* [PATCH 1/6] crypto: reorder ECDSA Kconfig entries
2024-10-09 14:01 [PATCH 0/6] crypto: ecdsa: fix fallout Ahmad Fatoum
@ 2024-10-09 14:01 ` Ahmad Fatoum
2024-10-09 14:01 ` [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled Ahmad Fatoum
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
barebox now supports two signature algorithms and it makes sense to
group them together in the Kconfig and not have other options like
KEYSTORE or JWT between them.
No functional change.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
crypto/Kconfig | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 45011802e360..191bd5102627 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -115,10 +115,17 @@ config CRYPTO_PBKDF2
select DIGEST_HMAC_GENERIC
bool
+config CRYPTO_ECC
+ bool
+
config CRYPTO_RSA
bool "RSA support"
default y if FITIMAGE_SIGNATURE
+config CRYPTO_ECDSA
+ bool "ECDSA support"
+ select CRYPTO_ECC
+
config CRYPTO_BUILTIN_KEYS
bool "builtin keys"
select KEYTOC
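Review bot: CRYPTO_ECDSA in this hunk has a prompt but no help text and, unlike CRYPTO_RSA with its `default y if FITIMAGE_SIGNATURE`, no default. Since the entry is being moved anyway, a short help line saying which features need it would be useful. The hidden CRYPTO_ECC symbol also ends up above CRYPTO_RSA rather than next to the CRYPTO_ECDSA entry that selects it; placing it directly beside CRYPTO_ECDSA would keep the helper with the option that uses it.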
@@ -149,11 +156,4 @@ config JWT
select BASE64
select CRYPTO_RSA
-config CRYPTO_ECC
- bool
-
-config CRYPTO_ECDSA
- bool "ECDSA support"
- select CRYPTO_ECC
-
endmenu
--
2.39.5
* [PATCH 2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
Enabling CONFIG_CRYPTO_RSA, but not CONFIG_CRYPTO_BUILTIN_KEYS currently
results in a linker error:
crypto/rsa.c:484: undefined reference to `public_key_add'
Fix this by only calling public_key_add() if we have
CONFIG_CRYPTO_BUILTIN_KEYS=y. If that option is disabled, it means only
standalone keys can be used.
Fixes: 54caa724c737 ("crypto: add public_key functions")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
crypto/rsa.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 04b6c9d8c729..d3a48b6809de 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -488,11 +488,12 @@ static void rsa_init_keys_of(void)
}
}
-static int rsa_init_keys(void)
+static __maybe_unused int rsa_init_keys(void)
{
rsa_init_keys_of();
return 0;
}
-
+#ifdef CONFIG_CRYPTO_BUILTIN_KEYS
device_initcall(rsa_init_keys);
+#endif
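Review bot: the `#ifdef CONFIG_CRYPTO_BUILTIN_KEYS` guards only `device_initcall(rsa_init_keys);`, while the commit message reports the undefined reference at crypto/rsa.c:484, which lies above this hunk and is not touched by it. The link then succeeds only because the toolchain discards the now-unreferenced static functions, with `__maybe_unused` silencing the warning. Moving the guard around rsa_init_keys() and the code it calls, or testing IS_ENABLED(CONFIG_CRYPTO_BUILTIN_KEYS) at the public_key_add() call as the commit message describes, would make the dependency explicit. The hunk also drops the blank line between the closing brace and the guard, which is worth keeping.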
--
2.39.5
* [PATCH 3/6] keytoc: return error on failure to set PKCS#11 pin
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
ret is used uninitialized when ENGINE_ctrl_cmd_string() fails.
Fix this by explicitly setting it to -1 to indicate an error.
Fixes: 128ad3cbe043 ("scripts: Add rsatoc tool")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
scripts/keytoc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 5041c09a0e9f..d5c8aa2e1216 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -123,6 +123,7 @@ static int engine_init(ENGINE **pe)
if (key_pass) {
if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+ ret = -1;
fprintf(stderr, "Cannot set PKCS#11 PIN\n");
goto err_set_rsa;
}
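Review bot: `ret = -1;` covers only the PIN failure branch, but `goto err_set_rsa` jumps to a shared exit label, so every other jump to that label in engine_init() needs the same check. Initialising ret to an error value where it is declared would cover all paths at once and leave the success path as the only place that sets it to 0. It is also worth confirming that the caller treats any non-zero return from engine_init() as fatal, so a failed PIN set can never be followed by key processing.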
--
2.39.5
* [PATCH 4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
Currently, generating standalone keys fails, because the header
references symbols that aren't defined within.
Fixes: c949c6ab360c ("crypto: add ECDSA support")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
include/crypto/ecdsa.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/include/crypto/ecdsa.h b/include/crypto/ecdsa.h
index 1d6340c64513..2e2b359d96cf 100644
--- a/include/crypto/ecdsa.h
+++ b/include/crypto/ecdsa.h
@@ -2,6 +2,10 @@
#ifndef _ECDSA_H
#define _ECDSA_H
+#include <linux/types.h>
+#include <linux/list.h>
+#include <errno.h>
+
struct ecdsa_public_key {
const char *curve_name; /* Name of curve, e.g. "prime256v1" */
const uint64_t *x; /* x coordinate of public key */
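Review bot: of the three includes added at the top of the header, only `<linux/types.h>` is explained by the lines shown here (the `uint64_t` members of struct ecdsa_public_key); the commit message does not name the symbols that require `<linux/list.h>` and `<errno.h>`. Naming them in the message would tell a later cleanup which includes the header really depends on.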
--
2.39.5
* [PATCH 5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
So as not to require OpenSSL for normal selftest builds, a pregenerated C
file for the JWT PEM is being shipped in the source code.
This got outdated with recent changes, so let's regenerate it.
Fixes: 54caa724c737 ("crypto: add public_key functions")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
test/self/jwt_test.pem.c_shipped | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/self/jwt_test.pem.c_shipped b/test/self/jwt_test.pem.c_shipped
index 16248f0ddb1e..5d4df1107cf5 100644
--- a/test/self/jwt_test.pem.c_shipped
+++ b/test/self/jwt_test.pem.c_shipped
@@ -1,3 +1,4 @@
+#include <crypto/ecdsa.h>
#include <crypto/rsa.h>
static uint32_t jwt_test_modulus[] = {
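Review bot: the regenerated file now starts with `#include <crypto/ecdsa.h>` although the lines shown carry RSA key data only. If keytoc writes both headers unconditionally, emitting just the header for the key type being converted would keep generated RSA files independent of the ECDSA header.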
@@ -45,5 +46,4 @@ struct rsa_public_key __key_jwt_test = {
.modulus = jwt_test_modulus,
.rr = jwt_test_rr,
.exponent = 0x10001,
- .key_name_hint = "jwt_test",
};
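Review bot: the removal of `.key_name_hint = "jwt_test",` from __key_jwt_test is not explained; the commit message says only that the file got outdated. A sentence stating where the key name is carried now, and whether the JWT selftest still finds the key by that name, would make the regenerated output reviewable.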
--
2.39.5
* [PATCH 6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
From: Ahmad Fatoum @ 2024-10-09 14:01 UTC
To: barebox; +Cc: Ahmad Fatoum
Commit 7b51f76a4534 ("rsatoc: rename to keytoc") reflects that the tool
now also supports ECDSA. Therefore, let's rename the environment variable
that we use to regenerate the C code from the JWT PEM accordingly.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
test/self/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/self/Makefile b/test/self/Makefile
index 6390c4afd478..666a8f9ee7e2 100644
--- a/test/self/Makefile
+++ b/test/self/Makefile
@@ -19,7 +19,7 @@ obj-$(CONFIG_SELFTEST_REGULATOR) += regulator.o test_regulator.dtbo.o
obj-$(CONFIG_SELFTEST_TEST_COMMAND) += test_command.o
obj-$(CONFIG_SELFTEST_IDR) += idr.o
-ifdef REGENERATE_RSATOC
+ifdef REGENERATE_KEYTOC
$(obj)/jwt_test.pem.c_shipped: $(src)/jwt_test.pem FORCE
$(call if_changed,public_keys,$(basename $(target-stem)):$<,-s)
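Review bot: the subject line spells the new variable REGNERATE_KEYTOC, while the `ifdef` in this hunk tests REGENERATE_KEYTOC; the subject should match so that a search of the log finds the variable. After the rename, a build that still sets REGENERATE_RSATOC skips the regeneration rule without any message, so the commit message should mention that the old name is no longer honoured.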
--
2.39.5
* Re: [PATCH 0/6] crypto: ecdsa: fix fallout
From: Sascha Hauer @ 2024-10-14 11:31 UTC
To: barebox, Ahmad Fatoum
On Wed, 09 Oct 2024 16:01:49 +0200, Ahmad Fatoum wrote:
> A number of these commits can be squashed into next, but I leave it to
> Sascha whether he wants to do that or just apply them afterwards.
>
> Ahmad Fatoum (6):
> crypto: reorder ECDSA Kconfig entries
> crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
> keytoc: return error on failure to set PKCS#11 pin
> crypto: ecdsa: make crypto/ecdsa.h header self-containing
> test: self: jwt: regenerate jwt_test.pem.c_shipped
> test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
>
> [...]
Applied, thanks!
[1/6] crypto: reorder ECDSA Kconfig entries
https://git.pengutronix.de/cgit/barebox/commit/?id=0b8306660f2e (link may not be stable)
[2/6] crypto: rsa: support RSA keys with CONFIG_CRYPTO_BUILTIN_KEYS disabled
(no commit info)
[3/6] keytoc: return error on failure to set PKCS#11 pin
https://git.pengutronix.de/cgit/barebox/commit/?id=3c7efb02d7f0 (link may not be stable)
[4/6] crypto: ecdsa: make crypto/ecdsa.h header self-containing
(no commit info)
[5/6] test: self: jwt: regenerate jwt_test.pem.c_shipped
https://git.pengutronix.de/cgit/barebox/commit/?id=011c6cc73aa9 (link may not be stable)
[6/6] test: self: rename REGENERATE_RSATOC to REGNERATE_KEYTOC
https://git.pengutronix.de/cgit/barebox/commit/?id=3c884a974661 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>