Commit Graph

3300 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
1465602ee1 poly1305: fix bug in starts() and add test for it 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
55c0d096b7 chacha20: fix bug in starts() and add test for it
Previously the streaming API would fail when encrypting multiple messages with
the same key.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
b8bd80aa02 Add FEATURE_NOT_AVAILABLE error codes. 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
5ef92d309a chachapoly: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the GCM API that
very comparable to it, so switch to (pointer, len) for consistency.

Note that the crypt_and_tag() and auth_decrypt() functions were already using
the same convention as GCM, so this also increases intra-module consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
b1ac5e7842 poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
fe725defae cipher: use new functions from chachapoly 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
346b8d5050 chachapoly: split crypt_and_mac() to match GCM API
In addition to making the APIs of the various AEAD modules more consistent
with each other, it's useful to have an auth_decrypt() function so that we can
safely check the tag ourselves, as the user might otherwise do it in an
insecure way (or even forget to do it altogether).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
56206c4db1 Remove semi-internal chacha20_keystrem_block()
It's actually easy to implement chachapoly without it, so let's not clutter
the API (and avoid adding a burden to alt implementers).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
502f189253 ChaCha20: allow in-place en/decryption
All other ciphers so far allow this. In particular, the TLS layer depends on
this, despite what's documented in the Cipher layer, see
https://github.com/ARMmbed/mbedtls/issues/1085
https://github.com/ARMmbed/mbedtls/issues/1087

Also, this can be useful for implementing chachapoly without depending on the
semi-internal function keystream_block(), see next commit.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
4edd51babe Rename poly1305_setkey() to poly1305_starts()
For consistency with the existing CMAC and HMAC APIs
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
b7e99006f9 Avoid using %zu in selftest functions
This is a C99 feature and unfortunately we can't rely on it yet considering
the set of toolchain (versions) we want to support.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard
95d0bdbd84 Adapt the _ALT style to our new standard
- in .h files: only put the context declaration inside the #ifdef _ALT
  (this was changed in 2.9.0, ie after the original PR)
- in .c file: only leave selftest out of _ALT: even though some function are
  trivial to build from other parts, alt implementors might want to go another
way about them (for efficiency or other reasons)
2018-05-24 13:37:31 +02:00
Daniel King
e6e7968c3a Minor style and formatting fixes.
This change corrects some minor style violations, mostly for spacing
around parentheses.
2018-05-24 13:37:31 +02:00
Daniel King
b6897f67a4 Correct signedness of printf specifier in self tests 2018-05-24 13:37:31 +02:00
Daniel King
16b04ce641 Fix unused function warning under certain configurations.
I refactored some code into the function mbedtls_constant_time_memcmp
in commit 7aad291 but this function is only used by GCM and
AEAD_ChaCha20_Poly1305 to check the tags. So this function is now
only enabled if either of these two ciphers is enabled.
2018-05-24 13:37:31 +02:00
Daniel King
dedf4a3e7b Adjust verbose self-test output to match other ciphers. 2018-05-24 13:37:31 +02:00
Daniel King
8fe4701abe Add ChaCha20+Poly1305 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King
a310c5e42b Allow some parameters to be NULL if the length is 0.
This change permits users of the ChaCha20/Poly1305 algorithms
(and the AEAD construction thereof) to pass NULL pointers for
data that they do not need, and avoids the need to provide a valid
buffer for data that is not used.
2018-05-24 13:37:31 +02:00
Daniel King
b8025c5826 Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
2018-05-24 13:37:31 +02:00
Daniel King
adc32c0b50 Add Poly1305 authenticator algorithm (RFC 7539)
Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.
2018-05-24 13:37:31 +02:00
Daniel King
bd92062269 Add ChaCha20 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King
34b822ce7b Initial implementation of ChaCha20 2018-05-24 13:37:31 +02:00
Darryl Green
11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Jaeden Amero
a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Jaeden Amero
7d7bad6b1f Update version to 2.9.0
Bump SOVERSION for parity with 2.7.2 and 2.7.3.
2018-04-30 09:58:33 +01:00
Jaeden Amero
c64a300027 Merge remote-tracking branch 'upstream-restricted/pr/471' into development-restricted-proposed
Remove trailing whitespace in ChangeLog.
2018-04-26 09:06:33 +01:00
Jaeden Amero
bd05dfd49f Merge branch 'development-proposed' into development-restricted-proposed
Resolve conflicts in ChangeLog
2018-04-26 09:03:03 +01:00
Jaeden Amero
84a1107818 Merge remote-tracking branch 'upstream-public/pr/1592' into development-proposed 2018-04-25 14:22:12 +01:00
Andrzej Kurek
03bac448db Change accepted ciphersuite versions when parsing server hello
Accept only ciphersuites for version chosen by the server
2018-04-25 05:06:07 -04:00
Jaeden Amero
8945343a51 Merge branch 'development-proposed' into development-restricted-proposed
Resolve merge conflict in ecp.h, where `mbedtls_ecp_keypair` was moved.
2018-04-24 17:16:34 +01:00
Andres Amaya Garcia
8491406803 Remove preprocessor directives around platform_util.h include 2018-04-24 08:40:46 -05:00
Andres Amaya Garcia
6698d2fc5c Fix style for mbedtls_mpi_zeroize() 2018-04-24 08:39:07 -05:00
Andres Amaya Garcia
bc7bdbf5c8 Organize CMakeLists targets in alphabetical order 2018-04-24 08:29:20 -05:00
Andres Amaya Garcia
21b376b56c Organize output objs in alfabetical order in Makefile 2018-04-24 08:28:26 -05:00
Jaeden Amero
1afdec1812 Merge remote-tracking branch 'upstream-public/pr/1578' into development-proposed 2018-04-24 14:19:41 +01:00
Jaeden Amero
3dd8abd037 Regenerate errors after ecp.h updates
The error descriptions were updated in ecp.h (PR #1578), so also update
the strings in error.c.
2018-04-24 14:13:15 +01:00
Andrzej Kurek
a9ceef8e03 Change variable bytes_written to header_bytes in record decompression
The name is changed to better reflect the input, decompression case
2018-04-24 06:34:17 -04:00
Mohammad Azim Khan
1d3b508b82 Same ciphersuite validation in server and client hello 2018-04-20 18:54:18 +01:00
Andrzej Kurek
5462e02874 ssl_tls: Fix invalid buffer sizes during compression / decompression
Adjust information passed to zlib to include already written data.
2018-04-20 07:58:53 -04:00
Gilles Peskine
f2b76cd45c Merge remote-tracking branch 'upstream-restricted/pr/461' into development-restricted-proposed 2018-04-19 17:41:39 +02:00
Manuel Pégourié-Gonnard
64f5adf9f9 Merge remote-tracking branch 'public/pr/1380' into development-proposed
* public/pr/1380:
  Update ChangeLog for #1380
  Generate RSA keys according to FIPS 186-4
  Generate primes according to FIPS 186-4
  Avoid small private exponents during RSA key generation
2018-04-18 16:13:52 +02:00
Andres Amaya Garcia
3ea559ea6c Fix alignment in makefile 2018-04-17 10:17:22 -05:00
Andres Amaya Garcia
1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia
904e1efb8c Make utils module part of the platform 2018-04-17 10:00:11 -05:00
Andres Amaya Garcia
757cd72edf Update license headers year and branding 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
1e8ea5fa68 Improve docs for mbedtls_zeroize() and add refs 2018-04-17 09:21:49 -05:00
Andres Amaya Garcia
0bd4237c2a Fix formatting in utils.c file comment 2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
ecd1891c51 Change mbedtls_zeroize() to prevent optimizations
Change mbedtls_zeroize() implementation to use memset() instead of a
custom implementation for performance reasons. Furthermore, we would
also like to prevent as much as we can compiler optimisations that
remove zeroization code.

The implementation of mbedtls_zeroize() now uses a volatile function
pointer to memset() as suggested by Colin Percival at:

http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
2018-04-17 09:19:05 -05:00
Andres Amaya Garcia
b1262a3bdb Allow compile-time alternate to mbedtls_zeroize()
Add a new macro MBEDTLS_UTILS_ZEROIZE that allows users to configure
mbedtls_zeroize() to an alternative definition when defined. If the
macro is not defined, then mbed TLS will use the default definition of
the function.
2018-04-17 09:19:05 -05:00