From 8febafa67e93b2159804b1130a41f15b009de1cd Mon Sep 17 00:00:00 2001 From: Elliott Hughes Date: Wed, 13 Apr 2016 16:39:56 -0700 Subject: Use BoringSSL instead of mincrypt to speed up package verification. This changes the verification code in bootable/recovery to use BoringSSL instead of mincrypt. Cherry-pick of 452df6d99c81c4eeee3d2c7b2171901e8b7bc54a, with merge conflict resolution, extra logging in verifier.cpp, and an increase in the hash chunk size from 4KiB to 1MiB. Bug: http://b/28135231 Change-Id: I1ed7efd52223dd6f6a4629cad187cbc383d5aa84 --- Android.mk | 5 +- fuse_sideload.cpp | 19 +-- install.cpp | 17 +- tests/Android.mk | 1 - tests/component/verifier_test.cpp | 131 +++------------- tests/testdata/test_key_e3.txt | 1 + tests/testdata/test_key_ec.txt | 1 + tests/testdata/test_key_f4.txt | 1 + verifier.cpp | 320 +++++++++++++++++++++++++------------- verifier.h | 46 +++--- 10 files changed, 285 insertions(+), 257 deletions(-) create mode 100644 tests/testdata/test_key_e3.txt create mode 100644 tests/testdata/test_key_ec.txt create mode 100644 tests/testdata/test_key_f4.txt diff --git a/Android.mk b/Android.mk index 6c3ce5642..65d123a86 100644 --- a/Android.mk +++ b/Android.mk @@ -23,7 +23,7 @@ LOCAL_CFLAGS += -D_XOPEN_SOURCE -D_GNU_SOURCE LOCAL_MODULE := libfusesideload -LOCAL_STATIC_LIBRARIES := libcutils libc libmincrypt +LOCAL_STATIC_LIBRARIES := libcutils libc libcrypto_static include $(BUILD_STATIC_LIBRARY) include $(CLEAR_VARS) @@ -71,12 +71,12 @@ LOCAL_STATIC_LIBRARIES := \ libminzip \ libz \ libmtdutils \ - libmincrypt \ libminadbd \ libfusesideload \ libminui \ libpng \ libfs_mgr \ + libcrypto_static \ libbase \ libcutils \ libutils \ @@ -136,6 +136,7 @@ LOCAL_SRC_FILES := \ asn1_decoder.cpp \ verifier.cpp \ ui.cpp +LOCAL_STATIC_LIBRARIES := libcrypto_static include $(BUILD_STATIC_LIBRARY) include $(LOCAL_PATH)/minui/Android.mk \ diff --git a/fuse_sideload.cpp b/fuse_sideload.cpp index 9c3e75f89..1725e8823 100644 --- a/fuse_sideload.cpp +++ b/fuse_sideload.cpp @@ -61,7 +61,8 @@ #include #include -#include "mincrypt/sha256.h" +#include + #include "fuse_sideload.h" #define PACKAGE_FILE_ID (FUSE_ROOT_ID+1) @@ -269,22 +270,22 @@ static int fetch_block(struct fuse_data* fd, uint32_t block) { // block). // - Otherwise, return -EINVAL for the read. - uint8_t hash[SHA256_DIGEST_SIZE]; - SHA256_hash(fd->block_data, fd->block_size, hash); - uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_SIZE; - if (memcmp(hash, blockhash, SHA256_DIGEST_SIZE) == 0) { + uint8_t hash[SHA256_DIGEST_LENGTH]; + SHA256(fd->block_data, fd->block_size, hash); + uint8_t* blockhash = fd->hashes + block * SHA256_DIGEST_LENGTH; + if (memcmp(hash, blockhash, SHA256_DIGEST_LENGTH) == 0) { return 0; } int i; - for (i = 0; i < SHA256_DIGEST_SIZE; ++i) { + for (i = 0; i < SHA256_DIGEST_LENGTH; ++i) { if (blockhash[i] != 0) { fd->curr_block = -1; return -EIO; } } - memcpy(blockhash, hash, SHA256_DIGEST_SIZE); + memcpy(blockhash, hash, SHA256_DIGEST_LENGTH); return 0; } @@ -393,10 +394,10 @@ int run_fuse_sideload(struct provider_vtab* vtab, void* cookie, goto done; } - fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_SIZE); + fd.hashes = (uint8_t*)calloc(fd.file_blocks, SHA256_DIGEST_LENGTH); if (fd.hashes == NULL) { fprintf(stderr, "failed to allocate %d bites for hashes\n", - fd.file_blocks * SHA256_DIGEST_SIZE); + fd.file_blocks * SHA256_DIGEST_LENGTH); result = -1; goto done; } diff --git a/install.cpp b/install.cpp index 8a82d7bc4..d009513c3 100644 --- a/install.cpp +++ b/install.cpp @@ -23,19 +23,19 @@ #include #include +#include #include #include "common.h" #include "install.h" -#include "mincrypt/rsa.h" #include "minui/minui.h" #include "minzip/SysUtil.h" #include "minzip/Zip.h" #include "mtdutils/mounts.h" #include "mtdutils/mtdutils.h" #include "roots.h" -#include "verifier.h" #include "ui.h" +#include "verifier.h" extern RecoveryUI* ui; @@ -229,6 +229,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount) return INSTALL_CORRUPT; } + // Load keys. std::vector loadedKeys; if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) { LOGE("Failed to load keys\n"); @@ -236,18 +237,19 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount) } LOGI("%zu key(s) loaded from %s\n", loadedKeys.size(), PUBLIC_KEYS_FILE); + // Verify package. ui->Print("Verifying update package...\n"); - + auto t0 = std::chrono::system_clock::now(); int err = verify_file(map.addr, map.length, loadedKeys); - LOGI("verify_file returned %d\n", err); + std::chrono::duration duration = std::chrono::system_clock::now() - t0; + ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err); if (err != VERIFY_SUCCESS) { LOGE("signature verification failed\n"); sysReleaseMap(&map); return INSTALL_CORRUPT; } - /* Try to open the package. - */ + // Try to open the package. ZipArchive zip; err = mzOpenZipArchive(map.addr, map.length, &zip); if (err != 0) { @@ -256,8 +258,7 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount) return INSTALL_CORRUPT; } - /* Verify and install the contents of the package. - */ + // Verify and install the contents of the package. ui->Print("Installing update...\n"); ui->SetEnableReboot(false); int result = try_update_binary(path, &zip, wipe_cache); diff --git a/tests/Android.mk b/tests/Android.mk index eac3581ae..2da19d7a6 100644 --- a/tests/Android.mk +++ b/tests/Android.mk @@ -45,7 +45,6 @@ LOCAL_STATIC_LIBRARIES := \ libmtdutils \ libbase \ libverifier \ - libmincrypt \ libcrypto_static \ libminui \ libminzip \ diff --git a/tests/component/verifier_test.cpp b/tests/component/verifier_test.cpp index 73f6ac9c4..9ac9657ad 100644 --- a/tests/component/verifier_test.cpp +++ b/tests/component/verifier_test.cpp @@ -19,19 +19,19 @@ #include #include #include -#include #include +#include #include #include #include +#include + #include #include "common.h" #include "common/test_constants.h" -#include "mincrypt/sha.h" -#include "mincrypt/sha256.h" #include "minzip/SysUtil.h" #include "ui.h" #include "verifier.h" @@ -39,94 +39,6 @@ static const char* DATA_PATH = getenv("ANDROID_DATA"); static const char* TESTDATA_PATH = "/recovery/testdata/"; -// This is build/target/product/security/testkey.x509.pem after being -// dumped out by dumpkey.jar. -RSAPublicKey test_key = - { 64, 0xc926ad21, - { 0x6afee91fu, 0x7fa31d5bu, 0x38a0b217u, 0x99df9baeu, - 0xfe72991du, 0x727d3c04u, 0x20943f99u, 0xd08e7826u, - 0x69e7c8a2u, 0xdeeccc8eu, 0x6b9af76fu, 0x553311c4u, - 0x07b9e247u, 0x54c8bbcau, 0x6a540d81u, 0x48dbf567u, - 0x98c92877u, 0x134fbfdeu, 0x01b32564u, 0x24581948u, - 0x6cddc3b8u, 0x0cd444dau, 0xfe0381ccu, 0xf15818dfu, - 0xc06e6d42u, 0x2e2f6412u, 0x093a6737u, 0x94d83b31u, - 0xa466c87au, 0xb3f284a0u, 0xa694ec2cu, 0x053359e6u, - 0x9717ee6au, 0x0732e080u, 0x220d5008u, 0xdc4af350u, - 0x93d0a7c3u, 0xe330c9eau, 0xcac3da1eu, 0x8ebecf8fu, - 0xc2be387fu, 0x38a14e89u, 0x211586f0u, 0x18b846f5u, - 0x43be4c72u, 0xb578c204u, 0x1bbfb230u, 0xf1e267a8u, - 0xa2d3e656u, 0x64b8e4feu, 0xe7e83d4bu, 0x3e77a943u, - 0x3559ffd9u, 0x0ebb0f99u, 0x0aa76ce6u, 0xd3786ea7u, - 0xbca8cd6bu, 0x068ca8e8u, 0xeb1de2ffu, 0x3e3ecd6cu, - 0xe0d9d825u, 0xb1edc762u, 0xdec60b24u, 0xd6931904u}, - { 0xccdcb989u, 0xe19281f9u, 0xa6e80accu, 0xb7f40560u, - 0x0efb0bccu, 0x7f12b0bbu, 0x1e90531au, 0x136d95d0u, - 0x9e660665u, 0x7d54918fu, 0xe3b93ea2u, 0x2f415d10u, - 0x3d2df6e6u, 0x7a627ecfu, 0xa6f22d70u, 0xb995907au, - 0x09de16b2u, 0xfeb8bd61u, 0xf24ec294u, 0x716a427fu, - 0x2e12046fu, 0xeaf3d56au, 0xd9b873adu, 0x0ced340bu, - 0xbc9cec09u, 0x73c65903u, 0xee39ce9bu, 0x3eede25au, - 0x397633b7u, 0x2583c165u, 0x8514f97du, 0xe9166510u, - 0x0b6fae99u, 0xa47139fdu, 0xdb8352f0u, 0xb2ad7f2cu, - 0xa11552e2u, 0xd4d490a7u, 0xe11e8568u, 0xe9e484dau, - 0xd3ef8449u, 0xa47055dau, 0x4edd9557u, 0x03a78ba1u, - 0x770e130du, 0x16762facu, 0x0cbdfcc4u, 0xf3070540u, - 0x008b6515u, 0x60e7e1b7u, 0xa72cf7f9u, 0xaff86e39u, - 0x4296faadu, 0xfc90430eu, 0x6cc8f377u, 0xb398fd43u, - 0x423c5997u, 0x991d59c4u, 0x6464bf73u, 0x96431575u, - 0x15e3d207u, 0x30532a7au, 0x8c4be618u, 0x460a4d76u }, - 3 - }; - -RSAPublicKey test_f4_key = - { 64, 0xc9bd1f21, - { 0x1178db1fu, 0xbf5d0e55u, 0x3393a165u, 0x0ef4c287u, - 0xbc472a4au, 0x383fc5a1u, 0x4a13b7d2u, 0xb1ff2ac3u, - 0xaf66b4d9u, 0x9280acefu, 0xa2165bdbu, 0x6a4d6e5cu, - 0x08ea676bu, 0xb7ac70c7u, 0xcd158139u, 0xa635ccfeu, - 0xa46ab8a8u, 0x445a3e8bu, 0xdc81d9bbu, 0x91ce1a20u, - 0x68021cdeu, 0x4516eda9u, 0x8d43c30cu, 0xed1eff14u, - 0xca387e4cu, 0x58adc233u, 0x4657ab27u, 0xa95b521eu, - 0xdfc0e30cu, 0x394d64a1u, 0xc6b321a1u, 0x2ca22cb8u, - 0xb1892d5cu, 0x5d605f3eu, 0x6025483cu, 0x9afd5181u, - 0x6e1a7105u, 0x03010593u, 0x70acd304u, 0xab957cbfu, - 0x8844abbbu, 0x53846837u, 0x24e98a43u, 0x2ba060c1u, - 0x8b88b88eu, 0x44eea405u, 0xb259fc41u, 0x0907ad9cu, - 0x13003adau, 0xcf79634eu, 0x7d314ec9u, 0xfbbe4c2bu, - 0xd84d0823u, 0xfd30fd88u, 0x68d8a909u, 0xfb4572d9u, - 0xa21301c2u, 0xd00a4785u, 0x6862b50cu, 0xcfe49796u, - 0xdaacbd83u, 0xfb620906u, 0xdf71e0ccu, 0xbbc5b030u }, - { 0x69a82189u, 0x1a8b22f4u, 0xcf49207bu, 0x68cc056au, - 0xb206b7d2u, 0x1d449bbdu, 0xe9d342f2u, 0x29daea58u, - 0xb19d011au, 0xc62f15e4u, 0x9452697au, 0xb62bb87eu, - 0x60f95cc2u, 0x279ebb2du, 0x17c1efd8u, 0xec47558bu, - 0xc81334d1u, 0x88fe7601u, 0x79992eb1u, 0xb4555615u, - 0x2022ac8cu, 0xc79a4b8cu, 0xb288b034u, 0xd6b942f0u, - 0x0caa32fbu, 0xa065ba51u, 0x4de9f154u, 0x29f64f6cu, - 0x7910af5eu, 0x3ed4636au, 0xe4c81911u, 0x9183f37du, - 0x5811e1c4u, 0x29c7a58cu, 0x9715d4d3u, 0xc7e2dce3u, - 0x140972ebu, 0xf4c8a69eu, 0xa104d424u, 0x5dabbdfbu, - 0x41cb4c6bu, 0xd7f44717u, 0x61785ff7u, 0x5e0bc273u, - 0x36426c70u, 0x2aa6f08eu, 0x083badbfu, 0x3cab941bu, - 0x8871da23u, 0x1ab3dbaeu, 0x7115a21du, 0xf5aa0965u, - 0xf766f562u, 0x7f110225u, 0x86d96a04u, 0xc50a120eu, - 0x3a751ca3u, 0xc21aa186u, 0xba7359d0u, 0x3ff2b257u, - 0xd116e8bbu, 0xfc1318c0u, 0x070e5b1du, 0x83b759a6u }, - 65537 - }; - -ECPublicKey test_ec_key = - { - { - {0xd656fa24u, 0x931416cau, 0x1c0278c6u, 0x174ebe4cu, - 0x6018236au, 0x45ba1656u, 0xe8c05d84u, 0x670ed500u} - }, - { - {0x0d179adeu, 0x4c16827du, 0x9f8cb992u, 0x8f69ff8au, - 0x481b1020u, 0x798d91afu, 0x184db8e9u, 0xb5848dd9u} - } - }; - RecoveryUI* ui = NULL; class MockUI : public RecoveryUI { @@ -177,31 +89,34 @@ class VerifierTest : public testing::TestWithParam> { virtual void SetUp() { std::vector args = GetParam(); - std::string package = android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH, - TESTDATA_PATH, args[0].c_str()); + std::string package = + android::base::StringPrintf("%s%s%s%s", DATA_PATH, NATIVE_TEST_PATH, + TESTDATA_PATH, args[0].c_str()); + if (sysMapFile(package.c_str(), &memmap) != 0) { + FAIL() << "Failed to mmap " << package << ": " << strerror(errno) + << "\n"; + } + for (auto it = ++(args.cbegin()); it != args.cend(); ++it) { if (it->substr(it->length() - 3, it->length()) == "256") { if (certs.empty()) { FAIL() << "May only specify -sha256 after key type\n"; } - certs.back().hash_len = SHA256_DIGEST_SIZE; - } else if (*it == "ec") { - certs.emplace_back(SHA_DIGEST_SIZE, Certificate::EC, - nullptr, std::unique_ptr(new ECPublicKey(test_ec_key))); - } else if (*it == "e3") { - certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA, - std::unique_ptr(new RSAPublicKey(test_key)), nullptr); - } else if (*it == "f4") { - certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA, - std::unique_ptr(new RSAPublicKey(test_f4_key)), nullptr); + certs.back().hash_len = SHA256_DIGEST_LENGTH; + } else { + std::string public_key_file = android::base::StringPrintf( + "%s%s%stest_key_%s.txt", DATA_PATH, NATIVE_TEST_PATH, + TESTDATA_PATH, it->c_str()); + ASSERT_TRUE(load_keys(public_key_file.c_str(), certs)); + certs.back().hash_len = SHA_DIGEST_LENGTH; } } if (certs.empty()) { - certs.emplace_back(SHA_DIGEST_SIZE, Certificate::RSA, - std::unique_ptr(new RSAPublicKey(test_key)), nullptr); - } - if (sysMapFile(package.c_str(), &memmap) != 0) { - FAIL() << "Failed to mmap " << package << ": " << strerror(errno) << "\n"; + std::string public_key_file = android::base::StringPrintf( + "%s%s%stest_key_e3.txt", DATA_PATH, NATIVE_TEST_PATH, + TESTDATA_PATH); + ASSERT_TRUE(load_keys(public_key_file.c_str(), certs)); + certs.back().hash_len = SHA_DIGEST_LENGTH; } } diff --git a/tests/testdata/test_key_e3.txt b/tests/testdata/test_key_e3.txt new file mode 100644 index 000000000..53f5297bd --- /dev/null +++ b/tests/testdata/test_key_e3.txt @@ -0,0 +1 @@ +{64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}} diff --git a/tests/testdata/test_key_ec.txt b/tests/testdata/test_key_ec.txt new file mode 100644 index 000000000..72b4395d9 --- /dev/null +++ b/tests/testdata/test_key_ec.txt @@ -0,0 +1 @@ +v5 {32,{36,250,86,214,202,22,20,147,198,120,2,28,76,190,78,23,106,35,24,96,86,22,186,69,132,93,192,232,0,213,14,103},{222,154,23,13,125,130,22,76,146,185,140,159,138,255,105,143,32,16,27,72,175,145,141,121,233,184,77,24,217,141,132,181}} diff --git a/tests/testdata/test_key_f4.txt b/tests/testdata/test_key_f4.txt new file mode 100644 index 000000000..54ddbbad1 --- /dev/null +++ b/tests/testdata/test_key_f4.txt @@ -0,0 +1 @@ +v2 {64,0xc9bd1f21,{293133087,3210546773,865313125,250921607,3158780490,943703457,1242806226,2986289859,2942743769,2457906415,2719374299,1783459420,149579627,3081531591,3440738617,2788543742,2758457512,1146764939,3699497403,2446203424,1744968926,1159130537,2370028300,3978231572,3392699980,1487782451,1180150567,2841334302,3753960204,961373345,3333628321,748825784,2978557276,1566596926,1613056060,2600292737,1847226629,50398611,1890374404,2878700735,2286201787,1401186359,619285059,731930817,2340993166,1156490245,2992241729,151498140,318782170,3480838990,2100383433,4223552555,3628927011,4247846280,1759029513,4215632601,2719154626,3490334597,1751299340,3487864726,3668753795,4217506054,3748782284,3150295088},{1772626313,445326068,3477676155,1758201194,2986784722,491035581,3922936562,702212696,2979856666,3324974564,2488428922,3056318590,1626954946,664714029,398585816,3964097931,3356701905,2298377729,2040082097,3025491477,539143308,3348777868,2995302452,3602465520,212480763,2691021393,1307177300,704008044,2031136606,1054106474,3838318865,2441343869,1477566916,700949900,2534790355,3353533667,336163563,4106790558,2701448228,1571536379,1103842411,3623110423,1635278839,1577828979,910322800,715583630,138128831,1017877531,2289162787,447994798,1897243165,4121561445,4150719842,2131821093,2262395396,3305771534,980753571,3256525190,3128121808,1072869975,3507939515,4229109952,118381341,2209831334}} diff --git a/verifier.cpp b/verifier.cpp index 9a2d60c66..4004b0228 100644 --- a/verifier.cpp +++ b/verifier.cpp @@ -14,25 +14,26 @@ * limitations under the License. */ -#include "asn1_decoder.h" -#include "common.h" -#include "ui.h" -#include "verifier.h" - -#include "mincrypt/dsa_sig.h" -#include "mincrypt/p256.h" -#include "mincrypt/p256_ecdsa.h" -#include "mincrypt/rsa.h" -#include "mincrypt/sha.h" -#include "mincrypt/sha256.h" - #include #include #include #include +#include +#include + +#include +#include + +#include "asn1_decoder.h" +#include "common.h" +#include "ui.h" +#include "verifier.h" + extern RecoveryUI* ui; +static constexpr size_t MiB = 1024 * 1024; + /* * Simple version of PKCS#7 SignedData extraction. This extracts the * signature OCTET STRING to be used for signature verification. @@ -188,30 +189,30 @@ int verify_file(unsigned char* addr, size_t length, } } -#define BUFFER_SIZE 4096 - bool need_sha1 = false; bool need_sha256 = false; for (const auto& key : keys) { switch (key.hash_len) { - case SHA_DIGEST_SIZE: need_sha1 = true; break; - case SHA256_DIGEST_SIZE: need_sha256 = true; break; + case SHA_DIGEST_LENGTH: need_sha1 = true; break; + case SHA256_DIGEST_LENGTH: need_sha256 = true; break; } } SHA_CTX sha1_ctx; SHA256_CTX sha256_ctx; - SHA_init(&sha1_ctx); - SHA256_init(&sha256_ctx); + SHA1_Init(&sha1_ctx); + SHA256_Init(&sha256_ctx); double frac = -1.0; size_t so_far = 0; while (so_far < signed_len) { - size_t size = signed_len - so_far; - if (size > BUFFER_SIZE) size = BUFFER_SIZE; + // On a Nexus 9, experiment didn't show any performance improvement with + // larger sizes past 1MiB, and they reduce the granularity of the progress + // bar. http://b/28135231. + size_t size = std::min(signed_len - so_far, 1 * MiB); - if (need_sha1) SHA_update(&sha1_ctx, addr + so_far, size); - if (need_sha256) SHA256_update(&sha256_ctx, addr + so_far, size); + if (need_sha1) SHA1_Update(&sha1_ctx, addr + so_far, size); + if (need_sha256) SHA256_Update(&sha256_ctx, addr + so_far, size); so_far += size; double f = so_far / (double)signed_len; @@ -221,8 +222,10 @@ int verify_file(unsigned char* addr, size_t length, } } - const uint8_t* sha1 = SHA_final(&sha1_ctx); - const uint8_t* sha256 = SHA256_final(&sha256_ctx); + uint8_t sha1[SHA_DIGEST_LENGTH]; + SHA1_Final(sha1, &sha1_ctx); + uint8_t sha256[SHA256_DIGEST_LENGTH]; + SHA256_Final(sha256, &sha256_ctx); uint8_t* sig_der = nullptr; size_t sig_der_length = 0; @@ -242,23 +245,25 @@ int verify_file(unsigned char* addr, size_t length, size_t i = 0; for (const auto& key : keys) { const uint8_t* hash; + int hash_nid; switch (key.hash_len) { - case SHA_DIGEST_SIZE: hash = sha1; break; - case SHA256_DIGEST_SIZE: hash = sha256; break; - default: continue; + case SHA_DIGEST_LENGTH: + hash = sha1; + hash_nid = NID_sha1; + break; + case SHA256_DIGEST_LENGTH: + hash = sha256; + hash_nid = NID_sha256; + break; + default: + continue; } // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that // the signing tool appends after the signature itself. - if (key.key_type == Certificate::RSA) { - if (sig_der_length < RSANUMBYTES) { - // "signature" block isn't big enough to contain an RSA block. - LOGI("signature is too short for RSA key %zu\n", i); - continue; - } - - if (!RSA_verify(key.rsa.get(), sig_der, RSANUMBYTES, - hash, key.hash_len)) { + if (key.key_type == Certificate::KEY_TYPE_RSA) { + if (!RSA_verify(hash_nid, hash, key.hash_len, sig_der, + sig_der_length, key.rsa.get())) { LOGI("failed to verify against RSA key %zu\n", i); continue; } @@ -266,18 +271,10 @@ int verify_file(unsigned char* addr, size_t length, LOGI("whole-file signature verified against RSA key %zu\n", i); free(sig_der); return VERIFY_SUCCESS; - } else if (key.key_type == Certificate::EC - && key.hash_len == SHA256_DIGEST_SIZE) { - p256_int r, s; - if (!dsa_sig_unpack(sig_der, sig_der_length, &r, &s)) { - LOGI("Not a DSA signature block for EC key %zu\n", i); - continue; - } - - p256_int p256_hash; - p256_from_bin(hash, &p256_hash); - if (!p256_ecdsa_verify(&(key.ec->x), &(key.ec->y), - &p256_hash, &r, &s)) { + } else if (key.key_type == Certificate::KEY_TYPE_EC + && key.hash_len == SHA256_DIGEST_LENGTH) { + if (!ECDSA_verify(0, hash, key.hash_len, sig_der, + sig_der_length, key.ec.get())) { LOGI("failed to verify against EC key %zu\n", i); continue; } @@ -295,6 +292,144 @@ int verify_file(unsigned char* addr, size_t length, return VERIFY_FAILURE; } +std::unique_ptr parse_rsa_key(FILE* file, uint32_t exponent) { + // Read key length in words and n0inv. n0inv is a precomputed montgomery + // parameter derived from the modulus and can be used to speed up + // verification. n0inv is 32 bits wide here, assuming the verification logic + // uses 32 bit arithmetic. However, BoringSSL may use a word size of 64 bits + // internally, in which case we don't have a valid n0inv. Thus, we just + // ignore the montgomery parameters and have BoringSSL recompute them + // internally. If/When the speedup from using the montgomery parameters + // becomes relevant, we can add more sophisticated code here to obtain a + // 64-bit n0inv and initialize the montgomery parameters in the key object. + uint32_t key_len_words = 0; + uint32_t n0inv = 0; + if (fscanf(file, " %i , 0x%x", &key_len_words, &n0inv) != 2) { + return nullptr; + } + + if (key_len_words > 8192 / 32) { + LOGE("key length (%d) too large\n", key_len_words); + return nullptr; + } + + // Read the modulus. + std::unique_ptr modulus(new uint32_t[key_len_words]); + if (fscanf(file, " , { %u", &modulus[0]) != 1) { + return nullptr; + } + for (uint32_t i = 1; i < key_len_words; ++i) { + if (fscanf(file, " , %u", &modulus[i]) != 1) { + return nullptr; + } + } + + // Cconvert from little-endian array of little-endian words to big-endian + // byte array suitable as input for BN_bin2bn. + std::reverse((uint8_t*)modulus.get(), + (uint8_t*)(modulus.get() + key_len_words)); + + // The next sequence of values is the montgomery parameter R^2. Since we + // generally don't have a valid |n0inv|, we ignore this (see comment above). + uint32_t rr_value; + if (fscanf(file, " } , { %u", &rr_value) != 1) { + return nullptr; + } + for (uint32_t i = 1; i < key_len_words; ++i) { + if (fscanf(file, " , %u", &rr_value) != 1) { + return nullptr; + } + } + if (fscanf(file, " } } ") != 0) { + return nullptr; + } + + // Initialize the key. + std::unique_ptr key(RSA_new()); + if (!key) { + return nullptr; + } + + key->n = BN_bin2bn((uint8_t*)modulus.get(), + key_len_words * sizeof(uint32_t), NULL); + if (!key->n) { + return nullptr; + } + + key->e = BN_new(); + if (!key->e || !BN_set_word(key->e, exponent)) { + return nullptr; + } + + return key; +} + +struct BNDeleter { + void operator()(BIGNUM* bn) { + BN_free(bn); + } +}; + +std::unique_ptr parse_ec_key(FILE* file) { + uint32_t key_len_bytes = 0; + if (fscanf(file, " %i", &key_len_bytes) != 1) { + return nullptr; + } + + std::unique_ptr group( + EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1), EC_GROUP_free); + if (!group) { + return nullptr; + } + + // Verify that |key_len| matches the group order. + if (key_len_bytes != BN_num_bytes(EC_GROUP_get0_order(group.get()))) { + return nullptr; + } + + // Read the public key coordinates. Note that the byte order in the file is + // little-endian, so we convert to big-endian here. + std::unique_ptr bytes(new uint8_t[key_len_bytes]); + std::unique_ptr point[2]; + for (int i = 0; i < 2; ++i) { + unsigned int byte = 0; + if (fscanf(file, " , { %u", &byte) != 1) { + return nullptr; + } + bytes[key_len_bytes - 1] = byte; + + for (size_t i = 1; i < key_len_bytes; ++i) { + if (fscanf(file, " , %u", &byte) != 1) { + return nullptr; + } + bytes[key_len_bytes - i - 1] = byte; + } + + point[i].reset(BN_bin2bn(bytes.get(), key_len_bytes, nullptr)); + if (!point[i]) { + return nullptr; + } + + if (fscanf(file, " }") != 0) { + return nullptr; + } + } + + if (fscanf(file, " } ") != 0) { + return nullptr; + } + + // Create and initialize the key. + std::unique_ptr key(EC_KEY_new()); + if (!key || !EC_KEY_set_group(key.get(), group.get()) || + !EC_KEY_set_public_key_affine_coordinates(key.get(), point[0].get(), + point[1].get())) { + return nullptr; + } + + return key; +} + // Reads a file containing one or more public keys as produced by // DumpPublicKey: this is an RSAPublicKey struct as it would appear // as a C source literal, eg: @@ -335,94 +470,57 @@ bool load_keys(const char* filename, std::vector& certs) { } while (true) { - certs.emplace_back(0, Certificate::RSA, nullptr, nullptr); + certs.emplace_back(0, Certificate::KEY_TYPE_RSA, nullptr, nullptr); Certificate& cert = certs.back(); + uint32_t exponent = 0; char start_char; if (fscanf(f.get(), " %c", &start_char) != 1) return false; if (start_char == '{') { // a version 1 key has no version specifier. - cert.key_type = Certificate::RSA; - cert.rsa = std::unique_ptr(new RSAPublicKey); - cert.rsa->exponent = 3; - cert.hash_len = SHA_DIGEST_SIZE; + cert.key_type = Certificate::KEY_TYPE_RSA; + exponent = 3; + cert.hash_len = SHA_DIGEST_LENGTH; } else if (start_char == 'v') { int version; if (fscanf(f.get(), "%d {", &version) != 1) return false; switch (version) { case 2: - cert.key_type = Certificate::RSA; - cert.rsa = std::unique_ptr(new RSAPublicKey); - cert.rsa->exponent = 65537; - cert.hash_len = SHA_DIGEST_SIZE; + cert.key_type = Certificate::KEY_TYPE_RSA; + exponent = 65537; + cert.hash_len = SHA_DIGEST_LENGTH; break; case 3: - cert.key_type = Certificate::RSA; - cert.rsa = std::unique_ptr(new RSAPublicKey); - cert.rsa->exponent = 3; - cert.hash_len = SHA256_DIGEST_SIZE; + cert.key_type = Certificate::KEY_TYPE_RSA; + exponent = 3; + cert.hash_len = SHA256_DIGEST_LENGTH; break; case 4: - cert.key_type = Certificate::RSA; - cert.rsa = std::unique_ptr(new RSAPublicKey); - cert.rsa->exponent = 65537; - cert.hash_len = SHA256_DIGEST_SIZE; + cert.key_type = Certificate::KEY_TYPE_RSA; + exponent = 65537; + cert.hash_len = SHA256_DIGEST_LENGTH; break; case 5: - cert.key_type = Certificate::EC; - cert.ec = std::unique_ptr(new ECPublicKey); - cert.hash_len = SHA256_DIGEST_SIZE; + cert.key_type = Certificate::KEY_TYPE_EC; + cert.hash_len = SHA256_DIGEST_LENGTH; break; default: return false; } } - if (cert.key_type == Certificate::RSA) { - RSAPublicKey* key = cert.rsa.get(); - if (fscanf(f.get(), " %i , 0x%x , { %u", &(key->len), &(key->n0inv), - &(key->n[0])) != 3) { - return false; - } - if (key->len != RSANUMWORDS) { - LOGE("key length (%d) does not match expected size\n", key->len); - return false; - } - for (int i = 1; i < key->len; ++i) { - if (fscanf(f.get(), " , %u", &(key->n[i])) != 1) return false; + if (cert.key_type == Certificate::KEY_TYPE_RSA) { + cert.rsa = parse_rsa_key(f.get(), exponent); + if (!cert.rsa) { + return false; } - if (fscanf(f.get(), " } , { %u", &(key->rr[0])) != 1) return false; - for (int i = 1; i < key->len; ++i) { - if (fscanf(f.get(), " , %u", &(key->rr[i])) != 1) return false; - } - fscanf(f.get(), " } } "); - - LOGI("read key e=%d hash=%d\n", key->exponent, cert.hash_len); - } else if (cert.key_type == Certificate::EC) { - ECPublicKey* key = cert.ec.get(); - int key_len; - unsigned int byte; - uint8_t x_bytes[P256_NBYTES]; - uint8_t y_bytes[P256_NBYTES]; - if (fscanf(f.get(), " %i , { %u", &key_len, &byte) != 2) return false; - if (key_len != P256_NBYTES) { - LOGE("Key length (%d) does not match expected size %d\n", key_len, P256_NBYTES); - return false; - } - x_bytes[P256_NBYTES - 1] = byte; - for (int i = P256_NBYTES - 2; i >= 0; --i) { - if (fscanf(f.get(), " , %u", &byte) != 1) return false; - x_bytes[i] = byte; - } - if (fscanf(f.get(), " } , { %u", &byte) != 1) return false; - y_bytes[P256_NBYTES - 1] = byte; - for (int i = P256_NBYTES - 2; i >= 0; --i) { - if (fscanf(f.get(), " , %u", &byte) != 1) return false; - y_bytes[i] = byte; + + LOGI("read key e=%d hash=%d\n", exponent, cert.hash_len); + } else if (cert.key_type == Certificate::KEY_TYPE_EC) { + cert.ec = parse_ec_key(f.get()); + if (!cert.ec) { + return false; } - fscanf(f.get(), " } } "); - p256_from_bin(x_bytes, &key->x); - p256_from_bin(y_bytes, &key->y); } else { LOGE("Unknown key type %d\n", cert.key_type); return false; diff --git a/verifier.h b/verifier.h index 4eafc7565..58083fe14 100644 --- a/verifier.h +++ b/verifier.h @@ -20,32 +20,42 @@ #include #include -#include "mincrypt/p256.h" -#include "mincrypt/rsa.h" +#include +#include +#include -typedef struct { - p256_int x; - p256_int y; -} ECPublicKey; +struct RSADeleter { + void operator()(RSA* rsa) { + RSA_free(rsa); + } +}; + +struct ECKEYDeleter { + void operator()(EC_KEY* ec_key) { + EC_KEY_free(ec_key); + } +}; struct Certificate { typedef enum { - RSA, - EC, + KEY_TYPE_RSA, + KEY_TYPE_EC, } KeyType; - Certificate(int hash_len_, KeyType key_type_, - std::unique_ptr&& rsa_, - std::unique_ptr&& ec_) : - hash_len(hash_len_), - key_type(key_type_), - rsa(std::move(rsa_)), - ec(std::move(ec_)) { } + Certificate(int hash_len_, + KeyType key_type_, + std::unique_ptr&& rsa_, + std::unique_ptr&& ec_) + : hash_len(hash_len_), + key_type(key_type_), + rsa(std::move(rsa_)), + ec(std::move(ec_)) {} - int hash_len; // SHA_DIGEST_SIZE (SHA-1) or SHA256_DIGEST_SIZE (SHA-256) + // SHA_DIGEST_LENGTH (SHA-1) or SHA256_DIGEST_LENGTH (SHA-256) + int hash_len; KeyType key_type; - std::unique_ptr rsa; - std::unique_ptr ec; + std::unique_ptr rsa; + std::unique_ptr ec; }; /* addr and length define a an update package file that has been -- cgit v1.2.3