New functions to write a representation of an elliptic curve group and
point according to X9.62 and RFC5480: ECParameters as OID and ECPoint
as octet string.
Change the documentation of mbedtls_pk_rsa and mbedtls_pk_ec to
require that mbedtls_pk_get_type returns a corresponding transparent
key time.
Change the implementation of mbedtls_pk_rsa and mbedtls_pk_ec to
return NULL if called with an argument that is not suitable, rather
than returning an invalid pointer.
Add a new key pair object type: MBEDTLS_PK_OPAQUE, intended for
implementations of asymmetric cryptography operations that call an
external cryptographic module.
External cryptographic module engines must implement the API described
by a mbedtls_pk_info_t structure and, usually, a custom setup function.
Document the fields of the mbedtls_pk_info_t structure and the
requirements on a PK engine. Also document non-obvious aspects of the
behavior of the pk interface functions on opaque keys.
Change the interface of check_pair_func to take a pointer to a full
mbedtls_pk_context as its pub argument, and not just the data part of
the context. This is necessary because when prv is opaque, pub may
legitimately be of a different type (typically prv would be opaque and
pub would be transparent).
This is in preparation to adding support for opaque keys in the pk layer. The
header files are for use as follows:
* pk.h for users of the pk interface.
* pk_info.h for implementers of opaque key engines.
* pk_internal.h only inside libmbedcrypto to implement built-in pk types.
Expose a function mbedtls_pk_signature_size to calculate the maximum
size of a signature made with a given key. Document that this is the
buffer size that mbedtls_pk_sign requires.
Add a corresponding field signature_size_func to the mbedtls_pk_info
structure.
Expose ecdsa_signature_to_asn1 in the API. It's useful when converting
between RFC 4492 format and other representations that might be used
in external crypto processors.
Expose a macro MBEDTLS_ECDSA_MAX_SIG_LEN and a function
mbedtls_ecdsa_max_sig_len to calculate the size of an ECDSA signature
based on the curve size.
Document that this is the buffer size that
mbedtls_ecdsa_write_signature requires.
In the mbedtls_pk_info_t method can_do, pass the context data. This
will be needed for opaque keys, where the info structure depends on
the method to access the opaque key and not on the key type.
When checking whether a server key matches the handshake parameters,
rely only on the offered certificate and not on the metadata of the
private key. Specifically, with an EC key, check the curve in the
certificate rather than in the associated private key.
This was the only place in the SSL module where mbedtls_pk_ec or
mbedtls_pk_rsa was called to access a private signature or decryption
key (as opposed to a public key or a key used for DH/ECDH).
Generate proper #line directives in all BEGIN_xxx blocks. Before,
there were #line directives for BEGIN_SUITE_HELPERS and BEGIN_CASE but
not BEGIN_HEADER, so debug information for code in the header block
pointed inside helpers.function instead of the test's source file.
This commit adds some explicit downcasts from `size_t` to `uint8_t` in
the RSASSA signature encoding function `rsa_rsassa_pkcs1_v15_encode`.
The truncation is safe as it has been checked beforehand that the
respective values are in the range of a `uint8_t`.
1) `mbedtls_rsa_import_raw` used an uninitialized return
value when it was called without any input parameters.
While not sensible, this is allowed and should be a
succeeding no-op.
2) The MPI test for prime generation missed a return value
check for a call to `mbedtls_mpi_shift_r`. This is neither
critical nor new but should be fixed.
3) Both the RSA keygeneration example program and the
RSA test suites contained code initializing an RSA context
after a potentially failing call to CTR DRBG initialization,
leaving the corresponding RSA context free call in the
cleanup section of the respective function orphaned.
While this defect existed before, Coverity picked up on
it again because of newly introduced MPI's that were
also wrongly initialized only after the call to CTR DRBG
init. The commit fixes both the old and the new issue
by moving the initializtion of both the RSA context and
all MPI's prior to the first potentially failing call.
The function `mbedtls_rsa_complete` is supposed to guarantee that
RSA operations will complete without failure. In contrast, it does
not ensure consistency of parameters, which is the task of the
checking functions `rsa_check_pubkey` and `rsa_check_privkey`.
Previously, the maximum allowed size of the RSA modulus was checked
in `mbedtls_rsa_check_pubkey`. However, exceeding this size would lead
to failure of some RSA operations, hence this check belongs to
`mbedtls_rsa_complete` rather than `mbedtls_rsa_check_pubkey`.
This commit moves it accordingly.
The function `pk_get_rsapubkey` originally performed some basic
sanity checks (e.g. on the size of public exponent) on the parsed
RSA public key by a call to `mbedtls_rsa_check_pubkey`.
This check was dropped because it is not possible to thoroughly
check full parameter sanity (i.e. that (-)^E is a bijection on Z/NZ).
Still, for the sake of not silently changing existing behavior,
this commit puts back the call to `mbedtls_rsa_check_pubkey`.
- Adapt the change in all.sh to the new keep-going mode
- Restore alphabetical order of configuration flags for
alternative implementations in config.h and rebuild
library/version_features.c
Compilation and test for the `MBEDTLS_RSA_NO_CRT` option were
previously guarded by a check for 64-bit systems, for which there
is no reason. This commit moves both outside of the guard.
`mbedtls_rsa_deduce_primes` implicitly casts the result of a call to
`mbedtls_mpi_lsb` to a `uint16_t`. This is safe because of the size
of MPI's used in the library, but still may have compilers complain
about it. This commit makes the cast explicit.
Edit the CMAC_ALT ChangeLog entry to mention CCM_ALT which was added
in a sister PR and is being merged together.
Use full name rather than Github id as attribution.
Move the entry under "Features" for better consistency with historical
practice.
Conflict resolution: additions in the same places as
upstream-public/pr/865, both adding into lexicographically sorted
lists, resolved by taking the additions in lexicographic order.
* public/pr/1207:
all.sh: add some documentation
all.sh: new option --no-armcc
all.sh: add --yotta to go with --no-yotta
all.sh: --keep-going mode
all.sh: cleaned up usage output
all.sh: indent
* public/pr/1136:
Timing self test: shorten redundant tests
Timing self test: increased duration
Timing self test: increased tolerance
Timing unit tests: more protection against infinite loops
Unit test for mbedtls_timing_hardclock
New timing unit tests
selftest: allow excluding a subset of the tests
selftest: allow running a subset of the tests
selftest: refactor to separate the list of tests from the logic
Timing self test: print some diagnosis information
mbedtls_timing_get_timer: don't use uninitialized memory
timing interface documentation: minor clarifications
Timing: fix mbedtls_set_alarm(0) on Unix/POSIX
* Correct order of sections in ChangeLog
* Restore unintentionally removed whitespace and
formatting improvements.
* Consistently rename MBEDTLS_ERR_RSA_EXPORT_UNSUPPORTED
to MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION in rsa.h
documentation.
During the work on the RSA change the issue was brought up,
and a fix was provided on development, that some RSA tests
use CTR DRBG and depend on the presence of a strong entropy
source to succeed. The RSA work introduced more tests using
CTR DRBG, and the dependency needs to be added for them, too.