u-boot/lib/ecdsa/ecdsa-libcrypto.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * ECDSA image signing implementation using libcrypto backend
 *
 * The signature is a binary representation of the (R, S) points, padded to the
 * key size. The signature will be (2 * key_size_bits) / 8 bytes.
 *
 * Deviations from behavior of RSA equivalent:
 *  - Verification uses private key. This is not technically required, but a
 *    limitation on how clumsy the openssl API is to use.
 *  - Handling of keys and key paths:
 *    - The '-K' key directory option must contain path to the key file,
 *      instead of the key directory.
 *    - No assumptions are made about the file extension of the key
 *    - The 'key-name-hint' property is only used for naming devicetree nodes,
 *      but is not used for looking up keys on the filesystem.
 *
 * Copyright (c) 2020,2021, Alexandru Gagniuc <mr.nuke.me@gmail.com>
 */

#include <u-boot/ecdsa.h>
#include <u-boot/fdt-libcrypto.h>
#include <openssl/ssl.h>
#include <openssl/ec.h>
#include <openssl/bn.h>

/* Image signing context for openssl-libcrypto */
struct signer {
	EVP_PKEY *evp_key;	/* Pointer to EVP_PKEY object */
	EC_KEY *ecdsa_key;	/* Pointer to EC_KEY object */
	void *hash;		/* Pointer to hash used for verification */
	void *signature;	/* Pointer to output signature. Do not free()!*/
};

static int alloc_ctx(struct signer *ctx, const struct image_sign_info *info)
{
	memset(ctx, 0, sizeof(*ctx));

	if (!OPENSSL_init_ssl(0, NULL)) {
		fprintf(stderr, "Failure to init SSL library\n");
		return -1;
	}

	ctx->hash = malloc(info->checksum->checksum_len);
	ctx->signature = malloc(info->crypto->key_len * 2);

	if (!ctx->hash || !ctx->signature)
		return -ENOMEM;

	return 0;
}

static void free_ctx(struct signer *ctx)
{
	if (ctx->ecdsa_key)
		EC_KEY_free(ctx->ecdsa_key);

	if (ctx->evp_key)
		EVP_PKEY_free(ctx->evp_key);

	if (ctx->hash)
		free(ctx->hash);
}

/*
 * Convert an ECDSA signature to raw format
 *
 * openssl DER-encodes 'binary' signatures. We want the signature in a raw
 * (R, S) point pair. So we have to dance a bit.
 */
static void ecdsa_sig_encode_raw(void *buf, const ECDSA_SIG *sig, size_t order)
{
	int point_bytes = order;
	const BIGNUM *r, *s;
	uintptr_t s_buf;

	ECDSA_SIG_get0(sig, &r, &s);
	s_buf = (uintptr_t)buf + point_bytes;
	BN_bn2binpad(r, buf, point_bytes);
	BN_bn2binpad(s, (void *)s_buf, point_bytes);
}

/* Get a signature from a raw encoding */
static ECDSA_SIG *ecdsa_sig_from_raw(void *buf, size_t order)
{
	int point_bytes = order;
	uintptr_t s_buf;
	ECDSA_SIG *sig;
	BIGNUM *r, *s;

	sig = ECDSA_SIG_new();
	if (!sig)
		return NULL;

	s_buf = (uintptr_t)buf + point_bytes;
	r = BN_bin2bn(buf, point_bytes, NULL);
	s = BN_bin2bn((void *)s_buf, point_bytes, NULL);
	ECDSA_SIG_set0(sig, r, s);

	return sig;
}

/* ECDSA key size in bytes */
static size_t ecdsa_key_size_bytes(const EC_KEY *key)
{
	const EC_GROUP *group;

	group = EC_KEY_get0_group(key);
	return EC_GROUP_order_bits(group) / 8;
}

static int read_key(struct signer *ctx, const char *key_name)
{
	FILE *f = fopen(key_name, "r");

	if (!f) {
		fprintf(stderr, "Can not get key file '%s'\n", key_name);
		return -ENOENT;
	}

	ctx->evp_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
	fclose(f);
	if (!ctx->evp_key) {
		fprintf(stderr, "Can not read key from '%s'\n", key_name);
		return -EIO;
	}

	if (EVP_PKEY_id(ctx->evp_key) != EVP_PKEY_EC) {
		fprintf(stderr, "'%s' is not an ECDSA key\n", key_name);
		return -EINVAL;
	}

	ctx->ecdsa_key = EVP_PKEY_get1_EC_KEY(ctx->evp_key);
	if (!ctx->ecdsa_key)
		fprintf(stderr, "Can not extract ECDSA key\n");

	return (ctx->ecdsa_key) ? 0 : -EINVAL;
}

/* Prepare a 'signer' context that's ready to sign and verify. */
static int prepare_ctx(struct signer *ctx, const struct image_sign_info *info)
{
	int key_len_bytes, ret;
	char kname[1024];

	memset(ctx, 0, sizeof(*ctx));

	if (info->keyfile) {
		snprintf(kname,  sizeof(kname), "%s", info->keyfile);
	} else if (info->keydir && info->keyname) {
		snprintf(kname, sizeof(kname), "%s/%s.pem", info->keydir,
			 info->keyname);
	} else {
		fprintf(stderr, "keyfile, keyname, or key-name-hint missing\n");
		return -EINVAL;
	}

	ret = alloc_ctx(ctx, info);
	if (ret)
		return ret;

	ret = read_key(ctx, kname);
	if (ret)
		return ret;

	key_len_bytes = ecdsa_key_size_bytes(ctx->ecdsa_key);
	if (key_len_bytes != info->crypto->key_len) {
		fprintf(stderr, "Expected a %u-bit key, got %u-bit key\n",
			info->crypto->key_len * 8, key_len_bytes * 8);
		return -EINVAL;
	}

	return 0;
}

static int do_sign(struct signer *ctx, struct image_sign_info *info,
		   const struct image_region region[], int region_count)
{
	const struct checksum_algo *algo = info->checksum;
	ECDSA_SIG *sig;

	algo->calculate(algo->name, region, region_count, ctx->hash);
	sig = ECDSA_do_sign(ctx->hash, algo->checksum_len, ctx->ecdsa_key);

	ecdsa_sig_encode_raw(ctx->signature, sig, info->crypto->key_len);

	return 0;
}

static int ecdsa_check_signature(struct signer *ctx, struct image_sign_info *info)
{
	ECDSA_SIG *sig;
	int okay;

	sig = ecdsa_sig_from_raw(ctx->signature, info->crypto->key_len);
	if (!sig)
		return -ENOMEM;

	okay = ECDSA_do_verify(ctx->hash, info->checksum->checksum_len,
			       sig, ctx->ecdsa_key);
	if (!okay)
		fprintf(stderr, "WARNING: Signature is fake news!\n");

	ECDSA_SIG_free(sig);
	return !okay;
}

static int do_verify(struct signer *ctx, struct image_sign_info *info,
		     const struct image_region region[], int region_count,
		     uint8_t *raw_sig, uint sig_len)
{
	const struct checksum_algo *algo = info->checksum;

	if (sig_len != info->crypto->key_len * 2) {
		fprintf(stderr, "Signature has wrong length\n");
		return -EINVAL;
	}

	memcpy(ctx->signature, raw_sig, sig_len);
	algo->calculate(algo->name, region, region_count, ctx->hash);

	return ecdsa_check_signature(ctx, info);
}

int ecdsa_sign(struct image_sign_info *info, const struct image_region region[],
	       int region_count, uint8_t **sigp, uint *sig_len)
{
	struct signer ctx;
	int ret;

	ret = prepare_ctx(&ctx, info);
	if (ret >= 0) {
		do_sign(&ctx, info, region, region_count);
		*sigp = ctx.signature;
		*sig_len = info->crypto->key_len * 2;

		ret = ecdsa_check_signature(&ctx, info);
	}

	free_ctx(&ctx);
	return ret;
}

int ecdsa_verify(struct image_sign_info *info,
		 const struct image_region region[], int region_count,
		 uint8_t *sig, uint sig_len)
{
	struct signer ctx;
	int ret;

	ret = prepare_ctx(&ctx, info);
	if (ret >= 0)
		ret = do_verify(&ctx, info, region, region_count, sig, sig_len);

	free_ctx(&ctx);
	return ret;
}

static int do_add(struct signer *ctx, void *fdt, const char *key_node_name)
{
	int signature_node, key_node, ret, key_bits;
	const char *curve_name;
	const EC_GROUP *group;
	const EC_POINT *point;
	BIGNUM *x, *y;

	signature_node = fdt_subnode_offset(fdt, 0, FIT_SIG_NODENAME);
	if (signature_node < 0) {
		fprintf(stderr, "Could not find 'signature node: %s\n",
			fdt_strerror(signature_node));
		return signature_node;
	}

	key_node = fdt_add_subnode(fdt, signature_node, key_node_name);
	if (key_node < 0) {
		fprintf(stderr, "Could not create '%s' node: %s\n",
			key_node_name, fdt_strerror(key_node));
		return key_node;
	}

	group = EC_KEY_get0_group(ctx->ecdsa_key);
	key_bits = EC_GROUP_order_bits(group);
	curve_name = OBJ_nid2sn(EC_GROUP_get_curve_name(group));
	/* Let 'x' and 'y' memory leak by not BN_free()'ing them. */
	x = BN_new();
	y = BN_new();
	point = EC_KEY_get0_public_key(ctx->ecdsa_key);
	EC_POINT_get_affine_coordinates(group, point, x, y, NULL);

	ret = fdt_setprop_string(fdt, key_node, "ecdsa,curve", curve_name);
	if (ret < 0)
		return ret;

	ret = fdt_add_bignum(fdt, key_node, "ecdsa,x-point", x, key_bits);
	if (ret < 0)
		return ret;

	ret = fdt_add_bignum(fdt, key_node, "ecdsa,y-point", y, key_bits);
	if (ret < 0)
		return ret;

	return 0;
}

int ecdsa_add_verify_data(struct image_sign_info *info, void *fdt)
{
	const char *fdt_key_name;
	struct signer ctx;
	int ret;

	fdt_key_name = info->keyname ? info->keyname : "default-key";
	ret = prepare_ctx(&ctx, info);
	if (ret >= 0)
		do_add(&ctx, fdt, fdt_key_name);

	free_ctx(&ctx);
	return ret;
}