From 8c7c084e0fa83588df743c4e84b02e3a09738e2b Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Wed, 29 Apr 2026 15:05:20 +0100 Subject: [PATCH] [crypto] Fail all operations for the null public-key algorithm The null crypto algorithms are intended to do nothing: the null digest algorithm accepts all input and generates a zero-length digest, and the null cipher algorithm simply copies the input unmodifed to the output. The null public-key algorithm currently does nothing successfully. Unlike the null digest and cipher algorithms, the null public-key algorithm's methods are never called. Change the null public-key algorithm to fail all operations, thereby allowing its methods to be used as stubs by algorithms such as ECDSA that do not implement all of the possible public-key operations. Signed-off-by: Michael Brown --- src/crypto/crypto_null.c | 9 +++++---- src/crypto/ecdsa.c | 36 ++---------------------------------- src/include/ipxe/errfile.h | 1 + 3 files changed, 8 insertions(+), 38 deletions(-) diff --git a/src/crypto/crypto_null.c b/src/crypto/crypto_null.c index 8637987b1..687083be9 100644 --- a/src/crypto/crypto_null.c +++ b/src/crypto/crypto_null.c @@ -31,6 +31,7 @@ FILE_SECBOOT ( PERMITTED ); */ #include +#include #include void digest_null_init ( void *ctx __unused ) { 
@@ -97,27 +98,27 @@ struct cipher_algorithm cipher_null = { int pubkey_null_encrypt ( const struct asn1_cursor *key __unused, const struct asn1_cursor *plaintext __unused, struct asn1_builder *ciphertext __unused ) { - return 0; + return -ENOTTY; } int pubkey_null_decrypt ( const struct asn1_cursor *key __unused, const struct asn1_cursor *ciphertext __unused, struct asn1_builder *plaintext __unused ) { - return 0; + return -ENOTTY; } int pubkey_null_sign ( const struct asn1_cursor *key __unused, struct digest_algorithm *digest __unused, const void *value __unused, struct asn1_builder *signature __unused ) { - return 0; + return -ENOTTY; } int pubkey_null_verify ( const struct asn1_cursor *key __unused, struct digest_algorithm *digest __unused, const void *value __unused, const struct asn1_cursor *signature __unused ) { - return 0; + return -ENOTTY; } struct pubkey_algorithm pubkey_null = { diff --git a/src/crypto/ecdsa.c b/src/crypto/ecdsa.c index 6f10a1a0f..5be4b4b21 100644 --- a/src/crypto/ecdsa.c +++ b/src/crypto/ecdsa.c @@ -765,38 +765,6 @@ static int ecdsa_verify_rs ( struct ecdsa_context *ctx ) { return ( valid ? 0 : -EINVAL_SIGNATURE ); } -/** - * Encrypt using ECDSA - * - * @v key Key - * @v plaintext Plaintext - * @v ciphertext Ciphertext - * @ret rc Return status code - */ -static int ecdsa_encrypt ( const struct asn1_cursor *key __unused, - const struct asn1_cursor *plaintext __unused, - struct asn1_builder *ciphertext __unused ) { - - /* Not a defined operation for ECDSA */ - return -ENOTTY; -} - -/** - * Decrypt using ECDSA - * - * @v key Key - * @v ciphertext Ciphertext - * @v plaintext Plaintext - * @ret rc Return status code - */ -static int ecdsa_decrypt ( const struct asn1_cursor *key __unused, - const struct asn1_cursor *ciphertext __unused, - struct asn1_builder *plaintext __unused ) { - - /* Not a defined operation for ECDSA */ - return -ENOTTY; -} - /** * Sign digest value using ECDSA * 
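Review bot: In src/crypto/crypto_null.c the four `pubkey_null_*` functions have no comment stating that they must always fail, yet after this change other algorithms rely on exactly that. `pubkey_null_verify` is the sensitive one: a zero return is what callers read as a valid signature (compare `return ( valid ? 0 : -EINVAL_SIGNATURE );` in `ecdsa_verify_rs`), so a later edit back to `return 0;` would make every algorithm that borrows the stub fail open. I would add a comment above the group such as `/* Null public-key operations always fail; these stubs must never return success */`. The definition of `pubkey_null` continues past the end of the hunk, so its remaining members are not visible here.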
@@ -936,8 +904,8 @@ static int ecdsa_match ( const struct asn1_cursor *private_key, /** ECDSA public-key algorithm */ struct pubkey_algorithm ecdsa_algorithm = { .name = "ecdsa", - .encrypt = ecdsa_encrypt, - .decrypt = ecdsa_decrypt, + .encrypt = pubkey_null_encrypt, + .decrypt = pubkey_null_decrypt, .sign = ecdsa_sign, .verify = ecdsa_verify, .match = ecdsa_match, diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h index dbd3c9963..a2e3ff891 100644 --- a/src/include/ipxe/errfile.h +++ b/src/include/ipxe/errfile.h @@ -449,6 +449,7 @@ FILE_SECBOOT ( PERMITTED ); #define ERRFILE_efi_cacert ( ERRFILE_OTHER | 0x00670000 ) #define ERRFILE_ecdhe ( ERRFILE_OTHER | 0x00680000 ) #define ERRFILE_ecdsa ( ERRFILE_OTHER | 0x00690000 ) +#define ERRFILE_crypto_null ( ERRFILE_OTHER | 0x006a0000 ) /** @} */
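Review bot: In `ecdsa_algorithm` (src/crypto/ecdsa.c) the `.encrypt` and `.decrypt` members now point at `pubkey_null_encrypt` and `pubkey_null_decrypt` with nothing at the initialiser saying why, because the "Not a defined operation for ECDSA" comments were removed together with the old stubs. A short comment on those two lines, for example `/* Not defined for ECDSA: the null stubs always fail */`, would keep that intent visible to the next reader. ECDSA's rejection of these operations now depends on the return value chosen in crypto_null.c, and the resulting error will presumably be attributed to `ERRFILE_crypto_null` rather than `ERRFILE_ecdsa`, which is worth stating in the same comment. The closing lines of the initialiser fall outside the hunk.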