SHA1_SUM_LEN,
SHA1_DER_LEN,
sha1_der_prefix,
- RSA2048_BYTES,
#if IMAGE_ENABLE_SIGN
EVP_sha1,
#endif
SHA256_SUM_LEN,
SHA256_DER_LEN,
sha256_der_prefix,
- RSA2048_BYTES,
#if IMAGE_ENABLE_SIGN
EVP_sha256,
#endif
hash_calculate,
+ }
+
+};
+
+struct crypto_algo crypto_algos[] = {
+ {
+ "rsa2048",
+ RSA2048_BYTES,
+ rsa_sign,
+ rsa_add_verify_data,
+ rsa_verify,
},
{
- "sha256",
- SHA256_SUM_LEN,
- SHA256_DER_LEN,
- sha256_der_prefix,
+ "rsa4096",
RSA4096_BYTES,
-#if IMAGE_ENABLE_SIGN
- EVP_sha256,
-#endif
- hash_calculate,
+ rsa_sign,
+ rsa_add_verify_data,
+ rsa_verify,
}
};
struct image_sig_algo image_sig_algos[] = {
{
"sha1,rsa2048",
- rsa_sign,
- rsa_add_verify_data,
- rsa_verify,
+ &crypto_algos[0],
&checksum_algos[0],
},
{
"sha256,rsa2048",
- rsa_sign,
- rsa_add_verify_data,
- rsa_verify,
+ &crypto_algos[0],
&checksum_algos[1],
},
{
"sha256,rsa4096",
- rsa_sign,
- rsa_add_verify_data,
- rsa_verify,
- &checksum_algos[2],
+ &crypto_algos[1],
+ &checksum_algos[1],
}
};
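Review bot: The new image_sig_algos entries at L50, L58, L67 and L68 pair each name string with hand-counted table indices (`&crypto_algos[0]`, `&checksum_algos[1]`) and nothing ties the string to the entries it points at; this hunk itself has to change `&checksum_algos[2]` to `[1]` because the old third checksum entry was dropped. A wrong index would not fail, it would quietly verify against the wrong hash or key length, so make the pairing self-describing with named aliases such as `#define CHECKSUM_SHA1 (&checksum_algos[0])`, `#define CHECKSUM_SHA256 (&checksum_algos[1])` and the same for the two crypto entries, or at minimum comment each entry with the name it must match. The checksum_algos table being edited begins before L1.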
region.data = data;
region.size = size;
- if (info.algo->verify(&info, ®ion, 1, fit_value, fit_value_len)) {
+ if (info.algo->crypto->verify(&info, ®ion, 1, fit_value,
+ fit_value_len)) {
*err_msgp = "Verification failed";
return -1;
}
struct image_region region[count];
fit_region_make_list(fit, fdt_regions, count, region);
- if (info.algo->verify(&info, region, count, fit_value,
- fit_value_len)) {
+ if (info.algo->crypto->verify(&info, region, count, fit_value,
+ fit_value_len)) {
*err_msgp = "Verification failed";
return -1;
}
const int checksum_len;
const int der_len;
const uint8_t *der_prefix;
- const int key_len;
#if IMAGE_ENABLE_SIGN
const EVP_MD *(*calculate_sign)(void);
#endif
int region_count, uint8_t *checksum);
};
-struct image_sig_algo {
+struct crypto_algo {
const char *name; /* Name of algorithm */
+ const int key_len;
/**
* sign() - calculate and return signature for given input data
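Review bot: `const int key_len;` at L100 is the only field in the new struct crypto_algo without a comment, and it does double duty — rsa_verify() uses it both to size the hash buffer and as the RSA signature length it compares checksum_len against — so document it: `const int key_len; /* Length of the key, and of an RSA signature, in bytes */`. It is also declared int here while rsa_verify_key() receives it as uint32_t at L125; picking one width would avoid the signed/unsigned mix in the pad_len arithmetic. The sign() documentation of this struct continues past L102.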
int (*verify)(struct image_sign_info *info,
const struct image_region region[], int region_count,
uint8_t *sig, uint sig_len);
+};
+struct image_sig_algo {
+ const char *name;
+ /* pointer to cryptosystem algorithm */
+ struct crypto_algo *crypto;
/* pointer to checksum algorithm */
struct checksum_algo *checksum;
};
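Review bot: `const char *name;` at L108 lost the `/* Name of algorithm */` comment that moved to struct crypto_algo, and since it is the string the image_sig_algos table at L46, L54 and L62 keys on, it should say what format is expected: `const char *name; /* "<checksum>,<crypto>", e.g. "sha256,rsa2048" */`. The two pointers at L110 and L112 are fine, but a one-line note that name must agree with the crypto and checksum entries it is paired with would help whoever adds the next entry.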
* @sig: Signature
* @sig_len: Number of bytes in signature
* @hash: Pointer to the expected hash
- * @algo: Checksum algo structure having information on RSA padding etc.
+ * @key_len: Number of bytes in rsa key
+ * @algo: Checksum algo structure having information on DER encoding etc.
* @return 0 if verified, -ve on error
*/
static int rsa_verify_key(struct key_prop *prop, const uint8_t *sig,
const uint32_t sig_len, const uint8_t *hash,
- struct checksum_algo *algo)
+ const uint32_t key_len, struct checksum_algo *algo)
{
- const uint8_t *padding;
int pad_len;
int ret;
#if !defined(USE_HOSTCC)
return ret;
}
- pad_len = algo->key_len - algo->checksum_len;
+ pad_len = key_len - algo->checksum_len;
/* Check pkcs1.5 padding bytes. */
ret = rsa_verify_padding(buf, pad_len, algo);
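Review bot: `pad_len = key_len - algo->checksum_len;` at L134 now takes the key length from the algorithm table rather than from the signature being checked, and the modular-exponentiation result it then scans in rsa_verify_padding() lives in a buffer declared outside this hunk; if that buffer is sized from sig_len (the length of the signature and, presumably, of the key found in the FDT), a FIT whose signature node names rsa4096 while a 2048-bit key is installed would make the padding scan walk well past its end. Unless an equality check between sig_len and key_len already exists earlier in rsa_verify_key(), add one before the padding is inspected: `if (sig_len != key_len) return -EINVAL;`. Note too that key_len is uint32_t here while checksum_len is int, so the subtraction is unsigned and relies on the caller's checksum_len <= key_len guard to stay non-negative. rsa_verify_key() begins and ends outside this hunk.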
return -EFAULT;
}
- ret = rsa_verify_key(&prop, sig, sig_len, hash, info->algo->checksum);
+ ret = rsa_verify_key(&prop, sig, sig_len, hash,
+ info->algo->crypto->key_len,
+ info->algo->checksum);
return ret;
}
{
const void *blob = info->fdt_blob;
/* Reserve memory for maximum checksum-length */
- uint8_t hash[info->algo->checksum->key_len];
+ uint8_t hash[info->algo->crypto->key_len];
int ndepth, noffset;
int sig_node, node;
char name[100];
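Review bot: The comment at L147, `/* Reserve memory for maximum checksum-length */`, no longer explains why `info->algo->crypto->key_len` at L149 is the right size now that the length comes from the crypto algorithm rather than the checksum: the buffer is sized by the key length, and the checksum_len > key_len check further down the function is what keeps the hash within it. Suggest `/* Hash buffer sized by the key length; the check below ensures checksum_len fits */` so the dependency between the VLA and that check is visible at the declaration. The function continues beyond this hunk.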
* rsa-signature-length
*/
if (info->algo->checksum->checksum_len >
- info->algo->checksum->key_len) {
+ info->algo->crypto->key_len) {
debug("%s: invlaid checksum-algorithm %s for %s\n",
- __func__, info->algo->checksum->name, info->algo->name);
+ __func__, info->algo->checksum->name,
+ info->algo->crypto->name);
return -EINVAL;
}
node_name = fit_get_name(fit, noffset, NULL);
region.data = data;
region.size = size;
- ret = info.algo->sign(&info, ®ion, 1, &value, &value_len);
+ ret = info.algo->crypto->sign(&info, ®ion, 1, &value, &value_len);
if (ret) {
printf("Failed to sign '%s' signature node in '%s' image node: %d\n",
node_name, image_name, ret);
info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
if (keydest)
- ret = info.algo->add_verify_data(&info, keydest);
+ ret = info.algo->crypto->add_verify_data(&info, keydest);
else
return -1;
require_keys ? "conf" : NULL))
return -1;
- ret = info.algo->sign(&info, region, region_count, &value, &value_len);
+ ret = info.algo->crypto->sign(&info, region, region_count, &value,
+ &value_len);
free(region);
if (ret) {
printf("Failed to sign '%s' signature node in '%s' conf node\n",
/* Write the public key into the supplied FDT file */
if (keydest) {
- ret = info.algo->add_verify_data(&info, keydest);
+ ret = info.algo->crypto->add_verify_data(&info, keydest);
if (ret == -ENOSPC)
return -ENOSPC;
if (ret) {