Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / d6d619757a0bfca21d4bbd5c5355a3531f2683e8^1..d6d619757a0bfca21d4bbd5c5355a3531f2683e8 / .
commitd6d619757a0bfca21d4bbd5c5355a3531f2683e8[log] [tgz]
authordanh-arm <dan.handley@arm.com>Mon Jun 05 14:45:10 2017 +0100
committerGitHub <noreply@github.com>Mon Jun 05 14:45:10 2017 +0100
tree3667f11a0d0c0b79bc242f42245da05c5e301891
parentc2c877af1ab3a7cbe56542789ac0a2dc528e7712 [diff]
parentd5b22d3319d1d1ffa3ab022bc998e468c6b36c41 [diff]
Merge pull request #964 from soby-mathew/sm/rsapss_sup

Add support for RSASSAPSS algorithm

diff --git a/drivers/auth/mbedtls/mbedtls_common.c b/drivers/auth/mbedtls/mbedtls_common.c
index 336e44b..3799d41 100644
--- a/drivers/auth/mbedtls/mbedtls_common.c
+++ b/drivers/auth/mbedtls/mbedtls_common.c

@@ -16,7 +16,7 @@
 #if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
 #define MBEDTLS_HEAP_SIZE		(14*1024)
 #elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
-#define MBEDTLS_HEAP_SIZE		(6*1024)
+#define MBEDTLS_HEAP_SIZE		(7*1024)
 #endif
 static unsigned char heap[MBEDTLS_HEAP_SIZE];
 

diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index 2c15148..b157a32 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c

@@ -60,7 +60,7 @@
 	mbedtls_asn1_buf signature;
 	mbedtls_md_type_t md_alg;
 	mbedtls_pk_type_t pk_alg;
-	mbedtls_pk_context pk;
+	mbedtls_pk_context pk = {0};
 	int rc;
 	void *sig_opts = NULL;
 	const mbedtls_md_info_t *md_info;
@@ -76,7 +76,7 @@
 	}
 
 	/* Get the actual signature algorithm (MD + PK) */
-	rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
+	rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
 	if (rc != 0) {
 		return CRYPTO_ERR_SIGNATURE;
 	}
@@ -87,7 +87,8 @@
 	end = (unsigned char *)(p + pk_len);
 	rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
 	if (rc != 0) {
-		return CRYPTO_ERR_SIGNATURE;
+		rc = CRYPTO_ERR_SIGNATURE;
+		goto end2;
 	}
 
 	/* Get the signature (bitstring) */
@@ -97,7 +98,7 @@
 	rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
 	if (rc != 0) {
 		rc = CRYPTO_ERR_SIGNATURE;
-		goto end;
+		goto end1;
 	}
 	signature.p = p;
 
@@ -105,13 +106,13 @@
 	md_info = mbedtls_md_info_from_type(md_alg);
 	if (md_info == NULL) {
 		rc = CRYPTO_ERR_SIGNATURE;
-		goto end;
+		goto end1;
 	}
 	p = (unsigned char *)data_ptr;
 	rc = mbedtls_md(md_info, p, data_len, hash);
 	if (rc != 0) {
 		rc = CRYPTO_ERR_SIGNATURE;
-		goto end;
+		goto end1;
 	}
 
 	/* Verify the signature */
@@ -120,14 +121,16 @@
 			signature.p, signature.len);
 	if (rc != 0) {
 		rc = CRYPTO_ERR_SIGNATURE;
-		goto end;
+		goto end1;
 	}
 
 	/* Signature verification success */
 	rc = CRYPTO_SUCCESS;
 
-end:
+end1:
 	mbedtls_pk_free(&pk);
+end2:
+	mbedtls_free(sig_opts);
 	return rc;
 }
 

diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index 22e7574..0a05886 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h

@@ -22,12 +22,15 @@
 /* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
 #define MBEDTLS_PLATFORM_SNPRINTF_ALT
 
+#if !ERROR_DEPRECATED
 #define MBEDTLS_PKCS1_V15
+#endif
 #define MBEDTLS_PKCS1_V21
 
 #define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 #define MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 
 #define MBEDTLS_ASN1_PARSE_C
 #define MBEDTLS_ASN1_WRITE_C

diff --git a/tools/cert_create/src/cert.c b/tools/cert_create/src/cert.c
index 80ccfe9..9775664 100644
--- a/tools/cert_create/src/cert.c
+++ b/tools/cert_create/src/cert.c

@@ -10,6 +10,7 @@
 
 #include <openssl/conf.h>
 #include <openssl/err.h>
+#include <openssl/opensslv.h>
 #include <openssl/pem.h>
 #include <openssl/sha.h>
 #include <openssl/x509v3.h>
@@ -27,6 +28,7 @@
 #include "sha.h"
 
 #define SERIAL_RAND_BITS	64
+#define RSA_SALT_LEN		32
 
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
 {
@@ -77,7 +79,6 @@
 	return 1;
 }
 
-
 int cert_new(cert_t *cert, int days, int ca, STACK_OF(X509_EXTENSION) * sk)
 {
 	EVP_PKEY *pkey = keys[cert->key].key;
@@ -88,7 +89,9 @@
 	X509_EXTENSION *ex;
 	X509_NAME *name;
 	ASN1_INTEGER *sno;
-	int i, num;
+	int i, num, rc = 0;
+	EVP_MD_CTX  mdCtx;
+	EVP_PKEY_CTX *pKeyCtx = NULL;
 
 	/* Create the certificate structure */
 	x = X509_new();
@@ -108,6 +111,27 @@
 		issuer = x;
 	}
 
+	EVP_MD_CTX_init(&mdCtx);
+	if (!EVP_DigestSignInit(&mdCtx, &pKeyCtx, EVP_sha256(), NULL, ikey)) {
+		ERR_print_errors_fp(stdout);
+		goto END;
+	}
+
+	if (!EVP_PKEY_CTX_set_rsa_padding(pKeyCtx, RSA_PKCS1_PSS_PADDING)) {
+		ERR_print_errors_fp(stdout);
+		goto END;
+	}
+
+	if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx, RSA_SALT_LEN)) {
+		ERR_print_errors_fp(stdout);
+		goto END;
+	}
+
+	if (!EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, EVP_sha256())) {
+		ERR_print_errors_fp(stdout);
+		goto END;
+	}
+
 	/* x509.v3 */
 	X509_set_version(x, 2);
 
@@ -152,14 +176,18 @@
 		}
 	}
 
-	/* Sign the certificate with the issuer key */
-	if (!X509_sign(x, ikey, EVP_sha256())) {
+	if (!X509_sign_ctx(x, &mdCtx)) {
 		ERR_print_errors_fp(stdout);
-		return 0;
+		goto END;
 	}
 
+	/* X509 certificate signed successfully */
+	rc = 1;
 	cert->x = x;
-	return 1;
+
+END:
+	EVP_MD_CTX_cleanup(&mdCtx);
+	return rc;
 }
 
 int cert_init(void)