[nrf fromtree] bootutil: ed25519 psa: Merge bootutil_verify_sig and bootutil_verify

de-nordic · de-nordic · commit e4bd1b3ba2d5 · 2026-05-07T08:55:45.000Z
Reduce layers of calls. Modified on cherry-pick. (cherry picked from commit 3f69203) Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c
@@ -90,10 +90,9 @@ bootutil_import_key(uint8_t **cp, uint8_t *end)
  * The function does key import and checks whether signature is
  * of expected length.
  */
-static fih_ret
-bootutil_verify(uint8_t *buf, uint32_t blen,
-                uint8_t *sig, size_t slen,
-                uint8_t key_id)
+fih_ret
+bootutil_verify_sig(uint8_t *msg, uint32_t mlen, uint8_t *sig, size_t slen,
+                    uint8_t key_id)
 {
     int rc;
     FIH_DECLARE(fih_rc, FIH_FAILURE);
@@ -102,10 +101,18 @@ bootutil_verify(uint8_t *buf, uint32_t blen,
     uint8_t *end;
 #endif
 
-    BOOT_LOG_DBG("bootutil_verify: ED25519 key_id %d", (int)key_id);
+    BOOT_LOG_DBG("bootutil_verify_sig: ED25519 key_id %d", (int)key_id);
+
+#if !defined(MCUBOOT_SIGN_PURE)
+    if (mlen != IMAGE_HASH_SIZE) {
+        BOOT_LOG_DBG("bootutil_verify_sig: expected hash len %d, got %d",
+                     IMAGE_HASH_SIZE, mlen);
+        goto out;
+    }
+#endif
 
     if (slen != EDDSA_SIGNATURE_LENGTH) {
-        BOOT_LOG_DBG("bootutil_verify: expected slen %d, got %u",
+        BOOT_LOG_DBG("bootutil_verify_sig: expected slen %d, got %u",
                      EDDSA_SIGNATURE_LENGTH, (unsigned int)slen);
         FIH_SET(fih_rc, FIH_FAILURE);
         goto out;
@@ -129,7 +136,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen,
 #if !defined(MCUBOOT_KEY_IMPORT_BYPASS_ASN)
     rc = bootutil_import_key(&pubkey, end);
     if (rc) {
-        BOOT_LOG_DBG("bootutil_verify: import key failed %d", rc);
+        BOOT_LOG_DBG("bootutil_verify_sig: import key failed %d", rc);
         FIH_SET(fih_rc, FIH_FAILURE);
         goto out;
     }
@@ -139,7 +146,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen,
      * There is no check whether this is the correct key,
      * here, by the algorithm selected.
      */
-    BOOT_LOG_DBG("bootutil_verify: bypass ASN1");
+    BOOT_LOG_DBG("bootutil_verify_sig: bypass ASN1");
     if (*bootutil_keys[key_id].len < NUM_ED25519_BYTES) {
         FIH_SET(fih_rc, FIH_FAILURE);
         goto out;
@@ -150,7 +157,7 @@ bootutil_verify(uint8_t *buf, uint32_t blen,
 
 #endif
 
-    rc = ED25519_verify(buf, blen, sig, pubkey);
+    rc = ED25519_verify(msg, mlen, sig, pubkey);
 
     if (rc == 0) {
         /* if verify returns 0, there was an error. */
@@ -164,34 +171,4 @@ bootutil_verify(uint8_t *buf, uint32_t blen,
     FIH_RET(fih_rc);
 }
 
-/* Signature verification function.
- * Verifies message with provided signature.
- * When compiled without  MCUBOOT_SIGN_PURE, the function expects
- * msg to be hash of expected size.
- */
-fih_ret
-bootutil_verify_sig(uint8_t *msg, uint32_t mlen,
-                    uint8_t *sig, size_t slen,
-                    uint8_t key_id)
-{
-    FIH_DECLARE(fih_rc, FIH_FAILURE);
-
-    BOOT_LOG_DBG("bootutil_verify_sig: ED25519 key_id %d", (int)key_id);
-
-#if !defined(MCUBOOT_SIGN_PURE)
-    if (mlen != IMAGE_HASH_SIZE) {
-        BOOT_LOG_DBG("bootutil_verify_sig: expected hash len %d, got %d",
-                     IMAGE_HASH_SIZE, mlen);
-        FIH_SET(fih_rc, FIH_FAILURE);
-        goto out;
-    }
-#endif
-
-    FIH_CALL(bootutil_verify, fih_rc, msg, mlen, sig,
-             slen, key_id);
-
-out:
-    FIH_RET(fih_rc);
-}
-
 #endif /* MCUBOOT_SIGN_ED25519 */
