1 /*
2 * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 #include <assert.h>
8 #include <stddef.h>
9 #include <string.h>
10
11 /* mbed TLS headers */
12 #include <mbedtls/gcm.h>
13 #include <mbedtls/md.h>
14 #include <mbedtls/memory_buffer_alloc.h>
15 #include <mbedtls/oid.h>
16 #include <mbedtls/platform.h>
17 #include <mbedtls/psa_util.h>
18 #include <mbedtls/version.h>
19 #include <mbedtls/x509.h>
20 #include <psa/crypto.h>
21 #include <psa/crypto_platform.h>
22 #include <psa/crypto_types.h>
23 #include <psa/crypto_values.h>
24
25 #include <common/debug.h>
26 #include <drivers/auth/crypto_mod.h>
27 #include <drivers/auth/mbedtls/mbedtls_common.h>
28 #include <plat/common/platform.h>
29
30 #define LIB_NAME "mbed TLS PSA"
31
32 /* Maximum length of R_S pair in the ECDSA signature in bytes */
33 #define MAX_ECDSA_R_S_PAIR_LEN 64U
34
35 /* Size of ASN.1 length and tag in bytes*/
36 #define SIZE_OF_ASN1_LEN 1U
37 #define SIZE_OF_ASN1_TAG 1U
38
39 #if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
40 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
41 /*
42 * CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
43 * so make sure that mbed TLS MD maximum size must be lesser than this.
44 */
45 CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
46 assert_mbedtls_md_size_overflow);
47
48 #endif /*
49 * CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
50 * CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
51 */
52
53 /*
54 * AlgorithmIdentifier ::= SEQUENCE {
55 * algorithm OBJECT IDENTIFIER,
56 * parameters ANY DEFINED BY algorithm OPTIONAL
57 * }
58 *
59 * SubjectPublicKeyInfo ::= SEQUENCE {
60 * algorithm AlgorithmIdentifier,
61 * subjectPublicKey BIT STRING
62 * }
63 *
64 * DigestInfo ::= SEQUENCE {
65 * digestAlgorithm AlgorithmIdentifier,
66 * digest OCTET STRING
67 * }
68 */
69
70 /*
71 * We pretend using an external RNG (through MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
72 * mbedTLS config option) so we need to provide an implementation of
73 * mbedtls_psa_external_get_random(). Provide a fake one, since we do not
74 * actually have any external RNG and TF-A itself doesn't engage in
75 * cryptographic operations that demands randomness.
76 */
mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t * context,uint8_t * output,size_t output_size,size_t * output_length)77 psa_status_t mbedtls_psa_external_get_random(
78 mbedtls_psa_external_random_context_t *context,
79 uint8_t *output, size_t output_size,
80 size_t *output_length)
81 {
82 return PSA_ERROR_INSUFFICIENT_ENTROPY;
83 }
84
85 /*
86 * Initialize the library and export the descriptor
87 */
init(void)88 static void init(void)
89 {
90 /* Initialize mbed TLS */
91 mbedtls_init();
92
93 /* Initialise PSA mbedTLS */
94 psa_status_t status = psa_crypto_init();
95
96 if (status != PSA_SUCCESS) {
97 ERROR("Failed to initialize %s crypto (%d).\n", LIB_NAME, status);
98 panic();
99 }
100
101 INFO("PSA crypto initialized successfully!\n");
102 }
103
104 #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
105 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
106
construct_psa_key_alg_and_type(mbedtls_pk_type_t pk_alg,mbedtls_md_type_t md_alg,psa_ecc_family_t psa_ecc_family,psa_algorithm_t * psa_alg,psa_key_type_t * psa_key_type)107 static void construct_psa_key_alg_and_type(mbedtls_pk_type_t pk_alg,
108 mbedtls_md_type_t md_alg,
109 psa_ecc_family_t psa_ecc_family,
110 psa_algorithm_t *psa_alg,
111 psa_key_type_t *psa_key_type)
112 {
113 psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
114
115 switch (pk_alg) {
116 case MBEDTLS_PK_RSASSA_PSS:
117 *psa_alg = PSA_ALG_RSA_PSS(psa_md_alg);
118 *psa_key_type = PSA_KEY_TYPE_RSA_PUBLIC_KEY;
119 break;
120 case MBEDTLS_PK_ECDSA:
121 *psa_alg = PSA_ALG_ECDSA(psa_md_alg);
122 *psa_key_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY(psa_ecc_family);
123 break;
124 default:
125 *psa_alg = PSA_ALG_NONE;
126 *psa_key_type = PSA_KEY_TYPE_NONE;
127 break;
128 }
129 }
130
131
132 #if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA || \
133 TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
134
135 /*
136 * This is a helper function to detect padding byte (if the MSB bit of the
137 * first data byte is set to 1, for example 0x80) and on detection, ignore the
138 * padded byte(0x00) and increase the buffer pointer beyond padded byte and
139 * decrease the length of the buffer by 1.
140 *
141 * On Success returns 0, error otherwise.
142 **/
ignore_asn1_int_padding_byte(unsigned char ** buf_start,size_t * buf_len)143 static inline int ignore_asn1_int_padding_byte(unsigned char **buf_start,
144 size_t *buf_len)
145 {
146 unsigned char *local_buf = *buf_start;
147
148 /* Check for negative number */
149 if ((local_buf[0] & 0x80U) != 0U) {
150 return -1;
151 }
152
153 if ((local_buf[0] == 0U) && (local_buf[1] > 0x7FU) &&
154 (*buf_len > 1U)) {
155 *buf_start = &local_buf[1];
156 (*buf_len)--;
157 }
158
159 return 0;
160 }
161
162 /*
163 * This is a helper function that gets a pointer to the encoded ECDSA publicKey
164 * and its length (as per RFC5280) and returns corresponding decoded publicKey
165 * and its length. As well, it retrieves the family of ECC key in the PSA
166 * format.
167 *
168 * This function returns error(CRYPTO_ERR_SIGNATURE) on ASN.1 parsing failure,
169 * otherwise success(0).
170 **/
get_ecdsa_pkinfo_from_asn1(unsigned char ** pk_start,unsigned int * pk_len,psa_ecc_family_t * psa_ecc_family)171 static int get_ecdsa_pkinfo_from_asn1(unsigned char **pk_start,
172 unsigned int *pk_len,
173 psa_ecc_family_t *psa_ecc_family)
174 {
175 mbedtls_asn1_buf alg_oid, alg_params;
176 mbedtls_ecp_group_id grp_id;
177 int rc;
178 unsigned char *pk_end;
179 size_t len;
180 size_t curve_bits;
181 unsigned char *pk_ptr = *pk_start;
182
183 pk_end = pk_ptr + *pk_len;
184 rc = mbedtls_asn1_get_tag(&pk_ptr, pk_end, &len,
185 MBEDTLS_ASN1_CONSTRUCTED |
186 MBEDTLS_ASN1_SEQUENCE);
187 if (rc != 0) {
188 return CRYPTO_ERR_SIGNATURE;
189 }
190
191 pk_end = pk_ptr + len;
192 rc = mbedtls_asn1_get_alg(&pk_ptr, pk_end, &alg_oid, &alg_params);
193 if (rc != 0) {
194 return CRYPTO_ERR_SIGNATURE;
195 }
196
197 if (alg_params.tag == MBEDTLS_ASN1_OID) {
198 if (mbedtls_oid_get_ec_grp(&alg_params, &grp_id) != 0) {
199 return CRYPTO_ERR_SIGNATURE;
200 }
201 *psa_ecc_family = mbedtls_ecc_group_to_psa(grp_id,
202 &curve_bits);
203 } else {
204 return CRYPTO_ERR_SIGNATURE;
205 }
206
207 pk_end = pk_ptr + len - (alg_oid.len + alg_params.len +
208 2 * (SIZE_OF_ASN1_LEN + SIZE_OF_ASN1_TAG));
209 rc = mbedtls_asn1_get_bitstring_null(&pk_ptr, pk_end, &len);
210 if (rc != 0) {
211 return CRYPTO_ERR_SIGNATURE;
212 }
213
214 *pk_start = pk_ptr;
215 *pk_len = len;
216
217 return rc;
218 }
219
220 /*
221 * Ecdsa-Sig-Value ::= SEQUENCE {
222 * r INTEGER,
223 * s INTEGER
224 * }
225 *
226 * This helper function that gets a pointer to the encoded ECDSA signature and
227 * its length (as per RFC5280) and returns corresponding decoded signature
228 * (R_S pair) and its size.
229 *
230 * This function returns error(CRYPTO_ERR_SIGNATURE) on ASN.1 parsing failure,
231 * otherwise success(0).
232 **/
get_ecdsa_signature_from_asn1(unsigned char * sig_ptr,size_t * sig_len,unsigned char * r_s_pair)233 static int get_ecdsa_signature_from_asn1(unsigned char *sig_ptr,
234 size_t *sig_len,
235 unsigned char *r_s_pair)
236 {
237 int rc;
238 unsigned char *sig_end;
239 size_t len, r_len, s_len;
240
241 sig_end = sig_ptr + *sig_len;
242 rc = mbedtls_asn1_get_tag(&sig_ptr, sig_end, &len,
243 MBEDTLS_ASN1_CONSTRUCTED |
244 MBEDTLS_ASN1_SEQUENCE);
245 if (rc != 0) {
246 return CRYPTO_ERR_SIGNATURE;
247 }
248
249 sig_end = sig_ptr + len;
250 rc = mbedtls_asn1_get_tag(&sig_ptr, sig_end, &r_len,
251 MBEDTLS_ASN1_INTEGER);
252 if (rc != 0) {
253 return CRYPTO_ERR_SIGNATURE;
254 }
255
256 if (ignore_asn1_int_padding_byte(&sig_ptr, &r_len) != 0) {
257 return CRYPTO_ERR_SIGNATURE;
258 }
259
260 (void)memcpy((void *)&r_s_pair[0], (const void *)sig_ptr, r_len);
261
262 sig_ptr = sig_ptr + r_len;
263 sig_end = sig_ptr + len - (r_len + (SIZE_OF_ASN1_LEN +
264 SIZE_OF_ASN1_TAG));
265 rc = mbedtls_asn1_get_tag(&sig_ptr, sig_end, &s_len,
266 MBEDTLS_ASN1_INTEGER);
267 if (rc != 0) {
268 return CRYPTO_ERR_SIGNATURE;
269 }
270
271 if (ignore_asn1_int_padding_byte(&sig_ptr, &s_len) != 0) {
272 return CRYPTO_ERR_SIGNATURE;
273 }
274
275 (void)memcpy((void *)&r_s_pair[r_len], (const void *)sig_ptr, s_len);
276
277 *sig_len = s_len + r_len;
278
279 return 0;
280 }
281 #endif /*
282 * TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA || \
283 * TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
284 **/
285
286 /*
287 * This is a helper function that adjusts the start of the pk_start to point to
288 * the subjectPublicKey bytes within the SubjectPublicKeyInfo block.
289 *
290 * SubjectPublicKeyInfo ::= SEQUENCE {
291 * algorithm AlgorithmIdentifier,
292 * subjectPublicKey BIT STRING }
293 *
294 * This function returns error(CRYPTO_ERR_SIGNATURE) on ASN.1 parsing failure,
295 * otherwise success(0).
296 **/
pk_bytes_from_subpubkey(unsigned char ** pk_start,unsigned int * pk_len)297 static int pk_bytes_from_subpubkey(unsigned char **pk_start,
298 unsigned int *pk_len)
299 {
300 mbedtls_asn1_buf alg_oid, alg_params;
301 int rc;
302 unsigned char *pk_end;
303 size_t len;
304 unsigned char *pk_ptr = *pk_start;
305
306 pk_end = pk_ptr + *pk_len;
307 rc = mbedtls_asn1_get_tag(&pk_ptr, pk_end, &len,
308 MBEDTLS_ASN1_CONSTRUCTED |
309 MBEDTLS_ASN1_SEQUENCE);
310 if (rc != 0) {
311 return CRYPTO_ERR_SIGNATURE;
312 }
313
314 pk_end = pk_ptr + len;
315 rc = mbedtls_asn1_get_alg(&pk_ptr, pk_end, &alg_oid, &alg_params);
316 if (rc != 0) {
317 return CRYPTO_ERR_SIGNATURE;
318 }
319 pk_end = pk_ptr + len - (alg_oid.len + alg_params.len +
320 2 * (SIZE_OF_ASN1_LEN + SIZE_OF_ASN1_TAG));
321 rc = mbedtls_asn1_get_bitstring_null(&pk_ptr, pk_end, &len);
322 if (rc != 0) {
323 return CRYPTO_ERR_SIGNATURE;
324 }
325
326 *pk_start = pk_ptr;
327 *pk_len = len;
328
329 return rc;
330 }
331
332 /*
333 * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has
334 * advised that it's better to copy out the declaration than it would be to
335 * update to 3.5.2, where this function is exposed.
336 */
337 int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid,
338 const mbedtls_x509_buf *sig_params,
339 mbedtls_md_type_t *md_alg,
340 mbedtls_pk_type_t *pk_alg,
341 void **sig_opts);
342 /*
343 * Verify a signature.
344 *
345 * Parameters are passed using the DER encoding format following the ASN.1
346 * structures detailed above.
347 */
verify_signature(void * data_ptr,unsigned int data_len,void * sig_ptr,unsigned int sig_len,void * sig_alg,unsigned int sig_alg_len,void * pk_ptr,unsigned int pk_len)348 static int verify_signature(void *data_ptr, unsigned int data_len,
349 void *sig_ptr, unsigned int sig_len,
350 void *sig_alg, unsigned int sig_alg_len,
351 void *pk_ptr, unsigned int pk_len)
352 {
353 mbedtls_asn1_buf sig_oid, sig_params;
354 mbedtls_asn1_buf signature;
355 mbedtls_md_type_t md_alg;
356 mbedtls_pk_type_t pk_alg;
357 int rc;
358 void *sig_opts = NULL;
359 unsigned char *p, *end;
360 unsigned char *local_sig_ptr;
361 size_t local_sig_len;
362 psa_ecc_family_t psa_ecc_family = 0U;
363 __unused unsigned char reformatted_sig[MAX_ECDSA_R_S_PAIR_LEN] = {0};
364
365 /* construct PSA key algo and type */
366 psa_status_t status = PSA_SUCCESS;
367 psa_key_attributes_t psa_key_attr = PSA_KEY_ATTRIBUTES_INIT;
368 psa_key_id_t psa_key_id = PSA_KEY_ID_NULL;
369 psa_key_type_t psa_key_type;
370 psa_algorithm_t psa_alg;
371
372 /* Get pointers to signature OID and parameters */
373 p = (unsigned char *)sig_alg;
374 end = (unsigned char *)(p + sig_alg_len);
375 rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
376 if (rc != 0) {
377 return CRYPTO_ERR_SIGNATURE;
378 }
379
380 /* Get the actual signature algorithm (MD + PK) */
381 rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
382 if (rc != 0) {
383 return CRYPTO_ERR_SIGNATURE;
384 }
385
386 /* Get the signature (bitstring) */
387 p = (unsigned char *)sig_ptr;
388 end = (unsigned char *)(p + sig_len);
389 signature.tag = *p;
390 rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
391 if ((rc != 0) || ((size_t)(end - p) != signature.len)) {
392 rc = CRYPTO_ERR_SIGNATURE;
393 goto end2;
394 }
395
396 local_sig_ptr = p;
397 local_sig_len = signature.len;
398
399 #if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA || \
400 TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
401 if (pk_alg == MBEDTLS_PK_ECDSA) {
402 rc = get_ecdsa_signature_from_asn1(local_sig_ptr,
403 &local_sig_len,
404 reformatted_sig);
405 if (rc != 0) {
406 goto end2;
407 }
408
409 local_sig_ptr = reformatted_sig;
410
411 rc = get_ecdsa_pkinfo_from_asn1((unsigned char **)&pk_ptr,
412 &pk_len,
413 &psa_ecc_family);
414 if (rc != 0) {
415 goto end2;
416 }
417 }
418 #endif /*
419 * TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA || \
420 * TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
421 **/
422
423 /* Convert this pk_alg and md_alg to PSA key type and key algorithm */
424 construct_psa_key_alg_and_type(pk_alg, md_alg, psa_ecc_family,
425 &psa_alg, &psa_key_type);
426
427
428 if ((psa_alg == PSA_ALG_NONE) || (psa_key_type == PSA_KEY_TYPE_NONE)) {
429 rc = CRYPTO_ERR_SIGNATURE;
430 goto end2;
431 }
432
433 /* filled-in key_attributes */
434 psa_set_key_algorithm(&psa_key_attr, psa_alg);
435 psa_set_key_type(&psa_key_attr, psa_key_type);
436 psa_set_key_usage_flags(&psa_key_attr, PSA_KEY_USAGE_VERIFY_MESSAGE);
437
438 /*
439 * Note: In the implementation of the psa_import_key function in
440 * version 3.6.0, the function expects the starting pointer of the
441 * subject public key instead of the starting point of
442 * SubjectPublicKeyInfo.
443 * This is only needed while dealing with RSASSA_PSS (RSA Signature
444 * scheme with Appendix based on Probabilistic Signature Scheme)
445 * algorithm.
446 */
447 if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
448 rc = pk_bytes_from_subpubkey((unsigned char **) &pk_ptr, &pk_len);
449 goto end2;
450 }
451
452 /* Get the key_id using import API */
453 status = psa_import_key(&psa_key_attr,
454 pk_ptr,
455 (size_t)pk_len,
456 &psa_key_id);
457
458 if (status != PSA_SUCCESS) {
459 rc = CRYPTO_ERR_SIGNATURE;
460 goto end2;
461 }
462
463 /*
464 * Hash calculation and Signature verification of the given data payload
465 * is wrapped under the psa_verify_message function.
466 */
467 status = psa_verify_message(psa_key_id, psa_alg,
468 data_ptr, data_len,
469 local_sig_ptr, local_sig_len);
470
471 if (status != PSA_SUCCESS) {
472 rc = CRYPTO_ERR_SIGNATURE;
473 goto end1;
474 }
475
476 /* Signature verification success */
477 rc = CRYPTO_SUCCESS;
478
479 end1:
480 /*
481 * Destroy the key if it is created successfully
482 */
483 psa_destroy_key(psa_key_id);
484 end2:
485 mbedtls_free(sig_opts);
486 return rc;
487 }
488
489 /*
490 * Match a hash
491 *
492 * Digest info is passed in DER format following the ASN.1 structure detailed
493 * above.
494 */
verify_hash(void * data_ptr,unsigned int data_len,void * digest_info_ptr,unsigned int digest_info_len)495 static int verify_hash(void *data_ptr, unsigned int data_len,
496 void *digest_info_ptr, unsigned int digest_info_len)
497 {
498 mbedtls_asn1_buf hash_oid, params;
499 mbedtls_md_type_t md_alg;
500 unsigned char *p, *end, *hash;
501 size_t len;
502 int rc;
503 psa_status_t status;
504 psa_algorithm_t psa_md_alg;
505
506 /*
507 * Digest info should be an MBEDTLS_ASN1_SEQUENCE, but padding after
508 * it is allowed. This is necessary to support multiple hash
509 * algorithms.
510 */
511 p = (unsigned char *)digest_info_ptr;
512 end = p + digest_info_len;
513 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
514 MBEDTLS_ASN1_SEQUENCE);
515 if (rc != 0) {
516 return CRYPTO_ERR_HASH;
517 }
518
519 end = p + len;
520
521 /* Get the hash algorithm */
522 rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms);
523 if (rc != 0) {
524 return CRYPTO_ERR_HASH;
525 }
526
527 /* Hash should be octet string type and consume all bytes */
528 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
529 if ((rc != 0) || ((size_t)(end - p) != len)) {
530 return CRYPTO_ERR_HASH;
531 }
532 hash = p;
533
534 rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
535 if (rc != 0) {
536 return CRYPTO_ERR_HASH;
537 }
538
539 /* convert the md_alg to psa_algo */
540 psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
541
542 /* Length of hash must match the algorithm's size */
543 if (len != PSA_HASH_LENGTH(psa_md_alg)) {
544 return CRYPTO_ERR_HASH;
545 }
546
547 /*
548 * Calculate Hash and compare it against the retrieved hash from
549 * the certificate (one shot API).
550 */
551 status = psa_hash_compare(psa_md_alg,
552 data_ptr, (size_t)data_len,
553 (const uint8_t *)hash, len);
554
555 if (status != PSA_SUCCESS) {
556 return CRYPTO_ERR_HASH;
557 }
558
559 return CRYPTO_SUCCESS;
560 }
561 #endif /*
562 * CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
563 * CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
564 */
565
566 #if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
567 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
568 /*
569 * Map a generic crypto message digest algorithm to the corresponding macro used
570 * by Mbed TLS.
571 */
md_type(enum crypto_md_algo algo)572 static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo)
573 {
574 switch (algo) {
575 case CRYPTO_MD_SHA512:
576 return MBEDTLS_MD_SHA512;
577 case CRYPTO_MD_SHA384:
578 return MBEDTLS_MD_SHA384;
579 case CRYPTO_MD_SHA256:
580 return MBEDTLS_MD_SHA256;
581 default:
582 /* Invalid hash algorithm. */
583 return MBEDTLS_MD_NONE;
584 }
585 }
586
587 /*
588 * Calculate a hash
589 *
590 * output points to the computed hash
591 */
calc_hash(enum crypto_md_algo md_algo,void * data_ptr,unsigned int data_len,unsigned char output[CRYPTO_MD_MAX_SIZE])592 static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
593 unsigned int data_len,
594 unsigned char output[CRYPTO_MD_MAX_SIZE])
595 {
596 size_t hash_length;
597 psa_status_t status;
598 psa_algorithm_t psa_md_alg;
599
600 /* convert the md_alg to psa_algo */
601 psa_md_alg = mbedtls_md_psa_alg_from_type(md_type(md_algo));
602
603 /*
604 * Calculate the hash of the data, it is safe to pass the
605 * 'output' hash buffer pointer considering its size is always
606 * bigger than or equal to MBEDTLS_MD_MAX_SIZE.
607 */
608 status = psa_hash_compute(psa_md_alg, data_ptr, (size_t)data_len,
609 (uint8_t *)output, CRYPTO_MD_MAX_SIZE,
610 &hash_length);
611 if (status != PSA_SUCCESS) {
612 return CRYPTO_ERR_HASH;
613 }
614
615 return CRYPTO_SUCCESS;
616 }
617 #endif /*
618 * CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
619 * CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
620 */
621
622 #if TF_MBEDTLS_USE_AES_GCM
623 /*
624 * Stack based buffer allocation for decryption operation. It could
625 * be configured to balance stack usage vs execution speed.
626 */
627 #define DEC_OP_BUF_SIZE 128
628
aes_gcm_decrypt(void * data_ptr,size_t len,const void * key,unsigned int key_len,const void * iv,unsigned int iv_len,const void * tag,unsigned int tag_len)629 static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
630 unsigned int key_len, const void *iv,
631 unsigned int iv_len, const void *tag,
632 unsigned int tag_len)
633 {
634 mbedtls_gcm_context ctx;
635 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
636 unsigned char buf[DEC_OP_BUF_SIZE];
637 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE];
638 unsigned char *pt = data_ptr;
639 size_t dec_len;
640 int diff, i, rc;
641 size_t output_length __unused;
642
643 mbedtls_gcm_init(&ctx);
644
645 rc = mbedtls_gcm_setkey(&ctx, cipher, key, key_len * 8);
646 if (rc != 0) {
647 rc = CRYPTO_ERR_DECRYPTION;
648 goto exit_gcm;
649 }
650
651 #if (MBEDTLS_VERSION_MAJOR < 3)
652 rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len, NULL, 0);
653 #else
654 rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len);
655 #endif
656 if (rc != 0) {
657 rc = CRYPTO_ERR_DECRYPTION;
658 goto exit_gcm;
659 }
660
661 while (len > 0) {
662 dec_len = MIN(sizeof(buf), len);
663
664 #if (MBEDTLS_VERSION_MAJOR < 3)
665 rc = mbedtls_gcm_update(&ctx, dec_len, pt, buf);
666 #else
667 rc = mbedtls_gcm_update(&ctx, pt, dec_len, buf, sizeof(buf), &output_length);
668 #endif
669
670 if (rc != 0) {
671 rc = CRYPTO_ERR_DECRYPTION;
672 goto exit_gcm;
673 }
674
675 memcpy(pt, buf, dec_len);
676 pt += dec_len;
677 len -= dec_len;
678 }
679
680 #if (MBEDTLS_VERSION_MAJOR < 3)
681 rc = mbedtls_gcm_finish(&ctx, tag_buf, sizeof(tag_buf));
682 #else
683 rc = mbedtls_gcm_finish(&ctx, NULL, 0, &output_length, tag_buf, sizeof(tag_buf));
684 #endif
685
686 if (rc != 0) {
687 rc = CRYPTO_ERR_DECRYPTION;
688 goto exit_gcm;
689 }
690
691 /* Check tag in "constant-time" */
692 for (diff = 0, i = 0; i < tag_len; i++)
693 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i];
694
695 if (diff != 0) {
696 rc = CRYPTO_ERR_DECRYPTION;
697 goto exit_gcm;
698 }
699
700 /* GCM decryption success */
701 rc = CRYPTO_SUCCESS;
702
703 exit_gcm:
704 mbedtls_gcm_free(&ctx);
705 return rc;
706 }
707
708 /*
709 * Authenticated decryption of an image
710 */
auth_decrypt(enum crypto_dec_algo dec_algo,void * data_ptr,size_t len,const void * key,unsigned int key_len,unsigned int key_flags,const void * iv,unsigned int iv_len,const void * tag,unsigned int tag_len)711 static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
712 size_t len, const void *key, unsigned int key_len,
713 unsigned int key_flags, const void *iv,
714 unsigned int iv_len, const void *tag,
715 unsigned int tag_len)
716 {
717 int rc;
718
719 assert((key_flags & ENC_KEY_IS_IDENTIFIER) == 0);
720
721 switch (dec_algo) {
722 case CRYPTO_GCM_DECRYPT:
723 rc = aes_gcm_decrypt(data_ptr, len, key, key_len, iv, iv_len,
724 tag, tag_len);
725 if (rc != 0)
726 return rc;
727 break;
728 default:
729 return CRYPTO_ERR_DECRYPTION;
730 }
731
732 return CRYPTO_SUCCESS;
733 }
734 #endif /* TF_MBEDTLS_USE_AES_GCM */
735
736 /*
737 * Register crypto library descriptor
738 */
739 #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
740 #if TF_MBEDTLS_USE_AES_GCM
741 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
742 auth_decrypt, NULL);
743 #else
744 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
745 NULL, NULL);
746 #endif
747 #elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY
748 #if TF_MBEDTLS_USE_AES_GCM
749 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL,
750 auth_decrypt, NULL);
751 #else
752 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL,
753 NULL, NULL);
754 #endif
755 #elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY
756 REGISTER_CRYPTO_LIB(LIB_NAME, init, NULL, NULL, calc_hash, NULL, NULL);
757 #endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
758