Exemplo n.º 1
0
void ERR_load_crypto_strings(void)
{
#ifndef OPENSSL_NO_ERR
    ERR_load_ERR_strings();     /* include error strings for SYSerr */
    ERR_load_BN_strings();
# ifndef OPENSSL_NO_RSA
    ERR_load_RSA_strings();
# endif
# ifndef OPENSSL_NO_DH
    ERR_load_DH_strings();
# endif
    ERR_load_EVP_strings();
    ERR_load_BUF_strings();
    ERR_load_OBJ_strings();
    ERR_load_PEM_strings();
# ifndef OPENSSL_NO_DSA
    ERR_load_DSA_strings();
# endif
    ERR_load_X509_strings();
    ERR_load_ASN1_strings();
    ERR_load_CONF_strings();
    ERR_load_CRYPTO_strings();
# ifndef OPENSSL_NO_COMP
    ERR_load_COMP_strings();
# endif
# ifndef OPENSSL_NO_EC
    ERR_load_EC_strings();
# endif
# ifndef OPENSSL_NO_ECDSA
    ERR_load_ECDSA_strings();
# endif
# ifndef OPENSSL_NO_ECDH
    ERR_load_ECDH_strings();
# endif
    /* skip ERR_load_SSL_strings() because it is not in this library */
    ERR_load_BIO_strings();
    ERR_load_PKCS7_strings();
    ERR_load_X509V3_strings();
    ERR_load_PKCS12_strings();
    ERR_load_RAND_strings();
    ERR_load_DSO_strings();
   // ERR_load_TS_strings();
# ifndef OPENSSL_NO_ENGINE
    ERR_load_ENGINE_strings();
# endif
    ERR_load_OCSP_strings();
    ERR_load_UI_strings();
# ifdef OPENSSL_FIPS
    ERR_load_FIPS_strings();
# endif
/*
# ifndef OPENSSL_NO_CMS
    ERR_load_CMS_strings();
# endif
*/
# ifndef OPENSSL_NO_JPAKE
    ERR_load_JPAKE_strings();
# endif
#endif
}
Exemplo n.º 2
0
void err_load_crypto_strings_intern(void)
{
#ifdef OPENSSL_FIPS
    FIPS_set_error_callbacks(ERR_put_error, ERR_add_error_vdata);
#endif
#ifndef OPENSSL_NO_ERR
    ERR_load_ERR_strings();     /* include error strings for SYSerr */
    ERR_load_BN_strings();
# ifndef OPENSSL_NO_RSA
    ERR_load_RSA_strings();
# endif
# ifndef OPENSSL_NO_DH
    ERR_load_DH_strings();
# endif
    ERR_load_EVP_strings();
    ERR_load_BUF_strings();
    ERR_load_OBJ_strings();
    ERR_load_PEM_strings();
# ifndef OPENSSL_NO_DSA
    ERR_load_DSA_strings();
# endif
    ERR_load_X509_strings();
    ERR_load_ASN1_strings();
    ERR_load_CONF_strings();
    ERR_load_CRYPTO_strings();
# ifndef OPENSSL_NO_COMP
    ERR_load_COMP_strings();
# endif
# ifndef OPENSSL_NO_EC
    ERR_load_EC_strings();
# endif
    /* skip ERR_load_SSL_strings() because it is not in this library */
    ERR_load_BIO_strings();
    ERR_load_PKCS7_strings();
    ERR_load_X509V3_strings();
    ERR_load_PKCS12_strings();
    ERR_load_RAND_strings();
    ERR_load_DSO_strings();
# ifndef OPENSSL_NO_TS
    ERR_load_TS_strings();
# endif
# ifndef OPENSSL_NO_ENGINE
    ERR_load_ENGINE_strings();
# endif
    ERR_load_OCSP_strings();
    ERR_load_UI_strings();
# ifdef OPENSSL_FIPS
    ERR_load_FIPS_strings();
# endif
# ifndef OPENSSL_NO_CMS
    ERR_load_CMS_strings();
# endif
# ifndef OPENSSL_NO_CT
    ERR_load_CT_strings();
# endif
    ERR_load_ASYNC_strings();
#endif
    ERR_load_KDF_strings();
}
Exemplo n.º 3
0
void ERR_load_crypto_strings(void)
  {
  static int done=0;

  if (done) return;
  done=1;
#ifndef OPENSSL_NO_ERR
  ERR_load_ERR_strings(); /* include error strings for SYSerr */
  ERR_load_BN_strings();
#ifndef OPENSSL_NO_RSA
  ERR_load_RSA_strings();
#endif
#ifndef OPENSSL_NO_DH
  ERR_load_DH_strings();
#endif
  ERR_load_EVP_strings();
  ERR_load_BUF_strings();
  ERR_load_OBJ_strings();
  ERR_load_PEM_strings();
#ifndef OPENSSL_NO_DSA
  ERR_load_DSA_strings();
#endif
  ERR_load_X509_strings();
  ERR_load_ASN1_strings();
  ERR_load_CONF_strings();
  ERR_load_CRYPTO_strings();
#ifndef OPENSSL_NO_EC
  ERR_load_EC_strings();
#endif
#ifndef OPENSSL_NO_ECDSA
  ERR_load_ECDSA_strings();
#endif
#ifndef OPENSSL_NO_ECDH
  ERR_load_ECDH_strings();
#endif
  /* skip ERR_load_SSL_strings() because it is not in this library */
  ERR_load_BIO_strings();
  ERR_load_PKCS7_strings();  
  ERR_load_X509V3_strings();
  ERR_load_PKCS12_strings();
  ERR_load_RAND_strings();
  ERR_load_DSO_strings();
#ifndef OPENSSL_NO_ENGINE
  ERR_load_ENGINE_strings();
#endif
  ERR_load_OCSP_strings();
  ERR_load_UI_strings();
#endif
  }
Exemplo n.º 4
0
/* This function must be called before trying to sign any file.
 * It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
 * If this function fails it may be because the certificate cannot
 * be validated.
 *
 * returns: true if can initialize and validate certificates, otherwise false */
bool initialize_signature(void)
{
	int ret = -1;
	time_t mod_sec = 0;
	struct tm *alttime;
	struct stat statt;

	string_or_die(&CERTNAME, "%s/%s", cert_path, SWUPDCERT);

	ERR_load_crypto_strings();
	ERR_load_PKCS7_strings();
	EVP_add_digest(EVP_sha256());

	if (!get_pubkey()) {
		goto fail;
	}

	ret = validate_certificate();
	if (ret) {
		printf("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
		if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
			/* If we can retrieve an approx. good system time, report out to user */
			if (stat("/usr/lib/os-release", &statt) != -1) {
				mod_sec = statt.st_mtim.tv_sec;
				char timebuf[30];
				alttime = localtime(&mod_sec);
				strftime(timebuf, sizeof(timebuf), "%F", alttime);
				printf("System clock should be at least %s\n", timebuf);
			}
		}
		goto fail;
	}

	/* Push our trust cert(s) to the stack, which is a set of certificates
	 * in which to search for the signer's cert. */
	x509_stack = sk_X509_new_null();
	if (!x509_stack) {
		goto fail;
	}
	sk_X509_push(x509_stack, cert);

	return true;
fail:
	return false;
}
Exemplo n.º 5
0
/* This function must be called before trying to sign any file.
 * It loads string for errors, and ciphers are auto-loaded by OpenSSL now.
 * If this function fails it may be because the certificate cannot
 * be validated.
 *
 * returns: true if can initialize and validate certificates, otherwise false */
bool signature_init(const char *certificate_path, const char *crl)
{
	int ret = -1;
	X509 *cert;

	if (!certificate_path) {
		error("Invalid swupd certificate - Empty");
		return false;
	}

	ERR_load_crypto_strings();
	ERR_load_PKCS7_strings();
	EVP_add_digest(EVP_sha256());

	cert = get_cert_from_path(certificate_path);
	if (!cert) {
		goto fail;
	}

	ret = validate_certificate(cert, certificate_path, crl);
	if (ret) {
		if (ret == X509_V_ERR_CERT_NOT_YET_VALID) {
			BIO *b;
			time_t currtime = 0;
			struct tm *timeinfo;
			char time_str[50];

			/* The system time wasn't sane, print out what it is and the cert validity range */
			time(&currtime);
			timeinfo = localtime(&currtime);

			strftime(time_str, sizeof(time_str), "%a %b %d %H:%M:%S %Y", timeinfo);
			warn("Current time is %s\n", time_str);
			info("Certificate validity is:\n");
			b = BIO_new_fp(stdout, BIO_NOCLOSE);
			if (b == NULL) {
				error("Failed to create BIO wrapping stream\n");
				goto fail;
			}
			/* The ASN1_TIME_print function does not include a newline... */
			if (!ASN1_TIME_print(b, X509_get_notBefore(cert))) {
				info("\n");
				error("Failed to get certificate begin date\n");
				goto fail;
			}
			info("\n");
			if (!ASN1_TIME_print(b, X509_get_notAfter(cert))) {
				info("\n");
				error("Failed to get certificate expiration date\n");
				goto fail;
			}
			info("\n");
			BIO_free(b);
		}
		goto fail;
	}

	/* Push our trust cert(s) to the stack, which is a set of certificates
	 * in which to search for the signer's cert. */
	x509_stack = sk_X509_new_null();
	if (!x509_stack) {
		goto fail;
	}
	sk_X509_push(x509_stack, cert);

	return true;
fail:
	error("Failed to verify certificate: %s\n", X509_verify_cert_error_string(ret));
	return false;
}
Exemplo n.º 6
0
int err_load_crypto_strings_int(void)
{
    if (
#ifndef OPENSSL_NO_ERR
        ERR_load_ERR_strings() == 0 ||    /* include error strings for SYSerr */
        ERR_load_BN_strings() == 0 ||
# ifndef OPENSSL_NO_RSA
        ERR_load_RSA_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_DH
        ERR_load_DH_strings() == 0 ||
# endif
        ERR_load_EVP_strings() == 0 ||
        ERR_load_BUF_strings() == 0 ||
        ERR_load_OBJ_strings() == 0 ||
        ERR_load_PEM_strings() == 0 ||
# ifndef OPENSSL_NO_DSA
        ERR_load_DSA_strings() == 0 ||
# endif
        ERR_load_X509_strings() == 0 ||
        ERR_load_ASN1_strings() == 0 ||
        ERR_load_CONF_strings() == 0 ||
        ERR_load_CRYPTO_strings() == 0 ||
# ifndef OPENSSL_NO_COMP
        ERR_load_COMP_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_EC
        ERR_load_EC_strings() == 0 ||
# endif
        /* skip ERR_load_SSL_strings() because it is not in this library */
        ERR_load_BIO_strings() == 0 ||
        ERR_load_PKCS7_strings() == 0 ||
        ERR_load_X509V3_strings() == 0 ||
        ERR_load_PKCS12_strings() == 0 ||
        ERR_load_RAND_strings() == 0 ||
        ERR_load_DSO_strings() == 0 ||
# ifndef OPENSSL_NO_TS
        ERR_load_TS_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_ENGINE
        ERR_load_ENGINE_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_OCSP
        ERR_load_OCSP_strings() == 0 ||
# endif
#ifndef OPENSSL_NO_UI
        ERR_load_UI_strings() == 0 ||
#endif
# ifndef OPENSSL_NO_CMS
        ERR_load_CMS_strings() == 0 ||
# endif
# ifndef OPENSSL_NO_CT
        ERR_load_CT_strings() == 0 ||
# endif
        ERR_load_ASYNC_strings() == 0 ||
#endif
        ERR_load_KDF_strings() == 0 ||
        ERR_load_OSSL_STORE_strings() == 0)
        return 0;

    return 1;
}
Exemplo n.º 7
0
int
main(int argc, char *argv[])
{
	if (argc < 3) {
		fprintf(stderr, "usage: verify foo.efi cert0 [... certN]\n");
		exit(1);
	}

	OpenSSL_add_all_algorithms();
	ERR_load_PKCS7_strings();
	ERR_load_crypto_strings();

	int binfd = open(argv[1], O_RDONLY);
	if (binfd < 0)
		err(1, "verify: %s", argv[1]);

	struct stat sb;
	fstat(binfd, &sb);
	void *bin = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, binfd, 0);
	size_t bin_size = sb.st_size;

	PE_COFF_LOADER_IMAGE_CONTEXT context;
	int rc = read_header(bin, sb.st_size, &context);
	if (rc < 0) {
		fprintf(stderr, "read_header(): %m\n");
		exit(1);
	}

	UINT8 sha256hash[32];
	rc = generate_hash(bin, sb.st_size, &context, sha256hash);
	if (rc < 0) {
		fprintf(stderr, "you can't handle a hash\n");
		exit(1);
	}

	WIN_CERTIFICATE_EFI_PKCS *efi_pkcs = NULL;

	if (context.SecDir->Size != 0) {
		efi_pkcs = ImageAddress(bin, bin_size,
				context.SecDir->VirtualAddress);
		if (!efi_pkcs) {
			fprintf(stderr, "signature is at invalid "
					"offset\n");
			exit(1);
		}
	}


	int found = 0;
	for (int i = 2; argv[i] != NULL; i++) {
		int fd = open(argv[i], O_RDONLY);
		if (fd < 0)
			err(1, "verify: %s", argv[i]);
		printf("adding cert from \"%s\"\n", argv[i]);

		uint8_t *cert;
		struct stat sb;

		fstat(fd, &sb);
		cert = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
		size_t cert_size = sb.st_size;
		
		rc = AuthenticodeVerify((UINT8 *)&efi_pkcs->CertData,
				efi_pkcs->Hdr.dwLength - sizeof(efi_pkcs->Hdr),
				cert, cert_size,
				sha256hash, 32);
		if (rc == 1) {
			found = 1;
			break;
		}

		char errbuf[120];
		unsigned long err = ERR_get_error();
		ERR_error_string(err, errbuf);
		printf("%s\n", errbuf);

		munmap(cert, sb.st_size);
		close(fd);
	}

	if (!found) {
		fprintf(stderr, "verify failed!\n");
		exit(1);
	}
	printf("Image verifies correctly\n");

	return 0;
}