rename aggregate RSA PSS macro, add Renesas protection

Author: bigbrett

include/loader.h

@@ -48,7 +48,23 @@ extern "C" {
     defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
     defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
-#define WOLFBOOT_RSA_PSS
+#define WOLFBOOT_SIGN_RSAPSS_ANY
+#endif
+
+/* Consolidated RSA flag: set when any RSA variant is enabled (PKCS#1 v1.5 or
+ * PSS, primary or secondary). Used to guard the unified RSA verify function
+ * and related RSA code paths. */
+#if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_RSA3072) || \
+    defined(WOLFBOOT_SIGN_RSA4096) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
+    defined(WOLFBOOT_SIGN_RSAPSS2048) || defined(WOLFBOOT_SIGN_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_RSAPSS4096) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
+    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+#define WOLFBOOT_SIGN_RSA_ANY
 #endif
 
 #if defined(WOLFBOOT_SIGN_RSA2048) || defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \

src/image.c

@@ -359,18 +359,7 @@ static void wolfBoot_verify_signature_ecc(uint8_t key_slot,
         * WOLFBOOT_SIGN_SECONDARY_ECC521 */
 
 
-#if defined(WOLFBOOT_SIGN_RSA2048) || \
-    defined(WOLFBOOT_SIGN_RSA3072) || \
-    defined(WOLFBOOT_SIGN_RSA4096) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA2048) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA3072) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSA4096) || \
-    defined(WOLFBOOT_SIGN_RSAPSS2048) || \
-    defined(WOLFBOOT_SIGN_RSAPSS3072) || \
-    defined(WOLFBOOT_SIGN_RSAPSS4096) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS2048) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS3072) || \
-    defined(WOLFBOOT_SIGN_SECONDARY_RSAPSS4096)
+#ifdef WOLFBOOT_SIGN_RSA_ANY
 
 #include <wolfssl/wolfcrypt/asn.h>
 #include <wolfssl/wolfcrypt/rsa.h>
@@ -442,7 +431,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
     (void)inOutIdx;
     (void)is_pss;
 
-#ifdef WOLFBOOT_RSA_PSS
+#ifdef WOLFBOOT_SIGN_RSAPSS_ANY
     enum wc_HashType hash_type;
     int mgf;
 #if defined(WOLFBOOT_HASH_SHA256)
@@ -454,7 +443,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
 #else
     #error "RSA-PSS requires SHA-256 or SHA-384"
 #endif
-#endif /* WOLFBOOT_RSA_PSS */
+#endif /* WOLFBOOT_SIGN_RSAPSS_ANY */
 
 #if (!defined(WOLFBOOT_ENABLE_WOLFHSM_CLIENT) && \
      !defined(WOLFBOOT_ENABLE_WOLFHSM_SERVER)) || \
@@ -471,7 +460,10 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
 #if defined(WOLFBOOT_RENESAS_SCEPROTECT) || \
     defined(WOLFBOOT_RENESAS_TSIP) || \
     defined(WOLFBOOT_RENESAS_RSIP)
-    /* Renesas crypto callback — RSA PKCS#1 v1.5 only */
+    /* Renesas crypto callback supports RSA PKCS#1 v1.5 only */
+#ifdef WOLFBOOT_SIGN_RSAPSS_ANY
+    #error "RSA-PSS is not yet supported with Renesas crypto callbacks"
+#endif
     ret = wc_InitRsaKey_ex(&rsa, NULL, RENESAS_DEVID);
     if (ret == 0) {
         XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
@@ -535,7 +527,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
     }
 #endif /* !WOLFBOOT_USE_WOLFHSM_PUBKEY_ID */
     XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
-#ifdef WOLFBOOT_RSA_PSS
+#ifdef WOLFBOOT_SIGN_RSAPSS_ANY
     if (is_pss) {
         RSA_VERIFY_FN(ret, wc_RsaPSS_VerifyInline, output,
                       RSA_IMAGE_SIGNATURE_SIZE, &digest_out, hash_type, mgf,
@@ -570,7 +562,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
         ret = wc_RsaPublicKeyDecode((byte*)pubkey, &inOutIdx, &rsa, pubkey_sz);
         if (ret >= 0) {
             XMEMCPY(output, sig, RSA_IMAGE_SIGNATURE_SIZE);
-#ifdef WOLFBOOT_RSA_PSS
+#ifdef WOLFBOOT_SIGN_RSAPSS_ANY
             if (is_pss) {
                 RSA_VERIFY_FN(ret,
                     wc_RsaPSS_VerifyInline, output, RSA_IMAGE_SIGNATURE_SIZE,
@@ -587,7 +579,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
 #endif /* SCE || TSIP */
     wc_FreeRsaKey(&rsa);
 
-#ifdef WOLFBOOT_RSA_PSS
+#ifdef WOLFBOOT_SIGN_RSAPSS_ANY
     if (is_pss) {
         if (ret >= WOLFBOOT_SHA_DIGEST_SIZE && img && digest_out) {
             RSA_PSS_VERIFY_HASH(img, digest_out, ret, hash_type);
@@ -607,12 +599,7 @@ static void wolfBoot_verify_signature_rsa_common(uint8_t key_slot,
     }
 }
 
-#endif /* WOLFBOOT_SIGN_RSA2048 || WOLFBOOT_SIGN_RSA3072 || \
-        * WOLFBOOT_SIGN_RSA4096 || WOLFBOOT_SIGN_SECONDARY_RSA2048 ||
-        * WOLFBOOT_SIGN_SECONDARY_RSA3072 || WOLFBOOT_SIGN_SECONDARY_RSA4096 ||
-        * WOLFBOOT_SIGN_RSAPSS2048 || WOLFBOOT_SIGN_RSAPSS3072 ||
-        * WOLFBOOT_SIGN_RSAPSS4096 || WOLFBOOT_SIGN_SECONDARY_RSAPSS2048 ||
-        * WOLFBOOT_SIGN_SECONDARY_RSAPSS3072 || WOLFBOOT_SIGN_SECONDARY_RSAPSS4096 */
+#endif /* WOLFBOOT_SIGN_RSA_ANY */
 
 #ifdef WOLFBOOT_SIGN_LMS
 #include <wolfssl/wolfcrypt/lms.h>