The Tor Browser: comparison modules/libmar/verify/mar

--1:000000000000
+:12a8752ee1ab
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifdef XP_WIN
+#ifndef WIN32_LEAN_AND_MEAN
+#define WIN32_LEAN_AND_MEAN
+#endif
+#endif
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include "mar_private.h"
+#include "mar.h"
+#include "cryptox.h"
+int mar_extract_and_verify_signatures_fp(FILE *fp,
+CryptoX_ProviderHandle provider,
+CryptoX_PublicKey *keys,
+uint32_t keyCount);
+int mar_verify_signatures_for_fp(FILE *fp,
+CryptoX_ProviderHandle provider,
+CryptoX_PublicKey *keys,
+const uint8_t * const *extractedSignatures,
+uint32_t keyCount,
+uint32_t *numVerified);
+/**
+* Reads the specified number of bytes from the file pointer and
+* stores them in the passed buffer.
+*
+* @param  fp     The file pointer to read from.
+* @param  buffer The buffer to store the read results.
+* @param  size   The number of bytes to read, buffer must be
+*                at least of this size.
+* @param  ctxs   Pointer to the first element in an array of verify context.
+* @param  count  The number of elements in ctxs
+* @param  err    The name of what is being written to in case of error.
+* @return  0 on success
+*         -1 on read error
+*         -2 on verify update error
+*/
+int
+ReadAndUpdateVerifyContext(FILE *fp,
+void *buffer,
+uint32_t size,
+CryptoX_SignatureHandle *ctxs,
+uint32_t count,
+const char *err)
+{
+uint32_t k;
+if (!fp || !buffer || !ctxs || count == 0 || !err) {
+fprintf(stderr, "ERROR: Invalid parameter specified.\n");
+return CryptoX_Error;
+}
+if (!size) {
+return CryptoX_Success;
+}
+if (fread(buffer, size, 1, fp) != 1) {
+fprintf(stderr, "ERROR: Could not read %s\n", err);
+return CryptoX_Error;
+}
+for (k = 0; k < count; k++) {
+if (CryptoX_Failed(CryptoX_VerifyUpdate(&ctxs[k], buffer, size))) {
+fprintf(stderr, "ERROR: Could not update verify context for %s\n", err);
+return -2;
+}
+}
+return CryptoX_Success;
+}
+/**
+* Verifies a MAR file by verifying each signature with the corresponding
+* certificate. That is, the first signature will be verified using the first
+* certificate given, the second signature will be verified using the second
+* certificate given, etc. The signature count must exactly match the number of
+* certificates given, and all signature verifications must succeed.
+* This is only used by the signmar program when used with arguments to verify
+* a MAR. This should not be used to verify a MAR that will be extracted in the
+* same operation by updater code. This function prints the error message if
+* verification fails.
+*
+* @param pathToMARFile The path of the MAR file to verify.
+* @param certData      Pointer to the first element in an array of certificate
+*                      file data.
+* @param certDataSizes Pointer to the first element in an array for size of the
+*                      cert data.
+* @param certNames     Pointer to the first element in an array of certificate names.
+*                      Used only if compiled as NSS, specifies the certificate names
+* @param certCount     The number of elements in certData, certDataSizes, and certNames
+* @return 0 on success
+*         a negative number if there was an error
+*         a positive number if the signature does not verify
+*/
+int
+mar_verify_signatures(const char *pathToMARFile,
+const uint8_t * const *certData,
+const uint32_t *certDataSizes,
+const char * const *certNames,
+uint32_t certCount) {
+int rv;
+CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
+CryptoX_Certificate certs[MAX_SIGNATURES];
+CryptoX_PublicKey keys[MAX_SIGNATURES];
+FILE *fp;
+uint32_t k;
+memset(certs, 0, sizeof(certs));
+memset(keys, 0, sizeof(keys));
+if (!pathToMARFile || certCount == 0) {
+fprintf(stderr, "ERROR: Invalid parameter specified.\n");
+return CryptoX_Error;
+}
+fp = fopen(pathToMARFile, "rb");
+if (!fp) {
+fprintf(stderr, "ERROR: Could not open MAR file.\n");
+return CryptoX_Error;
+}
+if (CryptoX_Failed(CryptoX_InitCryptoProvider(&provider))) {
+fclose(fp);
+fprintf(stderr, "ERROR: Could not init crytpo library.\n");
+return CryptoX_Error;
+}
+/* Load the certs and keys */
+for (k = 0; k < certCount; k++) {
+if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
+&keys[k], certNames[k], &certs[k]))) {
+fclose(fp);
+fprintf(stderr, "ERROR: Could not load public key.\n");
+return CryptoX_Error;
+}
+}
+rv = mar_extract_and_verify_signatures_fp(fp, provider, keys, certCount);
+fclose(fp);
+/* Cleanup the allocated keys and certs */
+for (k = 0; k < certCount; k++) {
+if (keys[k]) {
+CryptoX_FreePublicKey(&keys[k]);
+}
+if (certs[k]) {
+CryptoX_FreeCertificate(&certs[k]);
+}
+}
+return rv;
+}
+#ifdef XP_WIN
+/**
+* Verifies a MAR file by verifying each signature with the corresponding
+* certificate. That is, the first signature will be verified using the first
+* certificate given, the second signature will be verified using the second
+* certificate given, etc. The signature count must exactly match the number of
+* certificates given, and all signature verifications must succeed.
+*
+* @param  pathToMARFile  The path of the MAR file who's signature
+*                        should be calculated
+* @param  certData       Pointer to the first element in an array of
+*                        certificate data
+* @param  certDataSizes  Pointer to the first element in an array for size of
+*                        the data stored
+* @param  certCount      The number of elements in certData and certDataSizes
+* @return 0 on success
+*/
+int
+mar_verify_signaturesW(MarFile *mar,
+const uint8_t * const *certData,
+const uint32_t *certDataSizes,
+uint32_t certCount) {
+int rv = -1;
+CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue;
+CryptoX_Certificate certs[MAX_SIGNATURES];
+CryptoX_PublicKey keys[MAX_SIGNATURES];
+uint32_t k;
+memset(certs, 0, sizeof(certs));
+memset(keys, 0, sizeof(keys));
+if (!mar || !certData || !certDataSizes || certCount == 0) {
+fprintf(stderr, "ERROR: Invalid parameter specified.\n");
+goto failure;
+}
+if (!mar->fp) {
+fprintf(stderr, "ERROR: MAR file is not open.\n");
+goto failure;
+}
+if (CryptoX_Failed(CryptoX_InitCryptoProvider(&provider))) {
+fprintf(stderr, "ERROR: Could not init crytpo library.\n");
+goto failure;
+}
+for (k = 0; k < certCount; ++k) {
+if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k],
+&keys[k], "", &certs[k]))) {
+fprintf(stderr, "ERROR: Could not load public key.\n");
+goto failure;
+}
+}
+rv = mar_extract_and_verify_signatures_fp(mar->fp, provider, keys, certCount);
+failure:
+for (k = 0; k < certCount; ++k) {
+if (keys[k]) {
+CryptoX_FreePublicKey(&keys[k]);
+}
+if (certs[k]) {
+CryptoX_FreeCertificate(&certs[k]);
+}
+}
+return rv;
+}
+#endif
+/**
+* Extracts each signature from the specified MAR file,
+* then calls mar_verify_signatures_for_fp to verify each signature.
+*
+* @param  fp       An opened MAR file handle
+* @param  provider A library provider
+* @param  keys     The public keys to use to verify the MAR
+* @param  keyCount The number of keys pointed to by keys
+* @return 0 on success
+*/
+int
+mar_extract_and_verify_signatures_fp(FILE *fp,
+CryptoX_ProviderHandle provider,
+CryptoX_PublicKey *keys,
+uint32_t keyCount) {
+char buf[5] = {0};
+uint32_t signatureCount, signatureLen, numVerified = 0;
+uint32_t signatureAlgorithmIDs[MAX_SIGNATURES];
+int rv = -1;
+int64_t curPos;
+uint8_t *extractedSignatures[MAX_SIGNATURES];
+uint32_t i;
+memset(signatureAlgorithmIDs, 0, sizeof(signatureAlgorithmIDs));
+memset(extractedSignatures, 0, sizeof(extractedSignatures));
+if (!fp) {
+fprintf(stderr, "ERROR: Invalid file pointer passed.\n");
+return CryptoX_Error;
+}
+/* To protect against invalid MAR files, we assumes that the MAR file
+size is less than or equal to MAX_SIZE_OF_MAR_FILE. */
+if (fseeko(fp, 0, SEEK_END)) {
+fprintf(stderr, "ERROR: Could not seek to the end of the MAR file.\n");
+return CryptoX_Error;
+}
+if (ftello(fp) > MAX_SIZE_OF_MAR_FILE) {
+fprintf(stderr, "ERROR: MAR file is too large to be verified.\n");
+return CryptoX_Error;
+}
+/* Skip to the start of the signature block */
+if (fseeko(fp, SIGNATURE_BLOCK_OFFSET, SEEK_SET)) {
+fprintf(stderr, "ERROR: Could not seek to the signature block.\n");
+return CryptoX_Error;
+}
+/* Get the number of signatures */
+if (fread(&signatureCount, sizeof(signatureCount), 1, fp) != 1) {
+fprintf(stderr, "ERROR: Could not read number of signatures.\n");
+return CryptoX_Error;
+}
+signatureCount = ntohl(signatureCount);
+/* Check that we have less than the max amount of signatures so we don't
+waste too much of either updater's or signmar's time. */
+if (signatureCount > MAX_SIGNATURES) {
+fprintf(stderr, "ERROR: At most %d signatures can be specified.\n",
+MAX_SIGNATURES);
+return CryptoX_Error;
+}
+for (i = 0; i < signatureCount; i++) {
+/* Get the signature algorithm ID */
+if (fread(&signatureAlgorithmIDs[i], sizeof(uint32_t), 1, fp) != 1) {
+fprintf(stderr, "ERROR: Could not read signatures algorithm ID.\n");
+return CryptoX_Error;
+}
+signatureAlgorithmIDs[i] = ntohl(signatureAlgorithmIDs[i]);
+if (fread(&signatureLen, sizeof(uint32_t), 1, fp) != 1) {
+fprintf(stderr, "ERROR: Could not read signatures length.\n");
+return CryptoX_Error;
+}
+signatureLen = ntohl(signatureLen);
+/* To protected against invalid input make sure the signature length
+isn't too big. */
+if (signatureLen > MAX_SIGNATURE_LENGTH) {
+fprintf(stderr, "ERROR: Signature length is too large to verify.\n");
+return CryptoX_Error;
+}
+extractedSignatures[i] = malloc(signatureLen);
+if (!extractedSignatures[i]) {
+fprintf(stderr, "ERROR: Could allocate buffer for signature.\n");
+return CryptoX_Error;
+}
+if (fread(extractedSignatures[i], signatureLen, 1, fp) != 1) {
+fprintf(stderr, "ERROR: Could not read extracted signature.\n");
+for (i = 0; i < signatureCount; ++i) {
+free(extractedSignatures[i]);
+}
+return CryptoX_Error;
+}
+/* We don't try to verify signatures we don't know about */
+if (signatureAlgorithmIDs[i] != 1) {
+fprintf(stderr, "ERROR: Unknown signature algorithm ID.\n");
+for (i = 0; i < signatureCount; ++i) {
+free(extractedSignatures[i]);
+}
+return CryptoX_Error;
+}
+}
+curPos = ftello(fp);
+rv = mar_verify_signatures_for_fp(fp,
+provider,
+keys,
+(const uint8_t * const *)extractedSignatures,
+signatureCount,
+&numVerified);
+for (i = 0; i < signatureCount; ++i) {
+free(extractedSignatures[i]);
+}
+/* If we reached here and we verified every
+signature, return success. */
+if (numVerified == signatureCount && keyCount == numVerified) {
+return CryptoX_Success;
+}
+if (numVerified == 0) {
+fprintf(stderr, "ERROR: Not all signatures were verified.\n");
+} else {
+fprintf(stderr, "ERROR: Only %d of %d signatures were verified.\n",
+numVerified, signatureCount);
+}
+return CryptoX_Error;
+}
+/**
+* Verifies a MAR file by verifying each signature with the corresponding
+* certificate. That is, the first signature will be verified using the first
+* certificate given, the second signature will be verified using the second
+* certificate given, etc. The signature count must exactly match the number of
+* certificates given, and all signature verifications must succeed.
+*
+* @param  fp                   An opened MAR file handle
+* @param  provider             A library provider
+* @param  keys                 A pointer to the first element in an
+*                              array of keys.
+* @param  extractedSignatures  Pointer to the first element in an array
+*                              of extracted signatures.
+* @param  signatureCount       The number of signatures in the MAR file
+* @param numVerified           Out parameter which will be filled with
+*                              the number of verified signatures.
+*                              This information can be useful for printing
+*                              error messages.
+* @return 0 on success, *numVerified == signatureCount.
+*/
+int
+mar_verify_signatures_for_fp(FILE *fp,
+CryptoX_ProviderHandle provider,
+CryptoX_PublicKey *keys,
+const uint8_t * const *extractedSignatures,
+uint32_t signatureCount,
+uint32_t *numVerified)
+{
+CryptoX_SignatureHandle signatureHandles[MAX_SIGNATURES];
+char buf[BLOCKSIZE];
+uint32_t signatureLengths[MAX_SIGNATURES];
+uint32_t i;
+int rv = CryptoX_Error;
+memset(signatureHandles, 0, sizeof(signatureHandles));
+memset(signatureLengths, 0, sizeof(signatureLengths));
+if (!extractedSignatures || !numVerified) {
+fprintf(stderr, "ERROR: Invalid parameter specified.\n");
+goto failure;
+}
+*numVerified = 0;
+/* This function is only called when we have at least one signature,
+but to protected against future people who call this function we
+make sure a non zero value is passed in.
+*/
+if (!signatureCount) {
+fprintf(stderr, "ERROR: There must be at least one signature.\n");
+goto failure;
+}
+for (i = 0; i < signatureCount; i++) {
+if (CryptoX_Failed(CryptoX_VerifyBegin(provider,
+&signatureHandles[i], &keys[i]))) {
+fprintf(stderr, "ERROR: Could not initialize signature handle.\n");
+goto failure;
+}
+}
+/* Skip to the start of the file */
+if (fseeko(fp, 0, SEEK_SET)) {
+fprintf(stderr, "ERROR: Could not seek to start of the file\n");
+goto failure;
+}
+/* Bytes 0-3: MAR1
+Bytes 4-7: index offset
+Bytes 8-15: size of entire MAR
+*/
+if (CryptoX_Failed(ReadAndUpdateVerifyContext(fp, buf,
+SIGNATURE_BLOCK_OFFSET +
+sizeof(uint32_t),
+signatureHandles,
+signatureCount,
+"signature block"))) {
+goto failure;
+}
+/* Read the signature block */
+for (i = 0; i < signatureCount; i++) {
+/* Get the signature algorithm ID */
+if (CryptoX_Failed(ReadAndUpdateVerifyContext(fp,
+&buf,
+sizeof(uint32_t),
+signatureHandles,
+signatureCount,
+"signature algorithm ID"))) {
+goto failure;
+}
+if (CryptoX_Failed(ReadAndUpdateVerifyContext(fp,
+&signatureLengths[i],
+sizeof(uint32_t),
+signatureHandles,
+signatureCount,
+"signature length"))) {
+goto failure;
+}
+signatureLengths[i] = ntohl(signatureLengths[i]);
+if (signatureLengths[i] > MAX_SIGNATURE_LENGTH) {
+fprintf(stderr, "ERROR: Embedded signature length is too large.\n");
+goto failure;
+}
+/* Skip past the signature itself as those are not included */
+if (fseeko(fp, signatureLengths[i], SEEK_CUR)) {
+fprintf(stderr, "ERROR: Could not seek past signature.\n");
+goto failure;
+}
+}
+/* Read the rest of the file after the signature block */
+while (!feof(fp)) {
+int numRead = fread(buf, 1, BLOCKSIZE , fp);
+if (ferror(fp)) {
+fprintf(stderr, "ERROR: Error reading data block.\n");
+goto failure;
+}
+for (i = 0; i < signatureCount; i++) {
+if (CryptoX_Failed(CryptoX_VerifyUpdate(&signatureHandles[i],
+buf, numRead))) {
+fprintf(stderr, "ERROR: Error updating verify context with"
+" data block.\n");
+goto failure;
+}
+}
+}
+/* Verify the signatures */
+for (i = 0; i < signatureCount; i++) {
+if (CryptoX_Failed(CryptoX_VerifySignature(&signatureHandles[i],
+&keys[i],
+extractedSignatures[i],
+signatureLengths[i]))) {
+fprintf(stderr, "ERROR: Error verifying signature.\n");
+goto failure;
+}
+++*numVerified;
+}
+rv = CryptoX_Success;
+failure:
+for (i = 0; i < signatureCount; i++) {
+CryptoX_FreeSignatureHandle(&signatureHandles[i]);
+}
+return rv;
+}

The Tor Browser / file comparison

comparison: modules/libmar/verify/mar_verify.c

modules/libmar/verify/mar_verify.c