Blame - lib/rsa/rsa-verify.c - platform/external/u-boot

blob: fbb2d35a7d5585f2b12f9d1028fe5b0f45db269f [file] [log] [blame]

Tom Rini	83d290c	2018-05-06 17:58:06 -0400	[diff] [blame]	1	// SPDX-License-Identifier: GPL-2.0+
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	2	/*
				3	* Copyright (c) 2013, Google Inc.
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	4	*/
				5
Heiko Schocher	29a23f9	2014-03-03 12:19:30 +0100	[diff] [blame]	6	#ifndef USE_HOSTCC
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	7	#include <common.h>
				8	#include <fdtdec.h>
Simon Glass	f7ae49f	2020-05-10 11:40:05 -0600	[diff] [blame]	9	#include <log.h>
Simon Glass	336d461	2020-02-03 07:36:16 -0700	[diff] [blame]	10	#include <malloc.h>
Heiko Schocher	29a23f9	2014-03-03 12:19:30 +0100	[diff] [blame]	11	#include <asm/types.h>
				12	#include <asm/byteorder.h>
Masahiro Yamada	1221ce4	2016-09-21 11:28:55 +0900	[diff] [blame]	13	#include <linux/errno.h>
Heiko Schocher	29a23f9	2014-03-03 12:19:30 +0100	[diff] [blame]	14	#include <asm/types.h>
				15	#include <asm/unaligned.h>
Ruchika Gupta	c937ff6	2015-01-23 16:01:54 +0530	[diff] [blame]	16	#include <dm.h>
Heiko Schocher	29a23f9	2014-03-03 12:19:30 +0100	[diff] [blame]	17	#else
				18	#include "fdt_host.h"
				19	#include "mkimage.h"
				20	#include <fdt_support.h>
				21	#endif
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	22	#include <linux/kconfig.h>
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	23	#include <u-boot/rsa-mod-exp.h>
Jeroen Hofstee	2b9912e	2014-06-12 22:27:12 +0200	[diff] [blame]	24	#include <u-boot/rsa.h>
Heiko Schocher	29a23f9	2014-03-03 12:19:30 +0100	[diff] [blame]	25
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	26	#ifndef __UBOOT__
				27	/*
				28	* NOTE:
				29	* Since host tools, like mkimage, make use of openssl library for
				30	* RSA encryption, rsa_verify_with_pkey()/rsa_gen_key_prop() are
				31	* of no use and should not be compiled in.
				32	* So just turn off CONFIG_RSA_VERIFY_WITH_PKEY.
				33	*/
				34
				35	#undef CONFIG_RSA_VERIFY_WITH_PKEY
				36	#endif
				37
Michael van der Westhuizen	e0f2f15	2014-07-02 10:17:26 +0200	[diff] [blame]	38	/* Default public exponent for backward compatibility */
				39	#define RSA_DEFAULT_PUBEXP 65537
				40
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	41	/**
Andrew Duda	da29f29	2016-11-08 18:53:40 +0000	[diff] [blame]	42	* rsa_verify_padding() - Verify RSA message padding is valid
				43	*
				44	* Verify a RSA message's padding is consistent with PKCS1.5
				45	* padding as described in the RSA PKCS#1 v2.1 standard.
				46	*
				47	* @msg: Padded message
				48	* @pad_len: Number of expected padding bytes
				49	* @algo: Checksum algo structure having information on DER encoding etc.
Heinrich Schuchardt	185f812	2022-01-19 18:05:50 +0100	[diff] [blame^]	50	* Return: 0 on success, != 0 on failure
Andrew Duda	da29f29	2016-11-08 18:53:40 +0000	[diff] [blame]	51	*/
				52	static int rsa_verify_padding(const uint8_t *msg, const int pad_len,
				53	struct checksum_algo *algo)
				54	{
				55	int ff_len;
				56	int ret;
				57
				58	/* first byte must be 0x00 */
				59	ret = *msg++;
				60	/* second byte must be 0x01 */
				61	ret \|= *msg++ ^ 0x01;
				62	/* next ff_len bytes must be 0xff */
				63	ff_len = pad_len - algo->der_len - 3;
				64	ret \|= *msg ^ 0xff;
				65	ret \|= memcmp(msg, msg+1, ff_len-1);
				66	msg += ff_len;
				67	/* next byte must be 0x00 */
				68	ret \|= *msg++;
				69	/* next der_len bytes must match der_prefix */
				70	ret \|= memcmp(msg, algo->der_prefix, algo->der_len);
				71
				72	return ret;
				73	}
				74
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	75	int padding_pkcs_15_verify(struct image_sign_info *info,
				76	uint8_t *msg, int msg_len,
				77	const uint8_t *hash, int hash_len)
				78	{
				79	struct checksum_algo *checksum = info->checksum;
				80	int ret, pad_len = msg_len - checksum->checksum_len;
				81
				82	/* Check pkcs1.5 padding bytes. */
				83	ret = rsa_verify_padding(msg, pad_len, checksum);
				84	if (ret) {
				85	debug("In RSAVerify(): Padding check failed!\n");
				86	return -EINVAL;
				87	}
				88
				89	/* Check hash. */
				90	if (memcmp((uint8_t *)msg + pad_len, hash, msg_len - pad_len)) {
				91	debug("In RSAVerify(): Hash check failed!\n");
				92	return -EACCES;
				93	}
				94
				95	return 0;
				96	}
				97
Alexandru Gagniuc	de41f0e	2021-08-18 17:49:02 -0500	[diff] [blame]	98	#ifndef USE_HOSTCC
				99	U_BOOT_PADDING_ALGO(pkcs_15) = {
				100	.name = "pkcs-1.5",
				101	.verify = padding_pkcs_15_verify,
				102	};
				103	#endif
				104
Simon Glass	2bbed3f	2021-09-25 19:43:23 -0600	[diff] [blame]	105	#if CONFIG_IS_ENABLED(FIT_RSASSA_PSS)
Philippe Reynes	061daa0	2018-11-14 13:51:01 +0100	[diff] [blame]	106	static void u32_i2osp(uint32_t val, uint8_t *buf)
				107	{
				108	buf[0] = (uint8_t)((val >> 24) & 0xff);
				109	buf[1] = (uint8_t)((val >> 16) & 0xff);
				110	buf[2] = (uint8_t)((val >> 8) & 0xff);
				111	buf[3] = (uint8_t)((val >> 0) & 0xff);
				112	}
				113
				114	/**
				115	* mask_generation_function1() - generate an octet string
				116	*
				117	* Generate an octet string used to check rsa signature.
				118	* It use an input octet string and a hash function.
				119	*
				120	* @checksum: A Hash function
				121	* @seed: Specifies an input variable octet string
				122	* @seed_len: Size of the input octet string
				123	* @output: Specifies the output octet string
				124	* @output_len: Size of the output octet string
Heinrich Schuchardt	185f812	2022-01-19 18:05:50 +0100	[diff] [blame^]	125	* Return: 0 if the octet string was correctly generated, others on error
Philippe Reynes	061daa0	2018-11-14 13:51:01 +0100	[diff] [blame]	126	*/
				127	static int mask_generation_function1(struct checksum_algo *checksum,
				128	uint8_t *seed, int seed_len,
				129	uint8_t *output, int output_len)
				130	{
				131	struct image_region region[2];
				132	int ret = 0, i, i_output = 0, region_count = 2;
				133	uint32_t counter = 0;
				134	uint8_t buf_counter[4], *tmp;
				135	int hash_len = checksum->checksum_len;
				136
				137	memset(output, 0, output_len);
				138
				139	region[0].data = seed;
				140	region[0].size = seed_len;
				141	region[1].data = &buf_counter[0];
				142	region[1].size = 4;
				143
				144	tmp = malloc(hash_len);
				145	if (!tmp) {
				146	debug("%s: can't allocate array tmp\n", __func__);
				147	ret = -ENOMEM;
				148	goto out;
				149	}
				150
				151	while (i_output < output_len) {
				152	u32_i2osp(counter, &buf_counter[0]);
				153
				154	ret = checksum->calculate(checksum->name,
				155	region, region_count,
				156	tmp);
				157	if (ret < 0) {
				158	debug("%s: Error in checksum calculation\n", __func__);
				159	goto out;
				160	}
				161
				162	i = 0;
				163	while ((i_output < output_len) && (i < hash_len)) {
				164	output[i_output] = tmp[i];
				165	i_output++;
				166	i++;
				167	}
				168
				169	counter++;
				170	}
				171
				172	out:
				173	free(tmp);
				174
				175	return ret;
				176	}
				177
				178	static int compute_hash_prime(struct checksum_algo *checksum,
				179	uint8_t *pad, int pad_len,
				180	uint8_t *hash, int hash_len,
				181	uint8_t *salt, int salt_len,
				182	uint8_t *hprime)
				183	{
				184	struct image_region region[3];
				185	int ret, region_count = 3;
				186
				187	region[0].data = pad;
				188	region[0].size = pad_len;
				189	region[1].data = hash;
				190	region[1].size = hash_len;
				191	region[2].data = salt;
				192	region[2].size = salt_len;
				193
				194	ret = checksum->calculate(checksum->name, region, region_count, hprime);
				195	if (ret < 0) {
				196	debug("%s: Error in checksum calculation\n", __func__);
				197	goto out;
				198	}
				199
				200	out:
				201	return ret;
				202	}
				203
Heiko Stuebner	1a62c23	2020-06-18 16:23:26 +0200	[diff] [blame]	204	/*
				205	* padding_pss_verify() - verify the pss padding of a signature
				206	*
				207	* Only works with a rsa_pss_saltlen:-2 (default value) right now
				208	* saltlen:-1 "set the salt length to the digest length" is currently
				209	* not supported.
				210	*
				211	* @info: Specifies key and FIT information
				212	* @msg: byte array of message, len equal to msg_len
				213	* @msg_len: Message length
				214	* @hash: Pointer to the expected hash
				215	* @hash_len: Length of the hash
				216	*/
Philippe Reynes	061daa0	2018-11-14 13:51:01 +0100	[diff] [blame]	217	int padding_pss_verify(struct image_sign_info *info,
				218	uint8_t *msg, int msg_len,
				219	const uint8_t *hash, int hash_len)
				220	{
				221	uint8_t *masked_db = NULL;
				222	int masked_db_len = msg_len - hash_len - 1;
				223	uint8_t h = NULL, hprime = NULL;
				224	int h_len = hash_len;
				225	uint8_t *db_mask = NULL;
				226	int db_mask_len = masked_db_len;
				227	uint8_t db = NULL, salt = NULL;
				228	int db_len = masked_db_len, salt_len = msg_len - hash_len - 2;
				229	uint8_t pad_zero[8] = { 0 };
				230	int ret, i, leftmost_bits = 1;
				231	uint8_t leftmost_mask;
				232	struct checksum_algo *checksum = info->checksum;
				233
				234	/* first, allocate everything */
				235	masked_db = malloc(masked_db_len);
				236	h = malloc(h_len);
				237	db_mask = malloc(db_mask_len);
				238	db = malloc(db_len);
				239	salt = malloc(salt_len);
				240	hprime = malloc(hash_len);
				241	if (!masked_db \|\| !h \|\| !db_mask \|\| !db \|\| !salt \|\| !hprime) {
				242	printf("%s: can't allocate some buffer\n", __func__);
				243	ret = -ENOMEM;
				244	goto out;
				245	}
				246
				247	/* step 4: check if the last byte is 0xbc */
				248	if (msg[msg_len - 1] != 0xbc) {
				249	printf("%s: invalid pss padding (0xbc is missing)\n", __func__);
				250	ret = -EINVAL;
				251	goto out;
				252	}
				253
				254	/* step 5 */
				255	memcpy(masked_db, msg, masked_db_len);
				256	memcpy(h, msg + masked_db_len, h_len);
				257
				258	/* step 6 */
				259	leftmost_mask = (0xff >> (8 - leftmost_bits)) << (8 - leftmost_bits);
				260	if (masked_db[0] & leftmost_mask) {
				261	printf("%s: invalid pss padding ", __func__);
				262	printf("(leftmost bit of maskedDB not zero)\n");
				263	ret = -EINVAL;
				264	goto out;
				265	}
				266
				267	/* step 7 */
				268	mask_generation_function1(checksum, h, h_len, db_mask, db_mask_len);
				269
				270	/* step 8 */
				271	for (i = 0; i < db_len; i++)
				272	db[i] = masked_db[i] ^ db_mask[i];
				273
				274	/* step 9 */
				275	db[0] &= 0xff >> leftmost_bits;
				276
				277	/* step 10 */
				278	if (db[0] != 0x01) {
				279	printf("%s: invalid pss padding ", __func__);
				280	printf("(leftmost byte of db isn't 0x01)\n");
				281	ret = EINVAL;
				282	goto out;
				283	}
				284
				285	/* step 11 */
				286	memcpy(salt, &db[1], salt_len);
				287
				288	/* step 12 & 13 */
				289	compute_hash_prime(checksum, pad_zero, 8,
				290	(uint8_t *)hash, hash_len,
				291	salt, salt_len, hprime);
				292
				293	/* step 14 */
				294	ret = memcmp(h, hprime, hash_len);
				295
				296	out:
				297	free(hprime);
				298	free(salt);
				299	free(db);
				300	free(db_mask);
				301	free(h);
				302	free(masked_db);
				303
				304	return ret;
				305	}
Alexandru Gagniuc	de41f0e	2021-08-18 17:49:02 -0500	[diff] [blame]	306
				307	#ifndef USE_HOSTCC
				308	U_BOOT_PADDING_ALGO(pss) = {
				309	.name = "pss",
				310	.verify = padding_pss_verify,
				311	};
				312	#endif
				313
Philippe Reynes	061daa0	2018-11-14 13:51:01 +0100	[diff] [blame]	314	#endif
				315
Andrew Duda	da29f29	2016-11-08 18:53:40 +0000	[diff] [blame]	316	/**
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	317	* rsa_verify_key() - Verify a signature against some data using RSA Key
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	318	*
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	319	* Verify a RSA PKCS1.5 signature against an expected hash using
				320	* the RSA Key properties in prop structure.
				321	*
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	322	* @info: Specifies key and FIT information
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	323	* @prop: Specifies key
				324	* @sig: Signature
				325	* @sig_len: Number of bytes in signature
				326	* @hash: Pointer to the expected hash
Andrew Duda	0c1d74f	2016-11-08 18:53:41 +0000	[diff] [blame]	327	* @key_len: Number of bytes in rsa key
Heinrich Schuchardt	185f812	2022-01-19 18:05:50 +0100	[diff] [blame^]	328	* Return: 0 if verified, -ve on error
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	329	*/
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	330	static int rsa_verify_key(struct image_sign_info *info,
				331	struct key_prop prop, const uint8_t sig,
Heiko Schocher	646257d	2014-03-03 12:19:26 +0100	[diff] [blame]	332	const uint32_t sig_len, const uint8_t *hash,
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	333	const uint32_t key_len)
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	334	{
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	335	int ret;
Ruchika Gupta	c937ff6	2015-01-23 16:01:54 +0530	[diff] [blame]	336	#if !defined(USE_HOSTCC)
				337	struct udevice *mod_exp_dev;
				338	#endif
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	339	struct checksum_algo *checksum = info->checksum;
				340	struct padding_algo *padding = info->padding;
Philippe Reynes	b02f2e7	2019-03-19 10:55:40 +0100	[diff] [blame]	341	int hash_len;
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	342
Philippe Reynes	b560c70	2021-10-15 11:28:47 +0200	[diff] [blame]	343	if (!prop \|\| !sig \|\| !hash \|\| !checksum \|\| !padding)
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	344	return -EIO;
				345
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	346	if (sig_len != (prop->num_bits / 8)) {
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	347	debug("Signature is of incorrect length %d\n", sig_len);
				348	return -EINVAL;
				349	}
				350
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	351	debug("Checksum algorithm: %s", checksum->name);
Heiko Schocher	646257d	2014-03-03 12:19:26 +0100	[diff] [blame]	352
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	353	/* Sanity check for stack size */
				354	if (sig_len > RSA_MAX_SIG_BITS / 8) {
				355	debug("Signature length %u exceeds maximum %d\n", sig_len,
				356	RSA_MAX_SIG_BITS / 8);
				357	return -EINVAL;
				358	}
				359
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	360	uint8_t buf[sig_len];
Philippe Reynes	b02f2e7	2019-03-19 10:55:40 +0100	[diff] [blame]	361	hash_len = checksum->checksum_len;
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	362
Ruchika Gupta	c937ff6	2015-01-23 16:01:54 +0530	[diff] [blame]	363	#if !defined(USE_HOSTCC)
				364	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
				365	if (ret) {
				366	printf("RSA: Can't find Modular Exp implementation\n");
				367	return -EINVAL;
				368	}
				369
				370	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
				371	#else
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	372	ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
Ruchika Gupta	c937ff6	2015-01-23 16:01:54 +0530	[diff] [blame]	373	#endif
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	374	if (ret) {
				375	debug("Error in Modular exponentation\n");
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	376	return ret;
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	377	}
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	378
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	379	ret = padding->verify(info, buf, key_len, hash, hash_len);
Andrew Duda	da29f29	2016-11-08 18:53:40 +0000	[diff] [blame]	380	if (ret) {
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	381	debug("In RSAVerify(): padding check failed!\n");
				382	return ret;
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	383	}
				384
				385	return 0;
				386	}
				387
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	388	/**
				389	* rsa_verify_with_pkey() - Verify a signature against some data using
				390	* only modulus and exponent as RSA key properties.
				391	* @info: Specifies key information
				392	* @hash: Pointer to the expected hash
				393	* @sig: Signature
				394	* @sig_len: Number of bytes in signature
				395	*
				396	* Parse a RSA public key blob in DER format pointed to in @info and fill
				397	* a key_prop structure with properties of the key. Then verify a RSA PKCS1.5
				398	* signature against an expected hash using the calculated properties.
				399	*
				400	* Return 0 if verified, -ve on error
				401	*/
AKASHI Takahiro	491bfe8	2020-06-16 14:26:48 +0900	[diff] [blame]	402	int rsa_verify_with_pkey(struct image_sign_info *info,
				403	const void hash, uint8_t sig, uint sig_len)
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	404	{
				405	struct key_prop *prop;
				406	int ret;
				407
Simon Glass	2bbed3f	2021-09-25 19:43:23 -0600	[diff] [blame]	408	if (!CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY))
				409	return -EACCES;
				410
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	411	/* Public key is self-described to fill key_prop */
				412	ret = rsa_gen_key_prop(info->key, info->keylen, &prop);
				413	if (ret) {
				414	debug("Generating necessary parameter for decoding failed\n");
				415	return ret;
				416	}
				417
				418	ret = rsa_verify_key(info, prop, sig, sig_len, hash,
				419	info->crypto->key_len);
				420
				421	rsa_free_key_prop(prop);
				422
				423	return ret;
				424	}
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	425
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	426	#if CONFIG_IS_ENABLED(FIT_SIGNATURE)
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	427	/**
				428	* rsa_verify_with_keynode() - Verify a signature against some data using
				429	* information in node with prperties of RSA Key like modulus, exponent etc.
				430	*
				431	* Parse sign-node and fill a key_prop structure with properties of the
				432	* key. Verify a RSA PKCS1.5 signature against an expected hash using
				433	* the properties parsed
				434	*
				435	* @info: Specifies key and FIT information
				436	* @hash: Pointer to the expected hash
				437	* @sig: Signature
				438	* @sig_len: Number of bytes in signature
				439	* @node: Node having the RSA Key properties
Heinrich Schuchardt	185f812	2022-01-19 18:05:50 +0100	[diff] [blame^]	440	* Return: 0 if verified, -ve on error
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	441	*/
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	442	static int rsa_verify_with_keynode(struct image_sign_info *info,
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	443	const void hash, uint8_t sig,
				444	uint sig_len, int node)
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	445	{
				446	const void *blob = info->fdt_blob;
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	447	struct key_prop prop;
Michael van der Westhuizen	e0f2f15	2014-07-02 10:17:26 +0200	[diff] [blame]	448	int length;
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	449	int ret = 0;
Matthieu CASTET	167fb1f	2020-09-23 19:11:44 +0200	[diff] [blame]	450	const char *algo;
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	451
				452	if (node < 0) {
				453	debug("%s: Skipping invalid node", __func__);
				454	return -EBADF;
				455	}
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	456
Matthieu CASTET	167fb1f	2020-09-23 19:11:44 +0200	[diff] [blame]	457	algo = fdt_getprop(blob, node, "algo", NULL);
Sean Anderson	8f684bc	2021-02-16 11:40:15 -0500	[diff] [blame]	458	if (strcmp(info->name, algo)) {
				459	debug("%s: Wrong algo: have %s, expected %s", __func__,
				460	info->name, algo);
Matthieu CASTET	167fb1f	2020-09-23 19:11:44 +0200	[diff] [blame]	461	return -EFAULT;
Sean Anderson	8f684bc	2021-02-16 11:40:15 -0500	[diff] [blame]	462	}
Matthieu CASTET	167fb1f	2020-09-23 19:11:44 +0200	[diff] [blame]	463
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	464	prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0);
				465
				466	prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);
				467
				468	prop.public_exponent = fdt_getprop(blob, node, "rsa,exponent", &length);
				469	if (!prop.public_exponent \|\| length < sizeof(uint64_t))
				470	prop.public_exponent = NULL;
				471
				472	prop.exp_len = sizeof(uint64_t);
				473
				474	prop.modulus = fdt_getprop(blob, node, "rsa,modulus", NULL);
				475
				476	prop.rr = fdt_getprop(blob, node, "rsa,r-squared", NULL);
				477
Jan Kiszka	48069ff	2020-05-07 20:36:13 +0200	[diff] [blame]	478	if (!prop.num_bits \|\| !prop.modulus \|\| !prop.rr) {
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	479	debug("%s: Missing RSA key info", __func__);
				480	return -EFAULT;
				481	}
				482
Philippe Reynes	2003156	2018-11-14 13:51:00 +0100	[diff] [blame]	483	ret = rsa_verify_key(info, &prop, sig, sig_len, hash,
				484	info->crypto->key_len);
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	485
Ruchika Gupta	fc2f424	2015-01-23 16:01:50 +0530	[diff] [blame]	486	return ret;
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	487	}
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	488	#else
				489	static int rsa_verify_with_keynode(struct image_sign_info *info,
				490	const void hash, uint8_t sig,
				491	uint sig_len, int node)
				492	{
				493	return -EACCES;
				494	}
				495	#endif
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	496
Heiko Stuebner	c89b41b	2020-05-22 16:20:33 +0200	[diff] [blame]	497	int rsa_verify_hash(struct image_sign_info *info,
				498	const uint8_t hash, uint8_t sig, uint sig_len)
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	499	{
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	500	int ret = -EACCES;
Heiko Schocher	646257d	2014-03-03 12:19:26 +0100	[diff] [blame]	501
Heiko Stuebner	447b1d7	2020-06-18 16:23:22 +0200	[diff] [blame]	502	if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) {
AKASHI Takahiro	0cc7a75	2020-02-21 15:12:59 +0900	[diff] [blame]	503	/* don't rely on fdt properties */
				504	ret = rsa_verify_with_pkey(info, hash, sig, sig_len);
				505
				506	return ret;
				507	}
				508
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	509	if (CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
				510	const void *blob = info->fdt_blob;
				511	int ndepth, noffset;
				512	int sig_node, node;
				513	char name[100];
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	514
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	515	sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
				516	if (sig_node < 0) {
				517	debug("%s: No signature node found\n", __func__);
				518	return -ENOENT;
				519	}
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	520
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	521	/* See if we must use a particular key */
				522	if (info->required_keynode != -1) {
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	523	ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	524	info->required_keynode);
				525	return ret;
				526	}
				527
				528	/* Look for a key that matches our hint */
				529	snprintf(name, sizeof(name), "key-%s", info->keyname);
				530	node = fdt_subnode_offset(blob, sig_node, name);
				531	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
				532	if (!ret)
				533	return ret;
				534
				535	/* No luck, so try each of the keys in turn */
Philippe Reynes	040fad3	2021-01-12 19:18:54 +0100	[diff] [blame]	536	for (ndepth = 0, noffset = fdt_next_node(blob, sig_node,
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	537	&ndepth);
				538	(noffset >= 0) && (ndepth > 0);
Philippe Reynes	040fad3	2021-01-12 19:18:54 +0100	[diff] [blame]	539	noffset = fdt_next_node(blob, noffset, &ndepth)) {
AKASHI Takahiro	b983cc2	2020-02-21 15:12:55 +0900	[diff] [blame]	540	if (ndepth == 1 && noffset != node) {
				541	ret = rsa_verify_with_keynode(info, hash,
				542	sig, sig_len,
				543	noffset);
				544	if (!ret)
				545	break;
				546	}
Simon Glass	19c402a	2013-06-13 15:10:02 -0700	[diff] [blame]	547	}
				548	}
				549
				550	return ret;
				551	}
Heiko Stuebner	c89b41b	2020-05-22 16:20:33 +0200	[diff] [blame]	552
				553	int rsa_verify(struct image_sign_info *info,
				554	const struct image_region region[], int region_count,
				555	uint8_t *sig, uint sig_len)
				556	{
				557	/* Reserve memory for maximum checksum-length */
				558	uint8_t hash[info->crypto->key_len];
Heinrich Schuchardt	ec71cc3	2020-10-08 20:53:13 +0200	[diff] [blame]	559	int ret;
Heiko Stuebner	c89b41b	2020-05-22 16:20:33 +0200	[diff] [blame]	560
				561	/*
				562	* Verify that the checksum-length does not exceed the
				563	* rsa-signature-length
				564	*/
				565	if (info->checksum->checksum_len >
				566	info->crypto->key_len) {
Thomas Perrot	0eadb2b	2021-07-19 16:04:44 +0200	[diff] [blame]	567	debug("%s: invalid checksum-algorithm %s for %s\n",
Heiko Stuebner	c89b41b	2020-05-22 16:20:33 +0200	[diff] [blame]	568	__func__, info->checksum->name, info->crypto->name);
				569	return -EINVAL;
				570	}
				571
				572	/* Calculate checksum with checksum-algorithm */
				573	ret = info->checksum->calculate(info->checksum->name,
				574	region, region_count, hash);
				575	if (ret < 0) {
				576	debug("%s: Error in checksum calculation\n", __func__);
				577	return -EINVAL;
				578	}
				579
				580	return rsa_verify_hash(info, hash, sig, sig_len);
				581	}
Alexandru Gagniuc	6909edb	2021-07-14 17:05:40 -0500	[diff] [blame]	582
				583	#ifndef USE_HOSTCC
				584
				585	U_BOOT_CRYPTO_ALGO(rsa2048) = {
				586	.name = "rsa2048",
				587	.key_len = RSA2048_BYTES,
				588	.verify = rsa_verify,
				589	};
				590
				591	U_BOOT_CRYPTO_ALGO(rsa4096) = {
				592	.name = "rsa4096",
				593	.key_len = RSA4096_BYTES,
				594	.verify = rsa_verify,
				595	};
				596
				597	#endif