yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 06:25:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'mbedtls/development' into montgomery-keys-clarification

Browse Source
This commit is contained in:
Steven Cooreman 2020-07-13 11:48:21 +02:00
commit aec44e9fe8
377 changed files with 7759 additions and 4963 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
3rdparty/CMakeLists.txt vendored
View File

@ -1,11 +1,17 @@
list (APPEND thirdparty_src)
list (APPEND thirdparty_lib)
list (APPEND thirdparty_inc_public)
list (APPEND thirdparty_inc)
list (APPEND thirdparty_def)
add_subdirectory(everest)
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
if(${result} EQUAL 0)
add_subdirectory(everest)
endif()
set(thirdparty_src ${thirdparty_src} PARENT_SCOPE)
set(thirdparty_lib ${thirdparty_lib} PARENT_SCOPE)
set(thirdparty_inc_public ${thirdparty_inc_public} PARENT_SCOPE)
set(thirdparty_inc ${thirdparty_inc} PARENT_SCOPE)
set(thirdparty_def ${thirdparty_def} PARENT_SCOPE)

25
3rdparty/everest/CMakeLists.txt vendored
View File

@ -1,4 +1,5 @@
list (APPEND everest_src)
list (APPEND everest_inc_public)
list (APPEND everest_inc)
list (APPEND everest_def)
@ -8,24 +9,20 @@ set(everest_src
${CMAKE_CURRENT_SOURCE_DIR}/library/Hacl_Curve25519_joined.c
)
list(APPEND everest_inc ${CMAKE_CURRENT_SOURCE_DIR}/include ${CMAKE_CURRENT_SOURCE_DIR}/include/everest ${CMAKE_CURRENT_SOURCE_DIR}/include/everest/kremlib)
list(APPEND everest_inc_public ${CMAKE_CURRENT_SOURCE_DIR}/include)
list(APPEND everest_inc ${CMAKE_CURRENT_SOURCE_DIR}/include/everest ${CMAKE_CURRENT_SOURCE_DIR}/include/everest/kremlib)
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
if(INSTALL_MBEDTLS_HEADERS)
if(${result} EQUAL 0)
install(DIRECTORY include/everest
DESTINATION include
FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
FILES_MATCHING PATTERN "*.h")
if(INSTALL_MBEDTLS_HEADERS)
install(DIRECTORY include/everest
DESTINATION include
FILE_PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ
DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
FILES_MATCHING PATTERN "*.h")
endif(INSTALL_MBEDTLS_HEADERS)
endif()
endif(INSTALL_MBEDTLS_HEADERS)
set(thirdparty_src ${thirdparty_src} ${everest_src} PARENT_SCOPE)
set(thirdparty_inc_public ${thirdparty_inc_public} ${everest_inc_public} PARENT_SCOPE)
set(thirdparty_inc ${thirdparty_inc} ${everest_inc} PARENT_SCOPE)
set(thirdparty_def ${thirdparty_def} ${everest_def} PARENT_SCOPE)

6
3rdparty/everest/library/Hacl_Curve25519_joined.c vendored
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)

6
3rdparty/everest/library/everest.c vendored
View File

@ -19,11 +19,7 @@
* This file is part of Mbed TLS (https://tls.mbed.org).
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#include <string.h>

6
3rdparty/everest/library/x25519.c vendored
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)

70
CMakeLists.txt
View File

@ -1,3 +1,21 @@
#
# CMake build system design considerations:
#
# - Include directories:
# + Do not define include directories globally using the include_directories
# command but rather at the target level using the
# target_include_directories command. That way, it is easier to guarantee
# that targets are built using the proper list of include directories.
# + Use the PUBLIC and PRIVATE keywords to specifiy the scope of include
# directories. That way, a target linking to a library (using the
# target_link_librairies command) inherits from the library PUBLIC include
# directories and not from the PRIVATE ones.
# + Note: there is currently one remaining include_directories command in the
# CMake files. It is related to ZLIB support which is planned to be removed.
# When the support is removed, the associated include_directories command
# will be removed as well as this note.
#
cmake_minimum_required(VERSION 2.6)
if(TEST_CPP)
project("mbed TLS" C CXX)
@ -51,18 +69,29 @@ set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
"${WARNING_BORDER}")
# Python 3 is only needed here to check for configuration warnings.
find_package(PythonInterp 3)
if(PYTHONINTERP_FOUND)
if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
set(Python3_FIND_STRATEGY LOCATION)
find_package(Python3 COMPONENTS Interpreter)
if(Python3_Interpreter_FOUND)
set(MBEDTLS_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
endif()
else()
find_package(PythonInterp 3)
if(PYTHONINTERP_FOUND)
set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
endif()
endif()
if(MBEDTLS_PYTHON_EXECUTABLE)
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
RESULT_VARIABLE result)
if(${result} EQUAL 0)
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
endif()
# If NULL Entropy is configured, display an appropriate warning
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
RESULT_VARIABLE result)
if(${result} EQUAL 0)
message(WARNING ${NULL_ENTROPY_WARNING})
@ -136,7 +165,10 @@ if(CMAKE_COMPILER_IS_GNU)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
endif()
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow -Wformat-signedness")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
endif()
if (GCC_VERSION VERSION_GREATER 5.0)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
endif()
set(CMAKE_C_FLAGS_RELEASE "-O2")
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
@ -194,9 +226,6 @@ else()
set(LIB_INSTALL_DIR lib)
endif()
include_directories(include/)
include_directories(library/)
if(ENABLE_ZLIB_SUPPORT)
find_package(ZLIB)
@ -208,12 +237,33 @@ endif(ENABLE_ZLIB_SUPPORT)
add_subdirectory(include)
add_subdirectory(3rdparty)
include_directories(${thirdparty_inc})
list(APPEND libs ${thirdparty_lib})
add_definitions(${thirdparty_def})
add_subdirectory(library)
#
# The C files in tests/src directory contain test code shared among test suites
# and programs. This shared test code is compiled and linked to test suites and
# programs objects as a set of compiled objects. The compiled objects are NOT
# built into a library that the test suite and program objects would link
# against as they link against the mbedcrypto, mbedx509 and mbedtls libraries.
# The reason is that such library is expected to have mutual dependencies with
# the aforementioned libraries and that there is as of today no portable way of
# handling such dependencies (only toolchain specific solutions).
#
# Thus the below definition of the `mbedtls_test` CMake library of objects
# target. This library of objects is used by tests and programs CMake files
# to define the test executables.
#
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c)
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
target_include_directories(mbedtls_test
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
endif()
if(ENABLE_PROGRAMS)
add_subdirectory(programs)
endif()

123
ChangeLog
View File

@ -1,5 +1,128 @@
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS 2.23.0 branch released 2020-07-01
Default behavior changes
* In the experimental PSA secure element interface, change the encoding of
key lifetimes to encode a persistence level and the location. Although C
prototypes do not effectively change, code calling
psa_register_se_driver() must be modified to pass the driver's location
instead of the keys' lifetime. If the library is upgraded on an existing
device, keys created with the old lifetime value will not be readable or
removable through Mbed TLS after the upgrade.
Features
* New functions in the error module return constant strings for
high- and low-level error codes, complementing mbedtls_strerror()
which constructs a string for any error code, including compound
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
in #3176.
* The new utility programs/ssl/ssl_context_info prints a human-readable
dump of an SSL context saved with mbedtls_ssl_context_save().
* Add support for midipix, a POSIX layer for Microsoft Windows.
* Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
parsing unsupported certificate extensions via user provided callback.
Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
a solution to #3241.
* Pass the "certificate policies" extension to the callback supplied to
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
policies (#3419).
* Added support to entropy_poll for the kern.arandom syscall supported on
some BSD systems. Contributed by Nia Alarie in #3423.
* Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
Security
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
Strackx (Fortanix) in #3394.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
private key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros). This would cause the original Lucky 13 attack to be possible in
those configurations, allowing an active network attacker to recover
plaintext after repeated timing measurements under some conditions.
Reported and fix suggested by Luc Perneel in #3246.
Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
the example programs. Reported in #1430 and fix contributed by irwir.
* Fix undefined behavior in X.509 certificate parsing if the
pathLenConstraint basic constraint value is equal to INT_MAX.
The actual effect with almost every compiler is the intended
behavior, so this is unlikely to be exploitable anywhere. #3192
* Fix issue with a detected HW accelerated record error not being exposed
due to shadowed variable. Contributed by Sander Visser in #3310.
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
NULL pointer argument. Contributed by Sander Visser in #3312.
* Fix potential linker errors on dual world platforms by inlining
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
from psa_crypto.c. Fixes #3300.
* Remove dead code in X.509 certificate parsing. Contributed by irwir in
#2855.
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
* Remove unused macros from MSVC projects. Reported in #3297 and fix
submitted in #3333 by irwir.
* Add additional bounds checks in ssl_write_client_hello() preventing
output buffer overflow if the configuration declared a buffer that was
too small.
* Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
fix submitted in #3421 by Nia Alarie.
* Fix building library/net_sockets.c and the ssl_mail_client program on
NetBSD. Contributed by Nia Alarie in #3422.
* Fix false positive uninitialised variable reported by cpp-check.
Contributed by Sander Visser in #3311.
* Update iv and len context pointers manually when reallocating buffers
using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
when receiving a connection with CID, when these fields were shifted
in ssl_parse_record_header().
Changes
* Fix warnings about signedness issues in format strings. The build is now
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
in #3153.
* Fix minor performance issue in operations on Curve25519 caused by using a
suboptimal modular reduction in one place. Found and fix contributed by
Aurelien Jarno in #3209.
* Combine identical cases in switch statements in md.c. Contributed
by irwir in #3208.
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
by irwir in #3150.
* Unify the example programs termination to call mbedtls_exit() instead of
using a return command. This has been done to enable customization of the
behavior in bare metal environments.
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
Contributed by Koh M. Nakagawa in #3326.
* Use FindPython3 when cmake version >= 3.15.0
* Abort the ClientHello writing function as soon as some extension doesn't
fit into the record buffer. Previously, such extensions were silently
dropped. As a consequence, the TLS handshake now fails when the output
buffer is not large enough to hold the ClientHello.
* The unit tests now rely on header files in tests/include/test and source
files in tests/src. When building with make or cmake, the files in
tests/src are compiled and the resulting object linked into each test
executable.
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
coutermeasures. If side channels are not a concern, this dependency can
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
* Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
Martinho. #3147
* Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
in #3182 and fix submitted by irwir. #3217
* Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
= mbed TLS 2.22.0 branch released 2020-04-14
New deprecations

4
ChangeLog.d/bugfix.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
the example programs. Reported in #1430 and fix contributed by irwir.

2
ChangeLog.d/bugfix_PR2855.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.

3
ChangeLog.d/bugfix_PR3452.txt Normal file
View File

@ -0,0 +1,3 @@
Bugfix
* Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined.
Reported in #3451 and fix contributed in #3452 by okhowang.

3
ChangeLog.d/cmake-install.txt Normal file
View File

@ -0,0 +1,3 @@
Bugfix
* Library files installed after a CMake build no longer have execute
permission.

4
ChangeLog.d/do_not_persist_volatile_external_keys.txt Normal file
View File

@ -0,0 +1,4 @@
Default behavior changes
* Stop storing persistent information about externally stored keys created
through PSA Crypto with a volatile lifetime. Reported in #3288 and
contributed by Steven Cooreman in #3382.

2
ChangeLog.d/error-asn1.txt
View File

@ -1,2 +0,0 @@
Bugfix
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.

6
ChangeLog.d/error_const.txt
View File

@ -1,6 +0,0 @@
Features
* New functions in the error module return constant strings for
high- and low-level error codes, complementing mbedtls_strerror()
which constructs a string for any error code, including compound
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
in #3176.

4
ChangeLog.d/fix-ecp_double_add_mxz.txt
View File

@ -1,4 +0,0 @@
Changes
* Fix minor performance issue in operations on Curve25519 caused by using a
suboptimal modular reduction in one place. Found and fix contributed by
Aurelien Jarno in #3209.

3
ChangeLog.d/fix-gcc-format-signedness-warnings.txt
View File

@ -1,3 +0,0 @@
Changes
* Fix warnings about signedness issues in format strings. The build is now
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153.

3
ChangeLog.d/fix-masked-hw-record-init-error.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Fix issue with a detected HW accelerated record error not being exposed
due to shadowed variable. Contributed by Sander Visser in #3310.

3
ChangeLog.d/fix-null-ptr-deref-in-mbedtls_ssl_free.txt
View File

@ -1,3 +0,0 @@
Bugfix
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
NULL pointer argument. Contributed by Sander Visser in #3312.

3
ChangeLog.d/fix-print-non-ascii-string-in-mbedtls_x509_dn_gets.txt
View File

@ -1,3 +0,0 @@
Changes
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
Contributed by Koh M. Nakagawa in #3326.

3
ChangeLog.d/format-signedness.txt Normal file
View File

@ -0,0 +1,3 @@
Changes
* Only pass -Wformat-signedness to versions of GCC that support it. Reported
in #3478 and fix contributed in #3479 by okhowang.

4
ChangeLog.d/inline-mbedtls_gcc_group_to_psa.txt
View File

@ -1,4 +0,0 @@
Bugfix
* Fix potential linker errors on dual world platforms by inlining
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
from psa_crypto.c. Fixes #3300.

5
ChangeLog.d/max_pathlen.txt
View File

@ -1,5 +0,0 @@
Bugfix
* Fix undefined behavior in X.509 certificate parsing if the
pathLenConstraint basic constraint value is equal to INT_MAX.
The actual effect with almost every compiler is the intended
behavior, so this is unlikely to be exploitable anywhere. #3192

3
ChangeLog.d/md_switch.txt
View File

@ -1,3 +0,0 @@
Changes
* Combine identical cases in switch statements in md.c. Contributed
by irwir in #3208.

2
ChangeLog.d/midipix-support.txt
View File

@ -1,2 +0,0 @@
Features
* Add support for midipix, a POSIX layer for Microsoft Windows.

8
ChangeLog.d/psa-lifetime-locations.txt
View File

@ -1,8 +0,0 @@
Default behavior changes
* In the experimental PSA secure element interface, change the encoding of
key lifetimes to encode a persistence level and the location. Although C
prototypes do not effectively change, code calling
psa_register_se_driver() must be modified to pass the driver's location
instead of the keys' lifetime. If the library is upgraded on an existing
device, keys created with the old lifetime value will not be readable or
removable through Mbed TLS after the upgrade.

9
ChangeLog.d/psa_ecc_dh_macros.txt Normal file
View File

@ -0,0 +1,9 @@
API changes
* In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to
psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0.
Rename associated macros as well:
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY

3
ChangeLog.d/ssl_context_info.txt
View File

@ -1,3 +0,0 @@
Features
* The new utility programs/ssl/ssl_context_info prints a human-readable
dump of an SSL context saved with mbedtls_ssl_context_save().

3
ChangeLog.d/ssl_write_certificate_request.txt
View File

@ -1,3 +0,0 @@
Changes
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
by irwir in #3150.

4
ChangeLog.d/unified-exit-in-examples.txt
View File

@ -1,4 +0,0 @@
Changes
* Unify the example programs termination to call mbedtls_exit() instead of
using a return command. This has been done to enable customization of the
behavior in bare metal environments.

4
ChangeLog.d/x509write_csr_heap_alloc.txt Normal file
View File

@ -0,0 +1,4 @@
Changes
* Reduce the stack consumption of mbedtls_x509write_csr_der() which
previously could lead to stack overflow on constrained devices.
Contributed by Doru Gucea and Simon Leet in #3464.

15
Makefile
View File

@ -10,15 +10,18 @@ all: programs tests
no_test: programs
programs: lib
programs: lib mbedtls_test
$(MAKE) -C programs
lib:
$(MAKE) -C library
tests: lib
tests: lib mbedtls_test
$(MAKE) -C tests
mbedtls_test:
$(MAKE) -C tests mbedtls_test
ifndef WINDOWS
install: no_test
mkdir -p $(DESTDIR)/include/mbedtls
@ -107,11 +110,11 @@ covtest:
lcov:
rm -rf Coverage
lcov --capture --initial --directory library -o files.info
lcov --capture --directory library -o tests.info
lcov --add-tracefile files.info --add-tracefile tests.info -o all.info
lcov --remove all.info -o final.info '*.h'
lcov --rc lcov_branch_coverage=1 --capture --directory library -o tests.info
lcov --rc lcov_branch_coverage=1 --add-tracefile files.info --add-tracefile tests.info -o all.info
lcov --rc lcov_branch_coverage=1 --remove all.info -o final.info '*.h'
gendesc tests/Descriptions.txt -o descriptions
genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info
genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --branch-coverage -o Coverage final.info
rm -f files.info tests.info all.info final.info descriptions
apidoc:

2
docs/architecture/Makefile
View File

@ -5,6 +5,7 @@ default: all
all_markdown = \
mbed-crypto-storage-specification.md \
testing/driver-interface-test-strategy.md \
testing/invasive-testing.md \
testing/test-framework.md \
# This line is intentionally left blank
@ -22,3 +23,4 @@ all: html pdf
clean:
rm -f *.html *.pdf
rm -f testing/*.html testing/*.pdf

367
docs/architecture/testing/invasive-testing.md Normal file
View File

@ -0,0 +1,367 @@
# Mbed TLS invasive testing strategy
## Introduction
In Mbed TLS, we use black-box testing as much as possible: test the documented behavior of the product, in a realistic environment. However this is not always sufficient.
The goal of this document is to identify areas where black-box testing is insufficient and to propose solutions.
This is a test strategy document, not a test plan. A description of exactly what is tested is out of scope.
This document is structured as follows:
* [“Rules”](#rules) gives general rules and is written for brevity.
* [“Requirements”](#requirements) explores the reasons why invasive testing is needed and how it should be done.
* [“Possible approaches”](#possible-approaches) discusses some general methods for non-black-box testing.
* [“Solutions”](#solutions) explains how we currently solve, or intend to solve, specific problems.
### TLS
This document currently focuses on data structure manipulation and storage, which is what the crypto/keystore and X.509 parts of the library are about. More work is needed to fully take TLS into account.
## Rules
Always follow these rules unless you have a good reason not to. If you deviate, document the rationale somewhere.
See the section [“Possible approaches”](#possible-approaches) for a rationale.
### Interface design for testing
Do not add test-specific interfaces if there's a practical way of doing it another way. All public interfaces should be useful in at least some configurations. Features with a significant impact on the code size or attack surface should have a compile-time guard.
### Reliance on internal details
In unit tests and in test programs, it's ok to include header files from `library/`. Do not define non-public interfaces in public headers (`include/mbedtls` has `*_internal.h` headers for legacy reasons, but this approach is deprecated). In contrast, sample programs must not include header files from `library/`.
Sometimes it makes sense to have unit tests on functions that aren't part of the public API. Declare such functions in `library/*.h` and include the corresponding header in the test code. If the function should be `static` for optimization but can't be `static` for testing, declare it as `MBEDTLS_STATIC_TESTABLE`, and make the tests that use it depend on `MBEDTLS_TEST_HOOKS` (see [“rules for compile-time options”](#rules-for-compile-time-options)).
If test code or test data depends on internal details of the library and not just on its documented behavior, add a comment in the code that explains the dependency. For example:
> ```
> /* This test file is specific to the ITS implementation in PSA Crypto
> * on top of stdio. It expects to know what the stdio name of a file is
> * based on its keystore name.
> */
> ```
> ```
> # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes
> # and not expected to be raised any time soon) is less than the maximum
> # output from HKDF-SHA512 (255*64 = 16320 bytes).
> ```
### Rules for compile-time options
If the most practical way to test something is to add code to the product that is only useful for testing, do so, but obey the following rules. For more information, see the [rationale](#guidelines-for-compile-time-options).
* **Only use test-specific code when necessary.** Anything that can be tested through the documented API must be tested through the documented API.
* **Test-specific code must be guarded by `#if defined(MBEDTLS_TEST_HOOKS)`**. Do not create fine-grained guards for test-specific code.
* **Do not use `MBEDTLS_TEST_HOOKS` for security checks or assertions.** Security checks belong in the product.
* **Merely defining `MBEDTLS_TEST_HOOKS` must not change the behavior**. It may define extra functions. It may add fields to structures, but if so, make it very clear that these fields have no impact on non-test-specific fields.
* **Where tests must be able to change the behavior, do it by function substitution.** See [“rules for function substitution”](#rules-for-function-substitution) for more details.
#### Rules for function substitution
This section explains how to replace a library function `mbedtls_foo()` by alternative code for test purposes. That is, library code calls `mbedtls_foo()`, and there is a mechanism to arrange for these calls to invoke different code.
Often `mbedtls_foo` is a macro which is defined to be a system function (like `mbedtls_calloc` or `mbedtls_fopen`), which we replace to mock or wrap the system function. This is useful to simulate I/O failure, for example. Note that if the macro can be replaced at compile time to support alternative platforms, the test code should be compatible with this compile-time configuration so that it works on these alternative platforms as well.
Sometimes the substitutable function is a `static inline` function that does nothing (not a macro, to avoid accidentally skipping side effects in its parameters), to provide a hook for test code; such functions should have a name that starts with the prefix `mbedtls_test_hook_`. In such cases, the function should generally not modify its parameters, so any pointer argument should be const. The function should return void.
With `MBEDTLS_TEST_HOOKS` set, `mbedtls_foo` is a global variable of function pointer type. This global variable is initialized to the system function, or to a function that does nothing. The global variable is defined in a header in the `library` directory such as `psa_crypto_invasive.h`. This is similar to the platform function configuration mechanism with `MBEDTLS_PLATFORM_xxx_ALT`.
In unit test code that needs to modify the internal behavior:
* The test function (or the whole test file) must depend on `MBEDTLS_TEST_HOOKS`.
* At the beginning of the test function, set the global function pointers to the desired value.
* In the test function's cleanup code, restore the global function pointers to their default value.
## Requirements
### General goals
We need to balance the following goals, which are sometimes contradictory.
* Coverage: we need to test behaviors which are not easy to trigger by using the API or which cannot be triggered deterministically, for example I/O failures.
* Correctness: we want to test the actual product, not a modified version, since conclusions drawn from a test of a modified product may not apply to the real product.
* Effacement: the product should not include features that are solely present for test purposes, since these increase the attack surface and the code size.
* Portability: tests should work on every platform. Skipping tests on certain platforms may hide errors that are only apparent on such platforms.
* Maintainability: tests should only enforce the documented behavior of the product, to avoid extra work when the product's internal or implementation-specific behavior changes. We should also not give the impression that whatever the tests check is guaranteed behavior of the product which cannot change in future versions.
Where those goals conflict, we should at least mitigate the goals that cannot be fulfilled, and document the architectural choices and their rationale.
### Problem areas
#### Allocation
Resource allocation can fail, but rarely does so in a typical test environment. How does the product cope if some allocations fail?
Resources include:
* Memory.
* Files in storage (PSA API only — in the Mbed TLS API, black-box unit tests are sufficient).
* Key handles (PSA API only).
* Key slots in a secure element (PSA SE HAL).
* Communication handles (PSA crypto service only).
#### Storage
Storage can fail, either due to hardware errors or to active attacks on trusted storage. How does the code cope if some storage accesses fail?
We also need to test resilience: if the system is reset during an operation, does it restart in a correct state?
#### Cleanup
When code should clean up resources, how do we know that they have truly been cleaned up?
* Zeroization of confidential data after use.
* Freeing memory.
* Closing key handles.
* Freeing key slots in a secure element.
* Deleting files in storage (PSA API only).
#### Internal data
Sometimes it is useful to peek or poke internal data.
* Check consistency of internal data (e.g. output of key generation).
* Check the format of files (which matters so that the product can still read old files after an upgrade).
* Inject faults and test corruption checks inside the product.
## Possible approaches
Key to requirement tables:
* ++ requirement is fully met
* \+ requirement is mostly met
* ~ requirement is partially met but there are limitations
* ! requirement is somewhat problematic
* !! requirement is very problematic
### Fine-grained public interfaces
We can include all the features we want to test in the public interface. Then the tests can be truly black-box. The limitation of this approach is that this requires adding a lot of interfaces that are not useful in production. These interfaces have costs: they increase the code size, the attack surface, and the testing burden (exponentially, because we need to test all these interfaces in combination).
As a rule, we do not add public interfaces solely for testing purposes. We only add public interfaces if they are also useful in production, at least sometimes. For example, the main purpose of `mbedtls_psa_crypto_free` is to clean up all resources in tests, but this is also useful in production in some applications that only want to use PSA Crypto during part of their lifetime.
Mbed TLS traditionally has very fine-grained public interfaces, with many platform functions that can be substituted (`MBEDTLS_PLATFORM_xxx` macros). PSA Crypto has more opacity and less platform substitution macros.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ~ Many useful tests are not reasonably achievable |
| Correctness | ++ Ideal |
| Effacement | !! Requires adding many otherwise-useless interfaces |
| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
| Maintainability | !! Combinatorial explosion on the testing burden |
| | ! Public interfaces must remain for backward compatibility even if the test architecture changes |
### Fine-grained undocumented interfaces
We can include all the features we want to test in undocumented interfaces. Undocumented interfaces are described in public headers for the sake of the C compiler, but are described as “do not use” in comments (or not described at all) and are not included in Doxygen-rendered documentation. This mitigates some of the downsides of [fine-grained public interfaces](#fine-grained-public-interfaces), but not all. In particular, the extra interfaces do increase the code size, the attack surface and the test surface.
Mbed TLS traditionally has a few internal interfaces, mostly intended for cross-module abstraction leakage rather than for testing. For the PSA API, we favor [internal interfaces](#internal-interfaces).
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ~ Many useful tests are not reasonably achievable |
| Correctness | ++ Ideal |
| Effacement | !! Requires adding many otherwise-useless interfaces |
| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
| Maintainability | ! Combinatorial explosion on the testing burden |
### Internal interfaces
We can write tests that call internal functions that are not exposed in the public interfaces. This is nice when it works, because it lets us test the unchanged product without compromising the design of the public interface.
A limitation is that these interfaces must exist in the first place. If they don't, this has mostly the same downside as public interfaces: the extra interfaces increase the code size and the attack surface for no direct benefit to the product.
Another limitation is that internal interfaces need to be used correctly. We may accidentally rely on internal details in the tests that are not necessarily always true (for example that are platform-specific). We may accidentally use these internal interfaces in ways that don't correspond to the actual product.
This approach is mostly portable since it only relies on C interfaces. A limitation is that the test-only interfaces must not be hidden at link time (but link-time hiding is not something we currently do). Another limitation is that this approach does not work for users who patch the library by replacing some modules; this is a secondary concern since we do not officially offer this as a feature.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ~ Many useful tests require additional internal interfaces |
| Correctness | + Does not require a product change |
| | ~ The tests may call internal functions in a way that does not reflect actual usage inside the product |
| Effacement | ++ Fine as long as the internal interfaces aren't added solely for test purposes |
| Portability | + Fine as long as we control how the tests are linked |
| | ~ Doesn't work if the users rewrite an internal module |
| Maintainability | + Tests interfaces that are documented; dependencies in the tests are easily noticed when changing these interfaces |
### Static analysis
If we guarantee certain properties through static analysis, we don't need to test them. This puts some constraints on the properties:
* We need to have confidence in the specification (but we can gain this confidence by evaluating the specification on test data).
* This does not work for platform-dependent properties unless we have a formal model of the platform.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ~ Good for platform-independent properties, if we can guarantee them statically |
| Correctness | + Good as long as we have confidence in the specification |
| Effacement | ++ Zero impact on the code |
| Portability | ++ Zero runtime burden |
| Maintainability | ~ Static analysis is hard, but it's also helpful |
### Compile-time options
If there's code that we want to have in the product for testing, but not in production, we can add a compile-time option to enable it. This is very powerful and usually easy to use, but comes with a major downside: we aren't testing the same code anymore.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ++ Most things can be tested that way |
| Correctness | ! Difficult to ensure that what we test is what we run |
| Effacement | ++ No impact on the product when built normally or on the documentation, if done right |
| | ! Risk of getting “no impact” wrong |
| Portability | ++ It's just C code so it works everywhere |
| | ~ Doesn't work if the users rewrite an internal module |
| Maintainability | + Test interfaces impact the product source code, but at least they're clearly marked as such in the code |
#### Guidelines for compile-time options
* **Minimize the number of compile-time options.**<br>
Either we're testing or we're not. Fine-grained options for testing would require more test builds, especially if combinatorics enters the play.
* **Merely enabling the compile-time option should not change the behavior.**<br>
When building in test mode, the code should have exactly the same behavior. Changing the behavior should require some action at runtime (calling a function or changing a variable).
* **Minimize the impact on code**.<br>
We should not have test-specific conditional compilation littered through the code, as that makes the code hard to read.
### Runtime instrumentation
Some properties can be tested through runtime instrumentation: have the compiler or a similar tool inject something into the binary.
* Sanitizers check for certain bad usage patterns (ASan, MSan, UBSan, Valgrind).
* We can inject external libraries at link time. This can be a way to make system functions fail.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ! Limited scope |
| Correctness | + Instrumentation generally does not affect the program's functional behavior |
| Effacement | ++ Zero impact on the code |
| Portability | ~ Depends on the method |
| Maintainability | ~ Depending on the instrumentation, this may require additional builds and scripts |
| | + Many properties come for free, but some require effort (e.g. the test code itself must be leak-free to avoid false positives in a leak detector) |
### Debugger-based testing
If we want to do something in a test that the product isn't capable of doing, we can use a debugger to read or modify the memory, or hook into the code at arbitrary points.
This is a very powerful approach, but it comes with limitations:
* The debugger may introduce behavior changes (e.g. timing). If we modify data structures in memory, we may do so in a way that the code doesn't expect.
* Due to compiler optimizations, the memory may not have the layout that we expect.
* Writing reliable debugger scripts is hard. We need to have confidence that we're testing what we mean to test, even in the face of compiler optimizations. Languages such as gdb make it hard to automate even relatively simple things such as finding the place(s) in the binary corresponding to some place in the source code.
* Debugger scripts are very much non-portable.
| Requirement | Analysis |
| ----------- | -------- |
| Coverage | ++ The sky is the limit |
| Correctness | ++ The code is unmodified, and tested as compiled (so we even detect compiler-induced bugs) |
| | ! Compiler optimizations may hinder |
| | ~ Modifying the execution may introduce divergence |
| Effacement | ++ Zero impact on the code |
| Portability | !! Not all environments have a debugger, and even if they do, we'd need completely different scripts for every debugger |
| Maintainability | ! Writing reliable debugger scripts is hard |
| | !! Very tight coupling with the details of the source code and even with the compiler |
## Solutions
This section lists some strategies that are currently used for invasive testing, or planned to be used. This list is not intended to be exhaustive.
### Memory management
#### Zeroization testing
Goal: test that `mbedtls_platform_zeroize` does wipe the memory buffer.
Solution ([debugger](#debugger-based-testing)): implemented in `tests/scripts/test_zeroize.gdb`.
Rationale: this cannot be tested by adding C code, because the danger is that the compiler optimizes the zeroization away, and any C code that observes the zeroization would cause the compiler not to optimize it away.
#### Memory cleanup
Goal: test the absence of memory leaks.
Solution ([instrumentation](#runtime-instrumentation)): run tests with ASan. (We also use Valgrind, but it's slower than ASan, so we favor ASan.)
Since we run many test jobs with a memory leak detector, each test function or test program must clean up after itself. Use the cleanup code (after the `exit` label in test functions) to free any memory that the function may have allocated.
#### Robustness against memory allocation failure
Solution: TODO. We don't test this at all at this point.
#### PSA key store memory cleanup
Goal: test the absence of resource leaks in the PSA key store code, in particular that `psa_close_key` and `psa_destroy_key` work correctly.
Solution ([internal interface](#internal-interfaces)): in most tests involving PSA functions, the cleanup code explicitly calls `PSA_DONE()` instead of `mbedtls_psa_crypto_free()`. `PSA_DONE` fails the test if the key store in memory is not empty.
Note there must also be tests that call `mbedtls_psa_crypto_free` with keys still open, to verify that it does close all keys.
`PSA_DONE` is a macro defined in `psa_crypto_helpers.h` which uses `mbedtls_psa_get_stats()` to get information about the keystore content before calling `mbedtls_psa_crypto_free()`. This feature is mostly but not exclusively useful for testing, and may be moved under `MBEDTLS_TEST_HOOKS`.
### PSA storage
#### PSA storage cleanup on success
Goal: test that no stray files are left over in the key store after a test that succeeded.
Solution: TODO. Currently the various test suites do it differently.
#### PSA storage cleanup on failure
Goal: ensure that no stray files are left over in the key store even if a test has failed (as that could cause other tests to fail).
Solution: TODO. Currently the various test suites do it differently.
#### PSA storage resilience
Goal: test the resilience of PSA storage against power failures.
Solution: TODO.
See the [secure element driver interface test strategy](driver-interface-test-strategy.html) for more information.
#### Corrupted storage
Goal: test the robustness against corrupted storage.
Solution ([internal interface](#internal-interfaces)): call `psa_its` functions to modify the storage.
#### Storage read failure
Goal: test the robustness against read errors.
Solution: TODO
#### Storage write failure
Goal: test the robustness against write errors (`STORAGE_FAILURE` or `INSUFFICIENT_STORAGE`).
Solution: TODO
#### Storage format stability
Goal: test that the storage format does not change between versions (or if it does, an upgrade path must be provided).
Solution ([internal interface](#internal-interfaces)): call internal functions to inspect the content of the file.
Note that the storage format is defined not only by the general layout, but also by the numerical values of encodings for key types and other metadata. For numerical values, there is a risk that we would accidentally modify a single value or a few values, so the tests should be exhaustive. This probably requires some compile-time analysis (perhaps the automation for `psa_constant_names` can be used here). TODO
### Other fault injection
#### PSA crypto init failure
Goal: test the failure of `psa_crypto_init`.
Solution ([compile-time option](#compile-time-options)): replace entropy initialization functions by functions that can fail. This is the only failure point for `psa_crypto_init` that is present in all builds.
When we implement the PSA entropy driver interface, this should be reworked to use the entropy driver interface.
#### PSA crypto data corruption
The PSA crypto subsystem has a few checks to detect corrupted data in memory. We currently don't have a way to exercise those checks.
Solution: TODO. To corrupt a multipart operation structure, we can do it by looking inside the structure content, but only when running without isolation. To corrupt the key store, we would need to add a function to the library or to use a debugger.

4
docs/architecture/testing/test-framework.md
View File

@ -22,7 +22,7 @@ Each test case has a description which succinctly describes for a human audience
* Make the description descriptive. “foo: x=2, y=4” is more descriptive than “foo #2”. “foo: 0<x<y, both even is even better if these inequalities and parities are why this particular test data was chosen.
* Avoid changing the description of an existing test case without a good reason. This breaks the tracking of failures across CI runs, since this tracking is based on the descriptions.
`tests/scripts/check-test-cases.py` enforces some rules and warns if some guidelines are violated.
`tests/scripts/check_test_cases.py` enforces some rules and warns if some guidelines are violated.
## TLS tests
@ -32,7 +32,7 @@ Each test case has a description which succinctly describes for a human audience
Each test case in `ssl-opt.sh` has a description which succinctly describes for a human audience what the test does. The test description is the first parameter to `run_tests`.
The same rules and guidelines apply as for [unit test descriptions](#unit-test-descriptions). In addition, the description must be written on the same line as `run_test`, in double quotes, for the sake of `check-test-cases.py`.
The same rules and guidelines apply as for [unit test descriptions](#unit-test-descriptions). In addition, the description must be written on the same line as `run_test`, in double quotes, for the sake of `check_test_cases.py`.
## Running tests

40
docs/architecture/tls13-experimental.md Normal file
View File

@ -0,0 +1,40 @@
TLS 1.3 Experimental Developments
=================================
Overview
--------
Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
Stable parts of this prototype that can be independently tested are being successively
upstreamed under the guard of the following macro:
```
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
```
This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
implementation of the TLS 1.3 protocol is available.
See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
for more information.
Status
------
The following lists which parts of the TLS 1.3 prototype have already been upstreamed
together with their level of testing:
* TLS 1.3 record protection mechanisms
The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
to support the modified TLS 1.3 record protection mechanism, including modified computation
of AAD, IV, and the introduction of a flexible padding.
Those record protection routines have unit tests in `test_suite_ssl` alongside the
tests for the other record protection routines.
TODO: Add some test vectors from RFC 8448.
- The HKDF key derivation function on which the TLS 1.3 key schedule is based,
is already present as an independent module controlled by `MBEDTLS_HKDF_C`
independently of the development of the TLS 1.3 prototype.

2
docs/getting_started.md
View File

@ -865,7 +865,7 @@ Mbed Crypto provides a simple way to generate a key or key pair.
psa_set_key_algorithm(&attributes,
PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
psa_set_key_type(&attributes,
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP_R1));
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_bits(&attributes, key_bits);
status = psa_generate_key(&attributes, &handle);
if (status != PSA_SUCCESS) {

2
doxygen/input/doc_mainpage.h
View File

@ -24,7 +24,7 @@
*/
/**
* @mainpage mbed TLS v2.22.0 source code documentation
* @mainpage mbed TLS v2.23.0 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in

2
doxygen/mbedtls.doxyfile
View File

@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
# identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces.
PROJECT_NAME = "mbed TLS v2.22.0"
PROJECT_NAME = "mbed TLS v2.23.0"
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or

3
include/mbedtls/aes.h
View File

@ -20,7 +20,8 @@
* <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
*/
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may

3
include/mbedtls/aria.h
View File

@ -9,7 +9,8 @@
* Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
* and also described by the IETF in <em>RFC 5794</em>.
*/
/* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
/*
* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may

3
include/mbedtls/chacha20.h
View File

@ -12,7 +12,8 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may

3
include/mbedtls/chachapoly.h
View File

@ -12,7 +12,8 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may

13
include/mbedtls/check_config.h
View File

@ -156,6 +156,14 @@
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_C) && !( \
defined(MBEDTLS_ECP_ALT) || \
defined(MBEDTLS_CTR_DRBG_C) || \
defined(MBEDTLS_HMAC_DRBG_C) || \
defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
#endif
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
#endif
@ -619,6 +627,11 @@
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
!defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
#endif
#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \

77
include/mbedtls/config.h
View File

@ -781,6 +781,28 @@
*/
#define MBEDTLS_ECP_NIST_OPTIM
/**
* \def MBEDTLS_ECP_NO_INTERNAL_RNG
*
* When this option is disabled, mbedtls_ecp_mul() will make use of an
* internal RNG when called with a NULL \c f_rng argument, in order to protect
* against some side-channel attacks.
*
* This protection introduces a dependency of the ECP module on one of the
* DRBG modules. For very constrained implementations that don't require this
* protection (for example, because you're only doing signature verification,
* so not manipulating any secret, or because local/physical side-channel
* attacks are outside your threat model), it might be desirable to get rid of
* that dependency.
*
* \warning Enabling this option makes some uses of ECP vulnerable to some
* side-channel attacks. Only enable it if you know that's not a problem for
* your use case.
*
* Uncomment this macro to disable some counter-measures in ECP.
*/
//#define MBEDTLS_ECP_NO_INTERNAL_RNG
/**
* \def MBEDTLS_ECP_RESTARTABLE
*
@ -1706,6 +1728,25 @@
*/
#define MBEDTLS_SSL_PROTO_TLS1_2
/**
* \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
*
* This macro is used to selectively enable experimental parts
* of the code that contribute to the ongoing development of
* the prototype TLS 1.3 and DTLS 1.3 implementation, and provide
* no other purpose.
*
* \warning TLS 1.3 and DTLS 1.3 aren't yet supported in Mbed TLS,
* and no feature exposed through this macro is part of the
* public API. In particular, features under the control
* of this macro are experimental and don't come with any
* stability guarantees.
*
* Uncomment this macro to enable experimental and partial
* functionality specific to TLS 1.3.
*/
//#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
/**
* \def MBEDTLS_SSL_PROTO_DTLS
*
@ -1865,6 +1906,26 @@
*/
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
/**
* \def MBEDTLS_TEST_HOOKS
*
* Enable features for invasive testing such as introspection functions and
* hooks for fault injection. This enables additional unit tests.
*
* Merely enabling this feature should not change the behavior of the product.
* It only adds new code, and new branching points where the default behavior
* is the same as when this feature is disabled.
* However, this feature increases the attack surface: there is an added
* risk of vulnerabilities, and more gadgets that can make exploits easier.
* Therefore this feature must never be enabled in production.
*
* See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for more
* information.
*
* Uncomment to enable invasive tests.
*/
//#define MBEDTLS_TEST_HOOKS
/**
* \def MBEDTLS_THREADING_ALT
*
@ -3535,6 +3596,22 @@
*/
//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
/** \def MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY
*
* This option controls the use of record plaintext padding
* in TLS 1.3.
*
* The padding will always be chosen so that the length of the
* padded plaintext is a multiple of the value of this option.
*
* Note: A value of \c 1 means that no padding will be used
* for outgoing records.
*
* Note: On systems lacking division instructions,
* a power of two should be preferred.
*/
//#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
*
* Maximum length (in bytes) of outgoing plaintext fragments.

3
include/mbedtls/ecp.h
View File

@ -846,6 +846,9 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
* intermediate results to prevent potential timing attacks
* targeting these results. We recommend always providing
* a non-NULL \p f_rng. The overhead is negligible.
* Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
* \p f_rng is NULL, an internal RNG (seeded from the value
* of \p m) will be used instead.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters

2
include/mbedtls/error.h
View File

@ -101,7 +101,7 @@
* ECP 4 10 (Started from top)
* MD 5 5
* HKDF 5 1 (Started from top)
* SSL 5 1 (Started from 0x5F00)
* SSL 5 2 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080)
* SSL 6 24 (Started from top, plus 0x6000)
* SSL 7 32

2
include/mbedtls/md.h
View File

@ -104,6 +104,8 @@ typedef struct mbedtls_md_context_t
* \brief This function returns the list of digests supported by the
* generic digest module.
*
* \note The list starts with the strongest available hashes.
*
* \return A statically allocated array of digests. Each element
* in the returned list is an integer belonging to the
* message-digest enumeration #mbedtls_md_type_t.

3
include/mbedtls/poly1305.h
View File

@ -12,7 +12,8 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
/*
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may

8
include/mbedtls/psa_util.h
View File

@ -160,12 +160,12 @@ static inline psa_algorithm_t mbedtls_psa_translate_md( mbedtls_md_type_t md_alg
/* Translations for ECC. */
static inline int mbedtls_psa_get_ecc_oid_from_id(
psa_ecc_curve_t curve, size_t bits,
psa_ecc_family_t curve, size_t bits,
char const **oid, size_t *oid_len )
{
switch( curve )
{
case PSA_ECC_CURVE_SECP_R1:
case PSA_ECC_FAMILY_SECP_R1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
@ -200,7 +200,7 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
}
break;
case PSA_ECC_CURVE_SECP_K1:
case PSA_ECC_FAMILY_SECP_K1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
@ -223,7 +223,7 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
}
break;
case PSA_ECC_CURVE_BRAINPOOL_P_R1:
case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)

9
include/mbedtls/ssl.h
View File

@ -129,6 +129,7 @@
#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /**< An operation failed due to an unexpected version or configuration. */
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 /**< Invalid value in SSL config */
/*
* Various constants
@ -138,11 +139,15 @@
#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */
#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
#define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */
#define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */
#define MBEDTLS_SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN 255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */
#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN 65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301 */
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
* NONE must be zero so that memset()ing structure to zero works */
@ -276,6 +281,10 @@
#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
#endif
#if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
#endif
/* \} name SECTION: Module settings */
/*

45
include/mbedtls/ssl_internal.h
View File

@ -207,6 +207,12 @@
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
)
/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
/*
* Check that we obey the standard's message size bounds
*/
@ -299,6 +305,41 @@ static inline uint32_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
/**
* \brief This function checks if the remaining size in a buffer is
* greater or equal than a needed space.
*
* \param cur Pointer to the current position in the buffer.
* \param end Pointer to one past the end of the buffer.
* \param need Needed space in bytes.
*
* \return Zero if the needed space is available in the buffer, non-zero
* otherwise.
*/
static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
const uint8_t *end, size_t need )
{
return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
}
/**
* \brief This macro checks if the remaining size in a buffer is
* greater or equal than a needed space. If it is not the case,
* it returns an SSL_BUFFER_TOO_SMALL error.
*
* \param cur Pointer to the current position in the buffer.
* \param end Pointer to one past the end of the buffer.
* \param need Needed space in bytes.
*
*/
#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
do { \
if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
{ \
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
} \
} while( 0 )
#ifdef __cplusplus
extern "C" {
#endif
@ -554,6 +595,10 @@ typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
* time with the 8-byte record sequence number, without prepending the
* latter to the encrypted record.
*
* Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
* which allows to add flexible length padding and to hide a record's true
* content type.
*
* In addition to type and version, the following parameters are relevant:
* - The symmetric cipher algorithm to be used.
* - The (static) encryption/decryption keys for the cipher.

8
include/mbedtls/version.h
View File

@ -39,7 +39,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 22
#define MBEDTLS_VERSION_MINOR 23
#define MBEDTLS_VERSION_PATCH 0
/**
@ -47,9 +47,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x02160000
#define MBEDTLS_VERSION_STRING "2.22.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.22.0"
#define MBEDTLS_VERSION_NUMBER 0x02170000
#define MBEDTLS_VERSION_STRING "2.23.0"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.23.0"
#if defined(MBEDTLS_VERSION_C)

84
include/mbedtls/x509_crt.h
View File

@ -303,6 +303,90 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen );
/**
* \brief The type of certificate extension callbacks.
*
* Callbacks of this type are passed to and used by the
* mbedtls_x509_crt_parse_der_with_ext_cb() routine when
* it encounters either an unsupported extension or a
* "certificate policies" extension containing any
* unsupported certificate policies.
* Future versions of the library may invoke the callback
* in other cases, if and when the need arises.
*
* \param p_ctx An opaque context passed to the callback.
* \param crt The certificate being parsed.
* \param oid The OID of the extension.
* \param critical Whether the extension is critical.
* \param p Pointer to the start of the extension value
* (the content of the OCTET STRING).
* \param end End of extension value.
*
* \note The callback must fail and return a negative error code
* if it can not parse or does not support the extension.
* When the callback fails to parse a critical extension
* mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
* When the callback fails to parse a non critical extension
* mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
* the extension and continues parsing.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
mbedtls_x509_crt const *crt,
mbedtls_x509_buf const *oid,
int critical,
const unsigned char *p,
const unsigned char *end );
/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list.
*
* \param chain The pointer to the start of the CRT chain to attach to.
* When parsing the first CRT in a chain, this should point
* to an instance of ::mbedtls_x509_crt initialized through
* mbedtls_x509_crt_init().
* \param buf The buffer holding the DER encoded certificate.
* \param buflen The size in Bytes of \p buf.
* \param make_copy When not zero this function makes an internal copy of the
* CRT buffer \p buf. In particular, \p buf may be destroyed
* or reused after this call returns.
* When zero this function avoids duplicating the CRT buffer
* by taking temporary ownership thereof until the CRT
* is destroyed (like mbedtls_x509_crt_parse_der_nocopy())
* \param cb A callback invoked for every unsupported certificate
* extension.
* \param p_ctx An opaque context passed to the callback.
*
* \note This call is functionally equivalent to
* mbedtls_x509_crt_parse_der(), and/or
* mbedtls_x509_crt_parse_der_nocopy()
* but it calls the callback with every unsupported
* certificate extension and additionally the
* "certificate policies" extension if it contains any
* unsupported certificate policies.
* The callback must return a negative error code if it
* does not know how to handle such an extension.
* When the callback fails to parse a critical extension
* mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
* When the callback fails to parse a non critical extension
* mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
* the extension and continues parsing.
* Future versions of the library may invoke the callback
* in other cases, if and when the need arises.
*
* \return \c 0 if successful.
* \return A negative error code on failure.
*/
int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen,
int make_copy,
mbedtls_x509_crt_ext_cb_t cb,
void *p_ctx );
/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list. This is a

10
include/psa/crypto.h
View File

@ -735,9 +735,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
* where `m` is the bit size associated with the curve, i.e. the bit size
* of the order of the curve's coordinate field. This byte string is
* in little-endian order for Montgomery curves (curve types
* `PSA_ECC_CURVE_CURVEXXX`), and in big-endian order for Weierstrass
* curves (curve types `PSA_ECC_CURVE_SECTXXX`, `PSA_ECC_CURVE_SECPXXX`
* and `PSA_ECC_CURVE_BRAINPOOL_PXXX`).
* `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
* curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
* and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
* For Weierstrass curves, this is the content of the `privateKey` field of
* the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
* the format is defined by RFC 7748, and output is masked according to §5.
@ -3503,9 +3503,9 @@ psa_status_t psa_key_derivation_output_bytes(
* length is determined by the curve, and sets the mandatory bits
* accordingly. That is:
*
* - Curve25519 (#PSA_ECC_CURVE_MONTGOMERY, 255 bits): draw a 32-byte
* - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
* string and process it as specified in RFC 7748 &sect;5.
* - Curve448 (#PSA_ECC_CURVE_MONTGOMERY, 448 bits): draw a 56-byte
* - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
* string and process it as specified in RFC 7748 &sect;5.
*
* - For key types for which the key is represented by a single sequence of

112
include/psa/crypto_compat.h
View File

@ -50,8 +50,13 @@ extern "C" {
typedef MBEDTLS_PSA_DEPRECATED size_t mbedtls_deprecated_size_t;
typedef MBEDTLS_PSA_DEPRECATED psa_status_t mbedtls_deprecated_psa_status_t;
typedef MBEDTLS_PSA_DEPRECATED psa_key_usage_t mbedtls_deprecated_psa_key_usage_t;
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_curve_t mbedtls_deprecated_psa_ecc_curve_t;
typedef MBEDTLS_PSA_DEPRECATED psa_dh_group_t mbedtls_deprecated_psa_dh_group_t;
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t mbedtls_deprecated_psa_ecc_family_t;
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t mbedtls_deprecated_psa_dh_family_t;
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t psa_ecc_curve_t;
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t psa_dh_group_t;
#define PSA_KEY_TYPE_GET_CURVE PSA_KEY_TYPE_ECC_GET_FAMILY
#define PSA_KEY_TYPE_GET_GROUP PSA_KEY_TYPE_DH_GET_FAMILY
#define MBEDTLS_DEPRECATED_CONSTANT( type, value ) \
( (mbedtls_deprecated_##type) ( value ) )
@ -115,79 +120,110 @@ MBEDTLS_PSA_DEPRECATED static inline psa_status_t psa_asymmetric_verify( psa_key
#endif /* MBEDTLS_DEPRECATED_REMOVED */
/*
* Size-specific elliptic curve and Diffie-Hellman group names
* Size-specific elliptic curve families.
*/
#define PSA_ECC_CURVE_SECP160K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
#define PSA_ECC_CURVE_SECP192K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
#define PSA_ECC_CURVE_SECP224K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
#define PSA_ECC_CURVE_SECP256K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
#define PSA_ECC_CURVE_SECP160R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP192R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP224R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP256R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP384R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP521R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP160R2 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R2 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R2 )
#define PSA_ECC_CURVE_SECT163K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT233K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT239K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT283K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT409K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT571K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT163R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT193R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT233R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT283R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT409R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT571R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT163R2 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R2 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
#define PSA_ECC_CURVE_SECT193R2 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R2 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
#define PSA_ECC_CURVE_BRAINPOOL_P256R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
#define PSA_ECC_CURVE_BRAINPOOL_P384R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
#define PSA_ECC_CURVE_BRAINPOOL_P512R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
#define PSA_ECC_CURVE_CURVE25519 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_MONTGOMERY )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
#define PSA_ECC_CURVE_CURVE448 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_MONTGOMERY )
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
/*
* Curves that changed name due to PSA specification.
*/
#define PSA_ECC_CURVE_SECP_K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
#define PSA_ECC_CURVE_SECP_R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
#define PSA_ECC_CURVE_SECP_R2 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R2 )
#define PSA_ECC_CURVE_SECT_K1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
#define PSA_ECC_CURVE_SECT_R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
#define PSA_ECC_CURVE_SECT_R2 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
#define PSA_ECC_CURVE_BRAINPOOL_P_R1 \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
#define PSA_ECC_CURVE_MONTGOMERY \
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
/*
* Finite-field Diffie-Hellman families.
*/
#define PSA_DH_GROUP_FFDHE2048 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
#define PSA_DH_GROUP_FFDHE3072 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
#define PSA_DH_GROUP_FFDHE4096 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
#define PSA_DH_GROUP_FFDHE6144 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
#define PSA_DH_GROUP_FFDHE8192 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
/*
* Diffie-Hellman families that changed name due to PSA specification.
*/
#define PSA_DH_GROUP_RFC7919 \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
#define PSA_DH_GROUP_CUSTOM \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_CUSTOM )
#ifdef __cplusplus
}

44
include/psa/crypto_extra.h
View File

@ -414,11 +414,11 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
/** Custom Diffie-Hellman group.
*
* For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_GROUP_CUSTOM) or
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM), the group data comes
* For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes
* from domain parameters set by psa_set_key_domain_parameters().
*/
#define PSA_DH_GROUP_CUSTOM ((psa_dh_group_t) 0x7e)
#define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e)
/**
@ -448,8 +448,8 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
* }
* ```
* - For Diffie-Hellman key exchange keys
* (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_GROUP_CUSTOM) or
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM)), the
* (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
* `DomainParameters` format as defined by RFC 3279 &sect;2.3.3.
* ```
* DomainParameters ::= SEQUENCE {
@ -575,53 +575,53 @@ psa_status_t psa_get_key_domain_parameters(
* \param[out] bits On success, the bit size of the curve.
*
* \return The corresponding PSA elliptic curve identifier
* (`PSA_ECC_CURVE_xxx`).
* (`PSA_ECC_FAMILY_xxx`).
* \return \c 0 on failure (\p grpid is not recognized).
*/
static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
static inline psa_ecc_family_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
size_t *bits )
{
switch( grpid )
{
case MBEDTLS_ECP_DP_SECP192R1:
*bits = 192;
return( PSA_ECC_CURVE_SECP_R1 );
return( PSA_ECC_FAMILY_SECP_R1 );
case MBEDTLS_ECP_DP_SECP224R1:
*bits = 224;
return( PSA_ECC_CURVE_SECP_R1 );
return( PSA_ECC_FAMILY_SECP_R1 );
case MBEDTLS_ECP_DP_SECP256R1:
*bits = 256;
return( PSA_ECC_CURVE_SECP_R1 );
return( PSA_ECC_FAMILY_SECP_R1 );
case MBEDTLS_ECP_DP_SECP384R1:
*bits = 384;
return( PSA_ECC_CURVE_SECP_R1 );
return( PSA_ECC_FAMILY_SECP_R1 );
case MBEDTLS_ECP_DP_SECP521R1:
*bits = 521;
return( PSA_ECC_CURVE_SECP_R1 );
return( PSA_ECC_FAMILY_SECP_R1 );
case MBEDTLS_ECP_DP_BP256R1:
*bits = 256;
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
case MBEDTLS_ECP_DP_BP384R1:
*bits = 384;
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
case MBEDTLS_ECP_DP_BP512R1:
*bits = 512;
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
case MBEDTLS_ECP_DP_CURVE25519:
*bits = 255;
return( PSA_ECC_CURVE_MONTGOMERY );
return( PSA_ECC_FAMILY_MONTGOMERY );
case MBEDTLS_ECP_DP_SECP192K1:
*bits = 192;
return( PSA_ECC_CURVE_SECP_K1 );
return( PSA_ECC_FAMILY_SECP_K1 );
case MBEDTLS_ECP_DP_SECP224K1:
*bits = 224;
return( PSA_ECC_CURVE_SECP_K1 );
return( PSA_ECC_FAMILY_SECP_K1 );
case MBEDTLS_ECP_DP_SECP256K1:
*bits = 256;
return( PSA_ECC_CURVE_SECP_K1 );
return( PSA_ECC_FAMILY_SECP_K1 );
case MBEDTLS_ECP_DP_CURVE448:
*bits = 448;
return( PSA_ECC_CURVE_MONTGOMERY );
return( PSA_ECC_FAMILY_MONTGOMERY );
default:
*bits = 0;
return( 0 );
@ -634,7 +634,7 @@ static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grp
* Mbed TLS and may be removed at any time without notice.
*
* \param curve A PSA elliptic curve identifier
* (`PSA_ECC_CURVE_xxx`).
* (`PSA_ECC_FAMILY_xxx`).
* \param byte_length The byte-length of a private key on \p curve.
*
* \return The corresponding Mbed TLS elliptic curve identifier
@ -643,7 +643,7 @@ static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grp
* \return #MBEDTLS_ECP_DP_NONE if \p byte_length is not
* correct for \p curve.
*/
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve,
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
size_t byte_length );
#endif /* MBEDTLS_ECP_C */

4
include/psa/crypto_types.h
View File

@ -74,7 +74,7 @@ typedef uint16_t psa_key_type_t;
* Values defined by this standard will never be in the range 0x80-0xff.
* Vendors who define additional families must use an encoding in this range.
*/
typedef uint8_t psa_ecc_curve_t;
typedef uint8_t psa_ecc_family_t;
/** The type of PSA Diffie-Hellman group family identifiers.
*
@ -85,7 +85,7 @@ typedef uint8_t psa_ecc_curve_t;
* Values defined by this standard will never be in the range 0x80-0xff.
* Vendors who define additional families must use an encoding in this range.
*/
typedef uint8_t psa_dh_group_t;
typedef uint8_t psa_dh_family_t;
/** \brief Encoding of a cryptographic algorithm.
*

46
include/psa/crypto_values.h
View File

@ -426,15 +426,15 @@
#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)
/** Elliptic curve key pair.
*
* \param curve A value of type ::psa_ecc_curve_t that identifies the
* ECC curve to be used.
* \param curve A value of type ::psa_ecc_family_t that
* identifies the ECC curve to be used.
*/
#define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
(PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
/** Elliptic curve public key.
*
* \param curve A value of type ::psa_ecc_curve_t that identifies the
* ECC curve to be used.
* \param curve A value of type ::psa_ecc_family_t that
* identifies the ECC curve to be used.
*/
#define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
(PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
@ -453,8 +453,8 @@
PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
/** Extract the curve from an elliptic curve key type. */
#define PSA_KEY_TYPE_GET_CURVE(type) \
((psa_ecc_curve_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
#define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
0))
@ -466,7 +466,7 @@
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_CURVE_SECP_K1 ((psa_ecc_curve_t) 0x17)
#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
/** SEC random curves over prime fields.
*
@ -476,9 +476,9 @@
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_CURVE_SECP_R1 ((psa_ecc_curve_t) 0x12)
#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
/* SECP160R2 (SEC2 v1, obsolete) */
#define PSA_ECC_CURVE_SECP_R2 ((psa_ecc_curve_t) 0x1b)
#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
/** SEC Koblitz curves over binary fields.
*
@ -488,7 +488,7 @@
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_CURVE_SECT_K1 ((psa_ecc_curve_t) 0x27)
#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
/** SEC random curves over binary fields.
*
@ -498,7 +498,7 @@
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_CURVE_SECT_R1 ((psa_ecc_curve_t) 0x22)
#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
/** SEC additional random curves over binary fields.
*
@ -508,7 +508,7 @@
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
* https://www.secg.org/sec2-v2.pdf
*/
#define PSA_ECC_CURVE_SECT_R2 ((psa_ecc_curve_t) 0x2b)
#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
/** Brainpool P random curves.
*
@ -517,7 +517,7 @@
* brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
* It is defined in RFC 5639.
*/
#define PSA_ECC_CURVE_BRAINPOOL_P_R1 ((psa_ecc_curve_t) 0x30)
#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
/** Curve25519 and Curve448.
*
@ -529,21 +529,21 @@
* _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
* The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
*/
#define PSA_ECC_CURVE_MONTGOMERY ((psa_ecc_curve_t) 0x41)
#define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t)0x4200)
#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t)0x7200)
#define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t)0x00ff)
/** Diffie-Hellman key pair.
*
* \param group A value of type ::psa_dh_group_t that identifies the
* \param group A value of type ::psa_dh_family_t that identifies the
* Diffie-Hellman group to be used.
*/
#define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
(PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
/** Diffie-Hellman public key.
*
* \param group A value of type ::psa_dh_group_t that identifies the
* \param group A value of type ::psa_dh_family_t that identifies the
* Diffie-Hellman group to be used.
*/
#define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
@ -563,8 +563,8 @@
PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
/** Extract the group from a Diffie-Hellman key type. */
#define PSA_KEY_TYPE_GET_GROUP(type) \
((psa_dh_group_t) (PSA_KEY_TYPE_IS_DH(type) ? \
#define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
0))
@ -574,7 +574,7 @@
* 2048, 3072, 4096, 6144, 8192. A given implementation may support
* all of these sizes or only a subset.
*/
#define PSA_DH_GROUP_RFC7919 ((psa_dh_group_t) 0x03)
#define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
#define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
(((type) >> 8) & 7)
@ -1483,17 +1483,17 @@
* is padded with zero bits. The byte order is either little-endian
* or big-endian depending on the curve type.
*
* - For Montgomery curves (curve types `PSA_ECC_CURVE_CURVEXXX`),
* - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
* in little-endian byte order.
* The bit size is 448 for Curve448 and 255 for Curve25519.
* - For Weierstrass curves over prime fields (curve types
* `PSA_ECC_CURVE_SECPXXX` and `PSA_ECC_CURVE_BRAINPOOL_PXXX`),
* `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
* in big-endian byte order.
* The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
* - For Weierstrass curves over binary fields (curve types
* `PSA_ECC_CURVE_SECTXXX`),
* `PSA_ECC_FAMILY_SECTXXX`),
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
* in big-endian byte order.
* The bit size is `m` for the field `F_{2^m}`.
@ -1611,7 +1611,7 @@
*/
#define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
(PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE)
PSA_KEY_PERSISTENCE_VOLATILE)
/** Construct a lifetime from a persistence level and a location.
*

45
library/CMakeLists.txt
View File

@ -148,10 +148,14 @@ if (NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
message(FATAL_ERROR "Need to choose static or shared mbedtls build!")
endif(NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
set(target_libraries "mbedcrypto" "mbedx509" "mbedtls")
if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
set(mbedtls_static_target "mbedtls_static")
set(mbedx509_static_target "mbedx509_static")
set(mbedcrypto_static_target "mbedcrypto_static")
list(APPEND target_libraries
"mbedcrypto_static" "mbedx509_static" "mbedtls_static")
elseif(USE_STATIC_MBEDTLS_LIBRARY)
set(mbedtls_static_target "mbedtls")
set(mbedx509_static_target "mbedx509")
@ -162,8 +166,6 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
target_link_libraries(${mbedcrypto_static_target} ${libs})
target_include_directories(${mbedcrypto_static_target}
PUBLIC ${MBEDTLS_DIR}/include/)
add_library(${mbedx509_static_target} STATIC ${src_x509})
set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
@ -172,37 +174,40 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
add_library(${mbedtls_static_target} STATIC ${src_tls})
set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target})
install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target}
DESTINATION ${LIB_INSTALL_DIR}
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto})
set_target_properties(mbedcrypto PROPERTIES VERSION 2.22.0 SOVERSION 4)
set_target_properties(mbedcrypto PROPERTIES VERSION 2.23.0 SOVERSION 5)
target_link_libraries(mbedcrypto ${libs})
target_include_directories(mbedcrypto
PUBLIC ${MBEDTLS_DIR}/include/)
add_library(mbedx509 SHARED ${src_x509})
set_target_properties(mbedx509 PROPERTIES VERSION 2.22.0 SOVERSION 1)
set_target_properties(mbedx509 PROPERTIES VERSION 2.23.0 SOVERSION 1)
target_link_libraries(mbedx509 ${libs} mbedcrypto)
target_include_directories(mbedx509
PUBLIC ${MBEDTLS_DIR}/include/)
add_library(mbedtls SHARED ${src_tls})
set_target_properties(mbedtls PROPERTIES VERSION 2.22.0 SOVERSION 13)
set_target_properties(mbedtls PROPERTIES VERSION 2.23.0 SOVERSION 13)
target_link_libraries(mbedtls ${libs} mbedx509)
target_include_directories(mbedtls
PUBLIC ${MBEDTLS_DIR}/include/)
install(TARGETS mbedtls mbedx509 mbedcrypto
DESTINATION ${LIB_INSTALL_DIR}
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
endif(USE_SHARED_MBEDTLS_LIBRARY)
foreach(target IN LISTS target_libraries)
# Include public header files from /include and other directories
# declared by /3rdparty/**/CMakeLists.txt. Include private header files
# from /library and others declared by /3rdparty/**/CMakeLists.txt.
# /library needs to be listed explicitly when building .c files outside
# of /library (which currently means: under /3rdparty).
target_include_directories(${target}
PUBLIC ${MBEDTLS_DIR}/include/
PUBLIC ${thirdparty_inc_public}
PRIVATE ${MBEDTLS_DIR}/library/
PRIVATE ${thirdparty_inc})
target_compile_definitions(${target}
PRIVATE ${thirdparty_def})
install(TARGETS ${target}
DESTINATION ${LIB_INSTALL_DIR}
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
endforeach(target)
add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)

8
library/Makefile
View File

@ -5,7 +5,11 @@ CFLAGS ?= -O2
WARNING_CFLAGS ?= -Wall -Wextra
LDFLAGS ?=
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
# Include ../include for public headers and . for private headers.
# Note that . needs to be included explicitly for the sake of library
# files that are not in the /library directory (which currently means
# under /3rdparty).
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS =
ifdef DEBUG
@ -37,7 +41,7 @@ endif
SOEXT_TLS=so.13
SOEXT_X509=so.1
SOEXT_CRYPTO=so.4
SOEXT_CRYPTO=so.5
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
# the - prefix for command line options (e.g. llvm-ar)

6
library/aes.c
View File

@ -25,11 +25,7 @@
* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_AES_C)

6
library/aesni.c
View File

@ -24,11 +24,7 @@
* [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_AESNI_C)

6
library/arc4.c
View File

@ -24,11 +24,7 @@
* http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ARC4_C)

6
library/aria.c
View File

@ -25,11 +25,7 @@
* [2] https://tools.ietf.org/html/rfc5794
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ARIA_C)

6
library/asn1parse.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ASN1_PARSE_C)

6
library/asn1write.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ASN1_WRITE_C)

6
library/base64.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_BASE64_C)

154
library/bignum.c
View File

@ -35,11 +35,7 @@
*
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
@ -243,6 +239,22 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
memcpy( Y, &T, sizeof( mbedtls_mpi ) );
}
/*
* Conditionally assign dest = src, without leaking information
* about whether the assignment was made or not.
* dest and src must be arrays of limbs of size n.
* assign must be 0 or 1.
*/
static void mpi_safe_cond_assign( size_t n,
mbedtls_mpi_uint *dest,
const mbedtls_mpi_uint *src,
unsigned char assign )
{
size_t i;
for( i = 0; i < n; i++ )
dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign;
}
/*
* Conditionally assign X = Y, without leaking information
* about whether the assignment was made or not.
@ -262,10 +274,9 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
X->s = X->s * ( 1 - assign ) + Y->s * assign;
for( i = 0; i < Y->n; i++ )
X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
for( ; i < X->n; i++ )
for( i = Y->n; i < X->n; i++ )
X->p[i] *= ( 1 - assign );
cleanup:
@ -1327,10 +1338,24 @@ cleanup:
return( ret );
}
/*
* Helper for mbedtls_mpi subtraction
/**
* Helper for mbedtls_mpi subtraction.
*
* Calculate d - s where d and s have the same size.
* This function operates modulo (2^ciL)^n and returns the carry
* (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
*
* \param n Number of limbs of \p d and \p s.
* \param[in,out] d On input, the left operand.
* On output, the result of the subtraction:
* \param[in] s The right operand.
*
* \return 1 if `d < s`.
* 0 if `d >= s`.
*/
static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
mbedtls_mpi_uint *d,
const mbedtls_mpi_uint *s )
{
size_t i;
mbedtls_mpi_uint c, z;
@ -1341,28 +1366,22 @@ static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
c = ( *d < *s ) + z; *d -= *s;
}
while( c != 0 )
{
z = ( *d < c ); *d -= c;
c = z; d++;
}
return( c );
}
/*
* Unsigned subtraction: X = |A| - |B| (HAC 14.9)
* Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
*/
int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
{
mbedtls_mpi TB;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
mbedtls_mpi_uint carry;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
MPI_VALIDATE_RET( B != NULL );
if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
mbedtls_mpi_init( &TB );
if( X == B )
@ -1385,7 +1404,18 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
if( B->p[n - 1] != 0 )
break;
mpi_sub_hlp( n, B->p, X->p );
carry = mpi_sub_hlp( n, X->p, B->p );
if( carry != 0 )
{
/* Propagate the carry to the first nonzero limb of X. */
for( ; n < X->n && X->p[n] == 0; n++ )
--X->p[n];
/* If we ran out of space for the carry, it means that the result
* is negative. */
if( n == X->n )
return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
--X->p[n];
}
cleanup:
@ -1975,18 +2005,34 @@ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
*mm = ~x + 1;
}
/*
* Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
*
* \param[in,out] A One of the numbers to multiply.
* It must have at least as many limbs as N
* (A->n >= N->n), and any limbs beyond n are ignored.
* On successful completion, A contains the result of
* the multiplication A * B * R^-1 mod N where
* R = (2^ciL)^n.
* \param[in] B One of the numbers to multiply.
* It must be nonzero and must not have more limbs than N
* (B->n <= N->n).
* \param[in] N The modulo. N must be odd.
* \param mm The value calculated by `mpi_montg_init(&mm, N)`.
* This is -N^-1 mod 2^ciL.
* \param[in,out] T A bignum for temporary storage.
* It must be at least twice the limb size of N plus 2
* (T->n >= 2 * (N->n + 1)).
* Its initial content is unused and
* its final content is indeterminate.
* Note that unlike the usual convention in the library
* for `const mbedtls_mpi*`, the content of T can change.
*/
static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
const mbedtls_mpi *T )
{
size_t i, n, m;
mbedtls_mpi_uint u0, u1, *d;
if( T->n < N->n + 1 || T->p == NULL )
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
memset( T->p, 0, T->n * ciL );
d = T->p;
@ -2007,22 +2053,34 @@ static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
*d++ = u0; d[n + 1] = 0;
}
memcpy( A->p, d, ( n + 1 ) * ciL );
/* At this point, d is either the desired result or the desired result
* plus N. We now potentially subtract N, avoiding leaking whether the
* subtraction is performed through side channels. */
if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
mpi_sub_hlp( n, N->p, A->p );
else
/* prevent timing attacks */
mpi_sub_hlp( n, A->p, T->p );
return( 0 );
/* Copy the n least significant limbs of d to A, so that
* A = d if d < N (recall that N has n limbs). */
memcpy( A->p, d, n * ciL );
/* If d >= N then we want to set A to d - N. To prevent timing attacks,
* do the calculation without using conditional tests. */
/* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
d[n] += 1;
d[n] -= mpi_sub_hlp( n, d, N->p );
/* If d0 < N then d < (2^biL)^n
* so d[n] == 0 and we want to keep A as it is.
* If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
* so d[n] == 1 and we want to set A to the result of the subtraction
* which is d - (2^biL)^n, i.e. the n least significant limbs of d.
* This exactly corresponds to a conditional assignment. */
mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
}
/*
* Montgomery reduction: A = A * R^-1 mod N
*
* See mpi_montmul() regarding constraints and guarantees on the parameters.
*/
static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
mbedtls_mpi_uint mm, const mbedtls_mpi *T )
static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
mbedtls_mpi_uint mm, const mbedtls_mpi *T )
{
mbedtls_mpi_uint z = 1;
mbedtls_mpi U;
@ -2030,7 +2088,7 @@ static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
U.n = U.s = (int) z;
U.p = &z;
return( mpi_montmul( A, &U, N, mm, T ) );
mpi_montmul( A, &U, N, mm, T );
}
/*
@ -2116,13 +2174,13 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
else
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
mpi_montmul( &W[1], &RR, N, mm, &T );
/*
* X = R^2 * R^-1 mod N = R mod N
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
mpi_montred( X, N, mm, &T );
if( wsize > 1 )
{
@ -2135,7 +2193,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
for( i = 0; i < wsize - 1; i++ )
MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
mpi_montmul( &W[j], &W[j], N, mm, &T );
/*
* W[i] = W[i - 1] * W[1]
@ -2145,7 +2203,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
mpi_montmul( &W[i], &W[1], N, mm, &T );
}
}
@ -2182,7 +2240,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
/*
* out of window, square X
*/
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
mpi_montmul( X, X, N, mm, &T );
continue;
}
@ -2200,12 +2258,12 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
* X = X^wsize R^-1 mod N
*/
for( i = 0; i < wsize; i++ )
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
mpi_montmul( X, X, N, mm, &T );
/*
* X = X * W[wbits] R^-1 mod N
*/
MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
mpi_montmul( X, &W[wbits], N, mm, &T );
state--;
nbits = 0;
@ -2218,18 +2276,18 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
*/
for( i = 0; i < nbits; i++ )
{
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
mpi_montmul( X, X, N, mm, &T );
wbits <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 )
MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
mpi_montmul( X, &W[1], N, mm, &T );
}
/*
* X = A^E * R * R^-1 mod N = A^E mod N
*/
MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
mpi_montred( X, N, mm, &T );
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{

6
library/blowfish.c
View File

@ -25,11 +25,7 @@
*
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_BLOWFISH_C)

6
library/camellia.c
View File

@ -25,11 +25,7 @@
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CAMELLIA_C)

6
library/ccm.c
View File

@ -28,11 +28,7 @@
* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CCM_C)

6
library/certs.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#include "mbedtls/certs.h"

6
library/chacha20.c
View File

@ -23,11 +23,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CHACHA20_C)

6
library/chachapoly.c
View File

@ -20,11 +20,7 @@
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CHACHAPOLY_C)

6
library/cipher.c
View File

@ -23,11 +23,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CIPHER_C)

6
library/cipher_wrap.c
View File

@ -23,11 +23,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CIPHER_C)

6
library/cmac.c
View File

@ -40,11 +40,7 @@
*
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CMAC_C)

55
library/common.h Normal file
View File

@ -0,0 +1,55 @@
/**
* \file common.h
*
* \brief Utility macros for internal use in the library
*/
/*
* Copyright (C) 2019, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_LIBRARY_COMMON_H
#define MBEDTLS_LIBRARY_COMMON_H
#if defined(MBEDTLS_CONFIG_FILE)
#include MBEDTLS_CONFIG_FILE
#else
#include "mbedtls/config.h"
#endif
/** Helper to define a function as static except when building invasive tests.
*
* If a function is only used inside its own source file and should be
* declared `static` to allow the compiler to optimize for code size,
* but that function has unit tests, define it with
* ```
* MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
* ```
* and declare it in a header in the `library/` directory with
* ```
* #if defined(MBEDTLS_TEST_HOOKS)
* int mbedtls_foo(...);
* #endif
* ```
*/
#if defined(MBEDTLS_TEST_HOOKS)
#define MBEDTLS_STATIC_TESTABLE
#else
#define MBEDTLS_STATIC_TESTABLE static
#endif
#endif /* MBEDTLS_LIBRARY_COMMON_H */

6
library/ctr_drbg.c
View File

@ -24,11 +24,7 @@
* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_CTR_DRBG_C)

6
library/debug.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_DEBUG_C)

6
library/des.c
View File

@ -25,11 +25,7 @@
* http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_DES_C)

6
library/dhm.c
View File

@ -27,11 +27,7 @@
*
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_DHM_C)

6
library/ecdh.c
View File

@ -26,11 +26,7 @@
* RFC 4492
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECDH_C)

6
library/ecdsa.c
View File

@ -25,11 +25,7 @@
* SEC1 http://www.secg.org/index.php?action=secg,docs_secg
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECDSA_C)

6
library/ecjpake.c
View File

@ -24,11 +24,7 @@
* available to members of the Thread Group http://threadgroup.org/
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECJPAKE_C)

250
library/ecp.c
View File

@ -41,11 +41,7 @@
* <http://eprint.iacr.org/2004/342.pdf>
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
/**
* \brief Function level alternative implementation.
@ -105,6 +101,16 @@
#include "mbedtls/ecp_internal.h"
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
#if defined(MBEDTLS_HMAC_DRBG_C)
#include "mbedtls/hmac_drbg.h"
#elif defined(MBEDTLS_CTR_DRBG_C)
#include "mbedtls/ctr_drbg.h"
#else
#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
#endif
#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
!defined(inline) && !defined(__cplusplus)
#define inline __inline
@ -118,6 +124,144 @@
static unsigned long add_count, dbl_count, mul_count;
#endif
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
/*
* Currently ecp_mul() takes a RNG function as an argument, used for
* side-channel protection, but it can be NULL. The initial reasoning was
* that people will pass non-NULL RNG when they care about side-channels, but
* unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
* no opportunity for the user to do anything about it.
*
* The obvious strategies for addressing that include:
* - change those APIs so that they take RNG arguments;
* - require a global RNG to be available to all crypto modules.
*
* Unfortunately those would break compatibility. So what we do instead is
* have our own internal DRBG instance, seeded from the secret scalar.
*
* The following is a light-weight abstraction layer for doing that with
* HMAC_DRBG (first choice) or CTR_DRBG.
*/
#if defined(MBEDTLS_HMAC_DRBG_C)
/* DRBG context type */
typedef mbedtls_hmac_drbg_context ecp_drbg_context;
/* DRBG context init */
static inline void ecp_drbg_init( ecp_drbg_context *ctx )
{
mbedtls_hmac_drbg_init( ctx );
}
/* DRBG context free */
static inline void ecp_drbg_free( ecp_drbg_context *ctx )
{
mbedtls_hmac_drbg_free( ctx );
}
/* DRBG function */
static inline int ecp_drbg_random( void *p_rng,
unsigned char *output, size_t output_len )
{
return( mbedtls_hmac_drbg_random( p_rng, output, output_len ) );
}
/* DRBG context seeding */
static int ecp_drbg_seed( ecp_drbg_context *ctx,
const mbedtls_mpi *secret, size_t secret_len )
{
int ret;
unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
/* The list starts with strong hashes */
const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
if( secret_len > MBEDTLS_ECP_MAX_BYTES )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
secret_bytes, secret_len ) );
ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
cleanup:
mbedtls_platform_zeroize( secret_bytes, secret_len );
return( ret );
}
#elif defined(MBEDTLS_CTR_DRBG_C)
/* DRBG context type */
typedef mbedtls_ctr_drbg_context ecp_drbg_context;
/* DRBG context init */
static inline void ecp_drbg_init( ecp_drbg_context *ctx )
{
mbedtls_ctr_drbg_init( ctx );
}
/* DRBG context free */
static inline void ecp_drbg_free( ecp_drbg_context *ctx )
{
mbedtls_ctr_drbg_free( ctx );
}
/* DRBG function */
static inline int ecp_drbg_random( void *p_rng,
unsigned char *output, size_t output_len )
{
return( mbedtls_ctr_drbg_random( p_rng, output, output_len ) );
}
/*
* Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
* we need to pass an entropy function when seeding. So we use a dummy
* function for that, and pass the actual entropy as customisation string.
* (During seeding of CTR_DRBG the entropy input and customisation string are
* concatenated before being used to update the secret state.)
*/
static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len)
{
(void) ctx;
memset( out, 0, len );
return( 0 );
}
/* DRBG context seeding */
static int ecp_drbg_seed( ecp_drbg_context *ctx,
const mbedtls_mpi *secret, size_t secret_len )
{
int ret;
unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
if( secret_len > MBEDTLS_ECP_MAX_BYTES )
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
secret_bytes, secret_len ) );
ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
secret_bytes, secret_len );
cleanup:
mbedtls_platform_zeroize( secret_bytes, secret_len );
return( ret );
}
#else
#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
#endif /* DRBG modules */
#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
#if defined(MBEDTLS_ECP_RESTARTABLE)
/*
* Maximum number of "basic operations" to be done in a row.
@ -165,6 +309,10 @@ struct mbedtls_ecp_restart_mul
ecp_rsm_comb_core, /* ecp_mul_comb_core() */
ecp_rsm_final_norm, /* do the final normalization */
} state;
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_context drbg_ctx;
unsigned char drbg_seeded;
#endif
};
/*
@ -177,6 +325,10 @@ static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
ctx->T = NULL;
ctx->T_size = 0;
ctx->state = ecp_rsm_init;
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_init( &ctx->drbg_ctx );
ctx->drbg_seeded = 0;
#endif
}
/*
@ -198,6 +350,10 @@ static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
mbedtls_free( ctx->T );
}
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_free( &ctx->drbg_ctx );
#endif
ecp_restart_rsm_init( ctx );
}
@ -1544,7 +1700,10 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
if( count++ > 10 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
}
while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
@ -1894,7 +2053,9 @@ static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R
i = d;
MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != 0 )
#endif
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
}
@ -2015,6 +2176,7 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
rs_ctx->rsm->state = ecp_rsm_final_norm;
final_norm:
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
#endif
/*
* Knowledge of the jacobian coordinates may leak the last few bits of the
@ -2027,10 +2189,11 @@ final_norm:
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != 0 )
#endif
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
#if defined(MBEDTLS_ECP_RESTARTABLE)
@ -2101,11 +2264,44 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char w, p_eq_g, i;
size_t d;
unsigned char T_size, T_ok;
mbedtls_ecp_point *T;
unsigned char T_size = 0, T_ok = 0;
mbedtls_ecp_point *T = NULL;
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_context drbg_ctx;
ecp_drbg_init( &drbg_ctx );
#endif
ECP_RS_ENTER( rsm );
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng == NULL )
{
/* Adjust pointers */
f_rng = &ecp_drbg_random;
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->rsm != NULL )
p_rng = &rs_ctx->rsm->drbg_ctx;
else
#endif
p_rng = &drbg_ctx;
/* Initialize internal DRBG if necessary */
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx == NULL || rs_ctx->rsm == NULL ||
rs_ctx->rsm->drbg_seeded == 0 )
#endif
{
const size_t m_len = ( grp->nbits + 7 ) / 8;
MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m, m_len ) );
}
#if defined(MBEDTLS_ECP_RESTARTABLE)
if( rs_ctx != NULL && rs_ctx->rsm != NULL )
rs_ctx->rsm->drbg_seeded = 1;
#endif
}
#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
/* Is P the base point ? */
#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
@ -2177,6 +2373,10 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
cleanup:
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_free( &drbg_ctx );
#endif
/* does T belong to the group? */
if( T == grp->T )
T = NULL;
@ -2278,7 +2478,10 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
if( count++ > 10 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
}
while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
@ -2364,9 +2567,23 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
unsigned char b;
mbedtls_ecp_point RP;
mbedtls_mpi PX;
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_context drbg_ctx;
ecp_drbg_init( &drbg_ctx );
#endif
mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng == NULL )
{
const size_t m_len = ( grp->nbits + 7 ) / 8;
MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
f_rng = &ecp_drbg_random;
p_rng = &drbg_ctx;
}
#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
/* Save PX and read from P before writing to R, in case P == R */
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
@ -2380,7 +2597,9 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
MOD_ADD( RP.X );
/* Randomize coordinates of the starting point */
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != NULL )
#endif
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
/* Loop invariant: R = result so far, RP = R + P */
@ -2413,12 +2632,18 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != NULL )
#endif
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
cleanup:
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
ecp_drbg_free( &drbg_ctx );
#endif
mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
return( ret );
@ -2856,7 +3081,10 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
* such as secp224k1 are actually very close to the worst case.
*/
if( ++count > 30 )
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
{
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
goto cleanup;
}
ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
if( ret != 0 )

6
library/ecp_curves.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ECP_C)

6
library/entropy.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ENTROPY_C)

51
library/entropy_poll.c
View File

@ -24,11 +24,7 @@
#define _GNU_SOURCE
#endif
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#include <string.h>
@ -115,6 +111,41 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
#endif /* SYS_getrandom */
#endif /* __linux__ || __midipix__ */
/*
* Some BSD systems provide KERN_ARND.
* This is equivalent to reading from /dev/urandom, only it doesn't require an
* open file descriptor, and provides up to 256 bytes per call (basically the
* same as getentropy(), but with a longer history).
*
* Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
*/
#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
#include <sys/param.h>
#include <sys/sysctl.h>
#if defined(KERN_ARND)
#define HAVE_SYSCTL_ARND
static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
{
int name[2];
size_t len;
name[0] = CTL_KERN;
name[1] = KERN_ARND;
while( buflen > 0 )
{
len = buflen > 256 ? 256 : buflen;
if( sysctl(name, 2, buf, &len, NULL, 0) == -1 )
return( -1 );
buflen -= len;
buf += len;
}
return( 0 );
}
#endif /* KERN_ARND */
#endif /* __FreeBSD__ || __NetBSD__ */
#include <stdio.h>
int mbedtls_platform_entropy_poll( void *data,
@ -139,6 +170,15 @@ int mbedtls_platform_entropy_poll( void *data,
((void) ret);
#endif /* HAVE_GETRANDOM */
#if defined(HAVE_SYSCTL_ARND)
((void) file);
((void) read_len);
if( sysctl_arnd_wrapper( output, len ) == -1 )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
*olen = len;
return( 0 );
#else
*olen = 0;
file = fopen( "/dev/urandom", "rb" );
@ -156,6 +196,7 @@ int mbedtls_platform_entropy_poll( void *data,
*olen = len;
return( 0 );
#endif /* HAVE_SYSCTL_ARND */
}
#endif /* _WIN32 && !EFIX64 && !EFI32 */
#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */

8
library/error.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
#include <string.h>
@ -526,6 +522,8 @@ const char * mbedtls_high_level_strerr( int error_code )
return( "SSL - An operation failed due to an unexpected version or configuration" );
case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
return( "SSL - A cryptographic operation is in progress. Try again later" );
case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
return( "SSL - Invalid value in SSL config" );
#endif /* MBEDTLS_SSL_TLS_C */
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)

6
library/gcm.c
View File

@ -29,11 +29,7 @@
* [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_GCM_C)

6
library/havege.c
View File

@ -26,11 +26,7 @@
* Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_HAVEGE_C)

6
library/hkdf.c
View File

@ -18,11 +18,7 @@
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_HKDF_C)

6
library/hmac_drbg.c
View File

@ -25,11 +25,7 @@
* References below are based on rev. 1 (January 2012).
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_HMAC_DRBG_C)

6
library/md.c
View File

@ -23,11 +23,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_MD_C)

6
library/md2.c
View File

@ -25,11 +25,7 @@
* http://www.ietf.org/rfc/rfc1319.txt
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_MD2_C)

6
library/md4.c
View File

@ -25,11 +25,7 @@
* http://www.ietf.org/rfc/rfc1320.txt
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_MD4_C)

6
library/md5.c
View File

@ -24,11 +24,7 @@
* http://www.ietf.org/rfc/rfc1321.txt
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_MD5_C)

6
library/memory_buffer_alloc.c
View File

@ -19,11 +19,7 @@
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"

10
library/net_sockets.c
View File

@ -23,12 +23,9 @@
* be set before config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
#define _POSIX_C_SOURCE 200112L
#define _XOPEN_SOURCE 600 /* sockaddr_storage */
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "common.h"
#if defined(MBEDTLS_NET_C)
@ -322,7 +319,8 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
struct sockaddr_storage client_addr;
#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
defined(socklen_t)
socklen_t n = (socklen_t) sizeof( client_addr );
socklen_t type_len = (socklen_t) sizeof( type );
#else

Some files were not shown because too many files have changed in this diff Show More