[PATCH 03/41] Group all cryptographic functions
2 views
Skip to first unread message
Stefano Babic
Jul 22, 2025, 2:00:34 AM7/22/25
to swup...@googlegroups.com, Stefano Babic
Create a directory to collect all functions related to security,
decryption and verification.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
Makefile | 2 +-
corelib/Makefile | 27 ----------------
crypto/Makefile | 31 +++++++++++++++++++
{corelib => crypto}/swupdate_cms_verify.c | 0
.../swupdate_decrypt_mbedtls.c | 22 ++++++++++---
.../swupdate_decrypt_openssl.c | 24 +++++++++++---
{corelib => crypto}/swupdate_decrypt_pkcs11.c | 21 ++++++++++---
{corelib => crypto}/swupdate_gpg_verify.c | 0
{corelib => crypto}/swupdate_pkcs7_verify.c | 0
{corelib => crypto}/swupdate_rsa_verify.c | 0
.../swupdate_rsa_verify_mbedtls.c | 0
{corelib => crypto}/swupdate_verify_private.h | 0
{corelib => crypto}/verify_signature.c | 0
.../verify_signature_mbedtls.c | 0
14 files changed, 86 insertions(+), 41 deletions(-)
create mode 100644 crypto/Makefile
rename {corelib => crypto}/swupdate_cms_verify.c (100%)
rename {corelib => crypto}/swupdate_decrypt_mbedtls.c (78%)
rename {corelib => crypto}/swupdate_decrypt_openssl.c (76%)
rename {corelib => crypto}/swupdate_decrypt_pkcs11.c (86%)
rename {corelib => crypto}/swupdate_gpg_verify.c (100%)
rename {corelib => crypto}/swupdate_pkcs7_verify.c (100%)
rename {corelib => crypto}/swupdate_rsa_verify.c (100%)
rename {corelib => crypto}/swupdate_rsa_verify_mbedtls.c (100%)
rename {corelib => crypto}/swupdate_verify_private.h (100%)
rename {corelib => crypto}/verify_signature.c (100%)
rename {corelib => crypto}/verify_signature_mbedtls.c (100%)
diff --git a/Makefile b/Makefile
index de54f187..2a715f72 100644
--- a/Makefile
+++ b/Makefile
@@ -369,7 +369,7 @@ include $(srctree)/Makefile.flags
# This allow a user to issue only 'make' to build a kernel including modules
# Defaults to vmlinux, but the arch makefile usually adds further targets
-objs-y := core handlers bootloader suricatta
+objs-y := core handlers crypto bootloader suricatta
libs-y := corelib mongoose parser fs containers
bindings-y := bindings
tools-y := tools
diff --git a/corelib/Makefile b/corelib/Makefile
index b07c42f3..6aae1d53 100644
--- a/corelib/Makefile
+++ b/corelib/Makefile
@@ -11,31 +11,4 @@ lib-y += emmc_utils.o \
lib-$(CONFIG_DOWNLOAD) += downloader.o
lib-$(CONFIG_MTD) += mtd-interface.o
lib-$(CONFIG_LUA) += lua_interface.o lua_compat.o
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
-lib-$(CONFIG_HASH_VERIFY) += verify_signature.o
-ifeq ($(CONFIG_PKCS11),y)
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
-endif
-lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o
-lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
-lib-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
-lib-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
-lib-$(CONFIG_HASH_VERIFY) += verify_signature_mbedtls.o
-ifeq ($(CONFIG_PKCS11),y)
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
-endif
-lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
-lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
-endif
-lib-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
lib-$(CONFIG_CHANNEL_CURL) += channel_curl.o
diff --git a/crypto/Makefile b/crypto/Makefile
new file mode 100644
index 00000000..6ee3b4d0
--- /dev/null
+++ b/crypto/Makefile
@@ -0,0 +1,31 @@
+# Copyright (C) 2014-2018 Stefano Babic <stefan...@swupdate.org>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
+obj-$(CONFIG_HASH_VERIFY) += verify_signature.o
+ifeq ($(CONFIG_PKCS11),y)
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
+endif
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
+obj-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
+obj-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
+obj-$(CONFIG_HASH_VERIFY) += verify_signature_mbedtls.o
+ifeq ($(CONFIG_PKCS11),y)
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
+endif
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
+endif
+obj-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
diff --git a/corelib/swupdate_cms_verify.c b/crypto/swupdate_cms_verify.c
similarity index 100%
rename from corelib/swupdate_cms_verify.c
rename to crypto/swupdate_cms_verify.c
diff --git a/corelib/swupdate_decrypt_mbedtls.c b/crypto/swupdate_decrypt_mbedtls.c
similarity index 78%
rename from corelib/swupdate_decrypt_mbedtls.c
rename to crypto/swupdate_decrypt_mbedtls.c
index ce11dc01..7ca8bb55 100644
--- a/corelib/swupdate_decrypt_mbedtls.c
+++ b/crypto/swupdate_decrypt_mbedtls.c
@@ -6,8 +6,12 @@
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+
+static swupdate_decrypt_lib mbedtls;
+
+static struct swupdate_digest *mbedtls_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
mbedtls_cipher_type_t cipher_type;
@@ -89,7 +93,7 @@ fail:
return NULL;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
int error;
@@ -105,7 +109,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
int error;
@@ -128,7 +132,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void mbedtls_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (!dgst) {
return;
@@ -137,3 +141,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
mbedtls_cipher_free(&dgst->mbedtls_cipher_context);
free(dgst);
}
+
+__attribute__((constructor))
+static void mbedtls_probe(void)
+{
+ mbedtls.DECRYPT_init = mbedtls_DECRYPT_init;
+ mbedtls.DECRYPT_update = mbedtls_DECRYPT_update;
+ mbedtls.DECRYPT_final = mbedtls_DECRYPT_final;
+ mbedtls.DECRYPT_cleanup = mbedtls_DECRYPT_cleanup;
+ (void)register_cryptolib("mbedtls", &mbedtls);
+}
diff --git a/corelib/swupdate_decrypt_openssl.c b/crypto/swupdate_decrypt_openssl.c
similarity index 76%
rename from corelib/swupdate_decrypt_openssl.c
rename to crypto/swupdate_decrypt_openssl.c
index 2ab3f864..c9befe1c 100644
--- a/corelib/swupdate_decrypt_openssl.c
+++ b/crypto/swupdate_decrypt_openssl.c
@@ -7,16 +7,20 @@
* Code mostly taken from openssl examples
*
*/
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
+#include <unistd.h>
#include "swupdate.h"
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
+
+static void openssl_probe(void);
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+static swupdate_decrypt_lib openssl;
+static struct swupdate_digest *openssl_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
const EVP_CIPHER *cipher;
@@ -78,7 +82,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, u
return dgst;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
if (EVP_DecryptUpdate(SSL_GET_CTXDEC(dgst), buf, outlen, cryptbuf, inlen) != 1) {
@@ -91,7 +95,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
if (!dgst)
@@ -110,7 +114,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void openssl_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -122,3 +126,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
dgst = NULL;
}
}
+
+__attribute__((constructor))
+static void openssl_probe(void)
+{
+ openssl.DECRYPT_init = openssl_DECRYPT_init;
+ openssl.DECRYPT_update = openssl_DECRYPT_update;
+ openssl.DECRYPT_final = openssl_DECRYPT_final;
+ openssl.DECRYPT_cleanup = openssl_DECRYPT_cleanup;
+ (void)register_cryptolib("openssl", &openssl);
+}
diff --git a/corelib/swupdate_decrypt_pkcs11.c b/crypto/swupdate_decrypt_pkcs11.c
similarity index 86%
rename from corelib/swupdate_decrypt_pkcs11.c
rename to crypto/swupdate_decrypt_pkcs11.c
index b16d59ee..7a4fd272 100644
--- a/corelib/swupdate_decrypt_pkcs11.c
+++ b/crypto/swupdate_decrypt_pkcs11.c
@@ -14,6 +14,9 @@
#include "util.h"
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
+#include "swupdate_crypto.h"
+
+static swupdate_decrypt_lib wolfssl;
#ifdef DEBUG_WOLFSSL
static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *const msg)
@@ -22,7 +25,7 @@ static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *co
}
#endif
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *uri,
+static struct swupdate_digest *wolfssl_DECRYPT_init(unsigned char *uri,
char __attribute__ ((__unused__)) keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
@@ -116,7 +119,7 @@ err_free:
return NULL;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int wolfssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
// precondition: len(buf) >= inlen + AES_BLK_SIZE
@@ -153,7 +156,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
}
// Gets rid of PKCS#7 padding
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int *outlen)
+static int wolfssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int *outlen)
{
unsigned char last_oct = dgst->last_decr[AES_BLK_SIZE - 1];
if (last_oct > AES_BLK_SIZE || last_oct == 0) {
@@ -178,7 +181,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int
return 0;
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void wolfssl_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
if (&dgst->pktoken)
@@ -193,3 +196,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
wolfCrypt_Cleanup();
}
+
+__attribute__((constructor))
+static void wolfssl_probe(void)
+{
+ wolfssl.DECRYPT_init = wolfssl_DECRYPT_init;
+ wolfssl.DECRYPT_update = wolfssl_DECRYPT_update;
+ wolfssl.DECRYPT_final = wolfssl_DECRYPT_final;
+ wolfssl.DECRYPT_cleanup = wolfssl_DECRYPT_cleanup;
+ (void)register_cryptolib("wolfssl", &wolfssl);
+}
diff --git a/corelib/swupdate_gpg_verify.c b/crypto/swupdate_gpg_verify.c
similarity index 100%
rename from corelib/swupdate_gpg_verify.c
rename to crypto/swupdate_gpg_verify.c
diff --git a/corelib/swupdate_pkcs7_verify.c b/crypto/swupdate_pkcs7_verify.c
similarity index 100%
rename from corelib/swupdate_pkcs7_verify.c
rename to crypto/swupdate_pkcs7_verify.c
diff --git a/corelib/swupdate_rsa_verify.c b/crypto/swupdate_rsa_verify.c
similarity index 100%
rename from corelib/swupdate_rsa_verify.c
rename to crypto/swupdate_rsa_verify.c
diff --git a/corelib/swupdate_rsa_verify_mbedtls.c b/crypto/swupdate_rsa_verify_mbedtls.c
similarity index 100%
rename from corelib/swupdate_rsa_verify_mbedtls.c
rename to crypto/swupdate_rsa_verify_mbedtls.c
diff --git a/corelib/swupdate_verify_private.h b/crypto/swupdate_verify_private.h
similarity index 100%
rename from corelib/swupdate_verify_private.h
rename to crypto/swupdate_verify_private.h
diff --git a/corelib/verify_signature.c b/crypto/verify_signature.c
similarity index 100%
rename from corelib/verify_signature.c
rename to crypto/verify_signature.c
diff --git a/corelib/verify_signature_mbedtls.c b/crypto/verify_signature_mbedtls.c
similarity index 100%
rename from corelib/verify_signature_mbedtls.c
rename to crypto/verify_signature_mbedtls.c
--
2.43.0
decryption and verification.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
Makefile | 2 +-
corelib/Makefile | 27 ----------------
crypto/Makefile | 31 +++++++++++++++++++
{corelib => crypto}/swupdate_cms_verify.c | 0
.../swupdate_decrypt_mbedtls.c | 22 ++++++++++---
.../swupdate_decrypt_openssl.c | 24 +++++++++++---
{corelib => crypto}/swupdate_decrypt_pkcs11.c | 21 ++++++++++---
{corelib => crypto}/swupdate_gpg_verify.c | 0
{corelib => crypto}/swupdate_pkcs7_verify.c | 0
{corelib => crypto}/swupdate_rsa_verify.c | 0
.../swupdate_rsa_verify_mbedtls.c | 0
{corelib => crypto}/swupdate_verify_private.h | 0
{corelib => crypto}/verify_signature.c | 0
.../verify_signature_mbedtls.c | 0
14 files changed, 86 insertions(+), 41 deletions(-)
create mode 100644 crypto/Makefile
rename {corelib => crypto}/swupdate_cms_verify.c (100%)
rename {corelib => crypto}/swupdate_decrypt_mbedtls.c (78%)
rename {corelib => crypto}/swupdate_decrypt_openssl.c (76%)
rename {corelib => crypto}/swupdate_decrypt_pkcs11.c (86%)
rename {corelib => crypto}/swupdate_gpg_verify.c (100%)
rename {corelib => crypto}/swupdate_pkcs7_verify.c (100%)
rename {corelib => crypto}/swupdate_rsa_verify.c (100%)
rename {corelib => crypto}/swupdate_rsa_verify_mbedtls.c (100%)
rename {corelib => crypto}/swupdate_verify_private.h (100%)
rename {corelib => crypto}/verify_signature.c (100%)
rename {corelib => crypto}/verify_signature_mbedtls.c (100%)
diff --git a/Makefile b/Makefile
index de54f187..2a715f72 100644
--- a/Makefile
+++ b/Makefile
@@ -369,7 +369,7 @@ include $(srctree)/Makefile.flags
# This allow a user to issue only 'make' to build a kernel including modules
# Defaults to vmlinux, but the arch makefile usually adds further targets
-objs-y := core handlers bootloader suricatta
+objs-y := core handlers crypto bootloader suricatta
libs-y := corelib mongoose parser fs containers
bindings-y := bindings
tools-y := tools
diff --git a/corelib/Makefile b/corelib/Makefile
index b07c42f3..6aae1d53 100644
--- a/corelib/Makefile
+++ b/corelib/Makefile
@@ -11,31 +11,4 @@ lib-y += emmc_utils.o \
lib-$(CONFIG_DOWNLOAD) += downloader.o
lib-$(CONFIG_MTD) += mtd-interface.o
lib-$(CONFIG_LUA) += lua_interface.o lua_compat.o
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
-lib-$(CONFIG_HASH_VERIFY) += verify_signature.o
-ifeq ($(CONFIG_PKCS11),y)
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
-endif
-lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o
-lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
-lib-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
-lib-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify.o
-endif
-ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
-lib-$(CONFIG_HASH_VERIFY) += verify_signature_mbedtls.o
-ifeq ($(CONFIG_PKCS11),y)
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-lib-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
-endif
-lib-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
-lib-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
-endif
-lib-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
lib-$(CONFIG_CHANNEL_CURL) += channel_curl.o
diff --git a/crypto/Makefile b/crypto/Makefile
new file mode 100644
index 00000000..6ee3b4d0
--- /dev/null
+++ b/crypto/Makefile
@@ -0,0 +1,31 @@
+# Copyright (C) 2014-2018 Stefano Babic <stefan...@swupdate.org>
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
+obj-$(CONFIG_HASH_VERIFY) += verify_signature.o
+ifeq ($(CONFIG_PKCS11),y)
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
+endif
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
+obj-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
+obj-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
+obj-$(CONFIG_HASH_VERIFY) += verify_signature_mbedtls.o
+ifeq ($(CONFIG_PKCS11),y)
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
+else
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
+endif
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
+endif
+obj-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
diff --git a/corelib/swupdate_cms_verify.c b/crypto/swupdate_cms_verify.c
similarity index 100%
rename from corelib/swupdate_cms_verify.c
rename to crypto/swupdate_cms_verify.c
diff --git a/corelib/swupdate_decrypt_mbedtls.c b/crypto/swupdate_decrypt_mbedtls.c
similarity index 78%
rename from corelib/swupdate_decrypt_mbedtls.c
rename to crypto/swupdate_decrypt_mbedtls.c
index ce11dc01..7ca8bb55 100644
--- a/corelib/swupdate_decrypt_mbedtls.c
+++ b/crypto/swupdate_decrypt_mbedtls.c
@@ -6,8 +6,12 @@
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+
+static swupdate_decrypt_lib mbedtls;
+
+static struct swupdate_digest *mbedtls_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
mbedtls_cipher_type_t cipher_type;
@@ -89,7 +93,7 @@ fail:
return NULL;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
int error;
@@ -105,7 +109,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
int error;
@@ -128,7 +132,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void mbedtls_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (!dgst) {
return;
@@ -137,3 +141,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
mbedtls_cipher_free(&dgst->mbedtls_cipher_context);
free(dgst);
}
+
+__attribute__((constructor))
+static void mbedtls_probe(void)
+{
+ mbedtls.DECRYPT_init = mbedtls_DECRYPT_init;
+ mbedtls.DECRYPT_update = mbedtls_DECRYPT_update;
+ mbedtls.DECRYPT_final = mbedtls_DECRYPT_final;
+ mbedtls.DECRYPT_cleanup = mbedtls_DECRYPT_cleanup;
+ (void)register_cryptolib("mbedtls", &mbedtls);
+}
diff --git a/corelib/swupdate_decrypt_openssl.c b/crypto/swupdate_decrypt_openssl.c
similarity index 76%
rename from corelib/swupdate_decrypt_openssl.c
rename to crypto/swupdate_decrypt_openssl.c
index 2ab3f864..c9befe1c 100644
--- a/corelib/swupdate_decrypt_openssl.c
+++ b/crypto/swupdate_decrypt_openssl.c
@@ -7,16 +7,20 @@
* Code mostly taken from openssl examples
*
*/
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
+#include <unistd.h>
#include "swupdate.h"
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
+
+static void openssl_probe(void);
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+static swupdate_decrypt_lib openssl;
+static struct swupdate_digest *openssl_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
const EVP_CIPHER *cipher;
@@ -78,7 +82,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, u
return dgst;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
if (EVP_DecryptUpdate(SSL_GET_CTXDEC(dgst), buf, outlen, cryptbuf, inlen) != 1) {
@@ -91,7 +95,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
if (!dgst)
@@ -110,7 +114,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void openssl_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -122,3 +126,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
dgst = NULL;
}
}
+
+__attribute__((constructor))
+static void openssl_probe(void)
+{
+ openssl.DECRYPT_init = openssl_DECRYPT_init;
+ openssl.DECRYPT_update = openssl_DECRYPT_update;
+ openssl.DECRYPT_final = openssl_DECRYPT_final;
+ openssl.DECRYPT_cleanup = openssl_DECRYPT_cleanup;
+ (void)register_cryptolib("openssl", &openssl);
+}
diff --git a/corelib/swupdate_decrypt_pkcs11.c b/crypto/swupdate_decrypt_pkcs11.c
similarity index 86%
rename from corelib/swupdate_decrypt_pkcs11.c
rename to crypto/swupdate_decrypt_pkcs11.c
index b16d59ee..7a4fd272 100644
--- a/corelib/swupdate_decrypt_pkcs11.c
+++ b/crypto/swupdate_decrypt_pkcs11.c
@@ -14,6 +14,9 @@
#include "util.h"
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/logging.h>
+#include "swupdate_crypto.h"
+
+static swupdate_decrypt_lib wolfssl;
#ifdef DEBUG_WOLFSSL
static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *const msg)
@@ -22,7 +25,7 @@ static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *co
}
#endif
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *uri,
+static struct swupdate_digest *wolfssl_DECRYPT_init(unsigned char *uri,
char __attribute__ ((__unused__)) keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
@@ -116,7 +119,7 @@ err_free:
return NULL;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int wolfssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
// precondition: len(buf) >= inlen + AES_BLK_SIZE
@@ -153,7 +156,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
}
// Gets rid of PKCS#7 padding
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int *outlen)
+static int wolfssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int *outlen)
{
unsigned char last_oct = dgst->last_decr[AES_BLK_SIZE - 1];
if (last_oct > AES_BLK_SIZE || last_oct == 0) {
@@ -178,7 +181,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf, int
return 0;
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void wolfssl_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
if (&dgst->pktoken)
@@ -193,3 +196,13 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
wolfCrypt_Cleanup();
}
+
+__attribute__((constructor))
+static void wolfssl_probe(void)
+{
+ wolfssl.DECRYPT_init = wolfssl_DECRYPT_init;
+ wolfssl.DECRYPT_update = wolfssl_DECRYPT_update;
+ wolfssl.DECRYPT_final = wolfssl_DECRYPT_final;
+ wolfssl.DECRYPT_cleanup = wolfssl_DECRYPT_cleanup;
+ (void)register_cryptolib("wolfssl", &wolfssl);
+}
diff --git a/corelib/swupdate_gpg_verify.c b/crypto/swupdate_gpg_verify.c
similarity index 100%
rename from corelib/swupdate_gpg_verify.c
rename to crypto/swupdate_gpg_verify.c
diff --git a/corelib/swupdate_pkcs7_verify.c b/crypto/swupdate_pkcs7_verify.c
similarity index 100%
rename from corelib/swupdate_pkcs7_verify.c
rename to crypto/swupdate_pkcs7_verify.c
diff --git a/corelib/swupdate_rsa_verify.c b/crypto/swupdate_rsa_verify.c
similarity index 100%
rename from corelib/swupdate_rsa_verify.c
rename to crypto/swupdate_rsa_verify.c
diff --git a/corelib/swupdate_rsa_verify_mbedtls.c b/crypto/swupdate_rsa_verify_mbedtls.c
similarity index 100%
rename from corelib/swupdate_rsa_verify_mbedtls.c
rename to crypto/swupdate_rsa_verify_mbedtls.c
diff --git a/corelib/swupdate_verify_private.h b/crypto/swupdate_verify_private.h
similarity index 100%
rename from corelib/swupdate_verify_private.h
rename to crypto/swupdate_verify_private.h
diff --git a/corelib/verify_signature.c b/crypto/verify_signature.c
similarity index 100%
rename from corelib/verify_signature.c
rename to crypto/verify_signature.c
diff --git a/corelib/verify_signature_mbedtls.c b/crypto/verify_signature_mbedtls.c
similarity index 100%
rename from corelib/verify_signature_mbedtls.c
rename to crypto/verify_signature_mbedtls.c
--
2.43.0
Stefano Babic
Jul 24, 2025, 9:21:23 AM7/24/25
to swup...@googlegroups.com, Stefano Babic, Michael Glembotzki
Create a directory to collect all functions related to security,
decryption and verification.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
decryption and verification.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
Makefile | 2 +-
corelib/Makefile | 27 ----------------
crypto/Makefile | 31 +++++++++++++++++++
{corelib => crypto}/swupdate_cms_verify.c | 0
.../swupdate_decrypt_mbedtls.c | 24 +++++++++++---
Makefile | 2 +-
corelib/Makefile | 27 ----------------
crypto/Makefile | 31 +++++++++++++++++++
{corelib => crypto}/swupdate_cms_verify.c | 0
.../swupdate_decrypt_openssl.c | 26 +++++++++++++---
{corelib => crypto}/swupdate_decrypt_pkcs11.c | 21 ++++++++++---
{corelib => crypto}/swupdate_gpg_verify.c | 0
{corelib => crypto}/swupdate_pkcs7_verify.c | 0
{corelib => crypto}/swupdate_rsa_verify.c | 0
.../swupdate_rsa_verify_mbedtls.c | 0
{corelib => crypto}/swupdate_verify_private.h | 0
{corelib => crypto}/verify_signature.c | 0
.../verify_signature_mbedtls.c | 0
14 files changed, 90 insertions(+), 41 deletions(-)
{corelib => crypto}/swupdate_gpg_verify.c | 0
{corelib => crypto}/swupdate_pkcs7_verify.c | 0
{corelib => crypto}/swupdate_rsa_verify.c | 0
.../swupdate_rsa_verify_mbedtls.c | 0
{corelib => crypto}/swupdate_verify_private.h | 0
{corelib => crypto}/verify_signature.c | 0
.../verify_signature_mbedtls.c | 0
--- a/corelib/swupdate_decrypt_mbedtls.c
+++ b/crypto/swupdate_decrypt_mbedtls.c
@@ -6,8 +6,14 @@
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+
+
+static swupdate_decrypt_lib mbedtls;
+
+static struct swupdate_digest *mbedtls_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
mbedtls_cipher_type_t cipher_type;
@@ -89,7 +95,7 @@ fail:
+static swupdate_decrypt_lib mbedtls;
+
+static struct swupdate_digest *mbedtls_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
mbedtls_cipher_type_t cipher_type;
return NULL;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
int error;
@@ -105,7 +111,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
int error;
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
int error;
@@ -128,7 +134,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int mbedtls_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
int error;
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void mbedtls_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (!dgst) {
return;
mbedtls_cipher_free(&dgst->mbedtls_cipher_context);
free(dgst);
}
+
+__attribute__((constructor))
+static void mbedtls_probe(void)
+{
+ mbedtls.DECRYPT_init = mbedtls_DECRYPT_init;
+ mbedtls.DECRYPT_update = mbedtls_DECRYPT_update;
+ mbedtls.DECRYPT_final = mbedtls_DECRYPT_final;
+ mbedtls.DECRYPT_cleanup = mbedtls_DECRYPT_cleanup;
+ (void)register_cryptolib(MODNAME, &mbedtls);
free(dgst);
}
+
+__attribute__((constructor))
+static void mbedtls_probe(void)
+{
+ mbedtls.DECRYPT_init = mbedtls_DECRYPT_init;
+ mbedtls.DECRYPT_update = mbedtls_DECRYPT_update;
+ mbedtls.DECRYPT_final = mbedtls_DECRYPT_final;
+ mbedtls.DECRYPT_cleanup = mbedtls_DECRYPT_cleanup;
+}
diff --git a/corelib/swupdate_decrypt_openssl.c b/crypto/swupdate_decrypt_openssl.c
similarity index 76%
rename from corelib/swupdate_decrypt_openssl.c
rename to crypto/swupdate_decrypt_openssl.c
index 2ab3f864..edad5f94 100644
diff --git a/corelib/swupdate_decrypt_openssl.c b/crypto/swupdate_decrypt_openssl.c
similarity index 76%
rename from corelib/swupdate_decrypt_openssl.c
rename to crypto/swupdate_decrypt_openssl.c
--- a/corelib/swupdate_decrypt_openssl.c
+++ b/crypto/swupdate_decrypt_openssl.c
@@ -7,16 +7,22 @@
* Code mostly taken from openssl examples
*
*/
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
+#include <unistd.h>
#include "swupdate.h"
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
+
+#define MODNAME "opensslAES"
*
*/
-
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
+#include <unistd.h>
#include "swupdate.h"
#include "sslapi.h"
#include "util.h"
+#include "swupdate_crypto.h"
+
+
+static void openssl_probe(void);
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+static swupdate_decrypt_lib openssl;
+static struct swupdate_digest *openssl_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
const EVP_CIPHER *cipher;
@@ -78,7 +84,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, u
+static void openssl_probe(void);
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
+static swupdate_decrypt_lib openssl;
+static struct swupdate_digest *openssl_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
const EVP_CIPHER *cipher;
return dgst;
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
if (EVP_DecryptUpdate(SSL_GET_CTXDEC(dgst), buf, outlen, cryptbuf, inlen) != 1) {
@@ -91,7 +97,7 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
}
-int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen)
{
if (EVP_DecryptUpdate(SSL_GET_CTXDEC(dgst), buf, outlen, cryptbuf, inlen) != 1) {
return 0;
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
if (!dgst)
@@ -110,7 +116,7 @@ int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
}
-int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
+static int openssl_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen)
{
if (!dgst)
}
-void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst)
+static void openssl_DECRYPT_cleanup(struct swupdate_digest *dgst)
{
if (dgst) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L
dgst = NULL;
}
}
+
+__attribute__((constructor))
+static void openssl_probe(void)
+{
+ openssl.DECRYPT_init = openssl_DECRYPT_init;
+ openssl.DECRYPT_update = openssl_DECRYPT_update;
+ openssl.DECRYPT_final = openssl_DECRYPT_final;
+ openssl.DECRYPT_cleanup = openssl_DECRYPT_cleanup;
+ (void)register_cryptolib(MODNAME, &openssl);
}
}
+
+__attribute__((constructor))
+static void openssl_probe(void)
+{
+ openssl.DECRYPT_init = openssl_DECRYPT_init;
+ openssl.DECRYPT_update = openssl_DECRYPT_update;
+ openssl.DECRYPT_final = openssl_DECRYPT_final;
+ openssl.DECRYPT_cleanup = openssl_DECRYPT_cleanup;
Reply all
Reply to author
Forward
0 new messages