boot: Add the support of MBEDTLS version 3.0.0

Signed-off-by: Sherry Zhang <sherry.zhang2@arm.com>
Change-Id: Idd7ce989fe259e9003732e80beaf3dccdedd3050
diff --git a/boot/bootutil/include/bootutil/crypto/common.h b/boot/bootutil/include/bootutil/crypto/common.h
new file mode 100644
index 0000000..e02c4de
--- /dev/null
+++ b/boot/bootutil/include/bootutil/crypto/common.h
@@ -0,0 +1,19 @@
+/*

+ * SPDX-License-Identifier: Apache-2.0

+ *

+ * Copyright (c) 2021 Arm Limited

+ */

+

+#ifndef __BOOTUTIL_CRYPTO_COMMON_H__

+#define __BOOTUTIL_CRYPTO_COMMON_H__

+

+/* TODO May need to update this in a future 3.x version of Mbed TLS.

+ * Extract a member of the mbedtls context structure.

+ */

+#if MBEDTLS_VERSION_NUMBER >= 0x03000000

+#define MBEDTLS_CONTEXT_MEMBER(X) MBEDTLS_PRIVATE(X)

+#else

+#define MBEDTLS_CONTEXT_MEMBER(X) X

+#endif

+

+#endif /* __BOOTUTIL_CRYPTO_COMMON_H__ */
\ No newline at end of file
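Review bot: The `#if MBEDTLS_VERSION_NUMBER >= 0x03000000` test in this new header relies on some earlier include having defined the macro, because common.h includes nothing itself. If a file pulls it in before any Mbed TLS header, the undefined macro evaluates to 0 and the 2.x branch is chosen silently, so the private-field wrapping is skipped without a diagnostic. Adding `#include <mbedtls/version.h>` above the `#if`, as sha256.h does in this same commit, makes the header self-contained. The guard name `__BOOTUTIL_CRYPTO_COMMON_H__` also uses a reserved double-underscore prefix; `BOOTUTIL_CRYPTO_COMMON_H` avoids that.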
diff --git a/boot/bootutil/include/bootutil/crypto/ecdh_p256.h b/boot/bootutil/include/bootutil/crypto/ecdh_p256.h
index b6d16ba..962535c 100644
--- a/boot/bootutil/include/bootutil/crypto/ecdh_p256.h
+++ b/boot/bootutil/include/bootutil/crypto/ecdh_p256.h
@@ -70,6 +70,10 @@
 #if defined(MCUBOOT_USE_MBED_TLS)
 #define NUM_ECC_BYTES 32
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+static int fake_rng(void *p_rng, unsigned char *output, size_t len);
+#endif
+
 typedef struct bootutil_ecdh_p256_context {
     mbedtls_ecp_group grp;
     mbedtls_ecp_point P;
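Review bot: The `static` forward declaration of `fake_rng` added to this header obliges every translation unit that includes it under Mbed TLS 3.x to provide its own definition. The only definition visible in this commit is in encrypted.c, behind a different guard (`MCUBOOT_ENCRYPT_RSA`, or `MCUBOOT_ENCRYPT_EC256` together with `MCUBOOT_USE_MBED_TLS`). Any other includer would get a declared-but-never-defined diagnostic, or fail to build once the ECDH helper is used. Keeping the declaration and the definition together, for example as a `static inline` function in bootutil/crypto/common.h, removes that hidden coupling.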
@@ -122,13 +126,21 @@
 
     mbedtls_mpi_read_binary(&ctx->d, sk, NUM_ECC_BYTES);
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    rc = mbedtls_ecdh_compute_shared(&ctx->grp,
+                                     &ctx->z,
+                                     &ctx->P,
+                                     &ctx->d,
+                                     fake_rng,
+                                     NULL);
+#else
     rc = mbedtls_ecdh_compute_shared(&ctx->grp,
                                      &ctx->z,
                                      &ctx->P,
                                      &ctx->d,
                                      NULL,
                                      NULL);
-
+#endif
     mbedtls_mpi_write_binary(&ctx->z, z, NUM_ECC_BYTES);
 
     return rc;
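Review bot: Passing `fake_rng` as the `f_rng` argument of `mbedtls_ecdh_compute_shared` on the 3.x path makes the blinding values for the multiplication with the private scalar `ctx->d` fully predictable. The side-channel countermeasure that the mandatory RNG parameter is meant to enable is therefore effectively off. The same callback is passed to `mbedtls_rsa_rsaes_oaep_decrypt` in encrypted.c, and its definition there fills the buffer with a fixed byte pattern. If the target has an entropy source the callback should draw from it; otherwise the trade-off deserves a comment at the call, e.g. `/* No entropy source in the bootloader: blinding is deterministic and gives no side-channel protection. */`. The enclosing function starts and ends outside this hunk.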
diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h b/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h
index fa26ffd..6b5b315 100644
--- a/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h
+++ b/boot/bootutil/include/bootutil/crypto/ecdsa_p256.h
@@ -31,6 +31,7 @@
 
 #if defined(MCUBOOT_USE_MBED_TLS)
     #include <mbedtls/ecdsa.h>
+    #include "bootutil/crypto/common.h"
     #define BOOTUTIL_CRYPTO_ECDSA_P256_HASH_SIZE (4 * 8)
 #endif
 
@@ -132,17 +133,17 @@
     (void)sig;
     (void)hash;
 
-    rc = mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP256R1);
+    rc = mbedtls_ecp_group_load(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), MBEDTLS_ECP_DP_SECP256R1);
     if (rc) {
         return -1;
     }
 
-    rc = mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, pk, pk_len);
+    rc = mbedtls_ecp_point_read_binary(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q), pk, pk_len);
     if (rc) {
         return -1;
     }
 
-    rc = mbedtls_ecp_check_pubkey(&ctx->grp, &ctx->Q);
+    rc = mbedtls_ecp_check_pubkey(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q));
     if (rc) {
         return -1;
     }
diff --git a/boot/bootutil/include/bootutil/crypto/hmac_sha256.h b/boot/bootutil/include/bootutil/crypto/hmac_sha256.h
index 49d372a..e684018 100644
--- a/boot/bootutil/include/bootutil/crypto/hmac_sha256.h
+++ b/boot/bootutil/include/bootutil/crypto/hmac_sha256.h
@@ -22,7 +22,6 @@
     #include <stddef.h>
     #include <mbedtls/cmac.h>
     #include <mbedtls/md.h>
-    #include <mbedtls/md_internal.h>
 #endif /* MCUBOOT_USE_MBED_TLS */
 
 #if defined(MCUBOOT_USE_TINYCRYPT)
diff --git a/boot/bootutil/include/bootutil/crypto/sha256.h b/boot/bootutil/include/bootutil/crypto/sha256.h
index 00c3218..b45cd63 100644
--- a/boot/bootutil/include/bootutil/crypto/sha256.h
+++ b/boot/bootutil/include/bootutil/crypto/sha256.h
@@ -3,6 +3,7 @@
  *
  * Copyright (c) 2017-2019 Linaro LTD
  * Copyright (c) 2017-2019 JUUL Labs
+ * Copyright (c) 2021 Arm Limited
  */
 
 /*
@@ -27,6 +28,10 @@
 
 #if defined(MCUBOOT_USE_MBED_TLS)
     #include <mbedtls/sha256.h>
+    #include <mbedtls/version.h>
+    #if MBEDTLS_VERSION_NUMBER >= 0x03000000
+        #include <mbedtls/compat-2.x.h>
+    #endif
     #define BOOTUTIL_CRYPTO_SHA256_BLOCK_SIZE (64)
     #define BOOTUTIL_CRYPTO_SHA256_DIGEST_SIZE (32)
 #endif /* MCUBOOT_USE_MBED_TLS */
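Review bot: Including `<mbedtls/compat-2.x.h>` on the 3.x path keeps the SHA-256 wrappers on the 2.x function names through a transitional header. As far as I know Mbed TLS marks that header as deprecated, so it may disappear in a later 3.x release. The wrappers themselves are outside this hunk, so which names they call cannot be checked here. Selecting the 3.x names under the same version test would be more durable. Failing that, a comment should record the intent: `/* compat-2.x.h maps the 2.x names used below; drop once the wrappers call the 3.x API directly */`.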
diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c
index 2ea1bef..fdd9852 100644
--- a/boot/bootutil/src/encrypted.c
+++ b/boot/bootutil/src/encrypted.c
@@ -14,7 +14,11 @@
 
 #if defined(MCUBOOT_ENCRYPT_RSA)
 #include "mbedtls/rsa.h"
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#include "rsa_alt_helpers.h"
+#else
 #include "mbedtls/rsa_internal.h"
+#endif
 #include "mbedtls/asn1.h"
 #endif
 
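Review bot: `rsa_alt_helpers.h` is included by bare name rather than from the `mbedtls/` directory, which suggests it is not part of the installed public headers. As far as I know it lives in the library's internal source tree in 3.x, so the build has to add that directory to the include path, and the code depends on an interface with no compatibility promise. The only helper from it that is visible in this commit appears to be `mbedtls_rsa_deduce_crt` in a later hunk. A comment at the include would make the dependency explicit, e.g. `/* internal Mbed TLS header, needed for mbedtls_rsa_deduce_crt(); requires the library source dir on the include path */`.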
@@ -40,6 +44,7 @@
 #include "bootutil/image.h"
 #include "bootutil/enc_key.h"
 #include "bootutil/sign_key.h"
+#include "bootutil/crypto/common.h"
 
 #include "bootutil_priv.h"
 
@@ -105,16 +110,16 @@
 
     /* Non-optional fields. */
     if ( /* version */
-        mbedtls_asn1_get_int(p, end, &ctx->ver) != 0 ||
+        mbedtls_asn1_get_int(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(ver)) != 0 ||
          /* public modulus */
-        mbedtls_asn1_get_mpi(p, end, &ctx->N) != 0 ||
+        mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(N)) != 0 ||
          /* public exponent */
-        mbedtls_asn1_get_mpi(p, end, &ctx->E) != 0 ||
+        mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(E)) != 0 ||
          /* private exponent */
-        mbedtls_asn1_get_mpi(p, end, &ctx->D) != 0 ||
+        mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(D)) != 0 ||
          /* primes */
-        mbedtls_asn1_get_mpi(p, end, &ctx->P) != 0 ||
-        mbedtls_asn1_get_mpi(p, end, &ctx->Q) != 0) {
+        mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(P)) != 0 ||
+        mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(Q)) != 0) {
 
         return -3;
     }
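Review bot: The private-key parser writes directly into private fields of `mbedtls_rsa_context` through `MBEDTLS_CONTEXT_MEMBER`: `ver`, `N`, `E`, `D`, `P`, `Q` in this condition, and `DP`, `DQ`, `QP` and `len` in the next hunk. Mbed TLS 3.x gives no layout guarantee for those fields, and the TODO in common.h already anticipates breakage. image_rsa.c in this commit already calls the public `mbedtls_rsa_import`. Parsing into local `mbedtls_mpi` values and handing them over with `mbedtls_rsa_import(ctx, &n, &p, &q, &d, &e)` followed by `mbedtls_rsa_complete(ctx)` would remove the dependency on the struct layout. The CRT values would then presumably be derived by the library instead of read from the key, which should be checked before changing it. The enclosing function starts and ends outside the hunk.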
@@ -127,22 +132,26 @@
      */
     if (*p < end) {
         if ( /* d mod (p-1) and d mod (q-1) */
-            mbedtls_asn1_get_mpi(p, end, &ctx->DP) != 0 ||
-            mbedtls_asn1_get_mpi(p, end, &ctx->DQ) != 0 ||
+            mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(DP)) != 0 ||
+            mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(DQ)) != 0 ||
              /* q ^ (-1) mod p */
-            mbedtls_asn1_get_mpi(p, end, &ctx->QP) != 0) {
+            mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(QP)) != 0) {
 
             return -4;
         }
     } else {
-        if (mbedtls_rsa_deduce_crt(&ctx->P, &ctx->Q, &ctx->D,
-                    &ctx->DP, &ctx->DQ, &ctx->QP) != 0) {
+        if (mbedtls_rsa_deduce_crt(&ctx->MBEDTLS_CONTEXT_MEMBER(P),
+                                   &ctx->MBEDTLS_CONTEXT_MEMBER(Q),
+                                   &ctx->MBEDTLS_CONTEXT_MEMBER(D),
+                                   &ctx->MBEDTLS_CONTEXT_MEMBER(DP),
+                                   &ctx->MBEDTLS_CONTEXT_MEMBER(DQ),
+                                   &ctx->MBEDTLS_CONTEXT_MEMBER(QP)) != 0) {
             return -5;
         }
     }
 #endif
 
-    ctx->len = mbedtls_mpi_size(&ctx->N);
+    ctx->MBEDTLS_CONTEXT_MEMBER(len) = mbedtls_mpi_size(&ctx->MBEDTLS_CONTEXT_MEMBER(N));
 
     if (mbedtls_rsa_check_privkey(ctx) != 0) {
         return -6;
@@ -190,12 +199,12 @@
         return -5;
     }
 
-    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
-        memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+    if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
+        memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
         return -6;
     }
-    if (param.len != sizeof(ec_secp256r1_oid) - 1 ||
-        memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
+    if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 ||
+        memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
         return -7;
     }
 
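Review bot: `alg` and `param` look like ASN.1 buffer descriptors rather than crypto contexts (the `mbedtls_asn1_get_alg` call that fills them is visible in image_ec256.c), yet their `len` and `p` fields are accessed through `MBEDTLS_CONTEXT_MEMBER`. As far as I know later 3.x releases make these buffer fields public again; `MBEDTLS_PRIVATE(len)` would then no longer name a member and the OID checks would stop compiling. The same pattern is in the next hunk of this file and in image_ec256.c and image_ed25519.c. A separate, narrowly scoped accessor for ASN.1 buffers would help. At minimum the macro in common.h should carry a comment such as `/* also used for mbedtls_asn1_buf fields; revisit when those become public */`, so the version range can be adjusted in one place.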
@@ -267,8 +276,8 @@
         return -4;
     }
 
-    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
-        memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+    if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
+        memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
         return -5;
     }
 
@@ -451,6 +460,24 @@
         "Please fix ECIES-X25519 component indexes");
 #endif
 
+#if defined(MCUBOOT_ENCRYPT_RSA) || \
+    (defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS))
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+static int fake_rng(void *p_rng, unsigned char *output, size_t len)
+{
+    size_t i;
+
+    (void)p_rng;
+    for (i = 0; i < len; i++) {
+        output[i] = (char)i;
+    }
+
+    return 0;
+}
+#endif
+#endif /* defined(MCUBOOT_ENCRYPT_RSA) ||
+          defined(MCUBOOT_ENCRYPT_EC256) && defined(MCUBOOT_USE_MBED_TLS) */
+
 /*
  * Decrypt an encryption key TLV.
  *
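Review bot: `fake_rng` has no comment stating that it is a deterministic stand-in, so a later caller could mistake it for a usable random source. I would add above the definition: `/* Deterministic filler that only satisfies the mandatory f_rng parameter of Mbed TLS 3.x; it provides no randomness and must not be used for key generation, nonces or padding. */`. The store `output[i] = (char)i;` casts to plain `char` before writing into an `unsigned char` buffer; `(unsigned char)i` states the intended wrap-around without depending on the signedness of `char`. The trailing `#endif` comment also drops the parentheses of the condition it closes, which makes the `||`/`&&` grouping read differently from the `#if`.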
@@ -488,8 +515,12 @@
 
 #if defined(MCUBOOT_ENCRYPT_RSA)
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    mbedtls_rsa_init(&rsa);
+    mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
+#else
     mbedtls_rsa_init(&rsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);
-
+#endif
     cp = (uint8_t *)bootutil_enc_key.key;
     cpend = cp + *bootutil_enc_key.len;
 
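Review bot: The result of `mbedtls_rsa_set_padding` is ignored on the 3.x path. As I understand the 3.0 API, that function returns an error code when the padding mode or hash is not available, whereas the 2.x `mbedtls_rsa_init` call it replaces could not fail. I would write `rc = mbedtls_rsa_set_padding(&rsa, MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256);` followed by `if (rc) { mbedtls_rsa_free(&rsa); return rc; }`, matching the error path visible in the next hunk. That makes a misconfigured build fail at the point of the mistake instead of at the later decrypt call. The enclosing function starts and ends outside the hunk, so the declaration of `rc` is assumed from its use nearby.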
@@ -498,9 +529,13 @@
         mbedtls_rsa_free(&rsa);
         return rc;
     }
-
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    rc = mbedtls_rsa_rsaes_oaep_decrypt(&rsa, fake_rng, NULL,
+            NULL, 0, &olen, buf, enckey, BOOT_ENC_KEY_SIZE);
+#else
     rc = mbedtls_rsa_rsaes_oaep_decrypt(&rsa, NULL, NULL, MBEDTLS_RSA_PRIVATE,
             NULL, 0, &olen, buf, enckey, BOOT_ENC_KEY_SIZE);
+#endif
     mbedtls_rsa_free(&rsa);
 
 #endif /* defined(MCUBOOT_ENCRYPT_RSA) */
diff --git a/boot/bootutil/src/image_ec.c b/boot/bootutil/src/image_ec.c
index a127b74..2d92afb 100644
--- a/boot/bootutil/src/image_ec.c
+++ b/boot/bootutil/src/image_ec.c
@@ -2,6 +2,7 @@
  * SPDX-License-Identifier: Apache-2.0
  *
  * Copyright (c) 2016-2018 JUUL Labs
+ * Copyright (C) 2021 Arm Limited
  *
  * Original license:
  *
@@ -34,6 +35,7 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/asn1.h"
 
+#include "bootutil/crypto/common.h"
 #include "bootutil_priv.h"
 
 /*
@@ -70,7 +72,7 @@
         return -4;
     }
 
-    if (mbedtls_ecp_group_load(&ctx->grp, MBEDTLS_ECP_DP_SECP224R1)) {
+    if (mbedtls_ecp_group_load(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), MBEDTLS_ECP_DP_SECP224R1)) {
         return -5;
     }
 
@@ -81,11 +83,11 @@
         return -7;
     }
 
-    if (mbedtls_ecp_point_read_binary(&ctx->grp, &ctx->Q, *p, end - *p)) {
+    if (mbedtls_ecp_point_read_binary(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q), *p, end - *p)) {
         return -8;
     }
 
-    if (mbedtls_ecp_check_pubkey(&ctx->grp, &ctx->Q)) {
+    if (mbedtls_ecp_check_pubkey(&ctx->MBEDTLS_CONTEXT_MEMBER(grp), &ctx->MBEDTLS_CONTEXT_MEMBER(Q))) {
         return -9;
     }
     return 0;
diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c
index 5d73c9f..196d593 100644
--- a/boot/bootutil/src/image_ec256.c
+++ b/boot/bootutil/src/image_ec256.c
@@ -3,6 +3,7 @@
  *
  * Copyright (c) 2016-2019 JUUL Labs
  * Copyright (c) 2017 Linaro LTD
+ * Copyright (C) 2021 Arm Limited
  *
  * Original license:
  *
@@ -40,6 +41,7 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/asn1.h"
 #include "bootutil/crypto/ecdsa_p256.h"
+#include "bootutil/crypto/common.h"
 #include "bootutil_priv.h"
 
 /*
@@ -68,12 +70,12 @@
     if (mbedtls_asn1_get_alg(p, end, &alg, &param)) {
         return -2;
     }
-    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
-      memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+    if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
+      memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
         return -3;
     }
-    if (param.len != sizeof(ec_secp256r1_oid) - 1||
-      memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
+    if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1||
+      memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
         return -4;
     }
 
@@ -116,13 +118,13 @@
         return -2;
     }
     /* id-ecPublicKey (RFC5480) */
-    if (alg.len != sizeof(ec_pubkey_oid) - 1 ||
-        memcmp(alg.p, ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
+    if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 ||
+        memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) {
         return -3;
     }
     /* namedCurve (RFC5480) */
-    if (param.len != sizeof(ec_secp256r1_oid) - 1 ||
-        memcmp(param.p, ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
+    if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 ||
+        memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) {
         return -4;
     }
     /* ECPoint (RFC5480) */
diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c
index 940c18d..b5838c4 100644
--- a/boot/bootutil/src/image_ed25519.c
+++ b/boot/bootutil/src/image_ed25519.c
@@ -2,6 +2,7 @@
  * SPDX-License-Identifier: Apache-2.0
  *
  * Copyright (c) 2019 JUUL Labs
+ * Copyright (c) 2021 Arm Limited
  */
 
 #include <string.h>
@@ -15,6 +16,7 @@
 #include "mbedtls/asn1.h"
 
 #include "bootutil_priv.h"
+#include "bootutil/crypto/common.h"
 
 static const uint8_t ed25519_pubkey_oid[] = MBEDTLS_OID_ISO_IDENTIFIED_ORG "\x65\x70";
 #define NUM_ED25519_BYTES 32
@@ -43,8 +45,8 @@
         return -2;
     }
 
-    if (alg.len != sizeof(ed25519_pubkey_oid) - 1 ||
-        memcmp(alg.p, ed25519_pubkey_oid, sizeof(ed25519_pubkey_oid) - 1)) {
+    if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ed25519_pubkey_oid) - 1 ||
+        memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ed25519_pubkey_oid, sizeof(ed25519_pubkey_oid) - 1)) {
         return -3;
     }
 
diff --git a/boot/bootutil/src/image_rsa.c b/boot/bootutil/src/image_rsa.c
index 1a1727e..42d2db7 100644
--- a/boot/bootutil/src/image_rsa.c
+++ b/boot/bootutil/src/image_rsa.c
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2017-2018 Linaro LTD
  * Copyright (c) 2017-2019 JUUL Labs
- * Copyright (c) 2020 Arm Limited
+ * Copyright (c) 2020-2021 Arm Limited
  *
  * Original license:
  *
@@ -32,6 +32,7 @@
 #ifdef MCUBOOT_SIGN_RSA
 #include "bootutil/sign_key.h"
 #include "bootutil/crypto/sha256.h"
+#include "bootutil/crypto/common.h"
 
 #include "mbedtls/rsa.h"
 #include "mbedtls/asn1.h"
@@ -88,12 +89,12 @@
         return -2;
     }
 
-    if ((rc = mbedtls_asn1_get_mpi(p, end, &ctx->N)) != 0 ||
-      (rc = mbedtls_asn1_get_mpi(p, end, &ctx->E)) != 0) {
+    if ((rc = mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(N))) != 0 ||
+        (rc = mbedtls_asn1_get_mpi(p, end, &ctx->MBEDTLS_CONTEXT_MEMBER(E))) != 0) {
         return -3;
     }
 
-    ctx->len = mbedtls_mpi_size(&ctx->N);
+    ctx->MBEDTLS_CONTEXT_MEMBER(len) = mbedtls_mpi_size(&ctx->MBEDTLS_CONTEXT_MEMBER(N));
 
     if (*p != end) {
         return -4;
@@ -101,7 +102,8 @@
 
     /* The mbedtls version is more than 2.6.1 */
 #if MBEDTLS_VERSION_NUMBER > 0x02060100
-    rc = mbedtls_rsa_import(ctx, &ctx->N, NULL, NULL, NULL, &ctx->E);
+    rc = mbedtls_rsa_import(ctx, &ctx->MBEDTLS_CONTEXT_MEMBER(N), NULL,
+                            NULL, NULL, &ctx->MBEDTLS_CONTEXT_MEMBER(E));
     if (rc != 0) {
         return -5;
     }
@@ -112,7 +114,7 @@
         return -6;
     }
 
-    ctx->len = mbedtls_mpi_size(&ctx->N);
+    ctx->MBEDTLS_CONTEXT_MEMBER(len) = mbedtls_mpi_size(&ctx->MBEDTLS_CONTEXT_MEMBER(N));
 
     return 0;
 }
@@ -171,7 +173,8 @@
     int rc = 0;
     fih_int fih_rc = FIH_FAILURE;
 
-    if (ctx->len != PSS_EMLEN || PSS_EMLEN > MBEDTLS_MPI_MAX_SIZE) {
+    if (ctx->MBEDTLS_CONTEXT_MEMBER(len) != PSS_EMLEN ||
+        PSS_EMLEN > MBEDTLS_MPI_MAX_SIZE) {
         rc = -1;
         goto out;
     }
@@ -296,13 +299,17 @@
     uint8_t *cp;
     uint8_t *end;
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    mbedtls_rsa_init(&ctx);
+#else
     mbedtls_rsa_init(&ctx, 0, 0);
+#endif
 
     cp = (uint8_t *)bootutil_keys[key_id].key;
     end = cp + *bootutil_keys[key_id].len;
 
     rc = bootutil_parse_rsakey(&ctx, &cp, end);
-    if (rc || slen != ctx.len) {
+    if (rc || slen != ctx.MBEDTLS_CONTEXT_MEMBER(len)) {
         mbedtls_rsa_free(&ctx);
         goto out;
     }