Permit using the Updater _hash function, even if we don't have a signature appended to the image#8507
Merged
mcspr merged 2 commits intoesp8266:masterfrom Apr 11, 2022
Merged
Conversation
…ature appended to the image
Contributor
Author
|
Ty |
|
After comparing with the old code, I would like to clarify line 247: shouldn't it be: because the former will cause line 276 to read from the wrong address. Thank you. |
Contributor
Author
|
Good spot, @blue-wind-25. I think you're right. |
|
Great, thank you for the confirmation :-) |
mcspr
added a commit
that referenced
this pull request
Sep 13, 2022
Amends #8507 I took the liberty to also do some refactoring; specifically, fixing signed vs. unsigned mismatch in len, using pointer object vs. the original manual malloc & free, try to have named constants for certain addresses and lengths, plus localize printing of u8 arrays. The suggested test to have a 'dummy' verifier works just fine. (...how it actually works and gets the hash to compare with is a whole other question, though) Another issue noticed while testing, in the underlying bearssl api there's an actual limit for hash length. https://github.com/earlephilhower/bearssl-esp8266/blob/6105635531027f5b298aa656d44be2289b2d434f/inc/bearssl_rsa.h#L257
6 tasks
hasenradball
pushed a commit
to hasenradball/Arduino
that referenced
this pull request
Nov 18, 2024
…ature appended to the image (esp8266#8507) The _hash and _verify functionality of the Updater class are pretty much entwined. But it might be useful to calculate the hash, even without a signature present in the image itself. This change permits that by allowing a zero-length signature. For reference, one possible use case is where the expected hash is provided separately to the uploaded image. Another is to provide generic post-upload validation of the image: the hash function permits a convenient way of inspecting the complete image against arbitrary conditions; this is particularly useful after HTTP client OTA updates. (It's fair that reading the whole image back out of flash is not very efficient, but that's not the concern of this PR.)
hasenradball
pushed a commit
to hasenradball/Arduino
that referenced
this pull request
Nov 18, 2024
Amends esp8266#8507 I took the liberty to also do some refactoring; specifically, fixing signed vs. unsigned mismatch in len, using pointer object vs. the original manual malloc & free, try to have named constants for certain addresses and lengths, plus localize printing of u8 arrays. The suggested test to have a 'dummy' verifier works just fine. (...how it actually works and gets the hash to compare with is a whole other question, though) Another issue noticed while testing, in the underlying bearssl api there's an actual limit for hash length. https://github.com/earlephilhower/bearssl-esp8266/blob/6105635531027f5b298aa656d44be2289b2d434f/inc/bearssl_rsa.h#L257
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
NOTE: Re-submission of PR #8472 due to user error :(
The _hash and _verify functionality of the Updater class are pretty much entwined. But it might be useful to calculate the hash, even without a signature present in the image itself. This change permits that by allowing a zero-length signature.
For reference, one possible use case is where the expected hash is provided separately to the uploaded image. Another is to provide generic post-upload validation of the image: the hash function permits a convenient way of inspecting the complete image against arbitrary conditions; this is particularly useful after HTTP client OTA updates.
(It's fair that reading the whole image back out of flash is not very efficient, but that's not the concern of this PR.)