seokj
/
vboot


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340
							/* Copyright (c) 2015 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * Boot descriptor block firmware RSA
 */

#include <string.h>
#include "bdb.h"

/* Public key structure in RAM */
struct public_key {
	uint32_t arrsize;    /* Size of n[] and rr[] arrays in elements */
	uint32_t n0inv;      /* -1 / n[0] mod 2^32 */
	const uint32_t *n;   /* Modulus as little endian array */
	const uint32_t *rr;  /* R^2 as little endian array */
};

/**
 * a[] -= mod
 */
static void subM(const struct public_key *key, uint32_t *a)
{
	int64_t A = 0;
	uint32_t i;
	for (i = 0; i < key->arrsize; ++i) {
		A += (uint64_t)a[i] - key->n[i];
		a[i] = (uint32_t)A;
		A >>= 32;
	}
}

/**
 * Return a[] >= mod
 */
int vb2_mont_ge(const struct public_key *key, uint32_t *a)
{
	uint32_t i;
	for (i = key->arrsize; i;) {
		--i;
		if (a[i] < key->n[i])
			return 0;
		if (a[i] > key->n[i])
			return 1;
	}
	return 1;  /* equal */
}

/**
 * Montgomery c[] += a * b[] / R % mod
 */
static void montMulAdd(const struct public_key *key,
                       uint32_t *c,
                       const uint32_t a,
                       const uint32_t *b)
{
	uint64_t A = (uint64_t)a * b[0] + c[0];
	uint32_t d0 = (uint32_t)A * key->n0inv;
	uint64_t B = (uint64_t)d0 * key->n[0] + (uint32_t)A;
	uint32_t i;

	for (i = 1; i < key->arrsize; ++i) {
		A = (A >> 32) + (uint64_t)a * b[i] + c[i];
		B = (B >> 32) + (uint64_t)d0 * key->n[i] + (uint32_t)A;
		c[i - 1] = (uint32_t)B;
	}

	A = (A >> 32) + (B >> 32);

	c[i - 1] = (uint32_t)A;

	if (A >> 32) {
		subM(key, c);
	}
}

/**
 * Montgomery c[] = a[] * b[] / R % mod
 */
static void montMul(const struct public_key *key,
                    uint32_t *c,
                    const uint32_t *a,
                    const uint32_t *b)
{
	uint32_t i;
	for (i = 0; i < key->arrsize; ++i) {
		c[i] = 0;
	}
	for (i = 0; i < key->arrsize; ++i) {
		montMulAdd(key, c, a[i], b);
	}
}

int vb2_safe_memcmp(const void *s1, const void *s2, size_t size)
{
	const unsigned char *us1 = s1;
	const unsigned char *us2 = s2;
	int result = 0;

	if (0 == size)
		return 0;

	/*
	 * Code snippet without data-dependent branch due to Nate Lawson
	 * (nate@root.org) of Root Labs.
	 */
	while (size--)
		result |= *us1++ ^ *us2++;

	return result != 0;
}

/*
 * PKCS 1.5 padding (from the RSA PKCS#1 v2.1 standard)
 *
 * Depending on the RSA key size and hash function, the padding is calculated
 * as follows:
 *
 * 0x00 || 0x01 || PS || 0x00 || T
 *
 * T: DER Encoded DigestInfo value which depends on the hash function used.
 *
 * SHA-256: (0x)30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20 || H.
 *
 * Length(T) = 51 octets for SHA-256
 *
 * PS: octet string consisting of {Length(RSA Key) - Length(T) - 3} 0xFF
 */
static const uint8_t sha256_tail[] = {
	0x00,0x30,0x31,0x30,0x0d,0x06,0x09,0x60,
	0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,
	0x05,0x00,0x04,0x20
};

int vb2_check_padding(const uint8_t *sig, const struct public_key *key,
		      uint32_t pad_size)
{
	/* Determine padding to use depending on the signature type */
	const uint32_t tail_size = sizeof(sha256_tail);
	int result = 0;
	int i;

	/* First 2 bytes are always 0x00 0x01 */
	result |= *sig++ ^ 0x00;
	result |= *sig++ ^ 0x01;

	/* Then 0xff bytes until the tail */
	for (i = 0; i < pad_size - tail_size - 2; i++)
		result |= *sig++ ^ 0xff;

	/*
	 * Then the tail.  Even though there are probably no timing issues
	 * here, we use vb2_safe_memcmp() just to be on the safe side.
	 */
	result |= vb2_safe_memcmp(sig, sha256_tail, tail_size);

	return result ? BDB_ERROR_DIGEST : BDB_SUCCESS;
}

/* Array size for RSA4096 */
#define ARRSIZE4096 (4096 / 32)

/**
 * In-place public exponentiation. (exponent 65537, key size 4096 bits)
 *
 * @param key		Key to use in signing
 * @param inout		Input and output big-endian byte array
 */
static void modpowF4(const struct public_key *key, uint8_t *inout)
{
	uint32_t a[ARRSIZE4096];
	uint32_t aR[ARRSIZE4096];
	uint32_t aaR[ARRSIZE4096];
	uint32_t *aaa = aaR;  /* Re-use location. */
	int i;

	/* Convert from big endian byte array to little endian word array. */
	for (i = 0; i < ARRSIZE4096; ++i) {
		uint32_t tmp =
			(inout[((ARRSIZE4096 - 1 - i) * 4) + 0] << 24) |
			(inout[((ARRSIZE4096 - 1 - i) * 4) + 1] << 16) |
			(inout[((ARRSIZE4096 - 1 - i) * 4) + 2] << 8) |
			(inout[((ARRSIZE4096 - 1 - i) * 4) + 3] << 0);
		a[i] = tmp;
	}

	montMul(key, aR, a, key->rr);  /* aR = a * RR / R mod M   */
	for (i = 0; i < 16; i+=2) {
		montMul(key, aaR, aR, aR);  /* aaR = aR * aR / R mod M */
		montMul(key, aR, aaR, aaR);  /* aR = aaR * aaR / R mod M */
	}
	montMul(key, aaa, aR, a);  /* aaa = aR * a / R mod M */

	/* Make sure aaa < mod; aaa is at most 1x mod too large. */
	if (vb2_mont_ge(key, aaa)) {
		subM(key, aaa);
	}

	/* Convert to bigendian byte array */
	for (i = ARRSIZE4096 - 1; i >= 0; --i) {
		uint32_t tmp = aaa[i];
		*inout++ = (uint8_t)(tmp >> 24);
		*inout++ = (uint8_t)(tmp >> 16);
		*inout++ = (uint8_t)(tmp >>  8);
		*inout++ = (uint8_t)(tmp >>  0);
	}
}

int bdb_rsa4096_verify(const uint8_t *key_data,
		       const uint8_t *sig,
		       const uint8_t *digest)
{
	const uint32_t *kdata32 = (const uint32_t *)key_data;
	struct public_key key;
	uint8_t sig_work[BDB_RSA4096_SIG_SIZE];
	uint32_t pad_size;
	int rv;

	/* Unpack key */
	if (kdata32[0] != ARRSIZE4096)
		return BDB_ERROR_DIGEST;  /* Wrong key size */

	key.arrsize = kdata32[0];
	key.n0inv = kdata32[1];
	key.n = kdata32 + 2;
	key.rr = kdata32 + 2 + key.arrsize;

	/* Copy signature to work buffer */
	memcpy(sig_work, sig, sizeof(sig_work));

	modpowF4(&key, sig_work);

	/*
	 * Check padding.  Continue on to check the digest even if error to
	 * reduce the risk of timing based attacks.
	 */
	pad_size = key.arrsize * sizeof(uint32_t) - BDB_SHA256_DIGEST_SIZE;
	rv = vb2_check_padding(sig_work, &key, pad_size);

	/*
	 * Check digest.  Even though there are probably no timing issues here,
	 * use vb2_safe_memcmp() just to be on the safe side.  (That's also why
	 * we don't return before this check if the padding check failed.)
	 */
	if (vb2_safe_memcmp(sig_work + pad_size, digest,
			    BDB_SHA256_DIGEST_SIZE))
		rv = BDB_ERROR_DIGEST;

	return rv;
}

/* Array size for RSA3072B */
#define ARRSIZE3072B (3072 / 32)

/**
 * In-place public exponentiation. (exponent 3, key size 3072 bits)
 *
 * @param key		Key to use in signing
 * @param inout		Input and output big-endian byte array
 */
static void modpow3(const struct public_key *key, uint8_t *inout)
{
	uint32_t a[ARRSIZE3072B];
	uint32_t aR[ARRSIZE3072B];
	uint32_t aaR[ARRSIZE3072B];
	uint32_t *aaa = aR; /* Re-use location */
	int i;

	/* Convert from big endian byte array to little endian word array. */
	for (i = 0; i < ARRSIZE3072B; ++i) {
		uint32_t tmp =
			(inout[((ARRSIZE3072B - 1 - i) * 4) + 0] << 24) |
			(inout[((ARRSIZE3072B - 1 - i) * 4) + 1] << 16) |
			(inout[((ARRSIZE3072B - 1 - i) * 4) + 2] << 8) |
			(inout[((ARRSIZE3072B - 1 - i) * 4) + 3] << 0);
		a[i] = tmp;
	}

	montMul(key, aR, a, key->rr);  /* aR = a * RR / R mod M   */
	montMul(key, aaR, aR, aR);  /* aaR = aR * aR / R mod M */
	montMul(key, aaa, aaR, a);  /* aaa = aaR * a / R mod M */

	/* Make sure aaa < mod; aaa is at most 1x mod too large. */
	if (vb2_mont_ge(key, aaa)) {
		subM(key, aaa);
	}

	/* Convert to bigendian byte array */
	for (i = ARRSIZE3072B - 1; i >= 0; --i) {
		uint32_t tmp = aaa[i];
		*inout++ = (uint8_t)(tmp >> 24);
		*inout++ = (uint8_t)(tmp >> 16);
		*inout++ = (uint8_t)(tmp >>  8);
		*inout++ = (uint8_t)(tmp >>  0);
	}
}

int bdb_rsa3072b_verify(const uint8_t *key_data,
			const uint8_t *sig,
			const uint8_t *digest)
{
	const uint32_t *kdata32 = (const uint32_t *)key_data;
	struct public_key key;
	uint8_t sig_work[BDB_RSA3072B_SIG_SIZE];
	uint32_t pad_size;
	int rv;

	/* Unpack key */
	if (kdata32[0] != ARRSIZE3072B)
		return BDB_ERROR_DIGEST;  /* Wrong key size */

	key.arrsize = kdata32[0];
	key.n0inv = kdata32[1];
	key.n = kdata32 + 2;
	key.rr = kdata32 + 2 + key.arrsize;

	/* Copy signature to work buffer */
	memcpy(sig_work, sig, sizeof(sig_work));

	modpow3(&key, sig_work);

	/*
	 * Check padding.  Continue on to check the digest even if error to
	 * reduce the risk of timing based attacks.
	 */
	pad_size = key.arrsize * sizeof(uint32_t) - BDB_SHA256_DIGEST_SIZE;
	rv = vb2_check_padding(sig_work, &key, pad_size);

	/*
	 * Check digest.  Even though there are probably no timing issues here,
	 * use vb2_safe_memcmp() just to be on the safe side.  (That's also why
	 * we don't return before this check if the padding check failed.)
	 */
	if (vb2_safe_memcmp(sig_work + pad_size, digest,
			    BDB_SHA256_DIGEST_SIZE))
		rv = BDB_ERROR_DIGEST;

	return rv;
}