From c755aa8a1dc2f2b819ce36148248ebe93bbc7f86 Mon Sep 17 00:00:00 2001 From: SESA644425 Date: Wed, 9 Mar 2022 01:27:15 -0800 Subject: lib: rsa: Fix const-correctness of rsassa_pss functions Prior to introduction of modifications in rsassa_pss functions related to padding verification, doing a pass to update const-correctness in targeted functions to comply with coding-rules and avoid const-cast Signed-off-by: SESA644425 Reviewed-by: Simon Glass --- lib/rsa/rsa-verify.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib') diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 112664059c9..c2c7248f902 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -73,7 +73,7 @@ static int rsa_verify_padding(const uint8_t *msg, const int pad_len, } int padding_pkcs_15_verify(struct image_sign_info *info, - uint8_t *msg, int msg_len, + const uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len) { struct checksum_algo *checksum = info->checksum; @@ -125,7 +125,7 @@ static void u32_i2osp(uint32_t val, uint8_t *buf) * Return: 0 if the octet string was correctly generated, others on error */ static int mask_generation_function1(struct checksum_algo *checksum, - uint8_t *seed, int seed_len, + const uint8_t *seed, int seed_len, uint8_t *output, int output_len) { struct image_region region[2]; @@ -176,9 +176,9 @@ out: } static int compute_hash_prime(struct checksum_algo *checksum, - uint8_t *pad, int pad_len, - uint8_t *hash, int hash_len, - uint8_t *salt, int salt_len, + const uint8_t *pad, int pad_len, + const uint8_t *hash, int hash_len, + const uint8_t *salt, int salt_len, uint8_t *hprime) { struct image_region region[3]; @@ -215,7 +215,7 @@ out: * @hash_len: Length of the hash */ int padding_pss_verify(struct image_sign_info *info, - uint8_t *msg, int msg_len, + const uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len) { uint8_t *masked_db = NULL; @@ -287,7 +287,7 @@ int padding_pss_verify(struct image_sign_info *info, /* step 12 & 13 */ compute_hash_prime(checksum, pad_zero, 8, - (uint8_t *)hash, hash_len, + hash, hash_len, salt, salt_len, hprime); /* step 14 */ -- cgit v1.2.3 From fb7330545e08876e26dae155f6f6d6788e4a102e Mon Sep 17 00:00:00 2001 From: SESA644425 Date: Wed, 9 Mar 2022 01:27:16 -0800 Subject: lib: rsa: Leverage existing data buffer instead of systematic copy Prior to introduction of modifications in rsassa_pss functions related to padding verification, doing a pass to reduce memory consumption of function by replacing memory copies of parts of const buffer by pointers to the original buffer (masked_db and h are subparts of msg buffer which is declared const, salt is a subpart of db which is a working buffer, unmodified after being filled). New pointers scope is limited to the function where they are declared (not returned to caller by any mean), zeroing risk of memory fault related to the change. Signed-off-by: SESA644425 Reviewed-by: Simon Glass --- lib/rsa/rsa-verify.c | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) (limited to 'lib') diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index c2c7248f902..de71234cfb8 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -208,6 +208,10 @@ out: * saltlen:-1 "set the salt length to the digest length" is currently * not supported. * + * msg is a concatenation of : masked_db + h + 0xbc + * Once unmasked, db is a concatenation of : [0x00]* + 0x01 + salt + * Length of 0-padding at begin of db depends on salt length. + * * @info: Specifies key and FIT information * @msg: byte array of message, len equal to msg_len * @msg_len: Message length @@ -218,27 +222,25 @@ int padding_pss_verify(struct image_sign_info *info, const uint8_t *msg, int msg_len, const uint8_t *hash, int hash_len) { - uint8_t *masked_db = NULL; - int masked_db_len = msg_len - hash_len - 1; - uint8_t *h = NULL, *hprime = NULL; - int h_len = hash_len; + const uint8_t *masked_db = NULL; uint8_t *db_mask = NULL; - int db_mask_len = masked_db_len; - uint8_t *db = NULL, *salt = NULL; - int db_len = masked_db_len, salt_len = msg_len - hash_len - 2; + uint8_t *db = NULL; + int db_len = msg_len - hash_len - 1; + const uint8_t *h = NULL; + uint8_t *hprime = NULL; + int h_len = hash_len; + uint8_t *salt = NULL; + int salt_len = msg_len - hash_len - 2; uint8_t pad_zero[8] = { 0 }; int ret, i, leftmost_bits = 1; uint8_t leftmost_mask; struct checksum_algo *checksum = info->checksum; /* first, allocate everything */ - masked_db = malloc(masked_db_len); - h = malloc(h_len); - db_mask = malloc(db_mask_len); + db_mask = malloc(db_len); db = malloc(db_len); - salt = malloc(salt_len); hprime = malloc(hash_len); - if (!masked_db || !h || !db_mask || !db || !salt || !hprime) { + if (!db_mask || !db || !hprime) { printf("%s: can't allocate some buffer\n", __func__); ret = -ENOMEM; goto out; @@ -252,8 +254,8 @@ int padding_pss_verify(struct image_sign_info *info, } /* step 5 */ - memcpy(masked_db, msg, masked_db_len); - memcpy(h, msg + masked_db_len, h_len); + masked_db = &msg[0]; + h = &msg[db_len]; /* step 6 */ leftmost_mask = (0xff >> (8 - leftmost_bits)) << (8 - leftmost_bits); @@ -265,7 +267,7 @@ int padding_pss_verify(struct image_sign_info *info, } /* step 7 */ - mask_generation_function1(checksum, h, h_len, db_mask, db_mask_len); + mask_generation_function1(checksum, h, h_len, db_mask, db_len); /* step 8 */ for (i = 0; i < db_len; i++) @@ -283,7 +285,7 @@ int padding_pss_verify(struct image_sign_info *info, } /* step 11 */ - memcpy(salt, &db[1], salt_len); + salt = &db[1]; /* step 12 & 13 */ compute_hash_prime(checksum, pad_zero, 8, @@ -295,11 +297,8 @@ int padding_pss_verify(struct image_sign_info *info, out: free(hprime); - free(salt); free(db); free(db_mask); - free(h); - free(masked_db); return ret; } -- cgit v1.2.3 From 81eff51047e2fb29f518f8a3721f539a68a11b6d Mon Sep 17 00:00:00 2001 From: SESA644425 Date: Wed, 9 Mar 2022 01:27:17 -0800 Subject: lib: rsa: Update function padding_pss_verify (any-salt) Modify function to support any salt length instead of max length only. Function now detects salt length by parsing the content of db buffer. Note that it works with (but is not limited to) zero-length, digest-length and max-length Signed-off-by: SESA644425 Reviewed-by: Simon Glass --- lib/rsa/rsa-verify.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'lib') diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index de71234cfb8..1d95cfbdee0 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -204,9 +204,7 @@ out: /* * padding_pss_verify() - verify the pss padding of a signature * - * Only works with a rsa_pss_saltlen:-2 (default value) right now - * saltlen:-1 "set the salt length to the digest length" is currently - * not supported. + * Works with any salt length * * msg is a concatenation of : masked_db + h + 0xbc * Once unmasked, db is a concatenation of : [0x00]* + 0x01 + salt @@ -229,8 +227,8 @@ int padding_pss_verify(struct image_sign_info *info, const uint8_t *h = NULL; uint8_t *hprime = NULL; int h_len = hash_len; - uint8_t *salt = NULL; - int salt_len = msg_len - hash_len - 2; + uint8_t *db_nopad = NULL, *salt = NULL; + int db_padlen, salt_len; uint8_t pad_zero[8] = { 0 }; int ret, i, leftmost_bits = 1; uint8_t leftmost_mask; @@ -277,15 +275,20 @@ int padding_pss_verify(struct image_sign_info *info, db[0] &= 0xff >> leftmost_bits; /* step 10 */ - if (db[0] != 0x01) { + db_padlen = 0; + while (db[db_padlen] == 0x00 && db_padlen < (db_len - 1)) + db_padlen++; + db_nopad = &db[db_padlen]; + if (db_nopad[0] != 0x01) { printf("%s: invalid pss padding ", __func__); - printf("(leftmost byte of db isn't 0x01)\n"); + printf("(leftmost byte of db after 0-padding isn't 0x01)\n"); ret = EINVAL; goto out; } /* step 11 */ - salt = &db[1]; + salt_len = db_len - db_padlen - 1; + salt = &db_nopad[1]; /* step 12 & 13 */ compute_hash_prime(checksum, pad_zero, 8, -- cgit v1.2.3 From e146a2c12ff1e9138f564ae6815a131bd850d8ef Mon Sep 17 00:00:00 2001 From: Dhananjay Phadke Date: Tue, 15 Mar 2022 10:19:32 -0700 Subject: lib/crypto: support sha384/sha512 in x509/pkcs7 Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, (not set by ported linux code, but needed by __UBOOT__ part). EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for correctness if certificates contain sha384WithRSAEncryption or sha512WithRSAEncryption OIDs. Signed-off-by: Dhananjay Phadke Reviewed-by: Ilias Apalodimas --- lib/crypto/pkcs7_verify.c | 4 ++++ lib/crypto/x509_public_key.c | 4 ++++ 2 files changed, 8 insertions(+) (limited to 'lib') diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 82c5c745d49..b832f013566 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, return -ENOPKG; if (!strcmp(sinfo->sig->hash_algo, "sha256")) sig->digest_size = SHA256_SUM_LEN; + else if (!strcmp(sinfo->sig->hash_algo, "sha384")) + sig->digest_size = SHA384_SUM_LEN; + else if (!strcmp(sinfo->sig->hash_algo, "sha512")) + sig->digest_size = SHA512_SUM_LEN; else if (!strcmp(sinfo->sig->hash_algo, "sha1")) sig->digest_size = SHA1_SUM_LEN; else diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index d557ab27ae3..5c0e2b622db 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c @@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert) return -ENOPKG; if (!strcmp(sig->hash_algo, "sha256")) sig->digest_size = SHA256_SUM_LEN; + else if (!strcmp(sig->hash_algo, "sha384")) + sig->digest_size = SHA384_SUM_LEN; + else if (!strcmp(sig->hash_algo, "sha512")) + sig->digest_size = SHA512_SUM_LEN; else if (!strcmp(sig->hash_algo, "sha1")) sig->digest_size = SHA1_SUM_LEN; else -- cgit v1.2.3