[crypto] Fail all operations for the null public-key algorithm

The null crypto algorithms are intended to do nothing: the null digest
algorithm accepts all input and generates a zero-length digest, and
the null cipher algorithm simply copies the input unmodifed to the
output.

The null public-key algorithm currently does nothing successfully.
Unlike the null digest and cipher algorithms, the null public-key
algorithm's methods are never called.

Change the null public-key algorithm to fail all operations, thereby
allowing its methods to be used as stubs by algorithms such as ECDSA
that do not implement all of the possible public-key operations.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/crypto_null.c b/src/crypto/crypto_null.c
index 8637987b181d7156881fe9a0c504a859459dbf18..687083be94c05c490981b9042b1bfbb82e8fe046 100644 (file)
--- a/src/crypto/crypto_null.c
+++ b/src/crypto/crypto_null.c
@@ -31,6 +31,7 @@ FILE_SECBOOT ( PERMITTED );
  */
 
 #include <string.h>
+#include <errno.h>
 #include <ipxe/crypto.h>
 
 void digest_null_init ( void *ctx __unused ) {
@@ -97,27 +98,27 @@ struct cipher_algorithm cipher_null = {
 int pubkey_null_encrypt ( const struct asn1_cursor *key __unused,
                          const struct asn1_cursor *plaintext __unused,
                          struct asn1_builder *ciphertext __unused ) {
-       return 0;
+       return -ENOTTY;
 }
 
 int pubkey_null_decrypt ( const struct asn1_cursor *key __unused,
                          const struct asn1_cursor *ciphertext __unused,
                          struct asn1_builder *plaintext __unused ) {
-       return 0;
+       return -ENOTTY;
 }
 
 int pubkey_null_sign ( const struct asn1_cursor *key __unused,
                       struct digest_algorithm *digest __unused,
                       const void *value __unused,
                       struct asn1_builder *signature __unused ) {
-       return 0;
+       return -ENOTTY;
 }
 
 int pubkey_null_verify ( const struct asn1_cursor *key __unused,
                         struct digest_algorithm *digest __unused,
                         const void *value __unused,
                         const struct asn1_cursor *signature __unused ) {
-       return 0;
+       return -ENOTTY;
 }
 
 struct pubkey_algorithm pubkey_null = {

diff --git a/src/crypto/ecdsa.c b/src/crypto/ecdsa.c
index 6f10a1a0fbf12d9a81bcdbbcdb96373235390ceb..5be4b4b21599e20cd41b3b87a7dd600a5995d79f 100644 (file)
--- a/src/crypto/ecdsa.c
+++ b/src/crypto/ecdsa.c
@@ -765,38 +765,6 @@ static int ecdsa_verify_rs ( struct ecdsa_context *ctx ) {
        return ( valid ? 0 : -EINVAL_SIGNATURE );
 }
 
-/**
- * Encrypt using ECDSA
- *
- * @v key              Key
- * @v plaintext                Plaintext
- * @v ciphertext       Ciphertext
- * @ret rc             Return status code
- */
-static int ecdsa_encrypt ( const struct asn1_cursor *key __unused,
-                          const struct asn1_cursor *plaintext __unused,
-                          struct asn1_builder *ciphertext __unused ) {
-
-       /* Not a defined operation for ECDSA */
-       return -ENOTTY;
-}
-
-/**
- * Decrypt using ECDSA
- *
- * @v key              Key
- * @v ciphertext       Ciphertext
- * @v plaintext                Plaintext
- * @ret rc             Return status code
- */
-static int ecdsa_decrypt ( const struct asn1_cursor *key __unused,
-                          const struct asn1_cursor *ciphertext __unused,
-                          struct asn1_builder *plaintext __unused ) {
-
-       /* Not a defined operation for ECDSA */
-       return -ENOTTY;
-}
-
 /**
  * Sign digest value using ECDSA
  *
@@ -936,8 +904,8 @@ static int ecdsa_match ( const struct asn1_cursor *private_key,
 /** ECDSA public-key algorithm */
 struct pubkey_algorithm ecdsa_algorithm = {
        .name           = "ecdsa",
-       .encrypt        = ecdsa_encrypt,
-       .decrypt        = ecdsa_decrypt,
+       .encrypt        = pubkey_null_encrypt,
+       .decrypt        = pubkey_null_decrypt,
        .sign           = ecdsa_sign,
        .verify         = ecdsa_verify,
        .match          = ecdsa_match,

diff --git a/src/include/ipxe/errfile.h b/src/include/ipxe/errfile.h
index dbd3c99639f52c1363acca09ecdd31284f9c2e5d..a2e3ff891359f581666cdbd3db929edb97f39ad5 100644 (file)
--- a/src/include/ipxe/errfile.h
+++ b/src/include/ipxe/errfile.h
@@ -449,6 +449,7 @@ FILE_SECBOOT ( PERMITTED );
 #define ERRFILE_efi_cacert           ( ERRFILE_OTHER | 0x00670000 )
 #define ERRFILE_ecdhe                ( ERRFILE_OTHER | 0x00680000 )
 #define ERRFILE_ecdsa                ( ERRFILE_OTHER | 0x00690000 )
+#define ERRFILE_crypto_null          ( ERRFILE_OTHER | 0x006a0000 )
 
 /** @} */