summaryrefslogtreecommitdiff
path: root/lib/crypto
diff options
context:
space:
mode:
authorIlias Apalodimas <ilias.apalodimas@linaro.org>2022-01-19 13:54:41 +0200
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>2022-01-19 16:16:33 +0100
commit8699af63b8a5ea36c415b97079651ca02a0aafa5 (patch)
treea6da46dea46cb1be51e356b4fc2aac30a2e2400b /lib/crypto
parent38040a63a3e838a1eeb56c7d18875be485b14f5c (diff)
downloadu-boot-8699af63b8a5ea36c415b97079651ca02a0aafa5.tar.gz
u-boot-8699af63b8a5ea36c415b97079651ca02a0aafa5.tar.bz2
u-boot-8699af63b8a5ea36c415b97079651ca02a0aafa5.zip
lib/crypto: Enable more algorithms in cert verification
Right now the code explicitly limits us to sha1,256 hashes with RSA2048 encryption. But the limitation is artificial since U-Boot supports a wider range of algorithms. The internal image_get_[checksum|crypto]_algo() functions expect an argument in the format of <checksum>,<crypto>. So let's remove the size checking and create the needed string on the fly in order to support more hash/signing combinations. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Diffstat (limited to 'lib/crypto')
-rw-r--r--lib/crypto/public_key.c35
1 files changed, 16 insertions, 19 deletions
diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c
index df6033cdb4..3671ed1385 100644
--- a/lib/crypto/public_key.c
+++ b/lib/crypto/public_key.c
@@ -97,6 +97,7 @@ int public_key_verify_signature(const struct public_key *pkey,
const struct public_key_signature *sig)
{
struct image_sign_info info;
+ char algo[256];
int ret;
pr_devel("==>%s()\n", __func__);
@@ -108,30 +109,26 @@ int public_key_verify_signature(const struct public_key *pkey,
return -EINVAL;
memset(&info, '\0', sizeof(info));
+ memset(algo, 0, sizeof(algo));
info.padding = image_get_padding_algo("pkcs-1.5");
- /*
- * Note: image_get_[checksum|crypto]_algo takes a string
- * argument like "<checksum>,<crypto>"
- * TODO: support other hash algorithms
- */
- if (strcmp(sig->pkey_algo, "rsa") || (sig->s_size * 8) != 2048) {
- pr_warn("Encryption is not RSA2048: %s%d\n",
- sig->pkey_algo, sig->s_size * 8);
- return -ENOPKG;
- }
- if (!strcmp(sig->hash_algo, "sha1")) {
- info.checksum = image_get_checksum_algo("sha1,rsa2048");
- info.name = "sha1,rsa2048";
- } else if (!strcmp(sig->hash_algo, "sha256")) {
- info.checksum = image_get_checksum_algo("sha256,rsa2048");
- info.name = "sha256,rsa2048";
- } else {
- pr_warn("unknown msg digest algo: %s\n", sig->hash_algo);
+ if (strcmp(sig->pkey_algo, "rsa")) {
+ pr_err("Encryption is not RSA: %s\n", sig->pkey_algo);
return -ENOPKG;
}
+ ret = snprintf(algo, sizeof(algo), "%s,%s%d", sig->hash_algo,
+ sig->pkey_algo, sig->s_size * 8);
+
+ if (ret >= sizeof(algo))
+ return -EINVAL;
+
+ info.checksum = image_get_checksum_algo((const char *)algo);
+ info.name = (const char *)algo;
info.crypto = image_get_crypto_algo(info.name);
- if (IS_ERR(info.checksum) || IS_ERR(info.crypto))
+ if (!info.checksum || !info.crypto) {
+ pr_err("<%s> not supported on image_get_(checksum|crypto)_algo()\n",
+ algo);
return -ENOPKG;
+ }
info.key = pkey->key;
info.keylen = pkey->keylen;