Commit 649dbf6f authored by Juan Castillo's avatar Juan Castillo
Browse files

Move up to mbed TLS 2.x

The mbed TLS library has introduced some changes in the API from
the 1.3.x to the 2.x releases. Using the 2.x releases requires
some changes to the crypto and transport modules.

This patch updates both modules to the mbed TLS 2.x API.

All references to the mbed TLS library in the code or documentation
have been updated to 'mbed TLS'. Old references to PolarSSL have
been updated to 'mbed TLS'.

User guide updated to use mbed TLS 2.2.0.

NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
Applying this patch will require an mbed TLS 2.x release to be used.
Also note that the mbed TLS license changed to Apache version 2.0.

Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
parent f3974ea5
...@@ -381,7 +381,7 @@ platform. ...@@ -381,7 +381,7 @@ platform.
PKI certificates (authentication images). It is expected that open source PKI certificates (authentication images). It is expected that open source
libraries will be available which can be used to parse an image represented libraries will be available which can be used to parse an image represented
by this method. Such libraries can be used to write the corresponding IPL by this method. Such libraries can be used to write the corresponding IPL
e.g. the X.509 parsing library code in PolarSSL. e.g. the X.509 parsing library code in mbed TLS.
3. Platform defined method: This method caters for platform specific 3. Platform defined method: This method caters for platform specific
proprietary standards to represent authentication or data images. For proprietary standards to represent authentication or data images. For
...@@ -867,7 +867,7 @@ extract the authentication parameters. The number and type of parser libraries ...@@ -867,7 +867,7 @@ extract the authentication parameters. The number and type of parser libraries
depend on the images used in the CoT. Raw images do not need a library, so depend on the images used in the CoT. Raw images do not need a library, so
only an x509v3 library is required for the TBBR CoT. only an x509v3 library is required for the TBBR CoT.
ARM platforms will use an x509v3 library based on mbedTLS. This library may be ARM platforms will use an x509v3 library based on mbed TLS. This library may be
found in `drivers/auth/mbedtls/mbedtls_x509_parser.c`. It exports three found in `drivers/auth/mbedtls/mbedtls_x509_parser.c`. It exports three
functions: functions:
...@@ -885,15 +885,17 @@ an image of type `IMG_CERT`, it will call the corresponding function exported ...@@ -885,15 +885,17 @@ an image of type `IMG_CERT`, it will call the corresponding function exported
in this file. in this file.
The build system must be updated to include the corresponding library and The build system must be updated to include the corresponding library and
mbedTLS sources. ARM platforms use the `arm_common.mk` file to pull the sources. mbed TLS sources. ARM platforms use the `arm_common.mk` file to pull the
sources.
### 4.3 The cryptographic library ### 4.3 The cryptographic library
The cryptographic module relies on a library to perform the required operations, The cryptographic module relies on a library to perform the required operations,
i.e. verify a hash or a digital signature. ARM platforms will use a library i.e. verify a hash or a digital signature. ARM platforms will use a library
based on mbedTLS, which can be found in `drivers/auth/mbedtls/mbedtls_crypto.c`. based on mbed TLS, which can be found in
This library is registered in the authentication framework using the macro `drivers/auth/mbedtls/mbedtls_crypto.c`. This library is registered in the
`REGISTER_CRYPTO_LIB()` and exports three functions: authentication framework using the macro `REGISTER_CRYPTO_LIB()` and exports
three functions:
``` ```
void init(void); void init(void);
......
...@@ -603,22 +603,24 @@ following steps should be followed to build a FIP image with support for this ...@@ -603,22 +603,24 @@ following steps should be followed to build a FIP image with support for this
feature. feature.
1. Fulfill the dependencies of the `mbedtls` cryptographic and image parser 1. Fulfill the dependencies of the `mbedtls` cryptographic and image parser
modules by checking out the tag `mbedtls-1.3.11` from the modules by checking out a recent version of the [mbed TLS Repository]. It
[mbedTLS Repository]. is important to use a version that is compatible with TF and fixes any
known security vulnerabilities. See [mbed TLS Security Center] for more
information. This version of TF is tested with tag `mbedtls-2.2.0`.
The `drivers/auth/mbedtls/mbedtls_*.mk` files contain the list of mbedTLS The `drivers/auth/mbedtls/mbedtls_*.mk` files contain the list of mbed TLS
source files the modules depend upon. source files the modules depend upon.
`include/drivers/auth/mbedtls/mbedtls_config.h` contains the configuration `include/drivers/auth/mbedtls/mbedtls_config.h` contains the configuration
options required to build the mbedTLS sources. options required to build the mbed TLS sources.
Note that the mbedTLS library is licensed under the GNU GPL version 2 Note that the mbed TLS library is licensed under the Apache version 2.0
or later license. Using mbedTLS source code will affect the licensing of license. Using mbed TLS source code will affect the licensing of
Trusted Firmware binaries that are built using this library. Trusted Firmware binaries that are built using this library.
2. Ensure that the following command line variables are set while invoking 2. Ensure that the following command line variables are set while invoking
`make` to build Trusted Firmware: `make` to build Trusted Firmware:
* `MBEDTLS_DIR=<path of the directory containing mbedTLS sources>` * `MBEDTLS_DIR=<path of the directory containing mbed TLS sources>`
* `TRUSTED_BOARD_BOOT=1` * `TRUSTED_BOARD_BOOT=1`
* `GENERATE_COT=1` * `GENERATE_COT=1`
...@@ -643,7 +645,7 @@ feature. ...@@ -643,7 +645,7 @@ feature.
CROSS_COMPILE=<path-to-aarch64-gcc>/bin/aarch64-linux-gnu- \ CROSS_COMPILE=<path-to-aarch64-gcc>/bin/aarch64-linux-gnu- \
BL33=<path-to>/<bl33_image> \ BL33=<path-to>/<bl33_image> \
MBEDTLS_DIR=<path of the directory containing mbedTLS sources> \ MBEDTLS_DIR=<path of the directory containing mbed TLS sources> \
make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \ make PLAT=<platform> TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
ARM_ROTPK_LOCATION=devel_rsa \ ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
...@@ -1257,6 +1259,7 @@ _Copyright (c) 2013-2015, ARM Limited and Contributors. All rights reserved._ ...@@ -1257,6 +1259,7 @@ _Copyright (c) 2013-2015, ARM Limited and Contributors. All rights reserved._
[ARM Connected Community]: http://community.arm.com [ARM Connected Community]: http://community.arm.com
[Juno Software Guide]: http://community.arm.com/docs/DOC-8396 [Juno Software Guide]: http://community.arm.com/docs/DOC-8396
[DS-5]: http://www.arm.com/products/tools/software-tools/ds-5/index.php [DS-5]: http://www.arm.com/products/tools/software-tools/ds-5/index.php
[mbedTLS Repository]: https://github.com/ARMmbed/mbedtls.git [mbed TLS Repository]: https://github.com/ARMmbed/mbedtls.git
[mbed TLS Security Center]: https://tls.mbed.org/security
[PSCI]: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf "Power State Coordination Interface PDD (ARM DEN 0022C)" [PSCI]: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf "Power State Coordination Interface PDD (ARM DEN 0022C)"
[Trusted Board Boot]: trusted-board-boot.md [Trusted Board Boot]: trusted-board-boot.md
...@@ -30,11 +30,11 @@ ...@@ -30,11 +30,11 @@
#include <assert.h> #include <assert.h>
/* mbedTLS headers */ /* mbed TLS headers */
#include <polarssl/memory_buffer_alloc.h> #include <mbedtls/memory_buffer_alloc.h>
/* /*
* mbedTLS heap * mbed TLS heap
*/ */
#if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA) #if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA)
#define MBEDTLS_HEAP_SIZE (14*1024) #define MBEDTLS_HEAP_SIZE (14*1024)
...@@ -44,22 +44,15 @@ ...@@ -44,22 +44,15 @@
static unsigned char heap[MBEDTLS_HEAP_SIZE]; static unsigned char heap[MBEDTLS_HEAP_SIZE];
/* /*
* mbedTLS initialization function * mbed TLS initialization function
*
* Return: 0 = success, Otherwise = error
*/ */
void mbedtls_init(void) void mbedtls_init(void)
{ {
static int ready; static int ready;
int rc;
if (!ready) { if (!ready) {
/* Initialize the mbedTLS heap */ /* Initialize the mbed TLS heap */
rc = memory_buffer_alloc_init(heap, MBEDTLS_HEAP_SIZE); mbedtls_memory_buffer_alloc_init(heap, MBEDTLS_HEAP_SIZE);
if (rc == 0) {
ready = 1; ready = 1;
} else {
assert(0);
}
} }
} }
...@@ -31,7 +31,7 @@ ...@@ -31,7 +31,7 @@
ifneq (${MBEDTLS_COMMON_MK},1) ifneq (${MBEDTLS_COMMON_MK},1)
MBEDTLS_COMMON_MK := 1 MBEDTLS_COMMON_MK := 1
# MBEDTLS_DIR must be set to the mbedTLS main directory (it must contain # MBEDTLS_DIR must be set to the mbed TLS main directory (it must contain
# the 'include' and 'library' subdirectories). # the 'include' and 'library' subdirectories).
ifeq (${MBEDTLS_DIR},) ifeq (${MBEDTLS_DIR},)
$(error Error: MBEDTLS_DIR not set) $(error Error: MBEDTLS_DIR not set)
...@@ -40,9 +40,9 @@ endif ...@@ -40,9 +40,9 @@ endif
INCLUDES += -I${MBEDTLS_DIR}/include \ INCLUDES += -I${MBEDTLS_DIR}/include \
-Iinclude/drivers/auth/mbedtls -Iinclude/drivers/auth/mbedtls
# Specify mbedTLS configuration file # Specify mbed TLS configuration file
POLARSSL_CONFIG_FILE := "<mbedtls_config.h>" MBEDTLS_CONFIG_FILE := "<mbedtls_config.h>"
$(eval $(call add_define,POLARSSL_CONFIG_FILE)) $(eval $(call add_define,MBEDTLS_CONFIG_FILE))
MBEDTLS_COMMON_SOURCES := drivers/auth/mbedtls/mbedtls_common.c \ MBEDTLS_COMMON_SOURCES := drivers/auth/mbedtls/mbedtls_common.c \
$(addprefix ${MBEDTLS_DIR}/library/, \ $(addprefix ${MBEDTLS_DIR}/library/, \
......
...@@ -35,13 +35,13 @@ ...@@ -35,13 +35,13 @@
#include <stddef.h> #include <stddef.h>
#include <string.h> #include <string.h>
/* mbedTLS headers */ /* mbed TLS headers */
#include <polarssl/md_wrap.h> #include <mbedtls/md.h>
#include <polarssl/memory_buffer_alloc.h> #include <mbedtls/memory_buffer_alloc.h>
#include <polarssl/oid.h> #include <mbedtls/oid.h>
#include <polarssl/platform.h> #include <mbedtls/platform.h>
#define LIB_NAME "mbedTLS" #define LIB_NAME "mbed TLS"
/* /*
* AlgorithmIdentifier ::= SEQUENCE { * AlgorithmIdentifier ::= SEQUENCE {
...@@ -65,7 +65,7 @@ ...@@ -65,7 +65,7 @@
*/ */
static void init(void) static void init(void)
{ {
/* Initialize mbedTLS */ /* Initialize mbed TLS */
mbedtls_init(); mbedtls_init();
} }
...@@ -80,36 +80,36 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -80,36 +80,36 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
void *sig_alg, unsigned int sig_alg_len, void *sig_alg, unsigned int sig_alg_len,
void *pk_ptr, unsigned int pk_len) void *pk_ptr, unsigned int pk_len)
{ {
asn1_buf sig_oid, sig_params; mbedtls_asn1_buf sig_oid, sig_params;
asn1_buf signature; mbedtls_asn1_buf signature;
md_type_t md_alg; mbedtls_md_type_t md_alg;
pk_type_t pk_alg; mbedtls_pk_type_t pk_alg;
pk_context pk; mbedtls_pk_context pk;
int rc; int rc;
void *sig_opts = NULL; void *sig_opts = NULL;
const md_info_t *md_info; const mbedtls_md_info_t *md_info;
unsigned char *p, *end; unsigned char *p, *end;
unsigned char hash[POLARSSL_MD_MAX_SIZE]; unsigned char hash[MBEDTLS_MD_MAX_SIZE];
/* Get pointers to signature OID and parameters */ /* Get pointers to signature OID and parameters */
p = (unsigned char *)sig_alg; p = (unsigned char *)sig_alg;
end = (unsigned char *)(p + sig_alg_len); end = (unsigned char *)(p + sig_alg_len);
rc = asn1_get_alg(&p, end, &sig_oid, &sig_params); rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_SIGNATURE; return CRYPTO_ERR_SIGNATURE;
} }
/* Get the actual signature algorithm (MD + PK) */ /* Get the actual signature algorithm (MD + PK) */
rc = oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_SIGNATURE; return CRYPTO_ERR_SIGNATURE;
} }
/* Parse the public key */ /* Parse the public key */
pk_init(&pk); mbedtls_pk_init(&pk);
p = (unsigned char *)pk_ptr; p = (unsigned char *)pk_ptr;
end = (unsigned char *)(p + pk_len); end = (unsigned char *)(p + pk_len);
rc = pk_parse_subpubkey(&p, end, &pk); rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_SIGNATURE; return CRYPTO_ERR_SIGNATURE;
} }
...@@ -118,7 +118,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -118,7 +118,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
p = (unsigned char *)sig_ptr; p = (unsigned char *)sig_ptr;
end = (unsigned char *)(p + sig_len); end = (unsigned char *)(p + sig_len);
signature.tag = *p; signature.tag = *p;
rc = asn1_get_bitstring_null(&p, end, &signature.len); rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end;
...@@ -126,21 +126,22 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -126,21 +126,22 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
signature.p = p; signature.p = p;
/* Calculate the hash of the data */ /* Calculate the hash of the data */
md_info = md_info_from_type(md_alg); md_info = mbedtls_md_info_from_type(md_alg);
if (md_info == NULL) { if (md_info == NULL) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end;
} }
p = (unsigned char *)data_ptr; p = (unsigned char *)data_ptr;
rc = md(md_info, p, data_len, hash); rc = mbedtls_md(md_info, p, data_len, hash);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end;
} }
/* Verify the signature */ /* Verify the signature */
rc = pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash, rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
md_info->size, signature.p, signature.len); mbedtls_md_get_size(md_info),
signature.p, signature.len);
if (rc != 0) { if (rc != 0) {
rc = CRYPTO_ERR_SIGNATURE; rc = CRYPTO_ERR_SIGNATURE;
goto end; goto end;
...@@ -150,7 +151,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len, ...@@ -150,7 +151,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
rc = CRYPTO_SUCCESS; rc = CRYPTO_SUCCESS;
end: end:
pk_free(&pk); mbedtls_pk_free(&pk);
return rc; return rc;
} }
...@@ -163,59 +164,60 @@ end: ...@@ -163,59 +164,60 @@ end:
static int verify_hash(void *data_ptr, unsigned int data_len, static int verify_hash(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len) void *digest_info_ptr, unsigned int digest_info_len)
{ {
asn1_buf hash_oid, params; mbedtls_asn1_buf hash_oid, params;
md_type_t md_alg; mbedtls_md_type_t md_alg;
const md_info_t *md_info; const mbedtls_md_info_t *md_info;
unsigned char *p, *end, *hash; unsigned char *p, *end, *hash;
unsigned char data_hash[POLARSSL_MD_MAX_SIZE]; unsigned char data_hash[MBEDTLS_MD_MAX_SIZE];
size_t len; size_t len;
int rc; int rc;
/* Digest info should be an ASN1_SEQUENCE */ /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
p = (unsigned char *)digest_info_ptr; p = (unsigned char *)digest_info_ptr;
end = (unsigned char *)(digest_info_ptr + digest_info_len); end = (unsigned char *)(digest_info_ptr + digest_info_len);
rc = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
/* Get the hash algorithm */ /* Get the hash algorithm */
rc = asn1_get_alg(&p, end, &hash_oid, &params); rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
rc = oid_get_md_alg(&hash_oid, &md_alg); rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
md_info = md_info_from_type(md_alg); md_info = mbedtls_md_info_from_type(md_alg);
if (md_info == NULL) { if (md_info == NULL) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
/* Hash should be octet string type */ /* Hash should be octet string type */
rc = asn1_get_tag(&p, end, &len, ASN1_OCTET_STRING); rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
/* Length of hash must match the algorithm's size */ /* Length of hash must match the algorithm's size */
if (len != md_info->size) { if (len != mbedtls_md_get_size(md_info)) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
hash = p; hash = p;
/* Calculate the hash of the data */ /* Calculate the hash of the data */
p = (unsigned char *)data_ptr; p = (unsigned char *)data_ptr;
rc = md(md_info, p, data_len, data_hash); rc = mbedtls_md(md_info, p, data_len, data_hash);
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
/* Compare values */ /* Compare values */
rc = memcmp(data_hash, hash, md_info->size); rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info));
if (rc != 0) { if (rc != 0) {
return CRYPTO_ERR_HASH; return CRYPTO_ERR_HASH;
} }
......
...@@ -62,10 +62,10 @@ else ifeq (${MBEDTLS_KEY_ALG},rsa) ...@@ -62,10 +62,10 @@ else ifeq (${MBEDTLS_KEY_ALG},rsa)
) )
MBEDTLS_KEY_ALG_ID := MBEDTLS_RSA MBEDTLS_KEY_ALG_ID := MBEDTLS_RSA
else else
$(error "MBEDTLS_KEY_ALG=${MBEDTLS_KEY_ALG} not supported on mbedTLS") $(error "MBEDTLS_KEY_ALG=${MBEDTLS_KEY_ALG} not supported on mbed TLS")
endif endif
# mbedTLS libraries rely on this define to build correctly # mbed TLS libraries rely on this define to build correctly
$(eval $(call add_define,MBEDTLS_KEY_ALG_ID)) $(eval $(call add_define,MBEDTLS_KEY_ALG_ID))
BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES} BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
......
...@@ -29,7 +29,7 @@ ...@@ -29,7 +29,7 @@
*/ */
/* /*
* X509 parser based on PolarSSL * X509 parser based on mbed TLS
* *
* This module implements functions to check the integrity of a X509v3 * This module implements functions to check the integrity of a X509v3
* certificate ASN.1 structure and extract authentication parameters from the * certificate ASN.1 structure and extract authentication parameters from the
...@@ -43,25 +43,25 @@ ...@@ -43,25 +43,25 @@
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
/* mbedTLS headers */ /* mbed TLS headers */
#include <polarssl/asn1.h> #include <mbedtls/asn1.h>
#include <polarssl/oid.h> #include <mbedtls/oid.h>
#include <polarssl/platform.h> #include <mbedtls/platform.h>
/* Maximum OID string length ("a.b.c.d.e.f ...") */ /* Maximum OID string length ("a.b.c.d.e.f ...") */
#define MAX_OID_STR_LEN 64 #define MAX_OID_STR_LEN 64
#define LIB_NAME "mbedTLS X509v3" #define LIB_NAME "mbed TLS X509v3"
/* Temporary variables to speed up the authentication parameters search. These /* Temporary variables to speed up the authentication parameters search. These
* variables are assigned once during the integrity check and used any time an * variables are assigned once during the integrity check and used any time an
* authentication parameter is requested, so we do not have to parse the image * authentication parameter is requested, so we do not have to parse the image
* again */ * again */
static asn1_buf tbs; static mbedtls_asn1_buf tbs;
static asn1_buf v3_ext; static mbedtls_asn1_buf v3_ext;
static asn1_buf pk; static mbedtls_asn1_buf pk;
static asn1_buf sig_alg; static mbedtls_asn1_buf sig_alg;
static asn1_buf signature; static mbedtls_asn1_buf signature;
/* /*
* Get X509v3 extension * Get X509v3 extension
...@@ -78,7 +78,7 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len) ...@@ -78,7 +78,7 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
unsigned char *p; unsigned char *p;
const unsigned char *end; const unsigned char *end;
char oid_str[MAX_OID_STR_LEN]; char oid_str[MAX_OID_STR_LEN];
asn1_buf extn_oid; mbedtls_asn1_buf extn_oid;
int is_critical; int is_critical;
assert(oid != NULL); assert(oid != NULL);
...@@ -86,32 +86,36 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len) ...@@ -86,32 +86,36 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
p = v3_ext.p; p = v3_ext.p;
end = v3_ext.p + v3_ext.len; end = v3_ext.p + v3_ext.len;
asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
while (p < end) { while (p < end) {
memset(&extn_oid, 0x0, sizeof(extn_oid)); memset(&extn_oid, 0x0, sizeof(extn_oid));
is_critical = 0; /* DEFAULT FALSE */ is_critical = 0; /* DEFAULT FALSE */
asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
end_ext_data = p + len; end_ext_data = p + len;
/* Get extension ID */ /* Get extension ID */
extn_oid.tag = *p; extn_oid.tag = *p;
asn1_get_tag(&p, end, &extn_oid.len, ASN1_OID); mbedtls_asn1_get_tag(&p, end, &extn_oid.len, MBEDTLS_ASN1_OID);
extn_oid.p = p; extn_oid.p = p;
p += extn_oid.len; p += extn_oid.len;
/* Get optional critical */ /* Get optional critical */
asn1_get_bool(&p, end_ext_data, &is_critical); mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
/* Extension data */ /* Extension data */
asn1_get_tag(&p, end_ext_data, &len, ASN1_OCTET_STRING); mbedtls_asn1_get_tag(&p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING);
end_ext_octet = p + len; end_ext_octet = p + len;
/* Detect requested extension */ /* Detect requested extension */
oid_len = oid_get_numeric_string(oid_str, oid_len = mbedtls_oid_get_numeric_string(oid_str,
MAX_OID_STR_LEN, &extn_oid); MAX_OID_STR_LEN,
if (oid_len == POLARSSL_ERR_OID_BUF_TOO_SMALL) { &extn_oid);
if (oid_len == MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
return IMG_PARSER_ERR; return IMG_PARSER_ERR;
} }
if ((oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) { if ((oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) {
...@@ -137,7 +141,7 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -137,7 +141,7 @@ static int cert_parse(void *img, unsigned int img_len)
int ret, is_critical; int ret, is_critical;
size_t len; size_t len;
unsigned char *p, *end, *crt_end; unsigned char *p, *end, *crt_end;
asn1_buf sig_alg1, sig_alg2; mbedtls_asn1_buf sig_alg1, sig_alg2;
p = (unsigned char *)img; p = (unsigned char *)img;
len = img_len; len = img_len;
...@@ -149,7 +153,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -149,7 +153,8 @@ static int cert_parse(void *img, unsigned int img_len)
* signatureAlgorithm AlgorithmIdentifier, * signatureAlgorithm AlgorithmIdentifier,
* signatureValue BIT STRING } * signatureValue BIT STRING }
*/ */
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -163,7 +168,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -163,7 +168,8 @@ static int cert_parse(void *img, unsigned int img_len)
* TBSCertificate ::= SEQUENCE { * TBSCertificate ::= SEQUENCE {
*/ */
tbs.p = p; tbs.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -173,8 +179,9 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -173,8 +179,9 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* Version ::= INTEGER { v1(0), v2(1), v3(2) } * Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/ */
ret = asn1_get_tag(&p, end, &len, ret = mbedtls_asn1_get_tag(&p, end, &len,
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0); MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 0);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -183,7 +190,7 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -183,7 +190,7 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* CertificateSerialNumber ::= INTEGER * CertificateSerialNumber ::= INTEGER
*/ */
ret = asn1_get_tag(&p, end, &len, ASN1_INTEGER); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -193,7 +200,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -193,7 +200,8 @@ static int cert_parse(void *img, unsigned int img_len)
* signature AlgorithmIdentifier * signature AlgorithmIdentifier
*/ */
sig_alg1.p = p; sig_alg1.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -206,7 +214,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -206,7 +214,8 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* issuer Name * issuer Name
*/ */
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -218,7 +227,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -218,7 +227,8 @@ static int cert_parse(void *img, unsigned int img_len)
* notAfter Time } * notAfter Time }
* *
*/ */
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -227,7 +237,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -227,7 +237,8 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* subject Name * subject Name
*/ */
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -237,7 +248,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -237,7 +248,8 @@ static int cert_parse(void *img, unsigned int img_len)
* SubjectPublicKeyInfo * SubjectPublicKeyInfo
*/ */
pk.p = p; pk.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -247,10 +259,11 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -247,10 +259,11 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
*/ */
ret = asn1_get_tag(&p, end, &len, ret = mbedtls_asn1_get_tag(&p, end, &len,
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1); MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 1);
if (ret != 0) { if (ret != 0) {
if (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG) { if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
} else { } else {
...@@ -260,10 +273,11 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -260,10 +273,11 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
*/ */
ret = asn1_get_tag(&p, end, &len, ret = mbedtls_asn1_get_tag(&p, end, &len,
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2); MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 2);
if (ret != 0) { if (ret != 0) {
if (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG) { if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
} else { } else {
...@@ -273,8 +287,9 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -273,8 +287,9 @@ static int cert_parse(void *img, unsigned int img_len)
/* /*
* extensions [3] EXPLICIT Extensions OPTIONAL * extensions [3] EXPLICIT Extensions OPTIONAL
*/ */
ret = asn1_get_tag(&p, end, &len, ret = mbedtls_asn1_get_tag(&p, end, &len,
ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3); MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 3);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -283,7 +298,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -283,7 +298,8 @@ static int cert_parse(void *img, unsigned int img_len)
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
*/ */
v3_ext.p = p; v3_ext.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -293,27 +309,29 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -293,27 +309,29 @@ static int cert_parse(void *img, unsigned int img_len)
* Check extensions integrity * Check extensions integrity
*/ */
while (p < end) { while (p < end) {
ret = asn1_get_tag(&p, end, &len, ret = mbedtls_asn1_get_tag(&p, end, &len,
ASN1_CONSTRUCTED | ASN1_SEQUENCE); MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
/* Get extension ID */ /* Get extension ID */
ret = asn1_get_tag(&p, end, &len, ASN1_OID); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
p += len; p += len;
/* Get optional critical */ /* Get optional critical */
ret = asn1_get_bool(&p, end, &is_critical); ret = mbedtls_asn1_get_bool(&p, end, &is_critical);
if ((ret != 0) && (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG)) { if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
/* Data should be octet string type */ /* Data should be octet string type */
ret = asn1_get_tag(&p, end, &len, ASN1_OCTET_STRING); ret = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_OCTET_STRING);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -333,7 +351,8 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -333,7 +351,8 @@ static int cert_parse(void *img, unsigned int img_len)
* signatureAlgorithm AlgorithmIdentifier * signatureAlgorithm AlgorithmIdentifier
*/ */
sig_alg2.p = p; sig_alg2.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
...@@ -356,7 +375,7 @@ static int cert_parse(void *img, unsigned int img_len) ...@@ -356,7 +375,7 @@ static int cert_parse(void *img, unsigned int img_len)
* signatureValue BIT STRING * signatureValue BIT STRING
*/ */
signature.p = p; signature.p = p;
ret = asn1_get_tag(&p, end, &len, ASN1_BIT_STRING); ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
if (ret != 0) { if (ret != 0) {
return IMG_PARSER_ERR_FORMAT; return IMG_PARSER_ERR_FORMAT;
} }
......
...@@ -31,69 +31,69 @@ ...@@ -31,69 +31,69 @@
#define __MBEDTLS_CONFIG_H__ #define __MBEDTLS_CONFIG_H__
/* /*
* Key algorithms currently supported on mbedTLS libraries * Key algorithms currently supported on mbed TLS libraries
*/ */
#define MBEDTLS_RSA 1 #define MBEDTLS_RSA 1
#define MBEDTLS_ECDSA 2 #define MBEDTLS_ECDSA 2
/* /*
* Configuration file to build PolarSSL with the required features for * Configuration file to build mbed TLS with the required features for
* Trusted Boot * Trusted Boot
*/ */
#define POLARSSL_PLATFORM_MEMORY #define MBEDTLS_PLATFORM_MEMORY
#define POLARSSL_PLATFORM_NO_STD_FUNCTIONS #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
#define POLARSSL_PKCS1_V15 #define MBEDTLS_PKCS1_V15
#define POLARSSL_PKCS1_V21 #define MBEDTLS_PKCS1_V21
#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define POLARSSL_X509_CHECK_KEY_USAGE #define MBEDTLS_X509_CHECK_KEY_USAGE
#define POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
#define POLARSSL_ASN1_PARSE_C #define MBEDTLS_ASN1_PARSE_C
#define POLARSSL_ASN1_WRITE_C #define MBEDTLS_ASN1_WRITE_C
#define POLARSSL_BASE64_C #define MBEDTLS_BASE64_C
#define POLARSSL_BIGNUM_C #define MBEDTLS_BIGNUM_C
#define POLARSSL_ERROR_C #define MBEDTLS_ERROR_C
#define POLARSSL_MD_C #define MBEDTLS_MD_C
#define POLARSSL_MEMORY_BUFFER_ALLOC_C #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define POLARSSL_OID_C #define MBEDTLS_OID_C
#define POLARSSL_PK_C #define MBEDTLS_PK_C
#define POLARSSL_PK_PARSE_C #define MBEDTLS_PK_PARSE_C
#define POLARSSL_PK_WRITE_C #define MBEDTLS_PK_WRITE_C
#define POLARSSL_PLATFORM_C #define MBEDTLS_PLATFORM_C
#if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA) #if (MBEDTLS_KEY_ALG_ID == MBEDTLS_ECDSA)
#define POLARSSL_ECDSA_C #define MBEDTLS_ECDSA_C
#define POLARSSL_ECP_C #define MBEDTLS_ECP_C
#define POLARSSL_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#elif (MBEDTLS_KEY_ALG_ID == MBEDTLS_RSA) #elif (MBEDTLS_KEY_ALG_ID == MBEDTLS_RSA)
#define POLARSSL_RSA_C #define MBEDTLS_RSA_C
#endif #endif
#define POLARSSL_SHA256_C #define MBEDTLS_SHA256_C
#define POLARSSL_VERSION_C #define MBEDTLS_VERSION_C
#define POLARSSL_X509_USE_C #define MBEDTLS_X509_USE_C
#define POLARSSL_X509_CRT_PARSE_C #define MBEDTLS_X509_CRT_PARSE_C
/* MPI / BIGNUM options */ /* MPI / BIGNUM options */
#define POLARSSL_MPI_WINDOW_SIZE 2 #define MBEDTLS_MPI_WINDOW_SIZE 2
#define POLARSSL_MPI_MAX_SIZE 256 #define MBEDTLS_MPI_MAX_SIZE 256
/* Memory buffer allocator options */ /* Memory buffer allocator options */
#define POLARSSL_MEMORY_ALIGN_MULTIPLE 8 #define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
#include "polarssl/check_config.h" #include "mbedtls/check_config.h"
/* System headers required to build mbedTLS with the current configuration */ /* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h> #include <stdlib.h>
#endif /* __MBEDTLS_CONFIG_H__ */ #endif /* __MBEDTLS_CONFIG_H__ */
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment