@@ -137,7 +137,7 @@ int copyfile(int fdin, void *out, unsigned int nbytes, unsigned long *offs, unsi
}
if (IsValidHash(hash)) {
- dgst = swupdate_HASH_init();
+ dgst = swupdate_HASH_init(SHA_DEFAULT);
if (!dgst)
return -EFAULT;
}
@@ -29,12 +29,12 @@
#define BUFSIZE (1024 * 8)
-static int dgst_init(struct swupdate_digest *dgst)
+static int dgst_init(struct swupdate_digest *dgst, const EVP_MD *md)
{
int rc;
ERR_clear_error();
- rc = EVP_DigestInit_ex(dgst->ctx, EVP_sha256(), NULL);
+ rc = EVP_DigestInit_ex(dgst->ctx, md, NULL);
if (rc != 1) {
ERROR("EVP_DigestInit_ex failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
return -EINVAL; /* failed */
@@ -158,7 +158,7 @@ int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile,
goto out;
}
- if ((dgst_init(dgst) < 0) || (dgst_verify_init(dgst) < 0)) {
+ if ((dgst_init(dgst, EVP_sha256()) < 0) || (dgst_verify_init(dgst) < 0)) {
status = -ENOKEY;
goto out;
}
@@ -331,9 +331,10 @@ out:
return status;
}
#endif
-struct swupdate_digest *swupdate_HASH_init(void)
+struct swupdate_digest *swupdate_HASH_init(const char *SHAlength)
{
struct swupdate_digest *dgst;
+ const EVP_MD *md;
int ret;
dgst = calloc(1, sizeof(*dgst));
@@ -341,6 +342,11 @@ struct swupdate_digest *swupdate_HASH_init(void)
return NULL;
}
+ if ((!SHAlength) || strcmp(SHAlength, "sha1"))
+ md = EVP_sha256();
+ else
+ md = EVP_sha1();
+
dgst->ctx = EVP_MD_CTX_create();
if(dgst->ctx == NULL) {
ERROR("EVP_MD_CTX_create failed, error 0x%lx\n", ERR_get_error());
@@ -348,7 +354,7 @@ struct swupdate_digest *swupdate_HASH_init(void)
return NULL;
}
- ret = dgst_init(dgst);
+ ret = dgst_init(dgst, md);
if (ret) {
free(dgst);
return NULL;
@@ -363,7 +369,8 @@ int swupdate_HASH_update(struct swupdate_digest *dgst, unsigned char *buf,
if (!dgst)
return -EFAULT;
- EVP_DigestUpdate (dgst->ctx, buf, len);
+ if (EVP_DigestUpdate (dgst->ctx, buf, len) != 1)
+ return -EIO;
return 0;
}
@@ -20,12 +20,14 @@
#ifndef _SWUPDATE_SSL_H
#define _SWUPDATE_SSL_H
+#define SHA_DEFAULT "sha256"
+
/*
* openSSL is not mandatory
* Let compile when openSSL is not activated
*/
-#if defined(CONFIG_HASH_VERIFY) || defined(CONFIG_ENCRYPTED_IMAGES)
-
+#if defined(CONFIG_HASH_VERIFY) || defined(CONFIG_ENCRYPTED_IMAGES) || \
+ defined(CONFIG_SURICATTA_SSL)
#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/err.h>
@@ -35,6 +37,7 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/aes.h>
+
#ifdef CONFIG_SIGALG_CMS
#if defined(LIBRESSL_VERSION_NUMBER)
#error "LibreSSL does not support CMS, please select RSA PKCS"
@@ -42,6 +45,7 @@
#include <openssl/cms.h>
#endif
#endif
+
#include <openssl/opensslv.h>
struct swupdate_digest {
@@ -84,7 +88,7 @@ struct swupdate_digest {
#if defined(CONFIG_HASH_VERIFY)
int swupdate_dgst_init(struct swupdate_cfg *sw, const char *keyfile);
-struct swupdate_digest *swupdate_HASH_init(void);
+struct swupdate_digest *swupdate_HASH_init(const char *SHALength);
int swupdate_HASH_update(struct swupdate_digest *dgst, unsigned char *buf,
size_t len);
int swupdate_HASH_final(struct swupdate_digest *dgst, unsigned char *md_value,
@@ -99,8 +103,8 @@ int swupdate_HASH_compare(unsigned char *hash1, unsigned char *hash2);
#define swupdate_dgst_init(sw, keyfile) ( 0 )
#define swupdate_HASH_init(p) ( NULL )
#define swupdate_verify_file(dgst, sigfile, file) ( 0 )
-#define swupdate_HASH_update(p, buf, len)
-#define swupdate_HASH_final(p, result, len)
+#define swupdate_HASH_update(p, buf, len) (-1)
+#define swupdate_HASH_final(p, result, len) (-1)
#define swupdate_HASH_cleanup(sw)
#define swupdate_HASH_compare(hash1,hash2) (0)
#endif
@@ -123,5 +127,12 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst);
#define swupdate_DECRYPT_cleanup(p)
#endif
+/*
+ * if openSSL is not selected
+ */
+#ifndef SHA_DIGEST_LENGTH
+#define SHA_DIGEST_LENGTH 20
+#endif
+
#endif
SWUpdate uses only sha256 to compute hashes. Add a parameter to swupdate_HASH_init to let decide the caller the alg to be used. Signed-off-by: Stefano Babic <sbabic@denx.de> --- core/cpio_utils.c | 2 +- corelib/verify_signature.c | 19 +++++++++++++------ include/sslapi.h | 21 ++++++++++++++++----- 3 files changed, 30 insertions(+), 12 deletions(-)