = pSignedData;
+                    /*
+                     * Check the authenticode bits.
+                     */
+                    if (!strcmp(pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
+                    { /* likely */ }
+                    else
+                        return RTErrInfoSetF(pErrInfo, VERR_LDRVI_EXPECTED_INDIRECT_DATA_CONTENT_OID,
+                                             "Nested#%u: Unknown pSignedData.ContentInfo.ContentType.szObjId value: %s (expected %s)",
+                                             cNested, pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID);
+                    pInfo->pIndData = pSignedData->ContentInfo.u.pIndirectDataContent;
+                    Assert(pInfo->pIndData);
+                    /*
+                     * Check that things add up.
+                     */
+                    int rc = RTCrPkcs7SignedData_CheckSanity(pSignedData,
+                                                             RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE
+                                                             | RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH
+                                                             | RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT,
+                                                             pErrInfo, "SD");
+                    if (RT_SUCCESS(rc))
+                        rc = RTCrSpcIndirectDataContent_CheckSanityEx(pInfo->pIndData,
+                                                                      pSignedData,
+                                                                      RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH,
+                                                                      pErrInfo);
+                    if (RT_SUCCESS(rc))
+                    {
+                        PCRTCRX509ALGORITHMIDENTIFIER pDigestAlgorithm = &pInfo->pIndData->DigestInfo.DigestAlgorithm;
+                        pInfo->enmDigest = RTCrX509AlgorithmIdentifier_QueryDigestType(pDigestAlgorithm);
+                        AssertReturn(pInfo->enmDigest != RTDIGESTTYPE_INVALID, VERR_INTERNAL_ERROR_4); /* Checked above! */
+                    }
+                    else
+                        return rc;
+                }
+            }
+        }
+    }
+    return VINF_SUCCESS;
+}
 …
                             "WinCert");
+    int rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, &pSignature->ContentInfo, "CI");
+    PRTLDRPESIGNATUREONE pInfo = &pSignature->Primary;
+    pInfo->pContentInfo = &pSignature->PrimaryContentInfo;
+    int rc = RTCrPkcs7ContentInfo_DecodeAsn1(&PrimaryCursor.Cursor, 0, pInfo->pContentInfo, "CI");
     if (RT_SUCCESS(rc))
+    {
         if (RTCrPkcs7ContentInfo_IsSignedData(&pSignature->ContentInfo))
+        {
             pSignature->pSignedData = pSignature->ContentInfo.u.pSignedData;
+        if (RTCrPkcs7ContentInfo_IsSignedData(pInfo->pContentInfo))
+        {
+            pInfo->pSignedData = pInfo->pContentInfo->u.pSignedData;
             /*
              * Decode the authenticode bits.
              */
             if (!strcmp(pSignature->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
+            {
                 pSignature->pIndData = pSignature->pSignedData->ContentInfo.u.pIndirectDataContent;
                 Assert(pSignature->pIndData);
+            if (!strcmp(pInfo->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID))
+            {
+                pInfo->pIndData = pInfo->pSignedData->ContentInfo.u.pIndirectDataContent;
+                Assert(pInfo->pIndData);
                 /*
                  * Check that things add up.
                  */
+                rc = RTCrPkcs7SignedData_CheckSanity(pInfo->pSignedData,
+                                                     RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE
+                                                     | RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH
+                                                     | RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT,
+                                                     pErrInfo, "SD");
                 if (RT_SUCCESS(rc))
+                    rc = RTCrPkcs7SignedData_CheckSanity(pSignature->pSignedData,
+                                                         RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE
+                                                         | RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH
+                                                         | RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT,
+                                                         pErrInfo, "SD");
+                if (RT_SUCCESS(rc))
+                    rc = RTCrSpcIndirectDataContent_CheckSanityEx(pSignature->pIndData,
+                                                                  pSignature->pSignedData,
+                    rc = RTCrSpcIndirectDataContent_CheckSanityEx(pInfo->pIndData,
+                                                                  pInfo->pSignedData,
                                                                   RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH,
                                                                   pErrInfo);
                 if (RT_SUCCESS(rc))
+                {
+                    PCRTCRX509ALGORITHMIDENTIFIER pDigestAlgorithm = &pSignature->pIndData->DigestInfo.DigestAlgorithm;
+                    pSignature->enmDigest = RTCrX509AlgorithmIdentifier_QueryDigestType(pDigestAlgorithm);
+                    AssertReturn(pSignature->enmDigest != RTDIGESTTYPE_INVALID, VERR_INTERNAL_ERROR_4); /* Checked above! */
+                    PCRTCRX509ALGORITHMIDENTIFIER pDigestAlgorithm = &pInfo->pIndData->DigestInfo.DigestAlgorithm;
+                    pInfo->enmDigest = RTCrX509AlgorithmIdentifier_QueryDigestType(pDigestAlgorithm);
+                    AssertReturn(pInfo->enmDigest != RTDIGESTTYPE_INVALID, VERR_INTERNAL_ERROR_4); /* Checked above! */
+                    /*
+                     * Deal with nested signatures.
+                     */
+                    rc = rtldrPE_VerifySignatureDecodeNested(pSignature, pErrInfo);
+                }
+            }
 …
                 rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_EXPECTED_INDIRECT_DATA_CONTENT_OID,
                                    "Unknown pSignedData.ContentInfo.ContentType.szObjId value: %s (expected %s)",
                                    pSignature->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID);
+                                   pInfo->pSignedData->ContentInfo.ContentType.szObjId, RTCRSPCINDIRECTDATACONTENT_OID);
+        }
         else
             rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_EXPECTED_INDIRECT_DATA_CONTENT_OID, /** @todo error code*/
                                "PKCS#7 is not 'signedData': %s", pSignature->ContentInfo.ContentType.szObjId);
+                               "PKCS#7 is not 'signedData': %s", pInfo->pContentInfo->ContentType.szObjId);
+    }
     return rc;
 …
 static int rtldrPE_VerifyAllPageHashes(PRTLDRMODPE pModPe, PCRTCRSPCSERIALIZEDOBJECTATTRIBUTE pAttrib, RTDIGESTTYPE enmDigest,
                                        void *pvScratch, size_t cbScratch, PRTERRINFO pErrInfo)
+                                       void *pvScratch, size_t cbScratch, uint32_t iSignature, PRTERRINFO pErrInfo)
+{
     AssertReturn(cbScratch >= _4K, VERR_INTERNAL_ERROR_3);
 …
     if (cPages * (cbHash + 4) != pAttrib->u.pPageHashes->RawData.Asn1Core.cb)
         return RTErrInfoSetF(pErrInfo, VERR_LDRVI_PAGE_HASH_TAB_SIZE_OVERFLOW,
                              "Page hashes size issue: cb=%#x cbHash=%#x",
                              pAttrib->u.pPageHashes->RawData.Asn1Core.cb, cbHash);
+                             "Signature #%u - Page hashes size issue in: cb=%#x cbHash=%#x",
+                             iSignature, pAttrib->u.pPageHashes->RawData.Asn1Core.cb, cbHash);
     /*
 …
         if (RT_UNLIKELY(offPageInFile >= SpecialPlaces.cbToHash))
             return RTErrInfoSetF(pErrInfo, VERR_LDRVI_PAGE_HASH_TAB_TOO_LONG,
                                  "Page hash entry #%u is beyond the signature table start: %#x, %#x",
                                  iPage, offPageInFile, SpecialPlaces.cbToHash);
+                                 "Signature #%u - Page hash entry #%u is beyond the signature table start: %#x, %#x",
+                                 iSignature, iPage, offPageInFile, SpecialPlaces.cbToHash);
         if (RT_UNLIKELY(offPageInFile < offPrev))
             return RTErrInfoSetF(pErrInfo, VERR_LDRVI_PAGE_HASH_TAB_NOT_STRICTLY_SORTED,
                                  "Page hash table is not strictly sorted: entry #%u @%#x, previous @%#x\n",
                                  iPage, offPageInFile, offPrev);
+                                 "Signature #%u - Page hash table is not strictly sorted: entry #%u @%#x, previous @%#x\n",
+                                 iSignature, iPage, offPageInFile, offPrev);
 #ifdef COMPLICATED_AND_WRONG
 …
                 else
                     return RTErrInfoSetF(pErrInfo, VERR_PAGE_HASH_TAB_HASHES_NON_SECTION_DATA,
+                                         "Page hash entry #%u isn't in any section: %#x", iPage, offPageInFile);
+                                         "Signature #%u - Page hash entry #%u isn't in any section: %#x",
+                                         iSignature, iPage, offPageInFile);
+            }
+        }
 …
             if (RT_FAILURE(rc))
                 return RTErrInfoSetF(pErrInfo, VERR_LDRVI_READ_ERROR_HASH,
                                      "Page hash read error at %#x: %Rrc (cbScratchRead=%#zx)",
                                      offScratchRead, rc, cbScratchRead);
+                                     "Signature #%u - Page hash read error at %#x: %Rrc (cbScratchRead=%#zx)",
+                                     iSignature, offScratchRead, rc, cbScratchRead);
+        }
 …
         if (memcmp(pbHashTab, &HashRes, cbHash) != 0)
             return RTErrInfoSetF(pErrInfo, VERR_LDRVI_PAGE_HASH_MISMATCH,
+                                 "Page hash failed for page #%u, @%#x, %#x bytes: %.*Rhxs != %.*Rhxs",
+                                 iPage, offPageInFile, cbPageInFile, (size_t)cbHash, pbHashTab, (size_t)cbHash, &HashRes);
+                                 "Signature #%u - Page hash failed for page #%u, @%#x, %#x bytes: %.*Rhxs != %.*Rhxs",
+                                 iSignature, iPage, offPageInFile, cbPageInFile, (size_t)cbHash, pbHashTab,
+                                 (size_t)cbHash, &HashRes);
         pbHashTab += cbHash;
         offPrev = offPageInFile;
 …
     if (!ASMMemIsZero(pbHashTab + 4, cbHash))
         return RTErrInfoSetF(pErrInfo, VERR_LDRVI_PAGE_HASH_TAB_TOO_LONG,
                              "Maltform final page hash table entry: #%u %#010x %.*Rhxs",
                              cPages - 1, RT_MAKE_U32_FROM_U8(pbHashTab[0], pbHashTab[1], pbHashTab[2], pbHashTab[3]),
+                             "Signature #%u - Malformed final page hash table entry: #%u %#010x %.*Rhxs",
+                             iSignature, cPages - 1, RT_MAKE_U32_FROM_U8(pbHashTab[0], pbHashTab[1], pbHashTab[2], pbHashTab[3]),
                              (size_t)cbHash, pbHashTab + 4);
     return VINF_SUCCESS;
+}
+static int rtldrPE_VerifySignatureValidateOnePageHashes(PRTLDRMODPE pModPe, PRTLDRPESIGNATUREONE pInfo,
+                                                        void *pvScratch, uint32_t cbScratch, PRTERRINFO pErrInfo)
+{
+    /*
+     * Compare the page hashes if present.
+     *
+     * Seems the difference between V1 and V2 page hash attributes is
+     * that v1 uses SHA-1 while v2 uses SHA-256. The data structures
+     * seems to be identical otherwise.  Initially we assumed the digest
+     * algorithm was supposed to be RTCRSPCINDIRECTDATACONTENT::DigestInfo,
+     * i.e. the same as for the whole image hash.  The initial approach
+     * worked just fine, but this makes more sense.
+     *
+     * (See also comments in osslsigncode.c (google it).)
+     */
+    PCRTCRSPCSERIALIZEDOBJECTATTRIBUTE pAttrib;
+    /* V2 - SHA-256: */
+    pAttrib = RTCrSpcIndirectDataContent_GetPeImageObjAttrib(pInfo->pIndData,
+                                                             RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V2);
+    if (pAttrib)
+        return rtldrPE_VerifyAllPageHashes(pModPe, pAttrib, RTDIGESTTYPE_SHA256, pvScratch, cbScratch,
+                                           pInfo->iSignature + 1, pErrInfo);
+    /* V1 - SHA-1: */
+    pAttrib = RTCrSpcIndirectDataContent_GetPeImageObjAttrib(pInfo->pIndData,
+                                                             RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1);
+    if (pAttrib)
+        return rtldrPE_VerifyAllPageHashes(pModPe, pAttrib, RTDIGESTTYPE_SHA1, pvScratch, cbScratch,
+                                           pInfo->iSignature + 1, pErrInfo);
+    /* No page hashes: */
+    return VINF_SUCCESS;
+}
+static int rtldrPE_VerifySignatureValidateOneImageHash(PRTLDRMODPE pModPe, PRTLDRPESIGNATURE pSignature,
+                                                       PRTLDRPESIGNATUREONE pInfo, void *pvScratch, uint32_t cbScratch,
+                                                       PRTERRINFO pErrInfo)
+{
+    /*
+     * Assert sanity.
+     */
+    AssertReturn(pInfo->enmDigest > RTDIGESTTYPE_INVALID && pInfo->enmDigest < RTDIGESTTYPE_END, VERR_INTERNAL_ERROR_4);
+    AssertPtrReturn(pInfo->pIndData, VERR_INTERNAL_ERROR_5);
+    AssertReturn(RTASN1CORE_IS_PRESENT(&pInfo->pIndData->DigestInfo.Digest.Asn1Core), VERR_INTERNAL_ERROR_5);
+    AssertPtrReturn(pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv, VERR_INTERNAL_ERROR_5);
+    /*
+     * Skip it if we've already verified it.
+     */
+    if (pInfo->fValidatedImageHash)
+        return VINF_SUCCESS;
+    /*
+     * Calculate it.
+     */
+    uint32_t const cbHash = rtLdrPE_HashGetHashSize(pInfo->enmDigest);
+    AssertReturn(pInfo->pIndData->DigestInfo.Digest.Asn1Core.cb == cbHash, VERR_INTERNAL_ERROR_5);
+    int rc = rtldrPE_HashImageCommon(pModPe, pvScratch, cbScratch, pInfo->enmDigest,
+                                     &pSignature->HashCtx, &pInfo->HashRes, pErrInfo);
+    if (RT_SUCCESS(rc))
+    {
+        pInfo->fValidatedImageHash = true;
+        if (memcmp(&pInfo->HashRes, pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv, cbHash) == 0)
+        {
+            /*
+             * Verify other signatures with the same digest type.
+             */
+            RTLDRPEHASHRESUNION const * const pHashRes = &pInfo->HashRes;
+            for (uint32_t i = 0; i < pSignature->cNested; i++)
+            {
+                pInfo = &pSignature->paNested[i]; /* Note! pInfo changes! */
+                if (   !pInfo->fValidatedImageHash
+                    && pInfo->enmDigest == pInfo->enmDigest
+                    /* paranoia from the top of this function: */
+                    && pInfo->pIndData
+                    && RTASN1CORE_IS_PRESENT(&pInfo->pIndData->DigestInfo.Digest.Asn1Core)
+                    && pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv
+                    && pInfo->pIndData->DigestInfo.Digest.Asn1Core.cb == cbHash)
+                {
+                    pInfo->fValidatedImageHash = true;
+                    if (memcmp(pHashRes, pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv, cbHash) != 0)
+                    {
+                        rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_IMAGE_HASH_MISMATCH,
+                                           "Full image signature #%u mismatch: %.*Rhxs, expected %.*Rhxs", pInfo->iSignature + 1,
+                                           cbHash, pHashRes,
+                                           cbHash, pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv);
+                        break;
+                    }
+                }
+            }
+        }
+        else
+            rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_IMAGE_HASH_MISMATCH,
+                               "Full image signature #%u mismatch: %.*Rhxs, expected %.*Rhxs", pInfo->iSignature + 1,
+                               cbHash, &pInfo->HashRes,
+                               cbHash, pInfo->pIndData->DigestInfo.Digest.Asn1Core.uData.pv);
+    }
+    return rc;
+}
 …
 static int rtldrPE_VerifySignatureValidateHash(PRTLDRMODPE pModPe, PRTLDRPESIGNATURE pSignature, PRTERRINFO pErrInfo)
+{
-    AssertReturn(pSignature->enmDigest > RTDIGESTTYPE_INVALID && pSignature->enmDigest < RTDIGESTTYPE_END, VERR_INTERNAL_ERROR_4);
-    AssertPtrReturn(pSignature->pIndData, VERR_INTERNAL_ERROR_5);
-    AssertReturn(RTASN1CORE_IS_PRESENT(&pSignature->pIndData->DigestInfo.Digest.Asn1Core), VERR_INTERNAL_ERROR_5);
-    AssertPtrReturn(pSignature->pIndData->DigestInfo.Digest.Asn1Core.uData.pv, VERR_INTERNAL_ERROR_5);
-    uint32_t const cbHash = rtLdrPE_HashGetHashSize(pSignature->enmDigest);
-    AssertReturn(pSignature->pIndData->DigestInfo.Digest.Asn1Core.cb == cbHash, VERR_INTERNAL_ERROR_5);
     /*
      * Allocate a temporary memory buffer.
 …
      *       heap fragmentation.
      */
 #ifdef IN_RING0
+# ifdef IN_RING0
     uint32_t    cbScratch = _256K - _4K;
 #else
+# else
     uint32_t    cbScratch = _1M;
 #endif
+# endif
     void       *pvScratch = RTMemTmpAlloc(cbScratch);
     if (!pvScratch)
 …
     /*
+     * Calculate and compare the full image hash.
+     */
+    int rc = rtldrPE_HashImageCommon(pModPe, pvScratch, cbScratch, pSignature->enmDigest,
+                                     &pSignature->HashCtx, &pSignature->HashRes, pErrInfo);
+     * Verify signatures.
+     */
+    /* Image hashes: */
+    int rc = rtldrPE_VerifySignatureValidateOneImageHash(pModPe, pSignature, &pSignature->Primary,
+                                                         pvScratch, cbScratch, pErrInfo);
+    for (unsigned i = 0; i < pSignature->cNested && RT_SUCCESS(rc); i++)
+        rc = rtldrPE_VerifySignatureValidateOneImageHash(pModPe, pSignature, &pSignature->paNested[i],
+                                                         pvScratch, cbScratch, pErrInfo);
+    /* Page hashes: */
     if (RT_SUCCESS(rc))
+    {
+        if (!memcmp(&pSignature->HashRes, pSignature->pIndData->DigestInfo.Digest.Asn1Core.uData.pv, cbHash))
+        {
+            /*
+             * Compare the page hashes if present.
+             *
+             * Seems the difference between V1 and V2 page hash attributes is
+             * that v1 uses SHA-1 while v2 uses SHA-256. The data structures
+             * seems to be identical otherwise.  Initially we assumed the digest
+             * algorithm was supposed to be RTCRSPCINDIRECTDATACONTENT::DigestInfo,
+             * i.e. the same as for the whole image hash.  The initial approach
+             * worked just fine, but this makes more sense.
+             *
+             * (See also comments in osslsigncode.c (google it).)
+             */
+            PCRTCRSPCSERIALIZEDOBJECTATTRIBUTE pAttrib;
+            pAttrib = RTCrSpcIndirectDataContent_GetPeImageObjAttrib(pSignature->pIndData,
+                                                                     RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V2);
+            if (pAttrib)
+                rc = rtldrPE_VerifyAllPageHashes(pModPe, pAttrib, RTDIGESTTYPE_SHA256, pvScratch, cbScratch, pErrInfo);
+            else
+            {
+                pAttrib = RTCrSpcIndirectDataContent_GetPeImageObjAttrib(pSignature->pIndData,
+                                                                         RTCRSPCSERIALIZEDOBJECTATTRIBUTETYPE_PAGE_HASHES_V1);
+                if (pAttrib)
+                    rc = rtldrPE_VerifyAllPageHashes(pModPe, pAttrib, RTDIGESTTYPE_SHA1, pvScratch, cbScratch, pErrInfo);
+            }
+        }
+        else
+            rc = RTErrInfoSetF(pErrInfo, VERR_LDRVI_IMAGE_HASH_MISMATCH,
+                               "Full image signature mismatch: %.*Rhxs, expected %.*Rhxs",
+                               cbHash, &pSignature->HashRes,
+                               cbHash, pSignature->pIndData->DigestInfo.Digest.Asn1Core.uData.pv);
+    }
+        rc = rtldrPE_VerifySignatureValidateOnePageHashes(pModPe, &pSignature->Primary, pvScratch, cbScratch, pErrInfo);
+        for (unsigned i = 0; i < pSignature->cNested && RT_SUCCESS(rc); i++)
+            rc = rtldrPE_VerifySignatureValidateOnePageHashes(pModPe, &pSignature->paNested[i], pvScratch, cbScratch, pErrInfo);
+    }
+    /*
+     * Ditch the scratch buffer.
+     */
     RTMemTmpFree(pvScratch);
     return rc;
 …
             if (RT_SUCCESS(rc))
+            {
+                rc = pfnCallback(&pModPe->Core, RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA,
+                                 &pSignature->ContentInfo, sizeof(pSignature->ContentInfo),
+                                 NULL /*pvExternalData*/, 0 /*cbExternalData*/,
+                                 pErrInfo, pvUser);
+                /*
+                 * Work the callback.
+                 */
+                /* The primary signature: */
+                RTLDRSIGNATUREINFO Info;
+                Info.iSignature     = 0;
+                Info.cSignatures    = (uint16_t)(1 + pSignature->cNested);
+                Info.enmType        = RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA;
+                Info.pvSignature    = pSignature->Primary.pContentInfo;
+                Info.cbSignature    = sizeof(*pSignature->Primary.pContentInfo);
+                Info.pvExternalData = NULL;
+                Info.cbExternalData = 0;
+                rc = pfnCallback(&pModPe->Core, &Info, pErrInfo, pvUser);
+                /* The nested signatures: */
+                for (uint32_t iNested = 0; iNested < pSignature->cNested && rc == VINF_SUCCESS; iNested++)
+                {
+                    Info.iSignature     = (uint16_t)(1 + iNested);
+                    Info.cSignatures    = (uint16_t)(1 + pSignature->cNested);
+                    Info.enmType        = RTLDRSIGNATURETYPE_PKCS7_SIGNED_DATA;
+                    Info.pvSignature    = pSignature->paNested[iNested].pContentInfo;
+                    Info.cbSignature    = sizeof(*pSignature->paNested[iNested].pContentInfo);
+                    Info.pvExternalData = NULL;
+                    Info.cbExternalData = 0;
+                    rc = pfnCallback(&pModPe->Core, &Info, pErrInfo, pvUser);
+                }
+            }
             rtldrPE_VerifySignatureDestroy(pModPe, pSignature);

Note: See TracChangeset for help on using the changeset viewer.

Changeset 86549 in vbox for trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp

Legend:

trunk/src/VBox/Runtime/common/ldr/ldrPE.cpp

Download in other formats: