|
|
|
|
@@ -4,6 +4,7 @@
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/version.h>
|
|
|
|
|
#include <linux/workqueue.h>
|
|
|
|
|
#ifdef CONFIG_KSU_DEBUG
|
|
|
|
|
#include <linux/moduleparam.h>
|
|
|
|
|
#endif
|
|
|
|
|
@@ -17,13 +18,295 @@
|
|
|
|
|
#include "apk_sign.h"
|
|
|
|
|
#include "klog.h" // IWYU pragma: keep
|
|
|
|
|
#include "kernel_compat.h"
|
|
|
|
|
#include "manager_sign.h"
|
|
|
|
|
|
|
|
|
|
// Expected sizes and hashes for various APK signatures
|
|
|
|
|
#define DYNAMIC_SIGN_FILE_MAGIC 0x7f445347 // 'DSG', u32
|
|
|
|
|
#define DYNAMIC_SIGN_FILE_VERSION 1 // u32
|
|
|
|
|
#define KERNEL_SU_DYNAMIC_SIGN "/data/adb/ksu/.dynamic_sign"
|
|
|
|
|
|
|
|
|
|
static struct dynamic_sign_config dynamic_sign = {
|
|
|
|
|
.size = 0x300,
|
|
|
|
|
.hash = "0000000000000000000000000000000000000000000000000000000000000000",
|
|
|
|
|
.is_set = 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static DEFINE_SPINLOCK(dynamic_sign_lock);
|
|
|
|
|
static struct work_struct ksu_save_dynamic_sign_work;
|
|
|
|
|
static struct work_struct ksu_load_dynamic_sign_work;
|
|
|
|
|
static struct work_struct ksu_clear_dynamic_sign_work;
|
|
|
|
|
|
|
|
|
|
static void do_save_dynamic_sign(struct work_struct *work)
|
|
|
|
|
{
|
|
|
|
|
u32 magic = DYNAMIC_SIGN_FILE_MAGIC;
|
|
|
|
|
u32 version = DYNAMIC_SIGN_FILE_VERSION;
|
|
|
|
|
struct dynamic_sign_config config_to_save;
|
|
|
|
|
loff_t off = 0;
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
struct file *fp;
|
|
|
|
|
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
config_to_save = dynamic_sign;
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
|
|
|
|
|
if (!config_to_save.is_set) {
|
|
|
|
|
pr_info("Dynamic sign config not set, skipping save\n");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_WRONLY | O_CREAT | O_TRUNC, 0644);
|
|
|
|
|
if (IS_ERR(fp)) {
|
|
|
|
|
pr_err("save_dynamic_sign create file failed: %ld\n", PTR_ERR(fp));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
|
|
|
|
|
pr_err("save_dynamic_sign write magic failed.\n");
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
|
|
|
|
|
pr_err("save_dynamic_sign write version failed.\n");
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ksu_kernel_write_compat(fp, &config_to_save, sizeof(config_to_save), &off) != sizeof(config_to_save)) {
|
|
|
|
|
pr_err("save_dynamic_sign write config failed.\n");
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_info("Dynamic sign config saved successfully\n");
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
filp_close(fp, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Loading dynamic signatures from persistent storage
|
|
|
|
|
static void do_load_dynamic_sign(struct work_struct *work)
|
|
|
|
|
{
|
|
|
|
|
loff_t off = 0;
|
|
|
|
|
ssize_t ret = 0;
|
|
|
|
|
struct file *fp = NULL;
|
|
|
|
|
u32 magic;
|
|
|
|
|
u32 version;
|
|
|
|
|
struct dynamic_sign_config loaded_config;
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_RDONLY, 0);
|
|
|
|
|
if (IS_ERR(fp)) {
|
|
|
|
|
if (PTR_ERR(fp) == -ENOENT) {
|
|
|
|
|
pr_info("No saved dynamic sign config found\n");
|
|
|
|
|
} else {
|
|
|
|
|
pr_err("load_dynamic_sign open file failed: %ld\n", PTR_ERR(fp));
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
|
|
|
|
|
magic != DYNAMIC_SIGN_FILE_MAGIC) {
|
|
|
|
|
pr_err("dynamic sign file invalid magic: %x!\n", magic);
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
|
|
|
|
|
pr_err("dynamic sign read version failed\n");
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_info("dynamic sign file version: %d\n", version);
|
|
|
|
|
|
|
|
|
|
ret = ksu_kernel_read_compat(fp, &loaded_config, sizeof(loaded_config), &off);
|
|
|
|
|
if (ret <= 0) {
|
|
|
|
|
pr_info("load_dynamic_sign read err: %zd\n", ret);
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret != sizeof(loaded_config)) {
|
|
|
|
|
pr_err("load_dynamic_sign read incomplete config: %zd/%zu\n", ret, sizeof(loaded_config));
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (loaded_config.size < 0x100 || loaded_config.size > 0x1000) {
|
|
|
|
|
pr_err("Invalid saved config size: 0x%x\n", loaded_config.size);
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen(loaded_config.hash) != 64) {
|
|
|
|
|
pr_err("Invalid saved config hash length: %zu\n", strlen(loaded_config.hash));
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < 64; i++) {
|
|
|
|
|
char c = loaded_config.hash[i];
|
|
|
|
|
if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
|
|
|
|
|
pr_err("Invalid saved config hash character at position %d: %c\n", i, c);
|
|
|
|
|
goto exit;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
dynamic_sign = loaded_config;
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
|
|
|
|
|
pr_info("Dynamic sign config loaded: size=0x%x, hash=%.16s...\n",
|
|
|
|
|
loaded_config.size, loaded_config.hash);
|
|
|
|
|
|
|
|
|
|
exit:
|
|
|
|
|
filp_close(fp, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool persistent_dynamic_sign(void)
|
|
|
|
|
{
|
|
|
|
|
return ksu_queue_work(&ksu_save_dynamic_sign_work);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Clear dynamic sign config file using the same method as do_save_dynamic_sign
|
|
|
|
|
static void do_clear_dynamic_sign_file(struct work_struct *work)
|
|
|
|
|
{
|
|
|
|
|
loff_t off = 0;
|
|
|
|
|
struct file *fp;
|
|
|
|
|
char zero_buffer[512];
|
|
|
|
|
|
|
|
|
|
memset(zero_buffer, 0, sizeof(zero_buffer));
|
|
|
|
|
|
|
|
|
|
fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_WRONLY | O_CREAT | O_TRUNC, 0644);
|
|
|
|
|
if (IS_ERR(fp)) {
|
|
|
|
|
pr_err("clear_dynamic_sign create file failed: %ld\n", PTR_ERR(fp));
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Write null bytes to overwrite the file content
|
|
|
|
|
if (ksu_kernel_write_compat(fp, zero_buffer, sizeof(zero_buffer), &off) != sizeof(zero_buffer)) {
|
|
|
|
|
pr_err("clear_dynamic_sign write null bytes failed.\n");
|
|
|
|
|
} else {
|
|
|
|
|
pr_info("Dynamic sign config file cleared successfully\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filp_close(fp, 0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool clear_dynamic_sign_file(void)
|
|
|
|
|
{
|
|
|
|
|
return ksu_queue_work(&ksu_clear_dynamic_sign_work);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int ksu_handle_dynamic_sign(struct dynamic_sign_user_config *config)
|
|
|
|
|
{
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
int ret = 0;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
if (!config) {
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (config->operation) {
|
|
|
|
|
case DYNAMIC_SIGN_OP_SET:
|
|
|
|
|
if (config->size < 0x100 || config->size > 0x1000) {
|
|
|
|
|
pr_err("invalid size: 0x%x\n", config->size);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen(config->hash) != 64) {
|
|
|
|
|
pr_err("invalid hash length: %zu\n", strlen(config->hash));
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < 64; i++) {
|
|
|
|
|
char c = config->hash[i];
|
|
|
|
|
if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
|
|
|
|
|
pr_err("invalid hash character at position %d: %c\n", i, c);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
dynamic_sign.size = config->size;
|
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
|
|
|
|
|
strscpy(dynamic_sign.hash, config->hash, sizeof(dynamic_sign.hash));
|
|
|
|
|
#else
|
|
|
|
|
strlcpy(dynamic_sign.hash, config->hash, sizeof(dynamic_sign.hash));
|
|
|
|
|
#endif
|
|
|
|
|
dynamic_sign.is_set = 1;
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
|
|
|
|
|
persistent_dynamic_sign();
|
|
|
|
|
pr_info("dynamic sign updated: size=0x%x, hash=%.16s...\n", config->size, config->hash);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case DYNAMIC_SIGN_OP_GET:
|
|
|
|
|
// Getting Dynamic Signatures
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
if (dynamic_sign.is_set) {
|
|
|
|
|
config->size = dynamic_sign.size;
|
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
|
|
|
|
|
strscpy(config->hash, dynamic_sign.hash, sizeof(config->hash));
|
|
|
|
|
#else
|
|
|
|
|
strlcpy(config->hash, dynamic_sign.hash, sizeof(config->hash));
|
|
|
|
|
#endif
|
|
|
|
|
ret = 0;
|
|
|
|
|
} else {
|
|
|
|
|
ret = -ENODATA;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case DYNAMIC_SIGN_OP_CLEAR:
|
|
|
|
|
// Clearing dynamic signatures
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
dynamic_sign.size = 0x300;
|
|
|
|
|
strcpy(dynamic_sign.hash, "0000000000000000000000000000000000000000000000000000000000000000");
|
|
|
|
|
dynamic_sign.is_set = 0;
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
|
|
|
|
|
// Clear file using the same method as save
|
|
|
|
|
clear_dynamic_sign_file();
|
|
|
|
|
|
|
|
|
|
pr_info("Dynamic sign config cleared\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
pr_err("Invalid dynamic sign operation: %d\n", config->operation);
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool ksu_load_dynamic_sign(void)
|
|
|
|
|
{
|
|
|
|
|
return ksu_queue_work(&ksu_load_dynamic_sign_work);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ksu_dynamic_sign_init(void)
|
|
|
|
|
{
|
|
|
|
|
INIT_WORK(&ksu_save_dynamic_sign_work, do_save_dynamic_sign);
|
|
|
|
|
INIT_WORK(&ksu_load_dynamic_sign_work, do_load_dynamic_sign);
|
|
|
|
|
INIT_WORK(&ksu_clear_dynamic_sign_work, do_clear_dynamic_sign_file);
|
|
|
|
|
pr_info("Dynamic sign initialized with persistent storage\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ksu_dynamic_sign_exit(void)
|
|
|
|
|
{
|
|
|
|
|
do_save_dynamic_sign(NULL);
|
|
|
|
|
pr_info("Dynamic sign exited with persistent storage\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct sdesc {
|
|
|
|
|
struct shash_desc shash;
|
|
|
|
|
char ctx[];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct apk_sign_key {
|
|
|
|
|
unsigned size;
|
|
|
|
|
const char *sha256;
|
|
|
|
|
} apk_sign_keys[] = {
|
|
|
|
|
{EXPECTED_SIZE, EXPECTED_HASH},
|
|
|
|
|
{EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO}, // ShirkNeko/SukiSU
|
|
|
|
|
{EXPECTED_SIZE_OTHER, EXPECTED_HASH_OTHER}, // Dynamic Sign
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct sdesc *init_sdesc(struct crypto_shash *alg)
|
|
|
|
|
{
|
|
|
|
|
struct sdesc *sdesc;
|
|
|
|
|
@@ -71,9 +354,11 @@ static int ksu_sha256(const unsigned char *data, unsigned int datalen,
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
|
|
|
|
|
unsigned expected_size, const char *expected_sha256)
|
|
|
|
|
static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
struct apk_sign_key sign_key;
|
|
|
|
|
|
|
|
|
|
ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer-sequence length
|
|
|
|
|
ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer length
|
|
|
|
|
ksu_kernel_read_compat(fp, size4, 0x4, pos); // signed data length
|
|
|
|
|
@@ -89,7 +374,21 @@ static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
|
|
|
|
|
ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificate length
|
|
|
|
|
*offset += 0x4 * 2;
|
|
|
|
|
|
|
|
|
|
if (*size4 == expected_size) {
|
|
|
|
|
for (i = 0; i < ARRAY_SIZE(apk_sign_keys); i++) {
|
|
|
|
|
sign_key = apk_sign_keys[i];
|
|
|
|
|
|
|
|
|
|
if (i == 2) {
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
spin_lock_irqsave(&dynamic_sign_lock, flags);
|
|
|
|
|
if (dynamic_sign.is_set) {
|
|
|
|
|
sign_key.size = dynamic_sign.size;
|
|
|
|
|
sign_key.sha256 = dynamic_sign.hash;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock_irqrestore(&dynamic_sign_lock, flags);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*size4 != sign_key.size)
|
|
|
|
|
continue;
|
|
|
|
|
*offset += *size4;
|
|
|
|
|
|
|
|
|
|
#define CERT_MAX_LENGTH 1024
|
|
|
|
|
@@ -110,8 +409,8 @@ static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
|
|
|
|
|
|
|
|
|
|
bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
|
|
|
|
|
pr_info("sha256: %s, expected: %s\n", hash_str,
|
|
|
|
|
expected_sha256);
|
|
|
|
|
if (strcmp(expected_sha256, hash_str) == 0) {
|
|
|
|
|
sign_key.sha256);
|
|
|
|
|
if (strcmp(sign_key.sha256, hash_str) == 0) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@@ -171,9 +470,7 @@ static bool has_v1_signature_file(struct file *fp)
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static __always_inline bool check_v2_signature(char *path,
|
|
|
|
|
unsigned expected_size,
|
|
|
|
|
const char *expected_sha256)
|
|
|
|
|
static __always_inline bool check_v2_signature(char *path)
|
|
|
|
|
{
|
|
|
|
|
unsigned char buffer[0x11] = { 0 };
|
|
|
|
|
u32 size4;
|
|
|
|
|
@@ -244,9 +541,7 @@ static __always_inline bool check_v2_signature(char *path,
|
|
|
|
|
offset = 4;
|
|
|
|
|
if (id == 0x7109871au) {
|
|
|
|
|
v2_signing_blocks++;
|
|
|
|
|
v2_signing_valid =
|
|
|
|
|
check_block(fp, &size4, &pos, &offset,
|
|
|
|
|
expected_size, expected_sha256);
|
|
|
|
|
v2_signing_valid = check_block(fp, &size4, &pos, &offset);
|
|
|
|
|
} else if (id == 0xf05368c0u) {
|
|
|
|
|
// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#73
|
|
|
|
|
v3_signing_exist = true;
|
|
|
|
|
@@ -316,5 +611,5 @@ module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
|
|
|
|
|
|
|
|
|
|
bool is_manager_apk(char *path)
|
|
|
|
|
{
|
|
|
|
|
return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
|
|
|
|
|
return check_v2_signature(path);
|
|
|
|
|
}
|
ShirkNeko