blob: 42a09255da48b34f6d28761a77d16ba9ba82c8f3 [file] [log] [blame]
Juan Castilloa57a4d52015-04-02 15:44:20 +01001/*
Manish V Badarkhe92de80a2021-12-16 10:41:47 +00002 * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
Juan Castilloa57a4d52015-04-02 15:44:20 +01003 *
dp-armfa3cf0b2017-05-03 09:38:09 +01004 * SPDX-License-Identifier: BSD-3-Clause
Juan Castilloa57a4d52015-04-02 15:44:20 +01005 */
6
Sumit Garg392e4df2019-11-15 10:43:00 +05307#include <assert.h>
Juan Castilloa57a4d52015-04-02 15:44:20 +01008#include <stddef.h>
9#include <string.h>
10
Juan Castillobae6b2a2015-11-05 09:24:53 +000011/* mbed TLS headers */
Sumit Garg392e4df2019-11-15 10:43:00 +053012#include <mbedtls/gcm.h>
Juan Castillobae6b2a2015-11-05 09:24:53 +000013#include <mbedtls/md.h>
14#include <mbedtls/memory_buffer_alloc.h>
15#include <mbedtls/oid.h>
16#include <mbedtls/platform.h>
Madhukar Pappireddy57eaae82020-03-05 18:18:40 -060017#include <mbedtls/x509.h>
Juan Castilloa57a4d52015-04-02 15:44:20 +010018
Antonio Nino Diaze0f90632018-12-14 00:18:21 +000019#include <common/debug.h>
20#include <drivers/auth/crypto_mod.h>
21#include <drivers/auth/mbedtls/mbedtls_common.h>
22#include <drivers/auth/mbedtls/mbedtls_config.h>
Sumit Garg392e4df2019-11-15 10:43:00 +053023#include <plat/common/platform.h>
Antonio Nino Diaze0f90632018-12-14 00:18:21 +000024
Juan Castillobae6b2a2015-11-05 09:24:53 +000025#define LIB_NAME "mbed TLS"
Juan Castilloa57a4d52015-04-02 15:44:20 +010026
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +010027#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
28CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
Manish V Badarkhee112a5a2021-10-06 23:41:50 +010029/*
30 * CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
31 * so make sure that mbed TLS MD maximum size must be lesser than this.
32 */
33CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
34 assert_mbedtls_md_size_overflow);
35
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +010036#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
37 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
Manish V Badarkhee112a5a2021-10-06 23:41:50 +010038
Juan Castilloa57a4d52015-04-02 15:44:20 +010039/*
40 * AlgorithmIdentifier ::= SEQUENCE {
41 * algorithm OBJECT IDENTIFIER,
42 * parameters ANY DEFINED BY algorithm OPTIONAL
43 * }
44 *
45 * SubjectPublicKeyInfo ::= SEQUENCE {
46 * algorithm AlgorithmIdentifier,
47 * subjectPublicKey BIT STRING
48 * }
49 *
50 * DigestInfo ::= SEQUENCE {
51 * digestAlgorithm AlgorithmIdentifier,
52 * digest OCTET STRING
53 * }
54 */
55
56/*
57 * Initialize the library and export the descriptor
58 */
59static void init(void)
60{
Juan Castillobae6b2a2015-11-05 09:24:53 +000061 /* Initialize mbed TLS */
Juan Castilloa57a4d52015-04-02 15:44:20 +010062 mbedtls_init();
63}
64
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +010065#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
66CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
Juan Castilloa57a4d52015-04-02 15:44:20 +010067/*
68 * Verify a signature.
69 *
70 * Parameters are passed using the DER encoding format following the ASN.1
71 * structures detailed above.
72 */
73static int verify_signature(void *data_ptr, unsigned int data_len,
74 void *sig_ptr, unsigned int sig_len,
75 void *sig_alg, unsigned int sig_alg_len,
76 void *pk_ptr, unsigned int pk_len)
77{
Juan Castillobae6b2a2015-11-05 09:24:53 +000078 mbedtls_asn1_buf sig_oid, sig_params;
79 mbedtls_asn1_buf signature;
80 mbedtls_md_type_t md_alg;
81 mbedtls_pk_type_t pk_alg;
Soby Mathew0a68d132017-05-31 10:35:27 +010082 mbedtls_pk_context pk = {0};
Juan Castilloa57a4d52015-04-02 15:44:20 +010083 int rc;
84 void *sig_opts = NULL;
Juan Castillobae6b2a2015-11-05 09:24:53 +000085 const mbedtls_md_info_t *md_info;
Juan Castilloa57a4d52015-04-02 15:44:20 +010086 unsigned char *p, *end;
Juan Castillobae6b2a2015-11-05 09:24:53 +000087 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
Juan Castilloa57a4d52015-04-02 15:44:20 +010088
89 /* Get pointers to signature OID and parameters */
90 p = (unsigned char *)sig_alg;
91 end = (unsigned char *)(p + sig_alg_len);
Juan Castillobae6b2a2015-11-05 09:24:53 +000092 rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
Juan Castilloa57a4d52015-04-02 15:44:20 +010093 if (rc != 0) {
94 return CRYPTO_ERR_SIGNATURE;
95 }
96
97 /* Get the actual signature algorithm (MD + PK) */
Soby Mathew0a68d132017-05-31 10:35:27 +010098 rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts);
Juan Castilloa57a4d52015-04-02 15:44:20 +010099 if (rc != 0) {
100 return CRYPTO_ERR_SIGNATURE;
101 }
102
103 /* Parse the public key */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000104 mbedtls_pk_init(&pk);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100105 p = (unsigned char *)pk_ptr;
106 end = (unsigned char *)(p + pk_len);
Juan Castillobae6b2a2015-11-05 09:24:53 +0000107 rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100108 if (rc != 0) {
Soby Mathew0a68d132017-05-31 10:35:27 +0100109 rc = CRYPTO_ERR_SIGNATURE;
110 goto end2;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100111 }
112
113 /* Get the signature (bitstring) */
114 p = (unsigned char *)sig_ptr;
115 end = (unsigned char *)(p + sig_len);
116 signature.tag = *p;
Juan Castillobae6b2a2015-11-05 09:24:53 +0000117 rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
Demi Marie Obenour447adc02022-12-08 15:24:10 -0500118 if ((rc != 0) || ((size_t)(end - p) != signature.len)) {
Juan Castilloa57a4d52015-04-02 15:44:20 +0100119 rc = CRYPTO_ERR_SIGNATURE;
Soby Mathew0a68d132017-05-31 10:35:27 +0100120 goto end1;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100121 }
122 signature.p = p;
123
124 /* Calculate the hash of the data */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000125 md_info = mbedtls_md_info_from_type(md_alg);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100126 if (md_info == NULL) {
127 rc = CRYPTO_ERR_SIGNATURE;
Soby Mathew0a68d132017-05-31 10:35:27 +0100128 goto end1;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100129 }
130 p = (unsigned char *)data_ptr;
Juan Castillobae6b2a2015-11-05 09:24:53 +0000131 rc = mbedtls_md(md_info, p, data_len, hash);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100132 if (rc != 0) {
133 rc = CRYPTO_ERR_SIGNATURE;
Soby Mathew0a68d132017-05-31 10:35:27 +0100134 goto end1;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100135 }
136
137 /* Verify the signature */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000138 rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
139 mbedtls_md_get_size(md_info),
140 signature.p, signature.len);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100141 if (rc != 0) {
142 rc = CRYPTO_ERR_SIGNATURE;
Soby Mathew0a68d132017-05-31 10:35:27 +0100143 goto end1;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100144 }
145
146 /* Signature verification success */
147 rc = CRYPTO_SUCCESS;
148
Soby Mathew0a68d132017-05-31 10:35:27 +0100149end1:
Juan Castillobae6b2a2015-11-05 09:24:53 +0000150 mbedtls_pk_free(&pk);
Soby Mathew0a68d132017-05-31 10:35:27 +0100151end2:
152 mbedtls_free(sig_opts);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100153 return rc;
154}
155
156/*
157 * Match a hash
158 *
159 * Digest info is passed in DER format following the ASN.1 structure detailed
160 * above.
161 */
162static int verify_hash(void *data_ptr, unsigned int data_len,
163 void *digest_info_ptr, unsigned int digest_info_len)
164{
Juan Castillobae6b2a2015-11-05 09:24:53 +0000165 mbedtls_asn1_buf hash_oid, params;
166 mbedtls_md_type_t md_alg;
167 const mbedtls_md_info_t *md_info;
Juan Castilloa57a4d52015-04-02 15:44:20 +0100168 unsigned char *p, *end, *hash;
Juan Castillobae6b2a2015-11-05 09:24:53 +0000169 unsigned char data_hash[MBEDTLS_MD_MAX_SIZE];
Juan Castilloa57a4d52015-04-02 15:44:20 +0100170 size_t len;
171 int rc;
172
Demi Marie Obenourae266642022-12-08 15:24:01 -0500173 /*
174 * Digest info should be an MBEDTLS_ASN1_SEQUENCE
175 * and consume all bytes.
176 */
Juan Castilloa57a4d52015-04-02 15:44:20 +0100177 p = (unsigned char *)digest_info_ptr;
Sandrine Bailleuxdf8de2d2016-01-04 15:49:23 +0000178 end = p + digest_info_len;
Juan Castillobae6b2a2015-11-05 09:24:53 +0000179 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
180 MBEDTLS_ASN1_SEQUENCE);
Demi Marie Obenourae266642022-12-08 15:24:01 -0500181 if (rc != 0 || ((size_t)(end - p) != len)) {
Juan Castilloa57a4d52015-04-02 15:44:20 +0100182 return CRYPTO_ERR_HASH;
183 }
184
185 /* Get the hash algorithm */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000186 rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100187 if (rc != 0) {
188 return CRYPTO_ERR_HASH;
189 }
190
Juan Castillobae6b2a2015-11-05 09:24:53 +0000191 rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100192 if (rc != 0) {
193 return CRYPTO_ERR_HASH;
194 }
195
Juan Castillobae6b2a2015-11-05 09:24:53 +0000196 md_info = mbedtls_md_info_from_type(md_alg);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100197 if (md_info == NULL) {
198 return CRYPTO_ERR_HASH;
199 }
200
Demi Marie Obenourae266642022-12-08 15:24:01 -0500201 /* Hash should be octet string type and consume all bytes */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000202 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
Demi Marie Obenourae266642022-12-08 15:24:01 -0500203 if ((rc != 0) || ((size_t)(end - p) != len)) {
Juan Castilloa57a4d52015-04-02 15:44:20 +0100204 return CRYPTO_ERR_HASH;
205 }
206
207 /* Length of hash must match the algorithm's size */
Juan Castillobae6b2a2015-11-05 09:24:53 +0000208 if (len != mbedtls_md_get_size(md_info)) {
Juan Castilloa57a4d52015-04-02 15:44:20 +0100209 return CRYPTO_ERR_HASH;
210 }
211 hash = p;
212
213 /* Calculate the hash of the data */
214 p = (unsigned char *)data_ptr;
Juan Castillobae6b2a2015-11-05 09:24:53 +0000215 rc = mbedtls_md(md_info, p, data_len, data_hash);
Juan Castilloa57a4d52015-04-02 15:44:20 +0100216 if (rc != 0) {
217 return CRYPTO_ERR_HASH;
218 }
219
220 /* Compare values */
Antonio Nino Diaz0ca1afa2017-02-09 10:26:54 +0000221 rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info));
Juan Castilloa57a4d52015-04-02 15:44:20 +0100222 if (rc != 0) {
223 return CRYPTO_ERR_HASH;
224 }
225
226 return CRYPTO_SUCCESS;
227}
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100228#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
229 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
Juan Castilloa57a4d52015-04-02 15:44:20 +0100230
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100231#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
232CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000233/*
Manish V Badarkhee112a5a2021-10-06 23:41:50 +0100234 * Map a generic crypto message digest algorithm to the corresponding macro used
235 * by Mbed TLS.
236 */
237static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo)
238{
239 switch (algo) {
240 case CRYPTO_MD_SHA512:
241 return MBEDTLS_MD_SHA512;
242 case CRYPTO_MD_SHA384:
243 return MBEDTLS_MD_SHA384;
244 case CRYPTO_MD_SHA256:
245 return MBEDTLS_MD_SHA256;
246 default:
247 /* Invalid hash algorithm. */
248 return MBEDTLS_MD_NONE;
249 }
250}
251
252/*
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000253 * Calculate a hash
254 *
255 * output points to the computed hash
256 */
Manish V Badarkhee112a5a2021-10-06 23:41:50 +0100257static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
258 unsigned int data_len,
259 unsigned char output[CRYPTO_MD_MAX_SIZE])
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000260{
261 const mbedtls_md_info_t *md_info;
262
Manish V Badarkhee112a5a2021-10-06 23:41:50 +0100263 md_info = mbedtls_md_info_from_type(md_type(md_algo));
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000264 if (md_info == NULL) {
265 return CRYPTO_ERR_HASH;
266 }
267
Manish V Badarkhee112a5a2021-10-06 23:41:50 +0100268 /*
269 * Calculate the hash of the data, it is safe to pass the
270 * 'output' hash buffer pointer considering its size is always
271 * bigger than or equal to MBEDTLS_MD_MAX_SIZE.
272 */
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000273 return mbedtls_md(md_info, data_ptr, data_len, output);
274}
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100275#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
276 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000277
Sumit Garg392e4df2019-11-15 10:43:00 +0530278#if TF_MBEDTLS_USE_AES_GCM
279/*
280 * Stack based buffer allocation for decryption operation. It could
281 * be configured to balance stack usage vs execution speed.
282 */
283#define DEC_OP_BUF_SIZE 128
284
285static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
286 unsigned int key_len, const void *iv,
287 unsigned int iv_len, const void *tag,
288 unsigned int tag_len)
289{
290 mbedtls_gcm_context ctx;
291 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;
292 unsigned char buf[DEC_OP_BUF_SIZE];
293 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE];
294 unsigned char *pt = data_ptr;
295 size_t dec_len;
296 int diff, i, rc;
297
298 mbedtls_gcm_init(&ctx);
299
300 rc = mbedtls_gcm_setkey(&ctx, cipher, key, key_len * 8);
301 if (rc != 0) {
302 rc = CRYPTO_ERR_DECRYPTION;
303 goto exit_gcm;
304 }
305
306 rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len, NULL, 0);
307 if (rc != 0) {
308 rc = CRYPTO_ERR_DECRYPTION;
309 goto exit_gcm;
310 }
311
312 while (len > 0) {
313 dec_len = MIN(sizeof(buf), len);
314
315 rc = mbedtls_gcm_update(&ctx, dec_len, pt, buf);
316 if (rc != 0) {
317 rc = CRYPTO_ERR_DECRYPTION;
318 goto exit_gcm;
319 }
320
321 memcpy(pt, buf, dec_len);
322 pt += dec_len;
323 len -= dec_len;
324 }
325
326 rc = mbedtls_gcm_finish(&ctx, tag_buf, sizeof(tag_buf));
327 if (rc != 0) {
328 rc = CRYPTO_ERR_DECRYPTION;
329 goto exit_gcm;
330 }
331
332 /* Check tag in "constant-time" */
333 for (diff = 0, i = 0; i < tag_len; i++)
334 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i];
335
336 if (diff != 0) {
337 rc = CRYPTO_ERR_DECRYPTION;
338 goto exit_gcm;
339 }
340
341 /* GCM decryption success */
342 rc = CRYPTO_SUCCESS;
343
344exit_gcm:
345 mbedtls_gcm_free(&ctx);
346 return rc;
347}
348
349/*
350 * Authenticated decryption of an image
351 */
352static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
353 size_t len, const void *key, unsigned int key_len,
354 unsigned int key_flags, const void *iv,
355 unsigned int iv_len, const void *tag,
356 unsigned int tag_len)
357{
358 int rc;
359
360 assert((key_flags & ENC_KEY_IS_IDENTIFIER) == 0);
361
362 switch (dec_algo) {
363 case CRYPTO_GCM_DECRYPT:
364 rc = aes_gcm_decrypt(data_ptr, len, key, key_len, iv, iv_len,
365 tag, tag_len);
366 if (rc != 0)
367 return rc;
368 break;
369 default:
370 return CRYPTO_ERR_DECRYPTION;
371 }
372
373 return CRYPTO_SUCCESS;
374}
375#endif /* TF_MBEDTLS_USE_AES_GCM */
376
Juan Castilloa57a4d52015-04-02 15:44:20 +0100377/*
378 * Register crypto library descriptor
379 */
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100380#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
Sumit Garg392e4df2019-11-15 10:43:00 +0530381#if TF_MBEDTLS_USE_AES_GCM
382REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
383 auth_decrypt);
384#else
385REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
386 NULL);
387#endif
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100388#elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY
Sumit Garg392e4df2019-11-15 10:43:00 +0530389#if TF_MBEDTLS_USE_AES_GCM
390REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash,
391 auth_decrypt);
Alexei Fedorov913cb7e2020-01-23 14:27:38 +0000392#else
Sumit Garg392e4df2019-11-15 10:43:00 +0530393REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL);
394#endif
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100395#elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY
Manish V Badarkhe92de80a2021-12-16 10:41:47 +0000396REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash);
Manish V Badarkhec9fdaf62022-06-20 15:32:38 +0100397#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */