Import gcrypt public-key cryptography and implement signature checking.

2013-01-11 21:32:42 +01:00 · 2013-01-11 21:32:42 +01:00 · 5e3b8dcbb5
commit 5e3b8dcbb5
parent 535714bdcf
238 changed files with 40500 additions and 417 deletions
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@ -64,11 +64,13 @@ typedef enum
    GPG_ERR_WEAK_KEY,
    GPG_ERR_WRONG_KEY_USAGE,
    GPG_ERR_WRONG_PUBKEY_ALGO,
-    GPG_ERR_OUT_OF_MEMORY
+    GPG_ERR_OUT_OF_MEMORY,
+    GPG_ERR_TOO_LARGE
  } gcry_err_code_t;
 #define gpg_err_code_t gcry_err_code_t
 #define gpg_error_t gcry_err_code_t
-
+#define gcry_error_t gcry_err_code_t
+#if 0
 enum gcry_cipher_modes 
  {
    GCRY_CIPHER_MODE_NONE   = 0,  /* Not yet specified. */
@ -79,6 +81,7 @@ enum gcry_cipher_modes
    GCRY_CIPHER_MODE_OFB    = 5,  /* Outer feedback. */
    GCRY_CIPHER_MODE_CTR    = 6   /* Counter. */
  };
+#endif

 /* Type for the cipher_setkey function.  */
 typedef gcry_err_code_t (*gcry_cipher_setkey_t) (void *c,
@ -171,6 +174,73 @@ typedef struct gcry_md_spec
  struct gcry_md_spec *next;
 } gcry_md_spec_t;

+typedef struct gcry_mpi *gcry_mpi_t;
+
+/* Type for the pk_generate function.  */
+typedef gcry_err_code_t (*gcry_pk_generate_t) (int algo,
+					       unsigned int nbits,
+					       unsigned long use_e,
+					       gcry_mpi_t *skey,
+					       gcry_mpi_t **retfactors);
+
+/* Type for the pk_check_secret_key function.  */
+typedef gcry_err_code_t (*gcry_pk_check_secret_key_t) (int algo,
+						       gcry_mpi_t *skey);
+
+/* Type for the pk_encrypt function.  */
+typedef gcry_err_code_t (*gcry_pk_encrypt_t) (int algo,
+					      gcry_mpi_t *resarr,
+					      gcry_mpi_t data,
+					      gcry_mpi_t *pkey,
+					      int flags);
+
+/* Type for the pk_decrypt function.  */
+typedef gcry_err_code_t (*gcry_pk_decrypt_t) (int algo,
+					      gcry_mpi_t *result,
+					      gcry_mpi_t *data,
+					      gcry_mpi_t *skey,
+					      int flags);
+
+/* Type for the pk_sign function.  */
+typedef gcry_err_code_t (*gcry_pk_sign_t) (int algo,
+					   gcry_mpi_t *resarr,
+					   gcry_mpi_t data,
+					   gcry_mpi_t *skey);
+
+/* Type for the pk_verify function.  */
+typedef gcry_err_code_t (*gcry_pk_verify_t) (int algo,
+					     gcry_mpi_t hash,
+					     gcry_mpi_t *data,
+					     gcry_mpi_t *pkey,
+					     int (*cmp) (void *, gcry_mpi_t),
+					     void *opaquev);
+
+/* Type for the pk_get_nbits function.  */
+typedef unsigned (*gcry_pk_get_nbits_t) (int algo, gcry_mpi_t *pkey);
+
+/* Module specification structure for message digests.  */
+typedef struct gcry_pk_spec
+{
+  const char *name;
+  const char **aliases;
+  const char *elements_pkey;
+  const char *elements_skey;
+  const char *elements_enc;
+  const char *elements_sig;
+  const char *elements_grip;
+  int use;
+  gcry_pk_generate_t generate;
+  gcry_pk_check_secret_key_t check_secret_key;
+  gcry_pk_encrypt_t encrypt;
+  gcry_pk_decrypt_t decrypt;
+  gcry_pk_sign_t sign;
+  gcry_pk_verify_t verify;
+  gcry_pk_get_nbits_t get_nbits;
+#ifdef GRUB_UTIL
+  const char *modname;
+#endif
+} gcry_pk_spec_t;
+
 struct grub_crypto_cipher_handle
 {
  const struct gcry_cipher_spec *cipher;
@ -256,6 +326,11 @@ void
 grub_md_register (gcry_md_spec_t *digest);
 void 
 grub_md_unregister (gcry_md_spec_t *cipher);
+
+extern struct gcry_pk_spec *grub_crypto_pk_dsa;
+extern struct gcry_pk_spec *grub_crypto_pk_ecdsa;
+extern struct gcry_pk_spec *grub_crypto_pk_rsa;
+
 void
 grub_crypto_hash (const gcry_md_spec_t *hash, void *out, const void *in,
 		  grub_size_t inlen);
@ -319,10 +394,20 @@ grub_password_get (char buf[], unsigned buf_size);

 extern void (*grub_crypto_autoload_hook) (const char *name);

+void _gcry_assert_failed (const char *expr, const char *file, int line,
+                          const char *func) __attribute__ ((noreturn));
+
+void _gcry_burn_stack (int bytes);
+void _gcry_log_error( const char *fmt, ... )  __attribute__ ((format (printf, 1, 2)));
+void _gcry_log_bug( const char *fmt, ... )  __attribute__ ((format (printf, 1, 2)));
+void _gcry_log_printf( const char *fmt, ... )  __attribute__ ((format (printf, 1, 2)));
+void
+_gcry_check_heap (const void *a __attribute__ ((unused)));
+
+
 #ifdef GRUB_UTIL
 void grub_gcry_init_all (void);
 void grub_gcry_fini_all (void);
 #endif

-
 #endif
--- a/include/grub/err.h
+++ b/include/grub/err.h
@ -69,7 +69,8 @@ typedef enum
    GRUB_ERR_NET_UNKNOWN_ERROR,
    GRUB_ERR_NET_PACKET_TOO_BIG,
    GRUB_ERR_NET_NO_DOMAIN,
-    GRUB_ERR_EOF
+    GRUB_ERR_EOF,
+    GRUB_ERR_BAD_SIGNATURE
  }
 grub_err_t;

--- a/include/grub/file.h
+++ b/include/grub/file.h
@ -54,6 +54,7 @@ typedef struct grub_file *grub_file_t;
 /* Filters with lower ID are executed first.  */
 typedef enum grub_file_filter_id
  {
+    GRUB_FILE_FILTER_PUBKEY,
    GRUB_FILE_FILTER_GZIO,
    GRUB_FILE_FILTER_XZIO,
    GRUB_FILE_FILTER_LZOPIO,
@ -62,7 +63,7 @@ typedef enum grub_file_filter_id
    GRUB_FILE_FILTER_COMPRESSION_LAST = GRUB_FILE_FILTER_LZOPIO,
  } grub_file_filter_id_t;

-typedef grub_file_t (*grub_file_filter_t) (grub_file_t in);
+typedef grub_file_t (*grub_file_filter_t) (grub_file_t in, const char *filename);

 extern grub_file_filter_t EXPORT_VAR(grub_file_filters_all)[GRUB_FILE_FILTER_MAX];
 extern grub_file_filter_t EXPORT_VAR(grub_file_filters_enabled)[GRUB_FILE_FILTER_MAX];
@ -72,20 +73,20 @@ grub_file_filter_register (grub_file_filter_id_t id, grub_file_filter_t filter)
 {
  grub_file_filters_all[id] = filter;
  grub_file_filters_enabled[id] = filter;
-};
+}

 static inline void
 grub_file_filter_unregister (grub_file_filter_id_t id)
 {
  grub_file_filters_all[id] = 0;
  grub_file_filters_enabled[id] = 0;
-};
+}

 static inline void
 grub_file_filter_disable (grub_file_filter_id_t id)
 {
  grub_file_filters_enabled[id] = 0;
-};
+}

 static inline void
 grub_file_filter_disable_compression (void)
@ -95,7 +96,23 @@ grub_file_filter_disable_compression (void)
  for (id = GRUB_FILE_FILTER_COMPRESSION_FIRST;
       id <= GRUB_FILE_FILTER_COMPRESSION_LAST; id++)
    grub_file_filters_enabled[id] = 0;
-};
+}
+
+static inline void
+grub_file_filter_disable_all (void)
+{
+  grub_file_filter_id_t id;
+
+  for (id = 0;
+       id < GRUB_FILE_FILTER_MAX; id++)
+    grub_file_filters_enabled[id] = 0;
+}
+
+static inline void
+grub_file_filter_disable_pubkey (void)
+{
+  grub_file_filters_enabled[GRUB_FILE_FILTER_PUBKEY] = 0;
+}

 /* Get a device name from NAME.  */
 char *EXPORT_FUNC(grub_file_get_device_name) (const char *name);
--- a/include/grub/gcry/types.h
+++ b/include/grub/gcry/types.h
@ -0,0 +1,37 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2009  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_GCRY_TYPES_HEADER
+#define GRUB_GCRY_TYPES_HEADER 1
+
+#include <grub/types.h>
+#include <grub/misc.h>
+
+#ifdef GRUB_CPU_WORDS_BIGENDIAN
+#define WORDS_BIGENDIAN
+#else
+#undef WORDS_BIGENDIAN
+#endif
+
+typedef grub_uint64_t u64;
+typedef grub_uint32_t u32;
+typedef grub_uint16_t u16;
+typedef grub_uint8_t byte;
+typedef grub_size_t size_t;
+
+#endif
--- a/include/grub/gcrypt/gcrypt.h
+++ b/include/grub/gcrypt/gcrypt.h
--- a/include/grub/gcrypt/gpg-error.h
+++ b/include/grub/gcrypt/gpg-error.h
@ -0,0 +1,32 @@
+#ifndef GRUB_GPG_ERROR_H
+#define GRUB_GPG_ERROR_H 1
+
+#include <grub/crypto.h>
+typedef enum
+  {
+    GPG_ERR_SOURCE_USER_1
+  }
+  gpg_err_source_t;
+#define GPG_ERR_INLINE inline
+static inline int
+gpg_err_make (gpg_err_source_t source __attribute__ ((unused)), gpg_err_code_t code)
+{
+  return code;
+}
+
+static inline gpg_err_code_t
+gpg_err_code (gpg_error_t err)
+{
+  return err;
+}
+
+static inline gpg_err_source_t
+gpg_err_source (gpg_error_t err __attribute__ ((unused)))
+{
+  return GPG_ERR_SOURCE_USER_1;
+}
+
+gcry_err_code_t
+gpg_error_from_syserror (void);
+
+#endif
--- a/include/grub/kernel.h
+++ b/include/grub/kernel.h
@ -27,7 +27,8 @@ enum
  OBJ_TYPE_ELF,
  OBJ_TYPE_MEMDISK,
  OBJ_TYPE_CONFIG,
-  OBJ_TYPE_PREFIX
+  OBJ_TYPE_PREFIX,
+  OBJ_TYPE_PUBKEY
 };

 /* The module header.  */
@ -77,7 +78,7 @@ extern grub_addr_t EXPORT_VAR (grub_modbase);
  var && (grub_addr_t) var \
    < (grub_modbase + (((struct grub_module_info *) grub_modbase)->size));    \
  var = (struct grub_module_header *)					\
-    ((grub_uint32_t *) var + ((struct grub_module_header *) var)->size / 4))
+    ((void **) var + (((struct grub_module_header *) var)->size + sizeof (void *) - 1) / sizeof (void *)))

 grub_addr_t grub_modules_get_end (void);

--- a/include/grub/pubkey.h
+++ b/include/grub/pubkey.h
@ -0,0 +1,38 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2013  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_PUBKEY_HEADER
+#define GRUB_PUBKEY_HEADER 1
+
+#include <grub/crypto.h>
+
+struct grub_public_key *
+grub_load_public_key (grub_file_t f);
+
+grub_err_t
+grub_verify_signature (grub_file_t f, grub_file_t sig,
+		       struct grub_public_key *pk);
+
+
+struct grub_public_subkey *
+grub_crypto_pk_locate_subkey (grub_uint64_t keyid, struct grub_public_key *pkey);
+
+struct grub_public_subkey *
+grub_crypto_pk_locate_subkey_in_trustdb (grub_uint64_t keyid);
+
+#endif