Adding upstream version 6.0.4-dfsg.upstream/6.0.4-dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 167 insertions, 0 deletions

diff --git a/src/VBox/Runtime/common/crypto/spc-sanity.cpp b/src/VBox/Runtime/common/crypto/spc-sanity.cpp
new file mode 100644
index 00000000..9426579a
--- /dev/null
+++ b/src/VBox/Runtime/common/crypto/spc-sanity.cpp
@@ -0,0 +1,167 @@
+/* $Id: spc-sanity.cpp $ */
+/** @file
+ * IPRT - Crypto - Microsoft SPC / Authenticode, Sanity Checkers.
+ */
+
+/*
+ * Copyright (C) 2006-2019 Oracle Corporation
+ *
+ * This file is part of VirtualBox Open Source Edition (OSE), as
+ * available from http://www.virtualbox.org. This file is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU
+ * General Public License (GPL) as published by the Free Software
+ * Foundation, in version 2 as it comes in the "COPYING" file of the
+ * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
+ * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
+ *
+ * The contents of this file may alternatively be used under the terms
+ * of the Common Development and Distribution License Version 1.0
+ * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
+ * VirtualBox OSE distribution, in which case the provisions of the
+ * CDDL are applicable instead of those of the GPL.
+ *
+ * You may elect to license modified versions of this file under the
+ * terms and conditions of either the GPL or the CDDL or both.
+ */
+
+
+/*********************************************************************************************************************************
+*   Header Files                                                                                                                 *
+*********************************************************************************************************************************/
+#include "internal/iprt.h"
+#include <iprt/crypto/spc.h>
+
+#include <iprt/assert.h>
+#include <iprt/err.h>
+#include <iprt/uuid.h>
+
+#include "spc-internal.h"
+
+
+RTDECL(int) RTCrSpcIndirectDataContent_CheckSanityEx(PCRTCRSPCINDIRECTDATACONTENT pIndData,
+                                                     PCRTCRPKCS7SIGNEDDATA pSignedData,
+                                                     uint32_t fFlags,
+                                                     PRTERRINFO pErrInfo)
+{
+    /*
+     * Match up the digest algorithms (page 8, v1.0).
+     */
+    if (pSignedData->SignerInfos.cItems != 1)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_NOT_EXACTLY_ONE_SIGNER_INFOS,
+                             "SpcIndirectDataContent expects SignedData to have exactly one SignerInfos entries, found: %u",
+                             pSignedData->SignerInfos.cItems);
+    if (pSignedData->DigestAlgorithms.cItems != 1)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_NOT_EXACTLY_ONE_DIGEST_ALGO,
+                             "SpcIndirectDataContent expects SignedData to have exactly one DigestAlgorithms entries, found: %u",
+                             pSignedData->DigestAlgorithms.cItems);
+
+    if (RTCrX509AlgorithmIdentifier_Compare(&pIndData->DigestInfo.DigestAlgorithm, /** @todo not entirely sure about this check... */
+                                            &pSignedData->SignerInfos.papItems[0]->DigestAlgorithm) != 0)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_SIGNED_IND_DATA_DIGEST_ALGO_MISMATCH,
+                             "SpcIndirectDataContent DigestInfo and SignerInfos algorithms mismatch: %s vs %s",
+                             pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId,
+                             pSignedData->SignerInfos.papItems[0]->DigestAlgorithm.Algorithm.szObjId);
+
+    if (RTCrX509AlgorithmIdentifier_Compare(&pIndData->DigestInfo.DigestAlgorithm,
+                                            pSignedData->DigestAlgorithms.papItems[0]) != 0)
+        return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_IND_DATA_DIGEST_ALGO_NOT_IN_DIGEST_ALGOS,
+                             "SpcIndirectDataContent DigestInfo and SignedData.DigestAlgorithms[0] mismatch: %s vs %s",
+                             pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId,
+                             pSignedData->DigestAlgorithms.papItems[0]->Algorithm.szObjId);
+
+    if (fFlags & RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH)
+    {
+        if (RTCrX509AlgorithmIdentifier_QueryDigestType(&pIndData->DigestInfo.DigestAlgorithm) == RTDIGESTTYPE_INVALID)
+            return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_UNKNOWN_DIGEST_ALGO,
+                                 "SpcIndirectDataContent DigestAlgortihm is not known: %s",
+                                 pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId);
+    }
+
+    uint32_t cbDigest = RTCrX509AlgorithmIdentifier_QueryDigestSize(&pIndData->DigestInfo.DigestAlgorithm);
+    if (   pIndData->DigestInfo.Digest.Asn1Core.cb != cbDigest
+        && (cbDigest != UINT32_MAX || (fFlags & RTCRSPCINDIRECTDATACONTENT_SANITY_F_ONLY_KNOWN_HASH)))
+        return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_IND_DATA_DIGEST_SIZE_MISMATCH,
+                             "SpcIndirectDataContent Digest size mismatch with algorithm: %u, expected %u (%s)",
+                             pIndData->DigestInfo.Digest.Asn1Core.cb, cbDigest,
+                             pIndData->DigestInfo.DigestAlgorithm.Algorithm.szObjId);
+
+    /*
+     * Data.
+     */
+    if (fFlags & RTCRSPCINDIRECTDATACONTENT_SANITY_F_PE_IMAGE)
+    {
+        if (   pIndData->Data.enmType != RTCRSPCAAOVTYPE_PE_IMAGE_DATA
+            || RTAsn1ObjId_CompareWithString(&pIndData->Data.Type, RTCRSPCPEIMAGEDATA_OID) != 0)
+            return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_EXPECTED_PE_IMAGE_DATA,
+                                 "SpcIndirectDataContent.Data.Type is %s, expected %s (SpcPeImageData) [enmType=%d]",
+                                 pIndData->Data.Type.szObjId, RTCRSPCPEIMAGEDATA_OID, pIndData->Data.enmType);
+        if (   pIndData->Data.uValue.pPeImage
+            || !RTCrSpcPeImageData_IsPresent(pIndData->Data.uValue.pPeImage) )
+            return RTErrInfoSet(pErrInfo, VERR_CR_SPC_PEIMAGE_DATA_NOT_PRESENT,
+                                "SpcIndirectDataContent.Data.uValue/PEImage is missing");
+
+        if (   pIndData->Data.uValue.pPeImage->T0.File.enmChoice == RTCRSPCLINKCHOICE_MONIKER
+            && RTCrSpcSerializedObject_IsPresent(pIndData->Data.uValue.pPeImage->T0.File.u.pMoniker) )
+        {
+            PCRTCRSPCSERIALIZEDOBJECT pObj = pIndData->Data.uValue.pPeImage->T0.File.u.pMoniker;
+
+            if (pObj->Uuid.Asn1Core.cb != sizeof(RTUUID))
+                return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_BAD_MONIKER_UUID,
+                                     "SpcIndirectDataContent...MonikerT1.Uuid incorrect size: %u, expected %u.",
+                                     pObj->Uuid.Asn1Core.cb, sizeof(RTUUID));
+            if (RTUuidCompareStr(pObj->Uuid.Asn1Core.uData.pUuid, RTCRSPCSERIALIZEDOBJECT_UUID_STR) != 0)
+                return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_UNKNOWN_MONIKER_UUID,
+                                     "SpcIndirectDataContent...MonikerT1.Uuid mismatch: %RTuuid, expected %s.",
+                                     pObj->Uuid.Asn1Core.uData.pUuid, RTCRSPCSERIALIZEDOBJECT_UUID_STR);
+
+            if (pObj->enmType != RTCRSPCSERIALIZEDOBJECTTYPE_ATTRIBUTES)
+                return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_BAD_MONIKER_CHOICE,
+                                     "SpcIndirectDataContent...pMoniker->enmType=%d, expected %d.",
+                                     pObj->enmType, RTCRSPCSERIALIZEDOBJECTTYPE_ATTRIBUTES);
+            if (!pObj->u.pData)
+                return RTErrInfoSet(pErrInfo, VERR_CR_SPC_MONIKER_BAD_DATA,
+                                    "SpcIndirectDataContent...pMoniker->pData is NULL.");
+
+            uint32_t cPageHashTabs = 0;
+            for (uint32_t i = 0; i < pObj->u.pData->cItems; i++)
+            {
+                PCRTCRSPCSERIALIZEDOBJECTATTRIBUTE pAttr = pObj->u.pData->papItems[i];
+                if (   RTAsn1ObjId_CompareWithString(&pAttr->Type, RTCRSPC_PE_IMAGE_HASHES_V1_OID) == 0
+                    || RTAsn1ObjId_CompareWithString(&pAttr->Type, RTCRSPC_PE_IMAGE_HASHES_V2_OID) == 0 )
+                {
+                    cPageHashTabs++;
+                    AssertPtr(pAttr->u.pPageHashes->pData);
+                }
+                else
+                    return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_PEIMAGE_UNKNOWN_ATTRIBUTE,
+                                         "SpcIndirectDataContent...MonikerT1 unknown attribute %u: %s.",
+                                         i, pAttr->Type.szObjId);
+            }
+            if (cPageHashTabs > 0)
+                return RTErrInfoSetF(pErrInfo, VERR_CR_SPC_PEIMAGE_MULTIPLE_HASH_TABS,
+                                     "SpcIndirectDataContent...MonikerT1 multiple page hash attributes (%u).", cPageHashTabs);
+
+        }
+        else if (   pIndData->Data.uValue.pPeImage->T0.File.enmChoice == RTCRSPCLINKCHOICE_FILE
+                 && RTCrSpcString_IsPresent(&pIndData->Data.uValue.pPeImage->T0.File.u.pT2->File) )
+        {
+            /* Could check for "<<<Obsolete>>>" here, but it's really irrelevant. */
+        }
+        else if (   pIndData->Data.uValue.pPeImage->T0.File.enmChoice == RTCRSPCLINKCHOICE_URL
+                 && RTAsn1String_IsPresent(pIndData->Data.uValue.pPeImage->T0.File.u.pUrl) )
+            return RTErrInfoSet(pErrInfo, VERR_CR_SPC_PEIMAGE_URL_UNEXPECTED,
+                                "SpcIndirectDataContent.Data.uValue.pPeImage->File is an URL, expected object Moniker or File.");
+        else
+            return RTErrInfoSet(pErrInfo, VERR_CR_SPC_PEIMAGE_NO_CONTENT,
+                                "SpcIndirectDataContent.Data.uValue.pPeImage->File has no content");
+    }
+
+    return VINF_SUCCESS;
+}
+
+
+/*
+ * Generate the standard core code.
+ */
+#include <iprt/asn1-generator-sanity.h>
+