
[1/2] pkcs11: Eliminate additional buffer

Message ID 20201213202037.88310-2-bage@linutronix.de
State Accepted
Series pkcs11: Fix decryption for files larger than 16KiB | expand

Commit Message

Bastian Germann Dec. 13, 2020, 8:20 p.m. UTC
From: Bastian Germann <bage@linutronix.de>

The additional buffer in the update step is not needed.
Make the decryption operate on the buffer that is given to the function.

Signed-off-by: Bastian Germann <bage@linutronix.de>
---
 corelib/swupdate_decrypt_pkcs11.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

Comments

Stefano Babic Dec. 15, 2020, 2:23 p.m. UTC | #1
Hi Bastian,

On 13.12.20 21:20, bage@linutronix.de wrote:
> From: Bastian Germann <bage@linutronix.de>
> 
> The additional buffer in the update step is not needed.
> Make the decryption operate on the buffer that is given to the function.
> 
> Signed-off-by: Bastian Germann <bage@linutronix.de>
> ---
>  corelib/swupdate_decrypt_pkcs11.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/corelib/swupdate_decrypt_pkcs11.c b/corelib/swupdate_decrypt_pkcs11.c
> index 203eea6..a34003b 100644
> --- a/corelib/swupdate_decrypt_pkcs11.c
> +++ b/corelib/swupdate_decrypt_pkcs11.c
> @@ -114,7 +114,8 @@ err_free:
>  int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
>  				int *outlen, const unsigned char *cryptbuf, int inlen)
>  {
> -	unsigned char pad_buf[inlen];
> +	// precondition: len(buf) >= inlen + AES_BLK_SIZE
> +	unsigned char *pad_buf = &buf[AES_BLK_SIZE];
>  	const char *msg;
>  	int err;
>  	int one_off_sz = inlen - AES_BLK_SIZE;
> @@ -122,23 +123,22 @@ int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
>  	if (inlen < AES_BLK_SIZE)
>  		return -EFAULT;
>  
> -	err = wc_AesCbcDecrypt(&dgst->ctxdec, pad_buf, cryptbuf, inlen);
> -	if (err) {
> -		msg = wc_GetErrorString(err);
> -		ERROR("PKCS#11 AES decryption failed: %s", msg);
> -		return -EFAULT;
> -	}
> -
>  	if (dgst->last_decr[AES_BLK_SIZE]) {
>  		// This is for the first decryption operation
> -		memcpy(buf, pad_buf, one_off_sz);
> +		pad_buf = buf;
>  		dgst->last_decr[AES_BLK_SIZE] = 0;
>  		*outlen = one_off_sz;
>  	} else {
>  		memcpy(buf, dgst->last_decr, AES_BLK_SIZE);
> -		memcpy(buf[AES_BLK_SIZE], pad_buf, one_off_sz);
>  		*outlen = inlen;
>  	}
> +
> +	err = wc_AesCbcDecrypt(&dgst->ctxdec, pad_buf, cryptbuf, inlen);
> +	if (err) {
> +		msg = wc_GetErrorString(err);
> +		ERROR("PKCS#11 AES decryption failed: %s", msg);
> +		return -EFAULT;
> +	}
>  	// Remember the last decrypted block which might contain padding
>  	memcpy(dgst->last_decr, &pad_buf[one_off_sz], AES_BLK_SIZE);
>  
> 

Fine with me.

Acked-by: Stefano Babic <sbabic@denx.de>

Best regards,
Stefano Babic

Patch

diff --git a/corelib/swupdate_decrypt_pkcs11.c b/corelib/swupdate_decrypt_pkcs11.c
index 203eea6..a34003b 100644
--- a/corelib/swupdate_decrypt_pkcs11.c
+++ b/corelib/swupdate_decrypt_pkcs11.c
@@ -114,7 +114,8 @@  err_free:
 int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
 				int *outlen, const unsigned char *cryptbuf, int inlen)
 {
-	unsigned char pad_buf[inlen];
+	// precondition: len(buf) >= inlen + AES_BLK_SIZE
+	unsigned char *pad_buf = &buf[AES_BLK_SIZE];
 	const char *msg;
 	int err;
 	int one_off_sz = inlen - AES_BLK_SIZE;
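Review bot: The precondition comment added above `pad_buf` is the only bound on the output, and the function cannot check it because `buf` arrives without a capacity. On every call after the first, the new code writes `inlen` bytes starting at `buf[AES_BLK_SIZE]`, so `buf` now needs `AES_BLK_SIZE` more bytes than the intermediate-buffer version copied into it. Callers that sized `buf` for `inlen` (not visible here) would be overrun by one block. I would lift the requirement into a header comment on the function, e.g. `/* buf must provide at least inlen + AES_BLK_SIZE bytes; the size is not checked here */`. If any caller passes overlapping `buf` and `cryptbuf`, the shifted output would presumably overwrite ciphertext not yet read, which is worth confirming against the call sites. The function body continues past this hunk.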
@@ -122,23 +123,22 @@  int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf,
 	if (inlen < AES_BLK_SIZE)
 		return -EFAULT;
 
-	err = wc_AesCbcDecrypt(&dgst->ctxdec, pad_buf, cryptbuf, inlen);
-	if (err) {
-		msg = wc_GetErrorString(err);
-		ERROR("PKCS#11 AES decryption failed: %s", msg);
-		return -EFAULT;
-	}
-
 	if (dgst->last_decr[AES_BLK_SIZE]) {
 		// This is for the first decryption operation
-		memcpy(buf, pad_buf, one_off_sz);
+		pad_buf = buf;
 		dgst->last_decr[AES_BLK_SIZE] = 0;
 		*outlen = one_off_sz;
 	} else {
 		memcpy(buf, dgst->last_decr, AES_BLK_SIZE);
-		memcpy(buf[AES_BLK_SIZE], pad_buf, one_off_sz);
 		*outlen = inlen;
 	}
+
+	err = wc_AesCbcDecrypt(&dgst->ctxdec, pad_buf, cryptbuf, inlen);
+	if (err) {
+		msg = wc_GetErrorString(err);
+		ERROR("PKCS#11 AES decryption failed: %s", msg);
+		return -EFAULT;
+	}
 	// Remember the last decrypted block which might contain padding
 	memcpy(dgst->last_decr, &pad_buf[one_off_sz], AES_BLK_SIZE);
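Review bot: Moving the decrypt call below the if/else means `dgst->last_decr[AES_BLK_SIZE] = 0` and `*outlen` are now written before `wc_AesCbcDecrypt` has succeeded, whereas the removed ordering touched them only after success. If the call fails, the function returns -EFAULT with the first-operation marker already cleared and an output length already stored. A caller that retries or reads `*outlen` after the error (not visible here) would then act on state from a failed decryption. I would record the first-call decision in a local, select `pad_buf` from it, and commit the marker and `*outlen` only after the error check. The function starts in the previous hunk and its tail lies outside this one.

```c
	const int first_call = dgst->last_decr[AES_BLK_SIZE] != 0;

	if (first_call)
		pad_buf = buf;
	else
		memcpy(buf, dgst->last_decr, AES_BLK_SIZE);

	// … unchanged: wc_AesCbcDecrypt call and its error return …

	// Commit state only after the decryption succeeded
	if (first_call)
		dgst->last_decr[AES_BLK_SIZE] = 0;
	*outlen = first_call ? one_off_sz : inlen;
	// … unchanged: memcpy of the last decrypted block into dgst->last_decr …
```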