mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH 0/6] crypto: ecdsa: fix fallout
@ 2024-10-09 14:01 Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 1/6] crypto: reorder ECDSA Kconfig entries Ahmad Fatoum
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox

A number of these commits can be squashed into next, but I leave it to
Sascha whether he wants to do that or just apply them afterwards.

Ahmad Fatoum (6):
  crypto: reorder ECDSA Kconfig entries
  crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
  keytoc: return error on failure to set PKCS#11 pin
  crypto: ecdsa: make crypto/ecdsa.h header self-containing
  test: self: jwt: regenerate jwt_test.pem.c_shipped
  test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC

 crypto/Kconfig                   | 14 +++++++-------
 crypto/rsa.c                     |  5 +++--
 include/crypto/ecdsa.h           |  4 ++++
 scripts/keytoc.c                 |  1 +
 test/self/Makefile               |  2 +-
 test/self/jwt_test.pem.c_shipped |  2 +-
 6 files changed, 17 insertions(+), 11 deletions(-)

-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 1/6] crypto: reorder ECDSA Kconfig entries
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled Ahmad Fatoum
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

barebox now supports two signature algorithms and it makes sense to
group them together in the Kconfig and not have other options like
KEYSTORE or JWT between them.

No functional change.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 crypto/Kconfig | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 45011802e360..191bd5102627 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -115,10 +115,17 @@ config CRYPTO_PBKDF2
 	select DIGEST_HMAC_GENERIC
 	bool
 
+config CRYPTO_ECC
+	bool
+
 config CRYPTO_RSA
 	bool "RSA support"
 	default y if FITIMAGE_SIGNATURE
 
+config CRYPTO_ECDSA
+	bool "ECDSA support"
+	select CRYPTO_ECC
+
 config CRYPTO_BUILTIN_KEYS
 	bool "builtin keys"
 	select KEYTOC
@@ -149,11 +156,4 @@ config JWT
 	select BASE64
 	select CRYPTO_RSA
 
-config CRYPTO_ECC
-	bool
-
-config CRYPTO_ECDSA
-	bool "ECDSA support"
-	select CRYPTO_ECC
-
 endmenu
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 1/6] crypto: reorder ECDSA Kconfig entries Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 3/6] keytoc: return error on failure to set PKCS#11 pin Ahmad Fatoum
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

Enabling CONFIG_CRYPTO_RSA, but not CONFIG_CRYPTO_BUILTIN_KEYS currently
results in a linker error:

  crypto/rsa.c:484: undefined reference to `public_key_add'

Fix this by only calling public_key_add() if we have
CONFIG_CRYPTO_BUILTIN_KEYS=y. If that option is disabled, it means only
standalone keys can be used.

Fixes: 54caa724c737 ("crypto: add public_key functions")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 crypto/rsa.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/rsa.c b/crypto/rsa.c
index 04b6c9d8c729..d3a48b6809de 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -488,11 +488,12 @@ static void rsa_init_keys_of(void)
 	}
 }
 
-static int rsa_init_keys(void)
+static __maybe_unused int rsa_init_keys(void)
 {
 	rsa_init_keys_of();
 
 	return 0;
 }
-
+#ifdef CONFIG_CRYPTO_BUILTIN_KEYS
 device_initcall(rsa_init_keys);
+#endif
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 3/6] keytoc: return error on failure to set PKCS#11 pin
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 1/6] crypto: reorder ECDSA Kconfig entries Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing Ahmad Fatoum
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

ret is used uninitialized when ENGINE_ctrl_cmd_string() fails.
Fix this by explicitly setting it to -1 to indicate an error.

Fixes: 128ad3cbe043 ("scripts: Add rsatoc tool")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 scripts/keytoc.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 5041c09a0e9f..d5c8aa2e1216 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -123,6 +123,7 @@ static int engine_init(ENGINE **pe)
 
 	if (key_pass) {
 		if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+			ret = -1;
 			fprintf(stderr, "Cannot set PKCS#11 PIN\n");
 			goto err_set_rsa;
 		}
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
                   ` (2 preceding siblings ...)
  2024-10-09 14:01 ` [PATCH 3/6] keytoc: return error on failure to set PKCS#11 pin Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped Ahmad Fatoum
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

Currently, generating standalone keys fails, because the header
references symbols that aren't defined within.

Fixes: c949c6ab360c ("crypto: add ECDSA support")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 include/crypto/ecdsa.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/crypto/ecdsa.h b/include/crypto/ecdsa.h
index 1d6340c64513..2e2b359d96cf 100644
--- a/include/crypto/ecdsa.h
+++ b/include/crypto/ecdsa.h
@@ -2,6 +2,10 @@
 #ifndef _ECDSA_H
 #define _ECDSA_H
 
+#include <linux/types.h>
+#include <linux/list.h>
+#include <errno.h>
+
 struct ecdsa_public_key {
 	const char *curve_name;	/* Name of curve, e.g. "prime256v1" */
 	const uint64_t *x;	/* x coordinate of public key */
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
                   ` (3 preceding siblings ...)
  2024-10-09 14:01 ` [PATCH 4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-09 14:01 ` [PATCH 6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC Ahmad Fatoum
  2024-10-14 11:31 ` [PATCH 0/6] crypto: ecdsa: fix fallout Sascha Hauer
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

As not to require OpenSSL for normal selftest builds, a pregenerated C
file for the JWT PEM is being shipped in the source code.

This got outdated with recent changes, so let's regenerate it.

Fixes: 54caa724c737 ("crypto: add public_key functions")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/self/jwt_test.pem.c_shipped | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/self/jwt_test.pem.c_shipped b/test/self/jwt_test.pem.c_shipped
index 16248f0ddb1e..5d4df1107cf5 100644
--- a/test/self/jwt_test.pem.c_shipped
+++ b/test/self/jwt_test.pem.c_shipped
@@ -1,3 +1,4 @@
+#include <crypto/ecdsa.h>
 #include <crypto/rsa.h>
 
 static uint32_t jwt_test_modulus[] = {
@@ -45,5 +46,4 @@ struct rsa_public_key __key_jwt_test = {
 	.modulus = jwt_test_modulus,
 	.rr = jwt_test_rr,
 	.exponent = 0x10001,
-	.key_name_hint = "jwt_test",
 };
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH 6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
                   ` (4 preceding siblings ...)
  2024-10-09 14:01 ` [PATCH 5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
  2024-10-14 11:31 ` [PATCH 0/6] crypto: ecdsa: fix fallout Sascha Hauer
  6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

Commit 7b51f76a4534 ("rsatoc: rename to keytoc") reflects that the tool
now also supports ECDSA. Therefore, let's rename the environment variable
that we use to regenerate the C code from the JWT PEM accordingly.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 test/self/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/self/Makefile b/test/self/Makefile
index 6390c4afd478..666a8f9ee7e2 100644
--- a/test/self/Makefile
+++ b/test/self/Makefile
@@ -19,7 +19,7 @@ obj-$(CONFIG_SELFTEST_REGULATOR) += regulator.o test_regulator.dtbo.o
 obj-$(CONFIG_SELFTEST_TEST_COMMAND) += test_command.o
 obj-$(CONFIG_SELFTEST_IDR) += idr.o
 
-ifdef REGENERATE_RSATOC
+ifdef REGENERATE_KEYTOC
 
 $(obj)/jwt_test.pem.c_shipped: $(src)/jwt_test.pem FORCE
 	$(call if_changed,public_keys,$(basename $(target-stem)):$<,-s)
-- 
2.39.5




^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH 0/6] crypto: ecdsa: fix fallout
  2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
                   ` (5 preceding siblings ...)
  2024-10-09 14:01 ` [PATCH 6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC Ahmad Fatoum
@ 2024-10-14 11:31 ` Sascha Hauer
  6 siblings, 0 replies; 8+ messages in thread
From: Sascha Hauer @ 2024-10-14 11:31 UTC (permalink / raw)
  To: barebox, Ahmad Fatoum


On Wed, 09 Oct 2024 16:01:49 +0200, Ahmad Fatoum wrote:
> A number of these commits can be squashed into next, but I leave it to
> Sascha whether he wants to do that or just apply them afterwards.
> 
> Ahmad Fatoum (6):
>   crypto: reorder ECDSA Kconfig entries
>   crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
>   keytoc: return error on failure to set PKCS#11 pin
>   crypto: ecdsa: make crypto/ecdsa.h header self-containing
>   test: self: jwt: regenerate jwt_test.pem.c_shipped
>   test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
> 
> [...]

Applied, thanks!

[1/6] crypto: reorder ECDSA Kconfig entries
      https://git.pengutronix.de/cgit/barebox/commit/?id=0b8306660f2e (link may not be stable)
[2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
      (no commit info)
[3/6] keytoc: return error on failure to set PKCS#11 pin
      https://git.pengutronix.de/cgit/barebox/commit/?id=3c7efb02d7f0 (link may not be stable)
[4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing
      (no commit info)
[5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped
      https://git.pengutronix.de/cgit/barebox/commit/?id=011c6cc73aa9 (link may not be stable)
[6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
      https://git.pengutronix.de/cgit/barebox/commit/?id=3c884a974661 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>




^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2024-10-14 13:23 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 1/6] crypto: reorder ECDSA Kconfig entries Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 3/6] keytoc: return error on failure to set PKCS#11 pin Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC Ahmad Fatoum
2024-10-14 11:31 ` [PATCH 0/6] crypto: ecdsa: fix fallout Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox