diff options
Diffstat (limited to 'refimpl')
-rw-r--r-- | refimpl/bvb_boot_image_header.h | 302 | ||||
-rw-r--r-- | refimpl/bvb_property.c | 176 | ||||
-rw-r--r-- | refimpl/bvb_property.h | 69 | ||||
-rw-r--r-- | refimpl/bvb_refimpl.h | 33 | ||||
-rw-r--r-- | refimpl/bvb_rsa.c | 276 | ||||
-rw-r--r-- | refimpl/bvb_rsa.h | 69 | ||||
-rw-r--r-- | refimpl/bvb_sha.h | 87 | ||||
-rw-r--r-- | refimpl/bvb_sha256.c | 310 | ||||
-rw-r--r-- | refimpl/bvb_sha512.c | 333 | ||||
-rw-r--r-- | refimpl/bvb_sysdeps.h | 126 | ||||
-rw-r--r-- | refimpl/bvb_sysdeps_stub.c | 84 | ||||
-rw-r--r-- | refimpl/bvb_util.c | 114 | ||||
-rw-r--r-- | refimpl/bvb_util.h | 68 | ||||
-rw-r--r-- | refimpl/bvb_verify.c | 303 | ||||
-rw-r--r-- | refimpl/bvb_verify.h | 102 |
15 files changed, 0 insertions, 2452 deletions
diff --git a/refimpl/bvb_boot_image_header.h b/refimpl/bvb_boot_image_header.h deleted file mode 100644 index 8f90e5e..0000000 --- a/refimpl/bvb_boot_image_header.h +++ /dev/null @@ -1,302 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION) -#error "Never include this file directly, include bvb_refimpl.h instead." -#endif - -#ifndef BVB_BOOT_IMAGE_HEADER_H_ -#define BVB_BOOT_IMAGE_HEADER_H_ - -#include "bvb_sysdeps.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Size of the Brillo boot image header. */ -#define BVB_BOOT_IMAGE_HEADER_SIZE 8192 - -/* Magic for the Brillo boot image header. */ -#define BVB_MAGIC "BVB0" -#define BVB_MAGIC_LEN 4 - -/* The current MAJOR and MINOR versions used - keep in sync with bvbtool. */ -#define BVB_MAJOR_VERSION 1 -#define BVB_MINOR_VERSION 0 - -/* Maximum number of bytes in the kernel command-line before substitution. */ -#define BVB_KERNEL_CMDLINE_MAX_LEN 4096 - -/* Algorithms that can be used in the Brillo boot image for - * verification. An algorithm consists of a hash type and a signature - * type. - * - * The data used to calculate the hash is the four blocks mentioned in - * the documentation for |BvbBootImageHeader| except for the data in - * the "Authentication data" block. - * - * For signatures with RSA keys, PKCS v1.5 padding is used. The public - * key data is stored in the auxilary data block, see - * |BvbRSAPublicKeyHeader| for the serialization format. - * - * Each algorithm type is described below: - * - * BVB_ALGORITHM_TYPE_NONE: There is no hash, no signature of the - * data, and no public key. The data cannot be verified. The fields - * |hash_size|, |signature_size|, and |public_key_size| must be zero. - * - * BVB_ALGORITHM_TYPE_SHA256_RSA2048: The hash function used is - * SHA-256, resulting in 32 bytes of hash digest data. This hash is - * signed with a 2048-bit RSA key. The field |hash_size| must be 32, - * |signature_size| must be 256, and the public key data must have - * |key_num_bits| set to 2048. - * - * BVB_ALGORITHM_TYPE_SHA256_RSA4096: Like above, but only with - * a 4096-bit RSA key and |signature_size| set to 512. - * - * BVB_ALGORITHM_TYPE_SHA256_RSA8192: Like above, but only with - * a 8192-bit RSA key and |signature_size| set to 1024. - * - * BVB_ALGORITHM_TYPE_SHA512_RSA2048: The hash function used is - * SHA-512, resulting in 64 bytes of hash digest data. This hash is - * signed with a 2048-bit RSA key. The field |hash_size| must be 64, - * |signature_size| must be 256, and the public key data must have - * |key_num_bits| set to 2048. - * - * BVB_ALGORITHM_TYPE_SHA512_RSA4096: Like above, but only with - * a 4096-bit RSA key and |signature_size| set to 512. - * - * BVB_ALGORITHM_TYPE_SHA512_RSA8192: Like above, but only with - * a 8192-bit RSA key and |signature_size| set to 1024. - */ -typedef enum { - BVB_ALGORITHM_TYPE_NONE, - BVB_ALGORITHM_TYPE_SHA256_RSA2048, - BVB_ALGORITHM_TYPE_SHA256_RSA4096, - BVB_ALGORITHM_TYPE_SHA256_RSA8192, - BVB_ALGORITHM_TYPE_SHA512_RSA2048, - BVB_ALGORITHM_TYPE_SHA512_RSA4096, - BVB_ALGORITHM_TYPE_SHA512_RSA8192, - _BVB_ALGORITHM_NUM_TYPES -} BvbAlgorithmType; - -/* The header for a serialized RSA public key. - * - * The size of the key is given by |key_num_bits|, for example 2048 - * for a RSA-2048 key. By definition, a RSA public key is the pair (n, - * e) where |n| is the modulus (which can be represented in - * |key_num_bits| bits) and |e| is the public exponent. The exponent - * is not stored since it's assumed to always be 65537. - * - * To optimize verification, the key block includes two precomputed - * values, |n0inv| (fits in 32 bits) and |rr| and can always be - * represented in |key_num_bits|. - - * The value |n0inv| is the value -1/n[0] (mod 2^32). The value |rr| - * is (2^key_num_bits)^2 (mod n). - * - * Following this header is |key_num_bits| bits of |n|, then - * |key_num_bits| bits of |rr|. Both values are stored with most - * significant bit first. Each serialized number takes up - * |key_num_bits|/8 bytes. - * - * All fields in this struct are stored in network byte order when - * serialized. To generate a copy with fields swapped to native byte - * order, use the function bvb_rsa_public_key_header_to_host_byte_order(). - * - * The bvb_RSAVerify() function expects a key in this serialized - * format. - * - * The 'bvbtool extract_public_key' command can be used to generate a - * serialized RSA public key. - */ -typedef struct BvbRSAPublicKeyHeader { - uint32_t key_num_bits; - uint32_t n0inv; -} __attribute__((packed)) BvbRSAPublicKeyHeader; - -/* The header for a serialized property. - * - * Following this header is |key_num_bytes| bytes of key data, - * followed by a NUL byte, then |value_num_bytes| bytes of value data, - * followed by a NUL byte and then enough padding to make the combined - * size a multiple of 8. - * - * Headers with keys beginning with "brillo." are reserved for use in - * the Brillo project and must not be used by others. Well-known - * headers include - * - * brillo.device_tree: The property value is a device-tree blob. - */ -typedef struct BvbPropertyHeader { - uint64_t key_num_bytes; - uint64_t value_num_bytes; -} __attribute__((packed)) BvbPropertyHeader; - -/* Binary format for header of the boot image used in Brillo. - * - * The Brillo boot image consists of four blocks: - * - * +-----------------------------------------+ - * | Header data - fixed size | - * +-----------------------------------------+ - * | Authentication data - variable size | - * +-----------------------------------------+ - * | Auxilary data - variable size | - * +-----------------------------------------+ - * | Payload data - variable size | - * +-----------------------------------------+ - * - * The "Header data" block is described by this struct and is always - * |BVB_BOOT_IMAGE_HEADER_SIZE| bytes long. - * - * The "Authentication data" block is |authentication_data_block_size| - * bytes long and contains the hash and signature used to authenticate - * the boot image. The type of the hash and signature is defined by - * the |algorithm_type| field. - * - * The "Auxilary data" is |auxilary_data_block_size| bytes long and - * contains the auxilary data including the public key used to make - * the signature and properties. - * - * The public key is at offset |public_key_offset| with size - * |public_key_size| in this block. The size of the public key data is - * defined by the |algorithm_type| field. The format of the public key - * data is described in the |BvbRSAPublicKeyHeader| struct. - * - * The properties starts at |properties_offset| from the beginning of - * the "Auxliary Data" block and take up |properties_size| bytes. Each - * property is stored as |BvbPropertyHeader| with key, NUL, value, - * NUL, and padding following. The number of properties can be - * determined by walking this data until |properties_size| is - * exhausted. - * - * The "Payload data" block is |payload_data_block_size| bytes - * long. This is where the kernel, initramfs, and other data is - * stored. - * - * The size of each of the "Authentication data" and "Auxilary data" - * blocks must be divisible by 64. This is to ensure proper alignment. - * - * Properties are free-form key/value pairs stored in a part of the - * boot partition subject to the same integrity checks as the rest of - * the boot partition. See the documentation for |BvbPropertyHeader| - * for well-known properties. See bvb_property_lookup() and - * bvb_property_lookup_uint64() for convenience functions to look up - * property values. - * - * This struct is versioned, see the |header_version_major| and - * |header_version_minor| fields. Compatibility is guaranteed only - * within the same major version. - * - * All fields are stored in network byte order when serialized. To - * generate a copy with fields swapped to native byte order, use the - * function bvb_boot_image_header_to_host_byte_order(). - * - * Before reading and/or using any of this data, you MUST verify it - * using bvb_verify_boot_image() and reject it unless it's signed by a - * known good public key. - */ -typedef struct BvbBootImageHeader { - /* 0: Four bytes equal to "BVB0" (BVB_MAGIC). */ - uint8_t magic[BVB_MAGIC_LEN]; - /* 4: The major version of the boot image header. */ - uint32_t header_version_major; - /* 8: The minor version of the boot image header. */ - uint32_t header_version_minor; - - /* 12: The size of the signature block. */ - uint64_t authentication_data_block_size; - /* 20: The size of the public key block. */ - uint64_t auxilary_data_block_size; - /* 28: The size of the payload block. */ - uint64_t payload_data_block_size; - - /* 36: The verification algorithm used, see |BvbAlgorithmType| enum. */ - uint32_t algorithm_type; - - /* 40: Offset into the "Authentication data" block of hash data. */ - uint64_t hash_offset; - /* 48: Length of the hash data. */ - uint64_t hash_size; - - /* 56: Offset into the "Authentication data" block of signature data. */ - uint64_t signature_offset; - /* 64: Length of the signature data. */ - uint64_t signature_size; - - /* 72: Offset into the "Auxilary data" block of public key data. */ - uint64_t public_key_offset; - /* 80: Length of the public key data. */ - uint64_t public_key_size; - - /* 88: Offset into the "Auxilary data" block of property data. */ - uint64_t properties_offset; - /* 96: Length of property data. */ - uint64_t properties_size; - - /* 104: The rollback index which can be used to prevent rollback to - * older versions. - */ - uint64_t rollback_index; - - /* 112: Offset into the "Payload data" block of kernel image. */ - uint64_t kernel_offset; - /* 120: Length of the kernel image. */ - uint64_t kernel_size; - - /* 128: Offset into the "Payload data" block of initial ramdisk. */ - uint64_t initrd_offset; - /* 136: Length of the initial ramdisk. */ - uint64_t initrd_size; - - /* 144: Physical kernel load address. */ - uint64_t kernel_addr; - - /* 152: Physical initial ramdisk load address. */ - uint64_t initrd_addr; - - /* 160: The NUL-terminated kernel command-line string, passed to the - * Linux kernel. - * - * Limited substitution will be performed by the boot loader - the - * following variables are supported: - * - * $(ANDROID_SYSTEM_PARTUUID) - this place-holder will be replaced - * with the image UUID/GUID of the corresponding system_X image of - * the booted slot (where _X is the slot to boot). - * - * $(ANDROID_BOOT_PARTUUID) - this place-holder will be replaced - * with the image UUID/GUID of the boot image of the booted slot. - * - * For example, the snippet "root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)" - * in this field can be used to instruct the Linux kernel to use the - * system image in the booted slot as the root filesystem. - */ - uint8_t kernel_cmdline[BVB_KERNEL_CMDLINE_MAX_LEN]; - - /* 4256: Padding to ensure struct is size BVB_BOOT_IMAGE_HEADER_SIZE - * bytes. This must be set to zeroes. - */ - uint8_t reserved[3936]; -} __attribute__((packed)) BvbBootImageHeader; - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_BOOT_IMAGE_HEADER_H_ */ diff --git a/refimpl/bvb_property.c b/refimpl/bvb_property.c deleted file mode 100644 index 8b3ac3d..0000000 --- a/refimpl/bvb_property.c +++ /dev/null @@ -1,176 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "bvb_boot_image_header.h" -#include "bvb_util.h" - -const char* bvb_lookup_property(const uint8_t* image_data, size_t image_size, - const char* key, size_t key_size, - size_t* out_value_size) { - const BvbBootImageHeader *header = NULL; - const char* ret = NULL; - const uint8_t* image_end; - const uint8_t* prop_start; - const uint8_t* prop_end; - const uint8_t* p; - - if (out_value_size != NULL) - *out_value_size = 0; - - if (image_data == NULL) { - bvb_debug("image_data is NULL\n."); - goto out; - } - - if (key == NULL) { - bvb_debug("key is NULL\n."); - goto out; - } - - if (image_size < sizeof(BvbBootImageHeader)) { - bvb_debug("Length is smaller than header.\n"); - goto out; - } - - // Ensure magic is correct. - if (bvb_memcmp(image_data, BVB_MAGIC, BVB_MAGIC_LEN) != 0) { - bvb_debug("Magic is incorrect.\n"); - goto out; - } - - if (key_size == 0) - key_size = bvb_strlen(key); - - // Careful, not byteswapped - also ensure it's aligned properly. - bvb_assert_word_aligned(image_data); - header = (const BvbBootImageHeader *) image_data; - image_end = image_data + image_size; - - prop_start = image_data + sizeof(BvbBootImageHeader) + - bvb_be64toh(header->authentication_data_block_size) + - bvb_be64toh(header->properties_offset); - - prop_end = prop_start + bvb_be64toh(header->properties_size); - - if (prop_start < image_data || prop_start > image_end || - prop_end < image_data || prop_end > image_end || - prop_end < prop_start) { - bvb_debug("Properties not inside passed-in data.\n"); - goto out; - } - - for (p = prop_start; p < prop_end; ) { - const BvbPropertyHeader *ph = (const BvbPropertyHeader *) p; - bvb_assert_word_aligned(ph); - uint64_t key_nb = bvb_be64toh(ph->key_num_bytes); - uint64_t value_nb = bvb_be64toh(ph->value_num_bytes); - uint64_t total = sizeof(BvbPropertyHeader) + 2 /* NUL bytes */ - + key_nb + value_nb; - uint64_t remainder = total % 8; - - if (remainder != 0) - total += 8 - remainder; - - if (total + p < prop_start || total + p > prop_end) { - bvb_debug("Invalid data in properties array.\n"); - goto out; - } - if (p[sizeof(BvbPropertyHeader) + key_nb] != 0) { - bvb_debug("No terminating NUL byte in key.\n"); - goto out; - } - if (p[sizeof(BvbPropertyHeader) + key_nb + 1 + value_nb] != 0) { - bvb_debug("No terminating NUL byte in value.\n"); - goto out; - } - if (key_size == key_nb) { - if (bvb_memcmp(p + sizeof(BvbPropertyHeader), key, key_size) == 0) { - ret = (const char *) (p + sizeof(BvbPropertyHeader) + key_nb + 1); - if (out_value_size != NULL) - *out_value_size = value_nb; - goto out; - } - } - p += total; - } - -out: - return ret; -} - -int bvb_lookup_property_uint64(const uint8_t* image_data, size_t image_size, - const char* key, size_t key_size, - uint64_t* out_value) { - const char *value; - int ret = 0; - uint64_t parsed_val; - int base; - int n; - - value = bvb_lookup_property(image_data, image_size, key, key_size, NULL); - if (value == NULL) - goto out; - - base = 10; - if (bvb_memcmp(value, "0x", 2) == 0) { - base = 16; - value += 2; - } - - parsed_val = 0; - for (n = 0; value[n] != '\0'; n++) { - int c = value[n]; - int digit; - - parsed_val *= base; - - switch (base) { - case 10: - if (c >= '0' && c <= '9') { - digit = c - '0'; - } else { - bvb_debug("Invalid digit.\n"); - goto out; - } - break; - - case 16: - if (c >= '0' && c <= '9') { - digit = c - '0'; - } else if (c >= 'a' && c <= 'f') { - digit = c - 'a' + 10; - } else if (c >= 'A' && c <= 'F') { - digit = c - 'A' + 10; - } else { - bvb_debug("Invalid digit.\n"); - goto out; - } - break; - - default: - goto out; - } - - parsed_val += digit; - } - - ret = 1; - if (out_value != NULL) - *out_value = parsed_val; - -out: - return ret; -} diff --git a/refimpl/bvb_property.h b/refimpl/bvb_property.h deleted file mode 100644 index d105e3e..0000000 --- a/refimpl/bvb_property.h +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION) -#error "Never include this file directly, include bvb_refimpl.h instead." -#endif - -#ifndef BVB_PROPERTY_H_ -#define BVB_PROPERTY_H_ - -#ifdef __cplusplus -extern "C" { -#endif - -#include "bvb_boot_image_header.h" - -/* Convenience function for looking up the value for a property with - * name |key| in a Brillo boot image. If |key| is NUL-terminated, - * |key_size| may be set to 0. - * - * The |image_data| parameter must be a pointer to a Brillo Boot Image - * of size |image_size|. - * - * This function returns a pointer to the value inside the passed-in - * image or NULL if not found. Note that the value is always - * guaranteed to be followed by a NUL byte. - * - * If the value was found and |out_value_size| is not NULL, the size - * of the value is returned there. - * - * This function is O(n) in number of properties so if you need to - * look up a lot of values, you may want to build a more efficient - * lookup-table by manually walking all properties yourself. - * - * Before using this function, you MUST verify |image_data| with - * bvb_verify_boot_image() and reject it unless it's signed by a known - * good public key. - */ -const char* bvb_lookup_property(const uint8_t* image_data, size_t image_size, - const char* key, size_t key_size, - size_t* out_value_size); - -/* Like bvb_lookup_property() but parses the value as an unsigned - * 64-bit integer. Both decimal and hexadecimal representations - * (e.g. "0x2a") are supported. Returns 0 on failure and non-zero on - * success. On success, the parsed value is returned in |out_value|. - */ -int bvb_lookup_property_uint64(const uint8_t* image_data, size_t image_size, - const char* key, size_t key_size, - uint64_t* out_value); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_PROPERTY_H_ */ diff --git a/refimpl/bvb_refimpl.h b/refimpl/bvb_refimpl.h deleted file mode 100644 index e65ad09..0000000 --- a/refimpl/bvb_refimpl.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef BVB_REFIMPL_H_ -#define BVB_REFIMPL_H_ - -/* The BVB_INSIDE_BVB_REFIMPL_H preprocessor symbol is used to enforce - * library users to include only this file. All public interfaces, and - * only public interfaces, must be included here. - */ - -#define BVB_INSIDE_BVB_REFIMPL_H -#include "bvb_boot_image_header.h" -#include "bvb_property.h" -#include "bvb_sysdeps.h" -#include "bvb_util.h" -#include "bvb_verify.h" -#undef BVB_INSIDE_BVB_REFIMPL_H - -#endif /* BVB_REFIMPL_H_ */ diff --git a/refimpl/bvb_rsa.c b/refimpl/bvb_rsa.c deleted file mode 100644 index 50517b8..0000000 --- a/refimpl/bvb_rsa.c +++ /dev/null @@ -1,276 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/* Implementation of RSA signature verification which uses a pre-processed - * key for computation. The code extends Android's RSA verification code to - * support multiple RSA key lengths and hash digest algorithms. - */ - -#include "bvb_rsa.h" -#include "bvb_sha.h" -#include "bvb_util.h" - -typedef struct Key { - unsigned int len; /* Length of n[] in number of uint32_t */ - uint32_t n0inv; /* -1 / n[0] mod 2^32 */ - uint32_t* n; /* modulus as little endian array */ - uint32_t* rr; /* R^2 as little endian array */ -} Key; - -Key* parse_key_data(const uint8_t* data, size_t length) { - BvbRSAPublicKeyHeader h; - Key* key = NULL; - size_t expected_length; - unsigned int i; - const uint8_t* n; - const uint8_t *rr; - - bvb_rsa_public_key_header_to_host_byte_order( - (const BvbRSAPublicKeyHeader *) data, &h); - - if (!(h.key_num_bits == 2048 || - h.key_num_bits == 4096 || - h.key_num_bits == 8192)) { - bvb_debug("Unexpected key length.\n"); - goto fail; - } - - expected_length = sizeof(BvbRSAPublicKeyHeader) + 2*h.key_num_bits/8; - if (length != expected_length) { - bvb_debug("Key does not match expected length.\n"); - goto fail; - } - - n = data + sizeof(BvbRSAPublicKeyHeader); - rr = data + sizeof(BvbRSAPublicKeyHeader) + h.key_num_bits/8; - - // Store n and rr following the key header so we only have to do one - // allocation. - key = (Key *) (bvb_malloc(sizeof(Key) + 2*h.key_num_bits/8)); - if (key == NULL) - goto fail; - - key->len = h.key_num_bits/32; - key->n0inv = h.n0inv; - key->n = (uint32_t *) (key + 1); // Skip ahead sizeof(Key) bytes. - key->rr = key->n + key->len; - - // Crypto-code below (modpowF4() and friends) expects the key in - // little-endian format (rather than the format we're storing the - // key in), so convert it. - for (i = 0; i < key->len; i++) { - key->n[i] = bvb_be32toh(((uint32_t *) n)[key->len - i - 1]); - key->rr[i] = bvb_be32toh(((uint32_t *) rr)[key->len - i - 1]); - } - return key; - -fail: - if (key != NULL) - bvb_free(key); - return NULL; -} - -void free_parsed_key(Key* key) { - bvb_free(key); -} - -/* a[] -= mod */ -static void subM(const Key* key, uint32_t* a) { - int64_t A = 0; - uint32_t i; - for (i = 0; i < key->len; ++i) { - A += (uint64_t)a[i] - key->n[i]; - a[i] = (uint32_t)A; - A >>= 32; - } -} - -/* return a[] >= mod */ -static int geM(const Key* key, uint32_t *a) { - uint32_t i; - for (i = key->len; i;) { - --i; - if (a[i] < key->n[i]) return 0; - if (a[i] > key->n[i]) return 1; - } - return 1; /* equal */ - } - -/* montgomery c[] += a * b[] / R % mod */ -static void montMulAdd(const Key* key, - uint32_t* c, - const uint32_t a, - const uint32_t* b) { - uint64_t A = (uint64_t)a * b[0] + c[0]; - uint32_t d0 = (uint32_t)A * key->n0inv; - uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A; - uint32_t i; - - for (i = 1; i < key->len; ++i) { - A = (A >> 32) + (uint64_t)a * b[i] + c[i]; - B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A; - c[i - 1] = (uint32_t)B; - } - - A = (A >> 32) + (B >> 32); - - c[i - 1] = (uint32_t)A; - - if (A >> 32) { - subM(key, c); - } -} - -/* montgomery c[] = a[] * b[] / R % mod */ -static void montMul(const Key* key, - uint32_t* c, - uint32_t* a, - uint32_t* b) { - uint32_t i; - for (i = 0; i < key->len; ++i) { - c[i] = 0; - } - for (i = 0; i < key->len; ++i) { - montMulAdd(key, c, a[i], b); - } -} - -/* In-place public exponentiation. (65537} - * Input and output big-endian byte array in inout. - */ -static void modpowF4(const Key *key, - uint8_t* inout) { - uint32_t* a = (uint32_t*) bvb_malloc(key->len * sizeof(uint32_t)); - uint32_t* aR = (uint32_t*) bvb_malloc(key->len * sizeof(uint32_t)); - uint32_t* aaR = (uint32_t*) bvb_malloc(key->len * sizeof(uint32_t)); - if (a == NULL || aR == NULL || aaR == NULL) - goto out; - - uint32_t* aaa = aaR; /* Re-use location. */ - int i; - - /* Convert from big endian byte array to little endian word array. */ - for (i = 0; i < (int)key->len; ++i) { - uint32_t tmp = - (inout[((key->len - 1 - i) * 4) + 0] << 24) | - (inout[((key->len - 1 - i) * 4) + 1] << 16) | - (inout[((key->len - 1 - i) * 4) + 2] << 8) | - (inout[((key->len - 1 - i) * 4) + 3] << 0); - a[i] = tmp; - } - - montMul(key, aR, a, key->rr); /* aR = a * RR / R mod M */ - for (i = 0; i < 16; i+=2) { - montMul(key, aaR, aR, aR); /* aaR = aR * aR / R mod M */ - montMul(key, aR, aaR, aaR); /* aR = aaR * aaR / R mod M */ - } - montMul(key, aaa, aR, a); /* aaa = aR * a / R mod M */ - - - /* Make sure aaa < mod; aaa is at most 1x mod too large. */ - if (geM(key, aaa)) { - subM(key, aaa); - } - - /* Convert to bigendian byte array */ - for (i = (int)key->len - 1; i >= 0; --i) { - uint32_t tmp = aaa[i]; - *inout++ = (uint8_t)(tmp >> 24); - *inout++ = (uint8_t)(tmp >> 16); - *inout++ = (uint8_t)(tmp >> 8); - *inout++ = (uint8_t)(tmp >> 0); - } - -out: - if (a != NULL) - bvb_free(a); - if (aR != NULL) - bvb_free(aR); - if (aaR != NULL) - bvb_free(aaR); -} - -/* Verify a RSA PKCS1.5 signature against an expected hash. - * Returns 0 on failure, 1 on success. - */ -int bvb_rsa_verify(const uint8_t* key, size_t key_num_bytes, - const uint8_t* sig, size_t sig_num_bytes, - const uint8_t* hash, size_t hash_num_bytes, - const uint8_t* padding, size_t padding_num_bytes) { - uint8_t* buf = NULL; - Key* parsed_key = NULL; - int success = 0; - - if (key == NULL || sig == NULL || hash == NULL || padding == NULL) { - bvb_debug("Invalid input.\n"); - goto out; - } - - parsed_key = parse_key_data(key, key_num_bytes); - if (parsed_key == NULL) { - bvb_debug("Error parsing key.\n"); - goto out; - } - - if (sig_num_bytes != (parsed_key->len * sizeof(uint32_t))) { - bvb_debug("Signature length does not match key length.\n"); - goto out; - } - - if (padding_num_bytes != sig_num_bytes - hash_num_bytes) { - bvb_debug("Padding length does not match hash and signature lengths.\n"); - goto out; - } - - buf = (uint8_t *) bvb_malloc(sig_num_bytes); - if (buf == NULL) { - bvb_debug("Error allocating %d bytes.\n", (int) sig_num_bytes); - goto out; - } - bvb_memcpy(buf, sig, sig_num_bytes); - - modpowF4(parsed_key, buf); - - /* Check padding bytes. - * - * Even though there are probably no timing issues here, we use - * bvb_safe_memcmp() just to be on the safe side. - */ - if (bvb_safe_memcmp(buf, padding, padding_num_bytes)) { - bvb_debug("Padding check failed.\n"); - goto out; - } - - /* Check hash. */ - if (bvb_safe_memcmp(buf + padding_num_bytes, hash, hash_num_bytes)) { - bvb_debug("Hash check failed.\n"); - goto out; - } - - success = 1; - -out: - if (parsed_key != NULL) - free_parsed_key(parsed_key); - if (buf != NULL) - bvb_free(buf); - return success; -} diff --git a/refimpl/bvb_rsa.h b/refimpl/bvb_rsa.h deleted file mode 100644 index 417ee35..0000000 --- a/refimpl/bvb_rsa.h +++ /dev/null @@ -1,69 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -#ifdef BVB_INSIDE_BVB_REFIMPL_H -#error "You can't include bvb_rsa.h in the public header bvb_refimpl.h." -#endif - -#ifndef BVB_REFIMPL_COMPILATION -#error "Never include this file, it may only be used from internal bvb code." -#endif - -#ifndef BVB_RSA_H_ -#define BVB_RSA_H_ - -#ifdef __cplusplus -extern "C" { -#endif - -#include "bvb_sysdeps.h" - -/* Size of a RSA-2048 signature. */ -#define BVB_RSA2048_NUM_BYTES 256 - -/* Size of a RSA-4096 signature. */ -#define BVB_RSA4096_NUM_BYTES 512 - -/* Size of a RSA-8192 signature. */ -#define BVB_RSA8192_NUM_BYTES 1024 - -/* Using the key given by |key_header|, verify a RSA signature |sig| - * of length |sig_num_bytes| against an expected |hash| of length - * |hash_num_bytes|. The padding to expect must be passed in using - * |padding| of length |padding_num_bytes|. - * - * The data in |key| must match the format defined in - * |BvbRSAPublicKeyHeader|, including the two large numbers - * following. The |key_num_bytes| must be the size of the entire - * serialized key. - * - * Returns zero if verification fails, non-zero otherwise. - */ -int bvb_rsa_verify(const uint8_t* key, size_t key_num_bytes, - const uint8_t* sig, size_t sig_num_bytes, - const uint8_t* hash, size_t hash_num_bytes, - const uint8_t* padding, size_t padding_num_bytes); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_RSA_H_ */ diff --git a/refimpl/bvb_sha.h b/refimpl/bvb_sha.h deleted file mode 100644 index 8f8efd7..0000000 --- a/refimpl/bvb_sha.h +++ /dev/null @@ -1,87 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -#ifdef BVB_INSIDE_BVB_REFIMPL_H -#error "You can't include bvb_sha.h in the public header bvb_refimpl.h." -#endif - -#ifndef BVB_REFIMPL_COMPILATION -#error "Never include this file, it may only be used from internal bvb code." -#endif - -#ifndef BVB_SHA_H_ -#define BVB_SHA_H_ - -#ifdef __cplusplus -extern "C" { -#endif - -#include "bvb_sysdeps.h" - -/* Size in bytes of a SHA-256 digest. */ -#define BVB_SHA256_DIGEST_SIZE 32 - -/* Block size in bytes of a SHA-256 digest. */ -#define BVB_SHA256_BLOCK_SIZE 64 - -/* Size in bytes of a SHA-512 digest. */ -#define BVB_SHA512_DIGEST_SIZE 64 - -/* Block size in bytes of a SHA-512 digest. */ -#define BVB_SHA512_BLOCK_SIZE 128 - -/* Data structure used for SHA-256. */ -typedef struct { - uint32_t h[8]; - uint32_t tot_len; - uint32_t len; - uint8_t block[2 * BVB_SHA256_BLOCK_SIZE]; - uint8_t buf[BVB_SHA256_DIGEST_SIZE]; /* Used for storing the final digest. */ -} BvbSHA256Ctx; - -/* Data structure used for SHA-512. */ -typedef struct { - uint64_t h[8]; - uint32_t tot_len; - uint32_t len; - uint8_t block[2 * BVB_SHA512_BLOCK_SIZE]; - uint8_t buf[BVB_SHA512_DIGEST_SIZE]; /* Used for storing the final digest. */ -} BvbSHA512Ctx; - -/* Initializes the SHA-256 context. */ -void bvb_sha256_init(BvbSHA256Ctx* ctx); - -/* Updates the SHA-256 context with |len| bytes from |data|. */ -void bvb_sha256_update(BvbSHA256Ctx* ctx, const uint8_t* data, uint32_t len); - -/* Returns the SHA-256 digest. */ -uint8_t* bvb_sha256_final(BvbSHA256Ctx* ctx); - -/* Initializes the SHA-512 context. */ -void bvb_sha512_init(BvbSHA512Ctx* ctx); - -/* Updates the SHA-512 context with |len| bytes from |data|. */ -void bvb_sha512_update(BvbSHA512Ctx* ctx, const uint8_t* data, uint32_t len); - -/* Returns the SHA-512 digest. */ -uint8_t* bvb_sha512_final(BvbSHA512Ctx* ctx); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_SHA_H_ */ diff --git a/refimpl/bvb_sha256.c b/refimpl/bvb_sha256.c deleted file mode 100644 index 53e5f6b..0000000 --- a/refimpl/bvb_sha256.c +++ /dev/null @@ -1,310 +0,0 @@ -/* SHA-256 and SHA-512 implementation based on code by Oliver Gay - * <olivier.gay@a3.epfl.ch> under a BSD-style license. See below. - */ - -/* - * FIPS 180-2 SHA-224/256/384/512 implementation - * Last update: 02/02/2007 - * Issue date: 04/30/2005 - * - * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "bvb_sha.h" - -#define SHFR(x, n) (x >> n) -#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n))) -#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n))) -#define CH(x, y, z) ((x & y) ^ (~x & z)) -#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) - -#define SHA256_F1(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) -#define SHA256_F2(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) -#define SHA256_F3(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHFR(x, 3)) -#define SHA256_F4(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHFR(x, 10)) - -#define UNPACK32(x, str) \ - { \ - *((str) + 3) = (uint8_t) ((x) ); \ - *((str) + 2) = (uint8_t) ((x) >> 8); \ - *((str) + 1) = (uint8_t) ((x) >> 16); \ - *((str) + 0) = (uint8_t) ((x) >> 24); \ - } - -#define PACK32(str, x) \ - { \ - *(x) = ((uint32_t) *((str) + 3) ) \ - | ((uint32_t) *((str) + 2) << 8) \ - | ((uint32_t) *((str) + 1) << 16) \ - | ((uint32_t) *((str) + 0) << 24); \ - } - -/* Macros used for loops unrolling */ - -#define SHA256_SCR(i) \ - { \ - w[i] = SHA256_F4(w[i - 2]) + w[i - 7] \ - + SHA256_F3(w[i - 15]) + w[i - 16]; \ - } - -#define SHA256_EXP(a, b, c, d, e, f, g, h, j) \ - { \ - t1 = wv[h] + SHA256_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \ - + sha256_k[j] + w[j]; \ - t2 = SHA256_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \ - wv[d] += t1; \ - wv[h] = t1 + t2; \ - } - -static const uint32_t sha256_h0[8] = { - 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, - 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19}; - -static const uint32_t sha256_k[64] = { - 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, - 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, - 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, - 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, - 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, - 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, - 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, - 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, - 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, - 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, - 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, - 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, - 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, - 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, - 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, - 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2}; - - -/* SHA-256 implementation */ -void bvb_sha256_init(BvbSHA256Ctx *ctx) { -#ifndef UNROLL_LOOPS - int i; - for (i = 0; i < 8; i++) { - ctx->h[i] = sha256_h0[i]; - } -#else - ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1]; - ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3]; - ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5]; - ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7]; -#endif /* !UNROLL_LOOPS */ - - ctx->len = 0; - ctx->tot_len = 0; -} - - -static void SHA256_transform(BvbSHA256Ctx* ctx, const uint8_t* message, - unsigned int block_nb) { - uint32_t w[64]; - uint32_t wv[8]; - uint32_t t1, t2; - const unsigned char *sub_block; - int i; - -#ifndef UNROLL_LOOPS - int j; -#endif - - for (i = 0; i < (int) block_nb; i++) { - sub_block = message + (i << 6); - -#ifndef UNROLL_LOOPS - for (j = 0; j < 16; j++) { - PACK32(&sub_block[j << 2], &w[j]); - } - - for (j = 16; j < 64; j++) { - SHA256_SCR(j); - } - - for (j = 0; j < 8; j++) { - wv[j] = ctx->h[j]; - } - - for (j = 0; j < 64; j++) { - t1 = wv[7] + SHA256_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) - + sha256_k[j] + w[j]; - t2 = SHA256_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); - wv[7] = wv[6]; - wv[6] = wv[5]; - wv[5] = wv[4]; - wv[4] = wv[3] + t1; - wv[3] = wv[2]; - wv[2] = wv[1]; - wv[1] = wv[0]; - wv[0] = t1 + t2; - } - - for (j = 0; j < 8; j++) { - ctx->h[j] += wv[j]; - } -#else - PACK32(&sub_block[ 0], &w[ 0]); PACK32(&sub_block[ 4], &w[ 1]); - PACK32(&sub_block[ 8], &w[ 2]); PACK32(&sub_block[12], &w[ 3]); - PACK32(&sub_block[16], &w[ 4]); PACK32(&sub_block[20], &w[ 5]); - PACK32(&sub_block[24], &w[ 6]); PACK32(&sub_block[28], &w[ 7]); - PACK32(&sub_block[32], &w[ 8]); PACK32(&sub_block[36], &w[ 9]); - PACK32(&sub_block[40], &w[10]); PACK32(&sub_block[44], &w[11]); - PACK32(&sub_block[48], &w[12]); PACK32(&sub_block[52], &w[13]); - PACK32(&sub_block[56], &w[14]); PACK32(&sub_block[60], &w[15]); - - SHA256_SCR(16); SHA256_SCR(17); SHA256_SCR(18); SHA256_SCR(19); - SHA256_SCR(20); SHA256_SCR(21); SHA256_SCR(22); SHA256_SCR(23); - SHA256_SCR(24); SHA256_SCR(25); SHA256_SCR(26); SHA256_SCR(27); - SHA256_SCR(28); SHA256_SCR(29); SHA256_SCR(30); SHA256_SCR(31); - SHA256_SCR(32); SHA256_SCR(33); SHA256_SCR(34); SHA256_SCR(35); - SHA256_SCR(36); SHA256_SCR(37); SHA256_SCR(38); SHA256_SCR(39); - SHA256_SCR(40); SHA256_SCR(41); SHA256_SCR(42); SHA256_SCR(43); - SHA256_SCR(44); SHA256_SCR(45); SHA256_SCR(46); SHA256_SCR(47); - SHA256_SCR(48); SHA256_SCR(49); SHA256_SCR(50); SHA256_SCR(51); - SHA256_SCR(52); SHA256_SCR(53); SHA256_SCR(54); SHA256_SCR(55); - SHA256_SCR(56); SHA256_SCR(57); SHA256_SCR(58); SHA256_SCR(59); - SHA256_SCR(60); SHA256_SCR(61); SHA256_SCR(62); SHA256_SCR(63); - - wv[0] = ctx->h[0]; wv[1] = ctx->h[1]; - wv[2] = ctx->h[2]; wv[3] = ctx->h[3]; - wv[4] = ctx->h[4]; wv[5] = ctx->h[5]; - wv[6] = ctx->h[6]; wv[7] = ctx->h[7]; - - SHA256_EXP(0,1,2,3,4,5,6,7, 0); SHA256_EXP(7,0,1,2,3,4,5,6, 1); - SHA256_EXP(6,7,0,1,2,3,4,5, 2); SHA256_EXP(5,6,7,0,1,2,3,4, 3); - SHA256_EXP(4,5,6,7,0,1,2,3, 4); SHA256_EXP(3,4,5,6,7,0,1,2, 5); - SHA256_EXP(2,3,4,5,6,7,0,1, 6); SHA256_EXP(1,2,3,4,5,6,7,0, 7); - SHA256_EXP(0,1,2,3,4,5,6,7, 8); SHA256_EXP(7,0,1,2,3,4,5,6, 9); - SHA256_EXP(6,7,0,1,2,3,4,5,10); SHA256_EXP(5,6,7,0,1,2,3,4,11); - SHA256_EXP(4,5,6,7,0,1,2,3,12); SHA256_EXP(3,4,5,6,7,0,1,2,13); - SHA256_EXP(2,3,4,5,6,7,0,1,14); SHA256_EXP(1,2,3,4,5,6,7,0,15); - SHA256_EXP(0,1,2,3,4,5,6,7,16); SHA256_EXP(7,0,1,2,3,4,5,6,17); - SHA256_EXP(6,7,0,1,2,3,4,5,18); SHA256_EXP(5,6,7,0,1,2,3,4,19); - SHA256_EXP(4,5,6,7,0,1,2,3,20); SHA256_EXP(3,4,5,6,7,0,1,2,21); - SHA256_EXP(2,3,4,5,6,7,0,1,22); SHA256_EXP(1,2,3,4,5,6,7,0,23); - SHA256_EXP(0,1,2,3,4,5,6,7,24); SHA256_EXP(7,0,1,2,3,4,5,6,25); - SHA256_EXP(6,7,0,1,2,3,4,5,26); SHA256_EXP(5,6,7,0,1,2,3,4,27); - SHA256_EXP(4,5,6,7,0,1,2,3,28); SHA256_EXP(3,4,5,6,7,0,1,2,29); - SHA256_EXP(2,3,4,5,6,7,0,1,30); SHA256_EXP(1,2,3,4,5,6,7,0,31); - SHA256_EXP(0,1,2,3,4,5,6,7,32); SHA256_EXP(7,0,1,2,3,4,5,6,33); - SHA256_EXP(6,7,0,1,2,3,4,5,34); SHA256_EXP(5,6,7,0,1,2,3,4,35); - SHA256_EXP(4,5,6,7,0,1,2,3,36); SHA256_EXP(3,4,5,6,7,0,1,2,37); - SHA256_EXP(2,3,4,5,6,7,0,1,38); SHA256_EXP(1,2,3,4,5,6,7,0,39); - SHA256_EXP(0,1,2,3,4,5,6,7,40); SHA256_EXP(7,0,1,2,3,4,5,6,41); - SHA256_EXP(6,7,0,1,2,3,4,5,42); SHA256_EXP(5,6,7,0,1,2,3,4,43); - SHA256_EXP(4,5,6,7,0,1,2,3,44); SHA256_EXP(3,4,5,6,7,0,1,2,45); - SHA256_EXP(2,3,4,5,6,7,0,1,46); SHA256_EXP(1,2,3,4,5,6,7,0,47); - SHA256_EXP(0,1,2,3,4,5,6,7,48); SHA256_EXP(7,0,1,2,3,4,5,6,49); - SHA256_EXP(6,7,0,1,2,3,4,5,50); SHA256_EXP(5,6,7,0,1,2,3,4,51); - SHA256_EXP(4,5,6,7,0,1,2,3,52); SHA256_EXP(3,4,5,6,7,0,1,2,53); - SHA256_EXP(2,3,4,5,6,7,0,1,54); SHA256_EXP(1,2,3,4,5,6,7,0,55); - SHA256_EXP(0,1,2,3,4,5,6,7,56); SHA256_EXP(7,0,1,2,3,4,5,6,57); - SHA256_EXP(6,7,0,1,2,3,4,5,58); SHA256_EXP(5,6,7,0,1,2,3,4,59); - SHA256_EXP(4,5,6,7,0,1,2,3,60); SHA256_EXP(3,4,5,6,7,0,1,2,61); - SHA256_EXP(2,3,4,5,6,7,0,1,62); SHA256_EXP(1,2,3,4,5,6,7,0,63); - - ctx->h[0] += wv[0]; ctx->h[1] += wv[1]; - ctx->h[2] += wv[2]; ctx->h[3] += wv[3]; - ctx->h[4] += wv[4]; ctx->h[5] += wv[5]; - ctx->h[6] += wv[6]; ctx->h[7] += wv[7]; -#endif /* !UNROLL_LOOPS */ - } -} - - - -void bvb_sha256_update(BvbSHA256Ctx* ctx, const uint8_t* data, uint32_t len) { - unsigned int block_nb; - unsigned int new_len, rem_len, tmp_len; - const uint8_t *shifted_data; - - tmp_len = BVB_SHA256_BLOCK_SIZE - ctx->len; - rem_len = len < tmp_len ? len : tmp_len; - - bvb_memcpy(&ctx->block[ctx->len], data, rem_len); - - if (ctx->len + len < BVB_SHA256_BLOCK_SIZE) { - ctx->len += len; - return; - } - - new_len = len - rem_len; - block_nb = new_len / BVB_SHA256_BLOCK_SIZE; - - shifted_data = data + rem_len; - - SHA256_transform(ctx, ctx->block, 1); - SHA256_transform(ctx, shifted_data, block_nb); - - rem_len = new_len % BVB_SHA256_BLOCK_SIZE; - - bvb_memcpy(ctx->block, &shifted_data[block_nb << 6], - rem_len); - - ctx->len = rem_len; - ctx->tot_len += (block_nb + 1) << 6; -} - -uint8_t* bvb_sha256_final(BvbSHA256Ctx* ctx) { - unsigned int block_nb; - unsigned int pm_len; - unsigned int len_b; -#ifndef UNROLL_LOOPS - int i; -#endif - - block_nb = (1 + ((BVB_SHA256_BLOCK_SIZE - 9) - < (ctx->len % BVB_SHA256_BLOCK_SIZE))); - - len_b = (ctx->tot_len + ctx->len) << 3; - pm_len = block_nb << 6; - - bvb_memset(ctx->block + ctx->len, 0, pm_len - ctx->len); - ctx->block[ctx->len] = 0x80; - UNPACK32(len_b, ctx->block + pm_len - 4); - - SHA256_transform(ctx, ctx->block, block_nb); - -#ifndef UNROLL_LOOPS - for (i = 0 ; i < 8; i++) { - UNPACK32(ctx->h[i], &ctx->buf[i << 2]); - } -#else - UNPACK32(ctx->h[0], &ctx->buf[ 0]); - UNPACK32(ctx->h[1], &ctx->buf[ 4]); - UNPACK32(ctx->h[2], &ctx->buf[ 8]); - UNPACK32(ctx->h[3], &ctx->buf[12]); - UNPACK32(ctx->h[4], &ctx->buf[16]); - UNPACK32(ctx->h[5], &ctx->buf[20]); - UNPACK32(ctx->h[6], &ctx->buf[24]); - UNPACK32(ctx->h[7], &ctx->buf[28]); -#endif /* !UNROLL_LOOPS */ - - return ctx->buf; -} diff --git a/refimpl/bvb_sha512.c b/refimpl/bvb_sha512.c deleted file mode 100644 index 0f1b385..0000000 --- a/refimpl/bvb_sha512.c +++ /dev/null @@ -1,333 +0,0 @@ -/* SHA-256 and SHA-512 implementation based on code by Oliver Gay - * <olivier.gay@a3.epfl.ch> under a BSD-style license. See below. - */ - -/* - * FIPS 180-2 SHA-224/256/384/512 implementation - * Last update: 02/02/2007 - * Issue date: 04/30/2005 - * - * Copyright (C) 2005, 2007 Olivier Gay <olivier.gay@a3.epfl.ch> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include "bvb_sha.h" - -#define SHFR(x, n) (x >> n) -#define ROTR(x, n) ((x >> n) | (x << ((sizeof(x) << 3) - n))) -#define ROTL(x, n) ((x << n) | (x >> ((sizeof(x) << 3) - n))) -#define CH(x, y, z) ((x & y) ^ (~x & z)) -#define MAJ(x, y, z) ((x & y) ^ (x & z) ^ (y & z)) - -#define SHA512_F1(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) -#define SHA512_F2(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) -#define SHA512_F3(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHFR(x, 7)) -#define SHA512_F4(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHFR(x, 6)) - -#define UNPACK32(x, str) \ - { \ - *((str) + 3) = (uint8_t) ((x) ); \ - *((str) + 2) = (uint8_t) ((x) >> 8); \ - *((str) + 1) = (uint8_t) ((x) >> 16); \ - *((str) + 0) = (uint8_t) ((x) >> 24); \ - } - -#define UNPACK64(x, str) \ - { \ - *((str) + 7) = (uint8_t) x; \ - *((str) + 6) = (uint8_t) ((uint64_t)x >> 8); \ - *((str) + 5) = (uint8_t) ((uint64_t)x >> 16); \ - *((str) + 4) = (uint8_t) ((uint64_t)x >> 24); \ - *((str) + 3) = (uint8_t) ((uint64_t)x >> 32); \ - *((str) + 2) = (uint8_t) ((uint64_t)x >> 40); \ - *((str) + 1) = (uint8_t) ((uint64_t)x >> 48); \ - *((str) + 0) = (uint8_t) ((uint64_t)x >> 56); \ - } - -#define PACK64(str, x) \ - { \ - *(x) = ((uint64_t) *((str) + 7) ) \ - | ((uint64_t) *((str) + 6) << 8) \ - | ((uint64_t) *((str) + 5) << 16) \ - | ((uint64_t) *((str) + 4) << 24) \ - | ((uint64_t) *((str) + 3) << 32) \ - | ((uint64_t) *((str) + 2) << 40) \ - | ((uint64_t) *((str) + 1) << 48) \ - | ((uint64_t) *((str) + 0) << 56); \ - } - -/* Macros used for loops unrolling */ - -#define SHA512_SCR(i) \ - { \ - w[i] = SHA512_F4(w[i - 2]) + w[i - 7] \ - + SHA512_F3(w[i - 15]) + w[i - 16]; \ - } - -#define SHA512_EXP(a, b, c, d, e, f, g ,h, j) \ - { \ - t1 = wv[h] + SHA512_F2(wv[e]) + CH(wv[e], wv[f], wv[g]) \ - + sha512_k[j] + w[j]; \ - t2 = SHA512_F1(wv[a]) + MAJ(wv[a], wv[b], wv[c]); \ - wv[d] += t1; \ - wv[h] = t1 + t2; \ - } - -static const uint64_t sha512_h0[8] = { - 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, - 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, - 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, - 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL}; - -static const uint64_t sha512_k[80] = { - 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, - 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, - 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, - 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, - 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, - 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, - 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, - 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, - 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, - 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, - 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, - 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, - 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, - 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, - 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, - 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, - 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, - 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, - 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, - 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, - 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, - 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, - 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, - 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, - 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, - 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, - 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, - 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, - 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, - 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, - 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, - 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, - 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, - 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, - 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, - 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, - 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, - 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, - 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, - 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL}; - - -/* SHA-512 implementation */ - -void bvb_sha512_init(BvbSHA512Ctx *ctx) { -#ifdef UNROLL_LOOPS_SHA512 - ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1]; - ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3]; - ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5]; - ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7]; -#else - int i; - - for (i = 0; i < 8; i++) - ctx->h[i] = sha512_h0[i]; -#endif /* UNROLL_LOOPS_SHA512 */ - - ctx->len = 0; - ctx->tot_len = 0; -} - - -static void SHA512_transform(BvbSHA512Ctx* ctx, const uint8_t* message, - unsigned int block_nb) { - uint64_t w[80]; - uint64_t wv[8]; - uint64_t t1, t2; - const uint8_t *sub_block; - int i, j; - - for (i = 0; i < (int) block_nb; i++) { - sub_block = message + (i << 7); - -#ifdef UNROLL_LOOPS_SHA512 - PACK64(&sub_block[ 0], &w[ 0]); PACK64(&sub_block[ 8], &w[ 1]); - PACK64(&sub_block[ 16], &w[ 2]); PACK64(&sub_block[ 24], &w[ 3]); - PACK64(&sub_block[ 32], &w[ 4]); PACK64(&sub_block[ 40], &w[ 5]); - PACK64(&sub_block[ 48], &w[ 6]); PACK64(&sub_block[ 56], &w[ 7]); - PACK64(&sub_block[ 64], &w[ 8]); PACK64(&sub_block[ 72], &w[ 9]); - PACK64(&sub_block[ 80], &w[10]); PACK64(&sub_block[ 88], &w[11]); - PACK64(&sub_block[ 96], &w[12]); PACK64(&sub_block[104], &w[13]); - PACK64(&sub_block[112], &w[14]); PACK64(&sub_block[120], &w[15]); - - SHA512_SCR(16); SHA512_SCR(17); SHA512_SCR(18); SHA512_SCR(19); - SHA512_SCR(20); SHA512_SCR(21); SHA512_SCR(22); SHA512_SCR(23); - SHA512_SCR(24); SHA512_SCR(25); SHA512_SCR(26); SHA512_SCR(27); - SHA512_SCR(28); SHA512_SCR(29); SHA512_SCR(30); SHA512_SCR(31); - SHA512_SCR(32); SHA512_SCR(33); SHA512_SCR(34); SHA512_SCR(35); - SHA512_SCR(36); SHA512_SCR(37); SHA512_SCR(38); SHA512_SCR(39); - SHA512_SCR(40); SHA512_SCR(41); SHA512_SCR(42); SHA512_SCR(43); - SHA512_SCR(44); SHA512_SCR(45); SHA512_SCR(46); SHA512_SCR(47); - SHA512_SCR(48); SHA512_SCR(49); SHA512_SCR(50); SHA512_SCR(51); - SHA512_SCR(52); SHA512_SCR(53); SHA512_SCR(54); SHA512_SCR(55); - SHA512_SCR(56); SHA512_SCR(57); SHA512_SCR(58); SHA512_SCR(59); - SHA512_SCR(60); SHA512_SCR(61); SHA512_SCR(62); SHA512_SCR(63); - SHA512_SCR(64); SHA512_SCR(65); SHA512_SCR(66); SHA512_SCR(67); - SHA512_SCR(68); SHA512_SCR(69); SHA512_SCR(70); SHA512_SCR(71); - SHA512_SCR(72); SHA512_SCR(73); SHA512_SCR(74); SHA512_SCR(75); - SHA512_SCR(76); SHA512_SCR(77); SHA512_SCR(78); SHA512_SCR(79); - - wv[0] = ctx->h[0]; wv[1] = ctx->h[1]; - wv[2] = ctx->h[2]; wv[3] = ctx->h[3]; - wv[4] = ctx->h[4]; wv[5] = ctx->h[5]; - wv[6] = ctx->h[6]; wv[7] = ctx->h[7]; - - j = 0; - - do { - SHA512_EXP(0,1,2,3,4,5,6,7,j); j++; - SHA512_EXP(7,0,1,2,3,4,5,6,j); j++; - SHA512_EXP(6,7,0,1,2,3,4,5,j); j++; - SHA512_EXP(5,6,7,0,1,2,3,4,j); j++; - SHA512_EXP(4,5,6,7,0,1,2,3,j); j++; - SHA512_EXP(3,4,5,6,7,0,1,2,j); j++; - SHA512_EXP(2,3,4,5,6,7,0,1,j); j++; - SHA512_EXP(1,2,3,4,5,6,7,0,j); j++; - } while (j < 80); - - ctx->h[0] += wv[0]; ctx->h[1] += wv[1]; - ctx->h[2] += wv[2]; ctx->h[3] += wv[3]; - ctx->h[4] += wv[4]; ctx->h[5] += wv[5]; - ctx->h[6] += wv[6]; ctx->h[7] += wv[7]; -#else - for (j = 0; j < 16; j++) { - PACK64(&sub_block[j << 3], &w[j]); - } - - for (j = 16; j < 80; j++) { - SHA512_SCR(j); - } - - for (j = 0; j < 8; j++) { - wv[j] = ctx->h[j]; - } - - for (j = 0; j < 80; j++) { - t1 = wv[7] + SHA512_F2(wv[4]) + CH(wv[4], wv[5], wv[6]) - + sha512_k[j] + w[j]; - t2 = SHA512_F1(wv[0]) + MAJ(wv[0], wv[1], wv[2]); - wv[7] = wv[6]; - wv[6] = wv[5]; - wv[5] = wv[4]; - wv[4] = wv[3] + t1; - wv[3] = wv[2]; - wv[2] = wv[1]; - wv[1] = wv[0]; - wv[0] = t1 + t2; - } - - for (j = 0; j < 8; j++) - ctx->h[j] += wv[j]; -#endif /* UNROLL_LOOPS_SHA512 */ - } -} - - -void bvb_sha512_update(BvbSHA512Ctx* ctx, const uint8_t* data, - uint32_t len) { - unsigned int block_nb; - unsigned int new_len, rem_len, tmp_len; - const uint8_t* shifted_data; - - tmp_len = BVB_SHA512_BLOCK_SIZE - ctx->len; - rem_len = len < tmp_len ? len : tmp_len; - - bvb_memcpy(&ctx->block[ctx->len], data, rem_len); - - if (ctx->len + len < BVB_SHA512_BLOCK_SIZE) { - ctx->len += len; - return; - } - - new_len = len - rem_len; - block_nb = new_len / BVB_SHA512_BLOCK_SIZE; - - shifted_data = data + rem_len; - - SHA512_transform(ctx, ctx->block, 1); - SHA512_transform(ctx, shifted_data, block_nb); - - rem_len = new_len % BVB_SHA512_BLOCK_SIZE; - - bvb_memcpy(ctx->block, &shifted_data[block_nb << 7], - rem_len); - - ctx->len = rem_len; - ctx->tot_len += (block_nb + 1) << 7; -} - -uint8_t* bvb_sha512_final(BvbSHA512Ctx* ctx) -{ - unsigned int block_nb; - unsigned int pm_len; - unsigned int len_b; - -#ifndef UNROLL_LOOPS_SHA512 - int i; -#endif - - block_nb = 1 + ((BVB_SHA512_BLOCK_SIZE - 17) - < (ctx->len % BVB_SHA512_BLOCK_SIZE)); - - len_b = (ctx->tot_len + ctx->len) << 3; - pm_len = block_nb << 7; - - bvb_memset(ctx->block + ctx->len, 0, pm_len - ctx->len); - ctx->block[ctx->len] = 0x80; - UNPACK32(len_b, ctx->block + pm_len - 4); - - SHA512_transform(ctx, ctx->block, block_nb); - -#ifdef UNROLL_LOOPS_SHA512 - UNPACK64(ctx->h[0], &ctx->buf[ 0]); - UNPACK64(ctx->h[1], &ctx->buf[ 8]); - UNPACK64(ctx->h[2], &ctx->buf[16]); - UNPACK64(ctx->h[3], &ctx->buf[24]); - UNPACK64(ctx->h[4], &ctx->buf[32]); - UNPACK64(ctx->h[5], &ctx->buf[40]); - UNPACK64(ctx->h[6], &ctx->buf[48]); - UNPACK64(ctx->h[7], &ctx->buf[56]); -#else - for (i = 0 ; i < 8; i++) - UNPACK64(ctx->h[i], &ctx->buf[i << 3]); -#endif /* UNROLL_LOOPS_SHA512 */ - - return ctx->buf; -} diff --git a/refimpl/bvb_sysdeps.h b/refimpl/bvb_sysdeps.h deleted file mode 100644 index a1f924e..0000000 --- a/refimpl/bvb_sysdeps.h +++ /dev/null @@ -1,126 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION) -#error "Never include this file directly, include bvb_refimpl.h instead." -#endif - -#ifndef BVB_SYSDEPS_H_ -#define BVB_SYSDEPS_H_ - -#ifdef __cplusplus -extern "C" { -#endif - -/* Change these includes to match your platform to bring in the - * equivalent types available in a normal C runtime, as well as - * printf()-format specifiers such as PRIx64. - */ -#include <stddef.h> -#include <stdint.h> -#include <inttypes.h> - -#ifdef BVB_ENABLE_DEBUG -/* Aborts the program if |expr| is false. - * - * This has no effect unless BVB_ENABLE_DEBUG is defined. - */ -#define bvb_assert(expr) do { if (!(expr)) { \ - bvb_error("assert fail: %s at %s:%d\n", \ - #expr, __FILE__, __LINE__); }} while(0) -#else -#define bvb_assert(expr) -#endif - -/* Size in bytes used for word-alignment. - * - * Change this to match your architecture - must be a power of two. - */ -#define BVB_WORD_ALIGNMENT_SIZE 8 - -/* Aborts the program if |addr| is not word-aligned. - * - * This has no effect unless BVB_ENABLE_DEBUG is defined. - */ -#define bvb_assert_word_aligned(addr) \ - bvb_assert((((uintptr_t) addr) & (BVB_WORD_ALIGNMENT_SIZE-1)) == 0) - -/* Compare |n| bytes in |src1| and |src2|. - * - * Returns an integer less than, equal to, or greater than zero if the - * first |n| bytes of |src1| is found, respectively, to be less than, - * to match, or be greater than the first |n| bytes of |src2|. */ -int bvb_memcmp(const void* src1, const void* src2, size_t n); - -/* Copy |n| bytes from |src| to |dest|. */ -void* bvb_memcpy(void* dest, const void* src, size_t n); - -/* Set |n| bytes starting at |s| to |c|. Returns |dest|. */ -void* bvb_memset(void* dest, const int c, size_t n); - -/* Compare |n| bytes starting at |s1| with |s2| and return 0 if they - * match, 1 if they don't. Returns 0 if |n|==0, since no bytes - * mismatched. - * - * Time taken to perform the comparison is only dependent on |n| and - * not on the relationship of the match between |s1| and |s2|. - * - * Note that unlike bvb_memcmp(), this only indicates inequality, not - * whether |s1| is less than or greater than |s2|. - */ -int bvb_safe_memcmp(const void* s1, const void* s2, size_t n); - -#ifdef BVB_ENABLE_DEBUG -/* printf()-style function, used for diagnostics. - * - * This has no effect unless BVB_ENABLE_DEBUG is defined. - */ -void bvb_debug(const char* format, ...) __attribute__((format(printf, 1, 2))); -#else -static inline void bvb_debug(const char* format, ...) - __attribute__((format(printf, 1, 2))); -static inline void bvb_debug(const char* format, ...) {} -#endif - -/* Prints out a message (defined by |format|, printf()-style) and - * aborts the program or reboots the device. - * - * Unlike bvb_debug(), this function does not depend on BVB_ENABLE_DEBUG. - */ -void bvb_error(const char* format, ...) __attribute__((format(printf, 1, 2))); - -/* Allocates |size| bytes. Returns NULL if no memory is available, - * otherwise a pointer to the allocated memory. - * - * The memory is not initialized. - * - * The pointer returned is guaranteed to be word-aligned. - * - * The memory should be freed with bvb_free() when you are done with it. - */ -void* bvb_malloc(size_t size); - -/* Frees memory previously allocated with bvb_malloc(). */ -void bvb_free(void* ptr); - -/* Returns the lenght of |str|, excluding the terminating NUL-byte. */ -size_t bvb_strlen(const char* str); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_SYSDEPS_H_ */ diff --git a/refimpl/bvb_sysdeps_stub.c b/refimpl/bvb_sysdeps_stub.c deleted file mode 100644 index c7cd076..0000000 --- a/refimpl/bvb_sysdeps_stub.c +++ /dev/null @@ -1,84 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <endian.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "bvb_sysdeps.h" - -int bvb_memcmp(const void* src1, const void* src2, size_t n) { - return memcmp(src1, src2, n); -} - -void* bvb_memcpy(void* dest, const void* src, size_t n) { - return memcpy(dest, src, (size_t)n); -} - -void* bvb_memset(void* dest, const int c, size_t n) { - return memset(dest, c, n); -} - -size_t bvb_strlen(const char* str) { - return strlen(str); -} - -int bvb_safe_memcmp(const void* s1, const void* s2, size_t n) { - const unsigned char* us1 = s1; - const unsigned char* us2 = s2; - int result = 0; - - if (0 == n) - return 0; - - /* - * Code snippet without data-dependent branch due to Nate Lawson - * (nate@root.org) of Root Labs. - */ - while (n--) - result |= *us1++ ^ *us2++; - - return result != 0; -} - -void bvb_error(const char* format, ...) { - va_list ap; - va_start(ap, format); - fprintf(stderr, "ERROR: "); - vfprintf(stderr, format, ap); - va_end(ap); - exit(1); -} - -#ifdef BVB_ENABLE_DEBUG -void bvb_debug(const char* format, ...) { - va_list ap; - va_start(ap, format); - fprintf(stderr, "DEBUG: "); - vfprintf(stderr, format, ap); - va_end(ap); -} -#endif - -void* bvb_malloc(size_t size) { - return malloc(size); -} - -void bvb_free(void* ptr) { - free(ptr); -} diff --git a/refimpl/bvb_util.c b/refimpl/bvb_util.c deleted file mode 100644 index fff8e96..0000000 --- a/refimpl/bvb_util.c +++ /dev/null @@ -1,114 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - - -#include "bvb_util.h" - -uint32_t bvb_be32toh(uint32_t in) { - uint8_t* d = (uint8_t*) ∈ - uint32_t ret; - ret = ((uint32_t) d[0]) << 24; - ret |= ((uint32_t) d[1]) << 16; - ret |= ((uint32_t) d[2]) << 8; - ret |= ((uint32_t) d[3]); - return ret; -} - -uint64_t bvb_be64toh(uint64_t in) { - uint8_t* d = (uint8_t*) ∈ - uint64_t ret; - ret = ((uint64_t) d[0]) << 56; - ret |= ((uint64_t) d[1]) << 48; - ret |= ((uint64_t) d[2]) << 40; - ret |= ((uint64_t) d[3]) << 32; - ret |= ((uint64_t) d[4]) << 24; - ret |= ((uint64_t) d[5]) << 16; - ret |= ((uint64_t) d[6]) << 8; - ret |= ((uint64_t) d[7]); - return ret; -} - -void bvb_boot_image_header_to_host_byte_order(const BvbBootImageHeader* src, - BvbBootImageHeader* dest) { - bvb_memcpy(dest, src, sizeof(BvbBootImageHeader)); - - dest->header_version_major = bvb_be32toh(dest->header_version_major); - dest->header_version_minor = bvb_be32toh(dest->header_version_minor); - - dest->authentication_data_block_size = - bvb_be64toh(dest->authentication_data_block_size); - dest->auxilary_data_block_size = bvb_be64toh(dest->auxilary_data_block_size); - dest->payload_data_block_size = bvb_be64toh(dest->payload_data_block_size); - - dest->algorithm_type = bvb_be32toh(dest->algorithm_type); - - dest->hash_offset = bvb_be64toh(dest->hash_offset); - dest->hash_size = bvb_be64toh(dest->hash_size); - - dest->signature_offset = bvb_be64toh(dest->signature_offset); - dest->signature_size = bvb_be64toh(dest->signature_size); - - dest->public_key_offset = bvb_be64toh(dest->public_key_offset); - dest->public_key_size = bvb_be64toh(dest->public_key_size); - - dest->properties_offset = bvb_be64toh(dest->properties_offset); - dest->properties_size = bvb_be64toh(dest->properties_size); - - dest->rollback_index = bvb_be64toh(dest->rollback_index); - - dest->kernel_offset = bvb_be64toh(dest->kernel_offset); - dest->kernel_size = bvb_be64toh(dest->kernel_size); - - dest->initrd_offset = bvb_be64toh(dest->initrd_offset); - dest->initrd_size = bvb_be64toh(dest->initrd_size); - - dest->kernel_addr = bvb_be64toh(dest->kernel_addr); - dest->initrd_addr = bvb_be64toh(dest->initrd_addr); -} - -void bvb_rsa_public_key_header_to_host_byte_order( - const BvbRSAPublicKeyHeader* src, - BvbRSAPublicKeyHeader* dest) { - bvb_memcpy(dest, src, sizeof(BvbRSAPublicKeyHeader)); - - dest->key_num_bits = bvb_be32toh(dest->key_num_bits); - dest->n0inv = bvb_be32toh(dest->n0inv); -} - -int bvb_safe_add_to(uint64_t *value, uint64_t value_to_add) { - uint64_t original_value; - - bvb_assert(value != NULL); - - original_value = *value; - - *value += value_to_add; - if (*value < original_value) { - bvb_debug("%s: overflow: 0x%016" PRIx64 " + 0x%016" PRIx64 "\n", - __FUNCTION__, original_value, value_to_add); - return 0; - } - - return 1; -} - -int bvb_safe_add(uint64_t* out_result, uint64_t a, uint64_t b) { - uint64_t dummy; - if (out_result == NULL) - out_result = &dummy; - *out_result = a; - return bvb_safe_add_to(out_result, b); -} diff --git a/refimpl/bvb_util.h b/refimpl/bvb_util.h deleted file mode 100644 index 951ce83..0000000 --- a/refimpl/bvb_util.h +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION) -#error "Never include this file directly, include bvb_refimpl.h instead." -#endif - -#ifndef BVB_UTIL_H_ -#define BVB_UTIL_H_ - -#include "bvb_boot_image_header.h" -#include "bvb_sysdeps.h" - -#ifdef __cplusplus -extern "C" { -#endif - -/* Converts a 32-bit unsigned integer from big-endian to host byte order. */ -uint32_t bvb_be32toh(uint32_t in); - -/* Converts a 64-bit unsigned integer from big-endian to host byte order. */ -uint64_t bvb_be64toh(uint64_t in); - -/* Adds |value_to_add| to |value| with overflow protection. - * - * Returns zero if the addition overflows, non-zero otherwise. In - * either case, |value| is always modified. - */ -int bvb_safe_add_to(uint64_t *value, uint64_t value_to_add); - -/* Adds |a| and |b| with overflow protection, returning the value in - * |out_result|. - * - * It's permissible to pass NULL for |out_result| if you just want to - * check that the addition would not overflow. - * - * Returns zero if the addition overflows, non-zero otherwise. - */ -int bvb_safe_add(uint64_t *out_result, uint64_t a, uint64_t b); - -/* Copies |src| to |dest|, byte-swapping fields in the process. */ -void bvb_boot_image_header_to_host_byte_order( - const BvbBootImageHeader* src, - BvbBootImageHeader* dest); - -/* Copies |header| to |dest|, byte-swapping fields in the process. */ -void bvb_rsa_public_key_header_to_host_byte_order( - const BvbRSAPublicKeyHeader* src, - BvbRSAPublicKeyHeader* dest); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_UTIL_H_ */ diff --git a/refimpl/bvb_verify.c b/refimpl/bvb_verify.c deleted file mode 100644 index dc05580..0000000 --- a/refimpl/bvb_verify.c +++ /dev/null @@ -1,303 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "bvb_rsa.h" -#include "bvb_sha.h" -#include "bvb_util.h" -#include "bvb_verify.h" - -static const uint8_t padding_RSA2048_SHA256[BVB_RSA2048_NUM_BYTES - BVB_SHA256_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 -}; - -static const uint8_t padding_RSA4096_SHA256[BVB_RSA4096_NUM_BYTES - BVB_SHA256_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 -}; - -static const uint8_t padding_RSA8192_SHA256[BVB_RSA8192_NUM_BYTES - BVB_SHA256_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 -}; - -static const uint8_t padding_RSA2048_SHA512[BVB_RSA2048_NUM_BYTES - BVB_SHA512_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40 -}; - -static const uint8_t padding_RSA4096_SHA512[BVB_RSA4096_NUM_BYTES - BVB_SHA512_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40 -}; - -static const uint8_t padding_RSA8192_SHA512[BVB_RSA8192_NUM_BYTES - BVB_SHA512_DIGEST_SIZE] = { -0x00,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40 -}; - -typedef struct { - const uint8_t *padding; - size_t padding_len; - size_t hash_len; -} BvbAlgorithmData; - -static BvbAlgorithmData algorithm_data[_BVB_ALGORITHM_NUM_TYPES] = { - /* BVB_ALGORITHM_TYPE_NONE */ - { - .padding = NULL, - .padding_len = 0, - .hash_len = 0 - }, - /* BVB_ALGORITHM_TYPE_SHA256_RSA2048 */ - { - .padding = padding_RSA2048_SHA256, - .padding_len = sizeof(padding_RSA2048_SHA256), - .hash_len = BVB_SHA256_DIGEST_SIZE - }, - /* BVB_ALGORITHM_TYPE_SHA256_RSA4096 */ - { - .padding = padding_RSA4096_SHA256, - .padding_len = sizeof(padding_RSA4096_SHA256), - .hash_len = BVB_SHA256_DIGEST_SIZE - }, - /* BVB_ALGORITHM_TYPE_SHA256_RSA8192 */ - { - .padding = padding_RSA8192_SHA256, - .padding_len = sizeof(padding_RSA8192_SHA256), - .hash_len = BVB_SHA256_DIGEST_SIZE - }, - /* BVB_ALGORITHM_TYPE_SHA512_RSA2048 */ - { - .padding = padding_RSA2048_SHA512, - .padding_len = sizeof(padding_RSA2048_SHA512), - .hash_len = BVB_SHA512_DIGEST_SIZE - }, - /* BVB_ALGORITHM_TYPE_SHA512_RSA4096 */ - { - .padding = padding_RSA4096_SHA512, - .padding_len = sizeof(padding_RSA4096_SHA512), - .hash_len = BVB_SHA512_DIGEST_SIZE - }, - /* BVB_ALGORITHM_TYPE_SHA512_RSA8192 */ - { - .padding = padding_RSA8192_SHA512, - .padding_len = sizeof(padding_RSA8192_SHA512), - .hash_len = BVB_SHA512_DIGEST_SIZE - }, -}; - -BvbVerifyResult bvb_verify_boot_image(const uint8_t* data, - size_t length, - const uint8_t** out_public_key_data, - size_t* out_public_key_length) { - BvbVerifyResult ret; - BvbBootImageHeader *h = NULL; - uint8_t* computed_hash; - BvbAlgorithmData* algorithm; - BvbSHA256Ctx sha256_ctx; - BvbSHA512Ctx sha512_ctx; - const uint8_t* header_block; - const uint8_t* authentication_block; - const uint8_t* auxilary_block; - const uint8_t* payload_block; - int verification_result; - - ret = BVB_VERIFY_RESULT_INVALID_BOOT_IMAGE_HEADER; - - if (out_public_key_data != NULL) - *out_public_key_data = NULL; - if (out_public_key_length != NULL) - *out_public_key_length = 0; - - /* Ensure magic is correct. */ - if (bvb_safe_memcmp(data, BVB_MAGIC, BVB_MAGIC_LEN) != 0) { - bvb_debug("Magic is incorrect.\n"); - goto out; - } - - /* Before we byteswap, ensure length is long enough. */ - if (length < sizeof(BvbBootImageHeader)) { - bvb_debug("Length is smaller than header.\n"); - goto out; - } - h = bvb_malloc(sizeof(BvbBootImageHeader)); - if (h == NULL) { - bvb_debug("Error allocating byteswapped header.\n"); - goto out; - } - bvb_boot_image_header_to_host_byte_order( - (const BvbBootImageHeader *) data, h); - - /* Ensure we don't attempt to access any fields if the major version - * is not supported. - */ - if (h->header_version_major > BVB_MAJOR_VERSION) { - bvb_debug("No support for version %d.\n", h->header_version_major); - goto out; - } - - /* Ensure inner block sizes are multiple of 64. */ - if ((h->authentication_data_block_size & 0x3f) != 0 || - (h->auxilary_data_block_size & 0x3f) != 0) { - bvb_debug("Block size is not a multiple of 64.\n"); - goto out; - } - - /* Ensure block sizes all add up to at least |length|. */ - uint64_t block_total = sizeof(BvbBootImageHeader); - if (!bvb_safe_add_to(&block_total, h->authentication_data_block_size) || - !bvb_safe_add_to(&block_total, h->auxilary_data_block_size) || - !bvb_safe_add_to(&block_total, h->payload_data_block_size)) { - bvb_debug("Overflow while computing size of boot image.\n"); - goto out; - } - if (block_total > length) { - bvb_debug("Block sizes add up to more than given length.\n"); - goto out; - } - - uintptr_t data_ptr = (uintptr_t) data; - /* Ensure passed in memory doesn't wrap. */ - if (!bvb_safe_add(NULL, (uint64_t) data_ptr, length)) { - bvb_debug("Boot image location and length mismatch.\n"); - goto out; - } - - /* Ensure hash and signature are entirely in the Authentication data block. */ - uint64_t hash_end; - if (!bvb_safe_add(&hash_end, h->hash_offset, h->hash_size) || - hash_end > h->authentication_data_block_size) { - bvb_debug("Hash is not entirely in its block.\n"); - goto out; - } - uint64_t signature_end; - if (!bvb_safe_add(&signature_end, h->signature_offset, h->signature_size) || - signature_end > h->authentication_data_block_size) { - bvb_debug("Signature is not entirely in its block.\n"); - goto out; - } - - /* Ensure public key is entirely in the Auxilary data block. */ - uint64_t pubkey_end; - if (!bvb_safe_add(&pubkey_end, h->public_key_offset, h->public_key_size) || - pubkey_end > h->auxilary_data_block_size) { - bvb_debug("Public key is not entirely in its block.\n"); - goto out; - } - - /* Ensure kernel and initramfs are entirely in the Payload data - * block. - */ - uint64_t kernel_end; - if (!bvb_safe_add(&kernel_end, h->kernel_offset, h->kernel_size) || - kernel_end > h->payload_data_block_size) { - bvb_debug("Kernel is not entirely in its block.\n"); - goto out; - } - if (h->initrd_size > 0) { - uint64_t initrd_end; - if (!bvb_safe_add(&initrd_end, h->initrd_offset, h->initrd_size) || - initrd_end > h->payload_data_block_size) { - bvb_debug("Initrd is not entirely in its block.\n"); - goto out; - } - } - - /* Ensure algorithm field is supported. */ - if (h->algorithm_type >= _BVB_ALGORITHM_NUM_TYPES) { - bvb_debug("Invalid or unknown algorithm.\n"); - goto out; - } - algorithm = &algorithm_data[h->algorithm_type]; - - /* Bail early if there's no hash or signature. */ - if (h->algorithm_type == BVB_ALGORITHM_TYPE_NONE) { - ret = BVB_VERIFY_RESULT_OK_NOT_SIGNED; - goto out; - } - - /* Bail if the embedded hash size doesn't match the chosen algorithm. */ - if (h->hash_size != algorithm->hash_len) { - bvb_debug("Embedded hash has wrong size.\n"); - goto out; - } - - /* No overflow checks needed from here-on after since all block - * sizes and offsets have been verified above. - */ - - header_block = data; - authentication_block = header_block + sizeof(BvbBootImageHeader); - auxilary_block = authentication_block + h->authentication_data_block_size; - payload_block = auxilary_block + h->auxilary_data_block_size; - - switch (h->algorithm_type) { - /* Explicit fall-through: */ - case BVB_ALGORITHM_TYPE_SHA256_RSA2048: - case BVB_ALGORITHM_TYPE_SHA256_RSA4096: - case BVB_ALGORITHM_TYPE_SHA256_RSA8192: - bvb_sha256_init(&sha256_ctx); - bvb_sha256_update(&sha256_ctx, header_block, - sizeof(BvbBootImageHeader)); - bvb_sha256_update(&sha256_ctx, auxilary_block, - h->auxilary_data_block_size); - bvb_sha256_update(&sha256_ctx, payload_block, - h->payload_data_block_size); - computed_hash = bvb_sha256_final(&sha256_ctx); - break; - /* Explicit fall-through: */ - case BVB_ALGORITHM_TYPE_SHA512_RSA2048: - case BVB_ALGORITHM_TYPE_SHA512_RSA4096: - case BVB_ALGORITHM_TYPE_SHA512_RSA8192: - bvb_sha512_init(&sha512_ctx); - bvb_sha512_update(&sha512_ctx, header_block, - sizeof(BvbBootImageHeader)); - bvb_sha512_update(&sha512_ctx, auxilary_block, - h->auxilary_data_block_size); - bvb_sha512_update(&sha512_ctx, payload_block, - h->payload_data_block_size); - computed_hash = bvb_sha512_final(&sha512_ctx); - break; - default: - bvb_debug("Unknown algorithm %d.\n", h->algorithm_type); - goto out; - } - - if (bvb_safe_memcmp(authentication_block + h->hash_offset, - computed_hash, h->hash_size) != 0) { - bvb_debug("Hash does not match!\n"); - ret = BVB_VERIFY_RESULT_HASH_MISMATCH; - goto out; - } - - verification_result = bvb_rsa_verify( - auxilary_block + h->public_key_offset, h->public_key_size, - authentication_block + h->signature_offset, h->signature_size, - authentication_block + h->hash_offset, h->hash_size, - algorithm->padding, algorithm->padding_len); - - if (verification_result == 0) { - ret = BVB_VERIFY_RESULT_SIGNATURE_MISMATCH; - goto out; - } - - if (out_public_key_data != NULL) - *out_public_key_data = auxilary_block + h->public_key_offset; - if (out_public_key_length != NULL) - *out_public_key_length = h->public_key_size; - - ret = BVB_VERIFY_RESULT_OK; - -out: - if (h != NULL) - bvb_free(h); - return ret; -} diff --git a/refimpl/bvb_verify.h b/refimpl/bvb_verify.h deleted file mode 100644 index 0cfd7ba..0000000 --- a/refimpl/bvb_verify.h +++ /dev/null @@ -1,102 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#if !defined (BVB_INSIDE_BVB_REFIMPL_H) && !defined (BVB_REFIMPL_COMPILATION) -#error "Never include this file directly, include bvb_refimpl.h instead." -#endif - -#ifndef BVB_VERIFY_H_ -#define BVB_VERIFY_H_ - -#ifdef __cplusplus -extern "C" { -#endif - -#include "bvb_boot_image_header.h" - -/* Return codes used in bvb_verify_boot_image(). - * - * BVB_VERIFY_RESULT_OK is returned if the boot image header is valid, - * the hash is correct and the signature is correct. Keep in mind that - * you still need to check that you know the public key used to sign - * the image, see bvb_verify_boot_image() for details. - * - * BVB_VERIFY_RESULT_OK_NOT_SIGNED is returned if the boot image - * header is valid but there is no signature or hash. - * - * BVB_VERIFY_INVALID_BOOT_IMAGE_HEADER is returned if the header of - * the boot image is invalid, for example, invalid magic or - * inconsistent data. - * - * BVB_VERIFY_HASH_MISMATCH is returned if the hash stored in the - * "Authentication data" block does not match the calculated hash. - * - * BVB_VERIFY_SIGNATURE_MISMATCH is returned if the signature stored - * in the "Authentication data" block is invalid or doesn't match the - * public key stored in the boot image. - */ -typedef enum { - BVB_VERIFY_RESULT_OK, - BVB_VERIFY_RESULT_OK_NOT_SIGNED, - BVB_VERIFY_RESULT_INVALID_BOOT_IMAGE_HEADER, - BVB_VERIFY_RESULT_HASH_MISMATCH, - BVB_VERIFY_RESULT_SIGNATURE_MISMATCH, -} BvbVerifyResult; - -/* - * Checks that raw boot image at |data| of size |length| is a valid - * Brillo boot image. The complete contents of the boot image must be - * passed in. It's fine if |length| is bigger than the actual image, - * typically callers of this function will load the entire contents of - * the 'boot_a' or 'boot_b' partition and pass in its length (for - * example, 32 MiB). - * - * See the |BvbBootImageHeader| struct for information about the four - * blocks (header, authentication, auxilary, payload) that make up a - * boot image. - * - * If the function returns |BVB_VERIFY_RESULT_OK| and - * |out_public_key_data| is non-NULL, it will be set to point inside - * |data| for where the serialized public key data is stored and - * |out_public_key_length|, if non-NULL, will be set to the length of - * the public key data. - * - * See the |BvbVerifyResult| enum for possible return values. - * - * VERY IMPORTANT: - * - * 1. Even if |BVB_VERIFY_RESULT_OK| is returned, you still need to - * check that the public key embedded in the image matches a - * known key! You can use 'bvbtool extract_public_key' to extract - * the key at build time and compare it to what is returned in - * |out_public_key_data|. - * - * 2. You need to check the |rollback_index| field against a stored - * value in NVRAM and reject the boot image if the value in NVRAM - * is bigger than |rollback_index|. You must also update the - * value stored in NVRAM to the smallest value of - * |rollback_index| field from boot images in all bootable and - * authentic slots marked as GOOD. - */ -BvbVerifyResult bvb_verify_boot_image( - const uint8_t* data, size_t length, - const uint8_t** out_public_key_data, size_t* out_public_key_length); - -#ifdef __cplusplus -} -#endif - -#endif /* BVB_VERIFY_H_ */ |