1 /* 2 * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <stddef.h> 9 #include <string.h> 10 11 /* mbed TLS headers */ 12 #include <mbedtls/gcm.h> 13 #include <mbedtls/md.h> 14 #include <mbedtls/memory_buffer_alloc.h> 15 #include <mbedtls/oid.h> 16 #include <mbedtls/platform.h> 17 #include <mbedtls/version.h> 18 #include <mbedtls/x509.h> 19 20 #include <common/debug.h> 21 #include <drivers/auth/crypto_mod.h> 22 #include <drivers/auth/mbedtls/mbedtls_common.h> 23 24 #include <plat/common/platform.h> 25 26 #define LIB_NAME "mbed TLS" 27 28 #if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ 29 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC 30 /* 31 * CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available 32 * so make sure that mbed TLS MD maximum size must be lesser than this. 33 */ 34 CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE, 35 assert_mbedtls_md_size_overflow); 36 37 #endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ 38 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ 39 40 /* 41 * AlgorithmIdentifier ::= SEQUENCE { 42 * algorithm OBJECT IDENTIFIER, 43 * parameters ANY DEFINED BY algorithm OPTIONAL 44 * } 45 * 46 * SubjectPublicKeyInfo ::= SEQUENCE { 47 * algorithm AlgorithmIdentifier, 48 * subjectPublicKey BIT STRING 49 * } 50 * 51 * DigestInfo ::= SEQUENCE { 52 * digestAlgorithm AlgorithmIdentifier, 53 * digest OCTET STRING 54 * } 55 */ 56 57 /* 58 * Initialize the library and export the descriptor 59 */ 60 static void init(void) 61 { 62 /* Initialize mbed TLS */ 63 mbedtls_init(); 64 } 65 66 #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ 67 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC 68 /* 69 * Verify a signature. 70 * 71 * Parameters are passed using the DER encoding format following the ASN.1 72 * structures detailed above. 73 */ 74 static int verify_signature(void *data_ptr, unsigned int data_len, 75 void *sig_ptr, unsigned int sig_len, 76 void *sig_alg, unsigned int sig_alg_len, 77 void *pk_ptr, unsigned int pk_len) 78 { 79 mbedtls_asn1_buf sig_oid, sig_params; 80 mbedtls_asn1_buf signature; 81 mbedtls_md_type_t md_alg; 82 mbedtls_pk_type_t pk_alg; 83 mbedtls_pk_context pk = {0}; 84 int rc; 85 void *sig_opts = NULL; 86 const mbedtls_md_info_t *md_info; 87 unsigned char *p, *end; 88 unsigned char hash[MBEDTLS_MD_MAX_SIZE]; 89 90 /* Get pointers to signature OID and parameters */ 91 p = (unsigned char *)sig_alg; 92 end = (unsigned char *)(p + sig_alg_len); 93 rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params); 94 if (rc != 0) { 95 return CRYPTO_ERR_SIGNATURE; 96 } 97 98 /* Get the actual signature algorithm (MD + PK) */ 99 rc = mbedtls_x509_get_sig_alg(&sig_oid, &sig_params, &md_alg, &pk_alg, &sig_opts); 100 if (rc != 0) { 101 return CRYPTO_ERR_SIGNATURE; 102 } 103 104 /* Parse the public key */ 105 mbedtls_pk_init(&pk); 106 p = (unsigned char *)pk_ptr; 107 end = (unsigned char *)(p + pk_len); 108 rc = mbedtls_pk_parse_subpubkey(&p, end, &pk); 109 if (rc != 0) { 110 rc = CRYPTO_ERR_SIGNATURE; 111 goto end2; 112 } 113 114 /* Get the signature (bitstring) */ 115 p = (unsigned char *)sig_ptr; 116 end = (unsigned char *)(p + sig_len); 117 signature.tag = *p; 118 rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len); 119 if ((rc != 0) || ((size_t)(end - p) != signature.len)) { 120 rc = CRYPTO_ERR_SIGNATURE; 121 goto end1; 122 } 123 signature.p = p; 124 125 /* Calculate the hash of the data */ 126 md_info = mbedtls_md_info_from_type(md_alg); 127 if (md_info == NULL) { 128 rc = CRYPTO_ERR_SIGNATURE; 129 goto end1; 130 } 131 p = (unsigned char *)data_ptr; 132 rc = mbedtls_md(md_info, p, data_len, hash); 133 if (rc != 0) { 134 rc = CRYPTO_ERR_SIGNATURE; 135 goto end1; 136 } 137 138 /* Verify the signature */ 139 rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash, 140 mbedtls_md_get_size(md_info), 141 signature.p, signature.len); 142 if (rc != 0) { 143 rc = CRYPTO_ERR_SIGNATURE; 144 goto end1; 145 } 146 147 /* Signature verification success */ 148 rc = CRYPTO_SUCCESS; 149 150 end1: 151 mbedtls_pk_free(&pk); 152 end2: 153 mbedtls_free(sig_opts); 154 return rc; 155 } 156 157 /* 158 * Match a hash 159 * 160 * Digest info is passed in DER format following the ASN.1 structure detailed 161 * above. 162 */ 163 static int verify_hash(void *data_ptr, unsigned int data_len, 164 void *digest_info_ptr, unsigned int digest_info_len) 165 { 166 mbedtls_asn1_buf hash_oid, params; 167 mbedtls_md_type_t md_alg; 168 const mbedtls_md_info_t *md_info; 169 unsigned char *p, *end, *hash; 170 unsigned char data_hash[MBEDTLS_MD_MAX_SIZE]; 171 size_t len; 172 int rc; 173 174 /* 175 * Digest info should be an MBEDTLS_ASN1_SEQUENCE 176 * and consume all bytes. 177 */ 178 p = (unsigned char *)digest_info_ptr; 179 end = p + digest_info_len; 180 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 181 MBEDTLS_ASN1_SEQUENCE); 182 if (rc != 0 || ((size_t)(end - p) != len)) { 183 return CRYPTO_ERR_HASH; 184 } 185 186 /* Get the hash algorithm */ 187 rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); 188 if (rc != 0) { 189 return CRYPTO_ERR_HASH; 190 } 191 192 rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg); 193 if (rc != 0) { 194 return CRYPTO_ERR_HASH; 195 } 196 197 md_info = mbedtls_md_info_from_type(md_alg); 198 if (md_info == NULL) { 199 return CRYPTO_ERR_HASH; 200 } 201 202 /* Hash should be octet string type and consume all bytes */ 203 rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); 204 if ((rc != 0) || ((size_t)(end - p) != len)) { 205 return CRYPTO_ERR_HASH; 206 } 207 208 /* Length of hash must match the algorithm's size */ 209 if (len != mbedtls_md_get_size(md_info)) { 210 return CRYPTO_ERR_HASH; 211 } 212 hash = p; 213 214 /* Calculate the hash of the data */ 215 p = (unsigned char *)data_ptr; 216 rc = mbedtls_md(md_info, p, data_len, data_hash); 217 if (rc != 0) { 218 return CRYPTO_ERR_HASH; 219 } 220 221 /* Compare values */ 222 rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info)); 223 if (rc != 0) { 224 return CRYPTO_ERR_HASH; 225 } 226 227 return CRYPTO_SUCCESS; 228 } 229 #endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ 230 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ 231 232 #if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ 233 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC 234 /* 235 * Map a generic crypto message digest algorithm to the corresponding macro used 236 * by Mbed TLS. 237 */ 238 static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo) 239 { 240 switch (algo) { 241 case CRYPTO_MD_SHA512: 242 return MBEDTLS_MD_SHA512; 243 case CRYPTO_MD_SHA384: 244 return MBEDTLS_MD_SHA384; 245 case CRYPTO_MD_SHA256: 246 return MBEDTLS_MD_SHA256; 247 default: 248 /* Invalid hash algorithm. */ 249 return MBEDTLS_MD_NONE; 250 } 251 } 252 253 /* 254 * Calculate a hash 255 * 256 * output points to the computed hash 257 */ 258 static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr, 259 unsigned int data_len, 260 unsigned char output[CRYPTO_MD_MAX_SIZE]) 261 { 262 const mbedtls_md_info_t *md_info; 263 264 md_info = mbedtls_md_info_from_type(md_type(md_algo)); 265 if (md_info == NULL) { 266 return CRYPTO_ERR_HASH; 267 } 268 269 /* 270 * Calculate the hash of the data, it is safe to pass the 271 * 'output' hash buffer pointer considering its size is always 272 * bigger than or equal to MBEDTLS_MD_MAX_SIZE. 273 */ 274 return mbedtls_md(md_info, data_ptr, data_len, output); 275 } 276 #endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ 277 CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ 278 279 #if TF_MBEDTLS_USE_AES_GCM 280 /* 281 * Stack based buffer allocation for decryption operation. It could 282 * be configured to balance stack usage vs execution speed. 283 */ 284 #define DEC_OP_BUF_SIZE 128 285 286 static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key, 287 unsigned int key_len, const void *iv, 288 unsigned int iv_len, const void *tag, 289 unsigned int tag_len) 290 { 291 mbedtls_gcm_context ctx; 292 mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES; 293 unsigned char buf[DEC_OP_BUF_SIZE]; 294 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE]; 295 unsigned char *pt = data_ptr; 296 size_t dec_len; 297 int diff, i, rc; 298 size_t output_length __unused; 299 300 mbedtls_gcm_init(&ctx); 301 302 rc = mbedtls_gcm_setkey(&ctx, cipher, key, key_len * 8); 303 if (rc != 0) { 304 rc = CRYPTO_ERR_DECRYPTION; 305 goto exit_gcm; 306 } 307 308 #if (MBEDTLS_VERSION_MAJOR < 3) 309 rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len, NULL, 0); 310 #else 311 rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len); 312 #endif 313 if (rc != 0) { 314 rc = CRYPTO_ERR_DECRYPTION; 315 goto exit_gcm; 316 } 317 318 while (len > 0) { 319 dec_len = MIN(sizeof(buf), len); 320 321 #if (MBEDTLS_VERSION_MAJOR < 3) 322 rc = mbedtls_gcm_update(&ctx, dec_len, pt, buf); 323 #else 324 rc = mbedtls_gcm_update(&ctx, pt, dec_len, buf, sizeof(buf), &output_length); 325 #endif 326 327 if (rc != 0) { 328 rc = CRYPTO_ERR_DECRYPTION; 329 goto exit_gcm; 330 } 331 332 memcpy(pt, buf, dec_len); 333 pt += dec_len; 334 len -= dec_len; 335 } 336 337 #if (MBEDTLS_VERSION_MAJOR < 3) 338 rc = mbedtls_gcm_finish(&ctx, tag_buf, sizeof(tag_buf)); 339 #else 340 rc = mbedtls_gcm_finish(&ctx, NULL, 0, &output_length, tag_buf, sizeof(tag_buf)); 341 #endif 342 343 if (rc != 0) { 344 rc = CRYPTO_ERR_DECRYPTION; 345 goto exit_gcm; 346 } 347 348 /* Check tag in "constant-time" */ 349 for (diff = 0, i = 0; i < tag_len; i++) 350 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i]; 351 352 if (diff != 0) { 353 rc = CRYPTO_ERR_DECRYPTION; 354 goto exit_gcm; 355 } 356 357 /* GCM decryption success */ 358 rc = CRYPTO_SUCCESS; 359 360 exit_gcm: 361 mbedtls_gcm_free(&ctx); 362 return rc; 363 } 364 365 /* 366 * Authenticated decryption of an image 367 */ 368 static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, 369 size_t len, const void *key, unsigned int key_len, 370 unsigned int key_flags, const void *iv, 371 unsigned int iv_len, const void *tag, 372 unsigned int tag_len) 373 { 374 int rc; 375 376 assert((key_flags & ENC_KEY_IS_IDENTIFIER) == 0); 377 378 switch (dec_algo) { 379 case CRYPTO_GCM_DECRYPT: 380 rc = aes_gcm_decrypt(data_ptr, len, key, key_len, iv, iv_len, 381 tag, tag_len); 382 if (rc != 0) 383 return rc; 384 break; 385 default: 386 return CRYPTO_ERR_DECRYPTION; 387 } 388 389 return CRYPTO_SUCCESS; 390 } 391 #endif /* TF_MBEDTLS_USE_AES_GCM */ 392 393 /* 394 * Register crypto library descriptor 395 */ 396 #if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC 397 #if TF_MBEDTLS_USE_AES_GCM 398 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash, 399 auth_decrypt); 400 #else 401 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash, 402 NULL); 403 #endif 404 #elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY 405 #if TF_MBEDTLS_USE_AES_GCM 406 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, 407 auth_decrypt); 408 #else 409 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL); 410 #endif 411 #elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY 412 REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash); 413 #endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ 414