authorDavid Zeuthen <zeuthen@google.com>2016-03-22 11:22:21 -0400
committerDavid Zeuthen <zeuthen@google.com>2016-03-22 13:05:09 -0400
commit0786fc110df80f485fed005c68c57b24769927ec (patch)
tree1901060c40a35f16349065f2a8d0e324c95383ea
parentf67c41ede7b456270494ac7607692c3a76f7c67d (diff)
bvb_refimpl: Hide SHA and RSA code from application code.
This hides the code implementing the few RSA and SHA bits we're using from the application, enabling us to change to another crypto implementation in the future if we so desire. Since we have limited control over the build system used, this is best-effort by playing C preprocessor games. The approach used is similar to how other C libraries do this (GLib, GTK+, D-Bus). BUG=None TEST=Manually tested. Change-Id: Icd3092d44d1b38419b657839c39f27b051bdcebe
-rw-r--r--Android.mk2
-rw-r--r--README27
-rw-r--r--bvb_boot_image_header.h4
-rw-r--r--bvb_property.h4
-rw-r--r--bvb_refimpl.h33
-rw-r--r--bvb_rsa.c1
-rw-r--r--bvb_rsa.h8
-rw-r--r--bvb_sha.h9
-rw-r--r--bvb_sysdeps.h4
-rw-r--r--bvb_util.h5
-rw-r--r--bvb_util_internal.h40
-rw-r--r--bvb_util_unittest.cc5
-rw-r--r--bvb_verify.h4
-rw-r--r--bvb_verify_unittest.cc4
-rw-r--r--bvbtool_unittest.cc4
15 files changed, 139 insertions, 15 deletions
diff --git a/Android.mk b/Android.mk
index 51800e5..7edbca8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -47,7 +47,7 @@ LOCAL_MODULE := libbvb_refimpl
LOCAL_MODULE_HOST_OS := linux
LOCAL_MODULE_CLASS := STATIC_LIBRARIES
LOCAL_CLANG := true
-LOCAL_CFLAGS := $(bvb_common_cflags) -DBVB_ENABLE_DEBUG
+LOCAL_CFLAGS := $(bvb_common_cflags) -DBVB_ENABLE_DEBUG -DBVB_REFIMPL_COMPILATION
LOCAL_LDFLAGS := $(bvb_common_ldflags)
LOCAL_C_INCLUDES :=
LOCAL_SRC_FILES := \
diff --git a/README b/README
index 6b40c26..d98e32a 100644
--- a/README
+++ b/README
@@ -20,16 +20,20 @@ signing boot images.
bvb_sha.h, bvb_sha{256, 512}.c
- Code for calculating SHA-256 and SHA-512.
+ Code for calculating SHA-256 and SHA-512. Only to be used internally.
bvb_rsa.h, bvb_rsa.c
- Code for verifying RSA signatures.
+ Code for verifying RSA signatures. Only to be used internally.
bvb_util.[ch]
Various utility code.
+ bvb_util_internal.h
+
+ Utility code used by bvb internals.
+
bvb_sysdeps.h
Declarations of system dependencies expected to be provided by the
@@ -78,6 +82,16 @@ If the BVB_ENABLE_DEBUG preprocessor symbol is set, the code will
include useful debug information and run-time checks. Production
builds should not use this.
+The preprocessor symbol BVB_REFIMPL_COMPILATION should be set when
+compiling the code. The code must be compiled into a separate library.
+
+Applications using the compiled library must only include the
+bvb_refimpl.h file (which will include all public interfaces) and must
+not have the BVB_REFIMPL_COMPILATION preprocessor symbol set. This is
+to ensure that internal code that may be change in the future (for
+example bvb_sha.[ch] and bvb_rsa.[ch]) will not be visible to
+application code.
+
-- COMPATIBILITY NOTES
The Brillo Boot Image structure (as defined in bvb_boot_image.h)
@@ -140,7 +154,8 @@ BOARD_BVB_ROLLBACK_INDEX variable:
If this is not set, the rollback index defaults to 0.
-Additionally, the variables BOARD_BVB_MAKE_BOOT_IMAGE_ARGS and
-BOARD_BVB_SIGN_BOOT_IMAGE_ARGS can be used to specify additional
-options passed to respectively 'bvbtool make_boot_image' and 'bvbtool
-sign_boot_image'.
+Additionally, the variables BOARD_BVB_MAKE_BOOT_IMAGE_ARGS,
+BOARD_BVB_SIGN_BOOT_IMAGE_ARGS, and BOARD_BVB_ADD_IMAGE_HASHES_ARGS
+can be used to specify additional options passed to respectively
+'bvbtool make_boot_image', 'bvbtool sign_boot_image', and 'bvbtool
+add_image_hashes'.
diff --git a/bvb_boot_image_header.h b/bvb_boot_image_header.h
index 69a2174..8f90e5e 100644
--- a/bvb_boot_image_header.h
+++ b/bvb_boot_image_header.h
@@ -14,6 +14,10 @@
* limitations under the License.
*/
+#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION)
+#error "Never include this file directly, include bvb_refimpl.h instead."
+#endif
+
#ifndef BVB_BOOT_IMAGE_HEADER_H_
#define BVB_BOOT_IMAGE_HEADER_H_
diff --git a/bvb_property.h b/bvb_property.h
index 94b5b28..d105e3e 100644
--- a/bvb_property.h
+++ b/bvb_property.h
@@ -14,6 +14,10 @@
* limitations under the License.
*/
+#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION)
+#error "Never include this file directly, include bvb_refimpl.h instead."
+#endif
+
#ifndef BVB_PROPERTY_H_
#define BVB_PROPERTY_H_
diff --git a/bvb_refimpl.h b/bvb_refimpl.h
new file mode 100644
index 0000000..e65ad09
--- /dev/null
+++ b/bvb_refimpl.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef BVB_REFIMPL_H_
+#define BVB_REFIMPL_H_
+
+/* The BVB_INSIDE_BVB_REFIMPL_H preprocessor symbol is used to enforce
+ * library users to include only this file. All public interfaces, and
+ * only public interfaces, must be included here.
+ */
+
+#define BVB_INSIDE_BVB_REFIMPL_H
+#include "bvb_boot_image_header.h"
+#include "bvb_property.h"
+#include "bvb_sysdeps.h"
+#include "bvb_util.h"
+#include "bvb_verify.h"
+#undef BVB_INSIDE_BVB_REFIMPL_H
+
+#endif /* BVB_REFIMPL_H_ */
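Review bot: The comment at the top of the new header describes BVB_INSIDE_BVB_REFIMPL_H as enforcing that users include only this file, but what the `#error` guards enforce is a compile-time courtesy check that any translation unit can bypass by defining BVB_REFIMPL_COMPILATION itself (bvb_util_unittest.cc does exactly that), and the bvb_rsa/bvb_sha symbols remain present in the static library regardless of which headers a caller sees. Since the commit message states the goal is freedom to swap the crypto implementation later, the comment should set that expectation, e.g. `/* Note: this is a compile-time hygiene check against accidental use of internal headers, not an API or ABI boundary; internal symbols are still linkable. */`. It would also be worth stating here that the list of includes is the public API surface and must be updated when a public header is added, so a new header does not silently become reachable only through the internal path.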
diff --git a/bvb_rsa.c b/bvb_rsa.c
index 50517b8..e569d81 100644
--- a/bvb_rsa.c
+++ b/bvb_rsa.c
@@ -27,6 +27,7 @@
#include "bvb_rsa.h"
#include "bvb_sha.h"
#include "bvb_util.h"
+#include "bvb_util_internal.h"
typedef struct Key {
unsigned int len; /* Length of n[] in number of uint32_t */
diff --git a/bvb_rsa.h b/bvb_rsa.h
index 517fd84..417ee35 100644
--- a/bvb_rsa.h
+++ b/bvb_rsa.h
@@ -19,6 +19,14 @@
* found in the LICENSE file.
*/
+#ifdef BVB_INSIDE_BVB_REFIMPL_H
+#error "You can't include bvb_rsa.h in the public header bvb_refimpl.h."
+#endif
+
+#ifndef BVB_REFIMPL_COMPILATION
+#error "Never include this file, it may only be used from internal bvb code."
+#endif
+
#ifndef BVB_RSA_H_
#define BVB_RSA_H_
diff --git a/bvb_sha.h b/bvb_sha.h
index 1b335dc..8f8efd7 100644
--- a/bvb_sha.h
+++ b/bvb_sha.h
@@ -14,6 +14,15 @@
* limitations under the License.
*/
+
+#ifdef BVB_INSIDE_BVB_REFIMPL_H
+#error "You can't include bvb_sha.h in the public header bvb_refimpl.h."
+#endif
+
+#ifndef BVB_REFIMPL_COMPILATION
+#error "Never include this file, it may only be used from internal bvb code."
+#endif
+
#ifndef BVB_SHA_H_
#define BVB_SHA_H_
diff --git a/bvb_sysdeps.h b/bvb_sysdeps.h
index a4cb17f..a1f924e 100644
--- a/bvb_sysdeps.h
+++ b/bvb_sysdeps.h
@@ -14,6 +14,10 @@
* limitations under the License.
*/
+#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION)
+#error "Never include this file directly, include bvb_refimpl.h instead."
+#endif
+
#ifndef BVB_SYSDEPS_H_
#define BVB_SYSDEPS_H_
diff --git a/bvb_util.h b/bvb_util.h
index 77331fc..951ce83 100644
--- a/bvb_util.h
+++ b/bvb_util.h
@@ -14,11 +14,14 @@
* limitations under the License.
*/
+#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION)
+#error "Never include this file directly, include bvb_refimpl.h instead."
+#endif
+
#ifndef BVB_UTIL_H_
#define BVB_UTIL_H_
#include "bvb_boot_image_header.h"
-#include "bvb_rsa.h"
#include "bvb_sysdeps.h"
#ifdef __cplusplus
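Review bot: Dropping `#include "bvb_rsa.h"` from the public header is the right direction, but the hunk ends before the declarations in bvb_util.h, so it is not visible whether any remaining prototype there still names a type from bvb_rsa.h (such as BvbRSAPublicKeyHeader); the diffstat shows only the one removed line for this file, so if such a prototype existed it was not moved. Please confirm that every declaration left in bvb_util.h resolves with just bvb_boot_image_header.h and bvb_sysdeps.h, otherwise an application including bvb_refimpl.h gets an undeclared-type error that the guards do not explain. The include-guarded body of bvb_util.h continues outside the hunk.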
diff --git a/bvb_util_internal.h b/bvb_util_internal.h
new file mode 100644
index 0000000..63d1193
--- /dev/null
+++ b/bvb_util_internal.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#ifndef BVB_REFIMPL_COMPILATION
+#error "Never include this file, it may only be used from internal bvb code."
+#endif
+
+#ifndef BVB_UTIL_INTERNAL_H_
+#define BVB_UTIL_INTERNAL_H_
+
+#include "bvb_rsa.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Copies |header| to |dest|, byte-swapping fields in the process. */
+void bvb_rsa_public_key_header_to_host_byte_order(
+ const BvbRSAPublicKeyHeader* src,
+ BvbRSAPublicKeyHeader* dest);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* BVB_UTIL_INTERNAL_H_ */
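Review bot: The doc comment on bvb_rsa_public_key_header_to_host_byte_order refers to a parameter `|header|` that does not exist; the parameters are `src` and `dest`, so the comment should read `/* Copies |src| to |dest|, byte-swapping fields in the process. */`. It would also help to state the aliasing contract, since byte-swapping in place is a common expectation for such helpers and the prototype does not say whether `src == dest` is allowed; add either `/* |src| and |dest| may alias. */` or `/* |src| and |dest| must not overlap. */` depending on what bvb_util.c implements (not visible here). Lastly, bvb_rsa.h and bvb_sha.h both carry an `#ifdef BVB_INSIDE_BVB_REFIMPL_H` check while this internal header does not; it is only protected transitively through bvb_rsa.h, so adding the same check keeps the internal headers uniform if that include is ever removed.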
diff --git a/bvb_util_unittest.cc b/bvb_util_unittest.cc
index 851e2bd..890158f 100644
--- a/bvb_util_unittest.cc
+++ b/bvb_util_unittest.cc
@@ -18,7 +18,10 @@
#include <gtest/gtest.h>
-#include "bvb_util.h"
+#include "bvb_refimpl.h"
+
+#define BVB_REFIMPL_COMPILATION
+#include "bvb_util_internal.h"
TEST(UtilTest, BootImageHeaderByteswap)
{
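Review bot: The test opts into the internal headers by defining BVB_REFIMPL_COMPILATION in source after including bvb_refimpl.h, whereas Android.mk passes the same symbol via LOCAL_CFLAGS only for the libbvb_refimpl module; nothing on the define explains why this translation unit deliberately bypasses the guard that the public header is meant to impose. A one-line comment would prevent a future cleanup from "fixing" it, e.g. `// This test exercises internal helpers, so deliberately opt into the internal headers.`. If the intent is that only tests may do this, it may be cleaner to set the symbol on the unittest module's cflags in Android.mk so that a grep for the define in sources finds no hits outside the library.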
diff --git a/bvb_verify.h b/bvb_verify.h
index 8a713e7..0cfd7ba 100644
--- a/bvb_verify.h
+++ b/bvb_verify.h
@@ -14,6 +14,10 @@
* limitations under the License.
*/
+#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION)
+#error "Never include this file directly, include bvb_refimpl.h instead."
+#endif
+
#ifndef BVB_VERIFY_H_
#define BVB_VERIFY_H_
diff --git a/bvb_verify_unittest.cc b/bvb_verify_unittest.cc
index faa4ae8..fb71777 100644
--- a/bvb_verify_unittest.cc
+++ b/bvb_verify_unittest.cc
@@ -25,9 +25,7 @@
#include <base/strings/stringprintf.h>
#include "bvb_unittest_util.h"
-#include "bvb_util.h"
-#include "bvb_verify.h"
-#include "bvb_property.h"
+#include "bvb_refimpl.h"
class VerifyTest : public BaseBvbToolTest {
public:
diff --git a/bvbtool_unittest.cc b/bvbtool_unittest.cc
index d57f2ae..975691a 100644
--- a/bvbtool_unittest.cc
+++ b/bvbtool_unittest.cc
@@ -25,9 +25,7 @@
#include <base/strings/stringprintf.h>
#include "bvb_unittest_util.h"
-#include "bvb_util.h"
-#include "bvb_verify.h"
-#include "bvb_property.h"
+#include "bvb_refimpl.h"
class BvbToolTest : public BaseBvbToolTest {
public: