author | Randall Spangler <rspangler@chromium.org> | 2016-05-11 13:50:18 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-22 18:40:04 -0700 |
commit | 7c3ae42e045935728a63a6d592ecf6c5bdbd005a (patch) | |
tree | b03c1bde6af714d2229b2362ad1d64b99c8f581d /host | |
parent | b3a625f8fef1768d78eab4cfaaea270cb3fbd0c3 (diff) | |
download | vboot-7c3ae42e045935728a63a6d592ecf6c5bdbd005a.tar.gz |
vboot: Convert vboot1 SHA calls to use vboot2
This change replaces all calls to the old vboot1 SHA library with their
vboot2 equivalents.
This is the first in a long series of changes to move the core vboot kernel
verification into vb2, and the control/display loop out to depthcharge.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus firmware and boot it
Change-Id: I31986eb766176c0e39a192c5ce15730471c3cf94
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/344342
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Diffstat (limited to 'host')
-rw-r--r-- | host/lib/file_keys.c | 39 | ||||
-rw-r--r-- | host/lib/host_keyblock.c | 15 | ||||
-rw-r--r-- | host/lib/host_signature.c | 70 | ||||
-rw-r--r-- | host/lib/include/file_keys.h | 10 | ||||
-rw-r--r-- | host/lib/signature_digest.c | 18 | ||||
-rw-r--r-- | host/lib/util_misc.c | 21 | ||||
-rw-r--r-- | host/linktest/main.c | 2 |
7 files changed, 96 insertions, 79 deletions
diff --git a/host/lib/file_keys.c b/host/lib/file_keys.c index ac9af17d..fd07752b 100644 --- a/host/lib/file_keys.c +++ b/host/lib/file_keys.c @@ -13,6 +13,10 @@ #include <sys/types.h> #include <unistd.h> +#include "2sysincludes.h" + +#include "2common.h" +#include "2sha.h" #include "cryptolib.h" #include "file_keys.h" #include "host_common.h" @@ -59,23 +63,22 @@ RSAPublicKey* RSAPublicKeyFromFile(const char* input_file) { return key; } -uint8_t* DigestFile(char* input_file, int sig_algorithm) { - int input_fd, len; - uint8_t data[SHA1_BLOCK_SIZE]; - uint8_t* digest = NULL; - DigestContext ctx; +int DigestFile(char *input_file, enum vb2_hash_algorithm alg, + uint8_t *digest, uint32_t digest_size) { + int input_fd, len; + uint8_t data[VB2_SHA1_BLOCK_SIZE]; + struct vb2_digest_context ctx; - if( (input_fd = open(input_file, O_RDONLY)) == -1 ) { - VBDEBUG(("Couldn't open %s\n", input_file)); - return NULL; - } - DigestInit(&ctx, sig_algorithm); - while ( (len = read(input_fd, data, SHA1_BLOCK_SIZE)) == - SHA1_BLOCK_SIZE) - DigestUpdate(&ctx, data, len); - if (len != -1) - DigestUpdate(&ctx, data, len); - digest = DigestFinal(&ctx); - close(input_fd); - return digest; + if( (input_fd = open(input_file, O_RDONLY)) == -1 ) { + VBDEBUG(("Couldn't open %s\n", input_file)); + return VB2_ERROR_UNKNOWN; + } + vb2_digest_init(&ctx, alg); + while ((len = read(input_fd, data, sizeof(data))) == sizeof(data)) + vb2_digest_extend(&ctx, data, len); + if (len != -1) + vb2_digest_extend(&ctx, data, len); + close(input_fd); + + return vb2_digest_finalize(&ctx, digest, digest_size); } diff --git a/host/lib/host_keyblock.c b/host/lib/host_keyblock.c index e1dd95be..333b7d4f 100644 --- a/host/lib/host_keyblock.c +++ b/host/lib/host_keyblock.c @@ -5,7 +5,10 @@ * Host functions for verified boot. */ +#include "2sysincludes.h" +#include "2common.h" +#include "2sha.h" #include "cryptolib.h" #include "host_common.h" #include "host_keyblock.h" 
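Review bot: DigestFile now returns a status code, but a `read()` failure is still reported as success: when `len` is -1 the loop exits, the trailing extend is skipped, and `vb2_digest_finalize` returns a digest of whatever was read before the error. The loop also stops at the first short read, so on an input that delivers fewer than `sizeof(data)` bytes before EOF (a pipe, for example) the remainder of the file is never hashed. The result of `vb2_digest_init(&ctx, alg)` is ignored as well, so an unsupported `alg` is only caught later, if at all. Since callers use this digest for signing, I would loop until `read()` returns 0, return an error on -1, and propagate the init failure, as sketched below.

```c
int DigestFile(char *input_file, enum vb2_hash_algorithm alg,
	       uint8_t *digest, uint32_t digest_size) {
	/* … unchanged: declarations of input_fd, len, data, ctx; open() and its error path … */
	int rv = vb2_digest_init(&ctx, alg);
	if (rv != VB2_SUCCESS) {
		close(input_fd);
		return rv;
	}
	/* read() may return a short count before EOF; stop only at 0 or error */
	while ((len = read(input_fd, data, sizeof(data))) > 0)
		vb2_digest_extend(&ctx, data, len);
	close(input_fd);
	if (len < 0)
		return VB2_ERROR_UNKNOWN;

	return vb2_digest_finalize(&ctx, digest, digest_size);
}
```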
@@ -18,7 +21,7 @@ VbKeyBlockHeader* KeyBlockCreate(const VbPublicKey* data_key, VbKeyBlockHeader* h; uint64_t signed_size = sizeof(VbKeyBlockHeader) + data_key->key_size; - uint64_t block_size = (signed_size + SHA512_DIGEST_SIZE + + uint64_t block_size = (signed_size + VB2_SHA512_DIGEST_SIZE + (signing_key ? siglen_map[signing_key->algorithm] : 0)); uint8_t* data_key_dest; @@ -32,7 +35,7 @@ VbKeyBlockHeader* KeyBlockCreate(const VbPublicKey* data_key, return NULL; data_key_dest = (uint8_t*)(h + 1); block_chk_dest = data_key_dest + data_key->key_size; - block_sig_dest = block_chk_dest + SHA512_DIGEST_SIZE; + block_sig_dest = block_chk_dest + VB2_SHA512_DIGEST_SIZE; Memcpy(h->magic, KEY_BLOCK_MAGIC, KEY_BLOCK_MAGIC_SIZE); h->header_version_major = KEY_BLOCK_HEADER_VERSION_MAJOR; @@ -46,7 +49,7 @@ VbKeyBlockHeader* KeyBlockCreate(const VbPublicKey* data_key, /* Set up signature structs so we can calculate the signatures */ SignatureInit(&h->key_block_checksum, block_chk_dest, - SHA512_DIGEST_SIZE, signed_size); + VB2_SHA512_DIGEST_SIZE, signed_size); if (signing_key) SignatureInit(&h->key_block_signature, block_sig_dest, siglen_map[signing_key->algorithm], signed_size); @@ -79,7 +82,7 @@ VbKeyBlockHeader* KeyBlockCreate_external(const VbPublicKey* data_key, const char* external_signer) { VbKeyBlockHeader* h; uint64_t signed_size = sizeof(VbKeyBlockHeader) + data_key->key_size; - uint64_t block_size = (signed_size + SHA512_DIGEST_SIZE + + uint64_t block_size = (signed_size + VB2_SHA512_DIGEST_SIZE + siglen_map[algorithm]); uint8_t* data_key_dest; uint8_t* block_sig_dest; 
@@ -95,7 +98,7 @@ VbKeyBlockHeader* KeyBlockCreate_external(const VbPublicKey* data_key, data_key_dest = (uint8_t*)(h + 1); block_chk_dest = data_key_dest + data_key->key_size; - block_sig_dest = block_chk_dest + SHA512_DIGEST_SIZE; + block_sig_dest = block_chk_dest + VB2_SHA512_DIGEST_SIZE; Memcpy(h->magic, KEY_BLOCK_MAGIC, KEY_BLOCK_MAGIC_SIZE); h->header_version_major = KEY_BLOCK_HEADER_VERSION_MAJOR; @@ -109,7 +112,7 @@ VbKeyBlockHeader* KeyBlockCreate_external(const VbPublicKey* data_key, /* Set up signature structs so we can calculate the signatures */ SignatureInit(&h->key_block_checksum, block_chk_dest, - SHA512_DIGEST_SIZE, signed_size); + VB2_SHA512_DIGEST_SIZE, signed_size); SignatureInit(&h->key_block_signature, block_sig_dest, siglen_map[algorithm], signed_size); diff --git a/host/lib/host_signature.c b/host/lib/host_signature.c index 68eba295..57676842 100644 --- a/host/lib/host_signature.c +++ b/host/lib/host_signature.c @@ -15,6 +15,10 @@ #include <sys/wait.h> #include <unistd.h> +#include "2sysincludes.h" + +#include "2common.h" +#include "2sha.h" #include "cryptolib.h" #include "file_keys.h" #include "host_common.h" 
@@ -53,49 +57,46 @@ int SignatureCopy(VbSignature* dest, const VbSignature* src) { VbSignature* CalculateChecksum(const uint8_t* data, uint64_t size) { - uint8_t* header_checksum; + uint8_t header_checksum[VB2_SHA512_DIGEST_SIZE]; VbSignature* sig; - header_checksum = DigestBuf(data, size, SHA512_DIGEST_ALGORITHM); - if (!header_checksum) + if (VB2_SUCCESS != vb2_digest_buffer(data, size, VB2_HASH_SHA512, + header_checksum, + sizeof(header_checksum))) return NULL; - sig = SignatureAlloc(SHA512_DIGEST_SIZE, 0); - if (!sig) { - VbExFree(header_checksum); + sig = SignatureAlloc(VB2_SHA512_DIGEST_SIZE, 0); + if (!sig) return NULL; - } + sig->sig_offset = sizeof(VbSignature); - sig->sig_size = SHA512_DIGEST_SIZE; + sig->sig_size = VB2_SHA512_DIGEST_SIZE; sig->data_size = size; /* Signature data immediately follows the header */ - Memcpy(GetSignatureData(sig), header_checksum, SHA512_DIGEST_SIZE); - VbExFree(header_checksum); + Memcpy(GetSignatureData(sig), header_checksum, VB2_SHA512_DIGEST_SIZE); return sig; } VbSignature* CalculateHash(const uint8_t* data, uint64_t size, const VbPrivateKey* key) { - uint8_t* digest = NULL; - int digest_size = hash_size_map[key->algorithm]; + int vb2_alg = vb2_crypto_to_hash(key->algorithm); + uint8_t digest[VB2_MAX_DIGEST_SIZE]; + int digest_size = vb2_digest_size(vb2_alg); VbSignature* sig = NULL; /* Calculate the digest */ - digest = DigestBuf(data, size, key->algorithm); - if (!digest) + if (VB2_SUCCESS != vb2_digest_buffer(data, size, vb2_alg, + digest, sizeof(digest))) return NULL; /* Allocate output signature */ sig = SignatureAlloc(digest_size, size); - if (!sig) { - free(digest); + if (!sig) return NULL; - } /* The digest itself is the signature data */ Memcpy(GetSignatureData(sig), digest, digest_size); - free(digest); /* Return the signature */ return sig; 
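Review bot: `vb2_alg` is declared `int` in CalculateHash, and again in CalculateSignature and CalculateSignature_external in the later hunks of this file, although it holds the result of `vb2_crypto_to_hash()` and the new DigestFile prototype in this commit uses `enum vb2_hash_algorithm` for the same kind of value. Declaring it as `enum vb2_hash_algorithm vb2_alg = vb2_crypto_to_hash(key->algorithm);` keeps the hash id visibly distinct from the signature-algorithm index, which still indexes `siglen_map` and the digestinfo tables in the same functions. A short comment such as `/* key->algorithm is the vboot1 signature algorithm index; vb2_alg is the hash it implies */` would make the two number spaces explicit while both libraries are in use. CalculateHash's body continues past the end of this hunk.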
@@ -103,9 +104,9 @@ VbSignature* CalculateHash(const uint8_t* data, uint64_t size, VbSignature* CalculateSignature(const uint8_t* data, uint64_t size, const VbPrivateKey* key) { - - uint8_t* digest; - int digest_size = hash_size_map[key->algorithm]; + int vb2_alg = vb2_crypto_to_hash(key->algorithm); + uint8_t digest[VB2_MAX_DIGEST_SIZE]; + int digest_size = vb2_digest_size(vb2_alg); const uint8_t* digestinfo = hash_digestinfo_map[key->algorithm]; int digestinfo_size = digestinfo_size_map[key->algorithm]; @@ -117,20 +118,17 @@ VbSignature* CalculateSignature(const uint8_t* data, uint64_t size, int rv; /* Calculate the digest */ - /* TODO: rename param 3 of DigestBuf to hash_type */ - digest = DigestBuf(data, size, hash_type_map[key->algorithm]); - if (!digest) + if (VB2_SUCCESS != vb2_digest_buffer(data, size, vb2_alg, + digest, sizeof(digest))) return NULL; /* Prepend the digest info to the digest */ signature_digest = malloc(signature_digest_len); - if (!signature_digest) { - VbExFree(digest); + if (!signature_digest) return NULL; - } + Memcpy(signature_digest, digestinfo, digestinfo_size); Memcpy(signature_digest + digestinfo_size, digest, digest_size); - VbExFree(digest); /* Allocate output signature */ sig = SignatureAlloc(siglen_map[key->algorithm], size); @@ -249,8 +247,9 @@ VbSignature* CalculateSignature_external(const uint8_t* data, uint64_t size, const char* key_file, uint64_t key_algorithm, const char* external_signer) { - uint8_t* digest; - uint64_t digest_size = hash_size_map[key_algorithm]; + int vb2_alg = vb2_crypto_to_hash(key_algorithm); + uint8_t digest[VB2_MAX_DIGEST_SIZE]; + int digest_size = vb2_digest_size(vb2_alg); const uint8_t* digestinfo = hash_digestinfo_map[key_algorithm]; uint64_t digestinfo_size = digestinfo_size_map[key_algorithm]; 
@@ -262,20 +261,17 @@ VbSignature* CalculateSignature_external(const uint8_t* data, uint64_t size, int rv; /* Calculate the digest */ - /* TODO: rename param 3 of DigestBuf to hash_type */ - digest = DigestBuf(data, size, hash_type_map[key_algorithm]); - if (!digest) + if (VB2_SUCCESS != vb2_digest_buffer(data, size, vb2_alg, + digest, sizeof(digest))) return NULL; /* Prepend the digest info to the digest */ signature_digest = malloc(signature_digest_len); - if (!signature_digest) { - free(digest); + if (!signature_digest) return NULL; - } + Memcpy(signature_digest, digestinfo, digestinfo_size); Memcpy(signature_digest + digestinfo_size, digest, digest_size); - free(digest); /* Allocate output signature */ sig = SignatureAlloc(siglen_map[key_algorithm], size); diff --git a/host/lib/include/file_keys.h b/host/lib/include/file_keys.h index ac6f9ee4..e783c85e 100644 --- a/host/lib/include/file_keys.h +++ b/host/lib/include/file_keys.h @@ -9,6 +9,7 @@ #define VBOOT_REFERENCE_FILE_KEYS_H_ #include "cryptolib.h" +#include "2sha.h" /* Read file named [input_file] into a buffer and stores the length into * [len]. @@ -25,10 +26,11 @@ uint8_t* BufferFromFile(const char* input_file, uint64_t* len); */ RSAPublicKey* RSAPublicKeyFromFile(const char* input_file); -/* Returns the appropriate digest for the data in [input_file] - * based on the signature [algorithm]. - * Caller owns the returned digest and must free it. +/* Calculates the appropriate digest for the data in [input_file] based on the + * hash algorithm [alg] and stores it into [digest], which is of size + * [digest_size]. Returns VB2_SUCCESS, or non-zero on error. */ -uint8_t* DigestFile(char* input_file, int sig_algorithm); +int DigestFile(char *input_file, enum vb2_hash_algorithm alg, + uint8_t *digest, uint32_t digest_size); #endif /* VBOOT_REFERENCE_FILE_KEYS_H_ */ diff --git a/host/lib/signature_digest.c b/host/lib/signature_digest.c index dcc2cf26..b56233a0 100644 --- a/host/lib/signature_digest.c 
+++ b/host/lib/signature_digest.c @@ -9,13 +9,17 @@ #include <stdlib.h> #include <unistd.h> +#include "2sysincludes.h" + +#include "2common.h" +#include "2sha.h" #include "cryptolib.h" #include "host_common.h" #include "signature_digest.h" uint8_t* PrependDigestInfo(unsigned int algorithm, uint8_t* digest) { - const int digest_size = hash_size_map[algorithm]; + const int digest_size = vb2_digest_size(vb2_crypto_to_hash(algorithm)); const int digestinfo_size = digestinfo_size_map[algorithm]; const uint8_t* digestinfo = hash_digestinfo_map[algorithm]; uint8_t* p = malloc(digestinfo_size + digest_size); @@ -27,14 +31,16 @@ uint8_t* PrependDigestInfo(unsigned int algorithm, uint8_t* digest) { uint8_t* SignatureDigest(const uint8_t* buf, uint64_t len, unsigned int algorithm) { uint8_t* info_digest = NULL; - uint8_t* digest = NULL; + + uint8_t digest[VB2_SHA512_DIGEST_SIZE]; /* Longest digest */ if (algorithm >= kNumAlgorithms) { VBDEBUG(("SignatureDigest() called with invalid algorithm!\n")); - } else if ((digest = DigestBuf(buf, len, algorithm))) { + } else if (VB2_SUCCESS == vb2_digest_buffer(buf, len, + vb2_crypto_to_hash(algorithm), + digest, sizeof(digest))) { info_digest = PrependDigestInfo(algorithm, digest); } - free(digest); return info_digest; } @@ -44,8 +50,8 @@ uint8_t* SignatureBuf(const uint8_t* buf, uint64_t len, const char* key_file, RSA* key = NULL; uint8_t* signature = NULL; uint8_t* signature_digest = SignatureDigest(buf, len, algorithm); - int signature_digest_len = (hash_size_map[algorithm] + - digestinfo_size_map[algorithm]); + const int digest_size = vb2_digest_size(vb2_crypto_to_hash(algorithm)); + int signature_digest_len = (digest_size + digestinfo_size_map[algorithm]); key_fp = fopen(key_file, "r"); if (!key_fp) { VBDEBUG(("SignatureBuf(): Couldn't open key file: %s\n", key_file)); diff --git a/host/lib/util_misc.c b/host/lib/util_misc.c index 03ec683f..dbcdc6e1 100644 --- a/host/lib/util_misc.c +++ b/host/lib/util_misc.c 
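Review bot: SignatureDigest sizes its stack buffer with `VB2_SHA512_DIGEST_SIZE` and a "Longest digest" comment, while the host_signature.c hunks in this same commit use `VB2_MAX_DIGEST_SIZE` for the same purpose. Writing `uint8_t digest[VB2_MAX_DIGEST_SIZE];` here keeps the buffer tied to the library's own maximum if a longer hash is added later. Because `sizeof(digest)` is passed to `vb2_digest_buffer`, an undersized buffer should presumably show up as a failed digest rather than an overflow, but that check lives in vb2 code not shown on this page. The added blank `+` line above the declaration can be dropped.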
@@ -13,6 +13,10 @@ #include <string.h> #include <unistd.h> +#include "2sysincludes.h" + +#include "2common.h" +#include "2sha.h" #include "cryptolib.h" #include "host_common.h" #include "util_misc.h" @@ -22,17 +26,20 @@ void PrintPubKeySha1Sum(VbPublicKey *key) { uint8_t *buf = ((uint8_t *)key) + key->key_offset; uint64_t buflen = key->key_size; - uint8_t *digest = DigestBuf(buf, buflen, SHA1_DIGEST_ALGORITHM); + uint8_t digest[VB2_SHA1_DIGEST_SIZE]; + + vb2_digest_buffer(buf, buflen, VB2_HASH_SHA1, digest, sizeof(digest)); + int i; - for (i = 0; i < SHA1_DIGEST_SIZE; i++) + for (i = 0; i < sizeof(digest); i++) printf("%02x", digest[i]); - free(digest); } void PrintPrivKeySha1Sum(VbPrivateKey *key) { - uint8_t *buf, *digest; + uint8_t *buf; uint32_t buflen; + uint8_t digest[VB2_SHA1_DIGEST_SIZE]; int i; if (vb_keyb_from_rsa(key->rsa_private_key, &buf, &buflen)) { @@ -40,11 +47,11 @@ void PrintPrivKeySha1Sum(VbPrivateKey *key) return; } - digest = DigestBuf(buf, buflen, SHA1_DIGEST_ALGORITHM); - for (i = 0; i < SHA1_DIGEST_SIZE; i++) + vb2_digest_buffer(buf, buflen, VB2_HASH_SHA1, digest, sizeof(digest)); + + for (i = 0; i < sizeof(digest); i++) printf("%02x", digest[i]); - free(digest); free(buf); } diff --git a/host/linktest/main.c b/host/linktest/main.c index 8e1525fa..5e7aa275 100644 --- a/host/linktest/main.c +++ b/host/linktest/main.c @@ -46,7 +46,7 @@ int main(void) /* file_keys.h */ BufferFromFile(0, 0); RSAPublicKeyFromFile(0); - DigestFile(0, 0); + DigestFile(0, 0, 0, 0); /* signature_digest.h */ PrependDigestInfo(0, 0); |
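Review bot: The return value of `vb2_digest_buffer` is ignored in PrintPubKeySha1Sum and in PrintPrivKeySha1Sum, so if hashing fails the loop prints the uninitialized stack array `digest` as though it were the key's SHA-1 sum. Check the call before printing, e.g. `if (VB2_SUCCESS != vb2_digest_buffer(buf, buflen, VB2_HASH_SHA1, digest, sizeof(digest))) return;`, and in PrintPrivKeySha1Sum call `free(buf)` before that early return. Both loops also compare the signed `int i` with `sizeof(digest)`; bounding the loop with `VB2_SHA1_DIGEST_SIZE` or using an unsigned index avoids the signed/unsigned comparison. In PrintPubKeySha1Sum, `int i;` now follows a statement, which is worth moving up if the file is meant to keep declarations at the top of the block.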