Merge changes from topic "fix-for-hash-lengths" into integration

* changes:
  fix(auth): allow hashes of different lengths
  feat(juno): add mbedtls_asn1_get_len symbol in ROMlib
  feat(fvp): add mbedtls_asn1_get_len symbol in ROMlib

drivers/auth/mbedtls/mbedtls_crypto.c

@@ -172,17 +172,20 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
 	int rc;
 
 	/*
-	 * Digest info should be an MBEDTLS_ASN1_SEQUENCE
-	 * and consume all bytes.
+	 * Digest info should be an MBEDTLS_ASN1_SEQUENCE, but padding after
+	 * it is allowed.  This is necessary to support multiple hash
+	 * algorithms.
 	 */
 	p = (unsigned char *)digest_info_ptr;
 	end = p + digest_info_len;
 	rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
 				  MBEDTLS_ASN1_SEQUENCE);
-	if (rc != 0 || ((size_t)(end - p) != len)) {
+	if (rc != 0) {
 		return CRYPTO_ERR_HASH;
 	}
 
+	end = p + len;
+
 	/* Get the hash algorithm */
 	rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
 	if (rc != 0) {

drivers/auth/mbedtls/mbedtls_x509_parser.c

@@ -135,8 +135,38 @@ static int get_ext(const char *oid, void **ext, unsigned int *ext_len)
 		if ((oid != NULL) &&
 		    ((size_t)oid_len == strlen(oid_str)) &&
 		    (strcmp(oid, oid_str) == 0)) {
+			/* Extension must be ASN.1 DER */
+			if (len < 2) {
+				/* too short */
+				return IMG_PARSER_ERR_FORMAT;
+			}
+
+			if ((p[0] & 0x1F) == 0x1F) {
+				/* multi-byte ASN.1 DER tag, not allowed */
+				return IMG_PARSER_ERR_FORMAT;
+			}
+
+			if ((p[0] & 0xDF) == 0) {
+				/* UNIVERSAL 0 tag, not allowed */
+				return IMG_PARSER_ERR_FORMAT;
+			}
+
 			*ext = (void *)p;
 			*ext_len = (unsigned int)len;
+
+			/* Advance past the tag byte */
+			p++;
+
+			if (mbedtls_asn1_get_len(&p, end_ext_data, &len)) {
+				/* not valid DER */
+				return IMG_PARSER_ERR_FORMAT;
+			}
+
+			if (p + len != end_ext_data) {
+				/* junk after ASN.1 object */
+				return IMG_PARSER_ERR_FORMAT;
+			}
+
 			return IMG_PARSER_OK;
 		}
 

plat/arm/board/fvp/jmptbl.i

@@ -43,6 +43,7 @@ mbedtls mbedtls_asn1_get_alg_null
 mbedtls mbedtls_asn1_get_bitstring_null
 mbedtls mbedtls_asn1_get_bool
 mbedtls mbedtls_asn1_get_int
+mbedtls mbedtls_asn1_get_len
 mbedtls mbedtls_asn1_get_tag
 mbedtls mbedtls_free
 mbedtls mbedtls_md

plat/arm/board/juno/jmptbl.i

@@ -41,6 +41,7 @@ mbedtls mbedtls_asn1_get_alg_null
 mbedtls mbedtls_asn1_get_bitstring_null
 mbedtls mbedtls_asn1_get_bool
 mbedtls mbedtls_asn1_get_int
+mbedtls mbedtls_asn1_get_len
 mbedtls mbedtls_asn1_get_tag
 mbedtls mbedtls_free
 mbedtls mbedtls_md