47 #define EACCES_NON_SIGNING \ 48 __einfo_error ( EINFO_EACCES_NON_SIGNING ) 49 #define EINFO_EACCES_NON_SIGNING \ 50 __einfo_uniqify ( EINFO_EACCES, 0x01, "Not a signing certificate" ) 51 #define EACCES_NON_CODE_SIGNING \ 52 __einfo_error ( EINFO_EACCES_NON_CODE_SIGNING ) 53 #define EINFO_EACCES_NON_CODE_SIGNING \ 54 __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a code-signing certificate" ) 55 #define EACCES_WRONG_NAME \ 56 __einfo_error ( EINFO_EACCES_WRONG_NAME ) 57 #define EINFO_EACCES_WRONG_NAME \ 58 __einfo_uniqify ( EINFO_EACCES, 0x04, "Incorrect certificate name" ) 59 #define EACCES_NO_SIGNATURES \ 60 __einfo_error ( EINFO_EACCES_NO_SIGNATURES ) 61 #define EINFO_EACCES_NO_SIGNATURES \ 62 __einfo_uniqify ( EINFO_EACCES, 0x05, "No signatures present" ) 63 #define EACCES_NO_RECIPIENTS \ 64 __einfo_error ( EINFO_EACCES_NO_RECIPIENTS ) 65 #define EINFO_EACCES_NO_RECIPIENTS \ 66 __einfo_uniqify ( EINFO_EACCES, 0x06, "No usable recipients" ) 68 __einfo_error ( EINFO_EACCES_LEN ) 69 #define EINFO_EACCES_LEN \ 70 __einfo_uniqify ( EINFO_EACCES, 0x07, "Bad file length" ) 72 __einfo_error ( EINFO_EACCES_PAD ) 73 #define EINFO_EACCES_PAD \ 74 __einfo_uniqify ( EINFO_EACCES, 0x08, "Bad block padding" ) 76 __einfo_error ( EINFO_EACCES_MAC ) 77 #define EINFO_EACCES_MAC \ 78 __einfo_uniqify ( EINFO_EACCES, 0x09, "Invalid MAC" ) 79 #define ENOTSUP_TYPE \ 80 __einfo_error ( EINFO_ENOTSUP_TYPE ) 81 #define EINFO_ENOTSUP_TYPE \ 82 __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unrecognised message type" ) 89 #define CMS_DECRYPT_BLKSZ 2048 118 .name =
"authEnveloped",
138 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
142 for ( i = 0 ; i < (
sizeof (
cms_types ) /
147 DBGC ( cms,
"CMS %p contains %sData\n",
153 DBGC ( cms,
"CMS %p is not a recognised message type:\n", cms );
172 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
176 while ( cursor.
len ) {
180 cursor.
len ) ) != 0 ) {
181 DBGC ( cms,
"CMS %p could not append certificate: %s\n",
187 DBGC ( cms,
"CMS %p found certificate %s\n",
215 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
221 DBGC ( cms,
"CMS %p/%p could not locate issuer: %s\n",
226 DBGC ( cms,
"CMS %p/%p issuer is:\n", cms, part );
233 DBGC ( cms,
"CMS %p/%p could not locate serialNumber: %s\n",
238 DBGC ( cms,
"CMS %p/%p serial number is:\n", cms, part );
244 DBGC ( cms,
"CMS %p/%p could not identify certificate\n",
251 DBGC ( cms,
"CMS %p/%p could not append certificate: %s\n",
259 DBGC ( cms,
"CMS %p/%p could not append certificates: %s\n",
283 DBGC ( cms,
"CMS %p/%p could not identify digest algorithm: " 291 DBGC ( cms,
"CMS %p/%p digest algorithm is %s\n",
313 DBGC ( cms,
"CMS %p/%p could not identify public-key " 314 "algorithm: %s\n", cms, part,
strerror (
rc ) );
321 DBGC ( cms,
"CMS %p/%p public-key algorithm is %s\n",
341 &cms->
iv ) ) != 0 ) {
342 DBGC ( cms,
"CMS %p could not identify cipher algorithm: %s\n",
350 DBGC ( cms,
"CMS %p cipher algorithm is %s\n", cms,
algorithm->name );
371 DBGC ( cms,
"CMS %p/%p could not locate value:\n",
376 DBGC ( cms,
"CMS %p/%p value is:\n", cms, part );
397 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
447 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
454 while ( cursor.
len ) {
457 part =
zalloc (
sizeof ( *part ) );
490 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
517 DBGC ( cms,
"CMS %p could not locate mac: %s\n",
522 DBGC ( cms,
"CMS %p mac is:\n", cms );
546 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
586 memcpy ( &cursor,
raw,
sizeof ( cursor ) );
628 memcpy ( &cursor, cms->
raw, sizeof ( cursor ) );
640 if ( (
rc = cms->
type->
parse ( cms, &cursor ) ) != 0 )
682 *cms =
zalloc (
sizeof ( **cms ) );
695 DBGC ( *cms,
"CMS %p could not get raw ASN.1 data: %s\n",
740 if ( frag_len >
sizeof (
block ) )
741 frag_len =
sizeof (
block );
751 DBGC ( cms,
"CMS %p/%p digest value:\n", cms, part );
782 DBGC ( cms,
"CMS %p/%p signature verification failed: %s\n",
813 DBGC ( cms,
"CMS %p/%p could not validate chain: %s\n",
824 DBGC ( cms,
"CMS %p/%p certificate cannot create signatures\n",
831 DBGC ( cms,
"CMS %p/%p certificate is not code-signing\n",
884 DBGC ( cms,
"CMS %p had no signatures matching name " 888 DBGC ( cms,
"CMS %p had no signatures\n", cms );
951 DBGC ( cms,
"CMS %p/%p could not decrypt cipher key: %s\n",
956 DBGC ( cms,
"CMS %p/%p cipher key:\n", cms, part );
961 DBGC ( cms,
"CMS %p could not set cipher key: %s\n",
969 DBGC ( cms,
"CMS %p cipher IV:\n", cms );
992 DBGC ( cms,
"CMS %p had no usable recipients\n", cms );
1024 DBGC ( cms,
"CMS %p invalid empty padding\n", cms );
1035 DBGC ( cms,
"CMS %p invalid padding length %zd\n",
1039 for ( i = 0 ; i <
pad_len ; i++ ) {
1041 DBGC ( cms,
"CMS %p invalid padding\n", cms );
1062 const unsigned int original_flags =
image->
flags;
1081 DBGC ( cms,
"CMS %p invalid length %zd\n", cms,
image->
len );
1117 while ( remaining ) {
1120 frag_len = remaining;
1129 if ( remaining > frag_len )
1133 remaining -= frag_len;
1141 DBGC ( cms,
"CMS %p invalid authentication tag\n", cms );
1192 remaining = (
offset - frag_len );
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
struct x509_chain * certificates
List of all certificates (for signature messages)
size_t blocksize
Block size.
An ASN.1 OID-identified algorithm.
struct asn1_cursor raw
Raw public key information.
struct arbelprm_rc_send_wqe rc
static void digest_update(struct digest_algorithm *digest, void *ctx, const void *data, size_t len)
struct x509_extended_key_usage ext_usage
Extended key usage.
#define EACCES_NO_SIGNATURES
static int pubkey_verify(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, struct digest_algorithm *digest, const void *value, const void *signature, size_t signature_len)
userptr_t data
Raw file image.
struct asn1_cursor value
Signature or key value.
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
#define ASN1_IMPLICIT_TAG(number)
ASN.1 implicit tag.
#define EACCES_WRONG_NAME
static int cms_parse_participants(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message participants information.
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
struct stp_switch root
Root switch.
#define list_add(new, head)
Add a new entry to the head of a list.
unsigned int bits
Usage bits.
uint32_t next
Next descriptor address.
static int cms_parse_digest_algorithm(struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw)
Parse CMS message digest algorithm.
#define ref_init(refcnt, free)
Initialise a reference counter.
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
static int cms_parse_cipher_algorithm(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message cipher algorithm.
static int cms_cipher_key(struct cms_message *cms, struct cms_participant *part, struct private_key *private_key, void *ctx)
Set CMS cipher key.
char * image_strip_suffix(struct image *image)
Strip dot suffix from image name, if present.
int cms_verify(struct cms_message *cms, struct image *image, const char *name, time_t time, struct x509_chain *store, struct x509_root *root)
Verify CMS signature.
struct image_type * type
Image type, if known.
static void digest_final(struct digest_algorithm *digest, void *ctx, void *out)
uint32_t type
Operating system type.
struct x509_issuer issuer
Issuer.
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
static __always_inline void copy_from_user(void *dest, userptr_t src, off_t src_off, size_t len)
Copy data from user buffer.
static struct image * image_get(struct image *image)
Increment reference count on an image.
const void * data
Start of data.
int asn1_digest_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified digest algorithm.
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
#define ENOENT
No such file or directory.
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
static int cms_parse_signed(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS signed data.
struct digest_algorithm * digest
Digest algorithm (for signature messages)
static int cms_parse_value(struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw)
Parse CMS message signature or key value.
int image_asn1(struct image *image, size_t offset, struct asn1_cursor **cursor)
Extract ASN.1 object from image.
static int pubkey_decrypt(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key, const void *data, size_t len, void *out)
struct pubkey_algorithm * pubkey
Public-key algorithm.
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
struct golan_eq_context ctx
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Access to external ("user") memory.
#define ASN1_OID_ENVELOPEDDATA
ASN.1 OID for id-envelopedData (1.2.840.113549.1.7.3)
#define ASN1_SET
ASN.1 set.
Dynamic memory allocation.
size_t len
Length of data.
static struct asn1_cursor * privkey_cursor(struct private_key *key)
Get private key ASN.1 cursor.
#define cipher_encrypt(cipher, ctx, src, dst, len)
size_t authsize
Authentication tag size.
#define list_del(list)
Delete an entry from a list.
size_t blocksize
Block size.
An X.509 certificate chain.
#define ENOMEM
Not enough space.
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
void * memcpy(void *dest, const void *src, size_t len) __nonnull
CMS participant information.
uint32_t userptr_t
A pointer to a user buffer.
#define ASN1_OID_SIGNEDDATA
ASN.1 OID for id-signedData (1.2.840.113549.1.7.2)
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
#define container_of(ptr, type, field)
Get containing structure.
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
#define EACCES_NO_RECIPIENTS
struct cms_type * type
Message type.
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
pseudo_bit_t value[0x00020]
#define CMS_DECRYPT_BLKSZ
Buffer size for decryption.
#define IMAGE_REGISTERED
Image is registered.
uint16_t count
Number of entries.
#define EACCES_NON_SIGNING
int cms_message(struct image *image, struct cms_message **cms)
Create CMS message.
static int cms_parse_enveloped(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS enveloped data.
static struct cms_participant * cms_recipient(struct cms_message *cms, struct private_key *private_key)
Identify CMS recipient corresponding to private key.
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
struct x509_public_key public_key
Public key information.
int x509_validate_chain(struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
Validate X.509 certificate chain.
static void digest_init(struct digest_algorithm *digest, void *ctx)
static void image_untrust(struct image *image)
Set image as untrusted.
int(* parse)(struct cms_message *cms, const struct asn1_cursor *raw)
Parse content.
int register_image(struct image *image)
Register executable image.
int x509_auto_append(struct x509_chain *chain, struct x509_chain *store)
Append X.509 certificates to X.509 certificate chain.
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
char * strerror(int errno)
Retrieve string representation of error number.
static void(* free)(struct refcnt *refcnt))
static int cms_parse(struct cms_message *cms)
Parse CMS message from ASN.1 data.
void * zalloc(size_t size)
Allocate cleared memory.
struct x509_subject subject
Subject.
struct cipher_algorithm * cipher
Cipher algorithm.
size_t len
Length of raw file image.
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
struct x509_certificate * x509_find_issuer_serial(struct x509_chain *store, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
Identify X.509 certificate by issuer and serial number.
int image_set_name(struct image *image, const char *name)
Set image name.
struct asn1_cursor * raw
Raw ASN.1 data.
static __always_inline void copy_to_user(userptr_t dest, off_t dest_off, const void *src, size_t len)
Copy data to user buffer.
static void cipher_setiv(struct cipher_algorithm *cipher, void *ctx, const void *iv, size_t ivlen)
uint64_t serial
Serial number.
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
void(* auth)(void *ctx, void *auth)
Generate authentication tag.
static void image_put(struct image *image)
Decrement reference count on an image.
static int cms_is_signature(struct cms_message *cms)
Check if CMS message is a signature message.
static uint8_t oid_authenvelopeddata[]
"id-authEnvelopedData" object identifier
static struct cms_type cms_types[]
CMS message types.
static int cms_parse_certificates(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message certificate list.
size_t ctxsize
Context size.
#define cipher_decrypt(cipher, ctx, src, dst, len)
#define ASN1_SEQUENCE
ASN.1 sequence.
void * malloc(size_t size)
Allocate memory.
struct cipher_algorithm cipher_null
#define ASN1_INTEGER
ASN.1 integer.
#define EACCES_NON_CODE_SIGNING
An X.509 root certificate list.
u16 algorithm
Authentication algorithm (Open System or Shared Key)
static int cms_parse_encrypted(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message encrypted content information.
static void cms_free(struct refcnt *refcnt)
Free CMS message.
#define INIT_LIST_HEAD(list)
Initialise a list head.
void unregister_image(struct image *image)
Unregister executable image.
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
#define ASN1_OID
ASN.1 object identifier.
static void cms_put(struct cms_message *cms)
Drop reference to CMS message.
static int cms_parse_identifier(struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw)
Parse CMS message participant identifier.
struct list_head participants
List of participant information blocks.
int asn1_skip_if_exists(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object if present.
size_t ctxsize
Context size.
static int cms_cipher(struct cms_message *cms, struct private_key *private_key, void *ctx)
Initialise cipher for CMS decryption.
int asn1_cipher_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm, struct asn1_cursor *params)
Parse ASN.1 OID-identified cipher algorithm.
uint8_t block[3][8]
DES-encrypted blocks.
#define ENOTTY
Inappropriate I/O control operation.
unsigned int bits
Usage bits.
size_t digestsize
Digest size.
static void cms_digest(struct cms_message *cms, struct cms_participant *part, userptr_t data, size_t len, void *out)
Calculate digest of CMS-signed data.
struct list_head list
List of participant information blocks.
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
int asn1_skip(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object.
int cms_decrypt(struct cms_message *cms, struct image *image, const char *name, struct private_key *private_key)
Decrypt CMS message.
static int cms_parse_participant(struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw)
Parse CMS message participant information.
struct x509_chain * chain
Certificate chain.
static int cms_parse_pubkey_algorithm(struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw)
Parse CMS message public-key algorithm.
A message digest algorithm.
struct asn1_cursor iv
Cipher initialization vector.
struct x509_link store
Link in certificate store.
uint8_t data[48]
Additional event data.
#define ASN1_OID_AUTHENVELOPEDDATA
ASN.1 OID for id-authEnvelopedData (1.2.840.113549.1.9.16.1.23)
struct x509_certificate * x509_find_key(struct x509_chain *store, struct private_key *key)
Identify X.509 certificate by corresponding public key.
static int cms_parse_mac(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message MAC.
static uint8_t oid_signeddata[]
"id-signedData" object identifier
static void cipher_auth(struct cipher_algorithm *cipher, void *ctx, void *auth)
uint16_t offset
Offset to command line.
static int cms_verify_signer(struct cms_message *cms, struct cms_participant *part, userptr_t data, size_t len, time_t time, struct x509_chain *store, struct x509_root *root)
Verify CMS message signer.
struct asn1_cursor mac
Cipher authentication tag.
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
static void image_trust(struct image *image)
Set image as trusted.
static int cms_verify_padding(struct cms_message *cms, const void *data, size_t len)
Check CMS padding.
static size_t pubkey_max_len(struct pubkey_algorithm *pubkey, const struct asn1_cursor *key)
struct x509_key_usage usage
Key usage.
int64_t time_t
Seconds since the Epoch.
#define ASN1_OCTET_STRING
ASN.1 octet string.
int memcmp(const void *first, const void *second, size_t len)
Compare memory regions.
Cryptographic Message Syntax (PKCS #7)
#define NULL
NULL pointer (VOID *)
static int cms_verify_digest(struct cms_message *cms, struct cms_participant *part, struct x509_certificate *cert, userptr_t data, size_t len)
Verify digest of CMS-signed data.
struct x509_extensions extensions
Extensions.
static int cipher_setkey(struct cipher_algorithm *cipher, void *ctx, const void *key, size_t keylen)
static uint8_t oid_envelopeddata[]
"id-envelopedData" object identifier
static int cms_parse_content_type(struct cms_message *cms, const struct asn1_cursor *raw)
Parse CMS message content type.
static int is_block_cipher(struct cipher_algorithm *cipher)