mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 17:05:42 +01:00
Merge remote-tracking branch 'mbedtls/development' into montgomery-keys-clarification
This commit is contained in:
commit
aec44e9fe8
6
3rdparty/CMakeLists.txt
vendored
6
3rdparty/CMakeLists.txt
vendored
@ -1,11 +1,17 @@
|
||||
list (APPEND thirdparty_src)
|
||||
list (APPEND thirdparty_lib)
|
||||
list (APPEND thirdparty_inc_public)
|
||||
list (APPEND thirdparty_inc)
|
||||
list (APPEND thirdparty_def)
|
||||
|
||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
|
||||
|
||||
if(${result} EQUAL 0)
|
||||
add_subdirectory(everest)
|
||||
endif()
|
||||
|
||||
set(thirdparty_src ${thirdparty_src} PARENT_SCOPE)
|
||||
set(thirdparty_lib ${thirdparty_lib} PARENT_SCOPE)
|
||||
set(thirdparty_inc_public ${thirdparty_inc_public} PARENT_SCOPE)
|
||||
set(thirdparty_inc ${thirdparty_inc} PARENT_SCOPE)
|
||||
set(thirdparty_def ${thirdparty_def} PARENT_SCOPE)
|
||||
|
11
3rdparty/everest/CMakeLists.txt
vendored
11
3rdparty/everest/CMakeLists.txt
vendored
@ -1,4 +1,5 @@
|
||||
list (APPEND everest_src)
|
||||
list (APPEND everest_inc_public)
|
||||
list (APPEND everest_inc)
|
||||
list (APPEND everest_def)
|
||||
|
||||
@ -8,11 +9,8 @@ set(everest_src
|
||||
${CMAKE_CURRENT_SOURCE_DIR}/library/Hacl_Curve25519_joined.c
|
||||
)
|
||||
|
||||
list(APPEND everest_inc ${CMAKE_CURRENT_SOURCE_DIR}/include ${CMAKE_CURRENT_SOURCE_DIR}/include/everest ${CMAKE_CURRENT_SOURCE_DIR}/include/everest/kremlib)
|
||||
|
||||
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE result)
|
||||
|
||||
if(${result} EQUAL 0)
|
||||
list(APPEND everest_inc_public ${CMAKE_CURRENT_SOURCE_DIR}/include)
|
||||
list(APPEND everest_inc ${CMAKE_CURRENT_SOURCE_DIR}/include/everest ${CMAKE_CURRENT_SOURCE_DIR}/include/everest/kremlib)
|
||||
|
||||
if(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
@ -24,8 +22,7 @@ if(${result} EQUAL 0)
|
||||
|
||||
endif(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
endif()
|
||||
|
||||
set(thirdparty_src ${thirdparty_src} ${everest_src} PARENT_SCOPE)
|
||||
set(thirdparty_inc_public ${thirdparty_inc_public} ${everest_inc_public} PARENT_SCOPE)
|
||||
set(thirdparty_inc ${thirdparty_inc} ${everest_inc} PARENT_SCOPE)
|
||||
set(thirdparty_def ${thirdparty_def} ${everest_def} PARENT_SCOPE)
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
||||
|
||||
|
6
3rdparty/everest/library/everest.c
vendored
6
3rdparty/everest/library/everest.c
vendored
@ -19,11 +19,7 @@
|
||||
* This file is part of Mbed TLS (https://tls.mbed.org).
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
|
6
3rdparty/everest/library/x25519.c
vendored
6
3rdparty/everest/library/x25519.c
vendored
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
|
||||
|
||||
|
@ -1,3 +1,21 @@
|
||||
#
|
||||
# CMake build system design considerations:
|
||||
#
|
||||
# - Include directories:
|
||||
# + Do not define include directories globally using the include_directories
|
||||
# command but rather at the target level using the
|
||||
# target_include_directories command. That way, it is easier to guarantee
|
||||
# that targets are built using the proper list of include directories.
|
||||
# + Use the PUBLIC and PRIVATE keywords to specifiy the scope of include
|
||||
# directories. That way, a target linking to a library (using the
|
||||
# target_link_librairies command) inherits from the library PUBLIC include
|
||||
# directories and not from the PRIVATE ones.
|
||||
# + Note: there is currently one remaining include_directories command in the
|
||||
# CMake files. It is related to ZLIB support which is planned to be removed.
|
||||
# When the support is removed, the associated include_directories command
|
||||
# will be removed as well as this note.
|
||||
#
|
||||
|
||||
cmake_minimum_required(VERSION 2.6)
|
||||
if(TEST_CPP)
|
||||
project("mbed TLS" C CXX)
|
||||
@ -51,18 +69,29 @@ set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}"
|
||||
"${WARNING_BORDER}")
|
||||
|
||||
# Python 3 is only needed here to check for configuration warnings.
|
||||
if(NOT CMAKE_VERSION VERSION_LESS 3.15.0)
|
||||
set(Python3_FIND_STRATEGY LOCATION)
|
||||
find_package(Python3 COMPONENTS Interpreter)
|
||||
if(Python3_Interpreter_FOUND)
|
||||
set(MBEDTLS_PYTHON_EXECUTABLE ${Python3_EXECUTABLE})
|
||||
endif()
|
||||
else()
|
||||
find_package(PythonInterp 3)
|
||||
if(PYTHONINTERP_FOUND)
|
||||
set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE})
|
||||
endif()
|
||||
endif()
|
||||
if(MBEDTLS_PYTHON_EXECUTABLE)
|
||||
|
||||
# If 128-bit keys are configured for CTR_DRBG, display an appropriate warning
|
||||
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
|
||||
RESULT_VARIABLE result)
|
||||
if(${result} EQUAL 0)
|
||||
message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING})
|
||||
endif()
|
||||
|
||||
# If NULL Entropy is configured, display an appropriate warning
|
||||
execute_process(COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
|
||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/config.h get MBEDTLS_TEST_NULL_ENTROPY
|
||||
RESULT_VARIABLE result)
|
||||
if(${result} EQUAL 0)
|
||||
message(WARNING ${NULL_ENTROPY_WARNING})
|
||||
@ -136,7 +165,10 @@ if(CMAKE_COMPILER_IS_GNU)
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op")
|
||||
endif()
|
||||
if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow -Wformat-signedness")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
|
||||
endif()
|
||||
if (GCC_VERSION VERSION_GREATER 5.0)
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wformat-signedness")
|
||||
endif()
|
||||
set(CMAKE_C_FLAGS_RELEASE "-O2")
|
||||
set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
|
||||
@ -194,9 +226,6 @@ else()
|
||||
set(LIB_INSTALL_DIR lib)
|
||||
endif()
|
||||
|
||||
include_directories(include/)
|
||||
include_directories(library/)
|
||||
|
||||
if(ENABLE_ZLIB_SUPPORT)
|
||||
find_package(ZLIB)
|
||||
|
||||
@ -208,12 +237,33 @@ endif(ENABLE_ZLIB_SUPPORT)
|
||||
add_subdirectory(include)
|
||||
|
||||
add_subdirectory(3rdparty)
|
||||
include_directories(${thirdparty_inc})
|
||||
list(APPEND libs ${thirdparty_lib})
|
||||
add_definitions(${thirdparty_def})
|
||||
|
||||
add_subdirectory(library)
|
||||
|
||||
#
|
||||
# The C files in tests/src directory contain test code shared among test suites
|
||||
# and programs. This shared test code is compiled and linked to test suites and
|
||||
# programs objects as a set of compiled objects. The compiled objects are NOT
|
||||
# built into a library that the test suite and program objects would link
|
||||
# against as they link against the mbedcrypto, mbedx509 and mbedtls libraries.
|
||||
# The reason is that such library is expected to have mutual dependencies with
|
||||
# the aforementioned libraries and that there is as of today no portable way of
|
||||
# handling such dependencies (only toolchain specific solutions).
|
||||
#
|
||||
# Thus the below definition of the `mbedtls_test` CMake library of objects
|
||||
# target. This library of objects is used by tests and programs CMake files
|
||||
# to define the test executables.
|
||||
#
|
||||
if(ENABLE_TESTING OR ENABLE_PROGRAMS)
|
||||
file(GLOB MBEDTLS_TEST_FILES ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c)
|
||||
add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES})
|
||||
target_include_directories(mbedtls_test
|
||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include
|
||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
|
||||
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
|
||||
endif()
|
||||
|
||||
if(ENABLE_PROGRAMS)
|
||||
add_subdirectory(programs)
|
||||
endif()
|
||||
|
123
ChangeLog
123
ChangeLog
@ -1,5 +1,128 @@
|
||||
mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= mbed TLS 2.23.0 branch released 2020-07-01
|
||||
|
||||
Default behavior changes
|
||||
* In the experimental PSA secure element interface, change the encoding of
|
||||
key lifetimes to encode a persistence level and the location. Although C
|
||||
prototypes do not effectively change, code calling
|
||||
psa_register_se_driver() must be modified to pass the driver's location
|
||||
instead of the keys' lifetime. If the library is upgraded on an existing
|
||||
device, keys created with the old lifetime value will not be readable or
|
||||
removable through Mbed TLS after the upgrade.
|
||||
|
||||
Features
|
||||
* New functions in the error module return constant strings for
|
||||
high- and low-level error codes, complementing mbedtls_strerror()
|
||||
which constructs a string for any error code, including compound
|
||||
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
|
||||
in #3176.
|
||||
* The new utility programs/ssl/ssl_context_info prints a human-readable
|
||||
dump of an SSL context saved with mbedtls_ssl_context_save().
|
||||
* Add support for midipix, a POSIX layer for Microsoft Windows.
|
||||
* Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
|
||||
parsing unsupported certificate extensions via user provided callback.
|
||||
Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
|
||||
a solution to #3241.
|
||||
* Pass the "certificate policies" extension to the callback supplied to
|
||||
mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
|
||||
policies (#3419).
|
||||
* Added support to entropy_poll for the kern.arandom syscall supported on
|
||||
some BSD systems. Contributed by Nia Alarie in #3423.
|
||||
* Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
|
||||
|
||||
Security
|
||||
* Fix a side channel vulnerability in modular exponentiation that could
|
||||
reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
|
||||
Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
|
||||
of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
|
||||
Strackx (Fortanix) in #3394.
|
||||
* Fix side channel in mbedtls_ecp_check_pub_priv() and
|
||||
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
|
||||
private key that didn't include the uncompressed public key), as well as
|
||||
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
|
||||
f_rng argument. An attacker with access to precise enough timing and
|
||||
memory access information (typically an untrusted operating system
|
||||
attacking a secure enclave) could fully recover the ECC private key.
|
||||
Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
|
||||
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
|
||||
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
|
||||
macros). This would cause the original Lucky 13 attack to be possible in
|
||||
those configurations, allowing an active network attacker to recover
|
||||
plaintext after repeated timing measurements under some conditions.
|
||||
Reported and fix suggested by Luc Perneel in #3246.
|
||||
|
||||
Bugfix
|
||||
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
|
||||
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
|
||||
the example programs. Reported in #1430 and fix contributed by irwir.
|
||||
* Fix undefined behavior in X.509 certificate parsing if the
|
||||
pathLenConstraint basic constraint value is equal to INT_MAX.
|
||||
The actual effect with almost every compiler is the intended
|
||||
behavior, so this is unlikely to be exploitable anywhere. #3192
|
||||
* Fix issue with a detected HW accelerated record error not being exposed
|
||||
due to shadowed variable. Contributed by Sander Visser in #3310.
|
||||
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
|
||||
NULL pointer argument. Contributed by Sander Visser in #3312.
|
||||
* Fix potential linker errors on dual world platforms by inlining
|
||||
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
|
||||
from psa_crypto.c. Fixes #3300.
|
||||
* Remove dead code in X.509 certificate parsing. Contributed by irwir in
|
||||
#2855.
|
||||
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
|
||||
* Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
|
||||
when PRNG function fails. Contributed by Jonas Lejeune in #3318.
|
||||
* Remove unused macros from MSVC projects. Reported in #3297 and fix
|
||||
submitted in #3333 by irwir.
|
||||
* Add additional bounds checks in ssl_write_client_hello() preventing
|
||||
output buffer overflow if the configuration declared a buffer that was
|
||||
too small.
|
||||
* Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
|
||||
fix submitted in #3421 by Nia Alarie.
|
||||
* Fix building library/net_sockets.c and the ssl_mail_client program on
|
||||
NetBSD. Contributed by Nia Alarie in #3422.
|
||||
* Fix false positive uninitialised variable reported by cpp-check.
|
||||
Contributed by Sander Visser in #3311.
|
||||
* Update iv and len context pointers manually when reallocating buffers
|
||||
using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
|
||||
when receiving a connection with CID, when these fields were shifted
|
||||
in ssl_parse_record_header().
|
||||
|
||||
Changes
|
||||
* Fix warnings about signedness issues in format strings. The build is now
|
||||
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
|
||||
in #3153.
|
||||
* Fix minor performance issue in operations on Curve25519 caused by using a
|
||||
suboptimal modular reduction in one place. Found and fix contributed by
|
||||
Aurelien Jarno in #3209.
|
||||
* Combine identical cases in switch statements in md.c. Contributed
|
||||
by irwir in #3208.
|
||||
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
|
||||
by irwir in #3150.
|
||||
* Unify the example programs termination to call mbedtls_exit() instead of
|
||||
using a return command. This has been done to enable customization of the
|
||||
behavior in bare metal environments.
|
||||
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
|
||||
Contributed by Koh M. Nakagawa in #3326.
|
||||
* Use FindPython3 when cmake version >= 3.15.0
|
||||
* Abort the ClientHello writing function as soon as some extension doesn't
|
||||
fit into the record buffer. Previously, such extensions were silently
|
||||
dropped. As a consequence, the TLS handshake now fails when the output
|
||||
buffer is not large enough to hold the ClientHello.
|
||||
* The unit tests now rely on header files in tests/include/test and source
|
||||
files in tests/src. When building with make or cmake, the files in
|
||||
tests/src are compiled and the resulting object linked into each test
|
||||
executable.
|
||||
* The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
|
||||
`MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
|
||||
coutermeasures. If side channels are not a concern, this dependency can
|
||||
be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
|
||||
* Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
|
||||
Martinho. #3147
|
||||
* Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
|
||||
in #3182 and fix submitted by irwir. #3217
|
||||
* Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
|
||||
|
||||
= mbed TLS 2.22.0 branch released 2020-04-14
|
||||
|
||||
New deprecations
|
||||
|
@ -1,4 +0,0 @@
|
||||
Bugfix
|
||||
* Fix the Visual Studio Release x64 build configuration for mbedtls itself.
|
||||
Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
|
||||
the example programs. Reported in #1430 and fix contributed by irwir.
|
@ -1,2 +0,0 @@
|
||||
Bugfix
|
||||
* Remove dead code in X.509 certificate parsing. Contributed by irwir in #2855.
|
3
ChangeLog.d/bugfix_PR3452.txt
Normal file
3
ChangeLog.d/bugfix_PR3452.txt
Normal file
@ -0,0 +1,3 @@
|
||||
Bugfix
|
||||
* Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol redefinition if the function is inlined.
|
||||
Reported in #3451 and fix contributed in #3452 by okhowang.
|
3
ChangeLog.d/cmake-install.txt
Normal file
3
ChangeLog.d/cmake-install.txt
Normal file
@ -0,0 +1,3 @@
|
||||
Bugfix
|
||||
* Library files installed after a CMake build no longer have execute
|
||||
permission.
|
4
ChangeLog.d/do_not_persist_volatile_external_keys.txt
Normal file
4
ChangeLog.d/do_not_persist_volatile_external_keys.txt
Normal file
@ -0,0 +1,4 @@
|
||||
Default behavior changes
|
||||
* Stop storing persistent information about externally stored keys created
|
||||
through PSA Crypto with a volatile lifetime. Reported in #3288 and
|
||||
contributed by Steven Cooreman in #3382.
|
@ -1,2 +0,0 @@
|
||||
Bugfix
|
||||
* Include asn1.h in error.c. Fixes #3328 reported by David Hu.
|
@ -1,6 +0,0 @@
|
||||
Features
|
||||
* New functions in the error module return constant strings for
|
||||
high- and low-level error codes, complementing mbedtls_strerror()
|
||||
which constructs a string for any error code, including compound
|
||||
ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
|
||||
in #3176.
|
@ -1,4 +0,0 @@
|
||||
Changes
|
||||
* Fix minor performance issue in operations on Curve25519 caused by using a
|
||||
suboptimal modular reduction in one place. Found and fix contributed by
|
||||
Aurelien Jarno in #3209.
|
@ -1,3 +0,0 @@
|
||||
Changes
|
||||
* Fix warnings about signedness issues in format strings. The build is now
|
||||
clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen in #3153.
|
@ -1,3 +0,0 @@
|
||||
Bugfix
|
||||
* Fix issue with a detected HW accelerated record error not being exposed
|
||||
due to shadowed variable. Contributed by Sander Visser in #3310.
|
@ -1,3 +0,0 @@
|
||||
Bugfix
|
||||
* Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
|
||||
NULL pointer argument. Contributed by Sander Visser in #3312.
|
@ -1,3 +0,0 @@
|
||||
Changes
|
||||
* Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
|
||||
Contributed by Koh M. Nakagawa in #3326.
|
3
ChangeLog.d/format-signedness.txt
Normal file
3
ChangeLog.d/format-signedness.txt
Normal file
@ -0,0 +1,3 @@
|
||||
Changes
|
||||
* Only pass -Wformat-signedness to versions of GCC that support it. Reported
|
||||
in #3478 and fix contributed in #3479 by okhowang.
|
@ -1,4 +0,0 @@
|
||||
Bugfix
|
||||
* Fix potential linker errors on dual world platforms by inlining
|
||||
mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
|
||||
from psa_crypto.c. Fixes #3300.
|
@ -1,5 +0,0 @@
|
||||
Bugfix
|
||||
* Fix undefined behavior in X.509 certificate parsing if the
|
||||
pathLenConstraint basic constraint value is equal to INT_MAX.
|
||||
The actual effect with almost every compiler is the intended
|
||||
behavior, so this is unlikely to be exploitable anywhere. #3192
|
@ -1,3 +0,0 @@
|
||||
Changes
|
||||
* Combine identical cases in switch statements in md.c. Contributed
|
||||
by irwir in #3208.
|
@ -1,2 +0,0 @@
|
||||
Features
|
||||
* Add support for midipix, a POSIX layer for Microsoft Windows.
|
@ -1,8 +0,0 @@
|
||||
Default behavior changes
|
||||
* In the experimental PSA secure element interface, change the encoding of
|
||||
key lifetimes to encode a persistence level and the location. Although C
|
||||
prototypes do not effectively change, code calling
|
||||
psa_register_se_driver() must be modified to pass the driver's location
|
||||
instead of the keys' lifetime. If the library is upgraded on an existing
|
||||
device, keys created with the old lifetime value will not be readable or
|
||||
removable through Mbed TLS after the upgrade.
|
9
ChangeLog.d/psa_ecc_dh_macros.txt
Normal file
9
ChangeLog.d/psa_ecc_dh_macros.txt
Normal file
@ -0,0 +1,9 @@
|
||||
API changes
|
||||
* In the PSA API, rename the types of elliptic curve and Diffie-Hellman group families to
|
||||
psa_ecc_family_t and psa_dh_family_t, in line with the PSA Crypto API specification version 1.0.0.
|
||||
Rename associated macros as well:
|
||||
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
|
||||
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
|
||||
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
|
||||
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
|
||||
|
@ -1,3 +0,0 @@
|
||||
Features
|
||||
* The new utility programs/ssl/ssl_context_info prints a human-readable
|
||||
dump of an SSL context saved with mbedtls_ssl_context_save().
|
@ -1,3 +0,0 @@
|
||||
Changes
|
||||
* Simplify a bounds check in ssl_write_certificate_request(). Contributed
|
||||
by irwir in #3150.
|
@ -1,4 +0,0 @@
|
||||
Changes
|
||||
* Unify the example programs termination to call mbedtls_exit() instead of
|
||||
using a return command. This has been done to enable customization of the
|
||||
behavior in bare metal environments.
|
4
ChangeLog.d/x509write_csr_heap_alloc.txt
Normal file
4
ChangeLog.d/x509write_csr_heap_alloc.txt
Normal file
@ -0,0 +1,4 @@
|
||||
Changes
|
||||
* Reduce the stack consumption of mbedtls_x509write_csr_der() which
|
||||
previously could lead to stack overflow on constrained devices.
|
||||
Contributed by Doru Gucea and Simon Leet in #3464.
|
15
Makefile
15
Makefile
@ -10,15 +10,18 @@ all: programs tests
|
||||
|
||||
no_test: programs
|
||||
|
||||
programs: lib
|
||||
programs: lib mbedtls_test
|
||||
$(MAKE) -C programs
|
||||
|
||||
lib:
|
||||
$(MAKE) -C library
|
||||
|
||||
tests: lib
|
||||
tests: lib mbedtls_test
|
||||
$(MAKE) -C tests
|
||||
|
||||
mbedtls_test:
|
||||
$(MAKE) -C tests mbedtls_test
|
||||
|
||||
ifndef WINDOWS
|
||||
install: no_test
|
||||
mkdir -p $(DESTDIR)/include/mbedtls
|
||||
@ -107,11 +110,11 @@ covtest:
|
||||
lcov:
|
||||
rm -rf Coverage
|
||||
lcov --capture --initial --directory library -o files.info
|
||||
lcov --capture --directory library -o tests.info
|
||||
lcov --add-tracefile files.info --add-tracefile tests.info -o all.info
|
||||
lcov --remove all.info -o final.info '*.h'
|
||||
lcov --rc lcov_branch_coverage=1 --capture --directory library -o tests.info
|
||||
lcov --rc lcov_branch_coverage=1 --add-tracefile files.info --add-tracefile tests.info -o all.info
|
||||
lcov --rc lcov_branch_coverage=1 --remove all.info -o final.info '*.h'
|
||||
gendesc tests/Descriptions.txt -o descriptions
|
||||
genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --no-branch-coverage -o Coverage final.info
|
||||
genhtml --title "mbed TLS" --description-file descriptions --keep-descriptions --legend --branch-coverage -o Coverage final.info
|
||||
rm -f files.info tests.info all.info final.info descriptions
|
||||
|
||||
apidoc:
|
||||
|
@ -5,6 +5,7 @@ default: all
|
||||
all_markdown = \
|
||||
mbed-crypto-storage-specification.md \
|
||||
testing/driver-interface-test-strategy.md \
|
||||
testing/invasive-testing.md \
|
||||
testing/test-framework.md \
|
||||
# This line is intentionally left blank
|
||||
|
||||
@ -22,3 +23,4 @@ all: html pdf
|
||||
|
||||
clean:
|
||||
rm -f *.html *.pdf
|
||||
rm -f testing/*.html testing/*.pdf
|
||||
|
367
docs/architecture/testing/invasive-testing.md
Normal file
367
docs/architecture/testing/invasive-testing.md
Normal file
@ -0,0 +1,367 @@
|
||||
# Mbed TLS invasive testing strategy
|
||||
|
||||
## Introduction
|
||||
|
||||
In Mbed TLS, we use black-box testing as much as possible: test the documented behavior of the product, in a realistic environment. However this is not always sufficient.
|
||||
|
||||
The goal of this document is to identify areas where black-box testing is insufficient and to propose solutions.
|
||||
|
||||
This is a test strategy document, not a test plan. A description of exactly what is tested is out of scope.
|
||||
|
||||
This document is structured as follows:
|
||||
|
||||
* [“Rules”](#rules) gives general rules and is written for brevity.
|
||||
* [“Requirements”](#requirements) explores the reasons why invasive testing is needed and how it should be done.
|
||||
* [“Possible approaches”](#possible-approaches) discusses some general methods for non-black-box testing.
|
||||
* [“Solutions”](#solutions) explains how we currently solve, or intend to solve, specific problems.
|
||||
|
||||
### TLS
|
||||
|
||||
This document currently focuses on data structure manipulation and storage, which is what the crypto/keystore and X.509 parts of the library are about. More work is needed to fully take TLS into account.
|
||||
|
||||
## Rules
|
||||
|
||||
Always follow these rules unless you have a good reason not to. If you deviate, document the rationale somewhere.
|
||||
|
||||
See the section [“Possible approaches”](#possible-approaches) for a rationale.
|
||||
|
||||
### Interface design for testing
|
||||
|
||||
Do not add test-specific interfaces if there's a practical way of doing it another way. All public interfaces should be useful in at least some configurations. Features with a significant impact on the code size or attack surface should have a compile-time guard.
|
||||
|
||||
### Reliance on internal details
|
||||
|
||||
In unit tests and in test programs, it's ok to include header files from `library/`. Do not define non-public interfaces in public headers (`include/mbedtls` has `*_internal.h` headers for legacy reasons, but this approach is deprecated). In contrast, sample programs must not include header files from `library/`.
|
||||
|
||||
Sometimes it makes sense to have unit tests on functions that aren't part of the public API. Declare such functions in `library/*.h` and include the corresponding header in the test code. If the function should be `static` for optimization but can't be `static` for testing, declare it as `MBEDTLS_STATIC_TESTABLE`, and make the tests that use it depend on `MBEDTLS_TEST_HOOKS` (see [“rules for compile-time options”](#rules-for-compile-time-options)).
|
||||
|
||||
If test code or test data depends on internal details of the library and not just on its documented behavior, add a comment in the code that explains the dependency. For example:
|
||||
|
||||
> ```
|
||||
> /* This test file is specific to the ITS implementation in PSA Crypto
|
||||
> * on top of stdio. It expects to know what the stdio name of a file is
|
||||
> * based on its keystore name.
|
||||
> */
|
||||
> ```
|
||||
|
||||
> ```
|
||||
> # This test assumes that PSA_MAX_KEY_BITS (currently 65536-8 bits = 8191 bytes
|
||||
> # and not expected to be raised any time soon) is less than the maximum
|
||||
> # output from HKDF-SHA512 (255*64 = 16320 bytes).
|
||||
> ```
|
||||
|
||||
### Rules for compile-time options
|
||||
|
||||
If the most practical way to test something is to add code to the product that is only useful for testing, do so, but obey the following rules. For more information, see the [rationale](#guidelines-for-compile-time-options).
|
||||
|
||||
* **Only use test-specific code when necessary.** Anything that can be tested through the documented API must be tested through the documented API.
|
||||
* **Test-specific code must be guarded by `#if defined(MBEDTLS_TEST_HOOKS)`**. Do not create fine-grained guards for test-specific code.
|
||||
* **Do not use `MBEDTLS_TEST_HOOKS` for security checks or assertions.** Security checks belong in the product.
|
||||
* **Merely defining `MBEDTLS_TEST_HOOKS` must not change the behavior**. It may define extra functions. It may add fields to structures, but if so, make it very clear that these fields have no impact on non-test-specific fields.
|
||||
* **Where tests must be able to change the behavior, do it by function substitution.** See [“rules for function substitution”](#rules-for-function-substitution) for more details.
|
||||
|
||||
#### Rules for function substitution
|
||||
|
||||
This section explains how to replace a library function `mbedtls_foo()` by alternative code for test purposes. That is, library code calls `mbedtls_foo()`, and there is a mechanism to arrange for these calls to invoke different code.
|
||||
|
||||
Often `mbedtls_foo` is a macro which is defined to be a system function (like `mbedtls_calloc` or `mbedtls_fopen`), which we replace to mock or wrap the system function. This is useful to simulate I/O failure, for example. Note that if the macro can be replaced at compile time to support alternative platforms, the test code should be compatible with this compile-time configuration so that it works on these alternative platforms as well.
|
||||
|
||||
Sometimes the substitutable function is a `static inline` function that does nothing (not a macro, to avoid accidentally skipping side effects in its parameters), to provide a hook for test code; such functions should have a name that starts with the prefix `mbedtls_test_hook_`. In such cases, the function should generally not modify its parameters, so any pointer argument should be const. The function should return void.
|
||||
|
||||
With `MBEDTLS_TEST_HOOKS` set, `mbedtls_foo` is a global variable of function pointer type. This global variable is initialized to the system function, or to a function that does nothing. The global variable is defined in a header in the `library` directory such as `psa_crypto_invasive.h`. This is similar to the platform function configuration mechanism with `MBEDTLS_PLATFORM_xxx_ALT`.
|
||||
|
||||
In unit test code that needs to modify the internal behavior:
|
||||
|
||||
* The test function (or the whole test file) must depend on `MBEDTLS_TEST_HOOKS`.
|
||||
* At the beginning of the test function, set the global function pointers to the desired value.
|
||||
* In the test function's cleanup code, restore the global function pointers to their default value.
|
||||
|
||||
## Requirements
|
||||
|
||||
### General goals
|
||||
|
||||
We need to balance the following goals, which are sometimes contradictory.
|
||||
|
||||
* Coverage: we need to test behaviors which are not easy to trigger by using the API or which cannot be triggered deterministically, for example I/O failures.
|
||||
* Correctness: we want to test the actual product, not a modified version, since conclusions drawn from a test of a modified product may not apply to the real product.
|
||||
* Effacement: the product should not include features that are solely present for test purposes, since these increase the attack surface and the code size.
|
||||
* Portability: tests should work on every platform. Skipping tests on certain platforms may hide errors that are only apparent on such platforms.
|
||||
* Maintainability: tests should only enforce the documented behavior of the product, to avoid extra work when the product's internal or implementation-specific behavior changes. We should also not give the impression that whatever the tests check is guaranteed behavior of the product which cannot change in future versions.
|
||||
|
||||
Where those goals conflict, we should at least mitigate the goals that cannot be fulfilled, and document the architectural choices and their rationale.
|
||||
|
||||
### Problem areas
|
||||
|
||||
#### Allocation
|
||||
|
||||
Resource allocation can fail, but rarely does so in a typical test environment. How does the product cope if some allocations fail?
|
||||
|
||||
Resources include:
|
||||
|
||||
* Memory.
|
||||
* Files in storage (PSA API only — in the Mbed TLS API, black-box unit tests are sufficient).
|
||||
* Key handles (PSA API only).
|
||||
* Key slots in a secure element (PSA SE HAL).
|
||||
* Communication handles (PSA crypto service only).
|
||||
|
||||
#### Storage
|
||||
|
||||
Storage can fail, either due to hardware errors or to active attacks on trusted storage. How does the code cope if some storage accesses fail?
|
||||
|
||||
We also need to test resilience: if the system is reset during an operation, does it restart in a correct state?
|
||||
|
||||
#### Cleanup
|
||||
|
||||
When code should clean up resources, how do we know that they have truly been cleaned up?
|
||||
|
||||
* Zeroization of confidential data after use.
|
||||
* Freeing memory.
|
||||
* Closing key handles.
|
||||
* Freeing key slots in a secure element.
|
||||
* Deleting files in storage (PSA API only).
|
||||
|
||||
#### Internal data
|
||||
|
||||
Sometimes it is useful to peek or poke internal data.
|
||||
|
||||
* Check consistency of internal data (e.g. output of key generation).
|
||||
* Check the format of files (which matters so that the product can still read old files after an upgrade).
|
||||
* Inject faults and test corruption checks inside the product.
|
||||
|
||||
## Possible approaches
|
||||
|
||||
Key to requirement tables:
|
||||
|
||||
* ++ requirement is fully met
|
||||
* \+ requirement is mostly met
|
||||
* ~ requirement is partially met but there are limitations
|
||||
* ! requirement is somewhat problematic
|
||||
* !! requirement is very problematic
|
||||
|
||||
### Fine-grained public interfaces
|
||||
|
||||
We can include all the features we want to test in the public interface. Then the tests can be truly black-box. The limitation of this approach is that this requires adding a lot of interfaces that are not useful in production. These interfaces have costs: they increase the code size, the attack surface, and the testing burden (exponentially, because we need to test all these interfaces in combination).
|
||||
|
||||
As a rule, we do not add public interfaces solely for testing purposes. We only add public interfaces if they are also useful in production, at least sometimes. For example, the main purpose of `mbedtls_psa_crypto_free` is to clean up all resources in tests, but this is also useful in production in some applications that only want to use PSA Crypto during part of their lifetime.
|
||||
|
||||
Mbed TLS traditionally has very fine-grained public interfaces, with many platform functions that can be substituted (`MBEDTLS_PLATFORM_xxx` macros). PSA Crypto has more opacity and less platform substitution macros.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ~ Many useful tests are not reasonably achievable |
|
||||
| Correctness | ++ Ideal |
|
||||
| Effacement | !! Requires adding many otherwise-useless interfaces |
|
||||
| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
|
||||
| Maintainability | !! Combinatorial explosion on the testing burden |
|
||||
| | ! Public interfaces must remain for backward compatibility even if the test architecture changes |
|
||||
|
||||
### Fine-grained undocumented interfaces
|
||||
|
||||
We can include all the features we want to test in undocumented interfaces. Undocumented interfaces are described in public headers for the sake of the C compiler, but are described as “do not use” in comments (or not described at all) and are not included in Doxygen-rendered documentation. This mitigates some of the downsides of [fine-grained public interfaces](#fine-grained-public-interfaces), but not all. In particular, the extra interfaces do increase the code size, the attack surface and the test surface.
|
||||
|
||||
Mbed TLS traditionally has a few internal interfaces, mostly intended for cross-module abstraction leakage rather than for testing. For the PSA API, we favor [internal interfaces](#internal-interfaces).
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ~ Many useful tests are not reasonably achievable |
|
||||
| Correctness | ++ Ideal |
|
||||
| Effacement | !! Requires adding many otherwise-useless interfaces |
|
||||
| Portability | ++ Ideal; the additional interfaces may be useful for portability beyond testing |
|
||||
| Maintainability | ! Combinatorial explosion on the testing burden |
|
||||
|
||||
### Internal interfaces
|
||||
|
||||
We can write tests that call internal functions that are not exposed in the public interfaces. This is nice when it works, because it lets us test the unchanged product without compromising the design of the public interface.
|
||||
|
||||
A limitation is that these interfaces must exist in the first place. If they don't, this has mostly the same downside as public interfaces: the extra interfaces increase the code size and the attack surface for no direct benefit to the product.
|
||||
|
||||
Another limitation is that internal interfaces need to be used correctly. We may accidentally rely on internal details in the tests that are not necessarily always true (for example that are platform-specific). We may accidentally use these internal interfaces in ways that don't correspond to the actual product.
|
||||
|
||||
This approach is mostly portable since it only relies on C interfaces. A limitation is that the test-only interfaces must not be hidden at link time (but link-time hiding is not something we currently do). Another limitation is that this approach does not work for users who patch the library by replacing some modules; this is a secondary concern since we do not officially offer this as a feature.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ~ Many useful tests require additional internal interfaces |
|
||||
| Correctness | + Does not require a product change |
|
||||
| | ~ The tests may call internal functions in a way that does not reflect actual usage inside the product |
|
||||
| Effacement | ++ Fine as long as the internal interfaces aren't added solely for test purposes |
|
||||
| Portability | + Fine as long as we control how the tests are linked |
|
||||
| | ~ Doesn't work if the users rewrite an internal module |
|
||||
| Maintainability | + Tests interfaces that are documented; dependencies in the tests are easily noticed when changing these interfaces |
|
||||
|
||||
### Static analysis
|
||||
|
||||
If we guarantee certain properties through static analysis, we don't need to test them. This puts some constraints on the properties:
|
||||
|
||||
* We need to have confidence in the specification (but we can gain this confidence by evaluating the specification on test data).
|
||||
* This does not work for platform-dependent properties unless we have a formal model of the platform.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ~ Good for platform-independent properties, if we can guarantee them statically |
|
||||
| Correctness | + Good as long as we have confidence in the specification |
|
||||
| Effacement | ++ Zero impact on the code |
|
||||
| Portability | ++ Zero runtime burden |
|
||||
| Maintainability | ~ Static analysis is hard, but it's also helpful |
|
||||
|
||||
### Compile-time options
|
||||
|
||||
If there's code that we want to have in the product for testing, but not in production, we can add a compile-time option to enable it. This is very powerful and usually easy to use, but comes with a major downside: we aren't testing the same code anymore.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ++ Most things can be tested that way |
|
||||
| Correctness | ! Difficult to ensure that what we test is what we run |
|
||||
| Effacement | ++ No impact on the product when built normally or on the documentation, if done right |
|
||||
| | ! Risk of getting “no impact” wrong |
|
||||
| Portability | ++ It's just C code so it works everywhere |
|
||||
| | ~ Doesn't work if the users rewrite an internal module |
|
||||
| Maintainability | + Test interfaces impact the product source code, but at least they're clearly marked as such in the code |
|
||||
|
||||
#### Guidelines for compile-time options
|
||||
|
||||
* **Minimize the number of compile-time options.**<br>
|
||||
Either we're testing or we're not. Fine-grained options for testing would require more test builds, especially if combinatorics enters the play.
|
||||
* **Merely enabling the compile-time option should not change the behavior.**<br>
|
||||
When building in test mode, the code should have exactly the same behavior. Changing the behavior should require some action at runtime (calling a function or changing a variable).
|
||||
* **Minimize the impact on code**.<br>
|
||||
We should not have test-specific conditional compilation littered through the code, as that makes the code hard to read.
|
||||
|
||||
### Runtime instrumentation
|
||||
|
||||
Some properties can be tested through runtime instrumentation: have the compiler or a similar tool inject something into the binary.
|
||||
|
||||
* Sanitizers check for certain bad usage patterns (ASan, MSan, UBSan, Valgrind).
|
||||
* We can inject external libraries at link time. This can be a way to make system functions fail.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ! Limited scope |
|
||||
| Correctness | + Instrumentation generally does not affect the program's functional behavior |
|
||||
| Effacement | ++ Zero impact on the code |
|
||||
| Portability | ~ Depends on the method |
|
||||
| Maintainability | ~ Depending on the instrumentation, this may require additional builds and scripts |
|
||||
| | + Many properties come for free, but some require effort (e.g. the test code itself must be leak-free to avoid false positives in a leak detector) |
|
||||
|
||||
### Debugger-based testing
|
||||
|
||||
If we want to do something in a test that the product isn't capable of doing, we can use a debugger to read or modify the memory, or hook into the code at arbitrary points.
|
||||
|
||||
This is a very powerful approach, but it comes with limitations:
|
||||
|
||||
* The debugger may introduce behavior changes (e.g. timing). If we modify data structures in memory, we may do so in a way that the code doesn't expect.
|
||||
* Due to compiler optimizations, the memory may not have the layout that we expect.
|
||||
* Writing reliable debugger scripts is hard. We need to have confidence that we're testing what we mean to test, even in the face of compiler optimizations. Languages such as gdb make it hard to automate even relatively simple things such as finding the place(s) in the binary corresponding to some place in the source code.
|
||||
* Debugger scripts are very much non-portable.
|
||||
|
||||
| Requirement | Analysis |
|
||||
| ----------- | -------- |
|
||||
| Coverage | ++ The sky is the limit |
|
||||
| Correctness | ++ The code is unmodified, and tested as compiled (so we even detect compiler-induced bugs) |
|
||||
| | ! Compiler optimizations may hinder |
|
||||
| | ~ Modifying the execution may introduce divergence |
|
||||
| Effacement | ++ Zero impact on the code |
|
||||
| Portability | !! Not all environments have a debugger, and even if they do, we'd need completely different scripts for every debugger |
|
||||
| Maintainability | ! Writing reliable debugger scripts is hard |
|
||||
| | !! Very tight coupling with the details of the source code and even with the compiler |
|
||||
|
||||
## Solutions
|
||||
|
||||
This section lists some strategies that are currently used for invasive testing, or planned to be used. This list is not intended to be exhaustive.
|
||||
|
||||
### Memory management
|
||||
|
||||
#### Zeroization testing
|
||||
|
||||
Goal: test that `mbedtls_platform_zeroize` does wipe the memory buffer.
|
||||
|
||||
Solution ([debugger](#debugger-based-testing)): implemented in `tests/scripts/test_zeroize.gdb`.
|
||||
|
||||
Rationale: this cannot be tested by adding C code, because the danger is that the compiler optimizes the zeroization away, and any C code that observes the zeroization would cause the compiler not to optimize it away.
|
||||
|
||||
#### Memory cleanup
|
||||
|
||||
Goal: test the absence of memory leaks.
|
||||
|
||||
Solution ([instrumentation](#runtime-instrumentation)): run tests with ASan. (We also use Valgrind, but it's slower than ASan, so we favor ASan.)
|
||||
|
||||
Since we run many test jobs with a memory leak detector, each test function or test program must clean up after itself. Use the cleanup code (after the `exit` label in test functions) to free any memory that the function may have allocated.
|
||||
|
||||
#### Robustness against memory allocation failure
|
||||
|
||||
Solution: TODO. We don't test this at all at this point.
|
||||
|
||||
#### PSA key store memory cleanup
|
||||
|
||||
Goal: test the absence of resource leaks in the PSA key store code, in particular that `psa_close_key` and `psa_destroy_key` work correctly.
|
||||
|
||||
Solution ([internal interface](#internal-interfaces)): in most tests involving PSA functions, the cleanup code explicitly calls `PSA_DONE()` instead of `mbedtls_psa_crypto_free()`. `PSA_DONE` fails the test if the key store in memory is not empty.
|
||||
|
||||
Note there must also be tests that call `mbedtls_psa_crypto_free` with keys still open, to verify that it does close all keys.
|
||||
|
||||
`PSA_DONE` is a macro defined in `psa_crypto_helpers.h` which uses `mbedtls_psa_get_stats()` to get information about the keystore content before calling `mbedtls_psa_crypto_free()`. This feature is mostly but not exclusively useful for testing, and may be moved under `MBEDTLS_TEST_HOOKS`.
|
||||
|
||||
### PSA storage
|
||||
|
||||
#### PSA storage cleanup on success
|
||||
|
||||
Goal: test that no stray files are left over in the key store after a test that succeeded.
|
||||
|
||||
Solution: TODO. Currently the various test suites do it differently.
|
||||
|
||||
#### PSA storage cleanup on failure
|
||||
|
||||
Goal: ensure that no stray files are left over in the key store even if a test has failed (as that could cause other tests to fail).
|
||||
|
||||
Solution: TODO. Currently the various test suites do it differently.
|
||||
|
||||
#### PSA storage resilience
|
||||
|
||||
Goal: test the resilience of PSA storage against power failures.
|
||||
|
||||
Solution: TODO.
|
||||
|
||||
See the [secure element driver interface test strategy](driver-interface-test-strategy.html) for more information.
|
||||
|
||||
#### Corrupted storage
|
||||
|
||||
Goal: test the robustness against corrupted storage.
|
||||
|
||||
Solution ([internal interface](#internal-interfaces)): call `psa_its` functions to modify the storage.
|
||||
|
||||
#### Storage read failure
|
||||
|
||||
Goal: test the robustness against read errors.
|
||||
|
||||
Solution: TODO
|
||||
|
||||
#### Storage write failure
|
||||
|
||||
Goal: test the robustness against write errors (`STORAGE_FAILURE` or `INSUFFICIENT_STORAGE`).
|
||||
|
||||
Solution: TODO
|
||||
|
||||
#### Storage format stability
|
||||
|
||||
Goal: test that the storage format does not change between versions (or if it does, an upgrade path must be provided).
|
||||
|
||||
Solution ([internal interface](#internal-interfaces)): call internal functions to inspect the content of the file.
|
||||
|
||||
Note that the storage format is defined not only by the general layout, but also by the numerical values of encodings for key types and other metadata. For numerical values, there is a risk that we would accidentally modify a single value or a few values, so the tests should be exhaustive. This probably requires some compile-time analysis (perhaps the automation for `psa_constant_names` can be used here). TODO
|
||||
|
||||
### Other fault injection
|
||||
|
||||
#### PSA crypto init failure
|
||||
|
||||
Goal: test the failure of `psa_crypto_init`.
|
||||
|
||||
Solution ([compile-time option](#compile-time-options)): replace entropy initialization functions by functions that can fail. This is the only failure point for `psa_crypto_init` that is present in all builds.
|
||||
|
||||
When we implement the PSA entropy driver interface, this should be reworked to use the entropy driver interface.
|
||||
|
||||
#### PSA crypto data corruption
|
||||
|
||||
The PSA crypto subsystem has a few checks to detect corrupted data in memory. We currently don't have a way to exercise those checks.
|
||||
|
||||
Solution: TODO. To corrupt a multipart operation structure, we can do it by looking inside the structure content, but only when running without isolation. To corrupt the key store, we would need to add a function to the library or to use a debugger.
|
||||
|
@ -22,7 +22,7 @@ Each test case has a description which succinctly describes for a human audience
|
||||
* Make the description descriptive. “foo: x=2, y=4” is more descriptive than “foo #2”. “foo: 0<x<y, both even” is even better if these inequalities and parities are why this particular test data was chosen.
|
||||
* Avoid changing the description of an existing test case without a good reason. This breaks the tracking of failures across CI runs, since this tracking is based on the descriptions.
|
||||
|
||||
`tests/scripts/check-test-cases.py` enforces some rules and warns if some guidelines are violated.
|
||||
`tests/scripts/check_test_cases.py` enforces some rules and warns if some guidelines are violated.
|
||||
|
||||
## TLS tests
|
||||
|
||||
@ -32,7 +32,7 @@ Each test case has a description which succinctly describes for a human audience
|
||||
|
||||
Each test case in `ssl-opt.sh` has a description which succinctly describes for a human audience what the test does. The test description is the first parameter to `run_tests`.
|
||||
|
||||
The same rules and guidelines apply as for [unit test descriptions](#unit-test-descriptions). In addition, the description must be written on the same line as `run_test`, in double quotes, for the sake of `check-test-cases.py`.
|
||||
The same rules and guidelines apply as for [unit test descriptions](#unit-test-descriptions). In addition, the description must be written on the same line as `run_test`, in double quotes, for the sake of `check_test_cases.py`.
|
||||
|
||||
## Running tests
|
||||
|
||||
|
40
docs/architecture/tls13-experimental.md
Normal file
40
docs/architecture/tls13-experimental.md
Normal file
@ -0,0 +1,40 @@
|
||||
TLS 1.3 Experimental Developments
|
||||
=================================
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Mbed TLS doesn't support the TLS 1.3 protocol yet, but a prototype is in development.
|
||||
Stable parts of this prototype that can be independently tested are being successively
|
||||
upstreamed under the guard of the following macro:
|
||||
|
||||
```
|
||||
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
|
||||
```
|
||||
|
||||
This macro will likely be renamed to `MBEDTLS_SSL_PROTO_TLS1_3` once a minimal viable
|
||||
implementation of the TLS 1.3 protocol is available.
|
||||
|
||||
See the [documentation of `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`](../../include/mbedtls/config.h)
|
||||
for more information.
|
||||
|
||||
Status
|
||||
------
|
||||
|
||||
The following lists which parts of the TLS 1.3 prototype have already been upstreamed
|
||||
together with their level of testing:
|
||||
|
||||
* TLS 1.3 record protection mechanisms
|
||||
|
||||
The record protection routines `mbedtls_ssl_{encrypt|decrypt}_buf()` have been extended
|
||||
to support the modified TLS 1.3 record protection mechanism, including modified computation
|
||||
of AAD, IV, and the introduction of a flexible padding.
|
||||
|
||||
Those record protection routines have unit tests in `test_suite_ssl` alongside the
|
||||
tests for the other record protection routines.
|
||||
|
||||
TODO: Add some test vectors from RFC 8448.
|
||||
|
||||
- The HKDF key derivation function on which the TLS 1.3 key schedule is based,
|
||||
is already present as an independent module controlled by `MBEDTLS_HKDF_C`
|
||||
independently of the development of the TLS 1.3 prototype.
|
@ -865,7 +865,7 @@ Mbed Crypto provides a simple way to generate a key or key pair.
|
||||
psa_set_key_algorithm(&attributes,
|
||||
PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
|
||||
psa_set_key_type(&attributes,
|
||||
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP_R1));
|
||||
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
|
||||
psa_set_key_bits(&attributes, key_bits);
|
||||
status = psa_generate_key(&attributes, &handle);
|
||||
if (status != PSA_SUCCESS) {
|
||||
|
@ -24,7 +24,7 @@
|
||||
*/
|
||||
|
||||
/**
|
||||
* @mainpage mbed TLS v2.22.0 source code documentation
|
||||
* @mainpage mbed TLS v2.23.0 source code documentation
|
||||
*
|
||||
* This documentation describes the internal structure of mbed TLS. It was
|
||||
* automatically generated from specially formatted comment blocks in
|
||||
|
@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
|
||||
# identify the project. Note that if you do not use Doxywizard you need
|
||||
# to put quotes around the project name if it contains spaces.
|
||||
|
||||
PROJECT_NAME = "mbed TLS v2.22.0"
|
||||
PROJECT_NAME = "mbed TLS v2.23.0"
|
||||
|
||||
# The PROJECT_NUMBER tag can be used to enter a project or revision number.
|
||||
# This could be handy for archiving the generated documentation or
|
||||
|
@ -20,7 +20,8 @@
|
||||
* <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
|
||||
*/
|
||||
|
||||
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
/*
|
||||
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -9,7 +9,8 @@
|
||||
* Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
|
||||
* and also described by the IETF in <em>RFC 5794</em>.
|
||||
*/
|
||||
/* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
|
||||
/*
|
||||
* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -12,7 +12,8 @@
|
||||
* \author Daniel King <damaki.gh@gmail.com>
|
||||
*/
|
||||
|
||||
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
/*
|
||||
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -12,7 +12,8 @@
|
||||
* \author Daniel King <damaki.gh@gmail.com>
|
||||
*/
|
||||
|
||||
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
/*
|
||||
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -156,6 +156,14 @@
|
||||
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_C) && !( \
|
||||
defined(MBEDTLS_ECP_ALT) || \
|
||||
defined(MBEDTLS_CTR_DRBG_C) || \
|
||||
defined(MBEDTLS_HMAC_DRBG_C) || \
|
||||
defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
|
||||
#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
|
||||
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
|
||||
#endif
|
||||
@ -619,6 +627,11 @@
|
||||
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
|
||||
!defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
|
||||
#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
|
||||
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
|
@ -781,6 +781,28 @@
|
||||
*/
|
||||
#define MBEDTLS_ECP_NIST_OPTIM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_NO_INTERNAL_RNG
|
||||
*
|
||||
* When this option is disabled, mbedtls_ecp_mul() will make use of an
|
||||
* internal RNG when called with a NULL \c f_rng argument, in order to protect
|
||||
* against some side-channel attacks.
|
||||
*
|
||||
* This protection introduces a dependency of the ECP module on one of the
|
||||
* DRBG modules. For very constrained implementations that don't require this
|
||||
* protection (for example, because you're only doing signature verification,
|
||||
* so not manipulating any secret, or because local/physical side-channel
|
||||
* attacks are outside your threat model), it might be desirable to get rid of
|
||||
* that dependency.
|
||||
*
|
||||
* \warning Enabling this option makes some uses of ECP vulnerable to some
|
||||
* side-channel attacks. Only enable it if you know that's not a problem for
|
||||
* your use case.
|
||||
*
|
||||
* Uncomment this macro to disable some counter-measures in ECP.
|
||||
*/
|
||||
//#define MBEDTLS_ECP_NO_INTERNAL_RNG
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECP_RESTARTABLE
|
||||
*
|
||||
@ -1706,6 +1728,25 @@
|
||||
*/
|
||||
#define MBEDTLS_SSL_PROTO_TLS1_2
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
|
||||
*
|
||||
* This macro is used to selectively enable experimental parts
|
||||
* of the code that contribute to the ongoing development of
|
||||
* the prototype TLS 1.3 and DTLS 1.3 implementation, and provide
|
||||
* no other purpose.
|
||||
*
|
||||
* \warning TLS 1.3 and DTLS 1.3 aren't yet supported in Mbed TLS,
|
||||
* and no feature exposed through this macro is part of the
|
||||
* public API. In particular, features under the control
|
||||
* of this macro are experimental and don't come with any
|
||||
* stability guarantees.
|
||||
*
|
||||
* Uncomment this macro to enable experimental and partial
|
||||
* functionality specific to TLS 1.3.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_PROTO_DTLS
|
||||
*
|
||||
@ -1865,6 +1906,26 @@
|
||||
*/
|
||||
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_TEST_HOOKS
|
||||
*
|
||||
* Enable features for invasive testing such as introspection functions and
|
||||
* hooks for fault injection. This enables additional unit tests.
|
||||
*
|
||||
* Merely enabling this feature should not change the behavior of the product.
|
||||
* It only adds new code, and new branching points where the default behavior
|
||||
* is the same as when this feature is disabled.
|
||||
* However, this feature increases the attack surface: there is an added
|
||||
* risk of vulnerabilities, and more gadgets that can make exploits easier.
|
||||
* Therefore this feature must never be enabled in production.
|
||||
*
|
||||
* See `docs/architecture/testing/mbed-crypto-invasive-testing.md` for more
|
||||
* information.
|
||||
*
|
||||
* Uncomment to enable invasive tests.
|
||||
*/
|
||||
//#define MBEDTLS_TEST_HOOKS
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_THREADING_ALT
|
||||
*
|
||||
@ -3535,6 +3596,22 @@
|
||||
*/
|
||||
//#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
|
||||
|
||||
/** \def MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY
|
||||
*
|
||||
* This option controls the use of record plaintext padding
|
||||
* in TLS 1.3.
|
||||
*
|
||||
* The padding will always be chosen so that the length of the
|
||||
* padded plaintext is a multiple of the value of this option.
|
||||
*
|
||||
* Note: A value of \c 1 means that no padding will be used
|
||||
* for outgoing records.
|
||||
*
|
||||
* Note: On systems lacking division instructions,
|
||||
* a power of two should be preferred.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
|
||||
|
||||
/** \def MBEDTLS_SSL_OUT_CONTENT_LEN
|
||||
*
|
||||
* Maximum length (in bytes) of outgoing plaintext fragments.
|
||||
|
@ -846,6 +846,9 @@ int mbedtls_ecp_tls_write_group( const mbedtls_ecp_group *grp,
|
||||
* intermediate results to prevent potential timing attacks
|
||||
* targeting these results. We recommend always providing
|
||||
* a non-NULL \p f_rng. The overhead is negligible.
|
||||
* Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
|
||||
* \p f_rng is NULL, an internal RNG (seeded from the value
|
||||
* of \p m) will be used instead.
|
||||
*
|
||||
* \param grp The ECP group to use.
|
||||
* This must be initialized and have group parameters
|
||||
|
@ -101,7 +101,7 @@
|
||||
* ECP 4 10 (Started from top)
|
||||
* MD 5 5
|
||||
* HKDF 5 1 (Started from top)
|
||||
* SSL 5 1 (Started from 0x5F00)
|
||||
* SSL 5 2 (Started from 0x5F00)
|
||||
* CIPHER 6 8 (Started from 0x6080)
|
||||
* SSL 6 24 (Started from top, plus 0x6000)
|
||||
* SSL 7 32
|
||||
|
@ -104,6 +104,8 @@ typedef struct mbedtls_md_context_t
|
||||
* \brief This function returns the list of digests supported by the
|
||||
* generic digest module.
|
||||
*
|
||||
* \note The list starts with the strongest available hashes.
|
||||
*
|
||||
* \return A statically allocated array of digests. Each element
|
||||
* in the returned list is an integer belonging to the
|
||||
* message-digest enumeration #mbedtls_md_type_t.
|
||||
|
@ -12,7 +12,8 @@
|
||||
* \author Daniel King <damaki.gh@gmail.com>
|
||||
*/
|
||||
|
||||
/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
/*
|
||||
* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
|
@ -160,12 +160,12 @@ static inline psa_algorithm_t mbedtls_psa_translate_md( mbedtls_md_type_t md_alg
|
||||
/* Translations for ECC. */
|
||||
|
||||
static inline int mbedtls_psa_get_ecc_oid_from_id(
|
||||
psa_ecc_curve_t curve, size_t bits,
|
||||
psa_ecc_family_t curve, size_t bits,
|
||||
char const **oid, size_t *oid_len )
|
||||
{
|
||||
switch( curve )
|
||||
{
|
||||
case PSA_ECC_CURVE_SECP_R1:
|
||||
case PSA_ECC_FAMILY_SECP_R1:
|
||||
switch( bits )
|
||||
{
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
|
||||
@ -200,7 +200,7 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
|
||||
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
}
|
||||
break;
|
||||
case PSA_ECC_CURVE_SECP_K1:
|
||||
case PSA_ECC_FAMILY_SECP_K1:
|
||||
switch( bits )
|
||||
{
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
|
||||
@ -223,7 +223,7 @@ static inline int mbedtls_psa_get_ecc_oid_from_id(
|
||||
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
|
||||
}
|
||||
break;
|
||||
case PSA_ECC_CURVE_BRAINPOOL_P_R1:
|
||||
case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
|
||||
switch( bits )
|
||||
{
|
||||
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
|
||||
|
@ -129,6 +129,7 @@
|
||||
#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
|
||||
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /**< An operation failed due to an unexpected version or configuration. */
|
||||
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
|
||||
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 /**< Invalid value in SSL config */
|
||||
|
||||
/*
|
||||
* Various constants
|
||||
@ -138,11 +139,15 @@
|
||||
#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */
|
||||
#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
|
||||
#define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
|
||||
#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */
|
||||
|
||||
#define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */
|
||||
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */
|
||||
|
||||
#define MBEDTLS_SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
|
||||
#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN 255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */
|
||||
|
||||
#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN 65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301 */
|
||||
|
||||
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
|
||||
* NONE must be zero so that memset()ing structure to zero works */
|
||||
@ -276,6 +281,10 @@
|
||||
#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
|
||||
#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
|
||||
#endif
|
||||
|
||||
/* \} name SECTION: Module settings */
|
||||
|
||||
/*
|
||||
|
@ -207,6 +207,12 @@
|
||||
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
|
||||
)
|
||||
|
||||
/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
|
||||
#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
|
||||
|
||||
/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
|
||||
#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
|
||||
|
||||
/*
|
||||
* Check that we obey the standard's message size bounds
|
||||
*/
|
||||
@ -299,6 +305,41 @@ static inline uint32_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *
|
||||
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
|
||||
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
|
||||
|
||||
/**
|
||||
* \brief This function checks if the remaining size in a buffer is
|
||||
* greater or equal than a needed space.
|
||||
*
|
||||
* \param cur Pointer to the current position in the buffer.
|
||||
* \param end Pointer to one past the end of the buffer.
|
||||
* \param need Needed space in bytes.
|
||||
*
|
||||
* \return Zero if the needed space is available in the buffer, non-zero
|
||||
* otherwise.
|
||||
*/
|
||||
static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
|
||||
const uint8_t *end, size_t need )
|
||||
{
|
||||
return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* \brief This macro checks if the remaining size in a buffer is
|
||||
* greater or equal than a needed space. If it is not the case,
|
||||
* it returns an SSL_BUFFER_TOO_SMALL error.
|
||||
*
|
||||
* \param cur Pointer to the current position in the buffer.
|
||||
* \param end Pointer to one past the end of the buffer.
|
||||
* \param need Needed space in bytes.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
|
||||
do { \
|
||||
if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
|
||||
{ \
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
|
||||
} \
|
||||
} while( 0 )
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
@ -554,6 +595,10 @@ typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
|
||||
* time with the 8-byte record sequence number, without prepending the
|
||||
* latter to the encrypted record.
|
||||
*
|
||||
* Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
|
||||
* which allows to add flexible length padding and to hide a record's true
|
||||
* content type.
|
||||
*
|
||||
* In addition to type and version, the following parameters are relevant:
|
||||
* - The symmetric cipher algorithm to be used.
|
||||
* - The (static) encryption/decryption keys for the cipher.
|
||||
|
@ -39,7 +39,7 @@
|
||||
* Major, Minor, Patchlevel
|
||||
*/
|
||||
#define MBEDTLS_VERSION_MAJOR 2
|
||||
#define MBEDTLS_VERSION_MINOR 22
|
||||
#define MBEDTLS_VERSION_MINOR 23
|
||||
#define MBEDTLS_VERSION_PATCH 0
|
||||
|
||||
/**
|
||||
@ -47,9 +47,9 @@
|
||||
* MMNNPP00
|
||||
* Major version | Minor version | Patch version
|
||||
*/
|
||||
#define MBEDTLS_VERSION_NUMBER 0x02160000
|
||||
#define MBEDTLS_VERSION_STRING "2.22.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.22.0"
|
||||
#define MBEDTLS_VERSION_NUMBER 0x02170000
|
||||
#define MBEDTLS_VERSION_STRING "2.23.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.23.0"
|
||||
|
||||
#if defined(MBEDTLS_VERSION_C)
|
||||
|
||||
|
@ -303,6 +303,90 @@ int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
|
||||
const unsigned char *buf,
|
||||
size_t buflen );
|
||||
|
||||
/**
|
||||
* \brief The type of certificate extension callbacks.
|
||||
*
|
||||
* Callbacks of this type are passed to and used by the
|
||||
* mbedtls_x509_crt_parse_der_with_ext_cb() routine when
|
||||
* it encounters either an unsupported extension or a
|
||||
* "certificate policies" extension containing any
|
||||
* unsupported certificate policies.
|
||||
* Future versions of the library may invoke the callback
|
||||
* in other cases, if and when the need arises.
|
||||
*
|
||||
* \param p_ctx An opaque context passed to the callback.
|
||||
* \param crt The certificate being parsed.
|
||||
* \param oid The OID of the extension.
|
||||
* \param critical Whether the extension is critical.
|
||||
* \param p Pointer to the start of the extension value
|
||||
* (the content of the OCTET STRING).
|
||||
* \param end End of extension value.
|
||||
*
|
||||
* \note The callback must fail and return a negative error code
|
||||
* if it can not parse or does not support the extension.
|
||||
* When the callback fails to parse a critical extension
|
||||
* mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
|
||||
* When the callback fails to parse a non critical extension
|
||||
* mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
|
||||
* the extension and continues parsing.
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return A negative error code on failure.
|
||||
*/
|
||||
typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
|
||||
mbedtls_x509_crt const *crt,
|
||||
mbedtls_x509_buf const *oid,
|
||||
int critical,
|
||||
const unsigned char *p,
|
||||
const unsigned char *end );
|
||||
|
||||
/**
|
||||
* \brief Parse a single DER formatted certificate and add it
|
||||
* to the end of the provided chained list.
|
||||
*
|
||||
* \param chain The pointer to the start of the CRT chain to attach to.
|
||||
* When parsing the first CRT in a chain, this should point
|
||||
* to an instance of ::mbedtls_x509_crt initialized through
|
||||
* mbedtls_x509_crt_init().
|
||||
* \param buf The buffer holding the DER encoded certificate.
|
||||
* \param buflen The size in Bytes of \p buf.
|
||||
* \param make_copy When not zero this function makes an internal copy of the
|
||||
* CRT buffer \p buf. In particular, \p buf may be destroyed
|
||||
* or reused after this call returns.
|
||||
* When zero this function avoids duplicating the CRT buffer
|
||||
* by taking temporary ownership thereof until the CRT
|
||||
* is destroyed (like mbedtls_x509_crt_parse_der_nocopy())
|
||||
* \param cb A callback invoked for every unsupported certificate
|
||||
* extension.
|
||||
* \param p_ctx An opaque context passed to the callback.
|
||||
*
|
||||
* \note This call is functionally equivalent to
|
||||
* mbedtls_x509_crt_parse_der(), and/or
|
||||
* mbedtls_x509_crt_parse_der_nocopy()
|
||||
* but it calls the callback with every unsupported
|
||||
* certificate extension and additionally the
|
||||
* "certificate policies" extension if it contains any
|
||||
* unsupported certificate policies.
|
||||
* The callback must return a negative error code if it
|
||||
* does not know how to handle such an extension.
|
||||
* When the callback fails to parse a critical extension
|
||||
* mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
|
||||
* When the callback fails to parse a non critical extension
|
||||
* mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
|
||||
* the extension and continues parsing.
|
||||
* Future versions of the library may invoke the callback
|
||||
* in other cases, if and when the need arises.
|
||||
*
|
||||
* \return \c 0 if successful.
|
||||
* \return A negative error code on failure.
|
||||
*/
|
||||
int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
|
||||
const unsigned char *buf,
|
||||
size_t buflen,
|
||||
int make_copy,
|
||||
mbedtls_x509_crt_ext_cb_t cb,
|
||||
void *p_ctx );
|
||||
|
||||
/**
|
||||
* \brief Parse a single DER formatted certificate and add it
|
||||
* to the end of the provided chained list. This is a
|
||||
|
@ -735,9 +735,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
|
||||
* where `m` is the bit size associated with the curve, i.e. the bit size
|
||||
* of the order of the curve's coordinate field. This byte string is
|
||||
* in little-endian order for Montgomery curves (curve types
|
||||
* `PSA_ECC_CURVE_CURVEXXX`), and in big-endian order for Weierstrass
|
||||
* curves (curve types `PSA_ECC_CURVE_SECTXXX`, `PSA_ECC_CURVE_SECPXXX`
|
||||
* and `PSA_ECC_CURVE_BRAINPOOL_PXXX`).
|
||||
* `PSA_ECC_FAMILY_CURVEXXX`), and in big-endian order for Weierstrass
|
||||
* curves (curve types `PSA_ECC_FAMILY_SECTXXX`, `PSA_ECC_FAMILY_SECPXXX`
|
||||
* and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`).
|
||||
* For Weierstrass curves, this is the content of the `privateKey` field of
|
||||
* the `ECPrivateKey` format defined by RFC 5915. For Montgomery curves,
|
||||
* the format is defined by RFC 7748, and output is masked according to §5.
|
||||
@ -3503,9 +3503,9 @@ psa_status_t psa_key_derivation_output_bytes(
|
||||
* length is determined by the curve, and sets the mandatory bits
|
||||
* accordingly. That is:
|
||||
*
|
||||
* - Curve25519 (#PSA_ECC_CURVE_MONTGOMERY, 255 bits): draw a 32-byte
|
||||
* - Curve25519 (#PSA_ECC_FAMILY_MONTGOMERY, 255 bits): draw a 32-byte
|
||||
* string and process it as specified in RFC 7748 §5.
|
||||
* - Curve448 (#PSA_ECC_CURVE_MONTGOMERY, 448 bits): draw a 56-byte
|
||||
* - Curve448 (#PSA_ECC_FAMILY_MONTGOMERY, 448 bits): draw a 56-byte
|
||||
* string and process it as specified in RFC 7748 §5.
|
||||
*
|
||||
* - For key types for which the key is represented by a single sequence of
|
||||
|
@ -50,8 +50,13 @@ extern "C" {
|
||||
typedef MBEDTLS_PSA_DEPRECATED size_t mbedtls_deprecated_size_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_status_t mbedtls_deprecated_psa_status_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_key_usage_t mbedtls_deprecated_psa_key_usage_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_curve_t mbedtls_deprecated_psa_ecc_curve_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_dh_group_t mbedtls_deprecated_psa_dh_group_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t mbedtls_deprecated_psa_ecc_family_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t mbedtls_deprecated_psa_dh_family_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t psa_ecc_curve_t;
|
||||
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t psa_dh_group_t;
|
||||
|
||||
#define PSA_KEY_TYPE_GET_CURVE PSA_KEY_TYPE_ECC_GET_FAMILY
|
||||
#define PSA_KEY_TYPE_GET_GROUP PSA_KEY_TYPE_DH_GET_FAMILY
|
||||
|
||||
#define MBEDTLS_DEPRECATED_CONSTANT( type, value ) \
|
||||
( (mbedtls_deprecated_##type) ( value ) )
|
||||
@ -115,79 +120,110 @@ MBEDTLS_PSA_DEPRECATED static inline psa_status_t psa_asymmetric_verify( psa_key
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
|
||||
/*
|
||||
* Size-specific elliptic curve and Diffie-Hellman group names
|
||||
* Size-specific elliptic curve families.
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECP160K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
|
||||
#define PSA_ECC_CURVE_SECP192K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
|
||||
#define PSA_ECC_CURVE_SECP224K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
|
||||
#define PSA_ECC_CURVE_SECP256K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
|
||||
#define PSA_ECC_CURVE_SECP160R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP192R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP224R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP256R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP384R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP521R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP160R2 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECP_R2 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R2 )
|
||||
#define PSA_ECC_CURVE_SECT163K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT233K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT239K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT283K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT409K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT571K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_K1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT163R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT193R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT233R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT283R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT409R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT571R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT163R2 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R2 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
|
||||
#define PSA_ECC_CURVE_SECT193R2 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_SECT_R2 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
|
||||
#define PSA_ECC_CURVE_BRAINPOOL_P256R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
|
||||
#define PSA_ECC_CURVE_BRAINPOOL_P384R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
|
||||
#define PSA_ECC_CURVE_BRAINPOOL_P512R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_BRAINPOOL_P_R1 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
|
||||
#define PSA_ECC_CURVE_CURVE25519 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_MONTGOMERY )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
|
||||
#define PSA_ECC_CURVE_CURVE448 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_curve_t, PSA_ECC_CURVE_MONTGOMERY )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
|
||||
|
||||
/*
|
||||
* Curves that changed name due to PSA specification.
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECP_K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_K1 )
|
||||
#define PSA_ECC_CURVE_SECP_R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R1 )
|
||||
#define PSA_ECC_CURVE_SECP_R2 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECP_R2 )
|
||||
#define PSA_ECC_CURVE_SECT_K1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_K1 )
|
||||
#define PSA_ECC_CURVE_SECT_R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R1 )
|
||||
#define PSA_ECC_CURVE_SECT_R2 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_SECT_R2 )
|
||||
#define PSA_ECC_CURVE_BRAINPOOL_P_R1 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_BRAINPOOL_P_R1 )
|
||||
#define PSA_ECC_CURVE_MONTGOMERY \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_ecc_family_t, PSA_ECC_FAMILY_MONTGOMERY )
|
||||
|
||||
/*
|
||||
* Finite-field Diffie-Hellman families.
|
||||
*/
|
||||
#define PSA_DH_GROUP_FFDHE2048 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
#define PSA_DH_GROUP_FFDHE3072 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
#define PSA_DH_GROUP_FFDHE4096 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
#define PSA_DH_GROUP_FFDHE6144 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
#define PSA_DH_GROUP_FFDHE8192 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_group_t, PSA_DH_GROUP_RFC7919 )
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
|
||||
/*
|
||||
* Diffie-Hellman families that changed name due to PSA specification.
|
||||
*/
|
||||
#define PSA_DH_GROUP_RFC7919 \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_RFC7919 )
|
||||
#define PSA_DH_GROUP_CUSTOM \
|
||||
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_CUSTOM )
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
@ -414,11 +414,11 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
|
||||
|
||||
/** Custom Diffie-Hellman group.
|
||||
*
|
||||
* For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_GROUP_CUSTOM) or
|
||||
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM), the group data comes
|
||||
* For keys of type #PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
|
||||
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM), the group data comes
|
||||
* from domain parameters set by psa_set_key_domain_parameters().
|
||||
*/
|
||||
#define PSA_DH_GROUP_CUSTOM ((psa_dh_group_t) 0x7e)
|
||||
#define PSA_DH_FAMILY_CUSTOM ((psa_dh_family_t) 0x7e)
|
||||
|
||||
|
||||
/**
|
||||
@ -448,8 +448,8 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
|
||||
* }
|
||||
* ```
|
||||
* - For Diffie-Hellman key exchange keys
|
||||
* (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_GROUP_CUSTOM) or
|
||||
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_GROUP_CUSTOM)), the
|
||||
* (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
|
||||
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
|
||||
* `DomainParameters` format as defined by RFC 3279 §2.3.3.
|
||||
* ```
|
||||
* DomainParameters ::= SEQUENCE {
|
||||
@ -575,53 +575,53 @@ psa_status_t psa_get_key_domain_parameters(
|
||||
* \param[out] bits On success, the bit size of the curve.
|
||||
*
|
||||
* \return The corresponding PSA elliptic curve identifier
|
||||
* (`PSA_ECC_CURVE_xxx`).
|
||||
* (`PSA_ECC_FAMILY_xxx`).
|
||||
* \return \c 0 on failure (\p grpid is not recognized).
|
||||
*/
|
||||
static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
|
||||
static inline psa_ecc_family_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid,
|
||||
size_t *bits )
|
||||
{
|
||||
switch( grpid )
|
||||
{
|
||||
case MBEDTLS_ECP_DP_SECP192R1:
|
||||
*bits = 192;
|
||||
return( PSA_ECC_CURVE_SECP_R1 );
|
||||
return( PSA_ECC_FAMILY_SECP_R1 );
|
||||
case MBEDTLS_ECP_DP_SECP224R1:
|
||||
*bits = 224;
|
||||
return( PSA_ECC_CURVE_SECP_R1 );
|
||||
return( PSA_ECC_FAMILY_SECP_R1 );
|
||||
case MBEDTLS_ECP_DP_SECP256R1:
|
||||
*bits = 256;
|
||||
return( PSA_ECC_CURVE_SECP_R1 );
|
||||
return( PSA_ECC_FAMILY_SECP_R1 );
|
||||
case MBEDTLS_ECP_DP_SECP384R1:
|
||||
*bits = 384;
|
||||
return( PSA_ECC_CURVE_SECP_R1 );
|
||||
return( PSA_ECC_FAMILY_SECP_R1 );
|
||||
case MBEDTLS_ECP_DP_SECP521R1:
|
||||
*bits = 521;
|
||||
return( PSA_ECC_CURVE_SECP_R1 );
|
||||
return( PSA_ECC_FAMILY_SECP_R1 );
|
||||
case MBEDTLS_ECP_DP_BP256R1:
|
||||
*bits = 256;
|
||||
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
|
||||
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
|
||||
case MBEDTLS_ECP_DP_BP384R1:
|
||||
*bits = 384;
|
||||
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
|
||||
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
|
||||
case MBEDTLS_ECP_DP_BP512R1:
|
||||
*bits = 512;
|
||||
return( PSA_ECC_CURVE_BRAINPOOL_P_R1 );
|
||||
return( PSA_ECC_FAMILY_BRAINPOOL_P_R1 );
|
||||
case MBEDTLS_ECP_DP_CURVE25519:
|
||||
*bits = 255;
|
||||
return( PSA_ECC_CURVE_MONTGOMERY );
|
||||
return( PSA_ECC_FAMILY_MONTGOMERY );
|
||||
case MBEDTLS_ECP_DP_SECP192K1:
|
||||
*bits = 192;
|
||||
return( PSA_ECC_CURVE_SECP_K1 );
|
||||
return( PSA_ECC_FAMILY_SECP_K1 );
|
||||
case MBEDTLS_ECP_DP_SECP224K1:
|
||||
*bits = 224;
|
||||
return( PSA_ECC_CURVE_SECP_K1 );
|
||||
return( PSA_ECC_FAMILY_SECP_K1 );
|
||||
case MBEDTLS_ECP_DP_SECP256K1:
|
||||
*bits = 256;
|
||||
return( PSA_ECC_CURVE_SECP_K1 );
|
||||
return( PSA_ECC_FAMILY_SECP_K1 );
|
||||
case MBEDTLS_ECP_DP_CURVE448:
|
||||
*bits = 448;
|
||||
return( PSA_ECC_CURVE_MONTGOMERY );
|
||||
return( PSA_ECC_FAMILY_MONTGOMERY );
|
||||
default:
|
||||
*bits = 0;
|
||||
return( 0 );
|
||||
@ -634,7 +634,7 @@ static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grp
|
||||
* Mbed TLS and may be removed at any time without notice.
|
||||
*
|
||||
* \param curve A PSA elliptic curve identifier
|
||||
* (`PSA_ECC_CURVE_xxx`).
|
||||
* (`PSA_ECC_FAMILY_xxx`).
|
||||
* \param byte_length The byte-length of a private key on \p curve.
|
||||
*
|
||||
* \return The corresponding Mbed TLS elliptic curve identifier
|
||||
@ -643,7 +643,7 @@ static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grp
|
||||
* \return #MBEDTLS_ECP_DP_NONE if \p byte_length is not
|
||||
* correct for \p curve.
|
||||
*/
|
||||
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve,
|
||||
mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve,
|
||||
size_t byte_length );
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
|
@ -74,7 +74,7 @@ typedef uint16_t psa_key_type_t;
|
||||
* Values defined by this standard will never be in the range 0x80-0xff.
|
||||
* Vendors who define additional families must use an encoding in this range.
|
||||
*/
|
||||
typedef uint8_t psa_ecc_curve_t;
|
||||
typedef uint8_t psa_ecc_family_t;
|
||||
|
||||
/** The type of PSA Diffie-Hellman group family identifiers.
|
||||
*
|
||||
@ -85,7 +85,7 @@ typedef uint8_t psa_ecc_curve_t;
|
||||
* Values defined by this standard will never be in the range 0x80-0xff.
|
||||
* Vendors who define additional families must use an encoding in this range.
|
||||
*/
|
||||
typedef uint8_t psa_dh_group_t;
|
||||
typedef uint8_t psa_dh_family_t;
|
||||
|
||||
/** \brief Encoding of a cryptographic algorithm.
|
||||
*
|
||||
|
@ -426,15 +426,15 @@
|
||||
#define PSA_KEY_TYPE_ECC_CURVE_MASK ((psa_key_type_t)0x00ff)
|
||||
/** Elliptic curve key pair.
|
||||
*
|
||||
* \param curve A value of type ::psa_ecc_curve_t that identifies the
|
||||
* ECC curve to be used.
|
||||
* \param curve A value of type ::psa_ecc_family_t that
|
||||
* identifies the ECC curve to be used.
|
||||
*/
|
||||
#define PSA_KEY_TYPE_ECC_KEY_PAIR(curve) \
|
||||
(PSA_KEY_TYPE_ECC_KEY_PAIR_BASE | (curve))
|
||||
/** Elliptic curve public key.
|
||||
*
|
||||
* \param curve A value of type ::psa_ecc_curve_t that identifies the
|
||||
* ECC curve to be used.
|
||||
* \param curve A value of type ::psa_ecc_family_t that
|
||||
* identifies the ECC curve to be used.
|
||||
*/
|
||||
#define PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve) \
|
||||
(PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE | (curve))
|
||||
@ -453,8 +453,8 @@
|
||||
PSA_KEY_TYPE_ECC_PUBLIC_KEY_BASE)
|
||||
|
||||
/** Extract the curve from an elliptic curve key type. */
|
||||
#define PSA_KEY_TYPE_GET_CURVE(type) \
|
||||
((psa_ecc_curve_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
|
||||
#define PSA_KEY_TYPE_ECC_GET_FAMILY(type) \
|
||||
((psa_ecc_family_t) (PSA_KEY_TYPE_IS_ECC(type) ? \
|
||||
((type) & PSA_KEY_TYPE_ECC_CURVE_MASK) : \
|
||||
0))
|
||||
|
||||
@ -466,7 +466,7 @@
|
||||
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
|
||||
* https://www.secg.org/sec2-v2.pdf
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECP_K1 ((psa_ecc_curve_t) 0x17)
|
||||
#define PSA_ECC_FAMILY_SECP_K1 ((psa_ecc_family_t) 0x17)
|
||||
|
||||
/** SEC random curves over prime fields.
|
||||
*
|
||||
@ -476,9 +476,9 @@
|
||||
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
|
||||
* https://www.secg.org/sec2-v2.pdf
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECP_R1 ((psa_ecc_curve_t) 0x12)
|
||||
#define PSA_ECC_FAMILY_SECP_R1 ((psa_ecc_family_t) 0x12)
|
||||
/* SECP160R2 (SEC2 v1, obsolete) */
|
||||
#define PSA_ECC_CURVE_SECP_R2 ((psa_ecc_curve_t) 0x1b)
|
||||
#define PSA_ECC_FAMILY_SECP_R2 ((psa_ecc_family_t) 0x1b)
|
||||
|
||||
/** SEC Koblitz curves over binary fields.
|
||||
*
|
||||
@ -488,7 +488,7 @@
|
||||
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
|
||||
* https://www.secg.org/sec2-v2.pdf
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECT_K1 ((psa_ecc_curve_t) 0x27)
|
||||
#define PSA_ECC_FAMILY_SECT_K1 ((psa_ecc_family_t) 0x27)
|
||||
|
||||
/** SEC random curves over binary fields.
|
||||
*
|
||||
@ -498,7 +498,7 @@
|
||||
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
|
||||
* https://www.secg.org/sec2-v2.pdf
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECT_R1 ((psa_ecc_curve_t) 0x22)
|
||||
#define PSA_ECC_FAMILY_SECT_R1 ((psa_ecc_family_t) 0x22)
|
||||
|
||||
/** SEC additional random curves over binary fields.
|
||||
*
|
||||
@ -508,7 +508,7 @@
|
||||
* _SEC 2: Recommended Elliptic Curve Domain Parameters_.
|
||||
* https://www.secg.org/sec2-v2.pdf
|
||||
*/
|
||||
#define PSA_ECC_CURVE_SECT_R2 ((psa_ecc_curve_t) 0x2b)
|
||||
#define PSA_ECC_FAMILY_SECT_R2 ((psa_ecc_family_t) 0x2b)
|
||||
|
||||
/** Brainpool P random curves.
|
||||
*
|
||||
@ -517,7 +517,7 @@
|
||||
* brainpoolP320r1, brainpoolP384r1, brainpoolP512r1.
|
||||
* It is defined in RFC 5639.
|
||||
*/
|
||||
#define PSA_ECC_CURVE_BRAINPOOL_P_R1 ((psa_ecc_curve_t) 0x30)
|
||||
#define PSA_ECC_FAMILY_BRAINPOOL_P_R1 ((psa_ecc_family_t) 0x30)
|
||||
|
||||
/** Curve25519 and Curve448.
|
||||
*
|
||||
@ -529,21 +529,21 @@
|
||||
* _Ed448-Goldilocks, a new elliptic curve_, NIST ECC Workshop, 2015.
|
||||
* The algorithm #PSA_ALG_ECDH performs X448 when used with this curve.
|
||||
*/
|
||||
#define PSA_ECC_CURVE_MONTGOMERY ((psa_ecc_curve_t) 0x41)
|
||||
#define PSA_ECC_FAMILY_MONTGOMERY ((psa_ecc_family_t) 0x41)
|
||||
|
||||
#define PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE ((psa_key_type_t)0x4200)
|
||||
#define PSA_KEY_TYPE_DH_KEY_PAIR_BASE ((psa_key_type_t)0x7200)
|
||||
#define PSA_KEY_TYPE_DH_GROUP_MASK ((psa_key_type_t)0x00ff)
|
||||
/** Diffie-Hellman key pair.
|
||||
*
|
||||
* \param group A value of type ::psa_dh_group_t that identifies the
|
||||
* \param group A value of type ::psa_dh_family_t that identifies the
|
||||
* Diffie-Hellman group to be used.
|
||||
*/
|
||||
#define PSA_KEY_TYPE_DH_KEY_PAIR(group) \
|
||||
(PSA_KEY_TYPE_DH_KEY_PAIR_BASE | (group))
|
||||
/** Diffie-Hellman public key.
|
||||
*
|
||||
* \param group A value of type ::psa_dh_group_t that identifies the
|
||||
* \param group A value of type ::psa_dh_family_t that identifies the
|
||||
* Diffie-Hellman group to be used.
|
||||
*/
|
||||
#define PSA_KEY_TYPE_DH_PUBLIC_KEY(group) \
|
||||
@ -563,8 +563,8 @@
|
||||
PSA_KEY_TYPE_DH_PUBLIC_KEY_BASE)
|
||||
|
||||
/** Extract the group from a Diffie-Hellman key type. */
|
||||
#define PSA_KEY_TYPE_GET_GROUP(type) \
|
||||
((psa_dh_group_t) (PSA_KEY_TYPE_IS_DH(type) ? \
|
||||
#define PSA_KEY_TYPE_DH_GET_FAMILY(type) \
|
||||
((psa_dh_family_t) (PSA_KEY_TYPE_IS_DH(type) ? \
|
||||
((type) & PSA_KEY_TYPE_DH_GROUP_MASK) : \
|
||||
0))
|
||||
|
||||
@ -574,7 +574,7 @@
|
||||
* 2048, 3072, 4096, 6144, 8192. A given implementation may support
|
||||
* all of these sizes or only a subset.
|
||||
*/
|
||||
#define PSA_DH_GROUP_RFC7919 ((psa_dh_group_t) 0x03)
|
||||
#define PSA_DH_FAMILY_RFC7919 ((psa_dh_family_t) 0x03)
|
||||
|
||||
#define PSA_GET_KEY_TYPE_BLOCK_SIZE_EXPONENT(type) \
|
||||
(((type) >> 8) & 7)
|
||||
@ -1483,17 +1483,17 @@
|
||||
* is padded with zero bits. The byte order is either little-endian
|
||||
* or big-endian depending on the curve type.
|
||||
*
|
||||
* - For Montgomery curves (curve types `PSA_ECC_CURVE_CURVEXXX`),
|
||||
* - For Montgomery curves (curve types `PSA_ECC_FAMILY_CURVEXXX`),
|
||||
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
|
||||
* in little-endian byte order.
|
||||
* The bit size is 448 for Curve448 and 255 for Curve25519.
|
||||
* - For Weierstrass curves over prime fields (curve types
|
||||
* `PSA_ECC_CURVE_SECPXXX` and `PSA_ECC_CURVE_BRAINPOOL_PXXX`),
|
||||
* `PSA_ECC_FAMILY_SECPXXX` and `PSA_ECC_FAMILY_BRAINPOOL_PXXX`),
|
||||
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
|
||||
* in big-endian byte order.
|
||||
* The bit size is `m = ceiling(log_2(p))` for the field `F_p`.
|
||||
* - For Weierstrass curves over binary fields (curve types
|
||||
* `PSA_ECC_CURVE_SECTXXX`),
|
||||
* `PSA_ECC_FAMILY_SECTXXX`),
|
||||
* the shared secret is the x-coordinate of `d_A Q_B = d_B Q_A`
|
||||
* in big-endian byte order.
|
||||
* The bit size is `m` for the field `F_{2^m}`.
|
||||
@ -1611,7 +1611,7 @@
|
||||
*/
|
||||
#define PSA_KEY_LIFETIME_IS_VOLATILE(lifetime) \
|
||||
(PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime) == \
|
||||
PSA_KEY_LIFETIME_PERSISTENCE_VOLATILE)
|
||||
PSA_KEY_PERSISTENCE_VOLATILE)
|
||||
|
||||
/** Construct a lifetime from a persistence level and a location.
|
||||
*
|
||||
|
@ -148,10 +148,14 @@ if (NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
|
||||
message(FATAL_ERROR "Need to choose static or shared mbedtls build!")
|
||||
endif(NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
|
||||
|
||||
set(target_libraries "mbedcrypto" "mbedx509" "mbedtls")
|
||||
|
||||
if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
|
||||
set(mbedtls_static_target "mbedtls_static")
|
||||
set(mbedx509_static_target "mbedx509_static")
|
||||
set(mbedcrypto_static_target "mbedcrypto_static")
|
||||
list(APPEND target_libraries
|
||||
"mbedcrypto_static" "mbedx509_static" "mbedtls_static")
|
||||
elseif(USE_STATIC_MBEDTLS_LIBRARY)
|
||||
set(mbedtls_static_target "mbedtls")
|
||||
set(mbedx509_static_target "mbedx509")
|
||||
@ -162,8 +166,6 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
|
||||
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
|
||||
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
|
||||
target_link_libraries(${mbedcrypto_static_target} ${libs})
|
||||
target_include_directories(${mbedcrypto_static_target}
|
||||
PUBLIC ${MBEDTLS_DIR}/include/)
|
||||
|
||||
add_library(${mbedx509_static_target} STATIC ${src_x509})
|
||||
set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
|
||||
@ -172,37 +174,40 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
|
||||
add_library(${mbedtls_static_target} STATIC ${src_tls})
|
||||
set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
|
||||
target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target})
|
||||
|
||||
install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target}
|
||||
DESTINATION ${LIB_INSTALL_DIR}
|
||||
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
|
||||
endif(USE_STATIC_MBEDTLS_LIBRARY)
|
||||
|
||||
if(USE_SHARED_MBEDTLS_LIBRARY)
|
||||
|
||||
add_library(mbedcrypto SHARED ${src_crypto})
|
||||
set_target_properties(mbedcrypto PROPERTIES VERSION 2.22.0 SOVERSION 4)
|
||||
set_target_properties(mbedcrypto PROPERTIES VERSION 2.23.0 SOVERSION 5)
|
||||
target_link_libraries(mbedcrypto ${libs})
|
||||
target_include_directories(mbedcrypto
|
||||
PUBLIC ${MBEDTLS_DIR}/include/)
|
||||
|
||||
add_library(mbedx509 SHARED ${src_x509})
|
||||
set_target_properties(mbedx509 PROPERTIES VERSION 2.22.0 SOVERSION 1)
|
||||
set_target_properties(mbedx509 PROPERTIES VERSION 2.23.0 SOVERSION 1)
|
||||
target_link_libraries(mbedx509 ${libs} mbedcrypto)
|
||||
target_include_directories(mbedx509
|
||||
PUBLIC ${MBEDTLS_DIR}/include/)
|
||||
|
||||
add_library(mbedtls SHARED ${src_tls})
|
||||
set_target_properties(mbedtls PROPERTIES VERSION 2.22.0 SOVERSION 13)
|
||||
set_target_properties(mbedtls PROPERTIES VERSION 2.23.0 SOVERSION 13)
|
||||
target_link_libraries(mbedtls ${libs} mbedx509)
|
||||
target_include_directories(mbedtls
|
||||
PUBLIC ${MBEDTLS_DIR}/include/)
|
||||
|
||||
install(TARGETS mbedtls mbedx509 mbedcrypto
|
||||
DESTINATION ${LIB_INSTALL_DIR}
|
||||
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
|
||||
endif(USE_SHARED_MBEDTLS_LIBRARY)
|
||||
|
||||
foreach(target IN LISTS target_libraries)
|
||||
# Include public header files from /include and other directories
|
||||
# declared by /3rdparty/**/CMakeLists.txt. Include private header files
|
||||
# from /library and others declared by /3rdparty/**/CMakeLists.txt.
|
||||
# /library needs to be listed explicitly when building .c files outside
|
||||
# of /library (which currently means: under /3rdparty).
|
||||
target_include_directories(${target}
|
||||
PUBLIC ${MBEDTLS_DIR}/include/
|
||||
PUBLIC ${thirdparty_inc_public}
|
||||
PRIVATE ${MBEDTLS_DIR}/library/
|
||||
PRIVATE ${thirdparty_inc})
|
||||
target_compile_definitions(${target}
|
||||
PRIVATE ${thirdparty_def})
|
||||
install(TARGETS ${target}
|
||||
DESTINATION ${LIB_INSTALL_DIR}
|
||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
||||
endforeach(target)
|
||||
|
||||
add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
|
||||
if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
|
||||
add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)
|
||||
|
@ -5,7 +5,11 @@ CFLAGS ?= -O2
|
||||
WARNING_CFLAGS ?= -Wall -Wextra
|
||||
LDFLAGS ?=
|
||||
|
||||
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../include -D_FILE_OFFSET_BITS=64
|
||||
# Include ../include for public headers and . for private headers.
|
||||
# Note that . needs to be included explicitly for the sake of library
|
||||
# files that are not in the /library directory (which currently means
|
||||
# under /3rdparty).
|
||||
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -D_FILE_OFFSET_BITS=64
|
||||
LOCAL_LDFLAGS =
|
||||
|
||||
ifdef DEBUG
|
||||
@ -37,7 +41,7 @@ endif
|
||||
|
||||
SOEXT_TLS=so.13
|
||||
SOEXT_X509=so.1
|
||||
SOEXT_CRYPTO=so.4
|
||||
SOEXT_CRYPTO=so.5
|
||||
|
||||
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
|
||||
# the - prefix for command line options (e.g. llvm-ar)
|
||||
|
@ -25,11 +25,7 @@
|
||||
* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
|
||||
|
@ -24,11 +24,7 @@
|
||||
* [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_AESNI_C)
|
||||
|
||||
|
@ -24,11 +24,7 @@
|
||||
* http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* [2] https://tools.ietf.org/html/rfc5794
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ARIA_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ASN1_WRITE_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_BASE64_C)
|
||||
|
||||
|
152
library/bignum.c
152
library/bignum.c
@ -35,11 +35,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
@ -243,6 +239,22 @@ void mbedtls_mpi_swap( mbedtls_mpi *X, mbedtls_mpi *Y )
|
||||
memcpy( Y, &T, sizeof( mbedtls_mpi ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Conditionally assign dest = src, without leaking information
|
||||
* about whether the assignment was made or not.
|
||||
* dest and src must be arrays of limbs of size n.
|
||||
* assign must be 0 or 1.
|
||||
*/
|
||||
static void mpi_safe_cond_assign( size_t n,
|
||||
mbedtls_mpi_uint *dest,
|
||||
const mbedtls_mpi_uint *src,
|
||||
unsigned char assign )
|
||||
{
|
||||
size_t i;
|
||||
for( i = 0; i < n; i++ )
|
||||
dest[i] = dest[i] * ( 1 - assign ) + src[i] * assign;
|
||||
}
|
||||
|
||||
/*
|
||||
* Conditionally assign X = Y, without leaking information
|
||||
* about whether the assignment was made or not.
|
||||
@ -262,10 +274,9 @@ int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X, const mbedtls_mpi *Y, unsigned
|
||||
|
||||
X->s = X->s * ( 1 - assign ) + Y->s * assign;
|
||||
|
||||
for( i = 0; i < Y->n; i++ )
|
||||
X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
|
||||
mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
|
||||
|
||||
for( ; i < X->n; i++ )
|
||||
for( i = Y->n; i < X->n; i++ )
|
||||
X->p[i] *= ( 1 - assign );
|
||||
|
||||
cleanup:
|
||||
@ -1327,10 +1338,24 @@ cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Helper for mbedtls_mpi subtraction
|
||||
/**
|
||||
* Helper for mbedtls_mpi subtraction.
|
||||
*
|
||||
* Calculate d - s where d and s have the same size.
|
||||
* This function operates modulo (2^ciL)^n and returns the carry
|
||||
* (1 if there was a wraparound, i.e. if `d < s`, and 0 otherwise).
|
||||
*
|
||||
* \param n Number of limbs of \p d and \p s.
|
||||
* \param[in,out] d On input, the left operand.
|
||||
* On output, the result of the subtraction:
|
||||
* \param[in] s The right operand.
|
||||
*
|
||||
* \return 1 if `d < s`.
|
||||
* 0 if `d >= s`.
|
||||
*/
|
||||
static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
|
||||
static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
|
||||
mbedtls_mpi_uint *d,
|
||||
const mbedtls_mpi_uint *s )
|
||||
{
|
||||
size_t i;
|
||||
mbedtls_mpi_uint c, z;
|
||||
@ -1341,28 +1366,22 @@ static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
|
||||
c = ( *d < *s ) + z; *d -= *s;
|
||||
}
|
||||
|
||||
while( c != 0 )
|
||||
{
|
||||
z = ( *d < c ); *d -= c;
|
||||
c = z; d++;
|
||||
}
|
||||
return( c );
|
||||
}
|
||||
|
||||
/*
|
||||
* Unsigned subtraction: X = |A| - |B| (HAC 14.9)
|
||||
* Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
|
||||
*/
|
||||
int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
|
||||
{
|
||||
mbedtls_mpi TB;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t n;
|
||||
mbedtls_mpi_uint carry;
|
||||
MPI_VALIDATE_RET( X != NULL );
|
||||
MPI_VALIDATE_RET( A != NULL );
|
||||
MPI_VALIDATE_RET( B != NULL );
|
||||
|
||||
if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
|
||||
return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
|
||||
|
||||
mbedtls_mpi_init( &TB );
|
||||
|
||||
if( X == B )
|
||||
@ -1385,7 +1404,18 @@ int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
|
||||
if( B->p[n - 1] != 0 )
|
||||
break;
|
||||
|
||||
mpi_sub_hlp( n, B->p, X->p );
|
||||
carry = mpi_sub_hlp( n, X->p, B->p );
|
||||
if( carry != 0 )
|
||||
{
|
||||
/* Propagate the carry to the first nonzero limb of X. */
|
||||
for( ; n < X->n && X->p[n] == 0; n++ )
|
||||
--X->p[n];
|
||||
/* If we ran out of space for the carry, it means that the result
|
||||
* is negative. */
|
||||
if( n == X->n )
|
||||
return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
|
||||
--X->p[n];
|
||||
}
|
||||
|
||||
cleanup:
|
||||
|
||||
@ -1975,18 +2005,34 @@ static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
|
||||
*mm = ~x + 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
|
||||
/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
|
||||
*
|
||||
* \param[in,out] A One of the numbers to multiply.
|
||||
* It must have at least as many limbs as N
|
||||
* (A->n >= N->n), and any limbs beyond n are ignored.
|
||||
* On successful completion, A contains the result of
|
||||
* the multiplication A * B * R^-1 mod N where
|
||||
* R = (2^ciL)^n.
|
||||
* \param[in] B One of the numbers to multiply.
|
||||
* It must be nonzero and must not have more limbs than N
|
||||
* (B->n <= N->n).
|
||||
* \param[in] N The modulo. N must be odd.
|
||||
* \param mm The value calculated by `mpi_montg_init(&mm, N)`.
|
||||
* This is -N^-1 mod 2^ciL.
|
||||
* \param[in,out] T A bignum for temporary storage.
|
||||
* It must be at least twice the limb size of N plus 2
|
||||
* (T->n >= 2 * (N->n + 1)).
|
||||
* Its initial content is unused and
|
||||
* its final content is indeterminate.
|
||||
* Note that unlike the usual convention in the library
|
||||
* for `const mbedtls_mpi*`, the content of T can change.
|
||||
*/
|
||||
static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
|
||||
static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
|
||||
const mbedtls_mpi *T )
|
||||
{
|
||||
size_t i, n, m;
|
||||
mbedtls_mpi_uint u0, u1, *d;
|
||||
|
||||
if( T->n < N->n + 1 || T->p == NULL )
|
||||
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||
|
||||
memset( T->p, 0, T->n * ciL );
|
||||
|
||||
d = T->p;
|
||||
@ -2007,21 +2053,33 @@ static int mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi
|
||||
*d++ = u0; d[n + 1] = 0;
|
||||
}
|
||||
|
||||
memcpy( A->p, d, ( n + 1 ) * ciL );
|
||||
/* At this point, d is either the desired result or the desired result
|
||||
* plus N. We now potentially subtract N, avoiding leaking whether the
|
||||
* subtraction is performed through side channels. */
|
||||
|
||||
if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
|
||||
mpi_sub_hlp( n, N->p, A->p );
|
||||
else
|
||||
/* prevent timing attacks */
|
||||
mpi_sub_hlp( n, A->p, T->p );
|
||||
|
||||
return( 0 );
|
||||
/* Copy the n least significant limbs of d to A, so that
|
||||
* A = d if d < N (recall that N has n limbs). */
|
||||
memcpy( A->p, d, n * ciL );
|
||||
/* If d >= N then we want to set A to d - N. To prevent timing attacks,
|
||||
* do the calculation without using conditional tests. */
|
||||
/* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
|
||||
d[n] += 1;
|
||||
d[n] -= mpi_sub_hlp( n, d, N->p );
|
||||
/* If d0 < N then d < (2^biL)^n
|
||||
* so d[n] == 0 and we want to keep A as it is.
|
||||
* If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
|
||||
* so d[n] == 1 and we want to set A to the result of the subtraction
|
||||
* which is d - (2^biL)^n, i.e. the n least significant limbs of d.
|
||||
* This exactly corresponds to a conditional assignment. */
|
||||
mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
|
||||
}
|
||||
|
||||
/*
|
||||
* Montgomery reduction: A = A * R^-1 mod N
|
||||
*
|
||||
* See mpi_montmul() regarding constraints and guarantees on the parameters.
|
||||
*/
|
||||
static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
|
||||
static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
|
||||
mbedtls_mpi_uint mm, const mbedtls_mpi *T )
|
||||
{
|
||||
mbedtls_mpi_uint z = 1;
|
||||
@ -2030,7 +2088,7 @@ static int mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
|
||||
U.n = U.s = (int) z;
|
||||
U.p = &z;
|
||||
|
||||
return( mpi_montmul( A, &U, N, mm, T ) );
|
||||
mpi_montmul( A, &U, N, mm, T );
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2116,13 +2174,13 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
else
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
|
||||
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( &W[1], &RR, N, mm, &T ) );
|
||||
mpi_montmul( &W[1], &RR, N, mm, &T );
|
||||
|
||||
/*
|
||||
* X = R^2 * R^-1 mod N = R mod N
|
||||
*/
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
|
||||
MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
|
||||
mpi_montred( X, N, mm, &T );
|
||||
|
||||
if( wsize > 1 )
|
||||
{
|
||||
@ -2135,7 +2193,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
|
||||
|
||||
for( i = 0; i < wsize - 1; i++ )
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( &W[j], &W[j], N, mm, &T ) );
|
||||
mpi_montmul( &W[j], &W[j], N, mm, &T );
|
||||
|
||||
/*
|
||||
* W[i] = W[i - 1] * W[1]
|
||||
@ -2145,7 +2203,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
|
||||
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( &W[i], &W[1], N, mm, &T ) );
|
||||
mpi_montmul( &W[i], &W[1], N, mm, &T );
|
||||
}
|
||||
}
|
||||
|
||||
@ -2182,7 +2240,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
/*
|
||||
* out of window, square X
|
||||
*/
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
|
||||
mpi_montmul( X, X, N, mm, &T );
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -2200,12 +2258,12 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
* X = X^wsize R^-1 mod N
|
||||
*/
|
||||
for( i = 0; i < wsize; i++ )
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
|
||||
mpi_montmul( X, X, N, mm, &T );
|
||||
|
||||
/*
|
||||
* X = X * W[wbits] R^-1 mod N
|
||||
*/
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( X, &W[wbits], N, mm, &T ) );
|
||||
mpi_montmul( X, &W[wbits], N, mm, &T );
|
||||
|
||||
state--;
|
||||
nbits = 0;
|
||||
@ -2218,18 +2276,18 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
*/
|
||||
for( i = 0; i < nbits; i++ )
|
||||
{
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( X, X, N, mm, &T ) );
|
||||
mpi_montmul( X, X, N, mm, &T );
|
||||
|
||||
wbits <<= 1;
|
||||
|
||||
if( ( wbits & ( one << wsize ) ) != 0 )
|
||||
MBEDTLS_MPI_CHK( mpi_montmul( X, &W[1], N, mm, &T ) );
|
||||
mpi_montmul( X, &W[1], N, mm, &T );
|
||||
}
|
||||
|
||||
/*
|
||||
* X = A^E * R * R^-1 mod N = A^E mod N
|
||||
*/
|
||||
MBEDTLS_MPI_CHK( mpi_montred( X, N, mm, &T ) );
|
||||
mpi_montred( X, N, mm, &T );
|
||||
|
||||
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
|
||||
{
|
||||
|
@ -25,11 +25,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_BLOWFISH_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CAMELLIA_C)
|
||||
|
||||
|
@ -28,11 +28,7 @@
|
||||
* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CCM_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#include "mbedtls/certs.h"
|
||||
|
||||
|
@ -23,11 +23,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CHACHA20_C)
|
||||
|
||||
|
@ -20,11 +20,7 @@
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CHACHAPOLY_C)
|
||||
|
||||
|
@ -23,11 +23,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_C)
|
||||
|
||||
|
@ -23,11 +23,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_C)
|
||||
|
||||
|
@ -40,11 +40,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CMAC_C)
|
||||
|
||||
|
55
library/common.h
Normal file
55
library/common.h
Normal file
@ -0,0 +1,55 @@
|
||||
/**
|
||||
* \file common.h
|
||||
*
|
||||
* \brief Utility macros for internal use in the library
|
||||
*/
|
||||
/*
|
||||
* Copyright (C) 2019, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_LIBRARY_COMMON_H
|
||||
#define MBEDTLS_LIBRARY_COMMON_H
|
||||
|
||||
#if defined(MBEDTLS_CONFIG_FILE)
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#else
|
||||
#include "mbedtls/config.h"
|
||||
#endif
|
||||
|
||||
/** Helper to define a function as static except when building invasive tests.
|
||||
*
|
||||
* If a function is only used inside its own source file and should be
|
||||
* declared `static` to allow the compiler to optimize for code size,
|
||||
* but that function has unit tests, define it with
|
||||
* ```
|
||||
* MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
|
||||
* ```
|
||||
* and declare it in a header in the `library/` directory with
|
||||
* ```
|
||||
* #if defined(MBEDTLS_TEST_HOOKS)
|
||||
* int mbedtls_foo(...);
|
||||
* #endif
|
||||
* ```
|
||||
*/
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
#define MBEDTLS_STATIC_TESTABLE
|
||||
#else
|
||||
#define MBEDTLS_STATIC_TESTABLE static
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_LIBRARY_COMMON_H */
|
@ -24,11 +24,7 @@
|
||||
* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_DES_C)
|
||||
|
||||
|
@ -27,11 +27,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_DHM_C)
|
||||
|
||||
|
@ -26,11 +26,7 @@
|
||||
* RFC 4492
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* SEC1 http://www.secg.org/index.php?action=secg,docs_secg
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
|
||||
|
@ -24,11 +24,7 @@
|
||||
* available to members of the Thread Group http://threadgroup.org/
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECJPAKE_C)
|
||||
|
||||
|
250
library/ecp.c
250
library/ecp.c
@ -41,11 +41,7 @@
|
||||
* <http://eprint.iacr.org/2004/342.pdf>
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
/**
|
||||
* \brief Function level alternative implementation.
|
||||
@ -105,6 +101,16 @@
|
||||
|
||||
#include "mbedtls/ecp_internal.h"
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
#if defined(MBEDTLS_HMAC_DRBG_C)
|
||||
#include "mbedtls/hmac_drbg.h"
|
||||
#elif defined(MBEDTLS_CTR_DRBG_C)
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#else
|
||||
#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
|
||||
#endif
|
||||
#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
|
||||
|
||||
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||
!defined(inline) && !defined(__cplusplus)
|
||||
#define inline __inline
|
||||
@ -118,6 +124,144 @@
|
||||
static unsigned long add_count, dbl_count, mul_count;
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
/*
|
||||
* Currently ecp_mul() takes a RNG function as an argument, used for
|
||||
* side-channel protection, but it can be NULL. The initial reasoning was
|
||||
* that people will pass non-NULL RNG when they care about side-channels, but
|
||||
* unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
|
||||
* no opportunity for the user to do anything about it.
|
||||
*
|
||||
* The obvious strategies for addressing that include:
|
||||
* - change those APIs so that they take RNG arguments;
|
||||
* - require a global RNG to be available to all crypto modules.
|
||||
*
|
||||
* Unfortunately those would break compatibility. So what we do instead is
|
||||
* have our own internal DRBG instance, seeded from the secret scalar.
|
||||
*
|
||||
* The following is a light-weight abstraction layer for doing that with
|
||||
* HMAC_DRBG (first choice) or CTR_DRBG.
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_HMAC_DRBG_C)
|
||||
|
||||
/* DRBG context type */
|
||||
typedef mbedtls_hmac_drbg_context ecp_drbg_context;
|
||||
|
||||
/* DRBG context init */
|
||||
static inline void ecp_drbg_init( ecp_drbg_context *ctx )
|
||||
{
|
||||
mbedtls_hmac_drbg_init( ctx );
|
||||
}
|
||||
|
||||
/* DRBG context free */
|
||||
static inline void ecp_drbg_free( ecp_drbg_context *ctx )
|
||||
{
|
||||
mbedtls_hmac_drbg_free( ctx );
|
||||
}
|
||||
|
||||
/* DRBG function */
|
||||
static inline int ecp_drbg_random( void *p_rng,
|
||||
unsigned char *output, size_t output_len )
|
||||
{
|
||||
return( mbedtls_hmac_drbg_random( p_rng, output, output_len ) );
|
||||
}
|
||||
|
||||
/* DRBG context seeding */
|
||||
static int ecp_drbg_seed( ecp_drbg_context *ctx,
|
||||
const mbedtls_mpi *secret, size_t secret_len )
|
||||
{
|
||||
int ret;
|
||||
unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
|
||||
/* The list starts with strong hashes */
|
||||
const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
|
||||
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
|
||||
|
||||
if( secret_len > MBEDTLS_ECP_MAX_BYTES )
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
|
||||
secret_bytes, secret_len ) );
|
||||
|
||||
ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
|
||||
|
||||
cleanup:
|
||||
mbedtls_platform_zeroize( secret_bytes, secret_len );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#elif defined(MBEDTLS_CTR_DRBG_C)
|
||||
|
||||
/* DRBG context type */
|
||||
typedef mbedtls_ctr_drbg_context ecp_drbg_context;
|
||||
|
||||
/* DRBG context init */
|
||||
static inline void ecp_drbg_init( ecp_drbg_context *ctx )
|
||||
{
|
||||
mbedtls_ctr_drbg_init( ctx );
|
||||
}
|
||||
|
||||
/* DRBG context free */
|
||||
static inline void ecp_drbg_free( ecp_drbg_context *ctx )
|
||||
{
|
||||
mbedtls_ctr_drbg_free( ctx );
|
||||
}
|
||||
|
||||
/* DRBG function */
|
||||
static inline int ecp_drbg_random( void *p_rng,
|
||||
unsigned char *output, size_t output_len )
|
||||
{
|
||||
return( mbedtls_ctr_drbg_random( p_rng, output, output_len ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
|
||||
* we need to pass an entropy function when seeding. So we use a dummy
|
||||
* function for that, and pass the actual entropy as customisation string.
|
||||
* (During seeding of CTR_DRBG the entropy input and customisation string are
|
||||
* concatenated before being used to update the secret state.)
|
||||
*/
|
||||
static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len)
|
||||
{
|
||||
(void) ctx;
|
||||
memset( out, 0, len );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/* DRBG context seeding */
|
||||
static int ecp_drbg_seed( ecp_drbg_context *ctx,
|
||||
const mbedtls_mpi *secret, size_t secret_len )
|
||||
{
|
||||
int ret;
|
||||
unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
|
||||
|
||||
if( secret_len > MBEDTLS_ECP_MAX_BYTES )
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
|
||||
secret_bytes, secret_len ) );
|
||||
|
||||
ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
|
||||
secret_bytes, secret_len );
|
||||
|
||||
cleanup:
|
||||
mbedtls_platform_zeroize( secret_bytes, secret_len );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#else
|
||||
#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
|
||||
#endif /* DRBG modules */
|
||||
#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
|
||||
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/*
|
||||
* Maximum number of "basic operations" to be done in a row.
|
||||
@ -165,6 +309,10 @@ struct mbedtls_ecp_restart_mul
|
||||
ecp_rsm_comb_core, /* ecp_mul_comb_core() */
|
||||
ecp_rsm_final_norm, /* do the final normalization */
|
||||
} state;
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_context drbg_ctx;
|
||||
unsigned char drbg_seeded;
|
||||
#endif
|
||||
};
|
||||
|
||||
/*
|
||||
@ -177,6 +325,10 @@ static void ecp_restart_rsm_init( mbedtls_ecp_restart_mul_ctx *ctx )
|
||||
ctx->T = NULL;
|
||||
ctx->T_size = 0;
|
||||
ctx->state = ecp_rsm_init;
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_init( &ctx->drbg_ctx );
|
||||
ctx->drbg_seeded = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
@ -198,6 +350,10 @@ static void ecp_restart_rsm_free( mbedtls_ecp_restart_mul_ctx *ctx )
|
||||
mbedtls_free( ctx->T );
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_free( &ctx->drbg_ctx );
|
||||
#endif
|
||||
|
||||
ecp_restart_rsm_init( ctx );
|
||||
}
|
||||
|
||||
@ -1544,7 +1700,10 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
|
||||
|
||||
if( count++ > 10 )
|
||||
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
|
||||
|
||||
@ -1894,7 +2053,9 @@ static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R
|
||||
i = d;
|
||||
MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
|
||||
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng != 0 )
|
||||
#endif
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
|
||||
}
|
||||
|
||||
@ -2015,6 +2176,7 @@ static int ecp_mul_comb_after_precomp( const mbedtls_ecp_group *grp,
|
||||
rs_ctx->rsm->state = ecp_rsm_final_norm;
|
||||
|
||||
final_norm:
|
||||
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
||||
#endif
|
||||
/*
|
||||
* Knowledge of the jacobian coordinates may leak the last few bits of the
|
||||
@ -2027,10 +2189,11 @@ final_norm:
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng != 0 )
|
||||
#endif
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
|
||||
|
||||
MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
|
||||
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
@ -2101,11 +2264,44 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char w, p_eq_g, i;
|
||||
size_t d;
|
||||
unsigned char T_size, T_ok;
|
||||
mbedtls_ecp_point *T;
|
||||
unsigned char T_size = 0, T_ok = 0;
|
||||
mbedtls_ecp_point *T = NULL;
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_context drbg_ctx;
|
||||
|
||||
ecp_drbg_init( &drbg_ctx );
|
||||
#endif
|
||||
|
||||
ECP_RS_ENTER( rsm );
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng == NULL )
|
||||
{
|
||||
/* Adjust pointers */
|
||||
f_rng = &ecp_drbg_random;
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx != NULL && rs_ctx->rsm != NULL )
|
||||
p_rng = &rs_ctx->rsm->drbg_ctx;
|
||||
else
|
||||
#endif
|
||||
p_rng = &drbg_ctx;
|
||||
|
||||
/* Initialize internal DRBG if necessary */
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx == NULL || rs_ctx->rsm == NULL ||
|
||||
rs_ctx->rsm->drbg_seeded == 0 )
|
||||
#endif
|
||||
{
|
||||
const size_t m_len = ( grp->nbits + 7 ) / 8;
|
||||
MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m, m_len ) );
|
||||
}
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx != NULL && rs_ctx->rsm != NULL )
|
||||
rs_ctx->rsm->drbg_seeded = 1;
|
||||
#endif
|
||||
}
|
||||
#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
|
||||
|
||||
/* Is P the base point ? */
|
||||
#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
|
||||
p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
|
||||
@ -2177,6 +2373,10 @@ static int ecp_mul_comb( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
|
||||
cleanup:
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_free( &drbg_ctx );
|
||||
#endif
|
||||
|
||||
/* does T belong to the group? */
|
||||
if( T == grp->T )
|
||||
T = NULL;
|
||||
@ -2278,7 +2478,10 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
|
||||
|
||||
if( count++ > 10 )
|
||||
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
|
||||
|
||||
@ -2364,9 +2567,23 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
unsigned char b;
|
||||
mbedtls_ecp_point RP;
|
||||
mbedtls_mpi PX;
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_context drbg_ctx;
|
||||
|
||||
ecp_drbg_init( &drbg_ctx );
|
||||
#endif
|
||||
mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
|
||||
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng == NULL )
|
||||
{
|
||||
const size_t m_len = ( grp->nbits + 7 ) / 8;
|
||||
MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
|
||||
f_rng = &ecp_drbg_random;
|
||||
p_rng = &drbg_ctx;
|
||||
}
|
||||
#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
|
||||
|
||||
/* Save PX and read from P before writing to R, in case P == R */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
|
||||
@ -2380,7 +2597,9 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
MOD_ADD( RP.X );
|
||||
|
||||
/* Randomize coordinates of the starting point */
|
||||
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng != NULL )
|
||||
#endif
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
|
||||
|
||||
/* Loop invariant: R = result so far, RP = R + P */
|
||||
@ -2413,12 +2632,18 @@ static int ecp_mul_mxz( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
|
||||
*
|
||||
* Avoid the leak by randomizing coordinates before we normalize them.
|
||||
*/
|
||||
#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
if( f_rng != NULL )
|
||||
#endif
|
||||
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
|
||||
|
||||
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
|
||||
|
||||
cleanup:
|
||||
#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
|
||||
ecp_drbg_free( &drbg_ctx );
|
||||
#endif
|
||||
|
||||
mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
|
||||
|
||||
return( ret );
|
||||
@ -2856,7 +3081,10 @@ int mbedtls_ecp_gen_privkey( const mbedtls_ecp_group *grp,
|
||||
* such as secp224k1 are actually very close to the worst case.
|
||||
*/
|
||||
if( ++count > 30 )
|
||||
return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
|
||||
{
|
||||
ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
|
||||
if( ret != 0 )
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ENTROPY_C)
|
||||
|
||||
|
@ -24,11 +24,7 @@
|
||||
#define _GNU_SOURCE
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
@ -115,6 +111,41 @@ static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
|
||||
#endif /* SYS_getrandom */
|
||||
#endif /* __linux__ || __midipix__ */
|
||||
|
||||
/*
|
||||
* Some BSD systems provide KERN_ARND.
|
||||
* This is equivalent to reading from /dev/urandom, only it doesn't require an
|
||||
* open file descriptor, and provides up to 256 bytes per call (basically the
|
||||
* same as getentropy(), but with a longer history).
|
||||
*
|
||||
* Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
|
||||
*/
|
||||
#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
|
||||
#include <sys/param.h>
|
||||
#include <sys/sysctl.h>
|
||||
#if defined(KERN_ARND)
|
||||
#define HAVE_SYSCTL_ARND
|
||||
|
||||
static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
|
||||
{
|
||||
int name[2];
|
||||
size_t len;
|
||||
|
||||
name[0] = CTL_KERN;
|
||||
name[1] = KERN_ARND;
|
||||
|
||||
while( buflen > 0 )
|
||||
{
|
||||
len = buflen > 256 ? 256 : buflen;
|
||||
if( sysctl(name, 2, buf, &len, NULL, 0) == -1 )
|
||||
return( -1 );
|
||||
buflen -= len;
|
||||
buf += len;
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* KERN_ARND */
|
||||
#endif /* __FreeBSD__ || __NetBSD__ */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
int mbedtls_platform_entropy_poll( void *data,
|
||||
@ -139,6 +170,15 @@ int mbedtls_platform_entropy_poll( void *data,
|
||||
((void) ret);
|
||||
#endif /* HAVE_GETRANDOM */
|
||||
|
||||
#if defined(HAVE_SYSCTL_ARND)
|
||||
((void) file);
|
||||
((void) read_len);
|
||||
if( sysctl_arnd_wrapper( output, len ) == -1 )
|
||||
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
|
||||
*olen = len;
|
||||
return( 0 );
|
||||
#else
|
||||
|
||||
*olen = 0;
|
||||
|
||||
file = fopen( "/dev/urandom", "rb" );
|
||||
@ -156,6 +196,7 @@ int mbedtls_platform_entropy_poll( void *data,
|
||||
*olen = len;
|
||||
|
||||
return( 0 );
|
||||
#endif /* HAVE_SYSCTL_ARND */
|
||||
}
|
||||
#endif /* _WIN32 && !EFIX64 && !EFI32 */
|
||||
#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
|
||||
#include <string.h>
|
||||
@ -526,6 +522,8 @@ const char * mbedtls_high_level_strerr( int error_code )
|
||||
return( "SSL - An operation failed due to an unexpected version or configuration" );
|
||||
case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
|
||||
return( "SSL - A cryptographic operation is in progress. Try again later" );
|
||||
case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
|
||||
return( "SSL - Invalid value in SSL config" );
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
||||
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||
|
@ -29,11 +29,7 @@
|
||||
* [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
|
||||
|
@ -26,11 +26,7 @@
|
||||
* Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_HAVEGE_C)
|
||||
|
||||
|
@ -18,11 +18,7 @@
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_HKDF_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* References below are based on rev. 1 (January 2012).
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_HMAC_DRBG_C)
|
||||
|
||||
|
@ -23,11 +23,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MD_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* http://www.ietf.org/rfc/rfc1319.txt
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MD2_C)
|
||||
|
||||
|
@ -25,11 +25,7 @@
|
||||
* http://www.ietf.org/rfc/rfc1320.txt
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MD4_C)
|
||||
|
||||
|
@ -24,11 +24,7 @@
|
||||
* http://www.ietf.org/rfc/rfc1321.txt
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
|
||||
|
@ -19,11 +19,7 @@
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
|
||||
#include "mbedtls/memory_buffer_alloc.h"
|
||||
|
@ -23,12 +23,9 @@
|
||||
* be set before config.h, which pulls in glibc's features.h indirectly.
|
||||
* Harmless on other platforms. */
|
||||
#define _POSIX_C_SOURCE 200112L
|
||||
#define _XOPEN_SOURCE 600 /* sockaddr_storage */
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_NET_C)
|
||||
|
||||
@ -322,7 +319,8 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
|
||||
struct sockaddr_storage client_addr;
|
||||
|
||||
#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
|
||||
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
|
||||
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
|
||||
defined(socklen_t)
|
||||
socklen_t n = (socklen_t) sizeof( client_addr );
|
||||
socklen_t type_len = (socklen_t) sizeof( type );
|
||||
#else
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user