github
/
arm-trusted-firmware
mirror of https://github.com/ARM-software/arm-trusted-firmware.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3350 Commits
5 Branches
114 Tags
55 MiB
Tree: 79c17995aa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '79c17995aa'
${ noResults }
arm-trusted-firmware/drivers/auth/mbedtls/mbedtls_crypto.c

211 lines
4.8 KiB
Raw Normal View History

TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the platform makefile. Available options are: * 'rsa' (for RSA-2048) (default option) * 'ecdsa' (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
/*
tbbr: Add build flag HASH_ALG to let the user to select the SHA The flag support the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
7 years ago
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the platform makefile. Available options are: * 'rsa' (for RSA-2048) (default option) * 'ecdsa' (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
*
Use SPDX license identifiers To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
8 years ago
* SPDX-License-Identifier: BSD-3-Clause
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the platform makefile. Available options are: * 'rsa' (for RSA-2048) (default option) * 'ecdsa' (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
*/
#include <crypto_mod.h>
#include <debug.h>
#include <mbedtls_common.h>
tbbr: Add build flag HASH_ALG to let the user to select the SHA The flag support the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu &lt;qixiang.xu@arm.com&gt;
7 years ago
#include <mbedtls_config.h>
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
#include <stddef.h>
#include <string.h>
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
/* mbed TLS headers */
#include <mbedtls/md.h>
#include <mbedtls/memory_buffer_alloc.h>
#include <mbedtls/oid.h>
#include <mbedtls/platform.h>
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
#define LIB_NAME "mbed TLS"
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
/*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
* parameters ANY DEFINED BY algorithm OPTIONAL
* }
*
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING
* }
*
* DigestInfo ::= SEQUENCE {
* digestAlgorithm AlgorithmIdentifier,
* digest OCTET STRING
* }
*/
/*
* Initialize the library and export the descriptor
*/
static void init(void)
{
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
/* Initialize mbed TLS */
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
mbedtls_init();
}
/*
* Verify a signature.
*
* Parameters are passed using the DER encoding format following the ASN.1
* structures detailed above.
*/
static int verify_signature(void *data_ptr, unsigned int data_len,
void *sig_ptr, unsigned int sig_len,
void *sig_alg, unsigned int sig_alg_len,
void *pk_ptr, unsigned int pk_len)
{
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
mbedtls_asn1_buf sig_oid, sig_params;
mbedtls_asn1_buf signature;
mbedtls_md_type_t md_alg;
mbedtls_pk_type_t pk_alg;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
mbedtls_pk_context pk = {0};
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
int rc;
void *sig_opts = NULL;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
const mbedtls_md_info_t *md_info;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
unsigned char *p, *end;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
/* Get pointers to signature OID and parameters */
p = (unsigned char *)sig_alg;
end = (unsigned char *)(p + sig_alg_len);
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* Get the actual signature algorithm (MD + PK) */
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* Parse the public key */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
mbedtls_pk_init(&pk);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
p = (unsigned char *)pk_ptr;
end = (unsigned char *)(p + pk_len);
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
rc = CRYPTO_ERR_SIGNATURE;
goto end2;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
}
/* Get the signature (bitstring) */
p = (unsigned char *)sig_ptr;
end = (unsigned char *)(p + sig_len);
signature.tag = *p;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
goto end1;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
}
signature.p = p;
/* Calculate the hash of the data */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
md_info = mbedtls_md_info_from_type(md_alg);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (md_info == NULL) {
rc = CRYPTO_ERR_SIGNATURE;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
goto end1;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
}
p = (unsigned char *)data_ptr;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_md(md_info, p, data_len, hash);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
goto end1;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
}
/* Verify the signature */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
mbedtls_md_get_size(md_info),
signature.p, signature.len);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
goto end1;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
}
/* Signature verification success */
rc = CRYPTO_SUCCESS;
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
end1:
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
mbedtls_pk_free(&pk);
Add support for RSASSAPSS algorithm in mbedtls crypto driver This patch adds support for RSASSA-PSS Signature Algorithm for X509 certificates in mbedtls crypto driver. Now the driver supports RSA PKCS2_1 standard as mandated by TBBR. NOTE: With this patch, the PKCS1_5 standard compliant RSA signature is deprecated. Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461 Signed-off-by: Soby Mathew &lt;soby.mathew@arm.com&gt;
8 years ago
end2:
mbedtls_free(sig_opts);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
return rc;
}
/*
* Match a hash
*
* Digest info is passed in DER format following the ASN.1 structure detailed
* above.
*/
static int verify_hash(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len)
{
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
mbedtls_asn1_buf hash_oid, params;
mbedtls_md_type_t md_alg;
const mbedtls_md_info_t *md_info;
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
unsigned char *p, *end, *hash;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
unsigned char data_hash[MBEDTLS_MD_MAX_SIZE];
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
size_t len;
int rc;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
/* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
p = (unsigned char *)digest_info_ptr;
Always build with &#39;-pedantic&#39; By default ARM TF is built with the &#39;-pedantic&#39; compiler flag, which helps detecting violations of the C standard. However, the mbed TLS library and its associated authentication module in TF used to fail building with this compiler flag. As a workaround, the mbed TLS authentication module makefile used to set the &#39;DISABLE_PEDANTIC&#39; TF build flag. The compiler errors flagged by &#39;-pedantic&#39; in the mbed TLS library have been fixed between versions 1.3.9 and 2.2.0 and the library now properly builds with this compiler flag. This patch fixes the remaining compiler errors in the mbed TLS authentication module in TF and unsets the &#39;DISABLE_PEDANTIC&#39; TF build flag. This means that TF is now always built with &#39;-pedantic&#39;. In particular, this patch: * Removes the final semi-colon in REGISTER_COT() macro. This semi-colon was causing the following error message: drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow extra &#39;;&#39; outside of a function [-Werror=pedantic] This has been fixed both in the mbed TLS authentication module as well as in the certificate generation tool. Note that the latter code didn&#39;t need fixing since it is not built with &#39;-pedantic&#39; but the change has been propagated for consistency. Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros, which were suffering from the same issue. * Fixes a pointer type. It was causing the following error message: drivers/auth/mbedtls/mbedtls_crypto.c: In function &#39;verify_hash&#39;: drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of type &#39;void *&#39; used in arithmetic [-Werror=pointer-arith] Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
9 years ago
end = p + digest_info_len;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Get the hash algorithm */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
md_info = mbedtls_md_info_from_type(md_alg);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (md_info == NULL) {
return CRYPTO_ERR_HASH;
}
/* Hash should be octet string type */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Length of hash must match the algorithm's size */
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
if (len != mbedtls_md_get_size(md_info)) {
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
return CRYPTO_ERR_HASH;
}
hash = p;
/* Calculate the hash of the data */
p = (unsigned char *)data_ptr;
Move up to mbed TLS 2.x The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to &#39;mbed TLS&#39;. Old references to PolarSSL have been updated to &#39;mbed TLS&#39;. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
9 years ago
rc = mbedtls_md(md_info, p, data_len, data_hash);
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Compare values */
Revert &#34;tbbr: Use constant-time bcmp() to compare hashes&#34; This reverts commit b621fb503c76f3bdf06ed5ed1d3a995df8da9c50. Because of the Trusted Firmware design, timing-safe functions are not needed. Using them may be misleading as it could be interpreted as being a protection against private data leakage, which isn&#39;t the case here. For each image, the SHA-256 hash is calculated. Some padding is appended and the result is encrypted with a private key using RSA-2048. This is the signature of the image. The public key is stored along with BL1 in read-only memory and the encrypted hash is stored in the FIP. When authenticating an image, the TF decrypts the hash stored in the FIP and recalculates the hash of the image. If they don&#39;t match, the boot sequence won&#39;t continue. A constant-time comparison does not provide additional security as all the data involved in this process is already known to any attacker. There is no private data that can leaked through a timing attack when authenticating an image. `timingsafe_bcmp()` is kept in the codebase because it could be useful in the future. Change-Id: I44bdcd58faa586a050cc89447e38c142508c9888 Signed-off-by: Antonio Nino Diaz &lt;antonio.ninodiaz@arm.com&gt;
8 years ago
rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info));
TBB: add mbedTLS authentication related libraries This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the &#39;MBEDTLS_KEY_ALG&#39; variable in the platform makefile. Available options are: * &#39;rsa&#39; (for RSA-2048) (default option) * &#39;ecdsa&#39; (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
10 years ago
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
return CRYPTO_SUCCESS;
}
/*
* Register crypto library descriptor
*/
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash);