diff --git a/boot/bootutil/include/bootutil/crypto/ecdh_p256.h b/boot/bootutil/include/bootutil/crypto/ecdh_p256.h index 962535cbc..754466812 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdh_p256.h +++ b/boot/bootutil/include/bootutil/crypto/ecdh_p256.h @@ -35,6 +35,7 @@ extern "C" { #if defined(MCUBOOT_USE_TINYCRYPT) typedef uintptr_t bootutil_ecdh_p256_context; +typedef bootutil_ecdh_p256_context bootutil_key_xchange_ctx; static inline void bootutil_ecdh_p256_init(bootutil_ecdh_p256_context *ctx) { (void)ctx; diff --git a/boot/bootutil/include/bootutil/crypto/ecdh_x25519.h b/boot/bootutil/include/bootutil/crypto/ecdh_x25519.h index 1d11b6473..4fb79eb34 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdh_x25519.h +++ b/boot/bootutil/include/bootutil/crypto/ecdh_x25519.h @@ -26,6 +26,7 @@ extern int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32], const uint8_t peer_public_value[32]); typedef uintptr_t bootutil_ecdh_x25519_context; +typedef bootutil_ecdh_x25519_context bootutil_key_xchange_ctx; static inline void bootutil_ecdh_x25519_init(bootutil_ecdh_x25519_context *ctx) { (void)ctx; diff --git a/boot/bootutil/include/bootutil/crypto/rsa.h b/boot/bootutil/include/bootutil/crypto/rsa.h index 581e4ec9b..6bc8705b0 100644 --- a/boot/bootutil/include/bootutil/crypto/rsa.h +++ b/boot/bootutil/include/bootutil/crypto/rsa.h @@ -68,6 +68,7 @@ extern "C" { typedef struct { psa_key_id_t key_id; } bootutil_rsa_context; +typedef bootutil_rsa_context bootutil_key_xchange_ctx; static inline void bootutil_rsa_init(bootutil_rsa_context *ctx) { @@ -176,6 +177,7 @@ static inline int bootutil_rsassa_pss_verify(const bootutil_rsa_context *ctx, #elif defined(MCUBOOT_USE_MBED_TLS) typedef mbedtls_rsa_context bootutil_rsa_context; +typedef bootutil_rsa_context bootutil_key_xchange_ctx; static inline void bootutil_rsa_init(bootutil_rsa_context *ctx) { diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index b4d0bddde..1c5e02d96 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -264,15 +264,15 @@ parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key) * @param okm_len On input the requested length; on output the generated length */ static int -hkdf(uint8_t *ikm, uint16_t ikm_len, uint8_t *info, uint16_t info_len, - uint8_t *okm, uint16_t *okm_len) +hkdf(const uint8_t *ikm, size_t ikm_len, const uint8_t *info, size_t info_len, + uint8_t *okm, size_t *okm_len) { bootutil_hmac_sha256_context hmac; uint8_t salt[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; uint8_t prk[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; uint8_t T[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; - uint16_t off; - uint16_t len; + size_t off; + size_t len; uint8_t counter; bool first; int rc; @@ -405,29 +405,20 @@ static int fake_rng(void *p_rng, unsigned char *output, size_t len) int boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) { -#if defined(MCUBOOT_ENCRYPT_RSA) - bootutil_rsa_context rsa; - uint8_t *cp; - uint8_t *cpend; - size_t olen; -#endif -#if defined(MCUBOOT_ENCRYPT_EC256) - bootutil_ecdh_p256_context ecdh_p256; -#endif -#if defined(MCUBOOT_ENCRYPT_X25519) - bootutil_ecdh_x25519_context ecdh_x25519; -#endif + bootutil_key_xchange_ctx pk_ctx; #if defined(MCUBOOT_ENCRYPT_EC256) || defined(MCUBOOT_ENCRYPT_X25519) bootutil_hmac_sha256_context hmac; bootutil_aes_ctr_context aes_ctr; uint8_t tag[BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; uint8_t shared[SHARED_KEY_LEN]; uint8_t derived_key[BOOT_ENC_KEY_SIZE + BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE]; - uint8_t *cp; - uint8_t *cpend; uint8_t private_key[PRIV_KEY_LEN]; uint8_t counter[BOOT_ENC_BLOCK_SIZE]; - uint16_t len; +#endif +#if !defined(MCUBOOT_ENCRYPT_KW) + uint8_t *cp; + uint8_t *cpend; + size_t len; #endif struct bootutil_key *bootutil_enc_key = NULL; int rc = -1; @@ -441,21 +432,23 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) return rc; } -#if defined(MCUBOOT_ENCRYPT_RSA) - - bootutil_rsa_init(&rsa); +#if !defined(MCUBOOT_ENCRYPT_KW) cp = (uint8_t *)bootutil_enc_key->key; cpend = cp + *bootutil_enc_key->len; +#endif + +#if defined(MCUBOOT_ENCRYPT_RSA) + bootutil_rsa_init(&pk_ctx); /* The enckey is encrypted through RSA so for decryption we need the private key */ - rc = bootutil_rsa_parse_private_key(&rsa, &cp, cpend); + rc = bootutil_rsa_parse_private_key(&pk_ctx, &cp, cpend); if (rc) { - bootutil_rsa_drop(&rsa); + bootutil_rsa_drop(&pk_ctx); return rc; } - rc = bootutil_rsa_oaep_decrypt(&rsa, &olen, buf, enckey, BOOT_ENC_KEY_SIZE); - bootutil_rsa_drop(&rsa); + rc = bootutil_rsa_oaep_decrypt(&pk_ctx, &len, buf, enckey, BOOT_ENC_KEY_SIZE); + bootutil_rsa_drop(&pk_ctx); if (rc) { return rc; } @@ -470,10 +463,6 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) #endif /* defined(MCUBOOT_ENCRYPT_KW) */ #if defined(MCUBOOT_ENCRYPT_EC256) - - cp = (uint8_t *)bootutil_enc_key->key; - cpend = cp + *bootutil_enc_key->len; - /* * Load the stored EC256 decryption private key */ @@ -486,10 +475,10 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) /* * First "element" in the TLV is the curve point (public key) */ - bootutil_ecdh_p256_init(&ecdh_p256); + bootutil_ecdh_p256_init(&pk_ctx); - rc = bootutil_ecdh_p256_shared_secret(&ecdh_p256, &buf[EC_PUBK_INDEX], private_key, shared); - bootutil_ecdh_p256_drop(&ecdh_p256); + rc = bootutil_ecdh_p256_shared_secret(&pk_ctx, &buf[EC_PUBK_INDEX], private_key, shared); + bootutil_ecdh_p256_drop(&pk_ctx); if (rc != 0) { return -1; } @@ -497,10 +486,6 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) #endif /* defined(MCUBOOT_ENCRYPT_EC256) */ #if defined(MCUBOOT_ENCRYPT_X25519) - - cp = (uint8_t *)bootutil_enc_key->key; - cpend = cp + *bootutil_enc_key->len; - /* * Load the stored X25519 decryption private key */ @@ -514,10 +499,10 @@ boot_decrypt_key(const uint8_t *buf, uint8_t *enckey) * First "element" in the TLV is the curve point (public key) */ - bootutil_ecdh_x25519_init(&ecdh_x25519); + bootutil_ecdh_x25519_init(&pk_ctx); - rc = bootutil_ecdh_x25519_shared_secret(&ecdh_x25519, &buf[EC_PUBK_INDEX], private_key, shared); - bootutil_ecdh_x25519_drop(&ecdh_x25519); + rc = bootutil_ecdh_x25519_shared_secret(&pk_ctx, &buf[EC_PUBK_INDEX], private_key, shared); + bootutil_ecdh_x25519_drop(&pk_ctx); if (!rc) { return -1; }