/*! * * Copyright (c) 2023 Diality Inc. - All Rights Reserved. * * \copyright * THIS CODE MAY NOT BE COPIED OR REPRODUCED IN ANY FORM, IN PART OR IN * WHOLE, WITHOUT THE EXPLICIT PERMISSION OF THE COPYRIGHT OWNER. * * \file UpdateProtocol.c * \author (last) Phil Braica * \date (last) 23-Jan-2023 * \author (original) Phil Braica * \date (original) 23-Jan-2023 * */ #include "UpdateProtocol.h" #ifdef __cplusplus extern "C" { #endif #define SECURE_ROT (27) /*! Streaming CRC support. */ uint32 g_crcs_curr[NUM_CAN_TARGETS]; uint32 g_crcs_prev[NUM_CAN_TARGETS]; uint16 g_crcs_index[NUM_CAN_TARGETS]; /** This is a shared secret to whiten the data, they are 4 randomly chosen prime numbers. */ const uint8 g_securitySeeds[4] = { 37, 71, 113, 181 }; /** Unroll CRC by 8 when we can. */ #define CRC_BLOCK_UNROLL (8) // CRC is based on the open source code here: // https://web.mit.edu/freebsd/head/sys/libkern/crc32.c // and // https://wiki.osdev.org/CRC32 /*! * CRC 32 standard table. * * This is computed because it avoids having the obvious CRC32 table * pattern in the file. */ uint32 crc32_tab[256]; /*! * \brief From a command byte extract the target. * * \param cmd The command byte. * * \return The target of the command. */ SwUpdateTargetEnum SwUpdate_getTarget(uint8 cmd) { return (SwUpdateTargetEnum)(cmd >> 4); } /*! * \brief From a command byte extract the command. * * \param cmd The command byte. * * \return The kind of command. */ SwUpdateCmdEnum SwUpdate_getCmd(uint8 cmd) { return (SwUpdateCmdEnum)(cmd & 0xf); } /*! * \brief From target and command kind compose the command byte. * * \param target The processor target. * \param cmd The command kind. * * \return The command byte. */ uint8 SwUpdate_FormCommand(SwUpdateTargetEnum target, SwUpdateCmdEnum cmd) { return ((uint8)target << 4) | ((uint8)cmd & 0xf); } #if 0 const uint32 crc32_table_test = { 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d }; #endif /*! * \brief Generate a CRC32 LUT. * * Ideally we don't want an obvious CRC table in our * source code for cyber reasons. */ void crc32_fill() { static bool once = true; if (once) { once = false; for (uint16 index = 0; index < 256; index++) { uint32 val = index; for (uint8 z = 8; z> 0; z--) { val = (val&1) ? (val>>1) ^ 0xEDB88320:val>>1; } crc32_tab[index] = val; } } } /*! * \brief CRC 32 for a buffer. * * \param pBuf Buffer. * \param size Buffer size. * \param crc Old CRC, use 0xFFFFFFFF to init. * * \return Updated CRC value. */ uint32 crc32Update(const uint8* pBuf, uint32 size, uint32 crc) { crc32_fill(); // Typically 8 bytes or in sets of 8 bytes. while (size > CRC_BLOCK_UNROLL) { crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); size -= CRC_BLOCK_UNROLL; } while (size--) { crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); } return crc; } /*! * \brief CRC 32 for a byte. * * \param val Byte to use. * \param crc Old CRC, use 0xFFFFFFFF to init. * * \return Updated CRC value. */ uint32 crc32UpdateByte(const uint8 val, uint32 crc) { crc32_fill(); return crc32_tab[(crc ^ val) & 0xFF] ^ (crc >> 8); } /*! * \brief CRC 32 for a buffer. * * \note Not named crc32 because on Linux Qt will link * PNG image load to this function with a size of 0xFFFFFFFF. * * \param pBuf Buffer. * \param size Buffer size. * * \return CRC of that buffer. */ uint32 crc32Fast(const uint8* pBuf, uint32 size) { return crc32Update(pBuf, size, 0xFFFFFFFF) ^ 0xFFFFFFFF; } /*! * \brief CRC a packet. * * \param pBuf Buffer. * \param size Buffer size * * \return CRC of that buffer. */ uint32 crc32Packet(const uint8* pBuf, uint32 size, uint32 crc) { crc32_fill(); #if 0 // OLD for (uint32 ii = 0; ii < size; ii++) { // No CRC of the second word of a packet. if ((ii < 4) || (ii >= 8)) { crc = crc32_tab[(crc ^ pBuf[ii]) & 0xFF] ^ (crc >> 8); } } #else // This is unrolled and MUCH faster. // Always the first 4 bytes. crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); // Skip 32 bits pBuf += sizeof (uint32); // We consumed 32 bits and skipped 32 bits. size -= sizeof (uint32) + sizeof(uint32); while (size--) { crc = crc32_tab[(crc ^ *pBuf++) & 0xFF] ^ (crc >> 8); } #endif return crc; } /*! * \brief CRC 32 for a buffer. * * \param crc CRC to finalize. * * \return Updated CRC value. */ uint32 crc32Finalize(uint32 crc) { return crc ^ 0xFFFFFFFF; } /*! * \brief Create and write into the buffer the security token. * * \param pData Packet to verify. * \param size Size in bytes. */ void SwUpdate_createSecurity(uint8* pData, uint32 size) { // This adds 2 bits of whitening which can make analysis of // the byte stream harder to cyber attack. static uint8 seed = 0; seed = seed + 1; // Blank out the 2nd word, it is always the location of the security token. uint32* pWord = (uint32*)pData; // Update the crc. uint32 crc = crc32Packet(pData, size, 0xFFFFFFFF); //printf(" pck: %4x seeded: ", crc); // Use the 2 bit whitening. crc = crc32UpdateByte(g_securitySeeds[seed & 0x3], crc); //printf(" %4x \n", crc); // Write it. pWord[1] = crc32Finalize(crc); } /*! * \brief All packets have the second 32 bit word as security. * * \details If this fails, this function automatically invokes * security features to take note of a potential threat. * * \param pData Packet to verify. * \param size Size in bytes. * * \return True if verified. */ bool SwUpdate_verifySecurity(const uint8* pData, uint32 size) { // Assuming things are often in order, this cuts the work on the verify side statistically. static uint8 nxtSeed = 0; // Update the crc skipping the 2nd word. uint32 crc = crc32Packet(pData, size, 0xFFFFFFFF); // Grab the security token. uint32 token = ((uint32*)pData)[1]; // Use the 2 bit whitening. for (uint8 seed = nxtSeed; seed < 4 + nxtSeed; seed++) { // Check this seeding. uint32 crc_tmp = crc32UpdateByte(g_securitySeeds[seed & 0x3], crc); crc_tmp = crc32Finalize(crc_tmp); // If match use it and cache for next expected seed. if (crc_tmp == token) { nxtSeed = seed + 1; nxtSeed &= 0xF; return true; } } return false; } /*! * \brief Create and write into the buffer the security token for a data transfer * * This is forming a response to the UI, always target of UI. * * \param pResponse Packet responding pointer. * \param pData Data we received pointer. */ void SwUpdate_createSecurityForData(struct SwUpdateResponse* pResponse, uint8 * pData) { static uint32 rand = 0; // Assign the whitening bytes, this should vary, we don't care too much. // This is why no other whitening is required. pResponse->rand = 0xFFFF & crc32Finalize(crc32Update((uint8*)&rand, 4, 0)); uint32 crc = crc32Packet((uint8*)pResponse, sizeof(struct SwUpdateResponse), 0xFFFFFFFF); crc = crc32Update(pData, sizeof(struct SwUpdateDataBuffer), crc); pResponse->token = crc; } /*! * \brief Encode / obfuscate the data. * * \param pData Data to encode. */ void SwUpdate_encodeData(struct SwUpdateDataBuffer* pData) { // We always transfer the whole thing. for (uint32 ii = 0; ii < MAX_TRANSFER_SIZE; ii++) { pData->buffer[ii] = 0xFF & (pData->buffer[ii] + SECURE_ROT); } } /*! * \brief Decode / de-obfuscate the data. * * \param pData Data to decode. */ void SwUpdate_decodeData(struct SwUpdateDataBuffer* pData) { for (uint32 ii = 0; ii < MAX_TRANSFER_SIZE; ii++) { pData->buffer[ii] = 0xFF & (pData->buffer[ii] - SECURE_ROT); } } /*! * \brief After getting a secure response for data UI sent, check the returned security token. * * This checks the response to a data message. * * \param pResponse Packet responding pointer. * \param pData Data we had sent pointer. */ BOOL SwUpdate_checkSecurityForData(const uint8* pResponse, const uint8 * pData) { uint32 crc = crc32Packet(pResponse, sizeof(struct SwUpdateResponse), 0xFFFFFFFF); crc = crc32Update(pData, sizeof(struct SwUpdateDataBuffer), crc); struct SwUpdateResponse* pResponseStruct = (struct SwUpdateResponse*)pResponse; if (pResponseStruct->token == crc) { return TRUE; } return FALSE; } /*! * \brief Go through the data and stream it into the verification code * * \param target Which target is this for? */ void SwUpdate_resetVerificationData(SwUpdateTargetEnum target) { g_crcs_curr[target % NUM_CAN_TARGETS] = 0xFFFFFFFF; g_crcs_prev[target % NUM_CAN_TARGETS] = 0xFFFFFFFF; g_crcs_index[target % NUM_CAN_TARGETS] = 0; } /*! * \brief Go through the data and stream it into the verification code * * This currently streams the data in, allowing for retries of the last item, * by using the index value to roll back and re-apply if needed. * * \param index Index of the data. * \param pData Data pointer. * \param size Size of the data. * \param target Which target is this for? */ void SwUpdate_updateVerificationData( uint16 index, uint8* pData, uint32 size, SwUpdateTargetEnum target) { // State | Action // index = old +1 | previous = current, update current. // index = old | current = previous, update current. uint32 ii = target % NUM_CAN_TARGETS; if (index == g_crcs_index[ii]) { g_crcs_curr[ii] = g_crcs_prev[ii]; } else { g_crcs_prev[ii] = g_crcs_curr[ii]; } g_crcs_index[ii] = index; g_crcs_curr[ii] = crc32Update(pData, size, g_crcs_curr[ii]); } /*! * \brief Compute / get the data for the image. * * \param asVerify If true, verify token else version token. * \param target Which target. * * \return Version/verification token. */ uint32 SwUpdate_computeVerificationData(bool asVerify, SwUpdateTargetEnum target) { uint32 crc = g_crcs_curr[target % NUM_CAN_TARGETS]; crc = crc32Update( asVerify ? (uint8*)"security" : (uint8*)"version", asVerify ? 8 : 7, crc); crc = crc32Finalize(crc); return crc; } typedef unsigned long long rsa64_BigInt; #define SALT_1 (29) #define SALT_2 (73) #define SALT_3 (127) /** * @brief Do the multiply/mod fast. * * Computes (m^key)%n. * * @param m Value. * @param key The key * @param n Modulus. * * @return Value. */ rsa64_BigInt rsa64_multiMod2( rsa64_BigInt m, rsa64_BigInt key, rsa64_BigInt n) { // m is <= 64 bits in size, and <= 64 bits. // n is <= 64 bits. // key <= 32 bits. rsa64_BigInt symbol = 1; while (key > 0) { if (key % 2 == 1) { symbol = (symbol * m) % n; } key = key / 2; m = (m * m) % n; } return symbol; } /*! * \brief Is the cryptography signature valid? * * \param pSignature Pointer to MAX_TRANSFER_SIZE signature. * \param target SwUpdateTargetEnum, 0=HD, 1=HDFPGA, 2=DG, 3=DGFPGA. * * \return 1 if passed else 0. */ uint32 SwUpdate_isCryptoSignedOk(uint8* pSignature, uint8 target) { const rsa64_BigInt n = 0xfd2a058f; const rsa64_BigInt publicKey = 0xe904d9313; uint32 crc1 = SwUpdate_computeVerificationData(true, (SwUpdateTargetEnum)target); uint32 crc2 = SwUpdate_computeVerificationData(false, (SwUpdateTargetEnum)target); uint32 digest[16]; // 64 bytes of digest. for (uint32 ii = 0; ii < 16; ii += 4) { digest[ii + 0] = crc1 + ii; digest[ii + 1] = crc2 + ii; digest[ii + 2] = crc1 + ii + SALT_1; digest[ii + 3] = crc2 + ii + SALT_2; } // Now decode and compare. uint16* pDigestShort = (uint16*)digest; uint32 jj = 0; for (uint32 ii = 0; ii < 32; ii++) { rsa64_BigInt a = pSignature[jj++]; rsa64_BigInt b = pSignature[jj++]; rsa64_BigInt c = pSignature[jj++]; rsa64_BigInt d = pSignature[jj++]; rsa64_BigInt m = a + (b << 8) + (c << 16) + (d << 24); rsa64_BigInt k = rsa64_multiMod2(m, publicKey, n); uint16 kshort = (uint16)k; if (kshort != pDigestShort[ii]) { return 0; } } return 1; } /*! * \brief Make a signature. * * \param crc1 CRC1 to do. * \param crc2 CRC2 to do. * \param pSignature Pointer to MAX_TRANSFER_SIZE signature. * * \return 1 if passed else 0. */ void SwUpdate_makeSignature(uint32 crc1, uint32 crc2, uint8 *pSignature) { const rsa64_BigInt n = 0xfd2a058f; const rsa64_BigInt privateKey = 0xb; uint32 digest[16]; // 4 * 16 = 64 bytes of digest. for (uint32 ii = 0; ii < 16; ii += 4) { digest[ii + 0] = crc1 + ii; digest[ii + 1] = crc2 + ii; digest[ii + 2] = crc1 + ii + SALT_1; digest[ii + 3] = crc2 + ii + SALT_2; } // This outputs 32 items each 64 bits but the top 32 bits are unused. uint16* pShort = (uint16*)digest; uint32 jj = 0; for (uint32 ii = 0; ii < 32; ii++) { rsa64_BigInt m = (rsa64_BigInt)pShort[ii]; rsa64_BigInt k = rsa64_multiMod2(m, privateKey, n); // k is now 64 bits, but the top 32 are zeros. // Copy the lower 32 into pSignature. pSignature[jj++] = k & 0xFF; pSignature[jj++] = (k >> 8) & 0xFF; pSignature[jj++] = (k >> 16) & 0xFF; pSignature[jj++] = (k >> 24) & 0xFF; } } // This is reference code to create your own keys: #if 0 // to find gcd int _rsa64_gcd(rsa64_BigInt a, rsa64_BigInt b) { rsa64_BigInt tmp = a % b; while (tmp > 0) { a = b; b = tmp; tmp = a%b; } return b == 1 ? 1 : 0; } // Compute keys E, D and N from primes p, q. // Make sure int rsa64_computeKeys( rsa64_BigInt p, rsa64_BigInt q, rsa64_BigInt* pE, rsa64_BigInt* pD, rsa64_BigInt* pN) { rsa64_BigInt n = p * q; rsa64_BigInt t = (p-1) * (q-1); // This will fail to be useful or just plain overflow/fail if: // sum_bits > 63 (likely overflow). // t > n (definite overflow) // n < 256 (not usable). if ((t > n) || (n < 256) || (n > 0xFFFFFFFF) { return 0; } int foundPair = 0; const rsa64_BigInt limit = 0xFFFFFFFFFFFFFFFF - t - t; // So that we don't always use the first found pair ... int targetCount = 1 + (t % 7); for (rsa64_BigInt ii = 2; (ii < t) && (!foundPair); ii++) { // ii is not a candidate. if (t % ii == 0) { continue; } // _rsa64_isPrime(ii); is an alternative. int flag = _rsa64_gcd(t, ii); // ii might be a candidate... if (flag && (ii != p) && (ii != q)) { // ii is a possible encryption private key. // does d (public key) exist? for (rsa64_BigInt kk = 1 + t; kk < limit; kk += t) { if (((kk % ii) == 0) && (kk > ii)) { // d exists. *pE = ii; *pD = kk / ii; *pN = n; // Increment number of solutions, we have at least 1 now. foundPair++; // If number of found solutions == target, good. if (targetCount <= foundPair) { break; } } } } } return foundPair > 0 ? 1 : foundPair; } #endif #ifdef __cplusplus } #endif