diff --git a/app/kit_host/ascii_kit_host.c b/app/kit_host/ascii_kit_host.c index 1d2d6eabf..2b13b3679 100644 --- a/app/kit_host/ascii_kit_host.c +++ b/app/kit_host/ascii_kit_host.c @@ -342,8 +342,8 @@ static ATCA_STATUS kit_host_ca_select(ascii_kit_host_context_t* ctx, int argc, c #if ATCA_CA_SUPPORT static kit_host_map_entry_t kit_host_ca_physical_map[] = { - { "select", kit_host_ca_select }, - { NULL, NULL } + { "select", kit_host_ca_select }, + { NULL, NULL } }; static ATCA_STATUS kit_host_ca_physical(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) @@ -353,12 +353,12 @@ static ATCA_STATUS kit_host_ca_physical(ascii_kit_host_context_t* ctx, int argc, /* Cryptoauth Device commands */ static kit_host_map_entry_t kit_host_ca_map[] = { - { "wake", kit_host_ca_wake }, - { "idle", kit_host_ca_idle }, - { "sleep", kit_host_ca_sleep }, - { "talk", kit_host_ca_talk }, - { "physical", kit_host_ca_physical }, - { NULL, NULL } + { "wake", kit_host_ca_wake }, + { "idle", kit_host_ca_idle }, + { "sleep", kit_host_ca_sleep }, + { "talk", kit_host_ca_talk }, + { "physical", kit_host_ca_physical }, + { NULL, NULL } }; static ATCA_STATUS kit_host_process_ca(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) 
@@ -392,17 +392,18 @@ static ATCA_STATUS kit_host_ta_talk(ascii_kit_host_context_t* ctx, int argc, cha if (ctx && argc && response && rlen) { - ATCA_TA_CmdPacket* packet = (ATCA_TA_CmdPacket*)ctx->buffer; + cal_buffer* packet = talib_packet_alloc(); - if (packet) + if (NULL != packet) { size_t plen = sizeof(ctx->buffer) - 2; + packet->buf = ctx->buffer; - atcab_hex2bin(argv[0], strlen(argv[0]), (uint8_t*)&packet->length, &plen); + atcab_hex2bin(argv[0], strlen(argv[0]), packet->buf, &plen); if (ATCA_SUCCESS == (status = talib_execute_command_raw(packet, ctx->device))) { - ATCA_TA_RspPacket * resp = (ATCA_TA_RspPacket*)packet; - *rlen = kit_host_format_response(response, *rlen, status, resp->data, resp->resp_code); + + *rlen = kit_host_format_response(response, *rlen, status, &packet->buf[PKT_CAL_BUF_DATA_IDX], packet->buf[2]); } else { @@ -477,7 +478,7 @@ static ATCA_STATUS kit_host_ta_receive(ascii_kit_host_context_t* ctx, int argc, status = ATCA_SMALL_BUFFER; break; } - if (read_length < (3 + length_size)) //status(1) and CRC(2) size are same for CA and TA, length is variable. + if (read_length < (3 + length_size)) //status(1) and CRC(2) size are same for CA and TA, length is variable. { status = ATCA_RX_FAIL; break; @@ -513,8 +514,7 @@ static ATCA_STATUS kit_host_ta_receive(ascii_kit_host_context_t* ctx, int argc, } (void)atcontrol(&ctx->device->mIface, ATCA_HAL_CONTROL_DESELECT, NULL, 0); - } - while (0); + } while (0); if (ATCA_SUCCESS == status) { *rlen = kit_host_format_response(ctx->buffer, sizeof(ctx->buffer), status, &ctx->buffer[sizeof(ctx->buffer) / 2], read_length + length_size); 
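Review bot: In kit_host_ta_talk the return value of `atcab_hex2bin()` is still discarded, so a malformed hex argument from the host leaves `packet->buf` holding whatever was already in `ctx->buffer`, and that stale content is then handed to `talib_execute_command_raw()`; gate the execute on the conversion, e.g. `if (ATCA_SUCCESS == (status = atcab_hex2bin(argv[0], strlen(argv[0]), packet->buf, &plen)))`. The response path passes `packet->buf[2]` as the final argument of `kit_host_format_response()`, which in kit_host_ta_receive appears to be a byte count (`read_length + length_size`); a named constant instead of the literal `2`, plus a check that the value fits the data behind `PKT_CAL_BUF_DATA_IDX`, would make that bound explicit. `packet` now comes from `talib_packet_alloc()` and its `buf` member is reassigned to `ctx->buffer`. The hunk shows no matching release and the function continues outside it, so confirm that one exists there and that the reassignment does not orphan a buffer the allocator provided.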
@@ -528,8 +528,8 @@ static ATCA_STATUS kit_host_ta_receive(ascii_kit_host_context_t* ctx, int argc, } static kit_host_map_entry_t kit_host_ta_physical_map[] = { - { "select", kit_host_ca_select }, /* Selection logic is the same */ - { NULL, NULL } + { "select", kit_host_ca_select }, /* Selection logic is the same */ + { NULL, NULL } }; static ATCA_STATUS kit_host_ta_physical(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) @@ -538,14 +538,14 @@ static ATCA_STATUS kit_host_ta_physical(ascii_kit_host_context_t* ctx, int argc, } static kit_host_map_entry_t kit_host_ta_map[] = { - { "wake", kit_host_ta_wake }, - { "idle", kit_host_ta_idle }, - { "sleep", kit_host_ta_sleep }, - { "talk", kit_host_ta_talk }, - { "send", kit_host_ta_send }, - { "receive", kit_host_ta_receive }, - { "physical", kit_host_ta_physical }, - { NULL, NULL } + { "wake", kit_host_ta_wake }, + { "idle", kit_host_ta_idle }, + { "sleep", kit_host_ta_sleep }, + { "talk", kit_host_ta_talk }, + { "send", kit_host_ta_send }, + { "receive", kit_host_ta_receive }, + { "physical", kit_host_ta_physical }, + { NULL, NULL } }; ATCA_STATUS kit_host_process_ta(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) @@ -586,10 +586,10 @@ static ATCA_STATUS kit_host_board_get_device(ascii_kit_host_context_t* ctx, int static kit_host_map_entry_t kit_host_board_map[] = { - { "version", kit_host_board_get_version }, - { "firmware", kit_host_board_get_firmware }, - { "device", kit_host_board_get_device }, - { NULL, NULL } + { "version", kit_host_board_get_version }, + { "firmware", kit_host_board_get_firmware }, + { "device", kit_host_board_get_device }, + { NULL, NULL } }; static ATCA_STATUS kit_host_process_board(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) 
@@ -599,15 +599,15 @@ static ATCA_STATUS kit_host_process_board(ascii_kit_host_context_t* ctx, int arg static const kit_host_map_entry_t kit_host_target_map[] = { - { "board", kit_host_process_board }, + { "board", kit_host_process_board }, #if ATCA_CA_SUPPORT - { "ecc", kit_host_process_ca }, - { "sha", kit_host_process_ca }, + { "ecc", kit_host_process_ca }, + { "sha", kit_host_process_ca }, #endif #if ATCA_TA_SUPPORT - { "ta", kit_host_process_ta }, + { "ta", kit_host_process_ta }, #endif - { NULL, NULL } + { NULL, NULL } }; static ATCA_STATUS kit_host_process_target(ascii_kit_host_context_t* ctx, int argc, char* argv[], uint8_t* response, size_t* rlen) diff --git a/app/tng/tng_atca.c b/app/tng/tng_atca.c index 8125d542a..c4f1d1784 100644 --- a/app/tng/tng_atca.c +++ b/app/tng/tng_atca.c @@ -67,7 +67,7 @@ static const size_t g_tng_cert_def_cnt = sizeof(g_tng_cert_def_map) / sizeof(tng const atcacert_def_t* tng_map_get_device_cert_def(int index) { - if ((index > 0) && ((size_t)index < g_tng_cert_def_cnt)) + if ((index >= 0) && ((size_t)index < g_tng_cert_def_cnt)) { return g_tng_cert_def_map[index].cert_def; } diff --git a/app/tng/tng_atcacert_client.c b/app/tng/tng_atcacert_client.c index 56d4b3e77..ee9da5bc4 100644 --- a/app/tng/tng_atcacert_client.c +++ b/app/tng/tng_atcacert_client.c 
@@ -30,27 +30,41 @@ #include "tng_atcacert_client.h" #include "tngtls_cert_def_1_signer.h" #include "tng_root_cert.h" +#include int tng_atcacert_max_device_cert_size(size_t* max_cert_size) { int ret = ATCACERT_E_WRONG_CERT_DEF; int index = 0; - size_t cert_size; + size_t cert_size = 0; const atcacert_def_t* cert_def; - do + if (NULL != max_cert_size) { - cert_def = tng_map_get_device_cert_def(index++); - if (NULL != cert_def) + do { - ret = atcacert_max_cert_size(cert_def, &cert_size); - if (cert_size > *max_cert_size) + cert_def = tng_map_get_device_cert_def(index); + + if (NULL != cert_def) { - *max_cert_size = cert_size; + ret = atcacert_max_cert_size(cert_def, &cert_size); + if (cert_size > *max_cert_size) + { + *max_cert_size = cert_size; + } + + if (index < INT_MAX) + { + index++; + } + else + { + ret = ATCACERT_E_WRONG_CERT_DEF; + break; + } } - } + } while ((NULL != cert_def) && (ret == ATCACERT_E_SUCCESS)); } - while ((NULL != cert_def) && (ret != ATCACERT_E_SUCCESS)); return ret; } diff --git a/harmony/config/cryptoauthlib.py b/harmony/config/cryptoauthlib.py index 0d7f9b8d9..6d78a67a7 100644 --- a/harmony/config/cryptoauthlib.py +++ b/harmony/config/cryptoauthlib.py @@ -381,10 +381,14 @@ def instantiateComponent(calComponent): calEnablejwt = calComponent.createBooleanSymbol("CAL_ENABLE_JWT", None) calEnablejwt.setLabel("Enable jwt functionality?") calEnablejwt.setVisible(True) - + calMaxPacketSize = calComponent.createIntegerSymbol('CAL_MAX_PACKET_SIZE', None) calMaxPacketSize.setLabel('Maximum packet size (bytes)') - calMaxPacketSize.setDefaultValue(1072) + calMaxPacketSize.setDefaultValue(1073) + + calMultiPartBuffer = calComponent.createBooleanSymbol("CAL_ENABLE_MULTIPART_BUF", None) + calMultiPartBuffer.setLabel("Enable MultiPart Buffer") + calMultiPartBuffer.setVisible(True) # Symmetric Cryptography Commands symmetricCommands = calComponent.createMenuSymbol("cal_symmetric_commands", None) 
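Review bot: The new NULL guard in tng_atcacert_max_device_cert_size leaves `ret` at its initial `ATCACERT_E_WRONG_CERT_DEF` when `max_cert_size` is NULL, which reports a caller error as a certificate-definition problem; an explicit `ret = ATCACERT_E_BAD_PARAMS;` on that path would be clearer. Inside the loop `*max_cert_size` is compared before this function ever writes it, so the result depends on the caller having initialised it; state that in the function's doc comment, or zero it on entry if accumulating across calls is not intended. The comparison also runs when `atcacert_max_cert_size()` has failed, using whatever `cert_size` holds at that point; `if ((ATCACERT_E_SUCCESS == ret) && (cert_size > *max_cert_size))` keeps a failed lookup from influencing the maximum.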
diff --git a/harmony/config/device_instance.py b/harmony/config/device_instance.py index ab1b24e3e..003f4e75f 100644 --- a/harmony/config/device_instance.py +++ b/harmony/config/device_instance.py @@ -24,8 +24,8 @@ _DEFAULT_I2C_ADDRESS = {'ecc': 0xC0, 'sha': 0xC8, 'ecc204': 0x66, 'ta100': 0x2e, 'sha104': 0x62, 'sha105': 0x64} _SWI_DEVICES = ['ATSHA204A', 'ATSHA206A', 'ATECC108A', 'ATECC508A', 'ATECC608', 'ECC204', 'TA010', 'SHA104'] -_I2C_DEVICES = ['ATSHA204A', 'ATECC108A', 'ATECC508A', 'ATECC608', 'TA100', 'ECC204', 'TA010', 'SHA104', 'SHA105'] -_SPI_DEVICES = ['TA100'] +_I2C_DEVICES = ['ATSHA204A', 'ATECC108A', 'ATECC508A', 'ATECC608', 'TA100', 'TA101', 'ECC204', 'TA010', 'SHA104', 'SHA105'] +_SPI_DEVICES = ['TA100', 'TA101'] caldevcfglist = [] diff --git a/harmony/config/pkcs11.py b/harmony/config/pkcs11.py index 6a2ea1b56..56ff6d930 100644 --- a/harmony/config/pkcs11.py +++ b/harmony/config/pkcs11.py @@ -131,6 +131,10 @@ def instantiateComponent(calPkcs11Component): calPkcs11MaxObjects.setLabel('Maximum number of PKCS11 objects') calPkcs11MaxObjects.setDefaultValue(16) + calPkcs11MaxCertsCache = calPkcs11Component.createIntegerSymbol('CAL_PKCS11_MAX_CERTS_CACHED', None) + calPkcs11MaxCertsCache.setLabel('Maximum number of certificates cached') + calPkcs11MaxCertsCache.setDefaultValue(5) + calPkcs11MaxConfig = calPkcs11Component.createIntegerSymbol('CAL_PKCS11_MAX_CONFIG', None) calPkcs11MaxConfig.setLabel('Maximum number of PKCS11 Config Options') calPkcs11MaxConfig.setDefaultValue(7) diff --git a/harmony/config/test_app.py b/harmony/config/test_app.py index 999e13aa5..186ab2b97 100644 --- a/harmony/config/test_app.py +++ b/harmony/config/test_app.py 
@@ -27,7 +27,7 @@ fileSymbolName = "CAL_FILE_SRC_TEST_" numFileCntr = 0 -_TEST_PATHS = ['atcacert/*', 'integration/*', 'jwt/*', 'api_atcab/*', 'api_calib/*', 'api_crypto/*', 'api_talib/*', 'vectors/*'] +_TEST_PATHS = ['atcacert/*', 'integration/*', 'jwt/*', 'api_atcab/*', 'api_calib/*', 'api_crypto/*', 'api_talib/*', 'hal/*', 'vectors/*'] _TEST_SOURCES = ['atca_test.c', 'atca_test_config.c', 'atca_test_console.c', 'atca_utils_atecc608.c', 'cmd-processor.c'] _TEST_HEADERS = ['atca_test.h', 'cbuf.h', 'cmd-processor.h'] diff --git a/harmony/module.py b/harmony/module.py index 3ab8c8d16..e3dcfc5f2 100644 --- a/harmony/module.py +++ b/harmony/module.py @@ -24,7 +24,7 @@ import os _CALIB_SUPPORTED_DEVICES = ['ATECC108A', 'ATECC508A', 'ATECC608', 'ATSHA204A', 'ATSHA206A', 'ECC204', 'TA010', 'SHA104', 'SHA105'] -_TALIB_SUPPORTED_DEVICES = ['TA100'] +_TALIB_SUPPORTED_DEVICES = ['TA100', 'TA101'] def loadModule(): cryptoAuthLib = Module.CreateSharedComponent("cryptoauthlib", "Core", "/Libraries/Cryptoauthlib", "/harmony/config/cryptoauthlib.py") diff --git a/harmony/templates/atca_config.h.ftl b/harmony/templates/atca_config.h.ftl index defcec1b8..611d3ed26 100644 --- a/harmony/templates/atca_config.h.ftl +++ b/harmony/templates/atca_config.h.ftl @@ -460,6 +460,10 @@ #endif +#ifndef MULTIPART_BUF_EN +#define MULTIPART_BUF_EN ${CAL_ENABLE_MULTIPART_BUF?c} +#endif + #ifndef ATCA_PREPROCESSOR_WARNING #define ATCA_PREPROCESSOR_WARNING ${CAL_ENABLE_PREPROCESSOR_WARNING?c} #endif diff --git a/harmony/templates/pkcs11_config.h.ftl b/harmony/templates/pkcs11_config.h.ftl index a1ba5f3ce..3f058d6e7 100644 --- a/harmony/templates/pkcs11_config.h.ftl +++ b/harmony/templates/pkcs11_config.h.ftl 
@@ -74,6 +74,11 @@ #define PKCS11_MAX_SESSIONS_ALLOWED ${CAL_PKCS11_MAX_SESSIONS} #endif +/** Maximum number of x509 certificates allowed to be cached for parsing */ +#ifndef PKCS11_MAX_CERTS_CACHED +#define PKCS11_MAX_CERTS_CACHED ${CAL_PKCS11_MAX_CERTS_CACHED} +#endif + /** Maximum number of cryptographic objects allowed to be cached */ #ifndef PKCS11_MAX_OBJECTS_ALLOWED #define PKCS11_MAX_OBJECTS_ALLOWED ${CAL_PKCS11_MAX_OBJECTS} diff --git a/harmony/templates/talib_config.h.ftl b/harmony/templates/talib_config.h.ftl index e0bfeb8a9..2e2723b50 100644 --- a/harmony/templates/talib_config.h.ftl +++ b/harmony/templates/talib_config.h.ftl @@ -2,7 +2,6 @@ #ifndef TALIB_CONFIG_H #define TALIB_CONFIG_H - /******************** Device Configuration Section *************************/ <#if CAL_ENABLE_TA10x_AES_AUTH> diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt index 6d692e515..5d4567fb8 100644 --- a/lib/CMakeLists.txt +++ b/lib/CMakeLists.txt @@ -21,6 +21,7 @@ option(ATCA_NO_HEAP "Do not use dynamic (heap) allocation functions" OFF) option(ATCA_USE_ATCAB_FUNCTIONS "Build the atcab_ api functions rather than using macros" OFF) option(ATCA_ENABLE_DEPRECATED "Enable the use of older APIs that that been replaced" OFF) option(ATCA_STRICT_C99 "Enable strict C99 compliance for the libray" OFF) +option(MULTIPART_BUF_EN "Enable MultiPart Buffer" OFF) # Software Cryptographic backend for host crypto abstractions option(ATCA_MBEDTLS "Integrate with mbedtls" OFF) @@ -62,10 +63,6 @@ if (TARGET zephyr_interface) SET(ATCA_ZEPHYR_SUPPORT ON CACHE INTERNAL "Include zephyr hal drivers") endif() -# Set maximum packet size that is allowed in bytes -SET(MAX_PACKET_SIZE 1072 CACHE STRING "Dafault packet size allowed in bytes") - - # Check Integration Options if (ATCA_MBEDTLS AND (ATCA_WOLFSSL OR ATCA_OPENSSL)) message(FATAL_ERROR "Only one external SSL/TLS library can be supported") 
@@ -309,12 +306,12 @@ endif(BUILD_TESTS) configure_file(atca_config.h.in atca_config.h @ONLY) set(LIB_INC ${LIB_INC} ${CMAKE_CURRENT_BINARY_DIR}/atca_config.h) -include_directories(cryptoauth PUBLIC ${CMAKE_CURRENT_BINARY_DIR} +include_directories(cryptoauth PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_BINARY_DIR}/downloaded ../app/tng - ../third_party - ../third_party/hidapi/hidapi + ../third_party + ../third_party/hidapi/hidapi ${USB_INCLUDE_DIR}) if(ATCA_MBEDTLS) diff --git a/lib/atca_basic.c b/lib/atca_basic.c index 31fd6e8e0..037604f53 100644 --- a/lib/atca_basic.c +++ b/lib/atca_basic.c @@ -379,7 +379,7 @@ ATCA_STATUS atcab_get_zone_size_ext(ATCADevice device, uint8_t zone, uint16_t sl if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { #if ATCA_CA_SUPPORT - status = calib_get_zone_size(device, zone, slot, size); + status = calib_get_zone_size(device, zone, slot, size); #endif } else if (atcab_is_ta_device(dev_type)) @@ -580,7 +580,7 @@ ATCA_STATUS atcab_aes_gfm(const uint8_t* h, const uint8_t* input, uint8_t* outpu } #endif -#if ATCAB_AES_GCM_EN && defined(ATCA_USE_ATCAB_FUNCTIONS) +#if ATCAB_AES_GCM_EN && defined(ATCA_USE_ATCAB_FUNCTIONS) && CALIB_AES_GCM_EN /** \brief Initialize context for AES GCM operation with an existing IV, which * is common when starting a decrypt operation. * @@ -840,7 +840,8 @@ ATCA_STATUS atcab_aes_gcm_encrypt_finish(atca_aes_gcm_ctx_t* ctx, uint8_t* tag, * * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS atcab_aes_gcm_decrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* ciphertext, uint32_t ciphertext_size, uint8_t* plaintext) +ATCA_STATUS atcab_aes_gcm_decrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* ciphertext, uint32_t ciphertext_size, + uint8_t* plaintext) { ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); 
@@ -1106,9 +1107,9 @@ ATCA_STATUS atcab_derivekey_ext(ATCADevice device, uint8_t mode, uint16_t key_id ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_DERIVEKEY_EN status = calib_derivekey(device, mode, key_id, mac); #endif } @@ -1235,7 +1236,8 @@ ATCA_STATUS atcab_ecdh(uint16_t key_id, const uint8_t* public_key, uint8_t* pms) #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id) #else -ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) #endif { ATCA_STATUS status = ATCA_UNIMPLEMENTED; @@ -1457,9 +1459,9 @@ ATCA_STATUS atcab_genkey_base(uint8_t mode, uint16_t key_id, const uint8_t* othe ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_GENKEY_EN status = calib_genkey_base(g_atcab_device_ptr, mode, key_id, other_data, public_key); #endif } @@ -1495,7 +1497,7 @@ ATCA_STATUS atcab_genkey_ext(ATCADevice device, uint16_t key_id, uint8_t* public if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_GENKEY_EN status = calib_genkey(device, key_id, public_key); #endif } 
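Review bot: atcab_derivekey_ext and atcab_genkey_base now test only `atcab_is_ca_device(dev_type)`, while atcab_genkey_ext in this same group of hunks keeps `|| atcab_is_ca2_device(dev_type)`, so the two genkey entry points no longer agree on which device families they serve. The same narrowing appears in atcab_kdf, atcab_random_ext, atcab_is_slot_locked_ext and the four atcab_sha_hmac* functions in the later hunks. All of these bodies continue outside their hunks; unless a later branch there handles CA2 devices, the call now returns with `status` still `ATCA_UNIMPLEMENTED` and output buffers such as `rand_out` untouched, so a caller that does not check the status would consume uninitialised data. If the narrowing is intentional, a comment beside each condition (for example `/* CA2 devices do not implement this command */`) would make it visible; otherwise restore the `atcab_is_ca2_device` term.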
@@ -1547,7 +1549,7 @@ ATCA_STATUS atcab_get_pubkey_ext(ATCADevice device, uint16_t key_id, uint8_t* pu if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_GENKEY_EN status = calib_get_pubkey(device, key_id, public_key); #endif } @@ -1841,9 +1843,9 @@ ATCA_STATUS atcab_kdf(uint8_t mode, uint16_t key_id, const uint32_t details, con ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_KDF_EN status = calib_kdf(g_atcab_device_ptr, mode, key_id, details, message, out_data, out_nonce); #endif } @@ -2377,7 +2379,8 @@ ATCA_STATUS atcab_challenge_seed_update(const uint8_t* num_in, uint8_t* rand_out #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32]) #else -ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], + const uint8_t num_in[NONCE_NUMIN_SIZE]) #endif { ATCA_STATUS status = ATCA_UNIMPLEMENTED; @@ -2421,9 +2424,9 @@ ATCA_STATUS atcab_random_ext(ATCADevice device, uint8_t* rand_out) ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_RANDOM_EN status = calib_random(device, rand_out); #endif } 
@@ -2635,9 +2638,9 @@ ATCA_STATUS atcab_is_slot_locked_ext(ATCADevice device, uint16_t slot, bool* is_ ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_READ_EN status = calib_is_slot_locked(device, slot, is_locked); #endif } @@ -2872,7 +2875,7 @@ ATCA_STATUS atcab_read_sig(uint16_t slot, uint8_t* sig) if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_READ_EN status = calib_read_sig(g_atcab_device_ptr, slot, sig); #endif } @@ -2998,7 +3001,8 @@ ATCA_STATUS atcab_cmp_config_zone(uint8_t* config_data, bool* same_config) #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id) #else -ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) #endif { ATCA_STATUS status = ATCA_UNIMPLEMENTED; @@ -3006,7 +3010,7 @@ ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_READ_ENC_EN #if defined(ATCA_USE_CONSTANT_HOST_NONCE) status = calib_read_enc(g_atcab_device_ptr, key_id, block, data, enc_key, enc_key_id); #else @@ -3302,7 +3306,7 @@ ATCA_STATUS atcab_sha_read_context(uint8_t* context, uint16_t* context_size) if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_CONTEXT_EN status = calib_sha_read_context(g_atcab_device_ptr, context, context_size); #endif } 
@@ -3342,7 +3346,7 @@ ATCA_STATUS atcab_sha_write_context(const uint8_t* context, uint16_t context_siz if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_CONTEXT_EN status = calib_sha_write_context(g_atcab_device_ptr, context, context_size); #endif } @@ -3544,9 +3548,9 @@ ATCA_STATUS atcab_sha_hmac_init(atca_hmac_sha256_ctx_t* ctx, uint16_t key_slot) ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_HMAC_EN status = calib_sha_hmac_init(g_atcab_device_ptr, ctx, key_slot); #endif } @@ -3575,9 +3579,9 @@ ATCA_STATUS atcab_sha_hmac_update(atca_hmac_sha256_ctx_t* ctx, const uint8_t* da ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_HMAC_EN status = calib_sha_hmac_update(g_atcab_device_ptr, ctx, data, data_size); #endif } @@ -3609,9 +3613,9 @@ ATCA_STATUS atcab_sha_hmac_finish(atca_hmac_sha256_ctx_t* ctx, uint8_t* digest, ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_HMAC_EN status = calib_sha_hmac_finish(g_atcab_device_ptr, ctx, digest, target); #endif } @@ -3646,9 +3650,9 @@ ATCA_STATUS atcab_sha_hmac_ext(ATCADevice device, const uint8_t* data, size_t da ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type_ext(device); - if (atcab_is_ca_device(dev_type) || atcab_is_ca2_device(dev_type)) + if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_SHA_HMAC_EN status = calib_sha_hmac(device, data, data_size, key_slot, digest, target); #endif } 
@@ -3842,7 +3846,7 @@ ATCA_STATUS atcab_updateextra(uint8_t mode, uint16_t new_value) if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_UPDATEEXTRA_EN status = calib_updateextra(g_atcab_device_ptr, mode, new_value); #endif } @@ -4004,7 +4008,8 @@ ATCA_STATUS atcab_verify_extern(const uint8_t* message, const uint8_t* signature * \return ATCA_SUCCESS on verification success or failure, because the * command still completed successfully. */ -ATCA_STATUS atcab_verify_extern_mac(const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +ATCA_STATUS atcab_verify_extern_mac(const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified) { ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); @@ -4150,7 +4155,8 @@ ATCA_STATUS atcab_verify_stored_with_tempkey(const uint8_t* signature, uint16_t * \return ATCA_SUCCESS on verification success or failure, because the * command still completed successfully. */ -ATCA_STATUS atcab_verify_stored_mac(const uint8_t* message, const uint8_t* signature, uint16_t key_id, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +ATCA_STATUS atcab_verify_stored_mac(const uint8_t* message, const uint8_t* signature, uint16_t key_id, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified) { ATCA_STATUS status = ATCA_UNIMPLEMENTED; ATCADeviceType dev_type = atcab_get_device_type(); 
@@ -4536,7 +4542,8 @@ ATCA_STATUS atcab_write_config_zone(const uint8_t* config_data) #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id) #else -ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) #endif { ATCA_STATUS status = ATCA_UNIMPLEMENTED; @@ -4544,7 +4551,7 @@ ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, if (atcab_is_ca_device(dev_type)) { -#if ATCA_CA_SUPPORT +#if CALIB_WRITE_ENC_EN #if defined(ATCA_USE_CONSTANT_HOST_NONCE) status = calib_write_enc(g_atcab_device_ptr, key_id, block, data, enc_key, enc_key_id); #else diff --git a/lib/atca_basic.h b/lib/atca_basic.h index 47e06dda9..d1d28cafe 100644 --- a/lib/atca_basic.h +++ b/lib/atca_basic.h @@ -71,7 +71,8 @@ bool atcab_is_ta_device(ATCADeviceType dev_type); #include "crypto/atca_crypto_hw_aes.h" // Hardware Accelerated algorithms -ATCA_STATUS atcab_pbkdf2_sha256_ext(ATCADevice device, const uint32_t iter, const uint16_t slot, const uint8_t* salt, const size_t salt_len, uint8_t* result, size_t result_len); +ATCA_STATUS atcab_pbkdf2_sha256_ext(ATCADevice device, const uint32_t iter, const uint16_t slot, const uint8_t* salt, const size_t salt_len, uint8_t* result, + size_t result_len); ATCA_STATUS atcab_pbkdf2_sha256(const uint32_t iter, const uint16_t slot, const uint8_t* salt, const size_t salt_len, uint8_t* result, size_t result_len); #ifdef ATCA_USE_ATCAB_FUNCTIONS 
@@ -93,6 +94,7 @@ ATCA_STATUS atcab_aes_decrypt_ext(ATCADevice device, uint16_t key_id, uint8_t ke ATCA_STATUS atcab_aes_gfm(const uint8_t* h, const uint8_t* input, uint8_t* output); /* AES GCM */ +#if CALIB_AES_GCM_EN ATCA_STATUS atcab_aes_gcm_init(atca_aes_gcm_ctx_t* ctx, uint16_t key_id, uint8_t key_block, const uint8_t* iv, size_t iv_size); ATCA_STATUS atcab_aes_gcm_init_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, uint16_t key_id, uint8_t key_block, const uint8_t* iv, size_t iv_size); ATCA_STATUS atcab_aes_gcm_init_rand(atca_aes_gcm_ctx_t* ctx, uint16_t key_id, uint8_t key_block, size_t rand_size, 
@@ -100,13 +102,16 @@ ATCA_STATUS atcab_aes_gcm_init_rand(atca_aes_gcm_ctx_t* ctx, uint16_t key_id, ui ATCA_STATUS atcab_aes_gcm_aad_update(atca_aes_gcm_ctx_t* ctx, const uint8_t* aad, uint32_t aad_size); ATCA_STATUS atcab_aes_gcm_aad_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* aad, uint32_t aad_size); ATCA_STATUS atcab_aes_gcm_encrypt_update(atca_aes_gcm_ctx_t* ctx, const uint8_t* plaintext, uint32_t plaintext_size, uint8_t* ciphertext); -ATCA_STATUS atcab_aes_gcm_encrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* plaintext, uint32_t plaintext_size, uint8_t* ciphertext); +ATCA_STATUS atcab_aes_gcm_encrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* plaintext, uint32_t plaintext_size, + uint8_t* ciphertext); ATCA_STATUS atcab_aes_gcm_encrypt_finish(atca_aes_gcm_ctx_t* ctx, uint8_t* tag, size_t tag_size); ATCA_STATUS atcab_aes_gcm_encrypt_finish_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, uint8_t* tag, size_t tag_size); ATCA_STATUS atcab_aes_gcm_decrypt_update(atca_aes_gcm_ctx_t* ctx, const uint8_t* ciphertext, uint32_t ciphertext_size, uint8_t* plaintext); -ATCA_STATUS atcab_aes_gcm_decrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* ciphertext, uint32_t ciphertext_size, uint8_t* plaintext); +ATCA_STATUS atcab_aes_gcm_decrypt_update_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* ciphertext, uint32_t ciphertext_size, + uint8_t* plaintext); ATCA_STATUS atcab_aes_gcm_decrypt_finish(atca_aes_gcm_ctx_t* ctx, const uint8_t* tag, size_t tag_size, bool* is_verified); ATCA_STATUS atcab_aes_gcm_decrypt_finish_ext(ATCADevice device, atca_aes_gcm_ctx_t* ctx, const uint8_t* tag, size_t tag_size, bool* is_verified); +#endif /* CheckMAC command */ ATCA_STATUS atcab_checkmac(uint8_t mode, uint16_t key_id, const uint8_t* challenge, const uint8_t* response, const uint8_t* other_data); 
@@ -128,7 +133,8 @@ ATCA_STATUS atcab_ecdh(uint16_t key_id, const uint8_t* public_key, uint8_t* pms) #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id); #else -ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]); +ATCA_STATUS atcab_ecdh_enc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]); #endif ATCA_STATUS atcab_ecdh_ioenc(uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* io_key); @@ -190,7 +196,8 @@ ATCA_STATUS atcab_challenge_seed_update(const uint8_t* num_in, uint8_t* rand_out #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32]); #else -ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], const uint8_t num_in[NONCE_NUMIN_SIZE]); +ATCA_STATUS atcab_priv_write(uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], + const uint8_t num_in[NONCE_NUMIN_SIZE]); #endif // Random command functions 
@@ -222,12 +229,14 @@ ATCA_STATUS atcab_cmp_config_zone(uint8_t* config_data, bool* same_config); #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id); #else -ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]); +ATCA_STATUS atcab_read_enc(uint16_t key_id, uint8_t block, uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]); #endif // SecureBoot command functions ATCA_STATUS atcab_secureboot(uint8_t mode, uint16_t param2, const uint8_t* digest, const uint8_t* signature, uint8_t* mac); -ATCA_STATUS atcab_secureboot_mac(uint8_t mode, const uint8_t* digest, const uint8_t* signature, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified); +ATCA_STATUS atcab_secureboot_mac(uint8_t mode, const uint8_t* digest, const uint8_t* signature, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified); /* SelfTest Command */ ATCA_STATUS atcab_selftest(uint8_t mode, uint16_t param2, uint8_t* result); 
@@ -266,11 +275,13 @@ ATCA_STATUS atcab_updateextra(uint8_t mode, uint16_t new_value); ATCA_STATUS atcab_verify(uint8_t mode, uint16_t key_id, const uint8_t* signature, const uint8_t* public_key, const uint8_t* other_data, uint8_t* mac); ATCA_STATUS atcab_verify_extern(const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, bool* is_verified); ATCA_STATUS atcab_verify_extern_ext(ATCADevice device, const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, bool* is_verified); -ATCA_STATUS atcab_verify_extern_mac(const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified); +ATCA_STATUS atcab_verify_extern_mac(const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified); ATCA_STATUS atcab_verify_stored(const uint8_t* message, const uint8_t* signature, uint16_t key_id, bool* is_verified); ATCA_STATUS atcab_verify_stored_ext(ATCADevice device, const uint8_t* message, const uint8_t* signature, uint16_t key_id, bool* is_verified); ATCA_STATUS atcab_verify_stored_with_tempkey(const uint8_t* signature, uint16_t key_id, bool* is_verified); -ATCA_STATUS atcab_verify_stored_mac(const uint8_t* message, const uint8_t* signature, uint16_t key_id, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified); +ATCA_STATUS atcab_verify_stored_mac(const uint8_t* message, const uint8_t* signature, uint16_t key_id, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified); ATCA_STATUS atcab_verify_validate(uint16_t key_id, const uint8_t* signature, const uint8_t* other_data, bool* is_verified); ATCA_STATUS atcab_verify_invalidate(uint16_t key_id, const uint8_t* signature, const uint8_t* other_data, bool* is_verified); 
@@ -289,7 +300,8 @@ ATCA_STATUS atcab_write_config_zone_ext(ATCADevice device, const uint8_t* config #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id); #else -ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]); +ATCA_STATUS atcab_write_enc(uint16_t key_id, uint8_t block, const uint8_t* data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]); #endif ATCA_STATUS atcab_write_config_counter(uint16_t counter_id, uint32_t counter_value); diff --git a/lib/atca_config.h.in b/lib/atca_config.h.in index 530c35540..d1d623ae7 100644 --- a/lib/atca_config.h.in +++ b/lib/atca_config.h.in @@ -99,6 +99,9 @@ selected plus however additional slots one would like */ /** Enable Strict ISO/C99 compliance */ #cmakedefine ATCA_STRICT_C99 +/** Enable ATCACERT Module */ +#cmakedefine01 ATCACERT_EN + /******************** Device Configuration Section *************************/ /** Enable the delete command */ @@ -107,10 +110,9 @@ selected plus however additional slots one would like */ /******************** Packet Size Configuration Section *************************/ /** Provide Maximum packet size for the command to be sent and received */ -#ifndef MAX_PACKET_SIZE -#define MAX_PACKET_SIZE (@MAX_PACKET_SIZE@U) -#endif +#cmakedefine MAX_PACKET_SIZE (@MAX_PACKET_SIZE@U) +/** Enables multipart buffer handling (generally for small memory model platforms) */ #cmakedefine01 MULTIPART_BUF_EN /******************** Platform Configuration Section ***********************/ diff --git a/lib/atca_config_check.h b/lib/atca_config_check.h index fbc18380f..2d0ad5873 100644 --- a/lib/atca_config_check.h +++ b/lib/atca_config_check.h 
@@ -70,7 +70,7 @@ /* New Trust Anchor Devices */ #ifndef ATCA_TA_SUPPORT -#if defined(ATCA_TA100_SUPPORT) +#if defined(ATCA_TA100_SUPPORT) || defined(ATCA_TA101_SUPPORT) #define ATCA_TA_SUPPORT DEFAULT_ENABLED #else #define ATCA_TA_SUPPORT DEFAULT_DISABLED @@ -117,6 +117,13 @@ #define MULTIPART_BUF_EN (DEFAULT_DISABLED) #endif +/** \def ATCACERT_EN + * Enables the ATCACERT x509 handling module + */ +#ifndef ATCACERT_EN +#define ATCACERT_EN (DEFAULT_ENABLED) +#endif + /**** AES command ****/ /** \def ATCAB_AES 
@@ -655,4 +662,89 @@ #define ATCAB_WRITE_ENC_EN ATCAB_WRITE_EN #endif +/* Host side Cryptographic functionality required by the library */ + +/** \def ATCAC_SHA1_EN + * + * Enable ATCAC_SHA1_EN to enable sha1 host side api + * + * Supported API's: atcab_write + **/ +#ifndef ATCAC_SHA1_EN +#define ATCAC_SHA1_EN (DEFAULT_ENABLED) +#endif + +/** \def ATCAC_SHA256_EN + * + * Enable ATCAC_SHA256_EN to enable sha256 host side api + * + * Supported API's: atcab_write + **/ +#ifndef ATCAC_SHA256_EN +#define ATCAC_SHA256_EN (DEFAULT_ENABLED) +#endif + +/** \def ATCAC_SHA256_HMAC + * + * Requires: ATCAC_SHA256_HMAC + * ATCAC_SW_SHA2_256 + * + * Enable ATCAC_SHA256_HMAC to initialize context for performing HMAC (sha256) in software + * + * Supported API's: atcac_sha256_hmac_init, atcac_sha256_hmac_update, atcac_sha256_hmac_finish + **/ +#ifndef ATCAC_SHA256_HMAC_EN +#define ATCAC_SHA256_HMAC_EN ATCAC_SHA256_EN +#endif + +/** \def ATCAC_SHA256_HMAC_COUNTER + * + * Requires: ATCAC_SHA256_HMAC_COUNTER + * ATCAC_SHA256_HMAC + * ATCAC_SW_SHA2_256 + * + * Enable ATCAC_SHA256_HMAC_COUNTER to implement SHA256 HMAC-Counter per NIST SP 800-108 used for + * KDF like operations + * + * Supported API's: atcac_sha256_hmac_counter + **/ +#ifndef ATCAC_SHA256_HMAC_CTR_EN +#define ATCAC_SHA256_HMAC_CTR_EN ATCAC_SHA256_HMAC_EN +#endif + +/** \def ATCAC_RANDOM_EN + * + * Requires: ATCA_HOSTLIB_EN + * + * Enable ATCAC_RANDOM_EN get random numbers from the host's + * implementation - generally assumed to come from the host's + * cryptographic library or peripheral driver + * + */ +#ifndef ATCAC_RANDOM_EN +#define ATCAC_RANDOM_EN ATCA_HOSTLIB_EN +#endif + +/** \def ATCAC_VERIFY_EN + * + * Requires: ATCA_HOSTLIB_EN + * + * Enable ATCAC_VERIFY_EN to use the host's verify functions. Generally assumed + * to come from the host's cryptographic library or peripheral driver. 
+ */ +#ifndef ATCAC_VERIFY_EN +#define ATCAC_VERIFY_EN ATCA_HOSTLIB_EN +#endif + +/** \def ATCAC_SIGN_EN + * + * Requires: ATCA_HOSTLIB_EN + * + * Enable ATCAC_SIGN_EN to use the host's sign functions. Generally assumed + * to come from the host's cryptographic library or peripheral driver. + */ +#ifndef ATCAC_SIGN_EN +#define ATCAC_SIGN_EN ATCA_HOSTLIB_EN +#endif + #endif /* ATCA_CONFIG_CHECK_H */ diff --git a/lib/atca_devtypes.h b/lib/atca_devtypes.h index 5e4b487d9..9393bfff7 100644 --- a/lib/atca_devtypes.h +++ b/lib/atca_devtypes.h @@ -53,6 +53,7 @@ typedef uint8_t ATCADeviceType; #define ATECC608 (3U) #define ATSHA206A (4U) #define TA100 (0x10U) +#define TA101 (0x11U) #define ECC204 (0x20U) #define TA010 (0x21U) #define ECC206 (0x22U) diff --git a/lib/atca_iface.c b/lib/atca_iface.c index 2b8e9b1a7..7ab2563cc 100644 --- a/lib/atca_iface.c +++ b/lib/atca_iface.c @@ -174,17 +174,6 @@ ATCA_STATUS atsend(ATCAIface ca_iface, uint8_t word_address, uint8_t *txdata, in if ((NULL != ca_iface->hal) && (NULL != ca_iface->hal->halsend)) { -#ifdef ATCA_HAL_I2C - if (ATCA_I2C_IFACE == ca_iface->mIfaceCFG->iface_type && 0xFFu == word_address) - { -#ifdef ATCA_ENABLE_DEPRECATED - word_address = ATCA_IFACECFG_VALUE(ca_iface->mIfaceCFG, atcai2c.slave_address); -#else - word_address = ATCA_IFACECFG_VALUE(ca_iface->mIfaceCFG, atcai2c.address); -#endif - } -#endif - return ca_iface->hal->halsend(ca_iface, word_address, txdata, txlength); } else 
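Review bot: Two of the Doxygen blocks added to atca_config_check.h name macros that the hunk never defines: `\def ATCAC_SHA256_HMAC` sits above `ATCAC_SHA256_HMAC_EN` and `\def ATCAC_SHA256_HMAC_COUNTER` above `ATCAC_SHA256_HMAC_CTR_EN`, so the documentation will not attach to the real switches. Both blocks also list themselves under "Requires:", and the SHA1 and SHA256 blocks give `atcab_write` as the supported API, which reads like text copied from a device-command entry. I would change the tags to `\def ATCAC_SHA256_HMAC_EN` and `\def ATCAC_SHA256_HMAC_CTR_EN`, drop the self-references, and list the host-side functions each switch actually gates.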
@@ -604,42 +593,45 @@ void deleteATCAIface(ATCAIface *ca_iface) typedef struct { - ATCADeviceType devtype; - const char * name; + ATCADeviceType devtype; + const char * name; } devtype_names_t; static const devtype_names_t devtype_names[] = { #ifdef ATCA_ATSHA204A_SUPPORT - { ATSHA204A, "sha204" }, + { ATSHA204A, "sha204" }, #endif #ifdef ATCA_ATECC108A_SUPPORT - { ATECC108A, "ecc108" }, + { ATECC108A, "ecc108" }, #endif #ifdef ATCA_ATECC508A_SUPPORT - { ATECC508A, "ecc508" }, + { ATECC508A, "ecc508" }, #endif #ifdef ATCA_ATECC608_SUPPORT - { ATECC608, "ecc608" }, + { ATECC608, "ecc608" }, #endif #ifdef ATCA_ATSHA206A_SUPPORT - { ATSHA206A, "sha206" }, + { ATSHA206A, "sha206" }, #endif #ifdef ATCA_ECC204_SUPPORT - { ECC204, "ecc204" }, + { ECC204, "ecc204" }, #endif #ifdef ATCA_TA010_SUPPORT - { TA010, "ta010" }, + { TA010, "ta010" }, #endif #ifdef ATCA_SHA104_SUPPORT - { SHA104, "sha104" }, + { SHA104, "sha104" }, #endif #ifdef ATCA_SHA105_SUPPORT - { SHA105, "sha105" }, + { SHA105, "sha105" }, #endif #ifdef ATCA_TA100_SUPPORT - { TA100, "ta100" }, + { TA100, "ta100" }, +#endif +#ifdef ATCA_TA101_SUPPORT + { TA101, "ta101" }, #endif - { ATCA_DEV_UNKNOWN, "unknown" } + { ATCA_DEV_UNKNOWN, "unknown" } }; /** \brief Get the ATCADeviceType for a string that looks like a part number */ diff --git a/lib/atca_version.h b/lib/atca_version.h index e9c7b09fb..191f57e26 100644 --- a/lib/atca_version.h +++ b/lib/atca_version.h @@ -30,9 +30,9 @@ #define ATCA_VERSION_H // Version format yyyymmdd -#define ATCA_LIBRARY_VERSION_DATE "20230908" +#define ATCA_LIBRARY_VERSION_DATE "20231215" #define ATCA_LIBRARY_VERSION_MAJOR 3 #define ATCA_LIBRARY_VERSION_MINOR 7 -#define ATCA_LIBRARY_VERSION_BUILD 0 +#define ATCA_LIBRARY_VERSION_BUILD 1 #endif /* ATCA_VERSION_H */ diff --git a/lib/atcacert/atcacert_check_config.h b/lib/atcacert/atcacert_check_config.h index 8a1825282..185f2b2e6 100644 --- a/lib/atcacert/atcacert_check_config.h +++ b/lib/atcacert/atcacert_check_config.h 
@@ -27,19 +27,31 @@ #ifndef ATCACERT_CHECK_CONFIG_H #define ATCACERT_CHECK_CONFIG_H -/* The atcacert_ module is only set up to work with classic cryptoauth devices */ -#include "calib/calib_config_check.h" +#include "cryptoauthlib.h" +#include "crypto/atca_crypto_sw.h" + +#ifndef HOSTLIB_CERT_EN +#define HOSTLIB_CERT_EN DEFAULT_DISABLED +#endif + +#ifndef ATCACERT_INTEGRATION_EN +#define ATCACERT_INTEGRATION_EN HOSTLIB_CERT_EN +#endif #ifndef ATCACERT_COMPCERT_EN +#if ATCA_CA_SUPPORT #define ATCACERT_COMPCERT_EN CALIB_ECC_SUPPORT +#else +#define ATCACERT_COMPCERT_EN DEFAULT_DISABLED +#endif #endif #ifndef ATCACERT_HW_CHALLENGE_EN -#define ATCACERT_HW_CHALLENGE_EN CALIB_RANDOM_EN +#define ATCACERT_HW_CHALLENGE_EN (ATCAB_RANDOM_EN && (ATCA_ECC_SUPPORT || ATCA_TA_SUPPORT)) #endif #ifndef ATCACERT_HW_VERIFY_EN -#define ATCACERT_HW_VERIFY_EN CALIB_VERIFY_EXTERN_EN +#define ATCACERT_HW_VERIFY_EN (ATCAB_VERIFY_EXTERN_EN && (ATCA_ECC_SUPPORT || ATCA_TA_SUPPORT)) #endif #ifndef ATCACERT_DATEFMT_ISO_EN diff --git a/lib/atcacert/atcacert_client.c b/lib/atcacert/atcacert_client.c index c67bc8e32..205d7f760 100644 --- a/lib/atcacert/atcacert_client.c +++ b/lib/atcacert/atcacert_client.c @@ -35,7 +35,6 @@ #include "cryptoauthlib.h" #include "calib/calib_basic.h" - #if ATCACERT_COMPCERT_EN #define DEVZONE_TO_BYTEVAL(zone) (((int)(zone) < UCHAR_MAX) ? ((uint8_t)(zone) & 0xFFu) : 0x07u) @@ -138,6 +137,7 @@ ATCA_STATUS atcacert_read_device_loc(const atcacert_device_loc_t* device_loc, { return atcacert_read_device_loc_ext(atcab_get_device(), device_loc, data); } +#endif ATCA_STATUS atcacert_read_cert_ext(ATCADevice device, const atcacert_def_t* cert_def, @@ -145,7 +145,7 @@ ATCA_STATUS atcacert_read_cert_ext(ATCADevice device, uint8_t* cert, size_t* cert_size) { - ATCA_STATUS ret = 0; + ATCA_STATUS ret = ATCACERT_E_BAD_PARAMS; atcacert_device_loc_t device_locs[16]; size_t device_locs_count = 0; size_t i = 0; 
@@ -161,43 +161,70 @@ ATCA_STATUS atcacert_read_cert_ext(ATCADevice device, return atcacert_read_cert_size_ext(device, cert_def, cert_size); } - ret = atcacert_get_device_locs( - cert_def, - device_locs, - &device_locs_count, - sizeof(device_locs) / sizeof(device_locs[0]), - ATCA_BLOCK_SIZE); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } - - ret = atcacert_cert_build_start(&build_state, cert_def, cert, cert_size, ca_public_key); - if (ret != ATCACERT_E_SUCCESS) + if (CERTTYPE_X509_FULL_STORED == cert_def->type) { - return ret; + if (ATCACERT_E_SUCCESS == (ret = atcab_read_bytes_zone_ext(device, (uint8_t)cert_def->comp_cert_dev_loc.zone, + cert_def->comp_cert_dev_loc.slot, 0u, cert, *cert_size))) + { + #if ATCACERT_INTEGRATION_EN + cal_buffer buf = CAL_BUF_INIT(*cert_size, cert); + /* Load parsed certificate if not already done */ + if (NULL == *cert_def->parsed) + { + if (ATCACERT_E_SUCCESS != (ret = atcac_parse_der(cert_def->parsed, &buf))) + { + return ret; + } + } + #endif + } + else + { + return ret; + } } - - for (i = 0; i < device_locs_count; i++) + else { - static uint8_t data[416]; - ret = atcacert_read_device_loc_ext(device, &device_locs[i], data); +#if ATCACERT_COMPCERT_EN + ret = atcacert_get_device_locs( + cert_def, + device_locs, + &device_locs_count, + sizeof(device_locs) / sizeof(device_locs[0]), + ATCA_BLOCK_SIZE); if (ret != ATCACERT_E_SUCCESS) { return ret; } - ret = atcacert_cert_build_process(&build_state, &device_locs[i], data); + ret = atcacert_cert_build_start(&build_state, cert_def, cert, cert_size, ca_public_key); if (ret != ATCACERT_E_SUCCESS) { return ret; } - } - ret = atcacert_cert_build_finish(&build_state); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; + for (i = 0; i < device_locs_count; i++) + { + static uint8_t data[416]; + ret = atcacert_read_device_loc_ext(device, &device_locs[i], data); + if (ret != ATCACERT_E_SUCCESS) + { + return ret; + } + + ret = atcacert_cert_build_process(&build_state, &device_locs[i], data); 
+ if (ret != ATCACERT_E_SUCCESS) + { + return ret; + } + } + + ret = atcacert_cert_build_finish(&build_state); + if (ret != ATCACERT_E_SUCCESS) + { + return ret; + } +#endif } return ATCACERT_E_SUCCESS; 
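Review bot: With `ATCACERT_COMPCERT_EN` disabled the new `else` branch compiles to nothing, so a definition whose type is not `CERTTYPE_X509_FULL_STORED` reaches the final `return ATCACERT_E_SUCCESS;` without a byte written to `cert`, and the caller treats an untouched buffer as a certificate. Adding `#else` and `return ATCA_UNIMPLEMENTED;` before that branch's `#endif` would make the unsupported case fail closed; the `atcacert_write_cert_ext` hunk that follows has the same fall-through. In the full-stored branch `*cert_def->parsed` is dereferenced without the `NULL != cert_def->parsed` test that the getters in atcacert_def.c apply, so that check belongs here as well. The function's parameter validation lies outside this hunk.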
@@ -227,58 +254,71 @@ ATCA_STATUS atcacert_write_cert_ext(ATCADevice device, return ATCACERT_E_BAD_PARAMS; } - ret = atcacert_get_device_locs( - cert_def, - device_locs, - &device_locs_count, - sizeof(device_locs) / sizeof(device_locs[0]), - ATCA_BLOCK_SIZE); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } - - for (i = 0; i < device_locs_count; i++) + if (CERTTYPE_X509_FULL_STORED == cert_def->type) { - int end_block; - int start_block; - static uint8_t data[416]; - int block; - - if (device_locs[i].zone == DEVZONE_CONFIG) - { - continue; // Cert data isn't written to the config zone, only read - } - if (device_locs[i].zone == DEVZONE_DATA && (0U != device_locs[i].is_genkey)) + ret = atcab_write_bytes_zone_ext(device, (uint8_t)cert_def->comp_cert_dev_loc.zone, + cert_def->comp_cert_dev_loc.slot, 0, cert, cert_size); + if (ret != ATCACERT_E_SUCCESS) { - continue; // Public key is generated not written - + return ret; } - ret = atcacert_get_device_data(cert_def, cert, cert_size, &device_locs[i], data); + } + else + { +#if ATCACERT_COMPCERT_EN + ret = atcacert_get_device_locs( + cert_def, + device_locs, + &device_locs_count, + sizeof(device_locs) / sizeof(device_locs[0]), + ATCA_BLOCK_SIZE); if (ret != ATCACERT_E_SUCCESS) { return ret; } - start_block = (int)device_locs[i].offset / (int)ATCA_BLOCK_SIZE; - end_block = floor_div(((int)device_locs[i].offset + (int)device_locs[i].count) - 1, (int)ATCA_BLOCK_SIZE); - for (block = start_block; block <= end_block; block++) + for (i = 0; i < device_locs_count; i++) { - ret = atcab_write_zone_ext( - device, - (uint8_t)device_locs[i].zone, - device_locs[i].slot, - (uint8_t)block, - 0, - &data[(block - start_block) * (int)ATCA_BLOCK_SIZE], - ATCA_BLOCK_SIZE); - if (ret != ATCA_SUCCESS) + int end_block; + int start_block; + static uint8_t data[416]; + int block; + + if (device_locs[i].zone == DEVZONE_CONFIG) + { + continue; // Cert data isn't written to the config zone, only read + } + if (device_locs[i].zone == 
DEVZONE_DATA && (0U != device_locs[i].is_genkey)) + { + continue; // Public key is generated not written + + } + ret = atcacert_get_device_data(cert_def, cert, cert_size, &device_locs[i], data); + if (ret != ATCACERT_E_SUCCESS) { return ret; } + + start_block = (int)device_locs[i].offset / (int)ATCA_BLOCK_SIZE; + end_block = floor_div(((int)device_locs[i].offset + (int)device_locs[i].count) - 1, (int)ATCA_BLOCK_SIZE); + for (block = start_block; block <= end_block; block++) + { + ret = atcab_write_zone_ext( + device, + (uint8_t)device_locs[i].zone, + device_locs[i].slot, + (uint8_t)block, + 0, + &data[(block - start_block) * (int)ATCA_BLOCK_SIZE], + ATCA_BLOCK_SIZE); + if (ret != ATCA_SUCCESS) + { + return ret; + } + } } +#endif } - return ATCACERT_E_SUCCESS; } @@ -290,6 +330,7 @@ ATCA_STATUS atcacert_write_cert(const atcacert_def_t* cert_def, } #endif +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_create_csr_pem(const atcacert_def_t* csr_def, char* csr, size_t* csr_size) { ATCA_STATUS status = ATCA_SUCCESS; @@ -414,8 +455,7 @@ ATCA_STATUS atcacert_create_csr(const atcacert_def_t* csr_def, uint8_t* csr, siz // The exact size of the csr cannot be determined until after adding the signature // it is returned in the csr_size parameter. (*csr_size = *csr_size;) - } - while (false); + } while (false); return status; } @@ -465,6 +505,7 @@ ATCA_STATUS atcacert_read_subj_key_id(const atcacert_def_t* cert_def, uint8_t su { return atcacert_read_subj_key_id_ext(atcab_get_device(), cert_def, subj_key_id); } +#endif ATCA_STATUS atcacert_read_cert_size_ext(ATCADevice device, const atcacert_def_t* cert_def, 
@@ -479,19 +520,29 @@ ATCA_STATUS atcacert_read_cert_size_ext(ATCADevice device, return ATCACERT_E_BAD_PARAMS; } - ret = atcab_read_bytes_zone_ext(device, (uint8_t)DEVZONE_TO_BYTEVAL(cert_def->comp_cert_dev_loc.zone), - cert_def->comp_cert_dev_loc.slot, - cert_def->comp_cert_dev_loc.offset, - &buffer[8], ATCA_ECCP256_SIG_SIZE); - - if (ATCACERT_E_SUCCESS == ret) + if (CERTTYPE_X509_FULL_STORED == cert_def->type) { - ret = atcacert_der_enc_ecdsa_sig_value(&buffer[8], buffer, &buflen); + ret = atcab_get_zone_size_ext(device, (uint8_t)cert_def->comp_cert_dev_loc.zone, + cert_def->comp_cert_dev_loc.slot, cert_size); } - - if (ATCACERT_E_SUCCESS == ret) + else { - *cert_size = cert_def->std_cert_elements[STDCERT_SIGNATURE].offset + buflen; +#if ATCACERT_COMPCERT_EN + ret = atcab_read_bytes_zone_ext(device, (uint8_t)DEVZONE_TO_BYTEVAL(cert_def->comp_cert_dev_loc.zone), + cert_def->comp_cert_dev_loc.slot, + cert_def->comp_cert_dev_loc.offset, + &buffer[8], ATCA_ECCP256_SIG_SIZE); + + if (ATCACERT_E_SUCCESS == ret) + { + ret = atcacert_der_enc_ecdsa_sig_value(&buffer[8], buffer, &buflen); + } + + if (ATCACERT_E_SUCCESS == ret) + { + *cert_size = cert_def->std_cert_elements[STDCERT_SIGNATURE].offset + buflen; + } +#endif } return ret; @@ -502,5 +553,3 @@ ATCA_STATUS atcacert_read_cert_size(const atcacert_def_t* cert_def, { return atcacert_read_cert_size_ext(atcab_get_device(), cert_def, cert_size); } - -#endif diff --git a/lib/atcacert/atcacert_date.c b/lib/atcacert/atcacert_date.c index 221b6a4bd..ba55c30a6 100644 --- a/lib/atcacert/atcacert_date.c +++ b/lib/atcacert/atcacert_date.c @@ -30,7 +30,6 @@ #include "atcacert_date.h" #include "atca_compiler.h" -#if ATCACERT_COMPCERT_EN const size_t ATCACERT_DATE_FORMAT_SIZES[ATCACERT_DATE_FORMAT_SIZES_COUNT] = { DATEFMT_ISO8601_SEP_SIZE, 
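Review bot: For `CERTTYPE_X509_FULL_STORED` the value written to `cert_size` comes from `atcab_get_zone_size_ext`, which by its name presumably reports the capacity of the slot rather than the length of the DER certificate stored in it. `atcacert_read_cert_ext` then reads `*cert_size` bytes and wraps that same length in the `cal_buffer` handed to `atcac_parse_der`, so any bytes that follow the certificate in the slot are presented as certificate data. If that is intended, a comment such as `/* cert_size is the slot size; the DER length may be smaller */` would make it explicit; otherwise the length should be derived from the outer SEQUENCE header after the read. The start of the function is outside the hunk.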
@@ -40,6 +39,35 @@ const size_t ATCACERT_DATE_FORMAT_SIZES[ATCACERT_DATE_FORMAT_SIZES_COUNT] = { DATEFMT_RFC5280_GEN_SIZE }; +atcacert_date_format_t atcacert_date_from_asn1_tag(const uint8_t tag) +{ + atcacert_date_format_t fmt; + +#ifdef ATCA_MBEDTLS + fmt = DATEFMT_RFC5280_GEN; //Mbedtls follows always "YYYY-MM-DD HH:MM:SS." +#else + switch (tag) + { +#if ATCACERT_DATEFMT_UTC_EN + case 0x17: + fmt = DATEFMT_RFC5280_UTC; + break; +#endif +#if ATCACERT_DATEFMT_GEN_EN + case 0x18: + fmt = DATEFMT_RFC5280_GEN; + break; +#endif + default: + fmt = DATEFMT_INVALID; + break; + } +#endif + + return fmt; +} + + ATCA_STATUS atcacert_date_enc(atcacert_date_format_t format, const atcacert_tm_utc_t* timestamp, uint8_t* formatted_date, @@ -426,7 +454,6 @@ ATCA_STATUS atcacert_date_dec_iso8601_sep(const uint8_t formatted_date[DATE if (*(cur_pos++) != (uint8_t)'T') { return ATCACERT_E_DECODING_ERROR; // Unexpected separator - } new_pos = str_to_int(cur_pos, 2, ×tamp->tm_hour); if (new_pos == cur_pos) @@ -438,7 +465,6 @@ ATCA_STATUS atcacert_date_dec_iso8601_sep(const uint8_t formatted_date[DATE if (*(cur_pos++) != (uint8_t)':') { return ATCACERT_E_DECODING_ERROR; // Unexpected separator - } new_pos = str_to_int(cur_pos, 2, ×tamp->tm_min); if (new_pos == cur_pos) @@ -986,8 +1012,7 @@ static ATCA_STATUS atcacert_date_enc_posix_uint32(const atcacert_tm_utc_t* timep rv = atcacert_posix_enc_second(posix_uint32, timeptr->tm_sec); - } - while (false); + } while (false); } return rv; @@ -1197,7 +1222,8 @@ ATCA_STATUS atcacert_date_dec_compcert(const uint8_t enc_dates[3], * Minutes and seconds are always zero. */ - if (enc_dates == NULL || issue_date == NULL || expire_date == NULL || expire_date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) + if (enc_dates == NULL || issue_date == NULL || expire_date == NULL || + expire_date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) { return ATCACERT_E_BAD_PARAMS; } 
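Review bot: The tag values `0x17` and `0x18` in `atcacert_date_from_asn1_tag` are bare literals; a short comment on each case (`/* ASN.1 UTCTime */`, `/* ASN.1 GeneralizedTime */`) or named constants would make the mapping readable. Under `ATCA_MBEDTLS` the `tag` argument is never read and every input maps to `DATEFMT_RFC5280_GEN`, so the `DATEFMT_INVALID` result promised in the header comment cannot occur in that build; `(void)tag;` plus a sentence in the doc comment would record that. The existing comment there gives the format as "YYYY-MM-DD HH:MM:SS.", which does not match the `YYYYMMDDhhmmssZ` layout documented for `DATEFMT_RFC5280_GEN` in atcacert_date.h.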
@@ -1234,5 +1260,3 @@ ATCA_STATUS atcacert_date_dec_compcert(const uint8_t enc_dates[3], #ifdef __COVERITY__ #pragma coverity compliance end_block "MISRA C-2012 Rule 10.8" #endif - -#endif diff --git a/lib/atcacert/atcacert_date.h b/lib/atcacert/atcacert_date.h index 01f30c6ba..18ad73762 100644 --- a/lib/atcacert/atcacert_date.h +++ b/lib/atcacert/atcacert_date.h @@ -72,11 +72,12 @@ typedef struct atcacert_tm_utc_s /** * Date formats. */ -#define DATEFMT_ISO8601_SEP 0 //!< ISO8601 full date YYYY-MM-DDThh:mm:ssZ -#define DATEFMT_RFC5280_UTC 1 //!< RFC 5280 (X.509) 4.1.2.5.1 UTCTime format YYMMDDhhmmssZ -#define DATEFMT_POSIX_UINT32_BE 2 //!< POSIX (aka UNIX) date format. Seconds since Jan 1, 1970. 32 bit unsigned integer, big endian. -#define DATEFMT_POSIX_UINT32_LE 3 //!< POSIX (aka UNIX) date format. Seconds since Jan 1, 1970. 32 bit unsigned integer, little endian. -#define DATEFMT_RFC5280_GEN 4 //!< RFC 5280 (X.509) 4.1.2.5.2 GeneralizedTime format YYYYMMDDhhmmssZ +#define DATEFMT_ISO8601_SEP (0U) //!< ISO8601 full date YYYY-MM-DDThh:mm:ssZ +#define DATEFMT_RFC5280_UTC (1U) //!< RFC 5280 (X.509) 4.1.2.5.1 UTCTime format YYMMDDhhmmssZ +#define DATEFMT_POSIX_UINT32_BE (2U) //!< POSIX (aka UNIX) date format. Seconds since Jan 1, 1970. 32 bit unsigned integer, big endian. +#define DATEFMT_POSIX_UINT32_LE (3U) //!< POSIX (aka UNIX) date format. Seconds since Jan 1, 1970. 32 bit unsigned integer, little endian. +#define DATEFMT_RFC5280_GEN (4U) //!< RFC 5280 (X.509) 4.1.2.5.2 GeneralizedTime format YYYYMMDDhhmmssZ +#define DATEFMT_INVALID (0xFFU) typedef uint8_t atcacert_date_format_t; 
@@ -154,6 +155,13 @@ ATCA_STATUS atcacert_date_dec_compcert(const uint8_t enc_dates[3], atcacert_tm_utc_t* issue_date, atcacert_tm_utc_t* expire_date); +/** + * \brief Convert the asn1 tag for the supported time formats into the local time format + * + * \return DATEFMT_RFC5280_UTC, DATEFMT_RFC5280_GEN, or DATEFMT_INVALID + */ +atcacert_date_format_t atcacert_date_from_asn1_tag(const uint8_t tag); + /** * \brief Return the maximum date available for the given format. * diff --git a/lib/atcacert/atcacert_def.c b/lib/atcacert/atcacert_def.c index 0dbce916d..9d57423ec 100644 --- a/lib/atcacert/atcacert_def.c +++ b/lib/atcacert/atcacert_def.c @@ -26,14 +26,16 @@ */ #include "atcacert_def.h" +#include "crypto/atca_crypto_sw.h" #include "crypto/atca_crypto_sw_sha1.h" #include "crypto/atca_crypto_sw_sha2.h" #include "atcacert_der.h" #include "atcacert_date.h" #include #include "atca_helpers.h" +#include "cal_buffer.h" + -#if ATCACERT_COMPCERT_EN #ifdef __COVERITY__ #pragma coverity compliance block \ @@ -42,6 +44,8 @@ (deviate "MISRA C-2012 Rule 10.4" "The module has been extensively tested to ensure behavior is correct") #endif +#if ATCACERT_COMPCERT_EN + #define ATCACERT_MIN(x, y) ((x) < (y) ? (x) : (y)) #define ATCACERT_MAX(x, y) ((x) >= (y) ? (x) : (y)) @@ -563,8 +567,8 @@ bool atcacert_is_device_loc_overlap(const atcacert_device_loc_t* device_loc1, return FALSE; // Data zone, same slot, but read method doesn't match, can't overlap } - return !( (device_loc1->offset + device_loc1->count <= device_loc2->offset) - || (device_loc1->offset >= device_loc2->offset + device_loc2->count) ); + return !((device_loc1->offset + device_loc1->count <= device_loc2->offset) + || (device_loc1->offset >= device_loc2->offset + device_loc2->count)); } static void atcacert_copy_device_loc_data(const atcacert_device_loc_t* device_loc_src, 
@@ -573,7 +577,7 @@ static void atcacert_copy_device_loc_data(const atcacert_device_loc_t* device_lo uint8_t* data_dest) { size_t offset = ATCACERT_MAX((size_t)device_loc_src->offset, (size_t)device_loc_dest->offset); - size_t end = ATCACERT_MIN((size_t)device_loc_src->offset + (size_t)device_loc_src->count, (size_t)device_loc_dest->offset + (size_t)device_loc_dest->count); + size_t end = ATCACERT_MIN((size_t)device_loc_src->offset + (size_t)device_loc_src->count, (size_t)device_loc_dest->offset + (size_t)device_loc_dest->count); (void)memcpy(&data_dest[offset - device_loc_dest->offset], &data_src[offset - device_loc_src->offset], end - offset); } @@ -625,7 +629,7 @@ ATCA_STATUS atcacert_get_device_data(const atcacert_def_t* cert_def, } else { - ; // no further action + // no further action } atcacert_copy_device_loc_data(&cert_def->public_key_dev_loc, temp_buf, device_loc, device_data); 
@@ -710,18 +714,60 @@ ATCA_STATUS atcacert_set_subj_public_key(const atcacert_def_t* cert_def, return ATCACERT_E_SUCCESS; } +#endif + +ATCA_STATUS atcacert_get_subject(const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + cal_buffer* cert_subj_buf) +{ + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + + ((void)cert); + ((void)cert_size); + + if (NULL != cert_def) + { +#if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + status = (NULL != cert_def->parsed) ? atcac_get_subject(*cert_def->parsed, cert_subj_buf) : ATCACERT_E_ERROR; + } +#else + status = ATCA_UNIMPLEMENTED; +#endif + } + return status; +} ATCA_STATUS atcacert_get_subj_public_key(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, uint8_t subj_public_key[64]) { - if (cert_def == NULL || cert == NULL || subj_public_key == NULL) + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + + if (NULL != cert_def && NULL != subj_public_key) { - return ATCACERT_E_BAD_PARAMS; +#if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer pk_buf = CAL_BUF_INIT(64U, subj_public_key); + status = (NULL != cert_def->parsed) ? atcac_get_subj_public_key(*cert_def->parsed, &pk_buf) : ATCACERT_E_ERROR; + } + else +#endif + { +#if ATCACERT_COMPCERT_EN + if (NULL != cert) + { + //For ECC608, always EC256 supported, hence pubkey size is max 64 + status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_PUBLIC_KEY], cert, cert_size, subj_public_key, 64); + } +#endif + } } - - return atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_PUBLIC_KEY], cert, cert_size, subj_public_key, 64); + return status; } ATCA_STATUS atcacert_get_subj_key_id(const atcacert_def_t* cert_def, 
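Review bot: In the `CERTTYPE_X509_FULL_STORED` branch of `atcacert_get_subj_public_key` the `cert` and `cert_size` arguments are ignored and the key is taken from `*cert_def->parsed`, which `atcacert_read_cert_ext` fills only while it is still NULL. A caller that passes a different or re-read certificate buffer therefore receives the fields of whichever certificate was parsed first, and nothing in the hunk documents that. I would state it in the function comments, for example `/* For CERTTYPE_X509_FULL_STORED, cert/cert_size are unused; values come from cert_def->parsed */`, or reparse when the buffer differs. `atcacert_get_subject` also passes `cert_subj_buf` on without a NULL test, unlike `subj_public_key`; the same pattern appears in `atcacert_get_subj_key_id` and `atcacert_get_issuer` in the next hunk.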
@@ -729,14 +775,54 @@ ATCA_STATUS atcacert_get_subj_key_id(const atcacert_def_t* cert_def, size_t cert_size, uint8_t subj_key_id[20]) { - if (cert_def == NULL || cert == NULL || subj_key_id == NULL) + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + + if (NULL != cert_def && NULL != subj_key_id) { - return ATCACERT_E_BAD_PARAMS; +#if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer kid_buf = CAL_BUF_INIT(20U, subj_key_id); + + status = (NULL != cert_def->parsed) ? atcac_get_subj_key_id(*cert_def->parsed, &kid_buf) : ATCACERT_E_ERROR; + } + else +#endif + { +#if ATCACERT_COMPCERT_EN + if (NULL != cert) + { + status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_SUBJ_KEY_ID], cert, cert_size, subj_key_id, 20); + } +#endif + } } + return status; +} + +ATCA_STATUS atcacert_get_issuer(const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + uint8_t cert_issuer[128]) +{ + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; - return atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_SUBJ_KEY_ID], cert, cert_size, subj_key_id, 20); + if (NULL != cert_def && NULL != cert_issuer) + { + #if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer issuer_buf = CAL_BUF_INIT(128U, cert_issuer); + status = (NULL != cert_def->parsed) ? atcac_get_issuer(*cert_def->parsed, &issuer_buf) : ATCACERT_E_ERROR; + } + #else + status = ATCA_UNIMPLEMENTED; + #endif + } + return status; } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_signature(const atcacert_def_t* cert_def, uint8_t* cert, size_t* cert_size, 
@@ -752,7 +838,7 @@ ATCA_STATUS atcacert_set_signature(const atcacert_def_t* cert_def, ATCA_CHECK_INVALID((NULL == cert_def) || (NULL == cert) || (0 == cert_size) || (NULL == signature), ATCACERT_E_BAD_PARAMS); - sig_offset = (size_t)cert_def->std_cert_elements[STDCERT_SIGNATURE].offset; + sig_offset = cert_def->std_cert_elements[STDCERT_SIGNATURE].offset; sig_offset += get_effective_offset(cert_def, cert, sig_offset); // Non X.509 signatures are treated like normal certificate elements 
@@ -868,47 +954,79 @@ ATCA_STATUS atcacert_set_issue_date(const atcacert_def_t* cert_def, return ATCACERT_E_SUCCESS; } +#endif ATCA_STATUS atcacert_get_issue_date(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, atcacert_tm_utc_t* timestamp) { - ATCA_STATUS ret = 0; - uint8_t formatted_date[DATEFMT_MAX_SIZE]; - size_t formatted_date_size; + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + uint8_t formatted_date[DATEFMT_MAX_SIZE] = { 0x00 }; + size_t formatted_date_size = 0; + atcacert_date_format_t date_format = 0; - if (cert_def == NULL || cert == NULL || timestamp == NULL) + do { - return ATCACERT_E_BAD_PARAMS; - } + if (cert_def == NULL || timestamp == NULL) + { + break; + } - if (cert_def->issue_date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) - { - return ATCACERT_E_ERROR; // Format is out of range + #if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer ts_buf = CAL_BUF_INIT(sizeof(formatted_date), formatted_date); + uint8_t tag = 0U; - } - formatted_date_size = ATCACERT_DATE_FORMAT_SIZES[cert_def->issue_date_format]; - if (formatted_date_size > sizeof(formatted_date)) - { - return ATCACERT_E_ERROR; // DATEFMT_MAX_SIZE is wrong + status = (NULL != cert_def->parsed) ? 
atcac_get_issue_date(*cert_def->parsed, &ts_buf, &tag) : ATCACERT_E_ERROR; - } - ret = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_ISSUE_DATE], cert, cert_size, formatted_date, formatted_date_size); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } + if (ATCA_SUCCESS != status) + { + break; + } + formatted_date_size = ts_buf.len; + date_format = atcacert_date_from_asn1_tag(tag); + } + else + #endif + { +#if ATCACERT_COMPCERT_EN + if (NULL == cert) + { + break; + } - ret = atcacert_date_dec(cert_def->issue_date_format, formatted_date, formatted_date_size, timestamp); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } + date_format = cert_def->issue_date_format; - return ATCACERT_E_SUCCESS; + if (date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) + { + status = ATCACERT_E_ERROR; // Format is out of range + break; + } + formatted_date_size = ATCACERT_DATE_FORMAT_SIZES[date_format]; + if (formatted_date_size > sizeof(formatted_date)) + { + status = ATCACERT_E_ERROR; // DATEFMT_MAX_SIZE is wrong + break; + } + + if (ATCA_SUCCESS != (status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_ISSUE_DATE], cert, + cert_size, formatted_date, formatted_date_size))) + { + break; + } +#endif + } + + /* Decode the encoded date into our local format */ + status = atcacert_date_dec(date_format, formatted_date, formatted_date_size, timestamp); + } while (false); + + return status; } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_expire_date(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, 
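Review bot: `atcacert_date_dec` now runs after both branches with whatever `date_format` holds, and in the full-stored branch that can be `DATEFMT_INVALID` when `atcacert_date_from_asn1_tag` does not recognise the tag; the range test against `ATCACERT_DATE_FORMAT_SIZES` exists only on the compressed-cert path. A guard before the decode, `if (DATEFMT_INVALID == date_format) { status = ATCACERT_E_DECODING_ERROR; break; }`, keeps the result independent of how the decoder treats an unknown format. With `ATCACERT_COMPCERT_EN` disabled the `else` block is also empty, so a definition that is not full-stored decodes the zeroed buffer with format 0 and length 0 instead of reporting the type as unsupported. `atcacert_get_expire_date` in the following hunk is written the same way.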
@@ -942,45 +1060,75 @@ ATCA_STATUS atcacert_set_expire_date(const atcacert_def_t* cert_def, return ATCACERT_E_SUCCESS; } +#endif ATCA_STATUS atcacert_get_expire_date(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, atcacert_tm_utc_t* timestamp) { - ATCA_STATUS ret = 0; - uint8_t formatted_date[DATEFMT_MAX_SIZE]; - size_t formatted_date_size; + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + uint8_t formatted_date[DATEFMT_MAX_SIZE] = { 0x00 }; + size_t formatted_date_size = 0; + atcacert_date_format_t date_format = 0; - if (cert_def == NULL || cert == NULL || timestamp == NULL) + do { - return ATCACERT_E_BAD_PARAMS; - } + if (cert_def == NULL || timestamp == NULL) + { + break; + } - if (cert_def->expire_date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) - { - return ATCACERT_E_ERROR; // Format is out of range + #if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer ts_buf = CAL_BUF_INIT(sizeof(formatted_date), formatted_date); + uint8_t tag = 0U; - } - formatted_date_size = ATCACERT_DATE_FORMAT_SIZES[cert_def->expire_date_format]; - if (formatted_date_size > sizeof(formatted_date)) - { - return ATCACERT_E_ERROR; // DATEFMT_MAX_SIZE is wrong + status = (NULL != cert_def->parsed) ? 
atcac_get_expire_date(*cert_def->parsed, &ts_buf, &tag) : ATCACERT_E_ERROR; - } - ret = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_EXPIRE_DATE], cert, cert_size, formatted_date, formatted_date_size); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } + if (ATCA_SUCCESS != status) + { + break; + } + formatted_date_size = ts_buf.len; + date_format = atcacert_date_from_asn1_tag(tag); + } + else + #endif + { +#if ATCACERT_COMPCERT_EN + if (NULL == cert) + { + break; + } - ret = atcacert_date_dec(cert_def->expire_date_format, formatted_date, formatted_date_size, timestamp); - if (ret != ATCACERT_E_SUCCESS) - { - return ret; - } + date_format = cert_def->expire_date_format; - return ATCACERT_E_SUCCESS; + if (date_format >= sizeof(ATCACERT_DATE_FORMAT_SIZES) / sizeof(ATCACERT_DATE_FORMAT_SIZES[0])) + { + status = ATCACERT_E_ERROR; // Format is out of range + break; + } + formatted_date_size = ATCACERT_DATE_FORMAT_SIZES[date_format]; + if (formatted_date_size > sizeof(formatted_date)) + { + status = ATCACERT_E_ERROR; // DATEFMT_MAX_SIZE is wrong + break; + } + + if (ATCA_SUCCESS != (status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_EXPIRE_DATE], cert, + cert_size, formatted_date, formatted_date_size))) + { + break; + } +#endif + } + + status = atcacert_date_dec(date_format, formatted_date, formatted_date_size, timestamp); + } while (false); + + return status; } static void uint8_to_hex(uint8_t num, uint8_t* hex_str) @@ -1006,6 +1154,7 @@ static void uint8_to_hex(uint8_t num, uint8_t* hex_str) } } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, 
@@ -1023,6 +1172,7 @@ ATCA_STATUS atcacert_set_signer_id(const atcacert_def_t* cert_def, return atcacert_set_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_SIGNER_ID], cert, cert_size, hex_str, 4); } +#endif static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num) { @@ -1065,6 +1215,7 @@ static ATCA_STATUS hex_to_uint8(const uint8_t hex_str[2], uint8_t* num) return ATCACERT_E_SUCCESS; } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_get_signer_id(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, @@ -1137,7 +1288,9 @@ ATCA_STATUS atcacert_set_cert_sn(const atcacert_def_t* cert_def, { (void)memmove( &cert[sn_cert_loc->offset + sn_cert_loc->count], - &cert[sn_cert_loc->offset + (int)sn_cert_loc->count + sn_offset], + /* coverity[misra_c_2012_rule_10_4_violation] Since certificate offsets are calculated, sn_offset being signed will not cause problem */ + /* coverity[misra_c_2012_rule_10_7_violation:FALSE] False positive, value within type limits */ + &cert[sn_cert_loc->offset + sn_cert_loc->count + sn_offset], *cert_size - ((size_t)sn_cert_loc->offset + (size_t)sn_cert_loc->count)); *cert_size += sn_offset; } @@ -1148,7 +1301,7 @@ ATCA_STATUS atcacert_set_cert_sn(const atcacert_def_t* cert_def, // Indicate how much buffer it has to work with - cert_der_len = *cert_size - 1; // Right after first sequence tag; 1 for der_len_offset + cert_der_len = *cert_size - 1U; // Right after first sequence tag; 1 for der_len_offset ret = atcacert_der_adjust_length( &cert[der_len_offset], 
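Review bot: The `memmove` in `atcacert_set_cert_sn` now indexes `cert` with `sn_cert_loc->offset + sn_cert_loc->count + sn_offset`, and the MISRA 10.4/10.7 findings are silenced by annotation rather than by a check. The added comment says `sn_offset` is signed, so a negative value larger than `offset + count` would move the source before the buffer, and a `*cert_size` smaller than `offset + count` would wrap the length argument; any guard against either lies outside this hunk, as the function starts and ends outside it. If no earlier check exists, add one before the move, for example `if ((size_t)sn_cert_loc->offset + (size_t)sn_cert_loc->count > *cert_size) { return ATCACERT_E_ELEM_OUT_OF_BOUNDS; }`, and name that check in the annotation so the suppression is justified by code rather than by assertion.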
@@ -1161,15 +1314,15 @@ ATCA_STATUS atcacert_set_cert_sn(const atcacert_def_t* cert_def, } if (1u + cert_der_len + cert_len != *cert_size) { - return ATCACERT_E_BAD_CERT; // Cert was malformed + return ATCACERT_E_BAD_CERT; // Cert was malformed } - der_len_offset = 1u + cert_der_len + 1u; // cert Tag (1), cert len, TBS tag (1) + der_len_offset = 1u + cert_der_len + 1u; // cert Tag (1), cert len, TBS tag (1) if (der_len_offset > *cert_size) { return ATCACERT_E_ELEM_OUT_OF_BOUNDS; } - tbs_der_len = *cert_size - der_len_offset; // Indicate how much buffer it has to work with: + tbs_der_len = *cert_size - der_len_offset; // Indicate how much buffer it has to work with: ret = atcacert_der_adjust_length( &cert[der_len_offset], &tbs_der_len, @@ -1200,9 +1353,10 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, { ATCA_STATUS ret = ATCACERT_E_SUCCESS; size_t sn_size = 0; - uint8_t msg[64 + 3]; - uint8_t sn[32]; + uint8_t msg[64 + 3] = { 0x00 }; + uint8_t sn[32] = { 0x00 }; atcacert_tm_utc_t issue_date; + uint8_t expire_years; if (cert_def == NULL || cert == NULL) { @@ -1212,12 +1366,13 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, if (cert_def->sn_source == SNSRC_STORED || cert_def->sn_source == SNSRC_STORED_DYNAMIC || cert_def->std_cert_elements[STDCERT_CERT_SN].count == 0u) { return ATCACERT_E_SUCCESS; // Certificate serial number is not generated or not in the certificate - } + (void)memset(&issue_date, 0, sizeof(atcacert_tm_utc_t)); + switch (cert_def->sn_source) { - case SNSRC_DEVICE_SN: // Cert serial number is 0x40(MSB) + 9-byte device serial number. Only applies to device certificates. + case SNSRC_DEVICE_SN: // Cert serial number is 0x40(MSB) + 9-byte device serial number. Only applies to device certificates. if (device_sn == NULL) { ret = ATCACERT_E_BAD_PARAMS; 
@@ -1230,13 +1385,13 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, } break; - case SNSRC_SIGNER_ID: // Cert serial number is 0x40(MSB) + 2-byte signer ID. Only applies to signer certificates. + case SNSRC_SIGNER_ID: // Cert serial number is 0x40(MSB) + 2-byte signer ID. Only applies to signer certificates. sn_size = 1 + 2; sn[0] = 0x40; ret = atcacert_get_signer_id(cert_def, cert, cert_size, &sn[1]); break; - case SNSRC_PUB_KEY_HASH_RAW: // Cert serial number is the SHA256(Subject public key + Encoded dates) + case SNSRC_PUB_KEY_HASH_RAW: // Cert serial number is the SHA256(Subject public key + Encoded dates) case SNSRC_PUB_KEY_HASH_POS: case SNSRC_PUB_KEY_HASH: if (cert_def->std_cert_elements[STDCERT_CERT_SN].count > 32u) @@ -1259,7 +1414,12 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, { break; } - ret = atcacert_date_enc_compcert(&issue_date, cert_def->expire_years, &msg[64]); + ret = atcacert_calc_expire_years(cert_def, cert, cert_size, issue_date.tm_year, &expire_years); + if (ret != ATCACERT_E_SUCCESS) + { + break; + } + ret = atcacert_date_enc_compcert(&issue_date, expire_years, &msg[64]); if (ret != ATCACERT_E_SUCCESS) { break; 
@@ -1272,15 +1432,15 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, if (cert_def->sn_source == SNSRC_PUB_KEY_HASH_POS || cert_def->sn_source == SNSRC_PUB_KEY_HASH) { - sn[0] &= 0x7Fu; // Ensure the SN is positive + sn[0] &= 0x7Fu; // Ensure the SN is positive } if (cert_def->sn_source == SNSRC_PUB_KEY_HASH) { - sn[0] |= 0x40u; // Ensure the SN doesn't have any trimmable bytes + sn[0] |= 0x40u; // Ensure the SN doesn't have any trimmable bytes } break; - case SNSRC_DEVICE_SN_HASH_RAW: // Cert serial number is the SHA256(Device SN + Encoded dates). Only applies to device certificates. + case SNSRC_DEVICE_SN_HASH_RAW: // Cert serial number is the SHA256(Device SN + Encoded dates). Only applies to device certificates. case SNSRC_DEVICE_SN_HASH_POS: case SNSRC_DEVICE_SN_HASH: if (device_sn == NULL) @@ -1304,7 +1464,12 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, { break; } - ret = atcacert_date_enc_compcert(&issue_date, cert_def->expire_years, &msg[9]); + ret = atcacert_calc_expire_years(cert_def, cert, cert_size, issue_date.tm_year, &expire_years); + if (ret != ATCACERT_E_SUCCESS) + { + break; + } + ret = atcacert_date_enc_compcert(&issue_date, expire_years, &msg[9]); if (ret != ATCACERT_E_SUCCESS) { break; @@ -1317,11 +1482,11 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, if (cert_def->sn_source == SNSRC_DEVICE_SN_HASH_POS || cert_def->sn_source == SNSRC_DEVICE_SN_HASH) { - sn[0] &= 0x7Fu; // Ensure the SN is positive + sn[0] &= 0x7Fu; // Ensure the SN is positive } if (cert_def->sn_source == SNSRC_DEVICE_SN_HASH) { - sn[0] |= 0x40u; // Ensure the SN doesn't have any trimmable bytes + sn[0] |= 0x40u; // Ensure the SN doesn't have any trimmable bytes } break; @@ -1337,6 +1502,7 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, return ret; } +#endif ATCA_STATUS atcacert_get_cert_sn(const atcacert_def_t* cert_def, const uint8_t* cert, 
@@ -1344,22 +1510,48 @@ ATCA_STATUS atcacert_get_cert_sn(const atcacert_def_t* cert_def, uint8_t* cert_sn, size_t* cert_sn_size) { - if (cert_def == NULL || cert == NULL || cert_sn == NULL || cert_sn_size == NULL) - { - return ATCACERT_E_BAD_PARAMS; - } + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; - if (*cert_sn_size < cert_def->std_cert_elements[STDCERT_CERT_SN].count) + if (NULL != cert_def && NULL != cert_sn && NULL != cert_sn_size) { - *cert_sn_size = cert_def->std_cert_elements[STDCERT_CERT_SN].count; - return ATCACERT_E_BUFFER_TOO_SMALL; - } + #if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer sn_buf = CAL_BUF_INIT(*cert_sn_size, cert_sn); - *cert_sn_size = cert_def->std_cert_elements[STDCERT_CERT_SN].count; + status = (NULL != cert_def->parsed) ? atcac_get_cert_sn(*cert_def->parsed, &sn_buf) : ATCACERT_E_ERROR; + + if (ATCA_SUCCESS == status) + { + *cert_sn_size = cal_buf_get_used(&sn_buf); + } + } + else + #endif + { +#if ATCACERT_COMPCERT_EN + if (NULL != cert) + { + if (*cert_sn_size < cert_def->std_cert_elements[STDCERT_CERT_SN].count) + { + *cert_sn_size = cert_def->std_cert_elements[STDCERT_CERT_SN].count; + status = ATCACERT_E_BUFFER_TOO_SMALL; + } + else + { + *cert_sn_size = cert_def->std_cert_elements[STDCERT_CERT_SN].count; + status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_CERT_SN], + cert, cert_size, cert_sn, *cert_sn_size); + } + } +#endif + } + } - return atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_CERT_SN], cert, cert_size, cert_sn, *cert_sn_size); + return status; } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_auth_key_id(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, 
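Review bot: The two branches of the new `atcacert_get_cert_sn` treat `*cert_sn_size` differently when the caller's buffer is too small. The compressed-certificate branch writes the required size back and returns `ATCACERT_E_BUFFER_TOO_SMALL`, while the `CERTTYPE_X509_FULL_STORED` branch updates `*cert_sn_size` only on success and otherwise returns whatever `atcac_get_cert_sn` reports (its behaviour is not visible here). A caller that sizes its buffer from the first call will not work for full-stored certificates, so either map that failure to the same contract or document the difference at the declaration, e.g. `cert_sn_size is updated on failure only for compressed certificate definitions`.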
@@ -1400,7 +1592,8 @@ ATCA_STATUS atcacert_set_auth_key_id_raw(const atcacert_def_t* cert_def, return ATCACERT_E_BAD_PARAMS; } - ret = atcacert_set_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID], cert, cert_size, auth_key_id, cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID].count); + ret = atcacert_set_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID], cert, cert_size, + auth_key_id, cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID].count); if (ret != ATCACERT_E_SUCCESS) { return ret; @@ -1408,20 +1601,39 @@ ATCA_STATUS atcacert_set_auth_key_id_raw(const atcacert_def_t* cert_def, return ATCACERT_E_SUCCESS; } +#endif ATCA_STATUS atcacert_get_auth_key_id(const atcacert_def_t* cert_def, const uint8_t* cert, size_t cert_size, uint8_t auth_key_id[20]) { - if (cert_def == NULL || cert == NULL || auth_key_id == NULL) + ATCA_STATUS status = ATCACERT_E_BAD_PARAMS; + + if (NULL != cert_def && NULL != auth_key_id) { - return ATCACERT_E_BAD_PARAMS; - } + #if ATCACERT_INTEGRATION_EN + if (CERTTYPE_X509_FULL_STORED == cert_def->type) + { + cal_buffer kid_buf = CAL_BUF_INIT(20U, auth_key_id); - return atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID], cert, cert_size, auth_key_id, 20); + status = (NULL != cert_def->parsed) ? atcac_get_auth_key_id(*cert_def->parsed, &kid_buf) : ATCACERT_E_ERROR; + } + else + #endif + { +#if ATCACERT_COMPCERT_EN + if (NULL != cert) + { + status = atcacert_get_cert_element(cert_def, &cert_def->std_cert_elements[STDCERT_AUTH_KEY_ID], cert, cert_size, auth_key_id, 20); + } +#endif + } + } + return status; } +#if ATCACERT_COMPCERT_EN ATCA_STATUS atcacert_set_comp_cert(const atcacert_def_t* cert_def, uint8_t* cert, size_t* cert_size, 
@@ -1507,12 +1719,14 @@ ATCA_STATUS atcacert_get_comp_cert(const atcacert_def_t* cert_def, { ATCA_STATUS ret = ATCACERT_E_SUCCESS; atcacert_tm_utc_t issue_date; + uint8_t expire_years; if (cert_def == NULL || cert == NULL || comp_cert == NULL) { return ATCACERT_E_BAD_PARAMS; } + (void)memset(&issue_date, 0, sizeof(issue_date)); do { if (ATCACERT_E_SUCCESS != (ret = atcacert_get_signature(cert_def, cert, cert_size, &comp_cert[0]))) @@ -1538,6 +1752,16 @@ ATCA_STATUS atcacert_get_comp_cert(const atcacert_def_t* cert_def, } } + if (ATCACERT_E_SUCCESS != (ret = atcacert_calc_expire_years(cert_def, cert, cert_size, issue_date.tm_year, &expire_years))) + { + break; + } + + if (ATCACERT_E_SUCCESS != (ret = atcacert_date_enc_compcert(&issue_date, expire_years, &comp_cert[64]))) + { + break; + } + if (ATCACERT_E_SUCCESS != (ret = atcacert_date_enc_compcert(&issue_date, cert_def->expire_years, &comp_cert[64]))) { break; @@ -1560,8 +1784,7 @@ ATCA_STATUS atcacert_get_comp_cert(const atcacert_def_t* cert_def, comp_cert[71] = 0u; ret = ATCACERT_E_SUCCESS; - } - while (false); + } while (false); return ret; } @@ -1578,7 +1801,6 @@ ATCA_STATUS atcacert_get_tbs(const atcacert_def_t* cert_def, { return ATCACERT_E_BAD_PARAMS; } - eff_offset = get_effective_offset(cert_def, cert, (size_t)cert_def->tbs_cert_loc.offset + (size_t)cert_def->tbs_cert_loc.count); if ((size_t)cert_def->tbs_cert_loc.offset + (size_t)cert_def->tbs_cert_loc.count + (size_t)eff_offset > cert_size) @@ -1586,7 +1808,7 @@ ATCA_STATUS atcacert_get_tbs(const atcacert_def_t* cert_def, return ATCACERT_E_BAD_CERT; } - *tbs = &cert[cert_def->tbs_cert_loc.offset]; + *tbs = &cert[cert_def->tbs_cert_loc.offset]; *tbs_size = cert_def->tbs_cert_loc.count + (size_t)eff_offset; return ATCACERT_E_SUCCESS; 
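Review bot: The new call `atcacert_date_enc_compcert(&issue_date, expire_years, &comp_cert[64])` in `atcacert_get_comp_cert` is immediately followed by the unchanged call `atcacert_date_enc_compcert(&issue_date, cert_def->expire_years, &comp_cert[64])`, which writes the same location again from the template value. As written, the computed `expire_years` has no effect on the compressed certificate. `atcacert_gen_cert_sn` in this same commit hashes dates encoded from the computed value, so the two can disagree whenever the certificate's expiry does not match `cert_def->expire_years`. The old call should be deleted so that only the computed value is encoded. The function body starts and ends outside this hunk.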
@@ -1656,7 +1878,7 @@ ATCA_STATUS atcacert_set_cert_element(const atcacert_def_t* cert_def, eff_offset = get_effective_offset(cert_def, cert, cert_loc->offset); - if ((size_t)(cert_loc->offset + data_size + (size_t)eff_offset) > cert_size) + if ((cert_loc->offset > SIZE_MAX - data_size) || ((size_t)(cert_loc->offset + data_size + eff_offset) > cert_size)) { return ATCACERT_E_ELEM_OUT_OF_BOUNDS; } @@ -1719,10 +1941,10 @@ ATCA_STATUS atcacert_get_key_id(const uint8_t public_key[64], uint8_t key_id[20] void atcacert_public_key_add_padding(const uint8_t raw_key[64], uint8_t padded_key[72]) { - (void)memmove(&padded_key[40], &raw_key[32], 32); // Move Y to padded position - (void)memset(&padded_key[36], 0, sizeof(uint32_t)); // Add Y padding bytes - (void)memmove(&padded_key[4], &raw_key[0], 32); // Move X to padded position - (void)memset(&padded_key[0], 0, sizeof(uint32_t)); // Add X padding bytes + (void)memmove(&padded_key[40], &raw_key[32], 32); // Move Y to padded position + (void)memset(&padded_key[36], 0, sizeof(uint32_t)); // Add Y padding bytes + (void)memmove(&padded_key[4], &raw_key[0], 32); // Move X to padded position + (void)memset(&padded_key[0], 0, sizeof(uint32_t)); // Add X padding bytes } void atcacert_public_key_remove_padding(const uint8_t padded_key[72], uint8_t raw_key[64]) 
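Review bot: The rewritten bounds check in `atcacert_set_cert_element` guards `cert_loc->offset + data_size` against wrap but not the third addend, and it drops the `(size_t)` cast on `eff_offset`. `eff_offset` appears to be signed, since other call sites in this file cast it, so a negative value is converted to a very large unsigned number inside the sum and can wrap the total back below `cert_size`, letting the check pass for an element that starts before the buffer. Doing the start calculation in a wide signed type, rejecting a negative start, and comparing the length by subtraction avoids both problems; the declaration should move to the top of the function to match the file's style. The function starts and ends outside this hunk, so any earlier validation of `eff_offset` is not visible.
```c
/* … unchanged: eff_offset = get_effective_offset(cert_def, cert, cert_loc->offset); … */
int64_t elem_start = (int64_t)cert_loc->offset + (int64_t)eff_offset;

if ((elem_start < 0) || ((uint64_t)elem_start > cert_size) || (data_size > cert_size - (size_t)elem_start))
{
    return ATCACERT_E_ELEM_OUT_OF_BOUNDS;
}
```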
@@ -1831,9 +2053,41 @@ ATCA_STATUS atcacert_max_cert_size(const atcacert_def_t* cert_def, return ATCACERT_E_SUCCESS; } +#endif /* ATCACERT_EN */ + +int atcacert_calc_expire_years( const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + int issue_tm_year, + uint8_t* expire_years) +{ + int ret; + int temp_expire_years = 0; + atcacert_tm_utc_t expire_date = { 0 }; + + // Add compressed/encoded dates to hash input + if (ATCACERT_E_SUCCESS != (ret = atcacert_get_expire_date(cert_def, cert, cert_size, &expire_date))) + { + return ret; + } + + *expire_years = 0; + + if (issue_tm_year > expire_date.tm_year) + { + return ATCACERT_E_INVALID_DATE; + } + + temp_expire_years = expire_date.tm_year - issue_tm_year; + if ((0 <= temp_expire_years) && (32 > temp_expire_years)) + { + *expire_years = (uint8_t)temp_expire_years; + } + + return ATCACERT_E_SUCCESS; +} + #ifdef __COVERITY__ #pragma coverity compliance end_block "CERT INT30-C" "CERT INT31-C" "MISRA C-2012 Rule 10.4" #endif - -#endif diff --git a/lib/atcacert/atcacert_def.h b/lib/atcacert/atcacert_def.h index 0c6be7097..2d6302e87 100644 --- a/lib/atcacert/atcacert_def.h +++ b/lib/atcacert/atcacert_def.h @@ -45,6 +45,8 @@ #include "atcacert.h" #include "atcacert_date.h" #include "atca_helpers.h" +#include "crypto/atca_crypto_sw.h" +#include "cal_buffer.h" #define ATCA_MAX_TRANSFORMS 2 @@ -62,8 +64,9 @@ */ typedef enum atcacert_cert_type_e { - CERTTYPE_X509, //!< Standard X509 certificate - CERTTYPE_CUSTOM //!< Custom format + CERTTYPE_X509, //!< Standard X509 certificate + CERTTYPE_CUSTOM, //!< Custom format + CERTTYPE_X509_FULL_STORED //!< Full Stored X509 Certificate } atcacert_cert_type_t; /** 
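Review bot: `atcacert_calc_expire_years` writes `*expire_years = 0;` without checking the pointer, and it returns `ATCACERT_E_SUCCESS` with 0 when the difference is 32 years or more. The `expire_years` field comment in atcacert_def.h says 0 means no expiration, so a validity period too long for the 5-bit field is silently encoded as non-expiring; if that is intended it needs a comment at the range check, otherwise return `ATCACERT_E_INVALID_DATE`. Add `if (expire_years == NULL) { return ATCACERT_E_BAD_PARAMS; }` at the top, and replace the copied comment `// Add compressed/encoded dates to hash input` with one that says the expire date is being read from the certificate. The `0 <= temp_expire_years` test is already implied by the preceding `issue_tm_year > expire_date.tm_year` check.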
@@ -91,6 +94,7 @@ typedef enum atcacert_device_zone_e DEVZONE_CONFIG = 0x00, //!< Configuration zone. DEVZONE_OTP = 0x01, //!< One Time Programmable zone. DEVZONE_DATA = 0x02, //!< Data zone (slots). + DEVZONE_GENKEY = 0x03, //!< Data zone - Generate Pubkey (slots). DEVZONE_NONE = 0x07 //!< Special value used to indicate there is no device location. } atcacert_device_zone_t; @@ -137,7 +141,7 @@ typedef enum atcacert_std_cert_element_e typedef struct ATCA_PACKED atcacert_device_loc_s { atcacert_device_zone_t zone; //!< Zone in the device. - uint8_t slot; //!< Slot within the data zone. Only applies if zone is DEVZONE_DATA. + uint16_t slot; //!< Slot within the data zone. Only applies if zone is DEVZONE_DATA. uint8_t is_genkey; //!< If true, use GenKey command to get the contents instead of Read. uint16_t offset; //!< Byte offset in the zone. uint16_t count; //!< Byte count. @@ -176,6 +180,8 @@ typedef struct ATCA_PACKED atcacert_cert_element_s typedef struct atcacert_def_s { atcacert_cert_type_t type; //!< Certificate type. + atcacert_device_loc_t comp_cert_dev_loc; //!< Where on the device the compressed cert can be found. +#if ATCACERT_COMPCERT_EN uint8_t template_id; //!< ID for the this certificate definition (4-bit value). uint8_t chain_id; //!< ID for the certificate chain this definition is a part of (4-bit value). uint8_t private_key_slot; //!< If this is a device certificate template, this is the device slot for the device private key. 
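Review bot: Both struct changes here alter the layout that existing certificate definitions were written against. `slot` grows from `uint8_t` to `uint16_t` inside the `ATCA_PACKED` `atcacert_device_loc_s`, and `comp_cert_dev_loc` moves to the second position of `atcacert_def_s` while the members after it now sit under `#if ATCACERT_COMPCERT_EN`. Any definition initialised positionally, stored in serialized form, or compiled with different feature macros than the library would end up with values in the wrong fields; whether such users exist is not visible in this diff. A comment above `atcacert_def_s` would make the constraint explicit, for example `/* Layout depends on ATCACERT_COMPCERT_EN / ATCACERT_INTEGRATION_EN: use designated initialisers and build definitions with the library's configuration. */`.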
@@ -186,13 +192,16 @@ typedef struct atcacert_def_s atcacert_cert_loc_t tbs_cert_loc; //!< Location in the certificate for the TBS (to be signed) portion. uint8_t expire_years; //!< Number of years the certificate is valid for (5-bit value). 0 means no expiration. atcacert_device_loc_t public_key_dev_loc; //!< Where on the device the public key can be found. - atcacert_device_loc_t comp_cert_dev_loc; //!< Where on the device the compressed cert can be found. atcacert_cert_loc_t std_cert_elements[STDCERT_NUM_ELEMENTS]; //!< Where in the certificate template the standard cert elements are inserted. const atcacert_cert_element_t* cert_elements; //!< Additional certificate elements outside of the standard certificate contents. uint8_t cert_elements_count; //!< Number of additional certificate elements in cert_elements. const uint8_t* cert_template; //!< Pointer to the actual certificate template data. uint16_t cert_template_size; //!< Size of the certificate template in cert_template in bytes. +#endif const struct atcacert_def_s* ca_cert_def; //!< Certificate definition of the CA certificate +#if ATCACERT_INTEGRATION_EN + struct atcac_x509_ctx** parsed; +#endif } atcacert_def_t; /** @@ -214,6 +223,8 @@ typedef struct atcacert_build_state_s extern "C" { #endif +#if ATCACERT_COMPCERT_EN + /** * \brief Add all the device locations required to rebuild the specified certificate (cert_def) to * a device locations list. 
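Review bot: The new `struct atcac_x509_ctx** parsed;` member is the only field of `atcacert_def_s` without a `//!<` comment, and the getters added in atcacert_def.c depend on an unstated contract for it. They test `cert_def->parsed` for NULL and then pass `*cert_def->parsed` to the `atcac_get_*` functions, so a non-NULL `parsed` that points at a NULL context is forwarded unchecked; whether those functions reject it is not visible here. I would document ownership and validity on the field, e.g. `//!< Pointer to the caller-owned parsed certificate context; both parsed and *parsed must be valid for CERTTYPE_X509_FULL_STORED definitions`, or extend the getters' test to `(NULL != cert_def->parsed) && (NULL != *cert_def->parsed)`.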
@@ -315,6 +326,25 @@ ATCA_STATUS atcacert_get_device_data(const atcacert_def_t* cert_def, const atcacert_device_loc_t* device_loc, uint8_t* device_data); +#endif /* ATCACERT_COMPCERT_EN */ + +/** + * \brief Gets the subject name from a certificate. + * + * \param[in] cert_def Certificate definition for the certificate. + * \param[in] cert Certificate to get element from. + * \param[in] cert_size Size of the certificate (cert) in bytes. + * \param[out] subject Subject name is returned in this buffer. + * + * \return ATCACERT_E_SUCCESS on success, otherwise an error code. + */ +ATCA_STATUS atcacert_get_subject(const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + cal_buffer* cert_subj_buf); + + +#if ATCACERT_COMPCERT_EN /** * \brief Sets the subject public key and subject key ID in a certificate. * @@ -330,6 +360,8 @@ ATCA_STATUS atcacert_set_subj_public_key(const atcacert_def_t* cert_def, size_t cert_size, const uint8_t subj_public_key[64]); +#endif /* ATCACERT_COMPCERT_EN */ + /** * \brief Gets the subject public key from a certificate. * @@ -346,6 +378,7 @@ ATCA_STATUS atcacert_get_subj_public_key(const atcacert_def_t * cert_def, size_t cert_size, uint8_t subj_public_key[64]); + /** * \brief Gets the subject key ID from a certificate. * @@ -361,6 +394,7 @@ ATCA_STATUS atcacert_get_subj_key_id(const atcacert_def_t * cert_def, size_t cert_size, uint8_t subj_key_id[20]); +#if ATCACERT_COMPCERT_EN /** * \brief Sets the signature in a certificate. This may alter the size of the X.509 certificates. * 
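Review bot: The doc block added for `atcacert_get_subject` documents an output parameter named `subject`, but the prototype's parameter is `cert_subj_buf` of type `cal_buffer*`. The description should use the real name and say how the buffer is used, for example `\param[out] cert_subj_buf  Buffer descriptor that receives the subject name; its capacity bounds the copy`. The second half of that wording is an assumption about the implementation, which is not part of this hunk, so confirm it before adopting it.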
@@ -411,6 +445,23 @@ ATCA_STATUS atcacert_set_issue_date(const atcacert_def_t* cert_def, size_t cert_size, const atcacert_tm_utc_t* timestamp); +#endif /* ATCACERT_COMPCERT_EN */ + +/** + * \brief Gets the issuer name of a certificate. + * + * \param[in] cert_def Certificate definition for the certificate. + * \param[in] cert Certificate to get element from. + * \param[in] cert_size Size of the certificate (cert) in bytes. + * \param[out] cert_issuer Certificate's issuer is returned in this buffer. + * + * \return ATCACERT_E_SUCCESS on success, otherwise an error code. + */ +ATCA_STATUS atcacert_get_issuer(const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + uint8_t cert_issuer[128]); + /** * \brief Gets the issue date from a certificate. Will be parsed according to the date format * specified in the certificate definition. @@ -427,6 +478,7 @@ ATCA_STATUS atcacert_get_issue_date(const atcacert_def_t* cert_def, size_t cert_size, atcacert_tm_utc_t* timestamp); +#if ATCACERT_COMPCERT_EN /** * \brief Sets the expire date (notAfter) in a certificate. Will be formatted according to the date * format specified in the certificate definition. @@ -442,6 +494,7 @@ ATCA_STATUS atcacert_set_expire_date(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, const atcacert_tm_utc_t* timestamp); +#endif /* ATCACERT_COMPCERT_EN */ /** * \brief Gets the expire date from a certificate. Will be parsed according to the date format @@ -459,6 +512,7 @@ ATCA_STATUS atcacert_get_expire_date(const atcacert_def_t* cert_def, size_t cert_size, atcacert_tm_utc_t* timestamp); +#if ATCACERT_COMPCERT_EN /** * \brief Sets the signer ID in a certificate. Will be formatted as 4 upper-case hex digits. * @@ -529,6 +583,7 @@ ATCA_STATUS atcacert_gen_cert_sn(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, const uint8_t device_sn[9]); +#endif /* ATCACERT_COMPCERT_EN */ /** * \brief Gets the certificate serial number from a certificate. 
@@ -548,6 +603,7 @@ ATCA_STATUS atcacert_get_cert_sn(const atcacert_def_t* cert_def, uint8_t* cert_sn, size_t* cert_sn_size); +#if ATCACERT_COMPCERT_EN /** * \brief Sets the authority key ID in a certificate. Note that this takes the actual public key * creates a key ID from it. @@ -579,6 +635,7 @@ ATCA_STATUS atcacert_set_auth_key_id_raw(const atcacert_def_t* cert_def, uint8_t* cert, size_t cert_size, const uint8_t* auth_key_id); +#endif /* ATCACERT_COMPCERT_EN */ /** * \brief Gets the authority key ID from a certificate. @@ -595,6 +652,7 @@ ATCA_STATUS atcacert_get_auth_key_id(const atcacert_def_t * cert_def, size_t cert_size, uint8_t auth_key_id[20]); +#if ATCACERT_COMPCERT_EN /** * \brief Sets the signature, issue date, expire date, and signer ID found in the compressed * certificate. This also checks fields common between the cert_def and the compressed @@ -703,7 +761,6 @@ ATCA_STATUS atcacert_get_cert_element(const atcacert_def_t* cert_def, uint8_t* data, size_t data_size); - // Below are utility functions for dealing with various bits for data conversion and wrangling /** @@ -812,10 +869,25 @@ ATCA_STATUS atcacert_transform_data(atcacert_transform_t transform, */ ATCA_STATUS atcacert_max_cert_size(const atcacert_def_t* cert_def, size_t* max_cert_size); +#endif /* ATCACERT_COMPCERT_EN */ +/** \brief + * + * \param[in] cert_def Certificate definition to find a max size for. + * \param[in] cert Certificate to get element from. + * \param[in] cert_size Size of the certificate (cert) in bytes. + * \param[in] issue_tm_year issue year. + * \param[out] expire_years expire years. + * + * \return ATCACERT_E_SUCCESS on success, otherwise an error code. + */ +int atcacert_calc_expire_years( const atcacert_def_t* cert_def, + const uint8_t* cert, + size_t cert_size, + int issue_tm_year, + uint8_t* expire_years); /** @} */ #ifdef __cplusplus } #endif - -#endif +#endif /* ATCACERT_DEF_H */ diff --git a/lib/cal_buffer.c b/lib/cal_buffer.c index 1bb511a2c..12f1cecf8 100644 
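Review bot: The doc block added for `atcacert_calc_expire_years` has an empty `\brief`, and its `cert_def` line is copied from `atcacert_max_cert_size` ("Certificate definition to find a max size for"). Going by the definition in atcacert_def.c, a fitting summary is `\brief Calculates the validity period in whole years from the certificate's expire date and the given issue year.`, with `cert_def` described as the definition of the certificate being read. The `expire_years` line should state that 0 is returned when the difference does not fit the 5-bit field, since callers encode that value directly into the compressed certificate.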
--- a/lib/cal_buffer.c +++ b/lib/cal_buffer.c @@ -28,6 +28,10 @@ #include #include "cal_buffer.h" +#ifdef ATCA_PRINTF +#include +#endif + /** \ingroup cal_buf_ * @{ */ @@ -133,8 +137,7 @@ static ATCA_STATUS cal_buf_read_bytes_multipart( offset -= cab_p->len; } cab_p = cab_p->next; - } - while ((ATCA_SUCCESS == status) && (0U < length) && (NULL != cab_p)); + } while ((ATCA_SUCCESS == status) && (0U < length) && (NULL != cab_p)); if (0U < length) { @@ -287,8 +290,7 @@ static ATCA_STATUS cal_buf_write_bytes_multipart( offset -= cab_p->len; } cab_p = cab_p->next; - } - while ((ATCA_SUCCESS == status) && (0U < length) && (NULL != cab_p)); + } while ((ATCA_SUCCESS == status) && (0U < length) && (NULL != cab_p)); if (0U < length) { @@ -523,8 +525,7 @@ size_t cal_buf_get_used(cal_buffer * buf) /* coverity[cert_int30_c_violation] Wrapping is infeasible in practice because the total length is limited to UINT16_MAX elsewhere */ used += buf->len; buf = buf->next; - } - while ((NULL != buf) && (NULL != buf->buf) && (0U < buf->len)); + } while ((NULL != buf) && (NULL != buf->buf) && (0U < buf->len)); #else used = buf->len; #endif diff --git a/lib/calib/calib_aes.c b/lib/calib/calib_aes.c index 602f483a5..976bf58c1 100644 --- a/lib/calib/calib_aes.c +++ b/lib/calib/calib_aes.c @@ -58,7 +58,7 @@ ATCA_STATUS calib_aes(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* aes_in, uint8_t* aes_out) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -68,6 +68,8 @@ ATCA_STATUS calib_aes(ATCADevice device, uint8_t mode, uint16_t key_id, const ui break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a AES command packet.param1 = mode; packet.param2 = key_id; @@ -92,8 +94,7 @@ ATCA_STATUS calib_aes(ATCADevice device, uint8_t mode, uint16_t key_id, const ui (void)memcpy(aes_out, &packet.data[ATCA_RSP_DATA_IDX], AES_DATA_SIZE); } - } - while (false); + } while (false); return status; } 
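Review bot: Dropping the `= ATCA_GEN_FAIL` initialiser in `calib_aes` means `return status;` reads an indeterminate value on any path that leaves the `do { } while (false)` block without assigning it. The assignments on the early `break` paths are outside this hunk, so it cannot be confirmed here that every one sets `status`; keeping `ATCA_STATUS status = ATCA_GEN_FAIL;` costs nothing and keeps the function failing closed if a later edit adds a bare `break`. The same fail-closed initialiser is removed in `calib_aes_gfm`, `calib_idle`, `calib_sleep`, `calib_checkmac_base`, `calib_counter`, `calib_delete_base`, `calib_delete`, `calib_derivekey` and `calib_ecdh_base`. The added `(void)memset(&packet, 0x00, sizeof(ATCAPacket));` is a good change and is independent of this point.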
@@ -152,7 +153,7 @@ ATCA_STATUS calib_aes_decrypt(ATCADevice device, uint16_t key_id, uint8_t key_bl ATCA_STATUS calib_aes_gfm(ATCADevice device, const uint8_t* h, const uint8_t* input, uint8_t* output) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -162,6 +163,8 @@ ATCA_STATUS calib_aes_gfm(ATCADevice device, const uint8_t* h, const uint8_t* in break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a AES-GFM command packet.param1 = AES_MODE_GFM; @@ -187,8 +190,7 @@ ATCA_STATUS calib_aes_gfm(ATCADevice device, const uint8_t* h, const uint8_t* in (void)memcpy(output, &packet.data[ATCA_RSP_DATA_IDX], AES_DATA_SIZE); } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_basic.c b/lib/calib/calib_basic.c index 9ee5eabfb..a56d6bbcd 100644 --- a/lib/calib/calib_basic.c +++ b/lib/calib/calib_basic.c @@ -37,7 +37,7 @@ ATCA_STATUS calib_wakeup_i2c(ATCADevice device) { ATCA_STATUS status = ATCA_BAD_PARAM; - uint8_t second_byte = 0x01; // I2C general call should not interpreted as an addr write + uint8_t second_byte = 0x01; // I2C general call should not interpreted as an addr write ATCAIface iface = atGetIFace(device); if (NULL != iface) @@ -70,15 +70,15 @@ ATCA_STATUS calib_wakeup_i2c(ATCADevice device) if (atcab_is_ca2_device(device_type)) { - (void)atsend(iface, address, NULL, 0); + (void)atsend(iface, 0U, NULL, 0); } else { - (void)atsend(iface, 0x00, &second_byte, (int)sizeof(second_byte)); + (void)atsend(iface, second_byte, NULL, 0); } #else - (void)atsend(iface, 0x00, &second_byte, sizeof(second_byte)); + (void)atsend(iface, second_byte, NULL, 0); #endif atca_delay_us(atca_iface_get_wake_delay(iface)); @@ -98,8 +98,7 @@ ATCA_STATUS calib_wakeup_i2c(ATCADevice device) { status = hal_check_wake((uint8_t*)&wake, (int)rxlen); } - } - while (0 < retries-- && ATCA_SUCCESS != status); + } while (0 < retries-- && ATCA_SUCCESS != status); } return status; } 
@@ -142,7 +141,7 @@ ATCA_STATUS calib_wakeup(ATCADevice device) */ ATCA_STATUS calib_idle(ATCADevice device) { - ATCA_STATUS status = ATCA_BAD_PARAM; + ATCA_STATUS status; ATCADeviceType device_type = atcab_get_device_type_ext(device); #ifdef ATCA_HAL_LEGACY_API @@ -157,7 +156,7 @@ ATCA_STATUS calib_idle(ATCADevice device) if (!atcab_is_ca2_device(device_type)) { uint8_t command = 0x02; - status = atsend(&device->mIface, atcab_get_device_address(device), &command, 1); + status = atsend(&device->mIface, command, NULL, 0); } else { @@ -174,7 +173,7 @@ ATCA_STATUS calib_idle(ATCADevice device) */ ATCA_STATUS calib_sleep(ATCADevice device) { - ATCA_STATUS status = ATCA_BAD_PARAM; + ATCA_STATUS status; #ifdef ATCA_HAL_LEGACY_API status = atsleep(&device->mIface); @@ -186,7 +185,7 @@ ATCA_STATUS calib_sleep(ATCADevice device) else { uint8_t command = 0x01; - status = atsend(&device->mIface, atcab_get_device_address(device), &command, 1); + status = atsend(&device->mIface, command, NULL, 0); } #endif return status; @@ -235,14 +234,13 @@ ATCA_STATUS calib_get_addr(uint8_t zone, uint16_t slot, uint8_t block, uint8_t o *addr = ((uint16_t)block) << 3; *addr |= offset; } - else // ATCA_ZONE_DATA + else // ATCA_ZONE_DATA { *addr = slot << 3; - *addr |= offset; + *addr |= offset; *addr |= ((uint16_t)block) << 8; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_checkmac.c b/lib/calib/calib_checkmac.c index c51ca0d77..a6511bd31 100644 --- a/lib/calib/calib_checkmac.c +++ b/lib/calib/calib_checkmac.c 
@@ -55,10 +55,11 @@ * \param[out] resp_mac Output response mac (32 bytes) if mode[3] is set * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS calib_checkmac_base(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t *challenge, const uint8_t *response, const uint8_t *other_data, uint8_t *resp_mac) +ATCA_STATUS calib_checkmac_base(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t *challenge, const uint8_t *response, const uint8_t *other_data, + uint8_t *resp_mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; // Verify the inputs if ((device == NULL) || (response == NULL) || (other_data == NULL) || @@ -70,6 +71,8 @@ ATCA_STATUS calib_checkmac_base(ATCADevice device, uint8_t mode, uint16_t key_id do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build Check MAC command packet.param1 = mode; packet.param2 = key_id; @@ -90,7 +93,7 @@ ATCA_STATUS calib_checkmac_base(ATCADevice device, uint8_t mode, uint16_t key_id break; } - if ((status = atca_execute_command( (void*)&packet, device)) != ATCA_SUCCESS) + if ((status = atca_execute_command((void*)&packet, device)) != ATCA_SUCCESS) { (void)ATCA_TRACE(status, "calib_checkmac_base - execution failed"); break; @@ -101,8 +104,7 @@ ATCA_STATUS calib_checkmac_base(ATCADevice device, uint8_t mode, uint16_t key_id { (void)memcpy(resp_mac, &packet.data[ATCA_RSP_DATA_IDX + CHECKMAC_SINGLE_BYTE_BOOL_RESP], MAC_SIZE); } - } - while (false); + } while (false); return status; } 
@@ -136,7 +138,8 @@ ATCA_STATUS calib_checkmac(ATCADevice device, uint8_t mode, uint16_t key_id, con * \param[out] mac Mac output (32 bytes) * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS calib_checkmac_with_response_mac(ATCADevice device, uint8_t mode, const uint8_t *challenge, const uint8_t *response, const uint8_t *other_data, uint8_t *mac) +ATCA_STATUS calib_checkmac_with_response_mac(ATCADevice device, uint8_t mode, const uint8_t *challenge, const uint8_t *response, const uint8_t *other_data, + uint8_t *mac) { return calib_checkmac_base(device, mode, CHECKMAC_SHA105_DEFAULT_KEYID, challenge, response, other_data, mac); } diff --git a/lib/calib/calib_config_check.h b/lib/calib/calib_config_check.h index b063a0171..a05d97294 100644 --- a/lib/calib/calib_config_check.h +++ b/lib/calib/calib_config_check.h @@ -96,13 +96,11 @@ #define DEFAULT_CA_MAX_PACKET_SIZE (198u) /* Check the user provided maximum packet size and set to default if that exceeds the default configuration */ -#ifndef CA_MAX_PACKET_SIZE -#if MAX_PACKET_SIZE > DEFAULT_CA_MAX_PACKET_SIZE +#if !defined(MAX_PACKET_SIZE) || (MAX_PACKET_SIZE > DEFAULT_CA_MAX_PACKET_SIZE) #define CA_MAX_PACKET_SIZE (DEFAULT_CA_MAX_PACKET_SIZE) #else #define CA_MAX_PACKET_SIZE (MAX_PACKET_SIZE) #endif -#endif /**** AES command ****/ diff --git a/lib/calib/calib_counter.c b/lib/calib/calib_counter.c index a6f2d0ba7..119fbb451 100644 --- a/lib/calib/calib_counter.c +++ b/lib/calib/calib_counter.c @@ -50,7 +50,7 @@ ATCA_STATUS calib_counter(ATCADevice device, uint8_t mode, uint16_t counter_id, uint32_t *counter_value) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -60,6 +60,8 @@ ATCA_STATUS calib_counter(ATCADevice device, uint8_t mode, uint16_t counter_id, break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a Counter command packet.param1 = mode; packet.param2 = counter_id; 
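Review bot: With the outer `#ifndef CA_MAX_PACKET_SIZE` removed in calib_config_check.h, a build that already defines `CA_MAX_PACKET_SIZE` now meets an unconditional `#define` of the same name. A differing redefinition is diagnosed by the compiler, and where that is only a warning the header's value replaces the configured one, which presumably changes the size of every buffer derived from it. If overriding `CA_MAX_PACKET_SIZE` directly is no longer supported, the comment above the block should say that only `MAX_PACKET_SIZE` is honoured. Otherwise keep the guard around the new condition, i.e. `#ifndef CA_MAX_PACKET_SIZE` before the `#if !defined(MAX_PACKET_SIZE) || ...` line and a matching `#endif` after it.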
@@ -103,8 +105,7 @@ ATCA_STATUS calib_counter(ATCADevice device, uint8_t mode, uint16_t counter_id, } } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_delete.c b/lib/calib/calib_delete.c index 0d0982d79..2c5e86840 100644 --- a/lib/calib/calib_delete.c +++ b/lib/calib/calib_delete.c @@ -56,7 +56,7 @@ ATCA_STATUS calib_delete_base(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; // Verify the inputs if ((device == NULL) || (mac == NULL)) @@ -66,6 +66,8 @@ ATCA_STATUS calib_delete_base(ATCADevice device, uint8_t mode, uint16_t key_id, do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build Delete command packet.param1 = mode; packet.param2 = key_id; @@ -74,13 +76,12 @@ ATCA_STATUS calib_delete_base(ATCADevice device, uint8_t mode, uint16_t key_id, (void)atDelete(atcab_get_device_type_ext(device), &packet); - if ((status = atca_execute_command( (void*)&packet, device)) != ATCA_SUCCESS) + if ((status = atca_execute_command((void*)&packet, device)) != ATCA_SUCCESS) { (void)ATCA_TRACE(status, "calib_delete - execution failed"); break; } - } - while (false); + } while (false); return status; } @@ -94,7 +95,7 @@ ATCA_STATUS calib_delete_base(ATCADevice device, uint8_t mode, uint16_t key_id, */ ATCA_STATUS calib_delete(ATCADevice device, uint8_t num_in[NONCE_NUMIN_SIZE], const uint8_t *key) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t serial_number[ATCA_SERIAL_NUM_SIZE] = { 0 }; uint8_t rand_out[RANDOM_NUM_SIZE] = { 0 }; atca_delete_in_out_t delete_mac_params; @@ -129,8 +130,7 @@ ATCA_STATUS calib_delete(ATCADevice device, uint8_t num_in[NONCE_NUMIN_SIZE], co (void)ATCA_TRACE(status, "Delete Mac failed"); break; } - } - while (false); + } while (false); return calib_delete_base(device, DELETE_MODE, (uint16_t)0x0000, mac); } 
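Review bot: calib_delete ends with `return calib_delete_base(device, DELETE_MODE, (uint16_t)0x0000, mac);` after the do-block, so the `break` on "Delete Mac failed" (visible in the last hunk of calib_delete.c) does not stop the Delete command from being sent, and the failing `status` is discarded. With the initializer now removed from `status` as well, I would make the failure path explicit with `if (ATCA_SUCCESS != status) { return status; }` just before the final return. That assumes every path through the do-block assigns `status`; most of the body lies outside the hunks, so this needs confirming against the full function.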
diff --git a/lib/calib/calib_derivekey.c b/lib/calib/calib_derivekey.c index 31b492eea..75283ec2c 100644 --- a/lib/calib/calib_derivekey.c +++ b/lib/calib/calib_derivekey.c @@ -49,7 +49,7 @@ ATCA_STATUS calib_derivekey(ATCADevice device, uint8_t mode, uint16_t target_key, const uint8_t* mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; bool require_mac = false; do @@ -71,6 +71,8 @@ ATCA_STATUS calib_derivekey(ATCADevice device, uint8_t mode, uint16_t target_key } #endif + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a deriveKey command (pass through mode) packet.param1 = mode; packet.param2 = target_key; @@ -97,8 +99,7 @@ ATCA_STATUS calib_derivekey(ATCADevice device, uint8_t mode, uint16_t target_key break; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_ecdh.c b/lib/calib/calib_ecdh.c index 661d786b9..d5b27af4f 100644 --- a/lib/calib/calib_ecdh.c +++ b/lib/calib/calib_ecdh.c @@ -59,7 +59,7 @@ ATCA_STATUS calib_ecdh_base(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* public_key, uint8_t* pms, uint8_t* out_nonce) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -69,6 +69,8 @@ ATCA_STATUS calib_ecdh_base(ATCADevice device, uint8_t mode, uint16_t key_id, co break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build Command packet.param1 = mode; packet.param2 = key_id; @@ -96,8 +98,7 @@ ATCA_STATUS calib_ecdh_base(ATCADevice device, uint8_t mode, uint16_t key_id, co (void)memcpy(out_nonce, &packet.data[ATCA_RSP_DATA_IDX + ATCA_KEY_SIZE], ATCA_KEY_SIZE); } - } - while (false); + } while (false); return status; } 
@@ -148,7 +149,8 @@ ATCA_STATUS calib_ecdh(ATCADevice device, uint16_t key_id, const uint8_t* public #if defined(ATCA_USE_CONSTANT_HOST_NONCE) ATCA_STATUS calib_ecdh_enc(ATCADevice device, uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id) #else -ATCA_STATUS calib_ecdh_enc(ATCADevice device, uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS calib_ecdh_enc(ATCADevice device, uint16_t key_id, const uint8_t* public_key, uint8_t* pms, const uint8_t* read_key, uint16_t read_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) #endif { ATCA_STATUS status = ATCA_SUCCESS; @@ -175,8 +177,7 @@ ATCA_STATUS calib_ecdh_enc(ATCADevice device, uint16_t key_id, const uint8_t* pu { (void)ATCA_TRACE(status, "Encrypted read failed"); break; } - } - while (false); + } while (false); return status; } @@ -200,7 +201,7 @@ ATCA_STATUS calib_ecdh_ioenc(ATCADevice device, uint16_t key_id, const uint8_t* uint8_t mode = ECDH_MODE_SOURCE_EEPROM_SLOT | ECDH_MODE_OUTPUT_ENC | ECDH_MODE_COPY_OUTPUT_BUFFER; uint8_t out_nonce[ATCA_KEY_SIZE]; atca_io_decrypt_in_out_t io_dec_params; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; // Perform ECDH operation requesting output buffer encryption if (ATCA_SUCCESS != (status = calib_ecdh_base(device, mode, key_id, public_key, pms, out_nonce))) @@ -265,7 +266,7 @@ ATCA_STATUS calib_ecdh_tempkey_ioenc(ATCADevice device, const uint8_t* public_ke uint8_t mode = ECDH_MODE_SOURCE_TEMPKEY | ECDH_MODE_OUTPUT_ENC | ECDH_MODE_COPY_OUTPUT_BUFFER; uint8_t out_nonce[ATCA_KEY_SIZE]; atca_io_decrypt_in_out_t io_dec_params; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; // Perform ECDH operation requesting output buffer encryption if (ATCA_SUCCESS != (status = calib_ecdh_base(device, mode, 0x0000, public_key, pms, out_nonce))) 
diff --git a/lib/calib/calib_execution.c b/lib/calib/calib_execution.c index efadd6881..00b3a70cd 100644 --- a/lib/calib/calib_execution.c +++ b/lib/calib/calib_execution.c @@ -320,9 +320,9 @@ ATCA_STATUS calib_get_execution_time(uint8_t opcode, ATCADevice device) return status; } -ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t device_address, uint8_t* txdata, uint16_t txlength) +ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t word_address, uint8_t* txdata, uint16_t txlength) { - ATCA_STATUS status = ATCA_COMM_FAIL; + ATCA_STATUS status; if ((NULL == txdata) || (0u == txlength)) { @@ -330,12 +330,18 @@ ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t device_address, uint8_ } #ifdef ATCA_HAL_LEGACY_API - ((void)device_address); - status = atsend(&device->mIface, 0xFF, (uint8_t*)txdata, (int)txlength - 1); + uint8_t temp_buf[CA_MAX_PACKET_SIZE + 1u] = { 0u }; //! One byte for byte for word address + temp_buf[0] = word_address; + if (NULL != txdata) + { + memcpy(&temp_buf[1], txdata, txlength); + } + txlength += 1U; + status = atsend(&device->mIface, 0xFF, (uint8_t*)txdata, (int)txlength); #else if (atca_iface_is_kit(&device->mIface)) { - status = atsend(&device->mIface, 0xFF, (uint8_t*)&txdata[1], (int)txlength - 1); + status = atsend(&device->mIface, word_address, (uint8_t*)txdata, (int)txlength); } else { @@ -343,7 +349,7 @@ ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t device_address, uint8_ if (ATCA_UNIMPLEMENTED == status || ATCA_SUCCESS == status) { /* Send the command packet to the device */ - status = atsend(&device->mIface, device_address, (uint8_t*)txdata, (int)txlength); + status = atsend(&device->mIface, word_address, (uint8_t*)txdata, (int)txlength); } (void)atcontrol(&device->mIface, (uint8_t)ATCA_HAL_CONTROL_DESELECT, NULL, 0); } 
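Review bot: In the `ATCA_HAL_LEGACY_API` branch of calib_execute_send (second hunk of calib_execution.c), `temp_buf` is filled with the word address and payload but `atsend` is still handed `txdata` with the incremented `txlength`, so the staged word address is never transmitted and the call would read one byte past the caller's buffer. The `memcpy` into `temp_buf[CA_MAX_PACKET_SIZE + 1u]` is also unbounded: nothing visible in the hunk limits `txlength` to `CA_MAX_PACKET_SIZE`, and the new caller in calib_execute_command passes `packet->txsize` straight through. I would add `if (txlength > CA_MAX_PACKET_SIZE) { return ATCA_TRACE(ATCA_INVALID_SIZE, "Invalid size received"); }` before the copy and send the staged buffer, `status = atsend(&device->mIface, 0xFF, temp_buf, (int)txlength);`. The `NULL != txdata` test is redundant after the NULL check at the top of the function, and the `memcpy` result should be discarded with `(void)` like the other calls in this commit.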
@@ -355,7 +361,7 @@ ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t device_address, uint8_ ATCA_STATUS calib_execute_receive(ATCADevice device, uint8_t device_address, uint8_t* rxdata, uint16_t* rxlength) { - ATCA_STATUS status = ATCA_COMM_FAIL; + ATCA_STATUS status; if ((NULL == rxlength) || (NULL == rxdata)) { @@ -396,7 +402,7 @@ ATCA_STATUS calib_execute_receive(ATCADevice device, uint8_t device_address, uin // Skip word address send for ECC204 device if (!atcab_is_ca2_device(device->mIface.mIfaceCFG->devtype)) { - if (ATCA_SUCCESS != (status = atsend(&device->mIface, device_address, &word_address, (int)sizeof(word_address)))) + if (ATCA_SUCCESS != (status = atsend(&device->mIface, word_address, NULL, 0))) { break; } @@ -436,11 +442,13 @@ ATCA_STATUS calib_execute_receive(ATCADevice device, uint8_t device_address, uin break; } - read_length += 1u; + if (read_length < UINT16_MAX) + { + read_length += 1u; + } *rxlength = read_length; - } - while (false); + } while (false); (void)atcontrol(&device->mIface, (uint8_t)ATCA_HAL_CONTROL_DESELECT, NULL, 0); } @@ -466,7 +474,7 @@ ATCA_STATUS calib_execute_command(ATCAPacket* packet, ATCADevice device) uint32_t max_delay_count; uint16_t rxsize; uint8_t device_address = atcab_get_device_address(device); - int32_t retries = 1; + int32_t retries; do { @@ -519,7 +527,8 @@ ATCA_STATUS calib_execute_command(ATCAPacket* packet, ATCADevice device) packet->reserved = 0x03; } #endif - if (ATCA_RX_NO_RESPONSE == (status = calib_execute_send(device, device_address, (uint8_t*)packet, (uint16_t)packet->txsize + 1u))) + /* coverity[misra_c_2012_rule_18_1_violation] calib_execute_send will not update the members of the packet structure */ + if (ATCA_RX_NO_RESPONSE == (status = calib_execute_send(device, packet->reserved, (uint8_t*)&packet->txsize, (uint16_t)packet->txsize))) { device->device_state = (uint8_t)ATCA_DEVICE_STATE_UNKNOWN; } 
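Review bot: In calib_execute_receive (hunk at -436), when `read_length` is already `UINT16_MAX` the new guard skips the increment and still stores the value in `*rxlength` under whatever status is current, so the caller gets a length that is one short and no error. The wrap is avoided, but I would treat that case as a failure rather than saturate silently, for example `if (read_length == UINT16_MAX) { status = ATCA_INVALID_SIZE; break; }` ahead of `read_length += 1u;`. The do-block starts outside the hunk, so check that the `break` still reaches the deselect call that follows it.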
@@ -592,8 +601,7 @@ ATCA_STATUS calib_execute_command(ATCAPacket* packet, ATCADevice device) { break; } - } - while (false); + } while (false); // Skip Idle for ECC204 device if (!atcab_is_ca2_device(device->mIface.mIfaceCFG->devtype)) diff --git a/lib/calib/calib_execution.h b/lib/calib/calib_execution.h index 2cc7f991a..825218e00 100644 --- a/lib/calib/calib_execution.h +++ b/lib/calib/calib_execution.h @@ -65,7 +65,7 @@ typedef struct ATCA_STATUS calib_get_execution_time(uint8_t opcode, ATCADevice device); #ifndef ATCA_HAL_LEGACY_API -ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t device_address, uint8_t* txdata, uint16_t txlength); +ATCA_STATUS calib_execute_send(ATCADevice device, uint8_t word_address, uint8_t* txdata, uint16_t txlength); ATCA_STATUS calib_execute_receive(ATCADevice device, uint8_t device_address, uint8_t* rxdata, uint16_t* rxlength); #endif diff --git a/lib/calib/calib_gendig.c b/lib/calib/calib_gendig.c index cd3272b2d..dce0c422c 100644 --- a/lib/calib/calib_gendig.c +++ b/lib/calib/calib_gendig.c @@ -50,7 +50,7 @@ ATCA_STATUS calib_gendig(ATCADevice device, uint8_t zone, uint16_t key_id, const uint8_t *other_data, uint8_t other_data_size) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; bool is_no_mac_key = false; if ((device == NULL) || (other_data_size > 0u && other_data == NULL)) @@ -65,6 +65,8 @@ ATCA_STATUS calib_gendig(ATCADevice device, uint8_t zone, uint16_t key_id, const do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build gendig command packet.param1 = zone; packet.param2 = key_id; @@ -92,8 +94,7 @@ ATCA_STATUS calib_gendig(ATCADevice device, uint8_t zone, uint16_t key_id, const break; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_genkey.c b/lib/calib/calib_genkey.c index 11970fc73..6e7800e1b 100644 --- a/lib/calib/calib_genkey.c +++ b/lib/calib/calib_genkey.c 
@@ -59,7 +59,7 @@ ATCA_STATUS calib_genkey_base(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* other_data, uint8_t* public_key) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -69,6 +69,8 @@ ATCA_STATUS calib_genkey_base(ATCADevice device, uint8_t mode, uint16_t key_id, break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build GenKey command packet.param1 = mode; packet.param2 = key_id; @@ -100,8 +102,7 @@ ATCA_STATUS calib_genkey_base(ATCADevice device, uint8_t mode, uint16_t key_id, status = ATCA_TRACE(ATCA_RX_FAIL, "Received response failure"); } } - } - while (false); + } while (false); return status; } @@ -168,6 +169,8 @@ ATCA_STATUS calib_genkey_mac(ATCADevice device, uint8_t* public_key, uint8_t* ma #error "CA_MAX_PACKET_SIZE cannot hold response packet with public key and mac" #endif + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + packet.param1 = GENKEY_MODE_MAC; packet.param2 = (uint16_t)0x00; diff --git a/lib/calib/calib_helpers.c b/lib/calib/calib_helpers.c index 68da83a9b..42fd3f524 100644 --- a/lib/calib/calib_helpers.c +++ b/lib/calib/calib_helpers.c @@ -39,7 +39,7 @@ #if CALIB_READ_EN ATCA_STATUS calib_is_slot_locked(ATCADevice device, uint16_t slot, bool* is_locked) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t data[ATCA_WORD_SIZE]; uint16_t slot_locked; @@ -60,8 +60,7 @@ ATCA_STATUS calib_is_slot_locked(ATCADevice device, uint16_t slot, bool* is_lock slot_locked = ((uint16_t)data[0]) | ((uint16_t)data[1] << 8); *is_locked = ((slot_locked & ((uint16_t)1u << slot)) == 0u); - } - while (false); + } while (false); return status; } @@ -77,7 +76,7 @@ ATCA_STATUS calib_is_slot_locked(ATCADevice device, uint16_t slot, bool* is_lock */ ATCA_STATUS calib_is_locked(ATCADevice device, uint8_t zone, bool* is_locked) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t data[ATCA_WORD_SIZE]; do 
@@ -102,8 +101,7 @@ ATCA_STATUS calib_is_locked(ATCADevice device, uint8_t zone, bool* is_locked) case LOCK_ZONE_DATA: *is_locked = (data[2] != 0x55u); break; default: status = ATCA_TRACE(ATCA_BAD_PARAM, "Invalid zone received"); break; } - } - while (false); + } while (false); return status; } @@ -283,7 +281,8 @@ ATCA_STATUS calib_is_private(ATCADevice device, uint16_t slot, bool* is_private) case ATECC608: { uint8_t key_config[2] = { 0 }; - if (ATCA_SUCCESS == (status = calib_read_bytes_zone(device, ATCA_ZONE_CONFIG, 0, ATCA_KEY_CONFIG_OFFSET((size_t)slot), key_config, sizeof(key_config)))) + if (ATCA_SUCCESS == (status = calib_read_bytes_zone(device, ATCA_ZONE_CONFIG, 0, ATCA_KEY_CONFIG_OFFSET((size_t)slot), + key_config, sizeof(key_config)))) { *is_private = (1u == (key_config[0] & ATCA_KEY_CONFIG_PRIVATE_MASK)) ? true : false; } diff --git a/lib/calib/calib_hmac.c b/lib/calib/calib_hmac.c index 44d37d7c2..116c9449c 100644 --- a/lib/calib/calib_hmac.c +++ b/lib/calib/calib_hmac.c @@ -53,7 +53,7 @@ ATCA_STATUS calib_hmac(ATCADevice device, uint8_t mode, uint16_t key_id, uint8_t* digest) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -63,6 +63,8 @@ ATCA_STATUS calib_hmac(ATCADevice device, uint8_t mode, uint16_t key_id, uint8_t break; } + (void)memset(&packet, 0, sizeof(ATCAPacket)); + // build HMAC command packet.param1 = mode; packet.param2 = key_id; @@ -81,14 +83,13 @@ ATCA_STATUS calib_hmac(ATCADevice device, uint8_t mode, uint16_t key_id, uint8_t if (packet.data[ATCA_COUNT_IDX] != HMAC_DIGEST_SIZE + 3u) { - status = ATCA_TRACE(ATCA_RX_FAIL, "Unexpected response size"); // Unexpected response size + status = ATCA_TRACE(ATCA_RX_FAIL, "Unexpected response size"); // Unexpected response size break; } (void)memcpy(digest, &packet.data[ATCA_RSP_DATA_IDX], HMAC_DIGEST_SIZE); - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_info.c b/lib/calib/calib_info.c index e75c02eb6..f7ce36bf0 100644 
--- a/lib/calib/calib_info.c +++ b/lib/calib/calib_info.c @@ -55,13 +55,15 @@ ATCA_STATUS calib_info_base(ATCADevice device, uint8_t mode, uint16_t param2, uint8_t* out_data) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if (device == NULL) { return ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer received"); } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build an info command packet.param1 = mode; packet.param2 = param2; @@ -112,8 +114,7 @@ ATCA_STATUS calib_info_base(ATCADevice device, uint8_t mode, uint16_t param2, ui } } - } - while (false); + } while (false); return status; } @@ -145,7 +146,7 @@ ATCA_STATUS calib_info(ATCADevice device, uint8_t* revision) ATCA_STATUS calib_info_get_latch(ATCADevice device, bool* state) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t out_data[4]; if (state == NULL) diff --git a/lib/calib/calib_kdf.c b/lib/calib/calib_kdf.c index 93a738272..ffcb699eb 100644 --- a/lib/calib/calib_kdf.c +++ b/lib/calib/calib_kdf.c @@ -65,7 +65,7 @@ ATCA_STATUS calib_kdf(ATCADevice device, uint8_t mode, uint16_t key_id, const uint32_t details, const uint8_t* message, uint8_t* out_data, uint8_t* out_nonce) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint16_t out_data_size = 0; do @@ -76,6 +76,8 @@ ATCA_STATUS calib_kdf(ATCADevice device, uint8_t mode, uint16_t key_id, const ui break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build the KDF command packet.param1 = mode; packet.param2 = key_id; @@ -158,8 +160,7 @@ ATCA_STATUS calib_kdf(ATCADevice device, uint8_t mode, uint16_t key_id, const ui } (void)memcpy(out_nonce, &packet.data[ATCA_RSP_DATA_IDX + out_data_size], 32); } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_lock.c b/lib/calib/calib_lock.c index 9498f90fb..dd93243a5 100644 --- a/lib/calib/calib_lock.c +++ b/lib/calib/calib_lock.c 
@@ -56,7 +56,7 @@ ATCA_STATUS calib_lock(ATCADevice device, uint8_t mode, uint16_t summary_crc) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if (device == NULL) { @@ -82,8 +82,7 @@ ATCA_STATUS calib_lock(ATCADevice device, uint8_t mode, uint16_t summary_crc) break; } - } - while (false); + } while (false); return status; } @@ -256,7 +255,7 @@ ATCA_STATUS calib_ca2_lock_config_slot(ATCADevice device, uint16_t slot, uint16_ */ ATCA_STATUS calib_ca2_lock_config_zone(ATCADevice device) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t slot = 0; uint8_t mode; @@ -279,7 +278,7 @@ ATCA_STATUS calib_ca2_lock_config_zone(ATCADevice device) } } - slot += 1u; //Increment slot + slot += 1u; //Increment slot } return status; @@ -305,7 +304,7 @@ ATCA_STATUS calib_ca2_lock_data_slot(ATCADevice device, uint16_t slot) */ ATCA_STATUS calib_ca2_lock_data_zone(ATCADevice device) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t slot = 0; uint8_t mode; @@ -328,7 +327,7 @@ ATCA_STATUS calib_ca2_lock_data_zone(ATCADevice device) } } - slot += 1u; //Increment slot + slot += 1u; //Increment slot } return status; diff --git a/lib/calib/calib_mac.c b/lib/calib/calib_mac.c index 53d79d15d..695f488fb 100644 --- a/lib/calib/calib_mac.c +++ b/lib/calib/calib_mac.c @@ -53,7 +53,7 @@ ATCA_STATUS calib_mac(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* challenge, uint8_t* digest) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -63,6 +63,8 @@ ATCA_STATUS calib_mac(ATCADevice device, uint8_t mode, uint16_t key_id, const ui break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build mac command packet.param1 = mode; packet.param2 = key_id; @@ -94,8 +96,7 @@ ATCA_STATUS calib_mac(ATCADevice device, uint8_t mode, uint16_t key_id, const ui (void)memcpy(digest, &packet.data[ATCA_RSP_DATA_IDX], MAC_SIZE); - } - while (false); + } while (false); return status; } 
diff --git a/lib/calib/calib_nonce.c b/lib/calib/calib_nonce.c index d2e27c51a..9b8378965 100644 --- a/lib/calib/calib_nonce.c +++ b/lib/calib/calib_nonce.c @@ -60,7 +60,7 @@ ATCA_STATUS calib_nonce_base(ATCADevice device, uint8_t mode, uint16_t param2, const uint8_t *num_in, uint8_t* rand_out) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t length; do @@ -71,6 +71,8 @@ ATCA_STATUS calib_nonce_base(ATCADevice device, uint8_t mode, uint16_t param2, c break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a nonce command packet.param1 = mode; packet.param2 = param2; @@ -103,8 +105,7 @@ ATCA_STATUS calib_nonce_base(ATCADevice device, uint8_t mode, uint16_t param2, c (void)memcpy(&rand_out[0], &packet.data[ATCA_RSP_DATA_IDX], 32); } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_privwrite.c b/lib/calib/calib_privwrite.c index 184147c4a..3edf3441d 100644 --- a/lib/calib/calib_privwrite.c +++ b/lib/calib/calib_privwrite.c @@ -63,11 +63,12 @@ ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t p uint8_t num_in[NONCE_NUMIN_SIZE] = { 0 }; #else -ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t priv_key[36], uint16_t write_key_id, const uint8_t write_key[32], + const uint8_t num_in[NONCE_NUMIN_SIZE]) { #endif ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; atca_nonce_in_out_t nonce_params; atca_gen_dig_in_out_t gen_dig_param; atca_write_mac_in_out_t host_mac_param; 
@@ -85,6 +86,8 @@ ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t p do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + if (write_key == NULL) { // Caller requested an unencrypted PrivWrite, which is only allowed when the data zone is unlocked @@ -172,8 +175,8 @@ ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t p } // build a write command for encrypted writes - packet.param1 = PRIVWRITE_MODE_ENCRYPT; // Mode is encrypted write - packet.param2 = key_id; // Key ID + packet.param1 = PRIVWRITE_MODE_ENCRYPT; // Mode is encrypted write + packet.param2 = key_id; // Key ID (void)memcpy(&packet.data[0], cipher_text, sizeof(cipher_text)); (void)memcpy(&packet.data[sizeof(cipher_text)], host_mac, sizeof(host_mac)); } @@ -190,8 +193,7 @@ ATCA_STATUS calib_priv_write(ATCADevice device, uint16_t key_id, const uint8_t p break; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_random.c b/lib/calib/calib_random.c index be59b3f92..7726fe676 100644 --- a/lib/calib/calib_random.c +++ b/lib/calib/calib_random.c @@ -50,7 +50,7 @@ ATCA_STATUS calib_random(ATCADevice device, uint8_t *rand_out) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -60,6 +60,8 @@ ATCA_STATUS calib_random(ATCADevice device, uint8_t *rand_out) break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build an random command packet.param1 = RANDOM_SEED_UPDATE; packet.param2 = 0x0000; @@ -86,8 +88,7 @@ ATCA_STATUS calib_random(ATCADevice device, uint8_t *rand_out) { (void)memcpy(rand_out, &packet.data[ATCA_RSP_DATA_IDX], RANDOM_NUM_SIZE); } - } - while (false); + } while (false); return status; diff --git a/lib/calib/calib_read.c b/lib/calib/calib_read.c index 0cbc36a11..f2b6bbd6c 100644 --- a/lib/calib/calib_read.c +++ b/lib/calib/calib_read.c 
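Review bot: calib_priv_write now zeroes `packet` before building the command, but nothing in the visible hunks clears it again on the way out. In the encrypted branch `packet.data` holds `cipher_text` and `host_mac`, and in the unencrypted branch it presumably carries the private key itself (that copy is outside the hunks). I would wipe `packet`, `cipher_text` and `host_mac` before every return, using a clearing routine the compiler cannot elide rather than a plain `memset` on a variable that is about to go out of scope. A comment such as `// Clear key material from the stack before returning` at that point would record the intent.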
@@ -61,7 +61,7 @@ ATCA_STATUS calib_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, uint8_t block, uint8_t offset, uint8_t *data, uint8_t len) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint16_t addr; do @@ -84,6 +84,8 @@ ATCA_STATUS calib_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, uint zone = zone | ATCA_ZONE_READWRITE_32; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a read command packet.param1 = zone; packet.param2 = addr; @@ -101,8 +103,7 @@ ATCA_STATUS calib_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, uint } (void)memcpy(data, &packet.data[1], len); - } - while (false); + } while (false); return status; } @@ -117,7 +118,7 @@ ATCA_STATUS calib_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, uint */ ATCA_STATUS calib_read_serial_number(ATCADevice device, uint8_t* serial_number) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t read_buf[ATCA_BLOCK_SIZE]; if (NULL == serial_number) @@ -134,8 +135,7 @@ ATCA_STATUS calib_read_serial_number(ATCADevice device, uint8_t* serial_number) } (void)memcpy(&serial_number[0], &read_buf[0], 4); (void)memcpy(&serial_number[4], &read_buf[8], 5); - } - while (false); + } while (false); return status; } 
@@ -165,10 +165,11 @@ ATCA_STATUS calib_read_enc(ATCADevice device, uint16_t key_id, uint8_t block, ui const uint8_t num_in[NONCE_NUMIN_SIZE] = { 0 }; #else -ATCA_STATUS calib_read_enc(ATCADevice device, uint16_t key_id, uint8_t block, uint8_t *data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS calib_read_enc(ATCADevice device, uint16_t key_id, uint8_t block, uint8_t *data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) { #endif - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t zone = ATCA_ZONE_DATA | ATCA_ZONE_READWRITE_32; atca_nonce_in_out_t nonce_params; atca_gen_dig_in_out_t gen_dig_param; @@ -257,8 +258,7 @@ ATCA_STATUS calib_read_enc(ATCADevice device, uint16_t key_id, uint8_t block, ui status = ATCA_SUCCESS; - } - while (false); + } while (false); return status; @@ -285,7 +285,7 @@ ATCA_STATUS calib_read_enc(ATCADevice device, uint16_t key_id, uint8_t block, ui */ ATCA_STATUS calib_read_bytes_zone(ATCADevice device, uint8_t zone, uint16_t slot, size_t offset, uint8_t *data, size_t length) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; size_t zone_size = 0; uint8_t read_buf[32]; size_t data_idx = 0; @@ -373,8 +373,7 @@ ATCA_STATUS calib_read_bytes_zone(ATCADevice device, uint8_t zone, uint16_t slot { break; } - } - while (false); + } while (false); return status; } @@ -477,7 +476,7 @@ bool calib_ecc608_compare_config( */ ATCA_STATUS calib_read_sig(ATCADevice device, uint16_t slot, uint8_t* sig) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -507,8 +506,7 @@ ATCA_STATUS calib_read_sig(ATCADevice device, uint16_t slot, uint8_t* sig) (void)ATCA_TRACE(status, "calib_read_zone - failed"); break; } - } - while (false); + } while (false); return status; } 
@@ -577,6 +575,8 @@ ATCA_STATUS calib_ca2_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, (void)ATCA_TRACE(status, "Address Encoding failed"); } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + if (ATCA_SUCCESS == status) { // Build packets @@ -610,7 +610,7 @@ ATCA_STATUS calib_ca2_read_zone(ATCADevice device, uint8_t zone, uint16_t slot, */ ATCA_STATUS calib_ca2_read_config_zone(ATCADevice device, uint8_t* config_data) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t slot = 0; while (slot <= 3u) @@ -638,7 +638,7 @@ ATCA_STATUS calib_ca2_read_config_zone(ATCADevice device, uint8_t* config_data) */ ATCA_STATUS calib_ca2_read_serial_number(ATCADevice device, uint8_t* serial_number) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t read_buf[ATCA_CA2_CONFIG_SLOT_SIZE]; @@ -673,7 +673,7 @@ ATCA_STATUS calib_ca2_read_serial_number(ATCADevice device, uint8_t* serial_numb ATCA_STATUS calib_ca2_read_bytes_zone(ATCADevice device, uint8_t zone, uint16_t slot, size_t offset, uint8_t* data, size_t length) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t data_set_size = (ATCA_ZONE_DATA == zone) ? ATCA_BLOCK_SIZE : ATCA_CA2_CONFIG_SLOT_SIZE; size_t cur_block = 0; size_t data_idx = 0; 
@@ -778,20 +778,20 @@ bool calib_ca2_compare_config( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS calib_read_zone_ext( - ATCADevice device, /**< [in] Device context pointer */ - uint8_t zone, /**< [in] Zone to be read from device. Options are - ATCA_ZONE_CONFIG, ATCA_ZONE_OTP, or ATCA_ZONE_DATA.*/ - uint16_t slot, /**< [in] Slot number for data zone and ignored for other zones. */ - uint8_t block, /**< [in] 32 byte block index within the zone. */ - uint8_t offset, /**< [in] 4 byte work index within the block. Ignored for 32 byte - reads. */ - uint8_t * data, /**< [out] Read data is returned here. */ - uint8_t len /**< [in] Length of the data to be read. Must be either 4 or 32. */ + ATCADevice device, /**< [in] Device context pointer */ + uint8_t zone, /**< [in] Zone to be read from device. Options are + ATCA_ZONE_CONFIG, ATCA_ZONE_OTP, or ATCA_ZONE_DATA.*/ + uint16_t slot, /**< [in] Slot number for data zone and ignored for other zones. */ + uint8_t block, /**< [in] 32 byte block index within the zone. */ + uint8_t offset, /**< [in] 4 byte work index within the block. Ignored for 32 byte + reads. */ + uint8_t * data, /**< [out] Read data is returned here. */ + uint8_t len /**< [in] Length of the data to be read. Must be either 4 or 32. */ ) { #if ATCA_CA2_SUPPORT ATCADeviceType devtype = atcab_get_device_type_ext(device); - ATCA_STATUS status = ATCA_BAD_PARAM; + ATCA_STATUS status; if (atcab_is_ca2_device(devtype)) { @@ -846,6 +846,8 @@ ATCA_STATUS calib_read_config_zone(ATCADevice device, uint8_t* config_data) case SHA104: /* fallthrough */ case SHA105: + /* fallthrough */ + case SHA106: status = calib_ca2_read_config_zone(device, config_data); break; #endif @@ -921,6 +923,8 @@ ATCA_STATUS calib_cmp_config_zone(ATCADevice device, uint8_t* config_data, bool* case SHA104: /* fallthrough */ case SHA105: + /* fallthrough */ + case SHA106: *same_config = calib_ca2_compare_config(config_data, device_config_data); break; #endif 
@@ -930,8 +934,7 @@ ATCA_STATUS calib_cmp_config_zone(ATCADevice device, uint8_t* config_data, bool* #endif break; } - } - while (false); + } while (false); return status; } @@ -953,7 +956,7 @@ ATCA_STATUS calib_cmp_config_zone(ATCADevice device, uint8_t* config_data, bool* */ ATCA_STATUS calib_read_pubkey(ATCADevice device, uint16_t slot, uint8_t *public_key) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t read_buf[ATCA_BLOCK_SIZE]; uint8_t block = 0; uint8_t offset = 0; @@ -1024,8 +1027,7 @@ ATCA_STATUS calib_read_pubkey(ATCADevice device, uint16_t slot, uint8_t *public_ read_index = 0; (void)memcpy(&public_key[cpy_index], &read_buf[read_index], cpy_size); - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_secureboot.c b/lib/calib/calib_secureboot.c index b040d3ce2..3f8e2c4eb 100644 --- a/lib/calib/calib_secureboot.c +++ b/lib/calib/calib_secureboot.c @@ -56,7 +56,7 @@ ATCA_STATUS calib_secureboot(ATCADevice device, uint8_t mode, uint16_t param2, const uint8_t* digest, const uint8_t* signature, uint8_t* mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if ((device == NULL) || (digest == NULL)) { @@ -75,6 +75,8 @@ ATCA_STATUS calib_secureboot(ATCADevice device, uint8_t mode, uint16_t param2, c do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + packet.param1 = mode; packet.param2 = param2; @@ -102,8 +104,7 @@ ATCA_STATUS calib_secureboot(ATCADevice device, uint8_t mode, uint16_t param2, c (void)memcpy(mac, &packet.data[ATCA_RSP_DATA_IDX], SECUREBOOT_MAC_SIZE); } - } - while (false); + } while (false); return status; } 
@@ -126,9 +127,10 @@ ATCA_STATUS calib_secureboot(ATCADevice device, uint8_t mode, uint16_t param2, c * * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS calib_secureboot_mac(ATCADevice device, uint8_t mode, const uint8_t* digest, const uint8_t* signature, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +ATCA_STATUS calib_secureboot_mac(ATCADevice device, uint8_t mode, const uint8_t* digest, const uint8_t* signature, const uint8_t* num_in, const uint8_t* io_key, + bool* is_verified) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; atca_temp_key_t tempkey; atca_nonce_in_out_t nonce_params; atca_secureboot_enc_in_out_t sboot_enc_params; @@ -226,8 +228,7 @@ ATCA_STATUS calib_secureboot_mac(ATCADevice device, uint8_t mode, const uint8_t* } *is_verified = (memcmp(host_mac, mac, SECUREBOOT_MAC_SIZE) == 0); - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_selftest.c b/lib/calib/calib_selftest.c index adf2738f0..7de277e7b 100644 --- a/lib/calib/calib_selftest.c +++ b/lib/calib/calib_selftest.c @@ -56,7 +56,7 @@ ATCA_STATUS calib_selftest(ATCADevice device, uint8_t mode, uint16_t param2, uint8_t* result) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t response = 0; do @@ -67,6 +67,8 @@ ATCA_STATUS calib_selftest(ATCADevice device, uint8_t mode, uint16_t param2, uin break; } + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // build a SelfTest command packet.param1 = mode; packet.param2 = param2; @@ -90,7 +92,7 @@ ATCA_STATUS calib_selftest(ATCADevice device, uint8_t mode, uint16_t param2, uin // The response has bits set outside of the bit field requested by // the mode. This indicates an actual error rather than a self test // failure. - return status; // Return the translated status. + return status; // Return the translated status. } else { 
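Review bot: `*is_verified` in calib_secureboot_mac is decided by `memcmp(host_mac, mac, SECUREBOOT_MAC_SIZE) == 0` (last hunk of calib_secureboot.c), and `memcmp` may return at the first differing byte, so the comparison time can depend on how much of the MAC matches. For an authentication tag I would compare in constant time: OR together the XOR of each byte pair over `SECUREBOOT_MAC_SIZE` bytes and set `*is_verified` from whether the accumulator is zero. Separately, with `status` no longer initialised in this function, confirm that `*is_verified` is `false` on every early `break`; the body between the two hunks is not visible.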
@@ -106,8 +108,7 @@ ATCA_STATUS calib_selftest(ATCADevice device, uint8_t mode, uint16_t param2, uin // the results are returned in result. return ATCA_SUCCESS; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_sha.c b/lib/calib/calib_sha.c index 90387366a..3d2cbd329 100644 --- a/lib/calib/calib_sha.c +++ b/lib/calib/calib_sha.c @@ -71,7 +71,7 @@ typedef struct ATCA_STATUS calib_sha_base(ATCADevice device, uint8_t mode, uint16_t length, const uint8_t* message, uint8_t* data_out, uint16_t* data_out_size) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t cmd_mode = (mode & SHA_MODE_MASK); ATCA_CHECK_INVALID_MSG(NULL == device, ATCA_BAD_PARAM, "NULL pointer received"); @@ -82,10 +82,13 @@ ATCA_STATUS calib_sha_base(ATCADevice device, uint8_t mode, uint16_t length, con ATCA_CHECK_INVALID_MSG(((NULL != data_out) && (NULL == data_out_size)), ATCA_BAD_PARAM, "NULL pointer received"); - ATCA_CHECK_INVALID_MSG((cmd_mode != SHA_MODE_HMAC_START && cmd_mode != SHA_MODE_SHA256_PUBLIC) && (CA_MAX_PACKET_SIZE < (ATCA_CMD_SIZE_MIN + length)), ATCA_INVALID_SIZE, "Invalid size received"); + ATCA_CHECK_INVALID_MSG((cmd_mode != SHA_MODE_HMAC_START && cmd_mode != SHA_MODE_SHA256_PUBLIC) && (CA_MAX_PACKET_SIZE < (ATCA_CMD_SIZE_MIN + length)), + ATCA_INVALID_SIZE, "Invalid size received"); do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + //Build Command packet.param1 = mode; packet.param2 = cmd_mode != SHA_MODE_ECC204_HMAC_START ? length : 0u; @@ -117,8 +120,7 @@ ATCA_STATUS calib_sha_base(ATCADevice device, uint8_t mode, uint16_t length, con *data_out_size = ((uint16_t)packet.data[ATCA_COUNT_IDX] - ATCA_PACKET_OVERHEAD) & UINT16_MAX; (void)memcpy(data_out, &packet.data[ATCA_RSP_DATA_IDX], *data_out_size); } - } - while (false); + } while (false); return status; } 
@@ -337,7 +339,8 @@ ATCA_STATUS calib_hw_sha2_256_finish(ATCADevice device, atca_sha256_ctx_t* ctx, if (ctx->block_size > ATCA_SHA256_BLOCK_SIZE) { digest_size = 32; - if (ATCA_SUCCESS != (status = calib_sha_base(device, SHA_MODE_SHA256_UPDATE, ATCA_SHA256_BLOCK_SIZE, &ctx->block[ATCA_SHA256_BLOCK_SIZE], digest, &digest_size))) + if (ATCA_SUCCESS != (status = calib_sha_base(device, SHA_MODE_SHA256_UPDATE, ATCA_SHA256_BLOCK_SIZE, + &ctx->block[ATCA_SHA256_BLOCK_SIZE], digest, &digest_size))) { return ATCA_TRACE(status, "calib_sha_base - failed"); } @@ -455,7 +458,8 @@ ATCA_STATUS calib_sha_hmac_update(ATCADevice device, atca_hmac_sha256_ctx_t* ctx block_count = (size_t)(data_size / ATCA_SHA256_BLOCK_SIZE); for (i = 0; i < block_count; i++) { - if (ATCA_SUCCESS != (status = calib_sha_base(device, SHA_MODE_HMAC_UPDATE, ATCA_SHA256_BLOCK_SIZE, &data[copy_size + i * ATCA_SHA256_BLOCK_SIZE], NULL, NULL))) + if (ATCA_SUCCESS != (status = calib_sha_base(device, SHA_MODE_HMAC_UPDATE, ATCA_SHA256_BLOCK_SIZE, + &data[copy_size + i * ATCA_SHA256_BLOCK_SIZE], NULL, NULL))) { return ATCA_TRACE(status, "calib_sha_base - failed"); } diff --git a/lib/calib/calib_sign.c b/lib/calib/calib_sign.c index c124bd27b..265b06118 100644 --- a/lib/calib/calib_sign.c +++ b/lib/calib/calib_sign.c @@ -56,7 +56,7 @@ ATCA_STATUS calib_sign_base(ATCADevice device, uint8_t mode, uint16_t key_id, uint8_t *signature) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if ((device == NULL) || (signature == NULL)) { @@ -65,6 +65,8 @@ ATCA_STATUS calib_sign_base(ATCADevice device, uint8_t mode, uint16_t key_id, ui do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build sign command packet.param1 = mode; packet.param2 = key_id; @@ -90,8 +92,7 @@ ATCA_STATUS calib_sign_base(ATCADevice device, uint8_t mode, uint16_t key_id, ui status = ATCA_RX_FAIL; } - } - while (false); + } while (false); return status; } 
@@ -114,7 +115,7 @@ ATCA_STATUS calib_sign_base(ATCADevice device, uint8_t mode, uint16_t key_id, ui */ ATCA_STATUS calib_sign(ATCADevice device, uint16_t key_id, const uint8_t *msg, uint8_t *signature) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t nonce_target = NONCE_MODE_TARGET_TEMPKEY; uint8_t sign_source = SIGN_MODE_SOURCE_TEMPKEY; @@ -149,8 +150,7 @@ ATCA_STATUS calib_sign(ATCADevice device, uint16_t key_id, const uint8_t *msg, u (void)ATCA_TRACE(status, "calib_sign_base - failed"); break; } - } - while (false); + } while (false); return status; } @@ -160,7 +160,7 @@ ATCA_STATUS calib_sign(ATCADevice device, uint16_t key_id, const uint8_t *msg, u ATCA_STATUS calib_sign_ext(ATCADevice device, uint16_t key_id, const uint8_t *msg, uint8_t *signature) { ATCADeviceType devtype = atcab_get_device_type_ext(device); - ATCA_STATUS status = ATCA_BAD_PARAM; + ATCA_STATUS status; switch (devtype) { @@ -208,7 +208,7 @@ ATCA_STATUS calib_sign_ext(ATCADevice device, uint16_t key_id, const uint8_t *ms */ ATCA_STATUS calib_sign_internal(ATCADevice device, uint16_t key_id, bool is_invalidate, bool is_full_sn, uint8_t *signature) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t mode = SIGN_MODE_INTERNAL; do @@ -230,8 +230,7 @@ ATCA_STATUS calib_sign_internal(ATCADevice device, uint16_t key_id, bool is_inva break; } - } - while (false); + } while (false); return status; } @@ -255,6 +254,8 @@ ATCA_STATUS calib_ca2_sign(ATCADevice device, uint16_t key_id, const uint8_t* ms ATCA_STATUS status = ATCA_SUCCESS; ATCAPacket packet; + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + packet.param1 = 0x00; packet.param2 = key_id; diff --git a/lib/calib/calib_updateextra.c b/lib/calib/calib_updateextra.c index f05ad7c3c..17a6be6dd 100644 --- a/lib/calib/calib_updateextra.c +++ b/lib/calib/calib_updateextra.c 
@@ -56,7 +56,7 @@ ATCA_STATUS calib_updateextra(ATCADevice device, uint8_t mode, uint16_t new_value) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; do { @@ -83,8 +83,7 @@ ATCA_STATUS calib_updateextra(ATCADevice device, uint8_t mode, uint16_t new_valu break; } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_verify.c b/lib/calib/calib_verify.c index 58e8b2cfb..98f59b7cf 100644 --- a/lib/calib/calib_verify.c +++ b/lib/calib/calib_verify.c @@ -68,10 +68,11 @@ * * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS calib_verify(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* signature, const uint8_t* public_key, const uint8_t* other_data, uint8_t* mac) +ATCA_STATUS calib_verify(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* signature, const uint8_t* public_key, const uint8_t* other_data, + uint8_t* mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t verify_mode = (mode & VERIFY_MODE_MASK); do @@ -109,6 +110,8 @@ ATCA_STATUS calib_verify(ATCADevice device, uint8_t mode, uint16_t key_id, const } #endif + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build the verify command packet.param1 = mode; packet.param2 = key_id; @@ -141,8 +144,7 @@ ATCA_STATUS calib_verify(ATCADevice device, uint8_t mode, uint16_t key_id, const (void)memcpy(mac, &packet.data[ATCA_RSP_DATA_IDX], MAC_SIZE); } - } - while (false); + } while (false); return status; } 
@@ -178,9 +180,10 @@ ATCA_STATUS calib_verify(ATCADevice device, uint8_t mode, uint16_t key_id, const * \return ATCA_SUCCESS on verification success or failure, because the * command still completed successfully. */ -static ATCA_STATUS calib_verify_extern_stored_mac(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +static ATCA_STATUS calib_verify_extern_stored_mac(ATCADevice device, uint8_t mode, uint16_t key_id, const uint8_t* message, const uint8_t* signature, + const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t msg_dig_buf[64]; atca_verify_mac_in_out_t verify_mac_params; uint8_t mac[SECUREBOOT_MAC_SIZE]; @@ -232,8 +235,7 @@ static ATCA_STATUS calib_verify_extern_stored_mac(ATCADevice device, uint8_t mod } *is_verified = (memcmp(host_mac, mac, MAC_SIZE) == 0); - } - while (false); + } while (false); return status; } @@ -260,7 +262,8 @@ static ATCA_STATUS calib_verify_extern_stored_mac(ATCADevice device, uint8_t mod * \return ATCA_SUCCESS on verification success or failure, because the * command still completed successfully. */ -ATCA_STATUS calib_verify_extern_mac(ATCADevice device, const uint8_t *message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +ATCA_STATUS calib_verify_extern_mac(ATCADevice device, const uint8_t *message, const uint8_t* signature, const uint8_t* public_key, const uint8_t* num_in, + const uint8_t* io_key, bool* is_verified) { return calib_verify_extern_stored_mac(device, VERIFY_MODE_EXTERNAL, VERIFY_KEY_P256, message, signature, public_key, num_in, io_key, is_verified); } 
@@ -285,7 +288,8 @@ ATCA_STATUS calib_verify_extern_mac(ATCADevice device, const uint8_t *message, c * \return ATCA_SUCCESS on verification success or failure, because the * command still completed successfully. */ -ATCA_STATUS calib_verify_stored_mac(ATCADevice device, const uint8_t *message, const uint8_t *signature, uint16_t key_id, const uint8_t* num_in, const uint8_t* io_key, bool* is_verified) +ATCA_STATUS calib_verify_stored_mac(ATCADevice device, const uint8_t *message, const uint8_t *signature, uint16_t key_id, const uint8_t* num_in, + const uint8_t* io_key, bool* is_verified) { return calib_verify_extern_stored_mac(device, VERIFY_MODE_STORED, key_id, message, signature, NULL, num_in, io_key, is_verified); } @@ -315,7 +319,7 @@ ATCA_STATUS calib_verify_stored_mac(ATCADevice device, const uint8_t *message, c #if CALIB_VERIFY_EXTERN_EN ATCA_STATUS calib_verify_extern(ATCADevice device, const uint8_t *message, const uint8_t *signature, const uint8_t *public_key, bool *is_verified) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t nonce_target = NONCE_MODE_TARGET_TEMPKEY; uint8_t verify_source = VERIFY_MODE_SOURCE_TEMPKEY; @@ -349,8 +353,7 @@ ATCA_STATUS calib_verify_extern(ATCADevice device, const uint8_t *message, const { status = ATCA_SUCCESS; // Verify failed, but command succeeded } - } - while (false); + } while (false); return status; } @@ -377,7 +380,7 @@ ATCA_STATUS calib_verify_extern(ATCADevice device, const uint8_t *message, const */ ATCA_STATUS calib_verify_stored(ATCADevice device, const uint8_t *message, const uint8_t *signature, uint16_t key_id, bool *is_verified) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t nonce_target = NONCE_MODE_TARGET_TEMPKEY; uint8_t verify_source = VERIFY_MODE_SOURCE_TEMPKEY; 
@@ -410,8 +413,7 @@ ATCA_STATUS calib_verify_stored(ATCADevice device, const uint8_t *message, const { status = ATCA_SUCCESS; // Verify failed, but command succeeded } - } - while (false); + } while (false); return status; } @@ -437,7 +439,7 @@ ATCA_STATUS calib_verify_stored(ATCADevice device, const uint8_t *message, const */ ATCA_STATUS calib_verify_stored_with_tempkey(ATCADevice device, const uint8_t* signature, uint16_t key_id, bool* is_verified) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t verify_source = VERIFY_MODE_SOURCE_TEMPKEY; if ((device == NULL) || (is_verified == NULL) || (signature == NULL)) @@ -456,8 +458,7 @@ ATCA_STATUS calib_verify_stored_with_tempkey(ATCADevice device, const uint8_t* s { status = ATCA_SUCCESS; // Verify failed, but command succeeded } - } - while (false); + } while (false); return status; } diff --git a/lib/calib/calib_write.c b/lib/calib/calib_write.c index 9f29fbd6c..3e565f0b2 100644 --- a/lib/calib/calib_write.c +++ b/lib/calib/calib_write.c @@ -61,7 +61,7 @@ ATCA_STATUS calib_write(ATCADevice device, uint8_t zone, uint16_t address, const uint8_t *value, const uint8_t *mac) { ATCAPacket packet; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; bool require_mac = false; if ((device == NULL) || (value == NULL)) @@ -81,6 +81,8 @@ ATCA_STATUS calib_write(ATCADevice device, uint8_t zone, uint16_t address, const do { + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + // Build the write command packet.param1 = zone; packet.param2 = address; @@ -117,8 +119,7 @@ ATCA_STATUS calib_write(ATCADevice device, uint8_t zone, uint16_t address, const break; } - } - while (false); + } while (false); return status; } 
@@ -140,7 +141,7 @@ ATCA_STATUS calib_write(ATCADevice device, uint8_t zone, uint16_t address, const */ ATCA_STATUS calib_write_zone(ATCADevice device, uint8_t zone, uint16_t slot, uint8_t block, uint8_t offset, const uint8_t *data, uint8_t len) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint16_t addr; // Check the input parameters @@ -171,8 +172,7 @@ ATCA_STATUS calib_write_zone(ATCADevice device, uint8_t zone, uint16_t slot, uin status = calib_write(device, zone, addr, data, NULL); - } - while (false); + } while (false); return status; } @@ -203,10 +203,11 @@ ATCA_STATUS calib_write_enc(ATCADevice device, uint16_t key_id, uint8_t block, c uint8_t num_in[NONCE_NUMIN_SIZE] = { 0 }; #else -ATCA_STATUS calib_write_enc(ATCADevice device, uint16_t key_id, uint8_t block, const uint8_t *data, const uint8_t* enc_key, const uint16_t enc_key_id, const uint8_t num_in[NONCE_NUMIN_SIZE]) +ATCA_STATUS calib_write_enc(ATCADevice device, uint16_t key_id, uint8_t block, const uint8_t *data, const uint8_t* enc_key, const uint16_t enc_key_id, + const uint8_t num_in[NONCE_NUMIN_SIZE]) { #endif - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; uint8_t zone = ATCA_ZONE_DATA | ATCA_ZONE_READWRITE_32; atca_nonce_in_out_t nonce_params; atca_gen_dig_in_out_t gen_dig_param; @@ -315,8 +316,7 @@ ATCA_STATUS calib_write_enc(ATCADevice device, uint16_t key_id, uint8_t block, c status = calib_write(device, write_mac_param.zone, write_mac_param.key_id, write_mac_param.encrypted_data, write_mac_param.auth_mac); - } - while (false); + } while (false); return status; } @@ -342,7 +342,7 @@ ATCA_STATUS calib_write_enc(ATCADevice device, uint16_t key_id, uint8_t block, c #if CALIB_WRITE_EN ATCA_STATUS calib_write_config_zone(ATCADevice device, const uint8_t* config_data) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; size_t config_size = 0; if (config_data == NULL) 
@@ -378,8 +378,7 @@ ATCA_STATUS calib_write_config_zone(ATCADevice device, const uint8_t* config_dat (void)ATCA_TRACE(status, "calib_updateextra - failed"); break; } - } - while (false); + } while (false); return status; } @@ -407,7 +406,7 @@ ATCA_STATUS calib_write_config_zone(ATCADevice device, const uint8_t* config_dat */ ATCA_STATUS calib_write_bytes_zone(ATCADevice device, uint8_t zone, uint16_t slot, size_t offset_bytes, const uint8_t *data, size_t length) { - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; size_t zone_size = 0; size_t data_idx = 0; size_t cur_block = 0; @@ -482,8 +481,7 @@ ATCA_STATUS calib_write_bytes_zone(ATCADevice device, uint8_t zone, uint16_t slo } } } - } - while (false); + } while (false); return status; } @@ -506,7 +504,7 @@ ATCA_STATUS calib_write_config_counter(ATCADevice device, uint16_t counter_id, u uint16_t lin_a, lin_b, bin_a, bin_b; uint8_t bytes[8]; uint8_t idx = 0; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if (counter_id > 1u || counter_value > COUNTER_MAX_VALUE) { @@ -586,6 +584,8 @@ ATCA_STATUS calib_ca2_write(ATCADevice device, uint8_t zone, uint16_t address, c } #endif + (void)memset(&packet, 0x00, sizeof(ATCAPacket)); + if (ATCA_SUCCESS == status) { packet.param1 = write_zone; @@ -722,7 +722,7 @@ ATCA_STATUS calib_ca2_write_config_counter(ATCADevice device, uint8_t counter_id uint16_t bin_a, bin_b; uint64_t lin_a, lin_b; uint8_t bytes[16]; - ATCA_STATUS status = ATCA_GEN_FAIL; + ATCA_STATUS status; if (counter_id != 0u || counter_value > COUNTER_MAX_VALUE_CA2) { @@ -858,8 +858,7 @@ ATCA_STATUS calib_ca2_write_enc(ATCADevice device, uint16_t slot, uint8_t* data, } status = calib_ca2_write(device, ATCA_ZONE_DATA, write_mac_param.key_id, write_mac_param.encrypted_data, write_mac_param.auth_mac); - } - while (false); + } while (false); return status; } 
@@ -1084,7 +1083,8 @@ ATCA_STATUS calib_write_pubkey(ATCADevice device, uint16_t slot, const uint8_t * // the data zone is unlocked for (block = 0u; block < 3u; block++) { - if (ATCA_SUCCESS != (status = calib_write_zone_ext(device, ATCA_ZONE_DATA, slot, block, 0, &public_key_formatted[ATCA_BLOCK_SIZE * block], ATCA_BLOCK_SIZE))) + if (ATCA_SUCCESS != (status = calib_write_zone_ext(device, ATCA_ZONE_DATA, slot, block, 0, + &public_key_formatted[ATCA_BLOCK_SIZE * block], ATCA_BLOCK_SIZE))) { (void)ATCA_TRACE(status, "calib_write_zone - failed"); break; diff --git a/lib/cmake/pkcs11.cmake b/lib/cmake/pkcs11.cmake index 3147567a4..b9bdfcf65 100644 --- a/lib/cmake/pkcs11.cmake +++ b/lib/cmake/pkcs11.cmake @@ -16,6 +16,7 @@ option(PKCS11_AUTH_TERMINATE_BEFORE_LOGIN "Enable auth terminate before c_log set(PKCS11_MAX_SLOTS_ALLOWED 1 CACHE STRING "Maximum number of slots allowed in the system") set(PKCS11_MAX_SESSIONS_ALLOWED 10 CACHE STRING "Maximum number of total sessions allowed in the system") +set(PKCS11_MAX_CERTS_CACHED 5 CACHE STRING "Maximum number of x509 certificates allowed to be cached") set(PKCS11_MAX_OBJECTS_ALLOWED 16 CACHE STRING "Maximum number of cryptographic objects allowed to be cached") set(PKCS11_MAX_LABEL_SIZE 30 CACHE STRING "Maximum label size in characters") set(PKCS11_MAX_CONFIG_ALLOWED 7 CACHE STRING "Maximum depth to configuration options") diff --git a/lib/cmake/wolfssl.cmake b/lib/cmake/wolfssl.cmake index 7bb1d7e30..2c3be3ea8 100644 --- a/lib/cmake/wolfssl.cmake +++ b/lib/cmake/wolfssl.cmake 
@@ -6,7 +6,7 @@ execute_process(COMMAND ${CMAKE_COMMAND} -G "${CMAKE_GENERATOR}" . execute_process(COMMAND ${CMAKE_COMMAND} --build . WORKING_DIRECTORY ${CMAKE_BINARY_DIR}/wolfssl_downloader/) -#file(GLOB WOLFSSL_LIB_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../third_party/wolfssl/wolfcrypt/src/*.c") +#file(GLOB WOLFSSL_LIB_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "../third_party/wolfssl/wolfcrypt/src/*.c" "../third_party/wolfssl/src/*.c") set(WOLFSSL_LIB_SRC ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/aes.c ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/arc4.c @@ -29,6 +29,14 @@ set(WOLFSSL_LIB_SRC ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/aes.c ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/wc_encrypt.c ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/wc_port.c ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/wolfmath.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/pkcs12.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/logging.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/wolfcrypt/src/md4.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/src/tls.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/src/internal.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/src/wolfio.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/src/keys.c + ${CMAKE_BINARY_DIR}/downloaded/wolfssl/src/ssl.c ) diff --git a/lib/crypto/atca_crypto_sw.h b/lib/crypto/atca_crypto_sw.h index ef2d02c09..68aae97ed 100644 --- a/lib/crypto/atca_crypto_sw.h +++ b/lib/crypto/atca_crypto_sw.h 
@@ -177,6 +177,25 @@ ATCA_STATUS atcac_pbkdf2_sha256(const uint32_t iter, const uint8_t* password, co const uint8_t* salt, const size_t salt_len, uint8_t* result, size_t result_len); #endif +#if defined(HOSTLIB_CERT_EN) +#if HOSTLIB_CERT_EN +#include "cal_buffer.h" +struct atcac_x509_ctx; + +ATCA_STATUS atcac_parse_der(struct atcac_x509_ctx ** cert, cal_buffer *der); +ATCA_STATUS atcac_get_subject(const struct atcac_x509_ctx* cert, cal_buffer* cert_subject); +ATCA_STATUS atcac_get_subj_public_key(const struct atcac_x509_ctx * cert, cal_buffer * subj_public_key); +ATCA_STATUS atcac_get_subj_key_id(const struct atcac_x509_ctx * cert, cal_buffer * subj_public_key_id); +ATCA_STATUS atcac_get_issue_date(const struct atcac_x509_ctx * cert, cal_buffer * not_before, uint8_t * fmt); +ATCA_STATUS atcac_get_expire_date(const struct atcac_x509_ctx * cert, cal_buffer * not_after, uint8_t * fmt); +ATCA_STATUS atcac_get_cert_sn(const struct atcac_x509_ctx * cert, cal_buffer * cert_sn); +ATCA_STATUS atcac_get_issuer(const struct atcac_x509_ctx* cert, cal_buffer* issuer_buf); +ATCA_STATUS atcac_get_auth_key_id(const struct atcac_x509_ctx * cert, cal_buffer * auth_key_id); +void atcac_x509_free(void* cert); + +#endif /* HOSTLIB_CERT_EN */ +#endif /* defined(HOSTLIB_CERT_EN) */ + #ifdef __cplusplus } #endif diff --git a/lib/crypto/crypto_config_check.h b/lib/crypto/crypto_config_check.h deleted file mode 100644 index 5eba0eefc..000000000 --- a/lib/crypto/crypto_config_check.h +++ /dev/null 
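Review bot: The new certificate accessors are declared without doc comments, so the header does not say who owns the context that `atcac_parse_der` stores through `cert`, or what capacity each `cal_buffer` output needs. Presumably the caller releases it with `atcac_x509_free`; a `\brief`/`\param`/`\return` block on each declaration should state that, and whether `*cert` is left NULL on failure. `atcac_x509_free(void* cert)` also drops the type every other function uses, so passing an unrelated pointer compiles silently; `void atcac_x509_free(struct atcac_x509_ctx* cert);` would keep the check if the backends allow it.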
@@ -1,270 +0,0 @@ -/** - * \file - * \brief Consistency checks for configuration options - * - * \copyright (c) 2015-2021 Microchip Technology Inc. and its subsidiaries. - * - * \page License - * - * Subject to your compliance with these terms, you may use Microchip software - * and any derivatives exclusively with Microchip products. It is your - * responsibility to comply with third party license terms applicable to your - * use of third party software (including open source software) that may - * accompany Microchip software. - * - * THIS SOFTWARE IS SUPPLIED BY MICROCHIP "AS IS". NO WARRANTIES, WHETHER - * EXPRESS, IMPLIED OR STATUTORY, APPLY TO THIS SOFTWARE, INCLUDING ANY IMPLIED - * WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A - * PARTICULAR PURPOSE. IN NO EVENT WILL MICROCHIP BE LIABLE FOR ANY INDIRECT, - * SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL LOSS, DAMAGE, COST OR EXPENSE - * OF ANY KIND WHATSOEVER RELATED TO THE SOFTWARE, HOWEVER CAUSED, EVEN IF - * MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OR THE DAMAGES ARE - * FORESEEABLE. TO THE FULLEST EXTENT ALLOWED BY LAW, MICROCHIP'S TOTAL - * LIABILITY ON ALL CLAIMS IN ANY WAY RELATED TO THIS SOFTWARE WILL NOT EXCEED - * THE AMOUNT OF FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR - * THIS SOFTWARE. 
- */ - -#ifndef CRYPTO_CONFIG_CHECK_H -#define CRYPTO_CONFIG_CHECK_H - -#include "atca_config_check.h" - -#if ATCA_CA_SUPPORT -#include "calib/calib_config_check.h" -#endif - -#if ATCA_TA_SUPPORT -#include "talib/talib_config_check.h" -#endif - -/** \def ATCAB_AES_EXTRAS_EN - * - * Automatically set base on other configuation options but can be overridden to disable all - * CBC, CBCMAC, CTR, & CCM modes at once rather than individually - */ -#ifndef ATCAB_AES_EXTRAS_EN -#define ATCAB_AES_EXTRAS_EN (CALIB_AES_EN || TALIB_AES_EN) -#endif - -#ifndef ATCAB_AES_RANDOM_IV_EN -#define ATCAB_AES_RANDOM_IV_EN (ATCA_HOSTLIB_EN || CALIB_RANDOM_EN || TALIB_RANDOM_EN) -#endif - -/** \def ATCAB_AES_UPDATE_EN - * Enable update/finalize APIs for block ciphers - */ -#ifndef ATCAB_AES_UPDATE_EN -#define ATCAB_AES_UPDATE_EN ATCAB_AES_EXTRAS_EN -#endif - -/****** ATCA_CRYPTO_HW_AES_CBC ******/ - -/** \def ATCAB_AES_CBC_ENCRYPT_EN - * - * Requires: ATCAB_AES_EN - * - * Enable ATCAB_AES_CBC_ENCRYPT_EN to encrypt a block of data using CBC mode and a key within the - * device. atcab_aes_cbc_init() should be called before the first use of this function - * - * Supported API's: atcab_aes_cbc_encrypt_block , atcab_aes_cbc_init_ext, atcab_aes_cbc_init - **/ -#ifndef ATCAB_AES_CBC_ENCRYPT_EN -#define ATCAB_AES_CBC_ENCRYPT_EN ATCAB_AES_EXTRAS_EN -#endif - -/** \def ATCAB_AES_CBC_DECRYPT_EN - * - * Requires: ATCAB_AES_EN - * - * Enable ATCAB_AES_CBC_DECRYPT to decrypt a block of data using CBC mode and a key within the - * device. 
atcab_aes_cbc_init() should be called before the first use of this function - * - * Supported API's: atcab_aes_cbc_decrypt_block, atcab_aes_cbc_init_ext, atcab_aes_cbc_init - **/ -#ifndef ATCAB_AES_CBC_DECRYPT_EN -#define ATCAB_AES_CBC_DECRYPT_EN ATCAB_AES_EXTRAS_EN -#endif - -#ifndef ATCAB_AES_CBC_UPDATE_EN -#define ATCAB_AES_CBC_UPDATE_EN ATCAB_AES_UPDATE_EN -#endif - -/****** ATCA_CRYPTO_HW_AES_CBCMAC ******/ - -/** \def ATCAB_AES_CBCMAC_EN - * - * Requires: ATCAB_AES_CBCMAC - * ATCAB_AES_CBC_ENCRYPT - * ATCAB_AES_MODE_ENCODING - * CALIB_AES_MODE_ENCODING - * CALIB_AES - * - * Enable ATCAB_AES_CBCMAC to initialize context for AES CBC-MAC operation - * Enable ATCAB_AES_CBCMAC to calculate AES CBC-MAC with key stored within ECC608 device - * Enable ATCAB_AES_CBCMAC to finish a CBC-MAC operation returning the CBC-MAC value - * - * Supported API's: atcab_aes_cbcmac_init_ext - * atcab_aes_cbcmac_init, atcab_aes_cbcmac_init_update, atcab_aes_cbcmac_finish - **/ -#ifndef ATCAB_AES_CBCMAC_EN -#define ATCAB_AES_CBCMAC_EN ATCAB_AES_CBC_ENCRYPT_EN -#endif - -/****** ATCA_CRYPTO_HW_AES_CTR ******/ - -/** \def ATCAB_AES_CTR_EN - * - * Requires: ATCAB_AES_EN - * - * Enable ATCAB_AES_CTR_EN to support AES-CTR mode - * - **/ -#ifndef ATCAB_AES_CTR_EN -#define ATCAB_AES_CTR_EN ATCAB_AES_EXTRAS_EN -#endif - -/** \def ATCAB_AES_CTR_RAND_IV_EN - * - * Requires: ATCAB_AES_CTR_EN - * ATCAB_RANDOM_EN - * - * Enable ATCAB_AES_CTR_RAND_IV_EN to initialize context for AES CTR operation with a random nonce and - * counter set to 0 as the IV, which is common when starting an encrypt operation - * - * Supported API's: atcab_aes_ctr_init_rand_ext, atcab_aes_ctr_init_rand - **/ -#ifndef ATCAB_AES_CTR_RAND_IV_EN -#define ATCAB_AES_CTR_RAND_IV_EN (ATCAB_AES_CTR_EN && ATCAB_AES_RANDOM_IV_EN) -#endif - -/****** ATCA_CRYPTO_HW_AES_CCM ******/ - -/** \def ATCAB_AES_CCM_EN - * - * Requires: ATCAB_AES_EN - * ATCAB_AES_CTR_EN - * - * Enable ATCAB_AES_CCM_EN to enable AES CCM operation - * - **/ 
-#ifndef ATCAB_AES_CCM_EN -#define ATCAB_AES_CCM_EN (ATCAB_AES_CBCMAC_EN && ATCAB_AES_CTR_EN) -#endif - -/** \def ATCAB_AES_CCM_INIT_RAND - * - * Requires: ATCAB_AES_CCM_INIT_RAND - * ATCAB_AES_CCM_INIT - * ATCAB_RANDOM - * CALIB_RANDOM - * - * Enable ATCAB_AES_CCM_INIT_RAND to initialize context for AES CCM operation with a random nonce - * - * Supported API's: atcab_aes_ccm_init_rand_ext - * atcab_aes_ccm_init_rand - **/ -#ifndef ATCAB_AES_CCM_RAND_IV_EN -#define ATCAB_AES_CCM_RAND_IV_EN (ATCAB_AES_CCM_EN && ATCAB_AES_RANDOM_IV_EN) -#endif - -/****** ATCA_CRYPTO_HW_AES_CMAC ******/ - -/** \def ATCAB_AES_CMAC - * - * Requires: ATCAB_AES_CMAC - * ATCAB_AES_CBC_ENCRYPT - * ATCAB_AES_MODE_ENCODING - * CALIB_AES_MODE_ENCODING - * CALIB_AES - * - * Enable ATCAB_AES_CMAC to initialize a CMAC calculation using an AES-128 key in the device - * Enable ATCAB_AES_CMAC to add data to an initialized CMAC calculation - * Enable ATCAB_AES_CMAC to finish a CMAC operation returning the CMAC value - * - * Supported API's: atcab_aes_cmac_init_ext, left_shift_one - * atcab_aes_cmac_init, atcab_aes_cmac_init_update, atcab_aes_cmac_finish - **/ -#ifndef ATCAB_AES_CMAC_EN -#define ATCAB_AES_CMAC_EN ATCAB_AES_CBC_ENCRYPT_EN -#endif - -/** \def ATCA_CRYPTO_SHA1_EN - * - * Enable ATCAC_SHA1_EN to enable sha1 host side api - * - * Supported API's: atcab_write - **/ -#ifndef ATCA_CRYPTO_SHA1_EN -#define ATCA_CRYPTO_SHA1_EN (ATCAC_SHA1_EN && !ATCA_HOSTLIB_EN) -#endif - -/** \def ATCAC_SHA256_EN - * - * Enable ATCAC_SHA256_EN to enable sha256 host side api - * - * Supported API's: atcab_write - **/ -#ifndef ATCA_CRYPTO_SHA2_EN -#define ATCA_CRYPTO_SHA2_EN (ATCAC_SHA256_EN && !ATCA_HOSTLIB_EN) -#endif - -/** \def ATCA_CRYPTO_SHA2_HMAC_EN - * - * Requires: ATCAC_SHA256_EN - * - * Enable ATCAC_SHA256_HMAC to initialize context for performing HMAC (sha256) in software - * - * Supported API's: atcac_sha256_hmac_init, atcac_sha256_hmac_update, atcac_sha256_hmac_finish - **/ -#ifndef 
ATCA_CRYPTO_SHA2_HMAC_EN -#define ATCA_CRYPTO_SHA2_HMAC_EN (ATCAC_SHA256_HMAC_EN && !ATCA_HOSTLIB_EN) -#endif - -/** \def ATCA_CRYPTO_SHA2_HMAC_CTR_EN - * - * Requires: ATCAC_SHA256_HMAC_EN - * - * Enable ATCAC_SHA256_HMAC_COUNTER to implement SHA256 HMAC-Counter per NIST SP 800-108 used for - * KDF like operations - * - * Supported API's: atcac_sha256_hmac_counter - **/ -#ifndef ATCA_CRYPTO_SHA2_HMAC_CTR_EN -#define ATCA_CRYPTO_SHA2_HMAC_CTR_EN ATCAC_SHA256_HMAC_CTR_EN -#endif - -/****** ATCA_CRYPTO_PBKDF2 ******/ - -/** \def ATCAC_PBKDF2_SHA256_EN - * - * Requires: ATCAC_SHA256_EN - * ATCAC_SHA256_HMAC_EN - * - * Enable ATCAC_PBKDF2_SHA256_EN to calculate a PBKDF2 hash of a given password and salt - * - * Supported API's: atcac_pbkdf2_256 - **/ -#ifndef ATCAC_PBKDF2_SHA256_EN -#define ATCAC_PBKDF2_SHA256_EN ATCAC_SHA256_HMAC_EN -#endif - -/** \def ATCAB_PBKDF2_SHA256_EN - * - * Requires: CALIB_SHA_HMAC_EN - * - * Enable ATCAB_PBKDF2_SHA256_EN to calculate a PBKDF2 password hash using a stored key inside a - * device. The key length is determined by the device being used. ECCx08: 32 bytes, TA100: 16-64 bytes - * - * Supported API's: atcab_pbkdf2_256, atcab_pbkdf2_256_ext - **/ -#ifndef ATCAB_PBKDF2_SHA256_EN -#define ATCAB_PBKDF2_SHA256_EN (CALIB_SHA_HMAC_EN || TALIB_SHA_HMAC_EN) -#endif - -/****** ATCA_CRYPTO_PKCS7_PADDING ******/ -#ifndef ATCAC_PKCS7_PAD_EN -#define ATCAC_PKCS7_PAD_EN ATCAB_AES_EXTRAS_EN -#endif - -#endif /* CRYPTO_CONFIG_CHECK_H */ diff --git a/lib/cryptoauthlib.h b/lib/cryptoauthlib.h index aefd9ceb8..de8c1f3c0 100644 --- a/lib/cryptoauthlib.h +++ b/lib/cryptoauthlib.h @@ -66,7 +66,7 @@ #define ATCA_AES256_KEY_SIZE (32u) #define ATCA_ECCP256_KEY_SIZE (32) -#define ATCA_ECCP256_PUBKEY_SIZE (64) +#define ATCA_ECCP256_PUBKEY_SIZE (64u) #define ATCA_ECCP256_SIG_SIZE (64u) #define ATCA_ZONE_CONFIG ((uint8_t)0x00) diff --git a/lib/hal/atca_hal.c b/lib/hal/atca_hal.c index 453829a2c..f0b24cfd1 100644 --- a/lib/hal/atca_hal.c +++ b/lib/hal/atca_hal.c 
@@ -147,35 +147,35 @@ static ATCAHAL_t hal_custom; */ typedef struct { - uint8_t iface_type; /**< */ - ATCAHAL_t* hal; /**< */ - ATCAHAL_t* phy; /**< Physical interface for the specific HAL*/ + uint8_t iface_type; /**< */ + ATCAHAL_t* hal; /**< */ + ATCAHAL_t* phy; /**< Physical interface for the specific HAL*/ } atca_hal_list_entry_t; static atca_hal_list_entry_t atca_registered_hal_list[ATCA_MAX_HAL_CACHE] = { #ifdef ATCA_HAL_I2C - { (uint8_t)ATCA_I2C_IFACE, &hal_i2c, NULL }, + { (uint8_t)ATCA_I2C_IFACE, &hal_i2c, NULL }, #endif #ifdef ATCA_HAL_SWI_UART - { (uint8_t)ATCA_SWI_IFACE, &hal_swi_uart, &hal_uart }, + { (uint8_t)ATCA_SWI_IFACE, &hal_swi_uart, &hal_uart }, #endif #ifdef ATCA_HAL_KIT_UART - { (uint8_t)ATCA_UART_IFACE, &hal_kit_v1, &hal_uart }, + { (uint8_t)ATCA_UART_IFACE, &hal_kit_v1, &hal_uart }, #elif defined(ATCA_HAL_UART) - { (uint8_t)ATCA_UART_IFACE, &hal_uart, NULL }, + { (uint8_t)ATCA_UART_IFACE, &hal_uart, NULL }, #endif #ifdef ATCA_HAL_SPI - { (uint8_t)ATCA_SPI_IFACE, &hal_spi, NULL }, + { (uint8_t)ATCA_SPI_IFACE, &hal_spi, NULL }, #endif #ifdef ATCA_HAL_KIT_HID - { (uint8_t)ATCA_HID_IFACE, &hal_kit_v1, &hal_hid }, + { (uint8_t)ATCA_HID_IFACE, &hal_kit_v1, &hal_hid }, #endif #ifdef ATCA_HAL_KIT_BRIDGE - { (uint8_t)ATCA_KIT_IFACE, &hal_kit_bridge, NULL }, + { (uint8_t)ATCA_KIT_IFACE, &hal_kit_bridge, NULL }, #endif #if defined(ATCA_HAL_SWI_GPIO) || defined(ATCA_HAL_SWI_BB) - { (uint8_t)ATCA_SWI_GPIO_IFACE, &hal_swi_gpio, &hal_gpio }, + { (uint8_t)ATCA_SWI_GPIO_IFACE, &hal_swi_gpio, &hal_gpio }, #endif }; @@ -238,6 +238,7 @@ static ATCA_STATUS hal_iface_set_registered(ATCAIfaceType iface_type, ATCAHAL_t* } else { + /* coverity[misra_c_2012_rule_14_3_violation] */ if ((empty == atca_registered_hal_list_size) && (NULL == atca_registered_hal_list[i].hal) && (NULL == atca_registered_hal_list[i].phy)) { empty = i; diff --git a/lib/hal/hal_esp32_i2c.c b/lib/hal/hal_esp32_i2c.c index 3d3bcc889..7185f9417 100644 --- a/lib/hal/hal_esp32_i2c.c 
+++ b/lib/hal/hal_esp32_i2c.c @@ -24,16 +24,16 @@ #define I2C0_SCL_PIN 17 #define I2C1_SDA_PIN 21 #define I2C1_SCL_PIN 22 -#define ACK_CHECK_EN 0x1 /*!< I2C master will check ack from slave*/ -#define ACK_CHECK_DIS 0x0 /*!< I2C master will not check ack from slave */ -#define ACK_VAL 0x0 /*!< I2C ack value */ -#define NACK_VAL 0x1 /*!< I2C nack value */ +#define ACK_CHECK_EN 0x1 /*!< I2C master will check ack from slave*/ +#define ACK_CHECK_DIS 0x0 /*!< I2C master will not check ack from slave */ +#define ACK_VAL 0x0 /*!< I2C ack value */ +#define NACK_VAL 0x1 /*!< I2C nack value */ #ifndef LOG_LOCAL_LEVEL #define LOG_LOCAL_LEVEL ESP_LOG_INFO #endif -#define MAX_I2C_BUSES 2 //ESP32 has 2 I2C bus +#define MAX_I2C_BUSES 2 //ESP32 has 2 I2C bus typedef struct atcaI2Cmaster { 
@@ -161,23 +161,36 @@ ATCA_STATUS hal_i2c_post_init(ATCAIface iface) * \param[in] txlength number of bytes to send * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t address, uint8_t *txdata, int txlength) +ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, int txlength) { ATCAIfaceCfg *cfg = iface->mIfaceCFG; esp_err_t rc; + uint8_t device_address = 0xFFu; if (!cfg) { return ATCA_BAD_PARAM; } +#ifdef ATCA_ENABLE_DEPRECATED + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.slave_address) +#else + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.address) +#endif + + //ESP_LOGD(TAG, "txdata: %p , txlength: %d", txdata, txlength); //ESP_LOG_BUFFER_HEXDUMP(TAG, txdata, txlength, 3); i2c_cmd_handle_t cmd = i2c_cmd_link_create(); (void)i2c_master_start(cmd); - (void)i2c_master_write_byte(cmd, address | I2C_MASTER_WRITE, ACK_CHECK_EN); - (void)i2c_master_write(cmd, txdata, txlength, ACK_CHECK_EN); + (void)i2c_master_write_byte(cmd, device_address | I2C_MASTER_WRITE, ACK_CHECK_EN); + (void)i2c_master_write_byte(cmd, word_address, ACK_CHECK_EN); + + if (NULL != txdata && 0u < txlength) + { + (void)i2c_master_write(cmd, txdata, txlength, ACK_CHECK_EN); + } (void)i2c_master_stop(cmd); rc = i2c_master_cmd_begin(cfg->atcai2c.bus, cmd, 10); (void)i2c_cmd_link_delete(cmd); diff --git a/lib/hal/hal_i2c_harmony.c b/lib/hal/hal_i2c_harmony.c index 7ba6b9e4e..fbb289aff 100644 --- a/lib/hal/hal_i2c_harmony.c +++ b/lib/hal/hal_i2c_harmony.c 
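Review bot: Both new `device_address = ATCA_IFACECFG_VALUE(cfg, ...)` assignments in `hal_i2c_send` lack a terminating semicolon, so this file will not compile unless the macro itself expands to a full statement. The same assignments in hal_i2c_harmony.c and hal_linux_i2c_userspace.c are written with `;`, which suggests it does not. Terminate both branches, e.g. `device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.address);`. The new guard `0u < txlength` also compares a signed `int` with an unsigned literal, so a negative `txlength` is converted to a large unsigned value and passes. Writing `0 < txlength` keeps the comparison signed; the guards added in hal_spi_harmony.c and hal_swi_gpio.c have the same form.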
@@ -142,11 +142,13 @@ ATCA_STATUS hal_i2c_post_init(ATCAIface iface) * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t address, uint8_t *txdata, int txlength) +ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, int txlength) { ATCAIfaceCfg* cfg = atgetifacecfg(iface); atca_plib_i2c_api_t * plib; ATCA_STATUS status = ATCA_COMM_FAIL; + uint8_t device_address = 0xFFu; + uint8_t temp_buf[MAX_PACKET_SIZE] = { 0u }; if (!cfg) { @@ -159,13 +161,29 @@ ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t address, uint8_t *txdata, int return ATCA_BAD_PARAM; } +#ifdef ATCA_ENABLE_DEPRECATED + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.slave_address); +#else + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.address); +#endif + + temp_buf[0] = word_address; + + if (NULL != txdata) + { + memcpy(&temp_buf[1], txdata, txlength); + } + + //! Add 1 byte for word address + txlength += 1u; + /* Wait for the I2C bus to be ready */ status = hal_i2c_wait(plib, cfg->atcai2c.baud, 30); if (ATCA_SUCCESS == status) { status = ATCA_COMM_FAIL; - if (plib->write(address >> 1, txdata, txlength) == true) + if (plib->write(device_address >> 1, temp_buf, txlength) == true) { /* Wait for the I2C transfer to complete */ status = hal_i2c_wait(plib, cfg->atcai2c.baud, txlength); @@ -180,7 +198,6 @@ ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t address, uint8_t *txdata, int } } } - return status; } diff --git a/lib/hal/hal_kit_bridge.c b/lib/hal/hal_kit_bridge.c index 3de5804fe..0f5c87a5c 100644 --- a/lib/hal/hal_kit_bridge.c +++ b/lib/hal/hal_kit_bridge.c 
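Review bot: `memcpy(&temp_buf[1], txdata, txlength)` copies a caller-supplied length into the fixed `temp_buf[MAX_PACKET_SIZE]` stack array with no bound, so a `txlength` of `MAX_PACKET_SIZE` or more writes past the array. A negative `txlength` is converted to a huge `size_t`. Reject out-of-range lengths before the copy, for example `if ((txlength < 0) || ((size_t)txlength > (sizeof(temp_buf) - 1u))) { return ATCA_BAD_PARAM; }`. The copy is guarded only by `NULL != txdata`; adding `0 < txlength` to that condition would match the other HALs in this commit.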
@@ -163,17 +163,21 @@ ATCA_STATUS hal_kit_send(ATCAIface iface, uint8_t word_address, uint8_t* txdata, if (packet) { hal_kit_header(iface->mIfaceCFG, packet, HAL_KIT_COMMAND_SEND); - packet[3] = word_address; + if (atcab_is_ta_device(iface->mIfaceCFG->devtype)) { - memcpy(&packet[4], &txdata[1], txlength - 1); + packet[3] = word_address; } else { - memcpy(&packet[4], txdata, txlength); - txlength++; + packet[3] = 0xFF; } + memcpy(&packet[4], txdata, txlength); + + //! Add 1 byte to txlength for word address + txlength += 1u; + status = hal_kit_phy_send(phy, packet, txlength + HAL_KIT_HEADER_LEN); if (ATCA_SUCCESS == status) diff --git a/lib/hal/hal_linux.c b/lib/hal/hal_linux.c index 7ae457e2b..e94dcb293 100644 --- a/lib/hal/hal_linux.c +++ b/lib/hal/hal_linux.c @@ -78,10 +78,10 @@ void hal_delay_ms(uint32_t delay) #include ATCA_STATUS hal_alloc_shared( - void ** pShared, /**< [in/out] Location to store the pointer to the allocated shared memory */ - size_t size, /**< [in] Requested size of the block */ - const char* pName, /**< [in] Name of the shared memory block */ - bool * initialized /**< [out] Returns initialized status (true if new and initialized to zero, false if existing) */ + void ** pShared, /**< [in/out] Location to store the pointer to the allocated shared memory */ + size_t size, /**< [in] Requested size of the block */ + const char* pName, /**< [in] Name of the shared memory block */ + bool * initialized /**< [out] Returns initialized status (true if new and initialized to zero, false if existing) */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; @@ -289,7 +289,7 @@ ATCA_STATUS hal_unlock_mutex(void *pMutex) * \param[in,out] ppMutex location to receive ptr to mutex * \param[in,out] pName String used to identify the mutex */ -ATCA_STATUS hal_create_mutex(void ** ppMutex, char* pName) +ATCA_STATUS hal_create_mutex(void ** ppMutex, const char* pName) { sem_t * sem; 
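Review bot: `memcpy(&packet[4], txdata, txlength)` in `hal_kit_send` now runs unconditionally, yet the other HALs changed in this commit treat a NULL `txdata` as a valid word-address-only send. Such a call would hand `memcpy` a NULL source here. Guard the copy the same way, `if ((NULL != txdata) && (0 < txlength)) { (void)memcpy(&packet[4], txdata, (size_t)txlength); }`. The TA path used to copy `txlength - 1` bytes and now copies `txlength` and sends one byte more, so the packet allocation needs room for the extra byte. That allocation is outside this hunk and is worth confirming.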
diff --git a/lib/hal/hal_linux_i2c_userspace.c b/lib/hal/hal_linux_i2c_userspace.c index 22e889b92..142d8a5e0 100644 --- a/lib/hal/hal_linux_i2c_userspace.c +++ b/lib/hal/hal_linux_i2c_userspace.c @@ -38,6 +38,7 @@ #include #include #include +#include #include "atca_hal.h" 
@@ -129,36 +130,63 @@ ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, { atca_i2c_host_t * hal_data = (atca_i2c_host_t*)atgetifacehaldat(iface); int f_i2c; // I2C file descriptor + uint8_t device_address = 0xFFu; + uint8_t* temp_buf = NULL; if (NULL == hal_data) { return ATCA_NOT_INITIALIZED; } +#ifdef ATCA_ENABLE_DEPRECATED + device_address = ATCA_IFACECFG_VALUE(iface->mIfaceCFG, atcai2c.slave_address); +#else + device_address = ATCA_IFACECFG_VALUE(iface->mIfaceCFG, atcai2c.address); +#endif + + //! Add 1 byte for word address + if (INT_MAX > txlength) + { + txlength += 1; + } + + if (NULL == (temp_buf = hal_malloc((size_t)txlength))) + { + return ATCA_ALLOC_FAILURE; + } + + temp_buf[0] = word_address; + if ((NULL != txdata) && (1 < txlength)) + { + /* coverity[misra_c_2012_rule_10_8_violation] */ + (void)memcpy(&temp_buf[1], txdata, (size_t)(txlength - 1)); + } + // Initiate I2C communication /* coverity[cert_fio32_c_violation] It is the system owner's responsibility ensure configuration provides a valid i2c device */ - if ( (f_i2c = open(hal_data->i2c_file, O_RDWR)) < 0) + if ((f_i2c = open(hal_data->i2c_file, O_RDWR)) < 0) { + hal_free(temp_buf); return ATCA_COMM_FAIL; } // Set Device Address - if (ioctl(f_i2c, I2C_SLAVE, word_address >> 1) < 0) + if (ioctl(f_i2c, I2C_SLAVE, device_address >> 1) < 0) { + hal_free(temp_buf); (void)close(f_i2c); return ATCA_COMM_FAIL; } // Send data - if ((NULL != txdata) && (0 < txlength)) + if (write(f_i2c, temp_buf, (size_t)txlength) != txlength) { - if (write(f_i2c, txdata, (size_t)txlength) != txlength) - { - (void)close(f_i2c); - return ATCA_COMM_FAIL; - } + hal_free(temp_buf); + (void)close(f_i2c); + return ATCA_COMM_FAIL; } + hal_free(temp_buf); (void)close(f_i2c); return ATCA_SUCCESS; } 
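Review bot: `txlength` is never checked for negative values before `hal_malloc((size_t)txlength)`, so a caller passing -1 requests zero bytes after the increment. If the allocator returns a non-NULL pointer for that, `temp_buf[0] = word_address` writes outside the allocation; other negative values turn into very large allocation sizes. The `INT_MAX > txlength` guard also skips the increment silently, which leaves the last payload byte out of the copy. Rejecting both cases up front is simpler: `if ((0 > txlength) || (INT_MAX == txlength)) { return ATCA_BAD_PARAM; }` followed by an unconditional `txlength += 1;`. The three `hal_free(temp_buf)` exits could then share a single cleanup path.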
@@ -183,7 +211,7 @@ ATCA_STATUS hal_i2c_receive(ATCAIface iface, uint8_t word_address, uint8_t *rxda // Initiate I2C communication /* coverity[cert_fio32_c_violation] It is the system owner's responsibility ensure configuration provides a valid i2c device */ - if ( (f_i2c = open(hal_data->i2c_file, O_RDWR)) < 0) + if ((f_i2c = open(hal_data->i2c_file, O_RDWR)) < 0) { return ATCA_COMM_FAIL; } diff --git a/lib/hal/hal_linux_spi_userspace.c b/lib/hal/hal_linux_spi_userspace.c index f69752f71..5e546f423 100644 --- a/lib/hal/hal_linux_spi_userspace.c +++ b/lib/hal/hal_linux_spi_userspace.c @@ -9,8 +9,8 @@ typedef struct atca_spi_host_s { - char spi_file[20]; - int f_spi; + char spi_file[20]; + int f_spi; } atca_spi_host_t; /** \brief Open and configure the SPI device @@ -69,8 +69,7 @@ static ATCA_STATUS hal_spi_open_file(const char * dev_name, uint32_t speed, int /* Configuration was fully successful */ status = ATCA_SUCCESS; - } - while (false); + } while (false); } return status; @@ -213,7 +212,6 @@ ATCA_STATUS hal_spi_receive(ATCAIface iface, uint8_t word_address, uint8_t *rxda return status; } - /** \brief HAL implementation of SPI send * \param[in] iface instance * \param[in] word_address transaction type 
@@ -227,19 +225,17 @@ ATCA_STATUS hal_spi_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, ATCA_STATUS status = ATCA_SUCCESS; atca_spi_host_t * hal_data = (atca_spi_host_t*)atgetifacehaldat(iface); - ((void)word_address); - - if ((NULL != hal_data) && (NULL != txdata) && (0 < txlength)) + if ((NULL != hal_data)) { struct spi_ioc_transfer spi_xfer = { 0 }; - spi_xfer.tx_buf = (unsigned long)txdata; - spi_xfer.len = (unsigned int)txlength; + spi_xfer.tx_buf = (unsigned long)&word_address; + spi_xfer.len = (unsigned int)sizeof(word_address); spi_xfer.cs_change = 1U; /* coverity[misra_c_2012_rule_10_1_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ /* coverity[misra_c_2012_rule_10_4_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ /* coverity[misra_c_2012_rule_12_2_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ - if (txlength == ioctl(hal_data->f_spi, SPI_IOC_MESSAGE(1), &spi_xfer)) + if (1 == ioctl(hal_data->f_spi, SPI_IOC_MESSAGE(1), &spi_xfer)) { status = ATCA_SUCCESS; } 
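Review bot: `status` starts as `ATCA_SUCCESS` and is only changed inside `if ((NULL != hal_data))`, so `hal_spi_send` on an interface whose HAL data is NULL returns success without transmitting anything. Initialise it to a failure instead, `ATCA_STATUS status = ATCA_BAD_PARAM;`, or add an `else` branch that sets one. The doubled parentheses left in the condition can be dropped at the same time. The function body continues in the next hunk.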
@@ -247,12 +243,31 @@ ATCA_STATUS hal_spi_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, { status = ATCA_COMM_FAIL; } + + if ((ATCA_SUCCESS == status) && (NULL != txdata) && (0 < txlength)) + { + struct spi_ioc_transfer spi_xfer_1 = { 0 }; + spi_xfer_1.tx_buf = (unsigned long)txdata; + spi_xfer_1.len = (unsigned int)txlength; + spi_xfer_1.cs_change = 1U; + + /* coverity[misra_c_2012_rule_10_1_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ + /* coverity[misra_c_2012_rule_10_4_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ + /* coverity[misra_c_2012_rule_12_2_violation] SPI_IOC_MESSAGE is defined by the Linux Specification and is used correctly here */ + if (txlength == ioctl(hal_data->f_spi, SPI_IOC_MESSAGE(1), &spi_xfer_1)) + { + status = ATCA_SUCCESS; + } + else + { + status = ATCA_COMM_FAIL; + } + } } return status; } - /** \brief Perform control operations for the kit protocol * \param[in] iface Interface to interact with. * \param[in] option Control parameter identifier diff --git a/lib/hal/hal_spi_harmony.c b/lib/hal/hal_spi_harmony.c index e68695a92..0ddd51709 100644 --- a/lib/hal/hal_spi_harmony.c +++ b/lib/hal/hal_spi_harmony.c @@ -196,6 +196,7 @@ ATCA_STATUS hal_spi_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, ATCAIfaceCfg* cfg = atgetifacecfg(iface); atca_plib_spi_api_t * plib; ATCA_STATUS status = !ATCA_SUCCESS; + bool plibstatus = false; if (!cfg) { 
@@ -214,22 +215,32 @@ ATCA_STATUS hal_spi_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, do { /* Wait for the SPI bus to be ready */ - if (ATCA_SUCCESS != (status = hal_spi_wait(plib, cfg->atcaspi.baud, 0)) ) + if (ATCA_SUCCESS != (status = hal_spi_wait(plib, cfg->atcaspi.baud, 0))) { break; } - if (true == plib->write(txdata, txlength) ) + if (true != (plibstatus = plib->write(&word_address, sizeof(word_address)))) { - /* Wait for the SPI transfer to complete */ - status = hal_spi_wait(plib, cfg->atcaspi.baud, txlength); + status = ATCA_COMM_FAIL; + break; } - else + + /* Wait for the SPI transfer to complete */ + status = hal_spi_wait(plib, cfg->atcaspi.baud, sizeof(word_address)); + + if (NULL != txdata && 0u < txlength) { - status = ATCA_COMM_FAIL; + if (true != (plibstatus = plib->write(txdata, txlength))) + { + status = ATCA_COMM_FAIL; + break; + } + + /* Wait for the SPI transfer to complete */ + status = hal_spi_wait(plib, cfg->atcaspi.baud, txlength); } - } - while (0); + } while (0); return status; } @@ -260,7 +271,7 @@ ATCA_STATUS hal_spi_receive(ATCAIface iface, uint8_t word_address, uint8_t *rxda /* read status register/length bytes to know number of bytes to read */ status = ATCA_COMM_FAIL; - if (true == plib->read(rxdata, *rxlength) ) + if (true == plib->read(rxdata, *rxlength)) { /* Wait for the SPI transfer to complete */ status = hal_spi_wait(plib, cfg->atcaspi.baud, *rxlength); diff --git a/lib/hal/hal_swi_gpio.c b/lib/hal/hal_swi_gpio.c index ac9202c8d..83079dc11 100644 --- a/lib/hal/hal_swi_gpio.c +++ b/lib/hal/hal_swi_gpio.c @@ -497,10 +497,7 @@ ATCA_STATUS hal_swi_gpio_send(ATCAIface iface, uint8_t word_address, uint8_t *tx { ATCAIfaceCfg *cfg = atgetifacecfg(iface); ATCA_STATUS status = ATCA_BAD_PARAM; - - #ifdef ATCA_HAL_1WIRE uint8_t dev_write_addr; - #endif if (!cfg) { 
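Review bot: The result of the first `hal_spi_wait(plib, cfg->atcaspi.baud, sizeof(word_address))` is not checked before the payload is written. A failed wait on the word-address byte is therefore followed by `plib->write(txdata, txlength)`, and its status is overwritten by the second wait. Add `if (ATCA_SUCCESS != status) { break; }` directly after that first wait. `plibstatus` is never used beyond the comparison it is assigned in, so the conditions can test the return value of `plib->write` directly and the variable can be removed.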
@@ -515,7 +512,14 @@ ATCA_STATUS hal_swi_gpio_send(ATCAIface iface, uint8_t word_address, uint8_t *tx dev_write_addr = get_slave_addr_1wire(cfg->atcaswi.address, ATCA_GPIO_WRITE); if (ATCA_SUCCESS == (status = gpio_send_bytes(iface, &dev_write_addr, sizeof(dev_write_addr)))) { - status = gpio_send_bytes(iface, txdata, txlength); + //! Send word address + status = gpio_send_bytes(iface, &word_address, sizeof(word_address)); + + //! Send data + if((ATCA_SUCCESS == status) && (NULL != txdata) && (0u < txlength)) + { + status = gpio_send_bytes(iface, txdata, txlength); + } } status = start_stop_cond_1wire(iface); } @@ -526,7 +530,10 @@ ATCA_STATUS hal_swi_gpio_send(ATCAIface iface, uint8_t word_address, uint8_t *tx #ifdef ATCA_HAL_SWI if (ATCA_SUCCESS == (status = gpio_send_bytes(iface, &word_address, sizeof(word_address)))) { - status = gpio_send_bytes(iface, txdata, txlength); + if(NULL != txdata && 0U < txlength) + { + status = gpio_send_bytes(iface, txdata, txlength); + } } #endif } diff --git a/lib/hal/hal_swi_uart.c b/lib/hal/hal_swi_uart.c index 910e2606f..14d78751c 100644 --- a/lib/hal/hal_swi_uart.c +++ b/lib/hal/hal_swi_uart.c 
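Review bot: In the 1-Wire branch the status of the new word-address and data sends is discarded, because the context line `status = start_stop_cond_1wire(iface);` after the block assigns `status` unconditionally. A failed `gpio_send_bytes` is then reported as success whenever the stop condition succeeds. Keep the first failure, e.g. `ATCA_STATUS stop = start_stop_cond_1wire(iface);` followed by `if (ATCA_SUCCESS == status) { status = stop; }`. The enclosing function starts and ends outside these hunks, so any later handling of `status` is not visible here.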
@@ -107,26 +107,43 @@ static ATCA_STATUS hal_swi_uart_send_bit(ATCAIface iface, uint8_t data) ATCA_STATUS hal_swi_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, int txlength) { - (void)word_address; ATCA_STATUS status = ATCA_SUCCESS; - uint8_t i, bit_mask, bit_data; + uint8_t bit_mask, bit_data; + int i; (void)iface->phy->halcontrol(iface, ATCA_HAL_FLUSH_BUFFER, NULL, 0); - for (i = 0; i < txlength; i++) + //!Send word address + for (bit_mask = 1U; bit_mask > 0U; bit_mask <<= 1U) { - for (bit_mask = 1; bit_mask > 0; bit_mask <<= 1) + // Send one byte that represent one bit, 0x7F for one or 0x7D for zero + // The LSB (least significant bit) is sent first. + bit_data = ((bit_mask & word_address) != 0U) ? 0x7FU : 0x7DU; + status = hal_swi_uart_send_bit(iface, bit_data); + if (status != ATCA_SUCCESS) { - // Send one byte that represent one bit, 0x7F for one or 0x7D for zero - // The LSB (least significant bit) is sent first. - bit_data = (bit_mask & *txdata) ? 0x7F : 0x7D; - status = hal_swi_uart_send_bit(iface, bit_data); - if (status != ATCA_SUCCESS) + return ATCA_COMM_FAIL; + } + } + + if((NULL != txdata) && (0 < txlength)) + { + //!Send data + for (i = 0; i < txlength; i++) + { + for (bit_mask = 1U; bit_mask > 0U; bit_mask <<= 1U) { + // Send one byte that represent one bit, 0x7F for one or 0x7D for zero + // The LSB (least significant bit) is sent first. + bit_data = ((bit_mask & *txdata) != 0U) ? 0x7FU : 0x7DU; + status = hal_swi_uart_send_bit(iface, bit_data); + if (status != ATCA_SUCCESS) + { return ATCA_COMM_FAIL; + } } + txdata++; } - txdata++; } return ATCA_SUCCESS; diff --git a/lib/hal/kit_protocol.c b/lib/hal/kit_protocol.c index 83e7ba2ff..98c6b3ef6 100644 --- a/lib/hal/kit_protocol.c +++ b/lib/hal/kit_protocol.c @@ -28,6 +28,7 @@ #include #include +#include #include "atca_compiler.h" #include "kit_protocol.h" #include "atca_helpers.h" 
@@ -96,6 +97,9 @@ const char * kit_id_from_devtype(ATCADeviceType devtype) case TA100: device_type = "TA100"; break; + case TA101: + device_type = "TA101"; + break; case ECC204: device_type = "ECC204"; break; @@ -317,7 +321,11 @@ ATCA_STATUS kit_phy_receive(ATCAIface iface, uint8_t* rxdata, int* rxsize) location = memchr(&rxdata[total_bytes_read], (int)'\n', (size_t)rxlen); total_bytes_read += rxlen; - bytes_to_read -= rxlen; + + if (rxlen <= bytes_to_read) + { + bytes_to_read -= rxlen; + } } // Save the total bytes read @@ -605,25 +613,30 @@ ATCA_STATUS kit_send(ATCAIface iface, uint8_t word_address, uint8_t* txdata, int char* pkitbuf = NULL; const char *target; - ((void)word_address); - - // Check the pointers - if (txdata == NULL) - { - return ATCA_BAD_PARAM; - } - do { // Wrap in kit protocol - /* coverity[cert_int32_c_violation:FALSE] txlength maximum value is controled by maximum supported packet size of the device */ - nkitbuf = txlength * 2 + KIT_TX_WRAP_SIZE; + if(atcab_is_ta_device(iface->mIfaceCFG->devtype)) + { + /* coverity[cert_int32_c_violation:FALSE] txlength maximum value is controled by maximum supported packet size of the device */ + nkitbuf = (txlength + sizeof(word_address)) * 2 + KIT_TX_WRAP_SIZE; + } + else + { + /* coverity[cert_int32_c_violation:FALSE] txlength maximum value is controled by maximum supported packet size of the device */ + nkitbuf = txlength * 2 + KIT_TX_WRAP_SIZE; + } + pkitbuf = hal_malloc(nkitbuf > 0 ? (size_t)nkitbuf : 0u); - (void)memset(pkitbuf, 0, (size_t)nkitbuf); + + if (NULL != pkitbuf) + { + (void)memset(pkitbuf, 0, (size_t)nkitbuf); + } target = kit_id_from_devtype(iface->mIfaceCFG->devtype); - if (ATCA_SUCCESS != (status = kit_wrap_cmd(txdata, txlength, pkitbuf, &nkitbuf, target))) + if (ATCA_SUCCESS != (status = kit_wrap_cmd(word_address, txdata, txlength, pkitbuf, &nkitbuf, target))) { status = ATCA_GEN_FAIL; break; 
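Review bot: When `hal_malloc` fails in `kit_send`, the new code only skips the `memset` and then passes the NULL `pkitbuf` on to `kit_wrap_cmd`. The allocation failure therefore surfaces as `ATCA_GEN_FAIL` by way of that function's parameter check. Handle it at the allocation instead: `if (NULL == pkitbuf) { status = ATCA_ALLOC_FAILURE; break; }`. The same pattern added to `kit_receive` is riskier, because the NULL buffer is handed to `kit_phy_receive`, whose own NULL handling is not visible in this diff. In `kit_phy_receive`, the new `rxlen <= bytes_to_read` guard skips the subtraction after `total_bytes_read` has already been advanced, so treating that case as an error would be clearer than continuing the loop.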
@@ -698,7 +711,11 @@ ATCA_STATUS kit_receive(ATCAIface iface, uint8_t word_address, uint8_t* rxdata, //coverity[misra_c_2012_rule_10_8_violation] this has been tested and confirmed to be correct for USB HID communication nkitbuf = (int)((((((*rxsize * 2u) + KIT_RX_WRAP_SIZE)) / 64u) + 1u) * 64u); pkitbuf = hal_malloc((size_t)nkitbuf); - (void)memset(pkitbuf, 0, (size_t)nkitbuf); + + if (NULL != pkitbuf) + { + (void)memset(pkitbuf, 0, (size_t)nkitbuf); + } if (ATCA_SUCCESS != (status = kit_phy_receive(iface, (uint8_t*)pkitbuf, &nkitbuf))) { @@ -712,14 +729,19 @@ ATCA_STATUS kit_receive(ATCAIface iface, uint8_t word_address, uint8_t* rxdata, #endif // Unwrap from kit protocol - dataSize = (int)*rxsize; + + /* coverity[misra_c_2012_rule_14_3_violation] */ + if ((*rxsize >= 0U) &&(*rxsize <= UINT16_MAX)) + { + dataSize = (int)*rxsize; + } *rxsize = 0; if (ATCA_SUCCESS != (status = kit_parse_rsp(pkitbuf, nkitbuf, kitstatus, rxdata, &dataSize))) { break; } - *rxsize = (uint16_t)dataSize; + *rxsize = (uint16_t)(dataSize & UINT16_MAX); } while (false); 
@@ -870,34 +892,47 @@ ATCA_STATUS kit_sleep(ATCAIface iface) } /** \brief Wrap binary bytes in ascii kit protocol + * \param[in] word_address Binary word address to wrap. * \param[in] txdata Binary data to wrap. * \param[in] txlen Length of binary data in bytes. - * \param[out] pkitcmd ASCII kit protocol wrapped data is return here. + * \param[out] pkitcmd ASCII kit protocol wrapped data is returned here. * \param[in,out] nkitcmd As input, the size of the pkitcmd buffer. * As output, the number of bytes returned in the * pkitcmd buffer. * \param[in] target Device type * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS kit_wrap_cmd(const uint8_t* txdata, int txlen, char* pkitcmd, int* nkitcmd, const char* target) +ATCA_STATUS kit_wrap_cmd(uint8_t word_address, const uint8_t* txdata, int txlen, char* pkitcmd, int* nkitcmd, const char* target) { ATCA_STATUS status = ATCA_SUCCESS; const char* ta_cmdpre = "t:send("; const char* ca_cmdpre = "d:t("; + bool is_ta_device = (strncmp(target, "TA10x", 3) != 0) ? false : true; const char* cmdpre = (strncmp(target, "TA10x", 3) != 0) ? 
ca_cmdpre : ta_cmdpre; char cmdpost[] = ")\n"; size_t cpylen = 0U; size_t cpyindex = 0U; + size_t cmdlen = 0U; // Check the variables - if (txdata == NULL || pkitcmd == NULL || nkitcmd == NULL || (0 > txlen)) + if (pkitcmd == NULL || nkitcmd == NULL || (0 > txlen)) { return ATCA_BAD_PARAM; } - size_t cmdAsciiLen = (size_t)txlen * 2U; - /* coverity[cert_int30_c_violation:FALSE] None of these inputs can exceed SIZE_MAX */ - size_t cmdlen = cmdAsciiLen + strlen(cmdpre) + sizeof(cmdpost) - 1U; + size_t wordaddr_cmdAsciiLen = (sizeof(word_address) * 2U); + size_t txdata_cmdAsciiLen = (size_t)txlen * 2U; + + if(is_ta_device == true) + { + /* coverity[cert_int30_c_violation:FALSE] None of these inputs can exceed SIZE_MAX */ + cmdlen = wordaddr_cmdAsciiLen + txdata_cmdAsciiLen + strlen(cmdpre) + sizeof(cmdpost) - 1U; + } + else + { + /* coverity[cert_int30_c_violation:FALSE] None of these inputs can exceed SIZE_MAX */ + cmdlen = txdata_cmdAsciiLen + strlen(cmdpre) + sizeof(cmdpost) - 1U; + } /* coverity[cert_int31_c_violation:FALSE] cmdlen will never exceed INT_MAX */ if (*nkitcmd < (int)cmdlen) 
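Review bot: The new `is_ta_device` initialiser adds a second `strncmp(target, "TA10x", 3)` that runs before the parameter check, and `target` is not part of that check, so a NULL `target` is dereferenced before any validation. Include `target == NULL` in the `ATCA_BAD_PARAM` test and compute the flag after it. `cmdpre` can then reuse the flag, `cmdpre = is_ta_device ? ta_cmdpre : ca_cmdpre;`. Whether `kit_id_from_devtype` can return NULL for an unknown device type is not visible in this hunk. The added doc line could read `\param[in] word_address Binary word address to wrap (emitted only for TA devices).` to match the length computation.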
@@ -915,20 +950,37 @@ ATCA_STATUS kit_wrap_cmd(const uint8_t* txdata, int txlen, char* pkitcmd, int* n pkitcmd[0] = target[0]; - // Copy the ascii binary bytes - if (ATCA_SUCCESS != (status = atcab_bin2hex_(txdata, (size_t)txlen, &pkitcmd[cpyindex], &cmdAsciiLen, false, false, true))) + if(is_ta_device == true) { - return status; + // Copy the ascii binary bytes + if (ATCA_SUCCESS != (status = atcab_bin2hex_(&word_address, sizeof(word_address), &pkitcmd[cpyindex], &wordaddr_cmdAsciiLen, false, false, true))) + { + return status; + } + cpyindex += wordaddr_cmdAsciiLen; + } + + if(NULL != txdata && 0u < txlen) + { + // Copy the ascii binary bytes + if (ATCA_SUCCESS != (status = atcab_bin2hex_(txdata, (size_t)(txlen), &pkitcmd[cpyindex], &txdata_cmdAsciiLen, false, false, true))) + { + return status; + } + cpyindex += txdata_cmdAsciiLen; } - cpyindex += cmdAsciiLen; // Copy the postfix cpylen = strlen(cmdpost); (void)memcpy(&pkitcmd[cpyindex], cmdpost, cpylen); - /* coverity[cert_int30_c_violation:FALSE] cpyindex can never wrap because the input strings sizes are controled to a narrow range by the caller */ + /* coverity[cert_int30_c_violation:FALSE] cpyindex can never wrap because the input strings sizes are controlled to a narrow range by the caller */ cpyindex += cpylen; - *nkitcmd = (int)cpyindex; + /* coverity[misra_c_2012_rule_14_3_violation] Max slot can be greater than 1*/ + if (cpyindex >= INT_MIN && cpyindex <= INT_MAX) + { + *nkitcmd = (int)cpyindex; + } return status; } diff --git a/lib/hal/kit_protocol.h b/lib/hal/kit_protocol.h index c8aca70cf..40bef108b 100644 --- a/lib/hal/kit_protocol.h +++ b/lib/hal/kit_protocol.h 
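Review bot: `cpyindex >= INT_MIN` compares a `size_t` with a negative `int`, which converts `INT_MIN` to a very large unsigned value on platforms where `size_t` is at least as wide as `int`. Combined with `cpyindex <= INT_MAX` the condition can never be true, so `*nkitcmd` is never updated with the wrapped length and the caller still sees the buffer size it passed in. Test the upper bound only, `if (cpyindex <= (size_t)INT_MAX) { *nkitcmd = (int)cpyindex; }`, and return an error in the other case instead of leaving the output untouched. The invariant-condition suppression placed above the check hides exactly this.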
@@ -59,7 +59,7 @@ ATCA_STATUS kit_receive(ATCAIface iface, uint8_t word_address, uint8_t* rxdata, ATCA_STATUS kit_control(ATCAIface iface, uint8_t option, void* param, size_t paramlen); ATCA_STATUS kit_release(void* hal_data); -ATCA_STATUS kit_wrap_cmd(const uint8_t* txdata, int txlen, char* pkitcmd, int* nkitcmd, const char* target); +ATCA_STATUS kit_wrap_cmd(uint8_t word_address, const uint8_t* txdata, int txlen, char* pkitcmd, int* nkitcmd, const char* target); ATCA_STATUS kit_parse_rsp(const char* pkitbuf, int nkitbuf, uint8_t* kitstatus, uint8_t* rxdata, int* datasize); ATCA_STATUS kit_wake(ATCAIface iface); diff --git a/lib/jwt/atca_jwt.c b/lib/jwt/atca_jwt.c index 337f2e5a2..a99c82f84 100644 --- a/lib/jwt/atca_jwt.c +++ b/lib/jwt/atca_jwt.c @@ -31,7 +31,7 @@ #include "jwt/atca_jwt.h" #include -#ifdef ATCA_JWT +#ifdef ATCA_JWT_EN #ifdef __COVERITY__ #pragma coverity compliance block \ @@ -46,7 +46,7 @@ static const char g_jwt_header[] = "{\"alg\":\"ES256\",\"typ\":\"JWT\"}"; * order to append a claim */ void atca_jwt_check_payload_start( - atca_jwt_t* jwt /**< [in] JWT Context to use */ + atca_jwt_t* jwt /**< [in] JWT Context to use */ ) { /* Rationality checks: a) must be valid, b) buf must be valid, c) must not be at the start, d) must have room */ @@ -310,9 +310,9 @@ ATCA_STATUS atca_jwt_add_claim_numeric( * \brief Verifies the signature of a jwt using the provided public key */ ATCA_STATUS atca_jwt_verify( - const char* buf, /**< [in] Buffer holding an encoded jwt */ - uint16_t buflen, /**< [in] Length of the buffer/jwt */ - const uint8_t* pubkey /**< [in] Public key (raw byte format) */ + const char* buf, /**< [in] Buffer holding an encoded jwt */ + uint16_t buflen, /**< [in] Length of the buffer/jwt */ + const uint8_t* pubkey /**< [in] Public key (raw byte format) */ ) { ATCA_STATUS status = ATCA_GEN_FAIL; @@ -390,8 +390,7 @@ ATCA_STATUS atca_jwt_verify( { status = ATCA_CHECKMAC_VERIFY_FAILED; } - } - while (false); + } while (false); return status; } 
diff --git a/lib/mbedtls/atca_mbedtls_interface.h b/lib/mbedtls/atca_mbedtls_interface.h index 8a56ee046..729821ed9 100644 --- a/lib/mbedtls/atca_mbedtls_interface.h +++ b/lib/mbedtls/atca_mbedtls_interface.h @@ -98,9 +98,14 @@ * Indicates if this module is a provider of x509 certificate handling */ #ifndef HOSTLIB_CERT_EN -#define HOSTLIB_CERT_EN (DEFAULT_DISABLED) +#define HOSTLIB_CERT_EN (DEFAULT_ENABLED) #endif +typedef struct atcac_x509_ctx +{ + void* ptr; +} atcac_x509_ctx_t; + #endif /* ATCA_MBEDTLS */ #endif /* ATCA_MBEDTLS_INTERFACE_H */ diff --git a/lib/mbedtls/atca_mbedtls_wrap.c b/lib/mbedtls/atca_mbedtls_wrap.c index 0e4a12911..e6889d328 100644 --- a/lib/mbedtls/atca_mbedtls_wrap.c +++ b/lib/mbedtls/atca_mbedtls_wrap.c @@ -29,6 +29,12 @@ /* mbedTLS boilerplate includes */ #include "atca_config_check.h" +#ifdef __COVERITY__ +#pragma coverity compliance block \ + (deviate "CERT EXP40-C" "The third party mbedtls api converts const to non constant which is out of scope of CAL") \ + (deviate "MISRA C-2012 Rule 11.8" "Third party library (mbedtls) implementation which require const to non constant") +#endif + #ifdef ATCA_MBEDTLS #if !defined(MBEDTLS_CONFIG_FILE) @@ -52,6 +58,7 @@ #include "mbedtls/ecp.h" #include "mbedtls/entropy.h" #include "mbedtls/x509_crt.h" +#include "mbedtls/oid.h" /* Cryptoauthlib Includes */ 
@@ -65,13 +72,93 @@ #include "atcacert/atcacert_def.h" #endif +#if !defined(ATCA_NO_HEAP) +struct atcac_sha1_ctx* atcac_sha1_ctx_new(void) +{ + return (struct atcac_sha1_ctx*)hal_malloc(sizeof(atcac_sha1_ctx_t)); +} + +struct atcac_sha2_256_ctx* atcac_sha256_ctx_new(void) +{ + return (struct atcac_sha2_256_ctx*)hal_malloc(sizeof(atcac_sha2_256_ctx_t)); +} + +struct atcac_hmac_ctx* atcac_hmac_ctx_new(void) +{ + return (struct atcac_hmac_ctx*)hal_malloc(sizeof(atcac_hmac_ctx_t)); +} + +struct atcac_aes_gcm_ctx* atcac_aes_gcm_ctx_new(void) +{ + return (struct atcac_aes_gcm_ctx*)hal_malloc(sizeof(atcac_aes_gcm_ctx_t)); +} + +struct atcac_aes_cmac_ctx* atcac_aes_cmac_ctx_new(void) +{ + return (struct atcac_aes_cmac_ctx*)hal_malloc(sizeof(atcac_aes_cmac_ctx_t)); +} + +struct atcac_pk_ctx* atcac_pk_ctx_new(void) +{ + return (struct atcac_pk_ctx*)hal_malloc(sizeof(atcac_pk_ctx_t)); +} + +struct mbedtls_x509_crt* atcac_mbedtls_new(void) +{ + return (struct mbedtls_x509_crt*)hal_malloc(sizeof(mbedtls_x509_crt)); +} + +struct atcac_x509_ctx* atcac_x509_ctx_new(void) +{ + return (struct atcac_x509_ctx*)hal_malloc(sizeof(atcac_x509_ctx_t)); +} + +void atcac_sha1_ctx_free(struct atcac_sha1_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_sha256_ctx_free(struct atcac_sha2_256_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_hmac_ctx_free(struct atcac_hmac_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_aes_gcm_ctx_free(struct atcac_aes_gcm_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_aes_cmac_ctx_free(struct atcac_aes_cmac_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_pk_ctx_free(struct atcac_pk_ctx* ctx) +{ + hal_free(ctx); +} + +void atcac_x509_ctx_free(struct atcac_x509_ctx* ctx) +{ + hal_free(ctx); +} + +#endif + +static int mbedtls_x509_time_to_asn1_generalized_time(const mbedtls_x509_time* x509_time, char* asn1_time, size_t asn1_time_len); + /** \brief Return Random Bytes * * \return ATCA_SUCCESS on success, otherwise an error code. 
*/ -int atcac_sw_random(uint8_t* data, size_t data_size) +ATCA_STATUS atcac_sw_random(uint8_t* data, size_t data_size) { - return mbedtls_ctr_drbg_random(mbedtls_entropy_func, data, data_size); + return (0 == mbedtls_ctr_drbg_random(mbedtls_entropy_func, data, data_size) ? ATCA_SUCCESS : ATCA_FUNC_FAIL); } /** \brief Update the GCM context with additional authentication data (AAD) @@ -86,10 +173,11 @@ ATCA_STATUS atcac_aes_gcm_aad_update( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - int ret = mbedtls_cipher_update_ad((mbedtls_cipher_context_t*)ctx, aad, aad_len); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + void* tmp_ptr = ctx; + int ret = mbedtls_cipher_update_ad((mbedtls_cipher_context_t*)tmp_ptr, aad, aad_len); + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } 
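Review bot: `mbedtls_ctr_drbg_random` expects a pointer to a seeded `mbedtls_ctr_drbg_context` as its first argument, but `atcac_sw_random` passes the function `mbedtls_entropy_func` there. The generator therefore does not operate on seeded DRBG state, and the new return-code mapping does not change that. The function needs a context set up with `mbedtls_ctr_drbg_init` and seeded through `mbedtls_ctr_drbg_seed` from an entropy context. The sketch below seeds per call for simplicity; a long-lived context owned by the library would avoid the repeated seeding cost. The `*_ctx_new` helpers added in this hunk return uninitialised memory, which their documentation should state.

```c
ATCA_STATUS atcac_sw_random(uint8_t* data, size_t data_size)
{
    ATCA_STATUS status = ATCA_FUNC_FAIL;
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context drbg;

    mbedtls_entropy_init(&entropy);
    mbedtls_ctr_drbg_init(&drbg);

    /* Seed the DRBG from the entropy source before drawing any output */
    if ((0 == mbedtls_ctr_drbg_seed(&drbg, mbedtls_entropy_func, &entropy, NULL, 0))
        && (0 == mbedtls_ctr_drbg_random(&drbg, data, data_size)))
    {
        status = ATCA_SUCCESS;
    }

    mbedtls_ctr_drbg_free(&drbg);
    mbedtls_entropy_free(&entropy);

    return status;
}
```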
@@ -108,29 +196,30 @@ ATCA_STATUS atcac_aes_gcm_encrypt_start( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret; - mbedtls_cipher_init((mbedtls_cipher_context_t*)ctx); + void* tmp_ptr = ctx; + mbedtls_cipher_init((mbedtls_cipher_context_t*)tmp_ptr); - ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)ctx, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, key_len * 8, MBEDTLS_MODE_GCM)); + ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)tmp_ptr, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, (int)(key_len) * 8, MBEDTLS_MODE_GCM)); - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_setkey((mbedtls_cipher_context_t*)ctx, key, key_len * 8, MBEDTLS_ENCRYPT); + ret = mbedtls_cipher_setkey((mbedtls_cipher_context_t*)tmp_ptr, key, (int)key_len * 8, MBEDTLS_ENCRYPT); } - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_set_iv((mbedtls_cipher_context_t*)ctx, iv, iv_len); + ret = mbedtls_cipher_set_iv((mbedtls_cipher_context_t*)tmp_ptr, iv, iv_len); } - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_reset((mbedtls_cipher_context_t*)ctx); + ret = mbedtls_cipher_reset((mbedtls_cipher_context_t*)tmp_ptr); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; @@ -150,10 +239,11 @@ ATCA_STATUS atcac_aes_gcm_encrypt_update( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - int ret = mbedtls_cipher_update((mbedtls_cipher_context_t*)ctx, plaintext, pt_len, ciphertext, ct_len); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + void* tmp_ptr = ctx; + int ret = mbedtls_cipher_update((mbedtls_cipher_context_t*)tmp_ptr, plaintext, pt_len, ciphertext, ct_len); + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; 
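Review bot: When `mbedtls_cipher_setkey`, `mbedtls_cipher_set_iv` or `mbedtls_cipher_reset` fails after a successful `mbedtls_cipher_setup`, `atcac_aes_gcm_encrypt_start` returns `ATCA_FUNC_FAIL` without releasing the cipher context, which by then may hold the key. Free it on the error path, `if (0 != ret) { mbedtls_cipher_free((mbedtls_cipher_context_t*)tmp_ptr); }`, unless callers are required to call the finish function after a failed start, which is not visible here. `atcac_aes_gcm_decrypt_start` has the same shape. `key_len` is also narrowed with `(int)` before the multiplication by 8 without a range check of its own.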
@@ -171,13 +261,14 @@ ATCA_STATUS atcac_aes_gcm_encrypt_finish( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - int ret = mbedtls_cipher_write_tag((mbedtls_cipher_context_t*)ctx, tag, tag_len); + void* tmp_ptr = ctx; + int ret = mbedtls_cipher_write_tag((mbedtls_cipher_context_t*)tmp_ptr, tag, tag_len); mbedtls_cipher_free((mbedtls_cipher_context_t*)ctx); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -196,29 +287,30 @@ ATCA_STATUS atcac_aes_gcm_decrypt_start( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret; - mbedtls_cipher_init((mbedtls_cipher_context_t*)ctx); + void* tmp_ptr = ctx; + mbedtls_cipher_init((mbedtls_cipher_context_t*)tmp_ptr); - ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)ctx, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, key_len * 8, MBEDTLS_MODE_GCM)); + ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)tmp_ptr, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, (int)(key_len) * 8, MBEDTLS_MODE_GCM)); - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_setkey((mbedtls_cipher_context_t*)ctx, key, key_len * 8, MBEDTLS_DECRYPT); + ret = mbedtls_cipher_setkey((mbedtls_cipher_context_t*)tmp_ptr, key, (int)key_len * 8, MBEDTLS_DECRYPT); } - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_set_iv((mbedtls_cipher_context_t*)ctx, iv, iv_len); + ret = mbedtls_cipher_set_iv((mbedtls_cipher_context_t*)tmp_ptr, iv, iv_len); } - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_reset((mbedtls_cipher_context_t*)ctx); + ret = mbedtls_cipher_reset((mbedtls_cipher_context_t*)tmp_ptr); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; 
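Review bot: `atcac_aes_gcm_encrypt_finish` introduces `tmp_ptr` for the `mbedtls_cipher_write_tag` call, but the `mbedtls_cipher_free` call after it still casts `ctx` directly, so the function mixes both forms. Use the same pointer there, `mbedtls_cipher_free((mbedtls_cipher_context_t*)tmp_ptr);`. `atcac_aes_gcm_decrypt_finish` has the same leftover.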
@@ -238,10 +330,11 @@ ATCA_STATUS atcac_aes_gcm_decrypt_update( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - int ret = mbedtls_cipher_update((mbedtls_cipher_context_t*)ctx, ciphertext, ct_len, plaintext, pt_len); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + void* tmp_ptr = ctx; + int ret = mbedtls_cipher_update((mbedtls_cipher_context_t*)tmp_ptr, ciphertext, ct_len, plaintext, pt_len); + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; @@ -260,21 +353,21 @@ ATCA_STATUS atcac_aes_gcm_decrypt_finish( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx && is_verified) + if ((NULL != ctx) && (NULL != is_verified)) { int ret; *is_verified = false; + void* tmp_ptr = ctx; + ret = mbedtls_cipher_check_tag((mbedtls_cipher_context_t*)tmp_ptr, tag, tag_len); - ret = mbedtls_cipher_check_tag((mbedtls_cipher_context_t*)ctx, tag, tag_len); - - if (!ret) + if (0 == ret) { *is_verified = true; } mbedtls_cipher_free((mbedtls_cipher_context_t*)ctx); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -283,23 +376,23 @@ ATCA_STATUS atcac_aes_gcm_decrypt_finish( * * \return ATCA_SUCCESS on success, otherwise an error code. */ -static ATCA_STATUS _atca_mbedtls_md_init(mbedtls_md_context_t* ctx, const mbedtls_md_info_t* md_info) +static ATCA_STATUS atca_mbedtls_md_init(mbedtls_md_context_t* ctx, const mbedtls_md_info_t* md_info) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret; mbedtls_md_init(ctx); - ret = mbedtls_md_setup(ctx, md_info, false); + ret = mbedtls_md_setup(ctx, md_info, 0); - if (!ret) + if (0 == ret) { ret = mbedtls_md_starts(ctx); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } 
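Review bot: atcac_aes_gcm_decrypt_finish does not document that plaintext already returned by atcac_aes_gcm_decrypt_update is unauthenticated until this call succeeds. A comment above `*is_verified = false;` would make the contract explicit: `/* Plaintext from decrypt_update must be discarded unless this returns ATCA_SUCCESS with *is_verified == true */`. Separately, `void* tmp_ptr = ctx;` is now declared after a statement, while the other functions in this patch declare it at the top of the block; moving it above the assignment keeps them consistent. The function's doc comment and parameter list are outside the hunk.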
@@ -308,13 +401,13 @@ static ATCA_STATUS _atca_mbedtls_md_init(mbedtls_md_context_t* ctx, const mbedtl * * \return ATCA_SUCCESS on success, otherwise an error code. */ -static ATCA_STATUS _atca_mbedtls_md_update(mbedtls_md_context_t* ctx, const uint8_t* data, size_t data_size) +static ATCA_STATUS atca_mbedtls_md_update(mbedtls_md_context_t* ctx, const uint8_t* data, size_t data_size) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - status = (!mbedtls_md_update(ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == mbedtls_md_update(ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -323,19 +416,19 @@ static ATCA_STATUS _atca_mbedtls_md_update(mbedtls_md_context_t* ctx, const uint * * \return ATCA_SUCCESS on success, otherwise an error code. */ -static ATCA_STATUS _atca_mbedtls_md_finish(mbedtls_md_context_t* ctx, uint8_t* digest, unsigned int* outlen) +static ATCA_STATUS atca_mbedtls_md_finish(mbedtls_md_context_t* ctx, uint8_t* digest, unsigned int* outlen) { ATCA_STATUS status = ATCA_BAD_PARAM; (void)outlen; - if (ctx) + if (NULL != ctx) { int ret = mbedtls_md_finish(ctx, digest); mbedtls_md_free(ctx); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } 
@@ -344,72 +437,84 @@ static ATCA_STATUS _atca_mbedtls_md_finish(mbedtls_md_context_t* ctx, uint8_t* d * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_init( +ATCA_STATUS atcac_sw_sha1_init( struct atcac_sha1_ctx* ctx /**< [in] pointer to a hash context */ ) { - return _atca_mbedtls_md_init((mbedtls_md_context_t*)ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA1)); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_init((mbedtls_md_context_t*)tmp_ptr, mbedtls_md_info_from_type(MBEDTLS_MD_SHA1)); } /** \brief Add data to a SHA1 hash. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_update( +ATCA_STATUS atcac_sw_sha1_update( struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ const uint8_t* data, /**< [in] input data buffer */ size_t data_size /**< [in] input data length */ ) { - return _atca_mbedtls_md_update((mbedtls_md_context_t*)ctx, data, data_size); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_update((mbedtls_md_context_t*)tmp_ptr, data, data_size); } /** \brief Complete the SHA1 hash in software and return the digest. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_finish( +ATCA_STATUS atcac_sw_sha1_finish( struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ uint8_t digest[ATCA_SHA1_DIGEST_SIZE] /**< [out] output buffer (20 bytes) */ ) { - return _atca_mbedtls_md_finish((mbedtls_md_context_t*)ctx, digest, NULL); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_finish((mbedtls_md_context_t*)tmp_ptr, digest, NULL); } /** \brief Initialize context for performing SHA256 hash in software. * * \return ATCA_SUCCESS on success, otherwise an error code. 
*/ -int atcac_sw_sha2_256_init( +ATCA_STATUS atcac_sw_sha2_256_init( struct atcac_sha2_256_ctx* ctx /**< [in] pointer to a hash context */ ) { - return _atca_mbedtls_md_init((mbedtls_md_context_t*)ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_init((mbedtls_md_context_t*)tmp_ptr, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256)); } /** \brief Add data to a SHA256 hash. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha2_256_update( +ATCA_STATUS atcac_sw_sha2_256_update( struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ const uint8_t* data, /**< [in] input data buffer */ size_t data_size /**< [in] input data length */ ) { - return _atca_mbedtls_md_update((mbedtls_md_context_t*)ctx, data, data_size); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_update((mbedtls_md_context_t*)tmp_ptr, data, data_size); } /** \brief Complete the SHA256 hash in software and return the digest. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha2_256_finish( +ATCA_STATUS atcac_sw_sha2_256_finish( struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ uint8_t digest[ATCA_SHA2_256_DIGEST_SIZE] /**< [out] output buffer (32 bytes) */ ) { - return _atca_mbedtls_md_finish((mbedtls_md_context_t*)ctx, digest, NULL); + void* tmp_ptr = ctx; + + return atca_mbedtls_md_finish((mbedtls_md_context_t*)tmp_ptr, digest, NULL); } /** \brief Initialize context for performing CMAC in software. 
@@ -424,19 +529,20 @@ ATCA_STATUS atcac_aes_cmac_init( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret = 0; - mbedtls_cipher_init((mbedtls_cipher_context_t*)ctx); + void* tmp_ptr = ctx; + mbedtls_cipher_init((mbedtls_cipher_context_t*)tmp_ptr); - ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)ctx, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB)); + ret = mbedtls_cipher_setup((mbedtls_cipher_context_t*)tmp_ptr, mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB)); - if (!ret) + if (0 == ret) { - ret = mbedtls_cipher_cmac_starts((mbedtls_cipher_context_t*)ctx, key, (size_t)key_len * 8); + ret = mbedtls_cipher_cmac_starts((mbedtls_cipher_context_t*)tmp_ptr, key, (size_t)key_len * 8u); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; @@ -454,9 +560,10 @@ ATCA_STATUS atcac_aes_cmac_update( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - status = (!mbedtls_cipher_cmac_update((mbedtls_cipher_context_t*)ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + void* tmp_ptr = ctx; + status = (0 == mbedtls_cipher_cmac_update((mbedtls_cipher_context_t*)tmp_ptr, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -475,13 +582,14 @@ ATCA_STATUS atcac_aes_cmac_finish( (void)cmac_size; - if (ctx) + if (NULL != ctx) { - int ret = mbedtls_cipher_cmac_finish((mbedtls_cipher_context_t*)ctx, cmac); + void* tmp_ptr = ctx; + int ret = mbedtls_cipher_cmac_finish((mbedtls_cipher_context_t*)tmp_ptr, cmac); mbedtls_cipher_free((mbedtls_cipher_context_t*)ctx); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } 
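Review bot: atcac_aes_cmac_finish still discards `cmac_size` with `(void)cmac_size;`, so nothing bounds the write that `mbedtls_cipher_cmac_finish` makes into `cmac`. That call writes one cipher block (16 bytes for AES) regardless of how much the caller allocated. The size should be checked before the call and ATCA_BAD_PARAM or ATCA_SMALL_BUFFER returned when it is below the block size. The parameter's declaration is outside the hunk, so whether it is passed by value or by pointer needs confirming. atcac_sha256_hmac_finish has the same pattern, with `(void)digest_len;` ahead of a 32-byte digest write.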
@@ -502,18 +610,19 @@ ATCA_STATUS atcac_sha256_hmac_init( if ((NULL != ctx) && (NULL != sha256_ctx)) { int ret; - ctx->mctx = (mbedtls_md_context_t*)sha256_ctx; + void* tmp_ptr = sha256_ctx; + ctx->mctx = (mbedtls_md_context_t*)tmp_ptr; mbedtls_md_init(ctx->mctx); - ret = mbedtls_md_setup(ctx->mctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), true); + ret = mbedtls_md_setup(ctx->mctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 1); - if (!ret) + if (0 == ret) { ret = mbedtls_md_hmac_starts(ctx->mctx, key, key_len); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -530,9 +639,9 @@ ATCA_STATUS atcac_sha256_hmac_update( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - status = (!mbedtls_md_hmac_update(ctx->mctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == mbedtls_md_hmac_update(ctx->mctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -551,13 +660,13 @@ ATCA_STATUS atcac_sha256_hmac_finish( (void)digest_len; - if (ctx) + if (NULL != ctx) { int ret = mbedtls_md_hmac_finish(ctx->mctx, digest); mbedtls_md_free(ctx->mctx); - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -578,16 +687,17 @@ ATCA_STATUS atcac_pk_init( (void)key_type; - if (ctx) + if (NULL != ctx) { int ret; uint8_t temp = 1; mbedtls_ecp_keypair* ecp = NULL; - mbedtls_pk_init((mbedtls_pk_context*)ctx); - ret = mbedtls_pk_setup((mbedtls_pk_context*)ctx, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); + void* tmp_ptr = ctx; + mbedtls_pk_init((mbedtls_pk_context*)tmp_ptr); + ret = mbedtls_pk_setup((mbedtls_pk_context*)tmp_ptr, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)); - if (!ret) + if (0 == ret) { ecp = mbedtls_pk_ec(ctx->mctx); ret = mbedtls_ecp_group_load(&ecp->grp, MBEDTLS_ECP_DP_SECP256R1); 
@@ -595,30 +705,30 @@ ATCA_STATUS atcac_pk_init( if (pubkey) { - if (!ret) + if (0 == ret) { - ret = mbedtls_mpi_read_binary(&(ecp->Q.X), buf, buflen / 2); + ret = mbedtls_mpi_read_binary(&(ecp->Q.X), buf, buflen / 2u); } - if (!ret) + if (0 == ret) { - ret = mbedtls_mpi_read_binary(&(ecp->Q.Y), &buf[buflen / 2], buflen / 2); + ret = mbedtls_mpi_read_binary(&(ecp->Q.Y), &buf[buflen / 2u], buflen / 2u); } - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_read_binary(&(ecp->Q.Z), &temp, 1); } } else { - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_read_binary(&(ecp->d), buf, buflen); } } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -636,10 +746,11 @@ ATCA_STATUS atcac_pk_init_pem( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret; - mbedtls_pk_init((mbedtls_pk_context*)ctx); + void* tmp_ptr = ctx; + mbedtls_pk_init((mbedtls_pk_context*)tmp_ptr); if (pubkey) { @@ -649,7 +760,7 @@ ATCA_STATUS atcac_pk_init_pem( { ret = mbedtls_pk_parse_key((mbedtls_pk_context*)ctx, buf, buflen, NULL, 0); } - status = (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } return status; } @@ -664,9 +775,10 @@ ATCA_STATUS atcac_pk_free( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - mbedtls_pk_init((mbedtls_pk_context*)ctx); + void* tmp_ptr = ctx; + mbedtls_pk_init((mbedtls_pk_context*)tmp_ptr); status = ATCA_SUCCESS; } return status; @@ -684,10 +796,11 @@ ATCA_STATUS atcac_pk_public( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret = -1; - switch (mbedtls_pk_get_type((mbedtls_pk_context*)ctx)) + void* tmp_ptr = ctx; + switch (mbedtls_pk_get_type((mbedtls_pk_context*)tmp_ptr)) { case MBEDTLS_PK_ECKEY: /* fallthrough */ 
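Review bot: In the `pubkey` branch of atcac_pk_init, `buflen` is halved and used as the coordinate length without a check that it matches the P-256 key size, and the loaded point is never validated. A guard such as `if (buflen != ATCA_ECCP256_PUBKEY_SIZE) { ret = -1; }` before the reads, plus `ret = mbedtls_ecp_check_pubkey(&ecp->grp, &ecp->Q);` after Q.Z is set, would reject truncated or off-curve keys at import time. Later verify or ECDH calls may run their own checks, but that depends on the mbedtls version in use. The function begins in the previous hunk, and the declaration of `buf` is outside both.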
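Review bot: atcac_pk_free calls `mbedtls_pk_init`, which only resets the structure's fields. The key pair allocated by `mbedtls_pk_setup` or `mbedtls_pk_parse_key` is therefore never released, and a private scalar can remain in heap memory after the caller believes the key is gone. The call should be `mbedtls_pk_free((mbedtls_pk_context*)tmp_ptr);`, which frees and zeroizes the underlying context. The patch only reroutes the cast through `tmp_ptr` and keeps the init call.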
@@ -699,6 +812,7 @@ ATCA_STATUS atcac_pk_public( break; } default: + /* Empty default case to satisfy MISRA */ break; } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; @@ -720,7 +834,7 @@ ATCA_STATUS atcac_pk_sign( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret = -1; switch (mbedtls_pk_get_type((mbedtls_pk_context*)ctx)) @@ -739,12 +853,12 @@ ATCA_STATUS atcac_pk_sign( ret = mbedtls_ecdsa_sign_det(&mbedtls_pk_ec(ctx->mctx)->grp, &r, &s, &mbedtls_pk_ec(ctx->mctx)->d, digest, dig_len, MBEDTLS_MD_SHA256); - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_write_binary(&r, signature, 32); } - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_write_binary(&s, &signature[32], 32); } @@ -759,6 +873,7 @@ ATCA_STATUS atcac_pk_sign( ret = mbedtls_pk_sign((mbedtls_pk_context*)ctx, MBEDTLS_MD_SHA256, digest, dig_len, signature, sig_len, NULL, NULL); break; default: + /* Empty default case to satisfy MISRA */ break; } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; @@ -780,10 +895,11 @@ ATCA_STATUS atcac_pk_verify( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { int ret = -1; - switch (mbedtls_pk_get_type((mbedtls_pk_context*)ctx)) + void* tmp_ptr = ctx; + switch (mbedtls_pk_get_type((mbedtls_pk_context*)tmp_ptr)) { case MBEDTLS_PK_ECKEY: /* fallthrough */ @@ -795,8 +911,8 @@ ATCA_STATUS atcac_pk_verify( mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); - mbedtls_mpi_read_binary(&r, signature, sig_len / 2); - mbedtls_mpi_read_binary(&s, &signature[sig_len / 2], sig_len / 2); + (void)mbedtls_mpi_read_binary(&r, signature, sig_len / 2u); + (void)mbedtls_mpi_read_binary(&s, &signature[sig_len / 2u], sig_len / 2u); ret = mbedtls_ecdsa_verify(&mbedtls_pk_ec(ctx->mctx)->grp, digest, dig_len, &mbedtls_pk_ec(ctx->mctx)->Q, &r, &s); 
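Review bot: Casting the two `mbedtls_mpi_read_binary` results to `(void)` in atcac_pk_verify silences the analyzer but still ignores a failed read of `r` or `s`. The verdict then rests on `mbedtls_ecdsa_verify` rejecting whatever is left in them. Propagating the error is cleaner: `ret = mbedtls_mpi_read_binary(&r, signature, sig_len / 2u);`, followed by the `s` read and the `mbedtls_ecdsa_verify` call, each under `if (0 == ret)`. `sig_len` is also not checked to be the expected raw signature size before it is halved. The enclosing switch case starts and ends outside the hunk.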
@@ -808,6 +924,7 @@ ATCA_STATUS atcac_pk_verify( ret = mbedtls_pk_verify((mbedtls_pk_context*)ctx, MBEDTLS_MD_SHA256, digest, dig_len, signature, sig_len); break; default: + /* Empty default case to satisfy MISRA */ break; } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; @@ -828,9 +945,10 @@ ATCA_STATUS atcac_pk_derive( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (private_ctx && public_ctx) + if ((NULL != private_ctx) && (NULL != public_ctx)) { - mbedtls_pk_type_t keytype = mbedtls_pk_get_type((mbedtls_pk_context*)private_ctx); + void* tmp_ptr = private_ctx; + mbedtls_pk_type_t keytype = mbedtls_pk_get_type((mbedtls_pk_context*)tmp_ptr); if (mbedtls_pk_get_type((mbedtls_pk_context*)public_ctx) == keytype) { @@ -849,11 +967,12 @@ ATCA_STATUS atcac_pk_derive( &mbedtls_pk_ec(public_ctx->mctx)->Q, &mbedtls_pk_ec(private_ctx->mctx)->d, NULL, NULL); - mbedtls_mpi_write_binary(&result, buf, *buflen); + (void)mbedtls_mpi_write_binary(&result, buf, *buflen); mbedtls_mpi_free(&result); break; } default: + /* Empty default case to satisfy MISRA */ break; } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; 
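Review bot: In atcac_pk_derive the result of `mbedtls_mpi_write_binary(&result, buf, *buflen)` is now explicitly discarded, and the write runs even if the preceding `mbedtls_ecdh_compute_shared` call failed. If the caller's buffer is too small, the function can return ATCA_SUCCESS while `buf` does not hold the shared secret, and a caller would then derive keys from stale buffer contents. This assumes the ECDH call assigns `ret`; its first line is outside the hunk. The write should be `if (0 == ret) { ret = mbedtls_mpi_write_binary(&result, buf, *buflen); }`, leaving `mbedtls_mpi_free(&result);` unconditional. Whether `buflen` is NULL-checked cannot be seen from here.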
@@ -890,63 +1009,66 @@ static int atca_mbedtls_eckey_verify(void *ctx, mbedtls_md_type_t md_alg, (void)md_alg; (void)hash_len; - if (ecp && hash && sig) + if ((NULL != ecp) && (NULL != hash) && (NULL != sig)) { mbedtls_mpi r, s; atca_mbedtls_eckey_t key_info; - uint8_t signature[ATCA_ECCP256_SIG_SIZE]; + uint8_t signature[ATCA_ECCP256_SIG_SIZE] = { 0x00 }; + (void)memset(&key_info, 0, sizeof(atca_mbedtls_eckey_t)); /* Signature is in ASN.1 format so we have to parse it out manually */ - size_t len; - unsigned char *ptr = (unsigned char*)sig; - const unsigned char *end = sig + sig_len; + size_t len = 0; + unsigned char tmp[74] = { 0x00 }; + (void)memcpy(tmp, sig, 74); + unsigned char* tmp1 = (unsigned char*)tmp; + const unsigned char *end = tmp1 + sig_len; mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); ret = mbedtls_mpi_write_binary(&ecp->d, (unsigned char*)&key_info, sizeof(atca_mbedtls_eckey_t)); - if (!ret) + if (0 == ret) { - ret = mbedtls_asn1_get_tag(&ptr, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + ret = mbedtls_asn1_get_tag(&tmp1, end, &len, (int)((unsigned int)MBEDTLS_ASN1_CONSTRUCTED | (unsigned int)MBEDTLS_ASN1_SEQUENCE)); - if (ptr + len != end) + if (tmp1 + len != end) { /* Some sort of parsing error */ ret = -1; } } - if (!ret) + if (0 == ret) { - ret = mbedtls_asn1_get_mpi(&ptr, end, &r); + ret = mbedtls_asn1_get_mpi(&tmp1, end, &r); } - if (!ret) + if (0 == ret) { - ret = mbedtls_asn1_get_mpi(&ptr, end, &s); + ret = mbedtls_asn1_get_mpi(&tmp1, end, &s); } - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_write_binary(&r, signature, 32); } - if (!ret) + if (0 == ret) { ret = mbedtls_mpi_write_binary(&s, &signature[32], 32); } - if (!ret) + if (0 == ret) { bool is_verified = false; // if (0x01 & key_info.flags) { - uint8_t public_key[ATCA_ECCP256_PUBKEY_SIZE]; - if (0 == (ret = mbedtls_mpi_write_binary(&ecp->Q.X, public_key, ATCA_ECCP256_PUBKEY_SIZE / 2))) + uint8_t public_key[ATCA_ECCP256_PUBKEY_SIZE] = { 0x00 }; + if (0 == (ret = 
mbedtls_mpi_write_binary(&ecp->Q.X, public_key, ATCA_ECCP256_PUBKEY_SIZE / 2u))) { - if (0 == (ret = mbedtls_mpi_write_binary(&ecp->Q.Y, &public_key[ATCA_ECCP256_PUBKEY_SIZE / 2], ATCA_ECCP256_PUBKEY_SIZE / 2))) + if (0 == (ret = mbedtls_mpi_write_binary(&ecp->Q.Y, &public_key[ATCA_ECCP256_PUBKEY_SIZE / 2u], ATCA_ECCP256_PUBKEY_SIZE / 2u))) { ret = atcab_verify_extern_ext(key_info.device, hash, signature, public_key, &is_verified); } @@ -974,7 +1096,7 @@ static int atca_mbedtls_eckey_verify(void *ctx, mbedtls_md_type_t md_alg, static int atca_mbedtls_eckey_sign(void *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len, unsigned char *sig, size_t *sig_len, - int (*f_rng)(void *, unsigned char *, size_t), + int (*f_rng)(void *d1, unsigned char *d2, size_t d3), void *p_rng) { int ret = -1; @@ -984,7 +1106,7 @@ static int atca_mbedtls_eckey_sign(void *ctx, mbedtls_md_type_t md_alg, ((void)f_rng); ((void)p_rng); - if (ecp && hash && sig && sig_len) + if ((NULL != ecp) && (NULL != hash) && (NULL != sig) && (NULL != sig_len)) { mbedtls_mpi r, s; @@ -993,7 +1115,7 @@ static int atca_mbedtls_eckey_sign(void *ctx, mbedtls_md_type_t md_alg, ret = atca_mbedtls_ecdsa_sign(&ecp->d, &r, &s, hash, hash_len); - if (!ret) + if (0 == ret) { ret = mbedtls_ecdsa_signature_to_asn1(&r, &s, sig, sig_len); } @@ -1065,12 +1187,12 @@ int atca_mbedtls_pk_init_ext(ATCADevice device, mbedtls_pk_context * pkey, const uint8_t temp = 1; bool is_private = false; - if (!pkey) + if (NULL == pkey) { ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } - if (!ret) + if (0 == ret) { mbedtls_pk_init(pkey); #ifdef MBEDTLS_ECDSA_SIGN_ALT 
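Review bot: The new `(void)memcpy(tmp, sig, 74);` in atcac_mbedtls_eckey_verify copies a fixed 74 bytes regardless of `sig_len`, while `end` is still computed as `tmp1 + sig_len`. A DER-encoded P-256 signature is normally shorter than 74 bytes, so the copy reads past the caller's buffer. If `sig_len` exceeds 74, `end` points beyond `tmp` and the ASN.1 parser is allowed to read past the local array. The copy should be `(void)memcpy(tmp, sig, sig_len);`, with oversize input rejected first, for example by adding `&& (sig_len <= 74u)` to the entry condition. The literal 74 would be better as a named constant shared by the array size and the check. The function's signature starts outside the hunk.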
@@ -1081,18 +1203,21 @@ int atca_mbedtls_pk_init_ext(ATCADevice device, mbedtls_pk_context * pkey, const } - if (!ret) + if (0 == ret) { ecp = mbedtls_pk_ec(*pkey); - ret = mbedtls_ecp_group_load(&ecp->grp, MBEDTLS_ECP_DP_SECP256R1); + if (NULL != ecp) + { + ret = mbedtls_ecp_group_load(&ecp->grp, MBEDTLS_ECP_DP_SECP256R1); + } } - if (!ret) + if (0 == ret) { ret = atcab_is_private_ext(device, slotid, &is_private); } - if (!ret) + if (0 == ret) { if (is_private) { 
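Review bot: The new `if (NULL != ecp)` guard in atca_mbedtls_pk_init_ext skips `mbedtls_ecp_group_load` when `mbedtls_pk_ec` returns NULL but leaves `ret` at 0. The function then continues to the device calls and, because the next hunk wraps the key population in the same guard, can return success with an unconfigured key. An `else { ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; }` on this guard makes the failure visible to the caller. The following hunk also sizes the public-key coordinates with `ATCA_ECCP256_SIG_SIZE / 2u`; `ATCA_ECCP256_PUBKEY_SIZE / 2u` would name the intended quantity. The function starts and ends outside this hunk.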
@@ -1104,44 +1229,46 @@ int atca_mbedtls_pk_init_ext(ATCADevice device, mbedtls_pk_context * pkey, const } } - if (!ret) + if (NULL != ecp) { - ret = mbedtls_mpi_read_binary(&(ecp->Q.X), public_key, ATCA_ECCP256_SIG_SIZE / 2); - } + if (0 == ret) + { + ret = mbedtls_mpi_read_binary(&(ecp->Q.X), public_key, ATCA_ECCP256_SIG_SIZE / 2u); + } - if (!ret) - { - ret = mbedtls_mpi_read_binary(&(ecp->Q.Y), &public_key[ATCA_ECCP256_SIG_SIZE / 2], ATCA_ECCP256_SIG_SIZE / 2); - } + if (0 == ret) + { + ret = mbedtls_mpi_read_binary(&(ecp->Q.Y), &public_key[ATCA_ECCP256_SIG_SIZE / 2u], ATCA_ECCP256_SIG_SIZE / 2u); + } - if (!ret) - { - atca_mbedtls_eckey_t key_info = { device, slotid }; + if (0 == ret) + { + atca_mbedtls_eckey_t key_info = { device, slotid }; - /* This is a bit of a hack to force a context into the mbedtls keypair structure but it should - work on any platform as it is in essence directly copying memory exactly as it appears in the - structure */ + /* This is a bit of a hack to force a context into the mbedtls keypair structure but it should + work on any platform as it is in essence directly copying memory exactly as it appears in the + structure */ #ifndef MBEDTLS_ECDSA_VERIFY_ALT - if (0 == (ret = mbedtls_mpi_read_binary(&(ecp->Q.Z), &temp, 1))) - { - ret = mbedtls_mpi_read_binary(&ecp->d, (const unsigned char*)&key_info, sizeof(atca_mbedtls_eckey_t)); - } -#else - if (is_private) - { if (0 == (ret = mbedtls_mpi_read_binary(&(ecp->Q.Z), &temp, 1))) { ret = mbedtls_mpi_read_binary(&ecp->d, (const unsigned char*)&key_info, sizeof(atca_mbedtls_eckey_t)); } - } - else - { - ret = mbedtls_mpi_read_binary(&ecp->Q.Z, (const unsigned char*)&key_info, sizeof(atca_mbedtls_eckey_t)); - } +#else + if (is_private) + { + if (0 == (ret = mbedtls_mpi_read_binary(&(ecp->Q.Z), &temp, 1))) + { + ret = mbedtls_mpi_read_binary(&ecp->d, (const unsigned char*)&key_info, sizeof(atca_mbedtls_eckey_t)); + } + } + else + { + ret = mbedtls_mpi_read_binary(&ecp->Q.Z, (const unsigned 
char*)&key_info, sizeof(atca_mbedtls_eckey_t)); + } #endif + } } - return ret; } @@ -1155,7 +1282,8 @@ int atca_mbedtls_pk_init(mbedtls_pk_context * pkey, const uint16_t slotid) return atca_mbedtls_pk_init_ext(atcab_get_device(), pkey, slotid); } -#if ATCA_CA_SUPPORT +#if (ATCA_CA_SUPPORT && ATCACERT_COMPCERT_EN) +#if !defined(ATCA_NO_HEAP) /** \brief Rebuild a certificate from an atcacert_def_t structure, and then add * it to an mbedtls cert chain. * \param[in,out] cert mbedtls cert chain. Must have already been initialized @@ -1164,26 +1292,30 @@ int atca_mbedtls_pk_init(mbedtls_pk_context * pkey, const uint16_t slotid) */ int atca_mbedtls_cert_add(mbedtls_x509_crt * cert, const atcacert_def_t * cert_def) { - uint8_t ca_key[64]; + uint8_t ca_key[64] = { 0x00 }; int ret = ATCA_SUCCESS; size_t cert_len; uint8_t * cert_buf = NULL; - if (cert_def->ca_cert_def) + if (NULL != cert_def->ca_cert_def) { const atcacert_device_loc_t * ca_key_cfg = &cert_def->ca_cert_def->public_key_dev_loc; - if (ca_key_cfg->is_genkey) + if (NULL != ca_key_cfg) { - ret = atcab_get_pubkey(ca_key_cfg->slot, ca_key); - } - else - { - ret = atcab_read_pubkey(ca_key_cfg->slot, ca_key); + if (0u == ca_key_cfg->is_genkey) + { + ret = atcab_get_pubkey(ca_key_cfg->slot, ca_key); + } + else + { + ret = atcab_read_pubkey(ca_key_cfg->slot, ca_key); + } } } cert_len = cert_def->cert_template_size + 8; + if (NULL == (cert_buf = mbedtls_calloc(1, cert_len))) { ret = -1; @@ -1191,7 +1323,7 @@ int atca_mbedtls_cert_add(mbedtls_x509_crt * cert, const atcacert_def_t * cert_d if (0 == ret) { - ret = atcacert_read_cert(cert_def, cert_def->ca_cert_def ? ca_key : NULL, cert_buf, &cert_len); + ret = atcacert_read_cert(cert_def, (cert_def->ca_cert_def != NULL) ? ca_key : NULL, cert_buf, &cert_len); } if (0 == ret) 
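Review bot: In atca_mbedtls_cert_add the rewritten test `if (0u == ca_key_cfg->is_genkey)` inverts the old `if (ca_key_cfg->is_genkey)`. `atcab_get_pubkey` is now called for slots that are not generated keys, and `atcab_read_pubkey` for those that are. Unless the swap is intentional, the condition should be `if (0u != ca_key_cfg->is_genkey)`; otherwise the wrong CA public key (or an error) feeds `atcacert_read_cert`. The added `if (NULL != ca_key_cfg)` check can never fail, because the pointer is the address of a struct member. A failed public-key read also still proceeds to the allocation, which could be skipped by testing `ret` first.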
@@ -1199,75 +1331,380 @@ int atca_mbedtls_cert_add(mbedtls_x509_crt * cert, const atcacert_def_t * cert_d ret = mbedtls_x509_crt_parse(cert, (const unsigned char*)cert_buf, cert_len); } - if (cert_buf) + if (NULL != cert_buf) { mbedtls_free(cert_buf); } - return ret; } #endif +#endif -#if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP) -struct atcac_sha1_ctx * atcac_sha1_ctx_new(void) +ATCA_STATUS atcac_parse_der(struct atcac_x509_ctx** cert, cal_buffer* der) { - return (struct atcac_sha1_ctx*)hal_malloc(sizeof(atcac_sha1_ctx_t)); -} + ATCA_STATUS status = ATCA_BAD_PARAM; -struct atcac_sha2_256_ctx * atcac_sha256_ctx_new(void) -{ - return (struct atcac_sha2_256_ctx*)hal_malloc(sizeof(atcac_sha2_256_ctx_t)); + if (NULL != cert && NULL != der) + { +#if !defined(ATCA_NO_HEAP) + mbedtls_x509_crt* xcert = atcac_mbedtls_new(); + + if (xcert == NULL) + { + return status; + } + + mbedtls_x509_crt_init(xcert); + + int ret = mbedtls_x509_crt_parse_der(xcert, der->buf, der->len); + + if (ret != 0) + { + atcac_x509_free(xcert); + return status; + } + + /* coverity[misra_c_2012_rule_11_3_violation:FALSE] The mbetls x509 struct pointer is made to point the atcac_x509_ctx void ptr*/ + /*The memory allocated will be traversed using the void ptr in atcac_x509_ctx and is the only member*/ + /* Our library uses structure of type atcac_x509_ctx to be mapped to third party specific certificate structre and this cannot be changed*/ + *cert = xcert; + status = ATCA_SUCCESS; +#endif + } + return status; } -struct atcac_hmac_ctx * atcac_hmac_ctx_new(void) +ATCA_STATUS atcac_get_subject(const struct atcac_x509_ctx* cert, cal_buffer* cert_subject) { - return (struct atcac_hmac_ctx*)hal_malloc(sizeof(atcac_hmac_ctx_t)); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_subject) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* 
tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + + const mbedtls_x509_name *subjname = (const mbedtls_x509_name*)&x509_cert->subject; + int ret = mbedtls_x509_dn_gets((char*)cert_subject->buf, cert_subject->len, subjname); + if (ret > 0) + { + status = ATCA_SUCCESS; + } + } + return status; } -struct atcac_aes_gcm_ctx * atcac_aes_gcm_ctx_new(void) +ATCA_STATUS atcac_get_subj_public_key(const struct atcac_x509_ctx* cert, cal_buffer* subj_public_key) { - return (struct atcac_aes_gcm_ctx*)hal_malloc(sizeof(atcac_aes_gcm_ctx_t)); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != subj_public_key) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + const mbedtls_pk_context *pk = (const mbedtls_pk_context *)&x509_cert->pk; + if (mbedtls_pk_get_type(pk) != MBEDTLS_PK_ECKEY) + { + return status; + } + // Extract the Qx and Qy values of the public key + const mbedtls_ecp_keypair* ec = mbedtls_pk_ec(*pk); + if (NULL == ec) + { + return status; + } + + // Calculate the expected buffer length for both Qx and Qy + size_t expected_len = mbedtls_mpi_size(&ec->Q.X) + mbedtls_mpi_size(&ec->Q.Y); + + // Check if subj_public_key buffer is large enough + if (subj_public_key->len < expected_len) + { + return status; // Error: Buffer too small + } + + // Write the binary representation of Qx into the buffer + size_t bytes_written = 0; + int ret = mbedtls_mpi_write_binary(&ec->Q.X, subj_public_key->buf, mbedtls_mpi_size(&ec->Q.X)); + if (ret != 0) + { + return status; // Error: writing Qx to buffer failed + } + bytes_written += mbedtls_mpi_size(&ec->Q.X); + + // Write the binary representation of Qy into the buffer + ret = mbedtls_mpi_write_binary(&ec->Q.Y, subj_public_key->buf + bytes_written, 
mbedtls_mpi_size(&ec->Q.Y)); + if (ret != 0) + { + return status; // Error: writing Qy to buffer failed + } + status = ATCA_SUCCESS; + } + return status; } -struct atcac_aes_cmac_ctx * atcac_aes_cmac_ctx_new(void) +ATCA_STATUS atcac_get_subj_key_id(const struct atcac_x509_ctx* cert, cal_buffer* subj_public_key_id) { - return (struct atcac_aes_cmac_ctx*)hal_malloc(sizeof(atcac_aes_cmac_ctx_t)); + ATCA_STATUS status = ATCA_BAD_PARAM; + + //Below logic can be minimized if using v3.5.0 mbedtls + + if (NULL != cert && NULL != subj_public_key_id) + { +#if !defined(ATCA_NO_HEAP) + /* coverity[misra_c_2012_rule_21_3_violation:FALSE] Using mbedtls memory allocation api for initializing asn1 sequence object */ + // By design mbedtls prefers calloc as it not only allocates but also initializes the data + mbedtls_asn1_sequence *extns = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence)); + mbedtls_asn1_sequence* next = extns; + + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + size_t tag_len = 0x00; + mbedtls_x509_buf buf = x509_cert->v3_ext; + uint8_t SKID[sizeof(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER)] = MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER; + size_t SKID_OID_len = (sizeof(SKID)-((unsigned)1)); + + if ((NULL != extns) && + (0 == mbedtls_asn1_get_sequence_of(&buf.p, buf.p + buf.len, extns, + (int)((unsigned int)MBEDTLS_ASN1_CONSTRUCTED | (unsigned int)MBEDTLS_ASN1_SEQUENCE)))) + { + while (NULL != next) + { + if (0 != mbedtls_asn1_get_tag(&(next->buf.p), next->buf.p + next->buf.len, &tag_len, MBEDTLS_ASN1_OID)) + { + break; + } + + /* coverity[misra_c_2012_rule_21_14_violation:FALSE] SKID_OID_len excluded NULL character before performing memcmp */ + if (tag_len == SKID_OID_len && memcmp(next->buf.p, SKID, SKID_OID_len) == 0) + { + // Extract the SKI value + unsigned 
char* p = next->buf.p + tag_len; + if (0 != mbedtls_asn1_get_tag(&p, p + next->buf.len - tag_len, &tag_len, MBEDTLS_ASN1_OCTET_STRING)) + { + break; + } + + // Include OCTET STRING TL = 2 + if (0 != mbedtls_asn1_get_tag(&p, p + next->buf.len - 2, &tag_len, MBEDTLS_ASN1_OCTET_STRING)) + { + break; + } + + if (tag_len != 20u) + { + break; + } + + // Copy the SKI value to the destination buffer + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(subj_public_key_id, 0U, p, 20))) + { + status = cal_buf_set_used(subj_public_key_id, subj_public_key_id->len); + } + break; + } + next = next->next; + } + } + + if (NULL != extns) + { + mbedtls_asn1_sequence_free(extns); + } +#endif + } + return status; } -struct atcac_pk_ctx * atcac_pk_ctx_new(void) +static int mbedtls_x509_time_to_asn1_generalized_time(const mbedtls_x509_time* x509_time, char* asn1_time, size_t asn1_time_len) { - return (struct atcac_pk_ctx*)hal_malloc(sizeof(atcac_pk_ctx_t)); + int ret = 1; + + if (NULL == x509_time || NULL == asn1_time) + { + return ret; + } + // Check for buffer size to make sure snprintf usage doesn not lead to buffer overflow + if (asn1_time_len < 15u) + { + // Buffer is too small to hold the ASN.1 GeneralizedTime + asn1_time[0] = '\0'; + return ret; + } + + // Format the time in ASN.1 GeneralizedTime format (YYYYMMDDHHMMSSZ) + /* coverity[misra_c_2012_rule_21_6_violation:FALSE] It is third party library implementation and tested code and also the length of buffer is checked before usage*/ + int num_written = mbedtls_snprintf(asn1_time, asn1_time_len, "%04d%02d%02d%02d%02d%02dZ", x509_time->year, x509_time->mon, x509_time->day, + x509_time->hour, x509_time->min, x509_time->sec); + + if (num_written > 0) + { + if ((size_t)num_written < asn1_time_len) + { + ret = 0; + } + } + return ret; } -void atcac_sha1_ctx_free(struct atcac_sha1_ctx * ctx) +ATCA_STATUS atcac_get_issue_date(const struct atcac_x509_ctx* cert, cal_buffer* not_before, uint8_t* fmt) { - hal_free(ctx); -} + ATCA_STATUS 
status = ATCA_BAD_PARAM; -void atcac_sha256_ctx_free(struct atcac_sha2_256_ctx * ctx) + if (NULL != cert && NULL != not_before) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + // Access the validity structure within the certificate + const mbedtls_x509_time *valid_from = (const mbedtls_x509_time *)&x509_cert->valid_from; + if (0 == mbedtls_x509_time_to_asn1_generalized_time(valid_from, (char*)not_before->buf, not_before->len)) + { + status = ATCA_SUCCESS; + } + } + return status; +} +ATCA_STATUS atcac_get_expire_date(const struct atcac_x509_ctx* cert, cal_buffer* not_after, uint8_t* fmt) { - hal_free(ctx); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != not_after) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + // Access the validity structure within the certificate + const mbedtls_x509_time *valid_to = (const mbedtls_x509_time *)&x509_cert->valid_to; + if (0 == mbedtls_x509_time_to_asn1_generalized_time(valid_to, (char*)not_after->buf, not_after->len)) + { + status = ATCA_SUCCESS; + } + } + return status; } -void atcac_hmac_ctx_free(struct atcac_hmac_ctx * ctx) +ATCA_STATUS atcac_get_issuer(const struct atcac_x509_ctx* cert, cal_buffer* issuer_buf) { - hal_free(ctx); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != issuer_buf) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const 
mbedtls_x509_crt*)(tmp_ptr); + const mbedtls_x509_name *issuer_name = (const mbedtls_x509_name*)&x509_cert->issuer; + int ret = mbedtls_x509_dn_gets((char*)issuer_buf->buf, issuer_buf->len, issuer_name); + if (ret > 0) + { + status = ATCA_SUCCESS; + } + } + return status; } -void atcac_aes_gcm_ctx_free(struct atcac_aes_gcm_ctx * ctx) +ATCA_STATUS atcac_get_cert_sn(const struct atcac_x509_ctx* cert, cal_buffer* cert_sn) { - hal_free(ctx); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_sn) + { + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + const mbedtls_x509_buf* serial = &(x509_cert->serial); + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(cert_sn, 0U, serial->p, serial->len))) + { + status = cal_buf_set_used(cert_sn, cert_sn->len); + } + } + return status; } -void atcac_aes_cmac_ctx_free(struct atcac_aes_cmac_ctx * ctx) +ATCA_STATUS atcac_get_auth_key_id(const struct atcac_x509_ctx* cert, cal_buffer* auth_key_id) { - hal_free(ctx); + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != auth_key_id) + { +#if !defined(ATCA_NO_HEAP) + /* coverity[misra_c_2012_rule_21_3_violation:FALSE] Using mbedtls memory allocation api for initializing asn1 sequence object */ + // By design mbedtls prefers calloc as it not only allocates but also initializes the data + mbedtls_asn1_sequence *extns = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence)); + mbedtls_asn1_sequence* next = extns; + + /* coverity[cert_exp40_c_violation:FALSE] mbedtls ssl api requires non const qualifier in lower apis*/ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + const void* tmp_ptr = cert; + const mbedtls_x509_crt* x509_cert = (const mbedtls_x509_crt*)(tmp_ptr); + size_t tag_len = 0x00; + mbedtls_x509_buf buf = x509_cert->v3_ext; 
+ uint8_t AKID[sizeof(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER)] = MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER; + size_t AKID_OID_len = (sizeof(AKID) - ((unsigned)1)); + + if ((NULL != extns) && + (0 == mbedtls_asn1_get_sequence_of(&buf.p, buf.p + buf.len, extns, + (int)((unsigned int)MBEDTLS_ASN1_CONSTRUCTED | (unsigned int)MBEDTLS_ASN1_SEQUENCE)))) + { + while (NULL != next) + { + if (0 != mbedtls_asn1_get_tag(&(next->buf.p), next->buf.p + next->buf.len, &tag_len, MBEDTLS_ASN1_OID)) + { + break; + } + + // Check if the OID is the Authority Key Identifier OID + /* coverity[misra_c_2012_rule_21_14_violation:FALSE] AKID_OID_len excluded NULL character before performing memcmp */ + if (tag_len == AKID_OID_len && memcmp(next->buf.p, AKID, AKID_OID_len) == 0) + { + // Extract the AKI value + unsigned char* p = next->buf.p + tag_len; + if (0 != mbedtls_asn1_get_tag(&p, p + next->buf.len - tag_len, &tag_len, MBEDTLS_ASN1_OCTET_STRING)) + { + break; + } + p = p + MBEDTLS_ASN1_OCTET_STRING; + // Copy the AKI value to the destination buffer + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(auth_key_id, 0U, p, (tag_len - ((size_t)MBEDTLS_ASN1_OCTET_STRING))))) + { + status = cal_buf_set_used(auth_key_id, auth_key_id->len); + } + break; + } + next = next->next; + } + } + + if (NULL != extns) + { + mbedtls_asn1_sequence_free(extns); + } +#endif + } + return status; } -void atcac_pk_ctx_free(struct atcac_pk_ctx * ctx) +void atcac_x509_free(void* cert) { - hal_free(ctx); + /* coverity[misra_c_2012_rule_21_3_violation:FALSE] The mbedtls certificate structure need to be freed and the below are library specific apis */ + if (NULL != cert) + { + mbedtls_x509_crt_free((mbedtls_x509_crt *)cert); + //As per https://github.com/Mbed-TLS/mbedtls/issues/2098 , mbedtls_free need to be added as well + mbedtls_free(cert); + } } -#endif #endif /* ATCA_MBEDTLS */ +#ifdef __COVERITY__ +#pragma coverity compliance end_block "CERT EXP40-C" "MISRA C-2012 Rule 11.8" +#endif 
diff --git a/lib/mbedtls/atca_mbedtls_wrap.h b/lib/mbedtls/atca_mbedtls_wrap.h index 9bb84816d..655435980 100644 --- a/lib/mbedtls/atca_mbedtls_wrap.h +++ b/lib/mbedtls/atca_mbedtls_wrap.h @@ -28,6 +28,8 @@ #ifndef ATCA_MBEDTLS_WRAP_H #define ATCA_MBEDTLS_WRAP_H +#ifdef ATCA_MBEDTLS + #ifdef __COVERITY__ #pragma coverity compliance block(include) \ (fp "CERT INT30-C" "Ignoring violations from third party libraries") \ @@ -134,8 +136,8 @@ int atca_mbedtls_ecdsa_sign(const mbedtls_mpi* d, mbedtls_mpi* r, mbedtls_mpi* s const unsigned char* buf, size_t buf_len); /* Wrapper Functions */ -int atca_mbedtls_pk_init_ext(ATCADevice device, struct mbedtls_pk_context * pkey, const uint16_t slotid); -int atca_mbedtls_pk_init(struct mbedtls_pk_context * pkey, const uint16_t slotid); +int atca_mbedtls_pk_init_ext(ATCADevice device, mbedtls_pk_context* pkey, const uint16_t slotid); +int atca_mbedtls_pk_init(mbedtls_pk_context* pkey, const uint16_t slotid); int atca_mbedtls_cert_add(struct mbedtls_x509_crt * cert, const struct atcacert_def_s * cert_def); /* Application Callback definitions */ @@ -152,10 +154,16 @@ int atca_mbedtls_ecdh_slot_cb(void); */ int atca_mbedtls_ecdh_ioprot_cb(uint8_t secret[32]); +struct mbedtls_x509_crt* atcac_mbedtls_new(void); +struct atcac_x509_ctx* atcac_x509_ctx_new(void); +void atcac_x509_ctx_free(struct atcac_x509_ctx* ctx); + #ifdef __cplusplus } #endif /** @} */ -#endif /* ATCA_MBEDTLS_WRAP_H */ +#endif /* ATCA_MBEDTLS */ + +#endif /* _ATCA_MBEDTLS_WRAP_H_ */ diff --git a/lib/openssl/atca_openssl_interface.c b/lib/openssl/atca_openssl_interface.c index 1b11fcf84..6c0ef333c 100644 --- a/lib/openssl/atca_openssl_interface.c +++ b/lib/openssl/atca_openssl_interface.c @@ -36,6 +36,8 @@ #include #include #include +#include +#include typedef struct { 
@@ -710,13 +712,17 @@ ATCA_STATUS atcac_pk_init_pem( /* coverity[cert_exp40_c_violation] Correct usage of OpenSSL 1.1 API */ /* coverity[misra_c_2012_rule_11_8_violation] Correct usage of OpenSSL 1.1 API */ BIO* bio = BIO_new_mem_buf((void*)buf, (int)buflen); - if (pubkey) + if (bio != NULL) { - ctx->ptr = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); - } - else - { - ctx->ptr = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + if (pubkey) + { + ctx->ptr = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL); + } + else + { + ctx->ptr = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + } + BIO_free_all(bio); } } @@ -803,10 +809,17 @@ ATCA_STATUS atcac_pk_sign( { if (EVP_PKEY_EC == EVP_PKEY_id((EVP_PKEY*)ctx->ptr)) { - /* coverity[cert_exp40_c_violation] Correct usage of OpenSSL 1.1 API */ - /* coverity[misra_c_2012_rule_11_8_violation] Correct usage of OpenSSL 1.1 API */ - ECDSA_SIG* ec_sig = ECDSA_do_sign(digest, (int)dig_len, (EC_KEY*)EVP_PKEY_get0_EC_KEY((EVP_PKEY*)ctx->ptr)); - + EC_KEY* tmp_key_ptr = EC_KEY_dup(EVP_PKEY_get0_EC_KEY((EVP_PKEY*)ctx->ptr)); + ECDSA_SIG* ec_sig = NULL; + if (tmp_key_ptr == NULL) + { + ret = -1; + } + else + { + ec_sig = ECDSA_do_sign(digest, (int)dig_len, tmp_key_ptr); + EC_KEY_free(tmp_key_ptr); + } if (NULL != ec_sig) { ret = BN_bn2bin(ECDSA_SIG_get0_r(ec_sig), signature); 
@@ -879,10 +892,21 @@ ATCA_STATUS atcac_pk_verify( (void)ECDSA_SIG_set0(ec_sig, r, s); - /* coverity[cert_exp40_c_violation] Correct usage of OpenSSL 1.1 API */ - /* coverity[misra_c_2012_rule_11_8_violation] Correct usage of OpenSSL 1.1 API */ - ret = ECDSA_do_verify(digest, (int)dig_len, ec_sig, (EC_KEY*)EVP_PKEY_get0_EC_KEY((EVP_PKEY*)ctx->ptr)); - ECDSA_SIG_free(ec_sig); + if (NULL == ec_sig) + { + ret = -1; + } + else + { + EC_KEY* tmp_key_ptr = EC_KEY_dup(EVP_PKEY_get0_EC_KEY((EVP_PKEY*)ctx->ptr)); + + if (NULL != tmp_key_ptr) + { + ret = ECDSA_do_verify(digest, (int)dig_len, ec_sig, tmp_key_ptr); + EC_KEY_free(tmp_key_ptr); + ECDSA_SIG_free(ec_sig); + } + } } else { @@ -924,10 +948,10 @@ ATCA_STATUS atcac_pk_verify( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_derive( - struct atcac_pk_ctx* private_ctx, - struct atcac_pk_ctx* public_ctx, - uint8_t* buf, - size_t* buflen + struct atcac_pk_ctx* private_ctx, + struct atcac_pk_ctx* public_ctx, + uint8_t* buf, + size_t* buflen ) { ATCA_STATUS status = ATCA_BAD_PARAM; @@ -943,7 +967,7 @@ ATCA_STATUS atcac_pk_derive( { case EVP_PKEY_EC: { - const EC_POINT *pub_key = EC_KEY_get0_public_key( + const EC_POINT* pub_key = EC_KEY_get0_public_key( EVP_PKEY_get0_EC_KEY((EVP_PKEY*)public_ctx->ptr)); ret = ECDH_compute_key(buf, *buflen, pub_key, 
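Review bot: In atcac_pk_verify the new `ECDSA_SIG_free(ec_sig);` sits inside `if (NULL != tmp_key_ptr)`, so a failed `EC_KEY_dup` leaks `ec_sig` (and the `r`/`s` it owns) and leaves `ret` at whatever it held before this block, where a verify routine should report an explicit failure. Move the free out of the inner `if` and add `else { ret = -1; }` for the dup failure. The added `NULL == ec_sig` test also comes after `ECDSA_SIG_set0(ec_sig, r, s)` has already used the pointer, so it cannot protect that call. That check belongs where `ec_sig` is allocated, which is above this hunk.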
@@ -961,6 +985,204 @@ ATCA_STATUS atcac_pk_derive( return status; } +ATCA_STATUS atcac_parse_der(struct atcac_x509_ctx** cert, cal_buffer* der) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != der) + { + if (UINT64_MAX > der->len) + { + const unsigned char* in = der->buf; + if (NULL != d2i_X509((X509 **)cert, &in, (long)der->len)) + { + status = ATCA_SUCCESS; + } + } + } + return status; +} + +static ATCA_STATUS atcac_read_asn1_string(const ASN1_STRING * as, cal_buffer* buf, uint8_t * tag) +{ + ATCA_STATUS status; + + if (NULL != as && 0 < as->length) + { + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(buf, 0U, as->data, (size_t)as->length))) + { + if (NULL != tag) + { + if (as->type >= 0 && as->type <= 255) + { + *tag = (uint8_t)as->type; + } + } + status = cal_buf_set_used(buf, (size_t)as->length); + } + + } + else + { + /* No data is available */ + status = cal_buf_set_used(buf, 0U); + } + + return status; +} + +ATCA_STATUS atcac_get_subject(const struct atcac_x509_ctx* cert, cal_buffer* cert_subject) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_subject) + { + X509_NAME* sub_name = X509_get_subject_name((const X509 *)&cert->ptr); + if (NULL != sub_name) + { + size_t length = 0U; + const unsigned char *tmp_ptr = NULL; + if (1 == X509_NAME_get0_der(sub_name, &tmp_ptr, &length)) + { + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(cert_subject, 0U, tmp_ptr, length))) + { + status = cal_buf_set_used(cert_subject, length); + } + } + } + } + else + { + /* No data is available */ + status = cal_buf_set_used(cert_subject, 0U); + } + return status; +} + +ATCA_STATUS atcac_get_subj_public_key(const struct atcac_x509_ctx * cert, cal_buffer * subj_public_key) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != subj_public_key) + { + atcac_pk_ctx_t pk; + if (NULL != (pk.ptr = X509_get0_pubkey((const X509*)&cert->ptr))) + { + status = atcac_pk_public(&pk, subj_public_key->buf, 
&subj_public_key->len); + } + } + + return status; +} + +ATCA_STATUS atcac_get_subj_key_id(const struct atcac_x509_ctx * cert, cal_buffer * subj_public_key_id) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != subj_public_key_id) + { + ASN1_OCTET_STRING * ext = (ASN1_OCTET_STRING*)X509_get_ext_d2i((const X509*)&cert->ptr, NID_subject_key_identifier, NULL, NULL); + if (NULL != ext) + { + status = atcac_read_asn1_string(ext, subj_public_key_id, NULL); + ASN1_OCTET_STRING_free(ext); + } + } + return status; +} + +ATCA_STATUS atcac_get_issuer(const struct atcac_x509_ctx* cert, cal_buffer* issuer_buf) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != issuer_buf) + { + X509_NAME* sub_name = (X509_NAME*)X509_get_issuer_name((const X509*)&cert->ptr); + uint8_t x509_sub_name_enc_buf[256] = { 0 }; //Given max size as 256 bytes for issuer name + const unsigned char* tmp_buf = x509_sub_name_enc_buf; + if (NULL != sub_name) + { + if (1 == X509_NAME_get0_der(sub_name, &tmp_buf, &issuer_buf->len)) + { + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(issuer_buf, 0U, tmp_buf, issuer_buf->len))) + { + status = cal_buf_set_used(issuer_buf, issuer_buf->len); + } + } + } + } + else + { + /* No data is available */ + status = cal_buf_set_used(issuer_buf, 0U); + } + return status; +} + +ATCA_STATUS atcac_get_auth_key_id(const struct atcac_x509_ctx * cert, cal_buffer * auth_key_id) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != auth_key_id) + { + AUTHORITY_KEYID * ext = (AUTHORITY_KEYID*)X509_get_ext_d2i((const X509*)&cert->ptr, NID_authority_key_identifier, NULL, NULL); + + if (NULL != ext && NULL != ext->keyid) + { + status = atcac_read_asn1_string(ext->keyid, auth_key_id, NULL); + AUTHORITY_KEYID_free(ext); + } + else + { + /* No data is available */ + status = cal_buf_set_used(auth_key_id, 0U); + } + } + return status; +} + +ATCA_STATUS atcac_get_issue_date(const struct atcac_x509_ctx * cert, cal_buffer* 
not_before, uint8_t * fmt) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != not_before) + { + status = atcac_read_asn1_string(X509_get0_notBefore((const X509*)&cert->ptr), not_before, fmt); + } + return status; +} + +ATCA_STATUS atcac_get_expire_date(const struct atcac_x509_ctx * cert, cal_buffer* not_after, uint8_t * fmt) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != not_after) + { + status = atcac_read_asn1_string(X509_get0_notAfter((const X509*)&cert->ptr), not_after, fmt); + } + return status; +} + +ATCA_STATUS atcac_get_cert_sn(const struct atcac_x509_ctx * cert, cal_buffer * cert_sn) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_sn) + { + status = atcac_read_asn1_string(X509_get0_serialNumber((const X509*)&cert->ptr), cert_sn, NULL); + } + + return status; +} + +void atcac_x509_free(void* cert) +{ + if (NULL != cert) + { + X509_free((X509 *)cert); + } +} + #if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP) struct atcac_sha1_ctx * atcac_sha1_ctx_new(void) { diff --git a/lib/openssl/atca_openssl_interface.h b/lib/openssl/atca_openssl_interface.h index f4a1020ca..144d01b78 100644 --- a/lib/openssl/atca_openssl_interface.h +++ b/lib/openssl/atca_openssl_interface.h @@ -82,7 +82,7 @@ extern "C" { * Indicates if this module is a provider of x509 certificate handling */ #ifndef HOSTLIB_CERT_EN -#define HOSTLIB_CERT_EN (DEFAULT_DISABLED) +#define HOSTLIB_CERT_EN (DEFAULT_ENABLED) #endif #if ATCAC_AES_GCM_EN || ATCAC_AES_GCM_UPDATE_EN @@ -117,6 +117,11 @@ typedef struct atcac_pk_ctx void* ptr; } atcac_pk_ctx_t; +typedef struct atcac_x509_ctx +{ + void* ptr; +} atcac_x509_ctx_t; + #ifdef __cplusplus } #endif diff --git a/lib/pkcs11/pkcs11_cert.c b/lib/pkcs11/pkcs11_cert.c index 53e907950..4479df536 100644 --- a/lib/pkcs11/pkcs11_cert.c +++ b/lib/pkcs11/pkcs11_cert.c 
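Review bot: atcac_get_issuer passes `&issuer_buf->len` to `X509_NAME_get0_der`, which overwrites the caller's buffer capacity with the DER length before `cal_buf_write_bytes` runs, so the copy is bounded by the source length rather than the destination size (assuming cal_buf_write_bytes checks against `len`, which is not visible here). An issuer name longer than the caller's buffer could then be written past its end. atcac_get_subject in the same hunk already avoids this, and the same pattern applies here: `size_t length = 0U;`, `X509_NAME_get0_der(sub_name, &tmp_buf, &length)`, then pass `length` to `cal_buf_write_bytes` and `cal_buf_set_used`. The 256-byte `x509_sub_name_enc_buf` is never used as storage because get0_der only repoints `tmp_buf`, so it can be dropped. Separately, the `else` branches of atcac_get_subject and atcac_get_issuer run when an argument is NULL and still call `cal_buf_set_used` on the possibly NULL buffer.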
@@ -31,10 +31,8 @@ #include "tng_atca.h" #endif -#if ATCA_CA_SUPPORT #include "atcacert/atcacert_def.h" #include "atcacert/atcacert_client.h" -#endif #include "pkcs11_config.h" #include "pkcs11_debug.h" @@ -47,6 +45,22 @@ /** * \defgroup pkcs11 Key (pkcs11_key_) @{ */ + +#if !defined(ATCA_NO_HEAP) && (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) +typedef struct pkcs11_cert_cache_s +{ + CK_ATTRIBUTE cert_x509_parse; + pkcs11_session_ctx_ptr pSession_cert; + pkcs11_object_ptr pObject_cert; + atcacert_def_t * pSession_cert_def; + CK_BBOOL in_use; + void * pCert_parsed; +} pkcs11_cert_cache; + +static pkcs11_cert_cache pkcs11_cert_cache_list[PKCS11_MAX_CERTS_CACHED]; +#endif + + #if defined(ATCA_TNGTLS_SUPPORT) || defined(ATCA_TNGLORA_SUPPORT) || defined(ATCA_TFLEX_SUPPORT) static void pkcs11_cert_check_trust_data(pkcs11_object_ptr pObject) { 
@@ -74,10 +88,86 @@ static void pkcs11_cert_check_trust_data(pkcs11_object_ptr pObject) } #endif +/* Loads cert into cache list */ +static CK_RV pkcs11_cert_load_cache(const pkcs11_session_ctx_ptr pSession, const pkcs11_object_ptr pObject) +{ + CK_RV rv = CKR_GENERAL_ERROR; + + if ((pObject->class_id == CKO_CERTIFICATE) && + (pObject->class_type == CK_CERTIFICATE_CATEGORY_TOKEN_USER)) + { +#if !defined(ATCA_NO_HEAP) && (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) + if (NULL == pObject->data) + { + /* Find free cert cache slot*/ + CK_ULONG i; + for (i = 0; i < PKCS11_MAX_CERTS_CACHED; i++) + { + if (FALSE == pkcs11_cert_cache_list[i].in_use) + { + break; + } + } + + if (i < PKCS11_MAX_CERTS_CACHED) + { + /* Allocate cert object memory */ + atcacert_def_t* cert_def = pkcs11_os_malloc(sizeof(atcacert_def_t)); + + if (NULL != cert_def) + { + cert_def->type = CERTTYPE_X509_FULL_STORED; + cert_def->comp_cert_dev_loc.zone = (atcacert_device_zone_t)ATCA_ZONE_DATA; + cert_def->comp_cert_dev_loc.slot = pObject->slot; + cert_def->parsed = &pkcs11_cert_cache_list[i].pCert_parsed; + pObject->data = cert_def; + pObject->flags |= PKCS11_OBJECT_FLAG_CERT_CACHE; + + + /* Get the buffer size required first */ + rv = pkcs11_cert_load(pObject, &pkcs11_cert_cache_list[i].cert_x509_parse, pSession->slot->device_ctx); + if (CKR_OK == rv) + { + pkcs11_cert_cache_list[i].cert_x509_parse.pValue = pkcs11_os_malloc(pkcs11_cert_cache_list[i].cert_x509_parse.ulValueLen); + /* Link x509 parsed certificate to object */ + rv = pkcs11_cert_load(pObject, &pkcs11_cert_cache_list[i].cert_x509_parse, pSession->slot->device_ctx); + pkcs11_cert_cache_list[i].in_use = TRUE; + pkcs11_cert_cache_list[i].pSession_cert = pSession; + pkcs11_cert_cache_list[i].pObject_cert = pObject; + pkcs11_cert_cache_list[i].pSession_cert_def = cert_def; + } + } + else + { + rv = CKR_HOST_MEMORY; + } + } + else + { + rv = CKR_GENERAL_ERROR; + } + } + else + { + CK_ULONG i; + for (i = 0; i < PKCS11_MAX_CERTS_CACHED; i++) + { 
+ if ((pkcs11_cert_cache_list[i].pSession_cert == pSession) && + (pkcs11_cert_cache_list[i].pObject_cert == pObject)) + { + return CKR_OK; + } + } + } +#endif + } + + return rv; +} + #if ATCA_CA_SUPPORT static CK_RV pkcs11_cert_load_ca(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device) { - ATCA_STATUS status = ATCA_SUCCESS; int cert_status; if (NULL != pObject->data) @@ -87,8 +177,13 @@ static CK_RV pkcs11_cert_load_ca(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAt /* Load Certificate */ if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) { - uint8_t ca_key[64]; - status = ATCA_SUCCESS; + size_t temp = pAttribute->ulValueLen; + +#if (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) + cert_status = atcacert_read_cert_ext(device, (atcacert_def_t*)pObject->data, NULL, (uint8_t*)pAttribute->pValue, &temp); +#else + ATCA_STATUS status = ATCA_SUCCESS; + uint8_t ca_key[64] = { 0 }; if (NULL != cert_cfg->ca_cert_def) { @@ -107,8 +202,9 @@ static CK_RV pkcs11_cert_load_ca(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAt return CKR_DEVICE_ERROR; } - size_t temp = pAttribute->ulValueLen; - cert_status = atcacert_read_cert_ext(device, (atcacert_def_t*)pObject->data, (cert_cfg->ca_cert_def != NULL) ? ca_key : NULL, (uint8_t*)pAttribute->pValue, &temp); + cert_status = atcacert_read_cert_ext(device, (atcacert_def_t*)pObject->data, (cert_cfg->ca_cert_def != NULL) ? ca_key : NULL, + (uint8_t*)pAttribute->pValue, &temp); +#endif pAttribute->ulValueLen = (uint32_t)(temp & 0xffffffffu); if (ATCACERT_E_DECODING_ERROR == cert_status) 
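Review bot: pkcs11_cert_load_cache marks the slot `in_use` and records the session and object even when `pkcs11_os_malloc` for `cert_x509_parse.pValue` returns NULL or the second `pkcs11_cert_load` fails, so a failed load leaves an occupied cache entry that later lookups treat as a hit with a NULL or partial value. The `atcacert_def_t` is also used straight from `pkcs11_os_malloc` with only four fields set; unless that allocator zero-fills, fields such as `cert_elements`, read later in pkcs11_cert_get_subject, are indeterminate. Zero the structure, check the allocation, and commit the bookkeeping only on `CKR_OK`. The failure path should additionally release `cert_def` and clear `pObject->data`, which needs the object-teardown code that is outside this hunk.

```c
if (NULL != cert_def)
{
    (void)memset(cert_def, 0, sizeof(atcacert_def_t));
    /* ... unchanged: cert_def field setup, pObject->data and flag assignment ... */

    /* Get the buffer size required first */
    rv = pkcs11_cert_load(pObject, &pkcs11_cert_cache_list[i].cert_x509_parse, pSession->slot->device_ctx);
    if (CKR_OK == rv)
    {
        pkcs11_cert_cache_list[i].cert_x509_parse.pValue = pkcs11_os_malloc(pkcs11_cert_cache_list[i].cert_x509_parse.ulValueLen);
        if (NULL == pkcs11_cert_cache_list[i].cert_x509_parse.pValue)
        {
            rv = CKR_HOST_MEMORY;
        }
        else
        {
            /* Link x509 parsed certificate to object */
            rv = pkcs11_cert_load(pObject, &pkcs11_cert_cache_list[i].cert_x509_parse, pSession->slot->device_ctx);
        }
    }

    if (CKR_OK == rv)
    {
        /* Only a fully loaded certificate occupies the slot */
        pkcs11_cert_cache_list[i].in_use = TRUE;
        pkcs11_cert_cache_list[i].pSession_cert = pSession;
        pkcs11_cert_cache_list[i].pObject_cert = pObject;
        pkcs11_cert_cache_list[i].pSession_cert_def = cert_def;
    }
```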
@@ -144,32 +240,45 @@ static CK_RV pkcs11_cert_load_ca(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAt static CK_RV pkcs11_cert_load_ta(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device) { ta_handle_info handle_info; + ATCA_STATUS status = talib_info_get_handle_info(device, pObject->slot, &handle_info); if (ATCA_SUCCESS == status) { - uint16_t cert_size = handle_info.attributes.property; - - if ((NULL != pAttribute->pValue) && (pAttribute->ulValueLen >= cert_size)) + if (NULL != pObject->data) { - cal_buffer sAttribute = CAL_BUF_INIT(cert_size, pAttribute->pValue); - status = talib_read_element(device, pObject->slot, &sAttribute); - pAttribute->ulValueLen = cert_size; + size_t cert_size = (size_t)handle_info.attributes.property; + + if ((NULL != pAttribute->pValue) && (pAttribute->ulValueLen >= cert_size)) + { + atcacert_def_t * cert_def = (atcacert_def_t*)pObject->data; + uint8_t* cert = (uint8_t*)pAttribute->pValue; + if (ATCACERT_E_SUCCESS != (status = atcacert_read_cert_ext(device, cert_def, NULL, cert, &cert_size))) + { + return pkcs11_util_convert_rv(status); + } + pAttribute->ulValueLen = (CK_ULONG)(cert_size); + } + else + { + pAttribute->ulValueLen = (CK_ULONG)(cert_size); + } } else { - pAttribute->ulValueLen = (CK_ULONG)cert_size; + (void)pkcs11_attrib_empty(NULL, pAttribute, NULL); } } else { return CKR_GENERAL_ERROR; } + return pkcs11_util_convert_rv(status); } #endif -static CK_RV pkcs11_cert_load(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device) +CK_RV pkcs11_cert_load(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device) { CK_RV ret = CKR_GENERAL_ERROR; ATCADeviceType dev_type = atcab_get_device_type_ext(device); 
@@ -202,7 +311,27 @@ static CK_RV pkcs11_cert_get_encoded(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttr #if defined(ATCA_TNGTLS_SUPPORT) || defined(ATCA_TNGLORA_SUPPORT) || defined(ATCA_TFLEX_SUPPORT) pkcs11_cert_check_trust_data(obj_ptr); #endif + +#if !defined(ATCA_NO_HEAP) && (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) + CK_RV rv = CKR_GENERAL_ERROR; + + rv = pkcs11_cert_load_cache(psession, obj_ptr); + if (CKR_OK == rv) + { + CK_ULONG i; + for (i = 0; i < PKCS11_MAX_CERTS_CACHED; i++) + { + if ((pkcs11_cert_cache_list[i].pSession_cert == psession) && + (pkcs11_cert_cache_list[i].pObject_cert == pObject)) + { + return pkcs11_attrib_fill(pAttribute, pkcs11_cert_cache_list[i].cert_x509_parse.pValue, + pkcs11_cert_cache_list[i].cert_x509_parse.ulValueLen); + } + } + } +#else return pkcs11_cert_load(obj_ptr, pAttribute, psession->slot->device_ctx); +#endif } return CKR_ARGUMENTS_BAD; @@ -264,7 +393,6 @@ static CK_RV pkcs11_cert_get_type(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribu static CK_RV pkcs11_cert_get_subject(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) { -#if !defined(ATCA_NO_HEAP) && ATCA_CA_SUPPORT pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; CK_RV rv = CKR_ARGUMENTS_BAD; 
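Review bot: With the cache enabled, pkcs11_cert_get_encoded no longer has a path to `pkcs11_cert_load`: when `pkcs11_cert_load_cache` returns anything but `CKR_OK`, or the loop finds no matching entry, control falls through to `return CKR_ARGUMENTS_BAD`. pkcs11_cert_load_cache leaves `rv` at `CKR_GENERAL_ERROR` for every object that is not `CK_CERTIFICATE_CATEGORY_TOKEN_USER`, and for objects whose `data` was set by something other than the cache. CKA_VALUE for those certificates would therefore stop working, and the real error code is lost. Fall back to the direct read after the lookup, `return pkcs11_cert_load(obj_ptr, pAttribute, psession->slot->device_ctx);`, instead of compiling it only in the `#else` branch. The function body starts above this hunk.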
@@ -274,63 +402,152 @@ static CK_RV pkcs11_cert_get_subject(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttr pkcs11_cert_check_trust_data(obj_ptr); #endif + rv = pkcs11_cert_load_cache(psession, obj_ptr); + if (NULL != obj_ptr->data) { - atcacert_def_t* cert_def = (atcacert_def_t*)obj_ptr->data; - const atcacert_cert_element_t * subj_element = NULL; - - if (NULL != cert_def->cert_elements) + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) { - uint8_t i; - for (i = 0; i < cert_def->cert_elements_count; i++) + atcacert_def_t* cert_def = (atcacert_def_t*)obj_ptr->data; + if (CKR_OK == rv) { - if (0 == strcmp(cert_def->cert_elements[i].id, "subject")) + uint8_t subject[128] = { 0 }; + cal_buffer subject_buf = CAL_BUF_INIT(sizeof(subject), subject); + + if (ATCA_SUCCESS == (atcacert_get_subject(cert_def, NULL, 0, &subject_buf))) { - subj_element = &cert_def->cert_elements[i]; - break; + return pkcs11_attrib_fill(pAttribute, subject, (CK_ULONG)cal_buf_get_used(&subject_buf)); + } + else + { + return CKR_DEVICE_ERROR; } } - } - - if (NULL != subj_element) - { - CK_ATTRIBUTE cert_attr = { 0, NULL, 0 }; + #if !defined(ATCA_NO_HEAP) && ATCA_CA_SUPPORT + else + { + const atcacert_cert_element_t * subj_element = NULL; - /* Get the buffer size required first */ - rv = pkcs11_cert_load(obj_ptr, &cert_attr, psession->slot->device_ctx); + if (NULL != cert_def->cert_elements) + { + uint8_t i; + for (i = 0; i < cert_def->cert_elements_count; i++) + { + if (0 == strcmp(cert_def->cert_elements[i].id, "subject")) + { + subj_element = &cert_def->cert_elements[i]; + break; + } + } + } - if (CKR_OK == rv) + if (NULL != subj_element) + { + CK_ATTRIBUTE cert_attr = { 0, NULL, 0 }; + + /* Get the buffer size required first */ + rv = pkcs11_cert_load(obj_ptr, &cert_attr, psession->slot->device_ctx); + + if (CKR_OK == rv) + { + cert_attr.pValue = pkcs11_os_malloc(cert_attr.ulValueLen); + rv = pkcs11_cert_load(obj_ptr, &cert_attr, psession->slot->device_ctx); + } + + if (CKR_OK 
== rv) + { + if (NULL != cert_attr.pValue) + { + rv = pkcs11_attrib_fill(pAttribute, &((uint8_t*)cert_attr.pValue)[subj_element->cert_loc.offset], + subj_element->cert_loc.count); + } + } + + if (NULL != cert_attr.pValue) + { + pkcs11_os_free(cert_attr.pValue); + } + } + } + #endif + } + else + { + pAttribute->ulValueLen = 128; + if (pAttribute->pValue == NULL) { - cert_attr.pValue = pkcs11_os_malloc(cert_attr.ulValueLen); - rv = pkcs11_cert_load(obj_ptr, &cert_attr, psession->slot->device_ctx); + return CKR_OK; } + } + } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + else + { + return pkcs11_attrib_empty(pObject, pAttribute, NULL); + } - if (CKR_OK == rv) + return rv; +} + +static CK_RV pkcs11_cert_get_issuer(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + CK_RV rv = CKR_ARGUMENTS_BAD; + + if (NULL != obj_ptr && NULL != psession) + { + CK_RV read_cache = CKR_GENERAL_ERROR; + + read_cache = pkcs11_cert_load_cache(psession, obj_ptr); + + if (NULL != obj_ptr->data) + { + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + if (CKR_OK == read_cache) { - if (NULL != cert_attr.pValue) + uint8_t issuer_name[128] = { 0 }; + + if (ATCA_SUCCESS == (atcacert_get_issuer(cert_cfg, NULL, 0, issuer_name))) { - rv = pkcs11_attrib_fill(pAttribute, &((uint8_t*)cert_attr.pValue)[subj_element->cert_loc.offset], - subj_element->cert_loc.count); + return pkcs11_attrib_fill(pAttribute, issuer_name, (CK_ULONG)sizeof(issuer_name)); + } + else + { + return CKR_DEVICE_ERROR; } } - - if (NULL != cert_attr.pValue) + } + else + { + pAttribute->ulValueLen = 128; + if (pAttribute->pValue == NULL) { - pkcs11_os_free(cert_attr.pValue); + return CKR_OK; } } } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + else + { + return pkcs11_attrib_empty(pObject, pAttribute, 
NULL); } return rv; -#else - return pkcs11_attrib_empty(pObject, pAttribute, NULL); -#endif } static CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) { -#if ATCA_CA_SUPPORT + CK_RV read_cache = CKR_GENERAL_ERROR; pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; if (NULL != obj_ptr && NULL != psession) @@ -339,15 +556,26 @@ static CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PT pkcs11_cert_check_trust_data(obj_ptr); #endif + read_cache = pkcs11_cert_load_cache(psession, obj_ptr); + if (NULL != obj_ptr->data) { if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) { atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; uint8_t subj_key_id[20] = { 0 }; - int cert_status; + ATCA_STATUS cert_status = (ATCA_STATUS)CKR_DEVICE_ERROR; - cert_status = atcacert_read_subj_key_id_ext(psession->slot->device_ctx, cert_cfg, subj_key_id); + if (CKR_OK == read_cache) + { + cert_status = atcacert_get_subj_key_id(cert_cfg, NULL, 0, subj_key_id); + } + else + { +#if ATCACERT_COMPCERT_EN + cert_status = atcacert_read_subj_key_id(cert_cfg, subj_key_id); +#endif + } if (ATCA_SUCCESS != (ATCA_STATUS)cert_status) { 
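Review bot: pkcs11_cert_get_issuer always returns `sizeof(issuer_name)` (128) bytes, so CKA_ISSUER is the name followed by zero padding rather than the name itself. `atcacert_get_issuer` is also handed the raw array with no length, so bounds for a longer issuer depend entirely on that callee, whose definition is not in this hunk. pkcs11_cert_get_subject in the same hunk wraps its array in a `cal_buffer` via `CAL_BUF_INIT` and returns `cal_buf_get_used(&subject_buf)`; the issuer getter should report the real length the same way. A cache miss in pkcs11_cert_get_issuer also ends at `return rv` with `CKR_ARGUMENTS_BAD`, which misreports a load failure as a caller error.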
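Review bot: The cache-miss branch of pkcs11_cert_get_subject_key_id now calls `atcacert_read_subj_key_id(cert_cfg, subj_key_id)` where the old code called `atcacert_read_subj_key_id_ext(psession->slot->device_ctx, ...)`, so the session's device is no longer passed. If the non-`_ext` form uses the library's default device, a multi-slot configuration would read from the wrong part. Keep the `_ext` call with `psession->slot->device_ctx`. `cert_status` is also initialised from `CKR_DEVICE_ERROR` cast to `ATCA_STATUS`, which mixes two status domains; an ATCA error constant such as `ATCA_GEN_FAIL` says the same thing without the cast. The function continues past the end of this hunk.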
@@ -372,16 +600,183 @@ static CK_RV pkcs11_cert_get_subject_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PT } return CKR_ARGUMENTS_BAD; -#else - return pkcs11_attrib_empty(pObject, pAttribute, NULL); -#endif } +static CK_RV pkcs11_cert_get_serial_num(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + + if (NULL != obj_ptr && NULL != psession) + { + (void)pkcs11_cert_load_cache(psession, obj_ptr); + + if (NULL != obj_ptr->data) + { + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + uint8_t cert_sn[32] = { 0 }; + size_t cert_sn_size = sizeof(cert_sn); + int sn_status; + + sn_status = atcacert_get_cert_sn(cert_cfg, NULL, 0, cert_sn, &cert_sn_size); + + if (ATCA_SUCCESS != (ATCA_STATUS)sn_status) + { + return CKR_DEVICE_ERROR; + } + + return pkcs11_attrib_fill(pAttribute, cert_sn, (CK_ULONG)cert_sn_size); + } + else + { + pAttribute->ulValueLen = 32; + if (pAttribute->pValue == NULL) + { + return CKR_OK; + } + } + } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + + return CKR_ARGUMENTS_BAD; +} + + static CK_RV pkcs11_cert_get_authority_key_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) { - ((void)psession); + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; - return pkcs11_attrib_empty(pObject, pAttribute, NULL); + if (NULL != obj_ptr && NULL != psession) + { +#if defined(ATCA_TNGTLS_SUPPORT) || defined(ATCA_TNGLORA_SUPPORT) || defined(ATCA_TFLEX_SUPPORT) + pkcs11_cert_check_trust_data(obj_ptr); +#endif + + (void)pkcs11_cert_load_cache(psession, obj_ptr); + + if (NULL != obj_ptr->data) + { + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + uint8_t auth_key_id[20] = { 0 }; + + if (ATCA_SUCCESS == (atcacert_get_auth_key_id(cert_cfg, NULL, 
0, auth_key_id))) + { + return pkcs11_attrib_fill(pAttribute, auth_key_id, (CK_ULONG)sizeof(auth_key_id)); + } + else + { + return CKR_DEVICE_ERROR; + } + } + else + { + pAttribute->ulValueLen = 20; + if (pAttribute->pValue == NULL) + { + return CKR_OK; + } + } + } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + + return CKR_ARGUMENTS_BAD; +} + + +static CK_RV pkcs11_get_issue_date(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + + if (NULL != obj_ptr && NULL != psession) + { + if (NULL != obj_ptr->data) + { + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + atcacert_tm_utc_t timestamp; + + (void)memset(×tamp, 0, sizeof(atcacert_tm_utc_t)); + + if (ATCA_SUCCESS == (atcacert_get_issue_date(cert_cfg, NULL, 0, ×tamp))) + { + return pkcs11_attrib_fill(pAttribute, ×tamp, (CK_ULONG)sizeof(timestamp)); + } + else + { + return CKR_DEVICE_ERROR; + } + } + else + { + pAttribute->ulValueLen = 0; + if (pAttribute->pValue == NULL) + { + return CKR_OK; + } + } + } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + + return CKR_ARGUMENTS_BAD; +} + + +static CK_RV pkcs11_get_expire_date(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) +{ + pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; + + if (NULL != obj_ptr && NULL != psession) + { + if (NULL != obj_ptr->data) + { + if ((NULL != pAttribute->pValue) && (0u != pAttribute->ulValueLen)) + { + atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; + atcacert_tm_utc_t timestamp; + + (void)memset(×tamp, 0, sizeof(atcacert_tm_utc_t)); + + if (ATCA_SUCCESS == (atcacert_get_expire_date(cert_cfg, NULL, 0, ×tamp))) + { + return pkcs11_attrib_fill(pAttribute, ×tamp, (CK_ULONG)sizeof(timestamp)); + } + else + { + return CKR_DEVICE_ERROR; + } + } + else + { + 
pAttribute->ulValueLen = 0; + if (pAttribute->pValue == NULL) + { + return CKR_OK; + } + } + } + else + { + return pkcs11_attrib_empty(NULL, pAttribute, NULL); + } + } + + return CKR_ARGUMENTS_BAD; } static CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) 
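Review bot: pkcs11_get_issue_date and pkcs11_get_expire_date answer a size query with `pAttribute->ulValueLen = 0;` but only return data when `ulValueLen` is non-zero, so a caller using the usual query-then-fetch sequence can never obtain CKA_START_DATE or CKA_END_DATE. The value they would return is the raw `atcacert_tm_utc_t` structure, whereas PKCS #11 defines these attributes as `CK_DATE` (ASCII year, month, day). Report `pAttribute->ulValueLen = (CK_ULONG)sizeof(CK_DATE);` on the size query and convert the timestamp into a `CK_DATE` before `pkcs11_attrib_fill`. Unlike the other getters added in this hunk, these two also skip `pkcs11_cert_load_cache`, so whether `atcacert_get_issue_date` has a parsed certificate to read depends on an earlier attribute request having populated the cache.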
@@ -404,27 +799,47 @@ static CK_RV pkcs11_cert_get_trusted_flag(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR return CKR_ARGUMENTS_BAD; } -static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) +static CK_RV pkcs11_cert_get_subj_key(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr psession) { #if PKCS11_AUTO_ID_ENABLE return pkcs11_cert_get_subject_key_id(pObject, pAttribute, psession); -#elif ATCA_CA_SUPPORT +#elif ATCA_CA_SUPPORT || ATCA_TA_SUPPORT pkcs11_object_ptr obj_ptr = (pkcs11_object_ptr)pObject; CK_RV rv = CKR_ARGUMENTS_BAD; if (obj_ptr) { + CK_RV read_cache = CKR_GENERAL_ERROR; +#if defined(ATCA_TNGTLS_SUPPORT) || defined(ATCA_TNGLORA_SUPPORT) || defined(ATCA_TFLEX_SUPPORT) pkcs11_cert_check_trust_data(obj_ptr); - - if (obj_ptr->data) +#endif + read_cache = pkcs11_cert_load_cache(psession, obj_ptr); + if (NULL != obj_ptr->data) { atcacert_def_t * cert_cfg = (atcacert_def_t*)obj_ptr->data; - uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot); - rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t)); + + if (CKR_OK == read_cache) + { + uint8_t subj_public_key[64] = { 0 }; + + if (ATCA_SUCCESS == (atcacert_get_subj_public_key(cert_def, NULL, 0, &subj_public_key))) + { + rv = pkcs11_attrib_fill(pAttribute, subj_public_key, (CK_ULONG)sizeof(subj_public_key)); + } + else + { + rv = CKR_DEVICE_ERROR; + } + } + else + { + uint16_t key_id = ATCA_UINT16_HOST_TO_BE(cert_cfg->public_key_dev_loc.slot); + rv = pkcs11_attrib_fill(pAttribute, &key_id, sizeof(uint16_t)); + } } else { - return pkcs11_attrib_empty(pObject, pAttribute, NULL); + rv = pkcs11_attrib_empty(pObject, pAttribute, NULL); } } return rv; 
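Review bot: The cache-hit branch of pkcs11_cert_get_subj_key calls `atcacert_get_subj_public_key(cert_def, NULL, 0, &subj_public_key)`, but the only local declared in this function is `cert_cfg`, so this will not compile when that branch is built unless some other `cert_def` is in scope. It should read `atcacert_get_subj_public_key(cert_cfg, NULL, 0, &subj_public_key)`. `psession` is passed to `pkcs11_cert_load_cache`, which dereferences `pSession->slot`, while the guard here is only `if (obj_ptr)`; use `if (NULL != obj_ptr && NULL != psession)` as the sibling getters do. CKA_ID also becomes the 64-byte public key on a cache hit and the 2-byte slot number on a miss, so the same certificate can present two different IDs. Applications that pair a certificate with its private key by CKA_ID would need the key object to follow the same rule.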
@@ -438,62 +853,62 @@ static CK_RV pkcs11_cert_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute */ const pkcs11_attrib_model pkcs11_cert_x509public_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_token_get_access_type }, + { CKA_PRIVATE, pkcs11_token_get_access_type }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, pkcs11_token_get_writable }, + { CKA_MODIFIABLE, pkcs11_token_get_writable }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. */ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of certificate */ - { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, + { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, /** The certificate can be trusted for the application that it was created. 
*/ - { CKA_TRUSTED, pkcs11_cert_get_trusted_flag }, + { CKA_TRUSTED, pkcs11_cert_get_trusted_flag }, /** Default CK_CERTIFICATE_CATEGORY_UNSPECIFIED) */ - { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, + { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, /** Checksum */ - { CKA_CHECK_VALUE, NULL_PTR }, + { CKA_CHECK_VALUE, NULL_PTR }, /** Start date for the certificate (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_get_issue_date }, /** End date for the certificate (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_get_expire_date }, /** ALL: DER-encoding of the SubjectPublicKeyInfo for the public key contained in this certificate (default empty) SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT_STRING } */ - { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, + { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, /** DER-encoded Certificate subject name */ - { CKA_SUBJECT, pkcs11_cert_get_subject }, + { CKA_SUBJECT, pkcs11_cert_get_subject }, /** Key identifier for public/private key pair (default empty) */ - { CKA_ID, pkcs11_cert_get_id }, + { CKA_ID, pkcs11_cert_get_subj_key }, /** DER-encoded Certificate issuer name (default empty)*/ - { CKA_ISSUER, pkcs11_attrib_empty }, + { CKA_ISSUER, pkcs11_cert_get_issuer }, /** DER-encoding of the certificate serial number (default empty) */ - { CKA_SERIAL_NUMBER, pkcs11_attrib_empty }, + { CKA_SERIAL_NUMBER, pkcs11_cert_get_serial_num }, /** BER-encoded Complete Certificate */ - { CKA_VALUE, pkcs11_cert_get_encoded }, + { CKA_VALUE, pkcs11_cert_get_encoded }, /** If not empty this attribute gives the URL where the complete certificate can be obtained (default empty) */ - { CKA_URL, pkcs11_attrib_empty }, + { CKA_URL, pkcs11_attrib_empty }, /** Hash of the subject public key (default empty). 
Hash algorithm is defined by CKA_NAME_HASH_ALGORITHM */ - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, pkcs11_cert_get_subject_key_id }, + { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, pkcs11_cert_get_subject_key_id }, /** Hash of the issuer public key (default empty). Hash algorithm is defined by CKA_NAME_HASH_ALGORITHM */ - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, pkcs11_cert_get_authority_key_id }, + { CKA_HASH_OF_ISSUER_PUBLIC_KEY, pkcs11_cert_get_authority_key_id }, /** Java MIDP security domain. (default CK_SECURITY_DOMAIN_UNSPECIFIED) */ - { CKA_JAVA_MIDP_SECURITY_DOMAIN, NULL_PTR }, + { CKA_JAVA_MIDP_SECURITY_DOMAIN, NULL_PTR }, /** Defines the mechanism used to calculate CKA_HASH_OF_SUBJECT_PUBLIC_KEY and CKA_HASH_OF_ISSUER_PUBLIC_KEY. If the attribute is not present then the type defaults to SHA-1. */ - { CKA_NAME_HASH_ALGORITHM, pkcs11_attrib_empty }, + { CKA_NAME_HASH_ALGORITHM, pkcs11_attrib_empty }, }; /* coverity[misra_c_2012_rule_5_1_violation:FALSE] C99 limit is 63 characters */ 
@@ -504,56 +919,56 @@ const CK_ULONG pkcs11_cert_x509public_attributes_count = (CK_ULONG)(PKCS11_UTIL_ */ const pkcs11_attrib_model pkcs11_cert_wtlspublic_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_token_get_access_type }, + { CKA_PRIVATE, pkcs11_token_get_access_type }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, NULL_PTR }, + { CKA_MODIFIABLE, NULL_PTR }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. */ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of certificate */ - { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, + { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, /** The certificate can be trusted for the application that it was created. 
*/ - { CKA_TRUSTED, NULL_PTR }, + { CKA_TRUSTED, NULL_PTR }, /** Default CK_CERTIFICATE_CATEGORY_UNSPECIFIED) */ - { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, + { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, /** Checksum */ - { CKA_CHECK_VALUE, NULL_PTR }, + { CKA_CHECK_VALUE, NULL_PTR }, /** Start date for the certificate (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the certificate (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_attrib_empty }, /** ALL: DER-encoding of the SubjectPublicKeyInfo for the public key contained in this certificate (default empty) SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT_STRING } */ - { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, + { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, /** WTLS-encoded Certificate subject name */ - { CKA_SUBJECT, pkcs11_attrib_empty }, + { CKA_SUBJECT, pkcs11_attrib_empty }, /** WTLS-encoded Certificate issuer name (default empty)*/ - { CKA_ISSUER, pkcs11_attrib_empty }, + { CKA_ISSUER, pkcs11_attrib_empty }, /** WTLS-encoded Complete Certificate */ - { CKA_VALUE, pkcs11_cert_get_encoded }, + { CKA_VALUE, pkcs11_cert_get_encoded }, /** If not empty this attribute gives the URL where the complete certificate can be obtained (default empty) */ - { CKA_URL, pkcs11_attrib_empty }, + { CKA_URL, pkcs11_attrib_empty }, /** Hash of the subject public key (default empty). Hash algorithm is defined by CKA_NAME_HASH_ALGORITHM */ - { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, pkcs11_cert_get_subject_key_id }, + { CKA_HASH_OF_SUBJECT_PUBLIC_KEY, pkcs11_cert_get_subject_key_id }, /** Hash of the issuer public key (default empty). 
Hash algorithm is defined by CKA_NAME_HASH_ALGORITHM */ - { CKA_HASH_OF_ISSUER_PUBLIC_KEY, pkcs11_attrib_empty }, + { CKA_HASH_OF_ISSUER_PUBLIC_KEY, pkcs11_attrib_empty }, /** Defines the mechanism used to calculate CKA_HASH_OF_SUBJECT_PUBLIC_KEY and CKA_HASH_OF_ISSUER_PUBLIC_KEY. If the attribute is not present then the type defaults to SHA-1. */ - { CKA_NAME_HASH_ALGORITHM, pkcs11_attrib_empty }, + { CKA_NAME_HASH_ALGORITHM, pkcs11_attrib_empty }, }; /* coverity[misra_c_2012_rule_5_1_violation:FALSE] C99 limit is 63 characters */ 
@@ -564,56 +979,56 @@ const CK_ULONG pkcs11_cert_wtlspublic_attributes_count = (CK_ULONG)(PKCS11_UTIL_ */ const pkcs11_attrib_model pkcs11_cert_x509_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_token_get_access_type }, + { CKA_PRIVATE, pkcs11_token_get_access_type }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, NULL_PTR }, + { CKA_MODIFIABLE, NULL_PTR }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. */ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of certificate */ - { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, + { CKA_CERTIFICATE_TYPE, pkcs11_cert_get_type }, /** The certificate can be trusted for the application that it was created. 
*/ - { CKA_TRUSTED, NULL_PTR }, + { CKA_TRUSTED, NULL_PTR }, /** Default CK_CERTIFICATE_CATEGORY_UNSPECIFIED) */ - { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, + { CKA_CERTIFICATE_CATEGORY, pkcs11_object_get_type }, /** Checksum */ - { CKA_CHECK_VALUE, NULL_PTR }, + { CKA_CHECK_VALUE, NULL_PTR }, /** Start date for the certificate (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the certificate (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_attrib_empty }, /** ALL: DER-encoding of the SubjectPublicKeyInfo for the public key contained in this certificate (default empty) SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT_STRING } */ - { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, + { CKA_PUBLIC_KEY_INFO, pkcs11_attrib_empty }, /** X509: DER-encoding of the attribute certificate's subject field. This is distinct from the CKA_SUBJECT attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. */ - { CKA_OWNER, pkcs11_attrib_empty }, + { CKA_OWNER, pkcs11_attrib_empty }, /** X509: DER-encoding of the attribute certificate's issuer field. This is distinct from the CKA_ISSUER attribute contained in CKC_X_509 certificates because the ASN.1 syntax and encoding are different. (default empty) */ - { CKA_AC_ISSUER, pkcs11_attrib_empty }, + { CKA_AC_ISSUER, pkcs11_attrib_empty }, /** DER-encoding of the certificate serial number (default empty) */ - { CKA_SERIAL_NUMBER, pkcs11_attrib_empty }, + { CKA_SERIAL_NUMBER, pkcs11_attrib_empty }, /** X509: BER-encoding of a sequence of object identifier values corresponding to the attribute types contained in the certificate. When present, this field offers an opportunity for applications to search for a particular attribute certificate without fetching and parsing the certificate itself. 
(default empty) */ - { CKA_ATTR_TYPES, pkcs11_attrib_empty }, + { CKA_ATTR_TYPES, pkcs11_attrib_empty }, /** BER-encoded Complete Certificate */ - { CKA_VALUE, pkcs11_cert_get_encoded }, + { CKA_VALUE, pkcs11_cert_get_encoded }, }; const CK_ULONG pkcs11_cert_x509_attributes_count = (CK_ULONG)(PKCS11_UTIL_ARRAY_SIZE(pkcs11_cert_x509_attributes)); @@ -631,7 +1046,8 @@ CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, p if (atcab_is_ca_device(atcab_get_device_type_ext(pSession->slot->device_ctx))) { #if ATCA_CA_SUPPORT - status = (ATCA_STATUS)atcacert_write_cert_ext(pSession->slot->device_ctx, (atcacert_def_t*)obj_ptr->data, (uint8_t*)pAttribute->pValue, pAttribute->ulValueLen); + status = (ATCA_STATUS)atcacert_write_cert_ext(pSession->slot->device_ctx, (atcacert_def_t*)obj_ptr->data, (uint8_t*)pAttribute->pValue, + pAttribute->ulValueLen); #else status = ATCA_NO_DEVICES; #endif 
@@ -670,6 +1086,99 @@ CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, p } } +/* Called from auth session to clear the certificate */ +CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx) +{ + CK_RV rv = CKR_GENERAL_ERROR; + +#if !defined(ATCA_NO_HEAP) && (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) + CK_ULONG i; + + for (i = 0; i < PKCS11_MAX_CERTS_CACHED; i++) + { + if (session_ctx == pkcs11_cert_cache_list[i].pSession_cert) + { + if (NULL != *pkcs11_cert_cache_list[i].pSession_cert_def->parsed) + { +#if defined(ATCA_OPENSSL) || defined(ATCA_WOLFSSL) || defined(ATCA_MBEDTLS) + atcac_x509_free(*pkcs11_cert_cache_list[i].pSession_cert_def->parsed); +#else + pkcs11_os_free(*pkcs11_cert_cache_list[i].pSession_cert_def->parsed); +#endif + *pkcs11_cert_cache_list[i].pSession_cert_def->parsed = NULL; + } + + if (NULL != pkcs11_cert_cache_list[i].pSession_cert_def) + { + pkcs11_os_free(pkcs11_cert_cache_list[i].pSession_cert_def); + pkcs11_cert_cache_list[i].pSession_cert_def = NULL; + } + + if (NULL != pkcs11_cert_cache_list[i].cert_x509_parse.pValue) + { + pkcs11_os_free(pkcs11_cert_cache_list[i].cert_x509_parse.pValue); + pkcs11_cert_cache_list[i].cert_x509_parse.pValue = NULL; + } + + pkcs11_cert_cache_list[i].in_use = FALSE; + pkcs11_cert_cache_list[i].pSession_cert = NULL; + pkcs11_cert_cache_list[i].pObject_cert = NULL; + rv = CKR_OK; + break; + } + } +#endif + + return rv; +} + +/* Called to free certificate object */ +CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject) +{ + CK_RV rv = CKR_GENERAL_ERROR; + +#if !defined(ATCA_NO_HEAP) && (FEATURE_ENABLED == ATCACERT_INTEGRATION_EN) + CK_ULONG i; + atcacert_def_t *cert_def = pObject->data; + + for (i = 0; i < PKCS11_MAX_CERTS_CACHED; i++) + { + if (cert_def == pkcs11_cert_cache_list[i].pSession_cert_def) + { + if (NULL != *cert_def->parsed) + { +#if defined(ATCA_OPENSSL) || defined (ATCA_WOLFSSL) || defined(ATCA_MBEDTLS) + atcac_x509_free(*cert_def->parsed); 
+#else + pkcs11_os_free(*cert_def->parsed); +#endif + *cert_def->parsed = NULL; + } + + if (NULL != pObject->data) + { + pkcs11_os_free(pObject->data); + pObject->data = NULL; + } + + if (NULL != pkcs11_cert_cache_list[i].cert_x509_parse.pValue) + { + pkcs11_os_free(pkcs11_cert_cache_list[i].cert_x509_parse.pValue); + pkcs11_cert_cache_list[i].cert_x509_parse.pValue = NULL; + } + + pkcs11_cert_cache_list[i].in_use = FALSE; + pkcs11_cert_cache_list[i].pSession_cert = NULL; + pkcs11_cert_cache_list[i].pObject_cert = NULL; + pkcs11_cert_cache_list[i].pSession_cert_def = NULL; + rv = CKR_OK; + break; + } + } +#endif + + return rv; +} /** @} */ diff --git a/lib/pkcs11/pkcs11_cert.h b/lib/pkcs11/pkcs11_cert.h index 4a8eb5254..31359bd42 100644 --- a/lib/pkcs11/pkcs11_cert.h +++ b/lib/pkcs11/pkcs11_cert.h @@ -34,10 +34,6 @@ extern "C" { #endif -#ifdef __cplusplus -} -#endif - extern const pkcs11_attrib_model pkcs11_cert_x509public_attributes[]; extern const CK_ULONG pkcs11_cert_x509public_attributes_count; @@ -48,5 +44,12 @@ extern const pkcs11_attrib_model pkcs11_cert_x509_attributes[]; extern const CK_ULONG pkcs11_cert_x509_attributes_count; CK_RV pkcs11_cert_x509_write(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, pkcs11_session_ctx_ptr pSession); +CK_RV pkcs11_cert_load(pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pAttribute, ATCADevice device); +CK_RV pkcs11_cert_clear_cache_session(pkcs11_session_ctx_ptr session_ctx); +CK_RV pkcs11_cert_clear_cache(pkcs11_object_ptr pObject); + +#ifdef __cplusplus +} +#endif #endif /* PKCS11_CERT_H_ */ diff --git a/lib/pkcs11/pkcs11_config.c b/lib/pkcs11/pkcs11_config.c index c2090e30e..f01efe645 100644 --- a/lib/pkcs11/pkcs11_config.c +++ b/lib/pkcs11/pkcs11_config.c 
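Review bot: In pkcs11_cert_clear_cache_session the first statement inside the match dereferences `pSession_cert_def->parsed`, and the `NULL != pSession_cert_def` test only comes afterwards, so a cache entry that has a session but no definition is dereferenced as NULL before the guard can help. pkcs11_cert_clear_cache has the mirror problem: `pObject` and `pObject->data` are used unchecked, and because released entries have `pSession_cert_def` set to NULL, an object whose `data` is NULL matches the first free slot and then hits `*cert_def->parsed`. An entry guard such as `if (NULL == pObject || NULL == pObject->data) { return CKR_ARGUMENTS_BAD; }` covers the second function, and the fence shows the reordering for the first. The session variant also frees the definition without clearing the `data` pointer of the object in `pObject_cert`, which appears to alias it (the other function compares `pObject->data` against `pSession_cert_def`). If nothing outside this hunk resets that pointer, it is left dangling.
```c
        if (session_ctx == pkcs11_cert_cache_list[i].pSession_cert)
        {
            atcacert_def_t *def = pkcs11_cert_cache_list[i].pSession_cert_def;

            /* Check the definition before touching anything it points to */
            if (NULL != def)
            {
                if ((NULL != def->parsed) && (NULL != *def->parsed))
                {
                    /* ... unchanged: atcac_x509_free / pkcs11_os_free of *def->parsed ... */
                    *def->parsed = NULL;
                }
                pkcs11_os_free(def);
                pkcs11_cert_cache_list[i].pSession_cert_def = NULL;
            }
            /* ... unchanged: cert_x509_parse.pValue release and slot reset ... */
```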
@@ -334,6 +334,11 @@ static CK_RV pkcs11_config_parse_device(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs slot_ctx->interface_config.devtype = TA100; rv = CKR_OK; } + else if (0 == strcmp(argv[0], "TA101")) + { + slot_ctx->interface_config.devtype = TA101; + rv = CKR_OK; + } else { PKCS11_DEBUG("Unrecognized device: %s", argv[0]); @@ -744,9 +749,6 @@ static CK_RV pkcs11_config_parse_object(pkcs11_slot_ctx_ptr slot_ctx, char* cfgs pObject->attributes = pkcs11_cert_x509public_attributes; pObject->count = pkcs11_cert_x509public_attributes_count; - /* Load certificate data from the file system */ -// pObject->size = g_cert_def_2_device.cert_template_size; -// pObject->data = &g_cert_def_2_device; pObject->flags = 0; #if ATCA_CA_SUPPORT pObject->config = &slot_ctx->cfg_zone; @@ -888,9 +890,10 @@ CK_RV pkcs11_config_cert(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, CK_RV pkcs11_config_key(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, pkcs11_object_ptr pObject, CK_ATTRIBUTE_PTR pLabel) { - FILE* fp; const char *objtype = ""; char filename[200]; + char child_config_data[200]; + FILE* configfile = NULL; CK_RV rv = CKR_FUNCTION_FAILED; uint16_t handle = UINT16_MAX; @@ -898,7 +901,6 @@ CK_RV pkcs11_config_key(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, p { #if ATCA_CA_SUPPORT uint8_t i = 0; - /* Find a free slot that matches the object type */ for (i = 0; i < 16u; i++) { @@ -959,7 +961,6 @@ CK_RV pkcs11_config_key(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, p pObject->config = &pSlot->cfg_zone; } #endif - if (CKO_PRIVATE_KEY == pObject->class_id) { pkcs11_config_init_private(pObject, (char*)pLabel->pValue, pLabel->ulValueLen); 
@@ -980,24 +981,30 @@ CK_RV pkcs11_config_key(pkcs11_lib_ctx_ptr pLibCtx, pkcs11_slot_ctx_ptr pSlot, p /* Unsupported class_id */ } - int ret = snprintf(filename, sizeof(filename), "%s%lu.%u.conf", pLibCtx->config_path, + int ret = 0x00; + if (atcab_is_ca_device(pSlot->interface_config.devtype)) + { + ret = snprintf(filename, sizeof(filename), "%s%lu.%u.conf", pLibCtx->config_path, pSlot->slot_id, pObject->slot); + } + else + { + ret = snprintf(filename, sizeof(filename), "%s%lu.%04x.conf", pLibCtx->config_path, + pSlot->slot_id, pObject->slot); + } if (ret > 0 && ret < (int)sizeof(filename)) { /* coverity[cert_fio32_c_violation] files are created in pLibCtx->config_path which has already been validated as a proper device*/ /* coverity[misra_c_2012_rule_10_1_violation] Macro usage is valid per POSIX specification*/ - int fd = open(filename, O_CREAT | O_EXCL | O_WRONLY, 0755); - if (-1 != fd) + configfile = fopen(filename, "w"); + if (NULL != configfile) { - fp = fdopen(fd, "wb"); - if (NULL != fp) - { - (void)fprintf(fp, "type = %s\n", objtype); - (void)fprintf(fp, "label = %s\n", pObject->name); - (void)fclose(fp); - rv = CKR_OK; - } + (void)snprintf(child_config_data, sizeof(child_config_data), "%s,%s,0x%04x", objtype, pObject->name, pObject->slot); + + (void)fprintf(configfile, "type = %s\n", child_config_data); + (void)fclose(configfile); + rv = CKR_OK; } } } diff --git a/lib/pkcs11/pkcs11_config.h.in b/lib/pkcs11/pkcs11_config.h.in index 7f8e30984..452428902 100644 --- a/lib/pkcs11/pkcs11_config.h.in +++ b/lib/pkcs11/pkcs11_config.h.in 
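Review bot: Replacing `open(filename, O_CREAT | O_EXCL | O_WRONLY, 0755)` with `fopen(filename, "w")` in pkcs11_config_key drops the exclusive-create guarantee: an existing object file at that path is now truncated silently, and a symlink planted in the config directory is followed. The retained coverity FIO32 justification no longer describes what the code does. If the toolchain supports C11, `configfile = fopen(filename, "wx");` keeps the exclusive semantics; otherwise keep the open()/fdopen() pair, preferably with a mode without execute bits such as 0600. The result of the `snprintf` into `child_config_data` is also discarded, so a long `pObject->name` is truncated without notice and the written record loses its handle field; check it the same way `ret` is checked for `filename`. The function body starts and ends outside this hunk.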
@@ -70,6 +70,11 @@ #define PKCS11_MAX_SESSIONS_ALLOWED (@PKCS11_MAX_SESSIONS_ALLOWED@U) #endif +/** Maximum number of x509 certificates allowed to be cached for parsing */ +#ifndef PKCS11_MAX_CERTS_CACHED +#define PKCS11_MAX_CERTS_CACHED (@PKCS11_MAX_CERTS_CACHED@U) +#endif + /** Maximum number of cryptographic objects allowed to be cached */ #ifndef PKCS11_MAX_OBJECTS_ALLOWED #define PKCS11_MAX_OBJECTS_ALLOWED (@PKCS11_MAX_OBJECTS_ALLOWED@U) diff --git a/lib/pkcs11/pkcs11_debug.c b/lib/pkcs11/pkcs11_debug.c index 2a3e1e4a6..d9a495634 100644 --- a/lib/pkcs11/pkcs11_debug.c +++ b/lib/pkcs11/pkcs11_debug.c @@ -298,9 +298,12 @@ void pkcs11_debug_attributes(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { case CKA_CLASS: { - unsigned int object_id = *((CK_OBJECT_CLASS*)pTemplate->pValue); - const char * object_name = pkcs11_debug_get_name(object_id, pkcs11_debug_cko_names, pkcs11_debug_cko_names_count); - PKCS11_DEBUG_NOFILE("%s(%X):%d:%s(%x)\r\n", name, (unsigned int)pTemplate->type, (int)pTemplate->ulValueLen, object_name, object_id); + if (pTemplate->pValue != NULL) + { + unsigned int object_id = *((CK_OBJECT_CLASS*)pTemplate->pValue); + const char * object_name = pkcs11_debug_get_name(object_id, pkcs11_debug_cko_names, pkcs11_debug_cko_names_count); + PKCS11_DEBUG_NOFILE("%s(%X):%d:%s(%x)\r\n", name, (unsigned int)pTemplate->type, (int)pTemplate->ulValueLen, object_name, object_id); + } break; } case CKA_LABEL: 
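Review bot: The new guard in the CKA_CLASS case of pkcs11_debug_attributes tests only `pTemplate->pValue != NULL` before reading a full `CK_OBJECT_CLASS` through it. The template comes from the calling application, so a non-NULL buffer shorter than that type is still over-read by the debug path. Extending the condition to `if ((pTemplate->pValue != NULL) && (pTemplate->ulValueLen >= sizeof(CK_OBJECT_CLASS)))` closes the gap. The rest of the switch is outside this hunk.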
@@ -308,17 +311,17 @@ void pkcs11_debug_attributes(CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) break; default: #ifndef ATCA_NO_HEAP + { + size_t buf_len = pTemplate->ulValueLen * 3 + 1; + char * buffer = pkcs11_os_malloc(buf_len); + (void)memset(buffer, 0, buf_len); + if (buffer) { - size_t buf_len = pTemplate->ulValueLen * 3 + 1; - char * buffer = pkcs11_os_malloc(buf_len); - (void)memset(buffer, 0, buf_len); - if (buffer) - { - (void)atcab_bin2hex_(pTemplate->pValue, pTemplate->pValue, buffer, &buf_len, false, true, true); - PKCS11_DEBUG_NOFILE("%s(%X):%d:%s:\r\n", name, (unsigned int)pTemplate->type, (int)pTemplate->ulValueLen, buffer); - pkcs11_os_free(buffer); - } + (void)atcab_bin2hex_(pTemplate->pValue, pTemplate->pValue, buffer, &buf_len, false, true, true); + PKCS11_DEBUG_NOFILE("%s(%X):%d:%s:\r\n", name, (unsigned int)pTemplate->type, (int)pTemplate->ulValueLen, buffer); + pkcs11_os_free(buffer); } + } #else PKCS11_DEBUG_NOFILE("%s(%X):%d:%p:\r\n", name, (unsigned int)pTemplate->type, (int)pTemplate->ulValueLen, pTemplate->pValue); #endif diff --git a/lib/pkcs11/pkcs11_find.c b/lib/pkcs11/pkcs11_find.c index c84bbba00..c8991cf90 100644 --- a/lib/pkcs11/pkcs11_find.c +++ b/lib/pkcs11/pkcs11_find.c @@ -25,6 +25,7 @@ * THIS SOFTWARE. */ #include "cryptoauthlib.h" +#include "atcacert/atcacert_def.h" #include "pkcs11_config.h" #include "pkcs11_debug.h" @@ -34,6 +35,7 @@ #include "pkcs11_session.h" #include "pkcs11_find.h" #include "pkcs11_util.h" +#include "pkcs11_cert.h" /** * \defgroup pkcs11 Find (pkcs11_find_) @@ -43,6 +45,7 @@ static CK_BYTE pkcs11_find_template_cache[PKCS11_SEARCH_CACHE_SIZE]; // #endif + /** * \brief Copy an array of CK_ATTRIBUTE structures */ 
@@ -139,7 +142,9 @@ static const pkcs11_attrib_model *pkcs11_find_attrib(const pkcs11_attrib_model * return NULL; } -static const pkcs11_attrib_model *pkcs11_find_attrib_match(pkcs11_object_ptr pObject, const pkcs11_attrib_model *pAttributeList, const CK_ULONG ulCount, const CK_ATTRIBUTE_PTR pTemplate, pkcs11_session_ctx_ptr pSession) + +static const pkcs11_attrib_model *pkcs11_find_attrib_match(pkcs11_object_ptr pObject, const pkcs11_attrib_model *pAttributeList, const CK_ULONG ulCount, + const CK_ATTRIBUTE_PTR pTemplate, pkcs11_session_ctx_ptr pSession) { CK_BBOOL found = FALSE; const pkcs11_attrib_model *pAttribute = NULL; @@ -209,7 +214,8 @@ static const pkcs11_attrib_model *pkcs11_find_attrib_match(pkcs11_object_ptr pOb return NULL; } -static CK_OBJECT_HANDLE pkcs11_find_handle(const CK_SLOT_ID slotid, const CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_ULONG_PTR index, pkcs11_session_ctx_ptr pSession) +static CK_OBJECT_HANDLE pkcs11_find_handle(const CK_SLOT_ID slotid, const CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_ULONG_PTR index, + pkcs11_session_ctx_ptr pSession) { CK_ULONG i; CK_ULONG j; @@ -262,6 +268,7 @@ static CK_OBJECT_HANDLE pkcs11_find_handle(const CK_SLOT_ID slotid, const CK_ATT return rv; } + CK_RV pkcs11_find_init(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { pkcs11_lib_ctx_ptr pLibCtx; @@ -412,6 +419,7 @@ CK_RV pkcs11_find_finish(CK_SESSION_HANDLE hSession) return CKR_OK; } + CK_RV pkcs11_find_get_attribute(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { pkcs11_lib_ctx_ptr pLibCtx; 
@@ -450,6 +458,14 @@ CK_RV pkcs11_find_get_attribute(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hOb const pkcs11_attrib_model *pAttribute = pkcs11_find_attrib(pObject->attributes, pObject->count, &pTemplate[i]); + if (NULL != pAttribute) + { + if (CKR_OK != rv) + { + return rv; + } + } + if (NULL == pAttribute) { /* 2. Otherwise, if the specified value for the object is invalid(the object does not possess such an @@ -468,10 +484,7 @@ CK_RV pkcs11_find_get_attribute(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hOb { /* Attribute function found so try to execute it */ CK_RV temp = pAttribute->func(pObject, &pTemplate[i], pSession); - if (CKR_OK == rv) - { - rv = temp; - } + rv = temp; (void)pkcs11_unlock_both(pLibCtx); } else if (CKR_OK == rv) @@ -487,10 +500,7 @@ CK_RV pkcs11_find_get_attribute(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hOb { /* Assume if there is no function for the attribute we're keeping it private */ pTemplate[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; - if (CKR_OK == rv) - { - rv = CKR_ATTRIBUTE_SENSITIVE; - } + rv = CKR_ATTRIBUTE_SENSITIVE; } } diff --git a/lib/pkcs11/pkcs11_key.c b/lib/pkcs11/pkcs11_key.c index 390d01d6c..d1d90bc9c 100644 --- a/lib/pkcs11/pkcs11_key.c +++ b/lib/pkcs11/pkcs11_key.c @@ -119,8 +119,8 @@ static ATCA_STATUS pkcs11_ta_get_pubkey(CK_VOID_PTR pObject, uint8_t buffer[ATCA { /* If the Pub_Key field of the handleinfo references a valid public key, read the public key from the referenced handle */ - if ( ((pubkey_field_handle_info.attributes.element_CKA & TA_HANDLE_INFO_CLASS_MASK) == TA_CLASS_PUBLIC_KEY) - && ((pubkey_field_handle_info.attributes.property & TA_PROP_ROOT_MASK) != TA_PROP_ROOT_MASK)) + if (((pubkey_field_handle_info.attributes.element_CKA & TA_HANDLE_INFO_CLASS_MASK) == TA_CLASS_PUBLIC_KEY) + && ((pubkey_field_handle_info.attributes.property & TA_PROP_ROOT_MASK) != TA_PROP_ROOT_MASK)) { (void)talib_handle_can_read(device, auth_handle, &pubkey_field_handle_info.attributes, &allowed); if (allowed) 
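Review bot: The added early `return rv;` in pkcs11_find_get_attribute leaves the loop as soon as a previous attribute has failed and the current one is found in the model, so the remaining template entries are never processed and keep whatever `ulValueLen` the caller passed in. PKCS #11 expects C_GetAttributeValue to handle every entry independently and mark the unavailable ones with `CK_UNAVAILABLE_INFORMATION`; a caller that sizes buffers from the returned lengths would otherwise act on stale values. The two later hunks in this function (`rv = temp;` and the unconditional `rv = CKR_ATTRIBUTE_SENSITIVE;`) also make the last attribute's result overwrite any earlier error. If the intent is to report a specific failure, keeping the first error, `if (CKR_OK == rv) { rv = temp; }`, and letting the loop run to completion does that without skipping entries. Whether the early return happens with the library lock held cannot be seen from here, since the locking code is outside these hunks.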
@@ -658,73 +658,73 @@ static CK_RV pkcs11_key_get_id(CK_VOID_PTR pObject, CK_ATTRIBUTE_PTR pAttribute, */ const pkcs11_attrib_model pkcs11_key_public_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_attrib_false }, + { CKA_PRIVATE, pkcs11_attrib_false }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, pkcs11_token_get_writable }, + { CKA_MODIFIABLE, pkcs11_token_get_writable }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. 
*/ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of key */ - { CKA_KEY_TYPE, pkcs11_object_get_type }, + { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_key_get_id }, + { CKA_ID, pkcs11_key_get_id }, /** Start date for the key (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_attrib_empty }, /** CK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one (default CK_FALSE) */ - { CKA_DERIVE, pkcs11_key_get_derivekey_flag }, + { CKA_DERIVE, pkcs11_key_get_derivekey_flag }, /** CK_TRUE only if key was either generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUE */ - { CKA_LOCAL, pkcs11_attrib_true }, + { CKA_LOCAL, pkcs11_attrib_true }, /** Identifier of the mechanism used to generate the key material. */ - { CKA_KEY_GEN_MECHANISM, NULL_PTR }, + { CKA_KEY_GEN_MECHANISM, NULL_PTR }, /** A list of mechanisms allowed to be used with this key. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE. 
*/ - { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, + { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, /** DER-encoding of the key subject name (default empty) */ - { CKA_SUBJECT, pkcs11_attrib_empty }, + { CKA_SUBJECT, pkcs11_attrib_empty }, /** CK_TRUE if key supports encryption */ - { CKA_ENCRYPT, NULL_PTR }, + { CKA_ENCRYPT, NULL_PTR }, /** CK_TRUE if key supports verification where the signature is an appendix to the data */ - { CKA_VERIFY, pkcs11_attrib_true }, + { CKA_VERIFY, pkcs11_attrib_true }, /** CK_TRUE if key supports verification where the data is recovered from the signature */ - { CKA_VERIFY_RECOVER, NULL_PTR }, + { CKA_VERIFY_RECOVER, NULL_PTR }, /** CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys) */ - { CKA_WRAP, NULL_PTR }, + { CKA_WRAP, NULL_PTR }, /** The key can be trusted for the application that it was created. The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE. */ - { CKA_TRUSTED, NULL_PTR }, + { CKA_TRUSTED, NULL_PTR }, /** For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE. */ - { CKA_WRAP_TEMPLATE, NULL_PTR }, + { CKA_WRAP_TEMPLATE, NULL_PTR }, /** DER-encoding of the SubjectPublicKeyInfo for this public key. 
(MAY be empty, DEFAULT derived from the underlying public key data) SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT_STRING } */ - { CKA_PUBLIC_KEY_INFO, pkcs11_key_get_public_key }, + { CKA_PUBLIC_KEY_INFO, pkcs11_key_get_public_key }, /** DER - encoding of an ANSI X9.62 Parameters value Parameters ::= CHOICE { ecParameters ECParameters, namedCurve CURVES.&id({CurveNames}), implicitlyCA NULL } */ - { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, + { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, /** DER - encoding of ANSI X9.62 ECPoint value Q */ - { CKA_EC_POINT, pkcs11_key_get_ec_point }, + { CKA_EC_POINT, pkcs11_key_get_ec_point }, }; const CK_ULONG pkcs11_key_public_attributes_count = (CK_ULONG)(PKCS11_UTIL_ARRAY_SIZE(pkcs11_key_public_attributes)); @@ -739,9 +739,9 @@ const pkcs11_attrib_model pkcs11_key_ec_public_attributes[] = { ecParameters ECParameters, namedCurve CURVES.&id({CurveNames}), implicitlyCA NULL } */ - { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, + { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, /** DER - encoding of ANSI X9.62 ECPoint value Q */ - { CKA_EC_POINT, pkcs11_key_get_ec_point }, + { CKA_EC_POINT, pkcs11_key_get_ec_point }, }; #endif /** 
@@ -749,81 +749,81 @@ const pkcs11_attrib_model pkcs11_key_ec_public_attributes[] = { */ const pkcs11_attrib_model pkcs11_key_private_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_attrib_true }, + { CKA_PRIVATE, pkcs11_attrib_true }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, pkcs11_token_get_writable }, + { CKA_MODIFIABLE, pkcs11_token_get_writable }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. 
*/ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of key */ - { CKA_KEY_TYPE, pkcs11_object_get_type }, + { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_key_get_id }, + { CKA_ID, pkcs11_key_get_id }, /** Start date for the key (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_attrib_empty }, /** CK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one (default CK_FALSE) */ - { CKA_DERIVE, pkcs11_key_get_derivekey_flag }, + { CKA_DERIVE, pkcs11_key_get_derivekey_flag }, /** CK_TRUE only if key was either generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUE */ - { CKA_LOCAL, pkcs11_key_get_local_flag }, + { CKA_LOCAL, pkcs11_key_get_local_flag }, /** Identifier of the mechanism used to generate the key material. */ - { CKA_KEY_GEN_MECHANISM, NULL_PTR }, + { CKA_KEY_GEN_MECHANISM, NULL_PTR }, /** A list of mechanisms allowed to be used with this key. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE. 
*/ - { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, + { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, /** DER-encoding of the key subject name (default empty) */ - { CKA_SUBJECT, pkcs11_attrib_empty }, + { CKA_SUBJECT, pkcs11_attrib_empty }, /** CK_TRUE if key is sensitive */ - { CKA_SENSITIVE, pkcs11_token_get_access_type }, + { CKA_SENSITIVE, pkcs11_token_get_access_type }, /** CK_TRUE if key supports decryption */ - { CKA_DECRYPT, NULL_PTR }, + { CKA_DECRYPT, NULL_PTR }, /** CK_TRUE if key supports signatures where the signature is an appendix to the data */ - { CKA_SIGN, pkcs11_attrib_true }, + { CKA_SIGN, pkcs11_attrib_true }, /** CK_TRUE if key supports signatures where the data can be recovered from the signature9 */ - { CKA_SIGN_RECOVER, NULL_PTR }, + { CKA_SIGN_RECOVER, NULL_PTR }, /** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys)9 */ - { CKA_UNWRAP, NULL_PTR }, + { CKA_UNWRAP, NULL_PTR }, /** CK_TRUE if key is extractable and can be wrapped */ - { CKA_EXTRACTABLE, pkcs11_attrib_false }, + { CKA_EXTRACTABLE, pkcs11_attrib_false }, /** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */ - { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type }, + { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type }, /** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */ - { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type }, + { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type }, /** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. */ - { CKA_WRAP_WITH_TRUSTED, NULL_PTR }, + { CKA_WRAP_WITH_TRUSTED, NULL_PTR }, /** For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE. 
*/ - { CKA_UNWRAP_TEMPLATE, NULL_PTR }, + { CKA_UNWRAP_TEMPLATE, NULL_PTR }, /** If CK_TRUE, the user has to supply the PIN for each use (sign or decrypt) with the key. Default is CK_FALSE. */ - { CKA_ALWAYS_AUTHENTICATE, pkcs11_key_auth_required }, + { CKA_ALWAYS_AUTHENTICATE, pkcs11_key_auth_required }, /** DER-encoding of the SubjectPublicKeyInfo for the associated public key (MAY be empty; DEFAULT derived from the underlying private key data; MAY be manually set for specific key types; if set; MUST be consistent with the underlying private key data) */ - { CKA_PUBLIC_KEY_INFO, pkcs11_key_get_public_key }, + { CKA_PUBLIC_KEY_INFO, pkcs11_key_get_public_key }, /** DER - encoding of an ANSI X9.62 Parameters value Parameters ::= CHOICE { ecParameters ECParameters, namedCurve CURVES.&id({CurveNames}), implicitlyCA NULL } */ - { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, + { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, /** DER - encoding of ANSI X9.62 ECPoint value Q */ - { CKA_EC_POINT, pkcs11_key_get_ec_point }, + { CKA_EC_POINT, pkcs11_key_get_ec_point }, /** The value of the private key should remain private. A NULL function pointer is interpreted as a sensitive attribute. */ - { CKA_VALUE, NULL_PTR }, + { CKA_VALUE, NULL_PTR }, }; const CK_ULONG pkcs11_key_private_attributes_count = (CK_ULONG)(PKCS11_UTIL_ARRAY_SIZE(pkcs11_key_private_attributes)); 
@@ -835,21 +835,21 @@ const CK_ULONG pkcs11_key_private_attributes_count = (CK_ULONG)(PKCS11_UTIL_ARRA */ const pkcs11_attrib_model pkcs11_key_rsa_private_attributes[] = { /** Big integer Modulus n */ - { CKA_MODULUS, NULL_PTR }, + { CKA_MODULUS, NULL_PTR }, /** Big integer Public exponent e */ - { CKA_PUBLIC_EXPONENT, NULL_PTR }, + { CKA_PUBLIC_EXPONENT, NULL_PTR }, /** Big integer Private exponent d */ - { CKA_PRIVATE_EXPONENT, NULL_PTR }, + { CKA_PRIVATE_EXPONENT, NULL_PTR }, /** Big integer Prime p */ - { CKA_PRIME_1, NULL_PTR }, + { CKA_PRIME_1, NULL_PTR }, /** Big integer Prime q */ - { CKA_PRIME_2, NULL_PTR }, + { CKA_PRIME_2, NULL_PTR }, /** Big integer Private exponent d modulo p - 1 */ - { CKA_EXPONENT_1, NULL_PTR }, + { CKA_EXPONENT_1, NULL_PTR }, /** Big integer Private exponent d modulo q - 1 */ - { CKA_EXPONENT_2, NULL_PTR }, + { CKA_EXPONENT_2, NULL_PTR }, /** Big integer CRT coefficient q - 1 mod p */ - { CKA_COEFFICIENT, NULL_PTR }, + { CKA_COEFFICIENT, NULL_PTR }, }; /** @@ -861,9 +861,9 @@ const pkcs11_attrib_model pkcs11_key_ec_private_attributes[] = { ecParameters ECParameters, namedCurve CURVES.&id({CurveNames}), implicitlyCA NULL } */ - { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, + { CKA_EC_PARAMS, pkcs11_key_get_ec_params }, /** DER - encoding of ANSI X9.62 ECPoint value Q */ - { CKA_EC_POINT, pkcs11_key_get_ec_point }, + { CKA_EC_POINT, pkcs11_key_get_ec_point }, }; #endif 
@@ -872,82 +872,82 @@ const pkcs11_attrib_model pkcs11_key_ec_private_attributes[] = { */ const pkcs11_attrib_model pkcs11_key_secret_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_token_get_storage }, + { CKA_TOKEN, pkcs11_token_get_storage }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_token_get_access_type }, + { CKA_PRIVATE, pkcs11_token_get_access_type }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, pkcs11_token_get_writable }, + { CKA_MODIFIABLE, pkcs11_token_get_writable }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. 
*/ - { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, + { CKA_DESTROYABLE, pkcs11_object_get_destroyable }, /** Type of key */ - { CKA_KEY_TYPE, pkcs11_object_get_type }, + { CKA_KEY_TYPE, pkcs11_object_get_type }, /** Key identifier for key (default empty) */ - { CKA_ID, pkcs11_attrib_empty }, + { CKA_ID, pkcs11_attrib_empty }, /** Start date for the key (default empty) */ - { CKA_START_DATE, pkcs11_attrib_empty }, + { CKA_START_DATE, pkcs11_attrib_empty }, /** End date for the key (default empty) */ - { CKA_END_DATE, pkcs11_attrib_empty }, + { CKA_END_DATE, pkcs11_attrib_empty }, /** CK_TRUE if key supports key derivation (i.e., if other keys can be derived from this one (default CK_FALSE) */ - { CKA_DERIVE, pkcs11_attrib_true }, + { CKA_DERIVE, pkcs11_attrib_true }, /** CK_TRUE only if key was either generated locally (i.e., on the token) with a C_GenerateKey or C_GenerateKeyPair call created with a C_CopyObject call as a copy of a key which had its CKA_LOCAL attribute set to CK_TRUE */ - { CKA_LOCAL, pkcs11_key_get_local_flag }, + { CKA_LOCAL, pkcs11_key_get_local_flag }, /** Identifier of the mechanism used to generate the key material. */ - { CKA_KEY_GEN_MECHANISM, NULL_PTR }, + { CKA_KEY_GEN_MECHANISM, NULL_PTR }, /** A list of mechanisms allowed to be used with this key. The number of mechanisms in the array is the ulValueLen component of the attribute divided by the size of CK_MECHANISM_TYPE. 
*/ - { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, + { CKA_ALLOWED_MECHANISMS, pkcs11_key_get_allowed_mechanisms }, /** CK_TRUE if key is sensitive */ - { CKA_SENSITIVE, pkcs11_token_get_access_type }, + { CKA_SENSITIVE, pkcs11_token_get_access_type }, /** CK_TRUE if key supports encryption */ - { CKA_ENCRYPT, NULL_PTR }, + { CKA_ENCRYPT, NULL_PTR }, /** CK_TRUE if key supports decryption */ - { CKA_DECRYPT, NULL_PTR }, + { CKA_DECRYPT, NULL_PTR }, /** CK_TRUE if key supports signatures (i.e., authentication codes) where the signature is an appendix to the data */ - { CKA_SIGN, NULL_PTR }, + { CKA_SIGN, NULL_PTR }, /** CK_TRUE if key supports verification (i.e., of authentication codes) where the signature is an appendix to the data */ - { CKA_VERIFY, NULL_PTR }, + { CKA_VERIFY, NULL_PTR }, /** CK_TRUE if key supports wrapping (i.e., can be used to wrap other keys) */ - { CKA_WRAP, NULL_PTR }, + { CKA_WRAP, NULL_PTR }, /** CK_TRUE if key supports unwrapping (i.e., can be used to unwrap other keys) */ - { CKA_UNWRAP, NULL_PTR }, + { CKA_UNWRAP, NULL_PTR }, /** CK_TRUE if key is extractable and can be wrapped */ - { CKA_EXTRACTABLE, pkcs11_attrib_false }, + { CKA_EXTRACTABLE, pkcs11_attrib_false }, /** CK_TRUE if key has always had the CKA_SENSITIVE attribute set to CK_TRUE */ - { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type }, + { CKA_ALWAYS_SENSITIVE, pkcs11_token_get_access_type }, /** CK_TRUE if key has never had the CKA_EXTRACTABLE attribute set to CK_TRUE */ - { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type }, + { CKA_NEVER_EXTRACTABLE, pkcs11_token_get_access_type }, /** Key checksum */ - { CKA_CHECK_VALUE, pkcs11_key_get_check_value }, + { CKA_CHECK_VALUE, pkcs11_key_get_check_value }, /** CK_TRUE if the key can only be wrapped with a wrapping key that has CKA_TRUSTED set to CK_TRUE. Default is CK_FALSE. 
*/ - { CKA_WRAP_WITH_TRUSTED, NULL_PTR }, + { CKA_WRAP_WITH_TRUSTED, NULL_PTR }, /** The wrapping key can be used to wrap keys with CKA_WRAP_WITH_TRUSTED set to CK_TRUE. */ - { CKA_TRUSTED, NULL_PTR }, + { CKA_TRUSTED, NULL_PTR }, /** For wrapping keys. The attribute template to match against any keys wrapped using this wrapping key. Keys that do not match cannot be wrapped. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE */ - { CKA_WRAP_TEMPLATE, NULL_PTR }, + { CKA_WRAP_TEMPLATE, NULL_PTR }, /** For wrapping keys. The attribute template to apply to any keys unwrapped using this wrapping key. Any user supplied template is applied after this template as if the object has already been created. The number of attributes in the array is the ulValueLen component of the attribute divided by the size of CK_ATTRIBUTE. */ - { CKA_UNWRAP_TEMPLATE, NULL_PTR }, + { CKA_UNWRAP_TEMPLATE, NULL_PTR }, /* Key value */ - { CKA_VALUE, pkcs11_key_get_secret }, + { CKA_VALUE, pkcs11_key_get_secret }, /* Length in bytes of the key */ - { CKA_VALUE_LEN, pkcs11_key_get_secret_length }, + { CKA_VALUE_LEN, pkcs11_key_get_secret_length }, }; const CK_ULONG pkcs11_key_secret_attributes_count = (CK_ULONG)(PKCS11_UTIL_ARRAY_SIZE(pkcs11_key_secret_attributes)); @@ -981,7 +981,8 @@ static CK_RV pkcs11_key_privwrite_ca(CK_VOID_PTR pSession, pkcs11_object_ptr pOb /* Requires the io protection secret to be configured previously and for the configuration to support this - should only be enabled for testing purposes. Production devices should never have this feature enabled. */ - rv = pkcs11_util_convert_rv(calib_priv_write(session_ctx->slot->device_ctx, pObject->slot, key_buf, write_key_id, session_ctx->slot->read_key, num_in)); + rv = pkcs11_util_convert_rv(calib_priv_write(session_ctx->slot->device_ctx, pObject->slot, key_buf, write_key_id, session_ctx->slot->read_key, + num_in)); #endif } else 
@@ -1022,7 +1023,8 @@ CK_RV pkcs11_key_write(CK_VOID_PTR pSession, CK_VOID_PTR pObject, CK_ATTRIBUTE_P else { /* Actually write the public key into the slot */ - rv = pkcs11_util_convert_rv(atcab_write_pubkey_ext(session_ctx->slot->device_ctx, obj_ptr->slot, &(((uint8_t*)pAttribute->pValue)[sizeof(ec_x962_asn1_header)]))); + rv = pkcs11_util_convert_rv(atcab_write_pubkey_ext(session_ctx->slot->device_ctx, obj_ptr->slot, + &(((uint8_t*)pAttribute->pValue)[sizeof(ec_x962_asn1_header)]))); } } } @@ -1049,7 +1051,9 @@ CK_RV pkcs11_key_write(CK_VOID_PTR pSession, CK_VOID_PTR pObject, CK_ATTRIBUTE_P } else { - rv = pkcs11_util_convert_rv(atcab_write_bytes_zone_ext(session_ctx->slot->device_ctx, ATCA_ZONE_DATA, obj_ptr->slot, 0, (uint8_t*)pAttribute->pValue, pAttribute->ulValueLen)); + rv = pkcs11_util_convert_rv(atcab_write_bytes_zone_ext(session_ctx->slot->device_ctx, ATCA_ZONE_DATA, obj_ptr->slot, 0, + (uint8_t*)pAttribute->pValue, + pAttribute->ulValueLen)); } } else @@ -1118,13 +1122,16 @@ CK_RV pkcs11_key_generate return CKR_TEMPLATE_INCONSISTENT; } - /* Must create two new objects - a public and private key */ + /* Must create object for secret key*/ rv = pkcs11_object_alloc(pSession->slot->slot_id, &pKey); if (CKR_OK == rv) { pKey->class_id = CKO_SECRET_KEY; + #if ATCA_TA_SUPPORT + status = talib_handle_init_symmetric_key(&pKey->handle_info, TA_KEY_TYPE_AES128, TA_PROP_SYMM_KEY_USAGE_ANY); + #endif rv = pkcs11_config_key(pLibCtx, pSession->slot, pKey, pName); } @@ -1346,7 +1353,8 @@ static uint8_t pkcs11_key_used(uint8_t * key, size_t keylen) } #endif -static CK_RV pkcs11_key_derive_ca(pkcs11_session_ctx_ptr pSession, pkcs11_object_ptr pBaseKey, pkcs11_object_ptr pSecretKey, CK_ECDH1_DERIVE_PARAMS_PTR pEcdhParameters) +static CK_RV pkcs11_key_derive_ca(pkcs11_session_ctx_ptr pSession, pkcs11_object_ptr pBaseKey, pkcs11_object_ptr pSecretKey, + CK_ECDH1_DERIVE_PARAMS_PTR pEcdhParameters) { CK_RV rv = CKR_ARGUMENTS_BAD; 
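Review bot: In the `pkcs11_key_generate` hunk, the `status` assigned from `talib_handle_init_symmetric_key` is not examined before `rv = pkcs11_config_key(...)` runs, so a failed handle initialisation is not reflected in `rv` at this point. Inside the `#if ATCA_TA_SUPPORT` block I would convert it with `rv = pkcs11_util_convert_rv(status);` and only call `pkcs11_config_key` while `CKR_OK == rv`. The key type and usage are also fixed to `TA_KEY_TYPE_AES128` and `TA_PROP_SYMM_KEY_USAGE_ANY` whatever the caller's template asks for; a comment should say whether that is intended, since "any usage" is broader than most templates need. The function body continues outside the hunk, so `status` may be checked later.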
@@ -1389,7 +1397,8 @@ static CK_RV pkcs11_key_derive_ca(pkcs11_session_ctx_ptr pSession, pkcs11_object { if (pSession->slot->logged_in) { - status = calib_ecdh_tempkey_ioenc(pSession->slot->device_ctx, &pEcdhParameters->pPublicData[1], (uint8_t*)pSecretKey->data, pSession->slot->read_key); + status = calib_ecdh_tempkey_ioenc(pSession->slot->device_ctx, &pEcdhParameters->pPublicData[1], (uint8_t*)pSecretKey->data, + pSession->slot->read_key); } else { @@ -1414,7 +1423,8 @@ static CK_RV pkcs11_key_derive_ca(pkcs11_session_ctx_ptr pSession, pkcs11_object (ATCA_CHIP_OPT_IO_PROT_EN_MASK == (ATCA_CHIP_OPT_IO_PROT_EN_MASK & pSession->slot->cfg_zone.ChipOptions)) && pSession->slot->logged_in) { - status = calib_ecdh_ioenc(pSession->slot->device_ctx, pBaseKey->slot, &pEcdhParameters->pPublicData[1], (uint8_t*)pSecretKey->data, pSession->slot->read_key); + status = calib_ecdh_ioenc(pSession->slot->device_ctx, pBaseKey->slot, &pEcdhParameters->pPublicData[1], (uint8_t*)pSecretKey->data, + pSession->slot->read_key); } else { diff --git a/lib/pkcs11/pkcs11_object.c b/lib/pkcs11/pkcs11_object.c index 5fbc345ba..1e1a286d2 100644 --- a/lib/pkcs11/pkcs11_object.c +++ b/lib/pkcs11/pkcs11_object.c @@ -25,6 +25,7 @@ * THIS SOFTWARE. */ #include "cryptoauthlib.h" +#include "atcacert/atcacert_def.h" #include "cryptoki.h" #include "pkcs11_config.h" 
@@ -90,19 +91,19 @@ const CK_ULONG pkcs11_object_monotonic_attributes_count = (CK_ULONG)(PKCS11_UTIL */ const pkcs11_attrib_model const pkcs11_object_storage_attributes[] = { /** Object Class - CK_OBJECT_CLASS */ - { CKA_CLASS, pkcs11_object_get_class }, + { CKA_CLASS, pkcs11_object_get_class }, /** CK_TRUE if object is a token object; CK_FALSE if object is a session object. Default is CK_FALSE. */ - { CKA_TOKEN, pkcs11_attrib_true }, + { CKA_TOKEN, pkcs11_attrib_true }, /** CK_TRUE if object is a private object; CK_FALSE if object is a public object. */ - { CKA_PRIVATE, pkcs11_key_get_access_type }, + { CKA_PRIVATE, pkcs11_key_get_access_type }, /** CK_TRUE if object can be modified. Default is CK_TRUE. */ - { CKA_MODIFIABLE, NULL_PTR }, + { CKA_MODIFIABLE, NULL_PTR }, /** Description of the object(default empty). */ - { CKA_LABEL, pkcs11_object_get_name }, + { CKA_LABEL, pkcs11_object_get_name }, /** CK_TRUE if object can be copied using C_CopyObject.Defaults to CK_TRUE. */ - { CKA_COPYABLE, pkcs11_attrib_false }, + { CKA_COPYABLE, pkcs11_attrib_false }, /** CK_TRUE if the object can be destroyed using C_DestroyObject. Default is CK_TRUE. */ - { CKA_DESTROYABLE, pkcs11_attrib_false }, + { CKA_DESTROYABLE, pkcs11_attrib_false }, }; /** @@ -111,11 +112,11 @@ const pkcs11_attrib_model const pkcs11_object_storage_attributes[] = { */ const pkcs11_attrib_model pkcs11_object_data_attributes[] = { /** Description of the application that manages the object(default empty) */ - { CKA_APPLICATION, NULL_PTR }, + { CKA_APPLICATION, NULL_PTR }, /** DER - encoding of the object identifier indicating the data object type(default empty) */ - { CKA_OBJECT_ID, NULL_PTR }, + { CKA_OBJECT_ID, NULL_PTR }, /** Value of the object(default empty) */ - { CKA_VALUE, NULL_PTR } + { CKA_VALUE, NULL_PTR } }; #endif 
@@ -190,21 +191,22 @@ CK_RV pkcs11_object_free(pkcs11_object_ptr pObject) if (NULL != pObject) { -#if ATCA_CA_SUPPORT if (NULL != pObject->data) { - if (PKCS11_OBJECT_FLAG_SENSITIVE == (pObject->flags & PKCS11_OBJECT_FLAG_SENSITIVE)) + if (PKCS11_OBJECT_FLAG_CERT_CACHE == (pObject->flags & PKCS11_OBJECT_FLAG_CERT_CACHE)) + { + (void)pkcs11_cert_clear_cache(pObject); + pObject->flags &= PKCS11_OBJECT_FLAG_CERT_CACHE_COMPLEMENT; + } + else if (PKCS11_OBJECT_FLAG_SENSITIVE == (pObject->flags & PKCS11_OBJECT_FLAG_SENSITIVE)) { (void)pkcs11_util_memset((CK_VOID_PTR)pObject->data, pObject->size, 0, pObject->size); } -#ifndef ATCA_NO_HEAP - if ((NULL != pObject->data) && (PKCS11_OBJECT_FLAG_DYNAMIC == (pObject->flags & PKCS11_OBJECT_FLAG_DYNAMIC))) + else { - pkcs11_os_free(pObject->data); + /* Added for MISRA Violation */ } -#endif } -#endif (void)pkcs11_util_memset(pObject, sizeof(pkcs11_object), 0, sizeof(pkcs11_object)); diff --git a/lib/pkcs11/pkcs11_object.h b/lib/pkcs11/pkcs11_object.h index 475605a94..d72bb0565 100644 --- a/lib/pkcs11/pkcs11_object.h +++ b/lib/pkcs11/pkcs11_object.h @@ -82,6 +82,8 @@ extern const CK_ULONG pkcs11_object_monotonic_attributes_count; #define PKCS11_OBJECT_FLAG_SENSITIVE (0x08U) #define PKCS11_OBJECT_FLAG_TA_TYPE (0x10U) #define PKCS11_OBJECT_FLAG_TRUST_TYPE (0x20U) +#define PKCS11_OBJECT_FLAG_CERT_CACHE (0x40U) +#define PKCS11_OBJECT_FLAG_CERT_CACHE_COMPLEMENT ~(PKCS11_OBJECT_FLAG_CERT_CACHE & 0xffu) /* Object System Access */ CK_RV pkcs11_object_alloc(CK_SLOT_ID slotId, pkcs11_object_ptr * ppObject); diff --git a/lib/pkcs11/pkcs11_os.c b/lib/pkcs11/pkcs11_os.c index 237098cc2..62206843d 100644 --- a/lib/pkcs11/pkcs11_os.c +++ b/lib/pkcs11/pkcs11_os.c 
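Review bot: In `pkcs11_object_free` the new `if / else if` chain makes the cert-cache path and the sensitive-data wipe mutually exclusive, so an object carrying both `PKCS11_OBJECT_FLAG_CERT_CACHE` and `PKCS11_OBJECT_FLAG_SENSITIVE` is never passed to `pkcs11_util_memset` here. The removed `pkcs11_os_free(pObject->data)` for `PKCS11_OBJECT_FLAG_DYNAMIC` objects also has no replacement in this hunk, and the whole `pkcs11_object` is zeroed right after, which drops the only pointer to that buffer. If dynamic buffers can still reach this function, that leaks them, possibly with key material left in the heap. Unless `pkcs11_cert_clear_cache` (not visible here) wipes and releases the data itself, I would do the sensitive wipe as its own `if` before the cache is cleared and keep the dynamic free. The empty `else` should say why nothing is done there instead of `/* Added for MISRA Violation */`.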
@@ -74,7 +74,7 @@ CK_RV pkcs11_os_alloc_shared_ctx(void ** ppShared, size_t size) { ATCA_STATUS status = ATCA_GEN_FAIL; -#if defined(_WIN32) || defined(__linux__) || defined(__APPLE__) +#if ((defined(__linux__) || defined(__APPLE__)) && defined(ATCA_USE_SHARED_MUTEX)) bool initialized = false; if (ATCA_SUCCESS == (status = hal_alloc_shared(ppShared, size, "atpkcs11_3_6", &initialized))) { @@ -106,7 +106,7 @@ CK_RV pkcs11_os_free_shared_ctx(void * pShared, size_t size) { ATCA_STATUS status = ATCA_GEN_FAIL; -#if defined(_WIN32) || defined(__linux__) || defined(__APPLE__) +#if (defined(__linux__) && defined(ATCA_USE_SHARED_MUTEX)) || defined(__APPLE__) status = hal_free_shared(pShared, size); #elif defined(ATCA_NO_HEAP) ((void)pShared); diff --git a/lib/pkcs11/pkcs11_session.c b/lib/pkcs11/pkcs11_session.c index 683b63f3c..30f265f55 100644 --- a/lib/pkcs11/pkcs11_session.c +++ b/lib/pkcs11/pkcs11_session.c @@ -40,6 +40,7 @@ #include "pkcs11_object.h" #include "pkcs11_os.h" #include "pkcs11_util.h" +#include "pkcs11_cert.h" /** * \defgroup pkcs11 Session Management (pkcs11_) @@ -83,7 +84,7 @@ static pkcs11_session_ctx_ptr pkcs11_allocate_session_context(void) return rv; } -static pkcs11_session_ctx_ptr pkcs11_get_session_context(CK_SESSION_HANDLE hSession) +pkcs11_session_ctx_ptr pkcs11_get_session_context(CK_SESSION_HANDLE hSession) { pkcs11_session_ctx_ptr rv = NULL; @@ -317,6 +318,7 @@ CK_RV pkcs11_session_open( session_ctx->slot = slot_ctx; session_ctx->initialized = TRUE; session_ctx->active_mech = CKM_VENDOR_DEFINED; + session_ctx->state = CKS_RO_PUBLIC_SESSION; /* Assign the session handle */ /* coverity[cert_int36_c_violation] A truncated pointer on 64 bit platforms should still be unique in a memory space */ @@ -582,6 +584,7 @@ CK_RV pkcs11_session_login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK if (CKR_OK == rv) { session_ctx->slot->logged_in = TRUE; + session_ctx->state = CKS_RO_USER_FUNCTIONS; } return rv; 
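Review bot: The two preprocessor guards in `pkcs11_os.c` no longer select the same platforms: `pkcs11_os_alloc_shared_ctx` uses `(defined(__linux__) || defined(__APPLE__)) && defined(ATCA_USE_SHARED_MUTEX)`, while `pkcs11_os_free_shared_ctx` (next hunk) uses `(defined(__linux__) && defined(ATCA_USE_SHARED_MUTEX)) || defined(__APPLE__)`. On an Apple build without `ATCA_USE_SHARED_MUTEX` the context is therefore allocated by the fallback branch but released with `hal_free_shared`, which is a mismatched allocate/free pair. The free side should use the same condition as the alloc side, `#if ((defined(__linux__) || defined(__APPLE__)) && defined(ATCA_USE_SHARED_MUTEX))`. The fallback branches are outside both hunks, so the exact effect depends on what they do.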
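Review bot: The new `session_ctx->state` is always set to a read-only value: `CKS_RO_PUBLIC_SESSION` in `pkcs11_session_open` and `CKS_RO_USER_FUNCTIONS` in `pkcs11_session_login`, regardless of the session's open flags or of `userType`. If read/write sessions or SO login are accepted elsewhere in these functions, `C_GetSessionInfo` would report a state that does not match what the session can do, and applications that gate writes on it would be misled. Login also sets `slot->logged_in` for the whole slot but updates the state of the calling session only, so other sessions on that slot keep the public state; the same applies to the reset in `pkcs11_session_logout` (later hunk). I would derive the state from the session flags and user type, or add a comment such as `/* only read-only user sessions are supported */` if that is the case. All three function bodies extend beyond their hunks.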
@@ -619,12 +622,14 @@ CK_RV pkcs11_session_logout(CK_SESSION_HANDLE hSession) } #endif + (void)pkcs11_cert_clear_cache_session(session_ctx); rv = pkcs11_release_resource(lib_ctx, session_ctx, PKCS11_AUTH_OP_0); /* Wipe the io protection secret regardless if the above operatios succeeded */ (void)pkcs11_util_memset(session_ctx->slot->read_key, sizeof(session_ctx->slot->read_key), 0, sizeof(session_ctx->slot->read_key)); session_ctx->slot->logged_in = FALSE; + session_ctx->state = CKS_RO_PUBLIC_SESSION; return rv; } diff --git a/lib/pkcs11/pkcs11_session.h b/lib/pkcs11/pkcs11_session.h index 17cfba9ac..c0f37a6a5 100644 --- a/lib/pkcs11/pkcs11_session.h +++ b/lib/pkcs11/pkcs11_session.h @@ -41,19 +41,19 @@ extern "C" { typedef struct pkcs11_session_mech_ctx_s { #ifdef PKCS11_HARDWARE_SHA256 - atca_hmac_sha256_ctx_t hmac; - atca_sha256_ctx_t sha256; + atca_hmac_sha256_ctx_t hmac; + atca_sha256_ctx_t sha256; #else - atcac_hmac_ctx_t hmac; - atcac_sha2_256_ctx_t sha256; + atcac_hmac_ctx_t hmac; + atcac_sha2_256_ctx_t sha256; #endif atca_aes_cmac_ctx_t cmac; atca_aes_cbc_ctx_t cbc; #ifdef ATCA_ATECC608_SUPPORT struct { - atca_aes_gcm_ctx_t context; - CK_BYTE tag_len; + atca_aes_gcm_ctx_t context; + CK_BYTE tag_len; } gcm; #endif #if ATCA_TA_SUPPORT @@ -86,7 +86,7 @@ typedef struct pkcs11_session_ctx_s #ifdef __cplusplus } #endif -//pkcs11_session_ctx_ptr pkcs11_get_session_context(CK_SESSION_HANDLE hSession); +pkcs11_session_ctx_ptr pkcs11_get_session_context(CK_SESSION_HANDLE hSession); CK_RV pkcs11_session_check(pkcs11_session_ctx_ptr * pSession, CK_SESSION_HANDLE hSession); CK_RV pkcs11_session_get_info(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo); diff --git a/lib/pkcs11/pkcs11_slot.c.uncrustify b/lib/pkcs11/pkcs11_slot.c.uncrustify deleted file mode 100644 index e69de29bb..000000000 diff --git a/lib/wolfssl/atca_wolfssl_interface.c b/lib/wolfssl/atca_wolfssl_interface.c index efc2b250c..5a7d0b203 100644 --- a/lib/wolfssl/atca_wolfssl_interface.c 
+++ b/lib/wolfssl/atca_wolfssl_interface.c @@ -27,9 +27,19 @@ #include "cryptoauthlib.h" +#ifdef __COVERITY__ +#pragma coverity compliance block \ + (deviate "CERT EXP40-C" "The third party wolfssl api converts const to non constant which is out of scope of CAL") \ + (deviate "MISRA C-2012 Rule 10.3" "Third party library (wolfssl) implementation which is tested code") \ + (deviate "MISRA C-2012 Rule 11.3" "Third party library (wolfssl) implementation which is tested code") \ + (deviate "MISRA C-2012 Rule 11.8" "Third party library (wolfssl) implementation which is tested code") +#endif + #ifdef ATCA_WOLFSSL #include "crypto/atca_crypto_sw.h" #include "atca_wolfssl_internal.h" +#include "wolfssl/wolfssl/internal.h" +#include "wolfssl/wolfssl/ssl.h" /** \brief Return Random Bytes * @@ -53,6 +63,7 @@ ATCA_STATUS atcac_sw_random(uint8_t* data, size_t data_size) status = ATCA_GEN_FAIL; } } + (void)wc_FreeRng(&rng); } else { 
@@ -66,49 +77,49 @@ ATCA_STATUS atcac_sw_random(uint8_t* data, size_t data_size) * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_aes_gcm_encrypt_start( - struct atcac_aes_gcm_ctx * ctx, /**< [in] AES-GCM Context */ - const uint8_t * key, /**< [in] AES Key */ - const uint8_t key_len, /**< [in] Length of the AES key - should be 16 or 32*/ - const uint8_t * iv, /**< [in] Initialization vector input */ - const uint8_t iv_len /**< [in] Length of the initialization vector */ + struct atcac_aes_gcm_ctx * ctx, /**< [in] AES-GCM Context */ + const uint8_t * key, /**< [in] AES Key */ + const uint8_t key_len, /**< [in] Length of the AES key - should be 16 or 32*/ + const uint8_t * iv, /**< [in] Initialization vector input */ + const uint8_t iv_len /**< [in] Length of the initialization vector */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - memset(ctx, 0, sizeof(atcac_aes_gcm_ctx_t)); + (void)memset(ctx, 0, sizeof(atcac_aes_gcm_ctx_t)); ctx->iv_len = iv_len; - if (iv) + if (NULL != iv) { - memcpy(ctx->iv, iv, ctx->iv_len); + (void)memcpy(ctx->iv, iv, ctx->iv_len); } - - status = !wc_AesGcmSetKey(&ctx->aes, key, key_len) ? ATCA_SUCCESS : ATCA_GEN_FAIL; + status = (0 == wc_AesGcmSetKey(&ctx->aes, key, key_len)) ? 
ATCA_SUCCESS : ATCA_GEN_FAIL; } return status; } ATCA_STATUS atcac_aes_gcm_encrypt( - struct atcac_aes_gcm_ctx* ctx, - const uint8_t* plaintext, - const size_t pt_len, - uint8_t* ciphertext, - uint8_t* tag, - size_t tag_len, - const uint8_t* aad, - const size_t aad_len + struct atcac_aes_gcm_ctx* ctx, + const uint8_t* plaintext, + const size_t pt_len, + uint8_t* ciphertext, + uint8_t* tag, + size_t tag_len, + const uint8_t* aad, + const size_t aad_len ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - if (!wc_AesGcmEncrypt(&ctx->aes, ciphertext, plaintext, pt_len, ctx->iv, ctx->iv_len, tag, tag_len, aad, aad_len)) + if ((pt_len <= UINT32_MAX) && (tag_len <= UINT32_MAX) && (aad_len <= UINT32_MAX)) { - status = ATCA_SUCCESS; + status = (0 == wc_AesGcmEncrypt(&ctx->aes, ciphertext, plaintext, (word32)pt_len, ctx->iv, ctx->iv_len, + tag, (word32)tag_len, aad, (word32)aad_len)) ? ATCA_SUCCESS : ATCA_GEN_FAIL; } } return status; 
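Review bot: In `atcac_aes_gcm_encrypt_start`, `(void)memcpy(ctx->iv, iv, ctx->iv_len)` copies a caller-supplied length of up to 255 bytes with no comparison against the size of `ctx->iv`; the same line appears in `atcac_aes_gcm_decrypt_start` in the next hunk. The struct is declared outside this diff, so whether 255 bytes fit cannot be confirmed here. A guard such as `if (iv_len > sizeof(ctx->iv)) { return ATCA_BAD_PARAM; }` before the copy would rule out an overflow. When `iv` is NULL the context keeps a non-zero `iv_len` over the zeroed buffer, so encryption would proceed with an all-zero IV; rejecting a NULL `iv` with `ATCA_BAD_PARAM` looks safer for GCM, where IV reuse under one key breaks both confidentiality and authentication.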
@@ -119,51 +130,56 @@ ATCA_STATUS atcac_aes_gcm_encrypt( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_aes_gcm_decrypt_start( - struct atcac_aes_gcm_ctx* ctx, /**< [in] AES-GCM Context */ - const uint8_t* key, /**< [in] AES Key */ - const uint8_t key_len, /**< [in] Length of the AES key - should be 16 or 32*/ - const uint8_t* iv, /**< [in] Initialization vector input */ - const uint8_t iv_len /**< [in] Length of the initialization vector */ + struct atcac_aes_gcm_ctx* ctx, /**< [in] AES-GCM Context */ + const uint8_t* key, /**< [in] AES Key */ + const uint8_t key_len, /**< [in] Length of the AES key - should be 16 or 32*/ + const uint8_t* iv, /**< [in] Initialization vector input */ + const uint8_t iv_len /**< [in] Length of the initialization vector */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - memset(ctx, 0, sizeof(atcac_aes_gcm_ctx_t)); + (void)memset(ctx, 0, sizeof(atcac_aes_gcm_ctx_t)); ctx->iv_len = iv_len; - if (iv) + if (NULL != iv) { - memcpy(ctx->iv, iv, ctx->iv_len); + (void)memcpy(ctx->iv, iv, ctx->iv_len); } - status = !wc_AesGcmSetKey(&ctx->aes, key, key_len) ? ATCA_SUCCESS : ATCA_GEN_FAIL; + status = (0 == wc_AesGcmSetKey(&ctx->aes, key, key_len)) ? 
ATCA_SUCCESS : ATCA_GEN_FAIL; } return status; } ATCA_STATUS atcac_aes_gcm_decrypt( - struct atcac_aes_gcm_ctx* ctx, - const uint8_t* ciphertext, - const size_t ct_len, - uint8_t* plaintext, - const uint8_t* tag, - size_t tag_len, - const uint8_t* aad, - const size_t aad_len, - bool* is_verified + struct atcac_aes_gcm_ctx* ctx, + const uint8_t* ciphertext, + const size_t ct_len, + uint8_t* plaintext, + const uint8_t* tag, + size_t tag_len, + const uint8_t* aad, + const size_t aad_len, + bool* is_verified ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx && is_verified) + if (NULL != ctx && NULL != is_verified) { - if (!wc_AesGcmDecrypt(&ctx->aes, plaintext, ciphertext, ct_len, ctx->iv, ctx->iv_len, tag, tag_len, aad, aad_len)) + if ((tag_len <= UINT32_MAX) && (aad_len <= UINT32_MAX) && (ct_len <= UINT32_MAX)) + { + status = (0 == wc_AesGcmDecrypt(&ctx->aes, plaintext, ciphertext, (word32)ct_len, ctx->iv, ctx->iv_len, + tag, (word32)tag_len, aad, (word32)aad_len)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + + if (ATCA_SUCCESS == status) { *is_verified = true; - status = ATCA_SUCCESS; } else { 
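Review bot: `atcac_aes_gcm_decrypt` has no doc comment, and its contract for a failed tag check is not stated anywhere in the hunk. `wc_AesGcmDecrypt` writes into `plaintext` as part of the call, so callers need to know that the buffer must be ignored unless the function returns `ATCA_SUCCESS` with `*is_verified` true. I would add `/** \brief Decrypt and authenticate; the plaintext output is valid only when ATCA_SUCCESS is returned and *is_verified is true */` above the function. The failure code here is `ATCA_FUNC_FAIL` while `atcac_aes_gcm_encrypt` returns `ATCA_GEN_FAIL` for the same kind of wolfSSL failure, which is worth aligning or documenting. The `else` body that handles the failure case lies outside the hunk.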
@@ -177,72 +193,98 @@ ATCA_STATUS atcac_aes_gcm_decrypt( * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_init( - struct atcac_sha1_ctx* ctx /**< [in] pointer to a hash context */ +ATCA_STATUS atcac_sw_sha1_init( + struct atcac_sha1_ctx* ctx /**< [in] pointer to a hash context */ ) { - return (!wc_InitSha((wc_Sha*)ctx)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + wc_Sha* temp_ptr = &ctx->sha; + ATCA_STATUS status = (0 == wc_InitSha(temp_ptr)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + + return status; } /** \brief Add data to a SHA1 hash. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_update( - struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ - const uint8_t* data, /**< [in] input data buffer */ - size_t data_size /**< [in] input data length */ +ATCA_STATUS atcac_sw_sha1_update( + struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ + const uint8_t* data, /**< [in] input data buffer */ + size_t data_size /**< [in] input data length */ ) { - return (!wc_ShaUpdate((wc_Sha*)ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (data_size <= UINT32_MAX) + { + wc_Sha* temp_ptr = &ctx->sha; + status = (0 == wc_ShaUpdate(temp_ptr, data, (word32)data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + return status; } /** \brief Complete the SHA1 hash in software and return the digest. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha1_finish( - struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ - uint8_t digest[ATCA_SHA1_DIGEST_SIZE] /**< [out] output buffer (20 bytes) */ +ATCA_STATUS atcac_sw_sha1_finish( + struct atcac_sha1_ctx* ctx, /**< [in] pointer to a hash context */ + uint8_t digest[ATCA_SHA1_DIGEST_SIZE] /**< [out] output buffer (20 bytes) */ ) { - return (!wc_ShaFinal((wc_Sha*)ctx, digest)) ? 
ATCA_SUCCESS : ATCA_FUNC_FAIL; + wc_Sha* temp_ptr = &ctx->sha; + ATCA_STATUS status = (0 == wc_ShaFinal(temp_ptr, digest)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + + return status; } /** \brief Initialize context for performing SHA256 hash in software. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha2_256_init( +ATCA_STATUS atcac_sw_sha2_256_init( struct atcac_sha2_256_ctx* ctx /**< [in] pointer to a hash context */ ) { - return (!wc_InitSha256((wc_Sha256*)ctx)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + wc_Sha256* temp_ptr = &ctx->sha; + ATCA_STATUS status = (0 == wc_InitSha256(temp_ptr)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + + return status; } /** \brief Add data to a SHA256 hash. * * \return ATCA_SUCCESS on success, otherwise an error code. */ -int atcac_sw_sha2_256_update( - struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ - const uint8_t* data, /**< [in] input data buffer */ - size_t data_size /**< [in] input data length */ +ATCA_STATUS atcac_sw_sha2_256_update( + struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ + const uint8_t* data, /**< [in] input data buffer */ + size_t data_size /**< [in] input data length */ ) { - return (!wc_Sha256Update((wc_Sha256*)ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (data_size <= UINT32_MAX) + { + wc_Sha256* temp_ptr = &ctx->sha; + status = (0 == wc_Sha256Update(temp_ptr, data, (word32)data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + return status; } /** \brief Complete the SHA256 hash in software and return the digest. * * \return ATCA_SUCCESS on success, otherwise an error code. 
*/ -int atcac_sw_sha2_256_finish( - struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ - uint8_t digest[ATCA_SHA2_256_DIGEST_SIZE] /**< [out] output buffer (32 bytes) */ +ATCA_STATUS atcac_sw_sha2_256_finish( + struct atcac_sha2_256_ctx* ctx, /**< [in] pointer to a hash context */ + uint8_t digest[ATCA_SHA2_256_DIGEST_SIZE] /**< [out] output buffer (32 bytes) */ ) { - return (!wc_Sha256Final((wc_Sha256*)ctx, digest)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + wc_Sha256* temp_ptr = &ctx->sha; + ATCA_STATUS status = (0 == wc_Sha256Final(temp_ptr, digest)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + + return status; } /** \brief Initialize context for performing CMAC in software. @@ -250,12 +292,21 @@ int atcac_sw_sha2_256_finish( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_aes_cmac_init( - struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ - const uint8_t* key, /**< [in] key value to use */ - const uint8_t key_len /**< [in] length of the key */ + struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ + const uint8_t* key, /**< [in] key value to use */ + const uint8_t key_len /**< [in] length of the key */ ) { - return (!wc_InitCmac((Cmac*)ctx, key, key_len, WC_CMAC_AES, NULL)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (ctx != NULL) + { + Cmac* tmp_ptr = &ctx->cmac; + /* coverity[misra_c_2012_rule_10_3_violation:FALSE] */ + status = (0 == wc_InitCmac(tmp_ptr, key, key_len, (sword32)WC_CMAC_AES, NULL)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + + return status; } /** \brief Update CMAC context with input data 
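Review bot: The SHA-1 and SHA-256 wrappers now compute `&ctx->sha` before anything has checked `ctx`, so a NULL context leads to a member-address computation on a null pointer (undefined behaviour) instead of being passed through to wolfCrypt as the old `(wc_Sha*)ctx` cast did. atcac_aes_cmac_init in the next hunk guards with `ctx != NULL` and returns ATCA_BAD_PARAM; the six hash functions here, and atcac_aes_cmac_update in the hunk after that, should do the same, e.g. `if ((NULL != ctx) && (data_size <= UINT32_MAX))` in the update functions and `if (NULL != ctx)` around the init and finish bodies. The return type also changes from int to ATCA_STATUS, so the prototypes in the header (not shown in this hunk) need the matching change.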
@@ -263,12 +314,19 @@ ATCA_STATUS atcac_aes_cmac_init( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_aes_cmac_update( - struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ - const uint8_t* data, /**< [in] input data */ - const size_t data_size /**< [in] length of input data */ + struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ + const uint8_t* data, /**< [in] input data */ + const size_t data_size /**< [in] length of input data */ ) { - return (!wc_CmacUpdate((Cmac*)ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (data_size <= UINT32_MAX) + { + Cmac* tmp_ptr = &ctx->cmac; + status = (0 == wc_CmacUpdate(tmp_ptr, data, (word32)data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + return status; } /** \brief Finish CMAC calculation and clear the CMAC context @@ -276,18 +334,22 @@ ATCA_STATUS atcac_aes_cmac_update( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_aes_cmac_finish( - struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ - uint8_t* cmac, /**< [out] cmac value */ - size_t* cmac_size /**< [inout] length of cmac */ + struct atcac_aes_cmac_ctx* ctx, /**< [in] pointer to a aes-cmac context */ + uint8_t* cmac, /**< [out] cmac value */ + size_t* cmac_size /**< [inout] length of cmac */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (cmac_size) + if (NULL != cmac_size) { - word32 out_len = *cmac_size; - status = (!wc_CmacFinal((Cmac*)ctx, cmac, &out_len)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; - *cmac_size = out_len; + if ((*cmac_size <= UINT32_MAX) && (ctx != NULL)) + { + Cmac* tmp_ptr = &ctx->cmac; + word32 out_len = (word32) * cmac_size; + status = (0 == wc_CmacFinal(tmp_ptr, cmac, &out_len)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + *cmac_size = out_len; + } } return status; } 
@@ -297,22 +359,31 @@ ATCA_STATUS atcac_aes_cmac_finish( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_sha256_hmac_init( - struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ - struct atcac_sha2_256_ctx* sha256_ctx, /**< [in] pointer to a sha256 context */ - const uint8_t* key, /**< [in] key value to use */ - const uint8_t key_len /**< [in] length of the key */ + struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ + struct atcac_sha2_256_ctx* sha256_ctx, /**< [in] pointer to a sha256 context */ + const uint8_t* key, /**< [in] key value to use */ + const uint8_t key_len /**< [in] length of the key */ ) { - int ret = wc_HmacInit((Hmac*)ctx, NULL, 0); - - (void)sha256_ctx; + ATCA_STATUS status = ATCA_BAD_PARAM; - if (!ret) + if (ctx != NULL) { - ret = wc_HmacSetKey((Hmac*)ctx, SHA256, key, key_len); - } + Hmac* temp_ptr = &ctx->hmac; + status = (0 == wc_HmacInit(temp_ptr, NULL, 0)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; - return (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + (void)sha256_ctx; + + if (ATCA_SUCCESS == status) + { +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) + status = (0 == wc_HmacSetKey(temp_ptr, WC_SHA256, key, key_len)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; +#else + status = (0 == wc_HmacSetKey(temp_ptr, SHA256, key, key_len)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; +#endif + } + } + return status; } /** \brief Update HMAC context with input data 
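Review bot: atcac_sha256_hmac_init still documents `sha256_ctx` as an input context although the body discards it with `(void)sha256_ctx;`, so the parameter comment should say so, for example `/**< [in] unused by the wolfSSL backend */`. `key` is passed to wc_HmacSetKey without a NULL check even though `ctx` is now checked. When wc_HmacSetKey fails after wc_HmacInit succeeded, this path returns without the wc_HmacFree that atcac_sha256_hmac_finish performs; whether callers are expected to run finish after a failed init is not visible here, so it is worth stating in the function comment.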
@@ -320,12 +391,19 @@ ATCA_STATUS atcac_sha256_hmac_init( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_sha256_hmac_update( - struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ - const uint8_t* data, /**< [in] input data */ - size_t data_size /**< [in] length of input data */ + struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ + const uint8_t* data, /**< [in] input data */ + size_t data_size /**< [in] length of input data */ ) { - return (!wc_HmacUpdate((Hmac*)ctx, data, data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + ATCA_STATUS status = ATCA_BAD_PARAM; + + if ((data_size <= UINT32_MAX) && ctx != NULL) + { + Hmac* temp_ptr = &ctx->hmac; + status = (0 == wc_HmacUpdate(temp_ptr, data, (word32)data_size)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + } + return status; } /** \brief Finish HMAC calculation and clear the HMAC context @@ -333,18 +411,21 @@ ATCA_STATUS atcac_sha256_hmac_update( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_sha256_hmac_finish( - struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ - uint8_t* digest, /**< [out] hmac value */ - size_t* digest_len /**< [inout] length of hmac */ + struct atcac_hmac_ctx* ctx, /**< [in] pointer to a sha256-hmac context */ + uint8_t* digest, /**< [out] hmac value */ + size_t* digest_len /**< [inout] length of hmac */ ) { ((void)digest_len); + ATCA_STATUS status = ATCA_BAD_PARAM; + if (ctx != NULL) + { + Hmac* temp_ptr = &ctx->hmac; + status = (0 == wc_HmacFinal(temp_ptr, digest)) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; - int ret = wc_HmacFinal((Hmac*)ctx, digest); - - wc_HmacFree((Hmac*)ctx); - - return (!ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; + wc_HmacFree(temp_ptr); + } + return status; } /** \brief Set up a public/private key structure for use in asymmetric cryptographic functions 
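Review bot: atcac_sha256_hmac_finish documents `digest_len` as [inout] but discards it with `((void)digest_len);`, so wc_HmacFinal writes a full SHA-256 digest into `digest` whatever size the caller reported, and the produced length is never written back. I would check the capacity before the call, `if ((NULL != ctx) && (NULL != digest) && ((NULL == digest_len) || (*digest_len >= ATCA_SHA2_256_DIGEST_SIZE)))`, and on success set `*digest_len = ATCA_SHA2_256_DIGEST_SIZE;` when the pointer is non-NULL. The NULL case is kept accepted in that condition because existing callers may pass NULL; that cannot be confirmed from this hunk.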
@@ -352,41 +433,45 @@ ATCA_STATUS atcac_sha256_hmac_finish( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_init( - struct atcac_pk_ctx* ctx, /**< [in] pointer to a pk context */ - const uint8_t* buf, /**< [in] buffer containing a pem encoded key */ - size_t buflen, /**< [in] length of the input buffer */ - uint8_t key_type, - bool pubkey /**< [in] buffer is a public key */ + struct atcac_pk_ctx* ctx, /**< [in] pointer to a pk context */ + const uint8_t* buf, /**< [in] buffer containing a pem encoded key */ + size_t buflen, /**< [in] length of the input buffer */ + uint8_t key_type, + bool pubkey /**< [in] buffer is a public key */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; ((void)buflen); - if (ctx) + if (NULL != ctx) { - if (!key_type) + if (0u == key_type) { ctx->ptr = wc_ecc_key_new(NULL); - if (ctx->ptr) + if (NULL != ctx->ptr) { - int ret = wc_ecc_set_curve((ecc_key*)ctx->ptr, 32, ECC_SECP256R1); + /* coverity[misra_c_2012_rule_10_3_violation:FALSE] */ + int ret = (0 == wc_ecc_set_curve((ecc_key*)ctx->ptr, 32, (sword32)ECC_SECP256R1)) ? 0 : 1; - if (!ret) + if (0 == ret) { if (pubkey) { + uint8_t buf_copy[64] = { 0x00 }; + (void)memcpy(&buf_copy, buf, sizeof(buf_copy)); /* Configure the public key */ - ret = wc_ecc_import_unsigned((ecc_key*)ctx->ptr, (byte*)buf, (byte*)&buf[32], NULL, ECC_SECP256R1); + ret = wc_ecc_import_unsigned((ecc_key*)ctx->ptr, (byte*)buf_copy, (byte*)&buf_copy[32], NULL, (sword32)ECC_SECP256R1); + } else { /* Configure a private key */ - ret = wc_ecc_import_private_key((byte*)buf, 32, NULL, 0, (ecc_key*)ctx->ptr); + ret = wc_ecc_import_private_key((const byte*)buf, 32, NULL, 0, (ecc_key*)ctx->ptr); } - if (!ret) + if (0 == ret) { status = ATCA_SUCCESS; } 
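Review bot: The new `(void)memcpy(&buf_copy, buf, sizeof(buf_copy));` in the public-key branch of atcac_pk_init reads 64 bytes from `buf` while `buflen` is still discarded by `((void)buflen);` and `buf` is never compared with NULL, so a short or missing input is read out of bounds; the private-key branch has the same gap for its 32 bytes. Validate at the entry check so nothing is allocated on bad input: `if ((NULL != ctx) && (NULL != buf) && (buflen >= (pubkey ? 64u : 32u)))`, and drop the `((void)buflen);` line. The parameter comment also calls `buf` "a pem encoded key" although this path imports raw X and Y coordinates or a raw scalar. The function continues past the end of the hunk, so the release of ctx->ptr on failure is not visible here.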
@@ -411,18 +496,18 @@ ATCA_STATUS atcac_pk_init( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_init_pem( - struct atcac_pk_ctx* ctx, /**< [in] pointer to a pk context */ - const uint8_t * buf, /**< [in] buffer containing a pem encoded key */ - size_t buflen, /**< [in] length of the input buffer */ - bool pubkey /**< [in] buffer is a public key */ + struct atcac_pk_ctx* ctx, /**< [in] pointer to a pk context */ + const uint8_t * buf, /**< [in] buffer containing a pem encoded key */ + size_t buflen, /**< [in] length of the input buffer */ + bool pubkey /**< [in] buffer is a public key */ ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx && buf) + if (NULL != ctx && NULL != buf) { - int ret = -1; int ecckey = 0; + /* coverity[misra_c_2012_rule_10_3_violation:FALSE] */ int type = ECC_PRIVATEKEY_TYPE; word32 inOutIdx = 0; DerBuffer* der = NULL; 
@@ -433,31 +518,33 @@ ATCA_STATUS atcac_pk_init_pem( type = ECC_PUBLICKEY_TYPE; } - ret = PemToDer((const unsigned char*)buf, (long)buflen, type, &der, NULL, NULL, &ecckey); - - if ((ret >= 0) && (der != NULL)) + if (buflen <= UINT32_MAX) { - ctx->ptr = wc_ecc_key_new(NULL); - - if (ctx->ptr) + int ret = PemToDer((const unsigned char*)buf, (long)buflen, type, &der, NULL, NULL, &ecckey); + if ((ret >= 0) && (der != NULL)) { - ret = wc_ecc_set_curve((ecc_key*)ctx->ptr, 32, ECC_SECP256R1); + ctx->ptr = wc_ecc_key_new(NULL); - if (!ret) + if (NULL != ctx->ptr) { - if (pubkey) + ret = (0 == wc_ecc_set_curve((ecc_key*)ctx->ptr, 32, (sword32)ECC_SECP256R1)) ? 0 : 1; + + if (0 == ret) { - ret = wc_EccPublicKeyDecode(der->buffer, &inOutIdx, (ecc_key*)ctx->ptr, der->length); + if (pubkey) + { + ret = wc_EccPublicKeyDecode(der->buffer, &inOutIdx, (ecc_key*)ctx->ptr, der->length); + } + else + { + ret = wc_EccPrivateKeyDecode(der->buffer, &inOutIdx, (ecc_key*)ctx->ptr, der->length); + } + status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } - else + if (ATCA_SUCCESS == status) { - ret = wc_EccPrivateKeyDecode(der->buffer, &inOutIdx, (ecc_key*)ctx->ptr, der->length); + ctx->key_type = 0; } - status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; - } - if (ATCA_SUCCESS == status) - { - ctx->key_type = 0; } } } @@ -470,16 +557,16 @@ ATCA_STATUS atcac_pk_init_pem( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_public( - struct atcac_pk_ctx* ctx, - uint8_t* buf, - size_t* buflen + struct atcac_pk_ctx* ctx, + uint8_t* buf, + size_t* buflen ) { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx && ctx->ptr && buf) + if (NULL != ctx && NULL != ctx->ptr && NULL != buf) { - if (buflen) + if (NULL != buflen) { (void)*buflen; } @@ -509,9 +596,9 @@ ATCA_STATUS atcac_pk_free( { ATCA_STATUS status = ATCA_BAD_PARAM; - if (ctx) + if (NULL != ctx) { - if (ctx->ptr) + if (NULL != ctx->ptr) { wc_ecc_key_free((ecc_key*)(ctx->ptr)); } 
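Review bot: In atcac_pk_init_pem the new guard `if (buflen <= UINT32_MAX)` does not match the conversion it protects, `(long)buflen`: where long is 32 bits wide, a length above LONG_MAX still passes the guard and reaches PemToDer as a negative size. Bound it by the target type instead, `if (buflen <= (size_t)LONG_MAX)` (needs `<limits.h>`). The `der` buffer produced by PemToDer is not released anywhere in this hunk, and ctx->ptr stays allocated when the key decode fails; the function continues outside the hunk, so check that both are freed on every path there.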
@@ -525,11 +612,11 @@ ATCA_STATUS atcac_pk_free( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_sign( - struct atcac_pk_ctx* ctx, - const uint8_t * digest, - size_t dig_len, - uint8_t* signature, - size_t* sig_len + struct atcac_pk_ctx* ctx, + const uint8_t * digest, + size_t dig_len, + uint8_t* signature, + size_t* sig_len ) { ATCA_STATUS status = ATCA_BAD_PARAM; @@ -541,16 +628,16 @@ ATCA_STATUS atcac_pk_sign( if (0 == ret) { - if ((0 == ctx->key_type) && (ATCA_SHA256_DIGEST_SIZE == dig_len)) + if ((0u == ctx->key_type) && (ATCA_SHA256_DIGEST_SIZE == dig_len)) { uint8_t sig[72]; - word32 siglen = sizeof(sig); + word32 siglen = 72; word32 rlen = 32; word32 slen = 32; - memset(signature, 0, *sig_len); + (void)memset(signature, 0, *sig_len); - ret = wc_ecc_sign_hash((byte*)digest, (word32)dig_len, (byte*)sig, &siglen, &rng, (ecc_key*)ctx->ptr); + ret = wc_ecc_sign_hash((const byte*)digest, (word32)dig_len, (byte*)sig, &siglen, &rng, (ecc_key*)ctx->ptr); if (0 == ret) { @@ -567,7 +654,7 @@ ATCA_STATUS atcac_pk_sign( // ret = wc_SignatureGenerateHash(WC_HASH_TYPE_SHA256, WC_SIGNATURE_TYPE_RSA, digest, dig_len, signature, // *sig_len, (RsaKey*)ctx->ptr, 32, &rng); } - wc_FreeRng(&rng); + (void)wc_FreeRng(&rng); } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } @@ -579,11 +666,11 @@ ATCA_STATUS atcac_pk_sign( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_verify( - struct atcac_pk_ctx* ctx, - const uint8_t* digest, - size_t dig_len, - const uint8_t* signature, - size_t sig_len + struct atcac_pk_ctx* ctx, + const uint8_t* digest, + size_t dig_len, + const uint8_t* signature, + size_t sig_len ) { ATCA_STATUS status = ATCA_BAD_PARAM; 
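Review bot: Replacing `word32 siglen = sizeof(sig);` with the literal `72` in atcac_pk_sign (and `word32 len = 72;` in atcac_pk_verify in a later hunk) cuts the link between the length given to wolfCrypt and the `uint8_t sig[72]` array, so a later resize of the array would silently leave a wrong bound. Keep the size derived and add the cast if the implicit conversion was what the analyser objected to: `word32 siglen = (word32)sizeof(sig);`. In the same hunk `(void)memset(signature, 0, *sig_len);` trusts `signature` and `*sig_len`; the entry checks are outside the hunk, so confirm they cover both pointers and require room for the two 32-byte values (`rlen`, `slen`) written afterwards.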
@@ -593,16 +680,16 @@ ATCA_STATUS atcac_pk_verify( { int ret = -1; int res = 0; - if ((0 == ctx->key_type) && (ATCA_ECCP256_SIG_SIZE == sig_len)) + if ((0u == ctx->key_type) && (ATCA_ECCP256_SIG_SIZE == sig_len)) { uint8_t sig[72]; - word32 len = sizeof(sig); + word32 len = 72; - ret = wc_ecc_rs_raw_to_sig(signature, 32, &signature[32], 32, (byte*)sig, &len); + ret = (0 == wc_ecc_rs_raw_to_sig(signature, 32, &signature[32], 32, (byte*)sig, &len)) ? 0 : 1; - if (!ret) + if (0 == ret) { - ret = wc_ecc_verify_hash((byte*)sig, len, (byte*)digest, (word32)dig_len, &res, (ecc_key*)ctx->ptr); + ret = wc_ecc_verify_hash((byte*)sig, len, (const byte*)digest, (word32)dig_len, &res, (ecc_key*)ctx->ptr); } } else @@ -612,9 +699,9 @@ ATCA_STATUS atcac_pk_verify( } status = ATCA_FUNC_FAIL; - if (!ret) + if (0 == ret) { - if (res) + if (1 == res) { status = ATCA_SUCCESS; } @@ -630,10 +717,10 @@ ATCA_STATUS atcac_pk_verify( * \return ATCA_SUCCESS on success, otherwise an error code. */ ATCA_STATUS atcac_pk_derive( - struct atcac_pk_ctx* private_ctx, - struct atcac_pk_ctx* public_ctx, - uint8_t* buf, - size_t* buflen + struct atcac_pk_ctx* private_ctx, + struct atcac_pk_ctx* public_ctx, + uint8_t* buf, + size_t* buflen ) { ATCA_STATUS status = ATCA_BAD_PARAM; @@ -642,9 +729,11 @@ ATCA_STATUS atcac_pk_derive( { int ret = -1; - if (0 == private_ctx->key_type) + if ((*buflen <= UINT32_MAX) && (0u == private_ctx->key_type)) { - ret = wc_ecc_shared_secret((ecc_key*)private_ctx->ptr, (ecc_key*)public_ctx->ptr, (byte*)buf, (word32*)buflen); + word32 temp_len = (word32)*buflen; + ret = wc_ecc_shared_secret((ecc_key*)private_ctx->ptr, (ecc_key*)public_ctx->ptr, (byte*)buf, &temp_len); + *buflen = temp_len; } status = (0 == ret) ? ATCA_SUCCESS : ATCA_FUNC_FAIL; } 
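Review bot: atcac_pk_verify passes `(word32)dig_len` to wc_ecc_verify_hash without the range guard this commit adds in front of the other size_t-to-word32 casts, and unlike atcac_pk_sign it does not require `ATCA_SHA256_DIGEST_SIZE == dig_len`. Extending the branch test to `if ((0u == ctx->key_type) && (ATCA_ECCP256_SIG_SIZE == sig_len) && (ATCA_SHA256_DIGEST_SIZE == dig_len))` would make both the cast and the accepted digest size explicit; if callers legitimately verify other digest lengths, use `(dig_len <= UINT32_MAX)` instead. The function's entry checks are outside this hunk, so this may already be covered there.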
@@ -652,6 +741,259 @@ ATCA_STATUS atcac_pk_derive( return status; } + +static ATCA_STATUS atcac_read_asn1_string(WOLFSSL_ASN1_TIME* as, cal_buffer* buf, uint8_t* tag) +{ + ATCA_STATUS status; + + if (NULL != as && 0 < as->length) + { + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(buf, 0U, as->data, (size_t)as->length))) + { + if (NULL != tag) + { + if ((as->type >= 0 && as->type <= 255)) + { + *tag = (unsigned char)as->type; + } + } + status = cal_buf_set_used(buf, (size_t)as->length); + } + + } + else + { + /* No data is available */ + status = cal_buf_set_used(buf, 0U); + } + + return status; +} + +ATCA_STATUS atcac_parse_der(struct atcac_x509_ctx** cert, cal_buffer* der) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != der) + { + const unsigned char* in = der->buf; + if (der->len <= UINT32_MAX) + { + void** tmp = cert; + WOLFSSL_X509** x509 = (WOLFSSL_X509**)tmp; + /* coverity[misra_c_2012_rule_11_3_violation:FALSE] */ + if (NULL != wolfSSL_d2i_X509((WOLFSSL_X509**)x509, &in, (int)der->len)) + { + status = ATCA_SUCCESS; + } + } + } + return status; +} + +static WOLFSSL_X509* get_wssl_cert_from_atcac_ctx(const struct atcac_x509_ctx* cert) +{ + /* coverity[cert_exp40_c_violation] wolf ssl api removes const qualifier which is out of scope */ + /* coverity[misra_c_2012_rule_11_8_violation:FALSE] */ + WOLFSSL_X509* wssl_cert = (NULL != cert) ? 
&cert->ptr : NULL; + + return wssl_cert; +} + +ATCA_STATUS atcac_get_subject(const struct atcac_x509_ctx* cert, cal_buffer* cert_subject) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_subject) + { + const WOLFSSL_X509_NAME* sub_name = wolfSSL_X509_get_subject_name(get_wssl_cert_from_atcac_ctx(cert)); + + if (NULL != sub_name) + { + if (sub_name->sz > 0) + { + if (ATCA_SUCCESS == (status = cal_buf_write_bytes(cert_subject, 0U, sub_name->name, (size_t)sub_name->sz))) + { + status = ATCA_SUCCESS; + } + } + } + } + if (ATCA_SUCCESS != status) + { + /* No data is available */ + status = cal_buf_set_used(cert_subject, 0U); + } + return status; +} + +ATCA_STATUS atcac_get_subj_public_key(const struct atcac_x509_ctx* cert, cal_buffer* subj_public_key) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != subj_public_key) + { + WOLFSSL_EVP_PKEY* key; + + if (NULL != (key = wolfSSL_X509_get_pubkey(get_wssl_cert_from_atcac_ctx(cert)))) + { + ecc_key pubKeyEcc; + (void)memset(&pubKeyEcc, 0, sizeof(ecc_key)); + word32 idx = 0; + if (0 == wc_ecc_init(&pubKeyEcc)) + { + int pkey_sz = key->pkey_sz; // Cast to signed int + + if (pkey_sz >= 0) + { + if (0 == wc_EccPublicKeyDecode((byte*)key->pkey.ptr, &idx, &pubKeyEcc, (word32)key->pkey_sz)) + { + /* coverity[misra_c_2012_rule_9_1_violation:SUPPRESS] wc_ecc_init is called to initialize pubKeyEcc */ + if (NULL != pubKeyEcc.dp) + { + word32 xlen = (word32)pubKeyEcc.dp->size; + word32 ylen = (word32)pubKeyEcc.dp->size; + if (0 == wc_ecc_export_public_raw(&pubKeyEcc, (byte*)subj_public_key->buf, &xlen, + (byte*)&subj_public_key->buf[pubKeyEcc.dp->size], &ylen)) + { + status = ATCA_SUCCESS; + } + } + } + } + } + wolfSSL_EVP_PKEY_free(key); + if (0 != wc_ecc_free(&pubKeyEcc)) + { + status = ATCA_BAD_PARAM; + } + } + } + return status; +} + +ATCA_STATUS atcac_get_subj_key_id(const struct atcac_x509_ctx* cert, cal_buffer* subj_public_key_id) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + 
if (NULL != cert && NULL != subj_public_key_id) + { + if (subj_public_key_id->len <= UINT32_MAX) + { + int len_as_int = (int)(subj_public_key_id->len); + if (NULL != wolfSSL_X509_get_subjectKeyID(get_wssl_cert_from_atcac_ctx(cert), subj_public_key_id->buf, &len_as_int)) + { + status = ATCA_SUCCESS; + } + } + } + return status; +} + +ATCA_STATUS atcac_get_issue_date(const struct atcac_x509_ctx* cert, cal_buffer* not_before, uint8_t* fmt) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != not_before && NULL != fmt) + { + WOLFSSL_ASN1_TIME* x509_tm_date = wolfSSL_X509_get_notBefore((const WOLFSSL_X509*)&cert->ptr); + + if (NULL != x509_tm_date) + { + status = atcac_read_asn1_string(x509_tm_date, not_before, fmt); + } + } + return status; +} + +ATCA_STATUS atcac_get_expire_date(const struct atcac_x509_ctx* cert, cal_buffer* not_after, uint8_t* fmt) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != not_after && NULL != fmt) + { + WOLFSSL_ASN1_TIME* x509_tm_date = wolfSSL_X509_get_notAfter((const WOLFSSL_X509*)&cert->ptr); + + if (NULL != x509_tm_date) + { + status = atcac_read_asn1_string(x509_tm_date, not_after, fmt); + } + } + + return status; +} + +ATCA_STATUS atcac_get_cert_sn(const struct atcac_x509_ctx* cert, cal_buffer* cert_sn) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != cert_sn) + { + if (cert_sn->len <= UINT32_MAX) + { + int len_as_int = (int)(cert_sn->len); + if (WOLFSSL_SUCCESS == wolfSSL_X509_get_serial_number(get_wssl_cert_from_atcac_ctx(cert), cert_sn->buf, &len_as_int)) + { + status = ATCA_SUCCESS; + } + } + } + return status; +} + +ATCA_STATUS atcac_get_issuer(const struct atcac_x509_ctx* cert, cal_buffer* issuer_buf) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != issuer_buf) + { + WOLFSSL_X509_NAME* sub_name = wolfSSL_X509_get_issuer_name(get_wssl_cert_from_atcac_ctx(cert)); + + if (NULL != sub_name) + { + if (sub_name->sz > 0) + { + if (ATCA_SUCCESS 
== (status = cal_buf_write_bytes(issuer_buf, 0U, sub_name->name, (size_t)sub_name->sz))) + { + status = ATCA_SUCCESS; + } + } + } + } + if (ATCA_SUCCESS != status) + { + /* No data is available */ + status = cal_buf_set_used(issuer_buf, 0U); + } + return status; +} + +ATCA_STATUS atcac_get_auth_key_id(const struct atcac_x509_ctx* cert, cal_buffer* auth_key_id) +{ + ATCA_STATUS status = ATCA_BAD_PARAM; + + if (NULL != cert && NULL != auth_key_id) + { + if (auth_key_id->len <= UINT32_MAX) + { + int len_as_int = (int)(auth_key_id->len); + if (NULL != wolfSSL_X509_get_authorityKeyID(get_wssl_cert_from_atcac_ctx(cert), auth_key_id->buf, &len_as_int)) + { + status = ATCA_SUCCESS; + } + } + } + return status; +} + +void atcac_x509_free(void* cert) +{ + if (NULL != cert) + { + wolfSSL_X509_free((WOLFSSL_X509 *)cert); + } +} + #if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP) struct atcac_sha1_ctx * atcac_sha1_ctx_new(void) { @@ -713,5 +1055,7 @@ void atcac_pk_ctx_free(struct atcac_pk_ctx * ctx) hal_free(ctx); } #endif - #endif /* ATCA_WOLFSSL */ +#ifdef __COVERITY__ +#pragma coverity compliance end_block "CERT EXP40-C" "MISRA C-2012 Rule 10.3" "MISRA C-2012 Rule 11.3" "MISRA C-2012 Rule 11.8" +#endif diff --git a/lib/wolfssl/atca_wolfssl_interface.h b/lib/wolfssl/atca_wolfssl_interface.h index 8b4d61a67..6403c2ad9 100644 --- a/lib/wolfssl/atca_wolfssl_interface.h +++ b/lib/wolfssl/atca_wolfssl_interface.h @@ -98,9 +98,14 @@ * Indicates if this module is a provider of x509 certificate handling */ #ifndef HOSTLIB_CERT_EN -#define HOSTLIB_CERT_EN (DEFAULT_DISABLED) +#define HOSTLIB_CERT_EN (DEFAULT_ENABLED) #endif +typedef struct atcac_x509_ctx +{ + void* ptr; +} atcac_x509_ctx_t; + #endif /* ATCA_WOLFSSL */ #endif /* ATCA_WOLFSSL_CHECK_H */ diff --git a/license.txt b/license.txt index 1df672142..3c4c6ad83 100644 --- a/license.txt +++ b/license.txt 
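Review bot: atcac_get_subj_public_key writes twice `pubKeyEcc.dp->size` bytes into `subj_public_key->buf` without looking at `subj_public_key->len`, and the curve size comes from the parsed certificate, so a certificate whose key is on a larger curve than the caller sized the buffer for overruns it. Bound the export by the buffer capacity (assuming `len` is the capacity, as atcac_get_subj_key_id treats it), as in the excerpt below. Separately, atcac_get_subject and atcac_get_issuer call `cal_buf_set_used(..., 0U)` on the error path even when the buffer argument itself was the NULL that produced ATCA_BAD_PARAM, and then replace that status with the call's result. atcac_parse_der likewise bounds `der->len` by UINT32_MAX before casting it to int, where INT_MAX is the limit the cast needs.

```c
/* … unchanged: wc_ecc_init, pkey_sz check, wc_EccPublicKeyDecode … */
if ((NULL != pubKeyEcc.dp) && (pubKeyEcc.dp->size > 0))
{
    size_t coord_len = (size_t)pubKeyEcc.dp->size;

    /* The curve is chosen by the certificate, so bound the write by the caller's buffer */
    if (subj_public_key->len >= (2U * coord_len))
    {
        word32 xlen = (word32)coord_len;
        word32 ylen = (word32)coord_len;
        if (0 == wc_ecc_export_public_raw(&pubKeyEcc, (byte*)subj_public_key->buf, &xlen,
                                          (byte*)&subj_public_key->buf[coord_len], &ylen))
        {
            status = ATCA_SUCCESS;
        }
    }
}
/* … unchanged: wolfSSL_EVP_PKEY_free and wc_ecc_free … */
```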
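Review bot: The new `struct atcac_x509_ctx { void* ptr; }` in atca_wolfssl_interface.h needs a comment on how it is used, because the implementation never stores the certificate in `ptr`: atcac_parse_der writes the WOLFSSL_X509 pointer directly into `*cert`, and get_wssl_cert_from_atcac_ctx returns `&cert->ptr`, which equals the certificate pointer only because `ptr` is the first member. A one-line comment such as `/* Opaque alias: an atcac_x509_ctx* is the WOLFSSL_X509* itself; ptr must remain the first member */` would record that constraint for the next maintainer. The same hunk changes the HOSTLIB_CERT_EN default to DEFAULT_ENABLED, which presumably compiles the new certificate parsing into every wolfSSL build that does not set the macro, so it deserves a line in the description.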
@@ -19,4 +19,4 @@ OF ANY KIND WHATSOEVER RELATED TO THE SOFTWARE, HOWEVER CAUSED, EVEN IF MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OR THE DAMAGES ARE FORESEEABLE. TO THE FULLEST EXTENT ALLOWED BY LAW, MICROCHIP'S TOTAL LIABILITY ON ALL CLAIMS IN ANY WAY RELATED TO THIS SOFTWARE WILL NOT EXCEED THE AMOUNT OF -FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR THIS SOFTWARE. +FEES, IF ANY, THAT YOU HAVE PAID DIRECTLY TO MICROCHIP FOR THIS SOFTWARE. \ No newline at end of file diff --git a/python/cryptoauthlib/atcacert.py b/python/cryptoauthlib/atcacert.py index 5363bd778..c720b6ff3 100644 --- a/python/cryptoauthlib/atcacert.py +++ b/python/cryptoauthlib/atcacert.py @@ -77,6 +77,7 @@ class atcacert_device_zone_t(AtcaEnum): DEVZONE_CONFIG = 0x00 # Configuration zone. DEVZONE_OTP = 0x01 # One Time Programmable zone. DEVZONE_DATA = 0x02 # Data zone (slots). + DEVZONE_GENKEY = 0x03, # Data zone - Generate Pubkey (slots). DEVZONE_NONE = 0x07 # Special value used to indicate there is no device location. @@ -206,7 +207,7 @@ class atcacert_device_loc_t(AtcaStructure): _pack_ = 1 _def_ = { 'zone': (atcacert_device_zone_t,), # Zone in the device. - 'slot': (c_uint8,), # Slot within the data zone. Only applies if zone is DEVZONE_DATA. + 'slot': (c_uint16,), # Slot within the data zone. Only applies if zone is DEVZONE_DATA. 'is_genkey': (c_uint8,), # If true, use GenKey command to get the contents instead of Read. 'offset': (c_uint16,), # Byte offset in the zone. 'count': (c_uint16,) # Byte count. @@ -248,6 +249,8 @@ class atcacert_def_t(AtcaStructure): atcacert_def_t._def_ = { # pylint: disable=protected-access # Certificate type. 'type': (atcacert_cert_type_t,), + # Where on the device the compressed cert can be found. + 'comp_cert_dev_loc': (atcacert_device_loc_t,), # ID for the this certificate definition (4-bit value). 'template_id': (c_uint8,), # ID for the certificate chain this definition is a part of (4-bit value). 
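Review bot: `DEVZONE_GENKEY = 0x03,` in atcacert_device_zone_t ends with a comma before the comment, so Python binds the member to the one-element tuple `(3,)` rather than the integer the neighbouring members use. Drop the comma: `DEVZONE_GENKEY = 0x03  # Data zone - Generate Pubkey (slots).` How AtcaEnum handles a tuple value is not visible here, but it cannot correspond to the C enum value 3. The later hunks on this file widen `slot` to c_uint16 and move `comp_cert_dev_loc` inside `_pack_ = 1` structures, so the field order and widths have to match the C definitions exactly; a comment naming the C struct they mirror would help.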
@@ -269,8 +272,6 @@ class atcacert_def_t(AtcaStructure): 'expire_years': (c_uint8,), # Where on the device the public key can be found. 'public_key_dev_loc': (atcacert_device_loc_t,), - # Where on the device the compressed cert can be found. - 'comp_cert_dev_loc': (atcacert_device_loc_t,), # Where in the certificate template the standard cert elements are inserted. 'std_cert_elements': (atcacert_cert_loc_t, atcacert_std_cert_element_t), # Additional certificate elements outside of the standard certificate contents. diff --git a/python/cryptoauthlib/iface.py b/python/cryptoauthlib/iface.py index 455cf9f91..537218296 100644 --- a/python/cryptoauthlib/iface.py +++ b/python/cryptoauthlib/iface.py @@ -70,6 +70,7 @@ class ATCADeviceType(AtcaEnum): ATECC608 = 3 ATSHA206A = 4 TA100 = 0x10 + TA101 = 0x11 ECC204 = 0x20 TA010 = 0x21 ECC206 = 0x22 diff --git a/python/cryptoauthlib/library.py b/python/cryptoauthlib/library.py index 63f975983..b644bdb18 100644 --- a/python/cryptoauthlib/library.py +++ b/python/cryptoauthlib/library.py @@ -172,6 +172,7 @@ def get_device_type_id(name): 'ATECC608': 3, 'ATSHA206A': 4, 'TA100': 0x10, + 'TA101': 0x11, 'ECC204': 0x20, 'TA010': 0x21, 'ECC206': 0x22, diff --git a/python/tests/test_atcacert.py b/python/tests/test_atcacert.py index 0692172a8..1d258b637 100644 --- a/python/tests/test_atcacert.py +++ b/python/tests/test_atcacert.py @@ -62,7 +62,7 @@ {'offset': 207, 'count': 64}, {'offset': 351, 'count': 75}, {'offset': 101, 'count': 13}, - {'offset': 0, 'count': 0}, + {'offset': 116, 'count': 15}, {'offset': 93, 'count': 4}, {'offset': 15, 'count': 16}, {'offset': 319, 'count': 20}, 
@@ -174,9 +174,7 @@ def create_device_cert(cert_def): # Device cert must have minutes and seconds set to 0 builder = builder.not_valid_before(datetime.now(tz=pytz.utc).replace(minute=0, second=0)) - - # Should be year 9999, but this doesn't work on windows - builder = builder.not_valid_after(datetime(3000, 12, 31, 23, 59, 59)) + builder = builder.not_valid_after(datetime(9999, 12, 31, 23, 59, 59)) builder = builder.subject_name(x509.Name([ x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, u'Example Inc'), diff --git a/release_notes.md b/release_notes.md index da81ac5b7..5c38a75b5 100644 --- a/release_notes.md +++ b/release_notes.md @@ -1,6 +1,29 @@ # Microchip Cryptoauthlib Release Notes +## Release v3.7.1 (12/15/2023) + +### New Features + - PKCS11 module enhancements for x509 public key certificates + - Added more certificate attributes to x509 public key certificates. + These attributes include certificate start date, certificate end date, subject, + subject key, DER encoded certificate issuer name, DER encoded certificate + serial number and hash of the issuer public key. + - Added cache support to store these certificates into stack memory and utilize + it for parsing the above specified certificate attributes. + - See [talib/CHANGES.md] for details on talib module changes + +### Fixes + - Updated atcab_read_config_zone to support SHA106 + - For Linux platforms, i2c baud rate is always set to 100 khz as the default configuration + - Resolved build errors when ATCA_USE_SHARED_MUTEX is disabled + - Resolved build error with ATCA_JWT_EN + +### API Changes + - Added atcacert_get_subject api to get the subject name from public x509 certificates + - Added atcacert_get_issuer api to get the issuer name from public x509 certificates + - Updated the atcacert_def_s structure to include x509 full certificates support + ## Release v3.7.0 (09/08/2023) ### New Features 
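Review bot: The create_device_cert hunk deletes the comment that explained why the expiry was capped at year 3000 ("doesn't work on windows") and switches to `datetime(9999, 12, 31, 23, 59, 59)` without recording what changed. If that platform limitation still applies, this test fails there, so either confirm it is gone or keep a guard. A replacement comment such as `# 9999-12-31 23:59:59 is the X.509 "no well-defined expiration" date` would say why this value is used. The new value is also a naive datetime while `not_valid_before` is built with `tz=pytz.utc`; passing `tzinfo=pytz.utc` here would keep the two consistent.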
@@ -14,12 +37,12 @@ party headers. ### API Changes - - The software crypto structures are generally no longer typedef'd so they must be - declared with the `struct` keyword. New typedefs were added by appending the + - The software crypto structures are generally no longer typedef'd so they must be + declared with the `struct` keyword. New typedefs were added by appending the suffix `_t` which allows for the same mechanism for declaring these structure in code - if building a standalone application (such as in embedded projects). If dynamically - linking with the library and using a third party crypto library one will need to use - the `_new` & `_free` APIs to allocate these structures for use with the `atcac` + if building a standalone application (such as in embedded projects). If dynamically + linking with the library and using a third party crypto library one will need to use + the `_new` & `_free` APIs to allocate these structures for use with the `atcac` interfaces. ## Release v3.6.1 (07/14/2023) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index b80a1ca70..a35ec5b02 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -12,6 +12,7 @@ file(GLOB TEST_API_ATCAB RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "api_atcab/*.c") file(GLOB TEST_API_CALIB RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "api_calib/*.c") file(GLOB TEST_API_CRYPTO RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "api_crypto/*.c") file(GLOB TEST_API_TALIB RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "api_talib/*.c") +file(GLOB TEST_HAL_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "hal/*.c") file(GLOB TEST_VECTORS_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "vectors/*.c") file(GLOB TEST_INTEGRATION_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "integration/*.c") file(GLOB TEST_SRC RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} "*.c") 
@@ -24,11 +25,12 @@ set(CRYPTOAUTH_TEST_SRC ${TEST_SRC} ${TEST_API_ATCAB} ${TEST_API_CALIB} ${TEST_API_CRYPTO} + ${TEST_HAL_SRC} ${TEST_VECTORS_SRC}) -if(ATCA_TA100_SUPPORT) +if(ATCA_TA100_SUPPORT OR ATCA_TA101_SUPPORT) set(CRYPTOAUTH_TEST_SRC ${CRYPTOAUTH_TEST_SRC} ${TEST_API_TALIB}) -endif(ATCA_TA100_SUPPORT) +endif(ATCA_TA100_SUPPORT OR ATCA_TA101_SUPPORT) if(ATCA_WPC_SUPPORT) set(CRYPTOAUTH_TEST_SRC ${CRYPTOAUTH_TEST_SRC} ${TEST_WPC_SRC}) @@ -58,6 +60,7 @@ include_directories(cryptoauth_test ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_SOURCE_DIR}/api_calib ${CMAKE_CURRENT_SOURCE_DIR}/api_crypto ${CMAKE_CURRENT_SOURCE_DIR}/api_talib + ${CMAKE_CURRENT_SOURCE_DIR}/hal ${CMAKE_CURRENT_SOURCE_DIR}/integration ${CMAKE_CURRENT_SOURCE_DIR}/../lib ${CMAKE_CURRENT_SOURCE_DIR}/../third_party diff --git a/test/api_atcab/atca_tests_sign.c b/test/api_atcab/atca_tests_sign.c index c01081d8b..d4b3796d3 100644 --- a/test/api_atcab/atca_tests_sign.c +++ b/test/api_atcab/atca_tests_sign.c @@ -98,6 +98,7 @@ TEST(atca_cmd_basic_test, sign_sw_verify) #if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP) if (NULL != pkey) { + atcac_pk_free(pkey); atcac_pk_ctx_free(pkey); } #endif diff --git a/test/api_atcab/atca_tests_verify.c b/test/api_atcab/atca_tests_verify.c index c959baee3..f5dafd462 100644 --- a/test/api_atcab/atca_tests_verify.c +++ b/test/api_atcab/atca_tests_verify.c @@ -238,7 +238,7 @@ TEST(atca_cmd_basic_test, verify_stored) TEST_ASSERT(!is_verified); } -#if TEST_ATCAB_VERIFY_REQRANDOM_EN +#if TEST_ATCAB_VERIFY_REQRANDOM_EN && ATCA_CA_SUPPORT TEST_CONDITION(atca_cmd_basic_test, verify_stored_on_reqrandom_set) { ATCADeviceType dev_type = atca_test_get_device_type(); @@ -248,6 +248,7 @@ TEST_CONDITION(atca_cmd_basic_test, verify_stored_on_reqrandom_set) || (ATECC608 == dev_type); } + TEST(atca_cmd_basic_test, verify_stored_on_reqrandom_set) { ATCA_STATUS status; 
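Review bot: In `sign_sw_verify` the added `atcac_pk_free(pkey);` sits inside `#if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP)`, so a build without heap support never reaches it. If `atcac_pk_free` releases backend key state rather than the context struct itself (its definition is not visible here), that state stays unreleased in `ATCA_NO_HEAP` builds. In that case the call belongs before the `#if`, with only `atcac_pk_ctx_free(pkey);` left under the guard. The same placement is repeated for `sign_ctx` and `verify_ctx` in `sign_simple` (`test/api_crypto/test_crypto_pk.c`, hunk `@@ -205,8 +205,16 @@`). Both test bodies start outside their hunks, so an earlier release call cannot be ruled out from here.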
@@ -704,7 +705,7 @@ t_test_case_info verify_basic_test_info[] = #endif /* TEST_ATCAB_VERIFY_EXTERN_EN */ #if TEST_ATCAB_VERIFY_STORED_EN { REGISTER_TEST_CASE(atca_cmd_basic_test, verify_stored), atca_test_cond_p256_sign_verify }, -#if TEST_ATCAB_VERIFY_REQRANDOM_EN +#if TEST_ATCAB_VERIFY_REQRANDOM_EN && ATCA_CA_SUPPORT { REGISTER_TEST_CASE(atca_cmd_basic_test, verify_stored_on_reqrandom_set), REGISTER_TEST_CONDITION(atca_cmd_basic_test, verify_stored_on_reqrandom_set) }, #endif #if TEST_ATCAB_VERIFY_MAC_EN diff --git a/test/api_atcab/atca_tests_write.c b/test/api_atcab/atca_tests_write.c index fac375df4..a3f294f17 100644 --- a/test/api_atcab/atca_tests_write.c +++ b/test/api_atcab/atca_tests_write.c @@ -708,6 +708,8 @@ TEST(atca_cmd_basic_test, write_config_zone) #endif #if ATCA_TA_SUPPORT case TA100: + /* fallthrough */ + case TA101: status = atcab_write_config_zone(test_ta10x_configdata); break; #endif diff --git a/test/api_crypto/test_crypto_pk.c b/test/api_crypto/test_crypto_pk.c index 855435305..b466c73d5 100644 --- a/test/api_crypto/test_crypto_pk.c +++ b/test/api_crypto/test_crypto_pk.c @@ -205,8 +205,16 @@ TEST(atcac_pk, sign_simple) TEST_ASSERT_NOT_EQUAL(ATCA_SUCCESS, status); #if defined(ATCA_BUILD_SHARED_LIBS) || !defined(ATCA_NO_HEAP) - atcac_pk_ctx_free(sign_ctx); - atcac_pk_ctx_free(verify_ctx); + if (NULL != sign_ctx) + { + atcac_pk_free(sign_ctx); + atcac_pk_ctx_free(sign_ctx); + } + if (NULL != verify_ctx) + { + atcac_pk_free(verify_ctx); + atcac_pk_ctx_free(verify_ctx); + } #endif } diff --git a/test/atca_test.c b/test/atca_test.c index 7cb97f066..df5b82973 100644 --- a/test/atca_test.c +++ b/test/atca_test.c @@ -239,7 +239,6 @@ void RunWPCTests(void) #ifdef ATCA_NO_HEAP ATCA_DLL ATCADevice g_atcab_device_ptr; ATCA_DLL struct atca_device g_atcab_device; -ATCA_DLL struct atca_command g_atcab_command; ATCA_DLL struct atca_iface g_atcab_iface; #endif 
@@ -448,6 +447,8 @@ ATCA_STATUS atca_test_config_get_id(uint8_t test_type, uint16_t* handle) #endif #if ATCA_TA_SUPPORT case TA100: + /* fallthrough */ + case TA101: status = talib_config_get_handle_by_test(test_type, handle); break; #endif diff --git a/test/atca_test.h b/test/atca_test.h index 4eab04044..57714bdf4 100644 --- a/test/atca_test.h +++ b/test/atca_test.h @@ -185,7 +185,10 @@ void atca_test_assert_ta_sboot_preboot_enabled(UNITY_LINE_TYPE from_line); #define TEST_TYPE_AUTH_CMAC (9) #define TEST_TYPE_AUTH_GCM (10) #define TEST_TYPE_ECC_ROOT_KEY (11) -#define TEST_TYPE_TEMPLATE_DATA (12) +#define TEST_TYPE_ECC_ROOTED25519_KEY (12) +#define TEST_TYPE_ECC_ROOTRSA2K_KEY (13) +#define TEST_TYPE_TEMPLATE_DATA (14) +#define TEST_TYPE_CRL_KEY_SIGN (15) typedef struct { diff --git a/test/atca_test_config.c b/test/atca_test_config.c index 937fc9448..6121c87ab 100644 --- a/test/atca_test_config.c +++ b/test/atca_test_config.c @@ -244,6 +244,11 @@ static int select_custom(int argc, char* argv[]) case TA100: ret = select_ta100_custom(argc, argv); break; +#endif +#ifdef ATCA_TA101_SUPPORT + case TA101: + ret = select_ta101_custom(argc, argv); + break; #endif default: ret = -1; @@ -405,11 +410,13 @@ static int opt_iface_i2c(int argc, char* argv[]) } if (1 < argc) + { + ATCA_IFACECFG_VALUE(gCfg, atcai2c.baud) = (uint32_t)strtol(argv[1], NULL, 10); + } + else { #ifdef __linux__ ATCA_IFACECFG_VALUE(gCfg, atcai2c.baud) = 100000; -#else - ATCA_IFACECFG_VALUE(gCfg, atcai2c.baud) = (uint32_t)strtol(argv[1], NULL, 10); #endif } diff --git a/test/atcacert/test_atcacert_client.c b/test/atcacert/test_atcacert_client.c index 72e927e38..636ce3913 100644 --- a/test/atcacert/test_atcacert_client.c +++ b/test/atcacert/test_atcacert_client.c 
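Review bot: The baud rate taken from `argv[1]` in `opt_iface_i2c` is converted with `strtol(argv[1], NULL, 10)` and cast straight to `uint32_t`, so non-numeric text becomes 0, a negative number wraps to a very large value, and an out-of-range result goes unnoticed. Now that this branch is also taken on Linux, the value should be parsed with an end pointer and range-checked before it is stored in `atcai2c.baud`. The sketch below needs `<errno.h>` and the function's own error return, which is outside the hunk.

```c
    if (1 < argc)
    {
        char* end = NULL;
        long baud;

        errno = 0;
        baud = strtol(argv[1], &end, 10);
        if ((end == argv[1]) || ('\0' != *end) || (ERANGE == errno) || (baud <= 0) || ((unsigned long)baud > UINT32_MAX))
        {
            /* reject the option here using opt_iface_i2c's existing error return */
        }
        else
        {
            ATCA_IFACECFG_VALUE(gCfg, atcai2c.baud) = (uint32_t)baud;
        }
    }
    /* ... unchanged: else branch with the Linux default of 100000 ... */
```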
@@ -37,6 +37,12 @@ #include "test_cert_def_0_device.h" #include "test_cert_def_1_signer.h" #include "test_cert_def_2_device_csr.h" +#include "test_cert_def_4_device.h" +#include "test_cert_def_5_device.h" + +#ifdef ATCA_MBEDTLS + #include "mbedtls/certs.h" +#endif extern ATCAIfaceCfg *gCfg; @@ -50,6 +56,7 @@ size_t g_signer_cert_ref_size = 0; uint8_t g_device_cert_ref[512]; size_t g_device_cert_ref_size = 0; +#if ATCACERT_COMPCERT_EN static void build_and_save_cert( const atcacert_def_t* cert_def, uint8_t* cert, @@ -148,6 +155,7 @@ static void build_and_save_cert( } } } +#endif TEST_GROUP(atcacert_client); @@ -188,6 +196,7 @@ TEST_TEAR_DOWN(atcacert_client) TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); } +#if ATCACERT_COMPCERT_EN TEST(atcacert_client, init) { int ret = 0; @@ -537,6 +546,7 @@ TEST(atcacert_client, atcacert_generate_device_csr) } + TEST(atcacert_client, atcacert_generate_device_csr_pem) { uint8_t csr_der_buffer[512]; 
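Review bot: The new `#include "mbedtls/certs.h"` under `#ifdef ATCA_MBEDTLS` (hunk `@@ -37,6 +37,12 @@`) ties this test file to Mbed TLS 2.x, because the certs module with its test certificates and keys was removed from the library's public headers in Mbed TLS 3.0. Whether anything in the file uses those test certificates is not visible in this hunk, so the include may also be unnecessary. If it is needed, I would guard it on the library version after including `mbedtls/version.h`, for example `#if defined(ATCA_MBEDTLS) && (MBEDTLS_VERSION_MAJOR < 3)`. I would also add the comment `/* test-only certificates from Mbed TLS 2.x; not for production use */`.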
@@ -583,3 +593,701 @@ TEST(atcacert_client, atcacert_generate_device_csr_pem) TEST_ASSERT(is_verified); } #endif + +#if ATCACERT_INTEGRATION_EN + +//For ECC608 +#ifdef ATCA_ATECC608_SUPPORT +uint8_t test_ecc608_configdata_full_cert_test[ATCA_ECC_CONFIG_SIZE] = { + 0x01, 0x23, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00, 0x04, 0x05, 0x06, 0x07, 0xEE, 0x01, 0x01, 0x00, //15 + 0xC0, 0x00, 0xA1, 0x00, 0xAF, 0x2F, 0xC4, 0x44, 0x87, 0x20, 0xC4, 0xF4, 0x8F, 0x0F, 0x0F, 0x0F, //31, + 0x9F, 0x8F, 0x83, 0x64, 0x04, 0x04, 0xC4, 0x64, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, //47 + 0x0F, 0x0F, 0x0F, 0x0F, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, //63 + 0x00, 0x00, 0x00, 0x00, 0xFF, 0x84, 0x03, 0xBC, 0x09, 0x69, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00, //79 + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, //95 + 0x33, 0x00, 0x1C, 0x00, 0x13, 0x00, 0x1C, 0x00, 0x3C, 0x00, 0x3A, 0x10, 0x1C, 0x00, 0x33, 0x00, //111 + 0x1C, 0x00, 0x1C, 0x00, 0x38, 0x00, 0x30, 0x00, 0x3C, 0x00, 0x3C, 0x00, 0x32, 0x00, 0x30, 0x00 //127 +}; +#endif + +#if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) +const uint8_t test_ecc_configdata_full_cert_test[ATCA_ECC_CONFIG_SIZE] = { + 0x01, 0x23, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x04, 0x05, 0x06, 0x07, 0xEE, 0x00, 0x01, 0x00, //15 + 0xC0, 0x00, 0x55, 0x00, 0x8F, 0x2F, 0xC4, 0x44, 0x87, 0x20, 0xC4, 0xF4, 0x8F, 0x0F, 0x8F, 0x8F, //31, + 0x9F, 0x8F, 0x83, 0x64, 0x04, 0x04, 0xC4, 0x64, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, //47 + 0x0F, 0x0F, 0x0F, 0x0F, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, //63 + 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, //79 + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //95 + 0x33, 0x00, 0x1C, 0x00, 0x13, 0x00, 0x1C, 0x00, 0x3C, 0x00, 0x1C, 0x00, 0x1C, 0x00, 0x33, 0x00, //111 + 0x1C, 0x00, 0x1C, 0x00, 
0x3C, 0x00, 0x30, 0x00, 0x3C, 0x00, 0x3C, 0x00, 0x32, 0x00, 0x30, 0x00 //127 +}; +#endif + +TEST(atcacert_client, atcacert_get_subj) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + uint8_t subject_data[256] = { 0x00 }; + cal_buffer subject_data_buf = CAL_BUF_INIT(sizeof(subject_data), subject_data); + size_t cert_sz = 0x00; + ATCADeviceType dev_type = atca_test_get_device_type(); + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3); + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subject(&g_test_cert_def_5_device, cert_buffer, cert_sz, &subject_data_buf); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + } + else + { +#if ATCA_TA_SUPPORT + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + /* Creating data handle for storing the complete signer 
certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = sizeof(g_test_ecc256_ca_cert); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subject(&g_test_cert_def_4_device, cert_buffer, cert_sz, &subject_data_buf); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } + +} + +TEST(atcacert_client, atcacert_get_subj_pbkey) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + // Skip test if data zone isn't locked + test_assert_data_is_locked(); + + // Skip test if config zone isn't locked + test_assert_config_is_locked(); + size_t cert_sz = 0x00; + ATCADeviceType dev_type = atca_test_get_device_type(); + uint8_t ref_pubkey[64] = { 0x00 }; + + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + uint8_t ref_pubkey_ecc[64] = 
{0x6B,0xD8,0xEC,0x15,0x0F,0xD5,0xB6,0x44,0xE4,0xC1,0xB4,0x41,0x23,0xA0,0xE3,0x9E,0x6E,0xFD,0x88,0x83,0x07,0xAE,0xCC,0x0B,0x81,0x54,0x51,0x2C,0x5E,0x7F,0x71,0xFB,0x8E,0xE5,0x7B,0x15,0x61,0xB1,0xB5,0x8E,0x93,0x65,0x7A,0x02,0x68,0xA4,0x1F,0x00,0xE5,0x0B,0x02,0x5D,0x12,0xD1,0x39,0x4C,0x84,0xAC,0x94,0xC7,0x51,0x51,0xD3,0x1F}; + memcpy(ref_pubkey, ref_pubkey_ecc, 64); + cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608)-3); + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subj_public_key(&g_test_cert_def_5_device, cert_buffer, cert_sz, public_key); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + } + else + { +#if ATCA_TA_SUPPORT + + uint8_t ref_pubkey_ta[64] = { 0x62, 0xB4, 0xC4, 0xF9, 0x4E, 0xD0, 0xDB, 0x36, 0xFE, 0xEC, 0x9A, 0x4E, 0xC8, 0x2A, 0x93, 0x96, 0x47, 0x1D, 0x01, 0x0A, 0xA9, 0x37, 0x91, 0x98, 0xB4, 0xBD, 0xDB, 0x7E, 0xEB, 0xD3, 0x32, 0x65, 0x88, 0xAA, 0xA5, 0x53, 0xC1, 0x61, 0x63, 0x92, 0xC9, 0xE4, 0x2D, 0xD1, 0x88, 0x56, 0x9F, 0x9A, 0xC2, 0x54, 0x85, 0x4A, 0xAA, 0xF4, 0xEC, 0xB8, 0x12, 0xBC, 0x66, 0x5D, 0x76, 0xE2, 0x22, 0xC8 }; + memcpy(ref_pubkey, ref_pubkey_ta, 64); + cert_sz = sizeof(g_test_ecc256_ca_cert); + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + /* Creating data handle for storing the complete signer certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, 
&data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subj_public_key(&g_test_cert_def_4_device, cert_buffer, cert_sz, public_key); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } + TEST_ASSERT_EQUAL(0, memcmp(ref_pubkey, public_key, sizeof(ref_pubkey))); +} + +TEST(atcacert_client, atcacert_get_subj_pbkey_id) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + // Skip test if data zone isn't locked + test_assert_data_is_locked(); + + // Skip test if config zone isn't locked + test_assert_config_is_locked(); + uint8_t key_id[20] = { 0x00 }; + uint8_t ref_key_id[20] = { 0x00 }; + uint8_t key_id_sz = sizeof(ref_key_id); + ATCADeviceType dev_type = atca_test_get_device_type(); + size_t cert_sz = 0x00; + + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + uint8_t ref_key_id_ecc[20] = { 0x52,0xCB,0xBF,0x0D,0xA6,0xA5,0xE2,0x72,0x67,0x61,0x39,0x87,0xE5,0x24,0xAE,0xC3,0x7D,0x74,0xE2,0x3F }; + memcpy(ref_key_id, ref_key_id_ecc, sizeof(ref_key_id_ecc)); + cert_sz = 
sizeof(g_test_ecc256_ca_cert_ecc608); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3); + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subj_key_id(&g_test_cert_def_5_device, cert_buffer, cert_sz, key_id); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + + } + else + { +#if ATCA_TA_SUPPORT + uint8_t ref_key_id_ta[20] = { 0x00, 0xD8, 0xDE, 0xEC, 0x59, 0x5C, 0xE6, 0x3E, 0x43, 0x44, 0x77, 0xEA, 0xDA, 0x57, 0xE4, 0xEB, 0x6C, 0x22, 0xD6, 0x15 }; + memcpy(ref_key_id, ref_key_id_ta, sizeof(ref_key_id_ta)); + cert_sz = sizeof(g_test_ecc256_ca_cert); + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + /* Creating data handle for storing the complete signer certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_subj_key_id(&g_test_cert_def_4_device, cert_buffer, cert_sz, key_id); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } + 
TEST_ASSERT_EQUAL(0, memcmp(ref_key_id, key_id, key_id_sz)); +} + +TEST(atcacert_client, atcacert_get_issue_date_test) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + atcacert_tm_utc_t issue_date = { + .tm_year = 0, + .tm_mon = 0, //Actual month as per the test certificate (g_test_ecc256_ca_cert) is December. CAL takes 0 as Jan and Dec as 11 + .tm_mday = 0, + .tm_hour = 0, + .tm_min = 0, + .tm_sec = 0 + }; + size_t cert_sz = 0x00; + // Skip test if data zone isn't locked + test_assert_data_is_locked(); + + // Skip test if config zone isn't locked + test_assert_config_is_locked(); + + atcacert_tm_utc_t issue_date_ref = { + .tm_year = 0, + .tm_mon = 0, //Actual month as per the test certificate (g_test_ecc256_ca_cert) is December. CAL takes 0 as Jan and Dec as 11 + .tm_mday = 0, + .tm_hour = 0, + .tm_min = 0, + .tm_sec = 0 + }; + + ATCADeviceType dev_type = atca_test_get_device_type(); + + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + static const atcacert_tm_utc_t issue_date_ref_ecc = { + .tm_year = 121, + .tm_mon = 11, //Actual month as per the test certificate (g_test_ecc256_ca_cert) is December. 
CAL takes 0 as Jan and Dec as 11 + .tm_mday = 30, + .tm_hour = 15, + .tm_min = 33, + .tm_sec = 32 + }; + memcpy(&issue_date_ref, &issue_date_ref_ecc, sizeof(issue_date_ref_ecc)); + cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608); + + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3); + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Not Before : Dec 24 18 : 26 : 04 2022 GMT + //221224182604Z (from asn1 editor) + status = atcacert_get_issue_date(&g_test_cert_def_5_device, cert_buffer, cert_sz, &issue_date); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + } + else + { +#if ATCA_TA_SUPPORT + static const atcacert_tm_utc_t issue_date_ref_ta = { + .tm_year = 122, + .tm_mon = 11, //Actual month as per the test certificate (g_test_ecc256_ca_cert) is December. 
CAL takes 0 as Jan and Dec as 11 + .tm_mday = 24, + .tm_hour = 18, + .tm_min = 26, + .tm_sec = 04 + }; + memcpy(&issue_date_ref, &issue_date_ref_ta, sizeof(issue_date_ref_ta)); + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = sizeof(g_test_ecc256_ca_cert); + /* Creating data handle for storing the complete signer certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Not Before : Dec 24 18 : 26 : 04 2022 GMT + //221224182604Z (from asn1 editor) + status = atcacert_get_issue_date(&g_test_cert_def_4_device, cert_buffer, cert_sz, &issue_date); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } + TEST_ASSERT_EQUAL(0, memcmp(&issue_date_ref, &issue_date, sizeof(atcacert_tm_utc_t))); +} + +TEST(atcacert_client, atcacert_get_expiry_date) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + atcacert_tm_utc_t expiry_date = { + .tm_year = 0, + .tm_mon = 0, + .tm_mday = 0, + .tm_hour = 0, + .tm_min = 0, + .tm_sec = 0, + }; + + size_t cert_sz = 0x00; + + atcacert_tm_utc_t expiry_date_ref = { + .tm_year = 0, + .tm_mon = 0, + .tm_mday = 0, + .tm_hour = 0, + .tm_min = 0, + .tm_sec = 0, + }; + // Skip test if 
data zone isn't locked + test_assert_data_is_locked(); + + // Skip test if config zone isn't locked + test_assert_config_is_locked(); + ATCADeviceType dev_type = atca_test_get_device_type(); + + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + static const atcacert_tm_utc_t expiry_date_ref_ecc = { + .tm_year = 131, + .tm_mon = 11, + .tm_mday = 28, + .tm_hour = 15, + .tm_min = 33, + .tm_sec = 32, + }; + memcpy(&expiry_date_ref, &expiry_date_ref_ecc, sizeof(expiry_date_ref_ecc)); + cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608); + + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3); + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_expire_date(&g_test_cert_def_5_device, cert_buffer, cert_sz, &expiry_date); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + } + else + { +#if ATCA_TA_SUPPORT + static const atcacert_tm_utc_t expiry_date_ref_ta = { + .tm_year = 123, + .tm_mon = 11, + .tm_mday = 24, + .tm_hour = 18, + .tm_min = 26, + .tm_sec = 04, + }; + memcpy(&expiry_date_ref, &expiry_date_ref_ta, sizeof(expiry_date_ref_ta)); + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + 
status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + /* Creating data handle for storing the complete signer certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = sizeof(g_test_ecc256_ca_cert); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_expire_date(&g_test_cert_def_4_device, cert_buffer, cert_sz, &expiry_date); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } + + TEST_ASSERT_EQUAL(0, memcmp(&expiry_date_ref, &expiry_date, sizeof(atcacert_tm_utc_t))); +} + +TEST(atcacert_client, atcacert_get_serial_num) +{ + ATCA_STATUS status; + uint8_t cert_buffer[800] = { 0x00 }; + uint8_t public_key[64] = { 0x00 }; + uint8_t ref_cert_sn[32] = {0x00}; + uint8_t cert_sn[32] = { 0x00 }; + size_t cert_sn_size = sizeof(cert_sn); + size_t cert_sz = 0x00; + + // Skip test if data zone isn't locked + test_assert_data_is_locked(); + + // Skip test if config zone isn't locked + test_assert_config_is_locked(); + + ATCADeviceType dev_type = atca_test_get_device_type(); + + if (atcab_is_ca_device(dev_type)) + { +#if ATCA_CA_SUPPORT + // Skip test if data zone is locked + test_assert_data_is_unlocked(); + + // Skip test if config zone is locked + test_assert_config_is_unlocked(); + + #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT) + status = atcab_write_config_zone(test_ecc_configdata_full_cert_test); + + #elif defined(ATCA_ATECC608_SUPPORT) + 
status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test); + #endif + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + uint8_t ref_cert_sn_ecc[32] = {0x51 , 0xd7 , 0x42 , 0x1c , 0xdd , 0xd2 , 0xed , 0xed , 0xd0 , 0x3d , 0x59 , 0xa4 , 0x15 , 0xec , 0xf0 , 0xd1 , 0xcc , 0xaa , 0xce , 0xcb}; + cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608); + + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3); + + status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + memcpy(ref_cert_sn, ref_cert_sn_ecc, sizeof(ref_cert_sn_ecc)); + status = atcacert_get_cert_sn(&g_test_cert_def_5_device, cert_buffer, cert_sz, cert_sn, &cert_sn_size); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#else + status = ATCA_NO_DEVICES; +#endif + } + else + { +#if ATCA_TA_SUPPORT + uint8_t ref_cert_sn_ta[32] = { 0x01 }; + memcpy(ref_cert_sn, ref_cert_sn_ta, sizeof(ref_cert_sn_ta)); + cert_sz = sizeof(g_test_ecc256_ca_cert); + ta_element_attributes_t data_attr; + uint16_t signer_cert_handle = 0x8800; + cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert); + status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert)); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + /* Creating data handle for storing the complete signer certificate */ + status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + + //Read cert to check the asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + 
status = atcacert_get_cert_sn(&g_test_cert_def_4_device, cert_buffer, cert_sz, cert_sn, &cert_sn_size);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+#endif
+ }
+ TEST_ASSERT_EQUAL(0, memcmp(ref_cert_sn, cert_sn, cert_sn_size));
+}
+
+TEST(atcacert_client, atcacert_get_auth_key_id_test)
+{
+ ATCA_STATUS status;
+ uint8_t cert_buffer[800] = { 0x00 };
+ size_t cert_sz = 0x00;
+ uint8_t ref_auth_key_id[20] = {0x00};
+ uint8_t auth_key_id[20] = { 0x00 };
+ uint8_t public_key[64] = { 0x00 };
+
+ // Skip test if data zone isn't locked
+ test_assert_data_is_locked();
+
+ // Skip test if config zone isn't locked
+ test_assert_config_is_locked();
+
+ ATCADeviceType dev_type = atca_test_get_device_type();
+
+ if (atcab_is_ca_device(dev_type))
+ {
+#if ATCA_CA_SUPPORT
+ // Skip test if data zone is locked
+ test_assert_data_is_unlocked();
+
+ // Skip test if config zone is locked
+ test_assert_config_is_unlocked();
+
+ #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT)
+ status = atcab_write_config_zone(test_ecc_configdata_full_cert_test);
+
+ #elif defined(ATCA_ATECC608_SUPPORT)
+ status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test);
+ #endif
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ uint8_t ref_authkey_id_ecc[20] = { 0x99,0x9C,0xA4,0x4C,0xC7,0x23,0x40,0xD9,0xA9,0xC6,0x85,0xAF,0x76,0x76,0x04,0x34,0x13,0x81,0x72,0xB8 };
+ memcpy(ref_auth_key_id, ref_authkey_id_ecc, sizeof(ref_authkey_id_ecc));
+ cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608);
+
+ status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3);
+
+ status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = atcacert_get_auth_key_id(&g_test_cert_def_5_device, cert_buffer, cert_sz, auth_key_id);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+#else
+ status = ATCA_NO_DEVICES;
+#endif
+ }
+ else
+ {
+#if ATCA_TA_SUPPORT
+ uint8_t ref_auth_key_id_ta[20] = { 0xA8,0xC1,0x09,0x1C,0x2C,0x82,0xF6,0xE7,0x36,0xB9,0x40,0x2D,0xAB,0x7B,0x27,0xC8,0x08,0x5D,0x18,0xBF };
+ memcpy(ref_auth_key_id, ref_auth_key_id_ta, sizeof(ref_auth_key_id_ta));
+ cert_sz = sizeof(g_test_ecc256_ca_cert);
+ ta_element_attributes_t data_attr;
+ uint16_t signer_cert_handle = 0x8800;
+ cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert);
+ status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert));
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+
+ /* Creating data handle for storing the complete signer certificate */
+ status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+
+ //Read cert to check the asn1 parse der api works fine
+ status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = atcacert_get_auth_key_id(&g_test_cert_def_4_device, cert_buffer, cert_sz, auth_key_id);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+#endif
+ }
+ TEST_ASSERT_EQUAL(0, memcmp(ref_auth_key_id, auth_key_id, sizeof(ref_auth_key_id)));
+}
+
+
+TEST(atcacert_client, atcacert_get_issuer_test)
+{
+ ATCA_STATUS status;
+ uint8_t cert_buffer[800] = { 0x00 };
+ uint8_t public_key[64] = { 0x00 };
+ uint8_t issuer_data[256] = { 0x00 };
+ // Skip test if data zone isn't locked
+ test_assert_data_is_locked();
+
+ // Skip test if config zone isn't locked
+ test_assert_config_is_locked();
+ size_t cert_sz = 0x00;
+ ATCADeviceType dev_type = atca_test_get_device_type();
+
+ if (atcab_is_ca_device(dev_type))
+ {
+#if ATCA_CA_SUPPORT
+ // Skip test if data zone is locked
+ test_assert_data_is_unlocked();
+
+ // Skip test if config zone is locked
+ test_assert_config_is_unlocked();
+
+ #if defined(ATCA_ATECC108A_SUPPORT) || defined(ATCA_ATECC508A_SUPPORT)
+ status = atcab_write_config_zone(test_ecc_configdata_full_cert_test);
+
+ #elif defined(ATCA_ATECC608_SUPPORT)
+ status = atcab_write_config_zone(test_ecc608_configdata_full_cert_test);
+ #endif
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+
+ cert_sz = sizeof(g_test_ecc256_ca_cert_ecc608);
+
+ status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_5_device, g_test_ecc256_ca_cert_ecc608, cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ cert_sz = (sizeof(g_test_ecc256_ca_cert_ecc608) - 3);
+
+ status = atcacert_read_cert(&g_test_cert_def_5_device, public_key, cert_buffer, &cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = atcacert_get_issuer(&g_test_cert_def_5_device, cert_buffer, cert_sz, issuer_data);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+#else
+ status = ATCA_NO_DEVICES;
+#endif
+ }
+ else
+ {
+#if ATCA_TA_SUPPORT
+ cert_sz = sizeof(g_test_ecc256_ca_cert);
+ ta_element_attributes_t data_attr;
+ uint16_t signer_cert_handle = 0x8800;
+ cal_buffer signer_cert_buf = CAL_BUF_INIT(sizeof(g_test_ecc256_ca_cert), g_test_ecc256_ca_cert);
+ status = talib_handle_init_data(&data_attr, sizeof(g_test_ecc256_ca_cert));
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+
+ /* Creating data handle for storing the complete signer certificate */
+ status = talib_create_element_with_handle(atcab_get_device(), signer_cert_handle, &data_attr);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+ status = (ATCA_STATUS)atcacert_write_cert(&g_test_cert_def_4_device, g_test_ecc256_ca_cert, cert_sz);
+ TEST_ASSERT_EQUAL(ATCA_SUCCESS, status);
+
+ //Read cert to check the
asn1 parse der api works fine + status = atcacert_read_cert(&g_test_cert_def_4_device, public_key, cert_buffer, &cert_sz); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = atcacert_get_issuer(&g_test_cert_def_4_device, cert_buffer, cert_sz, issuer_data); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); + status = talib_delete_handle(atcab_get_device(), (uint32_t)signer_cert_handle); + TEST_ASSERT_EQUAL(ATCA_SUCCESS, status); +#endif + } +} +#endif +#endif \ No newline at end of file diff --git a/test/atcacert/test_atcacert_client_runner.c b/test/atcacert/test_atcacert_client_runner.c index 9a082b03f..da35450bd 100644 --- a/test/atcacert/test_atcacert_client_runner.c +++ b/test/atcacert/test_atcacert_client_runner.c @@ -34,6 +34,7 @@ TEST_GROUP_RUNNER(atcacert_client) { +#if ATCACERT_COMPCERT_EN // Load certificate data onto the device RUN_TEST_CASE(atcacert_client, init); @@ -51,5 +52,17 @@ TEST_GROUP_RUNNER(atcacert_client) RUN_TEST_CASE(atcacert_client, atcacert_get_response); RUN_TEST_CASE(atcacert_client, atcacert_get_response_bad_params); +#endif + +#if ATCACERT_INTEGRATION_EN + RUN_TEST_CASE(atcacert_client, atcacert_get_subj); + RUN_TEST_CASE(atcacert_client, atcacert_get_subj_pbkey); + RUN_TEST_CASE(atcacert_client, atcacert_get_subj_pbkey_id); + RUN_TEST_CASE(atcacert_client, atcacert_get_issuer_test); + RUN_TEST_CASE(atcacert_client, atcacert_get_auth_key_id_test); + RUN_TEST_CASE(atcacert_client, atcacert_get_issue_date_test); + RUN_TEST_CASE(atcacert_client, atcacert_get_expiry_date); + RUN_TEST_CASE(atcacert_client, atcacert_get_serial_num); +#endif } #endif diff --git a/test/cmd-processor.c b/test/cmd-processor.c index 80b9ca4f4..484d3a1cc 100644 --- a/test/cmd-processor.c +++ b/test/cmd-processor.c @@ -58,6 +58,9 @@ /* Library Integration Tests - Tests to ensure the library accesses device properly*/ #include "integration/test_integration.h" +/* Hal layer testing */ +#include "hal/test_hal.h" + /* JWT Support */ #include "jwt/test_jwt.h" 
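Review bot: In test/atcacert/test_atcacert_client_runner.c, two of the cases registered under the new `#if ATCACERT_INTEGRATION_EN` block, `atcacert_get_issuer_test` and `atcacert_get_auth_key_id_test`, appear unable to reach their CryptoAuth branch, so the run can look green without exercising it. In the test bodies shown above, both call `test_assert_data_is_locked()` and `test_assert_config_is_locked()` first and then `test_assert_data_is_unlocked()` and `test_assert_config_is_unlocked()` inside `if (atcab_is_ca_device(dev_type))`; going by the comments next to those calls, each helper skips the test when its condition does not hold, so a CA device is skipped in either lock state. That branch goes on to call `atcab_write_config_zone(...)`, so the two locked checks probably belong only in the `else` branch. The section holding those bodies starts above the visible part of the page, so the other six cases registered here could not be checked for the same pattern.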
@@ -67,7 +70,6 @@ static int help(int argc, char* argv[]); static int call_exit(int argc, char* argv[]); #endif - // *INDENT-OFF* - Preserve formatting static t_menu_info mas_menu_info[] = { @@ -101,12 +103,16 @@ static t_menu_info mas_menu_info[] = #endif #ifdef ATCA_TA100_SUPPORT { "ta100", "Set Target Device to TA100", select_device }, +#endif +#ifdef ATCA_TA101_SUPPORT + { "ta101", "Set Target Device to TA101", select_device }, #endif { "info", "Get the Chip Revision", info }, { "sernum", "Get the Chip Serial Number", read_sernum }, { "rand", "Generate Some Random Numbers", do_randoms }, { "readcfg", "Read the Config Zone", read_config }, { "lockstat", "Zone Lock Status", lock_status }, + { "hal", "Tests hal drivers functionality", hal_tests }, #ifdef ATCA_TEST_LOCK_ENABLE { "lockcfg", "Lock the Config Zone", lock_config }, { "lockdata", "Lock Data and OTP Zones", lock_data }, diff --git a/test/vectors/ecdsa_nist_vectors.c b/test/vectors/ecdsa_nist_vectors.c index 8da460c91..59191b4f0 100644 --- a/test/vectors/ecdsa_nist_vectors.c +++ b/test/vectors/ecdsa_nist_vectors.c 
@@ -486,7 +486,148 @@ const ecdsa_p384_test_vector ecdsa_p384_s256_test_vectors[] = { }; const size_t ecdsa_p384_s256_test_vectors_count = sizeof(ecdsa_p384_s256_test_vectors) / sizeof(ecdsa_p384_test_vector); #endif -#endif /* TEST_VECTOR_EC_P384_EN */ + +#ifdef ATCA_TA101_SUPPORT +const ecdsa_p384_test_vector ecdsa_p384_test_vectors[] = { + { + { 0x41, 0x32, 0x83, 0x3a, 0x52, 0x5a, 0xec, 0xc8, 0xa1, 0xa6, 0xde, 0xa9, 0xf4, 0x7, 0x5f, 0x44, 0xfe, 0xef, 0xce, 0x81, 0xc, 0x46, 0x68, 0x42, 0x3b, 0x38, 0x58, 0x4, 0x17, 0xf7, 0xbd, 0xca, 0x5b, 0x21, 0x6, 0x1a, 0x45, 0xea, 0xa3, 0xcb, 0xe2, 0xa7, 0x3, 0x5e, 0xd1, 0x89, 0x52, 0x3a, 0xf8, 0x0, 0x2d, 0x65, 0xc2, 0x89, 0x9e, 0x65, 0x73, 0x5e, 0x4d, 0x93, 0xa1, 0x65, 0x3, 0xc1, 0x45, 0x5, 0x9f, 0x36, 0x5c, 0x32, 0xb3, 0xac, 0xc6, 0x27, 0xe, 0x29, 0xa0, 0x91, 0x31, 0x29, 0x91, 0x81, 0xc9, 0x8b, 0x3c, 0x76, 0x76, 0x9a, 0x18, 0xfa, 0xf2, 0x1f, 0x6b, 0x4a, 0x8f, 0x27, 0x1e, 0x6b, 0xf9, 0x8, 0xe2, 0x38, 0xaf, 0xe8, 0x0, 0x2e, 0x27, 0xc6, 0x34, 0x17, 0xbd, 0xa7, 0x58, 0xf8, 0x46, 0xe1, 0xe3, 0xb8, 0xe6, 0x2d, 0x7f, 0x5, 0xeb, 0xd9, 0x8f, 0x1f, 0x91, 0x54}, + { 0x1f, 0x94, 0xeb, 0x6f, 0x43, 0x9a, 0x38, 0x6, 0xf8, 0x5, 0x4d, 0xd7, 0x91, 0x24, 0x84, 0x7d, 0x13, 0x8d, 0x14, 0xd4, 0xf5, 0x2b, 0xac, 0x93, 0xb0, 0x42, 0xf2, 0xee, 0x3c, 0xdb, 0x7d, 0xc9, 0xe0, 0x99, 0x25, 0xc2, 0xa5, 0xfe, 0xe7, 0xd, 0x4c, 0xe0, 0x8c, 0x61, 0xe3, 0xb1, 0x91, 0x60}, + { 0x1c, 0x4f, 0xd1, 0x11, 0xf6, 0xe3, 0x33, 0x3, 0x6, 0x94, 0x21, 0xde, 0xb3, 0x1e, 0x87, 0x31, 0x26, 0xbe, 0x35, 0xee, 0xb4, 0x36, 0xfe, 0x20, 0x34, 0x85, 0x6a, 0x3e, 0xd1, 0xe8, 0x97, 0xf2, 0x6c, 0x84, 0x6e, 0xe3, 0x23, 0x3c, 0xd1, 0x62, 0x40, 0x98, 0x9a, 0x79, 0x90, 0xc1, 0x9d, 0x8c}, + { 0x3c, 0x15, 0xc3, 0xce, 0xdf, 0x2a, 0x6f, 0xbf, 0xf2, 0xf9, 0x6, 0xe6, 0x61, 0xf5, 0x93, 0x2f, 0x25, 0x42, 0xf0, 0xce, 0x68, 0xe2, 0xa8, 0x18, 0x2e, 0x5e, 0xd3, 0x85, 0x8f, 0x33, 0xbd, 0x3c, 0x56, 0x66, 0xf1, 0x7a, 0xc3, 0x9e, 0x52, 0xcb, 0x0, 0x4b, 0x80, 0xa0, 0xd4, 0xba, 0x73, 0xcd}, + { 0x9d, 0xe8, 
0x79, 0x8, 0x3c, 0xbb, 0xa, 0x97, 0x97, 0x3c, 0x94, 0xf1, 0x96, 0x3d, 0x84, 0xf5, 0x81, 0xe4, 0xc6, 0x54, 0x1b, 0x7d, 0x0, 0xf, 0x98, 0x50, 0xde, 0xb2, 0x51, 0x54, 0xb2, 0x3a, 0x37, 0xdd, 0x72, 0x26, 0x7b, 0xdd, 0x72, 0x66, 0x5c, 0xc7, 0x2, 0x7f, 0x88, 0x16, 0x4f, 0xab}, + false, + "2 - R changed" + }, + { + { 0x9d, 0xd7, 0x89, 0xea, 0x25, 0xc0, 0x47, 0x45, 0xd5, 0x7a, 0x38, 0x1f, 0x22, 0xde, 0x1, 0xfb, 0xa, 0xbd, 0x3c, 0x72, 0xdb, 0xde, 0xfd, 0x44, 0xe4, 0x32, 0x13, 0xc1, 0x89, 0x58, 0x3e, 0xef, 0x85, 0xba, 0x66, 0x20, 0x44, 0xda, 0x3d, 0xe2, 0xdd, 0x86, 0x70, 0xe6, 0x32, 0x51, 0x54, 0x48, 0x1, 0x55, 0xbb, 0xee, 0xbb, 0x70, 0x2c, 0x75, 0x78, 0x1a, 0xc3, 0x2e, 0x13, 0x94, 0x18, 0x60, 0xcb, 0x57, 0x6f, 0xe3, 0x7a, 0x5, 0xb7, 0x57, 0xda, 0x5b, 0x5b, 0x41, 0x8f, 0x6d, 0xd7, 0xc3, 0xb, 0x4, 0x2e, 0x40, 0xf4, 0x39, 0x5a, 0x34, 0x2a, 0xe4, 0xdc, 0xe0, 0x56, 0x34, 0xc3, 0x36, 0x25, 0xe2, 0xbc, 0x52, 0x43, 0x45, 0x48, 0x1f, 0x7e, 0x25, 0x3d, 0x95, 0x51, 0x26, 0x68, 0x23, 0x77, 0x1b, 0x25, 0x17, 0x5, 0xb4, 0xa8, 0x51, 0x66, 0x2, 0x2a, 0x37, 0xac, 0x28, 0xf1, 0xbd}, + { 0xcb, 0x90, 0x8b, 0x1f, 0xd5, 0x16, 0xa5, 0x7b, 0x8e, 0xe1, 0xe1, 0x43, 0x83, 0x57, 0x9b, 0x33, 0xcb, 0x15, 0x4f, 0xec, 0xe2, 0xc, 0x50, 0x35, 0xe2, 0xb3, 0x76, 0x51, 0x95, 0xd1, 0x95, 0x1d, 0x75, 0xbd, 0x78, 0xfb, 0x23, 0xe0, 0xf, 0xef, 0x37, 0xd7, 0xd0, 0x64, 0xfd, 0x9a, 0xf1, 0x44}, + { 0xcd, 0x99, 0xc4, 0x6b, 0x58, 0x57, 0x40, 0x1d, 0xdc, 0xff, 0x2c, 0xf7, 0xcf, 0x82, 0x21, 0x21, 0xfa, 0xf1, 0xcb, 0xad, 0x9a, 0x1, 0x1b, 0xed, 0x8c, 0x55, 0x1f, 0x6f, 0x59, 0xb2, 0xc3, 0x60, 0xf7, 0x9b, 0xfb, 0xe3, 0x2a, 0xdb, 0xca, 0xa0, 0x95, 0x83, 0xbd, 0xfd, 0xf7, 0xc3, 0x74, 0xbb}, + { 0x33, 0xf6, 0x4f, 0xb6, 0x5c, 0xd6, 0xa8, 0x91, 0x85, 0x23, 0xf2, 0x3a, 0xea, 0xb, 0xbc, 0xf5, 0x6b, 0xba, 0x1d, 0xac, 0xa7, 0xaf, 0xf8, 0x17, 0xc8, 0x79, 0x1d, 0xc9, 0x24, 0x28, 0xd6, 0x5, 0xac, 0x62, 0x9d, 0xe2, 0xe8, 0x47, 0xd4, 0x3c, 0xee, 0x55, 0xba, 0x9e, 0x4a, 0xe, 0x83, 0xba}, + { 0x44, 0x28, 0xbb, 0x47, 0x8a, 0x43, 0xac, 0x73, 
0xec, 0xd6, 0xde, 0x51, 0xdd, 0xf7, 0xc2, 0x8f, 0xf3, 0xc2, 0x44, 0x16, 0x25, 0xa0, 0x81, 0x71, 0x43, 0x37, 0xdd, 0x44, 0xfe, 0xa8, 0x1, 0x1b, 0xae, 0x71, 0x95, 0x9a, 0x10, 0x94, 0x7b, 0x6e, 0xa3, 0x3f, 0x77, 0xe1, 0x28, 0xd3, 0xc6, 0xae}, + true, + "P" + }, + { + { 0x9c, 0x44, 0x79, 0x97, 0x7e, 0xd3, 0x77, 0xe7, 0x5f, 0x5c, 0xc0, 0x47, 0xed, 0xfa, 0x68, 0x9e, 0xf2, 0x32, 0x79, 0x95, 0x13, 0xa2, 0xe7, 0x2, 0x80, 0xe9, 0xb1, 0x24, 0xb6, 0xc8, 0xd1, 0x66, 0xe1, 0x7, 0xf5, 0x49, 0x4b, 0x40, 0x68, 0x53, 0xae, 0xc4, 0xcf, 0xf0, 0xf2, 0xca, 0x0, 0xc6, 0xf8, 0x9f, 0xf, 0x4a, 0x2d, 0x4a, 0xb0, 0x26, 0x7f, 0x44, 0x51, 0x2d, 0xff, 0xf1, 0x10, 0xd1, 0xb1, 0xb2, 0xe5, 0xe7, 0x88, 0x32, 0x2, 0x2c, 0x14, 0xac, 0x6, 0xa4, 0x93, 0xab, 0x78, 0x9e, 0x69, 0x6f, 0x7f, 0xf, 0x6, 0x8, 0x77, 0x2, 0x9c, 0x27, 0x15, 0x7c, 0xe4, 0xf, 0x81, 0x25, 0x87, 0x29, 0xca, 0xa4, 0xd9, 0x77, 0x8b, 0xae, 0x48, 0x9d, 0x3a, 0xb0, 0x25, 0x9f, 0x67, 0x33, 0x8, 0xae, 0x1e, 0xc1, 0xb1, 0x94, 0x8a, 0xd2, 0x84, 0x5f, 0x86, 0x3b, 0x36, 0xae, 0xdf, 0xfb}, + { 0x9b, 0x3c, 0x48, 0xd9, 0x24, 0x19, 0x41, 0x46, 0xec, 0xa4, 0x17, 0x2b, 0x6d, 0x7d, 0x61, 0x84, 0x23, 0x68, 0x26, 0x86, 0xf4, 0x3e, 0x1d, 0xbc, 0x54, 0xed, 0x90, 0x90, 0x53, 0xd0, 0x75, 0xca, 0x53, 0xb6, 0x8a, 0xe1, 0x2f, 0xf, 0x16, 0xa1, 0x63, 0x3d, 0x5d, 0x9c, 0xb1, 0x70, 0x11, 0xec}, + { 0x69, 0x50, 0x39, 0xf8, 0x37, 0xb6, 0x8e, 0x59, 0x33, 0xe, 0xe9, 0x5d, 0x11, 0xd5, 0x31, 0x5a, 0x8f, 0xb5, 0x60, 0x2a, 0x7b, 0x60, 0xc1, 0x51, 0x42, 0xdb, 0xba, 0x6e, 0x93, 0xb5, 0xe4, 0xab, 0xa8, 0xae, 0x44, 0x69, 0xea, 0xc3, 0x9f, 0xa6, 0x43, 0x63, 0x23, 0xec, 0xcc, 0x60, 0xdc, 0xb6}, + { 0x20, 0x2d, 0xa4, 0xe4, 0xe9, 0x63, 0x2b, 0xcb, 0x6b, 0xf0, 0xf6, 0xda, 0xfb, 0x7e, 0x34, 0x85, 0x28, 0xd0, 0xb4, 0x69, 0xd7, 0x7e, 0x46, 0xb9, 0xf9, 0x39, 0xe2, 0xfa, 0x94, 0x6a, 0x60, 0x8d, 0xd1, 0xf1, 0x66, 0xbc, 0xbc, 0xde, 0x96, 0xcf, 0xad, 0x55, 0x17, 0x1, 0xda, 0x69, 0xf6, 0xc2}, + { 0xdb, 0x59, 0x5b, 0x49, 0x98, 0x38, 0x82, 0xc4, 0x8d, 0xf8, 0xa3, 0x96, 0x88, 0x4c, 0xd9, 0x88, 
0x93, 0xa4, 0x69, 0xc4, 0xd5, 0x90, 0xe5, 0x6c, 0x6a, 0x59, 0xb6, 0x15, 0xd, 0x9a, 0xa, 0xcd, 0xf1, 0x42, 0xcf, 0x92, 0x15, 0x10, 0x52, 0x64, 0x47, 0x2, 0xed, 0x85, 0x7a, 0x5b, 0x79, 0x81}, + false, + "3 - S changed" + }, + { + { 0x21, 0xeb, 0x31, 0xf2, 0xb3, 0x4e, 0x4d, 0xde, 0x8d, 0x6c, 0x70, 0x1e, 0x97, 0x6d, 0x3f, 0xbb, 0xf4, 0xde, 0x6a, 0x33, 0x84, 0x32, 0x91, 0x18, 0xd4, 0xdd, 0xb4, 0x9a, 0xdb, 0x2b, 0xb4, 0x44, 0x65, 0x59, 0x8a, 0xbf, 0x6d, 0xf2, 0x58, 0x58, 0xb4, 0x50, 0xc7, 0x76, 0x7e, 0x28, 0x2c, 0xca, 0xca, 0x49, 0x40, 0x88, 0x27, 0x4e, 0x37, 0x35, 0x36, 0x74, 0xee, 0xf5, 0x8f, 0x58, 0x39, 0x37, 0xd3, 0xd1, 0x84, 0xef, 0x72, 0x73, 0x17, 0xd3, 0x67, 0x23, 0x97, 0xa7, 0x4c, 0x8f, 0xe3, 0x27, 0x91, 0x9a, 0x3d, 0xf8, 0xfd, 0x65, 0xaf, 0xb, 0xc8, 0xce, 0xbb, 0xc4, 0x0, 0x95, 0xad, 0xf8, 0x9f, 0x1b, 0xf2, 0xc5, 0xe6, 0xdc, 0x6b, 0xa4, 0x46, 0x33, 0xfd, 0x84, 0x33, 0xb2, 0x5f, 0x6, 0x5f, 0x5e, 0x3e, 0xb4, 0x84, 0xa, 0xf2, 0x3c, 0xc5, 0x34, 0x41, 0x54, 0x6, 0x74, 0x5a, 0x31}, + { 0x51, 0x40, 0x10, 0x8b, 0x93, 0xb5, 0x2d, 0x9a, 0xd5, 0x72, 0xd6, 0x12, 0x9e, 0xd6, 0x56, 0x47, 0x66, 0xf8, 0xdf, 0x37, 0x55, 0xe4, 0x9f, 0xa5, 0x3e, 0xba, 0x41, 0xa5, 0xa0, 0xd6, 0xc1, 0xd2, 0x4a, 0x48, 0x3c, 0x90, 0x7, 0x5, 0x83, 0xa6, 0x6e, 0x3c, 0xfa, 0x52, 0xb6, 0xfb, 0x1f, 0x31}, + { 0xff, 0x52, 0x49, 0x84, 0x46, 0xa4, 0xc, 0x61, 0xe6, 0xc, 0x97, 0x55, 0x42, 0x56, 0x47, 0x26, 0x25, 0x63, 0x3e, 0xda, 0xc, 0x1a, 0x8b, 0x40, 0x61, 0x48, 0x1f, 0xec, 0xfb, 0xe9, 0xc4, 0x50, 0x3e, 0x99, 0xdf, 0xc6, 0x9e, 0x86, 0xc9, 0xe8, 0x5c, 0x8c, 0xc5, 0x3d, 0xca, 0x6b, 0x8d, 0xc4}, + { 0xb2, 0x72, 0x6b, 0x2b, 0xa9, 0xda, 0x2, 0xde, 0x35, 0xe9, 0x95, 0x3f, 0xc2, 0x83, 0xd1, 0xe7, 0x87, 0x0, 0x86, 0xd, 0x4c, 0x33, 0xdc, 0xe8, 0xdb, 0x4, 0xdd, 0x41, 0x49, 0x9d, 0x90, 0x48, 0x66, 0xc1, 0xb8, 0xde, 0xbb, 0x37, 0x7f, 0x6c, 0xd, 0xfc, 0xb0, 0x70, 0x42, 0x52, 0x17, 0x4f}, + { 0x7, 0x75, 0xb0, 0x27, 0x6, 0x8d, 0x7a, 0xd5, 0x51, 0x21, 0xa2, 0x78, 0xa8, 0x19, 0xf5, 0x20, 0x99, 0xac, 0xe7, 0x50, 0xd5, 0xe9, 
0x96, 0xea, 0xec, 0x9d, 0xee, 0x7b, 0xe7, 0x27, 0x58, 0x73, 0x6c, 0xf7, 0x69, 0x65, 0x1, 0x48, 0xfb, 0xd5, 0xc4, 0x11, 0xbe, 0xb9, 0xb8, 0x8f, 0x97, 0x9e}, + false, + "4 - Q changed" + }, + { + { 0x58, 0xea, 0x3b, 0x1e, 0x82, 0xf9, 0x77, 0x8, 0x5, 0x3d, 0xb, 0x41, 0x44, 0x1d, 0xa, 0xa9, 0x61, 0x90, 0x50, 0xe8, 0x6a, 0xc6, 0xc4, 0xf7, 0x78, 0x11, 0x64, 0xe5, 0xda, 0x30, 0x19, 0xc4, 0x7a, 0x83, 0x93, 0x66, 0x50, 0x9f, 0xa9, 0x58, 0x12, 0xe4, 0xf6, 0x4a, 0xfd, 0xc6, 0x2b, 0x62, 0x7c, 0x7a, 0x98, 0xf6, 0x33, 0xdd, 0x5, 0xdb, 0x45, 0xc1, 0xd8, 0x95, 0x4f, 0xc8, 0x3b, 0xdb, 0x50, 0x42, 0x67, 0x93, 0x78, 0xbb, 0x7e, 0x4c, 0x78, 0x63, 0xaa, 0xcf, 0x20, 0x26, 0x36, 0xc, 0xa5, 0x83, 0x14, 0x98, 0x3e, 0x6c, 0x72, 0x6c, 0xf0, 0x2b, 0xb3, 0x47, 0x70, 0x6b, 0x84, 0x4d, 0xdc, 0x66, 0xae, 0xe4, 0x17, 0x7c, 0x30, 0x9c, 0xb7, 0x0, 0x76, 0x95, 0x53, 0x48, 0xc, 0xdd, 0x6b, 0x1c, 0xd7, 0x73, 0x41, 0xc9, 0xa8, 0x1c, 0x5, 0xfb, 0xb8, 0x8, 0x19, 0xbc, 0x62, 0x3f}, + { 0x31, 0xf4, 0xfc, 0x2f, 0xac, 0x3a, 0x16, 0x3a, 0x57, 0x96, 0xf5, 0xe4, 0x14, 0xaf, 0x6f, 0x81, 0x7, 0xab, 0x5e, 0x4a, 0x98, 0xc7, 0x55, 0xd8, 0x1e, 0xfa, 0x9d, 0x5a, 0x83, 0xc1, 0x1, 0x28, 0xc1, 0x6c, 0x86, 0x31, 0x90, 0x11, 0x2f, 0xc2, 0x9d, 0x3d, 0x5f, 0x30, 0x57, 0xa2, 0xed, 0xf1}, + { 0xfe, 0x20, 0x87, 0x43, 0xf3, 0xe9, 0x6c, 0x3a, 0x34, 0xb5, 0xff, 0xf7, 0x8c, 0x97, 0x16, 0xc0, 0x74, 0xa1, 0xce, 0x3d, 0xc0, 0x1c, 0x3f, 0xe, 0x47, 0x1d, 0xdf, 0xae, 0x91, 0xcd, 0x88, 0xe7, 0xdd, 0xa3, 0x8d, 0xd0, 0xe5, 0xe1, 0xf9, 0x1b, 0x0, 0xb8, 0x53, 0x9d, 0xa3, 0xcc, 0x10, 0xbc}, + { 0x70, 0x69, 0x11, 0x81, 0x2e, 0xc9, 0xe7, 0x37, 0x2, 0x34, 0xef, 0xd5, 0x7b, 0x28, 0x55, 0x97, 0x5e, 0xab, 0x81, 0xe9, 0xc2, 0xfe, 0x78, 0x3a, 0xa8, 0xe4, 0x42, 0xdc, 0x6e, 0x7d, 0x68, 0x1d, 0xab, 0x2d, 0xc0, 0xdf, 0xc6, 0x76, 0x5f, 0x87, 0xab, 0x67, 0x0, 0x11, 0x8, 0xe3, 0xfa, 0xcf}, + { 0x42, 0xc8, 0x9e, 0xfa, 0x22, 0xd8, 0x53, 0xd3, 0x2f, 0x61, 0x9c, 0x9f, 0xe1, 0x3e, 0x98, 0x52, 0x88, 0x9a, 0xc9, 0x8a, 0x9f, 0xed, 0x5d, 0x4f, 0xa4, 0x7f, 0xed, 0x23, 
0x8e, 0x1c, 0xbe, 0x70, 0xd7, 0x97, 0xa, 0xf9, 0xf7, 0xbd, 0xf8, 0x4e, 0x51, 0x17, 0x6a, 0xf4, 0x88, 0x5f, 0x24, 0x90}, + false, + "4 - Q changed" + }, + { + { 0x18, 0x8c, 0xd5, 0x30, 0x97, 0xef, 0x3e, 0x64, 0xb7, 0x8b, 0x92, 0x60, 0xbf, 0x46, 0x17, 0x8, 0xc8, 0x36, 0xf2, 0x5f, 0x2b, 0xcc, 0x98, 0xb5, 0x34, 0xaf, 0x98, 0xb9, 0x6e, 0xe4, 0xb3, 0x24, 0xe2, 0x20, 0x3a, 0x7e, 0x62, 0xdb, 0xc3, 0x96, 0x96, 0x6f, 0x56, 0x41, 0x9f, 0xb5, 0x13, 0x5c, 0xb1, 0x24, 0x36, 0x9a, 0xaa, 0x2, 0x5f, 0x39, 0x6e, 0xac, 0x72, 0xf0, 0x5a, 0xb4, 0x59, 0x50, 0xd9, 0xe0, 0x2c, 0xd5, 0xa2, 0x35, 0x7e, 0xaf, 0xab, 0x9f, 0x81, 0x61, 0x17, 0xb7, 0xf1, 0xde, 0x19, 0x24, 0x68, 0x89, 0x53, 0x27, 0x80, 0x2e, 0xc7, 0x9f, 0x5d, 0x6b, 0x5a, 0x3d, 0x44, 0xd7, 0xaf, 0xbe, 0xd7, 0xb4, 0xa3, 0x8, 0xe3, 0x65, 0x65, 0x5b, 0x8d, 0xb2, 0xbd, 0xe7, 0x5e, 0x14, 0x30, 0x62, 0xee, 0x48, 0xb7, 0xc5, 0x16, 0x88, 0xac, 0x5d, 0xb0, 0xbc, 0x7c, 0x83, 0xec, 0x9c}, + { 0x1f, 0x79, 0x11, 0xdc, 0xfe, 0x63, 0xa6, 0xf2, 0x70, 0xcf, 0x75, 0xb8, 0x58, 0x4d, 0x9b, 0x1b, 0x4a, 0x0, 0xaf, 0xc1, 0xfa, 0x43, 0x54, 0x3c, 0x94, 0x59, 0x45, 0xb8, 0xa8, 0x21, 0xeb, 0xeb, 0x37, 0xfb, 0xc7, 0x5, 0xa0, 0x0, 0xf9, 0xcc, 0x7c, 0x35, 0xf7, 0xd2, 0x70, 0x27, 0xb7, 0xbb}, + { 0xf1, 0x18, 0x35, 0xec, 0x80, 0xc4, 0xac, 0x6, 0xd9, 0x92, 0x47, 0xe7, 0x3b, 0xf7, 0x25, 0x22, 0x10, 0x9a, 0xc2, 0x55, 0xe6, 0x10, 0x92, 0x62, 0xde, 0x4d, 0xfb, 0xf9, 0x61, 0x92, 0x44, 0xf7, 0x4f, 0xb6, 0xc9, 0xee, 0x57, 0x69, 0x45, 0x37, 0xd7, 0xe7, 0x9c, 0x24, 0x8d, 0xb3, 0x4d, 0xc4}, + { 0x35, 0x87, 0xc9, 0xc6, 0x88, 0x5a, 0xdf, 0x3b, 0xe1, 0x8, 0x68, 0x25, 0xf9, 0xa4, 0x1c, 0xcd, 0x2e, 0xdf, 0xa0, 0xbd, 0x95, 0xe7, 0xfc, 0x4d, 0xba, 0x5a, 0x97, 0x10, 0xf4, 0x1d, 0x53, 0x91, 0x32, 0xde, 0x77, 0x72, 0xf1, 0x4c, 0x18, 0xe3, 0x18, 0xf8, 0x99, 0x2b, 0x66, 0xd2, 0xa8, 0x6c}, + { 0x73, 0xa8, 0x44, 0xd7, 0x29, 0x59, 0x9d, 0x4e, 0x3e, 0x3c, 0x1b, 0x63, 0xe9, 0xc4, 0xbf, 0x5a, 0x73, 0xd1, 0xf6, 0x9e, 0x1, 0x60, 0x85, 0x7f, 0xe6, 0x3a, 0x56, 0xc3, 0x81, 0xc0, 0x51, 0xf5, 
0xc3, 0x7e, 0xa6, 0xb4, 0xcc, 0x4c, 0xaa, 0xcb, 0x6f, 0xf2, 0x6e, 0xf9, 0x69, 0x9e, 0xfe, 0x30}, + false, + "4 - Q changed" + }, + { + { 0x64, 0x62, 0xbc, 0x8c, 0x1, 0x81, 0xdb, 0x7d, 0x59, 0x6a, 0x35, 0xaa, 0x25, 0xd5, 0xd3, 0x23, 0xdd, 0x3b, 0x27, 0x98, 0x5, 0x4c, 0x2a, 0xf6, 0xc2, 0x2e, 0x84, 0x1b, 0x1c, 0xcf, 0x3d, 0xc3, 0xee, 0x51, 0x4f, 0x86, 0xd4, 0xa0, 0xce, 0xf7, 0xa6, 0xf7, 0xf5, 0x66, 0xae, 0x44, 0x8b, 0x24, 0xdc, 0xc8, 0xd1, 0x1e, 0xb7, 0xa5, 0x85, 0xd4, 0x49, 0x23, 0xea, 0x1a, 0x6, 0xc7, 0x74, 0xa2, 0xb3, 0xeb, 0x74, 0x9, 0xab, 0x17, 0xa0, 0x6, 0x5d, 0x58, 0x34, 0xab, 0x0, 0x30, 0x9a, 0xd4, 0x43, 0x12, 0xa7, 0x31, 0x72, 0x59, 0x21, 0x95, 0x43, 0xe8, 0xd, 0xdb, 0xc, 0xc2, 0xa4, 0x38, 0x1b, 0xf6, 0xe5, 0x3c, 0xd1, 0xbb, 0x35, 0x7e, 0xba, 0x82, 0xe1, 0x1c, 0x59, 0xf8, 0x2e, 0x44, 0x6c, 0x4b, 0x79, 0x31, 0x41, 0x19, 0x18, 0x2c, 0xd, 0xe9, 0x6a, 0x1b, 0x5b, 0xae, 0xb, 0x8}, + { 0x20, 0x39, 0x66, 0x1d, 0xb8, 0x13, 0xd4, 0x94, 0xa9, 0xec, 0xb2, 0xc4, 0xe0, 0xcd, 0xd7, 0xb5, 0x40, 0x68, 0xaa, 0xe8, 0xa5, 0xd0, 0x59, 0x70, 0x9, 0xf6, 0x7f, 0x4f, 0x36, 0xf3, 0x2c, 0x8e, 0xe9, 0x39, 0xab, 0xe0, 0x37, 0x16, 0xe9, 0x49, 0x70, 0xbb, 0xa6, 0x9f, 0x59, 0x5f, 0xea, 0xd6}, + { 0xe2, 0xd5, 0x23, 0x6e, 0x7e, 0x35, 0x77, 0x44, 0x51, 0x4e, 0x66, 0xa3, 0xfb, 0x11, 0x10, 0x73, 0x33, 0x6d, 0xe9, 0x29, 0x59, 0x8e, 0xb7, 0x9f, 0xb4, 0x36, 0x8c, 0x5b, 0xf8, 0x8, 0x14, 0xe7, 0x58, 0x4a, 0x3b, 0x94, 0x11, 0x8f, 0xaa, 0xc9, 0x32, 0x1d, 0xf3, 0x74, 0x52, 0xa8, 0x46, 0xfc}, + { 0x16, 0x4b, 0x8a, 0xc2, 0xb3, 0x4c, 0x4c, 0x49, 0x9b, 0x9d, 0x67, 0x27, 0xe1, 0x30, 0xb5, 0xef, 0x37, 0xc2, 0x96, 0xbd, 0x22, 0xc3, 0x6, 0xd1, 0x39, 0x6c, 0x6a, 0xa5, 0x4c, 0xa6, 0x61, 0xf7, 0x29, 0xaa, 0x63, 0x53, 0xb5, 0x5d, 0x7c, 0xf1, 0x79, 0x3b, 0x80, 0xb5, 0xa4, 0x85, 0x11, 0x5f}, + { 0x4e, 0x71, 0x87, 0xf8, 0xf7, 0x35, 0xb7, 0x27, 0x2f, 0x2c, 0x9, 0x85, 0x31, 0x5b, 0x56, 0x2, 0xbb, 0x9b, 0x1a, 0x9, 0xf3, 0x22, 0x33, 0xaa, 0x10, 0x57, 0xc, 0x82, 0xd1, 0xcc, 0xed, 0xef, 0x6e, 0x72, 0x58, 0x0, 0x33, 0x65, 
0x11, 0xe4, 0x7f, 0x88, 0xdd, 0xbb, 0xbd, 0xc0, 0x8f, 0x54}, + false, + "1 - Message changed" + }, + { + { 0x13, 0xc6, 0x3a, 0x3c, 0xb6, 0x1f, 0x15, 0xc6, 0x59, 0x72, 0x6, 0x58, 0xa7, 0x78, 0x69, 0x14, 0x5a, 0xe8, 0xa1, 0x76, 0xc6, 0xd9, 0x3d, 0x3a, 0x8a, 0xa9, 0x94, 0x62, 0x36, 0xd9, 0xfb, 0x4, 0x63, 0xdb, 0x9e, 0x48, 0xc6, 0x67, 0xcb, 0xa7, 0x31, 0xaf, 0xaa, 0x81, 0x4b, 0xa0, 0xd5, 0x83, 0x57, 0x52, 0x4f, 0x8d, 0xe2, 0x8d, 0x4c, 0x4b, 0xbe, 0x26, 0x91, 0xda, 0xc9, 0xb3, 0x26, 0x32, 0xa7, 0xdd, 0xf, 0x99, 0xfd, 0x4c, 0xb2, 0x40, 0x29, 0x8, 0x78, 0x30, 0x50, 0x11, 0xf7, 0xd3, 0xe3, 0x7e, 0xcc, 0x41, 0xc, 0xc1, 0xfe, 0xd6, 0x1, 0xe7, 0x90, 0x1e, 0x8b, 0xe6, 0x41, 0x4e, 0xa4, 0x43, 0x17, 0x58, 0x48, 0x43, 0xa2, 0xd2, 0xca, 0x2e, 0x15, 0x10, 0x3e, 0x1e, 0xa4, 0x93, 0x65, 0xbc, 0x38, 0x43, 0x55, 0xb3, 0xc6, 0xfa, 0x6c, 0xcd, 0xd4, 0x52, 0x54, 0x3e, 0x97, 0x69}, + { 0x46, 0xdc, 0xf8, 0xee, 0x84, 0x8c, 0x64, 0x59, 0xfa, 0x66, 0xd1, 0xca, 0xe9, 0x1c, 0xcd, 0x47, 0x14, 0x1, 0xa5, 0x78, 0x2c, 0xb2, 0xd3, 0xb9, 0xb9, 0x26, 0x41, 0x89, 0xf0, 0xe9, 0xdd, 0xf7, 0x19, 0x7b, 0x5, 0xc6, 0x94, 0x93, 0x1b, 0xde, 0x33, 0x6, 0x24, 0xc, 0xf9, 0xd2, 0x4b, 0x7e}, + { 0x79, 0xd9, 0x50, 0x8f, 0x82, 0xc5, 0xea, 0xd0, 0x5c, 0x3f, 0x93, 0x92, 0xf3, 0xb1, 0x45, 0x8f, 0x6d, 0x6c, 0x2, 0xf4, 0x44, 0x20, 0xb9, 0x2, 0x1d, 0x65, 0x6e, 0x59, 0x40, 0x2e, 0x26, 0x45, 0xbf, 0x3b, 0xa1, 0xa6, 0xb2, 0x44, 0xdd, 0xb1, 0x2e, 0xdb, 0xb6, 0x95, 0x16, 0xd5, 0x87, 0x3b}, + { 0x5f, 0xfb, 0xa3, 0xb5, 0xbd, 0x7c, 0x3a, 0x89, 0xec, 0x40, 0xb4, 0x78, 0x84, 0xb0, 0xb3, 0x46, 0x4e, 0x8a, 0xbb, 0x78, 0x60, 0x8c, 0x6d, 0x61, 0xe1, 0xe6, 0x2c, 0x2c, 0xa9, 0x8d, 0x44, 0xfc, 0xdf, 0x61, 0x82, 0x5d, 0x69, 0xdf, 0xfe, 0xe8, 0x40, 0x8d, 0x8, 0x49, 0xd0, 0x62, 0x3b, 0xac}, + { 0xd, 0x25, 0x97, 0xb5, 0xfc, 0x38, 0x42, 0xff, 0xce, 0x19, 0x57, 0x17, 0x22, 0x53, 0xa8, 0xc9, 0xc0, 0xe4, 0xdb, 0xe7, 0x70, 0xce, 0x54, 0xf7, 0xf, 0x13, 0x9e, 0x5, 0x45, 0xdc, 0x34, 0xec, 0x63, 0x9d, 0x60, 0x9e, 0x14, 0x17, 0x5b, 0xdb, 0x2b, 0x81, 
0x2c, 0xcf, 0xda, 0x0, 0xc9, 0xd4}, + false, + "1 - Message changed" + }, + { + { 0x69, 0x39, 0xa9, 0x11, 0x8a, 0xdc, 0x30, 0x71, 0x7, 0xaa, 0x6b, 0x0, 0x57, 0xc2, 0x80, 0xd1, 0xf, 0xa4, 0x4a, 0x64, 0x70, 0xc, 0x7b, 0xd2, 0x3e, 0x1f, 0x33, 0xa4, 0x78, 0xad, 0x2c, 0xfe, 0x59, 0x6c, 0x5, 0xf7, 0x2b, 0x54, 0xc, 0xbd, 0xb6, 0x96, 0xaa, 0xc6, 0xab, 0x98, 0xd9, 0xca, 0x8c, 0x62, 0xf3, 0x3e, 0x18, 0x26, 0x57, 0x13, 0xb, 0x83, 0x17, 0xa7, 0x62, 0x75, 0xa5, 0x99, 0x63, 0x33, 0xa5, 0xd3, 0x54, 0x7e, 0x22, 0x93, 0xb4, 0x1, 0xd0, 0xad, 0xf6, 0xf, 0x91, 0xe9, 0x1d, 0x21, 0x37, 0xe3, 0x4f, 0x33, 0x36, 0xe0, 0x17, 0xc3, 0xc6, 0xdb, 0xa6, 0xbf, 0x5b, 0x13, 0xdd, 0xd, 0xe2, 0x88, 0xf9, 0xb2, 0xa, 0x89, 0x6a, 0x92, 0xc4, 0x8e, 0x98, 0x4f, 0xbc, 0x9, 0xf9, 0x20, 0xfa, 0xb8, 0x2f, 0x3f, 0x91, 0x5d, 0x65, 0x24, 0xb0, 0xc1, 0x12, 0x36, 0xac, 0xa4}, + { 0x9, 0x7c, 0xea, 0x75, 0xf6, 0x85, 0xcf, 0x4d, 0x54, 0x32, 0x4a, 0xd2, 0x12, 0x4c, 0xe3, 0xf7, 0x7b, 0x1e, 0x49, 0xb, 0xba, 0xa1, 0xff, 0xac, 0xde, 0x40, 0xdd, 0x98, 0x8f, 0x75, 0x91, 0xe1, 0xc5, 0xd1, 0x58, 0xe6, 0xf2, 0x32, 0x50, 0xd, 0x95, 0x87, 0x62, 0x83, 0x19, 0x14, 0xaf, 0x7f}, + { 0x71, 0x6d, 0x8b, 0xc0, 0x56, 0xda, 0xf6, 0x9c, 0xa2, 0xed, 0xd2, 0x1b, 0x89, 0xa6, 0xae, 0x99, 0x23, 0xcf, 0xca, 0xe8, 0x7b, 0xfd, 0xa5, 0xf9, 0xa6, 0xe5, 0x14, 0xdd, 0x4b, 0x9d, 0x28, 0xd1, 0x64, 0xfc, 0xc6, 0x13, 0xca, 0x2a, 0xfb, 0x96, 0x60, 0xad, 0xfe, 0xce, 0x59, 0xf0, 0x9b, 0x66}, + { 0x1c, 0x5d, 0x45, 0x61, 0xd2, 0xa3, 0xaf, 0x88, 0x35, 0x83, 0x9b, 0x54, 0x30, 0x98, 0xc1, 0x1, 0xc7, 0x15, 0xc5, 0x45, 0xeb, 0x7d, 0x0, 0x30, 0xc, 0x5c, 0xb0, 0x5b, 0xb0, 0x8d, 0xac, 0x29, 0xe7, 0x32, 0xff, 0xdc, 0x31, 0xc5, 0x9, 0x15, 0xe6, 0x91, 0x99, 0x9a, 0xd5, 0x5, 0x10, 0x4c}, + { 0xc3, 0x44, 0x2f, 0x2f, 0xb1, 0x49, 0x8f, 0xd4, 0x7c, 0x2f, 0x95, 0x9e, 0xdf, 0xf3, 0x7a, 0x19, 0x78, 0x3e, 0x3c, 0xce, 0xe8, 0xd, 0xc6, 0x95, 0x5c, 0xa6, 0x4d, 0xb0, 0x87, 0xfd, 0x18, 0x8e, 0x67, 0x35, 0x8e, 0x7b, 0x92, 0x23, 0x53, 0x5b, 0xbb, 0x85, 0x8d, 0x21, 0xba, 0x6a, 0x97, 
0x8c}, + false, + "2 - R changed" + }, + { + { 0xc8, 0x20, 0x71, 0xe4, 0x2c, 0x45, 0xac, 0x35, 0x97, 0xf2, 0x55, 0xba, 0x27, 0x76, 0x6a, 0xfe, 0x36, 0x6e, 0x31, 0xa5, 0x53, 0xa4, 0xd2, 0x19, 0x13, 0x60, 0xb8, 0x8a, 0x2a, 0x34, 0x9e, 0xe0, 0x77, 0x29, 0x14, 0x54, 0xbf, 0x7b, 0x32, 0x3c, 0xb3, 0xc9, 0xd7, 0xfe, 0xc5, 0x53, 0x3e, 0x4e, 0x4b, 0xf4, 0xfb, 0x5b, 0xc2, 0xeb, 0x16, 0xc6, 0x31, 0x9e, 0x93, 0x78, 0xa3, 0xd8, 0xa4, 0x44, 0xb2, 0xd7, 0x58, 0x12, 0x34, 0x38, 0xdb, 0xb4, 0x57, 0xb2, 0x6b, 0x14, 0xb6, 0x54, 0xb3, 0xc8, 0x8d, 0x66, 0x83, 0x8a, 0xdf, 0xa6, 0x73, 0x6, 0x7c, 0x5, 0x52, 0xd1, 0xb8, 0xa3, 0xad, 0xe3, 0xa9, 0xcb, 0x77, 0x79, 0x86, 0xc0, 0xf, 0x65, 0xca, 0xce, 0x53, 0xf8, 0x52, 0xc1, 0x12, 0x1a, 0xcf, 0x19, 0x51, 0x6a, 0x7c, 0xf0, 0xba, 0x38, 0x20, 0xb5, 0xf5, 0x1f, 0x31, 0xc5, 0x39, 0xa2}, + { 0xd2, 0xe2, 0xb3, 0xd2, 0x62, 0xbb, 0x11, 0x5, 0xd9, 0x14, 0xc3, 0x2c, 0x0, 0x7e, 0xa2, 0x3d, 0x15, 0xa9, 0x81, 0x97, 0xf0, 0xed, 0x90, 0xb4, 0x6a, 0x17, 0xf3, 0xd4, 0x3, 0xe4, 0x6, 0xa7, 0x6c, 0x8f, 0x75, 0x2b, 0xe1, 0xa8, 0xcd, 0x1, 0xa9, 0x4f, 0xd4, 0x51, 0x57, 0xf6, 0x51, 0x1a}, + { 0xe5, 0x85, 0xfb, 0xa1, 0x80, 0x1, 0x7b, 0x99, 0x83, 0xb4, 0xc8, 0x53, 0xad, 0x3a, 0x5d, 0xd5, 0x2e, 0x7, 0x9c, 0x5f, 0xe, 0xf7, 0x92, 0xd1, 0xa0, 0x21, 0x3b, 0x60, 0x85, 0xe3, 0x90, 0xb0, 0x73, 0xde, 0x1a, 0x4b, 0x1, 0x74, 0x9c, 0xea, 0xb2, 0x78, 0x6, 0xe5, 0x60, 0x49, 0x80, 0xfe}, + { 0x49, 0xc0, 0x1, 0xc4, 0x7b, 0xbc, 0xee, 0x10, 0xc8, 0x1c, 0xc, 0xdf, 0xdb, 0x84, 0xc8, 0x6e, 0x5b, 0x38, 0x85, 0x10, 0x80, 0x1e, 0x9c, 0x9d, 0xc7, 0xf8, 0x1b, 0xf6, 0x67, 0xe4, 0x3f, 0x74, 0xb6, 0xa6, 0x76, 0x9c, 0x4a, 0xc0, 0xa3, 0x88, 0x63, 0xdc, 0x4f, 0x21, 0xc5, 0x58, 0xf2, 0x86}, + { 0x1f, 0xb4, 0xff, 0x67, 0x34, 0xc, 0xc4, 0x4f, 0x21, 0x24, 0x4, 0xba, 0x60, 0xf3, 0x9a, 0x2c, 0xb8, 0xdc, 0xd3, 0xf3, 0x54, 0xc8, 0x1b, 0x72, 0x19, 0x28, 0x9d, 0x32, 0xe8, 0x49, 0xd4, 0x91, 0x5e, 0x9d, 0x2f, 0x91, 0x96, 0x9b, 0xa7, 0x1e, 0x3d, 0xd4, 0x41, 0x4f, 0x1e, 0x8f, 0x18, 0xf7}, + false, + "3 - S changed" + 
}, + { + { 0x13, 0x7b, 0x21, 0x5c, 0x1, 0x50, 0xee, 0x95, 0xe8, 0x49, 0x4b, 0x79, 0x17, 0x3d, 0x7a, 0xe3, 0xc3, 0xe7, 0x1e, 0xfc, 0xc7, 0xc7, 0x5a, 0xd9, 0x2f, 0x75, 0x65, 0x9c, 0xe1, 0xb2, 0xd7, 0xeb, 0x55, 0x5a, 0xad, 0x80, 0x26, 0x27, 0x7a, 0xe3, 0x70, 0x9f, 0x46, 0xe8, 0x96, 0x96, 0x39, 0x64, 0x48, 0x69, 0x46, 0xb9, 0xfe, 0x26, 0x9d, 0xf4, 0x44, 0xa6, 0xea, 0x28, 0x9e, 0xc2, 0x28, 0x5e, 0x79, 0x46, 0xdb, 0x57, 0xff, 0x18, 0xf7, 0x22, 0xa5, 0x83, 0x19, 0x4a, 0x96, 0x44, 0xe8, 0x63, 0xae, 0x45, 0x2d, 0x14, 0x57, 0xdc, 0x5d, 0xb7, 0x2e, 0xe2, 0xc, 0x48, 0x64, 0x75, 0xf3, 0x58, 0xdc, 0x57, 0x5c, 0x62, 0x1b, 0x5a, 0xb8, 0x65, 0xc6, 0x62, 0xe4, 0x83, 0x25, 0x8c, 0x71, 0x91, 0xb4, 0xcc, 0x21, 0x8e, 0x1f, 0x9a, 0xfe, 0xeb, 0x3e, 0x1c, 0xb9, 0x78, 0xce, 0x96, 0x57, 0xdc}, + { 0xcd, 0x88, 0x7c, 0x65, 0xc0, 0x1a, 0x1f, 0x8, 0x80, 0xbf, 0x58, 0x61, 0x1b, 0xf3, 0x60, 0xa8, 0x43, 0x55, 0x73, 0xbc, 0x67, 0x4, 0xbf, 0xb2, 0x49, 0xf1, 0x19, 0x27, 0x93, 0xf6, 0xd3, 0x28, 0x36, 0x37, 0xcd, 0x50, 0xf3, 0x91, 0x1e, 0x51, 0x34, 0xb0, 0xd6, 0x13, 0xa, 0x1d, 0xb6, 0xe}, + { 0xf2, 0xb3, 0xcb, 0xf4, 0xfe, 0x47, 0x5f, 0xd1, 0x5a, 0x78, 0x97, 0x56, 0x1e, 0x5c, 0x89, 0x8f, 0x10, 0xca, 0xa6, 0xd9, 0xd7, 0x3f, 0xef, 0x10, 0xd4, 0x34, 0x59, 0x17, 0xb5, 0x27, 0xce, 0x30, 0xca, 0xea, 0xef, 0x13, 0x8e, 0x21, 0xac, 0x6d, 0xa, 0x49, 0xef, 0x2f, 0xef, 0x14, 0xbe, 0xe6}, + { 0xad, 0xdf, 0xa4, 0x75, 0xb9, 0x98, 0xf3, 0x91, 0x14, 0x41, 0x56, 0xc4, 0x18, 0x56, 0x1d, 0x32, 0x3b, 0xdf, 0xd0, 0xc4, 0xf4, 0x16, 0xa2, 0xf7, 0x1a, 0x94, 0x67, 0x12, 0xc3, 0x49, 0xbb, 0x79, 0xba, 0x13, 0x34, 0xc3, 0xde, 0x5b, 0x86, 0xc2, 0x56, 0x7b, 0x86, 0x57, 0xfe, 0x4c, 0xa1, 0xf1}, + { 0x1c, 0x31, 0x4b, 0x13, 0x39, 0xf7, 0x35, 0x45, 0xff, 0x45, 0x73, 0x23, 0x47, 0x6, 0x95, 0xe0, 0x47, 0x4c, 0x4b, 0x68, 0x60, 0xb3, 0x5d, 0x70, 0x37, 0x84, 0xfb, 0xf6, 0x6e, 0x9c, 0x66, 0x5d, 0xe6, 0xca, 0x3a, 0xcb, 0x60, 0x28, 0x3d, 0xf6, 0x14, 0x13, 0xe0, 0x74, 0x9, 0x6, 0xf1, 0x9e}, + false, + "2 - R changed" + }, + { + { 0x93, 0xe7, 0xe7, 
0x5c, 0xfa, 0xf3, 0xfa, 0x4e, 0x71, 0xdf, 0x80, 0xf7, 0xf8, 0xc0, 0xef, 0x66, 0x72, 0xa6, 0x30, 0xd2, 0xdb, 0xeb, 0xa1, 0xd6, 0x13, 0x49, 0xac, 0xba, 0xaa, 0x47, 0x6f, 0x5f, 0xe, 0x34, 0xdc, 0xcb, 0xd8, 0x5b, 0x9a, 0x81, 0x5d, 0x90, 0x82, 0x3, 0x31, 0x3a, 0x22, 0xfe, 0x3e, 0x91, 0x95, 0x4, 0xcb, 0x22, 0x2d, 0x62, 0x3a, 0xd9, 0x56, 0x62, 0xea, 0x4a, 0x90, 0x9, 0x97, 0x42, 0xc0, 0x48, 0x34, 0x1f, 0xe3, 0xa7, 0xa5, 0x11, 0x10, 0xd3, 0xa, 0xd3, 0xa4, 0x8a, 0x77, 0x7c, 0x63, 0x47, 0xea, 0x8b, 0x71, 0x74, 0x93, 0x16, 0xe0, 0xdd, 0x19, 0x2, 0xfa, 0xcb, 0x30, 0x4a, 0x76, 0x32, 0x4b, 0x71, 0xf3, 0x88, 0x2e, 0x6e, 0x70, 0x31, 0x9e, 0x13, 0xfc, 0x2b, 0xb9, 0xf3, 0xf5, 0xdb, 0xb9, 0xbd, 0x2c, 0xc7, 0x26, 0x5f, 0x52, 0xdf, 0xc0, 0xa3, 0xbb, 0x91}, + { 0xa3, 0x70, 0xcd, 0xbe, 0xf9, 0x5d, 0x1d, 0xf5, 0xbf, 0x68, 0xec, 0x48, 0x71, 0x22, 0x51, 0x4a, 0x10, 0x7d, 0xb8, 0x7d, 0xf3, 0xf8, 0x85, 0x20, 0x68, 0xfd, 0x46, 0x94, 0xab, 0xca, 0xdb, 0x9b, 0x14, 0x30, 0x2c, 0x72, 0x49, 0x1a, 0x76, 0xa6, 0x44, 0x42, 0xfc, 0x7, 0xbd, 0x99, 0xf0, 0x2c}, + { 0xd3, 0x97, 0xc2, 0x5d, 0xc1, 0xa5, 0x78, 0x15, 0x73, 0xd0, 0x39, 0xf2, 0x52, 0xc, 0xf3, 0x29, 0xbf, 0x65, 0x12, 0xf, 0xdb, 0xe9, 0x64, 0xb6, 0xb8, 0x1, 0x1, 0x16, 0xe, 0x53, 0x3d, 0x55, 0x70, 0xe6, 0x21, 0x25, 0xb9, 0xf3, 0x27, 0x6c, 0x49, 0x24, 0x4b, 0x8d, 0xf, 0x3e, 0x44, 0xec}, + { 0xc6, 0xc7, 0xbb, 0x51, 0x6c, 0xc3, 0xf3, 0x7a, 0x30, 0x43, 0x28, 0xd1, 0x36, 0xb2, 0xf4, 0x4b, 0xb8, 0x9d, 0x3d, 0xac, 0x78, 0xf1, 0xf5, 0xbc, 0xd3, 0x6b, 0x41, 0x2a, 0x8b, 0x4d, 0x87, 0x9f, 0x6c, 0xdb, 0x75, 0x17, 0x52, 0x92, 0xc6, 0x96, 0xb5, 0x8b, 0xfa, 0x9c, 0x91, 0xfe, 0x63, 0x91}, + { 0x6b, 0x71, 0x14, 0x25, 0xe1, 0xb1, 0x4f, 0x72, 0x24, 0xcd, 0x4b, 0x96, 0x71, 0x7a, 0x84, 0xd6, 0x5a, 0x60, 0xec, 0x99, 0x51, 0xa3, 0x1, 0x52, 0xea, 0x1d, 0xd3, 0xb6, 0xea, 0x66, 0xa0, 0x8, 0x8d, 0x1f, 0xd3, 0xe9, 0xa1, 0xef, 0x6, 0x98, 0x4, 0xb7, 0xd9, 0x69, 0x14, 0x8c, 0x37, 0xa0}, + true, + "P" + }, + { + { 0x15, 0x49, 0x3a, 0xa1, 0xc, 0xfb, 0x80, 0x4b, 0x3d, 0x80, 0x70, 
0x3c, 0xa0, 0x2a, 0xf7, 0xe2, 0xcf, 0xdc, 0x67, 0x14, 0x47, 0xd9, 0xa1, 0x71, 0xb4, 0x18, 0xec, 0xf6, 0xca, 0x48, 0xb4, 0x50, 0x41, 0x4a, 0x28, 0xe7, 0xa0, 0x58, 0xa7, 0x8a, 0xb0, 0x94, 0x61, 0x86, 0xad, 0x2f, 0xe2, 0x97, 0xe1, 0xb7, 0xe2, 0xe, 0x40, 0x54, 0x7c, 0x74, 0xf9, 0x48, 0x87, 0xa0, 0xf, 0x27, 0xdd, 0xe7, 0xf7, 0x8a, 0x3c, 0x15, 0xeb, 0x11, 0x15, 0xd7, 0x4, 0x97, 0x2b, 0x35, 0xa2, 0x7c, 0xaf, 0x8f, 0x7c, 0xdc, 0xce, 0x2, 0xb9, 0x6f, 0x8a, 0x72, 0xd7, 0x7f, 0x36, 0xa2, 0xd, 0x3f, 0x82, 0x9e, 0x91, 0x5c, 0xd3, 0xbb, 0x81, 0xf9, 0xc2, 0x99, 0x77, 0x87, 0xa7, 0x36, 0x16, 0xed, 0x5c, 0xb0, 0xe8, 0x64, 0x23, 0x19, 0x59, 0xe0, 0xb6, 0x23, 0xf1, 0x2a, 0x18, 0xf7, 0x79, 0x59, 0x9d, 0x65}, + { 0xd1, 0xcf, 0x63, 0x5c, 0xa0, 0x4f, 0x9, 0xb5, 0x88, 0x79, 0xd2, 0x90, 0x12, 0xf2, 0x2, 0x54, 0x79, 0xa0, 0x2, 0xbd, 0xa5, 0x90, 0x2, 0xe, 0x6a, 0x23, 0x8b, 0xcc, 0xc7, 0x64, 0x47, 0x81, 0x31, 0xca, 0xc7, 0xe6, 0x98, 0xc, 0x67, 0x2, 0x7d, 0x92, 0xec, 0xe9, 0x47, 0xfe, 0xa5, 0xa6}, + { 0x21, 0xf7, 0x67, 0x5c, 0x2b, 0xe6, 0xc, 0xa, 0x5b, 0x7d, 0x6d, 0xf2, 0xbc, 0xc8, 0x9b, 0x56, 0x21, 0x2a, 0x28, 0x49, 0xec, 0x2, 0x10, 0xc5, 0x93, 0x16, 0x20, 0xc, 0x59, 0x86, 0x4f, 0xd8, 0x6b, 0x9a, 0x19, 0xe1, 0x64, 0x1d, 0x20, 0x6f, 0xd8, 0xb2, 0x9a, 0xf7, 0x76, 0x8b, 0x61, 0xd3}, + { 0x61, 0x1, 0xd2, 0x6e, 0x76, 0x69, 0x6, 0x34, 0xb7, 0x29, 0x4b, 0x6b, 0x16, 0x2d, 0xcc, 0x1a, 0x5e, 0x62, 0x33, 0x81, 0x3b, 0xa0, 0x9e, 0xdf, 0x85, 0x67, 0xfb, 0x57, 0xa8, 0xf7, 0x7, 0xe0, 0x24, 0xab, 0xe0, 0xeb, 0x3c, 0xe9, 0x48, 0x67, 0x5c, 0xd5, 0x18, 0xbb, 0x3b, 0xfd, 0x43, 0x83}, + { 0x4e, 0x2a, 0x30, 0xf7, 0x1c, 0x8f, 0x18, 0xb7, 0x41, 0x84, 0x83, 0x7f, 0x98, 0x1a, 0x90, 0x48, 0x5c, 0xd5, 0x94, 0x3c, 0x7a, 0x18, 0x4a, 0xba, 0x9a, 0xc7, 0x87, 0xd1, 0x79, 0xf1, 0x70, 0x11, 0x4a, 0x96, 0xdd, 0xbb, 0x87, 0x20, 0x86, 0xa, 0x21, 0x3c, 0xc2, 0x89, 0xae, 0x34, 0xf, 0x1f}, + false, + "1 - Message changed" + }, + { + { 0xbc, 0x55, 0x82, 0x96, 0x78, 0x88, 0xa4, 0x25, 0xfb, 0x75, 0x7b, 0xd4, 0x96, 0x59, 0x0, 0xf0, 
0x1e, 0x66, 0x95, 0xd1, 0x54, 0x7e, 0xd9, 0x67, 0xc1, 0xd4, 0xf6, 0x7b, 0x1b, 0x1d, 0xe3, 0x65, 0xd2, 0x3, 0xf4, 0x7, 0x69, 0x87, 0x61, 0x69, 0x9f, 0xec, 0x5f, 0x5a, 0x61, 0x4c, 0x21, 0xe3, 0x6a, 0x9f, 0x57, 0xa8, 0xaa, 0xf8, 0x52, 0xe9, 0x55, 0x38, 0xf5, 0x61, 0x57, 0x85, 0x53, 0x45, 0x68, 0x81, 0x1a, 0x9a, 0x9c, 0xcc, 0x34, 0x98, 0x43, 0xf6, 0xc1, 0x6d, 0xc9, 0xa, 0x4a, 0xc9, 0x6a, 0x8f, 0x72, 0xc3, 0x3d, 0x95, 0x89, 0xa8, 0x60, 0xf4, 0x98, 0x1d, 0x7b, 0x4e, 0xe7, 0x17, 0x3d, 0x1d, 0xb5, 0xd4, 0x9c, 0x43, 0x61, 0x36, 0x85, 0x4, 0xc9, 0xa6, 0xcb, 0xba, 0xed, 0xc2, 0xc9, 0xbf, 0xf2, 0xb1, 0x28, 0x84, 0x37, 0x9b, 0xa9, 0x4, 0x33, 0x69, 0x8c, 0xeb, 0x88, 0x1d}, + { 0xd1, 0x5c, 0xa4, 0xb2, 0xd9, 0x44, 0xd5, 0x53, 0x96, 0x58, 0xa1, 0x9b, 0xe8, 0xef, 0x85, 0x87, 0x4f, 0xc, 0x36, 0x3b, 0x87, 0xf, 0x1c, 0xd1, 0xf2, 0xdc, 0x9c, 0xb6, 0x8b, 0x2a, 0x43, 0xa1, 0xd, 0x37, 0x6, 0x46, 0x97, 0xc8, 0x45, 0x43, 0xe6, 0x9, 0x82, 0xab, 0x62, 0xbb, 0x32, 0xc8}, + { 0x6, 0x2f, 0xb7, 0xdf, 0xc3, 0x79, 0xfc, 0x64, 0x65, 0x30, 0x2a, 0xc5, 0xd8, 0xd1, 0x1d, 0x3b, 0x95, 0x7b, 0x59, 0x4c, 0x9e, 0xf4, 0x45, 0xcf, 0xe8, 0x56, 0x76, 0x5d, 0xd5, 0x9e, 0x6f, 0x10, 0xf1, 0x18, 0x9, 0xe1, 0x15, 0xac, 0x64, 0x96, 0x9b, 0xaa, 0x23, 0x54, 0x3f, 0x2e, 0x56, 0x61}, + { 0xe2, 0xcf, 0x12, 0x3c, 0xe1, 0x5c, 0xa4, 0xed, 0xad, 0x5f, 0x8, 0x77, 0x78, 0xd4, 0x83, 0xd9, 0x53, 0x6e, 0x4a, 0x37, 0xd2, 0xd5, 0x55, 0x99, 0x54, 0x1c, 0x6, 0xf8, 0x78, 0xe6, 0x3, 0x54, 0xaa, 0x31, 0xdf, 0x25, 0xb, 0x2f, 0xc4, 0xed, 0x25, 0x2b, 0x80, 0x21, 0x95, 0x52, 0xc9, 0x58}, + { 0x69, 0x67, 0x7, 0xa7, 0xe3, 0xf9, 0xa4, 0xb9, 0x18, 0xe7, 0xc9, 0x94, 0xe7, 0x33, 0x21, 0x3, 0xd8, 0xe8, 0x16, 0xbb, 0xe6, 0xd0, 0xd1, 0xcf, 0x72, 0x87, 0x73, 0x18, 0xe0, 0x87, 0xed, 0xe, 0x23, 0xb, 0xd, 0x12, 0x69, 0x90, 0x2f, 0x36, 0x9a, 0xcb, 0x43, 0x2b, 0x9e, 0x97, 0xa3, 0x89}, + true, + "P" + }, + { + { 0x4f, 0x31, 0x33, 0x1e, 0x20, 0xa3, 0x27, 0x3d, 0xa8, 0xfc, 0xe6, 0xb0, 0x3f, 0x2a, 0x86, 0x71, 0x2e, 0xd5, 0xdf, 0x41, 0x12, 0xa, 0x81, 0xe9, 0x94, 
0xd2, 0xb2, 0xf3, 0x70, 0xe9, 0x8e, 0xf3, 0x5b, 0x84, 0x7f, 0x30, 0x47, 0xd3, 0xcf, 0x57, 0xe8, 0x83, 0x50, 0xe2, 0x7b, 0x9a, 0xc3, 0xf0, 0x20, 0x73, 0xac, 0x18, 0x38, 0xdb, 0x25, 0xb5, 0xad, 0x47, 0x7a, 0xee, 0x68, 0x93, 0x8, 0x82, 0x30, 0x4f, 0xc0, 0x52, 0xf2, 0x73, 0x82, 0x10, 0x56, 0xdf, 0x75, 0x0, 0xdc, 0x9e, 0xab, 0x3, 0x7e, 0xd3, 0xac, 0x3c, 0x75, 0x39, 0x6e, 0x31, 0x3b, 0xf0, 0xf4, 0xb8, 0x9b, 0x26, 0x67, 0x5a, 0xf5, 0x5f, 0x33, 0x78, 0xcf, 0x9, 0x9d, 0x9d, 0x9a, 0x25, 0xa4, 0x88, 0x7c, 0x1c, 0xfd, 0x24, 0x48, 0xf5, 0xb2, 0x18, 0x8c, 0x41, 0xd6, 0xfa, 0x26, 0x4, 0x5c, 0x5e, 0x97, 0x4b, 0xf3, 0xe4}, + { 0xc8, 0x3d, 0x30, 0xde, 0x9c, 0x4e, 0x18, 0x16, 0x7c, 0xb4, 0x1c, 0x99, 0x7, 0x81, 0xb3, 0x4b, 0x9f, 0xce, 0xb5, 0x27, 0x93, 0xb4, 0x62, 0x7e, 0x69, 0x67, 0x96, 0xc5, 0x80, 0x35, 0x15, 0xdb, 0xc4, 0xd1, 0x42, 0x97, 0x7d, 0x91, 0x4b, 0xc0, 0x4c, 0x15, 0x32, 0x61, 0xcc, 0x5b, 0x53, 0x7f}, + { 0x42, 0x31, 0x8e, 0x5c, 0x15, 0xd6, 0x5c, 0x3f, 0x54, 0x51, 0x89, 0x78, 0x16, 0x19, 0x26, 0x7d, 0x89, 0x92, 0x50, 0xd8, 0xa, 0xcc, 0x61, 0x1f, 0xe7, 0xed, 0x9, 0x43, 0xa0, 0xf5, 0xbf, 0xc9, 0xd4, 0x32, 0x8f, 0xf7, 0xcc, 0xf6, 0x75, 0xae, 0xa, 0xac, 0x6, 0x9c, 0xcb, 0x4b, 0x4d, 0x6e}, + { 0xb5, 0x67, 0xc3, 0x7f, 0x7c, 0x84, 0x10, 0x7e, 0xf7, 0x26, 0x39, 0xe5, 0x20, 0x65, 0x48, 0x6c, 0x2e, 0x5b, 0xf4, 0x12, 0x5b, 0x86, 0x1d, 0x37, 0xea, 0x3b, 0x44, 0xfc, 0xb, 0x75, 0xbc, 0xd9, 0x6d, 0xce, 0xa3, 0xe4, 0xdb, 0xb9, 0xe8, 0xf4, 0xf4, 0x59, 0x23, 0x24, 0xb, 0x2b, 0x9e, 0x44}, + { 0xd0, 0x62, 0x66, 0xe0, 0xf2, 0x7c, 0xfe, 0x4b, 0xe1, 0xc6, 0x21, 0x7, 0x34, 0xa8, 0xfa, 0x68, 0x9a, 0x6c, 0xd1, 0xd6, 0x32, 0x40, 0xcb, 0x19, 0x12, 0x79, 0x61, 0x36, 0x5e, 0x35, 0x89, 0xa, 0x5f, 0x1b, 0x46, 0x4d, 0xcb, 0x43, 0x5, 0xf3, 0xe8, 0x29, 0x5c, 0x6f, 0x84, 0x2e, 0xf3, 0x44}, + false, + "3 - S changed" + } +}; +const size_t ecdsa_p384_test_vectors_count = sizeof(ecdsa_p384_test_vectors) / sizeof(ecdsa_p384_test_vector); +#endif +#endif #if TEST_VECTOR_EC_P521_EN const ecdsa_p521_test_vector 
ecdsa_p521_test_vectors[] = { diff --git a/test/vectors/ecdsa_nist_vectors.h b/test/vectors/ecdsa_nist_vectors.h index c38fbd8b6..82fc6092a 100644 --- a/test/vectors/ecdsa_nist_vectors.h +++ b/test/vectors/ecdsa_nist_vectors.h @@ -85,7 +85,12 @@ typedef struct ATCA_PACKED extern const ecdsa_p384_test_vector ecdsa_p384_s256_test_vectors[]; extern const size_t ecdsa_p384_s256_test_vectors_count; #endif -#endif /* TEST_VECTOR_EC_P384_EN */ + +#ifdef ATCA_TA101_SUPPORT +extern const ecdsa_p384_test_vector ecdsa_p384_test_vectors[]; +extern const size_t ecdsa_p384_test_vectors_count; +#endif +#endif #if TEST_VECTOR_EC_P521_EN typedef struct ATCA_PACKED diff --git a/third_party/hal/esp32/hal_esp32_i2c.c b/third_party/hal/esp32/hal_esp32_i2c.c index cd8cb7887..7185f9417 100644 --- a/third_party/hal/esp32/hal_esp32_i2c.c +++ b/third_party/hal/esp32/hal_esp32_i2c.c @@ -24,22 +24,22 @@ #define I2C0_SCL_PIN 17 #define I2C1_SDA_PIN 21 #define I2C1_SCL_PIN 22 -#define ACK_CHECK_EN 0x1 /*!< I2C master will check ack from slave*/ -#define ACK_CHECK_DIS 0x0 /*!< I2C master will not check ack from slave */ -#define ACK_VAL 0x0 /*!< I2C ack value */ -#define NACK_VAL 0x1 /*!< I2C nack value */ +#define ACK_CHECK_EN 0x1 /*!< I2C master will check ack from slave*/ +#define ACK_CHECK_DIS 0x0 /*!< I2C master will not check ack from slave */ +#define ACK_VAL 0x0 /*!< I2C ack value */ +#define NACK_VAL 0x1 /*!< I2C nack value */ #ifndef LOG_LOCAL_LEVEL #define LOG_LOCAL_LEVEL ESP_LOG_INFO #endif -#define MAX_I2C_BUSES 2 //ESP32 has 2 I2C bus +#define MAX_I2C_BUSES 2 //ESP32 has 2 I2C bus typedef struct atcaI2Cmaster { - int id; + int id; i2c_config_t conf; - int ref_ct; + int ref_ct; } ATCAI2CMaster_t; ATCAI2CMaster_t i2c_hal_data[MAX_I2C_BUSES]; 
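Review bot: In ecdsa_nist_vectors.h the closing `#endif` loses its `/* TEST_VECTOR_EC_P384_EN */` label, and the new `ATCA_TA101_SUPPORT` block adds a second unlabeled `#endif` directly above it. Two bare `#endif` lines in a row make the nesting hard to follow in a header that is mostly conditionals. I would write them as `#endif /* ATCA_TA101_SUPPORT */` and `#endif /* TEST_VECTOR_EC_P384_EN */`. The pair of bare `#endif` lines added after the P-384 table in ecdsa_nist_vectors.c would benefit from the same kind of labels.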
@@ -161,23 +161,36 @@ ATCA_STATUS hal_i2c_post_init(ATCAIface iface) * \param[in] txlength number of bytes to send * \return ATCA_SUCCESS on success, otherwise an error code. */ -ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t address, uint8_t *txdata, int txlength) +ATCA_STATUS hal_i2c_send(ATCAIface iface, uint8_t word_address, uint8_t *txdata, int txlength) { ATCAIfaceCfg *cfg = iface->mIfaceCFG; esp_err_t rc; + uint8_t device_address = 0xFFu; if (!cfg) { return ATCA_BAD_PARAM; } +#ifdef ATCA_ENABLE_DEPRECATED + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.slave_address) +#else + device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.address) +#endif + + //ESP_LOGD(TAG, "txdata: %p , txlength: %d", txdata, txlength); //ESP_LOG_BUFFER_HEXDUMP(TAG, txdata, txlength, 3); i2c_cmd_handle_t cmd = i2c_cmd_link_create(); (void)i2c_master_start(cmd); - (void)i2c_master_write_byte(cmd, address | I2C_MASTER_WRITE, ACK_CHECK_EN); - (void)i2c_master_write(cmd, txdata, txlength, ACK_CHECK_EN); + (void)i2c_master_write_byte(cmd, device_address | I2C_MASTER_WRITE, ACK_CHECK_EN); + (void)i2c_master_write_byte(cmd, word_address, ACK_CHECK_EN); + + if (NULL != txdata && 0u < txlength) + { + (void)i2c_master_write(cmd, txdata, txlength, ACK_CHECK_EN); + } (void)i2c_master_stop(cmd); rc = i2c_master_cmd_begin(cfg->atcai2c.bus, cmd, 10); (void)i2c_cmd_link_delete(cmd); @@ -206,10 +219,10 @@ ATCA_STATUS hal_i2c_receive(ATCAIface iface, uint8_t address, uint8_t *rxdata, u esp_err_t rc; i2c_cmd_handle_t cmd; ATCA_STATUS status = ATCA_COMM_FAIL; - + if ((NULL == cfg) || (NULL == rxlength) || (NULL == rxdata)) { - return ATCA_TRACE(ATCA_INVALID_POINTER, "NULL pointer encountered"); + return ATCA_TRACE(ATCA_BAD_PARAM, "NULL pointer encountered"); } cmd = i2c_cmd_link_create(); diff --git a/third_party/hal/esp32/hal_esp32_timer.c b/third_party/hal/esp32/hal_esp32_timer.c index 0cf6f566d..ee7196632 100644 --- a/third_party/hal/esp32/hal_esp32_timer.c 
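Review bot: Both added assignments to `device_address` inside the `#ifdef ATCA_ENABLE_DEPRECATED` / `#else` block in hal_i2c_send end without a semicolon. Unless `ATCA_IFACECFG_VALUE` supplies its own terminator, the statement runs into the `i2c_cmd_handle_t cmd` declaration and the file will not compile; the lines should read `device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.slave_address);` and `device_address = ATCA_IFACECFG_VALUE(cfg, atcai2c.address);`. The new guard `0u < txlength` also compares a signed `int` with an unsigned constant, so a negative `txlength` converts to a large unsigned value and still reaches `i2c_master_write`; `txlength > 0` keeps the comparison signed. The function body continues past the end of the hunk.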
+++ b/third_party/hal/esp32/hal_esp32_timer.c @@ -19,16 +19,12 @@ extern void ets_delay_us(uint32_t); -void atca_delay_us(uint32_t delay) +void hal_delay_us(uint32_t delay) { ets_delay_us(delay); } -#ifdef ATCA_USE_RTOS_TIMER -void atca_delay_ms_internal(uint32_t msec) -#else -void atca_delay_ms(uint32_t msec) -#endif +void hal_delay_ms(uint32_t msec) { ets_delay_us(msec * 1000); } diff --git a/third_party/hal/zephyr/hal_zephyr.c b/third_party/hal/zephyr/hal_zephyr.c index 8a4f355eb..66f8d0ec3 100644 --- a/third_party/hal/zephyr/hal_zephyr.c +++ b/third_party/hal/zephyr/hal_zephyr.c @@ -127,9 +127,8 @@ ATCA_STATUS hal_unlock_mutex(void * pMutex) } k_mutex_unlock((struct k_mutex*)pMutex); - + return ATCA_SUCCESS; } - /** @} */ diff --git a/third_party/unity/unity_fixture.c b/third_party/unity/unity_fixture.c index 7c4991a98..05ea4b949 100644 --- a/third_party/unity/unity_fixture.c +++ b/third_party/unity/unity_fixture.c @@ -314,17 +314,17 @@ void UnityConcludeFixtureTest(void) Unity.TestFailures++; } else if (UnityFixture.Verbose) - { - UnityPrint(" "); - UnityPrint(UnityStrPass); + { + UnityPrint(" "); + UnityPrint(UnityStrPass); } if (UnityFixture.Verbose) { - UNITY_EXEC_TIME_STOP(); - UNITY_PRINT_EXEC_TIME(); - UNITY_PRINT_EOL(); - } + UNITY_EXEC_TIME_STOP(); + UNITY_PRINT_EXEC_TIME(); + UNITY_PRINT_EOL(); + } else if (Unity.CurrentTestIgnored || Unity.CurrentTestFailed) { UNITY_PRINT_EOL(); diff --git a/third_party/wolfssl_settings.h.in b/third_party/wolfssl_settings.h.in index b2e63c664..173bb16f9 100644 --- a/third_party/wolfssl_settings.h.in +++ b/third_party/wolfssl_settings.h.in @@ -16,8 +16,6 @@ #define HAVE_ALL_CURVES -#define WOLFCRYPT_ONLY - #define WOLFSSL_PEM_TO_DER #define WOLFSSL_VALIDATE_ECC_IMPORT 
@@ -32,6 +30,23 @@ #define NO_MD5 +#define KEEP_OUR_CERT + +#define KEEP_PEER_CERT + +#define NO_ERROR_STRINGS + +#define NO_DH + +#define WOLFSSL_USER_IO + +#define OPENSSL_EXTRA_X509_SMALL + +#define OPENSSL_EXTRA + +#define WOLFSSL_NO_SOCK + +#define NO_PWDBASED #ifdef __cplusplus } /* extern "C" */
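Review bot: None of the nine macros added after `NO_MD5` carries a comment, and together with the removal of `WOLFCRYPT_ONLY` in the previous hunk they appear to turn this from a crypto-only build into one with the TLS layer and the OpenSSL compatibility API compiled in. `OPENSSL_EXTRA` is the full compatibility layer, so defining `OPENSSL_EXTRA_X509_SMALL` beside it looks redundant; if only the X.509 helpers are needed, keeping just the small variant would leave less API surface in the image. `WOLFSSL_USER_IO` with `WOLFSSL_NO_SOCK` means every consumer has to register its own send and receive callbacks, which is worth stating here. I would add one comment per group, for example `/* TLS enabled for <consumer>; transport supplied through custom I/O callbacks */` above `WOLFSSL_USER_IO`. The `#ifdef __cplusplus` block that follows closes outside the visible lines.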