blob: 5f4c981e5bec8f4c4124bf04a8a07967b43498e8 [file] [log] [blame]
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -08001/*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "common.h"
18#include "verifier.h"
Doug Zongker28ce47c2011-10-28 10:33:05 -070019#include "ui.h"
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080020
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080021#include "mincrypt/rsa.h"
22#include "mincrypt/sha.h"
23
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080024#include <string.h>
Doug Zongker54e2e862009-08-17 13:21:04 -070025#include <stdio.h>
26#include <errno.h>
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080027
Doug Zongker211aebc2011-10-28 15:13:10 -070028extern RecoveryUI* ui;
29
Doug Zongker54e2e862009-08-17 13:21:04 -070030// Look for an RSA signature embedded in the .ZIP file comment given
31// the path to the zip. Verify it matches one of the given public
32// keys.
33//
34// Return VERIFY_SUCCESS, VERIFY_FAILURE (if any error is encountered
35// or no key matches the signature).
36
37int verify_file(const char* path, const RSAPublicKey *pKeys, unsigned int numKeys) {
Doug Zongker211aebc2011-10-28 15:13:10 -070038 ui->SetProgress(0.0);
Doug Zongker54e2e862009-08-17 13:21:04 -070039
40 FILE* f = fopen(path, "rb");
41 if (f == NULL) {
42 LOGE("failed to open %s (%s)\n", path, strerror(errno));
43 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080044 }
45
Doug Zongker54e2e862009-08-17 13:21:04 -070046 // An archive with a whole-file signature will end in six bytes:
47 //
Doug Zongker73ae31c2009-12-09 17:01:45 -080048 // (2-byte signature start) $ff $ff (2-byte comment size)
Doug Zongker54e2e862009-08-17 13:21:04 -070049 //
50 // (As far as the ZIP format is concerned, these are part of the
51 // archive comment.) We start by reading this footer, this tells
52 // us how far back from the end we have to start reading to find
53 // the whole comment.
54
55#define FOOTER_SIZE 6
56
57 if (fseek(f, -FOOTER_SIZE, SEEK_END) != 0) {
58 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
59 fclose(f);
60 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080061 }
62
Doug Zongker54e2e862009-08-17 13:21:04 -070063 unsigned char footer[FOOTER_SIZE];
64 if (fread(footer, 1, FOOTER_SIZE, f) != FOOTER_SIZE) {
65 LOGE("failed to read footer from %s (%s)\n", path, strerror(errno));
66 fclose(f);
67 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080068 }
69
Doug Zongker54e2e862009-08-17 13:21:04 -070070 if (footer[2] != 0xff || footer[3] != 0xff) {
71 fclose(f);
72 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080073 }
74
Doug Zongker28ce47c2011-10-28 10:33:05 -070075 size_t comment_size = footer[4] + (footer[5] << 8);
76 size_t signature_start = footer[0] + (footer[1] << 8);
Doug Zongker54e2e862009-08-17 13:21:04 -070077 LOGI("comment is %d bytes; signature %d bytes from end\n",
78 comment_size, signature_start);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080079
Doug Zongker54e2e862009-08-17 13:21:04 -070080 if (signature_start - FOOTER_SIZE < RSANUMBYTES) {
81 // "signature" block isn't big enough to contain an RSA block.
82 LOGE("signature is too short\n");
83 fclose(f);
84 return VERIFY_FAILURE;
85 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080086
Doug Zongker54e2e862009-08-17 13:21:04 -070087#define EOCD_HEADER_SIZE 22
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080088
Doug Zongker54e2e862009-08-17 13:21:04 -070089 // The end-of-central-directory record is 22 bytes plus any
90 // comment length.
91 size_t eocd_size = comment_size + EOCD_HEADER_SIZE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080092
Doug Zongker54e2e862009-08-17 13:21:04 -070093 if (fseek(f, -eocd_size, SEEK_END) != 0) {
94 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
95 fclose(f);
96 return VERIFY_FAILURE;
97 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -080098
Doug Zongker54e2e862009-08-17 13:21:04 -070099 // Determine how much of the file is covered by the signature.
100 // This is everything except the signature data and length, which
101 // includes all of the EOCD except for the comment length field (2
102 // bytes) and the comment data.
103 size_t signed_len = ftell(f) + EOCD_HEADER_SIZE - 2;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800104
Doug Zongker28ce47c2011-10-28 10:33:05 -0700105 unsigned char* eocd = (unsigned char*)malloc(eocd_size);
Doug Zongker54e2e862009-08-17 13:21:04 -0700106 if (eocd == NULL) {
107 LOGE("malloc for EOCD record failed\n");
108 fclose(f);
109 return VERIFY_FAILURE;
110 }
111 if (fread(eocd, 1, eocd_size, f) != eocd_size) {
112 LOGE("failed to read eocd from %s (%s)\n", path, strerror(errno));
113 fclose(f);
114 return VERIFY_FAILURE;
115 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800116
Doug Zongker54e2e862009-08-17 13:21:04 -0700117 // If this is really is the EOCD record, it will begin with the
118 // magic number $50 $4b $05 $06.
119 if (eocd[0] != 0x50 || eocd[1] != 0x4b ||
120 eocd[2] != 0x05 || eocd[3] != 0x06) {
121 LOGE("signature length doesn't match EOCD marker\n");
122 fclose(f);
123 return VERIFY_FAILURE;
124 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800125
Doug Zongker28ce47c2011-10-28 10:33:05 -0700126 size_t i;
Doug Zongker54e2e862009-08-17 13:21:04 -0700127 for (i = 4; i < eocd_size-3; ++i) {
128 if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b &&
Doug Zongkerc652e412009-12-08 15:30:09 -0800129 eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
Doug Zongker54e2e862009-08-17 13:21:04 -0700130 // if the sequence $50 $4b $05 $06 appears anywhere after
131 // the real one, minzip will find the later (wrong) one,
132 // which could be exploitable. Fail verification if
133 // this sequence occurs anywhere after the real one.
134 LOGE("EOCD marker occurs after start of EOCD\n");
135 fclose(f);
136 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800137 }
138 }
139
Doug Zongker54e2e862009-08-17 13:21:04 -0700140#define BUFFER_SIZE 4096
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800141
Doug Zongker54e2e862009-08-17 13:21:04 -0700142 SHA_CTX ctx;
143 SHA_init(&ctx);
Doug Zongker28ce47c2011-10-28 10:33:05 -0700144 unsigned char* buffer = (unsigned char*)malloc(BUFFER_SIZE);
Doug Zongker54e2e862009-08-17 13:21:04 -0700145 if (buffer == NULL) {
146 LOGE("failed to alloc memory for sha1 buffer\n");
147 fclose(f);
148 return VERIFY_FAILURE;
149 }
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800150
Doug Zongker54e2e862009-08-17 13:21:04 -0700151 double frac = -1.0;
152 size_t so_far = 0;
153 fseek(f, 0, SEEK_SET);
154 while (so_far < signed_len) {
Doug Zongker28ce47c2011-10-28 10:33:05 -0700155 size_t size = BUFFER_SIZE;
Doug Zongker54e2e862009-08-17 13:21:04 -0700156 if (signed_len - so_far < size) size = signed_len - so_far;
157 if (fread(buffer, 1, size, f) != size) {
158 LOGE("failed to read data from %s (%s)\n", path, strerror(errno));
159 fclose(f);
160 return VERIFY_FAILURE;
161 }
162 SHA_update(&ctx, buffer, size);
163 so_far += size;
164 double f = so_far / (double)signed_len;
165 if (f > frac + 0.02 || size == so_far) {
Doug Zongker211aebc2011-10-28 15:13:10 -0700166 ui->SetProgress(f);
Doug Zongker54e2e862009-08-17 13:21:04 -0700167 frac = f;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800168 }
169 }
Doug Zongker54e2e862009-08-17 13:21:04 -0700170 fclose(f);
171 free(buffer);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800172
Doug Zongker54e2e862009-08-17 13:21:04 -0700173 const uint8_t* sha1 = SHA_final(&ctx);
174 for (i = 0; i < numKeys; ++i) {
Doug Zongker73ae31c2009-12-09 17:01:45 -0800175 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
Doug Zongker54e2e862009-08-17 13:21:04 -0700176 // the signing tool appends after the signature itself.
177 if (RSA_verify(pKeys+i, eocd + eocd_size - 6 - RSANUMBYTES,
178 RSANUMBYTES, sha1)) {
Doug Zongker47626332011-03-15 12:11:08 -0700179 LOGI("whole-file signature verified against key %d\n", i);
Doug Zongker54e2e862009-08-17 13:21:04 -0700180 free(eocd);
181 return VERIFY_SUCCESS;
Doug Zongker6c249f72012-11-02 15:04:05 -0700182 } else {
183 LOGI("failed to verify against key %d\n", i);
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800184 }
185 }
Doug Zongker54e2e862009-08-17 13:21:04 -0700186 free(eocd);
187 LOGE("failed to verify whole-file signature\n");
188 return VERIFY_FAILURE;
The Android Open Source Projectc24a8e62009-03-03 19:28:42 -0800189}
Doug Zongker6c249f72012-11-02 15:04:05 -0700190
191// Reads a file containing one or more public keys as produced by
192// DumpPublicKey: this is an RSAPublicKey struct as it would appear
193// as a C source literal, eg:
194//
195// "{64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
196//
197// For key versions newer than the original 2048-bit e=3 keys
198// supported by Android, the string is preceded by a version
199// identifier, eg:
200//
201// "v2 {64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
202//
203// (Note that the braces and commas in this example are actual
204// characters the parser expects to find in the file; the ellipses
205// indicate more numbers omitted from this example.)
206//
207// The file may contain multiple keys in this format, separated by
208// commas. The last key must not be followed by a comma.
209//
210// Returns NULL if the file failed to parse, or if it contain zero keys.
211RSAPublicKey*
212load_keys(const char* filename, int* numKeys) {
213 RSAPublicKey* out = NULL;
214 *numKeys = 0;
215
216 FILE* f = fopen(filename, "r");
217 if (f == NULL) {
218 LOGE("opening %s: %s\n", filename, strerror(errno));
219 goto exit;
220 }
221
222 {
223 int i;
224 bool done = false;
225 while (!done) {
226 ++*numKeys;
227 out = (RSAPublicKey*)realloc(out, *numKeys * sizeof(RSAPublicKey));
228 RSAPublicKey* key = out + (*numKeys - 1);
229
230 char start_char;
231 if (fscanf(f, " %c", &start_char) != 1) goto exit;
232 if (start_char == '{') {
233 // a version 1 key has no version specifier.
234 key->exponent = 3;
235 } else if (start_char == 'v') {
236 int version;
237 if (fscanf(f, "%d {", &version) != 1) goto exit;
238 if (version == 2) {
239 key->exponent = 65537;
240 } else {
241 goto exit;
242 }
243 }
244
245 if (fscanf(f, " %i , 0x%x , { %u",
246 &(key->len), &(key->n0inv), &(key->n[0])) != 3) {
247 goto exit;
248 }
249 if (key->len != RSANUMWORDS) {
250 LOGE("key length (%d) does not match expected size\n", key->len);
251 goto exit;
252 }
253 for (i = 1; i < key->len; ++i) {
254 if (fscanf(f, " , %u", &(key->n[i])) != 1) goto exit;
255 }
256 if (fscanf(f, " } , { %u", &(key->rr[0])) != 1) goto exit;
257 for (i = 1; i < key->len; ++i) {
258 if (fscanf(f, " , %u", &(key->rr[i])) != 1) goto exit;
259 }
260 fscanf(f, " } } ");
261
262 // if the line ends in a comma, this file has more keys.
263 switch (fgetc(f)) {
264 case ',':
265 // more keys to come.
266 break;
267
268 case EOF:
269 done = true;
270 break;
271
272 default:
273 LOGE("unexpected character between keys\n");
274 goto exit;
275 }
276
277 LOGI("read key e=%d\n", key->exponent);
278 }
279 }
280
281 fclose(f);
282 return out;
283
284exit:
285 if (f) fclose(f);
286 free(out);
287 *numKeys = 0;
288 return NULL;
289}