9ad87833e30512e68d1177c65d5cfca0c0b80e13
[strongswan.git] / src / libstrongswan / integrity_checker.c
1 /*
2 * Copyright (C) 2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17
18 #include "integrity_checker.h"
19
20 #include <dlfcn.h>
21 #include <link.h>
22 #include <fcntl.h>
23 #include <errno.h>
24 #include <unistd.h>
25 #include <sys/mman.h>
26 #include <sys/stat.h>
27 #include <sys/types.h>
28
29 #include <debug.h>
30 #include <library.h>
31
32 typedef struct private_integrity_checker_t private_integrity_checker_t;
33
34 /**
35 * Private data of an integrity_checker_t object.
36 */
37 struct private_integrity_checker_t {
38
39 /**
40 * Public integrity_checker_t interface.
41 */
42 integrity_checker_t public;
43
44 /**
45 * dlopen handle to checksum library
46 */
47 void *handle;
48
49 /**
50 * checksum array
51 */
52 integrity_checksum_t *checksums;
53
54 /**
55 * number of checksums in array
56 */
57 int checksum_count;
58 };
59
60 /**
61 * Implementation of integrity_checker_t.build_file
62 */
63 static u_int32_t build_file(private_integrity_checker_t *this, char *file)
64 {
65 u_int32_t checksum;
66 chunk_t contents;
67 struct stat sb;
68 void *addr;
69 int fd;
70
71 fd = open(file, O_RDONLY);
72 if (fd == -1)
73 {
74 DBG1("opening '%s' failed: %s", file, strerror(errno));
75 return 0;
76 }
77
78 if (fstat(fd, &sb) == -1)
79 {
80 DBG1("getting file size of '%s' failed: %s", file, strerror(errno));
81 close(fd);
82 return 0;
83 }
84
85 addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
86 if (addr == MAP_FAILED)
87 {
88 DBG1("mapping '%s' failed: %s", file, strerror(errno));
89 close(fd);
90 return 0;
91 }
92
93 contents = chunk_create(addr, sb.st_size);
94 checksum = chunk_hash(contents);
95
96 munmap(addr, sb.st_size);
97 close(fd);
98
99 return checksum;
100 }
101
102 /**
103 * dl_iterate_phdr callback function
104 */
105 static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
106 {
107 if (dli->dli_fbase == (void*)dlpi->dlpi_addr)
108 {
109 int i;
110
111 for (i = 0; i < dlpi->dlpi_phnum; i++)
112 {
113 const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
114
115 /* we are interested in the executable LOAD segment */
116 if (sgmt->p_type == PT_LOAD &&
117 (sgmt->p_flags & (PF_X | PF_R)))
118 {
119 /* safe begin of segment in dli_fbase */
120 dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
121 /* safe end of segment in dli_saddr */
122 dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
123 return 1;
124 }
125 }
126 }
127 return 0;
128 }
129
130 /**
131 * Implementation of integrity_checker_t.build_segment
132 */
133 static u_int32_t build_segment(private_integrity_checker_t *this, void *sym)
134 {
135 chunk_t segment;
136 Dl_info dli;
137
138 if (dladdr(sym, &dli) == 0)
139 {
140 DBG1("unable to locate symbol: %s", dlerror());
141 return 0;
142 }
143 /* we reuse the Dl_info struct as in/out parameter */
144 if (!dl_iterate_phdr((void*)callback, &dli))
145 {
146 DBG1("executable section not found");
147 return 0;
148 }
149
150 segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
151 return chunk_hash(segment);
152 }
153
154 /**
155 * Find a checksum by its name
156 */
157 static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
158 char *name)
159 {
160 int i;
161
162 for (i = 0; i < this->checksum_count; i++)
163 {
164 if (streq(this->checksums[i].name, name))
165 {
166 return &this->checksums[i];
167 }
168 }
169 return NULL;
170 }
171
172 /**
173 * Implementation of integrity_checker_t.check_file
174 */
175 static bool check_file(private_integrity_checker_t *this,
176 char *name, char *file)
177 {
178 integrity_checksum_t *cs;
179 u_int32_t sum;
180
181 cs = find_checksum(this, name);
182 if (!cs)
183 {
184 DBG1(" '%s' file checksum not found", name);
185 return FALSE;
186 }
187 sum = build_file(this, file);
188 if (!sum || cs->file != sum)
189 {
190 DBG1(" invalid '%s' file checksum: %08x, expected %08x",
191 name, sum, cs->file);
192 return FALSE;
193 }
194 DBG2(" valid '%s' file checksum: %08x", name, sum);
195 return TRUE;
196 }
197
198 /**
199 * Implementation of integrity_checker_t.check_segment
200 */
201 static bool check_segment(private_integrity_checker_t *this,
202 char *name, void *sym)
203 {
204 integrity_checksum_t *cs;
205 u_int32_t sum;
206
207 cs = find_checksum(this, name);
208 if (!cs)
209 {
210 DBG1(" '%s' segment checksum not found", name);
211 return FALSE;
212 }
213 sum = build_segment(this, sym);
214 if (!sum || cs->segment != sum)
215 {
216 DBG1(" invalid '%s' segment checksum: %08x, expected %08x",
217 name, sum, cs->segment);
218 return FALSE;
219 }
220 DBG2(" valid '%s' segment checksum: %08x", name, sum);
221 return TRUE;
222 }
223
224 /**
225 * Implementation of integrity_checker_t.check
226 */
227 static bool check(private_integrity_checker_t *this, char *name, void *sym)
228 {
229 Dl_info dli;
230
231 if (dladdr(sym, &dli) == 0)
232 {
233 DBG1("unable to locate symbol: %s", dlerror());
234 return FALSE;
235 }
236 if (!check_file(this, name, (char*)dli.dli_fname))
237 {
238 return FALSE;
239 }
240 if (!check_segment(this, name, sym))
241 {
242 return FALSE;
243 }
244 return TRUE;
245 }
246
247 /**
248 * Implementation of integrity_checker_t.destroy.
249 */
250 static void destroy(private_integrity_checker_t *this)
251 {
252 if (this->handle)
253 {
254 dlclose(this->handle);
255 }
256 free(this);
257 }
258
259 /**
260 * See header
261 */
262 integrity_checker_t *integrity_checker_create(char *checksum_library)
263 {
264 private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
265
266 this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
267 this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file))build_file;
268 this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
269 this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym))build_segment;
270 this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
271 this->public.destroy = (void(*)(integrity_checker_t*))destroy;
272
273 this->checksum_count = 0;
274 this->handle = NULL;
275 if (checksum_library)
276 {
277 this->handle = dlopen(checksum_library, RTLD_LAZY);
278 if (this->handle)
279 {
280 int *checksum_count;
281
282 this->checksums = dlsym(this->handle, "checksums");
283 checksum_count = dlsym(this->handle, "checksum_count");
284 if (this->checksums && checksum_count)
285 {
286 this->checksum_count = *checksum_count;
287 }
288 else
289 {
290 DBG1("checksum library '%s' invalid", checksum_library);
291 }
292 }
293 else
294 {
295 DBG1("loading checksum library '%s' failed", checksum_library);
296 }
297 }
298 return &this->public;
299 }
300