From patchwork Tue Jun 16 05:26:49 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 1309994 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=ObfLYk1Q; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 49mGvS4vJMz9sSc for ; Tue, 16 Jun 2020 15:28:36 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2B99A81EB6; Tue, 16 Jun 2020 07:28:24 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="ObfLYk1Q"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 8FBD781EAD; Tue, 16 Jun 2020 07:28:21 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 27C1281EAD for ; Tue, 16 Jun 2020 07:28:11 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pf1-x432.google.com with SMTP id a127so8944355pfa.12 for ; Mon, 15 Jun 2020 22:28:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=P2MYFycP5PBrCsPfgLUy7oktK/yz6cXlTxU/HRMWKKw=; b=ObfLYk1Qv/SDcZv33qMigN9lvN1yePrLaOAoOt6MGp9DS3I7m03gQTd6tJTr9kwAfR oyMWQO0WZjJhZsLmApUK0atQPX97Oxqqu4gl8p528gsd/iBBYN8aO8bI5CR9Xk+yDZ7M 5hnxGDoP/OIt8X3qalRY8qzOlNVz956ohoyI7rcdv9AhO3HABOdpC01o6YOvVreaf/JV muF2Q0bVBfsbBxQJ6PD8Dn5xqjAlAv4jbaXaQc4KEBIK/XCMNUlYRu+SJUxSzite0GPi TicTpP1sHauATLSBGsNdDXN3CTgq6SNuqudRRBZvZEFc8TWOOUypeFcQIAn/6M4/49nU R3MQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=P2MYFycP5PBrCsPfgLUy7oktK/yz6cXlTxU/HRMWKKw=; b=L7Ch3wVYVQpLwTx47R53FpGnUG/GXknxj5J3DQRp7cXmqfbQGu/Jq2D1i/85f5zSRE OH1nqu/jpppoqA9Nz5GIIdu0NTLpBbiQxszxvPtZ4bZ6tnkv/i+AUF5ZjigNM1HiNyXR Vk7Z+MzGw6nIHVh9H0p1zKisHwRZUaEf2LbxjQsPOFKcnnxj3yjHyumCf8Uolra+YlIf JEeThChylbkENNRwU6Y724+giyDYybUkOnvOdPjJsJxgqe0nMTJOpPvOgd1/5TGrSDCu wZb2LEo36e10OlA7ydKxCnfxgn5NMWYdCigo4ELu8Qolm9xrck5rlxfoe8aaJpBoNW5S fQXQ== X-Gm-Message-State: AOAM530N71VTOKduR6FbfWMYsSuCVV/mmR4xNUgelCMMymK0oy3H3NxC Ysv5cGu4LydZ7fqlAnh5uiPTDA== X-Google-Smtp-Source: ABdhPJwcSaJ/7CGgR2OIHBesclzsoza4iYW3iJO8ltVBKcLbs56s769dlyP9F0lXXdshv4hFvdnDaQ== X-Received: by 2002:a62:aa0a:: with SMTP id e10mr640377pff.91.1592285289178; Mon, 15 Jun 2020 22:28:09 -0700 (PDT) Received: from localhost.localdomain (p6e421564.tkyea130.ap.so-net.ne.jp. [110.66.21.100]) by smtp.gmail.com with ESMTPSA id ds11sm1080789pjb.0.2020.06.15.22.28.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 15 Jun 2020 22:28:08 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v2 2/8] lib: crypto: add public_key_verify_signature() Date: Tue, 16 Jun 2020 14:26:49 +0900 Message-Id: <20200616052655.4845-3-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200616052655.4845-1-takahiro.akashi@linaro.org> References: <20200616052655.4845-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de X-Virus-Status: Clean This function will be called from x509_check_for_self_signed() and pkcs7_verify_one(), which will be imported from linux in a later patch. While it does exist in linux code and has a similar functionality of rsa_verify(), it calls further linux-specific interfaces inside. That could lead to more files being imported from linux. So simply re-implement it here instead of re-using the code. Signed-off-by: AKASHI Takahiro --- include/crypto/public_key.h | 2 +- lib/crypto/public_key.c | 63 ++++++++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 2 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 436a1ee1ee64..3ba90fcc3483 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -82,9 +82,9 @@ extern int decrypt_blob(struct kernel_pkey_params *, const void *, void *); extern int create_signature(struct kernel_pkey_params *, const void *, void *); extern int verify_signature(const struct key *, const struct public_key_signature *); +#endif /* __UBOOT__ */ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig); -#endif /* !__UBOOT__ */ #endif /* _LINUX_PUBLIC_KEY_H */ diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index e12ebbb3d0c5..013ea71a180f 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -25,7 +25,10 @@ #include #endif #include -#ifndef __UBOOT__ +#ifdef __UBOOT__ +#include +#include +#else #include #endif @@ -80,6 +83,64 @@ void public_key_signature_free(struct public_key_signature *sig) } EXPORT_SYMBOL_GPL(public_key_signature_free); +/** + * public_key_verify_signature - Verify a signature using a public key. + * + * @pkey: Public key + * @sig: Signature + * + * Verify a signature, @sig, using a RSA public key, @pkey. + * + * Return: 0 - verified, non-zero error code - otherwise + */ +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + struct image_sign_info info; + struct image_region region; + int ret; + + pr_devel("==>%s()\n", __func__); + + if (!pkey || !sig) + return -EINVAL; + + if (pkey->key_is_private) + return -EINVAL; + + memset(&info, '\0', sizeof(info)); + info.padding = image_get_padding_algo("pkcs-1.5"); + /* + * Note: image_get_[checksum|crypto]_algo takes an string + * argument like "," + * TODO: support other hash algorithms + */ + if (!strcmp(sig->hash_algo, "sha1")) { + info.checksum = image_get_checksum_algo("sha1,rsa2048"); + info.name = "sha1,rsa2048"; + } else if (!strcmp(sig->hash_algo, "sha256")) { + info.checksum = image_get_checksum_algo("sha256,rsa2048"); + info.name = "sha256,rsa2048"; + } else { + pr_warn("unknown msg digest algo: %s\n", sig->hash_algo); + return -ENOPKG; + } + info.crypto = image_get_crypto_algo(info.name); + + info.key = pkey->key; + info.keylen = pkey->keylen; + + region.data = sig->digest; + region.size = sig->digest_size; + + if (rsa_verify_with_pkey(&info, sig->digest, sig->s, sig->s_size)) + ret = -EKEYREJECTED; + else + ret = 0; + + pr_devel("<==%s() = %d\n", __func__, ret); + return ret; +} #else /* * Destroy a public key algorithm key.