From: Heiko Stuebner Date: Fri, 22 May 2020 14:20:33 +0000 (+0200) Subject: lib: rsa: function to verify a signature against a hash X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=c89b41b4db4a746647c4f0e6d33c6f4edfe96e38;p=u-boot.git lib: rsa: function to verify a signature against a hash rsa_verify() expects a memory region and wants to do the hashing itself, but there may be cases where the hashing is done via other means, like hashing a squashfs rootfs. So add rsa_verify_hash() to allow verifiying a signature against an existing hash. As this entails the same verification routines we can just move the relevant code over from rsa_verify() and also call rsa_verify_hash() from there. Signed-off-by: Heiko Stuebner --- diff --git a/include/u-boot/rsa.h b/include/u-boot/rsa.h index 2d3024d8b7..a0bae495f0 100644 --- a/include/u-boot/rsa.h +++ b/include/u-boot/rsa.h @@ -82,6 +82,20 @@ static inline int rsa_add_verify_data(struct image_sign_info *info, #endif #if IMAGE_ENABLE_VERIFY +/** + * rsa_verify_hash() - Verify a signature against a hash + * + * Verify a RSA PKCS1.5 signature against an expected hash. + * + * @info: Specifies key and FIT information + * @hash: Hash according to algorithm specified in @info + * @sig: Signature + * @sig_len: Number of bytes in signature + * @return 0 if verified, -ve on error + */ +int rsa_verify_hash(struct image_sign_info *info, + const uint8_t *hash, uint8_t *sig, uint sig_len); + /** * rsa_verify() - Verify a signature against some data * @@ -108,6 +122,13 @@ int padding_pss_verify(struct image_sign_info *info, const uint8_t *hash, int hash_len); #endif /* CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT */ #else +static inline int rsa_verify_hash(struct image_sign_info *info, + const uint8_t *hash, + uint8_t *sig, uint sig_len) +{ + return -ENXIO; +} + static inline int rsa_verify(struct image_sign_info *info, const struct image_region region[], int region_count, uint8_t *sig, uint sig_len) diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 61d98e6e2d..6c4bbc4625 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -478,33 +478,11 @@ static int rsa_verify_with_keynode(struct image_sign_info *info, } #endif -int rsa_verify(struct image_sign_info *info, - const struct image_region region[], int region_count, - uint8_t *sig, uint sig_len) +int rsa_verify_hash(struct image_sign_info *info, + const uint8_t *hash, uint8_t *sig, uint sig_len) { - /* Reserve memory for maximum checksum-length */ - uint8_t hash[info->crypto->key_len]; int ret = -EACCES; - /* - * Verify that the checksum-length does not exceed the - * rsa-signature-length - */ - if (info->checksum->checksum_len > - info->crypto->key_len) { - debug("%s: invlaid checksum-algorithm %s for %s\n", - __func__, info->checksum->name, info->crypto->name); - return -EINVAL; - } - - /* Calculate checksum with checksum-algorithm */ - ret = info->checksum->calculate(info->checksum->name, - region, region_count, hash); - if (ret < 0) { - debug("%s: Error in checksum calculation\n", __func__); - return -EINVAL; - } - if (CONFIG_IS_ENABLED(RSA_VERIFY_WITH_PKEY) && !info->fdt_blob) { /* don't rely on fdt properties */ ret = rsa_verify_with_pkey(info, hash, sig, sig_len); @@ -555,3 +533,33 @@ int rsa_verify(struct image_sign_info *info, return ret; } + +int rsa_verify(struct image_sign_info *info, + const struct image_region region[], int region_count, + uint8_t *sig, uint sig_len) +{ + /* Reserve memory for maximum checksum-length */ + uint8_t hash[info->crypto->key_len]; + int ret = -EACCES; + + /* + * Verify that the checksum-length does not exceed the + * rsa-signature-length + */ + if (info->checksum->checksum_len > + info->crypto->key_len) { + debug("%s: invlaid checksum-algorithm %s for %s\n", + __func__, info->checksum->name, info->crypto->name); + return -EINVAL; + } + + /* Calculate checksum with checksum-algorithm */ + ret = info->checksum->calculate(info->checksum->name, + region, region_count, hash); + if (ret < 0) { + debug("%s: Error in checksum calculation\n", __func__); + return -EINVAL; + } + + return rsa_verify_hash(info, hash, sig, sig_len); +}