bootutil: Add SHA-512 support to Ed25519

taltenbach · d3zd3z · commit a5f28c133dcf · 2024-10-10T11:34:29.000-06:00
When Ed25519 signatures are used, the bootutil_verify_sig responsible
for verifying a signature was expecting as argument the SHA-256 digest
of the firmware image. This commit slightly modifies this routine to
make possible to use Ed25519 with SHA-512 digests.

Signed-off-by: Thomas Altenbach &lt;thomas.altenbach@legrand.com&gt;
diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c
@@ -17,6 +17,7 @@
 
 #include "bootutil_priv.h"
 #include "bootutil/crypto/common.h"
+#include "bootutil/crypto/sha.h"
 
 static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70";
 #define NUM_ED25519_BYTES 32
@@ -73,7 +74,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
     uint8_t *pubkey;
     uint8_t *end;
 
-    if (hlen != 32 || slen != 64) {
+    if (hlen != IMAGE_HASH_SIZE || slen != 64) {
         FIH_SET(fih_rc, FIH_FAILURE);
         goto out;
     }
@@ -87,7 +88,7 @@ bootutil_verify_sig(uint8_t *hash, uint32_t hlen, uint8_t *sig, size_t slen,
         goto out;
     }
 
-    rc = ED25519_verify(hash, 32, sig, pubkey);
+    rc = ED25519_verify(hash, IMAGE_HASH_SIZE, sig, pubkey);
 
     if (rc == 0) {
         /* if verify returns 0, there was an error. */
