]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
image: Add crypto_algo struct for RSA info
authorAndrew Duda <aduda@meraki.com>
Tue, 8 Nov 2016 18:53:41 +0000 (18:53 +0000)
committerTom Rini <trini@konsulko.com>
Mon, 21 Nov 2016 19:07:31 +0000 (14:07 -0500)
Cut down on the repetition of algorithm information by defining separate
checksum and crypto structs. image_sig_algos are now simply pairs of
unique checksum and crypto algos.

Signed-off-by: Andrew Duda <aduda@meraki.com>
Signed-off-by: aduda <aduda@meraki.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
common/image-sig.c
include/image.h
lib/rsa/rsa-verify.c
tools/image-host.c

index 008d2c56d1d17745fef5222f8f416ee227ae56ce..8b4314de09ded29dcc6c6322fb5ed835eab201f5 100644 (file)
@@ -36,7 +36,6 @@ struct checksum_algo checksum_algos[] = {
                SHA1_SUM_LEN,
                SHA1_DER_LEN,
                sha1_der_prefix,
-               RSA2048_BYTES,
 #if IMAGE_ENABLE_SIGN
                EVP_sha1,
 #endif
@@ -47,22 +46,28 @@ struct checksum_algo checksum_algos[] = {
                SHA256_SUM_LEN,
                SHA256_DER_LEN,
                sha256_der_prefix,
-               RSA2048_BYTES,
 #if IMAGE_ENABLE_SIGN
                EVP_sha256,
 #endif
                hash_calculate,
+       }
+
+};
+
+struct crypto_algo crypto_algos[] = {
+       {
+               "rsa2048",
+               RSA2048_BYTES,
+               rsa_sign,
+               rsa_add_verify_data,
+               rsa_verify,
        },
        {
-               "sha256",
-               SHA256_SUM_LEN,
-               SHA256_DER_LEN,
-               sha256_der_prefix,
+               "rsa4096",
                RSA4096_BYTES,
-#if IMAGE_ENABLE_SIGN
-               EVP_sha256,
-#endif
-               hash_calculate,
+               rsa_sign,
+               rsa_add_verify_data,
+               rsa_verify,
        }
 
 };
@@ -70,24 +75,18 @@ struct checksum_algo checksum_algos[] = {
 struct image_sig_algo image_sig_algos[] = {
        {
                "sha1,rsa2048",
-               rsa_sign,
-               rsa_add_verify_data,
-               rsa_verify,
+               &crypto_algos[0],
                &checksum_algos[0],
        },
        {
                "sha256,rsa2048",
-               rsa_sign,
-               rsa_add_verify_data,
-               rsa_verify,
+               &crypto_algos[0],
                &checksum_algos[1],
        },
        {
                "sha256,rsa4096",
-               rsa_sign,
-               rsa_add_verify_data,
-               rsa_verify,
-               &checksum_algos[2],
+               &crypto_algos[1],
+               &checksum_algos[1],
        }
 
 };
@@ -197,7 +196,8 @@ int fit_image_check_sig(const void *fit, int noffset, const void *data,
        region.data = data;
        region.size = size;
 
-       if (info.algo->verify(&info, &region, 1, fit_value, fit_value_len)) {
+       if (info.algo->crypto->verify(&info, &region, 1, fit_value,
+                                     fit_value_len)) {
                *err_msgp = "Verification failed";
                return -1;
        }
@@ -378,8 +378,8 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
        struct image_region region[count];
 
        fit_region_make_list(fit, fdt_regions, count, region);
-       if (info.algo->verify(&info, region, count, fit_value,
-                             fit_value_len)) {
+       if (info.algo->crypto->verify(&info, region, count, fit_value,
+                                     fit_value_len)) {
                *err_msgp = "Verification failed";
                return -1;
        }
index de73a071d983b3915aa9d0694853358b1df98282..c3c98667381685dffab676ea04fe5eb0a84ed1c6 100644 (file)
@@ -1072,7 +1072,6 @@ struct checksum_algo {
        const int checksum_len;
        const int der_len;
        const uint8_t *der_prefix;
-       const int key_len;
 #if IMAGE_ENABLE_SIGN
        const EVP_MD *(*calculate_sign)(void);
 #endif
@@ -1081,8 +1080,9 @@ struct checksum_algo {
                         int region_count, uint8_t *checksum);
 };
 
-struct image_sig_algo {
+struct crypto_algo {
        const char *name;               /* Name of algorithm */
+       const int key_len;
 
        /**
         * sign() - calculate and return signature for given input data
@@ -1131,7 +1131,12 @@ struct image_sig_algo {
        int (*verify)(struct image_sign_info *info,
                      const struct image_region region[], int region_count,
                      uint8_t *sig, uint sig_len);
+};
 
+struct image_sig_algo {
+       const char *name;
+       /* pointer to cryptosystem algorithm */
+       struct crypto_algo *crypto;
        /* pointer to checksum algorithm */
        struct checksum_algo *checksum;
 };
index ee8988d646348220d4497c4ea4e0e50a446be422..61dc4c2e706037ab6071d0142af00953a5b97806 100644 (file)
@@ -68,14 +68,14 @@ static int rsa_verify_padding(const uint8_t *msg, const int pad_len,
  * @sig:       Signature
  * @sig_len:   Number of bytes in signature
  * @hash:      Pointer to the expected hash
- * @algo:      Checksum algo structure having information on RSA padding etc.
+ * @key_len:   Number of bytes in rsa key
+ * @algo:      Checksum algo structure having information on DER encoding etc.
  * @return 0 if verified, -ve on error
  */
 static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
                          const uint32_t sig_len, const uint8_t *hash,
-                         struct checksum_algo *algo)
+                         const uint32_t key_len, struct checksum_algo *algo)
 {
-       const uint8_t *padding;
        int pad_len;
        int ret;
 #if !defined(USE_HOSTCC)
@@ -117,7 +117,7 @@ static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
                return ret;
        }
 
-       pad_len = algo->key_len - algo->checksum_len;
+       pad_len = key_len - algo->checksum_len;
 
        /* Check pkcs1.5 padding bytes. */
        ret = rsa_verify_padding(buf, pad_len, algo);
@@ -183,7 +183,9 @@ static int rsa_verify_with_keynode(struct image_sign_info *info,
                return -EFAULT;
        }
 
-       ret = rsa_verify_key(&prop, sig, sig_len, hash, info->algo->checksum);
+       ret = rsa_verify_key(&prop, sig, sig_len, hash,
+                            info->algo->crypto->key_len,
+                            info->algo->checksum);
 
        return ret;
 }
@@ -194,7 +196,7 @@ int rsa_verify(struct image_sign_info *info,
 {
        const void *blob = info->fdt_blob;
        /* Reserve memory for maximum checksum-length */
-       uint8_t hash[info->algo->checksum->key_len];
+       uint8_t hash[info->algo->crypto->key_len];
        int ndepth, noffset;
        int sig_node, node;
        char name[100];
@@ -205,9 +207,10 @@ int rsa_verify(struct image_sign_info *info,
         * rsa-signature-length
         */
        if (info->algo->checksum->checksum_len >
-           info->algo->checksum->key_len) {
+           info->algo->crypto->key_len) {
                debug("%s: invlaid checksum-algorithm %s for %s\n",
-                     __func__, info->algo->checksum->name, info->algo->name);
+                     __func__, info->algo->checksum->name,
+                     info->algo->crypto->name);
                return -EINVAL;
        }
 
index 11046952fcf0d4b65cdd85bd1362d5bc43c25c23..dac85b4b747ed312f6683c1a46674fab3a171c47 100644 (file)
@@ -213,7 +213,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        node_name = fit_get_name(fit, noffset, NULL);
        region.data = data;
        region.size = size;
-       ret = info.algo->sign(&info, &region, 1, &value, &value_len);
+       ret = info.algo->crypto->sign(&info, &region, 1, &value, &value_len);
        if (ret) {
                printf("Failed to sign '%s' signature node in '%s' image node: %d\n",
                       node_name, image_name, ret);
@@ -239,7 +239,7 @@ static int fit_image_process_sig(const char *keydir, void *keydest,
        info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
 
        if (keydest)
-               ret = info.algo->add_verify_data(&info, keydest);
+               ret = info.algo->crypto->add_verify_data(&info, keydest);
        else
                return -1;
 
@@ -588,7 +588,8 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
                                require_keys ? "conf" : NULL))
                return -1;
 
-       ret = info.algo->sign(&info, region, region_count, &value, &value_len);
+       ret = info.algo->crypto->sign(&info, region, region_count, &value,
+                                     &value_len);
        free(region);
        if (ret) {
                printf("Failed to sign '%s' signature node in '%s' conf node\n",
@@ -617,7 +618,7 @@ static int fit_config_process_sig(const char *keydir, void *keydest,
 
        /* Write the public key into the supplied FDT file */
        if (keydest) {
-               ret = info.algo->add_verify_data(&info, keydest);
+               ret = info.algo->crypto->add_verify_data(&info, keydest);
                if (ret == -ENOSPC)
                        return -ENOSPC;
                if (ret) {