@@ -453,7 +453,7 @@ int copyfile(int fdin, void *out, unsigned int nbytes, unsigned long *offs, unsi
ivt = ivtbuf;
} else
ivt = get_aes_ivt();
- decrypt_state.dcrypt = swupdate_DECRYPT_init(aes_key, ivt);
+ decrypt_state.dcrypt = swupdate_DECRYPT_init(aes_key, get_aes_keylen(), ivt);
if (!decrypt_state.dcrypt) {
ERROR("decrypt initialization failure, aborting");
ret = -EFAULT;
@@ -17,9 +17,10 @@
#include "sslapi.h"
#include "util.h"
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv)
+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
+ const EVP_CIPHER *cipher;
int ret;
if ((key == NULL) || (iv == NULL)) {
@@ -27,7 +28,19 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char
return NULL;
}
- const EVP_CIPHER *cipher = EVP_aes_256_cbc();
+ switch (keylen) {
+ case AES_128_KEY_LEN:
+ cipher = EVP_aes_128_cbc();
+ break;
+ case AES_192_KEY_LEN:
+ cipher = EVP_aes_192_cbc();
+ break;
+ case AES_256_KEY_LEN:
+ cipher = EVP_aes_256_cbc();
+ break;
+ default:
+ return NULL;
+ }
dgst = calloc(1, sizeof(*dgst));
if (!dgst) {
@@ -3,10 +3,12 @@
#include "sslapi.h"
#include "util.h"
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv)
+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
+ mbedtls_cipher_type_t cipher_type;
const mbedtls_cipher_info_t *cipher_info;
+ int key_bitlen;
int error;
if ((key == NULL) || (iv == NULL)) {
@@ -14,7 +16,24 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char
return NULL;
}
- cipher_info = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_256_CBC);
+ switch (keylen) {
+ case AES_128_KEY_LEN:
+ cipher_type = MBEDTLS_CIPHER_AES_128_CBC;
+ key_bitlen = 128;
+ break;
+ case AES_192_KEY_LEN:
+ cipher_type = MBEDTLS_CIPHER_AES_192_CBC;
+ key_bitlen = 192;
+ break;
+ case AES_256_KEY_LEN:
+ cipher_type = MBEDTLS_CIPHER_AES_256_CBC;
+ key_bitlen = 256;
+ break;
+ default:
+ return NULL;
+ }
+
+ cipher_info = mbedtls_cipher_info_from_type(cipher_type);
if (!cipher_info) {
ERROR("mbedtls_cipher_info_from_type");
return NULL;
@@ -33,7 +52,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char
goto fail;
}
- error = mbedtls_cipher_setkey(&dgst->mbedtls_cipher_context, key, 256, MBEDTLS_DECRYPT);
+ error = mbedtls_cipher_setkey(&dgst->mbedtls_cipher_context, key, key_bitlen, MBEDTLS_DECRYPT);
if (error) {
ERROR("mbedtls_cipher_setkey: %d", error);
goto fail;
@@ -22,7 +22,8 @@ static void wolfssl_debug(int __attribute__ ((__unused__)) level, const char *co
}
#endif
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *uri, unsigned char *iv)
+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *uri,
+ char __attribute__ ((__unused__)) keylen, unsigned char *iv)
{
struct swupdate_digest *dgst;
const char *library;
@@ -179,7 +179,7 @@ int swupdate_HASH_compare(const unsigned char *hash1, const unsigned char *hash2
#endif
#ifdef CONFIG_ENCRYPTED_IMAGES
-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv);
+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, char keylen, unsigned char *iv);
int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
int *outlen, const unsigned char *cryptbuf, int inlen);
int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,
@@ -190,7 +190,7 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst);
* Note: macro for swupdate_DECRYPT_init is
* just to avoid compiler warnings
*/
-#define swupdate_DECRYPT_init(key, iv) (((key != NULL) | (ivt != NULL)) ? NULL : NULL)
+#define swupdate_DECRYPT_init(key, keylen, iv) (((key != NULL) | (ivt != NULL)) ? NULL : NULL)
#define swupdate_DECRYPT_update(p, buf, len, cbuf, inlen) (-1)
#define swupdate_DECRYPT_final(p, buf, len) (-1)
#define swupdate_DECRYPT_cleanup(p)
@@ -43,7 +43,7 @@ static void hex2bin(unsigned char *dest, const unsigned char *source)
static void do_crypt(struct cryptdata *crypt, unsigned char *CRYPTTEXT, unsigned char *PLAINTEXT)
{
int len;
- void *dcrypt = swupdate_DECRYPT_init(crypt->key, crypt->iv);
+ void *dcrypt = swupdate_DECRYPT_init(crypt->key, 32, crypt->iv);
assert_non_null(dcrypt);
unsigned char *buffer = calloc(1, strlen((const char *)CRYPTTEXT) + EVP_MAX_BLOCK_LENGTH);
@@ -114,7 +114,7 @@ static void test_crypt_failure(void **state)
hex2bin((crypt.crypttext = calloc(1, strlen((const char *)CRYPTTEXT))), CRYPTTEXT);
int len;
- void *dcrypt = swupdate_DECRYPT_init(crypt.key, crypt.iv);
+ void *dcrypt = swupdate_DECRYPT_init(crypt.key, 32, crypt.iv);
assert_non_null(dcrypt);
unsigned char *buffer = calloc(1, strlen((const char *)CRYPTTEXT) + EVP_MAX_BLOCK_LENGTH);