Commit a79df348 authored by Konstantin Porotchkin's avatar Konstantin Porotchkin Committed by Manish Pandey

tools: doimage: migrate to mbedtls v2.8 APIs


Replace deprecated mbedtls_sha256 with mbedtls_sha256_ret
The mbedtls_pk_parse_key does not work correctly anymore
with the DER buffer embedded in the secure image extension
using the buffer size as the key length.
Move to mbedtls_pk_parse_subpubkey API that handles such
case correctly.
The DER format already contains the key length, so there
is no particular reason to supply it to the key parser.
Update the doimage version to 3.3

Change-Id: I0ec5ee84b7d1505b43138e0b7a6bdba44a6702b6
Signed-off-by: default avatarKonstantin Porotchkin <kostap@marvell.com>
parent b3be0c70
Showing with 12 additions and 8 deletions
+12 -8
......@@ -51,7 +51,7 @@
/* Number of address pairs in control array */
#define CP_CTRL_EL_ARRAY_SZ 32
#define VERSION_STRING "Marvell(C) doimage utility version 3.2"
#define VERSION_STRING "Marvell(C) doimage utility version 3.3"
/* A8K definitions */
......@@ -303,7 +303,7 @@ int create_rsa_signature(mbedtls_pk_context *pk_ctx,
MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
/* First compute the SHA256 hash for the input blob */
mbedtls_sha256(input, ilen, hash, 0);
mbedtls_sha256_ret(input, ilen, hash, 0);
/* Then calculate the hash signature */
rval = mbedtls_rsa_rsassa_pss_sign(mbedtls_pk_rsa(*pk_ctx),
......@@ -354,6 +354,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
mbedtls_pk_context pk_ctx;
unsigned char hash[32];
int rval;
unsigned char *pkey = (unsigned char *)pub_key;
/* Not sure this is required,
* but it's safer to start with empty buffer
......@@ -373,8 +374,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
}
/* Check ability to read the public key */
rval = mbedtls_pk_parse_public_key(&pk_ctx, pub_key,
MAX_RSA_DER_BYTE_LEN);
rval = mbedtls_pk_parse_subpubkey(&pkey, pub_key + klen, &pk_ctx);
if (rval != 0) {
fprintf(stderr, " Failed in pk_parse_public_key (%#x)!\n",
rval);
......@@ -387,7 +387,7 @@ int verify_rsa_signature(const unsigned char *pub_key,
MBEDTLS_MD_SHA256);
/* Compute the SHA256 hash for the input buffer */
mbedtls_sha256(input, ilen, hash, 0);
mbedtls_sha256_ret(input, ilen, hash, 0);
rval = mbedtls_rsa_rsassa_pss_verify(mbedtls_pk_rsa(pk_ctx),
mbedtls_ctr_drbg_random,
......@@ -458,7 +458,7 @@ int image_encrypt(uint8_t *buf, uint32_t blen)
/* compute SHA-256 digest of the results
* and use it as the init vector (IV)
*/
mbedtls_sha256(IV, AES_BLOCK_SZ, digest, 0);
mbedtls_sha256_ret(IV, AES_BLOCK_SZ, digest, 0);
memcpy(IV, digest, AES_BLOCK_SZ);
mbedtls_aes_setkey_enc(&aes_ctx, opts.sec_opts->aes_key,
AES_KEY_BIT_LEN);
......@@ -880,11 +880,13 @@ int format_sec_ext(char *filename, FILE *out_fd)
fname);
return 1;
}
/* Data in the output buffer is aligned to the buffer end */
der_buf_start = output_buf + sizeof(output_buf) - output_len;
/* In the header DER data is aligned
* to the start of appropriate field
*/
bzero(out_der_key, MAX_RSA_DER_BYTE_LEN);
memcpy(out_der_key, der_buf_start, output_len);
} /* for every private key file */
......@@ -899,8 +901,10 @@ int format_sec_ext(char *filename, FILE *out_fd)
fprintf(stderr, "Failed to sign CSK keys block!\n");
return 1;
}
/* Check that everything is correct */
if (verify_rsa_signature(sec_ext.kak_key, MAX_RSA_DER_BYTE_LEN,
if (verify_rsa_signature(sec_ext.kak_key,
MAX_RSA_DER_BYTE_LEN,
&sec_ext.csk_keys[0][0],
sizeof(sec_ext.csk_keys),
opts.sec_opts->kak_key_file,
......@@ -1333,7 +1337,7 @@ int parse_image(uint8_t *buf, int size)
goto error;
}
mbedtls_sha256(sec_entry->kak_key,
mbedtls_sha256_ret(sec_entry->kak_key,
MAX_RSA_DER_BYTE_LEN, hash, 0);
fprintf(stdout,
">>>>>>>>>> KAK KEY HASH >>>>>>>>>>\n");
......
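Review bot: The return value of `mbedtls_sha256_ret` is discarded at every converted call site, so a failed digest computation would go unnoticed even though the `_ret` variant exists to report it. In `create_rsa_signature` and `verify_rsa_signature` the `hash` buffer is then passed straight to the RSASSA-PSS sign/verify call, in `image_encrypt` the digest becomes the IV, and in `parse_image` it is printed as the KAK key hash. Since `rval` is already declared in `verify_rsa_signature`, the call there could read `rval = mbedtls_sha256_ret(input, ilen, hash, 0);` followed by the same `if (rval != 0)` failure handling used after the key parse, and the other three functions need the equivalent check. All of these function bodies extend beyond the hunks shown, so the exact cleanup path has to be matched to each one.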