Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / f18daf7db473988bd9c5a1b34c4370accb077f9f / . / common / auth / polarssl / polarssl.c
blob: b55a7fc6c7a5467036f36e2b3ad01a2e9bda3e54 [file] [log] [blame]
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]1/*
2 * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 *
7 * Redistributions of source code must retain the above copyright notice, this
8 * list of conditions and the following disclaimer.
9 *
10 * Redistributions in binary form must reproduce the above copyright notice,
11 * this list of conditions and the following disclaimer in the documentation
12 * and/or other materials provided with the distribution.
13 *
14 * Neither the name of ARM nor the names of its contributors may be used
15 * to endorse or promote products derived from this software without specific
16 * prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
22 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 * POSSIBILITY OF SUCH DAMAGE.
29 */
30
31/* Authentication module based on PolarSSL */
32
33#include <stddef.h>
34
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]35#include <auth.h>
36#include <debug.h>
37#include <platform.h>
38#include <platform_def.h>
39#include <platform_oid.h>
40
41#include <polarssl/memory_buffer_alloc.h>
42#include <polarssl/oid.h>
43#include <polarssl/platform.h>
44#include <polarssl/sha256.h>
45#include <polarssl/x509_crt.h>
46
47/*
48 * At each authentication stage, the module is responsible for extracting and
49 * storing those elements (keys, hashes, etc.) that will be needed later on
50 * during the Trusted Boot process.
51 */
52
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]53/* Maximum OID string length ("a.b.c.d.e.f ...") */
54#define MAX_OID_STR_LEN 64
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]55
56/*
57 * An 8 KB stack has been proven to be enough for the current Trusted Boot
58 * process
59 */
60#define POLARSSL_HEAP_SIZE (8*1024)
61static unsigned char heap[POLARSSL_HEAP_SIZE];
62
63/*
64 * RSA public keys:
65 * SubjectPublicKeyInfo ::= SEQUENCE { 1 + 3
66 * algorithm AlgorithmIdentifier, 1 + 1 (sequence)
67 * + 1 + 1 + 9 (rsa oid)
68 * + 1 + 1 (params null)
69 * subjectPublicKey BIT STRING } 1 + 3 + (1 + below)
70 * RSAPublicKey ::= SEQUENCE { 1 + 3
71 * modulus INTEGER, -- n 1 + 3 + MPI_MAX + 1
72 * publicExponent INTEGER -- e 1 + 3 + MPI_MAX + 1
73 * }
74 *
75 * POLARSSL_MPI_MAX_SIZE is set to 256 bytes (RSA-2048 bit keys) in the
76 * configuration file
77 */
78#define RSA_PUB_DER_MAX_BYTES 38 + 2 * POLARSSL_MPI_MAX_SIZE
79
80/*
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]81 * SHA256:
82 * DigestInfo ::= SEQUENCE { 1 + 1
83 * digestAlgorithm AlgorithmIdentifier, + 1 + 1 (sequence)
84 * + 1 + 1 + 9 (sha256 oid)
85 * + 1 + 1 (params null)
86 * digest OCTET STRING + 1 + 1 + 32 (sha256)
87 * }
88 */
89#define SHA256_BYTES 32
90#define SHA256_DER_BYTES (19 + SHA256_BYTES)
91
92/*
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]93 * Buffer for storing public keys extracted from certificates while they are
94 * verified
95 */
96static unsigned char pk_buf[RSA_PUB_DER_MAX_BYTES];
97
98/* We use this variable to parse and authenticate the certificates */
99static x509_crt cert;
100
101/* BL specific variables */
102#if IMAGE_BL1
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]103static unsigned char sha_bl2[SHA256_DER_BYTES];
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]104#elif IMAGE_BL2
105/* Buffers to store the hash of BL3-x images */
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]106static unsigned char sha_bl30[SHA256_DER_BYTES];
107static unsigned char sha_bl31[SHA256_DER_BYTES];
108static unsigned char sha_bl32[SHA256_DER_BYTES];
109static unsigned char sha_bl33[SHA256_DER_BYTES];
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]110/* Buffers to store the Trusted and Non-Trusted world public keys */
111static unsigned char tz_world_pk[RSA_PUB_DER_MAX_BYTES];
112static unsigned char ntz_world_pk[RSA_PUB_DER_MAX_BYTES];
113static size_t tz_world_pk_len, ntz_world_pk_len;
114/* Buffer to store the BL3-x public keys */
115static unsigned char content_pk[RSA_PUB_DER_MAX_BYTES];
116static size_t content_pk_len;
117#endif
118
119
120static int x509_get_crt_ext_data(const unsigned char **ext_data,
121 size_t *ext_len,
122 x509_crt *crt,
123 const char *oid)
124{
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]125 int ret, oid_len;
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]126 size_t len;
127 unsigned char *end_ext_data, *end_ext_octet;
128 unsigned char *p;
129 const unsigned char *end;
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]130 char oid_str[MAX_OID_STR_LEN];
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]131
132 p = crt->v3_ext.p;
133 end = crt->v3_ext.p + crt->v3_ext.len;
134
135 ret = asn1_get_tag(&p, end, &len, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
136 if (ret != 0)
137 return POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret;
138
139 if (end != p + len)
140 return POLARSSL_ERR_X509_INVALID_EXTENSIONS +
141 POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
142
143 while (p < end) {
144 /*
145 * Extension ::= SEQUENCE {
146 * extnID OBJECT IDENTIFIER,
147 * critical BOOLEAN DEFAULT FALSE,
148 * extnValue OCTET STRING }
149 */
150 x509_buf extn_oid = {0, 0, NULL};
151 int is_critical = 0; /* DEFAULT FALSE */
152
153 ret = asn1_get_tag(&p, end, &len,
154 ASN1_CONSTRUCTED | ASN1_SEQUENCE);
155 if (ret != 0)
156 return POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret;
157
158 end_ext_data = p + len;
159
160 /* Get extension ID */
161 extn_oid.tag = *p;
162
163 ret = asn1_get_tag(&p, end, &extn_oid.len, ASN1_OID);
164 if (ret != 0)
165 return POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret;
166
167 extn_oid.p = p;
168 p += extn_oid.len;
169
170 if ((end - p) < 1)
171 return POLARSSL_ERR_X509_INVALID_EXTENSIONS +
172 POLARSSL_ERR_ASN1_OUT_OF_DATA;
173
174 /* Get optional critical */
175 ret = asn1_get_bool(&p, end_ext_data, &is_critical);
176 if (ret != 0 && (ret != POLARSSL_ERR_ASN1_UNEXPECTED_TAG))
177 return POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret;
178
179 /* Data should be octet string type */
180 ret = asn1_get_tag(&p, end_ext_data, &len, ASN1_OCTET_STRING);
181 if (ret != 0)
182 return POLARSSL_ERR_X509_INVALID_EXTENSIONS + ret;
183
184 end_ext_octet = p + len;
185
186 if (end_ext_octet != end_ext_data)
187 return POLARSSL_ERR_X509_INVALID_EXTENSIONS +
188 POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
189
190 /* Detect requested extension */
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]191 oid_len = oid_get_numeric_string(oid_str,
192 MAX_OID_STR_LEN, &extn_oid);
193 if (oid_len == POLARSSL_ERR_OID_BUF_TOO_SMALL)
194 return POLARSSL_ERR_X509_INVALID_EXTENSIONS +
195 POLARSSL_ERR_ASN1_BUF_TOO_SMALL;
196 if ((oid_len == strlen(oid_str)) && !strcmp(oid, oid_str)) {
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]197 *ext_data = p;
198 *ext_len = len;
199 return 0;
200 }
201
202 /* Next */
203 p = end_ext_octet;
204 }
205
206 if (p != end)
207 return POLARSSL_ERR_X509_INVALID_EXTENSIONS +
208 POLARSSL_ERR_ASN1_LENGTH_MISMATCH;
209
210 return POLARSSL_ERR_X509_UNKNOWN_OID;
211}
212
213#if IMAGE_BL1
214/*
215 * Parse and verify the BL2 certificate
216 *
217 * This function verifies the integrity of the BL2 certificate, checks that it
218 * has been signed with the ROT key and extracts the BL2 hash stored in the
219 * certificate so it can be matched later against the calculated hash.
220 *
221 * Return: 0 = success, Otherwise = error
222 */
223static int check_bl2_cert(unsigned char *buf, size_t len)
224{
225 const unsigned char *p;
226 size_t sz;
227 int err, flags;
228
229 x509_crt_init(&cert);
230
231 /* Parse the BL2 certificate */
232 err = x509_crt_parse(&cert, buf, len);
233 if (err) {
234 ERROR("BL2 certificate parse error %d.\n", err);
235 goto error;
236 }
237
238 /* Check that it has been signed with the ROT key */
239 err = pk_write_pubkey_der(&cert.pk, pk_buf, sizeof(pk_buf));
240 if (err < 0) {
241 ERROR("Error loading ROT key in DER format %d.\n", err);
242 goto error;
243 }
244
245 sz = (size_t)err;
246 p = pk_buf + sizeof(pk_buf) - sz;
247
248 err = plat_match_rotpk(p, sz);
249 if (err) {
250 ERROR("ROT and BL2 certificate key mismatch\n");
251 goto error;
252 }
253
254 /* Verify certificate */
255 err = x509_crt_verify(&cert, &cert, NULL, NULL, &flags, NULL, NULL);
256 if (err) {
257 ERROR("BL2 certificate verification error %d. Flags: 0x%x.\n",
258 err, flags);
259 goto error;
260 }
261
262 /* Extract BL2 image hash from certificate */
263 err = x509_get_crt_ext_data(&p, &sz, &cert, BL2_HASH_OID);
264 if (err) {
265 ERROR("Cannot read BL2 hash from certificate\n");
266 goto error;
267 }
268
Juan Castillof18daf72015-03-10 15:18:55 +0000[diff] [blame^]269 if (sz != SHA256_DER_BYTES) {
270 ERROR("Wrong BL2 hash size: %lu\n", sz);
271 err = 1;
272 goto error;
273 }
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]274 memcpy(sha_bl2, p, SHA256_DER_BYTES);
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]275
276error:
277 x509_crt_free(&cert);
278
279 return err;
280}
281#endif /* IMAGE_BL1 */
282
283#if IMAGE_BL2
284static int check_trusted_key_cert(unsigned char *buf, size_t len)
285{
286 const unsigned char *p;
287 size_t sz;
288 int err, flags;
289
290 x509_crt_init(&cert);
291
292 /* Parse the Trusted Key certificate */
293 err = x509_crt_parse(&cert, buf, len);
294 if (err) {
295 ERROR("Trusted Key certificate parse error %d.\n", err);
296 goto error;
297 }
298
299 /* Verify Trusted Key certificate */
300 err = x509_crt_verify(&cert, &cert, NULL, NULL, &flags, NULL, NULL);
301 if (err) {
302 ERROR("Trusted Key certificate verification error %d. Flags: "
303 "0x%x.\n", err, flags);
304 goto error;
305 }
306
307 /* Check that it has been signed with the ROT key */
308 err = pk_write_pubkey_der(&cert.pk, pk_buf, sizeof(pk_buf));
309 if (err < 0) {
310 ERROR("Error loading ROT key in DER format %d.\n", err);
311 goto error;
312 }
313
314 sz = (size_t)err;
315 p = pk_buf + sizeof(pk_buf) - sz;
316
317 if (plat_match_rotpk(p, sz)) {
318 ERROR("ROT and Trusted Key certificate key mismatch\n");
319 goto error;
320 }
321
322 /* Extract Trusted World key from extensions */
323 err = x509_get_crt_ext_data(&p, &tz_world_pk_len,
324 &cert, TZ_WORLD_PK_OID);
325 if (err) {
326 ERROR("Cannot read Trusted World key\n");
327 goto error;
328 }
329
Juan Castillof18daf72015-03-10 15:18:55 +0000[diff] [blame^]330 if (tz_world_pk_len > RSA_PUB_DER_MAX_BYTES) {
331 ERROR("Wrong RSA key size: %lu\n", tz_world_pk_len);
332 err = 1;
333 goto error;
334 }
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]335 memcpy(tz_world_pk, p, tz_world_pk_len);
336
337 /* Extract Non-Trusted World key from extensions */
338 err = x509_get_crt_ext_data(&p, &ntz_world_pk_len,
339 &cert, NTZ_WORLD_PK_OID);
340 if (err) {
341 ERROR("Cannot read Non-Trusted World key\n");
342 goto error;
343 }
344
Juan Castillof18daf72015-03-10 15:18:55 +0000[diff] [blame^]345 if (ntz_world_pk_len > RSA_PUB_DER_MAX_BYTES) {
346 ERROR("Wrong RSA key size: %lu\n", ntz_world_pk_len);
347 err = 1;
348 goto error;
349 }
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]350 memcpy(ntz_world_pk, p, ntz_world_pk_len);
351
352error:
353 x509_crt_free(&cert);
354
355 return err;
356}
357
358static int check_bl3x_key_cert(const unsigned char *buf, size_t len,
359 const unsigned char *i_key, size_t i_key_len,
360 unsigned char *s_key, size_t *s_key_len,
361 const char *key_oid)
362{
363 const unsigned char *p;
364 size_t sz;
365 int err, flags;
366
367 x509_crt_init(&cert);
368
369 /* Parse key certificate */
370 err = x509_crt_parse(&cert, buf, len);
371 if (err) {
372 ERROR("Key certificate parse error %d.\n", err);
373 goto error;
374 }
375
376 /* Verify certificate */
377 err = x509_crt_verify(&cert, &cert, NULL, NULL, &flags, NULL, NULL);
378 if (err) {
379 ERROR("Key certificate verification error %d. Flags: "
380 "0x%x.\n", err, flags);
381 goto error;
382 }
383
384 /* Check that the certificate has been signed by the issuer */
385 err = pk_write_pubkey_der(&cert.pk, pk_buf, sizeof(pk_buf));
386 if (err < 0) {
387 ERROR("Error loading key in DER format %d.\n", err);
388 goto error;
389 }
390
391 sz = (size_t)err;
392 p = pk_buf + sizeof(pk_buf) - sz;
393 if ((sz != i_key_len) || memcmp(p, i_key, sz)) {
394 ERROR("Key certificate not signed with issuer key\n");
395 err = 1;
396 goto error;
397 }
398
399 /* Get the content certificate key */
400 err = x509_get_crt_ext_data(&p, &sz, &cert, key_oid);
401 if (err) {
402 ERROR("Extension %s not found in Key certificate\n", key_oid);
403 goto error;
404 }
405
Juan Castillof18daf72015-03-10 15:18:55 +0000[diff] [blame^]406 if (sz > RSA_PUB_DER_MAX_BYTES) {
407 ERROR("Wrong RSA key size: %lu\n", sz);
408 err = 1;
409 goto error;
410 }
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]411 memcpy(s_key, p, sz);
412 *s_key_len = sz;
413
414error:
415 x509_crt_free(&cert);
416
417 return err;
418}
419
420static int check_bl3x_cert(unsigned char *buf, size_t len,
421 const unsigned char *i_key, size_t i_key_len,
422 const char *hash_oid, unsigned char *sha)
423{
424 const unsigned char *p;
425 size_t sz;
426 int err, flags;
427
428 x509_crt_init(&cert);
429
430 /* Parse BL31 content certificate */
431 err = x509_crt_parse(&cert, buf, len);
432 if (err) {
433 ERROR("Content certificate parse error %d.\n", err);
434 goto error;
435 }
436
437 /* Verify certificate */
438 err = x509_crt_verify(&cert, &cert, NULL, NULL, &flags, NULL, NULL);
439 if (err) {
440 ERROR("Content certificate verification error %d. Flags: "
441 "0x%x.\n", err, flags);
442 goto error;
443 }
444
445 /* Check that content certificate has been signed with the content
446 * certificate key corresponding to this image */
447 sz = pk_write_pubkey_der(&cert.pk, pk_buf, sizeof(pk_buf));
448 p = pk_buf + sizeof(pk_buf) - sz;
449
450 if ((sz != i_key_len) || memcmp(p, i_key, sz)) {
451 ERROR("Content certificate not signed with content "
452 "certificate key\n");
453 err = 1;
454 goto error;
455 }
456
457 /* Extract image hash from certificate */
458 err = x509_get_crt_ext_data(&p, &sz, &cert, hash_oid);
459 if (err) {
460 ERROR("Cannot read hash from certificate\n");
461 goto error;
462 }
463
Juan Castillof18daf72015-03-10 15:18:55 +0000[diff] [blame^]464 if (sz != SHA256_DER_BYTES) {
465 ERROR("Wrong image hash length: %lu\n", sz);
466 err = 1;
467 goto error;
468 }
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]469 memcpy(sha, p, SHA256_DER_BYTES);
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]470
471error:
472 x509_crt_free(&cert);
473
474 return err;
475}
476#endif /* IMAGE_BL2 */
477
478/*
479 * Calculate the hash of the image and check it against the hash extracted
480 * previously from the certificate
481 *
482 * Parameters:
483 * buf: buffer where image is loaded
484 * len: size of the image
485 * sha: matching hash (extracted from the image certificate)
486 *
487 * Return: 0 = match, Otherwise = mismatch
488 */
489static int check_bl_img(unsigned char *buf, size_t len,
490 const unsigned char *sha)
491{
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]492 asn1_buf md_oid, params;
493 md_type_t md_alg;
494 int err;
495 unsigned char *p = NULL;
496 const unsigned char *end = NULL;
497 size_t sz;
498 unsigned char img_sha[SHA256_BYTES];
499
500 /*
501 * Extract the image hash from the ASN.1 structure:
502 *
503 * DigestInfo ::= SEQUENCE {
504 * digestAlgorithm AlgorithmIdentifier,
505 * digest OCTET STRING
506 * }
507 */
508
509 p = (unsigned char *)sha;
510 end = sha + SHA256_DER_BYTES;
511 err = asn1_get_tag(&p, end, &sz, ASN1_CONSTRUCTED | ASN1_SEQUENCE);
512 if (err != 0) {
513 ERROR("Malformed image hash extension\n");
514 goto error;
515 }
516
517 err = asn1_get_alg(&p, end, &md_oid, &params);
518 if (err != 0) {
519 ERROR("Malformed image hash algorithm\n");
520 goto error;
521 }
522
523 err = oid_get_md_alg(&md_oid, &md_alg);
524 if (err != 0) {
525 ERROR("Unknown image hash algorithm\n");
526 goto error;
527 }
528
529 /* Only SHA256 is supported */
530 if (md_alg != POLARSSL_MD_SHA256) {
531 ERROR("Only SHA256 is supported as image hash algorithm\n");
532 err = 1;
533 goto error;
534 }
535
536 /* Get the hash */
537 err = asn1_get_tag(&p, end, &sz, ASN1_OCTET_STRING);
538 if (err != 0) {
539 ERROR("Image hash not found in extension\n");
540 goto error;
541 }
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]542
543 /* Calculate the hash of the image */
544 sha256(buf, len, img_sha, 0);
545
546 /* Match the hash with the one extracted from the certificate */
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]547 if (memcmp(img_sha, p, SHA256_BYTES)) {
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]548 ERROR("Image hash mismatch\n");
549 return 1;
550 }
551
Juan Castilloac402932015-03-05 14:30:00 +0000[diff] [blame]552error:
553 return err;
Juan Castillo9c25a402015-01-13 12:21:04 +0000[diff] [blame]554}
555
556/*
557 * Object verification function
558 *
559 * The id parameter will indicate the expected format of the object
560 * (certificate, image, etc).
561 *
562 * Return: 0 = success, Otherwise = error
563 */
564static int polarssl_mod_verify(unsigned int id, uintptr_t obj, size_t len)
565{
566 int ret;
567
568 switch (id) {
569#if IMAGE_BL1
570 case AUTH_BL2_IMG_CERT:
571 ret = check_bl2_cert((unsigned char *)obj, len);
572 break;
573 case AUTH_BL2_IMG:
574 ret = check_bl_img((unsigned char *)obj, len, sha_bl2);
575 break;
576#endif /* IMAGE_BL1 */
577
578#if IMAGE_BL2
579 case AUTH_TRUSTED_KEY_CERT:
580 ret = check_trusted_key_cert((unsigned char *)obj, len);
581 break;
582 case AUTH_BL30_KEY_CERT:
583 ret = check_bl3x_key_cert((unsigned char *)obj, len,
584 tz_world_pk, tz_world_pk_len,
585 content_pk, &content_pk_len,
586 BL30_CONTENT_CERT_PK_OID);
587 break;
588 case AUTH_BL31_KEY_CERT:
589 ret = check_bl3x_key_cert((unsigned char *)obj, len,
590 tz_world_pk, tz_world_pk_len,
591 content_pk, &content_pk_len,
592 BL31_CONTENT_CERT_PK_OID);
593 break;
594 case AUTH_BL32_KEY_CERT:
595 ret = check_bl3x_key_cert((unsigned char *)obj, len,
596 tz_world_pk, tz_world_pk_len,
597 content_pk, &content_pk_len,
598 BL32_CONTENT_CERT_PK_OID);
599 break;
600 case AUTH_BL33_KEY_CERT:
601 ret = check_bl3x_key_cert((unsigned char *)obj, len,
602 ntz_world_pk, ntz_world_pk_len,
603 content_pk, &content_pk_len,
604 BL33_CONTENT_CERT_PK_OID);
605 break;
606 case AUTH_BL30_IMG_CERT:
607 ret = check_bl3x_cert((unsigned char *)obj, len,
608 content_pk, content_pk_len,
609 BL30_HASH_OID, sha_bl30);
610 break;
611 case AUTH_BL31_IMG_CERT:
612 ret = check_bl3x_cert((unsigned char *)obj, len,
613 content_pk, content_pk_len,
614 BL31_HASH_OID, sha_bl31);
615 break;
616 case AUTH_BL32_IMG_CERT:
617 ret = check_bl3x_cert((unsigned char *)obj, len,
618 content_pk, content_pk_len,
619 BL32_HASH_OID, sha_bl32);
620 break;
621 case AUTH_BL33_IMG_CERT:
622 ret = check_bl3x_cert((unsigned char *)obj, len,
623 content_pk, content_pk_len,
624 BL33_HASH_OID, sha_bl33);
625 break;
626 case AUTH_BL30_IMG:
627 ret = check_bl_img((unsigned char *)obj, len, sha_bl30);
628 break;
629 case AUTH_BL31_IMG:
630 ret = check_bl_img((unsigned char *)obj, len, sha_bl31);
631 break;
632 case AUTH_BL32_IMG:
633 ret = check_bl_img((unsigned char *)obj, len, sha_bl32);
634 break;
635 case AUTH_BL33_IMG:
636 ret = check_bl_img((unsigned char *)obj, len, sha_bl33);
637 break;
638#endif /* IMAGE_BL2 */
639 default:
640 ret = -1;
641 break;
642 }
643
644 return ret;
645}
646
647/*
648 * Module initialization function
649 *
650 * Return: 0 = success, Otherwise = error
651 */
652static int polarssl_mod_init(void)
653{
654 /* Initialize the PolarSSL heap */
655 return memory_buffer_alloc_init(heap, POLARSSL_HEAP_SIZE);
656}
657
658const auth_mod_t auth_mod = {
659 .name = "PolarSSL",
660 .init = polarssl_mod_init,
661 .verify = polarssl_mod_verify
662};