From 76b92ffc0b6c38310d13d47a0df99fee0c73b9dc Mon Sep 17 00:00:00 2001
From: Alexander Graf
Date: Tue, 9 Jul 2024 05:59:25 +0000
Subject: [PATCH] Update crc to v2 API

The crc crate completely changed their API from v1 to v2. Change our implementation to use v2 so that we can use newer crc crates.

Signed-off-by: Alexander Graf
---
 src/utils/eif_reader.rs | 13 +++++++------
 src/utils/mod.rs | 34 +++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/src/utils/eif_reader.rs b/src/utils/eif_reader.rs
index f2defc7..b92dd6d 100644
--- a/src/utils/eif_reader.rs
+++ b/src/utils/eif_reader.rs
@@ -6,7 +6,7 @@ use crate::defs::{
 EifHeader, EifIdentityInfo, EifSectionHeader, EifSectionType, PcrInfo, PcrSignature,
 };
 use aws_nitro_enclaves_cose::{crypto::Openssl, CoseSign1};
-use crc::{crc32, Hasher32};
+use crc::{Crc, CRC_32_ISO_HDLC};
 use openssl::pkey::PKey;
 use serde::{Deserialize, Serialize};
 use serde_cbor::{from_slice, to_vec};
@@ -83,7 +83,8 @@ impl EifReader {
 /// on section type. Also writes sections in the eif_crc, excluding the
 /// CRC from the header
 pub fn from_eif(eif_path: String) -> Result {
- let mut eif_crc = crc32::Digest::new_with_initial(crc32::IEEE, 0);
+ let crc_gen = Crc::::new(&CRC_32_ISO_HDLC);
+ let mut eif_crc = crc_gen.digest();
 let mut curr_seek = 0;
 let mut eif_file =
 File::open(eif_path).map_err(|e| format!("Failed to open the EIF file: {:?}", e))?;
@@ -96,7 +97,7 @@ impl EifReader {
 
 // Exclude last field of header which is CRC
 let len_without_crc = header_buf.len() - size_of::();
- eif_crc.write(&header_buf[..len_without_crc]);
+ eif_crc.update(&header_buf[..len_without_crc]);
 
 let header = EifHeader::from_be_bytes(&header_buf)
 .map_err(|e| format!("Error while parsing EIF header: {:?}", e))?;
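Review bot: `Crc::new(&CRC_32_ISO_HDLC)` on the first added line of the `@@ -83` hunk builds the CRC lookup table on every `from_eif` call; in crc v2 `Crc::<u32>::new` is a `const fn`, so a module-level `const EIF_CRC: Crc<u32> = Crc::<u32>::new(&CRC_32_ISO_HDLC);` shared by this file and by `compute_crc` in `src/utils/mod.rs` (the `@@ -331` hunk, which repeats the same construction) would build it once and keep reader and builder on the same algorithm by construction. The choice of `CRC_32_ISO_HDLC` appears to reproduce the old `crc32::Digest::new_with_initial(crc32::IEEE, 0)` (standard IEEE CRC-32), but nothing in the commit pins that: a test that runs `from_eif` on a fixture EIF produced before this change and compares the computed `eif_crc` with the `eif_crc32` stored in its header would catch a silent algorithm mismatch that would otherwise flag every existing image as corrupt. This rendering has dropped the generic argument (`Crc::::new`), so I am assuming the source reads `Crc::<u32>::new`. The body of `from_eif` continues outside the hunk.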
@@ -126,7 +127,7 @@ impl EifReader {
 {
 let section = EifSectionHeader::from_be_bytes(§ion_buf)
 .map_err(|e| format!("Error extracting EIF section header: {:?}", e))?;
- eif_crc.write(§ion_buf);
+ eif_crc.update(§ion_buf);
 
 let mut buf = vec![0u8; section.section_size as usize];
 curr_seek += EifSectionHeader::size();
@@ -136,7 +137,7 @@ impl EifReader {
 eif_file
 .read_exact(&mut buf)
 .map_err(|e| format!("Error while reading kernel from EIF: {:?}", e))?;
- eif_crc.write(&buf);
+ eif_crc.update(&buf);
 curr_seek += section.section_size as usize;
 
 eif_file
@@ -202,7 +203,7 @@ impl EifReader {
 bootstrap_hasher,
 app_hasher,
 cert_hasher,
- eif_crc: eif_crc.sum32(),
+ eif_crc: eif_crc.finalize(),
 sign_check: None,
 metadata,
 })
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
index aa723e8..fe226c6 100644
--- a/src/utils/mod.rs
+++ b/src/utils/mod.rs
@@ -10,7 +10,7 @@ use crate::defs::{
 MAX_NUM_SECTIONS,
 };
 use aws_nitro_enclaves_cose::{crypto::Openssl, header_map::HeaderMap, CoseSign1};
-use crc::{crc32, Hasher32};
+use crc::{Crc, CRC_32_ISO_HDLC};
 use openssl::asn1::Asn1Time;
 use openssl::pkey::PKey;
 use serde::{Deserialize, Serialize};
@@ -135,7 +135,7 @@ pub struct EifBuilder {
 /// Hash the signing certificate
 pub certificate_hasher: EifHasher,
 hasher_template: T,
- eif_crc: crc32::Digest,
+ eif_crc: u32,
 }
 
 impl EifBuilder {
@@ -170,7 +170,7 @@ impl EifBuilder {
 certificate_hasher: EifHasher::new_without_cache(hasher.clone())
 .expect("Could not create certificate hasher"),
 hasher_template: hasher,
- eif_crc: crc32::Digest::new_with_initial(crc32::IEEE, 0),
+ eif_crc: 0,
 }
 }
 
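Review bot: The new `eif_crc: u32` field in the `@@ -135` hunk of `src/utils/mod.rs` is the only field in the visible part of `EifBuilder` without a `///` doc comment, and its meaning is less obvious now that it is a plain integer rather than a digest object. It is initialised to `0` in the `@@ -170` hunk and, as far as this diff shows, only assigned at the end of `compute_crc`, so `header()` reports `eif_crc32: 0` until that method has run; I would state that contract on the field: `/// CRC-32 (ISO-HDLC) of the whole image, excluding this field; 0 until compute_crc() has run.` If a zero CRC is never legitimate for a written image, an `Option<u32>` that the header-writing path unwraps with an explicit message would turn a missed `compute_crc` call into a visible failure instead of a silently invalid header; that ordering is not visible here, so treat it as something to confirm.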
@@ -331,19 +331,21 @@ impl EifBuilder {
 section_offsets: self.sections_offsets(),
 section_sizes: self.sections_sizes(),
 unused: 0,
- eif_crc32: self.eif_crc.sum32(),
+ eif_crc32: self.eif_crc,
 }
 }
 
 /// Compute the crc for the whole enclave image, excluding the
 /// eif_crc32 field from the EIF header.
 pub fn compute_crc(&mut self) {
+ let crc_gen = Crc::::new(&CRC_32_ISO_HDLC);
+ let mut crc = crc_gen.digest();
 let eif_header = self.header();
 let eif_buffer = eif_header.to_be_bytes();
 // The last field of the EifHeader is the CRC itself, so we need
 // to exclude it from contributing to the CRC.
 let len_without_crc = eif_buffer.len() - size_of::();
- self.eif_crc.write(&eif_buffer[..len_without_crc]);
+ crc.update(&eif_buffer[..len_without_crc]);
 
 let eif_section = EifSectionHeader {
 section_type: EifSectionType::EifSectionKernel,
@@ -352,7 +354,7 @@ impl EifBuilder {
 };
 
 let eif_buffer = eif_section.to_be_bytes();
- self.eif_crc.write(&eif_buffer[..]);
+ crc.update(&eif_buffer[..]);
 
 let mut kernel_file = &self.kernel;
 kernel_file
@@ -363,7 +365,7 @@ impl EifBuilder {
 .read_to_end(&mut buffer)
 .expect("Failed to read kernel content");
 
- self.eif_crc.write(&buffer[..]);
+ crc.update(&buffer[..]);
 
 let eif_section = EifSectionHeader {
 section_type: EifSectionType::EifSectionCmdline,
@@ -372,8 +374,8 @@ impl EifBuilder {
 };
 
 let eif_buffer = eif_section.to_be_bytes();
- self.eif_crc.write(&eif_buffer[..]);
- self.eif_crc.write(&self.cmdline[..]);
+ crc.update(&eif_buffer[..]);
+ crc.update(&self.cmdline[..]);
 
 let eif_section = EifSectionHeader {
 section_type: EifSectionType::EifSectionMetadata,
@@ -382,8 +384,8 @@ impl EifBuilder {
 };
 
 let eif_buffer = eif_section.to_be_bytes();
- self.eif_crc.write(&eif_buffer[..]);
- self.eif_crc.write(&self.metadata[..]);
+ crc.update(&eif_buffer[..]);
+ crc.update(&self.metadata[..]);
 
 for mut ramdisk in &self.ramdisks {
 let eif_section = EifSectionHeader {
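Review bot: `compute_crc` in the `@@ -331` hunk now starts from a fresh digest on every call and stores the result only at the end (the `+ self.eif_crc = crc.finalize();` line in the `@@ -413` hunk), whereas the removed code kept feeding the persistent `crc32::Digest` field, so a second call no longer accumulates into a wrong checksum; that is a genuine behaviour change the doc comment should record. I would extend the existing `///` comment with `/// Recomputes the value from scratch on every call and stores it in self.eif_crc; call it after every section is final.` The function's body runs past this hunk through the following ones and only ends in the `@@ -413` hunk, so the early-digest construction and the final store are not visible together in any one hunk.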
@@ -393,7 +395,7 @@ impl EifBuilder {
 };
 
 let eif_buffer = eif_section.to_be_bytes();
- self.eif_crc.write(&eif_buffer[..]);
+ crc.update(&eif_buffer[..]);
 
 ramdisk
 .seek(SeekFrom::Start(0))
@@ -402,7 +404,7 @@ impl EifBuilder {
 ramdisk
 .read_to_end(&mut buffer)
 .expect("Failed to read kernel content");
- self.eif_crc.write(&buffer[..]);
+ crc.update(&buffer[..]);
 }
 
 if let Some(signature) = &self.signature {
@@ -413,9 +415,11 @@ impl EifBuilder {
 };
 
 let eif_buffer = eif_section.to_be_bytes();
- self.eif_crc.write(&eif_buffer[..]);
- self.eif_crc.write(&signature[..]);
+ crc.update(&eif_buffer[..]);
+ crc.update(&signature[..]);
 }
+
+ self.eif_crc = crc.finalize();
 }
 
 pub fn write_header(&mut self, file: &mut File) {