diff options
author | Lauren Wehrmeister <lauren.wehrmeister@arm.com> | 2024-05-09 21:14:07 +0200 |
---|---|---|
committer | TrustedFirmware Code Review <review@review.trustedfirmware.org> | 2024-05-09 21:14:07 +0200 |
commit | b692987ccb02fd3a19d5d5facb9d6b1aa1fede9e (patch) | |
tree | da1f29714888b54b7357841a14b7a9a611856213 | |
parent | bbbc32c9041ba8931acdbffd350433ae101e4f50 (diff) | |
parent | 55aed7d798f3d48d6aa08d58eb46c4cda318bcfb (diff) | |
download | arm-trusted-firmware-b692987ccb02fd3a19d5d5facb9d6b1aa1fede9e.tar.gz |
Merge "feat(mbedtls): update config for 3.6.0" into integration
-rw-r--r-- | drivers/auth/mbedtls/mbedtls_common.mk | 12 | ||||
-rw-r--r-- | drivers/auth/mbedtls/mbedtls_crypto.c | 14 | ||||
-rw-r--r-- | drivers/auth/mbedtls/mbedtls_psa_crypto.c | 83 | ||||
-rw-r--r-- | include/drivers/auth/mbedtls/mbedtls_config-3.h | 3 | ||||
-rw-r--r-- | include/drivers/auth/mbedtls/psa_mbedtls_config.h | 3 | ||||
-rw-r--r-- | plat/arm/board/tc/platform_test.mk | 3 | ||||
-rw-r--r-- | plat/st/common/include/stm32mp_mbedtls_config-3.h | 3 |
7 files changed, 94 insertions, 27 deletions
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index 2bb23f961..55ab9358e 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -41,7 +41,6 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ cipher.c \ cipher_wrap.c \ constant_time.c \ - hash_info.c \ memory_buffer_alloc.c \ oid.c \ platform.c \ @@ -51,6 +50,7 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ gcm.c \ md.c \ pk.c \ + pk_ecc.c \ pk_wrap.c \ pkparse.c \ pkwrite.c \ @@ -65,22 +65,16 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ x509_crt.c \ ) -# Currently on Mbedtls-3 there is outstanding bug due to usage -# of redundant declaration[1], So disable redundant-decls -# compilation flag to avoid compilation error when compiling with -# Mbedtls-3. -# [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910 -LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls - ifeq (${PSA_CRYPTO},1) +LIBMBEDTLS_CFLAGS += -Wno-error=unused-but-set-variable LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ psa_crypto.c \ psa_crypto_client.c \ - psa_crypto_driver_wrappers.c \ psa_crypto_hash.c \ psa_crypto_rsa.c \ psa_crypto_ecp.c \ psa_crypto_slot_management.c \ + psa_util.c \ ) endif diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c index 230cec9d4..9bfcaac0b 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -65,6 +65,18 @@ static void init(void) #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC + + +/* + * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has + * advised that it's better to copy out the declaration than it would be to + * update to 3.5.2, where this function is exposed. + */ +int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, + const mbedtls_x509_buf *sig_params, + mbedtls_md_type_t *md_alg, + mbedtls_pk_type_t *pk_alg, + void **sig_opts); /* * Verify a signature. * diff --git a/drivers/auth/mbedtls/mbedtls_psa_crypto.c b/drivers/auth/mbedtls/mbedtls_psa_crypto.c index 5891acf37..99242e335 100644 --- a/drivers/auth/mbedtls/mbedtls_psa_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_psa_crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, Arm Limited. All rights reserved. + * Copyright (c) 2023-2024, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -14,6 +14,7 @@ #include <mbedtls/memory_buffer_alloc.h> #include <mbedtls/oid.h> #include <mbedtls/platform.h> +#include <mbedtls/psa_util.h> #include <mbedtls/version.h> #include <mbedtls/x509.h> #include <psa/crypto.h> @@ -49,16 +50,6 @@ CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE, * CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ -static inline psa_algorithm_t mbedtls_md_psa_alg_from_type( - mbedtls_md_type_t md_type) -{ - assert((md_type == MBEDTLS_MD_SHA256) || - (md_type == MBEDTLS_MD_SHA384) || - (md_type == MBEDTLS_MD_SHA512)); - - return PSA_ALG_CATEGORY_HASH | (psa_algorithm_t) (md_type + 0x5); -} - /* * AlgorithmIdentifier ::= SEQUENCE { * algorithm OBJECT IDENTIFIER, @@ -293,6 +284,62 @@ static int get_ecdsa_signature_from_asn1(unsigned char *sig_ptr, **/ /* + * This is a helper function that adjusts the start of the pk_start to point to + * the subjectPublicKey bytes within the SubjectPublicKeyInfo block. + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING } + * + * This function returns error(CRYPTO_ERR_SIGNATURE) on ASN.1 parsing failure, + * otherwise success(0). + **/ +static int pk_bytes_from_subpubkey(unsigned char **pk_start, + unsigned int *pk_len) +{ + mbedtls_asn1_buf alg_oid, alg_params; + int rc; + unsigned char *pk_end; + size_t len; + unsigned char *pk_ptr = *pk_start; + + pk_end = pk_ptr + *pk_len; + rc = mbedtls_asn1_get_tag(&pk_ptr, pk_end, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) { + return CRYPTO_ERR_SIGNATURE; + } + + pk_end = pk_ptr + len; + rc = mbedtls_asn1_get_alg(&pk_ptr, pk_end, &alg_oid, &alg_params); + if (rc != 0) { + return CRYPTO_ERR_SIGNATURE; + } + pk_end = pk_ptr + len - (alg_oid.len + alg_params.len + + 2 * (SIZE_OF_ASN1_LEN + SIZE_OF_ASN1_TAG)); + rc = mbedtls_asn1_get_bitstring_null(&pk_ptr, pk_end, &len); + if (rc != 0) { + return CRYPTO_ERR_SIGNATURE; + } + + *pk_start = pk_ptr; + *pk_len = len; + + return rc; +} + +/* + * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has + * advised that it's better to copy out the declaration than it would be to + * update to 3.5.2, where this function is exposed. + */ +int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, + const mbedtls_x509_buf *sig_params, + mbedtls_md_type_t *md_alg, + mbedtls_pk_type_t *pk_alg, + void **sig_opts); +/* * Verify a signature. * * Parameters are passed using the DER encoding format following the ASN.1 @@ -388,6 +435,20 @@ TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA psa_set_key_type(&psa_key_attr, psa_key_type); psa_set_key_usage_flags(&psa_key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE); + /* + * Note: In the implementation of the psa_import_key function in + * version 3.6.0, the function expects the starting pointer of the + * subject public key instead of the starting point of + * SubjectPublicKeyInfo. + * This is only needed while dealing with RSASSA_PSS (RSA Signature + * scheme with Appendix based on Probabilistic Signature Scheme) + * algorithm. + */ + if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { + rc = pk_bytes_from_subpubkey((unsigned char **) &pk_ptr, &pk_len); + goto end2; + } + /* Get the key_id using import API */ status = psa_import_key(&psa_key_attr, pk_ptr, diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/mbedtls_config-3.h index 923fc5467..37a9288ec 100644 --- a/include/drivers/auth/mbedtls/mbedtls_config-3.h +++ b/include/drivers/auth/mbedtls/mbedtls_config-3.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, Arm Limited. All rights reserved. + * Copyright (c) 2023-2024, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -128,7 +128,6 @@ #ifndef __ASSEMBLER__ /* System headers required to build mbed TLS with the current configuration */ #include <stdlib.h> -#include <mbedtls/check_config.h> #endif /* diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/include/drivers/auth/mbedtls/psa_mbedtls_config.h index ad825f0aa..1001d895e 100644 --- a/include/drivers/auth/mbedtls/psa_mbedtls_config.h +++ b/include/drivers/auth/mbedtls/psa_mbedtls_config.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2023, Arm Ltd. All rights reserved. + * Copyright (c) 2023-2024, Arm Ltd. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -10,6 +10,7 @@ #include "mbedtls_config-3.h" #define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS /* * Using PSA crypto API requires an RNG right now. If we don't define the macro diff --git a/plat/arm/board/tc/platform_test.mk b/plat/arm/board/tc/platform_test.mk index 8ef6f768b..8d393254c 100644 --- a/plat/arm/board/tc/platform_test.mk +++ b/plat/arm/board/tc/platform_test.mk @@ -61,11 +61,12 @@ else ifeq (${PLATFORM_TEST},tfm-testsuite) hmac_drbg.c \ psa_crypto.c \ psa_crypto_client.c \ - psa_crypto_driver_wrappers.c \ + psa_crypto_driver_wrappers_no_static.c \ psa_crypto_hash.c \ psa_crypto_rsa.c \ psa_crypto_ecp.c \ psa_crypto_slot_management.c \ + psa_util.c \ ) BL31_SOURCES += ${RSE_COMMS_SOURCES} \ diff --git a/plat/st/common/include/stm32mp_mbedtls_config-3.h b/plat/st/common/include/stm32mp_mbedtls_config-3.h index a812671bb..2dbf06891 100644 --- a/plat/st/common/include/stm32mp_mbedtls_config-3.h +++ b/plat/st/common/include/stm32mp_mbedtls_config-3.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved + * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved * * SPDX-License-Identifier: BSD-3-Clause */ @@ -102,7 +102,6 @@ #ifndef __ASSEMBLER__ /* System headers required to build mbed TLS with the current configuration */ #include <stdlib.h> -#include <mbedtls/check_config.h> #endif /* |