vboot2: pass const work buffers, and clarify min_offset output

When a work buffer is passed to a function, and duplicated inside that
function, allocations made against the duplicate are automatically
freed when the duplicate goes out of scope.  Make that explicit in the
comments.  And pass in const struct workbuf * instead of struct
workbuf *, to make it clear that the passed-in work buffer pointer is
not being altered by the function.

Also, comment that the value of min_offset becomes undefined if
vb2_verify_common_member() or vb2_verify_common_subobject() fails.

BUG=chromium:423882
BRANCH=none
TEST=VBOOT2=1 make runtests

Change-Id: Icc6010e6ef786f78cd2176a59d4d0e6e14905a11
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/227524
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
diff --git a/firmware/2lib/2common.c b/firmware/2lib/2common.c
index 9a729e2..e15ddb7 100644
--- a/firmware/2lib/2common.c
+++ b/firmware/2lib/2common.c
@@ -171,7 +171,7 @@
 int vb2_verify_digest(const struct vb2_public_key *key,
 		      struct vb2_signature *sig,
 		      const uint8_t *digest,
-		      struct vb2_workbuf *wb)
+		      const struct vb2_workbuf *wb)
 {
 	uint8_t *sig_data = vb2_signature_data(sig);
 
@@ -190,7 +190,7 @@
 		    uint32_t size,
 		    struct vb2_signature *sig,
 		    const struct vb2_public_key *key,
-		    struct vb2_workbuf *wb)
+		    const struct vb2_workbuf *wb)
 {
 	struct vb2_workbuf wblocal = *wb;
 	struct vb2_digest_context *dc;
@@ -237,7 +237,7 @@
 int vb2_verify_keyblock(struct vb2_keyblock *block,
 			uint32_t size,
 			const struct vb2_public_key *key,
-			struct vb2_workbuf *wb)
+			const struct vb2_workbuf *wb)
 {
 	struct vb2_signature *sig;
 	int rv;
@@ -306,7 +306,7 @@
 int vb2_verify_fw_preamble(struct vb2_fw_preamble *preamble,
 			   uint32_t size,
 			   const struct vb2_public_key *key,
-			   struct vb2_workbuf *wb)
+			   const struct vb2_workbuf *wb)
 {
 	struct vb2_signature *sig = &preamble->preamble_signature;
 
diff --git a/firmware/2lib/2common2.c b/firmware/2lib/2common2.c
index 52b4e23..813e2b6 100644
--- a/firmware/2lib/2common2.c
+++ b/firmware/2lib/2common2.c
@@ -221,7 +221,7 @@
 int vb2_verify_digest2(const struct vb2_public_key *key,
 		       struct vb2_signature2 *sig,
 		       const uint8_t *digest,
-		       struct vb2_workbuf *wb)
+		       const struct vb2_workbuf *wb)
 {
 	uint32_t key_sig_size = vb2_sig_size(key->sig_alg, key->hash_alg);
 
@@ -255,7 +255,7 @@
 		     uint32_t size,
 		     struct vb2_signature2 *sig,
 		     const struct vb2_public_key *key,
-		     struct vb2_workbuf *wb)
+		     const struct vb2_workbuf *wb)
 {
 	struct vb2_workbuf wblocal = *wb;
 	struct vb2_digest_context *dc;
@@ -302,7 +302,7 @@
 int vb2_verify_keyblock2(struct vb2_keyblock2 *block,
 			 uint32_t size,
 			 const struct vb2_public_key *key,
-			 struct vb2_workbuf *wb)
+			 const struct vb2_workbuf *wb)
 {
 	uint32_t min_offset = 0, sig_offset;
 	int rv, i;
diff --git a/firmware/2lib/2rsa.c b/firmware/2lib/2rsa.c
index 37c5cf5..5a1e0fa 100644
--- a/firmware/2lib/2rsa.c
+++ b/firmware/2lib/2rsa.c
@@ -291,7 +291,7 @@
 int vb2_rsa_verify_digest(const struct vb2_public_key *key,
 			  uint8_t *sig,
 			  const uint8_t *digest,
-			  struct vb2_workbuf *wb)
+			  const struct vb2_workbuf *wb)
 {
 	struct vb2_workbuf wblocal = *wb;
 	uint32_t *workbuf32;
diff --git a/firmware/2lib/include/2common.h b/firmware/2lib/include/2common.h
index 74c7f42..e0b252b 100644
--- a/firmware/2lib/include/2common.h
+++ b/firmware/2lib/include/2common.h
@@ -66,6 +66,11 @@
  * is not done.  The caller must track the size of each allocation and free via
  * vb2_workbuf_free() in the reverse order they were allocated.
  *
+ * An acceptable alternate workflow inside a function is to pass in a const
+ * work buffer, then make a local copy.  Allocations done to the local copy
+ * then don't change the passed-in work buffer, and will effectively be freed
+ * when the local copy goes out of scope.
+ *
  * @param wb		Work buffer
  * @param size		Requested size in bytes
  * @return A pointer to the allocated space, or NULL if error.
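Review bot: "Will effectively be freed when the local copy goes out of scope" in the new paragraph describes only the bookkeeping: the space becomes available for the caller's next allocation, but whatever the callee wrote into it stays in the caller's work buffer, which matters for the callers in 2common.c, 2common2.c and 2rsa.c that copy `*wb` and then allocate digest and signature-verification scratch state from the copy. Suggest adding after the new sentence: ` * Note that going out of scope only reclaims the space; data the callee wrote` / ` * into it remains in the caller's work buffer until overwritten or cleared.` It would also help to say that `const struct vb2_workbuf *` qualifies the work buffer descriptor rather than the memory it refers to, since the local copy is written through freely; I cannot see the struct definition from this hunk, so confirm the member types before wording that.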
@@ -196,7 +201,8 @@
  * @param min_offset	Pointer to minimum offset where member can be located.
  *			If this offset is 0 on input, uses the size of the
  *			fixed header (and description, if any).  This will be
- *			updated on return to the end of the passed member.
+ *			updated on return to the end of the passed member.  On
+ *			error, the value of min_offset is undefined.
  * @param member_offset Offset of member data from start of parent, in bytes
  * @param member_size	Size of member data, in bytes
  * @return VB2_SUCCESS, or non-zero if error.
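Review bot: "the value of min_offset is undefined" is ambiguous between the pointer and what it points to; since min_offset is a pointer parameter, it is `*min_offset` that becomes undefined. Suggest ` *			updated on return to the end of the passed member.  On` / ` *			error, *min_offset is undefined and must not be used, e.g.` / ` *			to continue iterating over later members.` The identical sentence in the vb2_verify_common_subobject() comment in the next hunk of this file should be changed the same way.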
@@ -217,7 +223,8 @@
  * @param min_offset	Pointer to minimum offset where member can be located.
  *			If this offset is 0 on input, uses the size of the
  *			fixed header (and description, if any).  This will be
- *			updated on return to the end of the passed member.
+ *			updated on return to the end of the passed member.  On
+ *			error, the value of min_offset is undefined.
  * @param member_offset Offset of member data from start of parent, in bytes.
  *                      This should be the start of the common header of the
  *                      member.
@@ -327,7 +334,7 @@
 int vb2_verify_digest(const struct vb2_public_key *key,
 		      struct vb2_signature *sig,
 		      const uint8_t *digest,
-		      struct vb2_workbuf *wb);
+		      const struct vb2_workbuf *wb);
 
 /**
  * Verify a signature against an expected hash digest.
@@ -341,7 +348,7 @@
 int vb2_verify_digest2(const struct vb2_public_key *key,
 		       struct vb2_signature2 *sig,
 		       const uint8_t *digest,
-		       struct vb2_workbuf *wb);
+		       const struct vb2_workbuf *wb);
 
 /*
  * Size of work buffer sufficient for vb2_verify_data() or vb2_verify_data2()
@@ -367,13 +374,13 @@
 		    uint32_t size,
 		    struct vb2_signature *sig,
 		    const struct vb2_public_key *key,
-		    struct vb2_workbuf *wb);
+		    const struct vb2_workbuf *wb);
 
 int vb2_verify_data2(const void *data,
 		     uint32_t size,
 		     struct vb2_signature2 *sig,
 		     const struct vb2_public_key *key,
-		     struct vb2_workbuf *wb);
+		     const struct vb2_workbuf *wb);
 
 /*
  * Size of work buffer sufficient for vb2_verify_keyblock() or
@@ -396,12 +403,12 @@
 int vb2_verify_keyblock(struct vb2_keyblock *block,
 			uint32_t size,
 			const struct vb2_public_key *key,
-			struct vb2_workbuf *wb);
+			const struct vb2_workbuf *wb);
 
 int vb2_verify_keyblock2(struct vb2_keyblock2 *block,
 			 uint32_t size,
 			 const struct vb2_public_key *key,
-			 struct vb2_workbuf *wb);
+			 const struct vb2_workbuf *wb);
 
 /* Size of work buffer sufficient for vb2_verify_fw_preamble() worst case */
 #define VB2_VERIFY_FIRMWARE_PREAMBLE_WORKBUF_BYTES VB2_VERIFY_DATA_WORKBUF_BYTES
@@ -420,6 +427,6 @@
 int vb2_verify_fw_preamble(struct vb2_fw_preamble *preamble,
 			   uint32_t size,
 			   const struct vb2_public_key *key,
-			   struct vb2_workbuf *wb);
+			   const struct vb2_workbuf *wb);
 
 #endif  /* VBOOT_REFERENCE_VBOOT_2COMMON_H_ */
diff --git a/firmware/2lib/include/2rsa.h b/firmware/2lib/include/2rsa.h
index 3d591a5..e4e6717 100644
--- a/firmware/2lib/include/2rsa.h
+++ b/firmware/2lib/include/2rsa.h
@@ -75,6 +75,6 @@
 int vb2_rsa_verify_digest(const struct vb2_public_key *key,
 			  uint8_t *sig,
 			  const uint8_t *digest,
-			  struct vb2_workbuf *wb);
+			  const struct vb2_workbuf *wb);
 
 #endif  /* VBOOT_REFERENCE_2RSA_H_ */
diff --git a/tests/vb2_api_tests.c b/tests/vb2_api_tests.c
index cf706d4..5d66766 100644
--- a/tests/vb2_api_tests.c
+++ b/tests/vb2_api_tests.c
@@ -182,7 +182,7 @@
 int vb2_rsa_verify_digest(const struct vb2_public_key *key,
 			  uint8_t *sig,
 			  const uint8_t *digest,
-			  struct vb2_workbuf *wb)
+			  const struct vb2_workbuf *wb)
 {
 	return retval_vb2_verify_digest;
 }
diff --git a/tests/vb2_misc2_tests.c b/tests/vb2_misc2_tests.c
index 2025fb4..796d8e6 100644
--- a/tests/vb2_misc2_tests.c
+++ b/tests/vb2_misc2_tests.c
@@ -154,7 +154,7 @@
 int vb2_verify_keyblock(struct vb2_keyblock *block,
 			uint32_t size,
 			const struct vb2_public_key *key,
-			struct vb2_workbuf *wb)
+			const struct vb2_workbuf *wb)
 {
 	return mock_verify_keyblock_retval;
 }
@@ -162,7 +162,7 @@
 int vb2_verify_fw_preamble(struct vb2_fw_preamble *preamble,
 			   uint32_t size,
 			   const struct vb2_public_key *key,
-			   struct vb2_workbuf *wb)
+			   const struct vb2_workbuf *wb)
 {
 	return mock_verify_preamble_retval;
 }