Skip to content

Commit

Permalink
bootutil: Add SHA-512 support to Ed25519
Browse files Browse the repository at this point in the history
When Ed25519 signatures are used, the bootutil_verify_sig responsible
for verifying a signature was expecting as argument the SHA-256 digest
of the firmware image. This commit slightly modifies this routine to
make possible to use Ed25519 with SHA-512 digests.

Signed-off-by: Thomas Altenbach <[email protected]>
  • Loading branch information
taltenbach authored and d3zd3z committed Oct 10, 2024
1 parent 601463d commit a5f28c1
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions boot/bootutil/src/image_ed25519.c
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@

#include "bootutil_priv.h"
#include "bootutil/crypto/common.h"
#include "bootutil/crypto/sha.h"

static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70";
#define NUM_ED25519_BYTES 32
Expand Down Expand Up @@ -73,7 +74,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
uint8_t *pubkey;
uint8_t *end;

if (hlen != 32 || slen != 64) {
if (hlen != IMAGE_HASH_SIZE || slen != 64) {
FIH_SET(fih_rc, FIH_FAILURE);
goto out;
}
Expand All @@ -87,7 +88,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
goto out;
}

rc = ED25519_verify(hash, 32, sig, pubkey);
rc = ED25519_verify(hash, IMAGE_HASH_SIZE, sig, pubkey);

if (rc == 0) {
/* if verify returns 0, there was an error. */
Expand Down

0 comments on commit a5f28c1

Please sign in to comment.