From patchwork Tue Jan 18 11:12:37 2022
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 532865
From: Ilias Apalodimas
To: xypron.glpk@gmx.de, takahiro.akashi@linaro.org
Cc: Ilias Apalodimas, u-boot@lists.denx.de
Subject: [PATCH] lib/crypto: Enable more algorithms in cert verification
Date: Tue, 18 Jan 2022 13:12:37 +0200
Message-Id: <20220118111238.321742-1-ilias.apalodimas@linaro.org>

Right now the code explicitly limits us to sha1,256 hashes with RSA2048
encryption. But the limitation is artificial since U-Boot supports
a wider range of algorithms.

The internal image_get_[checksum|crypto]_algo() functions expect an
argument in the format of ,. So let's remove the size checking and
create the needed string on the fly in order to support more
hash/signing combinations.

Signed-off-by: Ilias Apalodimas

--- lib/crypto/public_key.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index df6033cdb499..b783c63f5a51 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -97,6 +97,7 @@ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig) { struct image_sign_info info; + char algo[256]; int ret; pr_devel("==>%s()\n", __func__); 
@@ -108,29 +109,27 @@ int public_key_verify_signature(const struct public_key *pkey, return -EINVAL; memset(&info, '\0', sizeof(info)); + memset(algo, 0, sizeof(algo)); info.padding = image_get_padding_algo("pkcs-1.5"); /* * Note: image_get_[checksum|crypto]_algo takes a string * argument like "," * TODO: support other hash algorithms */ - if (strcmp(sig->pkey_algo, "rsa") || (sig->s_size * 8) != 2048) { - pr_warn("Encryption is not RSA2048: %s%d\n", - sig->pkey_algo, sig->s_size * 8); - return -ENOPKG; - } - if (!strcmp(sig->hash_algo, "sha1")) { - info.checksum = image_get_checksum_algo("sha1,rsa2048"); - info.name = "sha1,rsa2048"; - } else if (!strcmp(sig->hash_algo, "sha256")) { - info.checksum = image_get_checksum_algo("sha256,rsa2048"); - info.name = "sha256,rsa2048"; - } else { - pr_warn("unknown msg digest algo: %s\n", sig->hash_algo); + if (strcmp(sig->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); return -ENOPKG; } + ret = snprintf(algo, sizeof(algo), "%s,%s%d", sig->hash_algo, + sig->pkey_algo, sig->s_size * 8); + + if (ret >= sizeof(algo)) + return -EINVAL; + + info.checksum = image_get_checksum_algo((const char *)algo); + info.name = (const char *)algo; info.crypto = image_get_crypto_algo(info.name); - if (IS_ERR(info.checksum) || IS_ERR(info.crypto)) + if (!info.checksum || !info.crypto) return -ENOPKG; info.key = pkey->key;
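Review bot: In the first hunk (@@ -97,6 +97,7 @@), `char algo[256];` is much larger than anything this function formats into it. The only producer is the "%s,%s%d" snprintf() in the second hunk, which yields names of the "sha256,rsa2048" kind. Consider a smaller buffer sized by a named constant for the longest supported algorithm name, so the expected format is documented at the declaration and less stack is used. The truncation check on the snprintf() result still rejects anything longer.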
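Review bot: In the second hunk (@@ -108,29 +109,27 @@), dropping `(sig->s_size * 8) != 2048` removes the only key-size policy check in this function. The accepted size is now whatever image_get_crypto_algo() recognises for a name built from the signature length, and the same applies to the hash name copied from sig->hash_algo. Please either keep an explicit lower bound here or state in the commit message which names the lookup tables accept, so that smaller moduli or weaker digests are not enabled as a side effect. Related points on the same lines: the final `return -ENOPKG` is now silent where the old code printed the unknown digest, so a pr_err() showing the `algo` string would help debugging; the switch from IS_ERR() to NULL checks is not mentioned in the commit message and deserves a sentence on what the getters return on failure; `ret >= sizeof(algo)` only catches a negative snprintf() return through the int to size_t conversion, so `ret < 0 ||` should be explicit; the memset() of `algo` and the `(const char *)` casts are unnecessary; and the context comment "TODO: support other hash algorithms" is stale after this change.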