Switch fs_mgr and adb to libcrypto_utils.
Update code and dependencies to use BoringSSL + libcrypto_utils
instead of mincrypt.
Change-Id: Ic75164bd50c84b81b6310e27a67d4b3c174984f9
diff --git a/fs_mgr/Android.mk b/fs_mgr/Android.mk
index 28fff3f..d0d5630 100644
--- a/fs_mgr/Android.mk
+++ b/fs_mgr/Android.mk
@@ -7,7 +7,7 @@
libfec \
libfec_rs \
libbase \
- libmincrypt \
+ libcrypto_utils_static \
libcrypto_static \
libext4_utils_static \
libsquashfs_utils
diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index 02aff55..4b1e016 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -14,35 +14,32 @@
* limitations under the License.
*/
+#include <ctype.h>
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <ctype.h>
#include <sys/mount.h>
#include <sys/stat.h>
-#include <errno.h>
+#include <sys/swap.h>
#include <sys/types.h>
#include <sys/wait.h>
-#include <libgen.h>
#include <time.h>
-#include <sys/swap.h>
-#include <dirent.h>
-#include <ext4.h>
-#include <ext4_sb.h>
-#include <ext4_crypt_init_extensions.h>
+#include <unistd.h>
-#include <linux/loop.h>
-#include <private/android_filesystem_config.h>
+#include <ext4.h>
+#include <ext4_crypt_init_extensions.h>
+#include <ext4_sb.h>
+
#include <cutils/android_reboot.h>
#include <cutils/partition_utils.h>
#include <cutils/properties.h>
+#include <linux/loop.h>
#include <logwrap/logwrap.h>
-
-#include "mincrypt/rsa.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
+#include <private/android_filesystem_config.h>
#include "ext4_utils.h"
#include "wipe.h"
diff --git a/fs_mgr/fs_mgr_verity.cpp b/fs_mgr/fs_mgr_verity.cpp
index b5141c9..129a5bb 100644
--- a/fs_mgr/fs_mgr_verity.cpp
+++ b/fs_mgr/fs_mgr_verity.cpp
@@ -14,29 +14,29 @@
* limitations under the License.
*/
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
#include <inttypes.h>
+#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <ctype.h>
#include <sys/mount.h>
#include <sys/stat.h>
-#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
-#include <libgen.h>
#include <time.h>
+#include <unistd.h>
#include <android-base/file.h>
-#include <private/android_filesystem_config.h>
+#include <crypto_utils/android_pubkey.h>
#include <cutils/properties.h>
#include <logwrap/logwrap.h>
-
-#include "mincrypt/rsa.h"
-#include "mincrypt/sha.h"
-#include "mincrypt/sha256.h"
+#include <openssl/obj_mac.h>
+#include <openssl/rsa.h>
+#include <openssl/sha.h>
+#include <private/android_filesystem_config.h>
#include "fec/io.h"
@@ -83,48 +83,45 @@
extern struct fs_info info;
-static RSAPublicKey *load_key(const char *path)
+static RSA *load_key(const char *path)
{
- RSAPublicKey* key = static_cast<RSAPublicKey*>(malloc(sizeof(RSAPublicKey)));
- if (!key) {
- ERROR("Can't malloc key\n");
- return NULL;
- }
+ uint8_t key_data[ANDROID_PUBKEY_ENCODED_SIZE];
FILE* f = fopen(path, "r");
if (!f) {
ERROR("Can't open '%s'\n", path);
- free(key);
+ free(key_data);
return NULL;
}
- if (!fread(key, sizeof(*key), 1, f)) {
+ if (!fread(key_data, sizeof(key_data), 1, f)) {
ERROR("Could not read key!\n");
fclose(f);
- free(key);
- return NULL;
- }
-
- if (key->len != RSANUMWORDS) {
- ERROR("Invalid key length %d\n", key->len);
- fclose(f);
- free(key);
+ free(key_data);
return NULL;
}
fclose(f);
+
+ RSA* key = NULL;
+ if (!android_pubkey_decode(key_data, sizeof(key_data), &key)) {
+ ERROR("Could not parse key!\n");
+ free(key_data);
+ return NULL;
+ }
+
return key;
}
-static int verify_table(const uint8_t *signature, const char *table,
- uint32_t table_length)
+static int verify_table(const uint8_t *signature, size_t signature_size,
+ const char *table, uint32_t table_length)
{
- RSAPublicKey *key;
- uint8_t hash_buf[SHA256_DIGEST_SIZE];
+ RSA *key;
+ uint8_t hash_buf[SHA256_DIGEST_LENGTH];
int retval = -1;
// Hash the table
- SHA256_hash((uint8_t*)table, table_length, hash_buf);
+ SHA256((uint8_t*)table, table_length, hash_buf);
// Now get the public key from the keyfile
key = load_key(VERITY_TABLE_RSA_KEY);
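Review bot: The three error paths in the new load_key call `free(key_data)` (after the failed fopen, the failed fread, and the failed android_pubkey_decode), but `key_data` is now the stack array `uint8_t key_data[ANDROID_PUBKEY_ENCODED_SIZE];`. Passing a non-heap pointer to free() is undefined behaviour, and it is reached on exactly the paths that handle a missing, short or malformed verity key file, so a bad key file could turn into allocator corruption or an abort instead of a clean `return NULL`. All three `free(key_data);` lines should be deleted, since the buffer needs no cleanup. I would also add a short comment on load_key stating that the returned `RSA*` is owned by the caller and must be released with `RSA_free`. The body of verify_table continues outside this hunk.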
@@ -134,11 +131,8 @@
}
// verify the result
- if (!RSA_verify(key,
- signature,
- RSANUMBYTES,
- (uint8_t*) hash_buf,
- SHA256_DIGEST_SIZE)) {
+ if (!RSA_verify(NID_sha256, hash_buf, sizeof(hash_buf), signature,
+ signature_size, key)) {
ERROR("Couldn't verify table\n");
goto out;
}
@@ -146,7 +140,7 @@
retval = 0;
out:
- free(key);
+ RSA_free(key);
return retval;
}
@@ -610,8 +604,8 @@
off64_t offset = 0;
struct fec_handle *f = NULL;
struct fec_verity_metadata verity;
- uint8_t curr[SHA256_DIGEST_SIZE];
- uint8_t prev[SHA256_DIGEST_SIZE];
+ uint8_t curr[SHA256_DIGEST_LENGTH];
+ uint8_t prev[SHA256_DIGEST_LENGTH];
*match = 1;
@@ -629,7 +623,7 @@
goto out;
}
- SHA256_hash(verity.signature, RSANUMBYTES, curr);
+ SHA256(verity.signature, sizeof(verity.signature), curr);
if (snprintf(tag, sizeof(tag), VERITY_LASTSIG_TAG "_%s",
basename(fstab->mount_point)) >= (int)sizeof(tag)) {
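Review bot: `sizeof(verity.signature)` in the new SHA256 call equals the old `RSANUMBYTES` only if `signature` is a fixed-size array member of `struct fec_verity_metadata`, and that declaration is not visible in this diff (presumably it lives in fec/io.h). If the field were a pointer, or were ever changed to one, the hash would silently cover only pointer-size bytes. The same expression is passed as `signature_size` to verify_table in the @@ -919 hunk, where it would hand RSA_verify the wrong length. A compile-time guard next to the use would pin the assumption, for example `static_assert(sizeof(verity.signature) == ANDROID_PUBKEY_MODULUS_SIZE, "unexpected verity signature size");`. The enclosing function starts and ends outside this hunk.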
@@ -637,7 +631,7 @@
goto out;
}
- if (metadata_find(fstab->verity_loc, tag, SHA256_DIGEST_SIZE,
+ if (metadata_find(fstab->verity_loc, tag, SHA256_DIGEST_LENGTH,
&offset) < 0) {
goto out;
}
@@ -656,7 +650,7 @@
goto out;
}
- *match = !memcmp(curr, prev, SHA256_DIGEST_SIZE);
+ *match = !memcmp(curr, prev, SHA256_DIGEST_LENGTH);
if (!*match) {
/* update current signature hash */
@@ -919,7 +913,7 @@
}
// verify the signature on the table
- if (verify_table(verity.signature, verity.table,
+ if (verify_table(verity.signature, sizeof(verity.signature), verity.table,
verity.table_length) < 0) {
if (params.mode == VERITY_MODE_LOGGING) {
// the user has been warned, allow mounting without dm-verity