blob: 23fab07b2571cbdca6d725ef4e57cc4740b4b92a [file] [log] [blame]
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -08001/*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "common.h"
18#include "verifier.h"
Doug Zongker28ce47c2011-10-28 10:33:05 -070019#include "ui.h"
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080020
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080021#include "mincrypt/rsa.h"
22#include "mincrypt/sha.h"
Doug Zongkerbac7fba2013-04-10 11:32:17 -070023#include "mincrypt/sha256.h"
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080024
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080025#include <string.h>
Doug Zongker54e2e862009-08-17 13:21:04 -070026#include <stdio.h>
27#include <errno.h>
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080028
Doug Zongker211aebc2011-10-28 15:13:10 -070029extern RecoveryUI* ui;
30
Doug Zongker54e2e862009-08-17 13:21:04 -070031// Look for an RSA signature embedded in the .ZIP file comment given
32// the path to the zip. Verify it matches one of the given public
33// keys.
34//
35// Return VERIFY_SUCCESS, VERIFY_FAILURE (if any error is encountered
36// or no key matches the signature).
37
Doug Zongkerbac7fba2013-04-10 11:32:17 -070038int verify_file(const char* path, const Certificate* pKeys, unsigned int numKeys) {
Doug Zongker211aebc2011-10-28 15:13:10 -070039 ui->SetProgress(0.0);
Doug Zongker54e2e862009-08-17 13:21:04 -070040
41 FILE* f = fopen(path, "rb");
42 if (f == NULL) {
43 LOGE("failed to open %s (%s)\n", path, strerror(errno));
44 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080045 }
46
Doug Zongker54e2e862009-08-17 13:21:04 -070047 // An archive with a whole-file signature will end in six bytes:
48 //
Doug Zongker73ae31c2009-12-09 17:01:45 -080049 // (2-byte signature start) $ff $ff (2-byte comment size)
Doug Zongker54e2e862009-08-17 13:21:04 -070050 //
51 // (As far as the ZIP format is concerned, these are part of the
52 // archive comment.) We start by reading this footer, this tells
53 // us how far back from the end we have to start reading to find
54 // the whole comment.
55
56#define FOOTER_SIZE 6
57
58 if (fseek(f, -FOOTER_SIZE, SEEK_END) != 0) {
59 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
60 fclose(f);
61 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080062 }
63
Doug Zongker54e2e862009-08-17 13:21:04 -070064 unsigned char footer[FOOTER_SIZE];
65 if (fread(footer, 1, FOOTER_SIZE, f) != FOOTER_SIZE) {
66 LOGE("failed to read footer from %s (%s)\n", path, strerror(errno));
67 fclose(f);
68 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080069 }
70
Doug Zongker54e2e862009-08-17 13:21:04 -070071 if (footer[2] != 0xff || footer[3] != 0xff) {
Doug Zongkerbac7fba2013-04-10 11:32:17 -070072 LOGE("footer is wrong\n");
Doug Zongker54e2e862009-08-17 13:21:04 -070073 fclose(f);
74 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080075 }
76
Doug Zongker28ce47c2011-10-28 10:33:05 -070077 size_t comment_size = footer[4] + (footer[5] << 8);
78 size_t signature_start = footer[0] + (footer[1] << 8);
Doug Zongker54e2e862009-08-17 13:21:04 -070079 LOGI("comment is %d bytes; signature %d bytes from end\n",
80 comment_size, signature_start);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080081
Tianjie Xuf616da12016-12-16 16:24:09 -080082 if (signature_start > comment_size) {
83 LOGE("signature start: %zu is larger than comment size: %zu\n", signature_start,
84 comment_size);
85 fclose(f);
86 return VERIFY_FAILURE;
87 }
88
Doug Zongker54e2e862009-08-17 13:21:04 -070089 if (signature_start - FOOTER_SIZE < RSANUMBYTES) {
90 // "signature" block isn't big enough to contain an RSA block.
91 LOGE("signature is too short\n");
92 fclose(f);
93 return VERIFY_FAILURE;
94 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080095
Doug Zongker54e2e862009-08-17 13:21:04 -070096#define EOCD_HEADER_SIZE 22
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080097
Doug Zongker54e2e862009-08-17 13:21:04 -070098 // The end-of-central-directory record is 22 bytes plus any
99 // comment length.
100 size_t eocd_size = comment_size + EOCD_HEADER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800101
Doug Zongker54e2e862009-08-17 13:21:04 -0700102 if (fseek(f, -eocd_size, SEEK_END) != 0) {
103 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
104 fclose(f);
105 return VERIFY_FAILURE;
106 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800107
Doug Zongker54e2e862009-08-17 13:21:04 -0700108 // Determine how much of the file is covered by the signature.
109 // This is everything except the signature data and length, which
110 // includes all of the EOCD except for the comment length field (2
111 // bytes) and the comment data.
112 size_t signed_len = ftell(f) + EOCD_HEADER_SIZE - 2;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800113
Doug Zongker28ce47c2011-10-28 10:33:05 -0700114 unsigned char* eocd = (unsigned char*)malloc(eocd_size);
Doug Zongker54e2e862009-08-17 13:21:04 -0700115 if (eocd == NULL) {
116 LOGE("malloc for EOCD record failed\n");
117 fclose(f);
118 return VERIFY_FAILURE;
119 }
120 if (fread(eocd, 1, eocd_size, f) != eocd_size) {
121 LOGE("failed to read eocd from %s (%s)\n", path, strerror(errno));
122 fclose(f);
123 return VERIFY_FAILURE;
124 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800125
Doug Zongker54e2e862009-08-17 13:21:04 -0700126 // If this is really is the EOCD record, it will begin with the
127 // magic number $50 $4b $05 $06.
128 if (eocd[0] != 0x50 || eocd[1] != 0x4b ||
129 eocd[2] != 0x05 || eocd[3] != 0x06) {
130 LOGE("signature length doesn't match EOCD marker\n");
131 fclose(f);
132 return VERIFY_FAILURE;
133 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800134
Doug Zongker28ce47c2011-10-28 10:33:05 -0700135 size_t i;
Doug Zongker54e2e862009-08-17 13:21:04 -0700136 for (i = 4; i < eocd_size-3; ++i) {
137 if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b &&
Doug Zongkerc652e412009-12-08 15:30:09 -0800138 eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
Doug Zongker54e2e862009-08-17 13:21:04 -0700139 // if the sequence $50 $4b $05 $06 appears anywhere after
140 // the real one, minzip will find the later (wrong) one,
141 // which could be exploitable. Fail verification if
142 // this sequence occurs anywhere after the real one.
143 LOGE("EOCD marker occurs after start of EOCD\n");
144 fclose(f);
145 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800146 }
147 }
148
Doug Zongker54e2e862009-08-17 13:21:04 -0700149#define BUFFER_SIZE 4096
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800150
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700151 bool need_sha1 = false;
152 bool need_sha256 = false;
153 for (i = 0; i < numKeys; ++i) {
154 switch (pKeys[i].hash_len) {
155 case SHA_DIGEST_SIZE: need_sha1 = true; break;
156 case SHA256_DIGEST_SIZE: need_sha256 = true; break;
157 }
158 }
159
160 SHA_CTX sha1_ctx;
161 SHA256_CTX sha256_ctx;
162 SHA_init(&sha1_ctx);
163 SHA256_init(&sha256_ctx);
Doug Zongker28ce47c2011-10-28 10:33:05 -0700164 unsigned char* buffer = (unsigned char*)malloc(BUFFER_SIZE);
Doug Zongker54e2e862009-08-17 13:21:04 -0700165 if (buffer == NULL) {
166 LOGE("failed to alloc memory for sha1 buffer\n");
167 fclose(f);
168 return VERIFY_FAILURE;
169 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800170
Doug Zongker54e2e862009-08-17 13:21:04 -0700171 double frac = -1.0;
172 size_t so_far = 0;
173 fseek(f, 0, SEEK_SET);
174 while (so_far < signed_len) {
Doug Zongker28ce47c2011-10-28 10:33:05 -0700175 size_t size = BUFFER_SIZE;
Doug Zongker54e2e862009-08-17 13:21:04 -0700176 if (signed_len - so_far < size) size = signed_len - so_far;
177 if (fread(buffer, 1, size, f) != size) {
178 LOGE("failed to read data from %s (%s)\n", path, strerror(errno));
179 fclose(f);
180 return VERIFY_FAILURE;
181 }
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700182 if (need_sha1) SHA_update(&sha1_ctx, buffer, size);
183 if (need_sha256) SHA256_update(&sha256_ctx, buffer, size);
Doug Zongker54e2e862009-08-17 13:21:04 -0700184 so_far += size;
185 double f = so_far / (double)signed_len;
186 if (f > frac + 0.02 || size == so_far) {
Doug Zongker211aebc2011-10-28 15:13:10 -0700187 ui->SetProgress(f);
Doug Zongker54e2e862009-08-17 13:21:04 -0700188 frac = f;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800189 }
190 }
Doug Zongker54e2e862009-08-17 13:21:04 -0700191 fclose(f);
192 free(buffer);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800193
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700194 const uint8_t* sha1 = SHA_final(&sha1_ctx);
195 const uint8_t* sha256 = SHA256_final(&sha256_ctx);
196
Doug Zongker54e2e862009-08-17 13:21:04 -0700197 for (i = 0; i < numKeys; ++i) {
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700198 const uint8_t* hash;
199 switch (pKeys[i].hash_len) {
200 case SHA_DIGEST_SIZE: hash = sha1; break;
201 case SHA256_DIGEST_SIZE: hash = sha256; break;
202 default: continue;
203 }
204
Doug Zongker73ae31c2009-12-09 17:01:45 -0800205 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
Doug Zongker54e2e862009-08-17 13:21:04 -0700206 // the signing tool appends after the signature itself.
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700207 if (RSA_verify(pKeys[i].public_key, eocd + eocd_size - 6 - RSANUMBYTES,
208 RSANUMBYTES, hash, pKeys[i].hash_len)) {
Doug Zongker47626332011-03-15 12:11:08 -0700209 LOGI("whole-file signature verified against key %d\n", i);
Doug Zongker54e2e862009-08-17 13:21:04 -0700210 free(eocd);
211 return VERIFY_SUCCESS;
Doug Zongker6c249f72012-11-02 15:04:05 -0700212 } else {
213 LOGI("failed to verify against key %d\n", i);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800214 }
215 }
Doug Zongker54e2e862009-08-17 13:21:04 -0700216 free(eocd);
217 LOGE("failed to verify whole-file signature\n");
218 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800219}
Doug Zongker6c249f72012-11-02 15:04:05 -0700220
221// Reads a file containing one or more public keys as produced by
222// DumpPublicKey: this is an RSAPublicKey struct as it would appear
223// as a C source literal, eg:
224//
225// "{64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
226//
227// For key versions newer than the original 2048-bit e=3 keys
228// supported by Android, the string is preceded by a version
229// identifier, eg:
230//
231// "v2 {64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
232//
233// (Note that the braces and commas in this example are actual
234// characters the parser expects to find in the file; the ellipses
235// indicate more numbers omitted from this example.)
236//
237// The file may contain multiple keys in this format, separated by
238// commas. The last key must not be followed by a comma.
239//
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700240// A Certificate is a pair of an RSAPublicKey and a particular hash
241// (we support SHA-1 and SHA-256; we store the hash length to signify
242// which is being used). The hash used is implied by the version number.
243//
244// 1: 2048-bit RSA key with e=3 and SHA-1 hash
245// 2: 2048-bit RSA key with e=65537 and SHA-1 hash
246// 3: 2048-bit RSA key with e=3 and SHA-256 hash
247// 4: 2048-bit RSA key with e=65537 and SHA-256 hash
248//
Doug Zongker6c249f72012-11-02 15:04:05 -0700249// Returns NULL if the file failed to parse, or if it contain zero keys.
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700250Certificate*
Doug Zongker6c249f72012-11-02 15:04:05 -0700251load_keys(const char* filename, int* numKeys) {
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700252 Certificate* out = NULL;
Doug Zongker6c249f72012-11-02 15:04:05 -0700253 *numKeys = 0;
254
255 FILE* f = fopen(filename, "r");
256 if (f == NULL) {
257 LOGE("opening %s: %s\n", filename, strerror(errno));
258 goto exit;
259 }
260
261 {
262 int i;
263 bool done = false;
264 while (!done) {
265 ++*numKeys;
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700266 out = (Certificate*)realloc(out, *numKeys * sizeof(Certificate));
267 Certificate* cert = out + (*numKeys - 1);
268 cert->public_key = (RSAPublicKey*)malloc(sizeof(RSAPublicKey));
Doug Zongker6c249f72012-11-02 15:04:05 -0700269
270 char start_char;
271 if (fscanf(f, " %c", &start_char) != 1) goto exit;
272 if (start_char == '{') {
273 // a version 1 key has no version specifier.
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700274 cert->public_key->exponent = 3;
275 cert->hash_len = SHA_DIGEST_SIZE;
Doug Zongker6c249f72012-11-02 15:04:05 -0700276 } else if (start_char == 'v') {
277 int version;
278 if (fscanf(f, "%d {", &version) != 1) goto exit;
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700279 switch (version) {
280 case 2:
281 cert->public_key->exponent = 65537;
282 cert->hash_len = SHA_DIGEST_SIZE;
283 break;
284 case 3:
285 cert->public_key->exponent = 3;
286 cert->hash_len = SHA256_DIGEST_SIZE;
287 break;
288 case 4:
289 cert->public_key->exponent = 65537;
290 cert->hash_len = SHA256_DIGEST_SIZE;
291 break;
292 default:
293 goto exit;
Doug Zongker6c249f72012-11-02 15:04:05 -0700294 }
295 }
296
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700297 RSAPublicKey* key = cert->public_key;
Doug Zongker6c249f72012-11-02 15:04:05 -0700298 if (fscanf(f, " %i , 0x%x , { %u",
299 &(key->len), &(key->n0inv), &(key->n[0])) != 3) {
300 goto exit;
301 }
302 if (key->len != RSANUMWORDS) {
303 LOGE("key length (%d) does not match expected size\n", key->len);
304 goto exit;
305 }
306 for (i = 1; i < key->len; ++i) {
307 if (fscanf(f, " , %u", &(key->n[i])) != 1) goto exit;
308 }
309 if (fscanf(f, " } , { %u", &(key->rr[0])) != 1) goto exit;
310 for (i = 1; i < key->len; ++i) {
311 if (fscanf(f, " , %u", &(key->rr[i])) != 1) goto exit;
312 }
313 fscanf(f, " } } ");
314
315 // if the line ends in a comma, this file has more keys.
316 switch (fgetc(f)) {
317 case ',':
318 // more keys to come.
319 break;
320
321 case EOF:
322 done = true;
323 break;
324
325 default:
326 LOGE("unexpected character between keys\n");
327 goto exit;
328 }
329
Doug Zongkerbac7fba2013-04-10 11:32:17 -0700330 LOGI("read key e=%d hash=%d\n", key->exponent, cert->hash_len);
Doug Zongker6c249f72012-11-02 15:04:05 -0700331 }
332 }
333
334 fclose(f);
335 return out;
336
337exit:
338 if (f) fclose(f);
339 free(out);
340 *numKeys = 0;
341 return NULL;
342}