sysadmin/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe synced 2026-04-04 03:00:20 +03:00
Code Issues Packages Projects Releases Wiki Activity

[crypto] Remove the concept of a public-key algorithm reusable context

Browse Source 
Instances of cipher and digest algorithms tend to get called
repeatedly to process substantial amounts of data.  This is not true
for public-key algorithms, which tend to get called only once or twice
for a given key.

Simplify the public-key algorithm API so that there is no reusable
algorithm context.  In particular, this allows callers to omit the
error handling currently required to handle memory allocation (or key
parsing) errors from pubkey_init(), and to omit the cleanup calls to
pubkey_final().

This change does remove the ability for a caller to distinguish
between a verification failure due to a memory allocation failure and
a verification failure due to a bad signature.  This difference is not
material in practice: in both cases, for whatever reason, the caller
was unable to verify the signature and so cannot proceed further, and
the cause of the error will be visible to the user via the return
status code.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2024-08-21 16:25:10 +01:00
parent acbabdb335
commit 46937a9df6
11 changed files with 304 additions and 398 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/drivers/net/iphone.c
View File

@@ -362,17 +362,9 @@ static int icert_cert ( struct icert *icert, struct asn1_cursor *subject,
struct asn1_builder raw = { NULL, 0 };
uint8_t digest_ctx[SHA256_CTX_SIZE];
uint8_t digest_out[SHA256_DIGEST_SIZE];
uint8_t pubkey_ctx[RSA_CTX_SIZE];
int len;
int rc;
/* Initialise "private" key */
if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, private ) ) != 0 ) {
DBGC ( icert, "ICERT %p could not initialise private key: "
"%s\n", icert, strerror ( rc ) );
goto err_pubkey_init;
}
/* Construct subjectPublicKeyInfo */
if ( ( rc = ( asn1_prepend_raw ( &spki, public->data, public->len ),
asn1_prepend_raw ( &spki, icert_nul,
@@ -406,14 +398,14 @@ static int icert_cert ( struct icert *icert, struct asn1_cursor *subject,
digest_update ( digest, digest_ctx, tbs.data, tbs.len );
digest_final ( digest, digest_ctx, digest_out );
/* Construct signature */
if ( ( rc = asn1_grow ( &raw, pubkey_max_len ( pubkey,
pubkey_ctx ) ) ) != 0 ) {
/* Construct signature using "private" key */
if ( ( rc = asn1_grow ( &raw,
pubkey_max_len ( pubkey, private ) ) ) != 0 ) {
DBGC ( icert, "ICERT %p could not build signature: %s\n",
icert, strerror ( rc ) );
goto err_grow;
}
if ( ( len = pubkey_sign ( pubkey, pubkey_ctx, digest, digest_out,
if ( ( len = pubkey_sign ( pubkey, private, digest, digest_out,
raw.data ) ) < 0 ) {
rc = len;
DBGC ( icert, "ICERT %p could not sign: %s\n",
@@ -452,8 +444,6 @@ static int icert_cert ( struct icert *icert, struct asn1_cursor *subject,
err_tbs:
free ( spki.data );
err_spki:
pubkey_final ( pubkey, pubkey_ctx );
err_pubkey_init:
return rc;
}