[thirdparty/u-boot.git] / lib / rsa / rsa-verify.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (c) 2013, Google Inc.
 */

#ifndef USE_HOSTCC
#include <common.h>
#include <fdtdec.h>
#include <asm/types.h>
#include <asm/byteorder.h>
#include <linux/errno.h>
#include <asm/types.h>
#include <asm/unaligned.h>
#include <dm.h>
#else
#include "fdt_host.h"
#include "mkimage.h"
#include <fdt_support.h>
#endif
#include <u-boot/rsa-mod-exp.h>
#include <u-boot/rsa.h>

/* Default public exponent for backward compatibility */
#define RSA_DEFAULT_PUBEXP	65537

/**
 * rsa_verify_padding() - Verify RSA message padding is valid
 *
 * Verify a RSA message's padding is consistent with PKCS1.5
 * padding as described in the RSA PKCS#1 v2.1 standard.
 *
 * @msg:	Padded message
 * @pad_len:	Number of expected padding bytes
 * @algo:	Checksum algo structure having information on DER encoding etc.
 * @return 0 on success, != 0 on failure
 */
static int rsa_verify_padding(const uint8_t *msg, const int pad_len,
			      struct checksum_algo *algo)
{
	int ff_len;
	int ret;

	/* first byte must be 0x00 */
	ret = *msg++;
	/* second byte must be 0x01 */
	ret |= *msg++ ^ 0x01;
	/* next ff_len bytes must be 0xff */
	ff_len = pad_len - algo->der_len - 3;
	ret |= *msg ^ 0xff;
	ret |= memcmp(msg, msg+1, ff_len-1);
	msg += ff_len;
	/* next byte must be 0x00 */
	ret |= *msg++;
	/* next der_len bytes must match der_prefix */
	ret |= memcmp(msg, algo->der_prefix, algo->der_len);

	return ret;
}

int padding_pkcs_15_verify(struct image_sign_info *info,
			   uint8_t *msg, int msg_len,
			   const uint8_t *hash, int hash_len)
{
	struct checksum_algo *checksum = info->checksum;
	int ret, pad_len = msg_len - checksum->checksum_len;

	/* Check pkcs1.5 padding bytes. */
	ret = rsa_verify_padding(msg, pad_len, checksum);
	if (ret) {
		debug("In RSAVerify(): Padding check failed!\n");
		return -EINVAL;
	}

	/* Check hash. */
	if (memcmp((uint8_t *)msg + pad_len, hash, msg_len - pad_len)) {
		debug("In RSAVerify(): Hash check failed!\n");
		return -EACCES;
	}

	return 0;
}

#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
static void u32_i2osp(uint32_t val, uint8_t *buf)
{
	buf[0] = (uint8_t)((val >> 24) & 0xff);
	buf[1] = (uint8_t)((val >> 16) & 0xff);
	buf[2] = (uint8_t)((val >>  8) & 0xff);
	buf[3] = (uint8_t)((val >>  0) & 0xff);
}

/**
 * mask_generation_function1() - generate an octet string
 *
 * Generate an octet string used to check rsa signature.
 * It use an input octet string and a hash function.
 *
 * @checksum:	A Hash function
 * @seed:	Specifies an input variable octet string
 * @seed_len:	Size of the input octet string
 * @output:	Specifies the output octet string
 * @output_len:	Size of the output octet string
 * @return 0 if the octet string was correctly generated, others on error
 */
static int mask_generation_function1(struct checksum_algo *checksum,
				     uint8_t *seed, int seed_len,
				     uint8_t *output, int output_len)
{
	struct image_region region[2];
	int ret = 0, i, i_output = 0, region_count = 2;
	uint32_t counter = 0;
	uint8_t buf_counter[4], *tmp;
	int hash_len = checksum->checksum_len;

	memset(output, 0, output_len);

	region[0].data = seed;
	region[0].size = seed_len;
	region[1].data = &buf_counter[0];
	region[1].size = 4;

	tmp = malloc(hash_len);
	if (!tmp) {
		debug("%s: can't allocate array tmp\n", __func__);
		ret = -ENOMEM;
		goto out;
	}

	while (i_output < output_len) {
		u32_i2osp(counter, &buf_counter[0]);

		ret = checksum->calculate(checksum->name,
					  region, region_count,
					  tmp);
		if (ret < 0) {
			debug("%s: Error in checksum calculation\n", __func__);
			goto out;
		}

		i = 0;
		while ((i_output < output_len) && (i < hash_len)) {
			output[i_output] = tmp[i];
			i_output++;
			i++;
		}

		counter++;
	}

out:
	free(tmp);

	return ret;
}

static int compute_hash_prime(struct checksum_algo *checksum,
			      uint8_t *pad, int pad_len,
			      uint8_t *hash, int hash_len,
			      uint8_t *salt, int salt_len,
			      uint8_t *hprime)
{
	struct image_region region[3];
	int ret, region_count = 3;

	region[0].data = pad;
	region[0].size = pad_len;
	region[1].data = hash;
	region[1].size = hash_len;
	region[2].data = salt;
	region[2].size = salt_len;

	ret = checksum->calculate(checksum->name, region, region_count, hprime);
	if (ret < 0) {
		debug("%s: Error in checksum calculation\n", __func__);
		goto out;
	}

out:
	return ret;
}

int padding_pss_verify(struct image_sign_info *info,
		       uint8_t *msg, int msg_len,
		       const uint8_t *hash, int hash_len)
{
	uint8_t *masked_db = NULL;
	int masked_db_len = msg_len - hash_len - 1;
	uint8_t *h = NULL, *hprime = NULL;
	int h_len = hash_len;
	uint8_t *db_mask = NULL;
	int db_mask_len = masked_db_len;
	uint8_t *db = NULL, *salt = NULL;
	int db_len = masked_db_len, salt_len = msg_len - hash_len - 2;
	uint8_t pad_zero[8] = { 0 };
	int ret, i, leftmost_bits = 1;
	uint8_t leftmost_mask;
	struct checksum_algo *checksum = info->checksum;

	/* first, allocate everything */
	masked_db = malloc(masked_db_len);
	h = malloc(h_len);
	db_mask = malloc(db_mask_len);
	db = malloc(db_len);
	salt = malloc(salt_len);
	hprime = malloc(hash_len);
	if (!masked_db || !h || !db_mask || !db || !salt || !hprime) {
		printf("%s: can't allocate some buffer\n", __func__);
		ret = -ENOMEM;
		goto out;
	}

	/* step 4: check if the last byte is 0xbc */
	if (msg[msg_len - 1] != 0xbc) {
		printf("%s: invalid pss padding (0xbc is missing)\n", __func__);
		ret = -EINVAL;
		goto out;
	}

	/* step 5 */
	memcpy(masked_db, msg, masked_db_len);
	memcpy(h, msg + masked_db_len, h_len);

	/* step 6 */
	leftmost_mask = (0xff >> (8 - leftmost_bits)) << (8 - leftmost_bits);
	if (masked_db[0] & leftmost_mask) {
		printf("%s: invalid pss padding ", __func__);
		printf("(leftmost bit of maskedDB not zero)\n");
		ret = -EINVAL;
		goto out;
	}

	/* step 7 */
	mask_generation_function1(checksum, h, h_len, db_mask, db_mask_len);

	/* step 8 */
	for (i = 0; i < db_len; i++)
		db[i] = masked_db[i] ^ db_mask[i];

	/* step 9 */
	db[0] &= 0xff >> leftmost_bits;

	/* step 10 */
	if (db[0] != 0x01) {
		printf("%s: invalid pss padding ", __func__);
		printf("(leftmost byte of db isn't 0x01)\n");
		ret = EINVAL;
		goto out;
	}

	/* step 11 */
	memcpy(salt, &db[1], salt_len);

	/* step 12 & 13 */
	compute_hash_prime(checksum, pad_zero, 8,
			   (uint8_t *)hash, hash_len,
			   salt, salt_len, hprime);

	/* step 14 */
	ret = memcmp(h, hprime, hash_len);

out:
	free(hprime);
	free(salt);
	free(db);
	free(db_mask);
	free(h);
	free(masked_db);

	return ret;
}
#endif

/**
 * rsa_verify_key() - Verify a signature against some data using RSA Key
 *
 * Verify a RSA PKCS1.5 signature against an expected hash using
 * the RSA Key properties in prop structure.
 *
 * @info:	Specifies key and FIT information
 * @prop:	Specifies key
 * @sig:	Signature
 * @sig_len:	Number of bytes in signature
 * @hash:	Pointer to the expected hash
 * @key_len:	Number of bytes in rsa key
 * @return 0 if verified, -ve on error
 */
static int rsa_verify_key(struct image_sign_info *info,
			  struct key_prop *prop, const uint8_t *sig,
			  const uint32_t sig_len, const uint8_t *hash,
			  const uint32_t key_len)
{
	int ret;
#if !defined(USE_HOSTCC)
	struct udevice *mod_exp_dev;
#endif
	struct checksum_algo *checksum = info->checksum;
	struct padding_algo *padding = info->padding;
	int hash_len;

	if (!prop || !sig || !hash || !checksum)
		return -EIO;

	if (sig_len != (prop->num_bits / 8)) {
		debug("Signature is of incorrect length %d\n", sig_len);
		return -EINVAL;
	}

	debug("Checksum algorithm: %s", checksum->name);

	/* Sanity check for stack size */
	if (sig_len > RSA_MAX_SIG_BITS / 8) {
		debug("Signature length %u exceeds maximum %d\n", sig_len,
		      RSA_MAX_SIG_BITS / 8);
		return -EINVAL;
	}

	uint8_t buf[sig_len];
	hash_len = checksum->checksum_len;

#if !defined(USE_HOSTCC)
	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
	if (ret) {
		printf("RSA: Can't find Modular Exp implementation\n");
		return -EINVAL;
	}

	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
#else
	ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
#endif
	if (ret) {
		debug("Error in Modular exponentation\n");
		return ret;
	}

	ret = padding->verify(info, buf, key_len, hash, hash_len);
	if (ret) {
		debug("In RSAVerify(): padding check failed!\n");
		return ret;
	}

	return 0;
}

/**
 * rsa_verify_with_keynode() - Verify a signature against some data using
 * information in node with prperties of RSA Key like modulus, exponent etc.
 *
 * Parse sign-node and fill a key_prop structure with properties of the
 * key.  Verify a RSA PKCS1.5 signature against an expected hash using
 * the properties parsed
 *
 * @info:	Specifies key and FIT information
 * @hash:	Pointer to the expected hash
 * @sig:	Signature
 * @sig_len:	Number of bytes in signature
 * @node:	Node having the RSA Key properties
 * @return 0 if verified, -ve on error
 */
static int rsa_verify_with_keynode(struct image_sign_info *info,
				   const void *hash, uint8_t *sig,
				   uint sig_len, int node)
{
	const void *blob = info->fdt_blob;
	struct key_prop prop;
	int length;
	int ret = 0;

	if (node < 0) {
		debug("%s: Skipping invalid node", __func__);
		return -EBADF;
	}

	prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0);

	prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);

	prop.public_exponent = fdt_getprop(blob, node, "rsa,exponent", &length);
	if (!prop.public_exponent || length < sizeof(uint64_t))
		prop.public_exponent = NULL;

	prop.exp_len = sizeof(uint64_t);

	prop.modulus = fdt_getprop(blob, node, "rsa,modulus", NULL);

	prop.rr = fdt_getprop(blob, node, "rsa,r-squared", NULL);

	if (!prop.num_bits || !prop.modulus) {
		debug("%s: Missing RSA key info", __func__);
		return -EFAULT;
	}

	ret = rsa_verify_key(info, &prop, sig, sig_len, hash,
			     info->crypto->key_len);

	return ret;
}

int rsa_verify(struct image_sign_info *info,
	       const struct image_region region[], int region_count,
	       uint8_t *sig, uint sig_len)
{
	const void *blob = info->fdt_blob;
	/* Reserve memory for maximum checksum-length */
	uint8_t hash[info->crypto->key_len];
	int ndepth, noffset;
	int sig_node, node;
	char name[100];
	int ret;

	/*
	 * Verify that the checksum-length does not exceed the
	 * rsa-signature-length
	 */
	if (info->checksum->checksum_len >
	    info->crypto->key_len) {
		debug("%s: invlaid checksum-algorithm %s for %s\n",
		      __func__, info->checksum->name, info->crypto->name);
		return -EINVAL;
	}

	sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
	if (sig_node < 0) {
		debug("%s: No signature node found\n", __func__);
		return -ENOENT;
	}

	/* Calculate checksum with checksum-algorithm */
	ret = info->checksum->calculate(info->checksum->name,
					region, region_count, hash);
	if (ret < 0) {
		debug("%s: Error in checksum calculation\n", __func__);
		return -EINVAL;
	}

	/* See if we must use a particular key */
	if (info->required_keynode != -1) {
		ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
			info->required_keynode);
		if (!ret)
			return ret;
	}

	/* Look for a key that matches our hint */
	snprintf(name, sizeof(name), "key-%s", info->keyname);
	node = fdt_subnode_offset(blob, sig_node, name);
	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
	if (!ret)
		return ret;

	/* No luck, so try each of the keys in turn */
	for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
			(noffset >= 0) && (ndepth > 0);
			noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
		if (ndepth == 1 && noffset != node) {
			ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
						      noffset);
			if (!ret)
				break;
		}
	}

	return ret;
}
Commit	Line	Data
83d290c5	1	// SPDX-License-Identifier: GPL-2.0+
19c402af SG	2	/*
19c402af SG	3	* Copyright (c) 2013, Google Inc.
19c402af SG	4	*/
19c402af SG	5
29a23f9d	6	#ifndef USE_HOSTCC
19c402af SG	7	#include <common.h>
19c402af SG	8	#include <fdtdec.h>
29a23f9d	9	#include <asm/types.h>
19c402af	10	#include <asm/byteorder.h>
1221ce45	11	#include <linux/errno.h>
29a23f9d	12	#include <asm/types.h>
19c402af	13	#include <asm/unaligned.h>
c937ff6d	14	#include <dm.h>
29a23f9d HS	15	#else
	16	#include "fdt_host.h"
	17	#include "mkimage.h"
	18	#include <fdt_support.h>
	19	#endif
fc2f4246	20	#include <u-boot/rsa-mod-exp.h>
2b9912e6	21	#include <u-boot/rsa.h>
29a23f9d	22
e0f2f155 MW	23	/* Default public exponent for backward compatibility */
	24	#define RSA_DEFAULT_PUBEXP 65537
	25
da29f299 AD	26	/**
	27	* rsa_verify_padding() - Verify RSA message padding is valid
	28	*
	29	* Verify a RSA message's padding is consistent with PKCS1.5
	30	* padding as described in the RSA PKCS#1 v2.1 standard.
	31	*
	32	* @msg: Padded message
	33	* @pad_len: Number of expected padding bytes
	34	* @algo: Checksum algo structure having information on DER encoding etc.
	35	* @return 0 on success, != 0 on failure
	36	*/
	37	static int rsa_verify_padding(const uint8_t *msg, const int pad_len,
	38	struct checksum_algo *algo)
	39	{
	40	int ff_len;
	41	int ret;
	42
	43	/* first byte must be 0x00 */
	44	ret = *msg++;
	45	/* second byte must be 0x01 */
	46	ret \|= *msg++ ^ 0x01;
	47	/* next ff_len bytes must be 0xff */
	48	ff_len = pad_len - algo->der_len - 3;
	49	ret \|= *msg ^ 0xff;
	50	ret \|= memcmp(msg, msg+1, ff_len-1);
	51	msg += ff_len;
	52	/* next byte must be 0x00 */
	53	ret \|= *msg++;
	54	/* next der_len bytes must match der_prefix */
	55	ret \|= memcmp(msg, algo->der_prefix, algo->der_len);
	56
	57	return ret;
	58	}
	59
20031567 PR	60	int padding_pkcs_15_verify(struct image_sign_info *info,
	61	uint8_t *msg, int msg_len,
	62	const uint8_t *hash, int hash_len)
	63	{
	64	struct checksum_algo *checksum = info->checksum;
	65	int ret, pad_len = msg_len - checksum->checksum_len;
	66
	67	/* Check pkcs1.5 padding bytes. */
	68	ret = rsa_verify_padding(msg, pad_len, checksum);
	69	if (ret) {
	70	debug("In RSAVerify(): Padding check failed!\n");
	71	return -EINVAL;
	72	}
	73
	74	/* Check hash. */
	75	if (memcmp((uint8_t *)msg + pad_len, hash, msg_len - pad_len)) {
	76	debug("In RSAVerify(): Hash check failed!\n");
	77	return -EACCES;
	78	}
	79
	80	return 0;
	81	}
	82
061daa0b PR	83	#ifdef CONFIG_FIT_ENABLE_RSASSA_PSS_SUPPORT
	84	static void u32_i2osp(uint32_t val, uint8_t *buf)
	85	{
	86	buf[0] = (uint8_t)((val >> 24) & 0xff);
	87	buf[1] = (uint8_t)((val >> 16) & 0xff);
	88	buf[2] = (uint8_t)((val >> 8) & 0xff);
	89	buf[3] = (uint8_t)((val >> 0) & 0xff);
	90	}
	91
	92	/**
	93	* mask_generation_function1() - generate an octet string
	94	*
	95	* Generate an octet string used to check rsa signature.
	96	* It use an input octet string and a hash function.
	97	*
	98	* @checksum: A Hash function
	99	* @seed: Specifies an input variable octet string
	100	* @seed_len: Size of the input octet string
	101	* @output: Specifies the output octet string
	102	* @output_len: Size of the output octet string
	103	* @return 0 if the octet string was correctly generated, others on error
	104	*/
	105	static int mask_generation_function1(struct checksum_algo *checksum,
	106	uint8_t *seed, int seed_len,
	107	uint8_t *output, int output_len)
	108	{
	109	struct image_region region[2];
	110	int ret = 0, i, i_output = 0, region_count = 2;
	111	uint32_t counter = 0;
	112	uint8_t buf_counter[4], *tmp;
	113	int hash_len = checksum->checksum_len;
	114
	115	memset(output, 0, output_len);
	116
	117	region[0].data = seed;
	118	region[0].size = seed_len;
	119	region[1].data = &buf_counter[0];
	120	region[1].size = 4;
	121
	122	tmp = malloc(hash_len);
	123	if (!tmp) {
	124	debug("%s: can't allocate array tmp\n", __func__);
	125	ret = -ENOMEM;
	126	goto out;
	127	}
	128
	129	while (i_output < output_len) {
	130	u32_i2osp(counter, &buf_counter[0]);
	131
	132	ret = checksum->calculate(checksum->name,
	133	region, region_count,
	134	tmp);
	135	if (ret < 0) {
	136	debug("%s: Error in checksum calculation\n", __func__);
	137	goto out;
	138	}
	139
	140	i = 0;
	141	while ((i_output < output_len) && (i < hash_len)) {
	142	output[i_output] = tmp[i];
	143	i_output++;
	144	i++;
	145	}
	146
147	counter++;
148	}
149
150	out:
151	free(tmp);
152
153	return ret;
154	}
155
156	static int compute_hash_prime(struct checksum_algo *checksum,
157	uint8_t *pad, int pad_len,
158	uint8_t *hash, int hash_len,
159	uint8_t *salt, int salt_len,
160	uint8_t *hprime)
161	{
162	struct image_region region[3];
163	int ret, region_count = 3;
164
165	region[0].data = pad;
166	region[0].size = pad_len;
167	region[1].data = hash;
168	region[1].size = hash_len;
169	region[2].data = salt;
170	region[2].size = salt_len;
171
172	ret = checksum->calculate(checksum->name, region, region_count, hprime);
173	if (ret < 0) {
174	debug("%s: Error in checksum calculation\n", __func__);
175	goto out;
176	}
177
178	out:
179	return ret;
180	}
181
182	int padding_pss_verify(struct image_sign_info *info,
183	uint8_t *msg, int msg_len,
184	const uint8_t *hash, int hash_len)
185	{
186	uint8_t *masked_db = NULL;
187	int masked_db_len = msg_len - hash_len - 1;
188	uint8_t h = NULL, hprime = NULL;
189	int h_len = hash_len;
190	uint8_t *db_mask = NULL;
191	int db_mask_len = masked_db_len;
192	uint8_t db = NULL, salt = NULL;
193	int db_len = masked_db_len, salt_len = msg_len - hash_len - 2;
194	uint8_t pad_zero[8] = { 0 };
195	int ret, i, leftmost_bits = 1;
196	uint8_t leftmost_mask;
197	struct checksum_algo *checksum = info->checksum;
198
199	/* first, allocate everything */
200	masked_db = malloc(masked_db_len);
201	h = malloc(h_len);
202	db_mask = malloc(db_mask_len);
203	db = malloc(db_len);
204	salt = malloc(salt_len);
205	hprime = malloc(hash_len);
206	if (!masked_db \|\| !h \|\| !db_mask \|\| !db \|\| !salt \|\| !hprime) {
207	printf("%s: can't allocate some buffer\n", __func__);
208	ret = -ENOMEM;
209	goto out;
210	}
211
212	/* step 4: check if the last byte is 0xbc */
213	if (msg[msg_len - 1] != 0xbc) {
214	printf("%s: invalid pss padding (0xbc is missing)\n", __func__);
215	ret = -EINVAL;
216	goto out;
217	}
218
219	/* step 5 */
220	memcpy(masked_db, msg, masked_db_len);
221	memcpy(h, msg + masked_db_len, h_len);
222
223	/* step 6 */
224	leftmost_mask = (0xff >> (8 - leftmost_bits)) << (8 - leftmost_bits);
225	if (masked_db[0] & leftmost_mask) {
226	printf("%s: invalid pss padding ", __func__);
227	printf("(leftmost bit of maskedDB not zero)\n");
228	ret = -EINVAL;
229	goto out;
230	}
231
232	/* step 7 */
233	mask_generation_function1(checksum, h, h_len, db_mask, db_mask_len);
234
235	/* step 8 */
236	for (i = 0; i < db_len; i++)
237	db[i] = masked_db[i] ^ db_mask[i];
238
239	/* step 9 */
240	db[0] &= 0xff >> leftmost_bits;
241
242	/* step 10 */
243	if (db[0] != 0x01) {
244	printf("%s: invalid pss padding ", __func__);
245	printf("(leftmost byte of db isn't 0x01)\n");
246	ret = EINVAL;
247	goto out;
248	}
249
250	/* step 11 */
251	memcpy(salt, &db[1], salt_len);
252
253	/* step 12 & 13 */
254	compute_hash_prime(checksum, pad_zero, 8,
255	(uint8_t *)hash, hash_len,
256	salt, salt_len, hprime);
257
258	/* step 14 */
259	ret = memcmp(h, hprime, hash_len);
260
261	out:
262	free(hprime);
263	free(salt);
264	free(db);
265	free(db_mask);
266	free(h);
267	free(masked_db);
268
269	return ret;
270	}
271	#endif
272
19c402af	273	/**
fc2f4246	274	* rsa_verify_key() - Verify a signature against some data using RSA Key
19c402af	275	*
fc2f4246 RG	276	* Verify a RSA PKCS1.5 signature against an expected hash using
fc2f4246 RG	277	* the RSA Key properties in prop structure.
19c402af	278	*
20031567	279	* @info: Specifies key and FIT information
fc2f4246 RG	280	* @prop: Specifies key
	281	* @sig: Signature
	282	* @sig_len: Number of bytes in signature
	283	* @hash: Pointer to the expected hash
0c1d74fd	284	* @key_len: Number of bytes in rsa key
fc2f4246	285	* @return 0 if verified, -ve on error
19c402af	286	*/
20031567 PR	287	static int rsa_verify_key(struct image_sign_info *info,
20031567 PR	288	struct key_prop prop, const uint8_t sig,
646257d1	289	const uint32_t sig_len, const uint8_t *hash,
20031567	290	const uint32_t key_len)
19c402af	291	{
19c402af	292	int ret;
c937ff6d RG	293	#if !defined(USE_HOSTCC)
	294	struct udevice *mod_exp_dev;
	295	#endif
20031567 PR	296	struct checksum_algo *checksum = info->checksum;
20031567 PR	297	struct padding_algo *padding = info->padding;
b02f2e79	298	int hash_len;
19c402af	299
20031567	300	if (!prop \|\| !sig \|\| !hash \|\| !checksum)
19c402af SG	301	return -EIO;
19c402af SG	302
fc2f4246	303	if (sig_len != (prop->num_bits / 8)) {
19c402af SG	304	debug("Signature is of incorrect length %d\n", sig_len);
	305	return -EINVAL;
	306	}
	307
20031567	308	debug("Checksum algorithm: %s", checksum->name);
646257d1	309
19c402af SG	310	/* Sanity check for stack size */
	311	if (sig_len > RSA_MAX_SIG_BITS / 8) {
	312	debug("Signature length %u exceeds maximum %d\n", sig_len,
	313	RSA_MAX_SIG_BITS / 8);
	314	return -EINVAL;
	315	}
	316
fc2f4246	317	uint8_t buf[sig_len];
b02f2e79	318	hash_len = checksum->checksum_len;
19c402af	319
c937ff6d RG	320	#if !defined(USE_HOSTCC)
	321	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
	322	if (ret) {
	323	printf("RSA: Can't find Modular Exp implementation\n");
	324	return -EINVAL;
	325	}
	326
	327	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
	328	#else
fc2f4246	329	ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
c937ff6d	330	#endif
fc2f4246 RG	331	if (ret) {
fc2f4246 RG	332	debug("Error in Modular exponentation\n");
19c402af	333	return ret;
fc2f4246	334	}
19c402af	335
20031567	336	ret = padding->verify(info, buf, key_len, hash, hash_len);
da29f299	337	if (ret) {
20031567 PR	338	debug("In RSAVerify(): padding check failed!\n");
20031567 PR	339	return ret;
19c402af SG	340	}
	341
	342	return 0;
	343	}
	344
fc2f4246 RG	345	/**
	346	* rsa_verify_with_keynode() - Verify a signature against some data using
	347	* information in node with prperties of RSA Key like modulus, exponent etc.
	348	*
	349	* Parse sign-node and fill a key_prop structure with properties of the
	350	* key. Verify a RSA PKCS1.5 signature against an expected hash using
	351	* the properties parsed
	352	*
	353	* @info: Specifies key and FIT information
	354	* @hash: Pointer to the expected hash
	355	* @sig: Signature
	356	* @sig_len: Number of bytes in signature
	357	* @node: Node having the RSA Key properties
	358	* @return 0 if verified, -ve on error
	359	*/
19c402af	360	static int rsa_verify_with_keynode(struct image_sign_info *info,
fc2f4246 RG	361	const void hash, uint8_t sig,
fc2f4246 RG	362	uint sig_len, int node)
19c402af SG	363	{
19c402af SG	364	const void *blob = info->fdt_blob;
fc2f4246	365	struct key_prop prop;
e0f2f155	366	int length;
fc2f4246	367	int ret = 0;
19c402af SG	368
	369	if (node < 0) {
	370	debug("%s: Skipping invalid node", __func__);
	371	return -EBADF;
	372	}
19c402af	373
fc2f4246	374	prop.num_bits = fdtdec_get_int(blob, node, "rsa,num-bits", 0);
19c402af	375
fc2f4246	376	prop.n0inv = fdtdec_get_int(blob, node, "rsa,n0-inverse", 0);
19c402af	377
fc2f4246 RG	378	prop.public_exponent = fdt_getprop(blob, node, "rsa,exponent", &length);
	379	if (!prop.public_exponent \|\| length < sizeof(uint64_t))
	380	prop.public_exponent = NULL;
	381
	382	prop.exp_len = sizeof(uint64_t);
	383
	384	prop.modulus = fdt_getprop(blob, node, "rsa,modulus", NULL);
	385
	386	prop.rr = fdt_getprop(blob, node, "rsa,r-squared", NULL);
	387
	388	if (!prop.num_bits \|\| !prop.modulus) {
	389	debug("%s: Missing RSA key info", __func__);
	390	return -EFAULT;
19c402af SG	391	}
19c402af SG	392
20031567 PR	393	ret = rsa_verify_key(info, &prop, sig, sig_len, hash,
20031567 PR	394	info->crypto->key_len);
fc2f4246 RG	395
fc2f4246 RG	396	return ret;
19c402af SG	397	}
	398
	399	int rsa_verify(struct image_sign_info *info,
	400	const struct image_region region[], int region_count,
	401	uint8_t *sig, uint sig_len)
	402	{
	403	const void *blob = info->fdt_blob;
646257d1	404	/* Reserve memory for maximum checksum-length */
83dd98e0	405	uint8_t hash[info->crypto->key_len];
19c402af SG	406	int ndepth, noffset;
	407	int sig_node, node;
	408	char name[100];
646257d1 HS	409	int ret;
	410
	411	/*
	412	* Verify that the checksum-length does not exceed the
	413	* rsa-signature-length
	414	*/
83dd98e0 AD	415	if (info->checksum->checksum_len >
83dd98e0 AD	416	info->crypto->key_len) {
db1b5f3d	417	debug("%s: invlaid checksum-algorithm %s for %s\n",
83dd98e0	418	__func__, info->checksum->name, info->crypto->name);
646257d1 HS	419	return -EINVAL;
646257d1 HS	420	}
19c402af SG	421
	422	sig_node = fdt_subnode_offset(blob, 0, FIT_SIG_NODENAME);
	423	if (sig_node < 0) {
	424	debug("%s: No signature node found\n", __func__);
	425	return -ENOENT;
	426	}
	427
646257d1	428	/* Calculate checksum with checksum-algorithm */
83dd98e0	429	ret = info->checksum->calculate(info->checksum->name,
b37b46f0 RG	430	region, region_count, hash);
	431	if (ret < 0) {
	432	debug("%s: Error in checksum calculation\n", __func__);
	433	return -EINVAL;
	434	}
19c402af SG	435
	436	/* See if we must use a particular key */
	437	if (info->required_keynode != -1) {
	438	ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
	439	info->required_keynode);
	440	if (!ret)
	441	return ret;
	442	}
	443
	444	/* Look for a key that matches our hint */
	445	snprintf(name, sizeof(name), "key-%s", info->keyname);
	446	node = fdt_subnode_offset(blob, sig_node, name);
	447	ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
	448	if (!ret)
	449	return ret;
	450
	451	/* No luck, so try each of the keys in turn */
	452	for (ndepth = 0, noffset = fdt_next_node(info->fit, sig_node, &ndepth);
	453	(noffset >= 0) && (ndepth > 0);
	454	noffset = fdt_next_node(info->fit, noffset, &ndepth)) {
	455	if (ndepth == 1 && noffset != node) {
	456	ret = rsa_verify_with_keynode(info, hash, sig, sig_len,
	457	noffset);
	458	if (!ret)
	459	break;
	460	}
	461	}
	462
	463	return ret;
	464	}