From 8239be61bdeb228863734a890b02d10006360a65 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Wed, 6 May 2020 08:03:56 -0600 Subject: lib: Allow MD5 to be enabled in SPL At present the MD5 option cannot be enabled by board configs since it has no Kconfig name. It is generally enabled, so long as FIT support is present. But not all boards use FIT, particularly in SPL Fix this and add an option for SPL as well. This allows board code to call md5() even if FIT support is not enabled. Signed-off-by: Simon Glass --- lib/Kconfig | 17 ++++++++++++++++- lib/Makefile | 2 +- 2 files changed, 17 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/lib/Kconfig b/lib/Kconfig index 868de3bf3b..c3f694afc0 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -363,7 +363,22 @@ config SHA_PROG_HW_ACCEL is performed in hardware. config MD5 - bool + bool "Support MD5 algorithm" + help + This option enables MD5 support. MD5 is an algorithm designed + in 1991 that produces a 16-byte digest (or checksum) from its input + data. It has a number of vulnerabilities which preclude its use in + security applications, but it can be useful for providing a quick + checksum of a block of data. + +config SPL_MD5 + bool "Support MD5 algorithm in SPL" + help + This option enables MD5 support in SPL. MD5 is an algorithm designed + in 1991 that produces a 16-byte digest (or checksum) from its input + data. It has a number of vulnerabilities which preclude its use in + security applications, but it can be useful for providing a quick + checksum of a block of data. config CRC32C bool diff --git a/lib/Makefile b/lib/Makefile index c6f862b0c2..6e688afa68 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -40,7 +40,6 @@ obj-$(CONFIG_GZIP_COMPRESSED) += gzip.o obj-$(CONFIG_GENERATE_SMBIOS_TABLE) += smbios.o obj-$(CONFIG_IMAGE_SPARSE) += image-sparse.o obj-y += ldiv.o -obj-$(CONFIG_MD5) += md5.o obj-$(CONFIG_XXHASH) += xxhash.o obj-y += net_utils.o obj-$(CONFIG_PHYSMEM) += physmem.o @@ -59,6 +58,7 @@ obj-$(CONFIG_TPM_V2) += tpm-v2.o endif obj-$(CONFIG_$(SPL_)ACPIGEN) += acpi/ +obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o -- cgit From 0ff042d836f2a40b2104d4501111fbb340293c5c Mon Sep 17 00:00:00 2001 From: Jonathan Gray Date: Fri, 15 May 2020 22:20:34 +1000 Subject: rsa: don't use malloc.h in rsa-sign.c stdlib.h is the header for malloc since at least c89/c90. There is no system malloc.h on OpenBSD and trying to use malloc.h here falls back to the U-Boot malloc.h breaking the build of qemu_arm64. Fixes: 336d4615f8 ("dm: core: Create a new header file for 'compat' features") Signed-off-by: Jonathan Gray --- lib/rsa/rsa-sign.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 580c744709..621ddc4350 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -4,7 +4,7 @@ */ #include "mkimage.h" -#include +#include #include #include #include -- cgit From 48069ff84fe5e5e0ad733bef4718e02600b518c4 Mon Sep 17 00:00:00 2001 From: Jan Kiszka Date: Thu, 7 May 2020 20:36:13 +0200 Subject: lib: rsa: Also check for presence of r-squared property Better than crashing later if it is missing. Signed-off-by: Jan Kiszka --- lib/rsa/rsa-verify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index 80e817314b..f7ae174cb0 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -445,7 +445,7 @@ static int rsa_verify_with_keynode(struct image_sign_info *info, prop.rr = fdt_getprop(blob, node, "rsa,r-squared", NULL); - if (!prop.num_bits || !prop.modulus) { + if (!prop.num_bits || !prop.modulus || !prop.rr) { debug("%s: Missing RSA key info", __func__); return -EFAULT; } -- cgit From 24bf6e84ce22cd1b53cb79e4f89a4036af7e9c6b Mon Sep 17 00:00:00 2001 From: Jan Luebbe Date: Wed, 13 May 2020 12:26:24 +0200 Subject: lib: rsa: avoid overriding the object name when already specified If "object=" is specified in "keydir" when using the pkcs11 engine do not append another "object=". This makes it possible to use object names other than the key name hint. These two string identifiers are not necessarily equal. Signed-off-by: Jan Luebbe Signed-off-by: Bastian Krause Reviewed-by: George McCollister --- lib/rsa/rsa-sign.c | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'lib') diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 621ddc4350..40ca1e1f57 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name, if (engine_id && !strcmp(engine_id, "pkcs11")) { if (keydir) - snprintf(key_id, sizeof(key_id), - "pkcs11:%s;object=%s;type=public", - keydir, name); + if (strstr(keydir, "object=")) + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;type=public", + keydir); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;object=%s;type=public", + keydir, name); else snprintf(key_id, sizeof(key_id), "pkcs11:object=%s;type=public", @@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name, if (engine_id && !strcmp(engine_id, "pkcs11")) { if (keydir) - snprintf(key_id, sizeof(key_id), - "pkcs11:%s;object=%s;type=private", - keydir, name); + if (strstr(keydir, "object=")) + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;type=private", + keydir); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;object=%s;type=private", + keydir, name); else snprintf(key_id, sizeof(key_id), "pkcs11:object=%s;type=private", -- cgit