Convert recovery to use BoringSSL instead of mincrypt.
This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
This commit is contained in:
parent
81247500d5
commit
452df6d99c
11 changed files with 274 additions and 246 deletions
|
@ -23,7 +23,7 @@ LOCAL_CLANG := true
|
|||
LOCAL_CFLAGS := -O2 -g -DADB_HOST=0 -Wall -Wno-unused-parameter
|
||||
LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE
|
||||
LOCAL_MODULE := libfusesideload
|
||||
LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt
|
||||
LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static
|
||||
include $(BUILD_STATIC_LIBRARY)
|
||||
|
||||
# recovery (static executable)
|
||||
|
@ -72,12 +72,13 @@ LOCAL_STATIC_LIBRARIES := \
|
|||
libminzip \
|
||||
libz \
|
||||
libmtdutils \
|
||||
libmincrypt \
|
||||
libminadbd \
|
||||
libfusesideload \
|
||||
libminui \
|
||||
libpng \
|
||||
libfs_mgr \
|
||||
libcrypto_utils_static \
|
||||
libcrypto_static \
|
||||
libbase \
|
||||
libcutils \
|
||||
libutils \
|
||||
|
@ -138,6 +139,7 @@ LOCAL_SRC_FILES := \
|
|||
asn1_decoder.cpp \
|
||||
verifier.cpp \
|
||||
ui.cpp
|
||||
LOCAL_STATIC_LIBRARIES := libcrypto_utils_static libcrypto_static
|
||||
include $(BUILD_STATIC_LIBRARY)
|
||||
|
||||
include $(LOCAL_PATH)/minui/Android.mk \
|
||||
|
|
|
@ -61,7 +61,8 @@
|
|||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "mincrypt/sha256.h"
|
||||
#include <openssl/sha.h>
|
||||
|
||||
#include "fuse_sideload.h"
|
||||
|
||||
#define PACKAGE_FILE_ID (FUSE_ROOT_ID+1)
|
||||
|
@ -269,22 +270,22 @@ static int fetch_block(struct fuse_data* fd, uint32_t block) {
|
|||
// block).
|
||||
// - Otherwise, return -EINVAL for the read.
|
||||
|
||||
uint8_t hash[SHA256_DIGEST_SIZE];
|
||||
SHA256_hash(fd->block_data, fd->block_size, hash);
|
||||
uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE;
|
||||
if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) {
|
||||
uint8_t hash[SHA256_DIGEST_LENGTH];
|
||||
SHA256(fd->block_data, fd->block_size, hash);
|
||||
uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH;
|
||||
if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int i;
|
||||
for (i = 0; i < SHA256_DIGEST_SIZE; ++i) {
|
||||
for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) {
|
||||
if (blockhash[i] != 0) {
|
||||
fd->curr_block = -1;
|
||||
return -EIO;
|
||||
}
|
||||
}
|
||||
|
||||
memcpy(blockhash, hash, SHA256_DIGEST_SIZE);
|
||||
memcpy(blockhash, hash, SHA256_DIGEST_LENGTH);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -393,10 +394,10 @@ int run_fuse_sideload(struct provider_vtab* vtab, void* cookie,
|
|||
goto done;
|
||||
}
|
||||
|
||||
fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE);
|
||||
fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH);
|
||||
if (fd.hashes == NULL) {
|
||||
fprintf(stderr, "failed to allocate %d bites for hashes\n",
|
||||
fd.file_blocks * SHA256_DIGEST_SIZE);
|
||||
fd.file_blocks * SHA256_DIGEST_LENGTH);
|
||||
result = -1;
|
||||
goto done;
|
||||
}
|
||||
|
|
|
@ -27,15 +27,14 @@
|
|||
|
||||
#include "common.h"
|
||||
#include "install.h"
|
||||
#include "mincrypt/rsa.h"
|
||||
#include "minui/minui.h"
|
||||
#include "minzip/SysUtil.h"
|
||||
#include "minzip/Zip.h"
|
||||
#include "mtdutils/mounts.h"
|
||||
#include "mtdutils/mtdutils.h"
|
||||
#include "roots.h"
|
||||
#include "verifier.h"
|
||||
#include "ui.h"
|
||||
#include "verifier.h"
|
||||
|
||||
extern RecoveryUI* ui;
|
||||
|
||||
|
|
|
@ -39,7 +39,8 @@ LOCAL_FORCE_STATIC_EXECUTABLE := true
|
|||
LOCAL_STATIC_LIBRARIES := \
|
||||
libbase \
|
||||
libverifier \
|
||||
libmincrypt \
|
||||
libcrypto_utils_static \
|
||||
libcrypto_static \
|
||||
libminui \
|
||||
libminzip \
|
||||
libcutils \
|
||||
|
|
|
@ -19,18 +19,18 @@
|
|||
#include <gtest/gtest.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <memory>
|
||||
#include <string>
|
||||
#include <vector>
|
||||
|
||||
#include <openssl/sha.h>
|
||||
|
||||
#include <android-base/stringprintf.h>
|
||||
|
||||
#include "common.h"
|
||||
#include "mincrypt/sha.h"
|
||||
#include "mincrypt/sha256.h"
|
||||
#include "minzip/SysUtil.h"
|
||||
#include "ui.h"
|
||||
#include "verifier.h"
|
||||
|
@ -44,94 +44,6 @@
|
|||
static const char* DATA_PATH = getenv("ANDROID_DATA");
|
||||
static const char* TESTDATA_PATH = "/recovery/testdata/";
|
||||
|
||||
// This is build/target/product/security/testkey.x509.pem after being
|
||||
// dumped out by dumpkey.jar.
|
||||
RSAPublicKey test_key =
|
||||
{ 64, 0xc926ad21,
|
||||
{ 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu,
|
||||
0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u,
|
||||
0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u,
|
||||
0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u,
|
||||
0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u,
|
||||
0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu,
|
||||
0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u,
|
||||
0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u,
|
||||
0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u,
|
||||
0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu,
|
||||
0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u,
|
||||
0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u,
|
||||
0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u,
|
||||
0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u,
|
||||
0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu,
|
||||
0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u},
|
||||
{ 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u,
|
||||
0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u,
|
||||
0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u,
|
||||
0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au,
|
||||
0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu,
|
||||
0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu,
|
||||
0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au,
|
||||
0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u,
|
||||
0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu,
|
||||
0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau,
|
||||
0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u,
|
||||
0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u,
|
||||
0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u,
|
||||
0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u,
|
||||
0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u,
|
||||
0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u },
|
||||
3
|
||||
};
|
||||
|
||||
RSAPublicKey test_f4_key =
|
||||
{ 64, 0xc9bd1f21,
|
||||
{ 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u,
|
||||
0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u,
|
||||
0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu,
|
||||
0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu,
|
||||
0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u,
|
||||
0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u,
|
||||
0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu,
|
||||
0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u,
|
||||
0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u,
|
||||
0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu,
|
||||
0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u,
|
||||
0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu,
|
||||
0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu,
|
||||
0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u,
|
||||
0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u,
|
||||
0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u },
|
||||
{ 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au,
|
||||
0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u,
|
||||
0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu,
|
||||
0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu,
|
||||
0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u,
|
||||
0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u,
|
||||
0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu,
|
||||
0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du,
|
||||
0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u,
|
||||
0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu,
|
||||
0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u,
|
||||
0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu,
|
||||
0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u,
|
||||
0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu,
|
||||
0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u,
|
||||
0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u },
|
||||
65537
|
||||
};
|
||||
|
||||
ECPublicKey test_ec_key =
|
||||
{
|
||||
{
|
||||
{0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu,
|
||||
0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u}
|
||||
},
|
||||
{
|
||||
{0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au,
|
||||
0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u}
|
||||
}
|
||||
};
|
||||
|
||||
RecoveryUI* ui = NULL;
|
||||
|
||||
class MockUI : public RecoveryUI {
|
||||
|
@ -183,31 +95,34 @@ class VerifierTest : public testing::TestWithParam<std::vector<std::string>> {
|
|||
|
||||
virtual void SetUp() {
|
||||
std::vector<std::string> args = GetParam();
|
||||
std::string package = android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
|
||||
TESTDATA_PATH, args[0].c_str());
|
||||
std::string package =
|
||||
android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH,
|
||||
TESTDATA_PATH, args[0].c_str());
|
||||
if (sysMapFile(package.c_str(), &memmap) != 0) {
|
||||
FAIL() << "Failed to mmap " << package << ": " << strerror(errno)
|
||||
<< "\n";
|
||||
}
|
||||
|
||||
for (auto it = ++(args.cbegin()); it != args.cend(); ++it) {
|
||||
if (it->substr(it->length() - 3, it->length()) == "256") {
|
||||
if (certs.empty()) {
|
||||
FAIL() << "May only specify -sha256 after key type\n";
|
||||
}
|
||||
certs.back().hash_len = SHA256_DIGEST_SIZE;
|
||||
} else if (*it == "ec") {
|
||||
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::EC,
|
||||
nullptr, std::unique_ptr<ECPublicKey>(new ECPublicKey(test_ec_key)));
|
||||
} else if (*it == "e3") {
|
||||
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
|
||||
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
|
||||
} else if (*it == "f4") {
|
||||
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
|
||||
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_f4_key)), nullptr);
|
||||
certs.back().hash_len = SHA256_DIGEST_LENGTH;
|
||||
} else {
|
||||
std::string public_key_file = android::base::StringPrintf(
|
||||
"%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH,
|
||||
TESTDATA_PATH, it->c_str());
|
||||
ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
|
||||
certs.back().hash_len = SHA_DIGEST_LENGTH;
|
||||
}
|
||||
}
|
||||
if (certs.empty()) {
|
||||
certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA,
|
||||
std::unique_ptr<RSAPublicKey>(new RSAPublicKey(test_key)), nullptr);
|
||||
}
|
||||
if (sysMapFile(package.c_str(), &memmap) != 0) {
|
||||
FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n";
|
||||
std::string public_key_file = android::base::StringPrintf(
|
||||
"%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH,
|
||||
TESTDATA_PATH);
|
||||
ASSERT_TRUE(load_keys(public_key_file.c_str(), certs));
|
||||
certs.back().hash_len = SHA_DIGEST_LENGTH;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
1
tests/testdata/test_key_e3.txt
vendored
Normal file
1
tests/testdata/test_key_e3.txt
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}
|
1
tests/testdata/test_key_ec.txt
vendored
Normal file
1
tests/testdata/test_key_ec.txt
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}}
|
1
tests/testdata/test_key_f4.txt
vendored
Normal file
1
tests/testdata/test_key_f4.txt
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}}
|
|
@ -34,6 +34,7 @@ LOCAL_STATIC_LIBRARIES += \
|
|||
libfec_rs \
|
||||
libext4_utils_static \
|
||||
libsquashfs_utils \
|
||||
libcrypto_utils_static \
|
||||
libcrypto_static \
|
||||
libapplypatch \
|
||||
libbase \
|
||||
|
|
308
verifier.cpp
308
verifier.cpp
|
@ -14,23 +14,22 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "asn1_decoder.h"
|
||||
#include "common.h"
|
||||
#include "ui.h"
|
||||
#include "verifier.h"
|
||||
|
||||
#include "mincrypt/dsa_sig.h"
|
||||
#include "mincrypt/p256.h"
|
||||
#include "mincrypt/p256_ecdsa.h"
|
||||
#include "mincrypt/rsa.h"
|
||||
#include "mincrypt/sha.h"
|
||||
#include "mincrypt/sha256.h"
|
||||
|
||||
#include <errno.h>
|
||||
#include <malloc.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <algorithm>
|
||||
#include <memory>
|
||||
|
||||
#include <openssl/ecdsa.h>
|
||||
#include <openssl/obj_mac.h>
|
||||
|
||||
#include "asn1_decoder.h"
|
||||
#include "common.h"
|
||||
#include "ui.h"
|
||||
#include "verifier.h"
|
||||
|
||||
extern RecoveryUI* ui;
|
||||
|
||||
/*
|
||||
|
@ -194,15 +193,15 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
bool need_sha256 = false;
|
||||
for (const auto& key : keys) {
|
||||
switch (key.hash_len) {
|
||||
case SHA_DIGEST_SIZE: need_sha1 = true; break;
|
||||
case SHA256_DIGEST_SIZE: need_sha256 = true; break;
|
||||
case SHA_DIGEST_LENGTH: need_sha1 = true; break;
|
||||
case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
|
||||
}
|
||||
}
|
||||
|
||||
SHA_CTX sha1_ctx;
|
||||
SHA256_CTX sha256_ctx;
|
||||
SHA_init(&sha1_ctx);
|
||||
SHA256_init(&sha256_ctx);
|
||||
SHA1_Init(&sha1_ctx);
|
||||
SHA256_Init(&sha256_ctx);
|
||||
|
||||
double frac = -1.0;
|
||||
size_t so_far = 0;
|
||||
|
@ -210,8 +209,8 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
size_t size = signed_len - so_far;
|
||||
if (size > BUFFER_SIZE) size = BUFFER_SIZE;
|
||||
|
||||
if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size);
|
||||
if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size);
|
||||
if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
|
||||
if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
|
||||
so_far += size;
|
||||
|
||||
double f = so_far / (double)signed_len;
|
||||
|
@ -221,8 +220,10 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
}
|
||||
}
|
||||
|
||||
const uint8_t* sha1 = SHA_final(&sha1_ctx);
|
||||
const uint8_t* sha256 = SHA256_final(&sha256_ctx);
|
||||
uint8_t sha1[SHA_DIGEST_LENGTH];
|
||||
SHA1_Final(sha1, &sha1_ctx);
|
||||
uint8_t sha256[SHA256_DIGEST_LENGTH];
|
||||
SHA256_Final(sha256, &sha256_ctx);
|
||||
|
||||
uint8_t* sig_der = nullptr;
|
||||
size_t sig_der_length = 0;
|
||||
|
@ -242,23 +243,25 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
size_t i = 0;
|
||||
for (const auto& key : keys) {
|
||||
const uint8_t* hash;
|
||||
int hash_nid;
|
||||
switch (key.hash_len) {
|
||||
case SHA_DIGEST_SIZE: hash = sha1; break;
|
||||
case SHA256_DIGEST_SIZE: hash = sha256; break;
|
||||
default: continue;
|
||||
case SHA_DIGEST_LENGTH:
|
||||
hash = sha1;
|
||||
hash_nid = NID_sha1;
|
||||
break;
|
||||
case SHA256_DIGEST_LENGTH:
|
||||
hash = sha256;
|
||||
hash_nid = NID_sha256;
|
||||
break;
|
||||
default:
|
||||
continue;
|
||||
}
|
||||
|
||||
// The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
|
||||
// the signing tool appends after the signature itself.
|
||||
if (key.key_type == Certificate::RSA) {
|
||||
if (sig_der_length < RSANUMBYTES) {
|
||||
// "signature" block isn't big enough to contain an RSA block.
|
||||
LOGI("signature is too short for RSA key %zu\n", i);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES,
|
||||
hash, key.hash_len)) {
|
||||
if (key.key_type == Certificate::KEY_TYPE_RSA) {
|
||||
if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
|
||||
sig_der_length, key.rsa.get())) {
|
||||
LOGI("failed to verify against RSA key %zu\n", i);
|
||||
continue;
|
||||
}
|
||||
|
@ -266,18 +269,10 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
LOGI("whole-file signature verified against RSA key %zu\n", i);
|
||||
free(sig_der);
|
||||
return VERIFY_SUCCESS;
|
||||
} else if (key.key_type == Certificate::EC
|
||||
&& key.hash_len == SHA256_DIGEST_SIZE) {
|
||||
p256_int r, s;
|
||||
if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) {
|
||||
LOGI("Not a DSA signature block for EC key %zu\n", i);
|
||||
continue;
|
||||
}
|
||||
|
||||
p256_int p256_hash;
|
||||
p256_from_bin(hash, &p256_hash);
|
||||
if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y),
|
||||
&p256_hash, &r, &s)) {
|
||||
} else if (key.key_type == Certificate::KEY_TYPE_EC
|
||||
&& key.hash_len == SHA256_DIGEST_LENGTH) {
|
||||
if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
|
||||
sig_der_length, key.ec.get())) {
|
||||
LOGI("failed to verify against EC key %zu\n", i);
|
||||
continue;
|
||||
}
|
||||
|
@ -295,6 +290,144 @@ int verify_file(unsigned char* addr, size_t length,
|
|||
return VERIFY_FAILURE;
|
||||
}
|
||||
|
||||
std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
|
||||
// Read key length in words and n0inv. n0inv is a precomputed montgomery
|
||||
// parameter derived from the modulus and can be used to speed up
|
||||
// verification. n0inv is 32 bits wide here, assuming the verification logic
|
||||
// uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
|
||||
// internally, in which case we don't have a valid n0inv. Thus, we just
|
||||
// ignore the montgomery parameters and have BoringSSL recompute them
|
||||
// internally. If/When the speedup from using the montgomery parameters
|
||||
// becomes relevant, we can add more sophisticated code here to obtain a
|
||||
// 64-bit n0inv and initialize the montgomery parameters in the key object.
|
||||
uint32_t key_len_words = 0;
|
||||
uint32_t n0inv = 0;
|
||||
if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
if (key_len_words > 8192 / 32) {
|
||||
LOGE("key length (%d) too large\n", key_len_words);
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// Read the modulus.
|
||||
std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
|
||||
if (fscanf(file, " , { %u", &modulus[0]) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
for (uint32_t i = 1; i < key_len_words; ++i) {
|
||||
if (fscanf(file, " , %u", &modulus[i]) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
}
|
||||
|
||||
// Cconvert from little-endian array of little-endian words to big-endian
|
||||
// byte array suitable as input for BN_bin2bn.
|
||||
std::reverse((uint8_t*)modulus.get(),
|
||||
(uint8_t*)(modulus.get() + key_len_words));
|
||||
|
||||
// The next sequence of values is the montgomery parameter R^2. Since we
|
||||
// generally don't have a valid |n0inv|, we ignore this (see comment above).
|
||||
uint32_t rr_value;
|
||||
if (fscanf(file, " } , { %u", &rr_value) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
for (uint32_t i = 1; i < key_len_words; ++i) {
|
||||
if (fscanf(file, " , %u", &rr_value) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
}
|
||||
if (fscanf(file, " } } ") != 0) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// Initialize the key.
|
||||
std::unique_ptr<RSA, RSADeleter> key(RSA_new());
|
||||
if (!key) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
key->n = BN_bin2bn((uint8_t*)modulus.get(),
|
||||
key_len_words * sizeof(uint32_t), NULL);
|
||||
if (!key->n) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
key->e = BN_new();
|
||||
if (!key->e || !BN_set_word(key->e, exponent)) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
return key;
|
||||
}
|
||||
|
||||
struct BNDeleter {
|
||||
void operator()(BIGNUM* bn) {
|
||||
BN_free(bn);
|
||||
}
|
||||
};
|
||||
|
||||
std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
|
||||
uint32_t key_len_bytes = 0;
|
||||
if (fscanf(file, " %i", &key_len_bytes) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
|
||||
EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
|
||||
if (!group) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// Verify that |key_len| matches the group order.
|
||||
if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// Read the public key coordinates. Note that the byte order in the file is
|
||||
// little-endian, so we convert to big-endian here.
|
||||
std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
|
||||
std::unique_ptr<BIGNUM, BNDeleter> point[2];
|
||||
for (int i = 0; i < 2; ++i) {
|
||||
unsigned int byte = 0;
|
||||
if (fscanf(file, " , { %u", &byte) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
bytes[key_len_bytes - 1] = byte;
|
||||
|
||||
for (size_t i = 1; i < key_len_bytes; ++i) {
|
||||
if (fscanf(file, " , %u", &byte) != 1) {
|
||||
return nullptr;
|
||||
}
|
||||
bytes[key_len_bytes - i - 1] = byte;
|
||||
}
|
||||
|
||||
point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
|
||||
if (!point[i]) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
if (fscanf(file, " }") != 0) {
|
||||
return nullptr;
|
||||
}
|
||||
}
|
||||
|
||||
if (fscanf(file, " } ") != 0) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// Create and initialize the key.
|
||||
std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
|
||||
if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
|
||||
!EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
|
||||
point[1].get())) {
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
return key;
|
||||
}
|
||||
|
||||
// Reads a file containing one or more public keys as produced by
|
||||
// DumpPublicKey: this is an RSAPublicKey struct as it would appear
|
||||
// as a C source literal, eg:
|
||||
|
@ -335,94 +468,57 @@ bool load_keys(const char* filename, std::vector<Certificate>& certs) {
|
|||
}
|
||||
|
||||
while (true) {
|
||||
certs.emplace_back(0, Certificate::RSA, nullptr, nullptr);
|
||||
certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
|
||||
Certificate& cert = certs.back();
|
||||
uint32_t exponent = 0;
|
||||
|
||||
char start_char;
|
||||
if (fscanf(f.get(), " %c", &start_char) != 1) return false;
|
||||
if (start_char == '{') {
|
||||
// a version 1 key has no version specifier.
|
||||
cert.key_type = Certificate::RSA;
|
||||
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
|
||||
cert.rsa->exponent = 3;
|
||||
cert.hash_len = SHA_DIGEST_SIZE;
|
||||
cert.key_type = Certificate::KEY_TYPE_RSA;
|
||||
exponent = 3;
|
||||
cert.hash_len = SHA_DIGEST_LENGTH;
|
||||
} else if (start_char == 'v') {
|
||||
int version;
|
||||
if (fscanf(f.get(), "%d {", &version) != 1) return false;
|
||||
switch (version) {
|
||||
case 2:
|
||||
cert.key_type = Certificate::RSA;
|
||||
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
|
||||
cert.rsa->exponent = 65537;
|
||||
cert.hash_len = SHA_DIGEST_SIZE;
|
||||
cert.key_type = Certificate::KEY_TYPE_RSA;
|
||||
exponent = 65537;
|
||||
cert.hash_len = SHA_DIGEST_LENGTH;
|
||||
break;
|
||||
case 3:
|
||||
cert.key_type = Certificate::RSA;
|
||||
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
|
||||
cert.rsa->exponent = 3;
|
||||
cert.hash_len = SHA256_DIGEST_SIZE;
|
||||
cert.key_type = Certificate::KEY_TYPE_RSA;
|
||||
exponent = 3;
|
||||
cert.hash_len = SHA256_DIGEST_LENGTH;
|
||||
break;
|
||||
case 4:
|
||||
cert.key_type = Certificate::RSA;
|
||||
cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey);
|
||||
cert.rsa->exponent = 65537;
|
||||
cert.hash_len = SHA256_DIGEST_SIZE;
|
||||
cert.key_type = Certificate::KEY_TYPE_RSA;
|
||||
exponent = 65537;
|
||||
cert.hash_len = SHA256_DIGEST_LENGTH;
|
||||
break;
|
||||
case 5:
|
||||
cert.key_type = Certificate::EC;
|
||||
cert.ec = std::unique_ptr<ECPublicKey>(new ECPublicKey);
|
||||
cert.hash_len = SHA256_DIGEST_SIZE;
|
||||
cert.key_type = Certificate::KEY_TYPE_EC;
|
||||
cert.hash_len = SHA256_DIGEST_LENGTH;
|
||||
break;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if (cert.key_type == Certificate::RSA) {
|
||||
RSAPublicKey* key = cert.rsa.get();
|
||||
if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv),
|
||||
&(key->n[0])) != 3) {
|
||||
return false;
|
||||
if (cert.key_type == Certificate::KEY_TYPE_RSA) {
|
||||
cert.rsa = parse_rsa_key(f.get(), exponent);
|
||||
if (!cert.rsa) {
|
||||
return false;
|
||||
}
|
||||
if (key->len != RSANUMWORDS) {
|
||||
LOGE("key length (%d) does not match expected size\n", key->len);
|
||||
return false;
|
||||
}
|
||||
for (int i = 1; i < key->len; ++i) {
|
||||
if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false;
|
||||
}
|
||||
if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false;
|
||||
for (int i = 1; i < key->len; ++i) {
|
||||
if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false;
|
||||
}
|
||||
fscanf(f.get(), " } } ");
|
||||
|
||||
LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len);
|
||||
} else if (cert.key_type == Certificate::EC) {
|
||||
ECPublicKey* key = cert.ec.get();
|
||||
int key_len;
|
||||
unsigned int byte;
|
||||
uint8_t x_bytes[P256_NBYTES];
|
||||
uint8_t y_bytes[P256_NBYTES];
|
||||
if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false;
|
||||
if (key_len != P256_NBYTES) {
|
||||
LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
|
||||
return false;
|
||||
LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
|
||||
} else if (cert.key_type == Certificate::KEY_TYPE_EC) {
|
||||
cert.ec = parse_ec_key(f.get());
|
||||
if (!cert.ec) {
|
||||
return false;
|
||||
}
|
||||
x_bytes[P256_NBYTES - 1] = byte;
|
||||
for (int i = P256_NBYTES - 2; i >= 0; --i) {
|
||||
if (fscanf(f.get(), " , %u", &byte) != 1) return false;
|
||||
x_bytes[i] = byte;
|
||||
}
|
||||
if (fscanf(f.get(), " } , { %u", &byte) != 1) return false;
|
||||
y_bytes[P256_NBYTES - 1] = byte;
|
||||
for (int i = P256_NBYTES - 2; i >= 0; --i) {
|
||||
if (fscanf(f.get(), " , %u", &byte) != 1) return false;
|
||||
y_bytes[i] = byte;
|
||||
}
|
||||
fscanf(f.get(), " } } ");
|
||||
p256_from_bin(x_bytes, &key->x);
|
||||
p256_from_bin(y_bytes, &key->y);
|
||||
} else {
|
||||
LOGE("Unknown key type %d\n", cert.key_type);
|
||||
return false;
|
||||
|
|
46
verifier.h
46
verifier.h
|
@ -20,32 +20,42 @@
|
|||
#include <memory>
|
||||
#include <vector>
|
||||
|
||||
#include "mincrypt/p256.h"
|
||||
#include "mincrypt/rsa.h"
|
||||
#include <openssl/ec_key.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/sha.h>
|
||||
|
||||
typedef struct {
|
||||
p256_int x;
|
||||
p256_int y;
|
||||
} ECPublicKey;
|
||||
struct RSADeleter {
|
||||
void operator()(RSA* rsa) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
};
|
||||
|
||||
struct ECKEYDeleter {
|
||||
void operator()(EC_KEY* ec_key) {
|
||||
EC_KEY_free(ec_key);
|
||||
}
|
||||
};
|
||||
|
||||
struct Certificate {
|
||||
typedef enum {
|
||||
RSA,
|
||||
EC,
|
||||
KEY_TYPE_RSA,
|
||||
KEY_TYPE_EC,
|
||||
} KeyType;
|
||||
|
||||
Certificate(int hash_len_, KeyType key_type_,
|
||||
std::unique_ptr<RSAPublicKey>&& rsa_,
|
||||
std::unique_ptr<ECPublicKey>&& ec_) :
|
||||
hash_len(hash_len_),
|
||||
key_type(key_type_),
|
||||
rsa(std::move(rsa_)),
|
||||
ec(std::move(ec_)) { }
|
||||
Certificate(int hash_len_,
|
||||
KeyType key_type_,
|
||||
std::unique_ptr<RSA, RSADeleter>&& rsa_,
|
||||
std::unique_ptr<EC_KEY, ECKEYDeleter>&& ec_)
|
||||
: hash_len(hash_len_),
|
||||
key_type(key_type_),
|
||||
rsa(std::move(rsa_)),
|
||||
ec(std::move(ec_)) {}
|
||||
|
||||
int hash_len; // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256)
|
||||
// SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256)
|
||||
int hash_len;
|
||||
KeyType key_type;
|
||||
std::unique_ptr<RSAPublicKey> rsa;
|
||||
std::unique_ptr<ECPublicKey> ec;
|
||||
std::unique_ptr<RSA, RSADeleter> rsa;
|
||||
std::unique_ptr<EC_KEY, ECKEYDeleter> ec;
|
||||
};
|
||||
|
||||
/* addr and length define a an update package file that has been
|
||||
|
|
Loading…
Reference in a new issue