Merge pull request #465 from jcastillo-arm/jc/tbb_mbedtls_2_x
Move up to mbed TLS 2.x
This commit is contained in:
commit
a84deb9c3f
|
@ -381,7 +381,7 @@ platform.
|
|||
PKI certificates (authentication images). It is expected that open source
|
||||
libraries will be available which can be used to parse an image represented
|
||||
by this method. Such libraries can be used to write the corresponding IPL
|
||||
e.g. the X.509 parsing library code in PolarSSL.
|
||||
e.g. the X.509 parsing library code in mbed TLS.
|
||||
|
||||
3. Platform defined method: This method caters for platform specific
|
||||
proprietary standards to represent authentication or data images. For
|
||||
|
@ -867,7 +867,7 @@ extract the authentication parameters. The number and type of parser libraries
|
|||
depend on the images used in the CoT. Raw images do not need a library, so
|
||||
only an x509v3 library is required for the TBBR CoT.
|
||||
|
||||
ARM platforms will use an x509v3 library based on mbedTLS. This library may be
|
||||
ARM platforms will use an x509v3 library based on mbed TLS. This library may be
|
||||
found in `drivers/auth/mbedtls/mbedtls_x509_parser.c`. It exports three
|
||||
functions:
|
||||
|
||||
|
@ -885,15 +885,17 @@ an image of type `IMG_CERT`, it will call the corresponding function exported
|
|||
in this file.
|
||||
|
||||
The build system must be updated to include the corresponding library and
|
||||
mbedTLS sources. ARM platforms use the `arm_common.mk` file to pull the sources.
|
||||
mbed TLS sources. ARM platforms use the `arm_common.mk` file to pull the
|
||||
sources.
|
||||
|
||||
### 4.3 The cryptographic library
|
||||
|
||||
The cryptographic module relies on a library to perform the required operations,
|
||||
i.e. verify a hash or a digital signature. ARM platforms will use a library
|
||||
based on mbedTLS, which can be found in `drivers/auth/mbedtls/mbedtls_crypto.c`.
|
||||
This library is registered in the authentication framework using the macro
|
||||
`REGISTER_CRYPTO_LIB()` and exports three functions:
|
||||
based on mbed TLS, which can be found in
|
||||
`drivers/auth/mbedtls/mbedtls_crypto.c`. This library is registered in the
|
||||
authentication framework using the macro `REGISTER_CRYPTO_LIB()` and exports
|
||||
three functions:
|
||||
|
||||
```
|
||||
void init(void);
|
||||
|
|
|
@ -607,22 +607,24 @@ following steps should be followed to build a FIP image with support for this
|
|||
feature.
|
||||
|
||||
1. Fulfill the dependencies of the `mbedtls` cryptographic and image parser
|
||||
modules by checking out the tag `mbedtls-1.3.11` from the
|
||||
[mbedTLS Repository].
|
||||
modules by checking out a recent version of the [mbed TLS Repository]. It
|
||||
is important to use a version that is compatible with TF and fixes any
|
||||
known security vulnerabilities. See [mbed TLS Security Center] for more
|
||||
information. This version of TF is tested with tag `mbedtls-2.2.0`.
|
||||
|
||||
The `drivers/auth/mbedtls/mbedtls_*.mk` files contain the list of mbedTLS
|
||||
The `drivers/auth/mbedtls/mbedtls_*.mk` files contain the list of mbed TLS
|
||||
source files the modules depend upon.
|
||||
`include/drivers/auth/mbedtls/mbedtls_config.h` contains the configuration
|
||||
options required to build the mbedTLS sources.
|
||||
options required to build the mbed TLS sources.
|
||||
|
||||
Note that the mbedTLS library is licensed under the GNU GPL version 2
|
||||
or later license. Using mbedTLS source code will affect the licensing of
|
||||
Note that the mbed TLS library is licensed under the Apache version 2.0
|
||||
license. Using mbed TLS source code will affect the licensing of
|
||||
Trusted Firmware binaries that are built using this library.
|
||||
|
||||
2. Ensure that the following command line variables are set while invoking
|
||||
`make` to build Trusted Firmware:
|
||||
|
||||
* `MBEDTLS_DIR=<path of the directory containing mbedTLS sources>`
|
||||
* `MBEDTLS_DIR=<path of the directory containing mbed TLS sources>`
|
||||
* `TRUSTED_BOARD_BOOT=1`
|
||||
* `GENERATE_COT=1`
|
||||
|
||||
|
@ -647,7 +649,7 @@ feature.
|
|||
|
||||
CROSS_COMPILE=<path-to-aarch64-gcc>/bin/aarch64-linux-gnu- \
|
||||
BL33=<path-to>/<bl33_image> \
|
||||
MBEDTLS_DIR=<path of the directory containing mbedTLS sources> \
|
||||
MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
|
||||
make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
|
||||
ARM_ROTPK_LOCATION=devel_rsa \
|
||||
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
|
||||
|
@ -1265,6 +1267,7 @@ _Copyright (c) 2013-2015, ARM Limited and Contributors. All rights reserved._
|
|||
[Juno Instructions]: https://community.arm.com/docs/DOC-10804
|
||||
[Juno Getting Started Guide]: http://infocenter.arm.com/help/topic/com.arm.doc.dui0928e/DUI0928E_juno_arm_development_platform_gsg.pdf
|
||||
[DS-5]: http://www.arm.com/products/tools/software-tools/ds-5/index.php
|
||||
[mbedTLS Repository]: https://github.com/ARMmbed/mbedtls.git
|
||||
[mbed TLS Repository]: https://github.com/ARMmbed/mbedtls.git
|
||||
[mbed TLS Security Center]: https://tls.mbed.org/security
|
||||
[PSCI]: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf "Power State Coordination Interface PDD (ARM DEN 0022C)"
|
||||
[Trusted Board Boot]: trusted-board-boot.md
|
||||
|
|
|
@ -30,11 +30,11 @@
|
|||
|
||||
#include <assert.h>
|
||||
|
||||
/* mbedTLS headers */
|
||||
#include <polarssl/memory_buffer_alloc.h>
|
||||
/* mbed TLS headers */
|
||||
#include <mbedtls/memory_buffer_alloc.h>
|
||||
|
||||
/*
|
||||
* mbedTLS heap
|
||||
* mbed TLS heap
|
||||
*/
|
||||
#if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA)
|
||||
#define MBEDTLS_HEAP_SIZE (14*1024)
|
||||
|
@ -44,22 +44,15 @@
|
|||
static unsigned char heap[MBEDTLS_HEAP_SIZE];
|
||||
|
||||
/*
|
||||
* mbedTLS initialization function
|
||||
*
|
||||
* Return: 0 = success, Otherwise = error
|
||||
* mbed TLS initialization function
|
||||
*/
|
||||
void mbedtls_init(void)
|
||||
{
|
||||
static int ready;
|
||||
int rc;
|
||||
|
||||
if (!ready) {
|
||||
/* Initialize the mbedTLS heap */
|
||||
rc = memory_buffer_alloc_init(heap, MBEDTLS_HEAP_SIZE);
|
||||
if (rc == 0) {
|
||||
ready = 1;
|
||||
} else {
|
||||
assert(0);
|
||||
}
|
||||
/* Initialize the mbed TLS heap */
|
||||
mbedtls_memory_buffer_alloc_init(heap, MBEDTLS_HEAP_SIZE);
|
||||
ready = 1;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,7 +31,7 @@
|
|||
ifneq (${MBEDTLS_COMMON_MK},1)
|
||||
MBEDTLS_COMMON_MK := 1
|
||||
|
||||
# MBEDTLS_DIR must be set to the mbedTLS main directory (it must contain
|
||||
# MBEDTLS_DIR must be set to the mbed TLS main directory (it must contain
|
||||
# the 'include' and 'library' subdirectories).
|
||||
ifeq (${MBEDTLS_DIR},)
|
||||
$(error Error: MBEDTLS_DIR not set)
|
||||
|
@ -40,9 +40,9 @@ endif
|
|||
INCLUDES += -I${MBEDTLS_DIR}/include \
|
||||
-Iinclude/drivers/auth/mbedtls
|
||||
|
||||
# Specify mbedTLS configuration file
|
||||
POLARSSL_CONFIG_FILE := "<mbedtls_config.h>"
|
||||
$(eval $(call add_define,POLARSSL_CONFIG_FILE))
|
||||
# Specify mbed TLS configuration file
|
||||
MBEDTLS_CONFIG_FILE := "<mbedtls_config.h>"
|
||||
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
|
||||
|
||||
MBEDTLS_COMMON_SOURCES := drivers/auth/mbedtls/mbedtls_common.c \
|
||||
$(addprefix ${MBEDTLS_DIR}/library/, \
|
||||
|
|
|
@ -35,13 +35,13 @@
|
|||
#include <stddef.h>
|
||||
#include <string.h>
|
||||
|
||||
/* mbedTLS headers */
|
||||
#include <polarssl/md_wrap.h>
|
||||
#include <polarssl/memory_buffer_alloc.h>
|
||||
#include <polarssl/oid.h>
|
||||
#include <polarssl/platform.h>
|
||||
/* mbed TLS headers */
|
||||
#include <mbedtls/md.h>
|
||||
#include <mbedtls/memory_buffer_alloc.h>
|
||||
#include <mbedtls/oid.h>
|
||||
#include <mbedtls/platform.h>
|
||||
|
||||
#define LIB_NAME "mbedTLS"
|
||||
#define LIB_NAME "mbed TLS"
|
||||
|
||||
/*
|
||||
* AlgorithmIdentifier ::= SEQUENCE {
|
||||
|
@ -65,7 +65,7 @@
|
|||
*/
|
||||
static void init(void)
|
||||
{
|
||||
/* Initialize mbedTLS */
|
||||
/* Initialize mbed TLS */
|
||||
mbedtls_init();
|
||||
}
|
||||
|
||||
|
@ -80,36 +80,36 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
|||
void *sig_alg, unsigned int sig_alg_len,
|
||||
void *pk_ptr, unsigned int pk_len)
|
||||
{
|
||||
asn1_buf sig_oid, sig_params;
|
||||
asn1_buf signature;
|
||||
md_type_t md_alg;
|
||||
pk_type_t pk_alg;
|
||||
pk_context pk;
|
||||
mbedtls_asn1_buf sig_oid, sig_params;
|
||||
mbedtls_asn1_buf signature;
|
||||
mbedtls_md_type_t md_alg;
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
mbedtls_pk_context pk;
|
||||
int rc;
|
||||
void *sig_opts = NULL;
|
||||
const md_info_t *md_info;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
unsigned char *p, *end;
|
||||
unsigned char hash[POLARSSL_MD_MAX_SIZE];
|
||||
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
||||
|
||||
/* Get pointers to signature OID and parameters */
|
||||
p = (unsigned char *)sig_alg;
|
||||
end = (unsigned char *)(p + sig_alg_len);
|
||||
rc = asn1_get_alg(&p, end, &sig_oid, &sig_params);
|
||||
rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_SIGNATURE;
|
||||
}
|
||||
|
||||
/* Get the actual signature algorithm (MD + PK) */
|
||||
rc = oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
|
||||
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_SIGNATURE;
|
||||
}
|
||||
|
||||
/* Parse the public key */
|
||||
pk_init(&pk);
|
||||
mbedtls_pk_init(&pk);
|
||||
p = (unsigned char *)pk_ptr;
|
||||
end = (unsigned char *)(p + pk_len);
|
||||
rc = pk_parse_subpubkey(&p, end, &pk);
|
||||
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_SIGNATURE;
|
||||
}
|
||||
|
@ -118,7 +118,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
|||
p = (unsigned char *)sig_ptr;
|
||||
end = (unsigned char *)(p + sig_len);
|
||||
signature.tag = *p;
|
||||
rc = asn1_get_bitstring_null(&p, end, &signature.len);
|
||||
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
|
||||
if (rc != 0) {
|
||||
rc = CRYPTO_ERR_SIGNATURE;
|
||||
goto end;
|
||||
|
@ -126,21 +126,22 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
|||
signature.p = p;
|
||||
|
||||
/* Calculate the hash of the data */
|
||||
md_info = md_info_from_type(md_alg);
|
||||
md_info = mbedtls_md_info_from_type(md_alg);
|
||||
if (md_info == NULL) {
|
||||
rc = CRYPTO_ERR_SIGNATURE;
|
||||
goto end;
|
||||
}
|
||||
p = (unsigned char *)data_ptr;
|
||||
rc = md(md_info, p, data_len, hash);
|
||||
rc = mbedtls_md(md_info, p, data_len, hash);
|
||||
if (rc != 0) {
|
||||
rc = CRYPTO_ERR_SIGNATURE;
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* Verify the signature */
|
||||
rc = pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
|
||||
md_info->size, signature.p, signature.len);
|
||||
rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
|
||||
mbedtls_md_get_size(md_info),
|
||||
signature.p, signature.len);
|
||||
if (rc != 0) {
|
||||
rc = CRYPTO_ERR_SIGNATURE;
|
||||
goto end;
|
||||
|
@ -150,7 +151,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
|
|||
rc = CRYPTO_SUCCESS;
|
||||
|
||||
end:
|
||||
pk_free(&pk);
|
||||
mbedtls_pk_free(&pk);
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
@ -163,59 +164,60 @@ end:
|
|||
static int verify_hash(void *data_ptr, unsigned int data_len,
|
||||
void *digest_info_ptr, unsigned int digest_info_len)
|
||||
{
|
||||
asn1_buf hash_oid, params;
|
||||
md_type_t md_alg;
|
||||
const md_info_t *md_info;
|
||||
mbedtls_asn1_buf hash_oid, params;
|
||||
mbedtls_md_type_t md_alg;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
unsigned char *p, *end, *hash;
|
||||
unsigned char data_hash[POLARSSL_MD_MAX_SIZE];
|
||||
unsigned char data_hash[MBEDTLS_MD_MAX_SIZE];
|
||||
size_t len;
|
||||
int rc;
|
||||
|
||||
/* Digest info should be an ASN1_SEQUENCE */
|
||||
/* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
|
||||
p = (unsigned char *)digest_info_ptr;
|
||||
end = (unsigned char *)(digest_info_ptr + digest_info_len);
|
||||
rc = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Get the hash algorithm */
|
||||
rc = asn1_get_alg(&p, end, &hash_oid, ¶ms);
|
||||
rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
rc = oid_get_md_alg(&hash_oid, &md_alg);
|
||||
rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
md_info = md_info_from_type(md_alg);
|
||||
md_info = mbedtls_md_info_from_type(md_alg);
|
||||
if (md_info == NULL) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Hash should be octet string type */
|
||||
rc = asn1_get_tag(&p, end, &len, ASN1_OCTET_STRING);
|
||||
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Length of hash must match the algorithm's size */
|
||||
if (len != md_info->size) {
|
||||
if (len != mbedtls_md_get_size(md_info)) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
hash = p;
|
||||
|
||||
/* Calculate the hash of the data */
|
||||
p = (unsigned char *)data_ptr;
|
||||
rc = md(md_info, p, data_len, data_hash);
|
||||
rc = mbedtls_md(md_info, p, data_len, data_hash);
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Compare values */
|
||||
rc = memcmp(data_hash, hash, md_info->size);
|
||||
rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info));
|
||||
if (rc != 0) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
|
|
@ -62,10 +62,10 @@ else ifeq (${MBEDTLS_KEY_ALG},rsa)
|
|||
)
|
||||
MBEDTLS_KEY_ALG_ID := MBEDTLS_RSA
|
||||
else
|
||||
$(error "MBEDTLS_KEY_ALG=${MBEDTLS_KEY_ALG} not supported on mbedTLS")
|
||||
$(error "MBEDTLS_KEY_ALG=${MBEDTLS_KEY_ALG} not supported on mbed TLS")
|
||||
endif
|
||||
|
||||
# mbedTLS libraries rely on this define to build correctly
|
||||
# mbed TLS libraries rely on this define to build correctly
|
||||
$(eval $(call add_define,MBEDTLS_KEY_ALG_ID))
|
||||
|
||||
BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
|
||||
|
|
|
@ -29,7 +29,7 @@
|
|||
*/
|
||||
|
||||
/*
|
||||
* X509 parser based on PolarSSL
|
||||
* X509 parser based on mbed TLS
|
||||
*
|
||||
* This module implements functions to check the integrity of a X509v3
|
||||
* certificate ASN.1 structure and extract authentication parameters from the
|
||||
|
@ -43,25 +43,25 @@
|
|||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
/* mbedTLS headers */
|
||||
#include <polarssl/asn1.h>
|
||||
#include <polarssl/oid.h>
|
||||
#include <polarssl/platform.h>
|
||||
/* mbed TLS headers */
|
||||
#include <mbedtls/asn1.h>
|
||||
#include <mbedtls/oid.h>
|
||||
#include <mbedtls/platform.h>
|
||||
|
||||
/* Maximum OID string length ("a.b.c.d.e.f ...") */
|
||||
#define MAX_OID_STR_LEN 64
|
||||
|
||||
#define LIB_NAME "mbedTLS X509v3"
|
||||
#define LIB_NAME "mbed TLS X509v3"
|
||||
|
||||
/* Temporary variables to speed up the authentication parameters search. These
|
||||
* variables are assigned once during the integrity check and used any time an
|
||||
* authentication parameter is requested, so we do not have to parse the image
|
||||
* again */
|
||||
static asn1_buf tbs;
|
||||
static asn1_buf v3_ext;
|
||||
static asn1_buf pk;
|
||||
static asn1_buf sig_alg;
|
||||
static asn1_buf signature;
|
||||
static mbedtls_asn1_buf tbs;
|
||||
static mbedtls_asn1_buf v3_ext;
|
||||
static mbedtls_asn1_buf pk;
|
||||
static mbedtls_asn1_buf sig_alg;
|
||||
static mbedtls_asn1_buf signature;
|
||||
|
||||
/*
|
||||
* Get X509v3 extension
|
||||
|
@ -78,7 +78,7 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
|
|||
unsigned char *p;
|
||||
const unsigned char *end;
|
||||
char oid_str[MAX_OID_STR_LEN];
|
||||
asn1_buf extn_oid;
|
||||
mbedtls_asn1_buf extn_oid;
|
||||
int is_critical;
|
||||
|
||||
assert(oid != NULL);
|
||||
|
@ -86,32 +86,36 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
|
|||
p = v3_ext.p;
|
||||
end = v3_ext.p + v3_ext.len;
|
||||
|
||||
asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
|
||||
while (p < end) {
|
||||
memset(&extn_oid, 0x0, sizeof(extn_oid));
|
||||
is_critical = 0; /* DEFAULT FALSE */
|
||||
|
||||
asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
end_ext_data = p + len;
|
||||
|
||||
/* Get extension ID */
|
||||
extn_oid.tag = *p;
|
||||
asn1_get_tag(&p, end, &extn_oid.len, ASN1_OID);
|
||||
mbedtls_asn1_get_tag(&p, end, &extn_oid.len, MBEDTLS_ASN1_OID);
|
||||
extn_oid.p = p;
|
||||
p += extn_oid.len;
|
||||
|
||||
/* Get optional critical */
|
||||
asn1_get_bool(&p, end_ext_data, &is_critical);
|
||||
mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
|
||||
|
||||
/* Extension data */
|
||||
asn1_get_tag(&p, end_ext_data, &len, ASN1_OCTET_STRING);
|
||||
mbedtls_asn1_get_tag(&p, end_ext_data, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING);
|
||||
end_ext_octet = p + len;
|
||||
|
||||
/* Detect requested extension */
|
||||
oid_len = oid_get_numeric_string(oid_str,
|
||||
MAX_OID_STR_LEN, &extn_oid);
|
||||
if (oid_len == POLARSSL_ERR_OID_BUF_TOO_SMALL) {
|
||||
oid_len = mbedtls_oid_get_numeric_string(oid_str,
|
||||
MAX_OID_STR_LEN,
|
||||
&extn_oid);
|
||||
if (oid_len == MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
|
||||
return IMG_PARSER_ERR;
|
||||
}
|
||||
if ((oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) {
|
||||
|
@ -137,7 +141,7 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
int ret, is_critical;
|
||||
size_t len;
|
||||
unsigned char *p, *end, *crt_end;
|
||||
asn1_buf sig_alg1, sig_alg2;
|
||||
mbedtls_asn1_buf sig_alg1, sig_alg2;
|
||||
|
||||
p = (unsigned char *)img;
|
||||
len = img_len;
|
||||
|
@ -149,7 +153,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* signatureAlgorithm AlgorithmIdentifier,
|
||||
* signatureValue BIT STRING }
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -163,7 +168,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* TBSCertificate ::= SEQUENCE {
|
||||
*/
|
||||
tbs.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -173,8 +179,9 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len,
|
||||
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 0);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -183,7 +190,7 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* CertificateSerialNumber ::= INTEGER
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_INTEGER);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -193,7 +200,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* signature AlgorithmIdentifier
|
||||
*/
|
||||
sig_alg1.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -206,7 +214,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* issuer Name
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -218,7 +227,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* notAfter Time }
|
||||
*
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -227,7 +237,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* subject Name
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -237,7 +248,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* SubjectPublicKeyInfo
|
||||
*/
|
||||
pk.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -247,10 +259,11 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len,
|
||||
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 1);
|
||||
if (ret != 0) {
|
||||
if (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
} else {
|
||||
|
@ -260,10 +273,11 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len,
|
||||
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 2);
|
||||
if (ret != 0) {
|
||||
if (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
} else {
|
||||
|
@ -273,8 +287,9 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
/*
|
||||
* extensions [3] EXPLICIT Extensions OPTIONAL
|
||||
*/
|
||||
ret = asn1_get_tag(&p, end, &len,
|
||||
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 3);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -283,7 +298,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||
*/
|
||||
v3_ext.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -293,27 +309,29 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* Check extensions integrity
|
||||
*/
|
||||
while (p < end) {
|
||||
ret = asn1_get_tag(&p, end, &len,
|
||||
ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
||||
/* Get extension ID */
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_OID);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
p += len;
|
||||
|
||||
/* Get optional critical */
|
||||
ret = asn1_get_bool(&p, end, &is_critical);
|
||||
if ((ret != 0) && (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG)) {
|
||||
ret = mbedtls_asn1_get_bool(&p, end, &is_critical);
|
||||
if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
||||
/* Data should be octet string type */
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_OCTET_STRING);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -333,7 +351,8 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* signatureAlgorithm AlgorithmIdentifier
|
||||
*/
|
||||
sig_alg2.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
@ -356,7 +375,7 @@ static int cert_parse(void *img, unsigned int img_len)
|
|||
* signatureValue BIT STRING
|
||||
*/
|
||||
signature.p = p;
|
||||
ret = asn1_get_tag(&p, end, &len, ASN1_BIT_STRING);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
|
||||
if (ret != 0) {
|
||||
return IMG_PARSER_ERR_FORMAT;
|
||||
}
|
||||
|
|
|
@ -31,69 +31,69 @@
|
|||
#define __MBEDTLS_CONFIG_H__
|
||||
|
||||
/*
|
||||
* Key algorithms currently supported on mbedTLS libraries
|
||||
* Key algorithms currently supported on mbed TLS libraries
|
||||
*/
|
||||
#define MBEDTLS_RSA 1
|
||||
#define MBEDTLS_ECDSA 2
|
||||
|
||||
/*
|
||||
* Configuration file to build PolarSSL with the required features for
|
||||
* Configuration file to build mbed TLS with the required features for
|
||||
* Trusted Boot
|
||||
*/
|
||||
|
||||
#define POLARSSL_PLATFORM_MEMORY
|
||||
#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS
|
||||
#define MBEDTLS_PLATFORM_MEMORY
|
||||
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||
|
||||
#define POLARSSL_PKCS1_V15
|
||||
#define POLARSSL_PKCS1_V21
|
||||
#define MBEDTLS_PKCS1_V15
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
|
||||
#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
#define POLARSSL_X509_CHECK_KEY_USAGE
|
||||
#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE
|
||||
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||
#define MBEDTLS_X509_CHECK_KEY_USAGE
|
||||
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
|
||||
|
||||
#define POLARSSL_ASN1_PARSE_C
|
||||
#define POLARSSL_ASN1_WRITE_C
|
||||
#define MBEDTLS_ASN1_PARSE_C
|
||||
#define MBEDTLS_ASN1_WRITE_C
|
||||
|
||||
#define POLARSSL_BASE64_C
|
||||
#define POLARSSL_BIGNUM_C
|
||||
#define MBEDTLS_BASE64_C
|
||||
#define MBEDTLS_BIGNUM_C
|
||||
|
||||
#define POLARSSL_ERROR_C
|
||||
#define POLARSSL_MD_C
|
||||
#define MBEDTLS_ERROR_C
|
||||
#define MBEDTLS_MD_C
|
||||
|
||||
#define POLARSSL_MEMORY_BUFFER_ALLOC_C
|
||||
#define POLARSSL_OID_C
|
||||
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
#define MBEDTLS_OID_C
|
||||
|
||||
#define POLARSSL_PK_C
|
||||
#define POLARSSL_PK_PARSE_C
|
||||
#define POLARSSL_PK_WRITE_C
|
||||
#define MBEDTLS_PK_C
|
||||
#define MBEDTLS_PK_PARSE_C
|
||||
#define MBEDTLS_PK_WRITE_C
|
||||
|
||||
#define POLARSSL_PLATFORM_C
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
|
||||
#if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA)
|
||||
#define POLARSSL_ECDSA_C
|
||||
#define POLARSSL_ECP_C
|
||||
#define POLARSSL_ECP_DP_SECP256R1_ENABLED
|
||||
#define MBEDTLS_ECDSA_C
|
||||
#define MBEDTLS_ECP_C
|
||||
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
#elif (MBEDTLS_KEY_ALG_ID == MBEDTLS_RSA)
|
||||
#define POLARSSL_RSA_C
|
||||
#define MBEDTLS_RSA_C
|
||||
#endif
|
||||
|
||||
#define POLARSSL_SHA256_C
|
||||
#define MBEDTLS_SHA256_C
|
||||
|
||||
#define POLARSSL_VERSION_C
|
||||
#define MBEDTLS_VERSION_C
|
||||
|
||||
#define POLARSSL_X509_USE_C
|
||||
#define POLARSSL_X509_CRT_PARSE_C
|
||||
#define MBEDTLS_X509_USE_C
|
||||
#define MBEDTLS_X509_CRT_PARSE_C
|
||||
|
||||
/* MPI / BIGNUM options */
|
||||
#define POLARSSL_MPI_WINDOW_SIZE 2
|
||||
#define POLARSSL_MPI_MAX_SIZE 256
|
||||
#define MBEDTLS_MPI_WINDOW_SIZE 2
|
||||
#define MBEDTLS_MPI_MAX_SIZE 256
|
||||
|
||||
/* Memory buffer allocator options */
|
||||
#define POLARSSL_MEMORY_ALIGN_MULTIPLE 8
|
||||
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
|
||||
|
||||
#include "polarssl/check_config.h"
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
/* System headers required to build mbedTLS with the current configuration */
|
||||
/* System headers required to build mbed TLS with the current configuration */
|
||||
#include <stdlib.h>
|
||||
|
||||
#endif /* __MBEDTLS_CONFIG_H__ */
|
||||
|
|
Loading…
Reference in New Issue