src/libstrongswan/integrity_checker.c

   1 /*
   2  * Copyright (C) 2009 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 #define _GNU_SOURCE
  17
  18 #include "integrity_checker.h"
  19
  20 #include <dlfcn.h>
  21 #include <link.h>
  22 #include <fcntl.h>
  23 #include <errno.h>
  24 #include <unistd.h>
  25 #include <sys/mman.h>
  26 #include <sys/stat.h>
  27 #include <sys/types.h>
  28
  29 #include <debug.h>
  30 #include <library.h>
  31
  32 typedef struct private_integrity_checker_t private_integrity_checker_t;
  33
  34 /**
  35  * Private data of an integrity_checker_t object.
  36  */
  37 struct private_integrity_checker_t {
  38
  39         /**
  40          * Public integrity_checker_t interface.
  41          */
  42         integrity_checker_t public;
  43
  44         /**
  45          * dlopen handle to checksum library
  46          */
  47         void *handle;
  48
  49         /**
  50          * checksum array
  51          */
  52         integrity_checksum_t *checksums;
  53
  54         /**
  55          * number of checksums in array
  56          */
  57         int checksum_count;
  58 };
  59
  60 /**
  61  * Implementation of integrity_checker_t.build_file
  62  */
  63 static u_int32_t build_file(private_integrity_checker_t *this, char *file)
  64 {
  65         u_int32_t checksum;
  66         chunk_t contents;
  67         struct stat sb;
  68         void *addr;
  69         int fd;
  70
  71         fd = open(file, O_RDONLY);
  72         if (fd == -1)
  73         {
  74                 DBG1("opening '%s' failed: %s", file, strerror(errno));
  75                 return 0;
  76         }
  77
  78         if (fstat(fd, &sb) == -1)
  79         {
  80                 DBG1("getting file size of '%s' failed: %s", file, strerror(errno));
  81                 close(fd);
  82                 return 0;
  83         }
  84
  85         addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
  86         if (addr == MAP_FAILED)
  87         {
  88                 DBG1("mapping '%s' failed: %s", file, strerror(errno));
  89                 close(fd);
  90                 return 0;
  91         }
  92
  93         contents = chunk_create(addr, sb.st_size);
  94         checksum = chunk_hash(contents);
  95
  96         munmap(addr, sb.st_size);
  97         close(fd);
  98
  99         return checksum;
 100 }
 101
 102 /**
 103  * dl_iterate_phdr callback function
 104  */
 105 static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
 106 {
 107         if (dli->dli_fbase == (void*)dlpi->dlpi_addr)
 108         {
 109                 int i;
 110
 111                 for (i = 0; i < dlpi->dlpi_phnum; i++)
 112                 {
 113                         const Elf32_Phdr *sgmt = &dlpi->dlpi_phdr[i];
 114
 115                         /* we are interested in the executable LOAD segment */
 116                         if (sgmt->p_type == PT_LOAD &&
 117                                 (sgmt->p_flags & (PF_X | PF_R)))
 118                         {
 119                                 /* safe begin of segment in dli_fbase */
 120                                 dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
 121                                 /* safe end of segment in dli_saddr */
 122                                 dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
 123                                 return 1;
 124                         }
 125                 }
 126         }
 127         return 0;
 128 }
 129
 130 /**
 131  * Implementation of integrity_checker_t.build_segment
 132  */
 133 static u_int32_t build_segment(private_integrity_checker_t *this, void *sym)
 134 {
 135         chunk_t segment;
 136         Dl_info dli;
 137
 138         if (dladdr(sym, &dli) == 0)
 139         {
 140                 DBG1("unable to locate symbol: %s", strerror(errno));
 141                 return 0;
 142         }
 143         /* we reuse the Dl_info struct as in/out parameter */
 144         if (!dl_iterate_phdr((void*)callback, &dli))
 145         {
 146                 DBG1("executable section not found");
 147                 return 0;
 148         }
 149
 150         segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
 151         return chunk_hash(segment);
 152 }
 153
 154 /**
 155  * Find a checksum by its name
 156  */
 157 static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
 158                                                                                    char *name)
 159 {
 160         int i;
 161
 162         for (i = 0; i < this->checksum_count; i++)
 163         {
 164                 if (streq(this->checksums[i].name, name))
 165                 {
 166                         return &this->checksums[i];
 167                 }
 168         }
 169         DBG1("no checksum found for %s", name);
 170         return NULL;
 171 }
 172
 173 /**
 174  * Implementation of integrity_checker_t.check_file
 175  */
 176 static bool check_file(private_integrity_checker_t *this,
 177                                            char *name, char *file)
 178 {
 179         integrity_checksum_t *cs;
 180         u_int32_t sum;
 181
 182         cs = find_checksum(this, name);
 183         if (!cs)
 184         {
 185                 return FALSE;
 186         }
 187         sum = build_file(this, file);
 188         if (!sum || cs->file != sum)
 189         {
 190                 DBG1("file checksum %s of '%s' invalid (got %08x, expected %08x)",
 191                          name, file, sum, cs->file);
 192                 return FALSE;
 193         }
 194         DBG2("file checksum %s tested successfully", name);
 195         return TRUE;
 196 }
 197
 198 /**
 199  * Implementation of integrity_checker_t.check_segment
 200  */
 201 static bool check_segment(private_integrity_checker_t *this,
 202                                                   char *name, void *sym)
 203 {
 204         integrity_checksum_t *cs;
 205         u_int32_t sum;
 206
 207         cs = find_checksum(this, name);
 208         if (!cs)
 209         {
 210                 return FALSE;
 211         }
 212         sum = build_segment(this, sym);
 213         if (!sum || cs->segment != sum)
 214         {
 215                 DBG1("segment checksum %s invalid (got %08x, expected %08x)",
 216                          name, sum, cs->segment);
 217                 return FALSE;
 218         }
 219         DBG2("segment checksum %s tested successfully", name);
 220         return TRUE;
 221 }
 222
 223 /**
 224  * Implementation of integrity_checker_t.destroy.
 225  */
 226 static void destroy(private_integrity_checker_t *this)
 227 {
 228         if (this->handle)
 229         {
 230                 dlclose(this->handle);
 231         }
 232         free(this);
 233 }
 234
 235 /**
 236  * See header
 237  */
 238 integrity_checker_t *integrity_checker_create(char *checksum_library)
 239 {
 240         private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
 241
 242         this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
 243         this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file))build_file;
 244         this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
 245         this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym))build_segment;
 246         this->public.destroy = (void(*)(integrity_checker_t*))destroy;
 247
 248         this->checksum_count = 0;
 249         this->handle = NULL;
 250         if (checksum_library)
 251         {
 252                 this->handle = dlopen(checksum_library, RTLD_LAZY);
 253                 if (this->handle)
 254                 {
 255                         int *checksum_count;
 256
 257                         this->checksums = dlsym(this->handle, "checksums");
 258                         checksum_count = dlsym(this->handle, "checksum_count");
 259                         if (this->checksums && checksum_count)
 260                         {
 261                                 this->checksum_count = *checksum_count;
 262                         }
 263                         else
 264                         {
 265                                 DBG1("checksum library '%s' invalid", checksum_library);
 266                         }
 267                 }
 268                 else
 269                 {
 270                         DBG1("loading checksum library '%s' failed", checksum_library);
 271                 }
 272         }
 273         return &this->public;
 274 }
 275