summaryrefslogtreecommitdiffstats
path: root/verifier.cpp
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--verifier.cpp27
1 files changed, 21 insertions, 6 deletions
diff --git a/verifier.cpp b/verifier.cpp
index 1d6cf811a..996a1fdf9 100644
--- a/verifier.cpp
+++ b/verifier.cpp
@@ -28,11 +28,14 @@
#include "asn1_decoder.h"
#include "common.h"
+#include "print_sha1.h"
#include "ui.h"
#include "verifier.h"
extern RecoveryUI* ui;
+static constexpr size_t MiB = 1024 * 1024;
+
/*
* Simple version of PKCS#7 SignedData extraction. This extracts the
* signature OCTET STRING to be used for signature verification.
@@ -188,8 +191,6 @@ int verify_file(unsigned char* addr, size_t length,
}
}
-#define BUFFER_SIZE 4096
-
bool need_sha1 = false;
bool need_sha256 = false;
for (const auto& key : keys) {
@@ -207,8 +208,10 @@ int verify_file(unsigned char* addr, size_t length,
double frac = -1.0;
size_t so_far = 0;
while (so_far < signed_len) {
- size_t size = signed_len - so_far;
- if (size > BUFFER_SIZE) size = BUFFER_SIZE;
+ // On a Nexus 5X, experiment showed 16MiB beat 1MiB by 6% faster for a
+ // 1196MiB full OTA and 60% for an 89MiB incremental OTA.
+ // http://b/28135231.
+ size_t size = std::min(signed_len - so_far, 16 * MiB);
if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size);
if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size);
@@ -229,9 +232,14 @@ int verify_file(unsigned char* addr, size_t length,
uint8_t* sig_der = nullptr;
size_t sig_der_length = 0;
+ uint8_t* signature = eocd + eocd_size - signature_start;
size_t signature_size = signature_start - FOOTER_SIZE;
- if (!read_pkcs7(eocd + eocd_size - signature_start, signature_size, &sig_der,
- &sig_der_length)) {
+
+ LOGI("signature (offset: 0x%zx, length: %zu): %s\n",
+ length - signature_start, signature_size,
+ print_hex(signature, signature_size).c_str());
+
+ if (!read_pkcs7(signature, signature_size, &sig_der, &sig_der_length)) {
LOGE("Could not find signature DER block\n");
return VERIFY_FAILURE;
}
@@ -286,6 +294,13 @@ int verify_file(unsigned char* addr, size_t length,
}
i++;
}
+
+ if (need_sha1) {
+ LOGI("SHA-1 digest: %s\n", print_hex(sha1, SHA_DIGEST_LENGTH).c_str());
+ }
+ if (need_sha256) {
+ LOGI("SHA-256 digest: %s\n", print_hex(sha256, SHA256_DIGEST_LENGTH).c_str());
+ }
free(sig_der);
LOGE("failed to verify whole-file signature\n");
return VERIFY_FAILURE;