From patchwork Wed Sep 23 17:11:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthieu CASTET X-Patchwork-Id: 1370072 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=free.fr Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=MgYHn9fh; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4BxTf158bMz9sS8 for ; Thu, 24 Sep 2020 06:04:09 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 241CF824B9; Wed, 23 Sep 2020 22:04:05 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=free.fr Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="MgYHn9fh"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 7D51382480; Wed, 23 Sep 2020 19:11:54 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,FREEMAIL_FROM,SPF_HELO_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E97368244B for ; Wed, 23 Sep 2020 19:11:51 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=none (p=none dis=none) header.from=free.fr Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=matthieu.castet@gmail.com Received: by mail-wr1-x444.google.com with SMTP id s12so812015wrw.11 for ; Wed, 23 Sep 2020 10:11:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Tj4BsR1ZhxS9HRYy7Vg79yIPFm3sCL0pIW/7g2tXk+Q=; b=MgYHn9fhfXq5TAoxCHun8qTdu61eRsmqo6/NNVgIjrdMdPeFzxmktcU3qjIypYedHp p8DUFKSPOKLG3+i4S2hpljFWuWfZKjMrcF1fR+rhFBVrMsWOZ6CFlsP768rNzEbsEWeN Lrut5cU7BHniiOjtGq46Qh1+4r8FIdSfWsl2Fz7xWlFc3Grc8Z2QBdMdTl58aWj0pWOE sJsxT24i02rOVaVY8d0Bg7I5kYzG4Bx8y7d0Ij6mzbCuImgTlWIqLTAtjB20TvXjEtRU RWKCPIVf7Qvs7TqBS9yyk5JMs8sWEZwZ5PChU5E0W0SJA3rmwqYkq7oWuUfTc0128EWo 0MOw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :mime-version:content-transfer-encoding; bh=Tj4BsR1ZhxS9HRYy7Vg79yIPFm3sCL0pIW/7g2tXk+Q=; b=nMq/bCIXDlpSs5/4gH7TI5nW6LuXOxVV73O4DBXOMZRrBUShXJV1o8Jb1jdTWcThR2 L4GmWDvDSEYhQjl7i0S3wGhCrrem8tF+Mqk8gK5WBZWpAz/OqGpDDxjO+KF6l+XfGDlA yOxzVwcFzCvTOCxuTM+80CheuurrIkL5xQdW0+DGIz74m2VTqhM0MlysZOCBmeO7T8HT w9qZeY+YU9rdCx0PSPr9VJ9XjdD2nVhKKhUSotNCuYNywgDV5rV+CCcgPJSmSaYR4w9c mWCG78Ka9lY8mbBsJwMB5jZqC96bnvvE1ZZdb7p9MH+ZpmG/1sAnXnKFblN/mxVIJirz 1lWQ== X-Gm-Message-State: AOAM532OVfgpu3MdSra3UVrRCjKpNjNYRVjSB7O/Ntbktjt0DvBBQA9c MJutbeim96EubNuaUGunUNZnU0tt5A== X-Google-Smtp-Source: ABdhPJx6LjKDsaO3EdO0Ban5amM9FoG/5LfDwR5YmagoTZr/Gxdvm3cVUmGBm1ZaqWIg0kH7a8lesQ== X-Received: by 2002:adf:ea44:: with SMTP id j4mr679396wrn.368.1600881111394; Wed, 23 Sep 2020 10:11:51 -0700 (PDT) Received: from perruche.parrot.biz ([2a01:e35:2e1c:8d40:452:f2aa:30d1:4af2]) by smtp.gmail.com with ESMTPSA id y5sm464953wrh.6.2020.09.23.10.11.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Sep 2020 10:11:50 -0700 (PDT) From: Matthieu CASTET To: u-boot@lists.denx.de Cc: Matthieu CASTET Subject: [PATCH] lib: rsa: check algo match in rsa_verify_with_keynode Date: Wed, 23 Sep 2020 19:11:44 +0200 Message-Id: <20200923171144.2786596-1-castet.matthieu@free.fr> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 X-Mailman-Approved-At: Wed, 23 Sep 2020 22:04:03 +0200 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean The algo name should match between the FIT's signature node and the U-Boot's control FDT. If we do not check it, U-Boot's control FDT can expect sha512 hash but nothing will prevent to accept image with sha1 hash if the signature is correct. Signed-off-by: Matthieu CASTET --- lib/rsa/rsa-verify.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 2057f6819d..b9c800c7dc 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -439,12 +439,17 @@ static int rsa_verify_with_keynode(struct image_sign_info *info, struct key_prop prop; int length; int ret = 0; + const char *algo; if (node < 0) { debug("%s: Skipping invalid node", __func__); return -EBADF; } + algo = fdt_getprop(blob, node, "algo", NULL); + if (strcmp(info->name, algo)) + return -EFAULT; + prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0); prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);