commit 2f045a252efaf69a330efbb30fcb8664d129b810
author Roman Okhrimenko <roman.okhrimenko@infineon.com> Fri Mar 05 14:06:33 2021 +0200
committer David Brown <davidb@davidb.org> Fri Mar 12 14:17:28 2021 -0700
tree 769e340d3b73ae8c8e656964d54f3a6f4602213f
parent 26edaf3d125e5c0725a2076202945af4c89eb98f

bootutil: Align mbedtls_ecdsa signature verification with cypress mbedtls hw accel implementation

Signed-off-by: Roman Okhrimenko <roman.okhrimenko@cypress.com>
Signed-off-by: Roman Okhrimenko <roman.okhrimenko@infineon.com>

boot/bootutil/src/image_ec256.c

diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c
index ccb67f3..5d73c9f 100644
--- a/boot/bootutil/src/image_ec256.c
+++ b/boot/bootutil/src/image_ec256.c
@@ -51,6 +51,53 @@
 /*
  * Parse the public key used for signing.
  */
+#ifdef CY_MBEDTLS_HW_ACCELERATION
+static int
+bootutil_parse_eckey(mbedtls_ecdsa_context *ctx, uint8_t **p, uint8_t *end)
+{
+    size_t len;
+    mbedtls_asn1_buf alg;
+    mbedtls_asn1_buf param;
+
+    if (mbedtls_asn1_get_tag(p, end, &len,
+        MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) {
+        return -1;
+    }
+    end = *p + len;
+
+    if (mbedtls_asn1_get_alg(p, end, &alg, &param)) {
+        return -2;
+    }
+    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
+      memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+        return -3;
+    }
+    if (param.len != sizeof(ec_secp256r1_oid) - 1||
+      memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
+        return -4;
+    }
+
+    if (mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1)) {
+        return -5;
+    }
+
+    if (mbedtls_asn1_get_bitstring_null(p, end, &len)) {
+        return -6;
+    }
+    if (*p + len != end) {
+        return -7;
+    }
+
+    if (mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, *p, end - *p)) {
+        return -8;
+    }
+
+    if (mbedtls_ecp_check_pubkey(&ctx->grp, &ctx->Q)) {
+        return -9;
+    }
+    return 0;
+}
+#endif /* CY_MBEDTLS_HW_ACCELERATION */
 static int
 bootutil_import_key(uint8_t **cp, uint8_t *end)
 {
@@ -163,7 +210,12 @@
     pubkey = (uint8_t *)bootutil_keys[key_id].key;
     end = pubkey + *bootutil_keys[key_id].len;
 
+#ifdef CY_MBEDTLS_HW_ACCELERATION
+    mbedtls_ecdsa_init(&ctx);
+    rc = bootutil_parse_eckey(&ctx, &pubkey, end);
+#else
     rc = bootutil_import_key(&pubkey, end);
+#endif
     if (rc) {
         return -1;
     }
@@ -178,6 +230,13 @@
     /*
      * This is simplified, as the hash length is also 32 bytes.
      */
+#ifdef CY_MBEDTLS_HW_ACCELERATION
+    while (sig[slen - 1] == '\0') {
+        slen--;
+    }
+    rc = mbedtls_ecdsa_read_signature(&ctx, hash, hlen, sig, slen);
+
+#else /* CY_MBEDTLS_HW_ACCELERATION */
     if (hlen != NUM_ECC_BYTES) {
         return -1;
     }
@@ -189,7 +248,10 @@
     rc = bootutil_ecdsa_p256_verify(&ctx, pubkey, end - pubkey, hash, signature,
                                     2 * NUM_ECC_BYTES);
 #endif
+#endif /* CY_MBEDTLS_HW_ACCELERATION */
+
     bootutil_ecdsa_p256_drop(&ctx);
+
     return rc;
 }