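/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik
 * Software engineering by Intevation GmbH
 *
 * This file is Free Software under the GNU GPL (v>=2)
 * and comes with ABSOLUTELY NO WARRANTY!
 * See LICENSE.txt for details.
 */

#ifndef BINVERIFY_H
#define BINVERIFY_H
/**
 * @file binverify.h
 * @brief Verification of binary files
 */

/* size_t is used in the prototypes below. */
#include <stddef.h>
/* NOTE(review): the listing this header was recovered from shows a second
 * #include line whose target was lost; restore it from the repository. */

#ifdef __cplusplus
extern "C" {
#endif

/**
 * @enum bin_verify_result
 * @brief Result of a verification
 *
 * Every enumerator is non-zero, including the success value. Callers must
 * compare against VerifyValid explicitly; a plain truth test such as
 * `if (verify_binary(...))` is true for every failure code as well.
 */
typedef enum {
    VerifyValid = 100,            /*!< Could be read and signature matched */
    VerifyUnknownError = 1,       /*!< Unspecified failure (the expected unexpected) */
    VerifyInvalidSignature = 4,   /*!< Signature was invalid */
    VerifyInvalidCertificate = 5, /*!< Certificate mismatch */
    VerifyReadFailed = 6,         /*!< File exists but could not be read */
} bin_verify_result;

/**
 * @brief verify a binary
 *
 * This function checks that a binary is signed by a built-in
 * certificate.
 *
 * Caution: This function works on file names only, and the file could
 * be modified after this check. A VerifyValid result therefore describes
 * the content that was read during the call, not whatever the same path
 * refers to when it is opened or executed later. Callers that act on the
 * file afterwards have to close that window themselves, for example by
 * keeping the file where other users cannot write to it.
 *
 * Windows verification is done using the Windows crypto API, based on
 * PKCS 7 "authenticode" signatures embedded into the file.
 *
 * On Linux the file is expected to end with the pattern
 * \\r\\nS: (0x0d0a533A) followed by a 3072 Bit Base64 encoded RSA
 * signature.
 * The signature is verified against the built-in codesigning key in
 * the same certificate that is used for Windows verification.
 * If the pattern is not found the verification fails.
 *
 * @param[in] filename absolute null terminated UTF-8 encoded path to the file.
 * @param[in] name_len length of the filename.
 *                     NOTE(review): presumably in bytes and without the
 *                     terminating null; confirm against the implementation.
 *
 * @returns the verification result; only VerifyValid means the signature
 *          was accepted.
 */
bin_verify_result verify_binary(const char *filename, size_t name_len);

#ifdef WIN32
/**
 * @brief windows implementation of verify_binary
 *
 * Takes the same parameters and returns the same result type as
 * verify_binary().
 */
bin_verify_result verify_binary_win(const char *filename, size_t name_len);
#else /* WIN32 */
/**
 * @def MAX_VALID_BIN_SIZE
 * @brief Max size of a valid binary in bytes (32 MiB)
 *
 * NOTE(review): which result code is reported for a larger file is not
 * visible in this header; check the Linux implementation.
 */
#define MAX_VALID_BIN_SIZE (32 * 1024 * 1024)

/**
 * @brief linux implementation of verify_binary
 *
 * Takes the same parameters and returns the same result type as
 * verify_binary().
 */
bin_verify_result verify_binary_linux(const char *filename, size_t name_len);
#endif /* WIN32 */

#ifdef __cplusplus
}
#endif

#endif /* BINVERIFY_H */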