-rw-r--r-- | firmware/lib/include/vboot_common.h | 10 | ||||
-rw-r--r-- | firmware/lib/vboot_common.c | 16 | ||||
-rw-r--r-- | firmware/lib/vboot_firmware.c | 6 | ||||
-rw-r--r-- | firmware/lib/vboot_kernel.c | 3 | ||||
-rw-r--r-- | firmware/linktest/main.c | 6 | ||||
-rw-r--r-- | firmware/version.c | 2 | ||||
-rw-r--r-- | tests/vboot_common2_tests.c | 64 | ||||
-rw-r--r-- | tests/vboot_common3_tests.c | 54 | ||||
-rw-r--r-- | utility/vbutil_firmware.c | 4 | ||||
-rw-r--r-- | utility/vbutil_kernel.c | 8 |
10 files changed, 94 insertions, 79 deletions
diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h
index b7998a7a..74d85800 100644
--- a/firmware/lib/include/vboot_common.h
+++ b/firmware/lib/include/vboot_common.h
@@ -70,8 +70,10 @@ int PublicKeyCopy(VbPublicKey* dest, const VbPublicKey* src);
 RSAPublicKey* PublicKeyToRSA(const VbPublicKey* key);
-/* Verifies [data] matches signature [sig] using [key]. */
-int VerifyData(const uint8_t* data, const VbSignature* sig,
+/* Verifies [data] matches signature [sig] using [key]. [size] is the size
+ * of the data buffer; the amount of data to be validated is contained in
+ * sig->data_size. */
+int VerifyData(const uint8_t* data, uint64_t size, const VbSignature* sig,
 const RSAPublicKey* key);
@@ -93,7 +95,7 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
 * using public key [key].
 *
 * Returns VBOOT_SUCCESS if successful. */
-int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
+int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader* preamble,
 uint64_t size, const RSAPublicKey* key);
@@ -101,7 +103,7 @@ int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
 * using public key [key].
 *
 * Returns VBOOT_SUCCESS if successful. */
-int VerifyKernelPreamble2(const VbKernelPreambleHeader* preamble,
+int VerifyKernelPreamble(const VbKernelPreambleHeader* preamble,
 uint64_t size, const RSAPublicKey* key);
diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c
index be5a34de..a2a5d9f5 100644
--- a/firmware/lib/vboot_common.c
+++ b/firmware/lib/vboot_common.c
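Review bot: The new VerifyData comment documents [size] but still leaves the return convention unstated, and the neighbouring prototypes in this header say `Returns VBOOT_SUCCESS if successful`, which VerifyData does not follow — the vboot_common.c hunk returns a plain 1 on both failure paths. It is also worth saying what [size] does not cover: the new check bounds only sig->data_size, not sig_offset/sig_size, so the caller must already have verified that [sig] itself lies inside its containing structure (KeyBlockVerify and both preamble verifiers do this before calling). Suggest extending the comment with `Returns 0 if the signature verifies, non-zero otherwise. [sig] is not bounds-checked here; the caller must have validated that it lies within its containing structure.`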
@@ -126,13 +126,17 @@ RSAPublicKey* PublicKeyToRSA(const VbPublicKey* key) {
 }
-int VerifyData(const uint8_t* data, const VbSignature *sig,
+int VerifyData(const uint8_t* data, uint64_t size, const VbSignature *sig,
 const RSAPublicKey* key) {
 if (sig->sig_size != siglen_map[key->algorithm]) {
 VBDEBUG(("Wrong signature size for algorithm.\n"));
 return 1;
 }
+ if (sig->data_size > size) {
+ VBDEBUG(("Data buffer smaller than length of signed data.\n"));
+ return 1;
+ }
 if (!RSAVerifyBinary_f(NULL, key, data, sig->data_size,
 GetSignatureDataC(sig), key->algorithm))
@@ -201,7 +205,7 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
 VBDEBUG(("Signature calculated past end of the block\n"));
 return VBOOT_KEY_BLOCK_INVALID;
 }
- rv = VerifyData((const uint8_t*)block, sig, rsa);
+ rv = VerifyData((const uint8_t*)block, size, sig, rsa);
 RSAPublicKeyFree(rsa);
 if (rv)
 return VBOOT_KEY_BLOCK_SIGNATURE;
@@ -253,7 +257,7 @@ int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size,
 }
-int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
+int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader* preamble,
 uint64_t size, const RSAPublicKey* key) {
 const VbSignature* sig = &preamble->preamble_signature;
@@ -281,7 +285,7 @@ int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
 return VBOOT_PREAMBLE_INVALID;
 }
- if (VerifyData((const uint8_t*)preamble, sig, key)) {
+ if (VerifyData((const uint8_t*)preamble, size, sig, key)) {
 VBDEBUG(("Preamble signature validation failed\n"));
 return VBOOT_PREAMBLE_SIGNATURE;
 }
@@ -311,7 +315,7 @@ int VerifyFirmwarePreamble2(const VbFirmwarePreambleHeader* preamble,
 }
-int VerifyKernelPreamble2(const VbKernelPreambleHeader* preamble,
+int VerifyKernelPreamble(const VbKernelPreambleHeader* preamble,
 uint64_t size, const RSAPublicKey* key) {
 const VbSignature* sig = &preamble->preamble_signature;
@@ -331,7 +335,7 @@ int VerifyKernelPreamble2(const VbKernelPreambleHeader* preamble,
 VBDEBUG(("Preamble signature off end of preamble\n"));
 return VBOOT_PREAMBLE_INVALID;
 }
- if (VerifyData((const uint8_t*)preamble, sig, key)) {
+ if (VerifyData((const uint8_t*)preamble, size, sig, key)) {
 VBDEBUG(("Preamble signature validation failed\n"));
 return VBOOT_PREAMBLE_SIGNATURE;
 }
diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c
index e5d6f79e..307b3621 100644
--- a/firmware/lib/vboot_firmware.c
+++ b/firmware/lib/vboot_firmware.c
@@ -124,9 +124,9 @@ int LoadFirmware(LoadFirmwareParams* params) {
 /* Verify the preamble, which follows the key block. */
 preamble = (VbFirmwarePreambleHeader*)((uint8_t*)key_block +
 key_block->key_block_size);
- if ((0 != VerifyFirmwarePreamble2(preamble,
- vblock_size - key_block->key_block_size,
- data_key))) {
+ if ((0 != VerifyFirmwarePreamble(preamble,
+ vblock_size - key_block->key_block_size,
+ data_key))) {
 VBDEBUG(("Preamble verfication failed.\n"));
 RSAPublicKeyFree(data_key);
 continue;
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 03e4da81..7996564c 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -241,7 +241,7 @@ int LoadKernel(LoadKernelParams* params) {
 /* Verify the preamble, which follows the key block */
 preamble = (VbKernelPreambleHeader*)(kbuf + key_block->key_block_size);
- if ((0 != VerifyKernelPreamble2(preamble,
+ if ((0 != VerifyKernelPreamble(preamble,
 KBUF_SIZE - key_block->key_block_size,
 data_key))) {
 VBDEBUG(("Preamble verification failed.\n"));
@@ -313,6 +313,7 @@ int LoadKernel(LoadKernelParams* params) {
 /* Verify kernel data */
 if (0 != VerifyData((const uint8_t*)params->kernel_buffer,
+ params->kernel_buffer_size,
 &preamble->body_signature, data_key)) {
 VBDEBUG(("Kernel data verification failed.\n"));
 RSAPublicKeyFree(data_key);
diff --git a/firmware/linktest/main.c b/firmware/linktest/main.c
index bff8f006..966a345e 100644
--- a/firmware/linktest/main.c
+++ b/firmware/linktest/main.c
@@ -67,11 +67,11 @@ int main(void)
 PublicKeyInit(0, 0, 0);
 PublicKeyCopy(0, 0);
 PublicKeyToRSA(0);
- VerifyData(0, 0, 0);
+ VerifyData(0, 0, 0, 0);
 VerifyDigest(0, 0, 0);
 KeyBlockVerify(0, 0, 0);
- VerifyFirmwarePreamble2(0, 0, 0);
- VerifyKernelPreamble2(0, 0, 0);
+ VerifyFirmwarePreamble(0, 0, 0);
+ VerifyKernelPreamble(0, 0, 0);
 return 0;
 }
diff --git a/firmware/version.c b/firmware/version.c
index 978e65ec..c40f4e97 100644
--- a/firmware/version.c
+++ b/firmware/version.c
@@ -1 +1 @@
-char* VbootVersion = "VBOOv=5f9c5921";
+char* VbootVersion = "VBOOv=45bbe227";
diff --git a/tests/vboot_common2_tests.c b/tests/vboot_common2_tests.c
index f5815741..d03b60e3 100644
--- a/tests/vboot_common2_tests.c
+++ b/tests/vboot_common2_tests.c
@@ -45,23 +45,29 @@ static void VerifyDataTest(const VbPublicKey* public_key,
 const VbPrivateKey* private_key) {
 const uint8_t test_data[] = "This is some test data to sign.";
+ const uint64_t test_size = sizeof(test_data);
 VbSignature* sig;
 RSAPublicKey* rsa;
- sig = CalculateSignature(test_data, sizeof(test_data), private_key);
+ sig = CalculateSignature(test_data, test_size, private_key);
 rsa = PublicKeyToRSA(public_key);
 TEST_NEQ(sig && rsa, 0, "VerifyData() prerequisites");
 if (!sig || !rsa)
 return;
- TEST_EQ(VerifyData(test_data, sig, rsa), 0, "VerifyData() ok");
+ TEST_EQ(VerifyData(test_data, test_size, sig, rsa), 0, "VerifyData() ok");
 sig->sig_size -= 16;
- TEST_EQ(VerifyData(test_data, sig, rsa), 1, "VerifyData() wrong sig size");
+ TEST_EQ(VerifyData(test_data, test_size, sig, rsa), 1,
+ "VerifyData() wrong sig size");
 sig->sig_size += 16;
+ TEST_EQ(VerifyData(test_data, test_size - 1, sig, rsa), 1,
+ "VerifyData() input buffer too small");
 GetSignatureData(sig)[0] ^= 0x5A;
- TEST_EQ(VerifyData(test_data, sig, rsa), 1, "VerifyData() wrong sig");
+ TEST_EQ(VerifyData(test_data, test_size, sig, rsa), 1,
+ "VerifyData() wrong sig");
 RSAPublicKeyFree(rsa);
 Free(sig);
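Review bot: The new `input buffer too small` case only exercises size < data_size; nothing in the hunk pins that a buffer larger than the signed data still verifies, so a later tightening of the guard in VerifyData from `>` to `!=` would pass this test unnoticed while breaking callers that hand in a whole buffer rather than an exact length. Add the other side of the boundary next to it: `TEST_EQ(VerifyData(test_data, test_size + 1, sig, rsa), 0, "VerifyData() input buffer larger than data");`. VerifyData reads only sig->data_size bytes, so the larger size does not read past test_data. VerifyDataTest's body continues outside the hunk.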
@@ -118,61 +124,61 @@ static void VerifyKernelPreambleTest(const VbPublicKey* public_key, rsa = PublicKeyToRSA(public_key); hdr = CreateKernelPreamble(0x1234, 0x100000, 0x300000, 0x4000, body_sig, 0, private_key); - TEST_NEQ(hdr && rsa, 0, "VerifyKernelPreamble2() prerequisites"); + TEST_NEQ(hdr && rsa, 0, "VerifyKernelPreamble() prerequisites"); if (!hdr) return; hsize = (unsigned) hdr->preamble_size; h = (VbKernelPreambleHeader*)Malloc(hsize + 16384); - TEST_EQ(VerifyKernelPreamble2(hdr, hsize, rsa), 0, - "VerifyKernelPreamble2() ok using key"); - TEST_NEQ(VerifyKernelPreamble2(hdr, hsize - 1, rsa), 0, - "VerifyKernelPreamble2() size--"); - TEST_EQ(VerifyKernelPreamble2(hdr, hsize + 1, rsa), 0, - "VerifyKernelPreamble2() size++"); + TEST_EQ(VerifyKernelPreamble(hdr, hsize, rsa), 0, + "VerifyKernelPreamble() ok using key"); + TEST_NEQ(VerifyKernelPreamble(hdr, hsize - 1, rsa), 0, + "VerifyKernelPreamble() size--"); + TEST_EQ(VerifyKernelPreamble(hdr, hsize + 1, rsa), 0, + "VerifyKernelPreamble() size++"); /* Care about major version but not minor */ Memcpy(h, hdr, hsize); h->header_version_major++; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() major++"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() major++"); Memcpy(h, hdr, hsize); h->header_version_major--; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() major--"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() major--"); Memcpy(h, hdr, hsize); h->header_version_minor++; ReSignKernelPreamble(h, private_key); - TEST_EQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() minor++"); + TEST_EQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() minor++"); Memcpy(h, hdr, hsize); h->header_version_minor--; ReSignKernelPreamble(h, private_key); - TEST_EQ(VerifyKernelPreamble2(h, hsize, rsa), 
0, - "VerifyKernelPreamble2() minor--"); + TEST_EQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() minor--"); /* Check signature */ Memcpy(h, hdr, hsize); h->preamble_signature.sig_offset = hsize; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() sig off end"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() sig off end"); Memcpy(h, hdr, hsize); h->preamble_signature.sig_size--; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() sig too small"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() sig too small"); Memcpy(h, hdr, hsize); GetSignatureData(&h->body_signature)[0] ^= 0x34; - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() sig mismatch"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() sig mismatch"); /* Check that we signed header and body sig */ Memcpy(h, hdr, hsize); @@ -180,14 +186,14 @@ static void VerifyKernelPreambleTest(const VbPublicKey* public_key, h->body_signature.sig_offset = 0; h->body_signature.sig_size = 0; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() didn't sign header"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() didn't sign header"); Memcpy(h, hdr, hsize); h->body_signature.sig_offset = hsize; ReSignKernelPreamble(h, private_key); - TEST_NEQ(VerifyKernelPreamble2(h, hsize, rsa), 0, - "VerifyKernelPreamble2() body sig off end"); + TEST_NEQ(VerifyKernelPreamble(h, hsize, rsa), 0, + "VerifyKernelPreamble() body sig off end"); /* TODO: verify parser can support a bigger header. */ diff --git a/tests/vboot_common3_tests.c b/tests/vboot_common3_tests.c index 8b7e4702..ba0e058c 100644 --- a/tests/vboot_common3_tests.c +++ b/tests/vboot_common3_tests.c 
@@ -156,61 +156,61 @@ static void VerifyFirmwarePreambleTest(const VbPublicKey* public_key, rsa = PublicKeyToRSA(public_key); hdr = CreateFirmwarePreamble(0x1234, kernel_subkey, body_sig, private_key); - TEST_NEQ(hdr && rsa, 0, "VerifyFirmwarePreamble2() prerequisites"); + TEST_NEQ(hdr && rsa, 0, "VerifyFirmwarePreamble() prerequisites"); if (!hdr) return; hsize = (unsigned) hdr->preamble_size; h = (VbFirmwarePreambleHeader*)Malloc(hsize + 16384); - TEST_EQ(VerifyFirmwarePreamble2(hdr, hsize, rsa), 0, - "VerifyFirmwarePreamble2() ok using key"); - TEST_NEQ(VerifyFirmwarePreamble2(hdr, hsize - 1, rsa), 0, - "VerifyFirmwarePreamble2() size--"); - TEST_EQ(VerifyFirmwarePreamble2(hdr, hsize + 1, rsa), 0, - "VerifyFirmwarePreamble2() size++"); + TEST_EQ(VerifyFirmwarePreamble(hdr, hsize, rsa), 0, + "VerifyFirmwarePreamble() ok using key"); + TEST_NEQ(VerifyFirmwarePreamble(hdr, hsize - 1, rsa), 0, + "VerifyFirmwarePreamble() size--"); + TEST_EQ(VerifyFirmwarePreamble(hdr, hsize + 1, rsa), 0, + "VerifyFirmwarePreamble() size++"); /* Care about major version but not minor */ Memcpy(h, hdr, hsize); h->header_version_major++; ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() major++"); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() major++"); Memcpy(h, hdr, hsize); h->header_version_major--; ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() major--"); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() major--"); Memcpy(h, hdr, hsize); h->header_version_minor++; ReSignFirmwarePreamble(h, private_key); - TEST_EQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() minor++"); + TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() minor++"); Memcpy(h, hdr, hsize); h->header_version_minor--; ReSignFirmwarePreamble(h, 
private_key); - TEST_EQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() minor--"); + TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() minor--"); /* Check signature */ Memcpy(h, hdr, hsize); h->preamble_signature.sig_offset = hsize; ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() sig off end"); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig off end"); Memcpy(h, hdr, hsize); h->preamble_signature.sig_size--; ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() sig too small"); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig too small"); Memcpy(h, hdr, hsize); GetPublicKeyData(&h->kernel_subkey)[0] ^= 0x34; - TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0, - "VerifyFirmwarePreamble2() sig mismatch"); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig mismatch"); /* Check that we signed header, kernel subkey, and body sig */ Memcpy(h, hdr, hsize); 
@@ -220,20 +220,20 @@ static void VerifyFirmwarePreambleTest(const VbPublicKey* public_key,
 h->body_signature.sig_offset = 0;
 h->body_signature.sig_size = 0;
 ReSignFirmwarePreamble(h, private_key);
- TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0,
- "VerifyFirmwarePreamble2() didn't sign header");
+ TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0,
+ "VerifyFirmwarePreamble() didn't sign header");
 Memcpy(h, hdr, hsize);
 h->kernel_subkey.key_offset = hsize;
 ReSignFirmwarePreamble(h, private_key);
- TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0,
- "VerifyFirmwarePreamble2() kernel subkey off end");
+ TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0,
+ "VerifyFirmwarePreamble() kernel subkey off end");
 Memcpy(h, hdr, hsize);
 h->body_signature.sig_offset = hsize;
 ReSignFirmwarePreamble(h, private_key);
- TEST_NEQ(VerifyFirmwarePreamble2(h, hsize, rsa), 0,
- "VerifyFirmwarePreamble2() body sig off end");
+ TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0,
+ "VerifyFirmwarePreamble() body sig off end");
 /* TODO: verify parser can support a bigger header. */
diff --git a/utility/vbutil_firmware.c b/utility/vbutil_firmware.c
index cdeed265..3992a3a8 100644
--- a/utility/vbutil_firmware.c
+++ b/utility/vbutil_firmware.c
@@ -224,7 +224,7 @@ static int Verify(const char* infile, const char* signpubkey,
 /* Verify preamble */
 preamble = (VbFirmwarePreambleHeader*)(blob + now);
- if (0 != VerifyFirmwarePreamble2(preamble, blob_size - now, rsa)) {
+ if (0 != VerifyFirmwarePreamble(preamble, blob_size - now, rsa)) {
 error("Error verifying preamble.\n");
 return 1;
 }
@@ -247,7 +247,7 @@ static int Verify(const char* infile, const char* signpubkey,
 /* TODO: verify body size same as signature size */
 /* Verify body */
- if (0 != VerifyData(fv_data, &preamble->body_signature, rsa)) {
+ if (0 != VerifyData(fv_data, fv_size, &preamble->body_signature, rsa)) {
 error("Error verifying firmware body.\n");
 return 1;
 }
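Review bot: The `/* TODO: verify body size same as signature size */` two lines above the changed VerifyData call in vbutil_firmware.c is only half addressed by passing fv_size: VerifyData now rejects `sig->data_size > fv_size`, but a body whose signed length is shorter than fv_size still verifies with the trailing bytes unchecked. Either resolve the TODO here with an explicit check before the call, `if (preamble->body_signature.data_size != fv_size) { error("Body size does not match signature.\n"); return 1; }`, or reword it so it does not read as if the new argument closed it. Verify's body continues outside the hunk.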
diff --git a/utility/vbutil_kernel.c b/utility/vbutil_kernel.c index d688e61f..893f889c 100644 --- a/utility/vbutil_kernel.c +++ b/utility/vbutil_kernel.c @@ -661,7 +661,7 @@ static int Verify(const char* infile, const char* signpubkey, int verbose) { /* Verify preamble */ preamble = bp->preamble; - if (0 != VerifyKernelPreamble2( + if (0 != VerifyKernelPreamble( preamble, bp->blob_size - key_block->key_block_size, rsa)) { error("Error verifying preamble.\n"); goto verify_exit; @@ -676,11 +676,13 @@ static int Verify(const char* infile, const char* signpubkey, int verbose) { printf(" Body load address: 0x%" PRIx64 "\n", preamble->body_load_address); printf(" Body size: 0x%" PRIx64 "\n", preamble->body_signature.data_size); - printf(" Bootloader address: 0x%" PRIx64 "\n", preamble->bootloader_address); + printf(" Bootloader address: 0x%" PRIx64 "\n", + preamble->bootloader_address); printf(" Bootloader size: 0x%" PRIx64 "\n", preamble->bootloader_size); /* Verify body */ - if (0 != VerifyData(bp->blob, &preamble->body_signature, rsa)) { + if (0 != VerifyData(bp->blob, bp->blob_size, &preamble->body_signature, + rsa)) { error("Error verifying kernel body.\n"); goto verify_exit; } |
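Review bot: `bp->blob_size` is passed as the bound for the kernel body in the second hunk, but the first hunk of the same function uses `bp->blob_size - key_block->key_block_size` as the size of the preamble region, which reads as if blob_size measures the vblock (key block plus preamble) rather than the body that bp->blob points at. If bp->blob is the body alone, its own length is the right bound here; if the blob holds key block, preamble and body together, then the preamble bound in the first hunk is the loose one. Once confirmed, a one-line comment on the call would settle it for the next reader, e.g. `/* blob_size covers the whole blob; only body_signature.data_size bytes are verified */`. Verify's body continues outside both hunks.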