From patchwork Tue Jul 21 10:35:17 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 1332911 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=KgbSm8sM; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B9w4S6Mpsz9sR4 for ; Tue, 21 Jul 2020 20:36:24 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id E42BB81E4B; Tue, 21 Jul 2020 12:36:16 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="KgbSm8sM"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id A3F9081C40; Tue, 21 Jul 2020 12:36:13 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3828181C17 for ; Tue, 21 Jul 2020 12:36:08 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pl1-x642.google.com with SMTP id w17so10063870ply.11 for ; Tue, 21 Jul 2020 03:36:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=16ThbJOvZgyOV3+zJToP60B6zcdPopU97amU1tiWYf8=; b=KgbSm8sMeqFtMLfylSwH+YH3RagbUzQK/BXD1/DS3SXAhLaOLtFv8sNqc8A8ERcgws zogw50p8Nkya3nwu6QX19kRW+mSchHFR33l81/W5xcZ3HYM3rCO0cXJ2uJ1gxrXukz+W DstaKWnyR9+d0m79b8ho/3p5ub16Wm9JCDBaOkO82fZ9qa3wKmwBV0HSKht0K9Omc5si Nceokm/QN1YsOk4YR6mtNkMVu+BCjcdX36aVzofFMXxOJazjDkmntEzuqyL7EqeG6gpz pBbTc78YKHZbgUnm/f2X5DQHcWUTZ8U6dS4hfoOUpRmCppMzoxUZz0hJ682fafmt/iDy GM6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=16ThbJOvZgyOV3+zJToP60B6zcdPopU97amU1tiWYf8=; b=mAwoV2leaoxjOgkvQC/YapUp56WZyCbNGBb3UFZIkvDZIDybqjMEjw+Yt6k3NWvLRO ipEEfdxdfa7B4CPFDoR9D//17zdEILgVkIqDo5Zw6Rg0w0aB3tIeBjge2zRdGdlZy/Zd RCc9VQDheKM6/Y2qgDagWs2ziqQUO1PighOkr1j5jLYxMUBd34hu+DrxVOa67rib81eJ dq58eiVlokxucjZQrr0S0H0S4mz6Gd/WdTkXABd3eYQcYGdi3u0ltlCjCupBaV8Bb6kE B32qXM/dBDNjjhyDHMWbxUuo4UlOww5TUvay884yDxHNZ8qDU1AovDVjHYhmhOEzvWNE UNBQ== X-Gm-Message-State: AOAM531VLfISbWG22TJLra7r553TIcFu2PH4vdcCYMGbmlGsnL/4/qPb 4oGI56VoHyRQxg+GS3R3QS4dgA== X-Google-Smtp-Source: ABdhPJzXj9saOa+p6RFJDejh1k0o3ih/G2DFAcURAQS7mzzmBLiceJQBBfxZrNBXcwJADt0NuvTH6w== X-Received: by 2002:a17:902:6b43:: with SMTP id g3mr20135871plt.319.1595327766579; Tue, 21 Jul 2020 03:36:06 -0700 (PDT) Received: from localhost.localdomain (p6e424d9a.tkyea130.ap.so-net.ne.jp. [110.66.77.154]) by smtp.gmail.com with ESMTPSA id q20sm19838276pfn.111.2020.07.21.03.36.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Jul 2020 03:36:05 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v5 1/8] lib: crypto: add public_key_verify_signature() Date: Tue, 21 Jul 2020 19:35:17 +0900 Message-Id: <20200721103524.5956-2-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200721103524.5956-1-takahiro.akashi@linaro.org> References: <20200721103524.5956-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean This function will be called from x509_check_for_self_signed() and pkcs7_verify_one(), which will be imported from linux in a later patch. While it does exist in linux code and has a similar functionality of rsa_verify(), it calls further linux-specific interfaces inside. That could lead to more files being imported from linux. So simply re-implement it here instead of re-using the code. Signed-off-by: AKASHI Takahiro --- include/crypto/public_key.h | 2 +- lib/crypto/public_key.c | 70 ++++++++++++++++++++++++++++++++++++- 2 files changed, 70 insertions(+), 2 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 436a1ee1ee64..3ba90fcc3483 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -82,9 +82,9 @@ extern int decrypt_blob(struct kernel_pkey_params *, const void *, void *); extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#endif /* __UBOOT__ */ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); -#endif /* !__UBOOT__ */ #endif /* _LINUX_PUBLIC_KEY_H */ diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index e12ebbb3d0c5..a8f7fbed458a 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -25,7 +25,10 @@ #include #endif #include -#ifndef __UBOOT__ +#ifdef __UBOOT__ +#include +#include +#else #include #endif @@ -80,6 +83,71 @@ void public_key_signature_free(struct public_key_signature *sig) } EXPORT_SYMBOL_GPL(public_key_signature_free); +/** + * public_key_verify_signature - Verify a signature using a public key. + * + * @pkey: Public key + * @sig: Signature + * + * Verify a signature, @sig, using a RSA public key, @pkey. + * + * Return: 0 - verified, non-zero error code - otherwise + */ +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + struct image_sign_info info; + struct image_region region; + int ret; + + pr_devel("==>%s()\n", __func__); + + if (!pkey || !sig) + return -EINVAL; + + if (pkey->key_is_private) + return -EINVAL; + + memset(&info, '\0', sizeof(info)); + info.padding = image_get_padding_algo("pkcs-1.5"); + /* + * Note: image_get_[checksum|crypto]_algo takes a string + * argument like "," + * TODO: support other hash algorithms + */ + if (strcmp(sig->pkey_algo, "rsa") || (sig->s_size * 8) != 2048) { + pr_warn("Encryption is not RSA2048: %s%d\n", + sig->pkey_algo, sig->s_size * 8); + return -ENOPKG; + } + if (!strcmp(sig->hash_algo, "sha1")) { + info.checksum = image_get_checksum_algo("sha1,rsa2048"); + info.name = "sha1,rsa2048"; + } else if (!strcmp(sig->hash_algo, "sha256")) { + info.checksum = image_get_checksum_algo("sha256,rsa2048"); + info.name = "sha256,rsa2048"; + } else { + pr_warn("unknown msg digest algo: %s\n", sig->hash_algo); + return -ENOPKG; + } + info.crypto = image_get_crypto_algo(info.name); + if (IS_ERR(info.checksum) || IS_ERR(info.crypto)) + return -ENOPKG; + + info.key = pkey->key; + info.keylen = pkey->keylen; + + region.data = sig->digest; + region.size = sig->digest_size; + + if (rsa_verify_with_pkey(&info, sig->digest, sig->s, sig->s_size)) + ret = -EKEYREJECTED; + else + ret = 0; + + pr_devel("<==%s() = %d\n", __func__, ret); + return ret; +} #else /* * Destroy a public key algorithm key.