diff --git a/makerom/makefile b/makerom/makefile index a20387c..de32f58 100644 --- a/makerom/makefile +++ b/makerom/makefile @@ -24,8 +24,8 @@ ifeq ($(ROOT_PROJECT_NAME),) endif # Project Dependencies -PROJECT_DEPEND = mbedtls polarssl blz yaml -PROJECT_DEPEND_LOCAL_DIR = libmbedtls libpolarssl libblz libyaml +PROJECT_DEPEND = mbedtls blz yaml +PROJECT_DEPEND_LOCAL_DIR = libmbedtls libblz libyaml # Generate compiler flags for including project include path ifneq ($(PROJECT_INCLUDE_PATH),) diff --git a/makerom/src/crypto.c b/makerom/src/crypto.c index f9e0fc1..3eeb15e 100644 --- a/makerom/src/crypto.c +++ b/makerom/src/crypto.c @@ -1,15 +1,16 @@ #include "lib.h" #include "crypto.h" -#include - #include #include +#include +#include +#include #include #include -const u8 RSA_PUB_EXP[0x3] = {0x01,0x00,0x01}; -const int HASH_MAX_LEN = 0x20; +static const u8 RSA_PUB_EXP[0x3] = {0x01,0x00,0x01}; +static const int HASH_MAX_LEN = 0x20; bool VerifySha256(void *data, u64 size, u8 hash[32]) { @@ -65,13 +66,13 @@ void AesCbcCrypt(u8 *key, u8 *iv, u8 *input, u8 *output, u64 length, u8 mode) } } -bool RsaKeyInit(rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 rsa_type) +bool RsaKeyInit(mbedtls_rsa_context* ctx, const u8 *modulus, const u8 *private_exp, const u8 *public_exp, u8 rsa_type) { // Sanity Check if(!ctx) return false; - rsa_init(ctx, RSA_PKCS_V15, 0); + mbedtls_rsa_init( ctx, MBEDTLS_RSA_PKCS_V15, 0 ); u16 n_size = 0; u16 d_size = 0; @@ -92,18 +93,20 @@ bool RsaKeyInit(rsa_context* ctx, u8 *modulus, u8 *private_exp, u8 *exponent, u8 break; default: return false; } + + int ret = mbedtls_rsa_import_raw(ctx, \ + modulus ? modulus : NULL, modulus ? n_size : 0, \ + NULL, 0, \ + NULL, 0, \ + private_exp ? private_exp : NULL, private_exp ? d_size : 0, \ + public_exp ? public_exp : NULL, public_exp ? e_size : 0); - if (modulus && mpi_read_binary(&ctx->N, modulus, n_size)) + if (ret != 0) goto clean; - if (exponent && mpi_read_binary(&ctx->E, exponent, e_size)) - goto clean; - if (private_exp && mpi_read_binary(&ctx->D, private_exp, d_size)) - goto clean; - return true; clean: - rsa_free(ctx); + mbedtls_rsa_free(ctx); return false; } @@ -135,19 +138,6 @@ u32 GetSigHashType(u32 sig_type) return 0; } -int GetRsaHashType(u32 sig_type) -{ - switch(sig_type){ - case RSA_4096_SHA1: - case RSA_2048_SHA1: - return SIG_RSA_SHA1; - case RSA_4096_SHA256: - case RSA_2048_SHA256: - return SIG_RSA_SHA256; - } - return 0; -} - u32 GetSigHashLen(u32 sig_type) { switch(sig_type){ @@ -163,6 +153,28 @@ u32 GetSigHashLen(u32 sig_type) return 0; } +mbedtls_md_type_t getMdWrappedHashType(u32 sig_type) +{ + mbedtls_md_type_t md_type = MBEDTLS_MD_NONE; + + switch(sig_type){ + case RSA_4096_SHA1: + case RSA_2048_SHA1: + case ECC_SHA1: + md_type = MBEDTLS_MD_SHA1; + break; + case RSA_4096_SHA256: + case RSA_2048_SHA256: + case ECC_SHA256: + md_type = MBEDTLS_MD_SHA256; + break; + default: + break; + } + + return md_type; +} + bool CalcHashForSign(void *data, u64 len, u8 *hash, u32 sig_type) { if(GetSigHashType(sig_type) == 0) @@ -176,20 +188,46 @@ bool CalcHashForSign(void *data, u64 len, u8 *hash, u32 sig_type) int RsaSignVerify(void *data, u64 len, u8 *sign, u8 *mod, u8 *priv_exp, u32 sig_type, u8 rsa_mode) { int rsa_result = 0; - rsa_context ctx; + mbedtls_rsa_context ctx; u8 hash[HASH_MAX_LEN]; - if(!RsaKeyInit(&ctx, mod, priv_exp, (u8*)RSA_PUB_EXP, GetRsaType(sig_type))) + if(!RsaKeyInit(&ctx, mod, priv_exp, RSA_PUB_EXP, GetRsaType(sig_type))) return -1; if(!CalcHashForSign(data, len, hash, sig_type)) return -1; if(rsa_mode == CTR_RSA_VERIFY) - rsa_result = rsa_pkcs1_verify(&ctx, RSA_PUBLIC, GetRsaHashType(sig_type), 0, hash, sign); + { + //rsa_result = rsa_pkcs1_verify(&ctx, RSA_PUBLIC, GetRsaHashType(sig_type), 0, hash, sign); + rsa_result = mbedtls_rsa_rsassa_pkcs1_v15_verify(&ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, getMdWrappedHashType(sig_type), GetSigHashLen(sig_type), hash, sign); + } else // CTR_RSA_SIGN - rsa_result = rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign); + { + // mbedtls API requires we init their PRBG before signing, but it isn't strictly required for the specific signture type we are generating + + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + + mbedtls_entropy_init( &entropy ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + + // init PRBG + const char* pers = "RsaSignVerify"; + rsa_result = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const uint8_t*)pers, strlen(pers)); + + // if initing the PRBG succeeded we can sign + if (rsa_result == 0) + { + //rsa_result = rsa_rsassa_pkcs1_v15_sign(&ctx, RSA_PRIVATE, GetRsaHashType(sig_type), 0, hash, sign); + rsa_result = mbedtls_rsa_rsassa_pkcs1_v15_sign(&ctx, mbedtls_ctr_drbg_random, &ctr_drbg, MBEDTLS_RSA_PRIVATE, getMdWrappedHashType(sig_type), GetSigHashLen(sig_type), hash, sign); + } + + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_entropy_free( &entropy ); + } + - rsa_free(&ctx); + mbedtls_rsa_free(&ctx); return rsa_result; } \ No newline at end of file diff --git a/makerom/src/utils.c b/makerom/src/utils.c index 7c85dad..0f640b5 100644 --- a/makerom/src/utils.c +++ b/makerom/src/utils.c @@ -1,5 +1,5 @@ #include "lib.h" -#include +#include #define IO_BLOCKSIZE 5*MB @@ -110,10 +110,10 @@ bool IsValidB64Char(char chr) return (isalnum(chr) || chr == '+' || chr == '/' || chr == '='); } -u32 b64_strlen(char *str) +size_t b64_strlen(const char *str) { - u32 count = 0; - u32 i = 0; + size_t count = 0; + size_t i = 0; while(str[i] != 0x0){ if(IsValidB64Char(str[i])) { //printf("Is Valid: %c\n",str[i]); @@ -125,11 +125,11 @@ u32 b64_strlen(char *str) return count; } -void b64_strcpy(char *dst, char *src) +void b64_strcpy(char *dst, const char *src) { - u32 src_len = strlen(src); - u32 j = 0; - for(u32 i = 0; i < src_len; i++){ + size_t src_len = strlen(src); + size_t j = 0; + for(size_t i = 0; i < src_len; i++){ if(IsValidB64Char(src[i])){ dst[j] = src[i]; j++; @@ -141,15 +141,15 @@ void b64_strcpy(char *dst, char *src) //memdump(stdout,"dst: ",(u8*)dst,j+1); } -int b64_decode(u8 *dst, char *src, u32 dst_size) +int b64_decode(u8 *dst, const char *src, size_t dst_size) { int ret; - u32 size = dst_size; + size_t size = dst_size; - ret = base64_decode(dst,(size_t*)&size,(const u8*)src,strlen(src)); + ret = mbedtls_base64_decode(dst, size, &size, (const u8*)src, strlen(src)); if(size != dst_size) - ret = POLARSSL_ERR_BASE64_BUFFER_TOO_SMALL; + ret = MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL; return ret; } diff --git a/makerom/src/utils.h b/makerom/src/utils.h index dc8e27c..8373a24 100644 --- a/makerom/src/utils.h +++ b/makerom/src/utils.h @@ -23,9 +23,9 @@ char* replace_filextention(const char *input, const char *extention); // Base64 bool IsValidB64Char(char chr); -u32 b64_strlen(char *str); -void b64_strcpy(char *dst, char *src); -int b64_decode(u8 *dst, char *src, u32 dst_size); +size_t b64_strlen(const char *str); +void b64_strcpy(char *dst, const char *src); +int b64_decode(u8 *dst, const char *src, size_t dst_size); // Pseudo-Random Number Generator void initRand(void);