Skip to content

Commit c390fec

Browse files
danielinuxdanielinux
committed
Bigger header size when policy signature is added
1 parent 9819520 commit c390fec

File tree

1 file changed

+48
-30
lines changed

1 file changed

+48
-30
lines changed

tools/keytools/sign.c

Lines changed: 48 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -308,6 +308,51 @@ static struct cmd_options CMD = {
308308
.hybrid = 0
309309
};
310310

311+
static void set_header_size(void)
312+
{
313+
uint32_t hdr_sz = CMD.header_sz;
314+
/* get header and signature sizes */
315+
if (CMD.sign == SIGN_ED25519) {
316+
if (hdr_sz < 256)
317+
hdr_sz = 256;
318+
}
319+
else if (CMD.sign == SIGN_ED448) {
320+
if (hdr_sz < 512)
321+
hdr_sz = 512;
322+
}
323+
else if (CMD.sign == SIGN_ECC256) {
324+
if (hdr_sz < 256)
325+
hdr_sz = 256;
326+
}
327+
else if (CMD.sign == SIGN_ECC384) {
328+
if (hdr_sz < 512)
329+
hdr_sz = 512;
330+
}
331+
else if (CMD.sign == SIGN_ECC521) {
332+
if (hdr_sz < 512)
333+
hdr_sz = 512;
334+
}
335+
else if (CMD.sign == SIGN_RSA2048) {
336+
if (hdr_sz < 512)
337+
hdr_sz = 512;
338+
}
339+
else if (CMD.sign == SIGN_RSA3072) {
340+
if ((hdr_sz < 1024) && (CMD.hash_algo != HASH_SHA256))
341+
hdr_sz = 1024;
342+
if (hdr_sz < 512)
343+
hdr_sz = 512;
344+
}
345+
else if (CMD.sign == SIGN_RSA4096) {
346+
if (hdr_sz < 1024)
347+
hdr_sz = 1024;
348+
}
349+
if (CMD.policy_sign)
350+
hdr_sz += 512;
351+
352+
if (hdr_sz > CMD.header_sz)
353+
CMD.header_sz = hdr_sz;
354+
}
355+
311356
static int load_key_ecc(int sign_type, uint32_t curve_sz, int curve_id,
312357
int header_sz,
313358
uint8_t **key_buffer, uint32_t *key_buffer_sz,
@@ -425,12 +470,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz
425470

426471
if (*pubkey_sz <= rsa_pubkeysz) {
427472
CMD.header_sz = header_sz;
428-
if (CMD.policy_sign) {
429-
CMD.header_sz += 512;
430-
}
431-
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
432-
CMD.header_sz += 512;
433-
}
434473
if (secondary) {
435474
CMD.secondary_signature_sz = rsa_keysz;
436475
CMD.secondary_sign = sign_type;
@@ -469,12 +508,6 @@ static int load_key_rsa(int sign_type, uint32_t rsa_keysz, uint32_t rsa_pubkeysz
469508

470509
if (ret == 0 || CMD.sign != SIGN_AUTO) {
471510
CMD.header_sz = header_sz;
472-
if (CMD.policy_sign) {
473-
CMD.header_sz += 512;
474-
}
475-
else if (sign_type == SIGN_RSA3072 && CMD.hash_algo != HASH_SHA256) {
476-
CMD.header_sz += 512;
477-
}
478511
if (secondary) {
479512
CMD.secondary_sign = sign_type;
480513
CMD.secondary_signature_sz = keySzOut;
@@ -861,6 +894,7 @@ static uint8_t *load_key(uint8_t **key_buffer, uint32_t *key_buffer_sz,
861894
goto failure;
862895
}
863896

897+
set_header_size();
864898
if (CMD.header_sz < IMAGE_HEADER_SIZE) {
865899
printf("image header size overridden by config value (%u bytes)\n", IMAGE_HEADER_SIZE);
866900
CMD.header_sz = IMAGE_HEADER_SIZE;
@@ -2028,6 +2062,7 @@ uint64_t arg2num(const char *arg, size_t len)
20282062
return ret;
20292063
}
20302064

2065+
20312066
static void set_signature_sizes(int secondary)
20322067
{
20332068
uint32_t *sz = &CMD.signature_sz;
@@ -2036,47 +2071,30 @@ static void set_signature_sizes(int secondary)
20362071
sz = &CMD.secondary_signature_sz;
20372072
sign = &CMD.secondary_sign;
20382073
}
2074+
set_header_size();
20392075
/* get header and signature sizes */
20402076
if (*sign == SIGN_ED25519) {
2041-
if (CMD.header_sz < 256)
2042-
CMD.header_sz = 256;
20432077
*sz = 64;
20442078
}
20452079
else if (*sign == SIGN_ED448) {
2046-
if (CMD.header_sz < 512)
2047-
CMD.header_sz = 512;
20482080
*sz = 114;
20492081
}
20502082
else if (*sign == SIGN_ECC256) {
2051-
if (CMD.header_sz < 256)
2052-
CMD.header_sz = 256;
20532083
*sz = 64;
20542084
}
20552085
else if (*sign == SIGN_ECC384) {
2056-
if (CMD.header_sz < 512)
2057-
CMD.header_sz = 512;
20582086
*sz = 96;
20592087
}
20602088
else if (*sign == SIGN_ECC521) {
2061-
if (CMD.header_sz < 512)
2062-
CMD.header_sz = 512;
20632089
*sz = 132;
20642090
}
20652091
else if (*sign == SIGN_RSA2048) {
2066-
if (CMD.header_sz < 512)
2067-
CMD.header_sz = 512;
20682092
*sz = 256;
20692093
}
20702094
else if (*sign == SIGN_RSA3072) {
2071-
if ((CMD.header_sz < 1024) && (CMD.hash_algo != HASH_SHA256))
2072-
CMD.header_sz = 1024;
2073-
if (CMD.header_sz < 512)
2074-
CMD.header_sz = 512;
20752095
*sz = 384;
20762096
}
20772097
else if (*sign == SIGN_RSA4096) {
2078-
if (CMD.header_sz < 1024)
2079-
CMD.header_sz = 1024;
20802098
*sz = 512;
20812099
}
20822100
#ifdef WOLFSSL_HAVE_LMS

0 commit comments

Comments
 (0)