mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-10 07:04:28 +00:00
image: Add crypto_algo struct for RSA info
Cut down on the repetition of algorithm information by defining separate checksum and crypto structs. image_sig_algos are now simply pairs of unique checksum and crypto algos. Signed-off-by: Andrew Duda <aduda@meraki.com> Signed-off-by: aduda <aduda@meraki.com> Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Andrew Duda
Tom Rini
parent
da29f2991d
commit
0c1d74fda7
4 changed files with 48 additions and 39 deletions
|
|
@ -36,7 +36,6 @@ struct checksum_algo checksum_algos[] = {
|
|||
SHA1_SUM_LEN,
|
||||
SHA1_DER_LEN,
|
||||
sha1_der_prefix,
|
||||
RSA2048_BYTES,
|
||||
#if IMAGE_ENABLE_SIGN
|
||||
EVP_sha1,
|
||||
#endif
|
||||
|
|
@ -47,18 +46,6 @@ struct checksum_algo checksum_algos[] = {
|
|||
SHA256_SUM_LEN,
|
||||
SHA256_DER_LEN,
|
||||
sha256_der_prefix,
|
||||
RSA2048_BYTES,
|
||||
#if IMAGE_ENABLE_SIGN
|
||||
EVP_sha256,
|
||||
#endif
|
||||
hash_calculate,
|
||||
},
|
||||
{
|
||||
"sha256",
|
||||
SHA256_SUM_LEN,
|
||||
SHA256_DER_LEN,
|
||||
sha256_der_prefix,
|
||||
RSA4096_BYTES,
|
||||
#if IMAGE_ENABLE_SIGN
|
||||
EVP_sha256,
|
||||
#endif
|
||||
|
|
@ -67,27 +54,39 @@ struct checksum_algo checksum_algos[] = {
|
|||
|
||||
};
|
||||
|
||||
struct image_sig_algo image_sig_algos[] = {
|
||||
struct crypto_algo crypto_algos[] = {
|
||||
{
|
||||
"sha1,rsa2048",
|
||||
"rsa2048",
|
||||
RSA2048_BYTES,
|
||||
rsa_sign,
|
||||
rsa_add_verify_data,
|
||||
rsa_verify,
|
||||
},
|
||||
{
|
||||
"rsa4096",
|
||||
RSA4096_BYTES,
|
||||
rsa_sign,
|
||||
rsa_add_verify_data,
|
||||
rsa_verify,
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
struct image_sig_algo image_sig_algos[] = {
|
||||
{
|
||||
"sha1,rsa2048",
|
||||
&crypto_algos[0],
|
||||
&checksum_algos[0],
|
||||
},
|
||||
{
|
||||
"sha256,rsa2048",
|
||||
rsa_sign,
|
||||
rsa_add_verify_data,
|
||||
rsa_verify,
|
||||
&crypto_algos[0],
|
||||
&checksum_algos[1],
|
||||
},
|
||||
{
|
||||
"sha256,rsa4096",
|
||||
rsa_sign,
|
||||
rsa_add_verify_data,
|
||||
rsa_verify,
|
||||
&checksum_algos[2],
|
||||
&crypto_algos[1],
|
||||
&checksum_algos[1],
|
||||
}
|
||||
|
||||
};
|
||||
|
|
@ -197,7 +196,8 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data,
|
|||
region.data = data;
|
||||
region.size = size;
|
||||
|
||||
if (info.algo->verify(&info, ®ion, 1, fit_value, fit_value_len)) {
|
||||
if (info.algo->crypto->verify(&info, ®ion, 1, fit_value,
|
||||
fit_value_len)) {
|
||||
*err_msgp = "Verification failed";
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -378,7 +378,7 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
|
|||
struct image_region region[count];
|
||||
|
||||
fit_region_make_list(fit, fdt_regions, count, region);
|
||||
if (info.algo->verify(&info, region, count, fit_value,
|
||||
if (info.algo->crypto->verify(&info, region, count, fit_value,
|
||||
fit_value_len)) {
|
||||
*err_msgp = "Verification failed";
|
||||
return -1;
|
||||
|
|
|
|||
|
|
@ -1072,7 +1072,6 @@ struct checksum_algo {
|
|||
const int checksum_len;
|
||||
const int der_len;
|
||||
const uint8_t *der_prefix;
|
||||
const int key_len;
|
||||
#if IMAGE_ENABLE_SIGN
|
||||
const EVP_MD *(*calculate_sign)(void);
|
||||
#endif
|
||||
|
|
@ -1081,8 +1080,9 @@ struct checksum_algo {
|
|||
int region_count, uint8_t *checksum);
|
||||
};
|
||||
|
||||
struct image_sig_algo {
|
||||
struct crypto_algo {
|
||||
const char *name; /* Name of algorithm */
|
||||
const int key_len;
|
||||
|
||||
/**
|
||||
* sign() - calculate and return signature for given input data
|
||||
|
|
@ -1131,7 +1131,12 @@ struct image_sig_algo {
|
|||
int (*verify)(struct image_sign_info *info,
|
||||
const struct image_region region[], int region_count,
|
||||
uint8_t *sig, uint sig_len);
|
||||
};
|
||||
|
||||
struct image_sig_algo {
|
||||
const char *name;
|
||||
/* pointer to cryptosystem algorithm */
|
||||
struct crypto_algo *crypto;
|
||||
/* pointer to checksum algorithm */
|
||||
struct checksum_algo *checksum;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -68,14 +68,14 @@ static int rsa_verify_padding(const uint8_t *msg, const int pad_len,
|
|||
* @sig: Signature
|
||||
* @sig_len: Number of bytes in signature
|
||||
* @hash: Pointer to the expected hash
|
||||
* @algo: Checksum algo structure having information on RSA padding etc.
|
||||
* @key_len: Number of bytes in rsa key
|
||||
* @algo: Checksum algo structure having information on DER encoding etc.
|
||||
* @return 0 if verified, -ve on error
|
||||
*/
|
||||
static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
|
||||
const uint32_t sig_len, const uint8_t *hash,
|
||||
struct checksum_algo *algo)
|
||||
const uint32_t key_len, struct checksum_algo *algo)
|
||||
{
|
||||
const uint8_t *padding;
|
||||
int pad_len;
|
||||
int ret;
|
||||
#if !defined(USE_HOSTCC)
|
||||
|
|
@ -117,7 +117,7 @@ static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
|
|||
return ret;
|
||||
}
|
||||
|
||||
pad_len = algo->key_len - algo->checksum_len;
|
||||
pad_len = key_len - algo->checksum_len;
|
||||
|
||||
/* Check pkcs1.5 padding bytes. */
|
||||
ret = rsa_verify_padding(buf, pad_len, algo);
|
||||
|
|
@ -183,7 +183,9 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
|
|||
return -EFAULT;
|
||||
}
|
||||
|
||||
ret = rsa_verify_key(&prop, sig, sig_len, hash, info->algo->checksum);
|
||||
ret = rsa_verify_key(&prop, sig, sig_len, hash,
|
||||
info->algo->crypto->key_len,
|
||||
info->algo->checksum);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
|
@ -194,7 +196,7 @@ int rsa_verify(struct image_sign_info *info,
|
|||
{
|
||||
const void *blob = info->fdt_blob;
|
||||
/* Reserve memory for maximum checksum-length */
|
||||
uint8_t hash[info->algo->checksum->key_len];
|
||||
uint8_t hash[info->algo->crypto->key_len];
|
||||
int ndepth, noffset;
|
||||
int sig_node, node;
|
||||
char name[100];
|
||||
|
|
@ -205,9 +207,10 @@ int rsa_verify(struct image_sign_info *info,
|
|||
* rsa-signature-length
|
||||
*/
|
||||
if (info->algo->checksum->checksum_len >
|
||||
info->algo->checksum->key_len) {
|
||||
info->algo->crypto->key_len) {
|
||||
debug("%s: invlaid checksum-algorithm %s for %s\n",
|
||||
__func__, info->algo->checksum->name, info->algo->name);
|
||||
__func__, info->algo->checksum->name,
|
||||
info->algo->crypto->name);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -213,7 +213,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
|
|||
node_name = fit_get_name(fit, noffset, NULL);
|
||||
region.data = data;
|
||||
region.size = size;
|
||||
ret = info.algo->sign(&info, ®ion, 1, &value, &value_len);
|
||||
ret = info.algo->crypto->sign(&info, ®ion, 1, &value, &value_len);
|
||||
if (ret) {
|
||||
printf("Failed to sign '%s' signature node in '%s' image node: %d\n",
|
||||
node_name, image_name, ret);
|
||||
|
|
@ -239,7 +239,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
|
|||
info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
|
||||
|
||||
if (keydest)
|
||||
ret = info.algo->add_verify_data(&info, keydest);
|
||||
ret = info.algo->crypto->add_verify_data(&info, keydest);
|
||||
else
|
||||
return -1;
|
||||
|
||||
|
|
@ -588,7 +588,8 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
|
|||
require_keys ? "conf" : NULL))
|
||||
return -1;
|
||||
|
||||
ret = info.algo->sign(&info, region, region_count, &value, &value_len);
|
||||
ret = info.algo->crypto->sign(&info, region, region_count, &value,
|
||||
&value_len);
|
||||
free(region);
|
||||
if (ret) {
|
||||
printf("Failed to sign '%s' signature node in '%s' conf node\n",
|
||||
|
|
@ -617,7 +618,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
|
|||
|
||||
/* Write the public key into the supplied FDT file */
|
||||
if (keydest) {
|
||||
ret = info.algo->add_verify_data(&info, keydest);
|
||||
ret = info.algo->crypto->add_verify_data(&info, keydest);
|
||||
if (ret == -ENOSPC)
|
||||
return -ENOSPC;
|
||||
if (ret) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue