diff options
| author | Ilias Apalodimas <ilias.apalodimas@linaro.org> | 2022-01-19 14:54:41 +0300 |
|---|---|---|
| committer | Heinrich Schuchardt <heinrich.schuchardt@canonical.com> | 2022-01-19 18:16:33 +0300 |
| commit | 8699af63b8a5ea36c415b97079651ca02a0aafa5 (patch) | |
| tree | a6da46dea46cb1be51e356b4fc2aac30a2e2400b /lib | |
| parent | 38040a63a3e838a1eeb56c7d18875be485b14f5c (diff) | |
| download | u-boot-8699af63b8a5ea36c415b97079651ca02a0aafa5.tar.xz | |
lib/crypto: Enable more algorithms in cert verification
Right now the code explicitly limits us to sha1,256 hashes with RSA2048
encryption. But the limitation is artificial since U-Boot supports
a wider range of algorithms.
The internal image_get_[checksum|crypto]_algo() functions expect an
argument in the format of <checksum>,<crypto>. So let's remove the size
checking and create the needed string on the fly in order to support
more hash/signing combinations.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/crypto/public_key.c | 35 |
1 files changed, 16 insertions, 19 deletions
diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index df6033cdb4..3671ed1385 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -97,6 +97,7 @@ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig) { struct image_sign_info info; + char algo[256]; int ret; pr_devel("==>%s()\n", __func__); @@ -108,30 +109,26 @@ int public_key_verify_signature(const struct public_key *pkey, return -EINVAL; memset(&info, '\0', sizeof(info)); + memset(algo, 0, sizeof(algo)); info.padding = image_get_padding_algo("pkcs-1.5"); - /* - * Note: image_get_[checksum|crypto]_algo takes a string - * argument like "<checksum>,<crypto>" - * TODO: support other hash algorithms - */ - if (strcmp(sig->pkey_algo, "rsa") || (sig->s_size * 8) != 2048) { - pr_warn("Encryption is not RSA2048: %s%d\n", - sig->pkey_algo, sig->s_size * 8); - return -ENOPKG; - } - if (!strcmp(sig->hash_algo, "sha1")) { - info.checksum = image_get_checksum_algo("sha1,rsa2048"); - info.name = "sha1,rsa2048"; - } else if (!strcmp(sig->hash_algo, "sha256")) { - info.checksum = image_get_checksum_algo("sha256,rsa2048"); - info.name = "sha256,rsa2048"; - } else { - pr_warn("unknown msg digest algo: %s\n", sig->hash_algo); + if (strcmp(sig->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); return -ENOPKG; } + ret = snprintf(algo, sizeof(algo), "%s,%s%d", sig->hash_algo, + sig->pkey_algo, sig->s_size * 8); + + if (ret >= sizeof(algo)) + return -EINVAL; + + info.checksum = image_get_checksum_algo((const char *)algo); + info.name = (const char *)algo; info.crypto = image_get_crypto_algo(info.name); - if (IS_ERR(info.checksum) || IS_ERR(info.crypto)) + if (!info.checksum || !info.crypto) { + pr_err("<%s> not supported on image_get_(checksum|crypto)_algo()\n", + algo); return -ENOPKG; + } info.key = pkey->key; info.keylen = pkey->keylen; |