Merge "feat(mbedtls): update config for 3.6.0" into integration

7 files changed, 94 insertions, 27 deletions

diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 2bb23f961..55ab9358e 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -41,7 +41,6 @@ LIBMBEDTLS_SRCS		+= $(addprefix ${MBEDTLS_DIR}/library/,		\
 					cipher.c 			\
 					cipher_wrap.c 			\
 					constant_time.c			\
-					hash_info.c			\
 					memory_buffer_alloc.c		\
 					oid.c 				\
 					platform.c 			\
@@ -51,6 +50,7 @@ LIBMBEDTLS_SRCS		+= $(addprefix ${MBEDTLS_DIR}/library/,		\
 					gcm.c 				\
 					md.c				\
 					pk.c 				\
+					pk_ecc.c 			\
 					pk_wrap.c 			\
 					pkparse.c 			\
 					pkwrite.c 			\
@@ -65,22 +65,16 @@ LIBMBEDTLS_SRCS		+= $(addprefix ${MBEDTLS_DIR}/library/,		\
 					x509_crt.c 			\
 					)
 
-# Currently on Mbedtls-3 there is outstanding bug due to usage
-# of redundant declaration[1], So disable redundant-decls
-# compilation flag to avoid compilation error when compiling with
-# Mbedtls-3.
-# [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910
-LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls
-
 ifeq (${PSA_CRYPTO},1)
+LIBMBEDTLS_CFLAGS 	+= -Wno-error=unused-but-set-variable
 LIBMBEDTLS_SRCS         += $(addprefix ${MBEDTLS_DIR}/library/,    	\
 					psa_crypto.c                   	\
 					psa_crypto_client.c            	\
-					psa_crypto_driver_wrappers.c   	\
 					psa_crypto_hash.c              	\
 					psa_crypto_rsa.c               	\
 					psa_crypto_ecp.c               	\
 					psa_crypto_slot_management.c   	\
+					psa_util.c			\
 					)
 endif
 
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index 230cec9d4..9bfcaac0b 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -65,6 +65,18 @@ static void init(void)
 
 #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
+
+
+/*
+ * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has
+ * advised that it's better to copy out the declaration than it would be to
+ * update to 3.5.2, where this function is exposed.
+ */
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid,
+			     const mbedtls_x509_buf *sig_params,
+			     mbedtls_md_type_t *md_alg,
+			     mbedtls_pk_type_t *pk_alg,
+			     void **sig_opts);
 /*
  * Verify a signature.
  *
diff --git a/drivers/auth/mbedtls/mbedtls_psa_crypto.c b/drivers/auth/mbedtls/mbedtls_psa_crypto.c
index 5891acf37..99242e335 100644
--- a/drivers/auth/mbedtls/mbedtls_psa_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_psa_crypto.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -14,6 +14,7 @@
 #include <mbedtls/memory_buffer_alloc.h>
 #include <mbedtls/oid.h>
 #include <mbedtls/platform.h>
+#include <mbedtls/psa_util.h>
 #include <mbedtls/version.h>
 #include <mbedtls/x509.h>
 #include <psa/crypto.h>
@@ -49,16 +50,6 @@ CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
 	* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
 	*/
 
-static inline psa_algorithm_t mbedtls_md_psa_alg_from_type(
-						mbedtls_md_type_t md_type)
-{
-	assert((md_type == MBEDTLS_MD_SHA256) ||
-	       (md_type == MBEDTLS_MD_SHA384) ||
-	       (md_type == MBEDTLS_MD_SHA512));
-
-	return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) (md_type + 0x5);
-}
-
 /*
  * AlgorithmIdentifier  ::=  SEQUENCE  {
  *     algorithm               OBJECT IDENTIFIER,
@@ -293,6 +284,62 @@ static int get_ecdsa_signature_from_asn1(unsigned char *sig_ptr,
 	**/
 
 /*
+ * This is a helper function that adjusts the start of the pk_start to point to
+ * the subjectPublicKey bytes within the SubjectPublicKeyInfo block.
+ *
+ *  SubjectPublicKeyInfo  ::=  SEQUENCE  {
+ *       algorithm            AlgorithmIdentifier,
+ *       subjectPublicKey     BIT STRING }
+ *
+ * This function returns error(CRYPTO_ERR_SIGNATURE) on ASN.1 parsing failure,
+ * otherwise success(0).
+ **/
+static int pk_bytes_from_subpubkey(unsigned char **pk_start,
+				   unsigned int *pk_len)
+{
+	mbedtls_asn1_buf alg_oid, alg_params;
+	int rc;
+	unsigned char *pk_end;
+	size_t len;
+	unsigned char *pk_ptr = *pk_start;
+
+	pk_end = pk_ptr + *pk_len;
+	rc = mbedtls_asn1_get_tag(&pk_ptr, pk_end, &len,
+				  MBEDTLS_ASN1_CONSTRUCTED |
+				  MBEDTLS_ASN1_SEQUENCE);
+	if (rc != 0) {
+		return CRYPTO_ERR_SIGNATURE;
+	}
+
+	pk_end = pk_ptr + len;
+	rc = mbedtls_asn1_get_alg(&pk_ptr, pk_end, &alg_oid, &alg_params);
+	if (rc != 0) {
+		return CRYPTO_ERR_SIGNATURE;
+	}
+	pk_end = pk_ptr + len - (alg_oid.len + alg_params.len +
+		 2 * (SIZE_OF_ASN1_LEN + SIZE_OF_ASN1_TAG));
+	rc = mbedtls_asn1_get_bitstring_null(&pk_ptr, pk_end, &len);
+	if (rc != 0) {
+		return CRYPTO_ERR_SIGNATURE;
+	}
+
+	*pk_start = pk_ptr;
+	*pk_len = len;
+
+	return rc;
+}
+
+/*
+ * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has
+ * advised that it's better to copy out the declaration than it would be to
+ * update to 3.5.2, where this function is exposed.
+ */
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid,
+			     const mbedtls_x509_buf *sig_params,
+			     mbedtls_md_type_t *md_alg,
+			     mbedtls_pk_type_t *pk_alg,
+			     void **sig_opts);
+/*
  * Verify a signature.
  *
  * Parameters are passed using the DER encoding format following the ASN.1
@@ -388,6 +435,20 @@ TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
 	psa_set_key_type(&psa_key_attr, psa_key_type);
 	psa_set_key_usage_flags(&psa_key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE);
 
+	/*
+	 * Note: In the implementation of the psa_import_key function in
+	 * version 3.6.0, the function expects the starting pointer of the
+	 * subject public key instead of the starting point of
+	 * SubjectPublicKeyInfo.
+	 * This is only needed while dealing with RSASSA_PSS (RSA Signature
+	 * scheme with Appendix based on Probabilistic Signature Scheme)
+	 * algorithm.
+	 */
+	if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
+		rc = pk_bytes_from_subpubkey((unsigned char **) &pk_ptr, &pk_len);
+		goto end2;
+	}
+
 	/* Get the key_id using import API */
 	status = psa_import_key(&psa_key_attr,
 				pk_ptr,
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/mbedtls_config-3.h
index 923fc5467..37a9288ec 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config-3.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config-3.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -128,7 +128,6 @@
 #ifndef __ASSEMBLER__
 /* System headers required to build mbed TLS with the current configuration */
 #include <stdlib.h>
-#include <mbedtls/check_config.h>
 #endif
 
 /*
diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/include/drivers/auth/mbedtls/psa_mbedtls_config.h
index ad825f0aa..1001d895e 100644
--- a/include/drivers/auth/mbedtls/psa_mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/psa_mbedtls_config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2023, Arm Ltd. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Ltd. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -10,6 +10,7 @@
 #include "mbedtls_config-3.h"
 
 #define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
 
 /*
  * Using PSA crypto API requires an RNG right now. If we don't define the macro
diff --git a/plat/arm/board/tc/platform_test.mk b/plat/arm/board/tc/platform_test.mk
index 8ef6f768b..8d393254c 100644
--- a/plat/arm/board/tc/platform_test.mk
+++ b/plat/arm/board/tc/platform_test.mk
@@ -61,11 +61,12 @@ else ifeq (${PLATFORM_TEST},tfm-testsuite)
 					hmac_drbg.c				\
 					psa_crypto.c				\
 					psa_crypto_client.c			\
-					psa_crypto_driver_wrappers.c		\
+					psa_crypto_driver_wrappers_no_static.c	\
 					psa_crypto_hash.c			\
 					psa_crypto_rsa.c			\
 					psa_crypto_ecp.c			\
 					psa_crypto_slot_management.c		\
+					psa_util.c				\
 					)
 
     BL31_SOURCES	+=	${RSE_COMMS_SOURCES}				\
diff --git a/plat/st/common/include/stm32mp_mbedtls_config-3.h b/plat/st/common/include/stm32mp_mbedtls_config-3.h
index a812671bb..2dbf06891 100644
--- a/plat/st/common/include/stm32mp_mbedtls_config-3.h
+++ b/plat/st/common/include/stm32mp_mbedtls_config-3.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved
+ * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -102,7 +102,6 @@
 #ifndef __ASSEMBLER__
 /* System headers required to build mbed TLS with the current configuration */
 #include <stdlib.h>
-#include <mbedtls/check_config.h>
 #endif
 
 /*