6a402b358dc4a480754e77fb96eebf837295f7e6
[strongswan.git] / src / libstrongswan / integrity_checker.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17
18 #include "integrity_checker.h"
19
20 #include <dlfcn.h>
21 #include <link.h>
22 #include <fcntl.h>
23 #include <errno.h>
24 #include <unistd.h>
25 #include <sys/mman.h>
26 #include <sys/stat.h>
27 #include <sys/types.h>
28
29 #include <debug.h>
30 #include <library.h>
31
32 typedef struct private_integrity_checker_t private_integrity_checker_t;
33
34 /**
35 * Private data of an integrity_checker_t object.
36 */
37 struct private_integrity_checker_t {
38
39 /**
40 * Public integrity_checker_t interface.
41 */
42 integrity_checker_t public;
43
44 /**
45 * dlopen handle to checksum library
46 */
47 void *handle;
48
49 /**
50 * checksum array
51 */
52 integrity_checksum_t *checksums;
53
54 /**
55 * number of checksums in array
56 */
57 int checksum_count;
58 };
59
60 /**
61 * Implementation of integrity_checker_t.build_file
62 */
63 static u_int32_t build_file(private_integrity_checker_t *this, char *file)
64 {
65 u_int32_t checksum;
66 chunk_t contents;
67 struct stat sb;
68 void *addr;
69 int fd;
70
71 fd = open(file, O_RDONLY);
72 if (fd == -1)
73 {
74 DBG1("opening '%s' failed: %s", file, strerror(errno));
75 return 0;
76 }
77
78 if (fstat(fd, &sb) == -1)
79 {
80 DBG1("getting file size of '%s' failed: %s", file, strerror(errno));
81 close(fd);
82 return 0;
83 }
84
85 addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
86 if (addr == MAP_FAILED)
87 {
88 DBG1("mapping '%s' failed: %s", file, strerror(errno));
89 close(fd);
90 return 0;
91 }
92
93 contents = chunk_create(addr, sb.st_size);
94 checksum = chunk_hash(contents);
95
96 munmap(addr, sb.st_size);
97 close(fd);
98
99 return checksum;
100 }
101
102 /**
103 * dl_iterate_phdr callback function
104 */
105 static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
106 {
107 if (dli->dli_fbase == (void*)dlpi->dlpi_addr)
108 {
109 int i;
110
111 for (i = 0; i < dlpi->dlpi_phnum; i++)
112 {
113 const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
114
115 /* we are interested in the executable LOAD segment */
116 if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
117 {
118 /* safe begin of segment in dli_fbase */
119 dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
120 /* safe end of segment in dli_saddr */
121 dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
122 return 1;
123 }
124 }
125 }
126 return 0;
127 }
128
129 /**
130 * Implementation of integrity_checker_t.build_segment
131 */
132 static u_int32_t build_segment(private_integrity_checker_t *this, void *sym)
133 {
134 chunk_t segment;
135 Dl_info dli;
136
137 if (dladdr(sym, &dli) == 0)
138 {
139 DBG1("unable to locate symbol: %s", dlerror());
140 return 0;
141 }
142 /* we reuse the Dl_info struct as in/out parameter */
143 if (!dl_iterate_phdr((void*)callback, &dli))
144 {
145 DBG1("executable section not found");
146 return 0;
147 }
148
149 segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
150 return chunk_hash(segment);
151 }
152
153 /**
154 * Find a checksum by its name
155 */
156 static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
157 char *name)
158 {
159 int i;
160
161 for (i = 0; i < this->checksum_count; i++)
162 {
163 if (streq(this->checksums[i].name, name))
164 {
165 return &this->checksums[i];
166 }
167 }
168 return NULL;
169 }
170
171 /**
172 * Implementation of integrity_checker_t.check_file
173 */
174 static bool check_file(private_integrity_checker_t *this,
175 char *name, char *file)
176 {
177 integrity_checksum_t *cs;
178 u_int32_t sum;
179
180 cs = find_checksum(this, name);
181 if (!cs)
182 {
183 DBG1(" '%s' file checksum not found", name);
184 return FALSE;
185 }
186 sum = build_file(this, file);
187 if (!sum || cs->file != sum)
188 {
189 DBG1(" invalid '%s' file checksum: %08x, expected %08x",
190 name, sum, cs->file);
191 return FALSE;
192 }
193 DBG2(" valid '%s' file checksum: %08x", name, sum);
194 return TRUE;
195 }
196
197 /**
198 * Implementation of integrity_checker_t.check_segment
199 */
200 static bool check_segment(private_integrity_checker_t *this,
201 char *name, void *sym)
202 {
203 integrity_checksum_t *cs;
204 u_int32_t sum;
205
206 cs = find_checksum(this, name);
207 if (!cs)
208 {
209 DBG1(" '%s' segment checksum not found", name);
210 return FALSE;
211 }
212 sum = build_segment(this, sym);
213 if (!sum || cs->segment != sum)
214 {
215 DBG1(" invalid '%s' segment checksum: %08x, expected %08x",
216 name, sum, cs->segment);
217 return FALSE;
218 }
219 DBG2(" valid '%s' segment checksum: %08x", name, sum);
220 return TRUE;
221 }
222
223 /**
224 * Implementation of integrity_checker_t.check
225 */
226 static bool check(private_integrity_checker_t *this, char *name, void *sym)
227 {
228 Dl_info dli;
229
230 if (dladdr(sym, &dli) == 0)
231 {
232 DBG1("unable to locate symbol: %s", dlerror());
233 return FALSE;
234 }
235 if (!check_file(this, name, (char*)dli.dli_fname))
236 {
237 return FALSE;
238 }
239 if (!check_segment(this, name, sym))
240 {
241 return FALSE;
242 }
243 return TRUE;
244 }
245
246 /**
247 * Implementation of integrity_checker_t.destroy.
248 */
249 static void destroy(private_integrity_checker_t *this)
250 {
251 if (this->handle)
252 {
253 dlclose(this->handle);
254 }
255 free(this);
256 }
257
258 /**
259 * See header
260 */
261 integrity_checker_t *integrity_checker_create(char *checksum_library)
262 {
263 private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
264
265 this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
266 this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file))build_file;
267 this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
268 this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym))build_segment;
269 this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
270 this->public.destroy = (void(*)(integrity_checker_t*))destroy;
271
272 this->checksum_count = 0;
273 this->handle = NULL;
274 if (checksum_library)
275 {
276 this->handle = dlopen(checksum_library, RTLD_LAZY);
277 if (this->handle)
278 {
279 int *checksum_count;
280
281 this->checksums = dlsym(this->handle, "checksums");
282 checksum_count = dlsym(this->handle, "checksum_count");
283 if (this->checksums && checksum_count)
284 {
285 this->checksum_count = *checksum_count;
286 }
287 else
288 {
289 DBG1("checksum library '%s' invalid", checksum_library);
290 }
291 }
292 else
293 {
294 DBG1("loading checksum library '%s' failed", checksum_library);
295 }
296 }
297 return &this->public;
298 }
299