aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMattias Nissler2016-04-04 09:17:01 -0500
committerMattias Nissler2016-04-06 08:54:17 -0500
commit452df6d99c81c4eeee3d2c7b2171901e8b7bc54a (patch)
tree2c1e4941bc377422b60ce38baf0681c768691d15 /verifier.cpp
parent81247500d535dac714fad657860b67474e1f6e42 (diff)
downloadplatform-bootable-recovery-452df6d99c81c4eeee3d2c7b2171901e8b7bc54a.tar.gz
platform-bootable-recovery-452df6d99c81c4eeee3d2c7b2171901e8b7bc54a.tar.xz
platform-bootable-recovery-452df6d99c81c4eeee3d2c7b2171901e8b7bc54a.zip
Convert recovery to use BoringSSL instead of mincrypt.
This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Change-Id: I37b37d84b22e81c32ac180cd1240c02150ddf3a7
Diffstat (limited to 'verifier.cpp')
-rw-r--r--verifier.cpp310
1 files changed, 203 insertions, 107 deletions
diff --git a/verifier.cpp b/verifier.cpp
index 9a2d60c6..6e158127 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -14,23 +14,22 @@
14 * limitations under the License. 14 * limitations under the License.
15 */ 15 */
16 16
17#include "asn1_decoder.h"
18#include "common.h"
19#include "ui.h"
20#include "verifier.h"
21
22#include "mincrypt/dsa_sig.h"
23#include "mincrypt/p256.h"
24#include "mincrypt/p256_ecdsa.h"
25#include "mincrypt/rsa.h"
26#include "mincrypt/sha.h"
27#include "mincrypt/sha256.h"
28
29#include <errno.h> 17#include <errno.h>
30#include <malloc.h> 18#include <malloc.h>
31#include <stdio.h> 19#include <stdio.h>
32#include <string.h> 20#include <string.h>
33 21
22#include <algorithm>
23#include <memory>
24
25#include <openssl/ecdsa.h>
26#include <openssl/obj_mac.h>
27
28#include "asn1_decoder.h"
29#include "common.h"
30#include "ui.h"
31#include "verifier.h"
32
34extern RecoveryUI* ui; 33extern RecoveryUI* ui;
35 34
36/* 35/*
@@ -194,15 +193,15 @@ int verify_file(unsigned char* addr, size_t length,
194 bool need_sha256 = false; 193 bool need_sha256 = false;
195 for (const auto& key : keys) { 194 for (const auto& key : keys) {
196 switch (key.hash_len) { 195 switch (key.hash_len) {
197 case SHA_DIGEST_SIZE: need_sha1 = true; break; 196 case SHA_DIGEST_LENGTH: need_sha1 = true; break;
198 case SHA256_DIGEST_SIZE: need_sha256 = true; break; 197 case SHA256_DIGEST_LENGTH: need_sha256 = true; break;
199 } 198 }
200 } 199 }
201 200
202 SHA_CTX sha1_ctx; 201 SHA_CTX sha1_ctx;
203 SHA256_CTX sha256_ctx; 202 SHA256_CTX sha256_ctx;
204 SHA_init(&sha1_ctx); 203 SHA1_Init(&sha1_ctx);
205 SHA256_init(&sha256_ctx); 204 SHA256_Init(&sha256_ctx);
206 205
207 double frac = -1.0; 206 double frac = -1.0;
208 size_t so_far = 0; 207 size_t so_far = 0;
@@ -210,8 +209,8 @@ int verify_file(unsigned char* addr, size_t length,
210 size_t size = signed_len - so_far; 209 size_t size = signed_len - so_far;
211 if (size > BUFFER_SIZE) size = BUFFER_SIZE; 210 if (size > BUFFER_SIZE) size = BUFFER_SIZE;
212 211
213 if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size); 212 if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
214 if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size); 213 if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
215 so_far += size; 214 so_far += size;
216 215
217 double f = so_far / (double)signed_len; 216 double f = so_far / (double)signed_len;
@@ -221,8 +220,10 @@ int verify_file(unsigned char* addr, size_t length,
221 } 220 }
222 } 221 }
223 222
224 const uint8_t* sha1 = SHA_final(&sha1_ctx); 223 uint8_t sha1[SHA_DIGEST_LENGTH];
225 const uint8_t* sha256 = SHA256_final(&sha256_ctx); 224 SHA1_Final(sha1, &sha1_ctx);
225 uint8_t sha256[SHA256_DIGEST_LENGTH];
226 SHA256_Final(sha256, &sha256_ctx);
226 227
227 uint8_t* sig_der = nullptr; 228 uint8_t* sig_der = nullptr;
228 size_t sig_der_length = 0; 229 size_t sig_der_length = 0;
@@ -242,23 +243,25 @@ int verify_file(unsigned char* addr, size_t length,
242 size_t i = 0; 243 size_t i = 0;
243 for (const auto& key : keys) { 244 for (const auto& key : keys) {
244 const uint8_t* hash; 245 const uint8_t* hash;
246 int hash_nid;
245 switch (key.hash_len) { 247 switch (key.hash_len) {
246 case SHA_DIGEST_SIZE: hash = sha1; break; 248 case SHA_DIGEST_LENGTH:
247 case SHA256_DIGEST_SIZE: hash = sha256; break; 249 hash = sha1;
248 default: continue; 250 hash_nid = NID_sha1;
251 break;
252 case SHA256_DIGEST_LENGTH:
253 hash = sha256;
254 hash_nid = NID_sha256;
255 break;
256 default:
257 continue;
249 } 258 }
250 259
251 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that 260 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
252 // the signing tool appends after the signature itself. 261 // the signing tool appends after the signature itself.
253 if (key.key_type == Certificate::RSA) { 262 if (key.key_type == Certificate::KEY_TYPE_RSA) {
254 if (sig_der_length < RSANUMBYTES) { 263 if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der,
255 // "signature" block isn't big enough to contain an RSA block. 264 sig_der_length, key.rsa.get())) {
256 LOGI("signature is too short for RSA key %zu\n", i);
257 continue;
258 }
259
260 if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES,
261 hash, key.hash_len)) {
262 LOGI("failed to verify against RSA key %zu\n", i); 265 LOGI("failed to verify against RSA key %zu\n", i);
263 continue; 266 continue;
264 } 267 }
@@ -266,18 +269,10 @@ int verify_file(unsigned char* addr, size_t length,
266 LOGI("whole-file signature verified against RSA key %zu\n", i); 269 LOGI("whole-file signature verified against RSA key %zu\n", i);
267 free(sig_der); 270 free(sig_der);
268 return VERIFY_SUCCESS; 271 return VERIFY_SUCCESS;
269 } else if (key.key_type == Certificate::EC 272 } else if (key.key_type == Certificate::KEY_TYPE_EC
270 && key.hash_len == SHA256_DIGEST_SIZE) { 273 && key.hash_len == SHA256_DIGEST_LENGTH) {
271 p256_int r, s; 274 if (!ECDSA_verify(0, hash, key.hash_len, sig_der,
272 if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) { 275 sig_der_length, key.ec.get())) {
273 LOGI("Not a DSA signature block for EC key %zu\n", i);
274 continue;
275 }
276
277 p256_int p256_hash;
278 p256_from_bin(hash, &p256_hash);
279 if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y),
280 &p256_hash, &r, &s)) {
281 LOGI("failed to verify against EC key %zu\n", i); 276 LOGI("failed to verify against EC key %zu\n", i);
282 continue; 277 continue;
283 } 278 }
@@ -295,6 +290,144 @@ int verify_file(unsigned char* addr, size_t length,
295 return VERIFY_FAILURE; 290 return VERIFY_FAILURE;
296} 291}
297 292
293std::unique_ptr<RSA, RSADeleter> parse_rsa_key(FILE* file, uint32_t exponent) {
294 // Read key length in words and n0inv. n0inv is a precomputed montgomery
295 // parameter derived from the modulus and can be used to speed up
296 // verification. n0inv is 32 bits wide here, assuming the verification logic
297 // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits
298 // internally, in which case we don't have a valid n0inv. Thus, we just
299 // ignore the montgomery parameters and have BoringSSL recompute them
300 // internally. If/When the speedup from using the montgomery parameters
301 // becomes relevant, we can add more sophisticated code here to obtain a
302 // 64-bit n0inv and initialize the montgomery parameters in the key object.
303 uint32_t key_len_words = 0;
304 uint32_t n0inv = 0;
305 if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) {
306 return nullptr;
307 }
308
309 if (key_len_words > 8192 / 32) {
310 LOGE("key length (%d) too large\n", key_len_words);
311 return nullptr;
312 }
313
314 // Read the modulus.
315 std::unique_ptr<uint32_t[]> modulus(new uint32_t[key_len_words]);
316 if (fscanf(file, " , { %u", &modulus[0]) != 1) {
317 return nullptr;
318 }
319 for (uint32_t i = 1; i < key_len_words; ++i) {
320 if (fscanf(file, " , %u", &modulus[i]) != 1) {
321 return nullptr;
322 }
323 }
324
325 // Cconvert from little-endian array of little-endian words to big-endian
326 // byte array suitable as input for BN_bin2bn.
327 std::reverse((uint8_t*)modulus.get(),
328 (uint8_t*)(modulus.get() + key_len_words));
329
330 // The next sequence of values is the montgomery parameter R^2. Since we
331 // generally don't have a valid |n0inv|, we ignore this (see comment above).
332 uint32_t rr_value;
333 if (fscanf(file, " } , { %u", &rr_value) != 1) {
334 return nullptr;
335 }
336 for (uint32_t i = 1; i < key_len_words; ++i) {
337 if (fscanf(file, " , %u", &rr_value) != 1) {
338 return nullptr;
339 }
340 }
341 if (fscanf(file, " } } ") != 0) {
342 return nullptr;
343 }
344
345 // Initialize the key.
346 std::unique_ptr<RSA, RSADeleter> key(RSA_new());
347 if (!key) {
348 return nullptr;
349 }
350
351 key->n = BN_bin2bn((uint8_t*)modulus.get(),
352 key_len_words * sizeof(uint32_t), NULL);
353 if (!key->n) {
354 return nullptr;
355 }
356
357 key->e = BN_new();
358 if (!key->e || !BN_set_word(key->e, exponent)) {
359 return nullptr;
360 }
361
362 return key;
363}
364
365struct BNDeleter {
366 void operator()(BIGNUM* bn) {
367 BN_free(bn);
368 }
369};
370
371std::unique_ptr<EC_KEY, ECKEYDeleter> parse_ec_key(FILE* file) {
372 uint32_t key_len_bytes = 0;
373 if (fscanf(file, " %i", &key_len_bytes) != 1) {
374 return nullptr;
375 }
376
377 std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> group(
378 EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free);
379 if (!group) {
380 return nullptr;
381 }
382
383 // Verify that |key_len| matches the group order.
384 if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) {
385 return nullptr;
386 }
387
388 // Read the public key coordinates. Note that the byte order in the file is
389 // little-endian, so we convert to big-endian here.
390 std::unique_ptr<uint8_t[]> bytes(new uint8_t[key_len_bytes]);
391 std::unique_ptr<BIGNUM, BNDeleter> point[2];
392 for (int i = 0; i < 2; ++i) {
393 unsigned int byte = 0;
394 if (fscanf(file, " , { %u", &byte) != 1) {
395 return nullptr;
396 }
397 bytes[key_len_bytes - 1] = byte;
398
399 for (size_t i = 1; i < key_len_bytes; ++i) {
400 if (fscanf(file, " , %u", &byte) != 1) {
401 return nullptr;
402 }
403 bytes[key_len_bytes - i - 1] = byte;
404 }
405
406 point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr));
407 if (!point[i]) {
408 return nullptr;
409 }
410
411 if (fscanf(file, " }") != 0) {
412 return nullptr;
413 }
414 }
415
416 if (fscanf(file, " } ") != 0) {
417 return nullptr;
418 }
419
420 // Create and initialize the key.
421 std::unique_ptr<EC_KEY, ECKEYDeleter> key(EC_KEY_new());
422 if (!key || !EC_KEY_set_group(key.get(), group.get()) ||
423 !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(),
424 point[1].get())) {
425 return nullptr;
426 }
427
428 return key;
429}
430
298// Reads a file containing one or more public keys as produced by 431// Reads a file containing one or more public keys as produced by
299// DumpPublicKey: this is an RSAPublicKey struct as it would appear 432// DumpPublicKey: this is an RSAPublicKey struct as it would appear
300// as a C source literal, eg: 433// as a C source literal, eg:
@@ -335,94 +468,57 @@ bool load_keys(const char* filename, std::vector<Certificate>& certs) {
335 } 468 }
336 469
337 while (true) { 470 while (true) {
338 certs.emplace_back(0, Certificate::RSA, nullptr, nullptr); 471 certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr);
339 Certificate& cert = certs.back(); 472 Certificate& cert = certs.back();
473 uint32_t exponent = 0;
340 474
341 char start_char; 475 char start_char;
342 if (fscanf(f.get(), " %c", &start_char) != 1) return false; 476 if (fscanf(f.get(), " %c", &start_char) != 1) return false;
343 if (start_char == '{') { 477 if (start_char == '{') {
344 // a version 1 key has no version specifier. 478 // a version 1 key has no version specifier.
345 cert.key_type = Certificate::RSA; 479 cert.key_type = Certificate::KEY_TYPE_RSA;
346 cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey); 480 exponent = 3;
347 cert.rsa->exponent = 3; 481 cert.hash_len = SHA_DIGEST_LENGTH;
348 cert.hash_len = SHA_DIGEST_SIZE;
349 } else if (start_char == 'v') { 482 } else if (start_char == 'v') {
350 int version; 483 int version;
351 if (fscanf(f.get(), "%d {", &version) != 1) return false; 484 if (fscanf(f.get(), "%d {", &version) != 1) return false;
352 switch (version) { 485 switch (version) {
353 case 2: 486 case 2:
354 cert.key_type = Certificate::RSA; 487 cert.key_type = Certificate::KEY_TYPE_RSA;
355 cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey); 488 exponent = 65537;
356 cert.rsa->exponent = 65537; 489 cert.hash_len = SHA_DIGEST_LENGTH;
357 cert.hash_len = SHA_DIGEST_SIZE;
358 break; 490 break;
359 case 3: 491 case 3:
360 cert.key_type = Certificate::RSA; 492 cert.key_type = Certificate::KEY_TYPE_RSA;
361 cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey); 493 exponent = 3;
362 cert.rsa->exponent = 3; 494 cert.hash_len = SHA256_DIGEST_LENGTH;
363 cert.hash_len = SHA256_DIGEST_SIZE;
364 break; 495 break;
365 case 4: 496 case 4:
366 cert.key_type = Certificate::RSA; 497 cert.key_type = Certificate::KEY_TYPE_RSA;
367 cert.rsa = std::unique_ptr<RSAPublicKey>(new RSAPublicKey); 498 exponent = 65537;
368 cert.rsa->exponent = 65537; 499 cert.hash_len = SHA256_DIGEST_LENGTH;
369 cert.hash_len = SHA256_DIGEST_SIZE;
370 break; 500 break;
371 case 5: 501 case 5:
372 cert.key_type = Certificate::EC; 502 cert.key_type = Certificate::KEY_TYPE_EC;
373 cert.ec = std::unique_ptr<ECPublicKey>(new ECPublicKey); 503 cert.hash_len = SHA256_DIGEST_LENGTH;
374 cert.hash_len = SHA256_DIGEST_SIZE;
375 break; 504 break;
376 default: 505 default:
377 return false; 506 return false;
378 } 507 }
379 } 508 }
380 509
381 if (cert.key_type == Certificate::RSA) { 510 if (cert.key_type == Certificate::KEY_TYPE_RSA) {
382 RSAPublicKey* key = cert.rsa.get(); 511 cert.rsa = parse_rsa_key(f.get(), exponent);
383 if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv), 512 if (!cert.rsa) {
384 &(key->n[0])) != 3) { 513 return false;
385 return false;
386 }
387 if (key->len != RSANUMWORDS) {
388 LOGE("key length (%d) does not match expected size\n", key->len);
389 return false;
390 }
391 for (int i = 1; i < key->len; ++i) {
392 if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false;
393 } 514 }
394 if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false; 515
395 for (int i = 1; i < key->len; ++i) { 516 LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len);
396 if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false; 517 } else if (cert.key_type == Certificate::KEY_TYPE_EC) {
397 } 518 cert.ec = parse_ec_key(f.get());
398 fscanf(f.get(), " } } "); 519 if (!cert.ec) {
399 520 return false;
400 LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len);
401 } else if (cert.key_type == Certificate::EC) {
402 ECPublicKey* key = cert.ec.get();
403 int key_len;
404 unsigned int byte;
405 uint8_t x_bytes[P256_NBYTES];
406 uint8_t y_bytes[P256_NBYTES];
407 if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false;
408 if (key_len != P256_NBYTES) {
409 LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES);
410 return false;
411 }
412 x_bytes[P256_NBYTES - 1] = byte;
413 for (int i = P256_NBYTES - 2; i >= 0; --i) {
414 if (fscanf(f.get(), " , %u", &byte) != 1) return false;
415 x_bytes[i] = byte;
416 }
417 if (fscanf(f.get(), " } , { %u", &byte) != 1) return false;
418 y_bytes[P256_NBYTES - 1] = byte;
419 for (int i = P256_NBYTES - 2; i >= 0; --i) {
420 if (fscanf(f.get(), " , %u", &byte) != 1) return false;
421 y_bytes[i] = byte;
422 } 521 }
423 fscanf(f.get(), " } } ");
424 p256_from_bin(x_bytes, &key->x);
425 p256_from_bin(y_bytes, &key->y);
426 } else { 522 } else {
427 LOGE("Unknown key type %d\n", cert.key_type); 523 LOGE("Unknown key type %d\n", cert.key_type);
428 return false; 524 return false;