Squashed commit upgrading to mbedtls-2.27.0
Squash merging branch import/mbedtls-2.27.0
335b95f50f90 ("core: libmbedtls: add ctr_drbg.c to core sources")
9ad9df8b36e4 ("core: libtomcrypt: libmbedtls: mbedtls_mpi_montred() now returns void")
ade0994c57b3 ("libmbedtls: add SM2 curve")
3041cf9726e2 ("libmbedtls: mbedtls_mpi_exp_mod(): optimize mempool usage")
a2e7a4cd262d ("libmbedtls: mbedtls_mpi_exp_mod(): reduce stack usage")
87efbd27f8e0 ("libmbedtls: mbedtls_mpi_exp_mod() initialize W")
e7c59b9b1d5f ("libmbedtls: fix no CRT issue")
d76bd278d9e2 ("libmbedtls: add interfaces in mbedtls for context memory operation")
e5b6c167f809 ("libmedtls: mpi_miller_rabin: increase count limit")
b81d896a903d ("libmbedtls: add mbedtls_mpi_init_mempool()")
3fbd8660c09d ("libmbedtls: make mbedtls_mpi_mont*() available")
2cc759c67e37 ("mbedtls: configure mbedtls to reach for config")
48bf81758c6e ("mbedtls: remove default include/mbedtls/config.h")
3602df84d7b3 ("Import mbedtls-2.27.0")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
diff --git a/lib/libmbedtls/mbedtls/BUGS.md b/lib/libmbedtls/mbedtls/BUGS.md
new file mode 100644
index 0000000..e8705ff
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/BUGS.md
@@ -0,0 +1,20 @@
+## Known issues
+
+Known issues in Mbed TLS are [tracked on GitHub](https://github.com/ARMmbed/mbedtls/issues).
+
+## Reporting a bug
+
+If you think you've found a bug in Mbed TLS, please follow these steps:
+
+1. Make sure you're using the latest version of a
+ [maintained branch](BRANCHES.md): `master`, `development`,
+ or a long-time support branch.
+2. Check [GitHub](https://github.com/ARMmbed/mbedtls/issues) to see if
+ your issue has already been reported. If not, …
+3. If the issue is a security risk (for example: buffer overflow,
+ data leak), please report it confidentially as described in
+ [`SECURITY.md`](SECURITY.md). If not, …
+4. Please [create an issue on on GitHub](https://github.com/ARMmbed/mbedtls/issues).
+
+Please do not use GitHub for support questions. If you want to know
+how to do something with Mbed TLS, please see [`SUPPORT.md`](SUPPORT.md) for available documentation and support channels.
diff --git a/lib/libmbedtls/mbedtls/CONTRIBUTING.md b/lib/libmbedtls/mbedtls/CONTRIBUTING.md
index c1ae452..b3a9547 100644
--- a/lib/libmbedtls/mbedtls/CONTRIBUTING.md
+++ b/lib/libmbedtls/mbedtls/CONTRIBUTING.md
@@ -14,7 +14,7 @@
Making a Contribution
---------------------
-1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://tls.mbed.org/discussions) around a feature idea or a bug.
+1. [Check for open issues](https://github.com/ARMmbed/mbedtls/issues) or [start a discussion](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls) around a feature idea or a bug.
1. Fork the [Mbed TLS repository on GitHub](https://github.com/ARMmbed/mbedtls) to start making your changes. As a general rule, you should use the ["development" branch](https://github.com/ARMmbed/mbedtls/tree/development) as a basis.
1. Write a test which shows that the bug was fixed or that the feature works as expected.
1. Send a pull request (PR) and work with us until it gets merged and published. Contributions may need some modifications, so a few rounds of review and fixing may be necessary. We will include your name in the ChangeLog :)
@@ -22,9 +22,10 @@
1. All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible.
1. Ensure that each commit has at least one `Signed-off-by:` line from the committer. If anyone else contributes to the commit, they should also add their own `Signed-off-by:` line. By adding this line, contributor(s) certify that the contribution is made under the terms of the [Developer Certificate of Origin](dco.txt). The contribution licensing is described in the [License section of the README](README.md#License).
-API/ABI Compatibility
----------------------
-The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches.
+Backwards Compatibility
+-----------------------
+
+The project aims to minimise the impact on users upgrading to newer versions of the library and it should not be necessary for a user to make any changes to their own code to work with a newer version of the library. Unless the user has made an active decision to use newer features, a newer generation of the library or a change has been necessary due to a security issue or other significant software defect, no modifications to their own code should be necessary. To achieve this, API compatibility is maintained between different versions of Mbed TLS on the main development branch and in LTS (Long Term Support) branches, as described in [BRANCHES.md](BRANCHES.md).
To minimise such disruption to users, where a change to the interface is required, all changes to the ABI or API, even on the main development branch where new features are added, need to be justifiable by either being a significant enhancement, new feature or bug fix which is best resolved by an interface change.
@@ -48,6 +49,9 @@
It would be highly appreciated if contributions are backported to LTS branches in addition to the [development branch](https://github.com/ARMmbed/mbedtls/tree/development) by contributors.
+The list of maintained branches can be found in the [Current Branches section
+of BRANCHES.md](BRANCHES.md#current-branches).
+
Currently maintained LTS branches are:
1. [mbedtls-2.7](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.7)
1. [mbedtls-2.16](https://github.com/ARMmbed/mbedtls/tree/mbedtls-2.16)
@@ -79,4 +83,4 @@
1. Complex parts in the code should include comments.
1. If needed, a Readme file is advised.
1. If a [Knowledge Base (KB)](https://tls.mbed.org/kb) article should be added, write this as a comment in the PR description.
-1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog) entry should be added for this contribution.
+1. A [ChangeLog](https://github.com/ARMmbed/mbedtls/blob/development/ChangeLog.d/00README.md) entry should be added for this contribution.
diff --git a/lib/libmbedtls/mbedtls/ChangeLog b/lib/libmbedtls/mbedtls/ChangeLog
index 062a1ad..89572ca 100644
--- a/lib/libmbedtls/mbedtls/ChangeLog
+++ b/lib/libmbedtls/mbedtls/ChangeLog
@@ -1,5 +1,718 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.27.0 branch released 2021-07-07
+
+API changes
+ * Update AEAD output size macros to bring them in line with the PSA Crypto
+ API version 1.0 spec. This version of the spec parameterizes them on the
+ key type used, as well as the key bit-size in the case of
+ PSA_AEAD_TAG_LENGTH.
+ The old versions of these macros were renamed and deprecated as follows:
+ - PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
+ - PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
+ - PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
+ - PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
+ - PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
+ - PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
+ * Implement one-shot cipher functions, psa_cipher_encrypt and
+ psa_cipher_decrypt, according to the PSA Crypto API 1.0.0
+ specification.
+
+Requirement changes
+ * The library now uses the %zu format specifier with the printf() family of
+ functions, so requires a toolchain that supports it. This change does not
+ affect the maintained LTS branches, so when contributing changes please
+ bear this in mind and do not add them to backported code.
+
+Features
+ * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a
+ signature with a specific salt length. This function allows to validate
+ test cases provided in the NIST's CAVP test suite. Contributed by Cédric
+ Meuter in PR #3183.
+ * Added support for built-in driver keys through the PSA opaque crypto
+ driver interface. Refer to the documentation of
+ MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
+ * Implement psa_sign_message() and psa_verify_message().
+ * The new function mbedtls_mpi_random() generates a random value in a
+ given range uniformly.
+ * Implement psa_mac_compute() and psa_mac_verify() as defined in the
+ PSA Cryptograpy API 1.0.0 specification.
+ * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured
+ curves and no longer needs to be configured explicitly to save RAM.
+
+Security
+ * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM)
+ private keys and of blinding values for DHM and elliptic curves (ECP)
+ computations. Reported by FlorianF89 in #4245.
+ * Fix a potential side channel vulnerability in ECDSA ephemeral key generation.
+ An adversary who is capable of very precise timing measurements could
+ learn partial information about the leading bits of the nonce used for the
+ signature, allowing the recovery of the private key after observing a
+ large number of signature operations. This completes a partial fix in
+ Mbed TLS 2.20.0.
+ * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is
+ too small, leading to buffer overflows in ECC operations. Fail the build
+ in such a case.
+ * An adversary with access to precise enough information about memory
+ accesses (typically, an untrusted operating system attacking a secure
+ enclave) could recover an RSA private key after observing the victim
+ performing a single private-key operation. Found and reported by
+ Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG.
+ * An adversary with access to precise enough timing information (typically, a
+ co-located process) could recover a Curve25519 or Curve448 static ECDH key
+ after inputting a chosen public key and observing the victim performing the
+ corresponding private-key operation. Found and reported by Leila Batina,
+ Lukas Chmielewski, Björn Haase, Niels Samwel and Peter Schwabe.
+
+Bugfix
+ * Add printf function attributes to mbedtls_debug_print_msg to ensure we
+ get printf format specifier warnings.
+ * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may
+ lead to seed file corruption in the case where the path to the seed file is
+ equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE. Contributed by Victor
+ Krasnoshchok in #3616.
+ * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE
+ rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them
+ in line with version 1.0.0 of the specification. Fix #4162.
+ * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather
+ than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key
+ to create is not valid, bringing them in line with version 1.0.0 of the
+ specification. Fix #4271.
+ * Fix some cases in the bignum module where the library constructed an
+ unintended representation of the value 0 which was not processed
+ correctly by some bignum operations. This could happen when
+ mbedtls_mpi_read_string() was called on "-0", or when
+ mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() was called with one of
+ the arguments being negative and the other being 0. Fixes #4643.
+ * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits
+ zero. Fixes #1792
+ * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is
+ defined. Fixes #4217.
+ * Fix an incorrect error code when parsing a PKCS#8 private key.
+ * In a TLS client, enforce the Diffie-Hellman minimum parameter size
+ set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the
+ minimum size was rounded down to the nearest multiple of 8.
+ * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are
+ defined to specific values. If the code is used in a context
+ where these are already defined, this can result in a compilation
+ error. Instead, assume that if they are defined, the values will
+ be adequate to build Mbed TLS.
+ * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available
+ when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384
+ was disabled. Fix the dependency. Fixes #4472.
+ * Do not offer SHA384 cipher suites when SHA-384 is disabled. Fixes #4499.
+ * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built
+ nonetheless, resulting in undefined reference errors when building a
+ shared library. Reported by Guillermo Garcia M. in #4411.
+ * Fix test suite code on platforms where int32_t is not int, such as
+ Arm Cortex-M. Fixes #4530.
+ * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced
+ directive in a header and a missing initialization in the self-test.
+ * Fix a missing initialization in the Camellia self-test, affecting
+ MBEDTLS_CAMELLIA_ALT implementations.
+ * Restore the ability to configure PSA via Mbed TLS options to support RSA
+ key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME
+ is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
+ Fixes #4512.
+ * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites
+ (when the encrypt-then-MAC extension is not in use) with some ALT
+ implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing
+ the affected side to wrongly reject valid messages. Fixes #4118.
+ * Remove outdated check-config.h check that prevented implementing the
+ timing module on Mbed OS. Fixes #4633.
+ * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive
+ about missing inputs.
+ * Fix mbedtls_net_poll() and mbedtls_net_recv_timeout() often failing with
+ MBEDTLS_ERR_NET_POLL_FAILED on Windows. Fixes #4465.
+ * Fix a resource leak in a test suite with an alternative AES
+ implementation. Fixes #4176.
+ * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This
+ could notably be triggered by setting the TLS debug level to 3 or above
+ and using a Montgomery curve for the key exchange. Reported by lhuang04
+ in #4578. Fixes #4608.
+ * psa_verify_hash() was relying on implementation-specific behavior of
+ mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT
+ implementations. This reliance is now removed. Fixes #3990.
+ * Disallow inputs of length different from the corresponding hash when
+ signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates
+ that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
+ * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with
+ A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug
+ could not be triggered by code that constructed A with one of the
+ mbedtls_mpi_read_xxx functions (including in particular TLS code) since
+ those always built an mpi object with at least one limb.
+ Credit to OSS-Fuzz. Fixes #4641.
+ * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no
+ effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect
+ applications that call mbedtls_mpi_gcd() directly. Fixes #4642.
+ * The PSA API no longer allows the creation or destruction of keys with a
+ read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY
+ can now only be used as intended, for keys that cannot be modified through
+ normal use of the API.
+ * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
+ in all the right places. Include it from crypto_platform.h, which is
+ the natural place. Fixes #4649.
+ * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and
+ restartable variants now always honor the specified hash length if
+ nonzero. Before, for RSA, hash_len was ignored in favor of the length of
+ the specified hash algorithm.
+ * Fix which alert is sent in some cases to conform to the
+ applicable RFC: on an invalid Finished message value, an
+ invalid max_fragment_length extension, or an
+ unsupported extension used by the server.
+ * Correct (change from 12 to 13 bytes) the value of the macro describing the
+ maximum nonce length returned by psa_aead_generate_nonce().
+
+Changes
+ * Add extra printf compiler warning flags to builds.
+ * Fix memsan build false positive in x509_crt.c with Clang 11
+ * Fix the setting of the read timeout in the DTLS sample programs.
+ * Remove the AES sample application programs/aes/aescrypt2 which shows
+ bad cryptographic practice. Fix #1906.
+ * Alternative implementations of CMAC may now opt to not support 3DES as a
+ CMAC block cipher, and still pass the CMAC self test.
+ * Remove configs/config-psa-crypto.h, which was identical to the default
+ configuration except for having some extra cryptographic mechanisms
+ enabled and for unintended differences. This configuration was primarily
+ intended to demonstrate the PSA API, and lost most of its usefulness when
+ MBEDTLS_PSA_CRYPTO_C became enabled by default.
+ * When building the test suites with GNU make, invoke python3 or python, not
+ python2, which is no longer supported upstream.
+ * When using session cache based session resumption on the server,
+ double-check that custom session cache implementations return
+ sessions which are consistent with the negotiated ciphersuite
+ and compression method.
+ * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on.
+ When that flag is on, standard GNU C printf format specifiers
+ should be used.
+ * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage
+ during ECC operations at a negligible performance cost.
+ * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and
+ mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs
+ when their input has length 0. Note that this is an implementation detail
+ and can change at any time, so this change should be transparent, but it
+ may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string()
+ now writing an empty string where it previously wrote one or more
+ zero digits when operating from values constructed with an mpi_read
+ function and some mpi operations.
+ * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when
+ PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag
+ when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension
+ is also applied when loading a key from storage.
+
+= mbed TLS 2.26.0 branch released 2021-03-08
+
+API changes
+ * Renamed the PSA Crypto API output buffer size macros to bring them in line
+ with version 1.0.0 of the specification.
+ * The API glue function mbedtls_ecc_group_of_psa() now takes the curve size
+ in bits rather than bytes, with an additional flag to indicate if the
+ size may have been rounded up to a whole number of bytes.
+ * Renamed the PSA Crypto API AEAD tag length macros to bring them in line
+ with version 1.0.0 of the specification.
+
+Default behavior changes
+ * In mbedtls_rsa_context objects, the ver field was formerly documented
+ as always 0. It is now reserved for internal purposes and may take
+ different values.
+
+New deprecations
+ * PSA_KEY_EXPORT_MAX_SIZE, PSA_HASH_SIZE, PSA_MAC_FINAL_SIZE,
+ PSA_BLOCK_CIPHER_BLOCK_SIZE, PSA_MAX_BLOCK_CIPHER_BLOCK_SIZE and
+ PSA_ALG_TLS12_PSK_TO_MS_MAX_PSK_LEN have been renamed, and the old names
+ deprecated.
+ * PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH and PSA_ALG_AEAD_WITH_TAG_LENGTH
+ have been renamed, and the old names deprecated.
+
+Features
+ * The PSA crypto subsystem can now use HMAC_DRBG instead of CTR_DRBG.
+ CTR_DRBG is used by default if it is available, but you can override
+ this choice by setting MBEDTLS_PSA_HMAC_DRBG_MD_TYPE at compile time.
+ Fix #3354.
+ * Automatic fallback to a software implementation of ECP when
+ MBEDTLS_ECP_xxx_ALT accelerator hooks are in use can now be turned off
+ through setting the new configuration flag MBEDTLS_ECP_NO_FALLBACK.
+ * The PSA crypto subsystem can now be configured to use less static RAM by
+ tweaking the setting for the maximum amount of keys simultaneously in RAM.
+ MBEDTLS_PSA_KEY_SLOT_COUNT sets the maximum number of volatile keys that
+ can exist simultaneously. It has a sensible default if not overridden.
+ * Partial implementation of the PSA crypto driver interface: Mbed TLS can
+ now use an external random generator instead of the library's own
+ entropy collection and DRBG code. Enable MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+ and see the documentation of mbedtls_psa_external_get_random() for details.
+ * Applications using both mbedtls_xxx and psa_xxx functions (for example,
+ applications using TLS and MBEDTLS_USE_PSA_CRYPTO) can now use the PSA
+ random generator with mbedtls_xxx functions. See the documentation of
+ mbedtls_psa_get_random() for details.
+ * In the PSA API, the policy for a MAC or AEAD algorithm can specify a
+ minimum MAC or tag length thanks to the new wildcards
+ PSA_ALG_AT_LEAST_THIS_LENGTH_MAC and
+ PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG.
+
+Security
+ * Fix a security reduction in CTR_DRBG when the initial seeding obtained a
+ nonce from entropy. Applications were affected if they called
+ mbedtls_ctr_drbg_set_nonce_len(), if they called
+ mbedtls_ctr_drbg_set_entropy_len() with a size that was 3/2 times the key
+ length, or when the entropy module uses SHA-256 and CTR_DRBG uses AES-256.
+ In such cases, a random nonce was necessary to achieve the advertised
+ security strength, but the code incorrectly used a constant instead of
+ entropy from the nonce.
+ Found by John Stroebel in #3819 and fixed in #3973.
+ * Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
+ |A| - |B| where |B| is larger than |A| and has more limbs (so the
+ function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
+ applications calling mbedtls_mpi_sub_abs() directly are affected:
+ all calls inside the library were safe since this function is
+ only called with |A| >= |B|. Reported by Guido Vranken in #4042.
+ * Fix an errorneous estimation for an internal buffer in
+ mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
+ value the function might fail to write a private RSA keys of the largest
+ supported size.
+ Found by Daniel Otte, reported in #4093 and fixed in #4094.
+ * Fix a stack buffer overflow with mbedtls_net_poll() and
+ mbedtls_net_recv_timeout() when given a file descriptor that is
+ beyond FD_SETSIZE. Reported by FigBug in #4169.
+ * Guard against strong local side channel attack against base64 tables by
+ making access aceess to them use constant flow code.
+
+Bugfix
+ * Fix use-after-scope error in programs/ssl/ssl_client2.c and ssl_server2.c
+ * Fix memory leak that occured when calling psa_close_key() on a
+ wrapped key with MBEDTLS_PSA_CRYPTO_SE_C defined.
+ * Fix an incorrect error code if an RSA private operation glitched.
+ * Fix a memory leak in an error case in psa_generate_derived_key_internal().
+ * Fix a resource leak in CTR_DRBG and HMAC_DRBG when MBEDTLS_THREADING_C
+ is enabled, on platforms where initializing a mutex allocates resources.
+ This was a regression introduced in the previous release. Reported in
+ #4017, #4045 and #4071.
+ * Ensure that calling mbedtls_rsa_free() or mbedtls_entropy_free()
+ twice is safe. This happens for RSA when some Mbed TLS library functions
+ fail. Such a double-free was not safe when MBEDTLS_THREADING_C was
+ enabled on platforms where freeing a mutex twice is not safe.
+ * Fix a resource leak in a bad-arguments case of mbedtls_rsa_gen_key()
+ when MBEDTLS_THREADING_C is enabled on platforms where initializing
+ a mutex allocates resources.
+ * Fixes a bug where, if the library was configured to include support for
+ both the old SE interface and the new PSA driver interface, external keys were
+ not loaded from storage. This was fixed by #3996.
+ * This change makes 'mbedtls_x509write_crt_set_basic_constraints'
+ consistent with RFC 5280 4.2.1.9 which says: "Conforming CAs MUST
+ include this extension in all CA certificates that contain public keys
+ used to validate digital signatures on certificates and MUST mark the
+ extension as critical in such certificates." Previous to this change,
+ the extension was always marked as non-critical. This was fixed by
+ #3698.
+
+Changes
+ * A new library C file psa_crypto_client.c has been created to contain
+ the PSA code needed by a PSA crypto client when the PSA crypto
+ implementation is not included into the library.
+ * On recent enough versions of FreeBSD and DragonFlyBSD, the entropy module
+ now uses the getrandom syscall instead of reading from /dev/urandom.
+
+= mbed TLS 2.25.0 branch released 2020-12-11
+
+API changes
+ * The numerical values of the PSA Crypto API macros have been updated to
+ conform to version 1.0.0 of the specification.
+ * PSA_ALG_STREAM_CIPHER replaces PSA_ALG_CHACHA20 and PSA_ALG_ARC4.
+ The underlying stream cipher is determined by the key type
+ (PSA_KEY_TYPE_CHACHA20 or PSA_KEY_TYPE_ARC4).
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
+ as they have no way to check if the output buffer is large enough.
+ Please use mbedtls_cipher_auth_encrypt_ext() and
+ mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
+ Cryptofuzz. Fixes #3665.
+
+Requirement changes
+ * Update the minimum required CMake version to 2.8.12. This silences a
+ warning on CMake 3.19.0. #3801
+
+New deprecations
+ * PSA_ALG_CHACHA20 and PSA_ALG_ARC4 have been deprecated.
+ Use PSA_ALG_STREAM_CIPHER instead.
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
+ functions mbedtls_cipher_auth_encrypt_ext() and
+ mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
+ these new functions always append the tag to the ciphertext, and include
+ the tag in the ciphertext length.
+
+Features
+ * Partial implementation of the new PSA Crypto accelerator APIs. (Symmetric
+ ciphers, asymmetric signing/verification and key generation, validate_key
+ entry point, and export_public_key interface.)
+ * Add support for ECB to the PSA cipher API.
+ * In PSA, allow using a key declared with a base key agreement algorithm
+ in combined key agreement and derivation operations, as long as the key
+ agreement algorithm in use matches the algorithm the key was declared with.
+ This is currently non-standard behaviour, but expected to make it into a
+ future revision of the PSA Crypto standard.
+ * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
+ mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
+ external CMake projects that include this one to avoid CMake target name
+ clashes. The default value of this variable is "", so default target names
+ are unchanged.
+ * Add support for DTLS-SRTP as defined in RFC 5764. Contributed by Johan
+ Pascal, improved by Ron Eldor.
+ * In the PSA API, it is no longer necessary to open persistent keys:
+ operations now accept the key identifier. The type psa_key_handle_t is now
+ identical to psa_key_id_t instead of being platform-defined. This bridges
+ the last major gap to compliance with the PSA Cryptography specification
+ version 1.0.0. Opening persistent keys is still supported for backward
+ compatibility, but will be deprecated and later removed in future
+ releases.
+ * PSA_AEAD_NONCE_LENGTH, PSA_AEAD_NONCE_MAX_SIZE, PSA_CIPHER_IV_LENGTH and
+ PSA_CIPHER_IV_MAX_SIZE macros have been added as defined in version
+ 1.0.0 of the PSA Crypto API specification.
+
+Security
+ * The functions mbedtls_cipher_auth_encrypt() and
+ mbedtls_cipher_auth_decrypt() would write past the minimum documented
+ size of the output buffer when used with NIST_KW. As a result, code using
+ those functions as documented with NIST_KW could have a buffer overwrite
+ of up to 15 bytes, with consequences ranging up to arbitrary code
+ execution depending on the location of the output buffer.
+ * Limit the size of calculations performed by mbedtls_mpi_exp_mod to
+ MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
+ generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
+ * A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
+ which is how most uses of randomization in asymmetric cryptography
+ (including key generation, intermediate value randomization and blinding)
+ are implemented. This could cause failures or the silent use of non-random
+ values. A random generator can fail if it needs reseeding and cannot not
+ obtain entropy, or due to an internal failure (which, for Mbed TLS's own
+ CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
+ * Fix a compliance issue whereby we were not checking the tag on the
+ algorithm parameters (only the size) when comparing the signature in the
+ description part of the cert to the real signature. This meant that a
+ NULL algorithm parameters entry would look identical to an array of REAL
+ (size zero) to the library and thus the certificate would be considered
+ valid. However, if the parameters do not match in *any* way then the
+ certificate should be considered invalid, and indeed OpenSSL marks these
+ certs as invalid when mbedtls did not.
+ Many thanks to guidovranken who found this issue via differential fuzzing
+ and reported it in #3629.
+ * Zeroising of local buffers and variables which are used for calculations
+ in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
+ mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
+ functions to erase sensitive data from memory. Reported by
+ Johan Malmgren and Johan Uppman Bruce from Sectra.
+
+Bugfix
+ * Fix an invalid (but non-zero) return code from mbedtls_pk_parse_subpubkey()
+ when the input has trailing garbage. Fixes #2512.
+ * Fix build failure in configurations where MBEDTLS_USE_PSA_CRYPTO is
+ enabled but ECDSA is disabled. Contributed by jdurkop. Fixes #3294.
+ * Include the psa_constant_names generated source code in the source tree
+ instead of generating it at build time. Fixes #3524.
+ * Fix rsa_prepare_blinding() to retry when the blinding value is not
+ invertible (mod N), instead of returning MBEDTLS_ERR_RSA_RNG_FAILED. This
+ addresses a regression but is rare in practice (approx. 1 in 2/sqrt(N)).
+ Found by Synopsys Coverity, fix contributed by Peter Kolbus (Garmin).
+ Fixes #3647.
+ * Use socklen_t on Android and other POSIX-compliant system
+ * Fix the build when the macro _GNU_SOURCE is defined to a non-empty value.
+ Fix #3432.
+ * Consistently return PSA_ERROR_INVALID_ARGUMENT on invalid cipher input
+ sizes (instead of PSA_ERROR_BAD_STATE in some cases) to make the
+ psa_cipher_* functions compliant with the PSA Crypto API specification.
+ * mbedtls_ecp_curve_list() now lists Curve25519 and Curve448 under the names
+ "x25519" and "x448". These curves support ECDH but not ECDSA. If you need
+ only the curves that support ECDSA, filter the list with
+ mbedtls_ecdsa_can_do().
+ * Fix psa_generate_key() returning an error when asked to generate
+ an ECC key pair on Curve25519 or secp244k1.
+ * Fix psa_key_derivation_output_key() to allow the output of a combined key
+ agreement and subsequent key derivation operation to be used as a key
+ inside of the PSA Crypto core.
+ * Fix handling of EOF against 0xff bytes and on platforms with unsigned
+ chars. Fixes a build failure on platforms where char is unsigned. Fixes
+ #3794.
+ * Fix an off-by-one error in the additional data length check for
+ CCM, which allowed encryption with a non-standard length field.
+ Fixes #3719.
+ * Correct the default IV size for mbedtls_cipher_info_t structures using
+ MBEDTLS_MODE_ECB to 0, since ECB mode ciphers don't use IVs.
+ * Make arc4random_buf available on NetBSD and OpenBSD when _POSIX_C_SOURCE is
+ defined. Fix contributed in #3571.
+ * Fix conditions for including string.h in error.c. Fixes #3866.
+ * psa_set_key_id() now also sets the lifetime to persistent for keys located
+ in a secure element.
+ * Attempting to create a volatile key with a non-zero key identifier now
+ fails. Previously the key identifier was just ignored when creating a
+ volatile key.
+ * Attempting to create or register a key with a key identifier in the vendor
+ range now fails.
+ * Fix build failures on GCC 11. Fixes #3782.
+ * Add missing arguments of debug message in mbedtls_ssl_decrypt_buf.
+ * Fix a memory leak in mbedtls_mpi_sub_abs() when the result was negative
+ (an error condition) and the second operand was aliased to the result.
+ * Fix a case in elliptic curve arithmetic where an out-of-memory condition
+ could go undetected, resulting in an incorrect result.
+ * In CTR_DRBG and HMAC_DRBG, don't reset the reseed interval in seed().
+ Fixes #2927.
+ * In PEM writing functions, fill the trailing part of the buffer with null
+ bytes. This guarantees that the corresponding parsing function can read
+ the buffer back, which was the case for mbedtls_x509write_{crt,csr}_pem
+ until this property was inadvertently broken in Mbed TLS 2.19.0.
+ Fixes #3682.
+ * Fix a build failure that occurred with the MBEDTLS_AES_SETKEY_DEC_ALT
+ option on. In this configuration key management methods that are required
+ for MBEDTLS_CIPHER_MODE_XTS were excluded from the build and made it fail.
+ Fixes #3818. Reported by John Stroebel.
+
+Changes
+ * Reduce stack usage significantly during sliding window exponentiation.
+ Reported in #3591 and fix contributed in #3592 by Daniel Otte.
+ * The PSA persistent storage format is updated to always store the key bits
+ attribute. No automatic upgrade path is provided. Previously stored keys
+ must be erased, or manually upgraded based on the key storage format
+ specification (docs/architecture/mbed-crypto-storage-specification.md).
+ Fixes #3740.
+ * Remove the zeroization of a pointer variable in AES rounds. It was valid
+ but spurious and misleading since it looked like a mistaken attempt to
+ zeroize the pointed-to buffer. Reported by Antonio de la Piedra, CEA
+ Leti, France.
+
+= mbed TLS 2.24.0 branch released 2020-09-01
+
+API changes
+ * In the PSA API, rename the types of elliptic curve and Diffie-Hellman
+ group families to psa_ecc_family_t and psa_dh_family_t, in line with the
+ PSA Crypto API specification version 1.0.0.
+ Rename associated macros as well:
+ PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
+ PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
+ PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
+ PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
+
+Default behavior changes
+ * Stop storing persistent information about externally stored keys created
+ through PSA Crypto with a volatile lifetime. Reported in #3288 and
+ contributed by Steven Cooreman in #3382.
+
+Features
+ * The new function mbedtls_ecp_write_key() exports private ECC keys back to
+ a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
+ * Support building on e2k (Elbrus) architecture: correctly enable
+ -Wformat-signedness, and fix the code that causes signed-one-bit-field
+ and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
+ <akemi_homura@kurisa.ch>.
+
+Security
+ * Fix a vulnerability in the verification of X.509 certificates when
+ matching the expected common name (the cn argument of
+ mbedtls_x509_crt_verify()) with the actual certificate name: when the
+ subjecAltName extension is present, the expected name was compared to any
+ name in that extension regardless of its type. This means that an
+ attacker could for example impersonate a 4-bytes or 16-byte domain by
+ getting a certificate for the corresponding IPv4 or IPv6 (this would
+ require the attacker to control that IP address, though). Similar attacks
+ using other subjectAltName name types might be possible. Found and
+ reported by kFYatek in #3498.
+ * When checking X.509 CRLs, a certificate was only considered as revoked if
+ its revocationDate was in the past according to the local clock if
+ available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
+ certificates were never considered as revoked. On builds with
+ MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
+ example, an untrusted OS attacking a secure enclave) could prevent
+ revocation of certificates via CRLs. Fixed by no longer checking the
+ revocationDate field, in accordance with RFC 5280. Reported by
+ yuemonangong in #3340. Reported independently and fixed by
+ Raoul Strackx and Jethro Beekman in #3433.
+ * In (D)TLS record decryption, when using a CBC ciphersuites without the
+ Encrypt-then-Mac extension, use constant code flow memory access patterns
+ to extract and check the MAC. This is an improvement to the existing
+ countermeasure against Lucky 13 attacks. The previous countermeasure was
+ effective against network-based attackers, but less so against local
+ attackers. The new countermeasure defends against local attackers, even
+ if they have access to fine-grained measurements. In particular, this
+ fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
+ Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
+ (University of Florida) and Dave Tian (Purdue University).
+ * Fix side channel in RSA private key operations and static (finite-field)
+ Diffie-Hellman. An adversary with precise enough timing and memory access
+ information (typically an untrusted operating system attacking a secure
+ enclave) could bypass an existing counter-measure (base blinding) and
+ potentially fully recover the private key.
+ * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
+ Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
+ for pinpointing the problematic code.
+ * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
+ application data from memory. Reported in #689 by
+ Johan Uppman Bruce of Sectra.
+
+Bugfix
+ * Library files installed after a CMake build no longer have execute
+ permission.
+ * Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
+ redefinition if the function is inlined.
+ Reported in #3451 and fix contributed in #3452 by okhowang.
+ * Fix the endianness of Curve25519 keys imported/exported through the PSA
+ APIs. psa_import_key and psa_export_key will now correctly expect/output
+ Montgomery keys in little-endian as defined by RFC7748. Contributed by
+ Steven Cooreman in #3425.
+ * Fix build errors when the only enabled elliptic curves are Montgomery
+ curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
+ also fixes missing declarations reported by Steven Cooreman in #1147.
+ * Fix self-test failure when the only enabled short Weierstrass elliptic
+ curve is secp192k1. Fixes #2017.
+ * PSA key import will now correctly import a Curve25519/Curve448 public key
+ instead of erroring out. Contributed by Steven Cooreman in #3492.
+ * Use arc4random_buf on NetBSD instead of rand implementation with cyclical
+ lower bits. Fix contributed in #3540.
+ * Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
+ conditions. Reported and fix suggested by Guido Vranken in #3486.
+ * Fix bug in redirection of unit test outputs on platforms where stdout is
+ defined as a macro. First reported in #2311 and fix contributed in #3528.
+
+Changes
+ * Only pass -Wformat-signedness to versions of GCC that support it. Reported
+ in #3478 and fix contributed in #3479 by okhowang.
+ * Reduce the stack consumption of mbedtls_x509write_csr_der() which
+ previously could lead to stack overflow on constrained devices.
+ Contributed by Doru Gucea and Simon Leet in #3464.
+ * Undefine the ASSERT macro before defining it locally, in case it is defined
+ in a platform header. Contributed by Abdelatif Guettouche in #3557.
+ * Update copyright notices to use Linux Foundation guidance. As a result,
+ the copyright of contributors other than Arm is now acknowledged, and the
+ years of publishing are no longer tracked in the source files. This also
+ eliminates the need for the lines declaring the files to be part of
+ MbedTLS. Fixes #3457.
+ * Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
+ example applications which allows to provide a password for the key file
+ specified through the existing key_file argument. This allows the use of
+ these applications with password-protected key files. Analogously but for
+ ssl_server2 only, add the command line parameter key_pwd2 which allows to
+ set a password for the key file provided through the existing key_file2
+ argument.
+
+= mbed TLS 2.23.0 branch released 2020-07-01
+
+Default behavior changes
+ * In the experimental PSA secure element interface, change the encoding of
+ key lifetimes to encode a persistence level and the location. Although C
+ prototypes do not effectively change, code calling
+ psa_register_se_driver() must be modified to pass the driver's location
+ instead of the keys' lifetime. If the library is upgraded on an existing
+ device, keys created with the old lifetime value will not be readable or
+ removable through Mbed TLS after the upgrade.
+
+Features
+ * New functions in the error module return constant strings for
+ high- and low-level error codes, complementing mbedtls_strerror()
+ which constructs a string for any error code, including compound
+ ones, but requires a writable buffer. Contributed by Gaurav Aggarwal
+ in #3176.
+ * The new utility programs/ssl/ssl_context_info prints a human-readable
+ dump of an SSL context saved with mbedtls_ssl_context_save().
+ * Add support for midipix, a POSIX layer for Microsoft Windows.
+ * Add new mbedtls_x509_crt_parse_der_with_ext_cb() routine which allows
+ parsing unsupported certificate extensions via user provided callback.
+ Contributed by Nicola Di Lieto <nicola.dilieto@gmail.com> in #3243 as
+ a solution to #3241.
+ * Pass the "certificate policies" extension to the callback supplied to
+ mbedtls_x509_crt_parse_der_with_ext_cb() if it contains unsupported
+ policies (#3419).
+ * Added support to entropy_poll for the kern.arandom syscall supported on
+ some BSD systems. Contributed by Nia Alarie in #3423.
+ * Add support for Windows 2000 in net_sockets. Contributed by opatomic. #3239
+
+Security
+ * Fix a side channel vulnerability in modular exponentiation that could
+ reveal an RSA private key used in a secure enclave. Noticed by Sangho Lee,
+ Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute
+ of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul
+ Strackx (Fortanix) in #3394.
+ * Fix side channel in mbedtls_ecp_check_pub_priv() and
+ mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a
+ private key that didn't include the uncompressed public key), as well as
+ mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
+ f_rng argument. An attacker with access to precise enough timing and
+ memory access information (typically an untrusted operating system
+ attacking a secure enclave) could fully recover the ECC private key.
+ Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
+ * Fix issue in Lucky 13 counter-measure that could make it ineffective when
+ hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
+ macros). This would cause the original Lucky 13 attack to be possible in
+ those configurations, allowing an active network attacker to recover
+ plaintext after repeated timing measurements under some conditions.
+ Reported and fix suggested by Luc Perneel in #3246.
+
+Bugfix
+ * Fix the Visual Studio Release x64 build configuration for mbedtls itself.
+ Completes a previous fix in Mbed TLS 2.19 that only fixed the build for
+ the example programs. Reported in #1430 and fix contributed by irwir.
+ * Fix undefined behavior in X.509 certificate parsing if the
+ pathLenConstraint basic constraint value is equal to INT_MAX.
+ The actual effect with almost every compiler is the intended
+ behavior, so this is unlikely to be exploitable anywhere. #3192
+ * Fix issue with a detected HW accelerated record error not being exposed
+ due to shadowed variable. Contributed by Sander Visser in #3310.
+ * Avoid NULL pointer dereferencing if mbedtls_ssl_free() is called with a
+ NULL pointer argument. Contributed by Sander Visser in #3312.
+ * Fix potential linker errors on dual world platforms by inlining
+ mbedtls_gcc_group_to_psa(). This allows the pk.c module to link separately
+ from psa_crypto.c. Fixes #3300.
+ * Remove dead code in X.509 certificate parsing. Contributed by irwir in
+ #2855.
+ * Include asn1.h in error.c. Fixes #3328 reported by David Hu.
+ * Fix potential memory leaks in ecp_randomize_jac() and ecp_randomize_mxz()
+ when PRNG function fails. Contributed by Jonas Lejeune in #3318.
+ * Remove unused macros from MSVC projects. Reported in #3297 and fix
+ submitted in #3333 by irwir.
+ * Add additional bounds checks in ssl_write_client_hello() preventing
+ output buffer overflow if the configuration declared a buffer that was
+ too small.
+ * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and
+ fix submitted in #3421 by Nia Alarie.
+ * Fix building library/net_sockets.c and the ssl_mail_client program on
+ NetBSD. Contributed by Nia Alarie in #3422.
+ * Fix false positive uninitialised variable reported by cpp-check.
+ Contributed by Sander Visser in #3311.
+ * Update iv and len context pointers manually when reallocating buffers
+ using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
+ when receiving a connection with CID, when these fields were shifted
+ in ssl_parse_record_header().
+
+Changes
+ * Fix warnings about signedness issues in format strings. The build is now
+ clean of -Wformat-signedness warnings. Contributed by Kenneth Soerensen
+ in #3153.
+ * Fix minor performance issue in operations on Curve25519 caused by using a
+ suboptimal modular reduction in one place. Found and fix contributed by
+ Aurelien Jarno in #3209.
+ * Combine identical cases in switch statements in md.c. Contributed
+ by irwir in #3208.
+ * Simplify a bounds check in ssl_write_certificate_request(). Contributed
+ by irwir in #3150.
+ * Unify the example programs termination to call mbedtls_exit() instead of
+ using a return command. This has been done to enable customization of the
+ behavior in bare metal environments.
+ * Fix mbedtls_x509_dn_gets to escape non-ASCII characters as "?".
+ Contributed by Koh M. Nakagawa in #3326.
+ * Use FindPython3 when cmake version >= 3.15.0
+ * Abort the ClientHello writing function as soon as some extension doesn't
+ fit into the record buffer. Previously, such extensions were silently
+ dropped. As a consequence, the TLS handshake now fails when the output
+ buffer is not large enough to hold the ClientHello.
+ * The unit tests now rely on header files in tests/include/test and source
+ files in tests/src. When building with make or cmake, the files in
+ tests/src are compiled and the resulting object linked into each test
+ executable.
+ * The ECP module, enabled by `MBEDTLS_ECP_C`, now depends on
+ `MBEDTLS_CTR_DRBG_C` or `MBEDTLS_HMAC_DRBG_C` for some side-channel
+ coutermeasures. If side channels are not a concern, this dependency can
+ be avoided by enabling the new option `MBEDTLS_ECP_NO_INTERNAL_RNG`.
+ * Align MSVC error flag with GCC and Clang. Contributed by Carlos Gomes
+ Martinho. #3147
+ * Remove superfluous assignment in mbedtls_ssl_parse_certificate(). Reported
+ in #3182 and fix submitted by irwir. #3217
+ * Fix typo in XTS tests. Reported and fix submitted by Kxuan. #3319
+
= mbed TLS 2.22.0 branch released 2020-04-14
New deprecations
diff --git a/lib/libmbedtls/mbedtls/README.md b/lib/libmbedtls/mbedtls/README.md
index f868a0a..759ffb5 100644
--- a/lib/libmbedtls/mbedtls/README.md
+++ b/lib/libmbedtls/mbedtls/README.md
@@ -25,6 +25,8 @@
1. Run `make apidoc`.
1. Browse `apidoc/index.html` or `apidoc/modules.html`.
+For other sources of documentation, see the [SUPPORT](SUPPORT.md) document.
+
Compiling
---------
@@ -85,11 +87,11 @@
mkdir /path/to/build_dir && cd /path/to/build_dir
cmake /path/to/mbedtls_source
- make
+ cmake --build .
In order to run the tests, enter:
- make test
+ ctest
The test suites need Python to be built and Perl to be executed. If you don't have one of these installed, you'll want to disable the test suites with:
@@ -208,7 +210,7 @@
* The API distinguishes caller memory from internal memory, which allows the library to be implemented in an isolated space for additional security. Library calls can be implemented as direct function calls if isolation is not desired, and as remote procedure calls if isolation is desired.
* The structure of internal data is hidden to the application, which allows substituting alternative implementations at build time or run time, for example, in order to take advantage of hardware accelerators.
-* All access to the keys happens through handles, which allows support for external cryptoprocessors that is transparent to applications.
+* All access to the keys happens through key identifiers, which allows support for external cryptoprocessors that is transparent to applications.
* The interface to algorithms is generic, favoring algorithm agility.
* The interface is designed to be easy to use and hard to accidentally misuse.
diff --git a/lib/libmbedtls/mbedtls/SECURITY.md b/lib/libmbedtls/mbedtls/SECURITY.md
new file mode 100644
index 0000000..bd18f6c
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/SECURITY.md
@@ -0,0 +1,20 @@
+## Reporting Vulneratibilities
+
+If you think you have found an Mbed TLS security vulnerability, then please
+send an email to the security team at
+<mbed-tls-security@lists.trustedfirmware.org>.
+
+## Security Incident Handling Process
+
+Our security process is detailled in our
+[security
+center](https://developer.trustedfirmware.org/w/mbed-tls/security-center/).
+
+Its primary goal is to ensure fixes are ready to be deployed when the issue
+goes public.
+
+## Maintained branches
+
+Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
+get security fixes.
+Users are urged to always use the latest version of a maintained branch.
diff --git a/lib/libmbedtls/mbedtls/SUPPORT.md b/lib/libmbedtls/mbedtls/SUPPORT.md
new file mode 100644
index 0000000..1bc0695
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/SUPPORT.md
@@ -0,0 +1,15 @@
+## Documentation
+
+Here are some useful sources of information about using Mbed TLS:
+
+- API documentation, see the [Documentation section of the
+ README](README.md#License);
+- the `docs` directory in the source tree;
+- the [Mbed TLS knowledge Base](https://tls.mbed.org/kb);
+- the [Mbed TLS mailing-list
+ archives](https://lists.trustedfirmware.org/pipermail/mbed-tls/).
+
+## Asking Questions
+
+If you can't find your answer in the above sources, please use the [Mbed TLS
+mailing list](https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls).
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/aes.h b/lib/libmbedtls/mbedtls/include/mbedtls/aes.h
index a429c86..052f47c 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/aes.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/aes.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file aes.h
*
@@ -21,7 +20,9 @@
* <https://ieeexplore.ieee.org/servlet/opac?punumber=4375278>.
*/
-/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -34,8 +35,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_AES_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/aesni.h b/lib/libmbedtls/mbedtls/include/mbedtls/aesni.h
index 1bdee2d..c1d22f5 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/aesni.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/aesni.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file aesni.h
*
@@ -8,7 +7,8 @@
* functions; you must not call them directly.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_AESNI_H
#define MBEDTLS_AESNI_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/arc4.h b/lib/libmbedtls/mbedtls/include/mbedtls/arc4.h
index d6e9da9..17728f4 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/arc4.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/arc4.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file arc4.h
*
@@ -8,7 +7,8 @@
* security risk. We recommend considering stronger ciphers instead.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
#ifndef MBEDTLS_ARC4_H
#define MBEDTLS_ARC4_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/aria.h b/lib/libmbedtls/mbedtls/include/mbedtls/aria.h
index a72a8c2..6c73d10 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/aria.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/aria.h
@@ -9,7 +9,8 @@
* Korean, but see http://210.104.33.10/ARIA/index-e.html in English)
* and also described by the IETF in <em>RFC 5794</em>.
*/
-/* Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+/*
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -23,8 +24,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ARIA_H
@@ -62,14 +61,14 @@
/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */
-#if !defined(MBEDTLS_ARIA_ALT)
-// Regular implementation
-//
-
#ifdef __cplusplus
extern "C" {
#endif
+#if !defined(MBEDTLS_ARIA_ALT)
+// Regular implementation
+//
+
/**
* \brief The ARIA context-type definition.
*/
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/asn1.h b/lib/libmbedtls/mbedtls/include/mbedtls/asn1.h
index 993a1f5..6b79196 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/asn1.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/asn1.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file asn1.h
*
* \brief Generic ASN.1 parsing
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ASN1_H
#define MBEDTLS_ASN1_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/asn1write.h b/lib/libmbedtls/mbedtls/include/mbedtls/asn1write.h
index 12b1369..44afae0 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/asn1write.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/asn1write.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file asn1write.h
*
* \brief ASN.1 buffer writing functionality
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ASN1_WRITE_H
#define MBEDTLS_ASN1_WRITE_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/base64.h b/lib/libmbedtls/mbedtls/include/mbedtls/base64.h
index 4586171..7e73a8b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/base64.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/base64.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file base64.h
*
* \brief RFC 1521 base64 encoding/decoding
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_BASE64_H
#define MBEDTLS_BASE64_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/bignum.h b/lib/libmbedtls/mbedtls/include/mbedtls/bignum.h
index 4b4ca3d..212464b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/bignum.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/bignum.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file bignum.h
*
* \brief Multi-precision integer library
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_BIGNUM_H
#define MBEDTLS_BIGNUM_H
@@ -63,12 +61,12 @@
* Maximum window size used for modular exponentiation. Default: 6
* Minimum value: 1. Maximum value: 6.
*
- * Result is an array of ( 2 << MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
+ * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
* for the sliding window calculation. (So 64 by default)
*
* Reduction in size, reduces speed.
*/
-#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum windows size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
#if !defined(MBEDTLS_MPI_MAX_SIZE)
@@ -877,6 +875,44 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
+/** Generate a random number uniformly in a range.
+ *
+ * This function generates a random number between \p min inclusive and
+ * \p N exclusive.
+ *
+ * The procedure complies with RFC 6979 §3.3 (deterministic ECDSA)
+ * when the RNG is a suitably parametrized instance of HMAC_DRBG
+ * and \p min is \c 1.
+ *
+ * \note There are `N - min` possible outputs. The lower bound
+ * \p min can be reached, but the upper bound \p N cannot.
+ *
+ * \param X The destination MPI. This must point to an initialized MPI.
+ * \param min The minimum value to return.
+ * It must be nonnegative.
+ * \param N The upper bound of the range, exclusive.
+ * In other words, this is one plus the maximum value to return.
+ * \p N must be strictly larger than \p min.
+ * \param f_rng The RNG function to use. This must not be \c NULL.
+ * \param p_rng The RNG parameter to be passed to \p f_rng.
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
+ * \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p min or \p N is invalid
+ * or if they are incompatible.
+ * \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if the implementation was
+ * unable to find a suitable value within a limited number
+ * of attempts. This has a negligible probability if \p N
+ * is significantly larger than \p min, which is the case
+ * for all usual cryptographic applications.
+ * \return Another negative error code on failure.
+ */
+int mbedtls_mpi_random( mbedtls_mpi *X,
+ mbedtls_mpi_sint min,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+
/**
* \brief Compute the greatest common divisor: G = gcd(A, B)
*
@@ -1020,12 +1056,10 @@
* \N Modulus
* \mm Parameter from mbedtls_mpi_montg_init()
* \T Temporary variable, should be as twice as big as N + 2
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
*/
-int mbedtls_mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B,
- const mbedtls_mpi *N, mbedtls_mpi_uint mm,
- const mbedtls_mpi *T );
+void mbedtls_mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B,
+ const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+ const mbedtls_mpi *T );
/**
* \brief Montgomery reduction: A = A * R^-1 mod N
@@ -1033,11 +1067,9 @@
* \N Modulus
* \mm Parameter from mbedtls_mpi_montg_init()
* \T Temporary variable, should be as twice as big as N + 2
- * \return 0 if successful,
- * MBEDTLS_ERR_MPI_BAD_INPUT_DATA if nbits is < 3
*/
-int mbedtls_mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
- mbedtls_mpi_uint mm, const mbedtls_mpi *T );
+void mbedtls_mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+ mbedtls_mpi_uint mm, const mbedtls_mpi *T );
#if defined(MBEDTLS_SELF_TEST)
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/blowfish.h b/lib/libmbedtls/mbedtls/include/mbedtls/blowfish.h
index 7882110..c2a6ff9 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/blowfish.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/blowfish.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file blowfish.h
*
* \brief Blowfish block cipher
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_BLOWFISH_H
#define MBEDTLS_BLOWFISH_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/bn_mul.h b/lib/libmbedtls/mbedtls/include/mbedtls/bn_mul.h
index 9076c21..a0fa677 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/bn_mul.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/bn_mul.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file bn_mul.h
*
* \brief Multi-precision integer library
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* Multiply source vector [s] with b, add result
@@ -46,6 +44,46 @@
#include "mbedtls/bignum.h"
+
+/*
+ * Conversion macros for embedded constants:
+ * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
+ */
+#if defined(MBEDTLS_HAVE_INT32)
+
+#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
+ ( (mbedtls_mpi_uint) (a) << 0 ) | \
+ ( (mbedtls_mpi_uint) (b) << 8 ) | \
+ ( (mbedtls_mpi_uint) (c) << 16 ) | \
+ ( (mbedtls_mpi_uint) (d) << 24 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
+ MBEDTLS_BYTES_TO_T_UINT_4( a, b, 0, 0 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+ MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ), \
+ MBEDTLS_BYTES_TO_T_UINT_4( e, f, g, h )
+
+#else /* 64-bits */
+
+#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
+ ( (mbedtls_mpi_uint) (a) << 0 ) | \
+ ( (mbedtls_mpi_uint) (b) << 8 ) | \
+ ( (mbedtls_mpi_uint) (c) << 16 ) | \
+ ( (mbedtls_mpi_uint) (d) << 24 ) | \
+ ( (mbedtls_mpi_uint) (e) << 32 ) | \
+ ( (mbedtls_mpi_uint) (f) << 40 ) | \
+ ( (mbedtls_mpi_uint) (g) << 48 ) | \
+ ( (mbedtls_mpi_uint) (h) << 56 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
+ MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
+
+#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
+ MBEDTLS_BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
+
+#endif /* bits in mbedtls_mpi_uint */
+
#if defined(MBEDTLS_HAVE_ASM)
#ifndef asm
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/camellia.h b/lib/libmbedtls/mbedtls/include/mbedtls/camellia.h
index 1697141..f7d2b23 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/camellia.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/camellia.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file camellia.h
*
* \brief Camellia block cipher
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CAMELLIA_H
#define MBEDTLS_CAMELLIA_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ccm.h b/lib/libmbedtls/mbedtls/include/mbedtls/ccm.h
index c3fb759..7193863 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ccm.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ccm.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ccm.h
*
@@ -29,7 +28,8 @@
* consistent with RFC 3610.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -42,8 +42,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CCM_H
@@ -150,7 +148,7 @@
* than zero, \p output must be a writable buffer of at least
* that length.
* \param tag The buffer holding the authentication field. This must be a
- * readable buffer of at least \p tag_len Bytes.
+ * writable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication field to generate in Bytes:
* 4, 6, 8, 10, 12, 14 or 16.
*
@@ -195,7 +193,7 @@
* than zero, \p output must be a writable buffer of at least
* that length.
* \param tag The buffer holding the authentication field. This must be a
- * readable buffer of at least \p tag_len Bytes.
+ * writable buffer of at least \p tag_len Bytes.
* \param tag_len The length of the authentication field to generate in Bytes:
* 0, 4, 6, 8, 10, 12, 14 or 16.
*
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/certs.h b/lib/libmbedtls/mbedtls/include/mbedtls/certs.h
index ce4aa5f..c93c741 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/certs.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/certs.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file certs.h
*
* \brief Sample certificates and DHM parameters for testing
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CERTS_H
#define MBEDTLS_CERTS_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/chacha20.h b/lib/libmbedtls/mbedtls/include/mbedtls/chacha20.h
index a8c155e..e59dd1f 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/chacha20.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/chacha20.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file chacha20.h
*
@@ -13,7 +12,9 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
-/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -26,8 +27,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CHACHA20_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/chachapoly.h b/lib/libmbedtls/mbedtls/include/mbedtls/chachapoly.h
index 766cebe..1007f95 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/chachapoly.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/chachapoly.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file chachapoly.h
*
@@ -13,7 +12,9 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
-/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -26,8 +27,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CHACHAPOLY_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/check_config.h b/lib/libmbedtls/mbedtls/include/mbedtls/check_config.h
index e2bc10a..ce25bd0 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/check_config.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/check_config.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file check_config.h
*
* \brief Consistency checks for configuration options
*/
/*
- * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -57,9 +55,8 @@
#endif
#endif /* _WIN32 */
-#if defined(TARGET_LIKE_MBED) && \
- ( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) )
-#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
+#if defined(TARGET_LIKE_MBED) && defined(MBEDTLS_NET_C)
+#error "The NET module is not available for mbed OS - please use the network functions provided by Mbed OS"
#endif
#if defined(MBEDTLS_DEPRECATED_WARNING) && \
@@ -103,6 +100,17 @@
#if defined(MBEDTLS_ECDSA_C) && \
( !defined(MBEDTLS_ECP_C) || \
+ !( defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) ) || \
!defined(MBEDTLS_ASN1_PARSE_C) || \
!defined(MBEDTLS_ASN1_WRITE_C) )
#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
@@ -156,6 +164,14 @@
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_ECP_C) && !( \
+ defined(MBEDTLS_ECP_ALT) || \
+ defined(MBEDTLS_CTR_DRBG_C) || \
+ defined(MBEDTLS_HMAC_DRBG_C) || \
+ defined(MBEDTLS_ECP_NO_INTERNAL_RNG))
+#error "MBEDTLS_ECP_C requires a DRBG module unless MBEDTLS_ECP_NO_INTERNAL_RNG is defined or an alternative implementation is used"
+#endif
+
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequesites"
#endif
@@ -178,6 +194,16 @@
#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
+#if defined(__has_feature)
+#if __has_feature(memory_sanitizer)
+#define MBEDTLS_HAS_MEMSAN
+#endif
+#endif
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) && !defined(MBEDTLS_HAS_MEMSAN)
+#error "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN requires building with MemorySanitizer"
+#endif
+#undef MBEDTLS_HAS_MEMSAN
+
#if defined(MBEDTLS_TEST_NULL_ENTROPY) && \
( !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES) )
#error "MBEDTLS_TEST_NULL_ENTROPY defined, but not all prerequisites"
@@ -225,6 +251,10 @@
#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
+#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
+#endif
+
#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
#endif
@@ -238,12 +268,14 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \
- ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+ ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) || \
+ !defined(MBEDTLS_X509_CRT_PARSE_C) )
#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
- ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
+ ( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) || \
+ !defined(MBEDTLS_X509_CRT_PARSE_C) )
#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
#endif
@@ -543,10 +575,11 @@
#error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously"
#endif
-#if defined(MBEDTLS_PSA_CRYPTO_C) && \
- !( defined(MBEDTLS_CTR_DRBG_C) && \
- defined(MBEDTLS_ENTROPY_C) )
-#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
+#if defined(MBEDTLS_PSA_CRYPTO_C) && \
+ !( ( ( defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_HMAC_DRBG_C) ) && \
+ defined(MBEDTLS_ENTROPY_C) ) || \
+ defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) )
+#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_SPM) && !defined(MBEDTLS_PSA_CRYPTO_C)
@@ -575,11 +608,21 @@
#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources"
#endif
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) && \
+ defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG"
+#endif
+
#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
!defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \
+ defined(MBEDTLS_USE_PSA_CRYPTO)
+#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO."
+#endif
+
#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) )
#error "MBEDTLS_RSA_C defined, but not all prerequisites"
@@ -619,6 +662,11 @@
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) && ( !defined(MBEDTLS_HKDF_C) && \
+ !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
+#error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites"
+#endif
+
#if (defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
!(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
@@ -837,6 +885,14 @@
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+#if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) )
+#error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) && ( !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) )
+#error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites"
+#endif
+
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/cipher.h b/lib/libmbedtls/mbedtls/include/mbedtls/cipher.h
index 1c4f371..ad093b5 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/cipher.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/cipher.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file cipher.h
*
@@ -9,7 +8,8 @@
* \author Adriaan de Jong <dejong@fox-it.com>
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CIPHER_H
@@ -229,10 +227,30 @@
};
/** Maximum length of any IV, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined
+ * in ssl_internal.h. */
#define MBEDTLS_MAX_IV_LENGTH 16
+
/** Maximum block size of any cipher, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in ssl_internal.h. */
#define MBEDTLS_MAX_BLOCK_LENGTH 16
+/** Maximum key length, in Bytes. */
+/* This should ideally be derived automatically from list of ciphers.
+ * For now, only check whether XTS is enabled which uses 64 Byte keys,
+ * and use 32 Bytes as an upper bound for the maximum key length otherwise.
+ * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined
+ * in ssl_internal.h, which however deliberately ignores the case of XTS
+ * since the latter isn't used in SSL/TLS. */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+#define MBEDTLS_MAX_KEY_LENGTH 64
+#else
+#define MBEDTLS_MAX_KEY_LENGTH 32
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
/**
* Base cipher information (opaque struct).
*/
@@ -864,30 +882,52 @@
unsigned char *output, size_t *olen );
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_WARNING */
/**
- * \brief The generic autenticated encryption (AEAD) function.
+ * \brief The generic authenticated encryption (AEAD) function.
+ *
+ * \deprecated Superseded by mbedtls_cipher_auth_encrypt_ext().
+ *
+ * \note This function only supports AEAD algorithms, not key
+ * wrapping algorithms such as NIST_KW; for this, see
+ * mbedtls_cipher_auth_encrypt_ext().
*
* \param ctx The generic cipher context. This must be initialized and
- * bound to a key.
- * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
- * This must be a readable buffer of at least \p iv_len
- * Bytes.
- * \param iv_len The IV length for ciphers with variable-size IV.
- * This parameter is discarded by ciphers with fixed-size IV.
+ * bound to a key associated with an AEAD algorithm.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and must not be \c NULL.
+ * \param iv_len The length of the nonce. This must satisfy the
+ * constraints imposed by the AEAD cipher used.
* \param ad The additional data to authenticate. This must be a
- * readable buffer of at least \p ad_len Bytes.
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes.
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data.
- * \param output The buffer for the output data. This must be able to
- * hold at least \p ilen Bytes.
- * \param olen The length of the output data, to be updated with the
- * actual number of Bytes written. This must not be
- * \c NULL.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p ilen Bytes, and must
+ * not be \c NULL.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
* \param tag The buffer for the authentication tag. This must be a
- * writable buffer of at least \p tag_len Bytes.
- * \param tag_len The desired length of the authentication tag.
+ * writable buffer of at least \p tag_len Bytes. See note
+ * below regarding restrictions with PSA-based contexts.
+ * \param tag_len The desired length of the authentication tag. This
+ * must match the constraints imposed by the AEAD cipher
+ * used, and in particular must not be \c 0.
+ *
+ * \note If the context is based on PSA (that is, it was set up
+ * with mbedtls_cipher_setup_psa()), then it is required
+ * that \c tag == output + ilen. That is, the tag must be
+ * appended to the ciphertext as recommended by RFC 5116.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -899,36 +939,53 @@
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
- unsigned char *tag, size_t tag_len );
+ unsigned char *tag, size_t tag_len )
+ MBEDTLS_DEPRECATED;
/**
- * \brief The generic autenticated decryption (AEAD) function.
+ * \brief The generic authenticated decryption (AEAD) function.
+ *
+ * \deprecated Superseded by mbedtls_cipher_auth_decrypt_ext().
+ *
+ * \note This function only supports AEAD algorithms, not key
+ * wrapping algorithms such as NIST_KW; for this, see
+ * mbedtls_cipher_auth_decrypt_ext().
*
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
* \param ctx The generic cipher context. This must be initialized and
- * and bound to a key.
- * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
- * This must be a readable buffer of at least \p iv_len
- * Bytes.
- * \param iv_len The IV length for ciphers with variable-size IV.
- * This parameter is discarded by ciphers with fixed-size IV.
- * \param ad The additional data to be authenticated. This must be a
- * readable buffer of at least \p ad_len Bytes.
+ * bound to a key associated with an AEAD algorithm.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and must not be \c NULL.
+ * \param iv_len The length of the nonce. This must satisfy the
+ * constraints imposed by the AEAD cipher used.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a
- * readable buffer of at least \p ilen Bytes.
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data.
- * \param output The buffer for the output data.
- * This must be able to hold at least \p ilen Bytes.
- * \param olen The length of the output data, to be updated with the
- * actual number of Bytes written. This must not be
- * \c NULL.
- * \param tag The buffer holding the authentication tag. This must be
- * a readable buffer of at least \p tag_len Bytes.
- * \param tag_len The length of the authentication tag.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p ilen Bytes, and must
+ * not be \c NULL.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
+ * \param tag The buffer for the authentication tag. This must be a
+ * readable buffer of at least \p tag_len Bytes. See note
+ * below regarding restrictions with PSA-based contexts.
+ * \param tag_len The length of the authentication tag. This must match
+ * the constraints imposed by the AEAD cipher used, and in
+ * particular must not be \c 0.
+ *
+ * \note If the context is based on PSA (that is, it was set up
+ * with mbedtls_cipher_setup_psa()), then it is required
+ * that \c tag == input + len. That is, the tag must be
+ * appended to the ciphertext as recommended by RFC 5116.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@@ -941,9 +998,120 @@
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
- const unsigned char *tag, size_t tag_len );
+ const unsigned char *tag, size_t tag_len )
+ MBEDTLS_DEPRECATED;
+#undef MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/**
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note For AEAD modes, the tag will be appended to the
+ * ciphertext, as recommended by RFC 5116.
+ * (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and may be \c NULL if \p
+ * iv_len is \c 0.
+ * \param iv_len The length of the nonce. For AEAD ciphers, this must
+ * satisfy the constraints imposed by the cipher used.
+ * For NIST_KW, this must be \c 0.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
+ * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p output_len Bytes, and
+ * must not be \c NULL.
+ * \param output_len The length of the \p output buffer in Bytes. For AEAD
+ * ciphers, this must be at least \p ilen + \p tag_len.
+ * For NIST_KW, this must be at least \p ilen + 8
+ * (rounded up to a multiple of 8 if KWP is used);
+ * \p ilen + 15 is always a safe value.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
+ * \param tag_len The desired length of the authentication tag. For AEAD
+ * ciphers, this must match the constraints imposed by
+ * the cipher used, and in particular must not be \c 0.
+ * For NIST_KW, this must be \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len );
+
+/**
+ * \brief The authenticated encryption (AEAD/NIST_KW) function.
+ *
+ * \note If the data is not authentic, then the output buffer
+ * is zeroed out to prevent the unauthentic plaintext being
+ * used, making this interface safer.
+ *
+ * \note For AEAD modes, the tag must be appended to the
+ * ciphertext, as recommended by RFC 5116.
+ * (NIST_KW doesn't have a separate tag.)
+ *
+ * \param ctx The generic cipher context. This must be initialized and
+ * bound to a key, with an AEAD algorithm or NIST_KW.
+ * \param iv The nonce to use. This must be a readable buffer of
+ * at least \p iv_len Bytes and may be \c NULL if \p
+ * iv_len is \c 0.
+ * \param iv_len The length of the nonce. For AEAD ciphers, this must
+ * satisfy the constraints imposed by the cipher used.
+ * For NIST_KW, this must be \c 0.
+ * \param ad The additional data to authenticate. This must be a
+ * readable buffer of at least \p ad_len Bytes, and may
+ * be \c NULL is \p ad_len is \c 0.
+ * \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
+ * \param input The buffer holding the input data. This must be a
+ * readable buffer of at least \p ilen Bytes, and may be
+ * \c NULL if \p ilen is \c 0.
+ * \param ilen The length of the input data. For AEAD ciphers this
+ * must be at least \p tag_len. For NIST_KW this must be
+ * at least \c 8.
+ * \param output The buffer for the output data. This must be a
+ * writable buffer of at least \p output_len Bytes, and
+ * may be \c NULL if \p output_len is \c 0.
+ * \param output_len The length of the \p output buffer in Bytes. For AEAD
+ * ciphers, this must be at least \p ilen - \p tag_len.
+ * For NIST_KW, this must be at least \p ilen - 8.
+ * \param olen This will be filled with the actual number of Bytes
+ * written to the \p output buffer. This must point to a
+ * writable object of type \c size_t.
+ * \param tag_len The actual length of the authentication tag. For AEAD
+ * ciphers, this must match the constraints imposed by
+ * the cipher used, and in particular must not be \c 0.
+ * For NIST_KW, this must be \c 0.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
+ * parameter-verification failure.
+ * \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
+ * \return A cipher-specific error code on failure.
+ */
+int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len );
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
#ifdef __cplusplus
}
#endif
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/cipher_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/cipher_internal.h
index 6089241..d437b80 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/cipher_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/cipher_internal.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file cipher_internal.h
*
@@ -7,7 +6,8 @@
* \author Adriaan de Jong <dejong@fox-it.com>
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CIPHER_WRAP_H
#define MBEDTLS_CIPHER_WRAP_H
@@ -139,7 +137,7 @@
typedef struct
{
psa_algorithm_t alg;
- psa_key_handle_t slot;
+ psa_key_id_t slot;
mbedtls_cipher_psa_key_ownership slot_state;
} mbedtls_cipher_context_psa;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/cmac.h b/lib/libmbedtls/mbedtls/include/mbedtls/cmac.h
index 1759f2e..637f1cf 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/cmac.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/cmac.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file cmac.h
*
@@ -8,7 +7,8 @@
* Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
*/
/*
- * Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CMAC_H
@@ -92,6 +90,12 @@
* the input data.
* Must be called with an initialized cipher context.
*
+ * \note When the CMAC implementation is supplied by an alternate
+ * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ * may not be supported by that implementation, and thus
+ * return an error. Alternate implementations must support
+ * AES-128 and AES-256, and may support AES-192 and 3DES.
+ *
* \param ctx The cipher context used for the CMAC operation, initialized
* as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
* MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
@@ -169,6 +173,11 @@
* The CMAC result is calculated as
* output = generic CMAC(cmac key, input buffer).
*
+ * \note When the CMAC implementation is supplied by an alternate
+ * implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ * may not be supported by that implementation, and thus
+ * return an error. Alternate implementations must support
+ * AES-128 and AES-256, and may support AES-192 and 3DES.
*
* \param cipher_info The cipher information.
* \param key The CMAC key.
@@ -213,6 +222,13 @@
/**
* \brief The CMAC checkup routine.
*
+ * \note In case the CMAC routines are provided by an alternative
+ * implementation (i.e. #MBEDTLS_CMAC_ALT is defined), the
+ * checkup routine will succeed even if the implementation does
+ * not support the less widely used AES-192 or 3DES primitives.
+ * The self-test requires at least AES-128 and AES-256 to be
+ * supported by the underlying implementation.
+ *
* \return \c 0 on success.
* \return \c 1 on failure.
*/
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/compat-1.3.h b/lib/libmbedtls/mbedtls/include/mbedtls/compat-1.3.h
index c64d06e..4017751 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/compat-1.3.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/compat-1.3.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file compat-1.3.h
*
@@ -8,7 +7,8 @@
* \deprecated Use the new names directly instead
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ctr_drbg.h b/lib/libmbedtls/mbedtls/include/mbedtls/ctr_drbg.h
index b80ee96..653fd83 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ctr_drbg.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ctr_drbg.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ctr_drbg.h
*
@@ -23,7 +22,8 @@
* information.
*/
/*
- * Copyright (C) 2006-2019, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -36,8 +36,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_CTR_DRBG_H
@@ -202,6 +200,13 @@
void *p_entropy; /*!< The context for the entropy function. */
#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized if and only if f_entropy != NULL.
+ * This means that the mutex is initialized during the initial seeding
+ * in mbedtls_ctr_drbg_seed() and freed in mbedtls_ctr_drbg_free().
+ *
+ * Note that this invariant may change without notice. Do not rely on it
+ * and do not access the mutex directly in application code.
+ */
mbedtls_threading_mutex_t mutex;
#endif
}
@@ -212,6 +217,11 @@
* and prepares it for mbedtls_ctr_drbg_seed()
* or mbedtls_ctr_drbg_free().
*
+ * \note The reseed interval is
+ * #MBEDTLS_CTR_DRBG_RESEED_INTERVAL by default.
+ * You can override it by calling
+ * mbedtls_ctr_drbg_set_reseed_interval().
+ *
* \param ctx The CTR_DRBG context to initialize.
*/
void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx );
@@ -261,6 +271,15 @@
* make a second call to \p f_entropy.
*/
#endif
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
/**
* - The \p custom string.
*
@@ -287,6 +306,8 @@
* the same context unless you call
* mbedtls_ctr_drbg_free() and mbedtls_ctr_drbg_init()
* again first.
+ * After a failed call to mbedtls_ctr_drbg_seed(),
+ * you must call mbedtls_ctr_drbg_free().
* \param f_entropy The entropy callback, taking as arguments the
* \p p_entropy context, the buffer to fill, and the
* length of the buffer.
@@ -311,7 +332,8 @@
size_t len );
/**
- * \brief This function clears CTR_CRBG context data.
+ * \brief This function resets CTR_DRBG context to the state immediately
+ * after initial call of mbedtls_ctr_drbg_init().
*
* \param ctx The CTR_DRBG context to clear.
*/
@@ -401,6 +423,11 @@
* \brief This function reseeds the CTR_DRBG context, that is
* extracts data from the entropy source.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param ctx The CTR_DRBG context.
* \param additional Additional data to add to the state. Can be \c NULL.
* \param len The length of the additional data.
@@ -418,6 +445,11 @@
/**
* \brief This function updates the state of the CTR_DRBG context.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param ctx The CTR_DRBG context.
* \param additional The data to update the state with. This must not be
* \c NULL unless \p add_len is \c 0.
@@ -441,6 +473,11 @@
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
@@ -469,8 +506,16 @@
*
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
- *
- *
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/debug.h b/lib/libmbedtls/mbedtls/include/mbedtls/debug.h
index 7ce28d6..3c08244 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/debug.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/debug.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file debug.h
*
* \brief Functions for controlling and providing debug output from the library.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_DEBUG_H
#define MBEDTLS_DEBUG_H
@@ -82,6 +80,55 @@
#endif /* MBEDTLS_DEBUG_C */
+/**
+ * \def MBEDTLS_PRINTF_ATTRIBUTE
+ *
+ * Mark a function as having printf attributes, and thus enable checking
+ * via -wFormat and other flags. This does nothing on builds with compilers
+ * that do not support the format attribute
+ *
+ * Module: library/debug.c
+ * Caller:
+ *
+ * This module provides debugging functions.
+ */
+#if defined(__has_attribute)
+#if __has_attribute(format)
+#if defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 1
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check) \
+ __attribute__((__format__ (gnu_printf, string_index, first_to_check)))
+#else /* defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 1 */
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check) \
+ __attribute__((format(printf, string_index, first_to_check)))
+#endif
+#else /* __has_attribute(format) */
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)
+#endif /* __has_attribute(format) */
+#else /* defined(__has_attribute) */
+#define MBEDTLS_PRINTF_ATTRIBUTE(string_index, first_to_check)
+#endif
+
+/**
+ * \def MBEDTLS_PRINTF_SIZET
+ *
+ * MBEDTLS_PRINTF_xxx: Due to issues with older window compilers
+ * and MinGW we need to define the printf specifier for size_t
+ * and long long per platform.
+ *
+ * Module: library/debug.c
+ * Caller:
+ *
+ * This module provides debugging functions.
+ */
+#if (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800)
+ #include <inttypes.h>
+ #define MBEDTLS_PRINTF_SIZET PRIuPTR
+ #define MBEDTLS_PRINTF_LONGLONG "I64d"
+#else /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+ #define MBEDTLS_PRINTF_SIZET "zu"
+ #define MBEDTLS_PRINTF_LONGLONG "lld"
+#endif /* (defined(__MINGW32__) && __USE_MINGW_ANSI_STDIO == 0) || (defined(_MSC_VER) && _MSC_VER < 1800) */
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -120,7 +167,7 @@
*/
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
- const char *format, ... );
+ const char *format, ... ) MBEDTLS_PRINTF_ATTRIBUTE(5, 6);
/**
* \brief Print the return value of a function to the debug output. This
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/des.h b/lib/libmbedtls/mbedtls/include/mbedtls/des.h
index fa0f0bb..549d19b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/des.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/des.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file des.h
*
@@ -9,7 +8,8 @@
* instead.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -23,8 +23,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
#ifndef MBEDTLS_DES_H
#define MBEDTLS_DES_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/dhm.h b/lib/libmbedtls/mbedtls/include/mbedtls/dhm.h
index cc4d652..c7830b9 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/dhm.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/dhm.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file dhm.h
*
@@ -45,7 +44,8 @@
*
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -58,8 +58,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_DHM_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ecdh.h b/lib/libmbedtls/mbedtls/include/mbedtls/ecdh.h
index 02de74f..05855cd 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ecdh.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ecdh.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ecdh.h
*
@@ -14,7 +13,8 @@
* Cryptography</em>.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -27,8 +27,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ECDH_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ecdsa.h b/lib/libmbedtls/mbedtls/include/mbedtls/ecdsa.h
index aa1ddd0..264a638 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ecdsa.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ecdsa.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ecdsa.h
*
@@ -12,7 +11,8 @@
*
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -25,8 +25,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ECDSA_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ecjpake.h b/lib/libmbedtls/mbedtls/include/mbedtls/ecjpake.h
index afb8ba7..891705d 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ecjpake.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ecjpake.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ecjpake.h
*
* \brief Elliptic curve J-PAKE
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ECJPAKE_H
#define MBEDTLS_ECJPAKE_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ecp.h b/lib/libmbedtls/mbedtls/include/mbedtls/ecp.h
index ddfeb4e..9c6ebce 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ecp.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ecp.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ecp.h
*
@@ -16,7 +15,8 @@
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -29,8 +29,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ECP_H
@@ -61,6 +59,27 @@
#define MBEDTLS_ERR_ECP_IN_PROGRESS -0x4B00 /**< Operation in progress, call again with the same parameters to continue. */
+/* Flags indicating whether to include code that is specific to certain
+ * types of curves. These flags are for internal library use only. */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SM2_ENABLED)
+#define MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED
+#endif
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MONTGOMERY_ENABLED
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -74,6 +93,21 @@
* parameters. Therefore, only standardized domain parameters from trusted
* sources should be used. See mbedtls_ecp_group_load().
*/
+/* Note: when adding a new curve:
+ * - Add it at the end of this enum, otherwise you'll break the ABI by
+ * changing the numerical value for existing curves.
+ * - Increment MBEDTLS_ECP_DP_MAX below if needed.
+ * - Update the calculation of MBEDTLS_ECP_MAX_BITS_MIN below.
+ * - Add the corresponding MBEDTLS_ECP_DP_xxx_ENABLED macro definition to
+ * config.h.
+ * - List the curve as a dependency of MBEDTLS_ECP_C and
+ * MBEDTLS_ECDSA_C if supported in check_config.h.
+ * - Add the curve to the appropriate curve type macro
+ * MBEDTLS_ECP_yyy_ENABLED above.
+ * - Add the necessary definitions to ecp_curves.c.
+ * - Add the curve to the ecp_supported_curves array in ecp.c.
+ * - Add the curve to applicable profiles in x509_crt.c if applicable.
+ */
typedef enum
{
MBEDTLS_ECP_DP_NONE = 0, /*!< Curve not defined. */
@@ -140,6 +174,42 @@
}
mbedtls_ecp_point;
+/* Determine the minimum safe value of MBEDTLS_ECP_MAX_BITS. */
+#if !defined(MBEDTLS_ECP_C)
+#define MBEDTLS_ECP_MAX_BITS_MIN 0
+/* Note: the curves must be listed in DECREASING size! */
+#elif defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 521
+#elif defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 512
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 448
+#elif defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 384
+#elif defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 384
+#elif defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_SM2_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 256
+#elif defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 255
+#elif defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 225 // n is slightly above 2^224
+#elif defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 224
+#elif defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 192
+#elif defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+#define MBEDTLS_ECP_MAX_BITS_MIN 192
+#else
+#error "MBEDTLS_ECP_C enabled, but no curve?"
+#endif
+
#if !defined(MBEDTLS_ECP_ALT)
/*
* default mbed TLS elliptic curve arithmetic implementation
@@ -214,11 +284,23 @@
* \{
*/
-#if !defined(MBEDTLS_ECP_MAX_BITS)
+#if defined(MBEDTLS_ECP_MAX_BITS)
+
+#if MBEDTLS_ECP_MAX_BITS < MBEDTLS_ECP_MAX_BITS_MIN
+#error "MBEDTLS_ECP_MAX_BITS is smaller than the largest supported curve"
+#endif
+
+#elif defined(MBEDTLS_ECP_C)
/**
* The maximum size of the groups, that is, of \c N and \c P.
*/
-#define MBEDTLS_ECP_MAX_BITS 521 /**< The maximum size of groups, in bits. */
+#define MBEDTLS_ECP_MAX_BITS MBEDTLS_ECP_MAX_BITS_MIN
+
+#else
+/* MBEDTLS_ECP_MAX_BITS is not relevant without MBEDTLS_ECP_C, but set it
+ * to a nonzero value so that code that unconditionally allocates an array
+ * of a size based on it keeps working if built without ECC support. */
+#define MBEDTLS_ECP_MAX_BITS 1
#endif
#define MBEDTLS_ECP_MAX_BYTES ( ( MBEDTLS_ECP_MAX_BITS + 7 ) / 8 )
@@ -227,7 +309,8 @@
#if !defined(MBEDTLS_ECP_WINDOW_SIZE)
/*
* Maximum "window" size used for point multiplication.
- * Default: 6.
+ * Default: a point where higher memory usage yields disminishing performance
+ * returns.
* Minimum value: 2. Maximum value: 7.
*
* Result is an array of at most ( 1 << ( MBEDTLS_ECP_WINDOW_SIZE - 1 ) )
@@ -244,7 +327,7 @@
* 224 475 475 453 398 342
* 192 640 640 633 587 476
*/
-#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< The maximum window size used. */
+#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< The maximum window size used. */
#endif /* MBEDTLS_ECP_WINDOW_SIZE */
#if !defined(MBEDTLS_ECP_FIXED_POINT_OPTIM)
@@ -435,8 +518,7 @@
/**
* \brief This function retrieves the information defined in
- * mbedtls_ecp_curve_info() for all supported curves in order
- * of preference.
+ * mbedtls_ecp_curve_info() for all supported curves.
*
* \note This function returns information about all curves
* supported by the library. Some curves may not be
@@ -847,6 +929,9 @@
* intermediate results to prevent potential timing attacks
* targeting these results. We recommend always providing
* a non-NULL \p f_rng. The overhead is negligible.
+ * Note: unless #MBEDTLS_ECP_NO_INTERNAL_RNG is defined, when
+ * \p f_rng is NULL, an internal RNG (seeded from the value
+ * of \p m) will be used instead.
*
* \param grp The ECP group to use.
* This must be initialized and have group parameters
@@ -904,6 +989,7 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
mbedtls_ecp_restart_ctx *rs_ctx );
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/**
* \brief This function performs multiplication and addition of two
* points by integers: \p R = \p m * \p P + \p n * \p Q
@@ -913,6 +999,10 @@
* \note In contrast to mbedtls_ecp_mul(), this function does not
* guarantee a constant execution flow and timing.
*
+ * \note This function is only defined for short Weierstrass curves.
+ * It may not be included in builds without any short
+ * Weierstrass curve.
+ *
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
@@ -931,6 +1021,8 @@
* valid private keys, or \p P or \p Q are not valid public
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ * designate a short Weierstrass curve.
* \return Another negative error code on other kinds of failure.
*/
int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
@@ -948,6 +1040,10 @@
* but it can return early and restart according to the limit
* set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
*
+ * \note This function is only defined for short Weierstrass curves.
+ * It may not be included in builds without any short
+ * Weierstrass curve.
+ *
* \param grp The ECP group to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
@@ -967,6 +1063,8 @@
* valid private keys, or \p P or \p Q are not valid public
* keys.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory-allocation failure.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if \p grp does not
+ * designate a short Weierstrass curve.
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
* operations was reached: see \c mbedtls_ecp_set_max_ops().
* \return Another negative error code on other kinds of failure.
@@ -976,6 +1074,7 @@
const mbedtls_mpi *m, const mbedtls_ecp_point *P,
const mbedtls_mpi *n, const mbedtls_ecp_point *Q,
mbedtls_ecp_restart_ctx *rs_ctx );
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
/**
* \brief This function checks that a point is a valid public key
@@ -1132,7 +1231,7 @@
*
* \param grp_id The ECP group identifier.
* \param key The destination key.
- * \param buf The the buffer containing the binary representation of the
+ * \param buf The buffer containing the binary representation of the
* key. (Big endian integer for Weierstrass curves, byte
* string for Montgomery curves.)
* \param buflen The length of the buffer in bytes.
@@ -1147,6 +1246,26 @@
*/
int mbedtls_ecp_read_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
const unsigned char *buf, size_t buflen );
+
+/**
+ * \brief This function exports an elliptic curve private key.
+ *
+ * \param key The private key.
+ * \param buf The output buffer for containing the binary representation
+ * of the key. (Big endian integer for Weierstrass curves, byte
+ * string for Montgomery curves.)
+ * \param buflen The total length of the buffer in bytes.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL if the \p key
+ representation is larger than the available space in \p buf.
+ * \return #MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the operation for
+ * the group is not implemented.
+ * \return Another negative error code on different kinds of failure.
+ */
+int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key,
+ unsigned char *buf, size_t buflen );
+
/**
* \brief This function checks that the keypair objects
* \p pub and \p prv have the same group and the
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ecp_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/ecp_internal.h
index a580f1e..6a47a8f 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ecp_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ecp_internal.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ecp_internal.h
*
@@ -6,7 +5,8 @@
* point arithmetic.
*/
/*
- * Copyright (C) 2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,8 +19,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -105,7 +103,7 @@
*/
void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp );
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
/**
@@ -245,9 +243,9 @@
mbedtls_ecp_point *pt );
#endif
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp,
@@ -291,7 +289,7 @@
mbedtls_ecp_point *P );
#endif
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/entropy.h b/lib/libmbedtls/mbedtls/include/mbedtls/entropy.h
index 1625764..fa0b24f 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/entropy.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/entropy.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file entropy.h
*
* \brief Entropy accumulator implementation
*/
/*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ENTROPY_H
#define MBEDTLS_ENTROPY_H
@@ -122,13 +120,15 @@
*/
typedef struct mbedtls_entropy_context
{
- int accumulator_started;
+ int accumulator_started; /* 0 after init.
+ * 1 after the first update.
+ * -1 after free. */
#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
mbedtls_sha512_context accumulator;
#else
mbedtls_sha256_context accumulator;
#endif
- int source_count;
+ int source_count; /* Number of entries used in source. */
mbedtls_entropy_source_state source[MBEDTLS_ENTROPY_MAX_SOURCES];
#if defined(MBEDTLS_HAVEGE_C)
mbedtls_havege_state havege_data;
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/entropy_poll.h b/lib/libmbedtls/mbedtls/include/mbedtls/entropy_poll.h
index a076e23..e1d7491 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/entropy_poll.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/entropy_poll.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file entropy_poll.h
*
* \brief Platform-specific and custom entropy polling functions
*/
/*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ENTROPY_POLL_H
#define MBEDTLS_ENTROPY_POLL_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/error.h b/lib/libmbedtls/mbedtls/include/mbedtls/error.h
index 5d06436..6296cd3 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/error.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/error.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file error.h
*
* \brief Error to string translation
*/
/*
- * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_ERROR_H
#define MBEDTLS_ERROR_H
@@ -32,6 +30,11 @@
#include <stddef.h>
+#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
+ !defined(inline) && !defined(__cplusplus)
+#define inline __inline
+#endif
+
/**
* Error code layout.
*
@@ -101,7 +104,7 @@
* ECP 4 10 (Started from top)
* MD 5 5
* HKDF 5 1 (Started from top)
- * SSL 5 1 (Started from 0x5F00)
+ * SSL 5 2 (Started from 0x5F00)
* CIPHER 6 8 (Started from 0x6080)
* SSL 6 24 (Started from top, plus 0x6000)
* SSL 7 32
@@ -117,6 +120,54 @@
#define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E /**< This is a bug in the library */
/**
+ * \brief Combines a high-level and low-level error code together.
+ *
+ * Wrapper macro for mbedtls_error_add(). See that function for
+ * more details.
+ */
+#define MBEDTLS_ERROR_ADD( high, low ) \
+ mbedtls_error_add( high, low, __FILE__, __LINE__ )
+
+#if defined(MBEDTLS_TEST_HOOKS)
+/**
+ * \brief Testing hook called before adding/combining two error codes together.
+ * Only used when invasive testing is enabled via MBEDTLS_TEST_HOOKS.
+ */
+extern void (*mbedtls_test_hook_error_add)( int, int, const char *, int );
+#endif
+
+/**
+ * \brief Combines a high-level and low-level error code together.
+ *
+ * This function can be called directly however it is usually
+ * called via the #MBEDTLS_ERROR_ADD macro.
+ *
+ * While a value of zero is not a negative error code, it is still an
+ * error code (that denotes success) and can be combined with both a
+ * negative error code or another value of zero.
+ *
+ * \note When invasive testing is enabled via #MBEDTLS_TEST_HOOKS, also try to
+ * call \link mbedtls_test_hook_error_add \endlink.
+ *
+ * \param high high-level error code. See error.h for more details.
+ * \param low low-level error code. See error.h for more details.
+ * \param file file where this error code addition occurred.
+ * \param line line where this error code addition occurred.
+ */
+static inline int mbedtls_error_add( int high, int low,
+ const char *file, int line )
+{
+#if defined(MBEDTLS_TEST_HOOKS)
+ if( *mbedtls_test_hook_error_add != NULL )
+ ( *mbedtls_test_hook_error_add )( high, low, file, line );
+#endif
+ (void)file;
+ (void)line;
+
+ return( high + low );
+}
+
+/**
* \brief Translate a mbed TLS error code into a string representation,
* Result is truncated if necessary and always includes a terminating
* null byte.
@@ -127,6 +178,36 @@
*/
void mbedtls_strerror( int errnum, char *buffer, size_t buflen );
+/**
+ * \brief Translate the high-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char * mbedtls_high_level_strerr( int error_code );
+
+/**
+ * \brief Translate the low-level part of an Mbed TLS error code into a string
+ * representation.
+ *
+ * This function returns a const pointer to an un-modifiable string. The caller
+ * must not try to modify the string. It is intended to be used mostly for
+ * logging purposes.
+ *
+ * \param error_code error code
+ *
+ * \return The string representation of the error code, or \c NULL if the error
+ * code is unknown.
+ */
+const char * mbedtls_low_level_strerr( int error_code );
+
#ifdef __cplusplus
}
#endif
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/gcm.h b/lib/libmbedtls/mbedtls/include/mbedtls/gcm.h
index 3e1ab68..6b67361 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/gcm.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/gcm.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file gcm.h
*
@@ -13,7 +12,8 @@
*
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -26,8 +26,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_GCM_H
@@ -157,7 +155,7 @@
* than zero, this must be a writable buffer of at least that
* size in Bytes.
* \param tag_len The length of the tag to generate.
- * \param tag The buffer for holding the tag. This must be a readable
+ * \param tag The buffer for holding the tag. This must be a writable
* buffer of at least \p tag_len Bytes.
*
* \return \c 0 if the encryption or decryption was performed
@@ -285,7 +283,7 @@
* tag. The tag can have a maximum length of 16 Bytes.
*
* \param ctx The GCM context. This must be initialized.
- * \param tag The buffer for holding the tag. This must be a readable
+ * \param tag The buffer for holding the tag. This must be a writable
* buffer of at least \p tag_len Bytes.
* \param tag_len The length of the tag to generate. This must be at least
* four.
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/havege.h b/lib/libmbedtls/mbedtls/include/mbedtls/havege.h
index 86c2a9e..7d27039 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/havege.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/havege.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file havege.h
*
* \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_HAVEGE_H
#define MBEDTLS_HAVEGE_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/hkdf.h b/lib/libmbedtls/mbedtls/include/mbedtls/hkdf.h
index 77a99ab..2e6b363 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/hkdf.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/hkdf.h
@@ -7,7 +7,7 @@
* specified by RFC 5869.
*/
/*
- * Copyright (C) 2018-2019, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_HKDF_H
#define MBEDTLS_HKDF_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/hmac_drbg.h b/lib/libmbedtls/mbedtls/include/mbedtls/hmac_drbg.h
index 2361de1..fa33611 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/hmac_drbg.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/hmac_drbg.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file hmac_drbg.h
*
@@ -9,7 +8,8 @@
* Deterministic Random Bit Generators</em>.
*/
/*
- * Copyright (C) 2006-2019, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_HMAC_DRBG_H
#define MBEDTLS_HMAC_DRBG_H
@@ -103,6 +101,14 @@
void *p_entropy; /*!< context for the entropy function */
#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized if and only if
+ * md_ctx->md_info != NULL. This means that the mutex is initialized
+ * during the initial seeding in mbedtls_hmac_drbg_seed() or
+ * mbedtls_hmac_drbg_seed_buf() and freed in mbedtls_ctr_drbg_free().
+ *
+ * Note that this invariant may change without notice. Do not rely on it
+ * and do not access the mutex directly in application code.
+ */
mbedtls_threading_mutex_t mutex;
#endif
} mbedtls_hmac_drbg_context;
@@ -113,6 +119,10 @@
* This function makes the context ready for mbedtls_hmac_drbg_seed(),
* mbedtls_hmac_drbg_seed_buf() or mbedtls_hmac_drbg_free().
*
+ * \note The reseed interval is #MBEDTLS_HMAC_DRBG_RESEED_INTERVAL
+ * by default. Override this value by calling
+ * mbedtls_hmac_drbg_set_reseed_interval().
+ *
* \param ctx HMAC_DRBG context to be initialized.
*/
void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx );
@@ -148,7 +158,17 @@
* \note During the initial seeding, this function calls
* the entropy source to obtain a nonce
* whose length is half the entropy length.
- *
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_hmac_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
* \param ctx HMAC_DRBG context to be seeded.
* \param md_info MD algorithm to use for HMAC_DRBG.
* \param f_entropy The entropy callback, taking as arguments the
@@ -187,7 +207,17 @@
*
* This function is meant for use in algorithms that need a pseudorandom
* input such as deterministic ECDSA.
- *
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * after this function returns successfully,
+ * it is safe to call mbedtls_hmac_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
* \param ctx HMAC_DRBG context to be initialised.
* \param md_info MD algorithm to use for HMAC_DRBG.
* \param data Concatenation of the initial entropy string and
@@ -250,6 +280,11 @@
/**
* \brief This function updates the state of the HMAC_DRBG context.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param ctx The HMAC_DRBG context.
* \param additional The data to update the state with.
* If this is \c NULL, there is no additional data.
@@ -266,6 +301,11 @@
* \brief This function reseeds the HMAC_DRBG context, that is
* extracts data from the entropy source.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param ctx The HMAC_DRBG context.
* \param additional Additional data to add to the state.
* If this is \c NULL, there is no additional data
@@ -291,6 +331,11 @@
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
+ * \note This function is not thread-safe. It is not safe
+ * to call this function if another thread might be
+ * concurrently obtaining random numbers from the same
+ * context or updating or reseeding the same context.
+ *
* \param p_rng The HMAC_DRBG context. This must be a pointer to a
* #mbedtls_hmac_drbg_context structure.
* \param output The buffer to fill.
@@ -320,7 +365,16 @@
*
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
- *
+ */
+#if defined(MBEDTLS_THREADING_C)
+/**
+ * \note When Mbed TLS is built with threading support,
+ * it is safe to call mbedtls_ctr_drbg_random()
+ * from multiple threads. Other operations, including
+ * reseeding, are not thread-safe.
+ */
+#endif /* MBEDTLS_THREADING_C */
+/**
* \param p_rng The HMAC_DRBG context. This must be a pointer to a
* #mbedtls_hmac_drbg_context structure.
* \param output The buffer to fill.
@@ -336,7 +390,8 @@
int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len );
/**
- * \brief Free an HMAC_DRBG context
+ * \brief This function resets HMAC_DRBG context to the state immediately
+ * after initial call of mbedtls_hmac_drbg_init().
*
* \param ctx The HMAC_DRBG context to free.
*/
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/md.h b/lib/libmbedtls/mbedtls/include/mbedtls/md.h
index cbe4b56..e4354ba 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/md.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/md.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file md.h
*
@@ -7,7 +6,8 @@
* \author Adriaan de Jong <dejong@fox-it.com>
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_MD_H
@@ -104,6 +102,8 @@
* \brief This function returns the list of digests supported by the
* generic digest module.
*
+ * \note The list starts with the strongest available hashes.
+ *
* \return A statically allocated array of digests. Each element
* in the returned list is an integer belonging to the
* message-digest enumeration #mbedtls_md_type_t.
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/md2.h b/lib/libmbedtls/mbedtls/include/mbedtls/md2.h
index 4d540a2..23c48f4 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/md2.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/md2.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file md2.h
*
@@ -9,7 +8,8 @@
* instead.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -23,8 +23,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
#ifndef MBEDTLS_MD2_H
#define MBEDTLS_MD2_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/md4.h b/lib/libmbedtls/mbedtls/include/mbedtls/md4.h
index 7d5790c..eeb1670 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/md4.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/md4.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file md4.h
*
@@ -9,7 +8,8 @@
* instead.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -23,8 +23,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
#ifndef MBEDTLS_MD4_H
#define MBEDTLS_MD4_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/md5.h b/lib/libmbedtls/mbedtls/include/mbedtls/md5.h
index 4fc3154..aaca0f2 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/md5.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/md5.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file md5.h
*
@@ -9,7 +8,8 @@
* digests instead.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_MD5_H
#define MBEDTLS_MD5_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/md_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/md_internal.h
index 434b847..f33cdf6 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/md_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/md_internal.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file md_internal.h
*
@@ -9,7 +8,8 @@
* \author Adriaan de Jong <dejong@fox-it.com>
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_MD_WRAP_H
#define MBEDTLS_MD_WRAP_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/memory_buffer_alloc.h b/lib/libmbedtls/mbedtls/include/mbedtls/memory_buffer_alloc.h
index 738a55b..2339772 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/memory_buffer_alloc.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/memory_buffer_alloc.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file memory_buffer_alloc.h
*
* \brief Buffer-based memory allocator
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_MEMORY_BUFFER_ALLOC_H
#define MBEDTLS_MEMORY_BUFFER_ALLOC_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/net.h b/lib/libmbedtls/mbedtls/include/mbedtls/net.h
index 788efd7..6692188 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/net.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/net.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file net.h
*
@@ -7,7 +6,8 @@
* \deprecated Superseded by mbedtls/net_sockets.h
*/
/*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/net_sockets.h b/lib/libmbedtls/mbedtls/include/mbedtls/net_sockets.h
index dc29d82..319f4be 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/net_sockets.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/net_sockets.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file net_sockets.h
*
@@ -21,7 +20,8 @@
*
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -34,8 +34,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_NET_SOCKETS_H
#define MBEDTLS_NET_SOCKETS_H
@@ -126,6 +124,7 @@
*
* \return 0 if successful, or one of:
* MBEDTLS_ERR_NET_SOCKET_FAILED,
+ * MBEDTLS_ERR_NET_UNKNOWN_HOST,
* MBEDTLS_ERR_NET_BIND_FAILED,
* MBEDTLS_ERR_NET_LISTEN_FAILED
*
@@ -145,6 +144,8 @@
* can be NULL if client_ip is null
*
* \return 0 if successful, or
+ * MBEDTLS_ERR_NET_SOCKET_FAILED,
+ * MBEDTLS_ERR_NET_BIND_FAILED,
* MBEDTLS_ERR_NET_ACCEPT_FAILED, or
* MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
* MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
@@ -157,6 +158,10 @@
/**
* \brief Check and wait for the context to be ready for read/write
*
+ * \note The current implementation of this function uses
+ * select() and returns an error if the file descriptor
+ * is \c FD_SETSIZE or greater.
+ *
* \param ctx Socket to check
* \param rw Bitflag composed of MBEDTLS_NET_POLL_READ and
* MBEDTLS_NET_POLL_WRITE specifying the events
@@ -238,16 +243,21 @@
* 'timeout' seconds. If no error occurs, the actual amount
* read is returned.
*
+ * \note The current implementation of this function uses
+ * select() and returns an error if the file descriptor
+ * is \c FD_SETSIZE or greater.
+ *
* \param ctx Socket
* \param buf The buffer to write to
* \param len Maximum length of the buffer
* \param timeout Maximum number of milliseconds to wait for data
* 0 means no timeout (wait forever)
*
- * \return the number of bytes received,
- * or a non-zero error code:
- * MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
+ * \return The number of bytes received if successful.
+ * MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out.
* MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
+ * Another negative error code (MBEDTLS_ERR_NET_xxx)
+ * for other failures.
*
* \note This function will block (until data becomes available or
* timeout is reached) even if the socket is set to
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/nist_kw.h b/lib/libmbedtls/mbedtls/include/mbedtls/nist_kw.h
index b39406f..7f3e64a 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/nist_kw.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/nist_kw.h
@@ -16,7 +16,7 @@
*
*/
/*
- * Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -30,8 +30,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_NIST_KW_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/oid.h b/lib/libmbedtls/mbedtls/include/mbedtls/oid.h
index de927cb..e4c697b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/oid.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/oid.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file oid.h
*
* \brief Object Identifier (OID) database
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_OID_H
#define MBEDTLS_OID_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/padlock.h b/lib/libmbedtls/mbedtls/include/mbedtls/padlock.h
index 951c6ea..4f4e400 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/padlock.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/padlock.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file padlock.h
*
@@ -9,7 +8,8 @@
* functions; you must not call them directly.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -22,8 +22,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PADLOCK_H
#define MBEDTLS_PADLOCK_H
@@ -73,7 +71,7 @@
*
* \param feature The feature to detect
*
- * \return 1 if CPU has support for the feature, 0 otherwise
+ * \return non-zero if CPU has support for the feature, 0 otherwise
*/
int mbedtls_padlock_has_support( int feature );
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pem.h b/lib/libmbedtls/mbedtls/include/mbedtls/pem.h
index 421f57c..4769bec 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pem.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pem.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pem.h
*
* \brief Privacy Enhanced Mail (PEM) decoding
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PEM_H
#define MBEDTLS_PEM_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pk.h b/lib/libmbedtls/mbedtls/include/mbedtls/pk.h
index 283219b..7d0f977 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pk.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pk.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pk.h
*
* \brief Public Key abstraction layer
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PK_H
@@ -333,12 +331,13 @@
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
- * (context already used, invalid key handle).
+ * (context already used, invalid key identifier).
* \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
* ECC key pair.
* \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
*/
-int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key );
+int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
+ const psa_key_id_t key );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
@@ -860,9 +859,9 @@
*
* \param pk Input: the EC key to import to a PSA key.
* Output: a PK context wrapping that PSA key.
- * \param handle Output: a PSA key handle.
+ * \param key Output: a PSA key identifier.
* It's the caller's responsibility to call
- * psa_destroy_key() on that handle after calling
+ * psa_destroy_key() on that key identifier after calling
* mbedtls_pk_free() on the PK context.
* \param hash_alg The hash algorithm to allow for use with that key.
*
@@ -870,7 +869,7 @@
* \return An Mbed TLS error code otherwise.
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
- psa_key_handle_t *handle,
+ psa_key_id_t *key,
psa_algorithm_t hash_alg );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pk_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/pk_internal.h
index 50ff69a..47f7767 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pk_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pk_internal.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pk_internal.h
*
* \brief Public Key abstraction layer: wrapper functions
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PK_WRAP_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs11.h b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs11.h
index f5f2779..3530ee1 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs11.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs11.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pkcs11.h
*
@@ -7,7 +6,8 @@
* \author Adriaan de Jong <dejong@fox-it.com>
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PKCS11_H
#define MBEDTLS_PKCS11_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs12.h b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs12.h
index e7d4e36..4b8ce7e 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs12.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs12.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pkcs12.h
*
* \brief PKCS#12 Personal Information Exchange Syntax
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PKCS12_H
#define MBEDTLS_PKCS12_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs5.h b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs5.h
index 9eb759d..8f348ce 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/pkcs5.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/pkcs5.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file pkcs5.h
*
@@ -7,7 +6,8 @@
* \author Mathias Olsson <mathias@kompetensum.com>
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PKCS5_H
#define MBEDTLS_PKCS5_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/platform.h b/lib/libmbedtls/mbedtls/include/mbedtls/platform.h
index c8b72f7..fde5ee8 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/platform.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/platform.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file platform.h
*
@@ -14,7 +13,8 @@
* dynamically configured at runtime.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -27,8 +27,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PLATFORM_H
#define MBEDTLS_PLATFORM_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/platform_time.h b/lib/libmbedtls/mbedtls/include/mbedtls/platform_time.h
index b5f0119..7e7daab 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/platform_time.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/platform_time.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file platform_time.h
*
* \brief mbed TLS Platform time abstraction
*/
/*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PLATFORM_TIME_H
#define MBEDTLS_PLATFORM_TIME_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/platform_util.h b/lib/libmbedtls/mbedtls/include/mbedtls/platform_util.h
index cf0130a..fbc2a0d 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/platform_util.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/platform_util.h
@@ -5,7 +5,7 @@
* library.
*/
/*
- * Copyright (C) 2018, Arm Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -19,8 +19,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PLATFORM_UTIL_H
#define MBEDTLS_PLATFORM_UTIL_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/poly1305.h b/lib/libmbedtls/mbedtls/include/mbedtls/poly1305.h
index 05866a2..905c145 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/poly1305.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/poly1305.h
@@ -12,7 +12,8 @@
* \author Daniel King <damaki.gh@gmail.com>
*/
-/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved.
+/*
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -26,8 +27,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_POLY1305_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/psa_util.h b/lib/libmbedtls/mbedtls/include/mbedtls/psa_util.h
index 513bc5f..691ff3c 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/psa_util.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/psa_util.h
@@ -7,7 +7,7 @@
* change at any time.
*/
/*
- * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PSA_UTIL_H
@@ -85,15 +83,17 @@
{
switch( mode )
{
+ case MBEDTLS_MODE_ECB:
+ return( PSA_ALG_ECB_NO_PADDING );
case MBEDTLS_MODE_GCM:
- return( PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_GCM, taglen ) );
+ return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, taglen ) );
case MBEDTLS_MODE_CCM:
- return( PSA_ALG_AEAD_WITH_TAG_LENGTH( PSA_ALG_CCM, taglen ) );
+ return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, taglen ) );
case MBEDTLS_MODE_CBC:
if( taglen == 0 )
return( PSA_ALG_CBC_NO_PADDING );
- /* Intentional fallthrough for taglen != 0 */
- /* fallthrough */
+ else
+ return( 0 );
default:
return( 0 );
}
@@ -151,7 +151,8 @@
case MBEDTLS_MD_RIPEMD160:
return( PSA_ALG_RIPEMD160 );
#endif
- case MBEDTLS_MD_NONE: /* Intentional fallthrough */
+ case MBEDTLS_MD_NONE:
+ return( 0 );
default:
return( 0 );
}
@@ -160,12 +161,12 @@
/* Translations for ECC. */
static inline int mbedtls_psa_get_ecc_oid_from_id(
- psa_ecc_curve_t curve, size_t bits,
+ psa_ecc_family_t curve, size_t bits,
char const **oid, size_t *oid_len )
{
switch( curve )
{
- case PSA_ECC_CURVE_SECP_R1:
+ case PSA_ECC_FAMILY_SECP_R1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
@@ -200,7 +201,7 @@
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
}
break;
- case PSA_ECC_CURVE_SECP_K1:
+ case PSA_ECC_FAMILY_SECP_K1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
@@ -223,7 +224,7 @@
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
}
break;
- case PSA_ECC_CURVE_BRAINPOOL_P_R1:
+ case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
switch( bits )
{
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
@@ -419,4 +420,90 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+/* Expose whatever RNG the PSA subsystem uses to applications using the
+ * mbedtls_xxx API. The declarations and definitions here need to be
+ * consistent with the implementation in library/psa_crypto_random_impl.h.
+ * See that file for implementation documentation. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/* The type of a `f_rng` random generator function that many library functions
+ * take.
+ *
+ * This type name is not part of the Mbed TLS stable API. It may be renamed
+ * or moved without warning.
+ */
+typedef int mbedtls_f_rng_t( void *p_rng, unsigned char *output, size_t output_size );
+
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+
+/** The random generator function for the PSA subsystem.
+ *
+ * This function is suitable as the `f_rng` random generator function
+ * parameter of many `mbedtls_xxx` functions. Use #MBEDTLS_PSA_RANDOM_STATE
+ * to obtain the \p p_rng parameter.
+ *
+ * The implementation of this function depends on the configuration of the
+ * library.
+ *
+ * \note Depending on the configuration, this may be a function or
+ * a pointer to a function.
+ *
+ * \note This function may only be used if the PSA crypto subsystem is active.
+ * This means that you must call psa_crypto_init() before any call to
+ * this function, and you must not call this function after calling
+ * mbedtls_psa_crypto_free().
+ *
+ * \param p_rng The random generator context. This must be
+ * #MBEDTLS_PSA_RANDOM_STATE. No other state is
+ * supported.
+ * \param output The buffer to fill. It must have room for
+ * \c output_size bytes.
+ * \param output_size The number of bytes to write to \p output.
+ * This function may fail if \p output_size is too
+ * large. It is guaranteed to accept any output size
+ * requested by Mbed TLS library functions. The
+ * maximum request size depends on the library
+ * configuration.
+ *
+ * \return \c 0 on success.
+ * \return An `MBEDTLS_ERR_ENTROPY_xxx`,
+ * `MBEDTLS_ERR_PLATFORM_xxx,
+ * `MBEDTLS_ERR_CTR_DRBG_xxx` or
+ * `MBEDTLS_ERR_HMAC_DRBG_xxx` on error.
+ */
+int mbedtls_psa_get_random( void *p_rng,
+ unsigned char *output,
+ size_t output_size );
+
+/** The random generator state for the PSA subsystem.
+ *
+ * This macro expands to an expression which is suitable as the `p_rng`
+ * random generator state parameter of many `mbedtls_xxx` functions.
+ * It must be used in combination with the random generator function
+ * mbedtls_psa_get_random().
+ *
+ * The implementation of this macro depends on the configuration of the
+ * library. Do not make any assumption on its nature.
+ */
+#define MBEDTLS_PSA_RANDOM_STATE NULL
+
+#else /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+typedef mbedtls_ctr_drbg_context mbedtls_psa_drbg_context_t;
+static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_ctr_drbg_random;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+typedef mbedtls_hmac_drbg_context mbedtls_psa_drbg_context_t;
+static mbedtls_f_rng_t *const mbedtls_psa_get_random = mbedtls_hmac_drbg_random;
+#endif
+extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;
+
+#define MBEDTLS_PSA_RANDOM_STATE mbedtls_psa_random_state
+
+#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
#endif /* MBEDTLS_PSA_UTIL_H */
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ripemd160.h b/lib/libmbedtls/mbedtls/include/mbedtls/ripemd160.h
index b5d8e20..381c725 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ripemd160.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ripemd160.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ripemd160.h
*
* \brief RIPE MD-160 message digest
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_RIPEMD160_H
#define MBEDTLS_RIPEMD160_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/rsa.h b/lib/libmbedtls/mbedtls/include/mbedtls/rsa.h
index c47ef0f..991026e 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/rsa.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/rsa.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file rsa.h
*
@@ -11,7 +10,8 @@
*
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -24,8 +24,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_RSA_H
#define MBEDTLS_RSA_H
@@ -99,7 +97,10 @@
*/
typedef struct mbedtls_rsa_context
{
- int ver; /*!< Always 0.*/
+ int ver; /*!< Reserved for internal purposes.
+ * Do not set this field in application
+ * code. Its meaning might change without
+ * notice. */
size_t len; /*!< The size of \p N in Bytes. */
mbedtls_mpi N; /*!< The public modulus. */
@@ -129,6 +130,7 @@
mask generating function used in the
EME-OAEP and EMSA-PSS encodings. */
#if defined(MBEDTLS_THREADING_C)
+ /* Invariant: the mutex is initialized iff ver != 0. */
mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */
#endif
}
@@ -974,12 +976,69 @@
* \brief This function performs a PKCS#1 v2.1 PSS signature
* operation (RSASSA-PSS-SIGN).
*
- * \note The \p hash_id in the RSA context is the one used for the
- * encoding. \p md_alg in the function call is the type of hash
- * that is encoded. According to <em>RFC-3447: Public-Key
+ * \note The \c hash_id set in \p ctx (when calling
+ * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
+ * afterwards) selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
* Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em> it is advised to keep both hashes the
- * same.
+ * Specifications</em>.
+ *
+ * \note This function enforces that the provided salt length complies
+ * with FIPS 186-4 §5.5 (e) and RFC 8017 (PKCS#1 v2.2) §9.1.1
+ * step 3. The constraint is that the hash length plus the salt
+ * length plus 2 bytes must be at most the key length. If this
+ * constraint is not met, this function returns
+ * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA.
+ *
+ * \param ctx The initialized RSA context to use.
+ * \param f_rng The RNG function. It must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL
+ * if \p f_rng doesn't need a context argument.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest.
+ * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest or raw data.
+ * If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
+ * buffer of length \p hashlen Bytes. If \p md_alg is not
+ * #MBEDTLS_MD_NONE, it must be a readable buffer of length
+ * the size of the hash corresponding to \p md_alg.
+ * \param saltlen The length of the salt that should be used.
+ * If passed #MBEDTLS_RSA_SALT_LEN_ANY, the function will use
+ * the largest possible salt length up to the hash length,
+ * which is the largest permitted by some standards including
+ * FIPS 186-4 §5.5.
+ * \param sig The buffer to hold the signature. This must be a writable
+ * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
+ * for an 2048-bit RSA modulus. A buffer length of
+ * #MBEDTLS_MPI_MAX_SIZE is always safe.
+ *
+ * \return \c 0 if the signing operation was successful.
+ * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig );
+
+/**
+ * \brief This function performs a PKCS#1 v2.1 PSS signature
+ * operation (RSASSA-PSS-SIGN).
+ *
+ * \note The \c hash_id set in \p ctx (when calling
+ * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
+ * afterwards) selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>.
*
* \note This function always uses the maximum possible salt size,
* up to the length of the payload hash. This choice of salt
@@ -1009,7 +1068,7 @@
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
- * Ths is only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
@@ -1135,16 +1194,15 @@
* \brief This function performs a PKCS#1 v2.1 PSS verification
* operation (RSASSA-PSS-VERIFY).
*
- * The hash function for the MGF mask generating function
- * is that specified in the RSA context.
- *
- * \note The \p hash_id in the RSA context is the one used for the
- * verification. \p md_alg in the function call is the type of
- * hash that is verified. According to <em>RFC-3447: Public-Key
+ * \note The \c hash_id set in \p ctx (when calling
+ * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
+ * afterwards) selects the hash used for the
+ * encoding operation and for the mask generation function
+ * (MGF1). For more details on the encoding operation and the
+ * mask generation function, consult <em>RFC-3447: Public-Key
* Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
- * Specifications</em> it is advised to keep both hashes the
- * same. If \p hash_id in the RSA context is unset,
- * the \p md_alg from the function call is used.
+ * Specifications</em>. If the \c hash_id set in \p ctx is
+ * #MBEDTLS_MD_NONE, the \p md_alg parameter is used.
*
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
@@ -1192,13 +1250,12 @@
* \brief This function performs a PKCS#1 v2.1 PSS verification
* operation (RSASSA-PSS-VERIFY).
*
- * The hash function for the MGF mask generating function
- * is that specified in \p mgf1_hash_id.
- *
* \note The \p sig buffer must be as large as the size
* of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
*
- * \note The \p hash_id in the RSA context is ignored.
+ * \note The \c hash_id set in \p ctx (when calling
+ * mbedtls_rsa_init() or by calling mbedtls_rsa_set_padding()
+ * afterwards) is ignored.
*
* \param ctx The initialized RSA public key context to use.
* \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
@@ -1217,7 +1274,13 @@
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
- * \param mgf1_hash_id The message digest used for mask generation.
+ * \param mgf1_hash_id The message digest algorithm used for the
+ * verification operation and the mask generation
+ * function (MGF1). For more details on the encoding
+ * operation and the mask generation function, consult
+ * <em>RFC-3447: Public-Key Cryptography Standards
+ * (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications</em>.
* \param expected_salt_len The length of the salt used in padding. Use
* #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
* \param sig The buffer holding the signature. This must be a readable
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/rsa_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/rsa_internal.h
index c1c844e..d55492b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/rsa_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/rsa_internal.h
@@ -35,7 +35,7 @@
*
*/
/*
- * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -50,8 +50,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
#ifndef MBEDTLS_RSA_INTERNAL_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/sha1.h b/lib/libmbedtls/mbedtls/include/mbedtls/sha1.h
index b51d873..86a3d06 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/sha1.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/sha1.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file sha1.h
*
@@ -12,7 +11,8 @@
* digests instead.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -25,8 +25,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SHA1_H
#define MBEDTLS_SHA1_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/sha256.h b/lib/libmbedtls/mbedtls/include/mbedtls/sha256.h
index 0a77767..73d9544 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/sha256.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/sha256.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file sha256.h
*
@@ -8,7 +7,8 @@
* hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -21,8 +21,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SHA256_H
#define MBEDTLS_SHA256_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/sha512.h b/lib/libmbedtls/mbedtls/include/mbedtls/sha512.h
index f288623..4a8ab42 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/sha512.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/sha512.h
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file sha512.h
* \brief This file contains SHA-384 and SHA-512 definitions and functions.
@@ -7,7 +6,8 @@
* hash functions are defined in <em>FIPS 180-4: Secure Hash Standard (SHS)</em>.
*/
/*
- * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -20,8 +20,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SHA512_H
#define MBEDTLS_SHA512_H
@@ -133,8 +131,7 @@
/**
* \brief This function finishes the SHA-512 operation, and writes
- * the result to the output buffer. This function is for
- * internal use only.
+ * the result to the output buffer.
*
* \param ctx The SHA-512 context. This must be initialized
* and have a hash operation started.
@@ -150,6 +147,7 @@
/**
* \brief This function processes a single data block within
* the ongoing SHA-512 computation.
+ * This function is for internal use only.
*
* \param ctx The SHA-512 context. This must be initialized.
* \param data The buffer holding one block of data. This
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl.h
index b76b9bb..30dfbce 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl.h
*
* \brief SSL/TLS functions.
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_H
#define MBEDTLS_SSL_H
@@ -44,7 +42,12 @@
#include "mbedtls/dhm.h"
#endif
-#if defined(MBEDTLS_ECDH_C)
+/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
+ * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
+ * in functionality that access to ecdh_ctx structure is needed for
+ * MBEDTLS_ECDSA_C which does not seem correct.
+ */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdh.h"
#endif
@@ -129,6 +132,7 @@
#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /**< An operation failed due to an unexpected version or configuration. */
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
+#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80 /**< Invalid value in SSL config */
/*
* Various constants
@@ -138,11 +142,15 @@
#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */
#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
#define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
+#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */
#define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */
#define MBEDTLS_SSL_MAX_HOST_NAME_LEN 255 /*!< Maximum host name defined in RFC 1035 */
+#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN 255 /*!< Maximum size in bytes of a protocol name in alpn ext., RFC 7301 */
+
+#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN 65535 /*!< Maximum size in bytes of list in alpn ext., RFC 7301 */
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
* NONE must be zero so that memset()ing structure to zero works */
@@ -211,6 +219,9 @@
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED 1
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 0
+#define MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED 0
+#define MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED 1
+
/*
* Default range for DTLS retransmission timer value, in milliseconds.
* RFC 6347 4.2.4.1 says from 1 second to 60 seconds.
@@ -276,6 +287,10 @@
#define MBEDTLS_SSL_CID_PADDING_GRANULARITY 16
#endif
+#if !defined(MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY)
+#define MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY 1
+#endif
+
/* \} name SECTION: Module settings */
/*
@@ -386,6 +401,8 @@
#define MBEDTLS_TLS_EXT_SIG_ALG 13
+#define MBEDTLS_TLS_EXT_USE_SRTP 14
+
#define MBEDTLS_TLS_EXT_ALPN 16
#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
@@ -844,6 +861,41 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED &&
!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+
+#define MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH 255
+#define MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH 4
+/*
+ * For code readability use a typedef for DTLS-SRTP profiles
+ *
+ * Use_srtp extension protection profiles values as defined in
+ * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ *
+ * Reminder: if this list is expanded mbedtls_ssl_check_srtp_profile_value
+ * must be updated too.
+ */
+#define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80 ( (uint16_t) 0x0001)
+#define MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32 ( (uint16_t) 0x0002)
+#define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80 ( (uint16_t) 0x0005)
+#define MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32 ( (uint16_t) 0x0006)
+/* This one is not iana defined, but for code readability. */
+#define MBEDTLS_TLS_SRTP_UNSET ( (uint16_t) 0x0000)
+
+typedef uint16_t mbedtls_ssl_srtp_profile;
+
+typedef struct mbedtls_dtls_srtp_info_t
+{
+ /*! The SRTP profile that was negotiated. */
+ mbedtls_ssl_srtp_profile chosen_dtls_srtp_profile;
+ /*! The length of mki_value. */
+ uint16_t mki_len;
+ /*! The mki_value used, with max size of 256 bytes. */
+ unsigned char mki_value[MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH];
+}
+mbedtls_dtls_srtp_info;
+
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* This structure is used for storing current session data.
*
@@ -1016,11 +1068,12 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_handle_t psk_opaque; /*!< PSA key slot holding opaque PSK.
- * This field should only be set via
- * mbedtls_ssl_conf_psk_opaque().
- * If either no PSK or a raw PSK have
- * been configured, this has value \c 0. */
+ psa_key_id_t psk_opaque; /*!< PSA key slot holding opaque PSK. This field
+ * should only be set via
+ * mbedtls_ssl_conf_psk_opaque().
+ * If either no PSK or a raw PSK have been
+ * configured, this has value \c 0.
+ */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *psk; /*!< The raw pre-shared key. This field should
@@ -1050,6 +1103,13 @@
const char **alpn_list; /*!< ordered list of protocols */
#endif
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ /*! ordered list of supported srtp profile */
+ const mbedtls_ssl_srtp_profile *dtls_srtp_profile_list;
+ /*! number of supported profiles */
+ size_t dtls_srtp_profile_list_len;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* Numerical settings (int then char)
*/
@@ -1130,9 +1190,12 @@
* record with unexpected CID
* should lead to failure. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ unsigned int dtls_srtp_mki_support : 1; /* support having mki_value
+ in the use_srtp extension */
+#endif
};
-
struct mbedtls_ssl_context
{
const mbedtls_ssl_config *conf; /*!< configuration information */
@@ -1291,6 +1354,13 @@
const char *alpn_chosen; /*!< negotiated protocol */
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ /*
+ * use_srtp extension
+ */
+ mbedtls_dtls_srtp_info dtls_srtp_info;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* Information for DTLS hello verify
*/
@@ -1552,7 +1622,7 @@
* \note For DTLS, you need to provide either a non-NULL
* f_recv_timeout callback, or a f_recv that doesn't block.
*
- * \note See the documentations of \c mbedtls_ssl_sent_t,
+ * \note See the documentations of \c mbedtls_ssl_send_t,
* \c mbedtls_ssl_recv_t and \c mbedtls_ssl_recv_timeout_t for
* the conventions those callbacks must follow.
*
@@ -2025,6 +2095,8 @@
* (Default: none.)
*
* \note See \c mbedtls_ssl_export_keys_ext_t.
+ * \warning Exported key material must not be used for any purpose
+ * before the (D)TLS handshake is completed
*
* \param conf SSL configuration context
* \param f_export_keys_ext Callback for exporting keys
@@ -2682,6 +2754,9 @@
* \note This is mainly useful for clients. Servers will usually
* want to use \c mbedtls_ssl_conf_psk_cb() instead.
*
+ * \note A PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
+ * takes precedence over a PSK configured by this function.
+ *
* \warning Currently, clients can only register a single pre-shared key.
* Calling this function or mbedtls_ssl_conf_psk_opaque() more
* than once will overwrite values configured in previous calls.
@@ -2715,6 +2790,10 @@
* \note This is mainly useful for clients. Servers will usually
* want to use \c mbedtls_ssl_conf_psk_cb() instead.
*
+ * \note An opaque PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in
+ * the PSK callback takes precedence over an opaque PSK
+ * configured by this function.
+ *
* \warning Currently, clients can only register a single pre-shared key.
* Calling this function or mbedtls_ssl_conf_psk() more than
* once will overwrite values configured in previous calls.
@@ -2741,7 +2820,7 @@
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
*/
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
- psa_key_handle_t psk,
+ psa_key_id_t psk,
const unsigned char *psk_identity,
size_t psk_identity_len );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -2752,6 +2831,9 @@
* \note This should only be called inside the PSK callback,
* i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
*
+ * \note A PSK set by this function takes precedence over a PSK
+ * configured by \c mbedtls_ssl_conf_psk().
+ *
* \param ssl The SSL context to configure a PSK for.
* \param psk The pointer to the pre-shared key.
* \param psk_len The length of the pre-shared key in bytes.
@@ -2769,6 +2851,9 @@
* \note This should only be called inside the PSK callback,
* i.e. the function passed to \c mbedtls_ssl_conf_psk_cb().
*
+ * \note An opaque PSK set by this function takes precedence over an
+ * opaque PSK configured by \c mbedtls_ssl_conf_psk_opaque().
+ *
* \param ssl The SSL context to configure a PSK for.
* \param psk The identifier of the key slot holding the PSK.
* For the duration of the current handshake, the key slot
@@ -2781,7 +2866,7 @@
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
*/
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
- psa_key_handle_t psk );
+ psa_key_id_t psk );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/**
@@ -2807,9 +2892,14 @@
* on the SSL context to set the correct PSK and return \c 0.
* Any other return value will result in a denied PSK identity.
*
- * \note If you set a PSK callback using this function, then you
- * don't need to set a PSK key and identity using
- * \c mbedtls_ssl_conf_psk().
+ * \note A dynamic PSK (i.e. set by the PSK callback) takes
+ * precedence over a static PSK (i.e. set by
+ * \c mbedtls_ssl_conf_psk() or
+ * \c mbedtls_ssl_conf_psk_opaque()).
+ * This means that if you set a PSK callback using this
+ * function, you don't need to set a PSK using
+ * \c mbedtls_ssl_conf_psk() or
+ * \c mbedtls_ssl_conf_psk_opaque()).
*
* \param conf The SSL configuration to register the callback with.
* \param f_psk The callback for selecting and setting the PSK based
@@ -2897,7 +2987,9 @@
#if defined(MBEDTLS_ECP_C)
/**
* \brief Set the allowed curves in order of preference.
- * (Default: all defined curves.)
+ * (Default: all defined curves in order of decreasing size,
+ * except that Montgomery curves come last. This order
+ * is likely to change in a future version.)
*
* On server: this only affects selection of the ECDHE curve;
* the curves used for ECDH and ECDSA are determined by the
@@ -2929,7 +3021,9 @@
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
- * (Default: all available hashes except MD5.)
+ * (Default: all SHA-2 hashes, largest first. Also SHA-1 if
+ * the compile-time option
+ * `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE` is enabled.)
*
* \note This only affects which hashes are offered and can be used
* for signatures during the handshake. Hashes for message
@@ -3095,6 +3189,105 @@
const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+#if defined(MBEDTLS_DEBUG_C)
+static inline const char *mbedtls_ssl_get_srtp_profile_as_string( mbedtls_ssl_srtp_profile profile )
+{
+ switch( profile )
+ {
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
+ return( "MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" );
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
+ return( "MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" );
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
+ return( "MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80" );
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
+ return( "MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32" );
+ default: break;
+ }
+ return( "" );
+}
+#endif /* MBEDTLS_DEBUG_C */
+/**
+ * \brief Manage support for mki(master key id) value
+ * in use_srtp extension.
+ * MKI is an optional part of SRTP used for key management
+ * and re-keying. See RFC3711 section 3.1 for details.
+ * The default value is
+ * #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED.
+ *
+ * \param conf The SSL configuration to manage mki support.
+ * \param support_mki_value Enable or disable mki usage. Values are
+ * #MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED
+ * or #MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED.
+ */
+void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
+ int support_mki_value );
+
+/**
+ * \brief Set the supported DTLS-SRTP protection profiles.
+ *
+ * \param conf SSL configuration
+ * \param profiles Pointer to a List of MBEDTLS_TLS_SRTP_UNSET terminated
+ * supported protection profiles
+ * in decreasing preference order.
+ * The pointer to the list is recorded by the library
+ * for later reference as required, so the lifetime
+ * of the table must be at least as long as the lifetime
+ * of the SSL configuration structure.
+ * The list must not hold more than
+ * MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH elements
+ * (excluding the terminating MBEDTLS_TLS_SRTP_UNSET).
+ *
+ * \return 0 on success
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of
+ * protection profiles is incorrect.
+ */
+int mbedtls_ssl_conf_dtls_srtp_protection_profiles
+ ( mbedtls_ssl_config *conf,
+ const mbedtls_ssl_srtp_profile *profiles );
+
+/**
+ * \brief Set the mki_value for the current DTLS-SRTP session.
+ *
+ * \param ssl SSL context to use.
+ * \param mki_value The MKI value to set.
+ * \param mki_len The length of the MKI value.
+ *
+ * \note This function is relevant on client side only.
+ * The server discovers the mki value during handshake.
+ * A mki value set on server side using this function
+ * is ignored.
+ *
+ * \return 0 on success
+ * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA
+ * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+ */
+int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
+ unsigned char *mki_value,
+ uint16_t mki_len );
+/**
+ * \brief Get the negotiated DTLS-SRTP informations:
+ * Protection profile and MKI value.
+ *
+ * \warning This function must be called after the handshake is
+ * completed. The value returned by this function must
+ * not be trusted or acted upon before the handshake completes.
+ *
+ * \param ssl The SSL context to query.
+ * \param dtls_srtp_info The negotiated DTLS-SRTP informations:
+ * - Protection profile in use.
+ * A direct mapping of the iana defined value for protection
+ * profile on an uint16_t.
+ http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ * #MBEDTLS_TLS_SRTP_UNSET if the use of SRTP was not negotiated
+ * or peer's Hello packet was not parsed yet.
+ * - mki size and value( if size is > 0 ).
+ */
+void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
+ mbedtls_dtls_srtp_info *dtls_srtp_info );
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/**
* \brief Set the maximum supported version sent from the client side
* and/or accepted at the server side
@@ -4138,7 +4331,7 @@
/**
* \brief TLS-PRF function for key derivation.
*
- * \param prf The tls_prf type funtion type to be used.
+ * \param prf The tls_prf type function type to be used.
* \param secret Secret for the key derivation function.
* \param slen Length of the secret.
* \param label String label for the key derivation function,
@@ -4148,7 +4341,7 @@
* \param dstbuf The buffer holding the derived key.
* \param dlen Length of the output buffer.
*
- * \return 0 on sucess. An SSL specific error on failure.
+ * \return 0 on success. An SSL specific error on failure.
*/
int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
const unsigned char *secret, size_t slen,
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cache.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cache.h
index 8df68f1..c6ef296 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cache.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cache.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl_cache.h
*
* \brief SSL session cache implementation
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_CACHE_H
#define MBEDTLS_SSL_CACHE_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
index 0ddbd68..93c32a5 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ciphersuites.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl_ciphersuites.h
*
* \brief SSL Ciphersuites for mbed TLS
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_CIPHERSUITES_H
#define MBEDTLS_SSL_CIPHERSUITES_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cookie.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cookie.h
index 3800e2c..0a23870 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cookie.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_cookie.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl_cookie.h
*
* \brief DTLS cookie callbacks implementation
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_COOKIE_H
#define MBEDTLS_SSL_COOKIE_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_internal.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_internal.h
index 5b9f4c1..2097a6d 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_internal.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_internal.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl_internal.h
*
* \brief Internal functions shared by the SSL modules
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_INTERNAL_H
#define MBEDTLS_SSL_INTERNAL_H
@@ -146,12 +144,26 @@
#define MBEDTLS_SSL_COMPRESSION_ADD 0
#endif
+/* This macro determines whether CBC is supported. */
+#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
+ ( defined(MBEDTLS_AES_C) || \
+ defined(MBEDTLS_CAMELLIA_C) || \
+ defined(MBEDTLS_ARIA_C) || \
+ defined(MBEDTLS_DES_C) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
+#endif
+
+/* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
+ * opposed to the very different CBC construct used in SSLv3) is supported. */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
+ ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) )
+#define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
+#endif
+
#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
- ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_CAMELLIA_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_DES_C) ) )
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
#define MBEDTLS_SSL_SOME_MODES_USE_MAC
#endif
@@ -207,6 +219,12 @@
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
)
+/* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
+#define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
+
+/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
+#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
+
/*
* Check that we obey the standard's message size bounds
*/
@@ -257,26 +275,26 @@
#endif
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
-static inline uint32_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
+static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
{
#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
- return (uint32_t) mbedtls_ssl_get_output_max_frag_len( ctx )
+ return mbedtls_ssl_get_output_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ MBEDTLS_SSL_CID_OUT_LEN_MAX;
#else
- return (uint32_t) mbedtls_ssl_get_output_max_frag_len( ctx )
+ return mbedtls_ssl_get_output_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
#endif
}
-static inline uint32_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
+static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
{
#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
- return (uint32_t) mbedtls_ssl_get_input_max_frag_len( ctx )
+ return mbedtls_ssl_get_input_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ MBEDTLS_SSL_CID_IN_LEN_MAX;
#else
- return (uint32_t) mbedtls_ssl_get_input_max_frag_len( ctx )
+ return mbedtls_ssl_get_input_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
#endif
}
@@ -299,6 +317,41 @@
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
+/**
+ * \brief This function checks if the remaining size in a buffer is
+ * greater or equal than a needed space.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed space in bytes.
+ *
+ * \return Zero if the needed space is available in the buffer, non-zero
+ * otherwise.
+ */
+static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
+ const uint8_t *end, size_t need )
+{
+ return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
+}
+
+/**
+ * \brief This macro checks if the remaining size in a buffer is
+ * greater or equal than a needed space. If it is not the case,
+ * it returns an SSL_BUFFER_TOO_SMALL error.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed space in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
+ do { \
+ if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
+ { \
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
+ } \
+ } while( 0 )
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -325,6 +378,49 @@
const char *label,
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen );
+
+/* cipher.h exports the maximum IV, key and block length from
+ * all ciphers enabled in the config, regardless of whether those
+ * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
+ * in the default configuration and uses 64 Byte keys, but it is
+ * not used for record protection in SSL/TLS.
+ *
+ * In order to prevent unnecessary inflation of key structures,
+ * we introduce SSL-specific variants of the max-{key,block,IV}
+ * macros here which are meant to only take those ciphers into
+ * account which can be negotiated in SSL/TLS.
+ *
+ * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
+ * in cipher.h are rough overapproximations of the real maxima, here
+ * we content ourselves with replicating those overapproximations
+ * for the maximum block and IV length, and excluding XTS from the
+ * computation of the maximum key length. */
+#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
+#define MBEDTLS_SSL_MAX_IV_LENGTH 16
+#define MBEDTLS_SSL_MAX_KEY_LENGTH 32
+
+/**
+ * \brief The data structure holding the cryptographic material (key and IV)
+ * used for record protection in TLS 1.3.
+ */
+struct mbedtls_ssl_key_set
+{
+ /*! The key for client->server records. */
+ unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
+ /*! The key for server->client records. */
+ unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
+ /*! The IV for client->server records. */
+ unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
+ /*! The IV for server->client records. */
+ unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
+
+ size_t key_len; /*!< The length of client_write_key and
+ * server_write_key, in Bytes. */
+ size_t iv_len; /*!< The length of client_write_iv and
+ * server_write_iv, in Bytes. */
+};
+typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
+
/*
* This structure contains the parameters only needed during handshake.
*/
@@ -341,17 +437,22 @@
#if defined(MBEDTLS_DHM_C)
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
#endif
-#if defined(MBEDTLS_ECDH_C)
+/* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
+ * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
+ * in functionality that access to ecdh_ctx structure is needed for
+ * MBEDTLS_ECDSA_C which does not seem correct.
+ */
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t ecdh_psa_type;
uint16_t ecdh_bits;
- psa_key_handle_t ecdh_psa_privkey;
+ psa_key_id_t ecdh_psa_privkey;
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t ecdh_psa_peerkey_len;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
-#endif /* MBEDTLS_ECDH_C */
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
@@ -366,7 +467,7 @@
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
+ psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *psk; /*!< PSK from the callback */
size_t psk_len; /*!< Length of PSK from callback */
@@ -554,6 +655,10 @@
* time with the 8-byte record sequence number, without prepending the
* latter to the encrypted record.
*
+ * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
+ * which allows to add flexible length padding and to hide a record's true
+ * content type.
+ *
* In addition to type and version, the following parameters are relevant:
* - The symmetric cipher algorithm to be used.
* - The (static) encryption/decryption keys for the cipher.
@@ -921,7 +1026,60 @@
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
-#endif
+
+/**
+ * Get the first defined PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
+ * Return a code and update the pair (PSK, PSK length) passed to this function
+ */
+static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
+ const unsigned char **psk, size_t *psk_len )
+{
+ if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
+ {
+ *psk = ssl->handshake->psk;
+ *psk_len = ssl->handshake->psk_len;
+ }
+
+ else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
+ {
+ *psk = ssl->conf->psk;
+ *psk_len = ssl->conf->psk_len;
+ }
+
+ else
+ {
+ *psk = NULL;
+ *psk_len = 0;
+ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ }
+
+ return( 0 );
+}
+
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+/**
+ * Get the first defined opaque PSK by order of precedence:
+ * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
+ * callback
+ * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
+ * Return an opaque PSK
+ */
+static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
+ const mbedtls_ssl_context *ssl )
+{
+ if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
+ return( ssl->handshake->psk_opaque );
+
+ if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
+ return( ssl->conf->psk_opaque );
+
+ return( MBEDTLS_SVC_KEY_ID_INIT );
+}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_PK_C)
unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
@@ -942,6 +1100,23 @@
mbedtls_md_type_t md );
#endif
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
+ ( const uint16_t srtp_profile_value )
+{
+ switch( srtp_profile_value )
+ {
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
+ case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
+ case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
+ return srtp_profile_value;
+ default: break;
+ }
+ return( MBEDTLS_TLS_SRTP_UNSET );
+}
+#endif
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
{
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ticket.h b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ticket.h
index 6e13444..a882eed 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ticket.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/ssl_ticket.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file ssl_ticket.h
*
* \brief TLS server ticket callbacks implementation
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SSL_TICKET_H
#define MBEDTLS_SSL_TICKET_H
@@ -99,7 +97,7 @@
* Recommended value: 86400 (one day).
*
* \note It is highly recommended to select a cipher that is at
- * least as strong as the the strongest ciphersuite
+ * least as strong as the strongest ciphersuite
* supported. Usually that means a 256-bit key.
*
* \note The lifetime of the keys is twice the lifetime of tickets.
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/threading.h b/lib/libmbedtls/mbedtls/include/mbedtls/threading.h
index 555c36b..05e27c5 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/threading.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/threading.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file threading.h
*
* \brief Threading abstraction layer
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_THREADING_H
#define MBEDTLS_THREADING_H
@@ -48,6 +46,9 @@
typedef struct mbedtls_threading_mutex_t
{
pthread_mutex_t mutex;
+ /* is_valid is 0 after a failed init or a free, and nonzero after a
+ * successful init. This field is not considered part of the public
+ * API of Mbed TLS and may change without notice. */
char is_valid;
} mbedtls_threading_mutex_t;
#endif
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/timing.h b/lib/libmbedtls/mbedtls/include/mbedtls/timing.h
index 2f22929..b7290cf 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/timing.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/timing.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file timing.h
*
* \brief Portable interface to timeouts and to the CPU cycle counter
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_TIMING_H
#define MBEDTLS_TIMING_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/version.h b/lib/libmbedtls/mbedtls/include/mbedtls/version.h
index 250b291..2740479 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/version.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/version.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file version.h
*
* \brief Run-time version information
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* This set of compile-time defines and run-time variables can be used to
@@ -39,7 +37,7 @@
* Major, Minor, Patchlevel
*/
#define MBEDTLS_VERSION_MAJOR 2
-#define MBEDTLS_VERSION_MINOR 22
+#define MBEDTLS_VERSION_MINOR 27
#define MBEDTLS_VERSION_PATCH 0
/**
@@ -47,9 +45,9 @@
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define MBEDTLS_VERSION_NUMBER 0x02160000
-#define MBEDTLS_VERSION_STRING "2.22.0"
-#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.22.0"
+#define MBEDTLS_VERSION_NUMBER 0x021B0000
+#define MBEDTLS_VERSION_STRING "2.27.0"
+#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.27.0"
#if defined(MBEDTLS_VERSION_C)
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/x509.h b/lib/libmbedtls/mbedtls/include/mbedtls/x509.h
index 752516d..08525e2 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/x509.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/x509.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file x509.h
*
* \brief X.509 generic defines and structures
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_X509_H
#define MBEDTLS_X509_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/x509_crl.h b/lib/libmbedtls/mbedtls/include/mbedtls/x509_crl.h
index 3ec874e..7e9e888 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/x509_crl.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/x509_crl.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file x509_crl.h
*
* \brief X.509 certificate revocation list parsing
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_X509_CRL_H
#define MBEDTLS_X509_CRL_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/x509_crt.h b/lib/libmbedtls/mbedtls/include/mbedtls/x509_crt.h
index 9d52665..64ccb43 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/x509_crt.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/x509_crt.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file x509_crt.h
*
* \brief X.509 certificate parsing and writing
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_X509_CRT_H
#define MBEDTLS_X509_CRT_H
@@ -265,12 +263,21 @@
/**
* Default security profile. Should provide a good balance between security
* and compatibility with current deployments.
+ *
+ * This profile permits:
+ * - SHA2 hashes.
+ * - All supported elliptic curves.
+ * - RSA with 2048 bits and above.
+ *
+ * New minor versions of Mbed TLS may extend this profile, for example if
+ * new curves are added to the library. New minor versions of Mbed TLS will
+ * not reduce this profile unless serious security concerns require it.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
/**
* Expected next default profile. Recommended for new deployments.
- * Currently targets a 128-bit security level, except for RSA-2048.
+ * Currently targets a 128-bit security level, except for allowing RSA-2048.
*/
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
@@ -304,6 +311,90 @@
size_t buflen );
/**
+ * \brief The type of certificate extension callbacks.
+ *
+ * Callbacks of this type are passed to and used by the
+ * mbedtls_x509_crt_parse_der_with_ext_cb() routine when
+ * it encounters either an unsupported extension or a
+ * "certificate policies" extension containing any
+ * unsupported certificate policies.
+ * Future versions of the library may invoke the callback
+ * in other cases, if and when the need arises.
+ *
+ * \param p_ctx An opaque context passed to the callback.
+ * \param crt The certificate being parsed.
+ * \param oid The OID of the extension.
+ * \param critical Whether the extension is critical.
+ * \param p Pointer to the start of the extension value
+ * (the content of the OCTET STRING).
+ * \param end End of extension value.
+ *
+ * \note The callback must fail and return a negative error code
+ * if it can not parse or does not support the extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
+ *
+ * \return \c 0 on success.
+ * \return A negative error code on failure.
+ */
+typedef int (*mbedtls_x509_crt_ext_cb_t)( void *p_ctx,
+ mbedtls_x509_crt const *crt,
+ mbedtls_x509_buf const *oid,
+ int critical,
+ const unsigned char *p,
+ const unsigned char *end );
+
+/**
+ * \brief Parse a single DER formatted certificate and add it
+ * to the end of the provided chained list.
+ *
+ * \param chain The pointer to the start of the CRT chain to attach to.
+ * When parsing the first CRT in a chain, this should point
+ * to an instance of ::mbedtls_x509_crt initialized through
+ * mbedtls_x509_crt_init().
+ * \param buf The buffer holding the DER encoded certificate.
+ * \param buflen The size in Bytes of \p buf.
+ * \param make_copy When not zero this function makes an internal copy of the
+ * CRT buffer \p buf. In particular, \p buf may be destroyed
+ * or reused after this call returns.
+ * When zero this function avoids duplicating the CRT buffer
+ * by taking temporary ownership thereof until the CRT
+ * is destroyed (like mbedtls_x509_crt_parse_der_nocopy())
+ * \param cb A callback invoked for every unsupported certificate
+ * extension.
+ * \param p_ctx An opaque context passed to the callback.
+ *
+ * \note This call is functionally equivalent to
+ * mbedtls_x509_crt_parse_der(), and/or
+ * mbedtls_x509_crt_parse_der_nocopy()
+ * but it calls the callback with every unsupported
+ * certificate extension and additionally the
+ * "certificate policies" extension if it contains any
+ * unsupported certificate policies.
+ * The callback must return a negative error code if it
+ * does not know how to handle such an extension.
+ * When the callback fails to parse a critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() also fails.
+ * When the callback fails to parse a non critical extension
+ * mbedtls_x509_crt_parse_der_with_ext_cb() simply skips
+ * the extension and continues parsing.
+ * Future versions of the library may invoke the callback
+ * in other cases, if and when the need arises.
+ *
+ * \return \c 0 if successful.
+ * \return A negative error code on failure.
+ */
+int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen,
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx );
+
+/**
* \brief Parse a single DER formatted certificate and add it
* to the end of the provided chained list. This is a
* variant of mbedtls_x509_crt_parse_der() which takes
@@ -501,8 +592,11 @@
* \param crt The certificate chain to be verified.
* \param trust_ca The list of trusted CAs.
* \param ca_crl The list of CRLs for trusted CAs.
- * \param cn The expected Common Name. This may be \c NULL if the
- * CN need not be verified.
+ * \param cn The expected Common Name. This will be checked to be
+ * present in the certificate's subjectAltNames extension or,
+ * if this extension is absent, as a CN component in its
+ * Subject name. Currently only DNS names are supported. This
+ * may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
* set to (uint32_t) -1.
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/x509_csr.h b/lib/libmbedtls/mbedtls/include/mbedtls/x509_csr.h
index c5a7cad..b1dfc21 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/x509_csr.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/x509_csr.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file x509_csr.h
*
* \brief X.509 certificate signing request parsing and writing
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_X509_CSR_H
#define MBEDTLS_X509_CSR_H
diff --git a/lib/libmbedtls/mbedtls/include/mbedtls/xtea.h b/lib/libmbedtls/mbedtls/include/mbedtls/xtea.h
index b607547..473dd4b 100644
--- a/lib/libmbedtls/mbedtls/include/mbedtls/xtea.h
+++ b/lib/libmbedtls/mbedtls/include/mbedtls/xtea.h
@@ -1,11 +1,11 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file xtea.h
*
* \brief XTEA block cipher (32-bit)
*/
/*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -18,8 +18,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_XTEA_H
#define MBEDTLS_XTEA_H
diff --git a/lib/libmbedtls/mbedtls/library/aes.c b/lib/libmbedtls/mbedtls/library/aes.c
index c6a45f3..3f61642 100644
--- a/lib/libmbedtls/mbedtls/library/aes.c
+++ b/lib/libmbedtls/mbedtls/library/aes.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* FIPS-197 compliant AES implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@@ -25,11 +23,7 @@
* http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_AES_C)
@@ -736,6 +730,7 @@
return( ret );
}
+#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
static int mbedtls_aes_xts_decode_keys( const unsigned char *key,
@@ -814,8 +809,6 @@
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */
-#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
-
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
do \
{ \
@@ -873,63 +866,56 @@
unsigned char output[16] )
{
int i;
- uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+ uint32_t *RK = ctx->rk;
+ struct
+ {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
- RK = ctx->rk;
-
- GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
- GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
- GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
- GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+ GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
+ GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
+ GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
+ GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
{
- AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
- AES_FROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+ AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+ AES_FROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
}
- AES_FROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+ AES_FROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
- X0 = *RK++ ^ \
- ( (uint32_t) FSb[ ( Y0 ) & 0xFF ] ) ^
- ( (uint32_t) FSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) FSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) FSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+ t.X[0] = *RK++ ^ \
+ ( (uint32_t) FSb[ ( t.Y[0] ) & 0xFF ] ) ^
+ ( (uint32_t) FSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) FSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) FSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
- X1 = *RK++ ^ \
- ( (uint32_t) FSb[ ( Y1 ) & 0xFF ] ) ^
- ( (uint32_t) FSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) FSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) FSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+ t.X[1] = *RK++ ^ \
+ ( (uint32_t) FSb[ ( t.Y[1] ) & 0xFF ] ) ^
+ ( (uint32_t) FSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) FSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) FSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
- X2 = *RK++ ^ \
- ( (uint32_t) FSb[ ( Y2 ) & 0xFF ] ) ^
- ( (uint32_t) FSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) FSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) FSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+ t.X[2] = *RK++ ^ \
+ ( (uint32_t) FSb[ ( t.Y[2] ) & 0xFF ] ) ^
+ ( (uint32_t) FSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) FSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) FSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
- X3 = *RK++ ^ \
- ( (uint32_t) FSb[ ( Y3 ) & 0xFF ] ) ^
- ( (uint32_t) FSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) FSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) FSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+ t.X[3] = *RK++ ^ \
+ ( (uint32_t) FSb[ ( t.Y[3] ) & 0xFF ] ) ^
+ ( (uint32_t) FSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) FSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) FSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
- PUT_UINT32_LE( X0, output, 0 );
- PUT_UINT32_LE( X1, output, 4 );
- PUT_UINT32_LE( X2, output, 8 );
- PUT_UINT32_LE( X3, output, 12 );
+ PUT_UINT32_LE( t.X[0], output, 0 );
+ PUT_UINT32_LE( t.X[1], output, 4 );
+ PUT_UINT32_LE( t.X[2], output, 8 );
+ PUT_UINT32_LE( t.X[3], output, 12 );
- mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
- mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
- mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
- mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
-
- mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
- mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
- mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
- mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
-
- mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+ mbedtls_platform_zeroize( &t, sizeof( t ) );
return( 0 );
}
@@ -953,63 +939,56 @@
unsigned char output[16] )
{
int i;
- uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3;
+ uint32_t *RK = ctx->rk;
+ struct
+ {
+ uint32_t X[4];
+ uint32_t Y[4];
+ } t;
- RK = ctx->rk;
-
- GET_UINT32_LE( X0, input, 0 ); X0 ^= *RK++;
- GET_UINT32_LE( X1, input, 4 ); X1 ^= *RK++;
- GET_UINT32_LE( X2, input, 8 ); X2 ^= *RK++;
- GET_UINT32_LE( X3, input, 12 ); X3 ^= *RK++;
+ GET_UINT32_LE( t.X[0], input, 0 ); t.X[0] ^= *RK++;
+ GET_UINT32_LE( t.X[1], input, 4 ); t.X[1] ^= *RK++;
+ GET_UINT32_LE( t.X[2], input, 8 ); t.X[2] ^= *RK++;
+ GET_UINT32_LE( t.X[3], input, 12 ); t.X[3] ^= *RK++;
for( i = ( ctx->nr >> 1 ) - 1; i > 0; i-- )
{
- AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
- AES_RROUND( X0, X1, X2, X3, Y0, Y1, Y2, Y3 );
+ AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
+ AES_RROUND( t.X[0], t.X[1], t.X[2], t.X[3], t.Y[0], t.Y[1], t.Y[2], t.Y[3] );
}
- AES_RROUND( Y0, Y1, Y2, Y3, X0, X1, X2, X3 );
+ AES_RROUND( t.Y[0], t.Y[1], t.Y[2], t.Y[3], t.X[0], t.X[1], t.X[2], t.X[3] );
- X0 = *RK++ ^ \
- ( (uint32_t) RSb[ ( Y0 ) & 0xFF ] ) ^
- ( (uint32_t) RSb[ ( Y3 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) RSb[ ( Y2 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) RSb[ ( Y1 >> 24 ) & 0xFF ] << 24 );
+ t.X[0] = *RK++ ^ \
+ ( (uint32_t) RSb[ ( t.Y[0] ) & 0xFF ] ) ^
+ ( (uint32_t) RSb[ ( t.Y[3] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) RSb[ ( t.Y[2] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) RSb[ ( t.Y[1] >> 24 ) & 0xFF ] << 24 );
- X1 = *RK++ ^ \
- ( (uint32_t) RSb[ ( Y1 ) & 0xFF ] ) ^
- ( (uint32_t) RSb[ ( Y0 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) RSb[ ( Y3 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) RSb[ ( Y2 >> 24 ) & 0xFF ] << 24 );
+ t.X[1] = *RK++ ^ \
+ ( (uint32_t) RSb[ ( t.Y[1] ) & 0xFF ] ) ^
+ ( (uint32_t) RSb[ ( t.Y[0] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) RSb[ ( t.Y[3] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) RSb[ ( t.Y[2] >> 24 ) & 0xFF ] << 24 );
- X2 = *RK++ ^ \
- ( (uint32_t) RSb[ ( Y2 ) & 0xFF ] ) ^
- ( (uint32_t) RSb[ ( Y1 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) RSb[ ( Y0 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) RSb[ ( Y3 >> 24 ) & 0xFF ] << 24 );
+ t.X[2] = *RK++ ^ \
+ ( (uint32_t) RSb[ ( t.Y[2] ) & 0xFF ] ) ^
+ ( (uint32_t) RSb[ ( t.Y[1] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) RSb[ ( t.Y[0] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) RSb[ ( t.Y[3] >> 24 ) & 0xFF ] << 24 );
- X3 = *RK++ ^ \
- ( (uint32_t) RSb[ ( Y3 ) & 0xFF ] ) ^
- ( (uint32_t) RSb[ ( Y2 >> 8 ) & 0xFF ] << 8 ) ^
- ( (uint32_t) RSb[ ( Y1 >> 16 ) & 0xFF ] << 16 ) ^
- ( (uint32_t) RSb[ ( Y0 >> 24 ) & 0xFF ] << 24 );
+ t.X[3] = *RK++ ^ \
+ ( (uint32_t) RSb[ ( t.Y[3] ) & 0xFF ] ) ^
+ ( (uint32_t) RSb[ ( t.Y[2] >> 8 ) & 0xFF ] << 8 ) ^
+ ( (uint32_t) RSb[ ( t.Y[1] >> 16 ) & 0xFF ] << 16 ) ^
+ ( (uint32_t) RSb[ ( t.Y[0] >> 24 ) & 0xFF ] << 24 );
- PUT_UINT32_LE( X0, output, 0 );
- PUT_UINT32_LE( X1, output, 4 );
- PUT_UINT32_LE( X2, output, 8 );
- PUT_UINT32_LE( X3, output, 12 );
+ PUT_UINT32_LE( t.X[0], output, 0 );
+ PUT_UINT32_LE( t.X[1], output, 4 );
+ PUT_UINT32_LE( t.X[2], output, 8 );
+ PUT_UINT32_LE( t.X[3], output, 12 );
- mbedtls_platform_zeroize( &X0, sizeof( X0 ) );
- mbedtls_platform_zeroize( &X1, sizeof( X1 ) );
- mbedtls_platform_zeroize( &X2, sizeof( X2 ) );
- mbedtls_platform_zeroize( &X3, sizeof( X3 ) );
-
- mbedtls_platform_zeroize( &Y0, sizeof( Y0 ) );
- mbedtls_platform_zeroize( &Y1, sizeof( Y1 ) );
- mbedtls_platform_zeroize( &Y2, sizeof( Y2 ) );
- mbedtls_platform_zeroize( &Y3, sizeof( Y3 ) );
-
- mbedtls_platform_zeroize( &RK, sizeof( RK ) );
+ mbedtls_platform_zeroize( &t, sizeof( t ) );
return( 0 );
}
@@ -1847,7 +1826,7 @@
mode = i & 1;
if( verbose != 0 )
- mbedtls_printf( " AES-ECB-%3d (%s): ", keybits,
+ mbedtls_printf( " AES-ECB-%3u (%s): ", keybits,
( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
memset( buf, 0, 16 );
@@ -1909,7 +1888,7 @@
mode = i & 1;
if( verbose != 0 )
- mbedtls_printf( " AES-CBC-%3d (%s): ", keybits,
+ mbedtls_printf( " AES-CBC-%3u (%s): ", keybits,
( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
memset( iv , 0, 16 );
@@ -1984,7 +1963,7 @@
mode = i & 1;
if( verbose != 0 )
- mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits,
+ mbedtls_printf( " AES-CFB128-%3u (%s): ", keybits,
( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
memcpy( iv, aes_test_cfb128_iv, 16 );
@@ -2047,7 +2026,7 @@
mode = i & 1;
if( verbose != 0 )
- mbedtls_printf( " AES-OFB-%3d (%s): ", keybits,
+ mbedtls_printf( " AES-OFB-%3u (%s): ", keybits,
( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
memcpy( iv, aes_test_ofb_iv, 16 );
diff --git a/lib/libmbedtls/mbedtls/library/aesni.c b/lib/libmbedtls/mbedtls/library/aesni.c
index 62469d3..996292f 100644
--- a/lib/libmbedtls/mbedtls/library/aesni.c
+++ b/lib/libmbedtls/mbedtls/library/aesni.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* AES-NI support functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -24,11 +22,7 @@
* [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_AESNI_C)
diff --git a/lib/libmbedtls/mbedtls/library/arc4.c b/lib/libmbedtls/mbedtls/library/arc4.c
index 9bb43dd..b34dc5e 100644
--- a/lib/libmbedtls/mbedtls/library/arc4.c
+++ b/lib/libmbedtls/mbedtls/library/arc4.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* An implementation of the ARCFOUR algorithm
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The ARCFOUR algorithm was publicly disclosed on 94/09.
@@ -24,11 +22,7 @@
* http://groups.google.com/group/sci.crypt/msg/10a300c9d21afca0
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ARC4_C)
diff --git a/lib/libmbedtls/mbedtls/library/aria.c b/lib/libmbedtls/mbedtls/library/aria.c
index a3dd893..a5786b3 100644
--- a/lib/libmbedtls/mbedtls/library/aria.c
+++ b/lib/libmbedtls/mbedtls/library/aria.c
@@ -1,8 +1,8 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/*
* ARIA implementation
*
- * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -25,11 +23,7 @@
* [2] https://tools.ietf.org/html/rfc5794
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ARIA_C)
@@ -927,7 +921,7 @@
{ \
if( verbose ) \
mbedtls_printf( "failed\n" ); \
- return( 1 ); \
+ goto exit; \
} else { \
if( verbose ) \
mbedtls_printf( "passed\n" ); \
@@ -941,6 +935,7 @@
int i;
uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE];
mbedtls_aria_context ctx;
+ int ret = 1;
#if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR))
size_t j;
@@ -952,6 +947,8 @@
uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE];
#endif
+ mbedtls_aria_init( &ctx );
+
/*
* Test set 1
*/
@@ -1071,7 +1068,11 @@
mbedtls_printf( "\n" );
#endif /* MBEDTLS_CIPHER_MODE_CTR */
- return( 0 );
+ ret = 0;
+
+exit:
+ mbedtls_aria_free( &ctx );
+ return( ret );
}
#endif /* MBEDTLS_SELF_TEST */
diff --git a/lib/libmbedtls/mbedtls/library/asn1parse.c b/lib/libmbedtls/mbedtls/library/asn1parse.c
index cb15b97..22747d3 100644
--- a/lib/libmbedtls/mbedtls/library/asn1parse.c
+++ b/lib/libmbedtls/mbedtls/library/asn1parse.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Generic ASN.1 parsing
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
diff --git a/lib/libmbedtls/mbedtls/library/asn1write.c b/lib/libmbedtls/mbedtls/library/asn1write.c
index 43d1321..deb1a2f 100644
--- a/lib/libmbedtls/mbedtls/library/asn1write.c
+++ b/lib/libmbedtls/mbedtls/library/asn1write.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* ASN.1 buffer writing functionality
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ASN1_WRITE_C)
diff --git a/lib/libmbedtls/mbedtls/library/base64.c b/lib/libmbedtls/mbedtls/library/base64.c
index 0401c06..1a05226 100644
--- a/lib/libmbedtls/mbedtls/library/base64.c
+++ b/lib/libmbedtls/mbedtls/library/base64.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* RFC 1521 base64 encoding/decoding
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_BASE64_C)
@@ -72,6 +66,99 @@
#define BASE64_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
/*
+ * Constant flow conditional assignment to unsigned char
+ */
+static void mbedtls_base64_cond_assign_uchar( unsigned char * dest, const unsigned char * const src,
+ unsigned char condition )
+{
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* Generate bitmask from condition, mask will either be 0xFF or 0 */
+ unsigned char mask = ( condition | -condition );
+ mask >>= 7;
+ mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ *dest = ( ( *src ) & mask ) | ( ( *dest ) & ~mask );
+}
+
+/*
+ * Constant flow conditional assignment to uint_32
+ */
+static void mbedtls_base64_cond_assign_uint32( uint32_t * dest, const uint32_t src,
+ uint32_t condition )
+{
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* Generate bitmask from condition, mask will either be 0xFFFFFFFF or 0 */
+ uint32_t mask = ( condition | -condition );
+ mask >>= 31;
+ mask = -mask;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ *dest = ( src & mask ) | ( ( *dest ) & ~mask );
+}
+
+/*
+ * Constant flow check for equality
+ */
+static unsigned char mbedtls_base64_eq( size_t in_a, size_t in_b )
+{
+ size_t difference = in_a ^ in_b;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ difference |= -difference;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ /* cope with the varying size of size_t per platform */
+ difference >>= ( sizeof( difference ) * 8 - 1 );
+
+ return (unsigned char) ( 1 ^ difference );
+}
+
+/*
+ * Constant flow lookup into table.
+ */
+static unsigned char mbedtls_base64_table_lookup( const unsigned char * const table,
+ const size_t table_size, const size_t table_index )
+{
+ size_t i;
+ unsigned char result = 0;
+
+ for( i = 0; i < table_size; ++i )
+ {
+ mbedtls_base64_cond_assign_uchar( &result, &table[i], mbedtls_base64_eq( i, table_index ) );
+ }
+
+ return result;
+}
+
+/*
* Encode a buffer into base64 format
*/
int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
@@ -111,10 +198,17 @@
C2 = *src++;
C3 = *src++;
- *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
- *p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
- *p++ = base64_enc_map[(((C2 & 15) << 2) + (C3 >> 6)) & 0x3F];
- *p++ = base64_enc_map[C3 & 0x3F];
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( C1 >> 2 ) & 0x3F ) );
+
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ) );
+
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( ( ( C2 & 15 ) << 2 ) + ( C3 >> 6 ) ) & 0x3F ) );
+
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( C3 & 0x3F ) );
}
if( i < slen )
@@ -122,11 +216,15 @@
C1 = *src++;
C2 = ( ( i + 1 ) < slen ) ? *src++ : 0;
- *p++ = base64_enc_map[(C1 >> 2) & 0x3F];
- *p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( C1 >> 2 ) & 0x3F ) );
+
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( ( ( C1 & 3 ) << 4 ) + ( C2 >> 4 ) ) & 0x3F ) );
if( ( i + 1 ) < slen )
- *p++ = base64_enc_map[((C2 & 15) << 2) & 0x3F];
+ *p++ = mbedtls_base64_table_lookup( base64_enc_map, sizeof( base64_enc_map ),
+ ( ( ( C2 & 15 ) << 2 ) & 0x3F ) );
else *p++ = '=';
*p++ = '=';
@@ -147,6 +245,7 @@
size_t i, n;
uint32_t j, x;
unsigned char *p;
+ unsigned char dec_map_lookup;
/* First pass: check for validity and get output length */
for( i = n = j = 0; i < slen; i++ )
@@ -177,10 +276,12 @@
if( src[i] == '=' && ++j > 2 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
- if( src[i] > 127 || base64_dec_map[src[i]] == 127 )
+ dec_map_lookup = mbedtls_base64_table_lookup( base64_dec_map, sizeof( base64_dec_map ), src[i] );
+
+ if( src[i] > 127 || dec_map_lookup == 127 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
- if( base64_dec_map[src[i]] < 64 && j != 0 )
+ if( dec_map_lookup < 64 && j != 0 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
n++;
@@ -210,8 +311,10 @@
if( *src == '\r' || *src == '\n' || *src == ' ' )
continue;
- j -= ( base64_dec_map[*src] == 64 );
- x = ( x << 6 ) | ( base64_dec_map[*src] & 0x3F );
+ dec_map_lookup = mbedtls_base64_table_lookup( base64_dec_map, sizeof( base64_dec_map ), *src );
+
+ mbedtls_base64_cond_assign_uint32( &j, j - 1, mbedtls_base64_eq( dec_map_lookup, 64 ) );
+ x = ( x << 6 ) | ( dec_map_lookup & 0x3F );
if( ++n == 4 )
{
diff --git a/lib/libmbedtls/mbedtls/library/bignum.c b/lib/libmbedtls/mbedtls/library/bignum.c
index 9478670..31ef3ee 100644
--- a/lib/libmbedtls/mbedtls/library/bignum.c
+++ b/lib/libmbedtls/mbedtls/library/bignum.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Multi-precision integer library
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -35,11 +33,7 @@
*
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
@@ -234,8 +228,35 @@
return( 0 );
}
+/* Resize X to have exactly n limbs and set it to 0. */
+static int mbedtls_mpi_resize_clear( mbedtls_mpi *X, size_t limbs )
+{
+ if( limbs == 0 )
+ {
+ mbedtls_mpi_free( X );
+ return( 0 );
+ }
+ else if( X->n == limbs )
+ {
+ memset( X->p, 0, limbs * ciL );
+ X->s = 1;
+ return( 0 );
+ }
+ else
+ {
+ mbedtls_mpi_free( X );
+ return( mbedtls_mpi_grow( X, limbs ) );
+ }
+}
+
/*
- * Copy the contents of Y into X
+ * Copy the contents of Y into X.
+ *
+ * This function is not constant-time. Leading zeros in Y may be removed.
+ *
+ * Ensure that X does not shrink. This is not guaranteed by the public API,
+ * but some code in the bignum module relies on this property, for example
+ * in mbedtls_mpi_exp_mod().
*/
int mbedtls_mpi_copy( mbedtls_mpi *X, const mbedtls_mpi *Y )
{
@@ -249,7 +270,11 @@
if( Y->n == 0 )
{
- mbedtls_mpi_free( X );
+ if( X->n != 0 )
+ {
+ X->s = 1;
+ memset( X->p, 0, X->n * ciL );
+ }
return( 0 );
}
@@ -290,6 +315,67 @@
memcpy( Y, &T, sizeof( mbedtls_mpi ) );
}
+/**
+ * Select between two sign values in constant-time.
+ *
+ * This is functionally equivalent to second ? a : b but uses only bit
+ * operations in order to avoid branches.
+ *
+ * \param[in] a The first sign; must be either +1 or -1.
+ * \param[in] b The second sign; must be either +1 or -1.
+ * \param[in] second Must be either 1 (return b) or 0 (return a).
+ *
+ * \return The selected sign value.
+ */
+static int mpi_safe_cond_select_sign( int a, int b, unsigned char second )
+{
+ /* In order to avoid questions about what we can reasonnably assume about
+ * the representations of signed integers, move everything to unsigned
+ * by taking advantage of the fact that a and b are either +1 or -1. */
+ unsigned ua = a + 1;
+ unsigned ub = b + 1;
+
+ /* second was 0 or 1, mask is 0 or 2 as are ua and ub */
+ const unsigned mask = second << 1;
+
+ /* select ua or ub */
+ unsigned ur = ( ua & ~mask ) | ( ub & mask );
+
+ /* ur is now 0 or 2, convert back to -1 or +1 */
+ return( (int) ur - 1 );
+}
+
+/*
+ * Conditionally assign dest = src, without leaking information
+ * about whether the assignment was made or not.
+ * dest and src must be arrays of limbs of size n.
+ * assign must be 0 or 1.
+ */
+static void mpi_safe_cond_assign( size_t n,
+ mbedtls_mpi_uint *dest,
+ const mbedtls_mpi_uint *src,
+ unsigned char assign )
+{
+ size_t i;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
+ const mbedtls_mpi_uint mask = -assign;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ for( i = 0; i < n; i++ )
+ dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
+}
+
/*
* Conditionally assign X = Y, without leaking information
* about whether the assignment was made or not.
@@ -299,21 +385,34 @@
{
int ret = 0;
size_t i;
+ mbedtls_mpi_uint limb_mask;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( Y != NULL );
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
/* make sure assign is 0 or 1 in a time-constant manner */
- assign = (assign | (unsigned char)-assign) >> 7;
+ assign = (assign | (unsigned char)-assign) >> (sizeof( assign ) * 8 - 1);
+ /* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
+ limb_mask = -assign;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
- X->s = X->s * ( 1 - assign ) + Y->s * assign;
+ X->s = mpi_safe_cond_select_sign( X->s, Y->s, assign );
- for( i = 0; i < Y->n; i++ )
- X->p[i] = X->p[i] * ( 1 - assign ) + Y->p[i] * assign;
+ mpi_safe_cond_assign( Y->n, X->p, Y->p, assign );
- for( ; i < X->n; i++ )
- X->p[i] *= ( 1 - assign );
+ for( i = Y->n; i < X->n; i++ )
+ X->p[i] &= ~limb_mask;
cleanup:
return( ret );
@@ -329,6 +428,7 @@
{
int ret, s;
size_t i;
+ mbedtls_mpi_uint limb_mask;
mbedtls_mpi_uint tmp;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( Y != NULL );
@@ -336,22 +436,35 @@
if( X == Y )
return( 0 );
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
/* make sure swap is 0 or 1 in a time-constant manner */
- swap = (swap | (unsigned char)-swap) >> 7;
+ swap = (swap | (unsigned char)-swap) >> (sizeof( swap ) * 8 - 1);
+ /* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
+ limb_mask = -swap;
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
s = X->s;
- X->s = X->s * ( 1 - swap ) + Y->s * swap;
- Y->s = Y->s * ( 1 - swap ) + s * swap;
+ X->s = mpi_safe_cond_select_sign( X->s, Y->s, swap );
+ Y->s = mpi_safe_cond_select_sign( Y->s, s, swap );
for( i = 0; i < X->n; i++ )
{
tmp = X->p[i];
- X->p[i] = X->p[i] * ( 1 - swap ) + Y->p[i] * swap;
- Y->p[i] = Y->p[i] * ( 1 - swap ) + tmp * swap;
+ X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
+ Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask );
}
cleanup:
@@ -508,6 +621,7 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i, j, slen, n;
+ int sign = 1;
mbedtls_mpi_uint d;
mbedtls_mpi T;
MPI_VALIDATE_RET( X != NULL );
@@ -518,6 +632,18 @@
mbedtls_mpi_init_mempool( &T );
+ if( s[0] == 0 )
+ {
+ mbedtls_mpi_free( X );
+ return( 0 );
+ }
+
+ if( s[0] == '-' )
+ {
+ ++s;
+ sign = -1;
+ }
+
slen = strlen( s );
if( radix == 16 )
@@ -532,12 +658,6 @@
for( i = slen, j = 0; i > 0; i--, j++ )
{
- if( i == 1 && s[i - 1] == '-' )
- {
- X->s = -1;
- break;
- }
-
MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i - 1] ) );
X->p[j / ( 2 * ciL )] |= d << ( ( j % ( 2 * ciL ) ) << 2 );
}
@@ -548,26 +668,15 @@
for( i = 0; i < slen; i++ )
{
- if( i == 0 && s[i] == '-' )
- {
- X->s = -1;
- continue;
- }
-
MBEDTLS_MPI_CHK( mpi_get_digit( &d, radix, s[i] ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_int( &T, X, radix ) );
-
- if( X->s == 1 )
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
- }
- else
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( X, &T, d ) );
- }
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( X, &T, d ) );
}
}
+ if( sign < 0 && mbedtls_mpi_bitlen( X ) != 0 )
+ X->s = -1;
+
cleanup:
mbedtls_mpi_free( &T );
@@ -886,14 +995,7 @@
size_t const limbs = CHARS_TO_LIMBS( buflen );
/* Ensure that target MPI has exactly the necessary number of limbs */
- if( X->n != limbs )
- {
- mbedtls_mpi_free( X );
- mbedtls_mpi_init( X );
- MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
- }
-
- MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
for( i = 0; i < buflen; i++ )
X->p[i / ciL] |= ((mbedtls_mpi_uint) buf[i]) << ((i % ciL) << 3);
@@ -922,19 +1024,11 @@
MPI_VALIDATE_RET( buflen == 0 || buf != NULL );
/* Ensure that target MPI has exactly the necessary number of limbs */
- if( X->n != limbs )
- {
- short use_mempool = X->use_mempool;
+ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
- mbedtls_mpi_free( X );
- mpi_init( X, use_mempool );
- MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
- }
- MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
-
- /* Avoid calling `memcpy` with NULL source argument,
+ /* Avoid calling `memcpy` with NULL source or destination argument,
* even if buflen is 0. */
- if( buf != NULL )
+ if( buflen != 0 )
{
Xp = (unsigned char*) X->p;
memcpy( Xp + overhead, buf, buflen );
@@ -1376,70 +1470,92 @@
return( ret );
}
-/*
- * Helper for mbedtls_mpi subtraction
+/**
+ * Helper for mbedtls_mpi subtraction.
+ *
+ * Calculate l - r where l and r have the same size.
+ * This function operates modulo (2^ciL)^n and returns the carry
+ * (1 if there was a wraparound, i.e. if `l < r`, and 0 otherwise).
+ *
+ * d may be aliased to l or r.
+ *
+ * \param n Number of limbs of \p d, \p l and \p r.
+ * \param[out] d The result of the subtraction.
+ * \param[in] l The left operand.
+ * \param[in] r The right operand.
+ *
+ * \return 1 if `l < r`.
+ * 0 if `l >= r`.
*/
-static void mpi_sub_hlp( size_t n, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d )
+static mbedtls_mpi_uint mpi_sub_hlp( size_t n,
+ mbedtls_mpi_uint *d,
+ const mbedtls_mpi_uint *l,
+ const mbedtls_mpi_uint *r )
{
size_t i;
- mbedtls_mpi_uint c, z;
+ mbedtls_mpi_uint c = 0, t, z;
- for( i = c = 0; i < n; i++, s++, d++ )
+ for( i = 0; i < n; i++ )
{
- z = ( *d < c ); *d -= c;
- c = ( *d < *s ) + z; *d -= *s;
+ z = ( l[i] < c ); t = l[i] - c;
+ c = ( t < r[i] ) + z; d[i] = t - r[i];
}
- while( c != 0 )
- {
- z = ( *d < c ); *d -= c;
- c = z; d++;
- }
+ return( c );
}
/*
- * Unsigned subtraction: X = |A| - |B| (HAC 14.9)
+ * Unsigned subtraction: X = |A| - |B| (HAC 14.9, 14.10)
*/
int mbedtls_mpi_sub_abs( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi *B )
{
- mbedtls_mpi TB;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t n;
+ mbedtls_mpi_uint carry;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
MPI_VALIDATE_RET( B != NULL );
- if( mbedtls_mpi_cmp_abs( A, B ) < 0 )
- return( MBEDTLS_ERR_MPI_NEGATIVE_VALUE );
-
- mbedtls_mpi_init_mempool( &TB );
-
- if( X == B )
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &TB, B ) );
- B = &TB;
- }
-
- if( X != A )
- MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
-
- /*
- * X should always be positive as a result of unsigned subtractions.
- */
- X->s = 1;
-
- ret = 0;
-
for( n = B->n; n > 0; n-- )
if( B->p[n - 1] != 0 )
break;
+ if( n > A->n )
+ {
+ /* B >= (2^ciL)^n > A */
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
- mpi_sub_hlp( n, B->p, X->p );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, A->n ) );
+
+ /* Set the high limbs of X to match A. Don't touch the lower limbs
+ * because X might be aliased to B, and we must not overwrite the
+ * significant digits of B. */
+ if( A->n > n )
+ memcpy( X->p + n, A->p + n, ( A->n - n ) * ciL );
+ if( X->n > A->n )
+ memset( X->p + A->n, 0, ( X->n - A->n ) * ciL );
+
+ carry = mpi_sub_hlp( n, X->p, A->p, B->p );
+ if( carry != 0 )
+ {
+ /* Propagate the carry to the first nonzero limb of X. */
+ for( ; n < X->n && X->p[n] == 0; n++ )
+ --X->p[n];
+ /* If we ran out of space for the carry, it means that the result
+ * is negative. */
+ if( n == X->n )
+ {
+ ret = MBEDTLS_ERR_MPI_NEGATIVE_VALUE;
+ goto cleanup;
+ }
+ --X->p[n];
+ }
+
+ /* X should always be positive as a result of unsigned subtractions. */
+ X->s = 1;
cleanup:
-
- mbedtls_mpi_free( &TB );
-
return( ret );
}
@@ -1549,8 +1665,21 @@
return( mbedtls_mpi_sub_mpi( X, A, &_B ) );
}
-/*
- * Helper for mbedtls_mpi multiplication
+/** Helper for mbedtls_mpi multiplication.
+ *
+ * Add \p b * \p s to \p d.
+ *
+ * \param i The number of limbs of \p s.
+ * \param[in] s A bignum to multiply, of size \p i.
+ * It may overlap with \p d, but only if
+ * \p d <= \p s.
+ * Its leading limb must not be \c 0.
+ * \param[in,out] d The bignum to add to.
+ * It must be sufficiently large to store the
+ * result of the multiplication. This means
+ * \p i + 1 limbs if \p d[\p i - 1] started as 0 and \p b
+ * is not known a priori.
+ * \param b A scalar to multiply.
*/
static
#if defined(__APPLE__) && defined(__arm__)
@@ -1560,7 +1689,10 @@
*/
__attribute__ ((noinline))
#endif
-void mpi_mul_hlp( size_t i, mbedtls_mpi_uint *s, mbedtls_mpi_uint *d, mbedtls_mpi_uint b )
+void mpi_mul_hlp( size_t i,
+ const mbedtls_mpi_uint *s,
+ mbedtls_mpi_uint *d,
+ mbedtls_mpi_uint b )
{
mbedtls_mpi_uint c = 0, t = 0;
@@ -1615,10 +1747,10 @@
t++;
- do {
+ while( c != 0 )
+ {
*d += c; c = ( *d < c ); d++;
}
- while( c != 0 );
}
/*
@@ -1629,6 +1761,7 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i, j;
mbedtls_mpi TA, TB;
+ int result_is_zero = 0;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
MPI_VALIDATE_RET( B != NULL );
@@ -1641,10 +1774,14 @@
for( i = A->n; i > 0; i-- )
if( A->p[i - 1] != 0 )
break;
+ if( i == 0 )
+ result_is_zero = 1;
for( j = B->n; j > 0; j-- )
if( B->p[j - 1] != 0 )
break;
+ if( j == 0 )
+ result_is_zero = 1;
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, i + j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
@@ -1652,7 +1789,14 @@
for( ; j > 0; j-- )
mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
- X->s = A->s * B->s;
+ /* If the result is 0, we don't shortcut the operation, which reduces
+ * but does not eliminate side channels leaking the zero-ness. We do
+ * need to take care to set the sign bit properly since the library does
+ * not fully support an MPI object with a value of 0 and s == -1. */
+ if( result_is_zero )
+ X->s = 1;
+ else
+ X->s = A->s * B->s;
cleanup:
@@ -1666,17 +1810,37 @@
*/
int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, mbedtls_mpi_uint b )
{
- mbedtls_mpi _B;
- mbedtls_mpi_uint p[1];
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( A != NULL );
- _B.s = 1;
- _B.n = 1;
- _B.p = p;
- p[0] = b;
+ /* mpi_mul_hlp can't deal with a leading 0. */
+ size_t n = A->n;
+ while( n > 0 && A->p[n - 1] == 0 )
+ --n;
- return( mbedtls_mpi_mul_mpi( X, A, &_B ) );
+ /* The general method below doesn't work if n==0 or b==0. By chance
+ * calculating the result is trivial in those cases. */
+ if( b == 0 || n == 0 )
+ {
+ return( mbedtls_mpi_lset( X, 0 ) );
+ }
+
+ /* Calculate A*b as A + A*(b-1) to take advantage of mpi_mul_hlp */
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* In general, A * b requires 1 limb more than b. If
+ * A->p[n - 1] * b / b == A->p[n - 1], then A * b fits in the same
+ * number of limbs as A and the call to grow() is not required since
+ * copy() will take care of the growth if needed. However, experimentally,
+ * making the call to grow() unconditional causes slightly fewer
+ * calls to calloc() in ECP code, presumably because it reuses the
+ * same mpi for a while and this way the mpi is more likely to directly
+ * grow to its final size. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, n + 1 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, A ) );
+ mpi_mul_hlp( n, A->p, X->p, b - 1 );
+
+cleanup:
+ return( ret );
}
/*
@@ -1817,7 +1981,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &Z, A->n + 2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &Z, 0 ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, 2 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T1, A->n + 2 ) );
k = mbedtls_mpi_bitlen( &Y ) % biL;
if( k < biL - 1 )
@@ -2010,7 +2174,7 @@
/*
* Fast Montgomery initialization (thanks to Tom St Denis)
*/
-void mbedtls_mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
+static void mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
{
mbedtls_mpi_uint x, m0 = N->p[0];
unsigned int i;
@@ -2024,19 +2188,39 @@
*mm = ~x + 1;
}
-/*
- * Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
+void mbedtls_mpi_montg_init( mbedtls_mpi_uint *mm, const mbedtls_mpi *N )
+{
+ mpi_montg_init( mm, N );
+}
+
+/** Montgomery multiplication: A = A * B * R^-1 mod N (HAC 14.36)
+ *
+ * \param[in,out] A One of the numbers to multiply.
+ * It must have at least as many limbs as N
+ * (A->n >= N->n), and any limbs beyond n are ignored.
+ * On successful completion, A contains the result of
+ * the multiplication A * B * R^-1 mod N where
+ * R = (2^ciL)^n.
+ * \param[in] B One of the numbers to multiply.
+ * It must be nonzero and must not have more limbs than N
+ * (B->n <= N->n).
+ * \param[in] N The modulo. N must be odd.
+ * \param mm The value calculated by `mpi_montg_init(&mm, N)`.
+ * This is -N^-1 mod 2^ciL.
+ * \param[in,out] T A bignum for temporary storage.
+ * It must be at least twice the limb size of N plus 2
+ * (T->n >= 2 * (N->n + 1)).
+ * Its initial content is unused and
+ * its final content is indeterminate.
+ * Note that unlike the usual convention in the library
+ * for `const mbedtls_mpi*`, the content of T can change.
*/
-int mbedtls_mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B,
- const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+static void mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
const mbedtls_mpi *T )
{
size_t i, n, m;
mbedtls_mpi_uint u0, u1, *d;
- if( T->n < N->n + 1 || T->p == NULL )
- return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
-
memset( T->p, 0, T->n * ciL );
d = T->p;
@@ -2057,22 +2241,40 @@
*d++ = u0; d[n + 1] = 0;
}
- memcpy( A->p, d, ( n + 1 ) * ciL );
+ /* At this point, d is either the desired result or the desired result
+ * plus N. We now potentially subtract N, avoiding leaking whether the
+ * subtraction is performed through side channels. */
- if( mbedtls_mpi_cmp_abs( A, N ) >= 0 )
- mpi_sub_hlp( n, N->p, A->p );
- else
- /* prevent timing attacks */
- mpi_sub_hlp( n, A->p, T->p );
+ /* Copy the n least significant limbs of d to A, so that
+ * A = d if d < N (recall that N has n limbs). */
+ memcpy( A->p, d, n * ciL );
+ /* If d >= N then we want to set A to d - N. To prevent timing attacks,
+ * do the calculation without using conditional tests. */
+ /* Set d to d0 + (2^biL)^n - N where d0 is the current value of d. */
+ d[n] += 1;
+ d[n] -= mpi_sub_hlp( n, d, d, N->p );
+ /* If d0 < N then d < (2^biL)^n
+ * so d[n] == 0 and we want to keep A as it is.
+ * If d0 >= N then d >= (2^biL)^n, and d <= (2^biL)^n + N < 2 * (2^biL)^n
+ * so d[n] == 1 and we want to set A to the result of the subtraction
+ * which is d - (2^biL)^n, i.e. the n least significant limbs of d.
+ * This exactly corresponds to a conditional assignment. */
+ mpi_safe_cond_assign( n, A->p, d, (unsigned char) d[n] );
+}
- return( 0 );
+void mbedtls_mpi_montmul( mbedtls_mpi *A, const mbedtls_mpi *B, const mbedtls_mpi *N, mbedtls_mpi_uint mm,
+ const mbedtls_mpi *T )
+{
+ mpi_montmul( A, B, N, mm, T);
}
/*
* Montgomery reduction: A = A * R^-1 mod N
+ *
+ * See mpi_montmul() regarding constraints and guarantees on the parameters.
*/
-int mbedtls_mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
- mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+static void mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+ mbedtls_mpi_uint mm, const mbedtls_mpi *T )
{
mbedtls_mpi_uint z = 1;
mbedtls_mpi U;
@@ -2080,7 +2282,78 @@
U.n = U.s = (int) z;
U.p = &z;
- return( mbedtls_mpi_montmul( A, &U, N, mm, T ) );
+ mpi_montmul( A, &U, N, mm, T );
+}
+
+void mbedtls_mpi_montred( mbedtls_mpi *A, const mbedtls_mpi *N,
+ mbedtls_mpi_uint mm, const mbedtls_mpi *T )
+{
+ mpi_montred( A, N, mm, T );
+}
+
+/*
+ * Constant-flow boolean "equal" comparison:
+ * return x == y
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations - it can be used in conjunction with
+ * mbedtls_ssl_cf_mask_from_bit().
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_mpi_cf_bool_eq( size_t x, size_t y )
+{
+ /* diff = 0 if x == y, non-zero otherwise */
+ const size_t diff = x ^ y;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* diff_msb's most significant bit is equal to x != y */
+ const size_t diff_msb = ( diff | (size_t) -diff );
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ /* diff1 = (x != y) ? 1 : 0 */
+ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+ return( 1 ^ diff1 );
+}
+
+/**
+ * Select an MPI from a table without leaking the index.
+ *
+ * This is functionally equivalent to mbedtls_mpi_copy(R, T[idx]) except it
+ * reads the entire table in order to avoid leaking the value of idx to an
+ * attacker able to observe memory access patterns.
+ *
+ * \param[out] R Where to write the selected MPI.
+ * \param[in] T The table to read from.
+ * \param[in] T_size The number of elements in the table.
+ * \param[in] idx The index of the element to select;
+ * this must satisfy 0 <= idx < T_size.
+ *
+ * \return \c 0 on success, or a negative error code.
+ */
+static int mpi_select( mbedtls_mpi *R, const mbedtls_mpi *T, size_t T_size, size_t idx )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ for( size_t i = 0; i < T_size; i++ )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_safe_cond_assign( R, &T[i],
+ (unsigned char) mbedtls_mpi_cf_bool_eq( i, idx ) ) );
+ }
+
+cleanup:
+ return( ret );
}
/*
@@ -2095,7 +2368,7 @@
size_t i, j, nblimbs;
size_t bufsize, nbits;
mbedtls_mpi_uint ei, mm, state;
- mbedtls_mpi RR, T, Apos;
+ mbedtls_mpi RR, T, WW, Apos;
mbedtls_mpi *W = NULL;
const size_t array_size_W = 2 << MBEDTLS_MPI_WINDOW_SIZE;
int neg;
@@ -2111,12 +2384,17 @@
if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+ if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
+ mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
+ return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
/*
* Init temps and window size
*/
- mbedtls_mpi_montg_init( &mm, N );
- mbedtls_mpi_init_mempool( &RR ); mbedtls_mpi_init_mempool( &T );
+ mpi_montg_init( &mm, N );
+ mbedtls_mpi_init_mempool( &RR ); mbedtls_mpi_init( &T );
mbedtls_mpi_init_mempool( &Apos );
+ mbedtls_mpi_init_mempool( &WW );
i = mbedtls_mpi_bitlen( E );
@@ -2129,6 +2407,11 @@
#endif
j = N->n + 1;
+ /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
+ * and mpi_montred() calls later. Here we ensure that W[1] and X are
+ * large enough, and later we'll grow other W[i] to the same length.
+ * They must not be shrunk midway through this function!
+ */
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
@@ -2173,17 +2456,25 @@
* W[1] = A * R^2 * R^-1 mod N = A * R mod N
*/
if( mbedtls_mpi_cmp_mpi( A, N ) >= 0 )
+ {
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &W[1], A, N ) );
+ /* This should be a no-op because W[1] is already that large before
+ * mbedtls_mpi_mod_mpi(), but it's necessary to avoid an overflow
+ * in mpi_montmul() below, so let's make sure. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], N->n + 1 ) );
+ }
else
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[1], A ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( &W[1], &RR, N, mm, &T ) );
+ /* Note that this is safe because W[1] always has at least N->n limbs
+ * (it grew above and was preserved by mbedtls_mpi_copy()). */
+ mpi_montmul( &W[1], &RR, N, mm, &T );
/*
* X = R^2 * R^-1 mod N = R mod N
*/
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_montred( X, N, mm, &T ) );
+ mpi_montred( X, N, mm, &T );
if( wsize > 1 )
{
@@ -2196,7 +2487,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[j], &W[1] ) );
for( i = 0; i < wsize - 1; i++ )
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( &W[j], &W[j], N, mm, &T ) );
+ mpi_montmul( &W[j], &W[j], N, mm, &T );
/*
* W[i] = W[i - 1] * W[1]
@@ -2206,7 +2497,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( &W[i], &W[1], N, mm, &T ) );
+ mpi_montmul( &W[i], &W[1], N, mm, &T );
}
}
@@ -2243,7 +2534,7 @@
/*
* out of window, square X
*/
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( X, X, N, mm, &T ) );
+ mpi_montmul( X, X, N, mm, &T );
continue;
}
@@ -2261,12 +2552,13 @@
* X = X^wsize R^-1 mod N
*/
for( i = 0; i < wsize; i++ )
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( X, X, N, mm, &T ) );
+ mpi_montmul( X, X, N, mm, &T );
/*
* X = X * W[wbits] R^-1 mod N
*/
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( X, &W[wbits], N, mm, &T ) );
+ MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) );
+ mpi_montmul( X, &WW, N, mm, &T );
state--;
nbits = 0;
@@ -2279,18 +2571,18 @@
*/
for( i = 0; i < nbits; i++ )
{
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( X, X, N, mm, &T ) );
+ mpi_montmul( X, X, N, mm, &T );
wbits <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_montmul( X, &W[1], N, mm, &T ) );
+ mpi_montmul( X, &W[1], N, mm, &T );
}
/*
* X = A^E * R * R^-1 mod N = A^E mod N
*/
- MBEDTLS_MPI_CHK( mbedtls_mpi_montred( X, N, mm, &T ) );
+ mpi_montred( X, N, mm, &T );
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{
@@ -2306,6 +2598,7 @@
mempool_free( mbedtls_mpi_mempool , W );
mbedtls_mpi_free( &T ); mbedtls_mpi_free( &Apos );
+ mbedtls_mpi_free( &WW );
if( _RR == NULL || _RR->p == NULL )
mbedtls_mpi_free( &RR );
@@ -2334,19 +2627,67 @@
lz = mbedtls_mpi_lsb( &TA );
lzt = mbedtls_mpi_lsb( &TB );
+ /* The loop below gives the correct result when A==0 but not when B==0.
+ * So have a special case for B==0. Leverage the fact that we just
+ * calculated the lsb and lsb(B)==0 iff B is odd or 0 to make the test
+ * slightly more efficient than cmp_int(). */
+ if( lzt == 0 && mbedtls_mpi_get_bit( &TB, 0 ) == 0 )
+ {
+ ret = mbedtls_mpi_copy( G, A );
+ goto cleanup;
+ }
+
if( lzt < lz )
lz = lzt;
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, lz ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, lz ) );
-
TA.s = TB.s = 1;
+ /* We mostly follow the procedure described in HAC 14.54, but with some
+ * minor differences:
+ * - Sequences of multiplications or divisions by 2 are grouped into a
+ * single shift operation.
+ * - The procedure in HAC assumes that 0 < TB <= TA.
+ * - The condition TB <= TA is not actually necessary for correctness.
+ * TA and TB have symmetric roles except for the loop termination
+ * condition, and the shifts at the beginning of the loop body
+ * remove any significance from the ordering of TA vs TB before
+ * the shifts.
+ * - If TA = 0, the loop goes through 0 iterations and the result is
+ * correctly TB.
+ * - The case TB = 0 was short-circuited above.
+ *
+ * For the correctness proof below, decompose the original values of
+ * A and B as
+ * A = sa * 2^a * A' with A'=0 or A' odd, and sa = +-1
+ * B = sb * 2^b * B' with B'=0 or B' odd, and sb = +-1
+ * Then gcd(A, B) = 2^{min(a,b)} * gcd(A',B'),
+ * and gcd(A',B') is odd or 0.
+ *
+ * At the beginning, we have TA = |A| and TB = |B| so gcd(A,B) = gcd(TA,TB).
+ * The code maintains the following invariant:
+ * gcd(A,B) = 2^k * gcd(TA,TB) for some k (I)
+ */
+
+ /* Proof that the loop terminates:
+ * At each iteration, either the right-shift by 1 is made on a nonzero
+ * value and the nonnegative integer bitlen(TA) + bitlen(TB) decreases
+ * by at least 1, or the right-shift by 1 is made on zero and then
+ * TA becomes 0 which ends the loop (TB cannot be 0 if it is right-shifted
+ * since in that case TB is calculated from TB-TA with the condition TB>TA).
+ */
while( mbedtls_mpi_cmp_int( &TA, 0 ) != 0 )
{
+ /* Divisions by 2 preserve the invariant (I). */
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TA, mbedtls_mpi_lsb( &TA ) ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, mbedtls_mpi_lsb( &TB ) ) );
+ /* Set either TA or TB to |TA-TB|/2. Since TA and TB are both odd,
+ * TA-TB is even so the division by 2 has an integer result.
+ * Invariant (I) is preserved since any odd divisor of both TA and TB
+ * also divides |TA-TB|/2, and any odd divisor of both TA and |TA-TB|/2
+ * also divides TB, and any odd divisior of both TB and |TA-TB|/2 also
+ * divides TA.
+ */
if( mbedtls_mpi_cmp_mpi( &TA, &TB ) >= 0 )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TA, &TA, &TB ) );
@@ -2357,8 +2698,18 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( &TB, &TB, &TA ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &TB, 1 ) );
}
+ /* Note that one of TA or TB is still odd. */
}
+ /* By invariant (I), gcd(A,B) = 2^k * gcd(TA,TB) for some k.
+ * At the loop exit, TA = 0, so gcd(TA,TB) = TB.
+ * - If there was at least one loop iteration, then one of TA or TB is odd,
+ * and TA = 0, so TB is odd and gcd(TA,TB) = gcd(A',B'). In this case,
+ * lz = min(a,b) so gcd(A,B) = 2^lz * TB.
+ * - If there was no loop iteration, then A was 0, and gcd(A,B) = B.
+ * In this case, lz = 0 and B = TB so gcd(A,B) = B = 2^lz * TB as well.
+ */
+
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_l( &TB, lz ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( G, &TB ) );
@@ -2369,6 +2720,33 @@
return( ret );
}
+/* Fill X with n_bytes random bytes.
+ * X must already have room for those bytes.
+ * The ordering of the bytes returned from the RNG is suitable for
+ * deterministic ECDSA (see RFC 6979 §3.3 and mbedtls_mpi_random()).
+ * The size and sign of X are unchanged.
+ * n_bytes must not be 0.
+ */
+static int mpi_fill_random_internal(
+ mbedtls_mpi *X, size_t n_bytes,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ const size_t limbs = CHARS_TO_LIMBS( n_bytes );
+ const size_t overhead = ( limbs * ciL ) - n_bytes;
+
+ if( X->n < limbs )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+ memset( X->p, 0, overhead );
+ memset( (unsigned char *) X->p + limbs * ciL, 0, ( X->n - limbs ) * ciL );
+ MBEDTLS_MPI_CHK( f_rng( p_rng, (unsigned char *) X->p + overhead, n_bytes ) );
+ mpi_bigendian_to_host( X->p, limbs );
+
+cleanup:
+ return( ret );
+}
+
/*
* Fill X with size bytes of random.
*
@@ -2382,30 +2760,96 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t const limbs = CHARS_TO_LIMBS( size );
- size_t const overhead = ( limbs * ciL ) - size;
- unsigned char *Xp;
MPI_VALIDATE_RET( X != NULL );
MPI_VALIDATE_RET( f_rng != NULL );
/* Ensure that target MPI has exactly the necessary number of limbs */
- if( X->n != limbs )
- {
- mbedtls_mpi_free( X );
- mbedtls_mpi_init( X );
- MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
- }
- MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, limbs ) );
+ if( size == 0 )
+ return( 0 );
- Xp = (unsigned char*) X->p;
- f_rng( p_rng, Xp + overhead, size );
-
- mpi_bigendian_to_host( X->p, limbs );
+ ret = mpi_fill_random_internal( X, size, f_rng, p_rng );
cleanup:
return( ret );
}
+int mbedtls_mpi_random( mbedtls_mpi *X,
+ mbedtls_mpi_sint min,
+ const mbedtls_mpi *N,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
+ int count;
+ unsigned lt_lower = 1, lt_upper = 0;
+ size_t n_bits = mbedtls_mpi_bitlen( N );
+ size_t n_bytes = ( n_bits + 7 ) / 8;
+ mbedtls_mpi lower_bound;
+
+ if( min < 0 )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+ if( mbedtls_mpi_cmp_int( N, min ) <= 0 )
+ return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
+
+ /*
+ * When min == 0, each try has at worst a probability 1/2 of failing
+ * (the msb has a probability 1/2 of being 0, and then the result will
+ * be < N), so after 30 tries failure probability is a most 2**(-30).
+ *
+ * When N is just below a power of 2, as is the case when generating
+ * a random scalar on most elliptic curves, 1 try is enough with
+ * overwhelming probability. When N is just above a power of 2,
+ * as when generating a random scalar on secp224k1, each try has
+ * a probability of failing that is almost 1/2.
+ *
+ * The probabilities are almost the same if min is nonzero but negligible
+ * compared to N. This is always the case when N is crypto-sized, but
+ * it's convenient to support small N for testing purposes. When N
+ * is small, use a higher repeat count, otherwise the probability of
+ * failure is macroscopic.
+ */
+ count = ( n_bytes > 4 ? 30 : 250 );
+
+ mbedtls_mpi_init( &lower_bound );
+
+ /* Ensure that target MPI has exactly the same number of limbs
+ * as the upper bound, even if the upper bound has leading zeros.
+ * This is necessary for the mbedtls_mpi_lt_mpi_ct() check. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_resize_clear( X, N->n ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &lower_bound, N->n ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &lower_bound, min ) );
+
+ /*
+ * Match the procedure given in RFC 6979 §3.3 (deterministic ECDSA)
+ * when f_rng is a suitably parametrized instance of HMAC_DRBG:
+ * - use the same byte ordering;
+ * - keep the leftmost n_bits bits of the generated octet string;
+ * - try until result is in the desired range.
+ * This also avoids any bias, which is especially important for ECDSA.
+ */
+ do
+ {
+ MBEDTLS_MPI_CHK( mpi_fill_random_internal( X, n_bytes, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( X, 8 * n_bytes - n_bits ) );
+
+ if( --count == 0 )
+ {
+ ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, &lower_bound, <_lower ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lt_mpi_ct( X, N, <_upper ) );
+ }
+ while( lt_lower != 0 || lt_upper == 0 );
+
+cleanup:
+ mbedtls_mpi_free( &lower_bound );
+ return( ret );
+}
+
/*
* Modular inverse: X = A^-1 mod N (HAC 14.61 / 14.64)
*/
@@ -3005,7 +3449,7 @@
cleanup:
if( ret != 0 && verbose != 0 )
- mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+ mbedtls_printf( "Unexpected error, return code = %08X\n", (unsigned int) ret );
mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N ); mbedtls_mpi_free( &X );
mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &U ); mbedtls_mpi_free( &V );
diff --git a/lib/libmbedtls/mbedtls/library/blowfish.c b/lib/libmbedtls/mbedtls/library/blowfish.c
index 1013e93..76da448 100644
--- a/lib/libmbedtls/mbedtls/library/blowfish.c
+++ b/lib/libmbedtls/mbedtls/library/blowfish.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Blowfish implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The Blowfish block cipher was designed by Bruce Schneier in 1993.
@@ -25,11 +23,7 @@
*
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_BLOWFISH_C)
diff --git a/lib/libmbedtls/mbedtls/library/camellia.c b/lib/libmbedtls/mbedtls/library/camellia.c
index bd6b771..f7e0136 100644
--- a/lib/libmbedtls/mbedtls/library/camellia.c
+++ b/lib/libmbedtls/mbedtls/library/camellia.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Camellia implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The Camellia block cipher was designed by NTT and Mitsubishi Electric
@@ -25,11 +23,7 @@
* http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/01espec.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CAMELLIA_C)
@@ -948,9 +942,11 @@
unsigned char nonce_counter[16];
unsigned char stream_block[16];
#endif
+ int ret = 1;
mbedtls_camellia_context ctx;
+ mbedtls_camellia_init( &ctx );
memset( key, 0, 32 );
for( j = 0; j < 6; j++ ) {
@@ -980,8 +976,7 @@
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
-
- return( 1 );
+ goto exit;
}
}
@@ -1033,8 +1028,7 @@
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
-
- return( 1 );
+ goto exit;
}
}
@@ -1077,8 +1071,7 @@
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
-
- return( 1 );
+ goto exit;
}
}
else
@@ -1093,8 +1086,7 @@
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
-
- return( 1 );
+ goto exit;
}
}
@@ -1106,7 +1098,11 @@
mbedtls_printf( "\n" );
#endif /* MBEDTLS_CIPHER_MODE_CTR */
- return( 0 );
+ ret = 0;
+
+exit:
+ mbedtls_camellia_free( &ctx );
+ return( ret );
}
#endif /* MBEDTLS_SELF_TEST */
diff --git a/lib/libmbedtls/mbedtls/library/ccm.c b/lib/libmbedtls/mbedtls/library/ccm.c
index 4c070ab..424ee77 100644
--- a/lib/libmbedtls/mbedtls/library/ccm.c
+++ b/lib/libmbedtls/mbedtls/library/ccm.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* NIST SP800-38C compliant CCM implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -28,11 +26,7 @@
* RFC 5116 "An Interface and Algorithms for Authenticated Encryption"
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CCM_C)
@@ -181,7 +175,7 @@
if( iv_len < 7 || iv_len > 13 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
- if( add_len > 0xFF00 )
+ if( add_len >= 0xFF00 )
return( MBEDTLS_ERR_CCM_BAD_INPUT );
q = 16 - 1 - (unsigned char) iv_len;
diff --git a/lib/libmbedtls/mbedtls/library/certs.c b/lib/libmbedtls/mbedtls/library/certs.c
index 1d879a1..a5695e3 100644
--- a/lib/libmbedtls/mbedtls/library/certs.c
+++ b/lib/libmbedtls/mbedtls/library/certs.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 test certificates
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#include "mbedtls/certs.h"
diff --git a/lib/libmbedtls/mbedtls/library/chacha20.c b/lib/libmbedtls/mbedtls/library/chacha20.c
index f991b21..78467d3 100644
--- a/lib/libmbedtls/mbedtls/library/chacha20.c
+++ b/lib/libmbedtls/mbedtls/library/chacha20.c
@@ -1,4 +1,3 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file chacha20.c
*
@@ -6,7 +5,8 @@
*
* \author Daniel King <damaki.gh@gmail.com>
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,15 +19,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CHACHA20_C)
@@ -520,6 +514,9 @@
375U
};
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
#define ASSERT( cond, args ) \
do \
{ \
diff --git a/lib/libmbedtls/mbedtls/library/chachapoly.c b/lib/libmbedtls/mbedtls/library/chachapoly.c
index 117521f..77d5477 100644
--- a/lib/libmbedtls/mbedtls/library/chachapoly.c
+++ b/lib/libmbedtls/mbedtls/library/chachapoly.c
@@ -1,10 +1,10 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file chachapoly.c
*
* \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -17,14 +17,8 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CHACHAPOLY_C)
@@ -476,6 +470,9 @@
}
};
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
#define ASSERT( cond, args ) \
do \
{ \
diff --git a/lib/libmbedtls/mbedtls/library/check_crypto_config.h b/lib/libmbedtls/mbedtls/library/check_crypto_config.h
new file mode 100644
index 0000000..d7ad16a
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/check_crypto_config.h
@@ -0,0 +1,91 @@
+/**
+ * \file check_crypto_config.h
+ *
+ * \brief Consistency checks for PSA configuration options
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * It is recommended to include this file from your crypto_config.h
+ * in order to catch dependency issues early.
+ */
+
+#ifndef MBEDTLS_CHECK_CRYPTO_CONFIG_H
+#define MBEDTLS_CHECK_CRYPTO_CONFIG_H
+
+#if defined(PSA_WANT_ALG_CCM) && \
+ !( defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) )
+#error "PSA_WANT_ALG_CCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_CMAC) && \
+ !( defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) || \
+ defined(PSA_WANT_KEY_TYPE_DES) )
+#error "PSA_WANT_ALG_CMAC defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
+ !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_ECDSA) && \
+ !( defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_GCM) && \
+ !( defined(PSA_WANT_KEY_TYPE_AES) || \
+ defined(PSA_WANT_KEY_TYPE_CAMELLIA) )
+#error "PSA_WANT_ALG_GCM defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
+ !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
+ !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_OAEP) && \
+ !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_ALG_RSA_PSS) && \
+ !( defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
+ defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) )
+#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
+#endif
+
+#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \
+ !defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
+#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR defined, but not all prerequisites"
+#endif
+
+#endif /* MBEDTLS_CHECK_CRYPTO_CONFIG_H */
diff --git a/lib/libmbedtls/mbedtls/library/cipher.c b/lib/libmbedtls/mbedtls/library/cipher.c
index 21235ff..789185c 100644
--- a/lib/libmbedtls/mbedtls/library/cipher.c
+++ b/lib/libmbedtls/mbedtls/library/cipher.c
@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file cipher.c
*
@@ -6,7 +5,8 @@
*
* \author Adriaan de Jong <dejong@fox-it.com>
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,15 +19,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CIPHER_C)
@@ -1333,23 +1327,16 @@
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
/*
- * Packet-oriented encryption for AEAD modes
+ * Packet-oriented encryption for AEAD modes: internal function shared by
+ * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
*/
-int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len )
{
- CIPHER_VALIDATE_RET( ctx != NULL );
- CIPHER_VALIDATE_RET( iv != NULL );
- CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
- CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
- CIPHER_VALIDATE_RET( output != NULL );
- CIPHER_VALIDATE_RET( olen != NULL );
- CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ctx->psa_enabled == 1 )
{
@@ -1365,7 +1352,7 @@
/* PSA Crypto API always writes the authentication tag
* at the end of the encrypted message. */
- if( tag != output + ilen )
+ if( output == NULL || tag != output + ilen )
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
status = psa_aead_encrypt( cipher_psa->slot,
@@ -1415,44 +1402,21 @@
ilen, iv, ad, ad_len, input, output, tag ) );
}
#endif /* MBEDTLS_CHACHAPOLY_C */
-#if defined(MBEDTLS_NIST_KW_C)
- if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
- MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
- {
- mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
- MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
-
- /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
- if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
- {
- return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
- }
-
- return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
- }
-#endif /* MBEDTLS_NIST_KW_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
/*
- * Packet-oriented decryption for AEAD modes
+ * Packet-oriented encryption for AEAD modes: internal function shared by
+ * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
*/
-int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len )
{
- CIPHER_VALIDATE_RET( ctx != NULL );
- CIPHER_VALIDATE_RET( iv != NULL );
- CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
- CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
- CIPHER_VALIDATE_RET( output != NULL );
- CIPHER_VALIDATE_RET( olen != NULL );
- CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
-
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ctx->psa_enabled == 1 )
{
@@ -1468,7 +1432,7 @@
/* PSA Crypto API always writes the authentication tag
* at the end of the encrypted message. */
- if( tag != input + ilen )
+ if( input == NULL || tag != input + ilen )
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
status = psa_aead_decrypt( cipher_psa->slot,
@@ -1540,25 +1504,169 @@
return( ret );
}
#endif /* MBEDTLS_CHACHAPOLY_C */
+
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+}
+
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+/*
+ * Packet-oriented encryption for AEAD modes: public legacy function.
+ */
+int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ unsigned char *tag, size_t tag_len )
+{
+ CIPHER_VALIDATE_RET( ctx != NULL );
+ CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+ CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
+ CIPHER_VALIDATE_RET( olen != NULL );
+ CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+ return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
+ input, ilen, output, olen,
+ tag, tag_len ) );
+}
+
+/*
+ * Packet-oriented decryption for AEAD modes: public legacy function.
+ */
+int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t *olen,
+ const unsigned char *tag, size_t tag_len )
+{
+ CIPHER_VALIDATE_RET( ctx != NULL );
+ CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+ CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
+ CIPHER_VALIDATE_RET( olen != NULL );
+ CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
+
+ return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
+ input, ilen, output, olen,
+ tag, tag_len ) );
+}
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
+/*
+ * Packet-oriented encryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len )
+{
+ CIPHER_VALIDATE_RET( ctx != NULL );
+ CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+ CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+ CIPHER_VALIDATE_RET( output != NULL );
+ CIPHER_VALIDATE_RET( olen != NULL );
+
#if defined(MBEDTLS_NIST_KW_C)
- if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
- MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
+ if(
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->psa_enabled == 0 &&
+#endif
+ ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
+ MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
{
mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
- /* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
- {
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
- }
- return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
+ (void) iv;
+ (void) ad;
+
+ return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len ) );
}
#endif /* MBEDTLS_NIST_KW_C */
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if( output_len < ilen + tag_len )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
+ input, ilen, output, olen,
+ output + ilen, tag_len );
+ *olen += tag_len;
+ return( ret );
+#else
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
-}
#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+
+/*
+ * Packet-oriented decryption for AEAD/NIST_KW: public function.
+ */
+int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
+ const unsigned char *iv, size_t iv_len,
+ const unsigned char *ad, size_t ad_len,
+ const unsigned char *input, size_t ilen,
+ unsigned char *output, size_t output_len,
+ size_t *olen, size_t tag_len )
+{
+ CIPHER_VALIDATE_RET( ctx != NULL );
+ CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
+ CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
+ CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
+ CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
+ CIPHER_VALIDATE_RET( olen != NULL );
+
+#if defined(MBEDTLS_NIST_KW_C)
+ if(
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ ctx->psa_enabled == 0 &&
+#endif
+ ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
+ MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
+ {
+ mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
+ MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
+
+ /* There is no iv, tag or ad associated with KW and KWP,
+ * so these length should be 0 as documented. */
+ if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ (void) iv;
+ (void) ad;
+
+ return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
+ output, olen, output_len ) );
+ }
+#endif /* MBEDTLS_NIST_KW_C */
+
+#if defined(MBEDTLS_CIPHER_MODE_AEAD)
+ /* AEAD case: check length before passing on to shared function */
+ if( ilen < tag_len || output_len < ilen - tag_len )
+ return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
+
+ return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
+ input, ilen - tag_len, output, olen,
+ input + ilen - tag_len, tag_len ) );
+#else
+ return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+#endif /* MBEDTLS_CIPHER_MODE_AEAD */
+}
+#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
#endif /* MBEDTLS_CIPHER_C */
diff --git a/lib/libmbedtls/mbedtls/library/cipher_wrap.c b/lib/libmbedtls/mbedtls/library/cipher_wrap.c
index f0c3614..51def60 100644
--- a/lib/libmbedtls/mbedtls/library/cipher_wrap.c
+++ b/lib/libmbedtls/mbedtls/library/cipher_wrap.c
@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file cipher_wrap.c
*
@@ -6,7 +5,8 @@
*
* \author Adriaan de Jong <dejong@fox-it.com>
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,15 +19,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#include <string.h>
@@ -785,7 +779,7 @@
MBEDTLS_MODE_ECB,
128,
"CAMELLIA-128-ECB",
- 16,
+ 0,
0,
16,
&camellia_info
@@ -796,7 +790,7 @@
MBEDTLS_MODE_ECB,
192,
"CAMELLIA-192-ECB",
- 16,
+ 0,
0,
16,
&camellia_info
@@ -807,7 +801,7 @@
MBEDTLS_MODE_ECB,
256,
"CAMELLIA-256-ECB",
- 16,
+ 0,
0,
16,
&camellia_info
@@ -1163,7 +1157,7 @@
MBEDTLS_MODE_ECB,
128,
"ARIA-128-ECB",
- 16,
+ 0,
0,
16,
&aria_info
@@ -1174,7 +1168,7 @@
MBEDTLS_MODE_ECB,
192,
"ARIA-192-ECB",
- 16,
+ 0,
0,
16,
&aria_info
@@ -1185,7 +1179,7 @@
MBEDTLS_MODE_ECB,
256,
"ARIA-256-ECB",
- 16,
+ 0,
0,
16,
&aria_info
@@ -1598,7 +1592,7 @@
MBEDTLS_MODE_ECB,
MBEDTLS_KEY_LENGTH_DES,
"DES-ECB",
- 8,
+ 0,
0,
8,
&des_info
@@ -1650,7 +1644,7 @@
MBEDTLS_MODE_ECB,
MBEDTLS_KEY_LENGTH_DES_EDE,
"DES-EDE-ECB",
- 8,
+ 0,
0,
8,
&des_ede_info
@@ -1702,7 +1696,7 @@
MBEDTLS_MODE_ECB,
MBEDTLS_KEY_LENGTH_DES_EDE3,
"DES-EDE3-ECB",
- 8,
+ 0,
0,
8,
&des_ede3_info
@@ -1823,7 +1817,7 @@
MBEDTLS_MODE_ECB,
128,
"BLOWFISH-ECB",
- 8,
+ 0,
MBEDTLS_CIPHER_VARIABLE_KEY_LEN,
8,
&blowfish_info
diff --git a/lib/libmbedtls/mbedtls/library/cmac.c b/lib/libmbedtls/mbedtls/library/cmac.c
index c879674..8dd7fab 100644
--- a/lib/libmbedtls/mbedtls/library/cmac.c
+++ b/lib/libmbedtls/mbedtls/library/cmac.c
@@ -1,10 +1,10 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file cmac.c
*
* \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -17,8 +17,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -40,32 +38,17 @@
*
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CMAC_C)
#include "mbedtls/cmac.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
#include <string.h>
-#if defined(MBEDTLS_PLATFORM_C)
-#include "mbedtls/platform.h"
-#else
-#include <stdlib.h>
-#define mbedtls_calloc calloc
-#define mbedtls_free free
-#if defined(MBEDTLS_SELF_TEST)
-#include <stdio.h>
-#define mbedtls_printf printf
-#endif /* MBEDTLS_SELF_TEST */
-#endif /* MBEDTLS_PLATFORM_C */
-
#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)
/*
@@ -434,7 +417,7 @@
*/
int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_length,
const unsigned char *input, size_t in_len,
- unsigned char *output )
+ unsigned char output[16] )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_cipher_info_t *cipher_info;
@@ -792,7 +775,7 @@
for( i = 0; i < num_tests; i++ )
{
if( verbose != 0 )
- mbedtls_printf( " %s CMAC subkey #%u: ", testname, i + 1 );
+ mbedtls_printf( " %s CMAC subkey #%d: ", testname, i + 1 );
mbedtls_cipher_init( &ctx );
@@ -807,6 +790,18 @@
if( ( ret = mbedtls_cipher_setkey( &ctx, key, keybits,
MBEDTLS_ENCRYPT ) ) != 0 )
{
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 may be unavailable. This should not cause the selftest
+ * function to fail. */
+ if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
+ cipher_type == MBEDTLS_CIPHER_AES_192_ECB ) {
+ if( verbose != 0 )
+ mbedtls_printf( "skipped\n" );
+ goto next_test;
+ }
+
if( verbose != 0 )
mbedtls_printf( "test execution failed\n" );
@@ -834,6 +829,7 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
+next_test:
mbedtls_cipher_free( &ctx );
}
@@ -873,11 +869,24 @@
for( i = 0; i < num_tests; i++ )
{
if( verbose != 0 )
- mbedtls_printf( " %s CMAC #%u: ", testname, i + 1 );
+ mbedtls_printf( " %s CMAC #%d: ", testname, i + 1 );
if( ( ret = mbedtls_cipher_cmac( cipher_info, key, keybits, messages,
message_lengths[i], output ) ) != 0 )
{
+ /* When CMAC is implemented by an alternative implementation, or
+ * the underlying primitive itself is implemented alternatively,
+ * AES-192 and/or 3DES may be unavailable. This should not cause
+ * the selftest function to fail. */
+ if( ( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ||
+ ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ) &&
+ ( cipher_type == MBEDTLS_CIPHER_AES_192_ECB ||
+ cipher_type == MBEDTLS_CIPHER_DES_EDE3_ECB ) ) {
+ if( verbose != 0 )
+ mbedtls_printf( "skipped\n" );
+ continue;
+ }
+
if( verbose != 0 )
mbedtls_printf( "failed\n" );
goto exit;
@@ -908,7 +917,7 @@
for( i = 0; i < NB_PRF_TESTS; i++ )
{
- mbedtls_printf( " AES CMAC 128 PRF #%u: ", i );
+ mbedtls_printf( " AES CMAC 128 PRF #%d: ", i );
ret = mbedtls_aes_cmac_prf_128( PRFK, PRFKlen[i], PRFM, 20, output );
if( ret != 0 ||
memcmp( output, PRFT[i], MBEDTLS_AES_BLOCK_SIZE ) != 0 )
diff --git a/lib/libmbedtls/mbedtls/library/common.h b/lib/libmbedtls/mbedtls/library/common.h
new file mode 100644
index 0000000..5845766
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/common.h
@@ -0,0 +1,53 @@
+/**
+ * \file common.h
+ *
+ * \brief Utility macros for internal use in the library
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_LIBRARY_COMMON_H
+#define MBEDTLS_LIBRARY_COMMON_H
+
+#if defined(MBEDTLS_CONFIG_FILE)
+#include MBEDTLS_CONFIG_FILE
+#else
+#include "mbedtls/config.h"
+#endif
+
+/** Helper to define a function as static except when building invasive tests.
+ *
+ * If a function is only used inside its own source file and should be
+ * declared `static` to allow the compiler to optimize for code size,
+ * but that function has unit tests, define it with
+ * ```
+ * MBEDTLS_STATIC_TESTABLE int mbedtls_foo(...) { ... }
+ * ```
+ * and declare it in a header in the `library/` directory with
+ * ```
+ * #if defined(MBEDTLS_TEST_HOOKS)
+ * int mbedtls_foo(...);
+ * #endif
+ * ```
+ */
+#if defined(MBEDTLS_TEST_HOOKS)
+#define MBEDTLS_STATIC_TESTABLE
+#else
+#define MBEDTLS_STATIC_TESTABLE static
+#endif
+
+#endif /* MBEDTLS_LIBRARY_COMMON_H */
diff --git a/lib/libmbedtls/mbedtls/library/ctr_drbg.c b/lib/libmbedtls/mbedtls/library/ctr_drbg.c
index ca96171..ab52861 100644
--- a/lib/libmbedtls/mbedtls/library/ctr_drbg.c
+++ b/lib/libmbedtls/mbedtls/library/ctr_drbg.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* CTR_DRBG implementation based on AES-256 (NIST SP 800-90)
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The NIST SP 800-90 DRBGs are described in the following publication.
@@ -24,11 +22,7 @@
* http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_CTR_DRBG_C)
@@ -61,21 +55,27 @@
* See mbedtls_ctr_drbg_set_nonce_len(). */
ctx->reseed_counter = -1;
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init( &ctx->mutex );
-#endif
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
}
+/*
+ * This function resets CTR_DRBG context to the state immediately
+ * after initial call of mbedtls_ctr_drbg_init().
+ */
void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx )
{
if( ctx == NULL )
return;
#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free( &ctx->mutex );
+ /* The mutex is initialized iff f_entropy is set. */
+ if( ctx->f_entropy != NULL )
+ mbedtls_mutex_free( &ctx->mutex );
#endif
mbedtls_aes_free( &ctx->aes_ctx );
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ctr_drbg_context ) );
+ ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
+ ctx->reseed_counter = -1;
}
void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
@@ -389,7 +389,7 @@
/* Gather entropy for a nonce if requested. */
if( nonce_len != 0 )
{
- if( 0 != ctx->f_entropy( ctx->p_entropy, seed, nonce_len ) )
+ if( 0 != ctx->f_entropy( ctx->p_entropy, seed + seedlen, nonce_len ) )
{
return( MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED );
}
@@ -459,6 +459,11 @@
memset( key, 0, MBEDTLS_CTR_DRBG_KEYSIZE );
+ /* The mutex is initialized iff f_entropy is set. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init( &ctx->mutex );
+#endif
+
mbedtls_aes_init( &ctx->aes_ctx );
ctx->f_entropy = f_entropy;
@@ -474,8 +479,6 @@
(size_t) ctx->reseed_counter :
good_nonce_len( ctx->entropy_len ) );
- ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
-
/* Initialize with an empty key. */
if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key,
MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
@@ -681,54 +684,134 @@
#if defined(MBEDTLS_SELF_TEST)
-static const unsigned char entropy_source_pr[96] =
- { 0xc1, 0x80, 0x81, 0xa6, 0x5d, 0x44, 0x02, 0x16,
- 0x19, 0xb3, 0xf1, 0x80, 0xb1, 0xc9, 0x20, 0x02,
- 0x6a, 0x54, 0x6f, 0x0c, 0x70, 0x81, 0x49, 0x8b,
- 0x6e, 0xa6, 0x62, 0x52, 0x6d, 0x51, 0xb1, 0xcb,
- 0x58, 0x3b, 0xfa, 0xd5, 0x37, 0x5f, 0xfb, 0xc9,
- 0xff, 0x46, 0xd2, 0x19, 0xc7, 0x22, 0x3e, 0x95,
- 0x45, 0x9d, 0x82, 0xe1, 0xe7, 0x22, 0x9f, 0x63,
- 0x31, 0x69, 0xd2, 0x6b, 0x57, 0x47, 0x4f, 0xa3,
- 0x37, 0xc9, 0x98, 0x1c, 0x0b, 0xfb, 0x91, 0x31,
- 0x4d, 0x55, 0xb9, 0xe9, 0x1c, 0x5a, 0x5e, 0xe4,
- 0x93, 0x92, 0xcf, 0xc5, 0x23, 0x12, 0xd5, 0x56,
- 0x2c, 0x4a, 0x6e, 0xff, 0xdc, 0x10, 0xd0, 0x68 };
-
-static const unsigned char entropy_source_nopr[64] =
- { 0x5a, 0x19, 0x4d, 0x5e, 0x2b, 0x31, 0x58, 0x14,
- 0x54, 0xde, 0xf6, 0x75, 0xfb, 0x79, 0x58, 0xfe,
- 0xc7, 0xdb, 0x87, 0x3e, 0x56, 0x89, 0xfc, 0x9d,
- 0x03, 0x21, 0x7c, 0x68, 0xd8, 0x03, 0x38, 0x20,
- 0xf9, 0xe6, 0x5e, 0x04, 0xd8, 0x56, 0xf3, 0xa9,
- 0xc4, 0x4a, 0x4c, 0xbd, 0xc1, 0xd0, 0x08, 0x46,
- 0xf5, 0x98, 0x3d, 0x77, 0x1c, 0x1b, 0x13, 0x7e,
- 0x4e, 0x0f, 0x9d, 0x8e, 0xf4, 0x09, 0xf9, 0x2e };
-
-static const unsigned char nonce_pers_pr[16] =
- { 0xd2, 0x54, 0xfc, 0xff, 0x02, 0x1e, 0x69, 0xd2,
- 0x29, 0xc9, 0xcf, 0xad, 0x85, 0xfa, 0x48, 0x6c };
-
-static const unsigned char nonce_pers_nopr[16] =
- { 0x1b, 0x54, 0xb8, 0xff, 0x06, 0x42, 0xbf, 0xf5,
- 0x21, 0xf1, 0x5c, 0x1c, 0x0b, 0x66, 0x5f, 0x3f };
+/* The CTR_DRBG NIST test vectors used here are available at
+ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/drbg/drbgtestvectors.zip
+ *
+ * The parameters used to derive the test data are:
+ *
+ * [AES-128 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 128]
+ * [NonceLen = 64]
+ * [PersonalizationStringLen = 128]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ * [AES-256 use df]
+ * [PredictionResistance = True/False]
+ * [EntropyInputLen = 256]
+ * [NonceLen = 128]
+ * [PersonalizationStringLen = 256]
+ * [AdditionalInputLen = 0]
+ * [ReturnedBitsLen = 512]
+ *
+ */
#if defined(MBEDTLS_CTR_DRBG_USE_128_BIT_KEY)
-static const unsigned char result_pr[16] =
- { 0x95, 0x3c, 0xa5, 0xbd, 0x44, 0x1, 0x34, 0xb7,
- 0x13, 0x58, 0x3e, 0x6a, 0x6c, 0x7e, 0x88, 0x8a };
+static const unsigned char entropy_source_pr[] =
+ { 0x04, 0xd9, 0x49, 0xa6, 0xdc, 0xe8, 0x6e, 0xbb,
+ 0xf1, 0x08, 0x77, 0x2b, 0x9e, 0x08, 0xca, 0x92,
+ 0x65, 0x16, 0xda, 0x99, 0xa2, 0x59, 0xf3, 0xe8,
+ 0x38, 0x7e, 0x3f, 0x6b, 0x51, 0x70, 0x7b, 0x20,
+ 0xec, 0x53, 0xd0, 0x66, 0xc3, 0x0f, 0xe3, 0xb0,
+ 0xe0, 0x86, 0xa6, 0xaa, 0x5f, 0x72, 0x2f, 0xad,
+ 0xf7, 0xef, 0x06, 0xb8, 0xd6, 0x9c, 0x9d, 0xe8 };
-static const unsigned char result_nopr[16] =
- { 0x6c, 0x25, 0x27, 0x95, 0xa3, 0x62, 0xd6, 0xdb,
- 0x90, 0xfd, 0x69, 0xb5, 0x42, 0x9, 0x4b, 0x84 };
+static const unsigned char entropy_source_nopr[] =
+ { 0x07, 0x0d, 0x59, 0x63, 0x98, 0x73, 0xa5, 0x45,
+ 0x27, 0x38, 0x22, 0x7b, 0x76, 0x85, 0xd1, 0xa9,
+ 0x74, 0x18, 0x1f, 0x3c, 0x22, 0xf6, 0x49, 0x20,
+ 0x4a, 0x47, 0xc2, 0xf3, 0x85, 0x16, 0xb4, 0x6f,
+ 0x00, 0x2e, 0x71, 0xda, 0xed, 0x16, 0x9b, 0x5c };
+
+static const unsigned char pers_pr[] =
+ { 0xbf, 0xa4, 0x9a, 0x8f, 0x7b, 0xd8, 0xb1, 0x7a,
+ 0x9d, 0xfa, 0x45, 0xed, 0x21, 0x52, 0xb3, 0xad };
+
+static const unsigned char pers_nopr[] =
+ { 0x4e, 0x61, 0x79, 0xd4, 0xc2, 0x72, 0xa1, 0x4c,
+ 0xf1, 0x3d, 0xf6, 0x5e, 0xa3, 0xa6, 0xe5, 0x0f };
+
+static const unsigned char result_pr[] =
+ { 0xc9, 0x0a, 0xaf, 0x85, 0x89, 0x71, 0x44, 0x66,
+ 0x4f, 0x25, 0x0b, 0x2b, 0xde, 0xd8, 0xfa, 0xff,
+ 0x52, 0x5a, 0x1b, 0x32, 0x5e, 0x41, 0x7a, 0x10,
+ 0x1f, 0xef, 0x1e, 0x62, 0x23, 0xe9, 0x20, 0x30,
+ 0xc9, 0x0d, 0xad, 0x69, 0xb4, 0x9c, 0x5b, 0xf4,
+ 0x87, 0x42, 0xd5, 0xae, 0x5e, 0x5e, 0x43, 0xcc,
+ 0xd9, 0xfd, 0x0b, 0x93, 0x4a, 0xe3, 0xd4, 0x06,
+ 0x37, 0x36, 0x0f, 0x3f, 0x72, 0x82, 0x0c, 0xcf };
+
+static const unsigned char result_nopr[] =
+ { 0x31, 0xc9, 0x91, 0x09, 0xf8, 0xc5, 0x10, 0x13,
+ 0x3c, 0xd3, 0x96, 0xf9, 0xbc, 0x2c, 0x12, 0xc0,
+ 0x7c, 0xc1, 0x61, 0x5f, 0xa3, 0x09, 0x99, 0xaf,
+ 0xd7, 0xf2, 0x36, 0xfd, 0x40, 0x1a, 0x8b, 0xf2,
+ 0x33, 0x38, 0xee, 0x1d, 0x03, 0x5f, 0x83, 0xb7,
+ 0xa2, 0x53, 0xdc, 0xee, 0x18, 0xfc, 0xa7, 0xf2,
+ 0xee, 0x96, 0xc6, 0xc2, 0xcd, 0x0c, 0xff, 0x02,
+ 0x76, 0x70, 0x69, 0xaa, 0x69, 0xd1, 0x3b, 0xe8 };
#else /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
-static const unsigned char result_pr[16] =
- { 0x34, 0x01, 0x16, 0x56, 0xb4, 0x29, 0x00, 0x8f,
- 0x35, 0x63, 0xec, 0xb5, 0xf2, 0x59, 0x07, 0x23 };
-static const unsigned char result_nopr[16] =
- { 0xa0, 0x54, 0x30, 0x3d, 0x8a, 0x7e, 0xa9, 0x88,
- 0x9d, 0x90, 0x3e, 0x07, 0x7c, 0x6f, 0x21, 0x8f };
+static const unsigned char entropy_source_pr[] =
+ { 0xca, 0x58, 0xfd, 0xf2, 0xb9, 0x77, 0xcb, 0x49,
+ 0xd4, 0xe0, 0x5b, 0xe2, 0x39, 0x50, 0xd9, 0x8a,
+ 0x6a, 0xb3, 0xc5, 0x2f, 0xdf, 0x74, 0xd5, 0x85,
+ 0x8f, 0xd1, 0xba, 0x64, 0x54, 0x7b, 0xdb, 0x1e,
+ 0xc5, 0xea, 0x24, 0xc0, 0xfa, 0x0c, 0x90, 0x15,
+ 0x09, 0x20, 0x92, 0x42, 0x32, 0x36, 0x45, 0x45,
+ 0x7d, 0x20, 0x76, 0x6b, 0xcf, 0xa2, 0x15, 0xc8,
+ 0x2f, 0x9f, 0xbc, 0x88, 0x3f, 0x80, 0xd1, 0x2c,
+ 0xb7, 0x16, 0xd1, 0x80, 0x9e, 0xe1, 0xc9, 0xb3,
+ 0x88, 0x1b, 0x21, 0x45, 0xef, 0xa1, 0x7f, 0xce,
+ 0xc8, 0x92, 0x35, 0x55, 0x2a, 0xd9, 0x1d, 0x8e,
+ 0x12, 0x38, 0xac, 0x01, 0x4e, 0x38, 0x18, 0x76,
+ 0x9c, 0xf2, 0xb6, 0xd4, 0x13, 0xb6, 0x2c, 0x77,
+ 0xc0, 0xe7, 0xe6, 0x0c, 0x47, 0x44, 0x95, 0xbe };
+
+static const unsigned char entropy_source_nopr[] =
+ { 0x4c, 0xfb, 0x21, 0x86, 0x73, 0x34, 0x6d, 0x9d,
+ 0x50, 0xc9, 0x22, 0xe4, 0x9b, 0x0d, 0xfc, 0xd0,
+ 0x90, 0xad, 0xf0, 0x4f, 0x5c, 0x3b, 0xa4, 0x73,
+ 0x27, 0xdf, 0xcd, 0x6f, 0xa6, 0x3a, 0x78, 0x5c,
+ 0x01, 0x69, 0x62, 0xa7, 0xfd, 0x27, 0x87, 0xa2,
+ 0x4b, 0xf6, 0xbe, 0x47, 0xef, 0x37, 0x83, 0xf1,
+ 0xb7, 0xec, 0x46, 0x07, 0x23, 0x63, 0x83, 0x4a,
+ 0x1b, 0x01, 0x33, 0xf2, 0xc2, 0x38, 0x91, 0xdb,
+ 0x4f, 0x11, 0xa6, 0x86, 0x51, 0xf2, 0x3e, 0x3a,
+ 0x8b, 0x1f, 0xdc, 0x03, 0xb1, 0x92, 0xc7, 0xe7 };
+
+static const unsigned char pers_pr[] =
+ { 0x5a, 0x70, 0x95, 0xe9, 0x81, 0x40, 0x52, 0x33,
+ 0x91, 0x53, 0x7e, 0x75, 0xd6, 0x19, 0x9d, 0x1e,
+ 0xad, 0x0d, 0xc6, 0xa7, 0xde, 0x6c, 0x1f, 0xe0,
+ 0xea, 0x18, 0x33, 0xa8, 0x7e, 0x06, 0x20, 0xe9 };
+
+static const unsigned char pers_nopr[] =
+ { 0x88, 0xee, 0xb8, 0xe0, 0xe8, 0x3b, 0xf3, 0x29,
+ 0x4b, 0xda, 0xcd, 0x60, 0x99, 0xeb, 0xe4, 0xbf,
+ 0x55, 0xec, 0xd9, 0x11, 0x3f, 0x71, 0xe5, 0xeb,
+ 0xcb, 0x45, 0x75, 0xf3, 0xd6, 0xa6, 0x8a, 0x6b };
+
+static const unsigned char result_pr[] =
+ { 0xce, 0x2f, 0xdb, 0xb6, 0xd9, 0xb7, 0x39, 0x85,
+ 0x04, 0xc5, 0xc0, 0x42, 0xc2, 0x31, 0xc6, 0x1d,
+ 0x9b, 0x5a, 0x59, 0xf8, 0x7e, 0x0d, 0xcc, 0x62,
+ 0x7b, 0x65, 0x11, 0x55, 0x10, 0xeb, 0x9e, 0x3d,
+ 0xa4, 0xfb, 0x1c, 0x6a, 0x18, 0xc0, 0x74, 0xdb,
+ 0xdd, 0xe7, 0x02, 0x23, 0x63, 0x21, 0xd0, 0x39,
+ 0xf9, 0xa7, 0xc4, 0x52, 0x84, 0x3b, 0x49, 0x40,
+ 0x72, 0x2b, 0xb0, 0x6c, 0x9c, 0xdb, 0xc3, 0x43 };
+
+static const unsigned char result_nopr[] =
+ { 0xa5, 0x51, 0x80, 0xa1, 0x90, 0xbe, 0xf3, 0xad,
+ 0xaf, 0x28, 0xf6, 0xb7, 0x95, 0xe9, 0xf1, 0xf3,
+ 0xd6, 0xdf, 0xa1, 0xb2, 0x7d, 0xd0, 0x46, 0x7b,
+ 0x0c, 0x75, 0xf5, 0xfa, 0x93, 0x1e, 0x97, 0x14,
+ 0x75, 0xb2, 0x7c, 0xae, 0x03, 0xa2, 0x96, 0x54,
+ 0xe2, 0xf4, 0x09, 0x66, 0xea, 0x33, 0x64, 0x30,
+ 0x40, 0xd1, 0x40, 0x0f, 0xe6, 0x77, 0x87, 0x3a,
+ 0xf8, 0x09, 0x7c, 0x1f, 0xe9, 0xf0, 0x02, 0x98 };
#endif /* MBEDTLS_CTR_DRBG_USE_128_BIT_KEY */
static size_t test_offset;
@@ -748,13 +831,15 @@
return( 1 ); \
}
+#define SELF_TEST_OUPUT_DISCARD_LENGTH 64
+
/*
* Checkup routine
*/
int mbedtls_ctr_drbg_self_test( int verbose )
{
mbedtls_ctr_drbg_context ctx;
- unsigned char buf[16];
+ unsigned char buf[ sizeof( result_pr ) ];
mbedtls_ctr_drbg_init( &ctx );
@@ -765,16 +850,16 @@
mbedtls_printf( " CTR_DRBG (PR = TRUE) : " );
test_offset = 0;
- mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
- mbedtls_ctr_drbg_set_nonce_len( &ctx, 0 );
+ mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE );
+ mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
CHK( mbedtls_ctr_drbg_seed( &ctx,
ctr_drbg_self_test_entropy,
(void *) entropy_source_pr,
- nonce_pers_pr, 16 ) );
+ pers_pr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
- CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
- CHK( mbedtls_ctr_drbg_random( &ctx, buf, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
- CHK( memcmp( buf, result_pr, MBEDTLS_CTR_DRBG_BLOCKSIZE ) );
+ CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
+ CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) );
+ CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) );
mbedtls_ctr_drbg_free( &ctx );
@@ -790,16 +875,16 @@
mbedtls_ctr_drbg_init( &ctx );
test_offset = 0;
- mbedtls_ctr_drbg_set_entropy_len( &ctx, 32 );
- mbedtls_ctr_drbg_set_nonce_len( &ctx, 0 );
+ mbedtls_ctr_drbg_set_entropy_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE);
+ mbedtls_ctr_drbg_set_nonce_len( &ctx, MBEDTLS_CTR_DRBG_KEYSIZE / 2 );
CHK( mbedtls_ctr_drbg_seed( &ctx,
ctr_drbg_self_test_entropy,
(void *) entropy_source_nopr,
- nonce_pers_nopr, 16 ) );
- CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
+ pers_nopr, MBEDTLS_CTR_DRBG_KEYSIZE ) );
CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
- CHK( mbedtls_ctr_drbg_random( &ctx, buf, 16 ) );
- CHK( memcmp( buf, result_nopr, 16 ) );
+ CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
+ CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) );
+ CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) );
mbedtls_ctr_drbg_free( &ctx );
diff --git a/lib/libmbedtls/mbedtls/library/debug.c b/lib/libmbedtls/mbedtls/library/debug.c
index 46b6f6e..e108600 100644
--- a/lib/libmbedtls/mbedtls/library/debug.c
+++ b/lib/libmbedtls/mbedtls/library/debug.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Debugging routines
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_DEBUG_C)
@@ -80,6 +74,7 @@
#endif
}
+MBEDTLS_PRINTF_ATTRIBUTE(5, 6)
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *format, ... )
@@ -132,7 +127,7 @@
return;
mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
- text, ret, -ret );
+ text, ret, (unsigned int) -ret );
debug_send_line( ssl, level, file, line, str );
}
@@ -225,8 +220,8 @@
const char *text, const mbedtls_mpi *X )
{
char str[DEBUG_BUF_SIZE];
- int j, k, zeros = 1;
- size_t i, n, idx = 0;
+ size_t bitlen;
+ size_t idx = 0;
if( NULL == ssl ||
NULL == ssl->conf ||
@@ -237,55 +232,43 @@
return;
}
- for( n = X->n - 1; n > 0; n-- )
- if( X->p[n] != 0 )
- break;
+ bitlen = mbedtls_mpi_bitlen( X );
- for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
- if( ( ( X->p[n] >> j ) & 1 ) != 0 )
- break;
-
- mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
- text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
-
+ mbedtls_snprintf( str, sizeof( str ), "value of '%s' (%u bits) is:\n",
+ text, (unsigned) bitlen );
debug_send_line( ssl, level, file, line, str );
- idx = 0;
- for( i = n + 1, j = 0; i > 0; i-- )
+ if( bitlen == 0 )
{
- if( zeros && X->p[i - 1] == 0 )
- continue;
-
- for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
+ str[0] = ' '; str[1] = '0'; str[2] = '0';
+ idx = 3;
+ }
+ else
+ {
+ int n;
+ for( n = (int) ( ( bitlen - 1 ) / 8 ); n >= 0; n-- )
{
- if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
- continue;
- else
- zeros = 0;
-
- if( j % 16 == 0 )
+ size_t limb_offset = n / sizeof( mbedtls_mpi_uint );
+ size_t offset_in_limb = n % sizeof( mbedtls_mpi_uint );
+ unsigned char octet =
+ ( X->p[limb_offset] >> ( offset_in_limb * 8 ) ) & 0xff;
+ mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", octet );
+ idx += 3;
+ /* Wrap lines after 16 octets that each take 3 columns */
+ if( idx >= 3 * 16 )
{
- if( j > 0 )
- {
- mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
- debug_send_line( ssl, level, file, line, str );
- idx = 0;
- }
+ mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+ debug_send_line( ssl, level, file, line, str );
+ idx = 0;
}
-
- idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
- ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
-
- j++;
}
-
}
- if( zeros == 1 )
- idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
-
- mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
- debug_send_line( ssl, level, file, line, str );
+ if( idx != 0 )
+ {
+ mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
+ debug_send_line( ssl, level, file, line, str );
+ }
}
#endif /* MBEDTLS_BIGNUM_C */
diff --git a/lib/libmbedtls/mbedtls/library/des.c b/lib/libmbedtls/mbedtls/library/des.c
index 90f8642..eddf55e 100644
--- a/lib/libmbedtls/mbedtls/library/des.c
+++ b/lib/libmbedtls/mbedtls/library/des.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* FIPS-46-3 compliant Triple-DES implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* DES, on which TDES is based, was originally designed by Horst Feistel
@@ -25,11 +23,7 @@
* http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_DES_C)
diff --git a/lib/libmbedtls/mbedtls/library/dhm.c b/lib/libmbedtls/mbedtls/library/dhm.c
index 9a76fc5..accd5a8 100644
--- a/lib/libmbedtls/mbedtls/library/dhm.c
+++ b/lib/libmbedtls/mbedtls/library/dhm.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Diffie-Hellman-Merkle key exchange
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The following sources were referenced in the design of this implementation
@@ -27,11 +25,7 @@
*
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_DHM_C)
@@ -85,7 +79,7 @@
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
if( ( ret = mbedtls_mpi_read_binary( X, *p, n ) ) != 0 )
- return( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_READ_PARAMS_FAILED, ret ) );
(*p) += n;
@@ -106,22 +100,21 @@
*/
static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P )
{
- mbedtls_mpi L, U;
+ mbedtls_mpi U;
int ret = 0;
- mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U );
+ mbedtls_mpi_init( &U );
- MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) );
- if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 ||
+ if( mbedtls_mpi_cmp_int( param, 2 ) < 0 ||
mbedtls_mpi_cmp_mpi( param, &U ) > 0 )
{
ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA;
}
cleanup:
- mbedtls_mpi_free( &L ); mbedtls_mpi_free( &U );
+ mbedtls_mpi_free( &U );
return( ret );
}
@@ -157,38 +150,44 @@
}
/*
- * Setup and write the ServerKeyExchange parameters
+ * Pick a random R in the range [2, M-2] for blinding or key generation.
*/
-int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
- unsigned char *output, size_t *olen,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng )
+static int dhm_random_below( mbedtls_mpi *R, const mbedtls_mpi *M,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret, count = 0;
- size_t n1, n2, n3;
- unsigned char *p;
- DHM_VALIDATE_RET( ctx != NULL );
- DHM_VALIDATE_RET( output != NULL );
- DHM_VALIDATE_RET( olen != NULL );
- DHM_VALIDATE_RET( f_rng != NULL );
+ int ret;
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_random( R, 3, M, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( R, R, 1 ) );
+
+cleanup:
+ return( ret );
+}
+
+static int dhm_make_common( mbedtls_dhm_context *ctx, int x_size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret = 0;
if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
+ if( x_size < 0 )
+ return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
- /*
- * Generate X as large as possible ( < P )
- */
- do
+ if( (unsigned) x_size < mbedtls_mpi_size( &ctx->P ) )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
-
- while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
-
- if( count++ > 10 )
- return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED );
}
- while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
+ else
+ {
+ /* Generate X as large as possible ( <= P - 2 ) */
+ ret = dhm_random_below( &ctx->X, &ctx->P, f_rng, p_rng );
+ if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED );
+ if( ret != 0 )
+ return( ret );
+ }
/*
* Calculate GX = G^X mod P
@@ -199,8 +198,33 @@
if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
return( ret );
+cleanup:
+ return( ret );
+}
+
+/*
+ * Setup and write the ServerKeyExchange parameters
+ */
+int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
+ unsigned char *output, size_t *olen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret;
+ size_t n1, n2, n3;
+ unsigned char *p;
+ DHM_VALIDATE_RET( ctx != NULL );
+ DHM_VALIDATE_RET( output != NULL );
+ DHM_VALIDATE_RET( olen != NULL );
+ DHM_VALIDATE_RET( f_rng != NULL );
+
+ ret = dhm_make_common( ctx, x_size, f_rng, p_rng );
+ if( ret != 0 )
+ goto cleanup;
+
/*
- * export P, G, GX
+ * Export P, G, GX. RFC 5246 §4.4 states that "leading zero octets are
+ * not required". We omit leading zeros for compactness.
*/
#define DHM_MPI_EXPORT( X, n ) \
do { \
@@ -226,11 +250,9 @@
ctx->len = n1;
cleanup:
-
- if( ret != 0 )
- return( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + ret );
-
- return( 0 );
+ if( ret != 0 && ret > -128 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED, ret );
+ return( ret );
}
/*
@@ -248,7 +270,7 @@
if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 ||
( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 )
{
- return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_SET_GROUP_FAILED, ret ) );
}
ctx->len = mbedtls_mpi_size( &ctx->P );
@@ -269,7 +291,7 @@
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
if( ( ret = mbedtls_mpi_read_binary( &ctx->GY, input, ilen ) ) != 0 )
- return( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED, ret ) );
return( 0 );
}
@@ -282,7 +304,7 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret, count = 0;
+ int ret;
DHM_VALIDATE_RET( ctx != NULL );
DHM_VALIDATE_RET( output != NULL );
DHM_VALIDATE_RET( f_rng != NULL );
@@ -290,40 +312,21 @@
if( olen < 1 || olen > ctx->len )
return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
- if( mbedtls_mpi_cmp_int( &ctx->P, 0 ) == 0 )
- return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA );
-
- /*
- * generate X and calculate GX = G^X mod P
- */
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->X, x_size, f_rng, p_rng ) );
-
- while( mbedtls_mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->X, 1 ) );
-
- if( count++ > 10 )
- return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED );
- }
- while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
-
- MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
- &ctx->P , &ctx->RP ) );
-
- if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
- return( ret );
+ ret = dhm_make_common( ctx, x_size, f_rng, p_rng );
+ if( ret == MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED )
+ return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED );
+ if( ret != 0 )
+ goto cleanup;
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->GX, output, olen ) );
cleanup:
-
- if( ret != 0 )
- return( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED + ret );
-
- return( 0 );
+ if( ret != 0 && ret > -128 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED, ret );
+ return( ret );
}
+
/*
* Use the blinding method and optimisation suggested in section 10 of:
* KOCHER, Paul C. Timing attacks on implementations of Diffie-Hellman, RSA,
@@ -333,7 +336,10 @@
static int dhm_update_blinding( mbedtls_dhm_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret, count;
+ int ret;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
/*
* Don't use any blinding the first time a particular X is used,
@@ -367,25 +373,24 @@
* We need to generate blinding values from scratch
*/
- /* Vi = random( 2, P-1 ) */
- count = 0;
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vi, mbedtls_mpi_size( &ctx->P ), f_rng, p_rng ) );
+ /* Vi = random( 2, P-2 ) */
+ MBEDTLS_MPI_CHK( dhm_random_below( &ctx->Vi, &ctx->P, f_rng, p_rng ) );
- while( mbedtls_mpi_cmp_mpi( &ctx->Vi, &ctx->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &ctx->Vi, 1 ) );
+ /* Vf = Vi^-X mod P
+ * First compute Vi^-1 = R * (R Vi)^-1, (avoiding leaks from inv_mod),
+ * then elevate to the Xth power. */
+ MBEDTLS_MPI_CHK( dhm_random_below( &R, &ctx->P, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vf, &ctx->P ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vf, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vf, &ctx->Vf, &ctx->P ) );
- if( count++ > 10 )
- return( MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
- }
- while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) <= 0 );
-
- /* Vf = Vi^-X mod P */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vf, &ctx->Vi, &ctx->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vf, &ctx->Vf, &ctx->X, &ctx->P, &ctx->RP ) );
cleanup:
+ mbedtls_mpi_free( &R );
+
return( ret );
}
@@ -432,15 +437,16 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->K, &ctx->K, &ctx->P ) );
}
+ /* Output the secret without any leading zero byte. This is mandatory
+ * for TLS per RFC 5246 §8.1.2. */
*olen = mbedtls_mpi_size( &ctx->K );
-
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &ctx->K, output, *olen ) );
cleanup:
mbedtls_mpi_free( &GYb );
if( ret != 0 )
- return( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_CALC_SECRET_FAILED, ret ) );
return( 0 );
}
@@ -522,7 +528,7 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_INVALID_FORMAT, ret );
goto exit;
}
@@ -531,7 +537,7 @@
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->P ) ) != 0 ||
( ret = mbedtls_asn1_get_mpi( &p, end, &dhm->G ) ) != 0 )
{
- ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_INVALID_FORMAT, ret );
goto exit;
}
@@ -545,13 +551,13 @@
mbedtls_mpi_free( &rec );
if ( ret != 0 )
{
- ret = MBEDTLS_ERR_DHM_INVALID_FORMAT + ret;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_INVALID_FORMAT, ret );
goto exit;
}
if ( p != end )
{
- ret = MBEDTLS_ERR_DHM_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_DHM_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
goto exit;
}
}
diff --git a/lib/libmbedtls/mbedtls/library/ecdh.c b/lib/libmbedtls/mbedtls/library/ecdh.c
index d196852..9dfa868 100644
--- a/lib/libmbedtls/mbedtls/library/ecdh.c
+++ b/lib/libmbedtls/mbedtls/library/ecdh.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Elliptic curve Diffie-Hellman
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -26,11 +24,7 @@
* RFC 4492
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ECDH_C)
diff --git a/lib/libmbedtls/mbedtls/library/ecdsa.c b/lib/libmbedtls/mbedtls/library/ecdsa.c
index bf99573..640eb24 100644
--- a/lib/libmbedtls/mbedtls/library/ecdsa.c
+++ b/lib/libmbedtls/mbedtls/library/ecdsa.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Elliptic curve DSA
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -25,11 +23,7 @@
* SEC1 http://www.secg.org/index.php?action=secg,docs_secg
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ECDSA_C)
@@ -223,6 +217,9 @@
#endif /* MBEDTLS_ECP_RESTARTABLE */
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC) || \
+ !defined(MBEDTLS_ECDSA_SIGN_ALT) || \
+ !defined(MBEDTLS_ECDSA_VERIFY_ALT)
/*
* Derive a suitable integer for group grp from a buffer of length len
* SEC1 4.1.3 step 5 aka SEC1 4.1.4 step 3
@@ -245,6 +242,7 @@
cleanup:
return( ret );
}
+#endif /* ECDSA_DETERMINISTIC || !ECDSA_SIGN_ALT || !ECDSA_VERIFY_ALT */
#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
/*
@@ -472,6 +470,8 @@
sign:
#endif
#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) f_rng_blind;
+ (void) p_rng_blind;
ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng );
#else
@@ -726,7 +726,7 @@
unsigned char *sig, size_t *slen )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char buf[MBEDTLS_ECDSA_MAX_LEN];
+ unsigned char buf[MBEDTLS_ECDSA_MAX_LEN] = {0};
unsigned char *p = buf + sizeof( buf );
size_t len = 0;
@@ -772,6 +772,8 @@
(void) md_alg;
#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+ (void) rs_ctx;
+
MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
hash, hlen, f_rng, p_rng ) );
#else
@@ -868,8 +870,8 @@
if( p + len != end )
{
- ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
goto cleanup;
}
@@ -880,6 +882,8 @@
goto cleanup;
}
#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+ (void) rs_ctx;
+
if( ( ret = mbedtls_ecdsa_verify( &ctx->grp, hash, hlen,
&ctx->Q, &r, &s ) ) != 0 )
goto cleanup;
diff --git a/lib/libmbedtls/mbedtls/library/ecjpake.c b/lib/libmbedtls/mbedtls/library/ecjpake.c
index 4aca839..464ff51 100644
--- a/lib/libmbedtls/mbedtls/library/ecjpake.c
+++ b/lib/libmbedtls/mbedtls/library/ecjpake.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Elliptic curve J-PAKE
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -24,11 +22,7 @@
* available to members of the Thread Group http://threadgroup.org/
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ECJPAKE_C)
@@ -279,7 +273,7 @@
r_len = *(*p)++;
- if( end < *p || (size_t)( end - *p ) < r_len )
+ if( end < *p || (size_t)( end - *p ) < r_len || r_len == 0 )
{
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
goto cleanup;
@@ -826,6 +820,8 @@
0x65, 0x73, 0x74
};
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+
static const unsigned char ecjpake_test_x1[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
@@ -970,6 +966,8 @@
return( ret );
}
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
+
/* For tests we don't need a secure RNG;
* use the LGC from Numerical Recipes for simplicity */
static int ecjpake_lgc( void *p, unsigned char *out, size_t len )
@@ -1065,6 +1063,12 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
+#if !defined(MBEDTLS_ECJPAKE_ALT)
+ /* 'reference handshake' tests can only be run against implementations
+ * for which we have 100% control over how the random ephemeral keys
+ * are generated. This is only the case for the internal mbed TLS
+ * implementation, so these tests are skipped in case the internal
+ * implementation is swapped out for an alternative one. */
if( verbose != 0 )
mbedtls_printf( " ECJPAKE test #2 (reference handshake): " );
@@ -1113,6 +1117,7 @@
if( verbose != 0 )
mbedtls_printf( "passed\n" );
+#endif /* ! MBEDTLS_ECJPAKE_ALT */
cleanup:
mbedtls_ecjpake_free( &cli );
diff --git a/lib/libmbedtls/mbedtls/library/ecp.c b/lib/libmbedtls/mbedtls/library/ecp.c
index ff86b0f..4aaac7e 100644
--- a/lib/libmbedtls/mbedtls/library/ecp.c
+++ b/lib/libmbedtls/mbedtls/library/ecp.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Elliptic curves over GF(p): generic functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -41,11 +39,7 @@
* <http://eprint.iacr.org/2004/342.pdf>
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
/**
* \brief Function level alternative implementation.
@@ -82,6 +76,9 @@
#include "mbedtls/threading.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "mbedtls/bn_mul.h"
+
+#include "ecp_invasive.h"
#include <string.h>
@@ -105,6 +102,16 @@
#include "mbedtls/ecp_internal.h"
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+#if defined(MBEDTLS_HMAC_DRBG_C)
+#include "mbedtls/hmac_drbg.h"
+#elif defined(MBEDTLS_CTR_DRBG_C)
+#include "mbedtls/ctr_drbg.h"
+#else
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
!defined(inline) && !defined(__cplusplus)
#define inline __inline
@@ -118,6 +125,144 @@
static unsigned long add_count, dbl_count, mul_count;
#endif
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+/*
+ * Currently ecp_mul() takes a RNG function as an argument, used for
+ * side-channel protection, but it can be NULL. The initial reasoning was
+ * that people will pass non-NULL RNG when they care about side-channels, but
+ * unfortunately we have some APIs that call ecp_mul() with a NULL RNG, with
+ * no opportunity for the user to do anything about it.
+ *
+ * The obvious strategies for addressing that include:
+ * - change those APIs so that they take RNG arguments;
+ * - require a global RNG to be available to all crypto modules.
+ *
+ * Unfortunately those would break compatibility. So what we do instead is
+ * have our own internal DRBG instance, seeded from the secret scalar.
+ *
+ * The following is a light-weight abstraction layer for doing that with
+ * HMAC_DRBG (first choice) or CTR_DRBG.
+ */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_hmac_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init( ecp_drbg_context *ctx )
+{
+ mbedtls_hmac_drbg_init( ctx );
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free( ecp_drbg_context *ctx )
+{
+ mbedtls_hmac_drbg_free( ctx );
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random( void *p_rng,
+ unsigned char *output, size_t output_len )
+{
+ return( mbedtls_hmac_drbg_random( p_rng, output, output_len ) );
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+ const mbedtls_mpi *secret, size_t secret_len )
+{
+ int ret;
+ unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+ /* The list starts with strong hashes */
+ const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
+
+ if( secret_len > MBEDTLS_ECP_MAX_BYTES )
+ {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+ secret_bytes, secret_len ) );
+
+ ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
+
+cleanup:
+ mbedtls_platform_zeroize( secret_bytes, secret_len );
+
+ return( ret );
+}
+
+#elif defined(MBEDTLS_CTR_DRBG_C)
+
+/* DRBG context type */
+typedef mbedtls_ctr_drbg_context ecp_drbg_context;
+
+/* DRBG context init */
+static inline void ecp_drbg_init( ecp_drbg_context *ctx )
+{
+ mbedtls_ctr_drbg_init( ctx );
+}
+
+/* DRBG context free */
+static inline void ecp_drbg_free( ecp_drbg_context *ctx )
+{
+ mbedtls_ctr_drbg_free( ctx );
+}
+
+/* DRBG function */
+static inline int ecp_drbg_random( void *p_rng,
+ unsigned char *output, size_t output_len )
+{
+ return( mbedtls_ctr_drbg_random( p_rng, output, output_len ) );
+}
+
+/*
+ * Since CTR_DRBG doesn't have a seed_buf() function the way HMAC_DRBG does,
+ * we need to pass an entropy function when seeding. So we use a dummy
+ * function for that, and pass the actual entropy as customisation string.
+ * (During seeding of CTR_DRBG the entropy input and customisation string are
+ * concatenated before being used to update the secret state.)
+ */
+static int ecp_ctr_drbg_null_entropy(void *ctx, unsigned char *out, size_t len)
+{
+ (void) ctx;
+ memset( out, 0, len );
+ return( 0 );
+}
+
+/* DRBG context seeding */
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+ const mbedtls_mpi *secret, size_t secret_len )
+{
+ int ret;
+ unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
+
+ if( secret_len > MBEDTLS_ECP_MAX_BYTES )
+ {
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
+ goto cleanup;
+ }
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+ secret_bytes, secret_len ) );
+
+ ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
+ secret_bytes, secret_len );
+
+cleanup:
+ mbedtls_platform_zeroize( secret_bytes, secret_len );
+
+ return( ret );
+}
+
+#else
+#error "Invalid configuration detected. Include check_config.h to ensure that the configuration is valid."
+#endif /* DRBG modules */
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
+
#if defined(MBEDTLS_ECP_RESTARTABLE)
/*
* Maximum number of "basic operations" to be done in a row.
@@ -165,6 +310,10 @@
ecp_rsm_comb_core, /* ecp_mul_comb_core() */
ecp_rsm_final_norm, /* do the final normalization */
} state;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_context drbg_ctx;
+ unsigned char drbg_seeded;
+#endif
};
/*
@@ -177,6 +326,10 @@
ctx->T = NULL;
ctx->T_size = 0;
ctx->state = ecp_rsm_init;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_init( &ctx->drbg_ctx );
+ ctx->drbg_seeded = 0;
+#endif
}
/*
@@ -198,6 +351,10 @@
mbedtls_free( ctx->T );
}
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_free( &ctx->drbg_ctx );
+#endif
+
ecp_restart_rsm_init( ctx );
}
@@ -345,26 +502,6 @@
#endif /* MBEDTLS_ECP_RESTARTABLE */
-#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || \
- defined(MBEDTLS_ECP_DP_SM2_ENABLED)
-#define ECP_SHORTWEIERSTRASS
-#endif
-
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || \
- defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
-#define ECP_MONTGOMERY
-#endif
-
/*
* List of supported curves:
* - internal ID
@@ -412,9 +549,12 @@
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
{ MBEDTLS_ECP_DP_SECP192K1, 18, 192, "secp192k1" },
#endif
-#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
{ MBEDTLS_ECP_DP_CURVE25519, 29, 256, "x25519" },
#endif
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ { MBEDTLS_ECP_DP_CURVE448, 30, 448, "x448" },
+#endif
#if defined(MBEDTLS_ECP_DP_SM2_ENABLED)
/* https://tools.ietf.org/id/draft-yang-tls-tls13-sm-suites-05.html */
{ MBEDTLS_ECP_DP_SM2, 41, 256, "sm2" },
@@ -746,7 +886,8 @@
plen = mbedtls_mpi_size( &grp->P );
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ (void) format; /* Montgomery curves always use the same point format */
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
{
*olen = plen;
@@ -756,7 +897,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary_le( &P->X, buf, plen ) );
}
#endif
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
{
/*
@@ -819,7 +960,7 @@
plen = mbedtls_mpi_size( &grp->P );
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
{
if( plen != ilen )
@@ -835,7 +976,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &pt->Z, 1 ) );
}
#endif
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
{
if( buf[0] == 0x00 )
@@ -1109,6 +1250,13 @@
while( (N).s < 0 && mbedtls_mpi_cmp_int( &(N), 0 ) != 0 ) \
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &(N), &(N), &grp->P ) )
+#if ( defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
+ !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+ defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
+ defined(MBEDTLS_ECP_ADD_MIXED_ALT) ) ) || \
+ ( defined(MBEDTLS_ECP_MONTGOMERY_ENABLED) && \
+ !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+ defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) ) )
static inline int mbedtls_mpi_sub_mod( const mbedtls_ecp_group *grp,
mbedtls_mpi *X,
const mbedtls_mpi *A,
@@ -1120,6 +1268,7 @@
cleanup:
return( ret );
}
+#endif /* All functions referencing mbedtls_mpi_sub_mod() are alt-implemented without fallback */
/*
* Reduce a mbedtls_mpi mod p in-place, to use after mbedtls_mpi_add_mpi and mbedtls_mpi_mul_int.
@@ -1142,6 +1291,10 @@
return( ret );
}
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED) && \
+ !( defined(MBEDTLS_ECP_NO_FALLBACK) && \
+ defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && \
+ defined(MBEDTLS_ECP_ADD_MIXED_ALT) )
static inline int mbedtls_mpi_shift_l_mod( const mbedtls_ecp_group *grp,
mbedtls_mpi *X,
size_t count )
@@ -1152,8 +1305,9 @@
cleanup:
return( ret );
}
+#endif /* All functions referencing mbedtls_mpi_shift_l_mod() are alt-implemented without fallback */
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/*
* For curves in short Weierstrass form, we do all the internal operations in
* Jacobian coordinates.
@@ -1168,9 +1322,6 @@
*/
static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi Zi, ZZi;
-
if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 )
return( 0 );
@@ -1179,6 +1330,11 @@
return( mbedtls_internal_ecp_normalize_jac( grp, pt ) );
#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi Zi, ZZi;
mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi );
/*
@@ -1204,6 +1360,7 @@
mbedtls_mpi_free( &Zi ); mbedtls_mpi_free( &ZZi );
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) */
}
/*
@@ -1220,10 +1377,6 @@
static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp,
mbedtls_ecp_point *T[], size_t T_size )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi *c, u, Zi, ZZi;
-
if( T_size < 2 )
return( ecp_normalize_jac( grp, *T ) );
@@ -1232,6 +1385,13 @@
return( mbedtls_internal_ecp_normalize_jac_many( grp, T, T_size ) );
#endif
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
+ mbedtls_mpi *c, u, Zi, ZZi;
+
if( ( c = mbedtls_calloc( T_size, sizeof( mbedtls_mpi ) ) ) == NULL )
return( MBEDTLS_ERR_ECP_ALLOC_FAILED );
@@ -1299,6 +1459,7 @@
mbedtls_free( c );
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) */
}
/*
@@ -1343,9 +1504,6 @@
static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_ecp_point *P )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi M, S, T, U;
-
#if defined(MBEDTLS_SELF_TEST)
dbl_count++;
#endif
@@ -1355,6 +1513,12 @@
return( mbedtls_internal_ecp_double_jac( grp, R, P ) );
#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi M, S, T, U;
+
mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U );
/* Special case for A = -3 */
@@ -1416,6 +1580,7 @@
mbedtls_mpi_free( &M ); mbedtls_mpi_free( &S ); mbedtls_mpi_free( &T ); mbedtls_mpi_free( &U );
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) */
}
/*
@@ -1439,9 +1604,6 @@
static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
-
#if defined(MBEDTLS_SELF_TEST)
add_count++;
#endif
@@ -1451,6 +1613,12 @@
return( mbedtls_internal_ecp_add_mixed( grp, R, P, Q ) );
#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_ADD_MIXED_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi T1, T2, T3, T4, X, Y, Z;
+
/*
* Trivial cases: P == 0 or Q == 0 (case 1)
*/
@@ -1515,6 +1683,7 @@
mbedtls_mpi_free( &X ); mbedtls_mpi_free( &Y ); mbedtls_mpi_free( &Z );
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_ADD_MIXED_ALT) */
}
/*
@@ -1527,31 +1696,21 @@
static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *pt,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi l, ll;
- size_t p_size;
- int count = 0;
-
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
if( mbedtls_internal_ecp_grp_capable( grp ) )
return( mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ) );
#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
- p_size = ( grp->pbits + 7 ) / 8;
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l, ll;
+
mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll );
/* Generate l such that 1 < l < p */
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
-
- while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
-
- if( count++ > 10 )
- return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
- }
- while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_random( &l, 2, &grp->P, f_rng, p_rng ) );
/* Z = l * Z */
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &pt->Z, &pt->Z, &l ) );
@@ -1567,7 +1726,10 @@
cleanup:
mbedtls_mpi_free( &l ); mbedtls_mpi_free( &ll );
+ if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) */
}
/*
@@ -1899,7 +2061,9 @@
i = d;
MBEDTLS_MPI_CHK( ecp_select_comb( grp, R, T, T_size, x[i] ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &R->Z, 1 ) );
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != 0 )
+#endif
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, R, f_rng, p_rng ) );
}
@@ -2020,6 +2184,7 @@
rs_ctx->rsm->state = ecp_rsm_final_norm;
final_norm:
+ MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
#endif
/*
* Knowledge of the jacobian coordinates may leak the last few bits of the
@@ -2032,10 +2197,11 @@
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != 0 )
+#endif
MBEDTLS_MPI_CHK( ecp_randomize_jac( grp, RR, f_rng, p_rng ) );
- MBEDTLS_ECP_BUDGET( MBEDTLS_ECP_OPS_INV );
MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, RR ) );
#if defined(MBEDTLS_ECP_RESTARTABLE)
@@ -2106,11 +2272,44 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char w, p_eq_g, i;
size_t d;
- unsigned char T_size, T_ok;
- mbedtls_ecp_point *T;
+ unsigned char T_size = 0, T_ok = 0;
+ mbedtls_ecp_point *T = NULL;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_context drbg_ctx;
+
+ ecp_drbg_init( &drbg_ctx );
+#endif
ECP_RS_ENTER( rsm );
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ if( f_rng == NULL )
+ {
+ /* Adjust pointers */
+ f_rng = &ecp_drbg_random;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+ p_rng = &rs_ctx->rsm->drbg_ctx;
+ else
+#endif
+ p_rng = &drbg_ctx;
+
+ /* Initialize internal DRBG if necessary */
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if( rs_ctx == NULL || rs_ctx->rsm == NULL ||
+ rs_ctx->rsm->drbg_seeded == 0 )
+#endif
+ {
+ const size_t m_len = ( grp->nbits + 7 ) / 8;
+ MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m, m_len ) );
+ }
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+ if( rs_ctx != NULL && rs_ctx->rsm != NULL )
+ rs_ctx->rsm->drbg_seeded = 1;
+#endif
+ }
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
/* Is P the base point ? */
#if MBEDTLS_ECP_FIXED_POINT_OPTIM == 1
p_eq_g = ( mbedtls_mpi_cmp_mpi( &P->Y, &grp->G.Y ) == 0 &&
@@ -2182,6 +2381,10 @@
cleanup:
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_free( &drbg_ctx );
+#endif
+
/* does T belong to the group? */
if( T == grp->T )
T = NULL;
@@ -2218,9 +2421,9 @@
return( ret );
}
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
/*
* For Montgomery curves, we do all the internal arithmetic in projective
* coordinates. Import/export of points uses only the x coordinates, which is
@@ -2235,19 +2438,22 @@
*/
static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
if( mbedtls_internal_ecp_grp_capable( grp ) )
return( mbedtls_internal_ecp_normalize_mxz( grp, P ) );
#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->X, &P->X, &P->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) );
cleanup:
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) */
}
/*
@@ -2261,31 +2467,20 @@
static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi l;
- size_t p_size;
- int count = 0;
-
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
if( mbedtls_internal_ecp_grp_capable( grp ) )
- return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng );
+ return( mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng ) );
#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */
- p_size = ( grp->pbits + 7 ) / 8;
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi l;
mbedtls_mpi_init( &l );
/* Generate l such that 1 < l < p */
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &l, p_size, f_rng, p_rng ) );
-
- while( mbedtls_mpi_cmp_mpi( &l, &grp->P ) >= 0 )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &l, 1 ) );
-
- if( count++ > 10 )
- return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
- }
- while( mbedtls_mpi_cmp_int( &l, 1 ) <= 0 );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_random( &l, 2, &grp->P, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->X, &P->X, &l ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &P->Z, &P->Z, &l ) );
@@ -2293,7 +2488,10 @@
cleanup:
mbedtls_mpi_free( &l );
+ if( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ ret = MBEDTLS_ERR_ECP_RANDOM_FAILED;
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) */
}
/*
@@ -2316,14 +2514,17 @@
const mbedtls_ecp_point *P, const mbedtls_ecp_point *Q,
const mbedtls_mpi *d )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
-
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
if( mbedtls_internal_ecp_grp_capable( grp ) )
return( mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ) );
#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK) && defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
+ return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB;
+
mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B );
mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C );
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB );
@@ -2337,7 +2538,7 @@
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &D, &Q->X, &Q->Z ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &DA, &D, &A ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &CB, &C, &B ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &S->X, &DA, &CB ) ); MOD_MUL( S->X );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_mod( grp, &S->X, &DA, &CB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S->X, &S->X, &S->X ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mod( grp, &S->Z, &DA, &CB ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mod( grp, &S->Z, &S->Z, &S->Z ) );
@@ -2353,6 +2554,7 @@
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &DA ); mbedtls_mpi_free( &CB );
return( ret );
+#endif /* !defined(MBEDTLS_ECP_NO_FALLBACK) || !defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) */
}
/*
@@ -2369,9 +2571,23 @@
unsigned char b;
mbedtls_ecp_point RP;
mbedtls_mpi PX;
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_context drbg_ctx;
+ ecp_drbg_init( &drbg_ctx );
+#endif
mbedtls_ecp_point_init( &RP ); mbedtls_mpi_init( &PX );
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ if( f_rng == NULL )
+ {
+ const size_t m_len = ( grp->nbits + 7 ) / 8;
+ MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
+ f_rng = &ecp_drbg_random;
+ p_rng = &drbg_ctx;
+ }
+#endif /* !MBEDTLS_ECP_NO_INTERNAL_RNG */
+
/* Save PX and read from P before writing to R, in case P == R */
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &PX, &P->X ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_copy( &RP, P ) );
@@ -2385,7 +2601,9 @@
MOD_ADD( RP.X );
/* Randomize coordinates of the starting point */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != NULL )
+#endif
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, &RP, f_rng, p_rng ) );
/* Loop invariant: R = result so far, RP = R + P */
@@ -2418,18 +2636,24 @@
*
* Avoid the leak by randomizing coordinates before we normalize them.
*/
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
if( f_rng != NULL )
+#endif
MBEDTLS_MPI_CHK( ecp_randomize_mxz( grp, R, f_rng, p_rng ) );
MBEDTLS_MPI_CHK( ecp_normalize_mxz( grp, R ) );
cleanup:
+#if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ ecp_drbg_free( &drbg_ctx );
+#endif
+
mbedtls_ecp_point_free( &RP ); mbedtls_mpi_free( &PX );
return( ret );
}
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
/*
* Restartable multiplication R = m * P
@@ -2452,6 +2676,8 @@
/* reset ops count for this call if top-level */
if( rs_ctx != NULL && rs_ctx->depth++ == 0 )
rs_ctx->ops_done = 0;
+#else
+ (void) rs_ctx;
#endif
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
@@ -2473,11 +2699,11 @@
}
ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
MBEDTLS_MPI_CHK( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) );
#endif
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
MBEDTLS_MPI_CHK( ecp_mul_comb( grp, R, m, P, f_rng, p_rng, rs_ctx ) );
#endif
@@ -2511,7 +2737,7 @@
return( mbedtls_ecp_mul_restartable( grp, R, m, P, f_rng, p_rng, NULL ) );
}
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/*
* Check that an affine point is valid as a public key,
* short weierstrass curves (SEC1 3.2.3.1)
@@ -2559,10 +2785,11 @@
return( ret );
}
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/*
- * R = m * P with shortcuts for m == 1 and m == -1
+ * R = m * P with shortcuts for m == 0, m == 1 and m == -1
* NOT constant-time - ONLY for short Weierstrass!
*/
static int mbedtls_ecp_mul_shortcuts( mbedtls_ecp_group *grp,
@@ -2573,7 +2800,11 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
+ if( mbedtls_mpi_cmp_int( m, 0 ) == 0 )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_ecp_set_zero( R ) );
+ }
+ else if( mbedtls_mpi_cmp_int( m, 1 ) == 0 )
{
MBEDTLS_MPI_CHK( mbedtls_ecp_copy( R, P ) );
}
@@ -2706,8 +2937,100 @@
ECP_VALIDATE_RET( Q != NULL );
return( mbedtls_ecp_muladd_restartable( grp, R, m, P, n, Q, NULL ) );
}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#define ECP_MPI_INIT(s, n, p) {s, 0, (n), (mbedtls_mpi_uint *)(p)}
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
+/*
+ * Constants for the two points other than 0, 1, -1 (mod p) in
+ * https://cr.yp.to/ecdh.html#validate
+ * See ecp_check_pubkey_x25519().
+ */
+static const mbedtls_mpi_uint x25519_bad_point_1[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 ),
+};
+static const mbedtls_mpi_uint x25519_bad_point_2[] = {
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 ),
+};
+static const mbedtls_mpi ecp_x25519_bad_point_1 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_1 );
+static const mbedtls_mpi ecp_x25519_bad_point_2 = ECP_MPI_INIT_ARRAY(
+ x25519_bad_point_2 );
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+
+/*
+ * Check that the input point is not one of the low-order points.
+ * This is recommended by the "May the Fourth" paper:
+ * https://eprint.iacr.org/2017/806.pdf
+ * Those points are never sent by an honest peer.
+ */
+static int ecp_check_bad_points_mx( const mbedtls_mpi *X, const mbedtls_mpi *P,
+ const mbedtls_ecp_group_id grp_id )
+{
+ int ret;
+ mbedtls_mpi XmP;
+
+ mbedtls_mpi_init( &XmP );
+
+ /* Reduce X mod P so that we only need to check values less than P.
+ * We know X < 2^256 so we can proceed by subtraction. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &XmP, X ) );
+ while( mbedtls_mpi_cmp_mpi( &XmP, P ) >= 0 )
+ MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &XmP, &XmP, P ) );
+
+ /* Check against the known bad values that are less than P. For Curve448
+ * these are 0, 1 and -1. For Curve25519 we check the values less than P
+ * from the following list: https://cr.yp.to/ecdh.html#validate */
+ if( mbedtls_mpi_cmp_int( &XmP, 1 ) <= 0 ) /* takes care of 0 and 1 */
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ if( grp_id == MBEDTLS_ECP_DP_CURVE25519 )
+ {
+ if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_1 ) == 0 )
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ if( mbedtls_mpi_cmp_mpi( &XmP, &ecp_x25519_bad_point_2 ) == 0 )
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+ }
+#else
+ (void) grp_id;
+#endif
+
+ /* Final check: check if XmP + 1 is P (final because it changes XmP!) */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &XmP, &XmP, 1 ) );
+ if( mbedtls_mpi_cmp_mpi( &XmP, P ) == 0 )
+ {
+ ret = MBEDTLS_ERR_ECP_INVALID_KEY;
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ mbedtls_mpi_free( &XmP );
+
+ return( ret );
+}
+
/*
* Check validity of a public key for Montgomery curves with x-only schemes
*/
@@ -2719,9 +3042,15 @@
if( mbedtls_mpi_size( &pt->X ) > ( grp->nbits + 7 ) / 8 )
return( MBEDTLS_ERR_ECP_INVALID_KEY );
- return( 0 );
+ /* Implicit in all standards (as they don't consider negative numbers):
+ * X must be non-negative. This is normally ensured by the way it's
+ * encoded for transmission, but let's be extra sure. */
+ if( mbedtls_mpi_cmp_int( &pt->X, 0 ) < 0 )
+ return( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+ return( ecp_check_bad_points_mx( &pt->X, &grp->P, grp->id ) );
}
-#endif /* ECP_MONTGOMERY */
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
/*
* Check that a point is valid as a public key
@@ -2736,11 +3065,11 @@
if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
return( MBEDTLS_ERR_ECP_INVALID_KEY );
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
return( ecp_check_pubkey_mx( grp, pt ) );
#endif
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
return( ecp_check_pubkey_sw( grp, pt ) );
#endif
@@ -2756,7 +3085,7 @@
ECP_VALIDATE_RET( grp != NULL );
ECP_VALIDATE_RET( d != NULL );
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
{
/* see RFC 7748 sec. 5 para. 5 */
@@ -2771,8 +3100,8 @@
return( 0 );
}
-#endif /* ECP_MONTGOMERY */
-#if defined(ECP_SHORTWEIERSTRASS)
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
{
/* see SEC1 3.2 */
@@ -2782,11 +3111,61 @@
else
return( 0 );
}
-#endif /* ECP_SHORTWEIERSTRASS */
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
}
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_gen_privkey_mx( size_t high_bit,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ size_t n_random_bytes = high_bit / 8 + 1;
+
+ /* [Curve25519] page 5 */
+ /* Generate a (high_bit+1)-bit random number by generating just enough
+ * random bytes, then shifting out extra bits from the top (necessary
+ * when (high_bit+1) is not a multiple of 8). */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_random_bytes,
+ f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_random_bytes - high_bit - 1 ) );
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, high_bit, 1 ) );
+
+ /* Make sure the last two bits are unset for Curve448, three bits for
+ Curve25519 */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
+ if( high_bit == 254 )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
+ }
+
+cleanup:
+ return( ret );
+}
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+static int mbedtls_ecp_gen_privkey_sw(
+ const mbedtls_mpi *N, mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+ int ret = mbedtls_mpi_random( d, 1, N, f_rng, p_rng );
+ switch( ret )
+ {
+ case MBEDTLS_ERR_MPI_NOT_ACCEPTABLE:
+ return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+ default:
+ return( ret );
+ }
+}
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+
/*
* Generate a private key
*/
@@ -2795,86 +3174,21 @@
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
- size_t n_size;
-
ECP_VALIDATE_RET( grp != NULL );
ECP_VALIDATE_RET( d != NULL );
ECP_VALIDATE_RET( f_rng != NULL );
- n_size = ( grp->nbits + 7 ) / 8;
-
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
- {
- /* [M225] page 5 */
- size_t b;
+ return( mbedtls_ecp_gen_privkey_mx( grp->nbits, d, f_rng, p_rng ) );
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
- do {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
- } while( mbedtls_mpi_bitlen( d ) == 0);
-
- /* Make sure the most significant bit is nbits */
- b = mbedtls_mpi_bitlen( d ) - 1; /* mbedtls_mpi_bitlen is one-based */
- if( b > grp->nbits )
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - grp->nbits ) );
- else
- MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, grp->nbits, 1 ) );
-
- /* Make sure the last two bits are unset for Curve448, three bits for
- Curve25519 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 0, 0 ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 1, 0 ) );
- if( grp->nbits == 254 )
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, 2, 0 ) );
- }
- }
-#endif /* ECP_MONTGOMERY */
-
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
- {
- /* SEC1 3.2.1: Generate d such that 1 <= n < N */
- int count = 0;
- unsigned cmp = 0;
+ return( mbedtls_ecp_gen_privkey_sw( &grp->N, d, f_rng, p_rng ) );
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
- /*
- * Match the procedure given in RFC 6979 (deterministic ECDSA):
- * - use the same byte ordering;
- * - keep the leftmost nbits bits of the generated octet string;
- * - try until result is in the desired range.
- * This also avoids any biais, which is especially important for ECDSA.
- */
- do
- {
- MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
-
- /*
- * Each try has at worst a probability 1/2 of failing (the msb has
- * a probability 1/2 of being 0, and then the result will be < N),
- * so after 30 tries failure probability is a most 2**(-30).
- *
- * For most curves, 1 try is enough with overwhelming probability,
- * since N starts with a lot of 1s in binary, but some curves
- * such as secp224k1 are actually very close to the worst case.
- */
- if( ++count > 30 )
- return( MBEDTLS_ERR_ECP_RANDOM_FAILED );
-
- ret = mbedtls_mpi_lt_mpi_ct( d, &grp->N, &cmp );
- if( ret != 0 )
- {
- goto cleanup;
- }
- }
- while( mbedtls_mpi_cmp_int( d, 1 ) < 0 || cmp != 1 );
- }
-#endif /* ECP_SHORTWEIERSTRASS */
-
-cleanup:
- return( ret );
+ return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
}
/*
@@ -2949,7 +3263,7 @@
ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
-#if defined(ECP_MONTGOMERY)
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
{
/*
@@ -2984,7 +3298,7 @@
}
#endif
-#if defined(ECP_SHORTWEIERSTRASS)
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
{
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &key->d, buf, buflen ) );
@@ -3002,6 +3316,45 @@
}
/*
+ * Write a private key.
+ */
+int mbedtls_ecp_write_key( mbedtls_ecp_keypair *key,
+ unsigned char *buf, size_t buflen )
+{
+ int ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+ ECP_VALIDATE_RET( key != NULL );
+ ECP_VALIDATE_RET( buf != NULL );
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_MONTGOMERY )
+ {
+ if( key->grp.id == MBEDTLS_ECP_DP_CURVE25519 )
+ {
+ if( buflen < ECP_CURVE25519_KEY_SIZE )
+ return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary_le( &key->d, buf, buflen ) );
+ }
+ else
+ ret = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+ }
+
+#endif
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ if( mbedtls_ecp_get_type( &key->grp ) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS )
+ {
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &key->d, buf, buflen ) );
+ }
+
+#endif
+cleanup:
+
+ return( ret );
+}
+
+
+/*
* Check a public-private key pair
*/
int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv )
@@ -3047,33 +3400,141 @@
#if defined(MBEDTLS_SELF_TEST)
+/* Adjust the exponent to be a valid private point for the specified curve.
+ * This is sometimes necessary because we use a single set of exponents
+ * for all curves but the validity of values depends on the curve. */
+static int self_test_adjust_exponent( const mbedtls_ecp_group *grp,
+ mbedtls_mpi *m )
+{
+ int ret = 0;
+ switch( grp->id )
+ {
+ /* If Curve25519 is available, then that's what we use for the
+ * Montgomery test, so we don't need the adjustment code. */
+#if ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ /* Move highest bit from 254 to N-1. Setting bit N-1 is
+ * necessary to enforce the highest-bit-set constraint. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( m, 254, 0 ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( m, grp->nbits, 1 ) );
+ /* Copy second-highest bit from 253 to N-2. This is not
+ * necessary but improves the test variety a bit. */
+ MBEDTLS_MPI_CHK(
+ mbedtls_mpi_set_bit( m, grp->nbits - 1,
+ mbedtls_mpi_get_bit( m, 253 ) ) );
+ break;
+#endif
+#endif /* ! defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) */
+ default:
+ /* Non-Montgomery curves and Curve25519 need no adjustment. */
+ (void) grp;
+ (void) m;
+ goto cleanup;
+ }
+cleanup:
+ return( ret );
+}
+
+/* Calculate R = m.P for each m in exponents. Check that the number of
+ * basic operations doesn't depend on the value of m. */
+static int self_test_point( int verbose,
+ mbedtls_ecp_group *grp,
+ mbedtls_ecp_point *R,
+ mbedtls_mpi *m,
+ const mbedtls_ecp_point *P,
+ const char *const *exponents,
+ size_t n_exponents )
+{
+ int ret = 0;
+ size_t i = 0;
+ unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( m, 16, exponents[0] ) );
+ MBEDTLS_MPI_CHK( self_test_adjust_exponent( grp, m ) );
+ MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, m, P, NULL, NULL ) );
+
+ for( i = 1; i < n_exponents; i++ )
+ {
+ add_c_prev = add_count;
+ dbl_c_prev = dbl_count;
+ mul_c_prev = mul_count;
+ add_count = 0;
+ dbl_count = 0;
+ mul_count = 0;
+
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( m, 16, exponents[i] ) );
+ MBEDTLS_MPI_CHK( self_test_adjust_exponent( grp, m ) );
+ MBEDTLS_MPI_CHK( mbedtls_ecp_mul( grp, R, m, P, NULL, NULL ) );
+
+ if( add_count != add_c_prev ||
+ dbl_count != dbl_c_prev ||
+ mul_count != mul_c_prev )
+ {
+ ret = 1;
+ break;
+ }
+ }
+
+cleanup:
+ if( verbose != 0 )
+ {
+ if( ret != 0 )
+ mbedtls_printf( "failed (%u)\n", (unsigned int) i );
+ else
+ mbedtls_printf( "passed\n" );
+ }
+ return( ret );
+}
+
/*
* Checkup routine
*/
int mbedtls_ecp_self_test( int verbose )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
mbedtls_ecp_group grp;
mbedtls_ecp_point R, P;
mbedtls_mpi m;
- unsigned long add_c_prev, dbl_c_prev, mul_c_prev;
- /* exponents especially adapted for secp192r1 */
- const char *exponents[] =
+
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
+ /* Exponents especially adapted for secp192k1, which has the lowest
+ * order n of all supported curves (secp192r1 is in a slightly larger
+ * field but the order of its base point is slightly smaller). */
+ const char *sw_exponents[] =
{
"000000000000000000000000000000000000000000000001", /* one */
- "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", /* N - 1 */
+ "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8C", /* n - 1 */
"5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", /* random */
"400000000000000000000000000000000000000000000000", /* one and zeros */
"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", /* all ones */
"555555555555555555555555555555555555555555555555", /* 101010... */
};
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+ const char *m_exponents[] =
+ {
+ /* Valid private values for Curve25519. In a build with Curve448
+ * but not Curve25519, they will be adjusted in
+ * self_test_adjust_exponent(). */
+ "4000000000000000000000000000000000000000000000000000000000000000",
+ "5C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C3C30",
+ "5715ECCE24583F7A7023C24164390586842E816D7280A49EF6DF4EAE6B280BF8",
+ "41A2B017516F6D254E1F002BCCBADD54BE30F8CEC737A0E912B4963B6BA74460",
+ "5555555555555555555555555555555555555555555555555555555555555550",
+ "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8",
+ };
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
mbedtls_ecp_group_init( &grp );
mbedtls_ecp_point_init( &R );
mbedtls_ecp_point_init( &P );
mbedtls_mpi_init( &m );
+#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
/* Use secp192r1 if available, or any available curve */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
@@ -3082,86 +3543,53 @@
#endif
if( verbose != 0 )
- mbedtls_printf( " ECP test #1 (constant op_count, base point G): " );
-
+ mbedtls_printf( " ECP SW test #1 (constant op_count, base point G): " );
/* Do a dummy multiplication first to trigger precomputation */
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &m, 2 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &P, &m, &grp.G, NULL, NULL ) );
-
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
- MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
-
- for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
- {
- add_c_prev = add_count;
- dbl_c_prev = dbl_count;
- mul_c_prev = mul_count;
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
-
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
- MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &grp.G, NULL, NULL ) );
-
- if( add_count != add_c_prev ||
- dbl_count != dbl_c_prev ||
- mul_count != mul_c_prev )
- {
- if( verbose != 0 )
- mbedtls_printf( "failed (%u)\n", (unsigned int) i );
-
- ret = 1;
- goto cleanup;
- }
- }
+ ret = self_test_point( verbose,
+ &grp, &R, &m, &grp.G,
+ sw_exponents,
+ sizeof( sw_exponents ) / sizeof( sw_exponents[0] ));
+ if( ret != 0 )
+ goto cleanup;
if( verbose != 0 )
- mbedtls_printf( "passed\n" );
-
- if( verbose != 0 )
- mbedtls_printf( " ECP test #2 (constant op_count, other point): " );
+ mbedtls_printf( " ECP SW test #2 (constant op_count, other point): " );
/* We computed P = 2G last time, use it */
+ ret = self_test_point( verbose,
+ &grp, &R, &m, &P,
+ sw_exponents,
+ sizeof( sw_exponents ) / sizeof( sw_exponents[0] ));
+ if( ret != 0 )
+ goto cleanup;
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[0] ) );
- MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
+ mbedtls_ecp_group_free( &grp );
+ mbedtls_ecp_point_free( &R );
+#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
- for( i = 1; i < sizeof( exponents ) / sizeof( exponents[0] ); i++ )
- {
- add_c_prev = add_count;
- dbl_c_prev = dbl_count;
- mul_c_prev = mul_count;
- add_count = 0;
- dbl_count = 0;
- mul_count = 0;
-
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &m, 16, exponents[i] ) );
- MBEDTLS_MPI_CHK( mbedtls_ecp_mul( &grp, &R, &m, &P, NULL, NULL ) );
-
- if( add_count != add_c_prev ||
- dbl_count != dbl_c_prev ||
- mul_count != mul_c_prev )
- {
- if( verbose != 0 )
- mbedtls_printf( "failed (%u)\n", (unsigned int) i );
-
- ret = 1;
- goto cleanup;
- }
- }
-
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
if( verbose != 0 )
- mbedtls_printf( "passed\n" );
+ mbedtls_printf( " ECP Montgomery test (constant op_count): " );
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_CURVE25519 ) );
+#elif defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_CURVE448 ) );
+#else
+#error "MBEDTLS_ECP_MONTGOMERY_ENABLED is defined, but no curve is supported for self-test"
+#endif
+ ret = self_test_point( verbose,
+ &grp, &R, &m, &grp.G,
+ m_exponents,
+ sizeof( m_exponents ) / sizeof( m_exponents[0] ));
+ if( ret != 0 )
+ goto cleanup;
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
cleanup:
if( ret < 0 && verbose != 0 )
- mbedtls_printf( "Unexpected error, return code = %08X\n", ret );
+ mbedtls_printf( "Unexpected error, return code = %08X\n", (unsigned int) ret );
mbedtls_ecp_group_free( &grp );
mbedtls_ecp_point_free( &R );
diff --git a/lib/libmbedtls/mbedtls/library/ecp_curves.c b/lib/libmbedtls/mbedtls/library/ecp_curves.c
index fb2265c..537ad38 100644
--- a/lib/libmbedtls/mbedtls/library/ecp_curves.c
+++ b/lib/libmbedtls/mbedtls/library/ecp_curves.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Elliptic curves over GF(p): curve-specific data and functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,21 +15,18 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ECP_C)
#include "mbedtls/ecp.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
+#include "mbedtls/bn_mul.h"
+
+#include "ecp_invasive.h"
#include <string.h>
@@ -46,44 +43,10 @@
#define inline __inline
#endif
-/*
- * Conversion macros for embedded constants:
- * build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
- */
-#if defined(MBEDTLS_HAVE_INT32)
+#define ECP_MPI_INIT(s, n, p) {s, (n), (mbedtls_mpi_uint *)(p)}
-#define BYTES_TO_T_UINT_4( a, b, c, d ) \
- ( (mbedtls_mpi_uint) (a) << 0 ) | \
- ( (mbedtls_mpi_uint) (b) << 8 ) | \
- ( (mbedtls_mpi_uint) (c) << 16 ) | \
- ( (mbedtls_mpi_uint) (d) << 24 )
-
-#define BYTES_TO_T_UINT_2( a, b ) \
- BYTES_TO_T_UINT_4( a, b, 0, 0 )
-
-#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
- BYTES_TO_T_UINT_4( a, b, c, d ), \
- BYTES_TO_T_UINT_4( e, f, g, h )
-
-#else /* 64-bits */
-
-#define BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
- ( (mbedtls_mpi_uint) (a) << 0 ) | \
- ( (mbedtls_mpi_uint) (b) << 8 ) | \
- ( (mbedtls_mpi_uint) (c) << 16 ) | \
- ( (mbedtls_mpi_uint) (d) << 24 ) | \
- ( (mbedtls_mpi_uint) (e) << 32 ) | \
- ( (mbedtls_mpi_uint) (f) << 40 ) | \
- ( (mbedtls_mpi_uint) (g) << 48 ) | \
- ( (mbedtls_mpi_uint) (h) << 56 )
-
-#define BYTES_TO_T_UINT_4( a, b, c, d ) \
- BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
-
-#define BYTES_TO_T_UINT_2( a, b ) \
- BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
-
-#endif /* bits in mbedtls_mpi_uint */
+#define ECP_MPI_INIT_ARRAY(x) \
+ ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
/*
* Note: the constants are in little-endian order
@@ -95,29 +58,29 @@
*/
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
static const mbedtls_mpi_uint secp192r1_p[] = {
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp192r1_b[] = {
- BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
- BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
- BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB1, 0xB9, 0x46, 0xC1, 0xEC, 0xDE, 0xB8, 0xFE ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x49, 0x30, 0x24, 0x72, 0xAB, 0xE9, 0xA7, 0x0F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x80, 0x9C, 0xE5, 0x19, 0x05, 0x21, 0x64 ),
};
static const mbedtls_mpi_uint secp192r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
- BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
- BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x10, 0xFF, 0x82, 0xFD, 0x0A, 0xFF, 0xF4 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x88, 0xA1, 0x43, 0xEB, 0x20, 0xBF, 0x7C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0x90, 0x30, 0xB0, 0x0E, 0xA8, 0x8D, 0x18 ),
};
static const mbedtls_mpi_uint secp192r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
- BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
- BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x48, 0x79, 0x1E, 0xA1, 0x77, 0xF9, 0x73 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0xCD, 0x24, 0x6B, 0xED, 0x11, 0x10, 0x63 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x78, 0xDA, 0xC8, 0xFF, 0x95, 0x2B, 0x19, 0x07 ),
};
static const mbedtls_mpi_uint secp192r1_n[] = {
- BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
- BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x31, 0x28, 0xD2, 0xB4, 0xB1, 0xC9, 0x6B, 0x14 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x36, 0xF8, 0xDE, 0x99, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
@@ -126,34 +89,34 @@
*/
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
static const mbedtls_mpi_uint secp224r1_p[] = {
- BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp224r1_b[] = {
- BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
- BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
- BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
- BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0xFF, 0x55, 0x23, 0x43, 0x39, 0x0B, 0x27 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0xD8, 0xBF, 0xD7, 0xB7, 0xB0, 0x44, 0x50 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x56, 0x32, 0x41, 0xF5, 0xAB, 0xB3, 0x04, 0x0C ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0x85, 0x0A, 0x05, 0xB4 ),
};
static const mbedtls_mpi_uint secp224r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
- BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
- BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
- BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0x1D, 0x5C, 0x11, 0xD6, 0x80, 0x32, 0x34 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0x11, 0xC2, 0x56, 0xD3, 0xC1, 0x03, 0x4A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0x90, 0x13, 0x32, 0x7F, 0xBF, 0xB4, 0x6B ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0xBD, 0x0C, 0x0E, 0xB7 ),
};
static const mbedtls_mpi_uint secp224r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
- BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
- BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
- BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x7E, 0x00, 0x85, 0x99, 0x81, 0xD5, 0x44 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x47, 0x07, 0x5A, 0xA0, 0x75, 0x43, 0xCD ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0xDF, 0x22, 0x4C, 0xFB, 0x23, 0xF7, 0xB5 ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0x88, 0x63, 0x37, 0xBD ),
};
static const mbedtls_mpi_uint secp224r1_n[] = {
- BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
- BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x3D, 0x2A, 0x5C, 0x5C, 0x45, 0x29, 0xDD, 0x13 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x3E, 0xF0, 0xB8, 0xE0, 0xA2, 0x16, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
@@ -162,34 +125,34 @@
*/
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
static const mbedtls_mpi_uint secp256r1_p[] = {
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
- BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp256r1_b[] = {
- BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
- BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
- BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
- BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x4B, 0x60, 0xD2, 0x27, 0x3E, 0x3C, 0xCE, 0x3B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF6, 0xB0, 0x53, 0xCC, 0xB0, 0x06, 0x1D, 0x65 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x86, 0x98, 0x76, 0x55, 0xBD, 0xEB, 0xB3 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0x93, 0x3A, 0xAA, 0xD8, 0x35, 0xC6, 0x5A ),
};
static const mbedtls_mpi_uint secp256r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
- BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
- BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
- BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x96, 0xC2, 0x98, 0xD8, 0x45, 0x39, 0xA1, 0xF4 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0x33, 0xEB, 0x2D, 0x81, 0x7D, 0x03, 0x77 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF2, 0x40, 0xA4, 0x63, 0xE5, 0xE6, 0xBC, 0xF8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x42, 0x2C, 0xE1, 0xF2, 0xD1, 0x17, 0x6B ),
};
static const mbedtls_mpi_uint secp256r1_gy[] = {
- BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
- BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
- BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
- BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF5, 0x51, 0xBF, 0x37, 0x68, 0x40, 0xB6, 0xCB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0x5E, 0x31, 0x6B, 0x57, 0x33, 0xCE, 0x2B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x16, 0x9E, 0x0F, 0x7C, 0x4A, 0xEB, 0xE7, 0x8E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x7F, 0x1A, 0xFE, 0xE2, 0x42, 0xE3, 0x4F ),
};
static const mbedtls_mpi_uint secp256r1_n[] = {
- BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
- BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x51, 0x25, 0x63, 0xFC, 0xC2, 0xCA, 0xB9, 0xF3 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x9E, 0x17, 0xA7, 0xAD, 0xFA, 0xE6, 0xBC ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
@@ -198,44 +161,44 @@
*/
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
static const mbedtls_mpi_uint secp384r1_p[] = {
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp384r1_b[] = {
- BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
- BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
- BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
- BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
- BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
- BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xEF, 0x2A, 0xEC, 0xD3, 0xED, 0xC8, 0x85, 0x2A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0xD1, 0x2E, 0x8A, 0x8D, 0x39, 0x56, 0xC6 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x87, 0x13, 0x50, 0x8F, 0x08, 0x14, 0x03 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x12, 0x41, 0x81, 0xFE, 0x6E, 0x9C, 0x1D, 0x18 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x2D, 0xF8, 0xE3, 0x6B, 0x05, 0x8E, 0x98 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE4, 0xE7, 0x3E, 0xE2, 0xA7, 0x2F, 0x31, 0xB3 ),
};
static const mbedtls_mpi_uint secp384r1_gx[] = {
- BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
- BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
- BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
- BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
- BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
- BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB7, 0x0A, 0x76, 0x72, 0x38, 0x5E, 0x54, 0x3A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x29, 0x55, 0xBF, 0x5D, 0xF2, 0x02, 0x55 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x38, 0x2A, 0x54, 0x82, 0xE0, 0x41, 0xF7, 0x59 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x9B, 0xA7, 0x8B, 0x62, 0x3B, 0x1D, 0x6E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x74, 0xAD, 0x20, 0xF3, 0x1E, 0xC7, 0xB1, 0x8E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0x05, 0x8B, 0xBE, 0x22, 0xCA, 0x87, 0xAA ),
};
static const mbedtls_mpi_uint secp384r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
- BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
- BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
- BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
- BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
- BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x0E, 0xEA, 0x90, 0x7C, 0x1D, 0x43, 0x7A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x81, 0x7E, 0x1D, 0xCE, 0xB1, 0x60, 0x0A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC0, 0xB8, 0xF0, 0xB5, 0x13, 0x31, 0xDA, 0xE9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x14, 0x9A, 0x28, 0xBD, 0x1D, 0xF4, 0xF8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x29, 0xDC, 0x92, 0x92, 0xBF, 0x98, 0x9E, 0x5D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6F, 0x2C, 0x26, 0x96, 0x4A, 0xDE, 0x17, 0x36 ),
};
static const mbedtls_mpi_uint secp384r1_n[] = {
- BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
- BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
- BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x73, 0x29, 0xC5, 0xCC, 0x6A, 0x19, 0xEC, 0xEC ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x7A, 0xA7, 0xB0, 0x48, 0xB2, 0x0D, 0x1A, 0x58 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x2D, 0x37, 0xF4, 0x81, 0x4D, 0x63, 0xC7 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
@@ -244,154 +207,154 @@
*/
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
static const mbedtls_mpi_uint secp521r1_p[] = {
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
};
static const mbedtls_mpi_uint secp521r1_b[] = {
- BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
- BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
- BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
- BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
- BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
- BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
- BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
- BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
- BYTES_TO_T_UINT_2( 0x51, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x3F, 0x50, 0x6B, 0xD4, 0x1F, 0x45, 0xEF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF1, 0x34, 0x2C, 0x3D, 0x88, 0xDF, 0x73, 0x35 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xBF, 0xB1, 0x3B, 0xBD, 0xC0, 0x52, 0x16 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x7B, 0x93, 0x7E, 0xEC, 0x51, 0x39, 0x19, 0x56 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x09, 0xF1, 0x8E, 0x91, 0x89, 0xB4, 0xB8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x15, 0xB3, 0x99, 0x5B, 0x72, 0xDA, 0xA2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xEE, 0x40, 0x85, 0xB6, 0xA0, 0x21, 0x9A, 0x92 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x1F, 0x9A, 0x1C, 0x8E, 0x61, 0xB9, 0x3E, 0x95 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x51, 0x00 ),
};
static const mbedtls_mpi_uint secp521r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
- BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
- BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
- BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
- BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
- BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
- BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
- BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
- BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x66, 0xBD, 0xE5, 0xC2, 0x31, 0x7E, 0x7E, 0xF9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9B, 0x42, 0x6A, 0x85, 0xC1, 0xB3, 0x48, 0x33 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDE, 0xA8, 0xFF, 0xA2, 0x27, 0xC1, 0x1D, 0xFE ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x59, 0xE7, 0xEF, 0x77, 0x5E, 0x4B, 0xA1 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBA, 0x3D, 0x4D, 0x6B, 0x60, 0xAF, 0x28, 0xF8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x21, 0xB5, 0x3F, 0x05, 0x39, 0x81, 0x64, 0x9C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0xB4, 0x95, 0x23, 0x66, 0xCB, 0x3E, 0x9E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCD, 0xE9, 0x04, 0x04, 0xB7, 0x06, 0x8E, 0x85 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0xC6, 0x00 ),
};
static const mbedtls_mpi_uint secp521r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
- BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
- BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
- BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
- BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
- BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
- BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
- BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
- BYTES_TO_T_UINT_2( 0x18, 0x01 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x50, 0x66, 0xD1, 0x9F, 0x76, 0x94, 0xBE, 0x88 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0xC2, 0x72, 0xA2, 0x86, 0x70, 0x3C, 0x35 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x61, 0x07, 0xAD, 0x3F, 0x01, 0xB9, 0x50, 0xC5 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x26, 0xF4, 0x5E, 0x99, 0x72, 0xEE, 0x97 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x2C, 0x66, 0x3E, 0x27, 0x17, 0xBD, 0xAF, 0x17 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x44, 0x9B, 0x57, 0x49, 0x44, 0xF5, 0x98 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x1B, 0x7D, 0x2C, 0xB4, 0x5F, 0x8A, 0x5C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x04, 0xC0, 0x3B, 0x9A, 0x78, 0x6A, 0x29, 0x39 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x18, 0x01 ),
};
static const mbedtls_mpi_uint secp521r1_n[] = {
- BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
- BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
- BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
- BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
- BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x09, 0x64, 0x38, 0x91, 0x1E, 0xB7, 0x6F, 0xBB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x47, 0x9C, 0x89, 0xB8, 0xC9, 0xB5, 0x3B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD0, 0xA5, 0x09, 0xF7, 0x48, 0x01, 0xCC, 0x7F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x96, 0x2F, 0xBF, 0x83, 0x87, 0x86, 0x51 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0xFF, 0x01 ),
};
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
static const mbedtls_mpi_uint secp192k1_p[] = {
- BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x37, 0xEE, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp192k1_a[] = {
- BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp192k1_b[] = {
- BYTES_TO_T_UINT_2( 0x03, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x03, 0x00 ),
};
static const mbedtls_mpi_uint secp192k1_gx[] = {
- BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
- BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
- BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x7D, 0x6C, 0xE0, 0xEA, 0xB1, 0xD1, 0xA5, 0x1D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0xF4, 0xB7, 0x80, 0x02, 0x7D, 0xB0, 0x26 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0xE9, 0x57, 0xC0, 0x0E, 0xF1, 0x4F, 0xDB ),
};
static const mbedtls_mpi_uint secp192k1_gy[] = {
- BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
- BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
- BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9D, 0x2F, 0x5E, 0xD9, 0x88, 0xAA, 0x82, 0x40 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x86, 0xBE, 0x15, 0xD0, 0x63, 0x41, 0x84 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x28, 0x56, 0x9C, 0x6D, 0x2F, 0x2F, 0x9B ),
};
static const mbedtls_mpi_uint secp192k1_n[] = {
- BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
- BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xFD, 0xDE, 0x74, 0x6A, 0x46, 0x69, 0x0F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x17, 0xFC, 0xF2, 0x26, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
static const mbedtls_mpi_uint secp224k1_p[] = {
- BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6D, 0xE5, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp224k1_a[] = {
- BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp224k1_b[] = {
- BYTES_TO_T_UINT_2( 0x05, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x05, 0x00 ),
};
static const mbedtls_mpi_uint secp224k1_gx[] = {
- BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
- BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
- BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
- BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5C, 0xA4, 0xB7, 0xB6, 0x0E, 0x65, 0x7E, 0x0F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA9, 0x75, 0x70, 0xE4, 0xE9, 0x67, 0xA4, 0x69 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x28, 0xFC, 0x30, 0xDF, 0x99, 0xF0, 0x4D ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0x33, 0x5B, 0x45, 0xA1 ),
};
static const mbedtls_mpi_uint secp224k1_gy[] = {
- BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
- BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
- BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
- BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA5, 0x61, 0x6D, 0x55, 0xDB, 0x4B, 0xCA, 0xE2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x59, 0xBD, 0xB0, 0xC0, 0xF7, 0x19, 0xE3, 0xF7 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD6, 0xFB, 0xCA, 0x82, 0x42, 0x34, 0xBA, 0x7F ),
+ MBEDTLS_BYTES_TO_T_UINT_4( 0xED, 0x9F, 0x08, 0x7E ),
};
static const mbedtls_mpi_uint secp224k1_n[] = {
- BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
- BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xB1, 0x9F, 0x76, 0x71, 0xA9, 0xF0, 0xCA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x84, 0x61, 0xEC, 0xD2, 0xE8, 0xDC, 0x01, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ),
};
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
static const mbedtls_mpi_uint secp256k1_p[] = {
- BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x2F, 0xFC, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint secp256k1_a[] = {
- BYTES_TO_T_UINT_2( 0x00, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x00, 0x00 ),
};
static const mbedtls_mpi_uint secp256k1_b[] = {
- BYTES_TO_T_UINT_2( 0x07, 0x00 ),
+ MBEDTLS_BYTES_TO_T_UINT_2( 0x07, 0x00 ),
};
static const mbedtls_mpi_uint secp256k1_gx[] = {
- BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
- BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
- BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
- BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x98, 0x17, 0xF8, 0x16, 0x5B, 0x81, 0xF2, 0x59 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0x28, 0xCE, 0x2D, 0xDB, 0xFC, 0x9B, 0x02 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0x0B, 0x87, 0xCE, 0x95, 0x62, 0xA0, 0x55 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAC, 0xBB, 0xDC, 0xF9, 0x7E, 0x66, 0xBE, 0x79 ),
};
static const mbedtls_mpi_uint secp256k1_gy[] = {
- BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
- BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
- BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
- BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB8, 0xD4, 0x10, 0xFB, 0x8F, 0xD0, 0x47, 0x9C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x54, 0x85, 0xA6, 0x48, 0xB4, 0x17, 0xFD ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA8, 0x08, 0x11, 0x0E, 0xFC, 0xFB, 0xA4, 0x5D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0xC4, 0xA3, 0x26, 0x77, 0xDA, 0x3A, 0x48 ),
};
static const mbedtls_mpi_uint secp256k1_n[] = {
- BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
- BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
- BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x41, 0x41, 0x36, 0xD0, 0x8C, 0x5E, 0xD2, 0xBF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x3B, 0xA0, 0x48, 0xAF, 0xE6, 0xDC, 0xAE, 0xBA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
@@ -400,40 +363,40 @@
*/
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
static const mbedtls_mpi_uint brainpoolP256r1_p[] = {
- BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
- BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
- BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
- BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x77, 0x53, 0x6E, 0x1F, 0x1D, 0x48, 0x13, 0x20 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x20, 0x26, 0xD5, 0x23, 0xF6, 0x3B, 0x6E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x72, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_a[] = {
- BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
- BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
- BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
- BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD9, 0xB5, 0x30, 0xF3, 0x44, 0x4B, 0x4A, 0xE9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6C, 0x5C, 0xDC, 0x26, 0xC1, 0x55, 0x80, 0xFB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE7, 0xFF, 0x7A, 0x41, 0x30, 0x75, 0xF6, 0xEE ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x57, 0x30, 0x2C, 0xFC, 0x75, 0x09, 0x5A, 0x7D ),
};
static const mbedtls_mpi_uint brainpoolP256r1_b[] = {
- BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
- BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
- BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
- BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB6, 0x07, 0x8C, 0xFF, 0x18, 0xDC, 0xCC, 0x6B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCE, 0xE1, 0xF7, 0x5C, 0x29, 0x16, 0x84, 0x95 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBF, 0x7C, 0xD7, 0xBB, 0xD9, 0xB5, 0x30, 0xF3 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x44, 0x4B, 0x4A, 0xE9, 0x6C, 0x5C, 0xDC, 0x26 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
- BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
- BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
- BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x62, 0x32, 0xCE, 0x9A, 0xBD, 0x53, 0x44, 0x3A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC2, 0x23, 0xBD, 0xE3, 0xE1, 0x27, 0xDE, 0xB9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAF, 0xB7, 0x81, 0xFC, 0x2F, 0x48, 0x4B, 0x2C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCB, 0x57, 0x7E, 0xCB, 0xB9, 0xAE, 0xD2, 0x8B ),
};
static const mbedtls_mpi_uint brainpoolP256r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
- BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
- BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
- BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x97, 0x69, 0x04, 0x2F, 0xC7, 0x54, 0x1D, 0x5C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x54, 0x8E, 0xED, 0x2D, 0x13, 0x45, 0x77, 0xC2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x1D, 0x61, 0x14, 0x1A, 0x46, 0xF8, 0x97 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0xC4, 0xDA, 0xC3, 0x35, 0xF8, 0x7E, 0x54 ),
};
static const mbedtls_mpi_uint brainpoolP256r1_n[] = {
- BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
- BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
- BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
- BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x56, 0x48, 0x97, 0x82, 0x0E, 0x1E, 0x90 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF7, 0xA6, 0x61, 0xB5, 0xA3, 0x7A, 0x39, 0x8C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x8D, 0x83, 0x9D, 0x90, 0x0A, 0x66, 0x3E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0xA9, 0xEE, 0xA1, 0xDB, 0x57, 0xFB, 0xA9 ),
};
#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
@@ -442,52 +405,52 @@
*/
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
static const mbedtls_mpi_uint brainpoolP384r1_p[] = {
- BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
- BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
- BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
- BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
- BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
- BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0xEC, 0x07, 0x31, 0x13, 0x00, 0x47, 0x87 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x1A, 0x1D, 0x90, 0x29, 0xA7, 0xD3, 0xAC ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x11, 0xB7, 0x7F, 0x19, 0xDA, 0xB1, 0x12 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB4, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
};
static const mbedtls_mpi_uint brainpoolP384r1_a[] = {
- BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
- BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
- BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
- BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
- BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
- BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xEB, 0xD4, 0x3A, 0x50, 0x4A, 0x81, 0xA5, 0x8A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x0F, 0xF9, 0x91, 0xBA, 0xEF, 0x65, 0x91, 0x13 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x87, 0x27, 0xB2, 0x4F, 0x8E, 0xA2, 0xBE, 0xC2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xAF, 0x05, 0xCE, 0x0A, 0x08, 0x72, 0x3C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x0C, 0x15, 0x8C, 0x3D, 0xC6, 0x82, 0xC3, 0x7B ),
};
static const mbedtls_mpi_uint brainpoolP384r1_b[] = {
- BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
- BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
- BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
- BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
- BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
- BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x4C, 0x50, 0xFA, 0x96, 0x86, 0xB7, 0x3A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0xDB, 0x95, 0x02, 0x39, 0xB4, 0x7C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD5, 0x62, 0xEB, 0x3E, 0xA5, 0x0E, 0x88, 0x2E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA6, 0xD2, 0xDC, 0x07, 0xE1, 0x7D, 0xB7, 0x2F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x7C, 0x44, 0xF0, 0x16, 0x54, 0xB5, 0x39, 0x8B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x26, 0x28, 0xCE, 0x22, 0xDD, 0xC7, 0xA8, 0x04 ),
};
static const mbedtls_mpi_uint brainpoolP384r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
- BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
- BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
- BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
- BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
- BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x1E, 0xAF, 0xD4, 0x47, 0xE2, 0xB2, 0x87, 0xEF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAA, 0x46, 0xD6, 0x36, 0x34, 0xE0, 0x26, 0xE8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE8, 0x10, 0xBD, 0x0C, 0xFE, 0xCA, 0x7F, 0xDB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE3, 0x4F, 0xF1, 0x7E, 0xE7, 0xA3, 0x47, 0x88 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x6B, 0x3F, 0xC1, 0xB7, 0x81, 0x3A, 0xA6, 0xA2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0x45, 0xCF, 0x68, 0xF0, 0x64, 0x1C, 0x1D ),
};
static const mbedtls_mpi_uint brainpoolP384r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
- BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
- BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
- BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
- BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
- BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x15, 0x53, 0x3C, 0x26, 0x41, 0x03, 0x82, 0x42 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x91, 0x77, 0x21, 0x46, 0x46, 0x0E ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x29, 0x91, 0xF9, 0x4F, 0x05, 0x9C, 0xE1 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0x58, 0xEC, 0xFE, 0x29, 0x0B, 0xB7, 0x62 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x52, 0xD5, 0xCF, 0x95, 0x8E, 0xEB, 0xB1, 0x5C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA4, 0xC2, 0xF9, 0x20, 0x75, 0x1D, 0xBE, 0x8A ),
};
static const mbedtls_mpi_uint brainpoolP384r1_n[] = {
- BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
- BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
- BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
- BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
- BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
- BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x65, 0x65, 0x04, 0xE9, 0x02, 0x32, 0x88, 0x3B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0xC3, 0x7F, 0x6B, 0xAF, 0xB6, 0x3A, 0xCF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x25, 0x04, 0xAC, 0x6C, 0x6E, 0x16, 0x1F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB3, 0x56, 0x54, 0xED, 0x09, 0x71, 0x2F, 0x15 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDF, 0x41, 0xE6, 0x50, 0x7E, 0x6F, 0x5D, 0x0F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x28, 0x6D, 0x38, 0xA3, 0x82, 0x1E, 0xB9, 0x8C ),
};
#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
@@ -496,106 +459,122 @@
*/
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
static const mbedtls_mpi_uint brainpoolP512r1_p[] = {
- BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
- BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
- BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
- BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
- BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
- BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
- BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
- BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xF3, 0x48, 0x3A, 0x58, 0x56, 0x60, 0xAA, 0x28 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x85, 0xC6, 0x82, 0x2D, 0x2F, 0xFF, 0x81, 0x28 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE6, 0x80, 0xA3, 0xE6, 0x2A, 0xA1, 0xCD, 0xAE ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x42, 0x68, 0xC6, 0x9B, 0x00, 0x9B, 0x4D, 0x7D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x71, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
};
static const mbedtls_mpi_uint brainpoolP512r1_a[] = {
- BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
- BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
- BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
- BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
- BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
- BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
- BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
- BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x94, 0xFC, 0x77, 0x4D, 0xAC, 0xC1, 0xE7 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB9, 0xC7, 0xF2, 0x2B, 0xA7, 0x17, 0x11, 0x7F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xB5, 0xC8, 0x9A, 0x8B, 0xC9, 0xF1, 0x2E, 0x0A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA1, 0x3A, 0x25, 0xA8, 0x5A, 0x5D, 0xED, 0x2D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xBC, 0x63, 0x98, 0xEA, 0xCA, 0x41, 0x34, 0xA8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x10, 0x16, 0xF9, 0x3D, 0x8D, 0xDD, 0xCB, 0x94 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC5, 0x4C, 0x23, 0xAC, 0x45, 0x71, 0x32, 0xE2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x89, 0x3B, 0x60, 0x8B, 0x31, 0xA3, 0x30, 0x78 ),
};
static const mbedtls_mpi_uint brainpoolP512r1_b[] = {
- BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
- BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
- BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
- BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
- BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
- BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
- BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
- BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0xF7, 0x16, 0x80, 0x63, 0xBD, 0x09, 0x28 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xE5, 0xBA, 0x5E, 0xB7, 0x50, 0x40, 0x98 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x67, 0x3E, 0x08, 0xDC, 0xCA, 0x94, 0xFC, 0x77 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x4D, 0xAC, 0xC1, 0xE7, 0xB9, 0xC7, 0xF2, 0x2B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x17, 0x11, 0x7F, 0xB5, 0xC8, 0x9A, 0x8B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0xF1, 0x2E, 0x0A, 0xA1, 0x3A, 0x25, 0xA8 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5A, 0x5D, 0xED, 0x2D, 0xBC, 0x63, 0x98, 0xEA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xCA, 0x41, 0x34, 0xA8, 0x10, 0x16, 0xF9, 0x3D ),
};
static const mbedtls_mpi_uint brainpoolP512r1_gx[] = {
- BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
- BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
- BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
- BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
- BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
- BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
- BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
- BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x22, 0xF8, 0xB9, 0xBC, 0x09, 0x22, 0x35, 0x8B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x68, 0x5E, 0x6A, 0x40, 0x47, 0x50, 0x6D, 0x7C ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5F, 0x7D, 0xB9, 0x93, 0x7B, 0x68, 0xD1, 0x50 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x8D, 0xD4, 0xD0, 0xE2, 0x78, 0x1F, 0x3B, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x8E, 0x09, 0xD0, 0xF4, 0xEE, 0x62, 0x3B, 0xB4 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC1, 0x16, 0xD9, 0xB5, 0x70, 0x9F, 0xED, 0x85 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x6A, 0x4C, 0x9C, 0x2E, 0x32, 0x21, 0x5A ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x64, 0xD9, 0x2E, 0xD8, 0xBD, 0xE4, 0xAE, 0x81 ),
};
static const mbedtls_mpi_uint brainpoolP512r1_gy[] = {
- BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
- BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
- BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
- BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
- BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
- BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
- BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
- BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x08, 0xD8, 0x3A, 0x0F, 0x1E, 0xCD, 0x78 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x06, 0x54, 0xF0, 0xA8, 0x2F, 0x2B, 0xCA, 0xD1 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xAE, 0x63, 0x27, 0x8A, 0xD8, 0x4B, 0xCA, 0x5B ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x5E, 0x48, 0x5F, 0x4A, 0x49, 0xDE, 0xDC, 0xB2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x11, 0x81, 0x1F, 0x88, 0x5B, 0xC5, 0x00, 0xA0 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x1A, 0x7B, 0xA5, 0x24, 0x00, 0xF7, 0x09, 0xF2 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFD, 0x22, 0x78, 0xCF, 0xA9, 0xBF, 0xEA, 0xC0 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xEC, 0x32, 0x63, 0x56, 0x5D, 0x38, 0xDE, 0x7D ),
};
static const mbedtls_mpi_uint brainpoolP512r1_n[] = {
- BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
- BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
- BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
- BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
- BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
- BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
- BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
- BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x69, 0x00, 0xA9, 0x9C, 0x82, 0x96, 0x87, 0xB5 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xDD, 0xDA, 0x5D, 0x08, 0x81, 0xD3, 0xB1, 0x1D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x47, 0x10, 0xAC, 0x7F, 0x19, 0x61, 0x86, 0x41 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x26, 0xA9, 0x4C, 0x41, 0x5C, 0x3E, 0x55 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x70, 0x08, 0x33, 0x70, 0xCA, 0x9C, 0x63, 0xD6 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x0E, 0xD2, 0xC9, 0xB3, 0xB3, 0x8D, 0x30, 0xCB ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x07, 0xFC, 0xC9, 0x33, 0xAE, 0xE6, 0xD4, 0x3F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x8B, 0xC4, 0xE9, 0xDB, 0xB8, 0x9D, 0xDD, 0xAA ),
};
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+/* For these curves, we build the group parameters dynamically. */
+#define ECP_LOAD_GROUP
+#endif
+
+#if defined(ECP_LOAD_GROUP)
/*
* Domain parameters for SM2 (GM/T 0003 Part 5)
*/
#if defined(MBEDTLS_ECP_DP_SM2_ENABLED)
static const mbedtls_mpi_uint sm2_p[] = {
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint sm2_a[] = {
- BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFC, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
};
static const mbedtls_mpi_uint sm2_b[] = {
- BYTES_TO_T_UINT_8( 0x93, 0x0E, 0x94, 0x4D, 0x41, 0xBD, 0xBC, 0xDD ),
- BYTES_TO_T_UINT_8( 0x92, 0x8F, 0xAB, 0x15, 0xF5, 0x89, 0x97, 0xF3 ),
- BYTES_TO_T_UINT_8( 0xA7, 0x09, 0x65, 0xCF, 0x4B, 0x9E, 0x5A, 0x4D ),
- BYTES_TO_T_UINT_8( 0x34, 0x5E, 0x9F, 0x9D, 0x9E, 0xFA, 0xE9, 0x28 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x0E, 0x94, 0x4D, 0x41, 0xBD, 0xBC, 0xDD ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x92, 0x8F, 0xAB, 0x15, 0xF5, 0x89, 0x97, 0xF3 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA7, 0x09, 0x65, 0xCF, 0x4B, 0x9E, 0x5A, 0x4D ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x34, 0x5E, 0x9F, 0x9D, 0x9E, 0xFA, 0xE9, 0x28 ),
};
static const mbedtls_mpi_uint sm2_gx[] = {
- BYTES_TO_T_UINT_8( 0xC7, 0x74, 0x4C, 0x33, 0x89, 0x45, 0x5A, 0x71 ),
- BYTES_TO_T_UINT_8( 0xE1, 0x0B, 0x66, 0xF2, 0xBF, 0x0B, 0xE3, 0x8F ),
- BYTES_TO_T_UINT_8( 0x94, 0xC9, 0x39, 0x6A, 0x46, 0x04, 0x99, 0x5F ),
- BYTES_TO_T_UINT_8( 0x19, 0x81, 0x19, 0x1F, 0x2C, 0xAE, 0xC4, 0x32 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC7, 0x74, 0x4C, 0x33, 0x89, 0x45, 0x5A, 0x71 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xE1, 0x0B, 0x66, 0xF2, 0xBF, 0x0B, 0xE3, 0x8F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x94, 0xC9, 0x39, 0x6A, 0x46, 0x04, 0x99, 0x5F ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x19, 0x81, 0x19, 0x1F, 0x2C, 0xAE, 0xC4, 0x32 ),
};
static const mbedtls_mpi_uint sm2_gy[] = {
- BYTES_TO_T_UINT_8( 0xA0, 0xF0, 0x39, 0x21, 0xE5, 0x32, 0xDF, 0x02 ),
- BYTES_TO_T_UINT_8( 0x40, 0x47, 0x2A, 0xC6, 0x7C, 0x87, 0xA9, 0xD0 ),
- BYTES_TO_T_UINT_8( 0x53, 0x21, 0x69, 0x6B, 0xE3, 0xCE, 0xBD, 0x59 ),
- BYTES_TO_T_UINT_8( 0x9C, 0x77, 0xF6, 0xF4, 0xA2, 0x36, 0x37, 0xBC ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xA0, 0xF0, 0x39, 0x21, 0xE5, 0x32, 0xDF, 0x02 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x40, 0x47, 0x2A, 0xC6, 0x7C, 0x87, 0xA9, 0xD0 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x53, 0x21, 0x69, 0x6B, 0xE3, 0xCE, 0xBD, 0x59 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x9C, 0x77, 0xF6, 0xF4, 0xA2, 0x36, 0x37, 0xBC ),
};
static const mbedtls_mpi_uint sm2_n[] = {
- BYTES_TO_T_UINT_8( 0x23, 0x41, 0xD5, 0x39, 0x09, 0xF4, 0xBB, 0x53 ),
- BYTES_TO_T_UINT_8( 0x2B, 0x05, 0xC6, 0x21, 0x6B, 0xDF, 0x03, 0x72 ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
- BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x23, 0x41, 0xD5, 0x39, 0x09, 0xF4, 0xBB, 0x53 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x2B, 0x05, 0xC6, 0x21, 0x6B, 0xDF, 0x03, 0x72 ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ),
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF ),
};
#endif /* MBEDTLS_ECP_DP_SM2_ENABLED */
/*
@@ -648,6 +627,7 @@
return( 0 );
}
+#endif /* ECP_LOAD_GROUP */
#if defined(MBEDTLS_ECP_NIST_OPTIM)
/* Forward declarations */
@@ -689,6 +669,7 @@
static int ecp_mod_p256k1( mbedtls_mpi * );
#endif
+#if defined(ECP_LOAD_GROUP)
#define LOAD_GROUP_A( G ) ecp_group_load( grp, \
G ## _p, sizeof( G ## _p ), \
G ## _a, sizeof( G ## _a ), \
@@ -704,8 +685,16 @@
G ## _gx, sizeof( G ## _gx ), \
G ## _gy, sizeof( G ## _gy ), \
G ## _n, sizeof( G ## _n ) )
+#endif /* ECP_LOAD_GROUP */
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+/* Constants used by ecp_use_curve25519() */
+static const mbedtls_mpi_sint curve25519_a24 = 0x01DB42;
+static const unsigned char curve25519_part_of_n[] = {
+ 0x14, 0xDE, 0xF9, 0xDE, 0xA2, 0xF7, 0x9C, 0xD6,
+ 0x58, 0x12, 0x63, 0x1A, 0x5C, 0xF5, 0xD3, 0xED,
+};
+
/*
* Specialized function for creating the Curve25519 group
*/
@@ -714,7 +703,7 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "01DB42" ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve25519_a24 ) );
/* P = 2^255 - 19 */
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
@@ -723,8 +712,8 @@
grp->pbits = mbedtls_mpi_bitlen( &grp->P );
/* N = 2^252 + 27742317777372353535851937790883648493 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->N, 16,
- "14DEF9DEA2F79CD65812631A5CF5D3ED" ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &grp->N,
+ curve25519_part_of_n, sizeof( curve25519_part_of_n ) ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 252, 1 ) );
/* Y intentionally not set, since we use x/z coordinates.
@@ -745,6 +734,15 @@
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+/* Constants used by ecp_use_curve448() */
+static const mbedtls_mpi_sint curve448_a24 = 0x98AA;
+static const unsigned char curve448_part_of_n[] = {
+ 0x83, 0x35, 0xDC, 0x16, 0x3B, 0xB1, 0x24,
+ 0xB6, 0x51, 0x29, 0xC9, 0x6F, 0xDE, 0x93,
+ 0x3D, 0x8D, 0x72, 0x3A, 0x70, 0xAA, 0xDC,
+ 0x87, 0x3D, 0x6D, 0x54, 0xA7, 0xBB, 0x0D,
+};
+
/*
* Specialized function for creating the Curve448 group
*/
@@ -756,7 +754,7 @@
mbedtls_mpi_init( &Ns );
/* Actually ( A + 2 ) / 4 */
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &grp->A, 16, "98AA" ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->A, curve448_a24 ) );
/* P = 2^448 - 2^224 - 1 */
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &grp->P, 1 ) );
@@ -774,8 +772,8 @@
/* N = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 */
MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( &grp->N, 446, 1 ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_read_string( &Ns, 16,
- "8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D" ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &Ns,
+ curve448_part_of_n, sizeof( curve448_part_of_n ) ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &grp->N, &grp->N, &Ns ) );
/* Actually, the required msb for private keys */
@@ -1033,25 +1031,20 @@
#define ADD( j ) add32( &cur, A( j ), &c );
#define SUB( j ) sub32( &cur, A( j ), &c );
+#define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */
+#define biL (ciL << 3) /* bits in limb */
+
/*
* Helpers for the main 'loop'
- * (see fix_negative for the motivation of C)
*/
#define INIT( b ) \
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; \
signed char c = 0, cc; \
uint32_t cur; \
size_t i = 0, bits = (b); \
- mbedtls_mpi C; \
- mbedtls_mpi_uint Cp[ (b) / 8 / sizeof( mbedtls_mpi_uint) + 1 ]; \
- \
- C.s = 1; \
- C.n = (b) / 8 / sizeof( mbedtls_mpi_uint) + 1; \
- C.p = Cp; \
- memset( Cp, 0, C.n * sizeof( mbedtls_mpi_uint ) ); \
- \
- MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, (b) * 2 / 8 / \
- sizeof( mbedtls_mpi_uint ) ) ); \
+ /* N is the size of the product of two b-bit numbers, plus one */ \
+ /* limb for fix_negative */ \
+ MBEDTLS_MPI_CHK( mbedtls_mpi_grow( N, ( b ) * 2 / biL + 1 ) ); \
LOAD32;
#define NEXT \
@@ -1066,33 +1059,41 @@
STORE32; i++; \
cur = c > 0 ? c : 0; STORE32; \
cur = 0; while( ++i < MAX32 ) { STORE32; } \
- if( c < 0 ) fix_negative( N, c, &C, bits );
+ if( c < 0 ) mbedtls_ecp_fix_negative( N, c, bits );
/*
* If the result is negative, we get it in the form
- * c * 2^(bits + 32) + N, with c negative and N positive shorter than 'bits'
+ * c * 2^bits + N, with c negative and N positive shorter than 'bits'
*/
-static inline int fix_negative( mbedtls_mpi *N, signed char c, mbedtls_mpi *C, size_t bits )
+MBEDTLS_STATIC_TESTABLE
+void mbedtls_ecp_fix_negative( mbedtls_mpi *N, signed char c, size_t bits )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ size_t i;
- /* C = - c * 2^(bits + 32) */
-#if !defined(MBEDTLS_HAVE_INT64)
- ((void) bits);
-#else
- if( bits == 224 )
- C->p[ C->n - 1 ] = ((mbedtls_mpi_uint) -c) << 32;
- else
-#endif
- C->p[ C->n - 1 ] = (mbedtls_mpi_uint) -c;
-
- /* N = - ( C - N ) */
- MBEDTLS_MPI_CHK( mbedtls_mpi_sub_abs( N, C, N ) );
+ /* Set N := 2^bits - 1 - N. We know that 0 <= N < 2^bits, so
+ * set the absolute value to 0xfff...fff - N. There is no carry
+ * since we're subtracting from all-bits-one. */
+ for( i = 0; i <= bits / 8 / sizeof( mbedtls_mpi_uint ); i++ )
+ {
+ N->p[i] = ~(mbedtls_mpi_uint)0 - N->p[i];
+ }
+ /* Add 1, taking care of the carry. */
+ i = 0;
+ do
+ ++N->p[i];
+ while( N->p[i++] == 0 && i <= bits / 8 / sizeof( mbedtls_mpi_uint ) );
+ /* Invert the sign.
+ * Now N = N0 - 2^bits where N0 is the initial value of N. */
N->s = -1;
-cleanup:
-
- return( ret );
+ /* Add |c| * 2^bits to the absolute value. Since c and N are
+ * negative, this adds c * 2^bits. */
+ mbedtls_mpi_uint msw = (mbedtls_mpi_uint) -c;
+#if defined(MBEDTLS_HAVE_INT64)
+ if( bits == 224 )
+ msw <<= 32;
+#endif
+ N->p[bits / 8 / sizeof( mbedtls_mpi_uint)] += msw;
}
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
@@ -1474,9 +1475,11 @@
static int ecp_mod_p192k1( mbedtls_mpi *N )
{
static mbedtls_mpi_uint Rp[] = {
- BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00 ) };
- return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+ return( ecp_mod_koblitz( N, Rp, 192 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
+ 0 ) );
}
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
@@ -1488,12 +1491,14 @@
static int ecp_mod_p224k1( mbedtls_mpi *N )
{
static mbedtls_mpi_uint Rp[] = {
- BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
+ MBEDTLS_BYTES_TO_T_UINT_8( 0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00 ) };
#if defined(MBEDTLS_HAVE_INT64)
return( ecp_mod_koblitz( N, Rp, 4, 1, 32, 0xFFFFFFFF ) );
#else
- return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+ return( ecp_mod_koblitz( N, Rp, 224 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
+ 0 ) );
#endif
}
@@ -1507,8 +1512,10 @@
static int ecp_mod_p256k1( mbedtls_mpi *N )
{
static mbedtls_mpi_uint Rp[] = {
- BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 ) };
- return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0, 0 ) );
+ MBEDTLS_BYTES_TO_T_UINT_8( 0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
+ 0x00 ) };
+ return( ecp_mod_koblitz( N, Rp, 256 / 8 / sizeof( mbedtls_mpi_uint ), 0, 0,
+ 0 ) );
}
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
diff --git a/lib/libmbedtls/mbedtls/library/ecp_invasive.h b/lib/libmbedtls/mbedtls/library/ecp_invasive.h
new file mode 100644
index 0000000..71c7702
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/ecp_invasive.h
@@ -0,0 +1,81 @@
+/**
+ * \file ecp_invasive.h
+ *
+ * \brief ECP module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_ECP_INVASIVE_H
+#define MBEDTLS_ECP_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/bignum.h"
+#include "mbedtls/ecp.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_C)
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || \
+ defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+/* Preconditions:
+ * - bits is a multiple of 64 or is 224
+ * - c is -1 or -2
+ * - 0 <= N < 2^bits
+ * - N has room for bits plus one limb
+ *
+ * Behavior:
+ * Set N to c * 2^bits + old_value_of_N.
+ */
+void mbedtls_ecp_fix_negative( mbedtls_mpi *N, signed char c, size_t bits );
+#endif
+
+#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
+/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).
+ *
+ * This function implements key generation for the set of secret keys
+ * specified in [Curve25519] p. 5 and in [Curve448]. The resulting value
+ * has the lower bits masked but is not necessarily canonical.
+ *
+ * \note - [Curve25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+ * - [RFC7748] https://tools.ietf.org/html/rfc7748
+ *
+ * \p high_bit The position of the high-order bit of the key to generate.
+ * This is the bit-size of the key minus 1:
+ * 254 for Curve25519 or 447 for Curve448.
+ * \param d The randomly generated key. This is a number of size
+ * exactly \p n_bits + 1 bits, with the least significant bits
+ * masked as specified in [Curve25519] and in [RFC7748] §5.
+ * \param f_rng The RNG function.
+ * \param p_rng The RNG context to be passed to \p f_rng.
+ *
+ * \return \c 0 on success.
+ * \return \c MBEDTLS_ERR_ECP_xxx or MBEDTLS_ERR_MPI_xxx on failure.
+ */
+int mbedtls_ecp_gen_privkey_mx( size_t n_bits,
+ mbedtls_mpi *d,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng );
+
+#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
+
+#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/lib/libmbedtls/mbedtls/library/entropy.c b/lib/libmbedtls/mbedtls/library/entropy.c
index e40c8ec..12fd3b9 100644
--- a/lib/libmbedtls/mbedtls/library/entropy.c
+++ b/lib/libmbedtls/mbedtls/library/entropy.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Entropy accumulator implementation
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_ENTROPY_C)
@@ -122,6 +116,11 @@
void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
{
+ /* If the context was already free, don't call free() again.
+ * This is important for mutexes which don't allow double-free. */
+ if( ctx->accumulator_started == -1 )
+ return;
+
#if defined(MBEDTLS_HAVEGE_C)
mbedtls_havege_free( &ctx->havege_data );
#endif
@@ -138,7 +137,7 @@
#endif
ctx->source_count = 0;
mbedtls_platform_zeroize( ctx->source, sizeof( ctx->source ) );
- ctx->accumulator_started = 0;
+ ctx->accumulator_started = -1;
}
int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
@@ -472,15 +471,21 @@
#if defined(MBEDTLS_FS_IO)
int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *path )
{
- int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
- FILE *f;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ FILE *f = NULL;
unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
- if( ( f = fopen( path, "wb" ) ) == NULL )
- return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR );
-
if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 )
+ {
+ ret = MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
goto exit;
+ }
+
+ if( ( f = fopen( path, "wb" ) ) == NULL )
+ {
+ ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR;
+ goto exit;
+ }
if( fwrite( buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f ) != MBEDTLS_ENTROPY_BLOCK_SIZE )
{
@@ -493,7 +498,9 @@
exit:
mbedtls_platform_zeroize( buf, sizeof( buf ) );
- fclose( f );
+ if( f != NULL )
+ fclose( f );
+
return( ret );
}
diff --git a/lib/libmbedtls/mbedtls/library/entropy_poll.c b/lib/libmbedtls/mbedtls/library/entropy_poll.c
index 8148aff..2c1e093 100644
--- a/lib/libmbedtls/mbedtls/library/entropy_poll.c
+++ b/lib/libmbedtls/mbedtls/library/entropy_poll.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Platform-specific and custom entropy polling functions
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,20 +15,14 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if defined(__linux__)
+#if defined(__linux__) && !defined(_GNU_SOURCE)
/* Ensure that syscall() is available even when compiling with -std=c99 */
#define _GNU_SOURCE
#endif
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#include <string.h>
@@ -52,7 +46,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in config.h"
#endif
@@ -95,7 +89,7 @@
* Since there is no wrapper in the libc yet, use the generic syscall wrapper
* available in GNU libc and compatible libc's (eg uClibc).
*/
-#if defined(__linux__) && defined(__GLIBC__)
+#if ((defined(__linux__) && defined(__GLIBC__)) || defined(__midipix__))
#include <unistd.h>
#include <sys/syscall.h>
#if defined(SYS_getrandom)
@@ -113,7 +107,57 @@
return( syscall( SYS_getrandom, buf, buflen, flags ) );
}
#endif /* SYS_getrandom */
-#endif /* __linux__ */
+#endif /* __linux__ || __midipix__ */
+
+#if defined(__FreeBSD__) || defined(__DragonFly__)
+#include <sys/param.h>
+#if (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || \
+ (defined(__DragonFly__) && __DragonFly_version >= 500700)
+#include <errno.h>
+#include <sys/random.h>
+#define HAVE_GETRANDOM
+static int getrandom_wrapper( void *buf, size_t buflen, unsigned int flags )
+{
+ return getrandom( buf, buflen, flags );
+}
+#endif /* (__FreeBSD__ && __FreeBSD_version >= 1200000) ||
+ (__DragonFly__ && __DragonFly_version >= 500700) */
+#endif /* __FreeBSD__ || __DragonFly__ */
+
+/*
+ * Some BSD systems provide KERN_ARND.
+ * This is equivalent to reading from /dev/urandom, only it doesn't require an
+ * open file descriptor, and provides up to 256 bytes per call (basically the
+ * same as getentropy(), but with a longer history).
+ *
+ * Documentation: https://netbsd.gw.com/cgi-bin/man-cgi?sysctl+7
+ */
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(HAVE_GETRANDOM)
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#if defined(KERN_ARND)
+#define HAVE_SYSCTL_ARND
+
+static int sysctl_arnd_wrapper( unsigned char *buf, size_t buflen )
+{
+ int name[2];
+ size_t len;
+
+ name[0] = CTL_KERN;
+ name[1] = KERN_ARND;
+
+ while( buflen > 0 )
+ {
+ len = buflen > 256 ? 256 : buflen;
+ if( sysctl(name, 2, buf, &len, NULL, 0) == -1 )
+ return( -1 );
+ buflen -= len;
+ buf += len;
+ }
+ return( 0 );
+}
+#endif /* KERN_ARND */
+#endif /* __FreeBSD__ || __NetBSD__ */
#include <stdio.h>
@@ -139,6 +183,15 @@
((void) ret);
#endif /* HAVE_GETRANDOM */
+#if defined(HAVE_SYSCTL_ARND)
+ ((void) file);
+ ((void) read_len);
+ if( sysctl_arnd_wrapper( output, len ) == -1 )
+ return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
+ *olen = len;
+ return( 0 );
+#else
+
*olen = 0;
file = fopen( "/dev/urandom", "rb" );
@@ -156,6 +209,7 @@
*olen = len;
return( 0 );
+#endif /* HAVE_SYSCTL_ARND */
}
#endif /* _WIN32 && !EFIX64 && !EFI32 */
#endif /* !MBEDTLS_NO_PLATFORM_ENTROPY */
@@ -166,13 +220,13 @@
{
((void) data);
((void) output);
- *olen = 0;
+ *olen = 0;
if( len < sizeof(unsigned char) )
return( 0 );
+ output[0] = 0;
*olen = sizeof(unsigned char);
-
return( 0 );
}
#endif
diff --git a/lib/libmbedtls/mbedtls/library/error.c b/lib/libmbedtls/mbedtls/library/error.c
index b171fd3..afad389 100644
--- a/lib/libmbedtls/mbedtls/library/error.c
+++ b/lib/libmbedtls/mbedtls/library/error.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Error message information
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,30 +15,24 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
-#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
-#include <string.h>
-#endif
+#include "mbedtls/error.h"
+
+#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
+
+#if defined(MBEDTLS_ERROR_C)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#define mbedtls_snprintf snprintf
-#define mbedtls_time_t time_t
#endif
-#if defined(MBEDTLS_ERROR_C)
-
#include <stdio.h>
+#include <string.h>
#if defined(MBEDTLS_AES_C)
#include "mbedtls/aes.h"
@@ -52,6 +46,10 @@
#include "mbedtls/aria.h"
#endif
+#if defined(MBEDTLS_ASN1_PARSE_C)
+#include "mbedtls/asn1.h"
+#endif
+
#if defined(MBEDTLS_BASE64_C)
#include "mbedtls/base64.h"
#endif
@@ -213,10 +211,694 @@
#endif
+const char * mbedtls_high_level_strerr( int error_code )
+{
+ int high_level_error_code;
+
+ if( error_code < 0 )
+ error_code = -error_code;
+
+ /* Extract the high-level part from the error code. */
+ high_level_error_code = error_code & 0xFF80;
+
+ switch( high_level_error_code )
+ {
+ /* Begin Auto-Generated Code. */
+#if defined(MBEDTLS_CIPHER_C)
+ case -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE):
+ return( "CIPHER - The selected feature is not available" );
+ case -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA):
+ return( "CIPHER - Bad input parameters" );
+ case -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED):
+ return( "CIPHER - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_CIPHER_INVALID_PADDING):
+ return( "CIPHER - Input data contains invalid padding and is rejected" );
+ case -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED):
+ return( "CIPHER - Decryption of block requires a full block" );
+ case -(MBEDTLS_ERR_CIPHER_AUTH_FAILED):
+ return( "CIPHER - Authentication failed (for AEAD modes)" );
+ case -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT):
+ return( "CIPHER - The context is invalid. For example, because it was freed" );
+ case -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED):
+ return( "CIPHER - Cipher hardware accelerator failed" );
+#endif /* MBEDTLS_CIPHER_C */
+
+#if defined(MBEDTLS_DHM_C)
+ case -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA):
+ return( "DHM - Bad input parameters" );
+ case -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED):
+ return( "DHM - Reading of the DHM parameters failed" );
+ case -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED):
+ return( "DHM - Making of the DHM parameters failed" );
+ case -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED):
+ return( "DHM - Reading of the public values failed" );
+ case -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED):
+ return( "DHM - Making of the public value failed" );
+ case -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED):
+ return( "DHM - Calculation of the DHM secret failed" );
+ case -(MBEDTLS_ERR_DHM_INVALID_FORMAT):
+ return( "DHM - The ASN.1 data is not formatted correctly" );
+ case -(MBEDTLS_ERR_DHM_ALLOC_FAILED):
+ return( "DHM - Allocation of memory failed" );
+ case -(MBEDTLS_ERR_DHM_FILE_IO_ERROR):
+ return( "DHM - Read or write of file failed" );
+ case -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED):
+ return( "DHM - DHM hardware accelerator failed" );
+ case -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED):
+ return( "DHM - Setting the modulus and generator failed" );
+#endif /* MBEDTLS_DHM_C */
+
+#if defined(MBEDTLS_ECP_C)
+ case -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA):
+ return( "ECP - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL):
+ return( "ECP - The buffer is too small to write to" );
+ case -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE):
+ return( "ECP - The requested feature is not available, for example, the requested curve is not supported" );
+ case -(MBEDTLS_ERR_ECP_VERIFY_FAILED):
+ return( "ECP - The signature is not valid" );
+ case -(MBEDTLS_ERR_ECP_ALLOC_FAILED):
+ return( "ECP - Memory allocation failed" );
+ case -(MBEDTLS_ERR_ECP_RANDOM_FAILED):
+ return( "ECP - Generation of random value, such as ephemeral key, failed" );
+ case -(MBEDTLS_ERR_ECP_INVALID_KEY):
+ return( "ECP - Invalid private or public key" );
+ case -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH):
+ return( "ECP - The buffer contains a valid signature followed by more data" );
+ case -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED):
+ return( "ECP - The ECP hardware accelerator failed" );
+ case -(MBEDTLS_ERR_ECP_IN_PROGRESS):
+ return( "ECP - Operation in progress, call again with the same parameters to continue" );
+#endif /* MBEDTLS_ECP_C */
+
+#if defined(MBEDTLS_MD_C)
+ case -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE):
+ return( "MD - The selected feature is not available" );
+ case -(MBEDTLS_ERR_MD_BAD_INPUT_DATA):
+ return( "MD - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_MD_ALLOC_FAILED):
+ return( "MD - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_MD_FILE_IO_ERROR):
+ return( "MD - Opening or reading of file failed" );
+ case -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED):
+ return( "MD - MD hardware accelerator failed" );
+#endif /* MBEDTLS_MD_C */
+
+#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
+ case -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT):
+ return( "PEM - No PEM header or footer found" );
+ case -(MBEDTLS_ERR_PEM_INVALID_DATA):
+ return( "PEM - PEM string is not as expected" );
+ case -(MBEDTLS_ERR_PEM_ALLOC_FAILED):
+ return( "PEM - Failed to allocate memory" );
+ case -(MBEDTLS_ERR_PEM_INVALID_ENC_IV):
+ return( "PEM - RSA IV is not in hex-format" );
+ case -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG):
+ return( "PEM - Unsupported key encryption algorithm" );
+ case -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED):
+ return( "PEM - Private key password can't be empty" );
+ case -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH):
+ return( "PEM - Given private key password does not allow for correct decryption" );
+ case -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE):
+ return( "PEM - Unavailable feature, e.g. hashing/encryption combination" );
+ case -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA):
+ return( "PEM - Bad input parameters to function" );
+#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
+#if defined(MBEDTLS_PK_C)
+ case -(MBEDTLS_ERR_PK_ALLOC_FAILED):
+ return( "PK - Memory allocation failed" );
+ case -(MBEDTLS_ERR_PK_TYPE_MISMATCH):
+ return( "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
+ case -(MBEDTLS_ERR_PK_BAD_INPUT_DATA):
+ return( "PK - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PK_FILE_IO_ERROR):
+ return( "PK - Read/write of file failed" );
+ case -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION):
+ return( "PK - Unsupported key version" );
+ case -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT):
+ return( "PK - Invalid key tag or value" );
+ case -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG):
+ return( "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
+ case -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED):
+ return( "PK - Private key password can't be empty" );
+ case -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH):
+ return( "PK - Given private key password does not allow for correct decryption" );
+ case -(MBEDTLS_ERR_PK_INVALID_PUBKEY):
+ return( "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
+ case -(MBEDTLS_ERR_PK_INVALID_ALG):
+ return( "PK - The algorithm tag or value is invalid" );
+ case -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE):
+ return( "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
+ case -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE):
+ return( "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
+ case -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH):
+ return( "PK - The buffer contains a valid signature followed by more data" );
+ case -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED):
+ return( "PK - PK hardware accelerator failed" );
+#endif /* MBEDTLS_PK_C */
+
+#if defined(MBEDTLS_PKCS12_C)
+ case -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA):
+ return( "PKCS12 - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE):
+ return( "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
+ case -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT):
+ return( "PKCS12 - PBE ASN.1 data not as expected" );
+ case -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH):
+ return( "PKCS12 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS12_C */
+
+#if defined(MBEDTLS_PKCS5_C)
+ case -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA):
+ return( "PKCS5 - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT):
+ return( "PKCS5 - Unexpected ASN.1 data" );
+ case -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE):
+ return( "PKCS5 - Requested encryption or digest alg not available" );
+ case -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH):
+ return( "PKCS5 - Given private key password does not allow for correct decryption" );
+#endif /* MBEDTLS_PKCS5_C */
+
+#if defined(MBEDTLS_RSA_C)
+ case -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
+ return( "RSA - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_RSA_INVALID_PADDING):
+ return( "RSA - Input data contains invalid padding and is rejected" );
+ case -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
+ return( "RSA - Something failed during generation of a key" );
+ case -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
+ return( "RSA - Key failed to pass the validity check of the library" );
+ case -(MBEDTLS_ERR_RSA_PUBLIC_FAILED):
+ return( "RSA - The public key operation failed" );
+ case -(MBEDTLS_ERR_RSA_PRIVATE_FAILED):
+ return( "RSA - The private key operation failed" );
+ case -(MBEDTLS_ERR_RSA_VERIFY_FAILED):
+ return( "RSA - The PKCS#1 verification failed" );
+ case -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
+ return( "RSA - The output buffer for decryption is not large enough" );
+ case -(MBEDTLS_ERR_RSA_RNG_FAILED):
+ return( "RSA - The random generator failed to generate non-zeros" );
+ case -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION):
+ return( "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" );
+ case -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED):
+ return( "RSA - RSA hardware accelerator failed" );
+#endif /* MBEDTLS_RSA_C */
+
+#if defined(MBEDTLS_SSL_TLS_C)
+ case -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE):
+ return( "SSL - The requested feature is not available" );
+ case -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA):
+ return( "SSL - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_SSL_INVALID_MAC):
+ return( "SSL - Verification of the message MAC failed" );
+ case -(MBEDTLS_ERR_SSL_INVALID_RECORD):
+ return( "SSL - An invalid SSL record was received" );
+ case -(MBEDTLS_ERR_SSL_CONN_EOF):
+ return( "SSL - The connection indicated an EOF" );
+ case -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER):
+ return( "SSL - An unknown cipher was received" );
+ case -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN):
+ return( "SSL - The server has no ciphersuites in common with the client" );
+ case -(MBEDTLS_ERR_SSL_NO_RNG):
+ return( "SSL - No RNG was provided to the SSL module" );
+ case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE):
+ return( "SSL - No client certification received from the client, but required by the authentication mode" );
+ case -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE):
+ return( "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
+ case -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED):
+ return( "SSL - The own certificate is not set, but needed by the server" );
+ case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED):
+ return( "SSL - The own private key or pre-shared key is not set, but needed" );
+ case -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED):
+ return( "SSL - No CA Chain is set, but required to operate" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE):
+ return( "SSL - An unexpected message was received from our peer" );
+ case -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE):
+ return( "SSL - A fatal alert message was received from our peer" );
+ case -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED):
+ return( "SSL - Verification of our peer failed" );
+ case -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY):
+ return( "SSL - The peer notified us that the connection is going to be closed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO):
+ return( "SSL - Processing of the ClientHello handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO):
+ return( "SSL - Processing of the ServerHello handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE):
+ return( "SSL - Processing of the Certificate handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST):
+ return( "SSL - Processing of the CertificateRequest handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE):
+ return( "SSL - Processing of the ServerKeyExchange handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE):
+ return( "SSL - Processing of the ServerHelloDone handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE):
+ return( "SSL - Processing of the ClientKeyExchange handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP):
+ return( "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS):
+ return( "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY):
+ return( "SSL - Processing of the CertificateVerify handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC):
+ return( "SSL - Processing of the ChangeCipherSpec handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED):
+ return( "SSL - Processing of the Finished handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_ALLOC_FAILED):
+ return( "SSL - Memory allocation failed" );
+ case -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED):
+ return( "SSL - Hardware acceleration function returned with error" );
+ case -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH):
+ return( "SSL - Hardware acceleration function skipped / left alone data" );
+ case -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED):
+ return( "SSL - Processing of the compression / decompression failed" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION):
+ return( "SSL - Handshake protocol not within min/max boundaries" );
+ case -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET):
+ return( "SSL - Processing of the NewSessionTicket handshake message failed" );
+ case -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED):
+ return( "SSL - Session ticket has expired" );
+ case -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH):
+ return( "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
+ case -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY):
+ return( "SSL - Unknown identity received (eg, PSK identity)" );
+ case -(MBEDTLS_ERR_SSL_INTERNAL_ERROR):
+ return( "SSL - Internal error (eg, unexpected failure in lower-level module)" );
+ case -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING):
+ return( "SSL - A counter would wrap (eg, too many messages exchanged)" );
+ case -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO):
+ return( "SSL - Unexpected message at ServerHello in renegotiation" );
+ case -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED):
+ return( "SSL - DTLS client must retry for hello verification" );
+ case -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL):
+ return( "SSL - A buffer is too small to receive or write a message" );
+ case -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE):
+ return( "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
+ case -(MBEDTLS_ERR_SSL_WANT_READ):
+ return( "SSL - No data of requested type currently available on underlying transport" );
+ case -(MBEDTLS_ERR_SSL_WANT_WRITE):
+ return( "SSL - Connection requires a write call" );
+ case -(MBEDTLS_ERR_SSL_TIMEOUT):
+ return( "SSL - The operation timed out" );
+ case -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT):
+ return( "SSL - The client initiated a reconnect from the same port" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD):
+ return( "SSL - Record header looks valid but is not expected" );
+ case -(MBEDTLS_ERR_SSL_NON_FATAL):
+ return( "SSL - The alert message received indicates a non-fatal error" );
+ case -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH):
+ return( "SSL - Couldn't set the hash for verifying CertificateVerify" );
+ case -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING):
+ return( "SSL - Internal-only message signaling that further message-processing should be done" );
+ case -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS):
+ return( "SSL - The asynchronous operation is not completed yet" );
+ case -(MBEDTLS_ERR_SSL_EARLY_MESSAGE):
+ return( "SSL - Internal-only message signaling that a message arrived early" );
+ case -(MBEDTLS_ERR_SSL_UNEXPECTED_CID):
+ return( "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
+ case -(MBEDTLS_ERR_SSL_VERSION_MISMATCH):
+ return( "SSL - An operation failed due to an unexpected version or configuration" );
+ case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
+ return( "SSL - A cryptographic operation is in progress. Try again later" );
+ case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
+ return( "SSL - Invalid value in SSL config" );
+#endif /* MBEDTLS_SSL_TLS_C */
+
+#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
+ case -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE):
+ return( "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_OID):
+ return( "X509 - Requested OID is unknown" );
+ case -(MBEDTLS_ERR_X509_INVALID_FORMAT):
+ return( "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
+ case -(MBEDTLS_ERR_X509_INVALID_VERSION):
+ return( "X509 - The CRT/CRL/CSR version element is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_SERIAL):
+ return( "X509 - The serial tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_ALG):
+ return( "X509 - The algorithm tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_NAME):
+ return( "X509 - The name tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_DATE):
+ return( "X509 - The date tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_SIGNATURE):
+ return( "X509 - The signature tag or value invalid" );
+ case -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS):
+ return( "X509 - The extension tag or value is invalid" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_VERSION):
+ return( "X509 - CRT/CRL/CSR has an unsupported version number" );
+ case -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG):
+ return( "X509 - Signature algorithm (oid) is unsupported" );
+ case -(MBEDTLS_ERR_X509_SIG_MISMATCH):
+ return( "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
+ case -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED):
+ return( "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
+ case -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT):
+ return( "X509 - Format not recognized as DER or PEM" );
+ case -(MBEDTLS_ERR_X509_BAD_INPUT_DATA):
+ return( "X509 - Input invalid" );
+ case -(MBEDTLS_ERR_X509_ALLOC_FAILED):
+ return( "X509 - Allocation of memory failed" );
+ case -(MBEDTLS_ERR_X509_FILE_IO_ERROR):
+ return( "X509 - Read/write of file failed" );
+ case -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL):
+ return( "X509 - Destination buffer is too small" );
+ case -(MBEDTLS_ERR_X509_FATAL_ERROR):
+ return( "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
+#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
+ /* End Auto-Generated Code. */
+
+ default:
+ break;
+ }
+
+ return( NULL );
+}
+
+const char * mbedtls_low_level_strerr( int error_code )
+{
+ int low_level_error_code;
+
+ if( error_code < 0 )
+ error_code = -error_code;
+
+ /* Extract the low-level part from the error code. */
+ low_level_error_code = error_code & ~0xFF80;
+
+ switch( low_level_error_code )
+ {
+ /* Begin Auto-Generated Code. */
+#if defined(MBEDTLS_AES_C)
+ case -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH):
+ return( "AES - Invalid key length" );
+ case -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH):
+ return( "AES - Invalid data input length" );
+ case -(MBEDTLS_ERR_AES_BAD_INPUT_DATA):
+ return( "AES - Invalid input data" );
+ case -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE):
+ return( "AES - Feature not available. For example, an unsupported AES key size" );
+ case -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED):
+ return( "AES - AES hardware accelerator failed" );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_ARC4_C)
+ case -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED):
+ return( "ARC4 - ARC4 hardware accelerator failed" );
+#endif /* MBEDTLS_ARC4_C */
+
+#if defined(MBEDTLS_ARIA_C)
+ case -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA):
+ return( "ARIA - Bad input data" );
+ case -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH):
+ return( "ARIA - Invalid data input length" );
+ case -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE):
+ return( "ARIA - Feature not available. For example, an unsupported ARIA key size" );
+ case -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED):
+ return( "ARIA - ARIA hardware accelerator failed" );
+#endif /* MBEDTLS_ARIA_C */
+
+#if defined(MBEDTLS_ASN1_PARSE_C)
+ case -(MBEDTLS_ERR_ASN1_OUT_OF_DATA):
+ return( "ASN1 - Out of data when parsing an ASN1 data structure" );
+ case -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG):
+ return( "ASN1 - ASN1 tag was of an unexpected value" );
+ case -(MBEDTLS_ERR_ASN1_INVALID_LENGTH):
+ return( "ASN1 - Error when trying to determine the length or invalid length" );
+ case -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH):
+ return( "ASN1 - Actual length differs from expected length" );
+ case -(MBEDTLS_ERR_ASN1_INVALID_DATA):
+ return( "ASN1 - Data is invalid" );
+ case -(MBEDTLS_ERR_ASN1_ALLOC_FAILED):
+ return( "ASN1 - Memory allocation failed" );
+ case -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL):
+ return( "ASN1 - Buffer too small when writing ASN.1 data structure" );
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
+#if defined(MBEDTLS_BASE64_C)
+ case -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL):
+ return( "BASE64 - Output buffer too small" );
+ case -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER):
+ return( "BASE64 - Invalid character in input" );
+#endif /* MBEDTLS_BASE64_C */
+
+#if defined(MBEDTLS_BIGNUM_C)
+ case -(MBEDTLS_ERR_MPI_FILE_IO_ERROR):
+ return( "BIGNUM - An error occurred while reading from or writing to a file" );
+ case -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA):
+ return( "BIGNUM - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_MPI_INVALID_CHARACTER):
+ return( "BIGNUM - There is an invalid character in the digit string" );
+ case -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL):
+ return( "BIGNUM - The buffer is too small to write to" );
+ case -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE):
+ return( "BIGNUM - The input arguments are negative or result in illegal output" );
+ case -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO):
+ return( "BIGNUM - The input argument for division is zero, which is not allowed" );
+ case -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE):
+ return( "BIGNUM - The input arguments are not acceptable" );
+ case -(MBEDTLS_ERR_MPI_ALLOC_FAILED):
+ return( "BIGNUM - Memory allocation failed" );
+#endif /* MBEDTLS_BIGNUM_C */
+
+#if defined(MBEDTLS_BLOWFISH_C)
+ case -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA):
+ return( "BLOWFISH - Bad input data" );
+ case -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH):
+ return( "BLOWFISH - Invalid data input length" );
+ case -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED):
+ return( "BLOWFISH - Blowfish hardware accelerator failed" );
+#endif /* MBEDTLS_BLOWFISH_C */
+
+#if defined(MBEDTLS_CAMELLIA_C)
+ case -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA):
+ return( "CAMELLIA - Bad input data" );
+ case -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH):
+ return( "CAMELLIA - Invalid data input length" );
+ case -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED):
+ return( "CAMELLIA - Camellia hardware accelerator failed" );
+#endif /* MBEDTLS_CAMELLIA_C */
+
+#if defined(MBEDTLS_CCM_C)
+ case -(MBEDTLS_ERR_CCM_BAD_INPUT):
+ return( "CCM - Bad input parameters to the function" );
+ case -(MBEDTLS_ERR_CCM_AUTH_FAILED):
+ return( "CCM - Authenticated decryption failed" );
+ case -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED):
+ return( "CCM - CCM hardware accelerator failed" );
+#endif /* MBEDTLS_CCM_C */
+
+#if defined(MBEDTLS_CHACHA20_C)
+ case -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA):
+ return( "CHACHA20 - Invalid input parameter(s)" );
+ case -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE):
+ return( "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
+ case -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED):
+ return( "CHACHA20 - Chacha20 hardware accelerator failed" );
+#endif /* MBEDTLS_CHACHA20_C */
+
+#if defined(MBEDTLS_CHACHAPOLY_C)
+ case -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE):
+ return( "CHACHAPOLY - The requested operation is not permitted in the current state" );
+ case -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED):
+ return( "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
+#endif /* MBEDTLS_CHACHAPOLY_C */
+
+#if defined(MBEDTLS_CMAC_C)
+ case -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED):
+ return( "CMAC - CMAC hardware accelerator failed" );
+#endif /* MBEDTLS_CMAC_C */
+
+#if defined(MBEDTLS_CTR_DRBG_C)
+ case -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED):
+ return( "CTR_DRBG - The entropy source failed" );
+ case -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG):
+ return( "CTR_DRBG - The requested random buffer length is too big" );
+ case -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG):
+ return( "CTR_DRBG - The input (entropy + additional data) is too large" );
+ case -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR):
+ return( "CTR_DRBG - Read or write error in file" );
+#endif /* MBEDTLS_CTR_DRBG_C */
+
+#if defined(MBEDTLS_DES_C)
+ case -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH):
+ return( "DES - The data input has an invalid length" );
+ case -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED):
+ return( "DES - DES hardware accelerator failed" );
+#endif /* MBEDTLS_DES_C */
+
+#if defined(MBEDTLS_ENTROPY_C)
+ case -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
+ return( "ENTROPY - Critical entropy source failure" );
+ case -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES):
+ return( "ENTROPY - No more sources can be added" );
+ case -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED):
+ return( "ENTROPY - No sources have been added to poll" );
+ case -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE):
+ return( "ENTROPY - No strong sources have been added to poll" );
+ case -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR):
+ return( "ENTROPY - Read/write error in file" );
+#endif /* MBEDTLS_ENTROPY_C */
+
+#if defined(MBEDTLS_ERROR_C)
+ case -(MBEDTLS_ERR_ERROR_GENERIC_ERROR):
+ return( "ERROR - Generic error" );
+ case -(MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED):
+ return( "ERROR - This is a bug in the library" );
+#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_GCM_C)
+ case -(MBEDTLS_ERR_GCM_AUTH_FAILED):
+ return( "GCM - Authenticated decryption failed" );
+ case -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED):
+ return( "GCM - GCM hardware accelerator failed" );
+ case -(MBEDTLS_ERR_GCM_BAD_INPUT):
+ return( "GCM - Bad input parameters to function" );
+#endif /* MBEDTLS_GCM_C */
+
+#if defined(MBEDTLS_HKDF_C)
+ case -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA):
+ return( "HKDF - Bad input parameters to function" );
+#endif /* MBEDTLS_HKDF_C */
+
+#if defined(MBEDTLS_HMAC_DRBG_C)
+ case -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG):
+ return( "HMAC_DRBG - Too many random requested in single call" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG):
+ return( "HMAC_DRBG - Input too large (Entropy + additional)" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR):
+ return( "HMAC_DRBG - Read/write error in file" );
+ case -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED):
+ return( "HMAC_DRBG - The entropy source failed" );
+#endif /* MBEDTLS_HMAC_DRBG_C */
+
+#if defined(MBEDTLS_MD2_C)
+ case -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED):
+ return( "MD2 - MD2 hardware accelerator failed" );
+#endif /* MBEDTLS_MD2_C */
+
+#if defined(MBEDTLS_MD4_C)
+ case -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED):
+ return( "MD4 - MD4 hardware accelerator failed" );
+#endif /* MBEDTLS_MD4_C */
+
+#if defined(MBEDTLS_MD5_C)
+ case -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED):
+ return( "MD5 - MD5 hardware accelerator failed" );
+#endif /* MBEDTLS_MD5_C */
+
+#if defined(MBEDTLS_NET_C)
+ case -(MBEDTLS_ERR_NET_SOCKET_FAILED):
+ return( "NET - Failed to open a socket" );
+ case -(MBEDTLS_ERR_NET_CONNECT_FAILED):
+ return( "NET - The connection to the given server / port failed" );
+ case -(MBEDTLS_ERR_NET_BIND_FAILED):
+ return( "NET - Binding of the socket failed" );
+ case -(MBEDTLS_ERR_NET_LISTEN_FAILED):
+ return( "NET - Could not listen on the socket" );
+ case -(MBEDTLS_ERR_NET_ACCEPT_FAILED):
+ return( "NET - Could not accept the incoming connection" );
+ case -(MBEDTLS_ERR_NET_RECV_FAILED):
+ return( "NET - Reading information from the socket failed" );
+ case -(MBEDTLS_ERR_NET_SEND_FAILED):
+ return( "NET - Sending information through the socket failed" );
+ case -(MBEDTLS_ERR_NET_CONN_RESET):
+ return( "NET - Connection was reset by peer" );
+ case -(MBEDTLS_ERR_NET_UNKNOWN_HOST):
+ return( "NET - Failed to get an IP address for the given hostname" );
+ case -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL):
+ return( "NET - Buffer is too small to hold the data" );
+ case -(MBEDTLS_ERR_NET_INVALID_CONTEXT):
+ return( "NET - The context is invalid, eg because it was free()ed" );
+ case -(MBEDTLS_ERR_NET_POLL_FAILED):
+ return( "NET - Polling the net context failed" );
+ case -(MBEDTLS_ERR_NET_BAD_INPUT_DATA):
+ return( "NET - Input invalid" );
+#endif /* MBEDTLS_NET_C */
+
+#if defined(MBEDTLS_OID_C)
+ case -(MBEDTLS_ERR_OID_NOT_FOUND):
+ return( "OID - OID is not found" );
+ case -(MBEDTLS_ERR_OID_BUF_TOO_SMALL):
+ return( "OID - output buffer is too small" );
+#endif /* MBEDTLS_OID_C */
+
+#if defined(MBEDTLS_PADLOCK_C)
+ case -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED):
+ return( "PADLOCK - Input data should be aligned" );
+#endif /* MBEDTLS_PADLOCK_C */
+
+#if defined(MBEDTLS_PLATFORM_C)
+ case -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED):
+ return( "PLATFORM - Hardware accelerator failed" );
+ case -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED):
+ return( "PLATFORM - The requested feature is not supported by the platform" );
+#endif /* MBEDTLS_PLATFORM_C */
+
+#if defined(MBEDTLS_POLY1305_C)
+ case -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA):
+ return( "POLY1305 - Invalid input parameter(s)" );
+ case -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE):
+ return( "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
+ case -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED):
+ return( "POLY1305 - Poly1305 hardware accelerator failed" );
+#endif /* MBEDTLS_POLY1305_C */
+
+#if defined(MBEDTLS_RIPEMD160_C)
+ case -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED):
+ return( "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
+#endif /* MBEDTLS_RIPEMD160_C */
+
+#if defined(MBEDTLS_SHA1_C)
+ case -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED):
+ return( "SHA1 - SHA-1 hardware accelerator failed" );
+ case -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA):
+ return( "SHA1 - SHA-1 input data was malformed" );
+#endif /* MBEDTLS_SHA1_C */
+
+#if defined(MBEDTLS_SHA256_C)
+ case -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED):
+ return( "SHA256 - SHA-256 hardware accelerator failed" );
+ case -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA):
+ return( "SHA256 - SHA-256 input data was malformed" );
+#endif /* MBEDTLS_SHA256_C */
+
+#if defined(MBEDTLS_SHA512_C)
+ case -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED):
+ return( "SHA512 - SHA-512 hardware accelerator failed" );
+ case -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA):
+ return( "SHA512 - SHA-512 input data was malformed" );
+#endif /* MBEDTLS_SHA512_C */
+
+#if defined(MBEDTLS_THREADING_C)
+ case -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE):
+ return( "THREADING - The selected feature is not available" );
+ case -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA):
+ return( "THREADING - Bad input parameters to function" );
+ case -(MBEDTLS_ERR_THREADING_MUTEX_ERROR):
+ return( "THREADING - Locking / unlocking / free failed with error code" );
+#endif /* MBEDTLS_THREADING_C */
+
+#if defined(MBEDTLS_XTEA_C)
+ case -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH):
+ return( "XTEA - The data input has an invalid length" );
+ case -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED):
+ return( "XTEA - XTEA hardware accelerator failed" );
+#endif /* MBEDTLS_XTEA_C */
+ /* End Auto-Generated Code. */
+
+ default:
+ break;
+ }
+
+ return( NULL );
+}
+
void mbedtls_strerror( int ret, char *buf, size_t buflen )
{
size_t len;
int use_ret;
+ const char * high_level_error_description = NULL;
+ const char * low_level_error_description = NULL;
if( buflen == 0 )
return;
@@ -230,356 +912,20 @@
{
use_ret = ret & 0xFF80;
- // High level error codes
- //
- // BEGIN generated code
-#if defined(MBEDTLS_CIPHER_C)
- if( use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Input data contains invalid padding and is rejected" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Decryption of block requires a full block" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) )
- mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid. For example, because it was freed" );
- if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" );
-#endif /* MBEDTLS_CIPHER_C */
+ // Translate high level error code.
+ high_level_error_description = mbedtls_high_level_strerr( ret );
-#if defined(MBEDTLS_DHM_C)
- if( use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters" );
- if( use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Making of the DHM parameters failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Reading of the public values failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Making of the public value failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Calculation of the DHM secret failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_INVALID_FORMAT) )
- mbedtls_snprintf( buf, buflen, "DHM - The ASN.1 data is not formatted correctly" );
- if( use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "DHM - Read or write of file failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) )
- mbedtls_snprintf( buf, buflen, "DHM - Setting the modulus and generator failed" );
-#endif /* MBEDTLS_DHM_C */
-
-#if defined(MBEDTLS_ECP_C)
- if( use_ret == -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "ECP - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "ECP - The buffer is too small to write to" );
- if( use_ret == -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "ECP - The requested feature is not available, for example, the requested curve is not supported" );
- if( use_ret == -(MBEDTLS_ERR_ECP_VERIFY_FAILED) )
- mbedtls_snprintf( buf, buflen, "ECP - The signature is not valid" );
- if( use_ret == -(MBEDTLS_ERR_ECP_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "ECP - Memory allocation failed" );
- if( use_ret == -(MBEDTLS_ERR_ECP_RANDOM_FAILED) )
- mbedtls_snprintf( buf, buflen, "ECP - Generation of random value, such as ephemeral key, failed" );
- if( use_ret == -(MBEDTLS_ERR_ECP_INVALID_KEY) )
- mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
- if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "ECP - The buffer contains a valid signature followed by more data" );
- if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "ECP - The ECP hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_ECP_IN_PROGRESS) )
- mbedtls_snprintf( buf, buflen, "ECP - Operation in progress, call again with the same parameters to continue" );
-#endif /* MBEDTLS_ECP_C */
-
-#if defined(MBEDTLS_MD_C)
- if( use_ret == -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "MD - The selected feature is not available" );
- if( use_ret == -(MBEDTLS_ERR_MD_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "MD - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_MD_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "MD - Failed to allocate memory" );
- if( use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "MD - Opening or reading of file failed" );
- if( use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "MD - MD hardware accelerator failed" );
-#endif /* MBEDTLS_MD_C */
-
-#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
- if( use_ret == -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) )
- mbedtls_snprintf( buf, buflen, "PEM - No PEM header or footer found" );
- if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_DATA) )
- mbedtls_snprintf( buf, buflen, "PEM - PEM string is not as expected" );
- if( use_ret == -(MBEDTLS_ERR_PEM_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "PEM - Failed to allocate memory" );
- if( use_ret == -(MBEDTLS_ERR_PEM_INVALID_ENC_IV) )
- mbedtls_snprintf( buf, buflen, "PEM - RSA IV is not in hex-format" );
- if( use_ret == -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG) )
- mbedtls_snprintf( buf, buflen, "PEM - Unsupported key encryption algorithm" );
- if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "PEM - Private key password can't be empty" );
- if( use_ret == -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PEM - Given private key password does not allow for correct decryption" );
- if( use_ret == -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "PEM - Unavailable feature, e.g. hashing/encryption combination" );
- if( use_ret == -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "PEM - Bad input parameters to function" );
-#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
-
-#if defined(MBEDTLS_PK_C)
- if( use_ret == -(MBEDTLS_ERR_PK_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "PK - Memory allocation failed" );
- if( use_ret == -(MBEDTLS_ERR_PK_TYPE_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
- if( use_ret == -(MBEDTLS_ERR_PK_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "PK - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_PK_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "PK - Read/write of file failed" );
- if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION) )
- mbedtls_snprintf( buf, buflen, "PK - Unsupported key version" );
- if( use_ret == -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT) )
- mbedtls_snprintf( buf, buflen, "PK - Invalid key tag or value" );
- if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG) )
- mbedtls_snprintf( buf, buflen, "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
- if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "PK - Private key password can't be empty" );
- if( use_ret == -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PK - Given private key password does not allow for correct decryption" );
- if( use_ret == -(MBEDTLS_ERR_PK_INVALID_PUBKEY) )
- mbedtls_snprintf( buf, buflen, "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
- if( use_ret == -(MBEDTLS_ERR_PK_INVALID_ALG) )
- mbedtls_snprintf( buf, buflen, "PK - The algorithm tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE) )
- mbedtls_snprintf( buf, buflen, "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
- if( use_ret == -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
- if( use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PK - The buffer contains a valid signature followed by more data" );
- if( use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "PK - PK hardware accelerator failed" );
-#endif /* MBEDTLS_PK_C */
-
-#if defined(MBEDTLS_PKCS12_C)
- if( use_ret == -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "PKCS12 - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
- if( use_ret == -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT) )
- mbedtls_snprintf( buf, buflen, "PKCS12 - PBE ASN.1 data not as expected" );
- if( use_ret == -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PKCS12 - Given private key password does not allow for correct decryption" );
-#endif /* MBEDTLS_PKCS12_C */
-
-#if defined(MBEDTLS_PKCS5_C)
- if( use_ret == -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "PKCS5 - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT) )
- mbedtls_snprintf( buf, buflen, "PKCS5 - Unexpected ASN.1 data" );
- if( use_ret == -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "PKCS5 - Requested encryption or digest alg not available" );
- if( use_ret == -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "PKCS5 - Given private key password does not allow for correct decryption" );
-#endif /* MBEDTLS_PKCS5_C */
-
-#if defined(MBEDTLS_RSA_C)
- if( use_ret == -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "RSA - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_RSA_INVALID_PADDING) )
- mbedtls_snprintf( buf, buflen, "RSA - Input data contains invalid padding and is rejected" );
- if( use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - Something failed during generation of a key" );
- if( use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the validity check of the library" );
- if( use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - The public key operation failed" );
- if( use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - The private key operation failed" );
- if( use_ret == -(MBEDTLS_ERR_RSA_VERIFY_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - The PKCS#1 verification failed" );
- if( use_ret == -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE) )
- mbedtls_snprintf( buf, buflen, "RSA - The output buffer for decryption is not large enough" );
- if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
- if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
- mbedtls_snprintf( buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" );
- if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
-#endif /* MBEDTLS_RSA_C */
+ if( high_level_error_description == NULL )
+ mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret );
+ else
+ mbedtls_snprintf( buf, buflen, "%s", high_level_error_description );
#if defined(MBEDTLS_SSL_TLS_C)
- if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
- mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
- mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
- mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
- if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
- mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
- if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
- mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
- if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
- mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
- if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
- mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
- mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
- if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
- if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
- mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
- if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
- {
- mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
+ // Early return in case of a fatal error - do not try to translate low
+ // level code.
+ if(use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE))
return;
- }
- if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
- mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
- mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
- if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
- mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
- if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
- mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
- mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
- if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
- mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
- if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
- if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
- mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
- if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
- mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
- if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
- mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
- if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
- mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
- if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
- mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
- if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
- if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
- mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
- if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
- mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
- if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
- mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
- if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
- mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
- mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
- if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
- mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
- if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
- mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
- if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
- mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
- mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
- if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
- mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
- if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
- mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
- if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )
- mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
- if( use_ret == -(MBEDTLS_ERR_SSL_VERSION_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "SSL - An operation failed due to an unexpected version or configuration" );
- if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
- mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
#endif /* MBEDTLS_SSL_TLS_C */
-
-#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
- if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
- if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
- mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
- mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
- mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
- mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
- mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
- mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
- mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
- mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
- mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
- mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
- if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
- mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
- if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
- if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
- mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
- if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
- mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
- if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
- if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
- if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
- if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
- if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
- mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
-#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
- // END generated code
-
- if( strlen( buf ) == 0 )
- mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
}
use_ret = ret & ~0xFF80;
@@ -603,317 +949,17 @@
buflen -= len + 3;
}
- // Low level error codes
- //
- // BEGIN generated code
-#if defined(MBEDTLS_AES_C)
- if( use_ret == -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH) )
- mbedtls_snprintf( buf, buflen, "AES - Invalid key length" );
- if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
- if( use_ret == -(MBEDTLS_ERR_AES_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "AES - Invalid input data" );
- if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" );
- if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" );
-#endif /* MBEDTLS_AES_C */
+ // Translate low level error code.
+ low_level_error_description = mbedtls_low_level_strerr( ret );
-#if defined(MBEDTLS_ARC4_C)
- if( use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
-#endif /* MBEDTLS_ARC4_C */
-
-#if defined(MBEDTLS_ARIA_C)
- if( use_ret == -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "ARIA - Bad input data" );
- if( use_ret == -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "ARIA - Invalid data input length" );
- if( use_ret == -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "ARIA - Feature not available. For example, an unsupported ARIA key size" );
- if( use_ret == -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "ARIA - ARIA hardware accelerator failed" );
-#endif /* MBEDTLS_ARIA_C */
-
-#if defined(MBEDTLS_ASN1_PARSE_C)
- if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) )
- mbedtls_snprintf( buf, buflen, "ASN1 - ASN1 tag was of an unexpected value" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_LENGTH) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Error when trying to determine the length or invalid length" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Actual length differs from expected length" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_INVALID_DATA) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Data is invalid" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Memory allocation failed" );
- if( use_ret == -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "ASN1 - Buffer too small when writing ASN.1 data structure" );
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
-#if defined(MBEDTLS_BASE64_C)
- if( use_ret == -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "BASE64 - Output buffer too small" );
- if( use_ret == -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER) )
- mbedtls_snprintf( buf, buflen, "BASE64 - Invalid character in input" );
-#endif /* MBEDTLS_BASE64_C */
-
-#if defined(MBEDTLS_BIGNUM_C)
- if( use_ret == -(MBEDTLS_ERR_MPI_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - An error occurred while reading from or writing to a file" );
- if( use_ret == -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_MPI_INVALID_CHARACTER) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - There is an invalid character in the digit string" );
- if( use_ret == -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - The buffer is too small to write to" );
- if( use_ret == -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are negative or result in illegal output" );
- if( use_ret == -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - The input argument for division is zero, which is not allowed" );
- if( use_ret == -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - The input arguments are not acceptable" );
- if( use_ret == -(MBEDTLS_ERR_MPI_ALLOC_FAILED) )
- mbedtls_snprintf( buf, buflen, "BIGNUM - Memory allocation failed" );
-#endif /* MBEDTLS_BIGNUM_C */
-
-#if defined(MBEDTLS_BLOWFISH_C)
- if( use_ret == -(MBEDTLS_ERR_BLOWFISH_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "BLOWFISH - Bad input data" );
- if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
- if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
-#endif /* MBEDTLS_BLOWFISH_C */
-
-#if defined(MBEDTLS_CAMELLIA_C)
- if( use_ret == -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "CAMELLIA - Bad input data" );
- if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
- if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" );
-#endif /* MBEDTLS_CAMELLIA_C */
-
-#if defined(MBEDTLS_CCM_C)
- if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) )
- mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" );
- if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) )
- mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
- if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
-#endif /* MBEDTLS_CCM_C */
-
-#if defined(MBEDTLS_CHACHA20_C)
- if( use_ret == -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "CHACHA20 - Invalid input parameter(s)" );
- if( use_ret == -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "CHACHA20 - Feature not available. For example, s part of the API is not implemented" );
- if( use_ret == -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "CHACHA20 - Chacha20 hardware accelerator failed" );
-#endif /* MBEDTLS_CHACHA20_C */
-
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE) )
- mbedtls_snprintf( buf, buflen, "CHACHAPOLY - The requested operation is not permitted in the current state" );
- if( use_ret == -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED) )
- mbedtls_snprintf( buf, buflen, "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
-#endif /* MBEDTLS_CHACHAPOLY_C */
-
-#if defined(MBEDTLS_CMAC_C)
- if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
-#endif /* MBEDTLS_CMAC_C */
-
-#if defined(MBEDTLS_CTR_DRBG_C)
- if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
- mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
- if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG) )
- mbedtls_snprintf( buf, buflen, "CTR_DRBG - The requested random buffer length is too big" );
- if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG) )
- mbedtls_snprintf( buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large" );
- if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read or write error in file" );
-#endif /* MBEDTLS_CTR_DRBG_C */
-
-#if defined(MBEDTLS_DES_C)
- if( use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "DES - The data input has an invalid length" );
- if( use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "DES - DES hardware accelerator failed" );
-#endif /* MBEDTLS_DES_C */
-
-#if defined(MBEDTLS_ENTROPY_C)
- if( use_ret == -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED) )
- mbedtls_snprintf( buf, buflen, "ENTROPY - Critical entropy source failure" );
- if( use_ret == -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES) )
- mbedtls_snprintf( buf, buflen, "ENTROPY - No more sources can be added" );
- if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED) )
- mbedtls_snprintf( buf, buflen, "ENTROPY - No sources have been added to poll" );
- if( use_ret == -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE) )
- mbedtls_snprintf( buf, buflen, "ENTROPY - No strong sources have been added to poll" );
- if( use_ret == -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "ENTROPY - Read/write error in file" );
-#endif /* MBEDTLS_ENTROPY_C */
-
-#if defined(MBEDTLS_ERROR_C)
- if( use_ret == -(MBEDTLS_ERR_ERROR_GENERIC_ERROR) )
- mbedtls_snprintf( buf, buflen, "ERROR - Generic error" );
- if( use_ret == -(MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED) )
- mbedtls_snprintf( buf, buflen, "ERROR - This is a bug in the library" );
-#endif /* MBEDTLS_ERROR_C */
-
-#if defined(MBEDTLS_GCM_C)
- if( use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED) )
- mbedtls_snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
- if( use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "GCM - GCM hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT) )
- mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
-#endif /* MBEDTLS_GCM_C */
-
-#if defined(MBEDTLS_HKDF_C)
- if( use_ret == -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "HKDF - Bad input parameters to function" );
-#endif /* MBEDTLS_HKDF_C */
-
-#if defined(MBEDTLS_HMAC_DRBG_C)
- if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG) )
- mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Too many random requested in single call" );
- if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG) )
- mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Input too large (Entropy + additional)" );
- if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR) )
- mbedtls_snprintf( buf, buflen, "HMAC_DRBG - Read/write error in file" );
- if( use_ret == -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED) )
- mbedtls_snprintf( buf, buflen, "HMAC_DRBG - The entropy source failed" );
-#endif /* MBEDTLS_HMAC_DRBG_C */
-
-#if defined(MBEDTLS_MD2_C)
- if( use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "MD2 - MD2 hardware accelerator failed" );
-#endif /* MBEDTLS_MD2_C */
-
-#if defined(MBEDTLS_MD4_C)
- if( use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "MD4 - MD4 hardware accelerator failed" );
-#endif /* MBEDTLS_MD4_C */
-
-#if defined(MBEDTLS_MD5_C)
- if( use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
-#endif /* MBEDTLS_MD5_C */
-
-#if defined(MBEDTLS_NET_C)
- if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
- if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
- if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
- if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
- if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
- if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
- if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
- if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
- mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
- if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
- mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
- if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
- if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
- mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
- if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
- mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
- if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
-#endif /* MBEDTLS_NET_C */
-
-#if defined(MBEDTLS_OID_C)
- if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
- mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
- if( use_ret == -(MBEDTLS_ERR_OID_BUF_TOO_SMALL) )
- mbedtls_snprintf( buf, buflen, "OID - output buffer is too small" );
-#endif /* MBEDTLS_OID_C */
-
-#if defined(MBEDTLS_PADLOCK_C)
- if( use_ret == -(MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED) )
- mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" );
-#endif /* MBEDTLS_PADLOCK_C */
-
-#if defined(MBEDTLS_PLATFORM_C)
- if( use_ret == -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "PLATFORM - Hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED) )
- mbedtls_snprintf( buf, buflen, "PLATFORM - The requested feature is not supported by the platform" );
-#endif /* MBEDTLS_PLATFORM_C */
-
-#if defined(MBEDTLS_POLY1305_C)
- if( use_ret == -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "POLY1305 - Invalid input parameter(s)" );
- if( use_ret == -(MBEDTLS_ERR_POLY1305_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "POLY1305 - Feature not available. For example, s part of the API is not implemented" );
- if( use_ret == -(MBEDTLS_ERR_POLY1305_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "POLY1305 - Poly1305 hardware accelerator failed" );
-#endif /* MBEDTLS_POLY1305_C */
-
-#if defined(MBEDTLS_RIPEMD160_C)
- if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" );
-#endif /* MBEDTLS_RIPEMD160_C */
-
-#if defined(MBEDTLS_SHA1_C)
- if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 input data was malformed" );
-#endif /* MBEDTLS_SHA1_C */
-
-#if defined(MBEDTLS_SHA256_C)
- if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 input data was malformed" );
-#endif /* MBEDTLS_SHA256_C */
-
-#if defined(MBEDTLS_SHA512_C)
- if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" );
- if( use_ret == -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 input data was malformed" );
-#endif /* MBEDTLS_SHA512_C */
-
-#if defined(MBEDTLS_THREADING_C)
- if( use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE) )
- mbedtls_snprintf( buf, buflen, "THREADING - The selected feature is not available" );
- if( use_ret == -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "THREADING - Bad input parameters to function" );
- if( use_ret == -(MBEDTLS_ERR_THREADING_MUTEX_ERROR) )
- mbedtls_snprintf( buf, buflen, "THREADING - Locking / unlocking / free failed with error code" );
-#endif /* MBEDTLS_THREADING_C */
-
-#if defined(MBEDTLS_XTEA_C)
- if( use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH) )
- mbedtls_snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
- if( use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED) )
- mbedtls_snprintf( buf, buflen, "XTEA - XTEA hardware accelerator failed" );
-#endif /* MBEDTLS_XTEA_C */
- // END generated code
-
- if( strlen( buf ) != 0 )
- return;
-
- mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", use_ret );
+ if( low_level_error_description == NULL )
+ mbedtls_snprintf( buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret );
+ else
+ mbedtls_snprintf( buf, buflen, "%s", low_level_error_description );
}
#else /* MBEDTLS_ERROR_C */
-#if defined(MBEDTLS_ERROR_STRERROR_DUMMY)
-
/*
* Provide an non-function in case MBEDTLS_ERROR_C is not defined
*/
@@ -925,6 +971,10 @@
buf[0] = '\0';
}
-#endif /* MBEDTLS_ERROR_STRERROR_DUMMY */
-
#endif /* MBEDTLS_ERROR_C */
+
+#if defined(MBEDTLS_TEST_HOOKS)
+void (*mbedtls_test_hook_error_add)( int, int, const char *, int );
+#endif
+
+#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
diff --git a/lib/libmbedtls/mbedtls/library/gcm.c b/lib/libmbedtls/mbedtls/library/gcm.c
index ddd2d4e..f237bab 100644
--- a/lib/libmbedtls/mbedtls/library/gcm.c
+++ b/lib/libmbedtls/mbedtls/library/gcm.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* NIST SP800-38D compliant GCM implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -29,11 +27,7 @@
* [MGV] 4.1, pp. 12-13, to enhance speed without using too much memory.
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_GCM_C)
@@ -825,6 +819,15 @@
add_len_test_data[i],
pt_test_data[pt_index_test_data[i]],
buf, 16, tag_buf );
+#if defined(MBEDTLS_GCM_ALT)
+ /* Allow alternative implementations to only support 12-byte nonces. */
+ if( ret == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED &&
+ iv_len_test_data[i] != 12 )
+ {
+ mbedtls_printf( "skipped\n" );
+ break;
+ }
+#endif /* defined(MBEDTLS_GCM_ALT) */
if( ret != 0 )
goto exit;
diff --git a/lib/libmbedtls/mbedtls/library/havege.c b/lib/libmbedtls/mbedtls/library/havege.c
index 1140544..2a360a1 100644
--- a/lib/libmbedtls/mbedtls/library/havege.c
+++ b/lib/libmbedtls/mbedtls/library/havege.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The HAVEGE RNG was designed by Andre Seznec in 2002.
@@ -26,11 +24,7 @@
* Contact: seznec(at)irisa_dot_fr - orocheco(at)irisa_dot_fr
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_HAVEGE_C)
diff --git a/lib/libmbedtls/mbedtls/library/hkdf.c b/lib/libmbedtls/mbedtls/library/hkdf.c
index 82df597..5013729 100644
--- a/lib/libmbedtls/mbedtls/library/hkdf.c
+++ b/lib/libmbedtls/mbedtls/library/hkdf.c
@@ -1,7 +1,7 @@
/*
* HKDF implementation -- RFC 5869
*
- * Copyright (C) 2016-2018, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -15,14 +15,8 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_HKDF_C)
diff --git a/lib/libmbedtls/mbedtls/library/hmac_drbg.c b/lib/libmbedtls/mbedtls/library/hmac_drbg.c
index 167cdd5..de97068 100644
--- a/lib/libmbedtls/mbedtls/library/hmac_drbg.c
+++ b/lib/libmbedtls/mbedtls/library/hmac_drbg.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* HMAC_DRBG implementation (NIST SP 800-90)
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -25,11 +23,7 @@
* References below are based on rev. 1 (January 2012).
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_HMAC_DRBG_C)
@@ -59,9 +53,7 @@
{
memset( ctx, 0, sizeof( mbedtls_hmac_drbg_context ) );
-#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_init( &ctx->mutex );
-#endif
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
}
/*
@@ -133,6 +125,10 @@
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init( &ctx->mutex );
+#endif
+
/*
* Set initial working state.
* Use the V memory location, which is currently all 0, to initialize the
@@ -258,6 +254,11 @@
if( ( ret = mbedtls_md_setup( &ctx->md_ctx, md_info, 1 ) ) != 0 )
return( ret );
+ /* The mutex is initialized iff the md context is set up. */
+#if defined(MBEDTLS_THREADING_C)
+ mbedtls_mutex_init( &ctx->mutex );
+#endif
+
md_size = mbedtls_md_get_size( md_info );
/*
@@ -272,8 +273,6 @@
ctx->f_entropy = f_entropy;
ctx->p_entropy = p_entropy;
- ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
-
if( ctx->entropy_len == 0 )
{
/*
@@ -418,7 +417,8 @@
}
/*
- * Free an HMAC_DRBG context
+ * This function resets HMAC_DRBG context to the state immediately
+ * after initial call of mbedtls_hmac_drbg_init().
*/
void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
{
@@ -426,10 +426,13 @@
return;
#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free( &ctx->mutex );
+ /* The mutex is initialized iff the md context is set up. */
+ if( ctx->md_ctx.md_info != NULL )
+ mbedtls_mutex_free( &ctx->mutex );
#endif
mbedtls_md_free( &ctx->md_ctx );
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_hmac_drbg_context ) );
+ ctx->reseed_interval = MBEDTLS_HMAC_DRBG_RESEED_INTERVAL;
}
#if defined(MBEDTLS_FS_IO)
diff --git a/lib/libmbedtls/mbedtls/library/md.c b/lib/libmbedtls/mbedtls/library/md.c
index 869b177..341a9cf 100644
--- a/lib/libmbedtls/mbedtls/library/md.c
+++ b/lib/libmbedtls/mbedtls/library/md.c
@@ -1,12 +1,12 @@
-// SPDX-License-Identifier: Apache-2.0
/**
- * \file mbedtls_md.c
+ * \file md.c
*
* \brief Generic message digest wrapper for mbed TLS
*
* \author Adriaan de Jong <dejong@fox-it.com>
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,15 +19,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_MD_C)
@@ -420,6 +414,10 @@
if( md_info == NULL || ctx == NULL )
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
+ ctx->md_info = md_info;
+ ctx->md_ctx = NULL;
+ ctx->hmac_ctx = NULL;
+
switch( md_info->type )
{
#if defined(MBEDTLS_MD2_C)
@@ -475,8 +473,6 @@
}
}
- ctx->md_info = md_info;
-
return( 0 );
}
#undef ALLOC
@@ -556,14 +552,12 @@
#endif
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_SHA224:
- return( mbedtls_sha256_update_ret( ctx->md_ctx, input, ilen ) );
case MBEDTLS_MD_SHA256:
return( mbedtls_sha256_update_ret( ctx->md_ctx, input, ilen ) );
#endif
#if defined(MBEDTLS_SHA512_C)
#if !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_MD_SHA384:
- return( mbedtls_sha512_update_ret( ctx->md_ctx, input, ilen ) );
#endif
case MBEDTLS_MD_SHA512:
return( mbedtls_sha512_update_ret( ctx->md_ctx, input, ilen ) );
@@ -602,14 +596,12 @@
#endif
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_SHA224:
- return( mbedtls_sha256_finish_ret( ctx->md_ctx, output ) );
case MBEDTLS_MD_SHA256:
return( mbedtls_sha256_finish_ret( ctx->md_ctx, output ) );
#endif
#if defined(MBEDTLS_SHA512_C)
#if !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_MD_SHA384:
- return( mbedtls_sha512_finish_ret( ctx->md_ctx, output ) );
#endif
case MBEDTLS_MD_SHA512:
return( mbedtls_sha512_finish_ret( ctx->md_ctx, output ) );
@@ -859,14 +851,12 @@
#endif
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_SHA224:
- return( mbedtls_internal_sha256_process( ctx->md_ctx, data ) );
case MBEDTLS_MD_SHA256:
return( mbedtls_internal_sha256_process( ctx->md_ctx, data ) );
#endif
#if defined(MBEDTLS_SHA512_C)
#if !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_MD_SHA384:
- return( mbedtls_internal_sha512_process( ctx->md_ctx, data ) );
#endif
case MBEDTLS_MD_SHA512:
return( mbedtls_internal_sha512_process( ctx->md_ctx, data ) );
diff --git a/lib/libmbedtls/mbedtls/library/md2.c b/lib/libmbedtls/mbedtls/library/md2.c
index 483faf3..7264e30 100644
--- a/lib/libmbedtls/mbedtls/library/md2.c
+++ b/lib/libmbedtls/mbedtls/library/md2.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* RFC 1115/1319 compliant MD2 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The MD2 algorithm was designed by Ron Rivest in 1989.
@@ -25,11 +23,7 @@
* http://www.ietf.org/rfc/rfc1319.txt
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_MD2_C)
@@ -153,6 +147,9 @@
t = ctx->cksum[i];
}
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &t, sizeof( t ) );
+
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/md4.c b/lib/libmbedtls/mbedtls/library/md4.c
index 48b4ccd..4fd6bc3 100644
--- a/lib/libmbedtls/mbedtls/library/md4.c
+++ b/lib/libmbedtls/mbedtls/library/md4.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* RFC 1186/1320 compliant MD4 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The MD4 algorithm was designed by Ron Rivest in 1990.
@@ -25,11 +23,7 @@
* http://www.ietf.org/rfc/rfc1320.txt
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_MD4_C)
@@ -119,31 +113,34 @@
int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
const unsigned char data[64] )
{
- uint32_t X[16], A, B, C, D;
+ struct
+ {
+ uint32_t X[16], A, B, C, D;
+ } local;
- GET_UINT32_LE( X[ 0], data, 0 );
- GET_UINT32_LE( X[ 1], data, 4 );
- GET_UINT32_LE( X[ 2], data, 8 );
- GET_UINT32_LE( X[ 3], data, 12 );
- GET_UINT32_LE( X[ 4], data, 16 );
- GET_UINT32_LE( X[ 5], data, 20 );
- GET_UINT32_LE( X[ 6], data, 24 );
- GET_UINT32_LE( X[ 7], data, 28 );
- GET_UINT32_LE( X[ 8], data, 32 );
- GET_UINT32_LE( X[ 9], data, 36 );
- GET_UINT32_LE( X[10], data, 40 );
- GET_UINT32_LE( X[11], data, 44 );
- GET_UINT32_LE( X[12], data, 48 );
- GET_UINT32_LE( X[13], data, 52 );
- GET_UINT32_LE( X[14], data, 56 );
- GET_UINT32_LE( X[15], data, 60 );
+ GET_UINT32_LE( local.X[ 0], data, 0 );
+ GET_UINT32_LE( local.X[ 1], data, 4 );
+ GET_UINT32_LE( local.X[ 2], data, 8 );
+ GET_UINT32_LE( local.X[ 3], data, 12 );
+ GET_UINT32_LE( local.X[ 4], data, 16 );
+ GET_UINT32_LE( local.X[ 5], data, 20 );
+ GET_UINT32_LE( local.X[ 6], data, 24 );
+ GET_UINT32_LE( local.X[ 7], data, 28 );
+ GET_UINT32_LE( local.X[ 8], data, 32 );
+ GET_UINT32_LE( local.X[ 9], data, 36 );
+ GET_UINT32_LE( local.X[10], data, 40 );
+ GET_UINT32_LE( local.X[11], data, 44 );
+ GET_UINT32_LE( local.X[12], data, 48 );
+ GET_UINT32_LE( local.X[13], data, 52 );
+ GET_UINT32_LE( local.X[14], data, 56 );
+ GET_UINT32_LE( local.X[15], data, 60 );
#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
- A = ctx->state[0];
- B = ctx->state[1];
- C = ctx->state[2];
- D = ctx->state[3];
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
#define P(a,b,c,d,x,s) \
@@ -154,22 +151,22 @@
} while( 0 )
- P( A, B, C, D, X[ 0], 3 );
- P( D, A, B, C, X[ 1], 7 );
- P( C, D, A, B, X[ 2], 11 );
- P( B, C, D, A, X[ 3], 19 );
- P( A, B, C, D, X[ 4], 3 );
- P( D, A, B, C, X[ 5], 7 );
- P( C, D, A, B, X[ 6], 11 );
- P( B, C, D, A, X[ 7], 19 );
- P( A, B, C, D, X[ 8], 3 );
- P( D, A, B, C, X[ 9], 7 );
- P( C, D, A, B, X[10], 11 );
- P( B, C, D, A, X[11], 19 );
- P( A, B, C, D, X[12], 3 );
- P( D, A, B, C, X[13], 7 );
- P( C, D, A, B, X[14], 11 );
- P( B, C, D, A, X[15], 19 );
+ P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 1], 7 );
+ P( local.C, local.D, local.A, local.B, local.X[ 2], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[ 3], 19 );
+ P( local.A, local.B, local.C, local.D, local.X[ 4], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 5], 7 );
+ P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[ 7], 19 );
+ P( local.A, local.B, local.C, local.D, local.X[ 8], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 9], 7 );
+ P( local.C, local.D, local.A, local.B, local.X[10], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[11], 19 );
+ P( local.A, local.B, local.C, local.D, local.X[12], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[13], 7 );
+ P( local.C, local.D, local.A, local.B, local.X[14], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[15], 19 );
#undef P
#undef F
@@ -182,22 +179,22 @@
(a) = S((a),(s)); \
} while( 0 )
- P( A, B, C, D, X[ 0], 3 );
- P( D, A, B, C, X[ 4], 5 );
- P( C, D, A, B, X[ 8], 9 );
- P( B, C, D, A, X[12], 13 );
- P( A, B, C, D, X[ 1], 3 );
- P( D, A, B, C, X[ 5], 5 );
- P( C, D, A, B, X[ 9], 9 );
- P( B, C, D, A, X[13], 13 );
- P( A, B, C, D, X[ 2], 3 );
- P( D, A, B, C, X[ 6], 5 );
- P( C, D, A, B, X[10], 9 );
- P( B, C, D, A, X[14], 13 );
- P( A, B, C, D, X[ 3], 3 );
- P( D, A, B, C, X[ 7], 5 );
- P( C, D, A, B, X[11], 9 );
- P( B, C, D, A, X[15], 13 );
+ P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 4], 5 );
+ P( local.C, local.D, local.A, local.B, local.X[ 8], 9 );
+ P( local.B, local.C, local.D, local.A, local.X[12], 13 );
+ P( local.A, local.B, local.C, local.D, local.X[ 1], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 5], 5 );
+ P( local.C, local.D, local.A, local.B, local.X[ 9], 9 );
+ P( local.B, local.C, local.D, local.A, local.X[13], 13 );
+ P( local.A, local.B, local.C, local.D, local.X[ 2], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 6], 5 );
+ P( local.C, local.D, local.A, local.B, local.X[10], 9 );
+ P( local.B, local.C, local.D, local.A, local.X[14], 13 );
+ P( local.A, local.B, local.C, local.D, local.X[ 3], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 7], 5 );
+ P( local.C, local.D, local.A, local.B, local.X[11], 9 );
+ P( local.B, local.C, local.D, local.A, local.X[15], 13 );
#undef P
#undef F
@@ -210,30 +207,33 @@
(a) = S((a),(s)); \
} while( 0 )
- P( A, B, C, D, X[ 0], 3 );
- P( D, A, B, C, X[ 8], 9 );
- P( C, D, A, B, X[ 4], 11 );
- P( B, C, D, A, X[12], 15 );
- P( A, B, C, D, X[ 2], 3 );
- P( D, A, B, C, X[10], 9 );
- P( C, D, A, B, X[ 6], 11 );
- P( B, C, D, A, X[14], 15 );
- P( A, B, C, D, X[ 1], 3 );
- P( D, A, B, C, X[ 9], 9 );
- P( C, D, A, B, X[ 5], 11 );
- P( B, C, D, A, X[13], 15 );
- P( A, B, C, D, X[ 3], 3 );
- P( D, A, B, C, X[11], 9 );
- P( C, D, A, B, X[ 7], 11 );
- P( B, C, D, A, X[15], 15 );
+ P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 8], 9 );
+ P( local.C, local.D, local.A, local.B, local.X[ 4], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[12], 15 );
+ P( local.A, local.B, local.C, local.D, local.X[ 2], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[10], 9 );
+ P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[14], 15 );
+ P( local.A, local.B, local.C, local.D, local.X[ 1], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[ 9], 9 );
+ P( local.C, local.D, local.A, local.B, local.X[ 5], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[13], 15 );
+ P( local.A, local.B, local.C, local.D, local.X[ 3], 3 );
+ P( local.D, local.A, local.B, local.C, local.X[11], 9 );
+ P( local.C, local.D, local.A, local.B, local.X[ 7], 11 );
+ P( local.B, local.C, local.D, local.A, local.X[15], 15 );
#undef F
#undef P
- ctx->state[0] += A;
- ctx->state[1] += B;
- ctx->state[2] += C;
- ctx->state[3] += D;
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/md5.c b/lib/libmbedtls/mbedtls/library/md5.c
index ae712fb..c4f2dbf 100644
--- a/lib/libmbedtls/mbedtls/library/md5.c
+++ b/lib/libmbedtls/mbedtls/library/md5.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* RFC 1321 compliant MD5 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The MD5 algorithm was designed by Ron Rivest in 1991.
@@ -24,11 +22,7 @@
* http://www.ietf.org/rfc/rfc1321.txt
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_MD5_C)
@@ -118,128 +112,134 @@
int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
const unsigned char data[64] )
{
- uint32_t X[16], A, B, C, D;
+ struct
+ {
+ uint32_t X[16], A, B, C, D;
+ } local;
- GET_UINT32_LE( X[ 0], data, 0 );
- GET_UINT32_LE( X[ 1], data, 4 );
- GET_UINT32_LE( X[ 2], data, 8 );
- GET_UINT32_LE( X[ 3], data, 12 );
- GET_UINT32_LE( X[ 4], data, 16 );
- GET_UINT32_LE( X[ 5], data, 20 );
- GET_UINT32_LE( X[ 6], data, 24 );
- GET_UINT32_LE( X[ 7], data, 28 );
- GET_UINT32_LE( X[ 8], data, 32 );
- GET_UINT32_LE( X[ 9], data, 36 );
- GET_UINT32_LE( X[10], data, 40 );
- GET_UINT32_LE( X[11], data, 44 );
- GET_UINT32_LE( X[12], data, 48 );
- GET_UINT32_LE( X[13], data, 52 );
- GET_UINT32_LE( X[14], data, 56 );
- GET_UINT32_LE( X[15], data, 60 );
+ GET_UINT32_LE( local.X[ 0], data, 0 );
+ GET_UINT32_LE( local.X[ 1], data, 4 );
+ GET_UINT32_LE( local.X[ 2], data, 8 );
+ GET_UINT32_LE( local.X[ 3], data, 12 );
+ GET_UINT32_LE( local.X[ 4], data, 16 );
+ GET_UINT32_LE( local.X[ 5], data, 20 );
+ GET_UINT32_LE( local.X[ 6], data, 24 );
+ GET_UINT32_LE( local.X[ 7], data, 28 );
+ GET_UINT32_LE( local.X[ 8], data, 32 );
+ GET_UINT32_LE( local.X[ 9], data, 36 );
+ GET_UINT32_LE( local.X[10], data, 40 );
+ GET_UINT32_LE( local.X[11], data, 44 );
+ GET_UINT32_LE( local.X[12], data, 48 );
+ GET_UINT32_LE( local.X[13], data, 52 );
+ GET_UINT32_LE( local.X[14], data, 56 );
+ GET_UINT32_LE( local.X[15], data, 60 );
#define S(x,n) \
( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
-#define P(a,b,c,d,k,s,t) \
- do \
- { \
- (a) += F((b),(c),(d)) + X[(k)] + (t); \
- (a) = S((a),(s)) + (b); \
+#define P(a,b,c,d,k,s,t) \
+ do \
+ { \
+ (a) += F((b),(c),(d)) + local.X[(k)] + (t); \
+ (a) = S((a),(s)) + (b); \
} while( 0 )
- A = ctx->state[0];
- B = ctx->state[1];
- C = ctx->state[2];
- D = ctx->state[3];
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
- P( A, B, C, D, 0, 7, 0xD76AA478 );
- P( D, A, B, C, 1, 12, 0xE8C7B756 );
- P( C, D, A, B, 2, 17, 0x242070DB );
- P( B, C, D, A, 3, 22, 0xC1BDCEEE );
- P( A, B, C, D, 4, 7, 0xF57C0FAF );
- P( D, A, B, C, 5, 12, 0x4787C62A );
- P( C, D, A, B, 6, 17, 0xA8304613 );
- P( B, C, D, A, 7, 22, 0xFD469501 );
- P( A, B, C, D, 8, 7, 0x698098D8 );
- P( D, A, B, C, 9, 12, 0x8B44F7AF );
- P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
- P( B, C, D, A, 11, 22, 0x895CD7BE );
- P( A, B, C, D, 12, 7, 0x6B901122 );
- P( D, A, B, C, 13, 12, 0xFD987193 );
- P( C, D, A, B, 14, 17, 0xA679438E );
- P( B, C, D, A, 15, 22, 0x49B40821 );
+ P( local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478 );
+ P( local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756 );
+ P( local.C, local.D, local.A, local.B, 2, 17, 0x242070DB );
+ P( local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE );
+ P( local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF );
+ P( local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A );
+ P( local.C, local.D, local.A, local.B, 6, 17, 0xA8304613 );
+ P( local.B, local.C, local.D, local.A, 7, 22, 0xFD469501 );
+ P( local.A, local.B, local.C, local.D, 8, 7, 0x698098D8 );
+ P( local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF );
+ P( local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1 );
+ P( local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE );
+ P( local.A, local.B, local.C, local.D, 12, 7, 0x6B901122 );
+ P( local.D, local.A, local.B, local.C, 13, 12, 0xFD987193 );
+ P( local.C, local.D, local.A, local.B, 14, 17, 0xA679438E );
+ P( local.B, local.C, local.D, local.A, 15, 22, 0x49B40821 );
#undef F
#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
- P( A, B, C, D, 1, 5, 0xF61E2562 );
- P( D, A, B, C, 6, 9, 0xC040B340 );
- P( C, D, A, B, 11, 14, 0x265E5A51 );
- P( B, C, D, A, 0, 20, 0xE9B6C7AA );
- P( A, B, C, D, 5, 5, 0xD62F105D );
- P( D, A, B, C, 10, 9, 0x02441453 );
- P( C, D, A, B, 15, 14, 0xD8A1E681 );
- P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
- P( A, B, C, D, 9, 5, 0x21E1CDE6 );
- P( D, A, B, C, 14, 9, 0xC33707D6 );
- P( C, D, A, B, 3, 14, 0xF4D50D87 );
- P( B, C, D, A, 8, 20, 0x455A14ED );
- P( A, B, C, D, 13, 5, 0xA9E3E905 );
- P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
- P( C, D, A, B, 7, 14, 0x676F02D9 );
- P( B, C, D, A, 12, 20, 0x8D2A4C8A );
+ P( local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562 );
+ P( local.D, local.A, local.B, local.C, 6, 9, 0xC040B340 );
+ P( local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51 );
+ P( local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA );
+ P( local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D );
+ P( local.D, local.A, local.B, local.C, 10, 9, 0x02441453 );
+ P( local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681 );
+ P( local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8 );
+ P( local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6 );
+ P( local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6 );
+ P( local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87 );
+ P( local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED );
+ P( local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905 );
+ P( local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8 );
+ P( local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9 );
+ P( local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A );
#undef F
#define F(x,y,z) ((x) ^ (y) ^ (z))
- P( A, B, C, D, 5, 4, 0xFFFA3942 );
- P( D, A, B, C, 8, 11, 0x8771F681 );
- P( C, D, A, B, 11, 16, 0x6D9D6122 );
- P( B, C, D, A, 14, 23, 0xFDE5380C );
- P( A, B, C, D, 1, 4, 0xA4BEEA44 );
- P( D, A, B, C, 4, 11, 0x4BDECFA9 );
- P( C, D, A, B, 7, 16, 0xF6BB4B60 );
- P( B, C, D, A, 10, 23, 0xBEBFBC70 );
- P( A, B, C, D, 13, 4, 0x289B7EC6 );
- P( D, A, B, C, 0, 11, 0xEAA127FA );
- P( C, D, A, B, 3, 16, 0xD4EF3085 );
- P( B, C, D, A, 6, 23, 0x04881D05 );
- P( A, B, C, D, 9, 4, 0xD9D4D039 );
- P( D, A, B, C, 12, 11, 0xE6DB99E5 );
- P( C, D, A, B, 15, 16, 0x1FA27CF8 );
- P( B, C, D, A, 2, 23, 0xC4AC5665 );
+ P( local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942 );
+ P( local.D, local.A, local.B, local.C, 8, 11, 0x8771F681 );
+ P( local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122 );
+ P( local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C );
+ P( local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44 );
+ P( local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9 );
+ P( local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60 );
+ P( local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70 );
+ P( local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6 );
+ P( local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA );
+ P( local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085 );
+ P( local.B, local.C, local.D, local.A, 6, 23, 0x04881D05 );
+ P( local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039 );
+ P( local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5 );
+ P( local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8 );
+ P( local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665 );
#undef F
#define F(x,y,z) ((y) ^ ((x) | ~(z)))
- P( A, B, C, D, 0, 6, 0xF4292244 );
- P( D, A, B, C, 7, 10, 0x432AFF97 );
- P( C, D, A, B, 14, 15, 0xAB9423A7 );
- P( B, C, D, A, 5, 21, 0xFC93A039 );
- P( A, B, C, D, 12, 6, 0x655B59C3 );
- P( D, A, B, C, 3, 10, 0x8F0CCC92 );
- P( C, D, A, B, 10, 15, 0xFFEFF47D );
- P( B, C, D, A, 1, 21, 0x85845DD1 );
- P( A, B, C, D, 8, 6, 0x6FA87E4F );
- P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
- P( C, D, A, B, 6, 15, 0xA3014314 );
- P( B, C, D, A, 13, 21, 0x4E0811A1 );
- P( A, B, C, D, 4, 6, 0xF7537E82 );
- P( D, A, B, C, 11, 10, 0xBD3AF235 );
- P( C, D, A, B, 2, 15, 0x2AD7D2BB );
- P( B, C, D, A, 9, 21, 0xEB86D391 );
+ P( local.A, local.B, local.C, local.D, 0, 6, 0xF4292244 );
+ P( local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97 );
+ P( local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7 );
+ P( local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039 );
+ P( local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3 );
+ P( local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92 );
+ P( local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D );
+ P( local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1 );
+ P( local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F );
+ P( local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0 );
+ P( local.C, local.D, local.A, local.B, 6, 15, 0xA3014314 );
+ P( local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1 );
+ P( local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82 );
+ P( local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235 );
+ P( local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB );
+ P( local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391 );
#undef F
- ctx->state[0] += A;
- ctx->state[1] += B;
- ctx->state[2] += C;
- ctx->state[3] += D;
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/memory_buffer_alloc.c b/lib/libmbedtls/mbedtls/library/memory_buffer_alloc.c
index 5556a84..0d5d27d 100644
--- a/lib/libmbedtls/mbedtls/library/memory_buffer_alloc.c
+++ b/lib/libmbedtls/mbedtls/library/memory_buffer_alloc.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Buffer-based memory allocator
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
diff --git a/lib/libmbedtls/mbedtls/library/net_sockets.c b/lib/libmbedtls/mbedtls/library/net_sockets.c
index bb313c2..5fbe1f7 100644
--- a/lib/libmbedtls/mbedtls/library/net_sockets.c
+++ b/lib/libmbedtls/mbedtls/library/net_sockets.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* TCP/IP or UDP/IP networking functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,26 +15,25 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
* be set before config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
+#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
-
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
#endif
+#ifndef _XOPEN_SOURCE
+#define _XOPEN_SOURCE 600 /* sockaddr_storage */
+#endif
+
+#include "common.h"
#if defined(MBEDTLS_NET_C)
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
#endif
@@ -54,8 +53,7 @@
#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
-#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
-#undef _WIN32_WINNT
+#if !defined(_WIN32_WINNT)
/* Enables getaddrinfo() & Co */
#define _WIN32_WINNT 0x0501
#endif
@@ -64,6 +62,9 @@
#include <winsock2.h>
#include <windows.h>
+#if (_WIN32_WINNT < 0x0501)
+#include <wspiapi.h>
+#endif
#if defined(_MSC_VER)
#if defined(_WIN32_WCE)
@@ -135,6 +136,31 @@
}
/*
+ * Return 0 if the file descriptor is valid, an error otherwise.
+ * If for_select != 0, check whether the file descriptor is within the range
+ * allowed for fd_set used for the FD_xxx macros and the select() function.
+ */
+static int check_fd( int fd, int for_select )
+{
+ if( fd < 0 )
+ return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+
+#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
+ !defined(EFI32)
+ (void) for_select;
+#else
+ /* A limitation of select() is that it only works with file descriptors
+ * that are strictly less than FD_SETSIZE. This is a limitation of the
+ * fd_set type. Error out early, because attempting to call FD_SET on a
+ * large file descriptor is a buffer overflow on typical platforms. */
+ if( for_select && fd >= FD_SETSIZE )
+ return( MBEDTLS_ERR_NET_POLL_FAILED );
+#endif
+
+ return( 0 );
+}
+
+/*
* Initialize a context
*/
void mbedtls_net_init( mbedtls_net_context *ctx )
@@ -320,7 +346,8 @@
struct sockaddr_storage client_addr;
#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
- defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
+ defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t) || \
+ defined(socklen_t) || (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L)
socklen_t n = (socklen_t) sizeof( client_addr );
socklen_t type_len = (socklen_t) sizeof( type );
#else
@@ -464,8 +491,9 @@
int fd = ctx->fd;
- if( fd < 0 )
- return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+ ret = check_fd( fd, 1 );
+ if( ret != 0 )
+ return( ret );
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
@@ -544,8 +572,9 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int fd = ((mbedtls_net_context *) ctx)->fd;
- if( fd < 0 )
- return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+ ret = check_fd( fd, 0 );
+ if( ret != 0 )
+ return( ret );
ret = (int) read( fd, buf, len );
@@ -583,8 +612,9 @@
fd_set read_fds;
int fd = ((mbedtls_net_context *) ctx)->fd;
- if( fd < 0 )
- return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+ ret = check_fd( fd, 1 );
+ if( ret != 0 )
+ return( ret );
FD_ZERO( &read_fds );
FD_SET( fd, &read_fds );
@@ -624,8 +654,9 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int fd = ((mbedtls_net_context *) ctx)->fd;
- if( fd < 0 )
- return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
+ ret = check_fd( fd, 0 );
+ if( ret != 0 )
+ return( ret );
ret = (int) write( fd, buf, len );
diff --git a/lib/libmbedtls/mbedtls/library/nist_kw.c b/lib/libmbedtls/mbedtls/library/nist_kw.c
index 7201346..5054ca2 100644
--- a/lib/libmbedtls/mbedtls/library/nist_kw.c
+++ b/lib/libmbedtls/mbedtls/library/nist_kw.c
@@ -1,9 +1,9 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/*
* Implementation of NIST SP 800-38F key wrapping, supporting KW and KWP modes
* only
*
- * Copyright (C) 2018, Arm Limited (or its affiliates), All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -16,8 +16,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
/*
* Definition of Key Wrapping:
@@ -29,11 +27,7 @@
* the wrapping and unwrapping operation than the definition in NIST SP 800-38F.
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_NIST_KW_C)
@@ -195,8 +189,6 @@
uint64_t t = 0;
unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
- unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
- unsigned char *A = output;
*out_len = 0;
/*
@@ -272,6 +264,9 @@
}
else
{
+ unsigned char *R2 = output + KW_SEMIBLOCK_LENGTH;
+ unsigned char *A = output;
+
/*
* Do the wrapping function W, as defined in RFC 3394 section 2.2.1
*/
@@ -335,7 +330,7 @@
uint64_t t = 0;
unsigned char outbuff[KW_SEMIBLOCK_LENGTH * 2];
unsigned char inbuff[KW_SEMIBLOCK_LENGTH * 2];
- unsigned char *R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
+ unsigned char *R = NULL;
*out_len = 0;
if( semiblocks < MIN_SEMIBLOCKS_COUNT )
@@ -345,6 +340,7 @@
memcpy( A, input, KW_SEMIBLOCK_LENGTH );
memmove( output, input + KW_SEMIBLOCK_LENGTH, ( semiblocks - 1 ) * KW_SEMIBLOCK_LENGTH );
+ R = output + ( semiblocks - 2 ) * KW_SEMIBLOCK_LENGTH;
/* Calculate intermediate values */
for( t = s; t >= 1; t-- )
diff --git a/lib/libmbedtls/mbedtls/library/oid.c b/lib/libmbedtls/mbedtls/library/oid.c
index 6272f32..19c8ac2 100644
--- a/lib/libmbedtls/mbedtls/library/oid.c
+++ b/lib/libmbedtls/mbedtls/library/oid.c
@@ -1,10 +1,10 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file oid.c
*
* \brief Object Identifier (OID) database
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -17,15 +17,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_OID_C)
@@ -761,7 +755,7 @@
if( !( oid->p[i] & 0x80 ) )
{
/* Last byte */
- ret = mbedtls_snprintf( p, n, ".%d", value );
+ ret = mbedtls_snprintf( p, n, ".%u", value );
OID_SAFE_SNPRINTF;
value = 0;
}
diff --git a/lib/libmbedtls/mbedtls/library/padlock.c b/lib/libmbedtls/mbedtls/library/padlock.c
index d6c4e32..8373374 100644
--- a/lib/libmbedtls/mbedtls/library/padlock.c
+++ b/lib/libmbedtls/mbedtls/library/padlock.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* VIA PadLock support functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* This implementation is based on the VIA PadLock Programming Guide:
@@ -25,11 +23,7 @@
* programming_guide.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PADLOCK_C)
@@ -58,10 +52,10 @@
"cpuid \n\t"
"cmpl $0xC0000001, %%eax \n\t"
"movl $0, %%edx \n\t"
- "jb unsupported \n\t"
+ "jb 1f \n\t"
"movl $0xC0000001, %%eax \n\t"
"cpuid \n\t"
- "unsupported: \n\t"
+ "1: \n\t"
"movl %%edx, %1 \n\t"
"movl %2, %%ebx \n\t"
: "=m" (ebx), "=m" (edx)
diff --git a/lib/libmbedtls/mbedtls/library/pem.c b/lib/libmbedtls/mbedtls/library/pem.c
index 06cf8f0..fcfde94 100644
--- a/lib/libmbedtls/mbedtls/library/pem.c
+++ b/lib/libmbedtls/mbedtls/library/pem.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Privacy Enhanced Mail (PEM) decoding
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
@@ -349,7 +343,7 @@
ret = mbedtls_base64_decode( NULL, 0, &len, s1, s2 - s1 );
if( ret == MBEDTLS_ERR_BASE64_INVALID_CHARACTER )
- return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PEM_INVALID_DATA, ret ) );
if( ( buf = mbedtls_calloc( 1, len ) ) == NULL )
return( MBEDTLS_ERR_PEM_ALLOC_FAILED );
@@ -358,7 +352,7 @@
{
mbedtls_platform_zeroize( buf, len );
mbedtls_free( buf );
- return( MBEDTLS_ERR_PEM_INVALID_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PEM_INVALID_DATA, ret ) );
}
if( enc != 0 )
@@ -484,8 +478,12 @@
*p++ = '\0';
*olen = p - buf;
+ /* Clean any remaining data previously written to the buffer */
+ memset( buf + *olen, 0, buf_len - *olen );
+
mbedtls_free( encode_buf );
return( 0 );
}
#endif /* MBEDTLS_PEM_WRITE_C */
#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
+
diff --git a/lib/libmbedtls/mbedtls/library/pk.c b/lib/libmbedtls/mbedtls/library/pk.c
index 98ad7b8..05cc213 100644
--- a/lib/libmbedtls/mbedtls/library/pk.c
+++ b/lib/libmbedtls/mbedtls/library/pk.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Public Key abstraction layer
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PK_C)
#include "mbedtls/pk.h"
@@ -156,11 +150,12 @@
/*
* Initialise a PSA-wrapping context
*/
-int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key )
+int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
+ const psa_key_id_t key )
{
const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_handle_t *pk_ctx;
+ psa_key_id_t *pk_ctx;
psa_key_type_t type;
if( ctx == NULL || ctx->pk_info != NULL )
@@ -180,7 +175,7 @@
ctx->pk_info = info;
- pk_ctx = (psa_key_handle_t *) ctx->pk_ctx;
+ pk_ctx = (psa_key_id_t *) ctx->pk_ctx;
*pk_ctx = key;
return( 0 );
@@ -240,12 +235,15 @@
{
const mbedtls_md_info_t *md_info;
- if( *hash_len != 0 )
+ if( *hash_len != 0 && md_alg == MBEDTLS_MD_NONE )
return( 0 );
if( ( md_info = mbedtls_md_info_from_type( md_alg ) ) == NULL )
return( -1 );
+ if ( *hash_len != 0 && *hash_len != mbedtls_md_get_size( md_info ) )
+ return ( -1 );
+
*hash_len = mbedtls_md_get_size( md_info );
return( 0 );
}
@@ -593,16 +591,19 @@
* Currently only works for EC private keys.
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
- psa_key_handle_t *handle,
+ psa_key_id_t *key,
psa_algorithm_t hash_alg )
{
#if !defined(MBEDTLS_ECP_C)
+ ((void) pk);
+ ((void) key);
+ ((void) hash_alg);
return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
#else
const mbedtls_ecp_keypair *ec;
unsigned char d[MBEDTLS_ECP_MAX_BYTES];
size_t d_len;
- psa_ecc_curve_t curve_id;
+ psa_ecc_family_t curve_id;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
size_t bits;
@@ -627,14 +628,14 @@
psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA(hash_alg) );
/* import private key into PSA */
- if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, handle ) )
+ if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, key ) )
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
/* make PK context wrap the key slot */
mbedtls_pk_free( pk );
mbedtls_pk_init( pk );
- return( mbedtls_pk_setup_opaque( pk, *handle ) );
+ return( mbedtls_pk_setup_opaque( pk, *key ) );
#endif /* MBEDTLS_ECP_C */
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
diff --git a/lib/libmbedtls/mbedtls/library/pk_wrap.c b/lib/libmbedtls/mbedtls/library/pk_wrap.c
index 919a7ba..107e912 100644
--- a/lib/libmbedtls/mbedtls/library/pk_wrap.c
+++ b/lib/libmbedtls/mbedtls/library/pk_wrap.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Public Key abstraction layer: wrapper functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PK_C)
#include "mbedtls/pk_internal.h"
@@ -549,7 +543,7 @@
mbedtls_ecdsa_context *ctx = ctx_arg;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
- psa_key_handle_t key_handle = 0;
+ psa_key_id_t key_id = 0;
psa_status_t status;
mbedtls_pk_context key;
int key_len;
@@ -557,11 +551,12 @@
unsigned char buf[30 + 2 * MBEDTLS_ECP_MAX_BYTES];
unsigned char *p;
mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
- psa_algorithm_t psa_sig_md, psa_md;
+ psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
size_t curve_bits;
- psa_ecc_curve_t curve =
+ psa_ecc_family_t curve =
mbedtls_ecc_group_to_psa( ctx->grp.id, &curve_bits );
const size_t signature_part_size = ( ctx->grp.nbits + 7 ) / 8;
+ ((void) md_alg);
if( curve == 0 )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -575,18 +570,13 @@
if( key_len <= 0 )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
- psa_md = mbedtls_psa_translate_md( md_alg );
- if( psa_md == 0 )
- return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
- psa_sig_md = PSA_ALG_ECDSA( psa_md );
-
psa_set_key_type( &attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve ) );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
psa_set_key_algorithm( &attributes, psa_sig_md );
status = psa_import_key( &attributes,
buf + sizeof( buf ) - key_len, key_len,
- &key_handle );
+ &key_id );
if( status != PSA_SUCCESS )
{
ret = mbedtls_psa_err_translate_pk( status );
@@ -608,7 +598,7 @@
goto cleanup;
}
- if( psa_verify_hash( key_handle, psa_sig_md,
+ if( psa_verify_hash( key_id, psa_sig_md,
hash, hash_len,
buf, 2 * signature_part_size )
!= PSA_SUCCESS )
@@ -625,7 +615,7 @@
ret = 0;
cleanup:
- psa_destroy_key( key_handle );
+ psa_destroy_key( key_id );
return( ret );
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
@@ -880,7 +870,7 @@
static void *pk_opaque_alloc_wrap( void )
{
- void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) );
+ void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) );
/* no _init() function to call, an calloc() already zeroized */
@@ -889,13 +879,13 @@
static void pk_opaque_free_wrap( void *ctx )
{
- mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) );
+ mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) );
mbedtls_free( ctx );
}
static size_t pk_opaque_get_bitlen( const void *ctx )
{
- const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
+ const psa_key_id_t *key = (const psa_key_id_t *) ctx;
size_t bits;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -916,6 +906,8 @@
type == MBEDTLS_PK_ECDSA );
}
+#if defined(MBEDTLS_ECDSA_C)
+
/*
* Simultaneously convert and move raw MPI from the beginning of a buffer
* to an ASN.1 MPI at the end of the buffer.
@@ -998,12 +990,25 @@
return( 0 );
}
+#endif /* MBEDTLS_ECDSA_C */
+
static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
- const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
+#if !defined(MBEDTLS_ECDSA_C)
+ ((void) ctx);
+ ((void) md_alg);
+ ((void) hash);
+ ((void) hash_len);
+ ((void) sig);
+ ((void) sig_len);
+ ((void) f_rng);
+ ((void) p_rng);
+ return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
+#else /* !MBEDTLS_ECDSA_C */
+ const psa_key_id_t *key = (const psa_key_id_t *) ctx;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
size_t buf_len;
@@ -1033,6 +1038,7 @@
/* transcode it to ASN.1 sequence */
return( pk_ecdsa_sig_asn1_from_psa( sig, sig_len, buf_len ) );
+#endif /* !MBEDTLS_ECDSA_C */
}
const mbedtls_pk_info_t mbedtls_pk_opaque_info = {
diff --git a/lib/libmbedtls/mbedtls/library/pkcs11.c b/lib/libmbedtls/mbedtls/library/pkcs11.c
index 765d519..4deccf3 100644
--- a/lib/libmbedtls/mbedtls/library/pkcs11.c
+++ b/lib/libmbedtls/mbedtls/library/pkcs11.c
@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file pkcs11.c
*
@@ -6,7 +5,8 @@
*
* \author Adriaan de Jong <dejong@fox-it.com>
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,8 +19,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
#include "mbedtls/pkcs11.h"
diff --git a/lib/libmbedtls/mbedtls/library/pkcs12.c b/lib/libmbedtls/mbedtls/library/pkcs12.c
index 9305457..9823d96 100644
--- a/lib/libmbedtls/mbedtls/library/pkcs12.c
+++ b/lib/libmbedtls/mbedtls/library/pkcs12.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* PKCS#12 Personal Information Exchange Syntax
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The PKCS #12 Personal Information Exchange Syntax Standard v1.1
@@ -25,11 +23,7 @@
* ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1-1.asn
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PKCS12_C)
@@ -66,21 +60,21 @@
*
*/
if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
- return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
if( ( ret = mbedtls_asn1_get_tag( p, end, &salt->len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret ) );
salt->p = *p;
*p += salt->len;
if( ( ret = mbedtls_asn1_get_int( p, end, iterations ) ) != 0 )
- return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT, ret ) );
if( *p != end )
- return( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/pkcs5.c b/lib/libmbedtls/mbedtls/library/pkcs5.c
index 24b8778..2b014d9 100644
--- a/lib/libmbedtls/mbedtls/library/pkcs5.c
+++ b/lib/libmbedtls/mbedtls/library/pkcs5.c
@@ -1,4 +1,3 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file pkcs5.c
*
@@ -6,7 +5,8 @@
*
* \author Mathias Olsson <mathias@kompetensum.com>
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -19,8 +19,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* PKCS#5 includes PBKDF2 and more
@@ -29,11 +27,7 @@
* http://tools.ietf.org/html/rfc6070 (Test vectors)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PKCS5_C)
@@ -66,8 +60,8 @@
const unsigned char *end = params->p + params->len;
if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
/*
* PBKDF2-params ::= SEQUENCE {
* salt OCTET STRING,
@@ -79,13 +73,13 @@
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len,
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
salt->p = p;
p += salt->len;
if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
if( p == end )
return( 0 );
@@ -93,21 +87,21 @@
if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 )
{
if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
}
if( p == end )
return( 0 );
if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( p != end )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -140,12 +134,12 @@
* }
*/
if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid,
&kdf_alg_params ) ) != 0 )
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
// Only PBKDF2 supported at the moment
//
@@ -166,7 +160,7 @@
if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
&enc_scheme_params ) ) != 0 )
{
- return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PKCS5_INVALID_FORMAT, ret ) );
}
if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
@@ -227,7 +221,8 @@
unsigned int iteration_count,
uint32_t key_length, unsigned char *output )
{
- int ret, j;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ int j;
unsigned int i;
unsigned char md1[MBEDTLS_MD_MAX_SIZE];
unsigned char work[MBEDTLS_MD_MAX_SIZE];
@@ -251,16 +246,16 @@
// U1 ends up in work
//
if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
- return( ret );
+ goto cleanup;
if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
- return( ret );
+ goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
- return( ret );
+ goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
- return( ret );
+ goto cleanup;
memcpy( md1, work, md_size );
@@ -269,13 +264,13 @@
// U2 ends up in md1
//
if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
- return( ret );
+ goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
- return( ret );
+ goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
- return( ret );
+ goto cleanup;
// U1 xor U2
//
@@ -294,7 +289,12 @@
break;
}
- return( 0 );
+cleanup:
+ /* Zeroise buffers to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( work, MBEDTLS_MD_MAX_SIZE );
+ mbedtls_platform_zeroize( md1, MBEDTLS_MD_MAX_SIZE );
+
+ return( ret );
}
#if defined(MBEDTLS_SELF_TEST)
diff --git a/lib/libmbedtls/mbedtls/library/pkparse.c b/lib/libmbedtls/mbedtls/library/pkparse.c
index 09219bc..3222ca2 100644
--- a/lib/libmbedtls/mbedtls/library/pkparse.c
+++ b/lib/libmbedtls/mbedtls/library/pkparse.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Public Key layer for parsing key files and structures
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PK_PARSE_C)
@@ -192,8 +186,8 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if ( end - *p < 1 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
/* Tag may be either OID or SEQUENCE */
params->tag = **p;
@@ -203,21 +197,21 @@
#endif
)
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
}
if( ( ret = mbedtls_asn1_get_tag( p, end, ¶ms->len, params->tag ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
params->p = *p;
*p += params->len;
if( *p != end )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -253,7 +247,7 @@
/* SpecifiedECDomainVersion ::= INTEGER { 1, 2, 3 } */
if( ( ret = mbedtls_asn1_get_int( &p, end, &ver ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( ver < 1 || ver > 3 )
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT );
@@ -291,13 +285,13 @@
/* Prime-p ::= INTEGER -- Field of size p. */
if( ( ret = mbedtls_asn1_get_mpi( &p, end_field, &grp->P ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
grp->pbits = mbedtls_mpi_bitlen( &grp->P );
if( p != end_field )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/*
* Curve ::= SEQUENCE {
@@ -321,7 +315,7 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &grp->A, p, len ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
p += len;
@@ -329,7 +323,7 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end_curve, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 ||
( ret = mbedtls_mpi_read_binary( &grp->B, p, len ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
p += len;
@@ -339,14 +333,14 @@
p += len;
if( p != end_curve )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/*
* ECPoint ::= OCTET STRING
*/
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( ( ret = mbedtls_ecp_point_read_binary( grp, &grp->G,
( const unsigned char *) p, len ) ) != 0 )
@@ -372,7 +366,7 @@
* order INTEGER
*/
if( ( ret = mbedtls_asn1_get_mpi( &p, end, &grp->N ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
grp->nbits = mbedtls_mpi_bitlen( &grp->N );
@@ -534,15 +528,15 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
if( *p + len != end )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/* Import N */
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
if( ( ret = mbedtls_rsa_import_raw( rsa, *p, len, NULL, 0, NULL, 0,
NULL, 0, NULL, 0 ) ) != 0 )
@@ -552,7 +546,7 @@
/* Import E */
if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
if( ( ret = mbedtls_rsa_import_raw( rsa, NULL, 0, NULL, 0, NULL, 0,
NULL, 0, *p, len ) ) != 0 )
@@ -567,8 +561,8 @@
}
if( *p != end )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -590,7 +584,7 @@
memset( params, 0, sizeof(mbedtls_asn1_buf) );
if( ( ret = mbedtls_asn1_get_alg( p, end, &alg_oid, params ) ) != 0 )
- return( MBEDTLS_ERR_PK_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_ALG, ret ) );
if( mbedtls_oid_get_pk_alg( &alg_oid, pk_alg ) != 0 )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
@@ -630,7 +624,7 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
end = *p + len;
@@ -639,11 +633,11 @@
return( ret );
if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY, ret ) );
if( *p + len != end )
- return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
@@ -668,8 +662,8 @@
ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
if( ret == 0 && *p != end )
- ret = MBEDTLS_ERR_PK_INVALID_PUBKEY
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
if( ret != 0 )
mbedtls_pk_free( pk );
@@ -740,14 +734,14 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
end = p + len;
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
if( version != 0 )
@@ -837,8 +831,8 @@
if( p != end )
{
- ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
}
cleanup:
@@ -849,7 +843,7 @@
{
/* Wrap error code if it's coming from a lower level */
if( ( ret & 0xff80 ) == 0 )
- ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret;
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret );
else
ret = MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
@@ -889,24 +883,24 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
end = p + len;
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( version != 1 )
return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( ( ret = mbedtls_mpi_read_binary( &eck->d, p, len ) ) != 0 )
{
mbedtls_ecp_keypair_free( eck );
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
p += len;
@@ -930,7 +924,7 @@
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
{
mbedtls_ecp_keypair_free( eck );
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
}
@@ -946,11 +940,11 @@
end2 = p + len;
if( ( ret = mbedtls_asn1_get_bitstring_null( &p, end2, &len ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( p + len != end2 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
if( ( ret = pk_get_ecpubkey( &p, end2, eck ) ) == 0 )
pubkey_done = 1;
@@ -967,7 +961,7 @@
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
{
mbedtls_ecp_keypair_free( eck );
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
}
@@ -976,7 +970,7 @@
NULL, NULL ) ) != 0 )
{
mbedtls_ecp_keypair_free( eck );
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
if( ( ret = mbedtls_ecp_check_privkey( &eck->grp, &eck->d ) ) != 0 )
@@ -1034,26 +1028,28 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
end = p + len;
if( ( ret = mbedtls_asn1_get_int( &p, end, &version ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( version != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_VERSION + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_VERSION, ret ) );
if( ( ret = pk_get_pk_alg( &p, end, &pk_alg, ¶ms ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ {
+ return( ret );
+ }
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( len < 1 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
@@ -1136,16 +1132,16 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
}
end = p + len;
if( ( ret = mbedtls_asn1_get_alg( &p, end, &pbe_alg_oid, &pbe_params ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret ) );
buf = p;
@@ -1524,7 +1520,8 @@
return( ret );
}
mbedtls_pk_free( ctx );
- if( ret != ( MBEDTLS_ERR_PK_INVALID_PUBKEY + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
+ if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_PK_INVALID_PUBKEY,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) )
{
return( ret );
}
diff --git a/lib/libmbedtls/mbedtls/library/pkwrite.c b/lib/libmbedtls/mbedtls/library/pkwrite.c
index 854d22e..566153d 100644
--- a/lib/libmbedtls/mbedtls/library/pkwrite.c
+++ b/lib/libmbedtls/mbedtls/library/pkwrite.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Public Key layer for writing key files and structures
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PK_WRITE_C)
@@ -168,7 +162,7 @@
size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
- ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
+ ret = mbedtls_ecp_write_key( ec, tmp, byte_length );
if( ret != 0 )
goto exit;
ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
@@ -204,13 +198,13 @@
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
{
size_t buffer_size;
- psa_key_handle_t* key_slot = (psa_key_handle_t*) key->pk_ctx;
+ psa_key_id_t* key_id = (psa_key_id_t*) key->pk_ctx;
if ( *p < start )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
buffer_size = (size_t)( *p - start );
- if ( psa_export_public_key( *key_slot, start, buffer_size, &len )
+ if ( psa_export_public_key( *key_id, start, buffer_size, &len )
!= PSA_SUCCESS )
{
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -271,18 +265,18 @@
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
- psa_key_handle_t handle;
- psa_ecc_curve_t curve;
+ psa_key_id_t key_id;
+ psa_ecc_family_t curve;
size_t bits;
- handle = *((psa_key_handle_t*) key->pk_ctx );
- if( PSA_SUCCESS != psa_get_key_attributes( handle, &attributes ) )
+ key_id = *((psa_key_id_t*) key->pk_ctx );
+ if( PSA_SUCCESS != psa_get_key_attributes( key_id, &attributes ) )
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
key_type = psa_get_key_type( &attributes );
bits = psa_get_key_bits( &attributes );
psa_reset_key_attributes( &attributes );
- curve = PSA_KEY_TYPE_GET_CURVE( key_type );
+ curve = PSA_KEY_TYPE_ECC_GET_FAMILY( key_type );
if( curve == 0 )
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
@@ -493,7 +487,7 @@
* publicExponent INTEGER -- e 1 + 3 + MPI_MAX + 1
* }
*/
-#define RSA_PUB_DER_MAX_BYTES 38 + 2 * MBEDTLS_MPI_MAX_SIZE
+#define RSA_PUB_DER_MAX_BYTES ( 38 + 2 * MBEDTLS_MPI_MAX_SIZE )
/*
* RSA private keys:
@@ -510,10 +504,10 @@
* otherPrimeInfos OtherPrimeInfos OPTIONAL 0 (not supported)
* }
*/
-#define MPI_MAX_SIZE_2 MBEDTLS_MPI_MAX_SIZE / 2 + \
- MBEDTLS_MPI_MAX_SIZE % 2
-#define RSA_PRV_DER_MAX_BYTES 47 + 3 * MBEDTLS_MPI_MAX_SIZE \
- + 5 * MPI_MAX_SIZE_2
+#define MPI_MAX_SIZE_2 ( MBEDTLS_MPI_MAX_SIZE / 2 + \
+ MBEDTLS_MPI_MAX_SIZE % 2 )
+#define RSA_PRV_DER_MAX_BYTES ( 47 + 3 * MBEDTLS_MPI_MAX_SIZE \
+ + 5 * MPI_MAX_SIZE_2 )
#else /* MBEDTLS_RSA_C */
@@ -534,7 +528,7 @@
* + 2 * ECP_MAX (coords) [1]
* }
*/
-#define ECP_PUB_DER_MAX_BYTES 30 + 2 * MBEDTLS_ECP_MAX_BYTES
+#define ECP_PUB_DER_MAX_BYTES ( 30 + 2 * MBEDTLS_ECP_MAX_BYTES )
/*
* EC private keys:
@@ -545,7 +539,7 @@
* publicKey [1] BIT STRING OPTIONAL 1 + 2 + [1] above
* }
*/
-#define ECP_PRV_DER_MAX_BYTES 29 + 3 * MBEDTLS_ECP_MAX_BYTES
+#define ECP_PRV_DER_MAX_BYTES ( 29 + 3 * MBEDTLS_ECP_MAX_BYTES )
#else /* MBEDTLS_ECP_C */
@@ -554,10 +548,10 @@
#endif /* MBEDTLS_ECP_C */
-#define PUB_DER_MAX_BYTES RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
- RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES
-#define PRV_DER_MAX_BYTES RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
- RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES
+#define PUB_DER_MAX_BYTES ( RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
+ RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES )
+#define PRV_DER_MAX_BYTES ( RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? \
+ RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES )
int mbedtls_pk_write_pubkey_pem( mbedtls_pk_context *key, unsigned char *buf, size_t size )
{
diff --git a/lib/libmbedtls/mbedtls/library/platform.c b/lib/libmbedtls/mbedtls/library/platform.c
index ffd9890..e742fde 100644
--- a/lib/libmbedtls/mbedtls/library/platform.c
+++ b/lib/libmbedtls/mbedtls/library/platform.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Platform abstraction layer
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_PLATFORM_C)
diff --git a/lib/libmbedtls/mbedtls/library/platform_util.c b/lib/libmbedtls/mbedtls/library/platform_util.c
index 0fe2f55..98fe5de 100644
--- a/lib/libmbedtls/mbedtls/library/platform_util.c
+++ b/lib/libmbedtls/mbedtls/library/platform_util.c
@@ -1,9 +1,9 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/*
* Common and shared functions used by multiple modules in the Mbed TLS
* library.
*
- * Copyright (C) 2018, Arm Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -16,8 +16,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of Mbed TLS (https://tls.mbed.org)
*/
/*
@@ -28,11 +26,7 @@
#define _POSIX_C_SOURCE 200112L
#endif
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
@@ -90,7 +84,7 @@
#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) )
/*
* This is a convenience shorthand macro to avoid checking the long
* preprocessor conditions above. Ideally, we could expose this macro in
@@ -104,7 +98,7 @@
#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
struct tm *tm_buf )
diff --git a/lib/libmbedtls/mbedtls/library/poly1305.c b/lib/libmbedtls/mbedtls/library/poly1305.c
index 5ac21cc..492d145 100644
--- a/lib/libmbedtls/mbedtls/library/poly1305.c
+++ b/lib/libmbedtls/mbedtls/library/poly1305.c
@@ -1,10 +1,10 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/**
* \file poly1305.c
*
* \brief Poly1305 authentication algorithm.
*
- * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -17,14 +17,8 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_POLY1305_C)
@@ -513,6 +507,9 @@
}
};
+/* Make sure no other definition is already present. */
+#undef ASSERT
+
#define ASSERT( cond, args ) \
do \
{ \
diff --git a/lib/libmbedtls/mbedtls/library/ripemd160.c b/lib/libmbedtls/mbedtls/library/ripemd160.c
index 6f644ef..ae4dee4 100644
--- a/lib/libmbedtls/mbedtls/library/ripemd160.c
+++ b/lib/libmbedtls/mbedtls/library/ripemd160.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* RIPE MD-160 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -25,11 +23,7 @@
* http://ehash.iaik.tugraz.at/wiki/RIPEMD-160
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_RIPEMD160_C)
@@ -123,30 +117,33 @@
int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
const unsigned char data[64] )
{
- uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+ struct
+ {
+ uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
+ } local;
- GET_UINT32_LE( X[ 0], data, 0 );
- GET_UINT32_LE( X[ 1], data, 4 );
- GET_UINT32_LE( X[ 2], data, 8 );
- GET_UINT32_LE( X[ 3], data, 12 );
- GET_UINT32_LE( X[ 4], data, 16 );
- GET_UINT32_LE( X[ 5], data, 20 );
- GET_UINT32_LE( X[ 6], data, 24 );
- GET_UINT32_LE( X[ 7], data, 28 );
- GET_UINT32_LE( X[ 8], data, 32 );
- GET_UINT32_LE( X[ 9], data, 36 );
- GET_UINT32_LE( X[10], data, 40 );
- GET_UINT32_LE( X[11], data, 44 );
- GET_UINT32_LE( X[12], data, 48 );
- GET_UINT32_LE( X[13], data, 52 );
- GET_UINT32_LE( X[14], data, 56 );
- GET_UINT32_LE( X[15], data, 60 );
+ GET_UINT32_LE( local.X[ 0], data, 0 );
+ GET_UINT32_LE( local.X[ 1], data, 4 );
+ GET_UINT32_LE( local.X[ 2], data, 8 );
+ GET_UINT32_LE( local.X[ 3], data, 12 );
+ GET_UINT32_LE( local.X[ 4], data, 16 );
+ GET_UINT32_LE( local.X[ 5], data, 20 );
+ GET_UINT32_LE( local.X[ 6], data, 24 );
+ GET_UINT32_LE( local.X[ 7], data, 28 );
+ GET_UINT32_LE( local.X[ 8], data, 32 );
+ GET_UINT32_LE( local.X[ 9], data, 36 );
+ GET_UINT32_LE( local.X[10], data, 40 );
+ GET_UINT32_LE( local.X[11], data, 44 );
+ GET_UINT32_LE( local.X[12], data, 48 );
+ GET_UINT32_LE( local.X[13], data, 52 );
+ GET_UINT32_LE( local.X[14], data, 56 );
+ GET_UINT32_LE( local.X[15], data, 60 );
- A = Ap = ctx->state[0];
- B = Bp = ctx->state[1];
- C = Cp = ctx->state[2];
- D = Dp = ctx->state[3];
- E = Ep = ctx->state[4];
+ local.A = local.Ap = ctx->state[0];
+ local.B = local.Bp = ctx->state[1];
+ local.C = local.Cp = ctx->state[2];
+ local.D = local.Dp = ctx->state[3];
+ local.E = local.Ep = ctx->state[4];
#define F1( x, y, z ) ( (x) ^ (y) ^ (z) )
#define F2( x, y, z ) ( ( (x) & (y) ) | ( ~(x) & (z) ) )
@@ -156,12 +153,12 @@
#define S( x, n ) ( ( (x) << (n) ) | ( (x) >> (32 - (n)) ) )
-#define P( a, b, c, d, e, r, s, f, k ) \
- do \
- { \
- (a) += f( (b), (c), (d) ) + X[r] + (k); \
- (a) = S( (a), (s) ) + (e); \
- (c) = S( (c), 10 ); \
+#define P( a, b, c, d, e, r, s, f, k ) \
+ do \
+ { \
+ (a) += f( (b), (c), (d) ) + local.X[r] + (k); \
+ (a) = S( (a), (s) ) + (e); \
+ (c) = S( (c), 10 ); \
} while( 0 )
#define P2( a, b, c, d, e, r, s, rp, sp ) \
@@ -176,22 +173,22 @@
#define K 0x00000000
#define Fp F5
#define Kp 0x50A28BE6
- P2( A, B, C, D, E, 0, 11, 5, 8 );
- P2( E, A, B, C, D, 1, 14, 14, 9 );
- P2( D, E, A, B, C, 2, 15, 7, 9 );
- P2( C, D, E, A, B, 3, 12, 0, 11 );
- P2( B, C, D, E, A, 4, 5, 9, 13 );
- P2( A, B, C, D, E, 5, 8, 2, 15 );
- P2( E, A, B, C, D, 6, 7, 11, 15 );
- P2( D, E, A, B, C, 7, 9, 4, 5 );
- P2( C, D, E, A, B, 8, 11, 13, 7 );
- P2( B, C, D, E, A, 9, 13, 6, 7 );
- P2( A, B, C, D, E, 10, 14, 15, 8 );
- P2( E, A, B, C, D, 11, 15, 8, 11 );
- P2( D, E, A, B, C, 12, 6, 1, 14 );
- P2( C, D, E, A, B, 13, 7, 10, 14 );
- P2( B, C, D, E, A, 14, 9, 3, 12 );
- P2( A, B, C, D, E, 15, 8, 12, 6 );
+ P2( local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8 );
+ P2( local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9 );
+ P2( local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9 );
+ P2( local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11 );
+ P2( local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13 );
+ P2( local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15 );
+ P2( local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15 );
+ P2( local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5 );
+ P2( local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7 );
+ P2( local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7 );
+ P2( local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8 );
+ P2( local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11 );
+ P2( local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14 );
+ P2( local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14 );
+ P2( local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12 );
+ P2( local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6 );
#undef F
#undef K
#undef Fp
@@ -201,22 +198,22 @@
#define K 0x5A827999
#define Fp F4
#define Kp 0x5C4DD124
- P2( E, A, B, C, D, 7, 7, 6, 9 );
- P2( D, E, A, B, C, 4, 6, 11, 13 );
- P2( C, D, E, A, B, 13, 8, 3, 15 );
- P2( B, C, D, E, A, 1, 13, 7, 7 );
- P2( A, B, C, D, E, 10, 11, 0, 12 );
- P2( E, A, B, C, D, 6, 9, 13, 8 );
- P2( D, E, A, B, C, 15, 7, 5, 9 );
- P2( C, D, E, A, B, 3, 15, 10, 11 );
- P2( B, C, D, E, A, 12, 7, 14, 7 );
- P2( A, B, C, D, E, 0, 12, 15, 7 );
- P2( E, A, B, C, D, 9, 15, 8, 12 );
- P2( D, E, A, B, C, 5, 9, 12, 7 );
- P2( C, D, E, A, B, 2, 11, 4, 6 );
- P2( B, C, D, E, A, 14, 7, 9, 15 );
- P2( A, B, C, D, E, 11, 13, 1, 13 );
- P2( E, A, B, C, D, 8, 12, 2, 11 );
+ P2( local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9 );
+ P2( local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13 );
+ P2( local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15 );
+ P2( local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7 );
+ P2( local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12 );
+ P2( local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8 );
+ P2( local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9 );
+ P2( local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11 );
+ P2( local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7 );
+ P2( local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7 );
+ P2( local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12 );
+ P2( local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7 );
+ P2( local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6 );
+ P2( local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15 );
+ P2( local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13 );
+ P2( local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11 );
#undef F
#undef K
#undef Fp
@@ -226,22 +223,22 @@
#define K 0x6ED9EBA1
#define Fp F3
#define Kp 0x6D703EF3
- P2( D, E, A, B, C, 3, 11, 15, 9 );
- P2( C, D, E, A, B, 10, 13, 5, 7 );
- P2( B, C, D, E, A, 14, 6, 1, 15 );
- P2( A, B, C, D, E, 4, 7, 3, 11 );
- P2( E, A, B, C, D, 9, 14, 7, 8 );
- P2( D, E, A, B, C, 15, 9, 14, 6 );
- P2( C, D, E, A, B, 8, 13, 6, 6 );
- P2( B, C, D, E, A, 1, 15, 9, 14 );
- P2( A, B, C, D, E, 2, 14, 11, 12 );
- P2( E, A, B, C, D, 7, 8, 8, 13 );
- P2( D, E, A, B, C, 0, 13, 12, 5 );
- P2( C, D, E, A, B, 6, 6, 2, 14 );
- P2( B, C, D, E, A, 13, 5, 10, 13 );
- P2( A, B, C, D, E, 11, 12, 0, 13 );
- P2( E, A, B, C, D, 5, 7, 4, 7 );
- P2( D, E, A, B, C, 12, 5, 13, 5 );
+ P2( local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9 );
+ P2( local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7 );
+ P2( local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15 );
+ P2( local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11 );
+ P2( local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8 );
+ P2( local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6 );
+ P2( local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6 );
+ P2( local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14 );
+ P2( local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12 );
+ P2( local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13 );
+ P2( local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5 );
+ P2( local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14 );
+ P2( local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13 );
+ P2( local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13 );
+ P2( local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7 );
+ P2( local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5 );
#undef F
#undef K
#undef Fp
@@ -251,22 +248,22 @@
#define K 0x8F1BBCDC
#define Fp F2
#define Kp 0x7A6D76E9
- P2( C, D, E, A, B, 1, 11, 8, 15 );
- P2( B, C, D, E, A, 9, 12, 6, 5 );
- P2( A, B, C, D, E, 11, 14, 4, 8 );
- P2( E, A, B, C, D, 10, 15, 1, 11 );
- P2( D, E, A, B, C, 0, 14, 3, 14 );
- P2( C, D, E, A, B, 8, 15, 11, 14 );
- P2( B, C, D, E, A, 12, 9, 15, 6 );
- P2( A, B, C, D, E, 4, 8, 0, 14 );
- P2( E, A, B, C, D, 13, 9, 5, 6 );
- P2( D, E, A, B, C, 3, 14, 12, 9 );
- P2( C, D, E, A, B, 7, 5, 2, 12 );
- P2( B, C, D, E, A, 15, 6, 13, 9 );
- P2( A, B, C, D, E, 14, 8, 9, 12 );
- P2( E, A, B, C, D, 5, 6, 7, 5 );
- P2( D, E, A, B, C, 6, 5, 10, 15 );
- P2( C, D, E, A, B, 2, 12, 14, 8 );
+ P2( local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15 );
+ P2( local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5 );
+ P2( local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8 );
+ P2( local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11 );
+ P2( local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14 );
+ P2( local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14 );
+ P2( local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6 );
+ P2( local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14 );
+ P2( local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6 );
+ P2( local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9 );
+ P2( local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12 );
+ P2( local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9 );
+ P2( local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12 );
+ P2( local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5 );
+ P2( local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15 );
+ P2( local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8 );
#undef F
#undef K
#undef Fp
@@ -276,33 +273,36 @@
#define K 0xA953FD4E
#define Fp F1
#define Kp 0x00000000
- P2( B, C, D, E, A, 4, 9, 12, 8 );
- P2( A, B, C, D, E, 0, 15, 15, 5 );
- P2( E, A, B, C, D, 5, 5, 10, 12 );
- P2( D, E, A, B, C, 9, 11, 4, 9 );
- P2( C, D, E, A, B, 7, 6, 1, 12 );
- P2( B, C, D, E, A, 12, 8, 5, 5 );
- P2( A, B, C, D, E, 2, 13, 8, 14 );
- P2( E, A, B, C, D, 10, 12, 7, 6 );
- P2( D, E, A, B, C, 14, 5, 6, 8 );
- P2( C, D, E, A, B, 1, 12, 2, 13 );
- P2( B, C, D, E, A, 3, 13, 13, 6 );
- P2( A, B, C, D, E, 8, 14, 14, 5 );
- P2( E, A, B, C, D, 11, 11, 0, 15 );
- P2( D, E, A, B, C, 6, 8, 3, 13 );
- P2( C, D, E, A, B, 15, 5, 9, 11 );
- P2( B, C, D, E, A, 13, 6, 11, 11 );
+ P2( local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8 );
+ P2( local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5 );
+ P2( local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12 );
+ P2( local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9 );
+ P2( local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12 );
+ P2( local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5 );
+ P2( local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14 );
+ P2( local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6 );
+ P2( local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8 );
+ P2( local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13 );
+ P2( local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6 );
+ P2( local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5 );
+ P2( local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15 );
+ P2( local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13 );
+ P2( local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11 );
+ P2( local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11 );
#undef F
#undef K
#undef Fp
#undef Kp
- C = ctx->state[1] + C + Dp;
- ctx->state[1] = ctx->state[2] + D + Ep;
- ctx->state[2] = ctx->state[3] + E + Ap;
- ctx->state[3] = ctx->state[4] + A + Bp;
- ctx->state[4] = ctx->state[0] + B + Cp;
- ctx->state[0] = C;
+ local.C = ctx->state[1] + local.C + local.Dp;
+ ctx->state[1] = ctx->state[2] + local.D + local.Ep;
+ ctx->state[2] = ctx->state[3] + local.E + local.Ap;
+ ctx->state[3] = ctx->state[4] + local.A + local.Bp;
+ ctx->state[4] = ctx->state[0] + local.B + local.Cp;
+ ctx->state[0] = local.C;
+
+ /* Zeroise variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/rsa.c b/lib/libmbedtls/mbedtls/library/rsa.c
index b6bc225..f438b2a 100644
--- a/lib/libmbedtls/mbedtls/library/rsa.c
+++ b/lib/libmbedtls/mbedtls/library/rsa.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* The RSA public-key cryptosystem
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -37,11 +35,7 @@
*
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_RSA_C)
@@ -57,7 +51,7 @@
#include "mbedtls/md.h"
#endif
-#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__)
+#if defined(MBEDTLS_PKCS1_V15) && !defined(__OpenBSD__) && !defined(__NetBSD__)
#include <stdlib.h>
#endif
@@ -108,7 +102,7 @@
( D != NULL && ( ret = mbedtls_mpi_copy( &ctx->D, D ) ) != 0 ) ||
( E != NULL && ( ret = mbedtls_mpi_copy( &ctx->E, E ) ) != 0 ) )
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
if( N != NULL )
@@ -148,7 +142,7 @@
cleanup:
if( ret != 0 )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
return( 0 );
}
@@ -299,7 +293,7 @@
if( ( ret = mbedtls_mpi_mul_mpi( &ctx->N, &ctx->P,
&ctx->Q ) ) != 0 )
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
ctx->len = mbedtls_mpi_size( &ctx->N );
@@ -314,7 +308,7 @@
ret = mbedtls_rsa_deduce_primes( &ctx->N, &ctx->E, &ctx->D,
&ctx->P, &ctx->Q );
if( ret != 0 )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
else if( d_missing )
@@ -324,7 +318,7 @@
&ctx->E,
&ctx->D ) ) != 0 )
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
}
@@ -339,7 +333,7 @@
ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
&ctx->DP, &ctx->DQ, &ctx->QP );
if( ret != 0 )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
#endif /* MBEDTLS_RSA_NO_CRT */
@@ -467,13 +461,13 @@
( DQ != NULL && ( ret = mbedtls_mpi_copy( DQ, &ctx->DQ ) ) != 0 ) ||
( QP != NULL && ( ret = mbedtls_mpi_copy( QP, &ctx->QP ) ) != 0 ) )
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
#else
if( ( ret = mbedtls_rsa_deduce_crt( &ctx->P, &ctx->Q, &ctx->D,
DP, DQ, QP ) ) != 0 )
{
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, ret ) );
}
#endif
@@ -496,6 +490,9 @@
mbedtls_rsa_set_padding( ctx, padding, hash_id );
#if defined(MBEDTLS_THREADING_C)
+ /* Set ctx->ver to nonzero to indicate that the mutex has been
+ * initialized and will need to be freed. */
+ ctx->ver = 1;
mbedtls_mutex_init( &ctx->mutex );
#endif
}
@@ -543,9 +540,6 @@
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( f_rng != NULL );
- if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
- return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
-
/*
* If the modulus is 1024 bit long or shorter, then the security strength of
* the RSA algorithm is less than or equal to 80 bits and therefore an error
@@ -558,6 +552,12 @@
mbedtls_mpi_init( &G );
mbedtls_mpi_init( &L );
+ if( nbits < 128 || exponent < 3 || nbits % 2 != 0 )
+ {
+ ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
+ goto cleanup;
+ }
+
/*
* find primes P and Q with Q < P so that:
* 1. |P-Q| > 2^( nbits / 2 - 100 )
@@ -635,7 +635,10 @@
if( ret != 0 )
{
mbedtls_rsa_free( ctx );
- return( MBEDTLS_ERR_RSA_KEY_GEN_FAILED + ret );
+
+ if( ( -ret & ~0x7f ) == 0 )
+ ret = MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_KEY_GEN_FAILED, ret );
+ return( ret );
}
return( 0 );
@@ -767,7 +770,7 @@
mbedtls_mpi_free( &T );
if( ret != 0 )
- return( MBEDTLS_ERR_RSA_PUBLIC_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PUBLIC_FAILED, ret ) );
return( 0 );
}
@@ -782,6 +785,9 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
{
int ret, count = 0;
+ mbedtls_mpi R;
+
+ mbedtls_mpi_init( &R );
if( ctx->Vf.p != NULL )
{
@@ -797,18 +803,40 @@
/* Unblinding value: Vf = random number, invertible mod N */
do {
if( count++ > 10 )
- return( MBEDTLS_ERR_RSA_RNG_FAILED );
+ {
+ ret = MBEDTLS_ERR_RSA_RNG_FAILED;
+ goto cleanup;
+ }
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &ctx->Vf, ctx->len - 1, f_rng, p_rng ) );
- MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( &ctx->Vi, &ctx->Vf, &ctx->N ) );
- } while( mbedtls_mpi_cmp_int( &ctx->Vi, 1 ) != 0 );
- /* Blinding value: Vi = Vf^(-e) mod N */
- MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vf, &ctx->N ) );
+ /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, ctx->len - 1, f_rng, p_rng ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vf, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+ /* At this point, Vi is invertible mod N if and only if both Vf and R
+ * are invertible mod N. If one of them isn't, we don't need to know
+ * which one, we just loop and choose new values for both of them.
+ * (Each iteration succeeds with overwhelming probability.) */
+ ret = mbedtls_mpi_inv_mod( &ctx->Vi, &ctx->Vi, &ctx->N );
+ if( ret != 0 && ret != MBEDTLS_ERR_MPI_NOT_ACCEPTABLE )
+ goto cleanup;
+
+ } while( ret == MBEDTLS_ERR_MPI_NOT_ACCEPTABLE );
+
+ /* Finish the computation of Vf^-1 = R * (R Vf)^-1 */
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &ctx->Vi, &ctx->Vi, &R ) );
+ MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &ctx->Vi, &ctx->Vi, &ctx->N ) );
+
+ /* Blinding value: Vi = Vf^(-e) mod N
+ * (Vi already contains Vf^-1 at this point) */
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &ctx->Vi, &ctx->Vi, &ctx->E, &ctx->N, &ctx->RN ) );
cleanup:
+ mbedtls_mpi_free( &R );
+
return( ret );
}
@@ -1057,10 +1085,10 @@
mbedtls_mpi_free( &C );
mbedtls_mpi_free( &I );
- if( ret != 0 )
- return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret );
+ if( ret != 0 && ret >= -0x007f )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_PRIVATE_FAILED, ret ) );
- return( 0 );
+ return( ret );
}
#if defined(MBEDTLS_PKCS1_V21)
@@ -1171,7 +1199,7 @@
/* Generate a random octet string seed */
if( ( ret = f_rng( p_rng, p, hlen ) ) != 0 )
- return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
p += hlen;
@@ -1260,7 +1288,7 @@
/* Check if RNG failed to generate data */
if( rng_dl == 0 || ret != 0 )
- return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
p++;
}
@@ -1773,21 +1801,19 @@
}
#if defined(MBEDTLS_PKCS1_V21)
-/*
- * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
- */
-int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
+ int saltlen,
unsigned char *sig )
{
size_t olen;
unsigned char *p = sig;
- unsigned char salt[MBEDTLS_MD_MAX_SIZE];
+ unsigned char *salt = NULL;
size_t slen, min_slen, hlen, offset = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t msb;
@@ -1825,31 +1851,44 @@
hlen = mbedtls_md_get_size( md_info );
- /* Calculate the largest possible salt length. Normally this is the hash
- * length, which is the maximum length the salt can have. If there is not
- * enough room, use the maximum salt length that fits. The constraint is
- * that the hash length plus the salt length plus 2 bytes must be at most
- * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
- * (PKCS#1 v2.2) §9.1.1 step 3. */
- min_slen = hlen - 2;
- if( olen < hlen + min_slen + 2 )
+ if (saltlen == MBEDTLS_RSA_SALT_LEN_ANY)
+ {
+ /* Calculate the largest possible salt length, up to the hash size.
+ * Normally this is the hash length, which is the maximum salt length
+ * according to FIPS 185-4 §5.5 (e) and common practice. If there is not
+ * enough room, use the maximum salt length that fits. The constraint is
+ * that the hash length plus the salt length plus 2 bytes must be at most
+ * the key length. This complies with FIPS 186-4 §5.5 (e) and RFC 8017
+ * (PKCS#1 v2.2) §9.1.1 step 3. */
+ min_slen = hlen - 2;
+ if( olen < hlen + min_slen + 2 )
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
+ else if( olen >= hlen + hlen + 2 )
+ slen = hlen;
+ else
+ slen = olen - hlen - 2;
+ }
+ else if ( (saltlen < 0) || (saltlen + hlen + 2 > olen) )
+ {
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
- else if( olen >= hlen + hlen + 2 )
- slen = hlen;
+ }
else
- slen = olen - hlen - 2;
+ {
+ slen = (size_t) saltlen;
+ }
memset( sig, 0, olen );
- /* Generate salt of length slen */
- if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
- return( MBEDTLS_ERR_RSA_RNG_FAILED + ret );
-
/* Note: EMSA-PSS encoding is over the length of N - 1 bits */
msb = mbedtls_mpi_bitlen( &ctx->N ) - 1;
p += olen - hlen - slen - 2;
*p++ = 0x01;
- memcpy( p, salt, slen );
+
+ /* Generate salt of length slen in place in the encoded message */
+ salt = p;
+ if( ( ret = f_rng( p_rng, salt, slen ) ) != 0 )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) );
+
p += slen;
mbedtls_md_init( &md_ctx );
@@ -1883,8 +1922,6 @@
p += hlen;
*p++ = 0xBC;
- mbedtls_platform_zeroize( salt, sizeof( salt ) );
-
exit:
mbedtls_md_free( &md_ctx );
@@ -1900,6 +1937,40 @@
? mbedtls_rsa_public( ctx, sig, sig )
: mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) );
}
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
+ * the option to pass in the salt length.
+ */
+int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ int saltlen,
+ unsigned char *sig )
+{
+ return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg,
+ hashlen, hash, saltlen, sig );
+}
+
+
+/*
+ * Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
+ */
+int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ int mode,
+ mbedtls_md_type_t md_alg,
+ unsigned int hashlen,
+ const unsigned char *hash,
+ unsigned char *sig )
+{
+ return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg,
+ hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig );
+}
#endif /* MBEDTLS_PKCS1_V21 */
#if defined(MBEDTLS_PKCS1_V15)
@@ -2472,7 +2543,6 @@
RSA_VALIDATE_RET( dst != NULL );
RSA_VALIDATE_RET( src != NULL );
- dst->ver = src->ver;
dst->len = src->len;
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &dst->N, &src->N ) );
@@ -2531,7 +2601,12 @@
#endif /* MBEDTLS_RSA_NO_CRT */
#if defined(MBEDTLS_THREADING_C)
- mbedtls_mutex_free( &ctx->mutex );
+ /* Free the mutex, but only if it hasn't been freed already. */
+ if( ctx->ver != 0 )
+ {
+ mbedtls_mutex_free( &ctx->mutex );
+ ctx->ver = 0;
+ }
#endif
}
@@ -2583,7 +2658,7 @@
#if defined(MBEDTLS_PKCS1_V15)
static int myrand( void *rng_state, unsigned char *output, size_t len )
{
-#if !defined(__OpenBSD__)
+#if !defined(__OpenBSD__) && !defined(__NetBSD__)
size_t i;
if( rng_state != NULL )
@@ -2596,7 +2671,7 @@
rng_state = NULL;
arc4random_buf( output, len );
-#endif /* !OpenBSD */
+#endif /* !OpenBSD && !NetBSD */
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/rsa_internal.c b/lib/libmbedtls/mbedtls/library/rsa_internal.c
index d0e2168..d6ba97a 100644
--- a/lib/libmbedtls/mbedtls/library/rsa_internal.c
+++ b/lib/libmbedtls/mbedtls/library/rsa_internal.c
@@ -1,8 +1,8 @@
-/* SPDX-License-Identifier: Apache-2.0 */
/*
* Helper functions for the RSA module
*
- * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -16,15 +16,9 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*
- * This file is part of mbed TLS (https://tls.mbed.org)
- *
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_RSA_C)
diff --git a/lib/libmbedtls/mbedtls/library/sha1.c b/lib/libmbedtls/mbedtls/library/sha1.c
index 4aeafaf..6b0f58e 100644
--- a/lib/libmbedtls/mbedtls/library/sha1.c
+++ b/lib/libmbedtls/mbedtls/library/sha1.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* FIPS-180-1 compliant SHA-1 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SHA-1 standard was published by NIST in 1993.
@@ -24,11 +22,7 @@
* http://www.itl.nist.gov/fipspubs/fip180-1.htm
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SHA1_C)
@@ -131,35 +125,40 @@
int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
const unsigned char data[64] )
{
- uint32_t temp, W[16], A, B, C, D, E;
+ struct
+ {
+ uint32_t temp, W[16], A, B, C, D, E;
+ } local;
SHA1_VALIDATE_RET( ctx != NULL );
SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
- GET_UINT32_BE( W[ 0], data, 0 );
- GET_UINT32_BE( W[ 1], data, 4 );
- GET_UINT32_BE( W[ 2], data, 8 );
- GET_UINT32_BE( W[ 3], data, 12 );
- GET_UINT32_BE( W[ 4], data, 16 );
- GET_UINT32_BE( W[ 5], data, 20 );
- GET_UINT32_BE( W[ 6], data, 24 );
- GET_UINT32_BE( W[ 7], data, 28 );
- GET_UINT32_BE( W[ 8], data, 32 );
- GET_UINT32_BE( W[ 9], data, 36 );
- GET_UINT32_BE( W[10], data, 40 );
- GET_UINT32_BE( W[11], data, 44 );
- GET_UINT32_BE( W[12], data, 48 );
- GET_UINT32_BE( W[13], data, 52 );
- GET_UINT32_BE( W[14], data, 56 );
- GET_UINT32_BE( W[15], data, 60 );
+ GET_UINT32_BE( local.W[ 0], data, 0 );
+ GET_UINT32_BE( local.W[ 1], data, 4 );
+ GET_UINT32_BE( local.W[ 2], data, 8 );
+ GET_UINT32_BE( local.W[ 3], data, 12 );
+ GET_UINT32_BE( local.W[ 4], data, 16 );
+ GET_UINT32_BE( local.W[ 5], data, 20 );
+ GET_UINT32_BE( local.W[ 6], data, 24 );
+ GET_UINT32_BE( local.W[ 7], data, 28 );
+ GET_UINT32_BE( local.W[ 8], data, 32 );
+ GET_UINT32_BE( local.W[ 9], data, 36 );
+ GET_UINT32_BE( local.W[10], data, 40 );
+ GET_UINT32_BE( local.W[11], data, 44 );
+ GET_UINT32_BE( local.W[12], data, 48 );
+ GET_UINT32_BE( local.W[13], data, 52 );
+ GET_UINT32_BE( local.W[14], data, 56 );
+ GET_UINT32_BE( local.W[15], data, 60 );
#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
#define R(t) \
( \
- temp = W[( (t) - 3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \
- W[( (t) - 14 ) & 0x0F] ^ W[ (t) & 0x0F], \
- ( W[(t) & 0x0F] = S(temp,1) ) \
+ local.temp = local.W[( (t) - 3 ) & 0x0F] ^ \
+ local.W[( (t) - 8 ) & 0x0F] ^ \
+ local.W[( (t) - 14 ) & 0x0F] ^ \
+ local.W[ (t) & 0x0F], \
+ ( local.W[(t) & 0x0F] = S(local.temp,1) ) \
)
#define P(a,b,c,d,e,x) \
@@ -169,35 +168,35 @@
(b) = S((b),30); \
} while( 0 )
- A = ctx->state[0];
- B = ctx->state[1];
- C = ctx->state[2];
- D = ctx->state[3];
- E = ctx->state[4];
+ local.A = ctx->state[0];
+ local.B = ctx->state[1];
+ local.C = ctx->state[2];
+ local.D = ctx->state[3];
+ local.E = ctx->state[4];
#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define K 0x5A827999
- P( A, B, C, D, E, W[0] );
- P( E, A, B, C, D, W[1] );
- P( D, E, A, B, C, W[2] );
- P( C, D, E, A, B, W[3] );
- P( B, C, D, E, A, W[4] );
- P( A, B, C, D, E, W[5] );
- P( E, A, B, C, D, W[6] );
- P( D, E, A, B, C, W[7] );
- P( C, D, E, A, B, W[8] );
- P( B, C, D, E, A, W[9] );
- P( A, B, C, D, E, W[10] );
- P( E, A, B, C, D, W[11] );
- P( D, E, A, B, C, W[12] );
- P( C, D, E, A, B, W[13] );
- P( B, C, D, E, A, W[14] );
- P( A, B, C, D, E, W[15] );
- P( E, A, B, C, D, R(16) );
- P( D, E, A, B, C, R(17) );
- P( C, D, E, A, B, R(18) );
- P( B, C, D, E, A, R(19) );
+ P( local.A, local.B, local.C, local.D, local.E, local.W[0] );
+ P( local.E, local.A, local.B, local.C, local.D, local.W[1] );
+ P( local.D, local.E, local.A, local.B, local.C, local.W[2] );
+ P( local.C, local.D, local.E, local.A, local.B, local.W[3] );
+ P( local.B, local.C, local.D, local.E, local.A, local.W[4] );
+ P( local.A, local.B, local.C, local.D, local.E, local.W[5] );
+ P( local.E, local.A, local.B, local.C, local.D, local.W[6] );
+ P( local.D, local.E, local.A, local.B, local.C, local.W[7] );
+ P( local.C, local.D, local.E, local.A, local.B, local.W[8] );
+ P( local.B, local.C, local.D, local.E, local.A, local.W[9] );
+ P( local.A, local.B, local.C, local.D, local.E, local.W[10] );
+ P( local.E, local.A, local.B, local.C, local.D, local.W[11] );
+ P( local.D, local.E, local.A, local.B, local.C, local.W[12] );
+ P( local.C, local.D, local.E, local.A, local.B, local.W[13] );
+ P( local.B, local.C, local.D, local.E, local.A, local.W[14] );
+ P( local.A, local.B, local.C, local.D, local.E, local.W[15] );
+ P( local.E, local.A, local.B, local.C, local.D, R(16) );
+ P( local.D, local.E, local.A, local.B, local.C, R(17) );
+ P( local.C, local.D, local.E, local.A, local.B, R(18) );
+ P( local.B, local.C, local.D, local.E, local.A, R(19) );
#undef K
#undef F
@@ -205,26 +204,26 @@
#define F(x,y,z) ((x) ^ (y) ^ (z))
#define K 0x6ED9EBA1
- P( A, B, C, D, E, R(20) );
- P( E, A, B, C, D, R(21) );
- P( D, E, A, B, C, R(22) );
- P( C, D, E, A, B, R(23) );
- P( B, C, D, E, A, R(24) );
- P( A, B, C, D, E, R(25) );
- P( E, A, B, C, D, R(26) );
- P( D, E, A, B, C, R(27) );
- P( C, D, E, A, B, R(28) );
- P( B, C, D, E, A, R(29) );
- P( A, B, C, D, E, R(30) );
- P( E, A, B, C, D, R(31) );
- P( D, E, A, B, C, R(32) );
- P( C, D, E, A, B, R(33) );
- P( B, C, D, E, A, R(34) );
- P( A, B, C, D, E, R(35) );
- P( E, A, B, C, D, R(36) );
- P( D, E, A, B, C, R(37) );
- P( C, D, E, A, B, R(38) );
- P( B, C, D, E, A, R(39) );
+ P( local.A, local.B, local.C, local.D, local.E, R(20) );
+ P( local.E, local.A, local.B, local.C, local.D, R(21) );
+ P( local.D, local.E, local.A, local.B, local.C, R(22) );
+ P( local.C, local.D, local.E, local.A, local.B, R(23) );
+ P( local.B, local.C, local.D, local.E, local.A, R(24) );
+ P( local.A, local.B, local.C, local.D, local.E, R(25) );
+ P( local.E, local.A, local.B, local.C, local.D, R(26) );
+ P( local.D, local.E, local.A, local.B, local.C, R(27) );
+ P( local.C, local.D, local.E, local.A, local.B, R(28) );
+ P( local.B, local.C, local.D, local.E, local.A, R(29) );
+ P( local.A, local.B, local.C, local.D, local.E, R(30) );
+ P( local.E, local.A, local.B, local.C, local.D, R(31) );
+ P( local.D, local.E, local.A, local.B, local.C, R(32) );
+ P( local.C, local.D, local.E, local.A, local.B, R(33) );
+ P( local.B, local.C, local.D, local.E, local.A, R(34) );
+ P( local.A, local.B, local.C, local.D, local.E, R(35) );
+ P( local.E, local.A, local.B, local.C, local.D, R(36) );
+ P( local.D, local.E, local.A, local.B, local.C, R(37) );
+ P( local.C, local.D, local.E, local.A, local.B, R(38) );
+ P( local.B, local.C, local.D, local.E, local.A, R(39) );
#undef K
#undef F
@@ -232,26 +231,26 @@
#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define K 0x8F1BBCDC
- P( A, B, C, D, E, R(40) );
- P( E, A, B, C, D, R(41) );
- P( D, E, A, B, C, R(42) );
- P( C, D, E, A, B, R(43) );
- P( B, C, D, E, A, R(44) );
- P( A, B, C, D, E, R(45) );
- P( E, A, B, C, D, R(46) );
- P( D, E, A, B, C, R(47) );
- P( C, D, E, A, B, R(48) );
- P( B, C, D, E, A, R(49) );
- P( A, B, C, D, E, R(50) );
- P( E, A, B, C, D, R(51) );
- P( D, E, A, B, C, R(52) );
- P( C, D, E, A, B, R(53) );
- P( B, C, D, E, A, R(54) );
- P( A, B, C, D, E, R(55) );
- P( E, A, B, C, D, R(56) );
- P( D, E, A, B, C, R(57) );
- P( C, D, E, A, B, R(58) );
- P( B, C, D, E, A, R(59) );
+ P( local.A, local.B, local.C, local.D, local.E, R(40) );
+ P( local.E, local.A, local.B, local.C, local.D, R(41) );
+ P( local.D, local.E, local.A, local.B, local.C, R(42) );
+ P( local.C, local.D, local.E, local.A, local.B, R(43) );
+ P( local.B, local.C, local.D, local.E, local.A, R(44) );
+ P( local.A, local.B, local.C, local.D, local.E, R(45) );
+ P( local.E, local.A, local.B, local.C, local.D, R(46) );
+ P( local.D, local.E, local.A, local.B, local.C, R(47) );
+ P( local.C, local.D, local.E, local.A, local.B, R(48) );
+ P( local.B, local.C, local.D, local.E, local.A, R(49) );
+ P( local.A, local.B, local.C, local.D, local.E, R(50) );
+ P( local.E, local.A, local.B, local.C, local.D, R(51) );
+ P( local.D, local.E, local.A, local.B, local.C, R(52) );
+ P( local.C, local.D, local.E, local.A, local.B, R(53) );
+ P( local.B, local.C, local.D, local.E, local.A, R(54) );
+ P( local.A, local.B, local.C, local.D, local.E, R(55) );
+ P( local.E, local.A, local.B, local.C, local.D, R(56) );
+ P( local.D, local.E, local.A, local.B, local.C, R(57) );
+ P( local.C, local.D, local.E, local.A, local.B, R(58) );
+ P( local.B, local.C, local.D, local.E, local.A, R(59) );
#undef K
#undef F
@@ -259,35 +258,38 @@
#define F(x,y,z) ((x) ^ (y) ^ (z))
#define K 0xCA62C1D6
- P( A, B, C, D, E, R(60) );
- P( E, A, B, C, D, R(61) );
- P( D, E, A, B, C, R(62) );
- P( C, D, E, A, B, R(63) );
- P( B, C, D, E, A, R(64) );
- P( A, B, C, D, E, R(65) );
- P( E, A, B, C, D, R(66) );
- P( D, E, A, B, C, R(67) );
- P( C, D, E, A, B, R(68) );
- P( B, C, D, E, A, R(69) );
- P( A, B, C, D, E, R(70) );
- P( E, A, B, C, D, R(71) );
- P( D, E, A, B, C, R(72) );
- P( C, D, E, A, B, R(73) );
- P( B, C, D, E, A, R(74) );
- P( A, B, C, D, E, R(75) );
- P( E, A, B, C, D, R(76) );
- P( D, E, A, B, C, R(77) );
- P( C, D, E, A, B, R(78) );
- P( B, C, D, E, A, R(79) );
+ P( local.A, local.B, local.C, local.D, local.E, R(60) );
+ P( local.E, local.A, local.B, local.C, local.D, R(61) );
+ P( local.D, local.E, local.A, local.B, local.C, R(62) );
+ P( local.C, local.D, local.E, local.A, local.B, R(63) );
+ P( local.B, local.C, local.D, local.E, local.A, R(64) );
+ P( local.A, local.B, local.C, local.D, local.E, R(65) );
+ P( local.E, local.A, local.B, local.C, local.D, R(66) );
+ P( local.D, local.E, local.A, local.B, local.C, R(67) );
+ P( local.C, local.D, local.E, local.A, local.B, R(68) );
+ P( local.B, local.C, local.D, local.E, local.A, R(69) );
+ P( local.A, local.B, local.C, local.D, local.E, R(70) );
+ P( local.E, local.A, local.B, local.C, local.D, R(71) );
+ P( local.D, local.E, local.A, local.B, local.C, R(72) );
+ P( local.C, local.D, local.E, local.A, local.B, R(73) );
+ P( local.B, local.C, local.D, local.E, local.A, R(74) );
+ P( local.A, local.B, local.C, local.D, local.E, R(75) );
+ P( local.E, local.A, local.B, local.C, local.D, R(76) );
+ P( local.D, local.E, local.A, local.B, local.C, R(77) );
+ P( local.C, local.D, local.E, local.A, local.B, R(78) );
+ P( local.B, local.C, local.D, local.E, local.A, R(79) );
#undef K
#undef F
- ctx->state[0] += A;
- ctx->state[1] += B;
- ctx->state[2] += C;
- ctx->state[3] += D;
- ctx->state[4] += E;
+ ctx->state[0] += local.A;
+ ctx->state[1] += local.B;
+ ctx->state[2] += local.C;
+ ctx->state[3] += local.D;
+ ctx->state[4] += local.E;
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/sha256.c b/lib/libmbedtls/mbedtls/library/sha256.c
index d0142a9..be373d9 100644
--- a/lib/libmbedtls/mbedtls/library/sha256.c
+++ b/lib/libmbedtls/mbedtls/library/sha256.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* FIPS-180-2 compliant SHA-256 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SHA-256 Secure Hash Standard was published by NIST in 2002.
@@ -24,11 +22,7 @@
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SHA256_C)
@@ -185,77 +179,104 @@
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
-#define R(t) \
- ( \
- W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \
- S0(W[(t) - 15]) + W[(t) - 16] \
+#define R(t) \
+ ( \
+ local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
+ S0(local.W[(t) - 15]) + local.W[(t) - 16] \
)
-#define P(a,b,c,d,e,f,g,h,x,K) \
- do \
- { \
- temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
- temp2 = S2(a) + F0((a),(b),(c)); \
- (d) += temp1; (h) = temp1 + temp2; \
+#define P(a,b,c,d,e,f,g,h,x,K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a),(b),(c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 )
int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
const unsigned char data[64] )
{
- uint32_t temp1, temp2, W[64];
- uint32_t A[8];
+ struct
+ {
+ uint32_t temp1, temp2, W[64];
+ uint32_t A[8];
+ } local;
+
unsigned int i;
SHA256_VALIDATE_RET( ctx != NULL );
SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
for( i = 0; i < 8; i++ )
- A[i] = ctx->state[i];
+ local.A[i] = ctx->state[i];
#if defined(MBEDTLS_SHA256_SMALLER)
for( i = 0; i < 64; i++ )
{
if( i < 16 )
- GET_UINT32_BE( W[i], data, 4 * i );
+ GET_UINT32_BE( local.W[i], data, 4 * i );
else
R( i );
- P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
+ P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
- temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
- A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
}
#else /* MBEDTLS_SHA256_SMALLER */
for( i = 0; i < 16; i++ )
- GET_UINT32_BE( W[i], data, 4 * i );
+ GET_UINT32_BE( local.W[i], data, 4 * i );
for( i = 0; i < 16; i += 8 )
{
- P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] );
- P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] );
- P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] );
- P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] );
- P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] );
- P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] );
- P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] );
- P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] );
+ P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
+ P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
+ P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
+ P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
+ P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
+ P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
+ P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
+ P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
}
for( i = 16; i < 64; i += 8 )
{
- P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] );
- P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] );
- P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] );
- P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] );
- P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] );
- P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] );
- P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] );
- P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] );
+ P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
+ P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
+ P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
+ P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
+ P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
+ P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
+ P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
+ P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
}
#endif /* MBEDTLS_SHA256_SMALLER */
for( i = 0; i < 8; i++ )
- ctx->state[i] += A[i];
+ ctx->state[i] += local.A[i];
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/sha512.c b/lib/libmbedtls/mbedtls/library/sha512.c
index d5a5b51..06a628a 100644
--- a/lib/libmbedtls/mbedtls/library/sha512.c
+++ b/lib/libmbedtls/mbedtls/library/sha512.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* FIPS-180-2 compliant SHA-384/512 implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SHA-512 Secure Hash Standard was published by NIST in 2002.
@@ -24,11 +22,7 @@
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SHA512_C)
@@ -238,8 +232,11 @@
const unsigned char data[128] )
{
int i;
- uint64_t temp1, temp2, W[80];
- uint64_t A[8];
+ struct
+ {
+ uint64_t temp1, temp2, W[80];
+ uint64_t A[8];
+ } local;
SHA512_VALIDATE_RET( ctx != NULL );
SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
@@ -256,64 +253,79 @@
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
-#define P(a,b,c,d,e,f,g,h,x,K) \
- do \
- { \
- temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
- temp2 = S2(a) + F0((a),(b),(c)); \
- (d) += temp1; (h) = temp1 + temp2; \
+#define P(a,b,c,d,e,f,g,h,x,K) \
+ do \
+ { \
+ local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
+ local.temp2 = S2(a) + F0((a),(b),(c)); \
+ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 )
for( i = 0; i < 8; i++ )
- A[i] = ctx->state[i];
+ local.A[i] = ctx->state[i];
#if defined(MBEDTLS_SHA512_SMALLER)
for( i = 0; i < 80; i++ )
{
if( i < 16 )
{
- GET_UINT64_BE( W[i], data, i << 3 );
+ GET_UINT64_BE( local.W[i], data, i << 3 );
}
else
{
- W[i] = S1(W[i - 2]) + W[i - 7] +
- S0(W[i - 15]) + W[i - 16];
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
}
- P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] );
+ P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
- temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3];
- A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1;
+ local.temp1 = local.A[7]; local.A[7] = local.A[6];
+ local.A[6] = local.A[5]; local.A[5] = local.A[4];
+ local.A[4] = local.A[3]; local.A[3] = local.A[2];
+ local.A[2] = local.A[1]; local.A[1] = local.A[0];
+ local.A[0] = local.temp1;
}
#else /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 16; i++ )
{
- GET_UINT64_BE( W[i], data, i << 3 );
+ GET_UINT64_BE( local.W[i], data, i << 3 );
}
for( ; i < 80; i++ )
{
- W[i] = S1(W[i - 2]) + W[i - 7] +
- S0(W[i - 15]) + W[i - 16];
+ local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
+ S0(local.W[i - 15]) + local.W[i - 16];
}
i = 0;
do
{
- P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); i++;
- P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i], K[i] ); i++;
- P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i], K[i] ); i++;
- P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i], K[i] ); i++;
- P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i], K[i] ); i++;
- P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i], K[i] ); i++;
- P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i], K[i] ); i++;
- P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i], K[i] ); i++;
+ P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
+ local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); i++;
+ P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
+ local.A[4], local.A[5], local.A[6], local.W[i], K[i] ); i++;
+ P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
+ local.A[3], local.A[4], local.A[5], local.W[i], K[i] ); i++;
+ P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
+ local.A[2], local.A[3], local.A[4], local.W[i], K[i] ); i++;
+ P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
+ local.A[1], local.A[2], local.A[3], local.W[i], K[i] ); i++;
+ P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
+ local.A[0], local.A[1], local.A[2], local.W[i], K[i] ); i++;
+ P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
+ local.A[7], local.A[0], local.A[1], local.W[i], K[i] ); i++;
+ P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
+ local.A[6], local.A[7], local.A[0], local.W[i], K[i] ); i++;
}
while( i < 80 );
#endif /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 8; i++ )
- ctx->state[i] += A[i];
+ ctx->state[i] += local.A[i];
+
+ /* Zeroise buffers and variables to clear sensitive data from memory. */
+ mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
}
diff --git a/lib/libmbedtls/mbedtls/library/ssl_cache.c b/lib/libmbedtls/mbedtls/library/ssl_cache.c
index 07dcc88..32188cf 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_cache.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_cache.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* SSL session cache implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,19 +15,13 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* These session callbacks use a simple chained list
* to store and retrieve the session information.
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_CACHE_C)
@@ -84,14 +78,12 @@
continue;
#endif
- if( session->ciphersuite != entry->session.ciphersuite ||
- session->compression != entry->session.compression ||
- session->id_len != entry->session.id_len )
- continue;
-
- if( memcmp( session->id, entry->session.id,
+ if( session->id_len != entry->session.id_len ||
+ memcmp( session->id, entry->session.id,
entry->session.id_len ) != 0 )
+ {
continue;
+ }
ret = mbedtls_ssl_session_copy( session, &entry->session );
if( ret != 0 )
diff --git a/lib/libmbedtls/mbedtls/library/ssl_ciphersuites.c b/lib/libmbedtls/mbedtls/library/ssl_ciphersuites.c
index 967981c..3826ad2 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_ciphersuites.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_ciphersuites.c
@@ -1,10 +1,10 @@
-// SPDX-License-Identifier: Apache-2.0
/**
* \file ssl_ciphersuites.c
*
* \brief SSL ciphersuites for mbed TLS
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -17,15 +17,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_TLS_C)
@@ -40,6 +34,11 @@
#include <string.h>
+#undef HAVE_SHA384
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
+#define HAVE_SHA384
+#endif
+
/*
* Ordered from most preferred to least preferred in terms of security.
*
@@ -417,7 +416,7 @@
0 },
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -432,7 +431,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_GCM_C */
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#if defined(MBEDTLS_CCM_C)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, "TLS-ECDHE-ECDSA-WITH-AES-256-CCM",
MBEDTLS_CIPHER_AES_256_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -466,13 +465,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -483,13 +482,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -558,7 +557,7 @@
0 },
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
@@ -573,7 +572,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_GCM_C */
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_CAMELLIA_C)
@@ -585,13 +584,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -602,13 +601,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -647,13 +646,13 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+#if defined(HAVE_SHA384) && defined(MBEDTLS_GCM_C)
{ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+#endif /* HAVE_SHA384 && MBEDTLS_GCM_C */
#if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_GCM_C)
@@ -757,13 +756,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -782,13 +781,13 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
#if defined(MBEDTLS_AES_C)
-#if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_GCM_C)
+#if defined(HAVE_SHA384) && defined(MBEDTLS_GCM_C)
{ MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS-RSA-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C && MBEDTLS_GCM_C */
+#endif /* HAVE_SHA384 && MBEDTLS_GCM_C */
#if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_GCM_C)
@@ -893,13 +892,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA1_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA1_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -966,7 +965,7 @@
0 },
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
@@ -981,7 +980,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_GCM_C */
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_CAMELLIA_C)
@@ -993,13 +992,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -1010,13 +1009,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1085,7 +1084,7 @@
0 },
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
@@ -1100,7 +1099,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_GCM_C */
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_CAMELLIA_C)
@@ -1112,13 +1111,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -1129,13 +1128,13 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1183,13 +1182,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, "TLS-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC)
@@ -1201,13 +1200,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384, "TLS-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#if defined(MBEDTLS_SHA1_C)
{ MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, "TLS-PSK-WITH-AES-128-CBC-SHA",
@@ -1257,13 +1256,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -1275,13 +1274,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1319,13 +1318,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384, "TLS-DHE-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC)
@@ -1337,13 +1336,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-DHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#if defined(MBEDTLS_SHA1_C)
{ MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA, "TLS-DHE-PSK-WITH-AES-128-CBC-SHA",
@@ -1393,13 +1392,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -1411,13 +1410,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-DHE-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1456,13 +1455,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#if defined(MBEDTLS_SHA1_C)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, "TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA",
@@ -1490,13 +1489,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-ECDHE-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1534,13 +1533,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384, "TLS-RSA-PSK-WITH-AES-256-GCM-SHA384",
MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CIPHER_MODE_CBC)
@@ -1552,13 +1551,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384, "TLS-RSA-PSK-WITH-AES-256-CBC-SHA384",
MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#if defined(MBEDTLS_SHA1_C)
{ MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA, "TLS-RSA-PSK-WITH-AES-128-CBC-SHA",
@@ -1586,13 +1585,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_GCM_C)
@@ -1604,13 +1603,13 @@
0 },
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384, "TLS-RSA-PSK-WITH-CAMELLIA-256-GCM-SHA384",
MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
-#endif /* MBEDTLS_SHA512_C */
+#endif /* HAVE_SHA384 */
#endif /* MBEDTLS_GCM_C */
#endif /* MBEDTLS_CAMELLIA_C */
@@ -1694,7 +1693,7 @@
MBEDTLS_CIPHERSUITE_WEAK },
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_PSK_WITH_NULL_SHA384, "TLS-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
@@ -1720,7 +1719,7 @@
MBEDTLS_CIPHERSUITE_WEAK },
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384, "TLS-DHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
@@ -1746,7 +1745,7 @@
MBEDTLS_CIPHERSUITE_WEAK },
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384, "TLS-ECDHE-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
@@ -1772,7 +1771,7 @@
MBEDTLS_CIPHERSUITE_WEAK },
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(HAVE_SHA384)
{ MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384, "TLS-RSA-PSK-WITH-NULL-SHA384",
MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1,
@@ -1811,7 +1810,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
@@ -1819,7 +1818,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA,
@@ -1848,7 +1847,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-RSA-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
@@ -1856,7 +1855,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-RSA-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_RSA_PSK,
@@ -1885,7 +1884,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384,MBEDTLS_KEY_EXCHANGE_PSK,
@@ -1893,7 +1892,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_PSK,
@@ -1922,7 +1921,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
@@ -1930,7 +1929,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
@@ -1959,7 +1958,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
@@ -1967,7 +1966,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
@@ -1996,7 +1995,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
@@ -2017,7 +2016,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDHE-ECDSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -2025,7 +2024,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
@@ -2054,7 +2053,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
"TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
@@ -2062,7 +2061,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
"TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
@@ -2091,7 +2090,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
@@ -2099,7 +2098,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_RSA,
@@ -2128,7 +2127,7 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-#if (defined(MBEDTLS_GCM_C) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_GCM_C) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-GCM-SHA384",
MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
@@ -2136,7 +2135,7 @@
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
0 },
#endif
-#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_SHA512_C))
+#if (defined(MBEDTLS_CIPHER_MODE_CBC) && defined(HAVE_SHA384))
{ MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
"TLS-DHE-PSK-WITH-ARIA-256-CBC-SHA384",
MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_DHE_PSK,
diff --git a/lib/libmbedtls/mbedtls/library/ssl_cli.c b/lib/libmbedtls/mbedtls/library/ssl_cli.c
index 47b6d0c..f49178c 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_cli.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_cli.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* SSLv3/TLSv1 client-side functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_CLI_C)
@@ -69,7 +63,7 @@
return( 1 );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( conf->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -95,29 +89,26 @@
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t hostname_len;
*olen = 0;
if( ssl->hostname == NULL )
- return;
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding server name extension: %s",
- ssl->hostname ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding server name extension: %s",
+ ssl->hostname ) );
hostname_len = strlen( ssl->hostname );
- if( end < p || (size_t)( end - p ) < hostname_len + 9 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
/*
* Sect. 3, RFC 6066 (TLS Extensions Definitions)
@@ -161,16 +152,18 @@
memcpy( p, ssl->hostname, hostname_len );
*olen = hostname_len + 9;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
-static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
@@ -178,21 +171,20 @@
* initial ClientHello, in which case also adding the renegotiation
* info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
- return;
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding renegotiation extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding renegotiation extension" ) );
- if( end < p || (size_t)( end - p ) < 5 + ssl->verify_data_len )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 + ssl->verify_data_len );
/*
* Secure renegotiation
*/
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO >> 8 )
+ & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_RENEGOTIATION_INFO )
+ & 0xFF );
*p++ = 0x00;
*p++ = ( ssl->verify_data_len + 1 ) & 0xFF;
@@ -201,6 +193,8 @@
memcpy( p, ssl->own_verify_data, ssl->verify_data_len );
*olen = 5 + ssl->verify_data_len;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@@ -209,14 +203,15 @@
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t sig_alg_len = 0;
const int *md;
+
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
unsigned char *sig_alg_list = buf + 6;
#endif
@@ -224,9 +219,13 @@
*olen = 0;
if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
- return;
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding signature_algorithms extension" ) );
+
+ if( ssl->conf->sig_hashes == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
for( md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++ )
{
@@ -236,13 +235,19 @@
#if defined(MBEDTLS_RSA_C)
sig_alg_len += 2;
#endif
+ if( sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "length in bytes of sig-hash-alg extension too big" ) );
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+ }
}
- if( end < p || (size_t)( end - p ) < sig_alg_len + 6 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ /* Empty signature algorithms list, this is a configuration error. */
+ if( sig_alg_len == 0 )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, sig_alg_len + 6 );
/*
* Prepare signature_algorithms extension (TLS 1.2)
@@ -288,75 +293,75 @@
*p++ = (unsigned char)( ( sig_alg_len ) & 0xFF );
*olen = 6 + sig_alg_len;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
unsigned char *elliptic_curve_list = p + 6;
size_t elliptic_curve_len = 0;
const mbedtls_ecp_curve_info *info;
-#if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_group_id *grp_id;
-#else
- ((void) ssl);
-#endif
*olen = 0;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding supported_elliptic_curves extension" ) );
-#if defined(MBEDTLS_ECP_C)
- for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
-#else
- for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
-#endif
+ if( ssl->conf->curve_list == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ for( grp_id = ssl->conf->curve_list;
+ *grp_id != MBEDTLS_ECP_DP_NONE;
+ grp_id++ )
{
-#if defined(MBEDTLS_ECP_C)
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
-#endif
if( info == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) );
- return;
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "invalid curve in ssl configuration" ) );
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
}
-
elliptic_curve_len += 2;
+
+ if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "malformed supported_elliptic_curves extension in config" ) );
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+ }
}
- if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ /* Empty elliptic curve list, this is a configuration error. */
+ if( elliptic_curve_len == 0 )
+ return( MBEDTLS_ERR_SSL_BAD_CONFIG );
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len );
elliptic_curve_len = 0;
-#if defined(MBEDTLS_ECP_C)
- for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
-#else
- for( info = mbedtls_ecp_curve_list(); info->grp_id != MBEDTLS_ECP_DP_NONE; info++ )
-#endif
+ for( grp_id = ssl->conf->curve_list;
+ *grp_id != MBEDTLS_ECP_DP_NONE;
+ grp_id++ )
{
-#if defined(MBEDTLS_ECP_C)
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
-#endif
elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
}
- if( elliptic_curve_len == 0 )
- return;
-
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 )
+ & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES )
+ & 0xFF );
*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ( elliptic_curve_len + 2 ) ) & 0xFF );
@@ -365,27 +370,28 @@
*p++ = (unsigned char)( ( ( elliptic_curve_len ) ) & 0xFF );
*olen = 6 + elliptic_curve_len;
+
+ return( 0 );
}
-static void ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_supported_point_formats_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+ (void) ssl; /* ssl used for debugging only */
*olen = 0;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_point_formats extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding supported_point_formats extension" ) );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 );
- if( end < p || (size_t)( end - p ) < 6 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
-
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS >> 8 )
+ & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS )
+ & 0xFF );
*p++ = 0x00;
*p++ = 2;
@@ -394,33 +400,32 @@
*p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
*olen = 6;
+
+ return( 0 );
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t kkpp_len;
*olen = 0;
/* Skip costly extension if we can't use EC J-PAKE anyway */
if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
- return;
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding ecjpake_kkpp extension" ) );
- if( end - p < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ECJPAKE_KKPP ) & 0xFF );
@@ -436,19 +441,20 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) );
ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx,
- p + 2, end - p - 2, &kkpp_len,
- ssl->conf->f_rng, ssl->conf->p_rng );
+ p + 2, end - p - 2, &kkpp_len,
+ ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret );
- return;
+ MBEDTLS_SSL_DEBUG_RET( 1 ,
+ "mbedtls_ecjpake_write_round_one", ret );
+ return( ret );
}
ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len );
if( ssl->handshake->ecjpake_cache == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "allocation failed" ) );
- return;
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
memcpy( ssl->handshake->ecjpake_cache, p + 2, kkpp_len );
@@ -459,12 +465,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "re-using cached ecjpake parameters" ) );
kkpp_len = ssl->handshake->ecjpake_cache_len;
-
- if( (size_t)( end - p - 2 ) < kkpp_len )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p + 2, end, kkpp_len );
memcpy( p + 2, ssl->handshake->ecjpake_cache, kkpp_len );
}
@@ -473,17 +474,19 @@
*p++ = (unsigned char)( ( kkpp_len ) & 0xFF );
*olen = kkpp_len + 4;
+
+ return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_cid_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
size_t ext_len;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
/*
* Quoting draft-ietf-tls-dtls-connection-id-05
@@ -498,17 +501,13 @@
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
{
- return;
+ return( 0 );
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
/* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
* which is at most 255, so the increment cannot overflow. */
- if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, (unsigned)( ssl->own_cid_len + 5 ) );
/* Add extension ID + size */
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
@@ -521,33 +520,33 @@
memcpy( p, ssl->own_cid, ssl->own_cid_len );
*olen = ssl->own_cid_len + 5;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
-static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf,
- size_t *olen )
+static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
- if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ) {
- return;
- }
+ if( ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE )
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding max_fragment_length extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding max_fragment_length extension" ) );
- if( end < p || (size_t)( end - p ) < 5 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 5 );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH >> 8 )
+ & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH )
+ & 0xFF );
*p++ = 0x00;
*p++ = 1;
@@ -555,30 +554,28 @@
*p++ = ssl->conf->mfl_code;
*olen = 5;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
-static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
+static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
- {
- return;
- }
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding truncated_hmac extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding truncated_hmac extension" ) );
- if( end < p || (size_t)( end - p ) < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
@@ -587,32 +584,29 @@
*p++ = 0x00;
*olen = 4;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
-static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
+static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
- {
- return;
- }
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding encrypt_then_mac "
- "extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding encrypt_then_mac extension" ) );
- if( end < p || (size_t)( end - p ) < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC ) & 0xFF );
@@ -621,65 +615,63 @@
*p++ = 0x00;
*olen = 4;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
+static int ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
*olen = 0;
if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
- {
- return;
- }
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding extended_master_secret "
- "extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding extended_master_secret extension" ) );
- if( end < p || (size_t)( end - p ) < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 ) & 0xFF );
- *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET >> 8 )
+ & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET )
+ & 0xFF );
*p++ = 0x00;
*p++ = 0x00;
*olen = 4;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
-static void ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
+static int ssl_write_session_ticket_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t tlen = ssl->session_negotiate->ticket_len;
*olen = 0;
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED )
- {
- return;
- }
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding session ticket extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, adding session ticket extension" ) );
- if( end < p || (size_t)( end - p ) < 4 + tlen )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ /* The addition is safe here since the ticket length is 16 bit. */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 + tlen );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SESSION_TICKET ) & 0xFF );
@@ -690,44 +682,40 @@
*olen = 4;
if( ssl->session_negotiate->ticket == NULL || tlen == 0 )
- {
- return;
- }
+ return( 0 );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "sending session ticket of length %d", tlen ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen ) );
memcpy( p, ssl->session_negotiate->ticket, tlen );
*olen += tlen;
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_ALPN)
-static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
- unsigned char *buf, size_t *olen )
+static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
{
unsigned char *p = buf;
- const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
size_t alpnlen = 0;
const char **cur;
*olen = 0;
if( ssl->conf->alpn_list == NULL )
- {
- return;
- }
+ return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding alpn extension" ) );
for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
- alpnlen += (unsigned char)( strlen( *cur ) & 0xFF ) + 1;
+ alpnlen += strlen( *cur ) + 1;
- if( end < p || (size_t)( end - p ) < 6 + alpnlen )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
- return;
- }
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + alpnlen );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_ALPN ) & 0xFF );
@@ -745,7 +733,11 @@
for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
{
- *p = (unsigned char)( strlen( *cur ) & 0xFF );
+ /*
+ * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
+ * protocol names is less than 255.
+ */
+ *p = (unsigned char)strlen( *cur );
memcpy( p + 1, *cur, *p );
p += 1 + *p;
}
@@ -759,9 +751,131 @@
/* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
buf[2] = (unsigned char)( ( ( *olen - 4 ) >> 8 ) & 0xFF );
buf[3] = (unsigned char)( ( ( *olen - 4 ) ) & 0xFF );
+
+ return( 0 );
}
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ const unsigned char *end,
+ size_t *olen )
+{
+ unsigned char *p = buf;
+ size_t protection_profiles_index = 0, ext_len = 0;
+ uint16_t mki_len = 0, profile_value = 0;
+
+ *olen = 0;
+
+ if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
+ ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
+ ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
+ {
+ return( 0 );
+ }
+
+ /* RFC 5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ */
+ if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
+ {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+ /* Extension length = 2 bytes for profiles length,
+ * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
+ * 1 byte for srtp_mki vector length and the mki_len value
+ */
+ ext_len = 2 + 2 * ( ssl->conf->dtls_srtp_profile_list_len ) + 1 + mki_len;
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) );
+
+ /* Check there is room in the buffer for the extension + 4 bytes
+ * - the extension tag (2 bytes)
+ * - the extension length (2 bytes)
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, ext_len + 4 );
+
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
+
+
+ *p++ = (unsigned char)( ( ( ext_len & 0xFF00 ) >> 8 ) & 0xFF );
+ *p++ = (unsigned char)( ext_len & 0xFF );
+
+ /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
+ /* micro-optimization:
+ * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
+ * which is lower than 127, so the upper byte of the length is always 0
+ * For the documentation, the more generic code is left in comments
+ * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
+ * >> 8 ) & 0xFF );
+ */
+ *p++ = 0;
+ *p++ = (unsigned char)( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
+ & 0xFF );
+
+ for( protection_profiles_index=0;
+ protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
+ protection_profiles_index++ )
+ {
+ profile_value = mbedtls_ssl_check_srtp_profile_value
+ ( ssl->conf->dtls_srtp_profile_list[protection_profiles_index] );
+ if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_write_use_srtp_ext, add profile: %04x",
+ profile_value ) );
+ *p++ = ( ( profile_value >> 8 ) & 0xFF );
+ *p++ = ( profile_value & 0xFF );
+ }
+ else
+ {
+ /*
+ * Note: we shall never arrive here as protection profiles
+ * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
+ */
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, "
+ "illegal DTLS-SRTP protection profile %d",
+ ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
+ ) );
+ return( MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED );
+ }
+ }
+
+ *p++ = mki_len & 0xFF;
+
+ if( mki_len != 0 )
+ {
+ memcpy( p, ssl->dtls_srtp_info.mki_value, mki_len );
+ /*
+ * Increment p to point to the current position.
+ */
+ p += mki_len;
+ MBEDTLS_SSL_DEBUG_BUF( 3, "sending mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len );
+ }
+
+ /*
+ * total extension length: extension type (2 bytes)
+ * + extension length (2 bytes)
+ * + protection profile length (2 bytes)
+ * + 2 * number of protection profiles
+ * + srtp_mki vector length(1 byte)
+ * + mki value
+ */
+ *olen = p - buf;
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* Generate random bytes for ClientHello
*/
@@ -791,7 +905,8 @@
*p++ = (unsigned char)( t >> 8 );
*p++ = (unsigned char)( t );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %lu", t ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+ (long long) t ) );
#else
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
return( ret );
@@ -815,9 +930,10 @@
*
* \return 0 if valid, else 1
*/
-static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
- const mbedtls_ssl_context * ssl,
- int min_minor_ver, int max_minor_ver )
+static int ssl_validate_ciphersuite(
+ const mbedtls_ssl_ciphersuite_t * suite_info,
+ const mbedtls_ssl_context * ssl,
+ int min_minor_ver, int max_minor_ver )
{
(void) ssl;
if( suite_info == NULL )
@@ -861,8 +977,11 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i, n, olen, ext_len = 0;
+
unsigned char *buf;
unsigned char *p, *q;
+ const unsigned char *end;
+
unsigned char offer_compress;
const int *ciphersuites;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -889,23 +1008,41 @@
if( ssl->conf->max_major_ver == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
- "consider using mbedtls_ssl_config_defaults()" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
+ buf = ssl->out_msg;
+ end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
/*
- * 0 . 0 handshake type
- * 1 . 3 handshake length
+ * Check if there's enough space for the first part of the ClientHello
+ * consisting of the 38 bytes described below, the session identifier (at
+ * most 32 bytes) and its length (1 byte).
+ *
+ * Use static upper bounds instead of the actual values
+ * to allow the compiler to optimize this away.
+ */
+ MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );
+
+ /*
+ * The 38 first bytes of the ClientHello:
+ * 0 . 0 handshake type (written later)
+ * 1 . 3 handshake length (written later)
* 4 . 5 highest version supported
* 6 . 9 current UNIX time
* 10 . 37 random bytes
+ *
+ * The current UNIX time (4 bytes) and following 28 random bytes are written
+ * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
+ * copied from there into the output buffer.
*/
- buf = ssl->out_msg;
- p = buf + 4;
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ p = buf + 4;
+ mbedtls_ssl_write_version( ssl->conf->max_major_ver,
+ ssl->conf->max_minor_ver,
+ ssl->conf->transport, p );
p += 2;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
@@ -925,7 +1062,7 @@
* 38 . 38 session id length
* 39 . 39+n session id
* 39+n . 39+n DTLS only: cookie length (1 byte)
- * 40+n . .. DTSL only: cookie
+ * 40+n . .. DTLS only: cookie
* .. . .. ciphersuitelist length (2 bytes)
* .. . .. ciphersuitelist
* .. . .. compression methods length (1 byte)
@@ -956,7 +1093,8 @@
if( ssl->session_negotiate->ticket != NULL &&
ssl->session_negotiate->ticket_len != 0 )
{
- ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->session_negotiate->id, 32 );
+ ret = ssl->conf->f_rng( ssl->conf->p_rng,
+ ssl->session_negotiate->id, 32 );
if( ret != 0 )
return( ret );
@@ -966,20 +1104,41 @@
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+ /*
+ * The first check of the output buffer size above (
+ * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
+ * has checked that there is enough space in the output buffer for the
+ * session identifier length byte and the session identifier (n <= 32).
+ */
*p++ = (unsigned char) n;
for( i = 0; i < n; i++ )
*p++ = ssl->session_negotiate->id[i];
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
/*
+ * With 'n' being the length of the session identifier
+ *
+ * 39+n . 39+n DTLS only: cookie length (1 byte)
+ * 40+n . .. DTLS only: cookie
+ * .. . .. ciphersuitelist length (2 bytes)
+ * .. . .. ciphersuitelist
+ * .. . .. compression methods length (1 byte)
+ * .. . .. compression methods
+ * .. . .. extensions length (2 bytes)
+ * .. . .. extensions
+ */
+
+ /*
* DTLS cookie
*/
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
+
if( ssl->handshake->verify_cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
@@ -992,6 +1151,9 @@
ssl->handshake->verify_cookie_len );
*p++ = ssl->handshake->verify_cookie_len;
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end,
+ ssl->handshake->verify_cookie_len );
memcpy( p, ssl->handshake->verify_cookie,
ssl->handshake->verify_cookie_len );
p += ssl->handshake->verify_cookie_len;
@@ -1007,6 +1169,8 @@
/* Skip writing ciphersuite length for now */
n = 0;
q = p;
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
p += 2;
for( i = 0; ciphersuites[i] != 0; i++ )
@@ -1018,20 +1182,23 @@
ssl->conf->max_minor_ver ) != 0 )
continue;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
- ciphersuites[i] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %#04x (%s)",
+ (unsigned int)ciphersuites[i], ciphersuite_info->name ) );
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
#endif
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+
n++;
*p++ = (unsigned char)( ciphersuites[i] >> 8 );
*p++ = (unsigned char)( ciphersuites[i] );
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "client hello, got %" MBEDTLS_PRINTF_SIZET " ciphersuites (excluding SCSVs)", n ) );
/*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
@@ -1041,6 +1208,7 @@
#endif
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO );
n++;
@@ -1051,6 +1219,8 @@
if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) );
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 );
*p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE );
n++;
@@ -1081,8 +1251,10 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d",
- MBEDTLS_SSL_COMPRESS_DEFLATE, MBEDTLS_SSL_COMPRESS_NULL ) );
+ MBEDTLS_SSL_COMPRESS_DEFLATE,
+ MBEDTLS_SSL_COMPRESS_NULL ) );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
*p++ = 2;
*p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
*p++ = MBEDTLS_SSL_COMPRESS_NULL;
@@ -1093,27 +1265,45 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d",
MBEDTLS_SSL_COMPRESS_NULL ) );
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
*p++ = 1;
*p++ = MBEDTLS_SSL_COMPRESS_NULL;
}
- // First write extensions, then the total length
- //
+ /* First write extensions, then the total length */
+
+ MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
+
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_hostname_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_hostname_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
/* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
* even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_renegotiation_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_renegotiation_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_signature_algorithms_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
@@ -1121,62 +1311,123 @@
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( uses_ec )
{
- ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_elliptic_curves_ext", ret );
+ return( ret );
+ }
ext_len += olen;
- ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_supported_point_formats_ext", ret );
+ return( ret );
+ }
ext_len += olen;
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_ecjpake_kkpp_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_ecjpake_kkpp_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
- ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_cid_ext( ssl, p + 2 + ext_len, end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_cid_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_max_fragment_length_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
- ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_encrypt_then_mac_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- ssl_write_extended_ms_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_extended_ms_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_extended_ms_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_ALPN)
- ssl_write_alpn_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_alpn_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_alpn_ext", ret );
+ return( ret );
+ }
+ ext_len += olen;
+#endif
+
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ if( ( ret = ssl_write_use_srtp_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_use_srtp_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
+ if( ( ret = ssl_write_session_ticket_ext( ssl, p + 2 + ext_len,
+ end, &olen ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_session_ticket_ext", ret );
+ return( ret );
+ }
ext_len += olen;
#endif
/* olen unused if all extensions are disabled */
((void) olen);
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %d",
- ext_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+ ext_len ) );
if( ext_len > 0 )
{
+ /* No need to check for space here, because the extension
+ * writing functions already took care of that. */
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
p += ext_len;
@@ -1229,8 +1480,10 @@
ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
}
@@ -1239,9 +1492,12 @@
{
if( len != 1 || buf[0] != 0x00 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-zero length renegotiation info" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1264,9 +1520,12 @@
len != 1 ||
buf[0] != ssl->conf->mfl_code )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching max fragment length extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-matching max fragment length extension" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1282,9 +1541,12 @@
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
len != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching truncated HMAC extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-matching truncated HMAC extension" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1310,7 +1572,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1361,9 +1623,12 @@
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-matching encrypt-then-MAC extension" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1384,9 +1649,12 @@
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
len != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-matching extended master secret extension" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1406,9 +1674,12 @@
if( ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
len != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching session ticket extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-matching session ticket extension" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1489,8 +1760,10 @@
buf, len ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( ret );
}
@@ -1509,8 +1782,10 @@
if( ssl->conf->alpn_list == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching ALPN extension" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1566,6 +1841,123 @@
}
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len )
+{
+ mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
+ size_t i, mki_len = 0;
+ uint16_t server_protection_profile_value = 0;
+
+ /* If use_srtp is not configured, just ignore the extension */
+ if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
+ ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
+ ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
+ return( 0 );
+
+ /* RFC 5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ *
+ */
+ if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
+ {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+
+ /*
+ * Length is 5 + optional mki_value : one protection profile length (2 bytes)
+ * + protection profile (2 bytes)
+ * + mki_len(1 byte)
+ * and optional srtp_mki
+ */
+ if( ( len < 5 ) || ( len != ( buf[4] + 5u ) ) )
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+
+ /*
+ * get the server protection profile
+ */
+
+ /*
+ * protection profile length must be 0x0002 as we must have only
+ * one protection profile in server Hello
+ */
+ if( ( buf[0] != 0 ) || ( buf[1] != 2 ) )
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+
+ server_protection_profile_value = ( buf[2] << 8 ) | buf[3];
+ server_protection = mbedtls_ssl_check_srtp_profile_value(
+ server_protection_profile_value );
+ if( server_protection != MBEDTLS_TLS_SRTP_UNSET )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ server_protection ) ) );
+ }
+
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+ /*
+ * Check we have the server profile in our list
+ */
+ for( i=0; i < ssl->conf->dtls_srtp_profile_list_len; i++)
+ {
+ if( server_protection == ssl->conf->dtls_srtp_profile_list[i] )
+ {
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ server_protection ) ) );
+ break;
+ }
+ }
+
+ /* If no match was found : server problem, it shall never answer with incompatible profile */
+ if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
+ {
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+
+ /* If server does not use mki in its reply, make sure the client won't keep
+ * one as negotiated */
+ if( len == 5 )
+ {
+ ssl->dtls_srtp_info.mki_len = 0;
+ }
+
+ /*
+ * RFC5764:
+ * If the client detects a nonzero-length MKI in the server's response
+ * that is different than the one the client offered, then the client
+ * MUST abort the handshake and SHOULD send an invalid_parameter alert.
+ */
+ if( len > 5 && ( buf[4] != mki_len ||
+ ( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
+ {
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
+ }
+#if defined (MBEDTLS_DEBUG_C)
+ if( len > 5 )
+ {
+ MBEDTLS_SSL_DEBUG_BUF( 3, "received mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len );
+ }
+#endif
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* Parse HelloVerifyRequest. Only called after verifying the HS type.
*/
@@ -1690,12 +2082,13 @@
if( ssl->conf->renego_max_records >= 0 &&
ssl->renego_records_seen > ssl->conf->renego_max_records )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
- "but not honored by server" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "renegotiation requested, but not honored by server" ) );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "non-handshake message during renegotiation" ) );
ssl->keep_current_message = 1;
return( MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
@@ -1703,8 +2096,10 @@
#endif /* MBEDTLS_SSL_RENEGOTIATION */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -1758,11 +2153,13 @@
ssl->major_ver > ssl->conf->max_major_ver ||
ssl->minor_ver > ssl->conf->max_minor_ver )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
- " min: [%d:%d], server: [%d:%d], max: [%d:%d]",
- ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
- ssl->major_ver, ssl->minor_ver,
- ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
+ ssl->conf->min_major_ver,
+ ssl->conf->min_minor_ver,
+ ssl->major_ver, ssl->minor_ver,
+ ssl->conf->max_major_ver,
+ ssl->conf->max_minor_ver ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
@@ -1771,10 +2168,10 @@
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
- ( (uint32_t) buf[2] << 24 ) |
- ( (uint32_t) buf[3] << 16 ) |
- ( (uint32_t) buf[4] << 8 ) |
- ( (uint32_t) buf[5] ) ) );
+ ( (unsigned long) buf[2] << 24 ) |
+ ( (unsigned long) buf[3] << 16 ) |
+ ( (unsigned long) buf[4] << 8 ) |
+ ( (unsigned long) buf[5] ) ) );
memcpy( ssl->handshake->randbytes + 32, buf + 2, 32 );
@@ -1799,8 +2196,10 @@
ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + 40 + n + ext_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
}
@@ -1839,9 +2238,12 @@
if( comp != MBEDTLS_SSL_COMPRESS_NULL )
#endif/* MBEDTLS_ZLIB_SUPPORT */
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server hello, bad compression: %d", comp ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server hello, bad compression: %d", comp ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
@@ -1851,7 +2253,8 @@
ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
if( ssl->handshake->ciphersuite_info == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "ciphersuite info for %04x not found", (unsigned int)i ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -1859,7 +2262,7 @@
mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
/*
@@ -1891,8 +2294,10 @@
if( ( ret = mbedtls_ssl_derive_keys( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_derive_keys", ret );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
return( ret );
}
}
@@ -1900,8 +2305,9 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->handshake->resume ? "a" : "no" ) );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", (unsigned) i ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d",
+ buf[37 + n] ) );
/*
* Perform cipher suite validation in same way as in ssl_write_client_hello.
@@ -1912,8 +2318,10 @@
if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1924,16 +2332,21 @@
}
}
- suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
- if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
+ suite_info = mbedtls_ssl_ciphersuite_from_id(
+ ssl->session_negotiate->ciphersuite );
+ if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver,
+ ssl->minor_ver ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
@@ -1950,15 +2363,18 @@
)
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->session_negotiate->compression = comp;
ext = buf + 40 + n;
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2,
+ ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET, ext_len ) );
while( ext_len )
{
@@ -1970,8 +2386,9 @@
if( ext_size + 4 > ext_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -1991,7 +2408,8 @@
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max_fragment_length extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "found max_fragment_length extension" ) );
if( ( ret = ssl_parse_max_fragment_length_ext( ssl,
ext + 4, ext_size ) ) != 0 )
@@ -2044,7 +2462,8 @@
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended_master_secret extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "found extended_master_secret extension" ) );
if( ( ret = ssl_parse_extended_ms_ext( ssl,
ext + 4, ext_size ) ) != 0 )
@@ -2071,7 +2490,8 @@
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported_point_formats extension" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "found supported_point_formats extension" ) );
if( ( ret = ssl_parse_supported_point_formats_ext( ssl,
ext + 4, ext_size ) ) != 0 )
@@ -2106,9 +2526,19 @@
break;
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ case MBEDTLS_TLS_EXT_USE_SRTP:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
+
+ if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 )
+ return( ret );
+
+ break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
default:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
- ext_id ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "unknown extension found: %u (ignoring)", ext_id ) );
}
ext_len -= 4 + ext_size;
@@ -2125,9 +2555,11 @@
* Renegotiation security checks
*/
if( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
+ ssl->conf->allow_legacy_renegotiation ==
+ MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1;
}
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@@ -2135,12 +2567,14 @@
ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
renegotiation_info_seen == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension missing (secure)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "renegotiation_info extension missing (secure)" ) );
handshake_failure = 1;
}
else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
- ssl->conf->allow_legacy_renegotiation == MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
+ ssl->conf->allow_legacy_renegotiation ==
+ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "legacy renegotiation not allowed" ) );
handshake_failure = 1;
@@ -2149,15 +2583,18 @@
ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
renegotiation_info_seen == 1 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "renegotiation_info extension present (legacy)" ) );
handshake_failure = 1;
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
if( handshake_failure == 1 )
{
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
}
@@ -2168,10 +2605,12 @@
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
-static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char **p,
+static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl,
+ unsigned char **p,
unsigned char *end )
{
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
+ size_t dhm_actual_bitlen;
/*
* Ephemeral DH parameters:
@@ -2182,16 +2621,18 @@
* opaque dh_Ys<1..2^16-1>;
* } ServerDHParams;
*/
- if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx, p, end ) ) != 0 )
+ if( ( ret = mbedtls_dhm_read_params( &ssl->handshake->dhm_ctx,
+ p, end ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 2, ( "mbedtls_dhm_read_params" ), ret );
return( ret );
}
- if( ssl->handshake->dhm_ctx.len * 8 < ssl->conf->dhm_min_bitlen )
+ dhm_actual_bitlen = mbedtls_mpi_bitlen( &ssl->handshake->dhm_ctx.P );
+ if( dhm_actual_bitlen < ssl->conf->dhm_min_bitlen )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %d < %d",
- ssl->handshake->dhm_ctx.len * 8,
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
+ dhm_actual_bitlen,
ssl->conf->dhm_min_bitlen ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2340,7 +2781,8 @@
if( ssl_check_server_ecdh_params( ssl ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message (ECDHE curve)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "bad server key exchange message (ECDHE curve)" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2366,8 +2808,8 @@
*/
if( end - (*p) < 2 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
- "(psk_identity_hint length)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "bad server key exchange message (psk_identity_hint length)" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
len = (*p)[0] << 8 | (*p)[1];
@@ -2375,8 +2817,8 @@
if( end - (*p) < len )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message "
- "(psk_identity_hint length)" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "bad server key exchange message (psk_identity_hint length)" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2419,8 +2861,9 @@
* opaque random[46];
* } PreMasterSecret;
*/
- mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
- ssl->conf->transport, p );
+ mbedtls_ssl_write_version( ssl->conf->max_major_ver,
+ ssl->conf->max_minor_ver,
+ ssl->conf->transport, p );
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
{
@@ -2506,20 +2949,22 @@
/*
* Get hash algorithm
*/
- if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) ) == MBEDTLS_MD_NONE )
+ if( ( *md_alg = mbedtls_ssl_md_alg_from_hash( (*p)[0] ) )
+ == MBEDTLS_MD_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server used unsupported "
- "HashAlgorithm %d", *(p)[0] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "Server used unsupported HashAlgorithm %d", *(p)[0] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
/*
* Get signature algorithm
*/
- if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) ) == MBEDTLS_PK_NONE )
+ if( ( *pk_alg = mbedtls_ssl_pk_alg_from_sig( (*p)[1] ) )
+ == MBEDTLS_PK_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used unsupported "
- "SignatureAlgorithm %d", (*p)[1] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server used unsupported SignatureAlgorithm %d", (*p)[1] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2528,13 +2973,15 @@
*/
if( mbedtls_ssl_check_sig_hash( ssl, *md_alg ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server used HashAlgorithm %d that was not offered",
- *(p)[0] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server used HashAlgorithm %d that was not offered", *(p)[0] ) );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d", (*p)[1] ) );
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d", (*p)[0] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used SignatureAlgorithm %d",
+ (*p)[1] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Server used HashAlgorithm %d",
+ (*p)[0] ) );
*p += 2;
return( 0 );
@@ -2625,8 +3072,10 @@
if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( ret );
}
@@ -2656,8 +3105,10 @@
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -2676,10 +3127,12 @@
goto exit;
}
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key exchange message must "
- "not be skipped" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "server key exchange message must not be skipped" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -2703,8 +3156,10 @@
if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
} /* FALLTROUGH */
@@ -2726,8 +3181,10 @@
if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
@@ -2743,8 +3200,10 @@
if( ssl_parse_server_ecdh_params_psa( ssl, &p, end ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
@@ -2762,8 +3221,10 @@
if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
@@ -2779,8 +3240,10 @@
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_two", ret );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
@@ -2813,17 +3276,24 @@
if( ssl_parse_signature_algorithm( ssl, &p, end,
&md_alg, &pk_alg ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "bad server key exchange message" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
- if( pk_alg != mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
+ if( pk_alg !=
+ mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ) )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "bad server key exchange message" ) );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
@@ -2853,8 +3323,10 @@
if( p > end - 2 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
sig_len = ( p[0] << 8 ) | p[1];
@@ -2863,8 +3335,10 @@
if( p != end - sig_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
@@ -2924,8 +3398,10 @@
if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
}
@@ -2940,8 +3416,10 @@
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
#endif
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
@@ -3013,8 +3491,10 @@
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -3090,8 +3570,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
- size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
- | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
+ size_t sig_alg_len =
+ ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
+ | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
#if defined(MBEDTLS_DEBUG_C)
unsigned char* sig_alg;
size_t i;
@@ -3109,11 +3590,14 @@
* buf[...hdr_len + 3 + n + sig_alg_len],
* which is one less than we need the buf to be.
*/
- if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
+ if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl )
+ + 3 + n + sig_alg_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
}
@@ -3121,8 +3605,9 @@
sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
for( i = 0; i < sig_alg_len; i += 2 )
{
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "Supported Signature Algorithm found: %d"
- ",%d", sig_alg[i], sig_alg[i + 1] ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3,
+ ( "Supported Signature Algorithm found: %d,%d",
+ sig_alg[i], sig_alg[i + 1] ) );
}
#endif
@@ -3213,9 +3698,9 @@
header_len = 6;
ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx,
- (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
- &ssl->out_msg[header_len], content_len,
- ssl->conf->f_rng, ssl->conf->p_rng );
+ (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ),
+ &ssl->out_msg[header_len], content_len,
+ ssl->conf->f_rng, ssl->conf->p_rng );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret );
@@ -3226,10 +3711,10 @@
MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX );
if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
- ssl->handshake->premaster,
- MBEDTLS_PREMASTER_SIZE,
- &ssl->handshake->pmslen,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ ssl->handshake->premaster,
+ MBEDTLS_PREMASTER_SIZE,
+ &ssl->handshake->pmslen,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
return( ret );
@@ -3320,7 +3805,7 @@
status = psa_destroy_key( handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- handshake->ecdh_psa_privkey = 0;
+ handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
@@ -3379,10 +3864,10 @@
content_len = ssl->handshake->ecrs_n;
#endif
if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
- &ssl->handshake->pmslen,
- ssl->handshake->premaster,
- MBEDTLS_MPI_MAX_SIZE,
- ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
+ &ssl->handshake->pmslen,
+ ssl->handshake->premaster,
+ MBEDTLS_MPI_MAX_SIZE,
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
@@ -3419,8 +3904,8 @@
if( header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or "
- "SSL buffer too short" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "psk identity too long or SSL buffer too short" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
@@ -3471,8 +3956,8 @@
if( header_len + 2 + content_len >
MBEDTLS_SSL_OUT_CONTENT_LEN )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long"
- " or SSL buffer too short" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "psk identity or DHM size too long or SSL buffer too short" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
@@ -3530,7 +4015,8 @@
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "skip PMS generation for opaque PSK" ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1,
+ ( "skip PMS generation for opaque PSK" ) );
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
@@ -3538,7 +4024,8 @@
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
ciphersuite_info->key_exchange ) ) != 0 )
{
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1,
+ "mbedtls_ssl_psk_derive_premaster", ret );
return( ret );
}
}
@@ -3736,8 +4223,9 @@
* Until we encounter a server that does not, we will take this
* shortcut.
*
- * Reason: Otherwise we should have running hashes for SHA512 and SHA224
- * in order to satisfy 'weird' needs from the server side.
+ * Reason: Otherwise we should have running hashes for SHA512 and
+ * SHA224 in order to satisfy 'weird' needs from the server
+ * side.
*/
if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
{
@@ -3821,8 +4309,10 @@
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad new session ticket message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
+ mbedtls_ssl_send_alert_message(
+ ssl,
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
@@ -3860,7 +4350,7 @@
return( MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET );
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", ticket_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len ) );
/* We're not waiting for a NewSessionTicket message any more */
ssl->handshake->new_session_ticket = 0;
diff --git a/lib/libmbedtls/mbedtls/library/ssl_cookie.c b/lib/libmbedtls/mbedtls/library/ssl_cookie.c
index 0b566d6..69d1b32 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_cookie.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_cookie.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* DTLS cookie callbacks implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,19 +15,13 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* These session callbacks use a simple chained list
* to store and retrieve the session information.
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_COOKIE_C)
@@ -134,8 +128,7 @@
{
unsigned char hmac_out[COOKIE_MD_OUTLEN];
- if( (size_t)( end - *p ) < COOKIE_HMAC_LEN )
- return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_HMAC_LEN );
if( mbedtls_md_hmac_reset( hmac_ctx ) != 0 ||
mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
@@ -165,8 +158,7 @@
if( ctx == NULL || cli_id == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- if( (size_t)( end - *p ) < COOKIE_LEN )
- return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ MBEDTLS_SSL_CHK_BUF_PTR( *p, end, COOKIE_LEN );
#if defined(MBEDTLS_HAVE_TIME)
t = (unsigned long) mbedtls_time( NULL );
@@ -182,7 +174,7 @@
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret ) );
#endif
ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
@@ -190,8 +182,8 @@
#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
- MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR,
+ MBEDTLS_ERR_THREADING_MUTEX_ERROR ) );
#endif
return( ret );
@@ -218,7 +210,7 @@
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR, ret ) );
#endif
if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
@@ -228,8 +220,8 @@
#if defined(MBEDTLS_THREADING_C)
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
- MBEDTLS_ERR_THREADING_MUTEX_ERROR );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_SSL_INTERNAL_ERROR,
+ MBEDTLS_ERR_THREADING_MUTEX_ERROR ) );
#endif
if( ret != 0 )
diff --git a/lib/libmbedtls/mbedtls/library/ssl_invasive.h b/lib/libmbedtls/mbedtls/library/ssl_invasive.h
new file mode 100644
index 0000000..babbc27
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/ssl_invasive.h
@@ -0,0 +1,100 @@
+/**
+ * \file ssl_invasive.h
+ *
+ * \brief SSL module: interfaces for invasive testing only.
+ *
+ * The interfaces in this file are intended for testing purposes only.
+ * They SHOULD NOT be made available in library integrations except when
+ * building the library for testing.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef MBEDTLS_SSL_INVASIVE_H
+#define MBEDTLS_SSL_INVASIVE_H
+
+#include "common.h"
+#include "mbedtls/md.h"
+
+#if defined(MBEDTLS_TEST_HOOKS) && \
+ defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/** \brief Compute the HMAC of variable-length data with constant flow.
+ *
+ * This function computes the HMAC of the concatenation of \p add_data and \p
+ * data, and does with a code flow and memory access pattern that does not
+ * depend on \p data_len_secret, but only on \p min_data_len and \p
+ * max_data_len. In particular, this function always reads exactly \p
+ * max_data_len bytes from \p data.
+ *
+ * \param ctx The HMAC context. It must have keys configured
+ * with mbedtls_md_hmac_starts() and use one of the
+ * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
+ * It is reset using mbedtls_md_hmac_reset() after
+ * the computation is complete to prepare for the
+ * next computation.
+ * \param add_data The additional data prepended to \p data. This
+ * must point to a readable buffer of \p add_data_len
+ * bytes.
+ * \param add_data_len The length of \p add_data in bytes.
+ * \param data The data appended to \p add_data. This must point
+ * to a readable buffer of \p max_data_len bytes.
+ * \param data_len_secret The length of the data to process in \p data.
+ * This must be no less than \p min_data_len and no
+ * greater than \p max_data_len.
+ * \param min_data_len The minimal length of \p data in bytes.
+ * \param max_data_len The maximal length of \p data in bytes.
+ * \param output The HMAC will be written here. This must point to
+ * a writable buffer of sufficient size to hold the
+ * HMAC value.
+ *
+ * \retval 0
+ * Success.
+ * \retval MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
+ * The hardware accelerator failed.
+ */
+int mbedtls_ssl_cf_hmac(
+ mbedtls_md_context_t *ctx,
+ const unsigned char *add_data, size_t add_data_len,
+ const unsigned char *data, size_t data_len_secret,
+ size_t min_data_len, size_t max_data_len,
+ unsigned char *output );
+
+/** \brief Copy data from a secret position with constant flow.
+ *
+ * This function copies \p len bytes from \p src_base + \p offset_secret to \p
+ * dst, with a code flow and memory access pattern that does not depend on \p
+ * offset_secret, but only on \p offset_min, \p offset_max and \p len.
+ *
+ * \param dst The destination buffer. This must point to a writable
+ * buffer of at least \p len bytes.
+ * \param src_base The base of the source buffer. This must point to a
+ * readable buffer of at least \p offset_max + \p len
+ * bytes.
+ * \param offset_secret The offset in the source buffer from which to copy.
+ * This must be no less than \p offset_min and no greater
+ * than \p offset_max.
+ * \param offset_min The minimal value of \p offset_secret.
+ * \param offset_max The maximal value of \p offset_secret.
+ * \param len The number of bytes to copy.
+ */
+void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
+ const unsigned char *src_base,
+ size_t offset_secret,
+ size_t offset_min, size_t offset_max,
+ size_t len );
+#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
+#endif /* MBEDTLS_SSL_INVASIVE_H */
diff --git a/lib/libmbedtls/mbedtls/library/ssl_msg.c b/lib/libmbedtls/mbedtls/library/ssl_msg.c
index 976fc7b..1352b49 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_msg.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_msg.c
@@ -2,7 +2,7 @@
* Generic SSL/TLS messaging layer functions
* (record layer + retransmission state machine)
*
- * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -16,8 +16,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SSL 3.0 specification was drafted by Netscape in 1996,
@@ -28,11 +26,7 @@
* http://www.ietf.org/rfc/rfc4346.txt
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_TLS_C)
@@ -51,6 +45,8 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
+#include "ssl_invasive.h"
+
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -287,8 +283,8 @@
}
ssl->handshake->retransmit_timeout = new_timeout;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
- ssl->handshake->retransmit_timeout ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
+ (unsigned long) ssl->handshake->retransmit_timeout ) );
return( 0 );
}
@@ -296,8 +292,8 @@
static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
{
ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
- ssl->handshake->retransmit_timeout ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
+ (unsigned long) ssl->handshake->retransmit_timeout ) );
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -316,40 +312,29 @@
int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
-/* The function below is only used in the Lucky 13 counter-measure in
- * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */
-#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \
- ( defined(MBEDTLS_SSL_PROTO_TLS1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
- defined(MBEDTLS_SSL_PROTO_TLS1_2) )
-/* This function makes sure every byte in the memory region is accessed
- * (in ascending addresses order) */
-static void ssl_read_memory( unsigned char *p, size_t len )
-{
- unsigned char acc = 0;
- volatile unsigned char force;
-
- for( ; len != 0; p++, len-- )
- acc ^= *p;
-
- force = acc;
- (void) force;
-}
-#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */
-
/*
* Encryption/decryption functions
*/
-#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-/* This functions transforms a DTLS plaintext fragment and a record content
- * type into an instance of the DTLSInnerPlaintext structure:
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \
+ defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+
+static size_t ssl_compute_padding_length( size_t len,
+ size_t granularity )
+{
+ return( ( granularity - ( len + 1 ) % granularity ) % granularity );
+}
+
+/* This functions transforms a (D)TLS plaintext fragment and a record content
+ * type into an instance of the (D)TLSInnerPlaintext structure. This is used
+ * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
+ * a record's content type.
*
* struct {
* opaque content[DTLSPlaintext.length];
* ContentType real_type;
* uint8 zeros[length_of_padding];
- * } DTLSInnerPlaintext;
+ * } (D)TLSInnerPlaintext;
*
* Input:
* - `content`: The beginning of the buffer holding the
@@ -360,23 +345,21 @@
* - `rec_type`: The desired record content type.
*
* Output:
- * - `content`: The beginning of the resulting DTLSInnerPlaintext structure.
- * - `*content_size`: The length of the resulting DTLSInnerPlaintext structure.
+ * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
+ * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
*
* Returns:
* - `0` on success.
* - A negative error code if `max_len` didn't offer enough space
* for the expansion.
*/
-static int ssl_cid_build_inner_plaintext( unsigned char *content,
- size_t *content_size,
- size_t remaining,
- uint8_t rec_type )
+static int ssl_build_inner_plaintext( unsigned char *content,
+ size_t *content_size,
+ size_t remaining,
+ uint8_t rec_type,
+ size_t pad )
{
size_t len = *content_size;
- size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -
- ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %
- MBEDTLS_SSL_CID_PADDING_GRANULARITY;
/* Write real content type */
if( remaining == 0 )
@@ -395,9 +378,9 @@
return( 0 );
}
-/* This function parses a DTLSInnerPlaintext structure.
- * See ssl_cid_build_inner_plaintext() for details. */
-static int ssl_cid_parse_inner_plaintext( unsigned char const *content,
+/* This function parses a (D)TLSInnerPlaintext structure.
+ * See ssl_build_inner_plaintext() for details. */
+static int ssl_parse_inner_plaintext( unsigned char const *content,
size_t *content_size,
uint8_t *rec_type )
{
@@ -416,13 +399,15 @@
return( 0 );
}
-#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
+ MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/* `add_data` must have size 13 Bytes if the CID extension is disabled,
* and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
static void ssl_extract_add_data_from_record( unsigned char* add_data,
size_t *add_data_len,
- mbedtls_record *rec )
+ mbedtls_record *rec,
+ unsigned minor_ver )
{
/* Quoting RFC 5246 (TLS 1.2):
*
@@ -438,28 +423,50 @@
* cid +
* cid_length +
* length_of_DTLSInnerPlaintext;
+ *
+ * For TLS 1.3, the record sequence number is dropped from the AAD
+ * and encoded within the nonce of the AEAD operation instead.
*/
- memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );
- add_data[8] = rec->type;
- memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );
+ unsigned char *cur = add_data;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 )
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+ {
+ ((void) minor_ver);
+ memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
+ cur += sizeof( rec->ctr );
+ }
+
+ *cur = rec->type;
+ cur++;
+
+ memcpy( cur, rec->ver, sizeof( rec->ver ) );
+ cur += sizeof( rec->ver );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( rec->cid_len != 0 )
{
- memcpy( add_data + 11, rec->cid, rec->cid_len );
- add_data[11 + rec->cid_len + 0] = rec->cid_len;
- add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;
- add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;
- *add_data_len = 13 + 1 + rec->cid_len;
+ memcpy( cur, rec->cid, rec->cid_len );
+ cur += rec->cid_len;
+
+ *cur = rec->cid_len;
+ cur++;
+
+ cur[0] = ( rec->data_len >> 8 ) & 0xFF;
+ cur[1] = ( rec->data_len >> 0 ) & 0xFF;
+ cur += 2;
}
else
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
{
- add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;
- add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;
- *add_data_len = 13;
+ cur[0] = ( rec->data_len >> 8 ) & 0xFF;
+ cur[1] = ( rec->data_len >> 0 ) & 0xFF;
+ cur += 2;
}
+
+ *add_data_len = cur - add_data;
}
#if defined(MBEDTLS_SSL_PROTO_SSL3)
@@ -509,6 +516,57 @@
}
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
+#if defined(MBEDTLS_GCM_C) || \
+ defined(MBEDTLS_CCM_C) || \
+ defined(MBEDTLS_CHACHAPOLY_C)
+static int ssl_transform_aead_dynamic_iv_is_explicit(
+ mbedtls_ssl_transform const *transform )
+{
+ return( transform->ivlen != transform->fixed_ivlen );
+}
+
+/* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
+ *
+ * Concretely, this occurs in two variants:
+ *
+ * a) Fixed and dynamic IV lengths add up to total IV length, giving
+ * IV = fixed_iv || dynamic_iv
+ *
+ * This variant is used in TLS 1.2 when used with GCM or CCM.
+ *
+ * b) Fixed IV lengths matches total IV length, giving
+ * IV = fixed_iv XOR ( 0 || dynamic_iv )
+ *
+ * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
+ *
+ * See also the documentation of mbedtls_ssl_transform.
+ *
+ * This function has the precondition that
+ *
+ * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
+ *
+ * which has to be ensured by the caller. If this precondition
+ * violated, the behavior of this function is undefined.
+ */
+static void ssl_build_record_nonce( unsigned char *dst_iv,
+ size_t dst_iv_len,
+ unsigned char const *fixed_iv,
+ size_t fixed_iv_len,
+ unsigned char const *dynamic_iv,
+ size_t dynamic_iv_len )
+{
+ size_t i;
+
+ /* Start with Fixed IV || 0 */
+ memset( dst_iv, 0, dst_iv_len );
+ memcpy( dst_iv, fixed_iv, fixed_iv_len );
+
+ dst_iv += dst_iv_len - dynamic_iv_len;
+ for( i = 0; i < dynamic_iv_len; i++ )
+ dst_iv[i] ^= dynamic_iv[i];
+}
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+
int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec,
@@ -530,10 +588,7 @@
/* The PRNG is used for dynamic IV generation that's used
* for CBC transformations in TLS 1.1 and TLS 1.2. */
-#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || \
- defined(MBEDTLS_ARIA_C) || \
- defined(MBEDTLS_CAMELLIA_C) ) && \
+#if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )
((void) f_rng);
((void) p_rng);
@@ -568,12 +623,44 @@
if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",
- (unsigned) rec->data_len,
- MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
+ " too large, maximum %" MBEDTLS_PRINTF_SIZET,
+ rec->data_len,
+ (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
+ /* The following two code paths implement the (D)TLSInnerPlaintext
+ * structure present in TLS 1.3 and DTLS 1.2 + CID.
+ *
+ * See ssl_build_inner_plaintext() for more information.
+ *
+ * Note that this changes `rec->data_len`, and hence
+ * `post_avail` needs to be recalculated afterwards.
+ *
+ * Note also that the two code paths cannot occur simultaneously
+ * since they apply to different versions of the protocol. There
+ * is hence no risk of double-addition of the inner plaintext.
+ */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
+ {
+ size_t padding =
+ ssl_compute_padding_length( rec->data_len,
+ MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY );
+ if( ssl_build_inner_plaintext( data,
+ &rec->data_len,
+ post_avail,
+ rec->type,
+ padding ) != 0 )
+ {
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ }
+
+ rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/*
* Add CID information
@@ -584,17 +671,21 @@
if( rec->cid_len != 0 )
{
+ size_t padding =
+ ssl_compute_padding_length( rec->data_len,
+ MBEDTLS_SSL_CID_PADDING_GRANULARITY );
/*
* Wrap plaintext into DTLSInnerPlaintext structure.
- * See ssl_cid_build_inner_plaintext() for more information.
+ * See ssl_build_inner_plaintext() for more information.
*
* Note that this changes `rec->data_len`, and hence
* `post_avail` needs to be recalculated afterwards.
*/
- if( ssl_cid_build_inner_plaintext( data,
+ if( ssl_build_inner_plaintext( data,
&rec->data_len,
post_avail,
- rec->type ) != 0 )
+ rec->type,
+ padding ) != 0 )
{
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
@@ -638,7 +729,8 @@
{
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
+ transform->minor_ver );
mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
add_data_len );
@@ -673,7 +765,7 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t olen;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
"including %d bytes of padding",
rec->data_len, 0 ) );
@@ -704,55 +796,54 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char iv[12];
- size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+ unsigned char *dynamic_iv;
+ size_t dynamic_iv_len;
+ int dynamic_iv_is_explicit =
+ ssl_transform_aead_dynamic_iv_is_explicit( transform );
- /* Check that there's space for both the authentication tag
- * and the explicit IV before and after the record content. */
- if( post_avail < transform->taglen ||
- rec->data_offset < explicit_iv_len )
+ /* Check that there's space for the authentication tag. */
+ if( post_avail < transform->taglen )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
/*
- * Generate IV
+ * Build nonce for AEAD encryption.
+ *
+ * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+ * part of the IV is prepended to the ciphertext and
+ * can be chosen freely - in particular, it need not
+ * agree with the record sequence number.
+ * However, since ChaChaPoly as well as all AEAD modes
+ * in TLS 1.3 use the record sequence number as the
+ * dynamic part of the nonce, we uniformly use the
+ * record sequence number here in all cases.
*/
- if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
- {
- /* GCM and CCM: fixed || explicit (=seqnum) */
- memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
- memcpy( iv + transform->fixed_ivlen, rec->ctr,
- explicit_iv_len );
- /* Prefix record content with explicit IV. */
- memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );
- }
- else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
- {
- /* ChachaPoly: fixed XOR sequence number */
- unsigned char i;
+ dynamic_iv = rec->ctr;
+ dynamic_iv_len = sizeof( rec->ctr );
- memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
+ ssl_build_record_nonce( iv, sizeof( iv ),
+ transform->iv_enc,
+ transform->fixed_ivlen,
+ dynamic_iv,
+ dynamic_iv_len );
- for( i = 0; i < 8; i++ )
- iv[i+4] ^= rec->ctr[i];
- }
- else
- {
- /* Reminder if we ever add an AEAD mode with a different size */
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ /*
+ * Build additional data for AEAD encryption.
+ * This depends on the TLS version.
+ */
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
+ transform->minor_ver );
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
- iv, transform->ivlen );
+ iv, transform->ivlen );
MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
- data - explicit_iv_len, explicit_iv_len );
+ dynamic_iv,
+ dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
add_data, add_data_len );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
"including 0 bytes of padding",
rec->data_len ) );
@@ -760,29 +851,44 @@
* Encrypt and authenticate
*/
- if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
+ if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
iv, transform->ivlen,
- add_data, add_data_len, /* add data */
- data, rec->data_len, /* source */
- data, &rec->data_len, /* destination */
- data + rec->data_len, transform->taglen ) ) != 0 )
+ add_data, add_data_len,
+ data, rec->data_len, /* src */
+ data, rec->buf_len - (data - rec->buf), /* dst */
+ &rec->data_len,
+ transform->taglen ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
return( ret );
}
-
MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
- data + rec->data_len, transform->taglen );
-
- rec->data_len += transform->taglen + explicit_iv_len;
- rec->data_offset -= explicit_iv_len;
+ data + rec->data_len - transform->taglen,
+ transform->taglen );
+ /* Account for authentication tag. */
post_avail -= transform->taglen;
+
+ /*
+ * Prefix record content with dynamic IV in case it is explicit.
+ */
+ if( dynamic_iv_is_explicit != 0 )
+ {
+ if( rec->data_offset < dynamic_iv_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ }
+
+ memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
+ rec->data_offset -= dynamic_iv_len;
+ rec->data_len += dynamic_iv_len;
+ }
+
auth_done++;
}
else
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -840,8 +946,9 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
- "including %d bytes of IV and %d bytes of padding",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
+ "including %" MBEDTLS_PRINTF_SIZET
+ " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
rec->data_len, transform->ivlen,
padlen + 1 ) );
@@ -898,7 +1005,8 @@
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
}
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ ssl_extract_add_data_from_record( add_data, &add_data_len,
+ rec, transform->minor_ver );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@@ -920,8 +1028,7 @@
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
}
else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -939,6 +1046,242 @@
return( 0 );
}
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
+/*
+ * Turn a bit into a mask:
+ * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1
+ * - if bit == 0, return the all-bits 0 mask, aka 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit )
+{
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+ return -bit;
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+}
+
+/*
+ * Constant-flow mask generation for "less than" comparison:
+ * - if x < y, return all bits 1, that is (size_t) -1
+ * - otherwise, return all bits 0, that is 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y )
+{
+ /* This has the most significant bit set if and only if x < y */
+ const size_t sub = x - y;
+
+ /* sub1 = (x < y) ? 1 : 0 */
+ const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
+
+ /* mask = (x < y) ? 0xff... : 0x00... */
+ const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 );
+
+ return( mask );
+}
+
+/*
+ * Constant-flow mask generation for "greater or equal" comparison:
+ * - if x >= y, return all bits 1, that is (size_t) -1
+ * - otherwise, return all bits 0, that is 0
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations using masks.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y )
+{
+ return( ~mbedtls_ssl_cf_mask_lt( x, y ) );
+}
+
+/*
+ * Constant-flow boolean "equal" comparison:
+ * return x == y
+ *
+ * This function can be used to write constant-time code by replacing branches
+ * with bit operations - it can be used in conjunction with
+ * mbedtls_ssl_cf_mask_from_bit().
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y )
+{
+ /* diff = 0 if x == y, non-zero otherwise */
+ const size_t diff = x ^ y;
+
+ /* MSVC has a warning about unary minus on unsigned integer types,
+ * but this is well-defined and precisely what we want to do here. */
+#if defined(_MSC_VER)
+#pragma warning( push )
+#pragma warning( disable : 4146 )
+#endif
+
+ /* diff_msb's most significant bit is equal to x != y */
+ const size_t diff_msb = ( diff | -diff );
+
+#if defined(_MSC_VER)
+#pragma warning( pop )
+#endif
+
+ /* diff1 = (x != y) ? 1 : 0 */
+ const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
+
+ return( 1 ^ diff1 );
+}
+
+/*
+ * Constant-flow conditional memcpy:
+ * - if c1 == c2, equivalent to memcpy(dst, src, len),
+ * - otherwise, a no-op,
+ * but with execution flow independent of the values of c1 and c2.
+ *
+ * This function is implemented without using comparison operators, as those
+ * might be translated to branches by some compilers on some platforms.
+ */
+static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
+ const unsigned char *src,
+ size_t len,
+ size_t c1, size_t c2 )
+{
+ /* mask = c1 == c2 ? 0xff : 0x00 */
+ const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 );
+ const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal );
+
+ /* dst[i] = c1 == c2 ? src[i] : dst[i] */
+ for( size_t i = 0; i < len; i++ )
+ dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask );
+}
+
+/*
+ * Compute HMAC of variable-length data with constant flow.
+ *
+ * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
+ * (Otherwise, computation of block_size needs to be adapted.)
+ */
+MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
+ mbedtls_md_context_t *ctx,
+ const unsigned char *add_data, size_t add_data_len,
+ const unsigned char *data, size_t data_len_secret,
+ size_t min_data_len, size_t max_data_len,
+ unsigned char *output )
+{
+ /*
+ * This function breaks the HMAC abstraction and uses the md_clone()
+ * extension to the MD API in order to get constant-flow behaviour.
+ *
+ * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
+ * concatenation, and okey/ikey are the XOR of the key with some fixed bit
+ * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
+ *
+ * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
+ * minlen, then cloning the context, and for each byte up to maxlen
+ * finishing up the hash computation, keeping only the correct result.
+ *
+ * Then we only need to compute HASH(okey + inner_hash) and we're done.
+ */
+ const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
+ /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
+ * all of which have the same block size except SHA-384. */
+ const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
+ const unsigned char * const ikey = ctx->hmac_ctx;
+ const unsigned char * const okey = ikey + block_size;
+ const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
+
+ unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
+ mbedtls_md_context_t aux;
+ size_t offset;
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
+ mbedtls_md_init( &aux );
+
+#define MD_CHK( func_call ) \
+ do { \
+ ret = (func_call); \
+ if( ret != 0 ) \
+ goto cleanup; \
+ } while( 0 )
+
+ MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
+
+ /* After hmac_start() of hmac_reset(), ikey has already been hashed,
+ * so we can start directly with the message */
+ MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
+ MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
+
+ /* For each possible length, compute the hash up to that point */
+ for( offset = min_data_len; offset <= max_data_len; offset++ )
+ {
+ MD_CHK( mbedtls_md_clone( &aux, ctx ) );
+ MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
+ /* Keep only the correct inner_hash in the output buffer */
+ mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
+ offset, data_len_secret );
+
+ if( offset < max_data_len )
+ MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
+ }
+
+ /* The context needs to finish() before it starts() again */
+ MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
+
+ /* Now compute HASH(okey + inner_hash) */
+ MD_CHK( mbedtls_md_starts( ctx ) );
+ MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
+ MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
+ MD_CHK( mbedtls_md_finish( ctx, output ) );
+
+ /* Done, get ready for next time */
+ MD_CHK( mbedtls_md_hmac_reset( ctx ) );
+
+#undef MD_CHK
+
+cleanup:
+ mbedtls_md_free( &aux );
+ return( ret );
+}
+
+/*
+ * Constant-flow memcpy from variable position in buffer.
+ * - functionally equivalent to memcpy(dst, src + offset_secret, len)
+ * - but with execution flow independent from the value of offset_secret.
+ */
+MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
+ unsigned char *dst,
+ const unsigned char *src_base,
+ size_t offset_secret,
+ size_t offset_min, size_t offset_max,
+ size_t len )
+{
+ size_t offset;
+
+ for( offset = offset_min; offset <= offset_max; offset++ )
+ {
+ mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
+ offset, offset_secret );
+ }
+}
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
+
int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
mbedtls_ssl_transform *transform,
mbedtls_record *rec )
@@ -1012,61 +1355,65 @@
mode == MBEDTLS_MODE_CHACHAPOLY )
{
unsigned char iv[12];
- size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
+ unsigned char *dynamic_iv;
+ size_t dynamic_iv_len;
/*
- * Prepare IV from explicit and implicit data.
+ * Extract dynamic part of nonce for AEAD decryption.
+ *
+ * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
+ * part of the IV is prepended to the ciphertext and
+ * can be chosen freely - in particular, it need not
+ * agree with the record sequence number.
*/
-
- /* Check that there's enough space for the explicit IV
- * (at the beginning of the record) and the MAC (at the
- * end of the record). */
- if( rec->data_len < explicit_iv_len + transform->taglen )
+ dynamic_iv_len = sizeof( rec->ctr );
+ if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
- "+ taglen (%d)", rec->data_len,
- explicit_iv_len, transform->taglen ) );
+ if( rec->data_len < dynamic_iv_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
+ " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
+ rec->data_len,
+ dynamic_iv_len ) );
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );
+ }
+ dynamic_iv = data;
+
+ data += dynamic_iv_len;
+ rec->data_offset += dynamic_iv_len;
+ rec->data_len -= dynamic_iv_len;
+ }
+ else
+ {
+ dynamic_iv = rec->ctr;
+ }
+
+ /* Check that there's space for the authentication tag. */
+ if( rec->data_len < transform->taglen )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
+ rec->data_len,
+ transform->taglen ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
}
+ rec->data_len -= transform->taglen;
-#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
- if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
- {
- /* GCM and CCM: fixed || explicit */
+ /*
+ * Prepare nonce from dynamic and static parts.
+ */
+ ssl_build_record_nonce( iv, sizeof( iv ),
+ transform->iv_dec,
+ transform->fixed_ivlen,
+ dynamic_iv,
+ dynamic_iv_len );
- /* Fixed */
- memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
- /* Explicit */
- memcpy( iv + transform->fixed_ivlen, data, 8 );
- }
- else
-#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CHACHAPOLY_C)
- if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
- {
- /* ChachaPoly: fixed XOR sequence number */
- unsigned char i;
-
- memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
-
- for( i = 0; i < 8; i++ )
- iv[i+4] ^= rec->ctr[i];
- }
- else
-#endif /* MBEDTLS_CHACHAPOLY_C */
- {
- /* Reminder if we ever add an AEAD mode with a different size */
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- /* Group changes to data, data_len, and add_data, because
- * add_data depends on data_len. */
- data += explicit_iv_len;
- rec->data_offset += explicit_iv_len;
- rec->data_len -= explicit_iv_len + transform->taglen;
-
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ /*
+ * Build additional data for AEAD encryption.
+ * This depends on the TLS version.
+ */
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
+ transform->minor_ver );
MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
add_data, add_data_len );
@@ -1083,12 +1430,11 @@
/*
* Decrypt and authenticate
*/
- if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,
+ if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
iv, transform->ivlen,
add_data, add_data_len,
- data, rec->data_len,
- data, &olen,
- data + rec->data_len,
+ data, rec->data_len + transform->taglen, /* src */
+ data, rec->buf_len - (data - rec->buf), &olen, /* dst */
transform->taglen ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
@@ -1109,8 +1455,7 @@
}
else
#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
-#if defined(MBEDTLS_CIPHER_MODE_CBC) && \
- ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )
+#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
if( mode == MBEDTLS_MODE_CBC )
{
size_t minlen = 0;
@@ -1150,7 +1495,9 @@
if( rec->data_len < minlen + transform->ivlen ||
rec->data_len < minlen + transform->maclen + 1 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
+ "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
"+ 1 ) ( + expl IV )", rec->data_len,
transform->ivlen,
transform->maclen ) );
@@ -1178,7 +1525,8 @@
*
* Further, we still know that data_len > minlen */
rec->data_len -= transform->maclen;
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
+ transform->minor_ver );
/* Calculate expected MAC. */
MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
@@ -1215,7 +1563,8 @@
* data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
if( rec->data_len % transform->ivlen != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
+ ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
rec->data_len, transform->ivlen ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
}
@@ -1274,23 +1623,31 @@
if( auth_done == 1 )
{
- correct *= ( rec->data_len >= padlen + 1 );
- padlen *= ( rec->data_len >= padlen + 1 );
+ const size_t mask = mbedtls_ssl_cf_mask_ge(
+ rec->data_len,
+ padlen + 1 );
+ correct &= mask;
+ padlen &= mask;
}
else
{
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if( rec->data_len < transform->maclen + padlen + 1 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
+ ") < maclen (%" MBEDTLS_PRINTF_SIZET
+ ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
rec->data_len,
transform->maclen,
padlen + 1 ) );
}
#endif
- correct *= ( rec->data_len >= transform->maclen + padlen + 1 );
- padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );
+ const size_t mask = mbedtls_ssl_cf_mask_ge(
+ rec->data_len,
+ transform->maclen + padlen + 1 );
+ correct &= mask;
+ padlen &= mask;
}
padlen++;
@@ -1301,11 +1658,15 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
{
+ /* This is the SSL 3.0 path, we don't have to worry about Lucky
+ * 13, because there's a strictly worse padding attack built in
+ * the protocol (known as part of POODLE), so we don't care if the
+ * code is not constant-time, in particular branches are OK. */
if( padlen > transform->ivlen )
{
#if defined(MBEDTLS_SSL_DEBUG_ALL)
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
- "should be no more than %d",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %" MBEDTLS_PRINTF_SIZET ", "
+ "should be no more than %" MBEDTLS_PRINTF_SIZET,
padlen, transform->ivlen ) );
#endif
correct = 0;
@@ -1324,7 +1685,6 @@
* `min(256,plaintext_len)` reads (but take into account
* only the last `padlen` bytes for the padding check). */
size_t pad_count = 0;
- size_t real_count = 0;
volatile unsigned char* const check = data;
/* Index of first padding byte; it has been ensured above
@@ -1336,16 +1696,21 @@
for( idx = start_idx; idx < rec->data_len; idx++ )
{
- real_count |= ( idx >= padding_idx );
- pad_count += real_count * ( check[idx] == padlen - 1 );
+ /* pad_count += (idx >= padding_idx) &&
+ * (check[idx] == padlen - 1);
+ */
+ const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx );
+ const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx],
+ padlen - 1 );
+ pad_count += mask & equal;
}
- correct &= ( pad_count == padlen );
+ correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen );
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if( padlen > 0 && correct == 0 )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
#endif
- padlen &= correct * 0x1FF;
+ padlen &= mbedtls_ssl_cf_mask_from_bit( correct );
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@@ -1362,8 +1727,7 @@
rec->data_len -= padlen;
}
else
-#endif /* MBEDTLS_CIPHER_MODE_CBC &&
- ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */
+#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@@ -1382,6 +1746,7 @@
if( auth_done == 0 )
{
unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
+ unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
/* If the initial value of padlen was such that
* data_len < maclen + padlen + 1, then padlen
@@ -1397,7 +1762,8 @@
* hence data_len >= maclen in any case.
*/
rec->data_len -= transform->maclen;
- ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
+ transform->minor_ver );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
@@ -1407,6 +1773,7 @@
data, rec->data_len,
rec->ctr, rec->type,
mac_expect );
+ memcpy( mac_peer, data + rec->data_len, transform->maclen );
}
else
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
@@ -1415,38 +1782,8 @@
if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
{
/*
- * Process MAC and always update for padlen afterwards to make
- * total time independent of padlen.
- *
- * Known timing attacks:
- * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
- *
- * To compensate for different timings for the MAC calculation
- * depending on how much padding was removed (which is determined
- * by padlen), process extra_run more blocks through the hash
- * function.
- *
- * The formula in the paper is
- * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )
- * where L1 is the size of the header plus the decrypted message
- * plus CBC padding and L2 is the size of the header plus the
- * decrypted message. This is for an underlying hash function
- * with 64-byte blocks.
- * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values
- * correctly. We round down instead of up, so -56 is the correct
- * value for our calculations instead of -55.
- *
- * Repeat the formula rather than defining a block_size variable.
- * This avoids requiring division by a variable at runtime
- * (which would be marginally less efficient and would require
- * linking an extra division function in some builds).
- */
- size_t j, extra_run = 0;
- unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];
-
- /*
* The next two sizes are the minimum and maximum values of
- * in_msglen over all padlen values.
+ * data_len over all padlen values.
*
* They're independent of padlen, since we previously did
* data_len -= padlen.
@@ -1457,59 +1794,20 @@
const size_t max_len = rec->data_len + padlen;
const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
- memset( tmp, 0, sizeof( tmp ) );
-
- switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )
+ ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec,
+ add_data, add_data_len,
+ data, rec->data_len, min_len, max_len,
+ mac_expect );
+ if( ret != 0 )
{
-#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \
- defined(MBEDTLS_SHA256_C)
- case MBEDTLS_MD_MD5:
- case MBEDTLS_MD_SHA1:
- case MBEDTLS_MD_SHA256:
- /* 8 bytes of message size, 64-byte compression blocks */
- extra_run =
- ( add_data_len + rec->data_len + padlen + 8 ) / 64 -
- ( add_data_len + rec->data_len + 8 ) / 64;
- break;
-#endif
-#if defined(MBEDTLS_SHA512_C)
- case MBEDTLS_MD_SHA384:
- /* 16 bytes of message size, 128-byte compression blocks */
- extra_run =
- ( add_data_len + rec->data_len + padlen + 16 ) / 128 -
- ( add_data_len + rec->data_len + 16 ) / 128;
- break;
-#endif
- default:
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
+ return( ret );
}
- extra_run &= correct * 0xFF;
-
- mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
- add_data_len );
- mbedtls_md_hmac_update( &transform->md_ctx_dec, data,
- rec->data_len );
- /* Make sure we access everything even when padlen > 0. This
- * makes the synchronisation requirements for just-in-time
- * Prime+Probe attacks much tighter and hopefully impractical. */
- ssl_read_memory( data + rec->data_len, padlen );
- mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
-
- /* Call mbedtls_md_process at least once due to cache attacks
- * that observe whether md_process() was called of not */
- for( j = 0; j < extra_run + 1; j++ )
- mbedtls_md_process( &transform->md_ctx_dec, tmp );
-
- mbedtls_md_hmac_reset( &transform->md_ctx_dec );
-
- /* Make sure we access all the memory that could contain the MAC,
- * before we check it in the next code block. This makes the
- * synchronisation requirements for just-in-time Prime+Probe
- * attacks much tighter and hopefully impractical. */
- ssl_read_memory( data + min_len,
- max_len - min_len + transform->maclen );
+ mbedtls_ssl_cf_memcpy_offset( mac_peer, data,
+ rec->data_len,
+ min_len, max_len,
+ transform->maclen );
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
@@ -1521,10 +1819,10 @@
#if defined(MBEDTLS_SSL_DEBUG_ALL)
MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
- MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );
+ MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
#endif
- if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
+ if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
transform->maclen ) != 0 )
{
#if defined(MBEDTLS_SSL_DEBUG_ALL)
@@ -1549,11 +1847,23 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
+ {
+ /* Remove inner padding and infer true content type. */
+ ret = ssl_parse_inner_plaintext( data, &rec->data_len,
+ &rec->type );
+
+ if( ret != 0 )
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( rec->cid_len != 0 )
{
- ret = ssl_cid_parse_inner_plaintext( data, &rec->data_len,
- &rec->type );
+ ret = ssl_parse_inner_plaintext( data, &rec->data_len,
+ &rec->type );
if( ret != 0 )
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
@@ -1592,7 +1902,7 @@
memcpy( msg_pre, ssl->out_msg, len_pre );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
ssl->out_msglen ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
@@ -1613,7 +1923,7 @@
ssl->out_msglen = out_buf_len -
ssl->transform_out->ctx_deflate.avail_out - bytes_written;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
ssl->out_msglen ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
@@ -1644,7 +1954,7 @@
memcpy( msg_pre, ssl->in_msg, len_pre );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
ssl->in_msglen ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
@@ -1665,7 +1975,7 @@
ssl->in_msglen = in_buf_len -
ssl->transform_in->ctx_inflate.avail_out - header_bytes;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ",
ssl->in_msglen ) );
MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
@@ -1722,14 +2032,6 @@
{
uint32_t timeout;
- /* Just to be sure */
- if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
- "mbedtls_ssl_set_timer_cb() for DTLS" ) );
- return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- }
-
/*
* The point is, we need to always read a full datagram at once, so we
* sometimes read more then requested, and handle the additional data.
@@ -1752,7 +2054,8 @@
if( ssl->in_left != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %"
+ MBEDTLS_PRINTF_SIZET,
ssl->next_record_offset ) );
memmove( ssl->in_hdr,
ssl->in_hdr + ssl->next_record_offset,
@@ -1762,7 +2065,8 @@
ssl->next_record_offset = 0;
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
ssl->in_left, nb_want ) );
/*
@@ -1804,7 +2108,7 @@
else
timeout = ssl->conf->read_timeout;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) );
if( ssl->f_recv_timeout != NULL )
ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
@@ -1863,7 +2167,8 @@
else
#endif
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
ssl->in_left, nb_want ) );
while( ssl->in_left < nb_want )
@@ -1887,7 +2192,8 @@
}
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
+ ", nb_want: %" MBEDTLS_PRINTF_SIZET,
ssl->in_left, nb_want ) );
MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
@@ -1897,11 +2203,11 @@
if( ret < 0 )
return( ret );
- if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+ if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "f_recv returned %d bytes but only %lu were requested",
- ret, (unsigned long)len ) );
+ ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
+ ret, len ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
@@ -1940,7 +2246,8 @@
while( ssl->out_left > 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET
+ ", out_left: %" MBEDTLS_PRINTF_SIZET,
mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
buf = ssl->out_hdr - ssl->out_left;
@@ -1951,11 +2258,11 @@
if( ret <= 0 )
return( ret );
- if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )
+ if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "f_send returned %d bytes but only %lu bytes were sent",
- ret, (unsigned long)ssl->out_left ) );
+ ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
+ ret, ssl->out_left ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
@@ -1996,14 +2303,15 @@
/* Allocate space for current message */
if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
sizeof( mbedtls_ssl_flight_item ) ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
+ ssl->out_msglen ) );
mbedtls_free( msg );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
@@ -2409,9 +2717,10 @@
if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
- "size %u, maximum %u",
- (unsigned) ssl->out_msglen,
- (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+ "size %" MBEDTLS_PRINTF_SIZET
+ ", maximum %" MBEDTLS_PRINTF_SIZET,
+ ssl->out_msglen,
+ (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
@@ -2438,9 +2747,9 @@
if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
- "size %u, maximum %u",
- (unsigned) ( hs_len ),
- (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
+ "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
+ hs_len,
+ (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -2632,8 +2941,8 @@
/* Now write the potentially updated record content type. */
ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
- "version = [%d:%d], msglen = %d",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, "
+ "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
ssl->out_hdr[0], ssl->out_hdr[1],
ssl->out_hdr[2], len ) );
@@ -2829,7 +3138,7 @@
{
if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
@@ -2837,7 +3146,7 @@
ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
- " %d, type = %d, hslen = %d",
+ " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
#if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -2873,7 +3182,7 @@
ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
- "message_seq = %d, start_of_flight = %d",
+ "message_seq = %u, start_of_flight = %u",
recv_msg_seq,
ssl->handshake->in_flight_start_seq ) );
@@ -2886,7 +3195,7 @@
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
- "message_seq = %d, expected = %d",
+ "message_seq = %u, expected = %u",
recv_msg_seq,
ssl->handshake->in_msg_seq ) );
}
@@ -3456,8 +3765,8 @@
( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
- "version = [%d:%d], msglen = %d",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
+ "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
rec->type,
major_ver, minor_ver, rec->data_len ) );
@@ -3500,8 +3809,8 @@
if( rec_epoch != ssl->in_epoch )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
- "expected %d, received %d",
- ssl->in_epoch, rec_epoch ) );
+ "expected %u, received %lu",
+ ssl->in_epoch, (unsigned long) rec_epoch ) );
/* Records from the next epoch are considered for buffering
* (concretely: early Finished messages). */
@@ -4035,31 +4344,41 @@
{
/* If we can't buffer a future message because
* of space limitations -- ignore. */
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
- (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- (unsigned) hs->buffering.total_bytes_buffered ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- ignore\n",
+ msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered ) );
goto exit;
}
else
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
- (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- (unsigned) hs->buffering.total_bytes_buffered ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
+ msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered ) );
}
if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
- (unsigned) msg_len,
- (unsigned) reassembly_buf_sz,
- MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- (unsigned) hs->buffering.total_bytes_buffered ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
+ " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
+ " the compile-time limit %" MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- fail\n",
+ msg_len,
+ reassembly_buf_sz,
+ (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered ) );
ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
goto exit;
}
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
msg_len ) );
hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
@@ -4105,7 +4424,8 @@
frag_off = ssl_get_hs_frag_off( ssl );
frag_len = ssl_get_hs_frag_len( ssl );
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
+ ", length = %" MBEDTLS_PRINTF_SIZET,
frag_off, frag_len ) );
memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
@@ -4332,15 +4652,18 @@
if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
hs->buffering.total_bytes_buffered ) )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
- (unsigned) rec->buf_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
- (unsigned) hs->buffering.total_bytes_buffered ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
+ " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
+ " (already %" MBEDTLS_PRINTF_SIZET
+ " bytes buffered) -- ignore\n",
+ rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
+ hs->buffering.total_bytes_buffered ) );
return( 0 );
}
/* Buffer record */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
- ssl->in_epoch + 1 ) );
+ ssl->in_epoch + 1U ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
/* ssl_parse_record_header() only considers records
@@ -4613,7 +4936,7 @@
{
if( ssl->in_msglen != 1 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
@@ -4649,12 +4972,12 @@
/* Note: Standard allows for more than one 2 byte alert
to be packed in a single message, but Mbed TLS doesn't
currently support this. */
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
ssl->in_msglen ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
}
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]",
ssl->in_msg[0], ssl->in_msg[1] ) );
/*
@@ -4866,6 +5189,15 @@
* and the caller has to make sure there's space for this.
*/
+static size_t ssl_transform_get_explicit_iv_len(
+ mbedtls_ssl_transform const *transform )
+{
+ if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+ return( 0 );
+
+ return( transform->ivlen - transform->fixed_ivlen );
+}
+
void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
mbedtls_ssl_transform *transform )
{
@@ -4894,14 +5226,10 @@
ssl->out_iv = ssl->out_hdr + 5;
}
+ ssl->out_msg = ssl->out_iv;
/* Adjust out_msg to make space for explicit IV, if used. */
- if( transform != NULL &&
- ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
- {
- ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
- }
- else
- ssl->out_msg = ssl->out_iv;
+ if( transform != NULL )
+ ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
}
/* Once ssl->in_hdr as the address of the beginning of the
@@ -5425,6 +5753,10 @@
memcpy( buf, ssl->in_offt, n );
ssl->in_msglen -= n;
+ /* Zeroising the plaintext buffer to erase unused application data
+ from the memory. */
+ mbedtls_platform_zeroize( ssl->in_offt, n );
+
if( ssl->in_msglen == 0 )
{
/* all bytes consumed */
@@ -5472,7 +5804,8 @@
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
- "maximum fragment length: %d > %d",
+ "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
len, max_len ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
diff --git a/lib/libmbedtls/mbedtls/library/ssl_srv.c b/lib/libmbedtls/mbedtls/library/ssl_srv.c
index 5f184e8..aca871e 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_srv.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_srv.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* SSLv3/TLSv1 server-side functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_SRV_C)
@@ -163,7 +157,7 @@
return( 1 );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( conf->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -178,13 +172,13 @@
/* If we've used a callback to select the PSK,
* the static configuration is irrelevant. */
- if( ssl->handshake->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
return( 1 );
return( 0 );
}
- if( ssl->conf->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
return( 1 );
return( 0 );
@@ -304,13 +298,13 @@
{
mbedtls_ssl_sig_hash_set_add( &ssl->handshake->hash_algs, sig_cur, md_cur );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext:"
- " match sig %d and hash %d",
- sig_cur, md_cur ) );
+ " match sig %u and hash %u",
+ (unsigned) sig_cur, (unsigned) md_cur ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello v3, signature_algorithm ext: "
- "hash alg %d not supported", md_cur ) );
+ "hash alg %u not supported", (unsigned) md_cur ) );
}
}
@@ -639,7 +633,7 @@
/* Remember the client asked us to send a new ticket */
ssl->handshake->new_session_ticket = 1;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %d", len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket length: %" MBEDTLS_PRINTF_SIZET, len ) );
if( len == 0 )
return( 0 );
@@ -782,6 +776,126 @@
}
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ size_t len )
+{
+ mbedtls_ssl_srtp_profile client_protection = MBEDTLS_TLS_SRTP_UNSET;
+ size_t i,j;
+ size_t profile_length;
+ uint16_t mki_length;
+ /*! 2 bytes for profile length and 1 byte for mki len */
+ const size_t size_of_lengths = 3;
+
+ /* If use_srtp is not configured, just ignore the extension */
+ if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
+ ( ssl->conf->dtls_srtp_profile_list == NULL ) ||
+ ( ssl->conf->dtls_srtp_profile_list_len == 0 ) )
+ {
+ return( 0 );
+ }
+
+ /* RFC5764 section 4.1.1
+ * uint8 SRTPProtectionProfile[2];
+ *
+ * struct {
+ * SRTPProtectionProfiles SRTPProtectionProfiles;
+ * opaque srtp_mki<0..255>;
+ * } UseSRTPData;
+
+ * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
+ */
+
+ /*
+ * Min length is 5: at least one protection profile(2 bytes)
+ * and length(2 bytes) + srtp_mki length(1 byte)
+ * Check here that we have at least 2 bytes of protection profiles length
+ * and one of srtp_mki length
+ */
+ if( len < size_of_lengths )
+ {
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
+
+ /* first 2 bytes are protection profile length(in bytes) */
+ profile_length = ( buf[0] << 8 ) | buf[1];
+ buf += 2;
+
+ /* The profile length cannot be bigger than input buffer size - lengths fields */
+ if( profile_length > len - size_of_lengths ||
+ profile_length % 2 != 0 ) /* profiles are 2 bytes long, so the length must be even */
+ {
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+ /*
+ * parse the extension list values are defined in
+ * http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ */
+ for( j = 0; j < profile_length; j += 2 )
+ {
+ uint16_t protection_profile_value = buf[j] << 8 | buf[j + 1];
+ client_protection = mbedtls_ssl_check_srtp_profile_value( protection_profile_value );
+
+ if( client_protection != MBEDTLS_TLS_SRTP_UNSET )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ client_protection ) ) );
+ }
+ else
+ {
+ continue;
+ }
+ /* check if suggested profile is in our list */
+ for( i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++)
+ {
+ if( client_protection == ssl->conf->dtls_srtp_profile_list[i] )
+ {
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected srtp profile: %s",
+ mbedtls_ssl_get_srtp_profile_as_string(
+ client_protection ) ) );
+ break;
+ }
+ }
+ if( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_TLS_SRTP_UNSET )
+ break;
+ }
+ buf += profile_length; /* buf points to the mki length */
+ mki_length = *buf;
+ buf++;
+
+ if( mki_length > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH ||
+ mki_length + profile_length + size_of_lengths != len )
+ {
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+
+ /* Parse the mki only if present and mki is supported locally */
+ if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED &&
+ mki_length > 0 )
+ {
+ ssl->dtls_srtp_info.mki_len = mki_length;
+
+ memcpy( ssl->dtls_srtp_info.mki_value, buf, mki_length );
+
+ MBEDTLS_SSL_DEBUG_BUF( 3, "using mki", ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len );
+ }
+
+ return( 0 );
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
/*
* Auxiliary functions for ServerHello parsing and related actions
*/
@@ -933,7 +1047,8 @@
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %#04x (%s)",
+ (unsigned int) suite_id, suite_info->name ) );
if( suite_info->min_minor_ver > ssl->minor_ver ||
suite_info->max_minor_ver < ssl->minor_ver )
@@ -1001,7 +1116,7 @@
mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, sig_type ) == MBEDTLS_MD_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no suitable hash algorithm "
- "for signature algorithm %d", sig_type ) );
+ "for signature algorithm %u", (unsigned) sig_type ) );
return( 0 );
}
}
@@ -1132,7 +1247,7 @@
sess_len = ( buf[2] << 8 ) | buf[3];
chal_len = ( buf[4] << 8 ) | buf[5];
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %d, sess_len: %d, chal_len: %d",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciph_len: %u, sess_len: %u, chal_len: %u",
ciph_len, sess_len, chal_len ) );
/*
@@ -1514,7 +1629,7 @@
if( cli_msg_seq != ssl->handshake->in_msg_seq )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message_seq: "
- "%d (expected %d)", cli_msg_seq,
+ "%u (expected %u)", cli_msg_seq,
ssl->handshake->in_msg_seq ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
@@ -1772,8 +1887,7 @@
ext_len = ( buf[ext_offset + 0] << 8 )
| ( buf[ext_offset + 1] );
- if( ( ext_len > 0 && ext_len < 4 ) ||
- msg_len != ext_offset + 2 + ext_len )
+ if( msg_len != ext_offset + 2 + ext_len )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@@ -1947,21 +2061,23 @@
break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ case MBEDTLS_TLS_EXT_USE_SRTP:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
+
+ ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
default:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %u (ignoring)",
ext_id ) );
}
ext_len -= 4 + ext_size;
ext += 4 + ext_size;
-
- if( ext_len > 0 && ext_len < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
- return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
- }
}
#if defined(MBEDTLS_SSL_PROTO_SSL3)
}
@@ -2149,7 +2265,7 @@
else
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no hash algorithm for signature algorithm "
- "%d - should not happen", sig_alg ) );
+ "%u - should not happen", (unsigned) sig_alg ) );
}
}
#endif
@@ -2505,6 +2621,78 @@
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
+#if defined(MBEDTLS_SSL_DTLS_SRTP ) && defined(MBEDTLS_SSL_PROTO_DTLS)
+static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
+ unsigned char *buf,
+ size_t *olen )
+{
+ size_t mki_len = 0, ext_len = 0;
+ uint16_t profile_value = 0;
+ const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
+
+ *olen = 0;
+
+ if( ( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) ||
+ ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET ) )
+ {
+ return;
+ }
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding use_srtp extension" ) );
+
+ if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED )
+ {
+ mki_len = ssl->dtls_srtp_info.mki_len;
+ }
+
+ /* The extension total size is 9 bytes :
+ * - 2 bytes for the extension tag
+ * - 2 bytes for the total size
+ * - 2 bytes for the protection profile length
+ * - 2 bytes for the protection profile
+ * - 1 byte for the mki length
+ * + the actual mki length
+ * Check we have enough room in the output buffer */
+ if( (size_t)( end - buf ) < mki_len + 9 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
+ return;
+ }
+
+ /* extension */
+ buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
+ buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP ) & 0xFF );
+ /*
+ * total length 5 and mki value: only one profile(2 bytes)
+ * and length(2 bytes) and srtp_mki )
+ */
+ ext_len = 5 + mki_len;
+ buf[2] = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
+ buf[3] = (unsigned char)( ext_len & 0xFF );
+
+ /* protection profile length: 2 */
+ buf[4] = 0x00;
+ buf[5] = 0x02;
+ profile_value = mbedtls_ssl_check_srtp_profile_value(
+ ssl->dtls_srtp_info.chosen_dtls_srtp_profile );
+ if( profile_value != MBEDTLS_TLS_SRTP_UNSET )
+ {
+ buf[6] = (unsigned char)( ( profile_value >> 8 ) & 0xFF );
+ buf[7] = (unsigned char)( profile_value & 0xFF );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "use_srtp extension invalid profile" ) );
+ return;
+ }
+
+ buf[8] = mki_len & 0xFF;
+ memcpy( &buf[9], ssl->dtls_srtp_info.mki_value, mki_len );
+
+ *olen = 9 + mki_len;
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
{
@@ -2577,6 +2765,55 @@
}
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+static void ssl_handle_id_based_session_resumption( mbedtls_ssl_context *ssl )
+{
+ int ret;
+ mbedtls_ssl_session session_tmp;
+ mbedtls_ssl_session * const session = ssl->session_negotiate;
+
+ /* Resume is 0 by default, see ssl_handshake_init().
+ * It may be already set to 1 by ssl_parse_session_ticket_ext(). */
+ if( ssl->handshake->resume == 1 )
+ return;
+ if( session->id_len == 0 )
+ return;
+ if( ssl->conf->f_get_cache == NULL )
+ return;
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ if( ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE )
+ return;
+#endif
+
+ mbedtls_ssl_session_init( &session_tmp );
+
+ session_tmp.id_len = session->id_len;
+ memcpy( session_tmp.id, session->id, session->id_len );
+
+ ret = ssl->conf->f_get_cache( ssl->conf->p_cache,
+ &session_tmp );
+ if( ret != 0 )
+ goto exit;
+
+ if( session->ciphersuite != session_tmp.ciphersuite ||
+ session->compression != session_tmp.compression )
+ {
+ /* Mismatch between cached and negotiated session */
+ goto exit;
+ }
+
+ /* Move semantics */
+ mbedtls_ssl_session_free( session );
+ *session = session_tmp;
+ memset( &session_tmp, 0, sizeof( session_tmp ) );
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
+ ssl->handshake->resume = 1;
+
+exit:
+
+ mbedtls_ssl_session_free( &session_tmp );
+}
+
static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_HAVE_TIME)
@@ -2629,7 +2866,8 @@
*p++ = (unsigned char)( t >> 8 );
*p++ = (unsigned char)( t );
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", t ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
+ (long long) t ) );
#else
if( ( ret = ssl->conf->f_rng( ssl->conf->p_rng, p, 4 ) ) != 0 )
return( ret );
@@ -2646,22 +2884,7 @@
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", buf + 6, 32 );
- /*
- * Resume is 0 by default, see ssl_handshake_init().
- * It may be already set to 1 by ssl_parse_session_ticket_ext().
- * If not, try looking up session ID in our cache.
- */
- if( ssl->handshake->resume == 0 &&
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
- ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
-#endif
- ssl->session_negotiate->id_len != 0 &&
- ssl->conf->f_get_cache != NULL &&
- ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
- ssl->handshake->resume = 1;
- }
+ ssl_handle_id_based_session_resumption( ssl );
if( ssl->handshake->resume == 0 )
{
@@ -2717,7 +2940,7 @@
memcpy( p, ssl->session_negotiate->id, ssl->session_negotiate->id_len );
p += ssl->session_negotiate->id_len;
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n ) );
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 39, n );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
ssl->handshake->resume ? "a" : "no" ) );
@@ -2729,7 +2952,7 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
- ssl->session_negotiate->compression ) );
+ (unsigned int) ssl->session_negotiate->compression ) );
/* Do not write the extensions if the protocol is SSLv3 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
@@ -2793,7 +3016,13 @@
ext_len += olen;
#endif
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen );
+ ext_len += olen;
+#endif
+
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
+ ext_len ) );
if( ext_len > 0 )
{
@@ -2841,7 +3070,7 @@
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info;
- size_t dn_size, total_dn_size; /* excluding length bytes */
+ uint16_t dn_size, total_dn_size; /* excluding length bytes */
size_t ct_len, sa_len; /* including length bytes */
unsigned char *buf, *p;
const unsigned char * const end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
@@ -2969,11 +3198,11 @@
while( crt != NULL && crt->version != 0 )
{
- dn_size = crt->subject_raw.len;
+ /* It follows from RFC 5280 A.1 that this length
+ * can be represented in at most 11 bits. */
+ dn_size = (uint16_t) crt->subject_raw.len;
- if( end < p ||
- (size_t)( end - p ) < dn_size ||
- (size_t)( end - p ) < 2 + dn_size )
+ if( end < p || (size_t)( end - p ) < 2 + (size_t) dn_size )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
break;
@@ -3300,7 +3529,7 @@
md_alg = MBEDTLS_MD_NONE;
}
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) );
/*
* 2.2: Compute the hash to be signed
@@ -3727,11 +3956,12 @@
/* In case of a failure in decryption, the decryption may write less than
* 2 bytes of output, but we always read the first two bytes. It doesn't
* matter in the end because diff will be nonzero in that case due to
- * peer_pmslen being less than 48, and we only care whether diff is 0.
- * But do initialize peer_pms for robustness anyway. This also makes
- * memory analyzers happy (don't access uninitialized memory, even
- * if it's an unsigned char). */
+ * ret being nonzero, and we only care whether diff is 0.
+ * But do initialize peer_pms and peer_pmslen for robustness anyway. This
+ * also makes memory analyzers happy (don't access uninitialized memory,
+ * even if it's an unsigned char). */
peer_pms[0] = peer_pms[1] = ~0;
+ peer_pmslen = 0;
ret = ssl_decrypt_encrypted_pms( ssl, p, end,
peer_pms,
diff --git a/lib/libmbedtls/mbedtls/library/ssl_ticket.c b/lib/libmbedtls/mbedtls/library/ssl_ticket.c
index ddc88db..626d137 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_ticket.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_ticket.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* TLS server tickets callbacks implementation
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_TICKET_C)
@@ -35,6 +29,7 @@
#define mbedtls_free free
#endif
+#include "mbedtls/ssl_internal.h"
#include "mbedtls/ssl_ticket.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
@@ -214,7 +209,6 @@
unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
- unsigned char *tag;
size_t clear_len, ciph_len;
*tlen = 0;
@@ -224,8 +218,7 @@
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
* in addition to session itself, that will be checked when writing it. */
- if( end - start < TICKET_MIN_LEN )
- return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
+ MBEDTLS_SSL_CHK_BUF_PTR( start, end, TICKET_MIN_LEN );
#if defined(MBEDTLS_THREADING_C)
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
@@ -256,23 +249,23 @@
state_len_bytes[1] = ( clear_len ) & 0xff;
/* Encrypt and authenticate */
- tag = state + clear_len;
- if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
+ if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
- state, clear_len, state, &ciph_len,
- tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
+ state, clear_len,
+ state, end - state, &ciph_len,
+ TICKET_AUTH_TAG_BYTES ) ) != 0 )
{
goto cleanup;
}
- if( ciph_len != clear_len )
+ if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
{
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cleanup;
}
- *tlen = TICKET_MIN_LEN + ciph_len;
+ *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
cleanup:
#if defined(MBEDTLS_THREADING_C)
@@ -314,7 +307,6 @@
unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
- unsigned char *tag;
size_t enc_len, clear_len;
if( ctx == NULL || ctx->f_rng == NULL )
@@ -332,7 +324,6 @@
goto cleanup;
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
- tag = ticket + enc_len;
if( len != TICKET_MIN_LEN + enc_len )
{
@@ -350,13 +341,13 @@
}
/* Decrypt and authenticate */
- if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
+ if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN,
- ticket, enc_len,
- ticket, &clear_len,
- tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
+ ticket, enc_len + TICKET_AUTH_TAG_BYTES,
+ ticket, enc_len, &clear_len,
+ TICKET_AUTH_TAG_BYTES ) ) != 0 )
{
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
diff --git a/lib/libmbedtls/mbedtls/library/ssl_tls.c b/lib/libmbedtls/mbedtls/library/ssl_tls.c
index e2bdfd5..976a87c 100644
--- a/lib/libmbedtls/mbedtls/library/ssl_tls.c
+++ b/lib/libmbedtls/mbedtls/library/ssl_tls.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* SSLv3/TLSv1 shared functions
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SSL 3.0 specification was drafted by Netscape in 1996,
@@ -27,11 +25,7 @@
* http://www.ietf.org/rfc/rfc4346.txt
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SSL_TLS_C)
@@ -266,6 +260,72 @@
return 0;
}
+
+static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
+ size_t in_buf_new_len,
+ size_t out_buf_new_len )
+{
+ int modified = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
+ if( ssl->in_buf != NULL )
+ {
+ written_in = ssl->in_msg - ssl->in_buf;
+ iv_offset_in = ssl->in_iv - ssl->in_buf;
+ len_offset_in = ssl->in_len - ssl->in_buf;
+ if( downsizing ?
+ ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
+ ssl->in_buf_len < in_buf_new_len )
+ {
+ if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
+ in_buf_new_len ) );
+ modified = 1;
+ }
+ }
+ }
+
+ if( ssl->out_buf != NULL )
+ {
+ written_out = ssl->out_msg - ssl->out_buf;
+ iv_offset_out = ssl->out_iv - ssl->out_buf;
+ len_offset_out = ssl->out_len - ssl->out_buf;
+ if( downsizing ?
+ ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
+ ssl->out_buf_len < out_buf_new_len )
+ {
+ if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
+ }
+ else
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
+ out_buf_new_len ) );
+ modified = 1;
+ }
+ }
+ }
+ if( modified )
+ {
+ /* Update pointers here to avoid doing it twice. */
+ mbedtls_ssl_reset_in_out_pointers( ssl );
+ /* Fields below might not be properly updated with record
+ * splitting or with CID, so they are manually updated here. */
+ ssl->out_msg = ssl->out_buf + written_out;
+ ssl->out_len = ssl->out_buf + len_offset_out;
+ ssl->out_iv = ssl->out_buf + iv_offset_out;
+
+ ssl->in_msg = ssl->in_buf + written_in;
+ ssl->in_len = ssl->in_buf + len_offset_in;
+ ssl->in_iv = ssl->in_buf + iv_offset_in;
+ }
+}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
/*
@@ -452,7 +512,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
- psa_key_handle_t slot,
+ psa_key_id_t key,
psa_algorithm_t alg,
const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length,
@@ -472,7 +532,7 @@
if( status != PSA_SUCCESS )
return( status );
- if( slot == 0 )
+ if( mbedtls_svc_key_id_is_null( key ) )
{
status = psa_key_derivation_input_bytes(
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
@@ -481,8 +541,7 @@
else
{
status = psa_key_derivation_input_key(
- derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
- slot );
+ derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
}
if( status != PSA_SUCCESS )
return( status );
@@ -513,7 +572,7 @@
{
psa_status_t status;
psa_algorithm_t alg;
- psa_key_handle_t master_slot = 0;
+ psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
@@ -527,7 +586,7 @@
* this PRF is also used to derive an IV, in particular in EAP-TLS,
* and for this use case it makes sense to have a 0-length "secret".
* Since the key API doesn't allow importing a key of length 0,
- * keep master_slot=0, which setup_psa_key_derivation() understands
+ * keep master_key=0, which setup_psa_key_derivation() understands
* to mean a 0-length "secret" input. */
if( slen != 0 )
{
@@ -536,13 +595,13 @@
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
- status = psa_import_key( &key_attributes, secret, slen, &master_slot );
+ status = psa_import_key( &key_attributes, secret, slen, &master_key );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = setup_psa_key_derivation( &derivation,
- master_slot, alg,
+ master_key, alg,
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
@@ -550,7 +609,7 @@
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );
- psa_destroy_key( master_slot );
+ psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
@@ -558,19 +617,19 @@
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );
- psa_destroy_key( master_slot );
+ psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
{
- psa_destroy_key( master_slot );
+ psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
- if( master_slot != 0 )
- status = psa_destroy_key( master_slot );
+ if( ! mbedtls_svc_key_id_is_null( master_key ) )
+ status = psa_destroy_key( master_key );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@@ -662,7 +721,7 @@
}
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
static int tls_prf_sha384( const unsigned char *secret, size_t slen,
const char *label,
const unsigned char *random, size_t rlen,
@@ -671,7 +730,7 @@
return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
label, random, rlen, dstbuf, dlen ) );
}
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
@@ -687,20 +746,20 @@
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
-static void ssl_calc_verify_tls( const mbedtls_ssl_context *, unsigned char *, size_t * );
+static void ssl_calc_verify_tls( const mbedtls_ssl_context *, unsigned char*, size_t * );
static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
-static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char *, size_t * );
+static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
-static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char *, size_t * );
+static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -713,13 +772,13 @@
{
/* If we've used a callback to select the PSK,
* the static configuration is irrelevant. */
- if( ssl->handshake->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
return( 1 );
return( 0 );
}
- if( ssl->conf->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
return( 1 );
return( 0 );
@@ -745,7 +804,7 @@
else
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
if( tls_prf == tls_prf_sha384 )
{
return( MBEDTLS_SSL_TLS_PRF_SHA384 );
@@ -786,11 +845,11 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_SSL_TLS_PRF_SHA384:
tls_prf = tls_prf_sha384;
break;
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
#if defined(MBEDTLS_SHA256_C)
case MBEDTLS_SSL_TLS_PRF_SHA256:
tls_prf = tls_prf_sha256;
@@ -863,7 +922,7 @@
unsigned char *key2;
unsigned char *mac_enc;
unsigned char *mac_dec;
- size_t mac_key_len;
+ size_t mac_key_len = 0;
size_t iv_copy_len;
unsigned keylen;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -904,7 +963,7 @@
cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
if( cipher_info == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
ciphersuite_info->cipher ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -912,8 +971,8 @@
md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
if( md_info == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
- ciphersuite_info->mac ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
+ (unsigned) ciphersuite_info->mac ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -973,15 +1032,28 @@
transform->taglen =
ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
- /* All modes haves 96-bit IVs;
- * GCM and CCM has 4 implicit and 8 explicit bytes
- * ChachaPoly has all 12 bytes implicit
+ /* All modes haves 96-bit IVs, but the length of the static parts vary
+ * with mode and version:
+ * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
+ * (to be concatenated with a dynamically chosen IV of 8 Bytes)
+ * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
+ * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
+ * sequence number).
*/
transform->ivlen = 12;
- if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
+ {
transform->fixed_ivlen = 12;
+ }
else
- transform->fixed_ivlen = 4;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+ {
+ if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
+ transform->fixed_ivlen = 12;
+ else
+ transform->fixed_ivlen = 4;
+ }
/* Minimum length of encrypted record */
explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
@@ -1175,7 +1247,7 @@
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_init != NULL )
{
- int ret = 0;
+ ret = 0;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
@@ -1378,7 +1450,8 @@
int minor_ver,
mbedtls_md_type_t hash )
{
-#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA512_C)
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || \
+ !( defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384) )
(void) hash;
#endif
@@ -1401,7 +1474,7 @@
else
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
hash == MBEDTLS_MD_SHA384 )
{
@@ -1507,16 +1580,14 @@
/* Perform PSK-to-MS expansion in a single step. */
psa_status_t status;
psa_algorithm_t alg;
- psa_key_handle_t psk;
+ psa_key_id_t psk;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
- psk = ssl->conf->psk_opaque;
- if( handshake->psk_opaque != 0 )
- psk = handshake->psk_opaque;
+ psk = mbedtls_ssl_get_opaque_psk( ssl );
if( hash_alg == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
@@ -1663,7 +1734,7 @@
#if defined(MBEDTLS_SSL_PROTO_SSL3)
void ssl_calc_verify_ssl( const mbedtls_ssl_context *ssl,
- unsigned char hash[36],
+ unsigned char *hash,
size_t *hlen )
{
mbedtls_md5_context md5;
@@ -1716,7 +1787,7 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
void ssl_calc_verify_tls( const mbedtls_ssl_context *ssl,
- unsigned char hash[36],
+ unsigned char *hash,
size_t *hlen )
{
mbedtls_md5_context md5;
@@ -1748,7 +1819,7 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C)
void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
- unsigned char hash[32],
+ unsigned char *hash,
size_t *hlen )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1795,9 +1866,9 @@
}
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
- unsigned char hash[48],
+ unsigned char *hash,
size_t *hlen )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -1842,7 +1913,7 @@
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return;
}
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@@ -1850,14 +1921,18 @@
{
unsigned char *p = ssl->handshake->premaster;
unsigned char *end = p + sizeof( ssl->handshake->premaster );
- const unsigned char *psk = ssl->conf->psk;
- size_t psk_len = ssl->conf->psk_len;
+ const unsigned char *psk = NULL;
+ size_t psk_len = 0;
- /* If the psk callback was called, use its result */
- if( ssl->handshake->psk != NULL )
+ if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
+ == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
{
- psk = ssl->handshake->psk;
- psk_len = ssl->handshake->psk_len;
+ /*
+ * This should never happen because the existence of a PSK is always
+ * checked before calling this function
+ */
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/*
@@ -2143,8 +2218,9 @@
n = crt->raw.len;
if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
- i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
+ " > %" MBEDTLS_PRINTF_SIZET,
+ i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
}
@@ -2635,8 +2711,8 @@
#if defined(MBEDTLS_DEBUG_C)
if( ssl->session_negotiate->verify_result != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
- ssl->session_negotiate->verify_result ) );
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
+ (unsigned int) ssl->session_negotiate->verify_result ) );
}
else
{
@@ -2745,9 +2821,7 @@
{
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
- if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
- ret = 0;
- else
+ if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
goto exit;
@@ -2761,7 +2835,7 @@
chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
if( chain == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
sizeof( mbedtls_x509_crt ) ) );
mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@@ -2863,7 +2937,7 @@
else
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
ssl->handshake->update_checksum = ssl_update_checksum_sha384;
else
@@ -2896,7 +2970,7 @@
mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
#endif
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &ssl->handshake->fin_sha384_psa );
psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
@@ -2923,7 +2997,7 @@
mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
#endif
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
#else
@@ -2956,7 +3030,7 @@
}
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len )
{
@@ -3190,7 +3264,8 @@
}
#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
+
static void ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from )
{
@@ -3249,8 +3324,20 @@
MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
sha512.state, sizeof( sha512.state ) );
#endif
-
+ /* mbedtls_sha512_finish_ret's output parameter is declared as a
+ * 64-byte buffer, but sice we're using SHA-384, we know that the
+ * output fits in 48 bytes. This is correct C, but GCC 11.1 warns
+ * about it.
+ */
+#if defined(__GNUC__) && __GNUC__ >= 11
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
+#endif
mbedtls_sha512_finish_ret( &sha512, padbuf );
+#if defined(__GNUC__) && __GNUC__ >= 11
+#pragma GCC diagnostic pop
+#endif
+
mbedtls_sha512_free( &sha512 );
#endif
@@ -3263,7 +3350,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
}
-#endif /* MBEDTLS_SHA512_C */
+#endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
@@ -3523,7 +3610,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
+ MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
}
@@ -3577,7 +3664,7 @@
mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
#endif
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha384_psa = psa_hash_operation_init();
psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
@@ -3671,55 +3758,9 @@
}
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* If the buffers are too small - reallocate */
- {
- int modified = 0;
- size_t written_in = 0;
- size_t written_out = 0;
- if( ssl->in_buf != NULL )
- {
- written_in = ssl->in_msg - ssl->in_buf;
- if( ssl->in_buf_len < MBEDTLS_SSL_IN_BUFFER_LEN )
- {
- if( resize_buffer( &ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN,
- &ssl->in_buf_len ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %d", MBEDTLS_SSL_IN_BUFFER_LEN ) );
- modified = 1;
- }
- }
- }
- if( ssl->out_buf != NULL )
- {
- written_out = ssl->out_msg - ssl->out_buf;
- if( ssl->out_buf_len < MBEDTLS_SSL_OUT_BUFFER_LEN )
- {
- if( resize_buffer( &ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN,
- &ssl->out_buf_len ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %d", MBEDTLS_SSL_OUT_BUFFER_LEN ) );
- modified = 1;
- }
- }
- }
- if( modified )
- {
- /* Update pointers here to avoid doing it twice. */
- mbedtls_ssl_reset_in_out_pointers( ssl );
- /* Fields below might not be properly updated with record
- * splitting, so they are manually updated here. */
- ssl->out_msg = ssl->out_buf + written_out;
- ssl->in_msg = ssl->in_buf + written_in;
- }
- }
+ handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
+ MBEDTLS_SSL_OUT_BUFFER_LEN );
#endif
/* All pointers should exist and can be directly freed without issue */
@@ -3825,7 +3866,7 @@
ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
if( ssl->in_buf == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", in_buf_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto error;
}
@@ -3836,13 +3877,17 @@
ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
if( ssl->out_buf == NULL )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", out_buf_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto error;
}
mbedtls_ssl_reset_in_out_pointers( ssl );
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
+#endif
+
if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
goto error;
@@ -4324,11 +4369,11 @@
{
/* Remove reference to existing PSK, if any. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( conf->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{
/* The maintenance of the PSK key slot is the
* user's responsibility. */
- conf->psk_opaque = 0;
+ conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
/* This and the following branch should never
* be taken simultaenously as we maintain the
@@ -4412,9 +4457,9 @@
static void ssl_remove_psk( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( ssl->handshake->psk_opaque != 0 )
+ if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
{
- ssl->handshake->psk_opaque = 0;
+ ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -4449,7 +4494,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
- psa_key_handle_t psk_slot,
+ psa_key_id_t psk,
const unsigned char *psk_identity,
size_t psk_identity_len )
{
@@ -4458,9 +4503,9 @@
ssl_conf_remove_psk( conf );
/* Check and set opaque PSK */
- if( psk_slot == 0 )
+ if( mbedtls_svc_key_id_is_null( psk ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- conf->psk_opaque = psk_slot;
+ conf->psk_opaque = psk;
/* Check and set PSK Identity */
ret = ssl_conf_set_psk_identity( conf, psk_identity,
@@ -4472,13 +4517,14 @@
}
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
- psa_key_handle_t psk_slot )
+ psa_key_id_t psk )
{
- if( psk_slot == 0 || ssl->handshake == NULL )
+ if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
+ ( ssl->handshake == NULL ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
ssl_remove_psk( ssl );
- ssl->handshake->psk_opaque = psk_slot;
+ ssl->handshake->psk_opaque = psk;
return( 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -4652,7 +4698,9 @@
cur_len = strlen( *p );
tot_len += cur_len;
- if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )
+ if( ( cur_len == 0 ) ||
+ ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
+ ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
@@ -4667,6 +4715,86 @@
}
#endif /* MBEDTLS_SSL_ALPN */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
+ int support_mki_value )
+{
+ conf->dtls_srtp_mki_support = support_mki_value;
+}
+
+int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
+ unsigned char *mki_value,
+ uint16_t mki_len )
+{
+ if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
+ {
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
+ {
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
+
+ memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
+ ssl->dtls_srtp_info.mki_len = mki_len;
+ return( 0 );
+}
+
+int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
+ const mbedtls_ssl_srtp_profile *profiles )
+{
+ const mbedtls_ssl_srtp_profile *p;
+ size_t list_size = 0;
+
+ /* check the profiles list: all entry must be valid,
+ * its size cannot be more than the total number of supported profiles, currently 4 */
+ for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
+ list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
+ p++ )
+ {
+ if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
+ {
+ list_size++;
+ }
+ else
+ {
+ /* unsupported value, stop parsing and set the size to an error value */
+ list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
+ }
+ }
+
+ if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
+ {
+ conf->dtls_srtp_profile_list = NULL;
+ conf->dtls_srtp_profile_list_len = 0;
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+
+ conf->dtls_srtp_profile_list = profiles;
+ conf->dtls_srtp_profile_list_len = list_size;
+
+ return( 0 );
+}
+
+void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
+ mbedtls_dtls_srtp_info *dtls_srtp_info )
+{
+ dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
+ /* do not copy the mki value if there is no chosen profile */
+ if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
+ {
+ dtls_srtp_info->mki_len = 0;
+ }
+ else
+ {
+ dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
+ memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
+ ssl->dtls_srtp_info.mki_len );
+ }
+}
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
+
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
{
conf->max_major_ver = major;
@@ -5664,11 +5792,24 @@
{
int ret = 0;
+ /* Sanity checks */
+
if( ssl == NULL || ssl->conf == NULL )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
+ ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
+ "mbedtls_ssl_set_timer_cb() for DTLS" ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ }
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
+ /* Main handshake loop */
while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
{
ret = mbedtls_ssl_handshake_step( ssl );
@@ -5854,7 +5995,7 @@
mbedtls_sha256_free( &handshake->fin_sha256 );
#endif
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &handshake->fin_sha384_psa );
#else
@@ -5944,58 +6085,8 @@
* processes datagrams and the fact that a datagram is allowed to have
* several records in it, it is possible that the I/O buffers are not
* empty at this stage */
- {
- int modified = 0;
- uint32_t buf_len = mbedtls_ssl_get_input_buflen( ssl );
- size_t written_in = 0;
- size_t written_out = 0;
- if( ssl->in_buf != NULL )
- {
- written_in = ssl->in_msg - ssl->in_buf;
- if( ssl->in_buf_len > buf_len && ssl->in_left < buf_len )
- {
- written_in = ssl->in_msg - ssl->in_buf;
- if( resize_buffer( &ssl->in_buf, buf_len, &ssl->in_buf_len ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %d", buf_len ) );
- modified = 1;
- }
- }
- }
-
-
- buf_len = mbedtls_ssl_get_output_buflen( ssl );
- if(ssl->out_buf != NULL )
- {
- written_out = ssl->out_msg - ssl->out_buf;
- if( ssl->out_buf_len > mbedtls_ssl_get_output_buflen( ssl ) &&
- ssl->out_left < buf_len )
- {
- if( resize_buffer( &ssl->out_buf, buf_len, &ssl->out_buf_len ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
- }
- else
- {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %d", buf_len ) );
- modified = 1;
- }
- }
- }
- if( modified )
- {
- /* Update pointers here to avoid doing it twice. */
- mbedtls_ssl_reset_in_out_pointers( ssl );
- /* Fields below might not be properly updated with record
- * splitting, so they are manually updated here. */
- ssl->out_msg = ssl->out_buf + written_out;
- ssl->in_msg = ssl->in_buf + written_in;
- }
- }
+ handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
+ mbedtls_ssl_get_output_buflen( ssl ) );
#endif
}
@@ -6346,7 +6437,7 @@
unsigned char *dstbuf, size_t dlen );
static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
{
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
@@ -6661,14 +6752,6 @@
*/
void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
{
-#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
- size_t in_buf_len = ssl->in_buf_len;
- size_t out_buf_len = ssl->out_buf_len;
-#else
- size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
- size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
-#endif
-
if( ssl == NULL )
return;
@@ -6676,6 +6759,12 @@
if( ssl->out_buf != NULL )
{
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t out_buf_len = ssl->out_buf_len;
+#else
+ size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
+#endif
+
mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
mbedtls_free( ssl->out_buf );
ssl->out_buf = NULL;
@@ -6683,6 +6772,12 @@
if( ssl->in_buf != NULL )
{
+#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
+ size_t in_buf_len = ssl->in_buf_len;
+#else
+ size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
+#endif
+
mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL;
@@ -6757,6 +6852,8 @@
static int ssl_preset_default_hashes[] = {
#if defined(MBEDTLS_SHA512_C)
MBEDTLS_MD_SHA512,
+#endif
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
MBEDTLS_MD_SHA384,
#endif
#if defined(MBEDTLS_SHA256_C)
@@ -7116,9 +7213,11 @@
case MBEDTLS_SSL_HASH_SHA256:
return( MBEDTLS_MD_SHA256 );
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_SSL_HASH_SHA384:
return( MBEDTLS_MD_SHA384 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_SSL_HASH_SHA512:
return( MBEDTLS_MD_SHA512 );
#endif
@@ -7148,9 +7247,11 @@
case MBEDTLS_MD_SHA256:
return( MBEDTLS_SSL_HASH_SHA256 );
#endif
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_MD_SHA384:
return( MBEDTLS_SSL_HASH_SHA384 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA512:
return( MBEDTLS_SSL_HASH_SHA512 );
#endif
@@ -7310,7 +7411,7 @@
break;
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
case MBEDTLS_SSL_HASH_SHA384:
ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
break;
diff --git a/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.c b/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.c
new file mode 100644
index 0000000..c39e032
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.c
@@ -0,0 +1,349 @@
+/*
+ * TLS 1.3 key schedule
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "common.h"
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+
+#include "mbedtls/hkdf.h"
+#include "mbedtls/ssl_internal.h"
+#include "ssl_tls13_keys.h"
+
+#include <stdint.h>
+#include <string.h>
+
+#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
+ .name = string,
+
+struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
+{
+ /* This seems to work in C, despite the string literal being one
+ * character too long due to the 0-termination. */
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+/*
+ * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
+ *
+ * The HkdfLabel is specified in RFC 8446 as follows:
+ *
+ * struct HkdfLabel {
+ * uint16 length; // Length of expanded key material
+ * opaque label<7..255>; // Always prefixed by "tls13 "
+ * opaque context<0..255>; // Usually a communication transcript hash
+ * };
+ *
+ * Parameters:
+ * - desired_length: Length of expanded key material
+ * Even though the standard allows expansion to up to
+ * 2**16 Bytes, TLS 1.3 never uses expansion to more than
+ * 255 Bytes, so we require `desired_length` to be at most
+ * 255. This allows us to save a few Bytes of code by
+ * hardcoding the writing of the high bytes.
+ * - (label, llen): label + label length, without "tls13 " prefix
+ * The label length MUST be less than or equal to
+ * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
+ * It is the caller's responsibility to ensure this.
+ * All (label, label length) pairs used in TLS 1.3
+ * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
+ * - (ctx, clen): context + context length
+ * The context length MUST be less than or equal to
+ * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
+ * It is the caller's responsibility to ensure this.
+ * - dst: Target buffer for HkdfLabel structure,
+ * This MUST be a writable buffer of size
+ * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
+ * - dlen: Pointer at which to store the actual length of
+ * the HkdfLabel structure on success.
+ */
+
+static const char tls1_3_label_prefix[6] = "tls13 ";
+
+#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
+ ( 2 /* expansion length */ \
+ + 1 /* label length */ \
+ + label_len \
+ + 1 /* context length */ \
+ + context_len )
+
+#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
+ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
+ sizeof(tls1_3_label_prefix) + \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
+ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
+
+static void ssl_tls1_3_hkdf_encode_label(
+ size_t desired_length,
+ const unsigned char *label, size_t llen,
+ const unsigned char *ctx, size_t clen,
+ unsigned char *dst, size_t *dlen )
+{
+ size_t total_label_len =
+ sizeof(tls1_3_label_prefix) + llen;
+ size_t total_hkdf_lbl_len =
+ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
+
+ unsigned char *p = dst;
+
+ /* Add the size of the expanded key material.
+ * We're hardcoding the high byte to 0 here assuming that we never use
+ * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
+#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
+#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \
+ value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
+#endif
+
+ *p++ = 0;
+ *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
+
+ /* Add label incl. prefix */
+ *p++ = (unsigned char)( total_label_len & 0xFF );
+ memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
+ p += sizeof(tls1_3_label_prefix);
+ memcpy( p, label, llen );
+ p += llen;
+
+ /* Add context value */
+ *p++ = (unsigned char)( clen & 0xFF );
+ if( clen != 0 )
+ memcpy( p, ctx, clen );
+
+ /* Return total length to the caller. */
+ *dlen = total_hkdf_lbl_len;
+}
+
+int mbedtls_ssl_tls1_3_hkdf_expand_label(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret, size_t slen,
+ const unsigned char *label, size_t llen,
+ const unsigned char *ctx, size_t clen,
+ unsigned char *buf, size_t blen )
+{
+ const mbedtls_md_info_t *md;
+ unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
+ size_t hkdf_label_len;
+
+ if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
+ {
+ /* Should never happen since this is an internal
+ * function, and we know statically which labels
+ * are allowed. */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
+ {
+ /* Should not happen, as above. */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
+ {
+ /* Should not happen, as above. */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ md = mbedtls_md_info_from_type( hash_alg );
+ if( md == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ ssl_tls1_3_hkdf_encode_label( blen,
+ label, llen,
+ ctx, clen,
+ hkdf_label,
+ &hkdf_label_len );
+
+ return( mbedtls_hkdf_expand( md,
+ secret, slen,
+ hkdf_label, hkdf_label_len,
+ buf, blen ) );
+}
+
+/*
+ * The traffic keying material is generated from the following inputs:
+ *
+ * - One secret value per sender.
+ * - A purpose value indicating the specific value being generated
+ * - The desired lengths of key and IV.
+ *
+ * The expansion itself is based on HKDF:
+ *
+ * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
+ * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
+ *
+ * [sender] denotes the sending side and the Secret value is provided
+ * by the function caller. Note that we generate server and client side
+ * keys in a single function call.
+ */
+int mbedtls_ssl_tls1_3_make_traffic_keys(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *client_secret,
+ const unsigned char *server_secret,
+ size_t slen, size_t key_len, size_t iv_len,
+ mbedtls_ssl_key_set *keys )
+{
+ int ret = 0;
+
+ ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
+ client_secret, slen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
+ NULL, 0,
+ keys->client_write_key, key_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
+ server_secret, slen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
+ NULL, 0,
+ keys->server_write_key, key_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
+ client_secret, slen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
+ NULL, 0,
+ keys->client_write_iv, iv_len );
+ if( ret != 0 )
+ return( ret );
+
+ ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
+ server_secret, slen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
+ NULL, 0,
+ keys->server_write_iv, iv_len );
+ if( ret != 0 )
+ return( ret );
+
+ keys->key_len = key_len;
+ keys->iv_len = iv_len;
+
+ return( 0 );
+}
+
+int mbedtls_ssl_tls1_3_derive_secret(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret, size_t slen,
+ const unsigned char *label, size_t llen,
+ const unsigned char *ctx, size_t clen,
+ int ctx_hashed,
+ unsigned char *dstbuf, size_t buflen )
+{
+ int ret;
+ unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
+
+ const mbedtls_md_info_t *md;
+ md = mbedtls_md_info_from_type( hash_alg );
+ if( md == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
+ {
+ ret = mbedtls_md( md, ctx, clen, hashed_context );
+ if( ret != 0 )
+ return( ret );
+ clen = mbedtls_md_get_size( md );
+ }
+ else
+ {
+ if( clen > sizeof(hashed_context) )
+ {
+ /* This should never happen since this function is internal
+ * and the code sets `ctx_hashed` correctly.
+ * Let's double-check nonetheless to not run at the risk
+ * of getting a stack overflow. */
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ }
+
+ memcpy( hashed_context, ctx, clen );
+ }
+
+ return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
+ secret, slen,
+ label, llen,
+ hashed_context, clen,
+ dstbuf, buflen ) );
+}
+
+int mbedtls_ssl_tls1_3_evolve_secret(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret_old,
+ const unsigned char *input, size_t input_len,
+ unsigned char *secret_new )
+{
+ int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ size_t hlen, ilen;
+ unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
+ unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
+
+ const mbedtls_md_info_t *md;
+ md = mbedtls_md_info_from_type( hash_alg );
+ if( md == NULL )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ hlen = mbedtls_md_get_size( md );
+
+ /* For non-initial runs, call Derive-Secret( ., "derived", "")
+ * on the old secret. */
+ if( secret_old != NULL )
+ {
+ ret = mbedtls_ssl_tls1_3_derive_secret(
+ hash_alg,
+ secret_old, hlen,
+ MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
+ NULL, 0, /* context */
+ MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+ tmp_secret, hlen );
+ if( ret != 0 )
+ goto cleanup;
+ }
+
+ if( input != NULL )
+ {
+ memcpy( tmp_input, input, input_len );
+ ilen = input_len;
+ }
+ else
+ {
+ ilen = hlen;
+ }
+
+ /* HKDF-Extract takes a salt and input key material.
+ * The salt is the old secret, and the input key material
+ * is the input secret (PSK / ECDHE). */
+ ret = mbedtls_hkdf_extract( md,
+ tmp_secret, hlen,
+ tmp_input, ilen,
+ secret_new );
+ if( ret != 0 )
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+
+ mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
+ mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
+ return( ret );
+}
+
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
diff --git a/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.h b/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.h
new file mode 100644
index 0000000..7089049
--- /dev/null
+++ b/lib/libmbedtls/mbedtls/library/ssl_tls13_keys.h
@@ -0,0 +1,274 @@
+/*
+ * TLS 1.3 key schedule
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
+#define MBEDTLS_SSL_TLS1_3_KEYS_H
+
+/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
+ * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union
+ * below. */
+#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \
+ MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \
+ MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" )
+
+#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
+ const unsigned char name [ sizeof(string) - 1 ];
+
+union mbedtls_ssl_tls1_3_labels_union
+{
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+struct mbedtls_ssl_tls1_3_labels_struct
+{
+ MBEDTLS_SSL_TLS1_3_LABEL_LIST
+};
+#undef MBEDTLS_SSL_TLS1_3_LABEL
+
+extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels;
+
+#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL ) \
+ mbedtls_ssl_tls1_3_labels.LABEL, \
+ sizeof(mbedtls_ssl_tls1_3_labels.LABEL)
+
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
+ sizeof( union mbedtls_ssl_tls1_3_labels_union )
+
+/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
+ * Since contexts are always hashes of message transcripts, this can
+ * be approximated from above by the maximum hash size. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \
+ MBEDTLS_MD_MAX_SIZE
+
+/* Maximum desired length for expanded key material generated
+ * by HKDF-Expand-Label.
+ *
+ * Warning: If this ever needs to be increased, the implementation
+ * ssl_tls1_3_hkdf_encode_label() in ssl_tls13_keys.c needs to be
+ * adjusted since it currently assumes that HKDF key expansion
+ * is never used with more than 255 Bytes of output. */
+#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
+
+/**
+ * \brief The \c HKDF-Expand-Label function from
+ * the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ * HKDF-Expand-Label( Secret, Label, Context, Length ) =
+ * HKDF-Expand( Secret, HkdfLabel, Length )
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash algorithm to use.
+ * \param secret The \c Secret argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length \p slen Bytes.
+ * \param slen The length of \p secret in Bytes.
+ * \param label The \c Label argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length \p llen Bytes.
+ * \param llen The length of \p label in Bytes.
+ * \param ctx The \c Context argument to \c HKDF-Expand-Label.
+ * This must be a readable buffer of length \p clen Bytes.
+ * \param clen The length of \p context in Bytes.
+ * \param buf The destination buffer to hold the expanded secret.
+ * This must be a writable buffer of length \p blen Bytes.
+ * \param blen The desired size of the expanded secret in Bytes.
+ *
+ * \returns \c 0 on success.
+ * \return A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_hkdf_expand_label(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret, size_t slen,
+ const unsigned char *label, size_t llen,
+ const unsigned char *ctx, size_t clen,
+ unsigned char *buf, size_t blen );
+
+/**
+ * \brief This function is part of the TLS 1.3 key schedule.
+ * It extracts key and IV for the actual client/server traffic
+ * from the client/server traffic secrets.
+ *
+ * From RFC 8446:
+ *
+ * <tt>
+ * [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
+ * [sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)*
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash algorithm to be used
+ * for the HKDF-based expansion of the secret.
+ * \param client_secret The client traffic secret.
+ * This must be a readable buffer of size \p slen Bytes
+ * \param server_secret The server traffic secret.
+ * This must be a readable buffer of size \p slen Bytes
+ * \param slen Length of the secrets \p client_secret and
+ * \p server_secret in Bytes.
+ * \param key_len The desired length of the key to be extracted in Bytes.
+ * \param iv_len The desired length of the IV to be extracted in Bytes.
+ * \param keys The address of the structure holding the generated
+ * keys and IVs.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_make_traffic_keys(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *client_secret,
+ const unsigned char *server_secret,
+ size_t slen, size_t key_len, size_t iv_len,
+ mbedtls_ssl_key_set *keys );
+
+
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
+#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1
+
+/**
+ * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
+ *
+ * <tt>
+ * Derive-Secret( Secret, Label, Messages ) =
+ * HKDF-Expand-Label( Secret, Label,
+ * Hash( Messages ),
+ * Hash.Length ) )
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash function used for the
+ * applications of HKDF.
+ * \param secret The \c Secret argument to the \c Derive-Secret function.
+ * This must be a readable buffer of length \p slen Bytes.
+ * \param slen The length of \p secret in Bytes.
+ * \param label The \c Label argument to the \c Derive-Secret function.
+ * This must be a readable buffer of length \p llen Bytes.
+ * \param llen The length of \p label in Bytes.
+ * \param ctx The hash of the \c Messages argument to the
+ * \c Derive-Secret function, or the \c Messages argument
+ * itself, depending on \p context_already_hashed.
+ * \param clen The length of \p hash.
+ * \param ctx_hashed This indicates whether the \p ctx contains the hash of
+ * the \c Messages argument in the application of the
+ * \c Derive-Secret function
+ * (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether
+ * it is the content of \c Messages itself, in which case
+ * the function takes care of the hashing
+ * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED).
+ * \param dstbuf The target buffer to write the output of
+ * \c Derive-Secret to. This must be a writable buffer of
+ * size \p buflen Bytes.
+ * \param buflen The length of \p dstbuf in Bytes.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+int mbedtls_ssl_tls1_3_derive_secret(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret, size_t slen,
+ const unsigned char *label, size_t llen,
+ const unsigned char *ctx, size_t clen,
+ int ctx_hashed,
+ unsigned char *dstbuf, size_t buflen );
+
+/**
+ * \brief Compute the next secret in the TLS 1.3 key schedule
+ *
+ * The TLS 1.3 key schedule proceeds as follows to compute
+ * the three main secrets during the handshake: The early
+ * secret for early data, the handshake secret for all
+ * other encrypted handshake messages, and the master
+ * secret for all application traffic.
+ *
+ * <tt>
+ * 0
+ * |
+ * v
+ * PSK -> HKDF-Extract = Early Secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * (EC)DHE -> HKDF-Extract = Handshake Secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * 0 -> HKDF-Extract = Master Secret
+ * </tt>
+ *
+ * Each of the three secrets in turn is the basis for further
+ * key derivations, such as the derivation of traffic keys and IVs;
+ * see e.g. mbedtls_ssl_tls1_3_make_traffic_keys().
+ *
+ * This function implements one step in this evolution of secrets:
+ *
+ * <tt>
+ * old_secret
+ * |
+ * v
+ * Derive-Secret( ., "derived", "" )
+ * |
+ * v
+ * input -> HKDF-Extract = new_secret
+ * </tt>
+ *
+ * \param hash_alg The identifier for the hash function used for the
+ * applications of HKDF.
+ * \param secret_old The address of the buffer holding the old secret
+ * on function entry. If not \c NULL, this must be a
+ * readable buffer whose size matches the output size
+ * of the hash function represented by \p hash_alg.
+ * If \c NULL, an all \c 0 array will be used instead.
+ * \param input The address of the buffer holding the additional
+ * input for the key derivation (e.g., the PSK or the
+ * ephemeral (EC)DH secret). If not \c NULL, this must be
+ * a readable buffer whose size \p input_len Bytes.
+ * If \c NULL, an all \c 0 array will be used instead.
+ * \param input_len The length of \p input in Bytes.
+ * \param secret_new The address of the buffer holding the new secret
+ * on function exit. This must be a writable buffer
+ * whose size matches the output size of the hash
+ * function represented by \p hash_alg.
+ * This may be the same as \p secret_old.
+ *
+ * \returns \c 0 on success.
+ * \returns A negative error code on failure.
+ */
+
+int mbedtls_ssl_tls1_3_evolve_secret(
+ mbedtls_md_type_t hash_alg,
+ const unsigned char *secret_old,
+ const unsigned char *input, size_t input_len,
+ unsigned char *secret_new );
+
+#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
diff --git a/lib/libmbedtls/mbedtls/library/threading.c b/lib/libmbedtls/mbedtls/library/threading.c
index dc7896e..2de117f 100644
--- a/lib/libmbedtls/mbedtls/library/threading.c
+++ b/lib/libmbedtls/mbedtls/library/threading.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Threading abstraction layer
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
@@ -27,11 +25,7 @@
#define _POSIX_C_SOURCE 200112L
#endif
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_THREADING_C)
@@ -48,7 +42,7 @@
#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) )
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) )
/*
* This is a convenience shorthand macro to avoid checking the long
* preprocessor conditions above. Ideally, we could expose this macro in
@@ -63,7 +57,7 @@
#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
- _POSIX_THREAD_SAFE_FUNCTIONS >= 20112L ) ) */
+ _POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
#endif /* MBEDTLS_HAVE_TIME_DATE && !MBEDTLS_PLATFORM_GMTIME_R_ALT */
@@ -73,6 +67,12 @@
if( mutex == NULL )
return;
+ /* A nonzero value of is_valid indicates a successfully initialized
+ * mutex. This is a workaround for not being able to return an error
+ * code for this function. The lock/unlock functions return an error
+ * if is_valid is nonzero. The Mbed TLS unit test code uses this field
+ * to distinguish more states of the mutex; see
+ * tests/src/threading_helpers for details. */
mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0;
}
diff --git a/lib/libmbedtls/mbedtls/library/timing.c b/lib/libmbedtls/mbedtls/library/timing.c
index 0358214..eb41461 100644
--- a/lib/libmbedtls/mbedtls/library/timing.c
+++ b/lib/libmbedtls/mbedtls/library/timing.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Portable interface to the CPU cycle counter
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
@@ -40,7 +34,7 @@
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
- !defined(__HAIKU__)
+ !defined(__HAIKU__) && !defined(__midipix__)
#error "This module only works on Unix and Windows, see MBEDTLS_TIMING_C in config.h"
#endif
diff --git a/lib/libmbedtls/mbedtls/library/version.c b/lib/libmbedtls/mbedtls/library/version.c
index cd789a9..32a0d7d 100644
--- a/lib/libmbedtls/mbedtls/library/version.c
+++ b/lib/libmbedtls/mbedtls/library/version.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Version information
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_VERSION_C)
diff --git a/lib/libmbedtls/mbedtls/library/version_features.c b/lib/libmbedtls/mbedtls/library/version_features.c
index 300760c..f665a23 100644
--- a/lib/libmbedtls/mbedtls/library/version_features.c
+++ b/lib/libmbedtls/mbedtls/library/version_features.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* Version feature information
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_VERSION_C)
@@ -231,6 +225,9 @@
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
"MBEDTLS_ECP_INTERNAL_ALT",
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
+#if defined(MBEDTLS_ECP_NO_FALLBACK)
+ "MBEDTLS_ECP_NO_FALLBACK",
+#endif /* MBEDTLS_ECP_NO_FALLBACK */
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
"MBEDTLS_ECP_RANDOMIZE_JAC_ALT",
#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */
@@ -354,6 +351,9 @@
#if defined(MBEDTLS_ECP_NIST_OPTIM)
"MBEDTLS_ECP_NIST_OPTIM",
#endif /* MBEDTLS_ECP_NIST_OPTIM */
+#if defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
+ "MBEDTLS_ECP_NO_INTERNAL_RNG",
+#endif /* MBEDTLS_ECP_NO_INTERNAL_RNG */
#if defined(MBEDTLS_ECP_RESTARTABLE)
"MBEDTLS_ECP_RESTARTABLE",
#endif /* MBEDTLS_ECP_RESTARTABLE */
@@ -420,9 +420,9 @@
#if defined(MBEDTLS_ENTROPY_NV_SEED)
"MBEDTLS_ENTROPY_NV_SEED",
#endif /* MBEDTLS_ENTROPY_NV_SEED */
-#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER)
- "MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER",
-#endif /* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER */
+#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
+ "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER",
+#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
#if defined(MBEDTLS_MEMORY_DEBUG)
"MBEDTLS_MEMORY_DEBUG",
#endif /* MBEDTLS_MEMORY_DEBUG */
@@ -438,6 +438,18 @@
#if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */
+#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
+ "MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS",
+#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
+#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+ "MBEDTLS_PSA_CRYPTO_CLIENT",
+#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS)
+ "MBEDTLS_PSA_CRYPTO_DRIVERS",
+#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
+#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+ "MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG",
+#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
"MBEDTLS_PSA_CRYPTO_SPM",
#endif /* MBEDTLS_PSA_CRYPTO_SPM */
@@ -519,6 +531,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
"MBEDTLS_SSL_PROTO_TLS1_2",
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL",
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
"MBEDTLS_SSL_PROTO_DTLS",
#endif /* MBEDTLS_SSL_PROTO_DTLS */
@@ -531,6 +546,9 @@
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
"MBEDTLS_SSL_DTLS_HELLO_VERIFY",
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
+#if defined(MBEDTLS_SSL_DTLS_SRTP)
+ "MBEDTLS_SSL_DTLS_SRTP",
+#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
"MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE",
#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE */
@@ -555,6 +573,15 @@
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
"MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH",
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
+ "MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN */
+#if defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND)
+ "MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND",
+#endif /* MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND */
+#if defined(MBEDTLS_TEST_HOOKS)
+ "MBEDTLS_TEST_HOOKS",
+#endif /* MBEDTLS_TEST_HOOKS */
#if defined(MBEDTLS_THREADING_ALT)
"MBEDTLS_THREADING_ALT",
#endif /* MBEDTLS_THREADING_ALT */
@@ -564,6 +591,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
"MBEDTLS_USE_PSA_CRYPTO",
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+ "MBEDTLS_PSA_CRYPTO_CONFIG",
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
#if defined(MBEDTLS_VERSION_FEATURES)
"MBEDTLS_VERSION_FEATURES",
#endif /* MBEDTLS_VERSION_FEATURES */
diff --git a/lib/libmbedtls/mbedtls/library/x509.c b/lib/libmbedtls/mbedtls/library/x509.c
index 9e6ba68..f21e9e6 100644
--- a/lib/libmbedtls/mbedtls/library/x509.c
+++ b/lib/libmbedtls/mbedtls/library/x509.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 common functions for parsing and verification
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -29,11 +27,7 @@
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_USE_C)
@@ -87,18 +81,18 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_SERIAL +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_SERIAL,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
if( **p != ( MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_PRIMITIVE | 2 ) &&
**p != MBEDTLS_ASN1_INTEGER )
- return( MBEDTLS_ERR_X509_INVALID_SERIAL +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_SERIAL,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
serial->tag = *(*p)++;
if( ( ret = mbedtls_asn1_get_len( p, end, &serial->len ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_SERIAL + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_SERIAL, ret ) );
serial->p = *p;
*p += serial->len;
@@ -118,7 +112,7 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ( ret = mbedtls_asn1_get_alg_null( p, end, alg ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
return( 0 );
}
@@ -132,7 +126,7 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
return( 0 );
}
@@ -157,39 +151,39 @@
/* Make sure we got a SEQUENCE and setup bounds */
if( alg->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
- p = (unsigned char *) alg->p;
+ p = alg->p;
end = p + alg->len;
if( p >= end )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
/* Parse md_oid */
md_oid.tag = *p;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &md_oid.len, MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
md_oid.p = p;
p += md_oid.len;
/* Get md_alg from md_oid */
if( ( ret = mbedtls_oid_get_md_alg( &md_oid, md_alg ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
/* Make sure params is absent of NULL */
if( p == end )
return( 0 );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_NULL ) ) != 0 || len != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p != end )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -223,8 +217,8 @@
/* Make sure params is a SEQUENCE and setup bounds */
if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
p = (unsigned char *) params->p;
end = p + params->len;
@@ -245,14 +239,14 @@
return( ret );
if( ( ret = mbedtls_oid_get_md_alg( &alg_id, md_alg ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p != end2 )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p == end )
return( 0 );
@@ -271,19 +265,19 @@
/* Only MFG1 is recognised for now */
if( MBEDTLS_OID_CMP( MBEDTLS_OID_MGF1, &alg_id ) != 0 )
- return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE +
- MBEDTLS_ERR_OID_NOT_FOUND );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE,
+ MBEDTLS_ERR_OID_NOT_FOUND ) );
/* Parse HashAlgorithm */
if( ( ret = x509_get_hash_alg( &alg_params, mgf_md ) ) != 0 )
return( ret );
if( p != end2 )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p == end )
return( 0 );
@@ -297,14 +291,14 @@
end2 = p + len;
if( ( ret = mbedtls_asn1_get_int( &p, end2, salt_len ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p != end2 )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p == end )
return( 0 );
@@ -320,21 +314,21 @@
end2 = p + len;
if( ( ret = mbedtls_asn1_get_int( &p, end2, &trailer_field ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p != end2 )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
if( trailer_field != 1 )
return( MBEDTLS_ERR_X509_INVALID_ALG );
}
else if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
- return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG, ret ) );
if( p != end )
- return( MBEDTLS_ERR_X509_INVALID_ALG +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_ALG,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -360,47 +354,47 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) );
end = *p + len;
if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_NAME +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
oid = &cur->oid;
oid->tag = **p;
if( ( ret = mbedtls_asn1_get_tag( p, end, &oid->len, MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) );
oid->p = *p;
*p += oid->len;
if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_NAME +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
if( **p != MBEDTLS_ASN1_BMP_STRING && **p != MBEDTLS_ASN1_UTF8_STRING &&
**p != MBEDTLS_ASN1_T61_STRING && **p != MBEDTLS_ASN1_PRINTABLE_STRING &&
**p != MBEDTLS_ASN1_IA5_STRING && **p != MBEDTLS_ASN1_UNIVERSAL_STRING &&
**p != MBEDTLS_ASN1_BIT_STRING )
- return( MBEDTLS_ERR_X509_INVALID_NAME +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
val = &cur->val;
val->tag = *(*p)++;
if( ( ret = mbedtls_asn1_get_len( p, end, &val->len ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) );
val->p = *p;
*p += val->len;
if( *p != end )
{
- return( MBEDTLS_ERR_X509_INVALID_NAME +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
cur->next = NULL;
@@ -446,7 +440,7 @@
*/
if( ( ret = mbedtls_asn1_get_tag( p, end, &set_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_NAME + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_NAME, ret ) );
end_set = *p + set_len;
@@ -610,8 +604,8 @@
unsigned char tag;
if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_DATE +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
tag = **p;
@@ -620,14 +614,14 @@
else if( tag == MBEDTLS_ASN1_GENERALIZED_TIME )
year_len = 4;
else
- return( MBEDTLS_ERR_X509_INVALID_DATE +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
(*p)++;
ret = mbedtls_asn1_get_len( p, end, &len );
if( ret != 0 )
- return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE, ret ) );
return x509_parse_time( p, len, year_len, tm );
}
@@ -639,13 +633,13 @@
int tag_type;
if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_SIGNATURE +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_SIGNATURE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) );
tag_type = **p;
if( ( ret = mbedtls_asn1_get_bitstring_null( p, end, &len ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_SIGNATURE + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_SIGNATURE, ret ) );
sig->tag = tag_type;
sig->len = len;
@@ -669,7 +663,7 @@
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
if( ( ret = mbedtls_oid_get_sig_alg( sig_oid, md_alg, pk_alg ) ) != 0 )
- return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret ) );
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( *pk_alg == MBEDTLS_PK_RSASSA_PSS )
@@ -720,7 +714,7 @@
ret = mbedtls_asn1_get_tag( p, end, &ext->len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag );
if( ret != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
ext->tag = MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | tag;
ext->p = *p;
@@ -731,11 +725,11 @@
*/
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( end != *p + len )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -787,7 +781,7 @@
break;
c = name->val.p[i];
- if( c < 32 || c == 127 || ( c > 128 && c < 160 ) )
+ if( c < 32 || c >= 127 )
s[i] = '?';
else s[i] = c;
}
@@ -870,7 +864,7 @@
ret = mbedtls_snprintf( p, n, " (%s, MGF1-%s, 0x%02X)",
md_info ? mbedtls_md_get_name( md_info ) : "???",
mgf_md_info ? mbedtls_md_get_name( mgf_md_info ) : "???",
- pss_opts->expected_salt_len );
+ (unsigned int) pss_opts->expected_salt_len );
MBEDTLS_X509_SAFE_SNPRINTF;
}
#else
diff --git a/lib/libmbedtls/mbedtls/library/x509_create.c b/lib/libmbedtls/mbedtls/library/x509_create.c
index fd3aad1..056bbaa 100644
--- a/lib/libmbedtls/mbedtls/library/x509_create.c
+++ b/lib/libmbedtls/mbedtls/library/x509_create.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 base functions for creating certificates / CSRs
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CREATE_C)
diff --git a/lib/libmbedtls/mbedtls/library/x509_crl.c b/lib/libmbedtls/mbedtls/library/x509_crl.c
index 54b5591..ac4fc75 100644
--- a/lib/libmbedtls/mbedtls/library/x509_crl.c
+++ b/lib/libmbedtls/mbedtls/library/x509_crl.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 Certidicate Revocation List (CRL) parsing
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -29,11 +27,7 @@
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CRL_PARSE_C)
@@ -85,7 +79,7 @@
return( 0 );
}
- return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) );
}
return( 0 );
@@ -131,7 +125,7 @@
/* Get enclosing sequence tag */
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
end_ext_data = *p + len;
@@ -139,7 +133,7 @@
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
MBEDTLS_ASN1_OID ) ) != 0 )
{
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
}
*p += len;
@@ -148,29 +142,29 @@
&is_critical ) ) != 0 &&
( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
{
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
}
/* Data should be octet string type */
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
/* Ignore data so far and just check its length */
*p += len;
if( *p != end_ext_data )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/* Abort on (unsupported) critical extensions */
if( is_critical )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
}
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -204,27 +198,27 @@
ext->p = NULL;
return( 0 );
}
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
}
end = *p + ext->len;
if( end != *p + ext->len )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
while( *p < end )
{
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
*p += len;
}
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -259,13 +253,13 @@
size_t len2;
const unsigned char *end2;
+ cur_entry->raw.tag = **p;
if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
{
return( ret );
}
- cur_entry->raw.tag = **p;
cur_entry->raw.p = *p;
cur_entry->raw.len = len2;
end2 = *p + len2;
@@ -370,8 +364,8 @@
if( len != (size_t) ( end - p ) )
{
mbedtls_x509_crl_free( crl );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
/*
@@ -383,7 +377,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_crl_free( crl );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
end = p + len;
@@ -427,7 +421,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_crl_free( crl );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
@@ -450,10 +444,10 @@
if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
{
- if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
- ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
+ if( ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) ) &&
+ ret != ( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_OUT_OF_DATA ) ) )
{
mbedtls_x509_crl_free( crl );
return( ret );
@@ -492,8 +486,8 @@
if( p != end )
{
mbedtls_x509_crl_free( crl );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
end = crl->raw.p + crl->raw.len;
@@ -527,8 +521,8 @@
if( p != end )
{
mbedtls_x509_crl_free( crl );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
return( 0 );
diff --git a/lib/libmbedtls/mbedtls/library/x509_crt.c b/lib/libmbedtls/mbedtls/library/x509_crt.c
index edad392..acdd545 100644
--- a/lib/libmbedtls/mbedtls/library/x509_crt.c
+++ b/lib/libmbedtls/mbedtls/library/x509_crt.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 certificate parsing and verification
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -31,11 +29,7 @@
* [SIRO] https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -97,9 +91,8 @@
*/
#define X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
-/*
- * Default profile
- */
+/* Default profile. Do not remove items unless there are serious security
+ * concerns. */
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
{
#if defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES)
@@ -403,17 +396,17 @@
return( 0 );
}
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
end = *p + len;
if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) );
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_VERSION +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -433,7 +426,7 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_DATE + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE, ret ) );
end = *p + len;
@@ -444,8 +437,8 @@
return( ret );
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_DATE +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_DATE,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -470,7 +463,7 @@
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
return( 0 );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
uid->p = *p;
@@ -497,7 +490,7 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( *p == end )
return( 0 );
@@ -508,7 +501,7 @@
ret = mbedtls_asn1_get_int( p, end, ca_istrue );
if( ret != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( *ca_istrue != 0 )
*ca_istrue = 1;
@@ -518,11 +511,17 @@
return( 0 );
if( ( ret = mbedtls_asn1_get_int( p, end, max_pathlen ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
+
+ /* Do not accept max_pathlen equal to INT_MAX to avoid a signed integer
+ * overflow, which is an undefined behavior. */
+ if( *max_pathlen == INT_MAX )
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH ) );
(*max_pathlen)++;
@@ -537,11 +536,11 @@
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( bs.len != 1 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH ) );
/* Get actual bitstring */
*ns_cert_type = *bs.p;
@@ -557,11 +556,11 @@
mbedtls_x509_bitstring bs = { 0, 0, NULL };
if( ( ret = mbedtls_asn1_get_bitstring( p, end, &bs ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( bs.len < 1 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH ) );
/* Get actual bitstring */
*key_usage = 0;
@@ -585,12 +584,12 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ( ret = mbedtls_asn1_get_sequence_of( p, end, ext_key_usage, MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
/* Sequence length must be >= 1 */
if( ext_key_usage->buf.p == NULL )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_INVALID_LENGTH ) );
return( 0 );
}
@@ -635,35 +634,31 @@
/* Get main sequence tag */
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( *p + len != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
while( *p < end )
{
mbedtls_x509_subject_alternative_name dummy_san_buf;
memset( &dummy_san_buf, 0, sizeof( dummy_san_buf ) );
- if( ( end - *p ) < 1 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_OUT_OF_DATA );
-
tag = **p;
(*p)++;
if( ( ret = mbedtls_asn1_get_len( p, end, &tag_len ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( ( tag & MBEDTLS_ASN1_TAG_CLASS_MASK ) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC )
{
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
}
/*
- * Check that the SAN are structured correct.
+ * Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name( &(cur->buf), &dummy_san_buf );
/*
@@ -695,8 +690,8 @@
cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
if( cur->next == NULL )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED ) );
cur = cur->next;
}
@@ -712,8 +707,8 @@
cur->next = NULL;
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -780,18 +775,18 @@
ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE );
if( ret != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( *p + len != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/*
* Cannot be an empty sequence.
*/
if( len == 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
while( *p < end )
{
@@ -803,13 +798,13 @@
*/
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
policy_end = *p + len;
if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
policy_oid.tag = MBEDTLS_ASN1_OID;
policy_oid.len = len;
@@ -837,8 +832,8 @@
cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
if( cur->next == NULL )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_ALLOC_FAILED );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_ALLOC_FAILED ) );
cur = cur->next;
}
@@ -858,7 +853,7 @@
{
if( ( ret = mbedtls_asn1_get_tag( p, policy_end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
/*
* Skip the optional policy qualifiers.
*/
@@ -866,16 +861,16 @@
}
if( *p != policy_end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
/* Set final sequence entry's next pointer to NULL */
cur->next = NULL;
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( parse_ret );
}
@@ -886,11 +881,13 @@
*/
static int x509_get_crt_ext( unsigned char **p,
const unsigned char *end,
- mbedtls_x509_crt *crt )
+ mbedtls_x509_crt *crt,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
- unsigned char *end_ext_data, *end_ext_octet;
+ unsigned char *end_ext_data, *start_ext_octet, *end_ext_octet;
if( *p == end )
return( 0 );
@@ -913,14 +910,14 @@
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
end_ext_data = *p + len;
/* Get extension ID */
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &extn_oid.len,
MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
extn_oid.tag = MBEDTLS_ASN1_OID;
extn_oid.p = *p;
@@ -929,18 +926,19 @@
/* Get optional critical */
if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data, &is_critical ) ) != 0 &&
( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
/* Data should be octet string type */
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
+ start_ext_octet = *p;
end_ext_octet = *p + len;
if( end_ext_octet != end_ext_data )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
/*
* Detect supported extensions
@@ -949,6 +947,16 @@
if( ret != 0 )
{
+ /* Give the callback (if any) a chance to handle the extension */
+ if( cb != NULL )
+ {
+ ret = cb( p_ctx, crt, &extn_oid, is_critical, *p, end_ext_octet );
+ if( ret != 0 && is_critical )
+ return( ret );
+ *p = end_ext_octet;
+ continue;
+ }
+
/* No parser found, skip extension */
*p = end_ext_octet;
@@ -956,8 +964,8 @@
if( is_critical )
{
/* Data is marked as critical: fail */
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) );
}
#endif
continue;
@@ -1011,6 +1019,13 @@
if( ( ret = x509_get_certificate_policies( p, end_ext_octet,
&crt->certificate_policies ) ) != 0 )
{
+ /* Give the callback (if any) a chance to handle the extension
+ * if it contains unsupported policies */
+ if( ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE && cb != NULL &&
+ cb( p_ctx, crt, &extn_oid, is_critical,
+ start_ext_octet, end_ext_octet ) == 0 )
+ break;
+
#if !defined(MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION)
if( is_critical )
return( ret );
@@ -1043,8 +1058,8 @@
}
if( *p != end )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
return( 0 );
}
@@ -1055,7 +1070,9 @@
static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
const unsigned char *buf,
size_t buflen,
- int make_copy )
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
@@ -1120,7 +1137,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_crt_free( crt );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
end = p + len;
@@ -1167,7 +1184,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_crt_free( crt );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
if( ( ret = mbedtls_x509_get_name( &p, p + len, &crt->issuer ) ) != 0 )
@@ -1200,7 +1217,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_crt_free( crt );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
if( len && ( ret = mbedtls_x509_get_name( &p, p + len, &crt->subject ) ) != 0 )
@@ -1254,7 +1271,7 @@
if( crt->version == 3 )
#endif
{
- ret = x509_get_crt_ext( &p, end, crt );
+ ret = x509_get_crt_ext( &p, end, crt, cb, p_ctx );
if( ret != 0 )
{
mbedtls_x509_crt_free( crt );
@@ -1265,8 +1282,8 @@
if( p != end )
{
mbedtls_x509_crt_free( crt );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
end = crt_end;
@@ -1286,6 +1303,7 @@
if( crt->sig_oid.len != sig_oid2.len ||
memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
+ sig_params1.tag != sig_params2.tag ||
sig_params1.len != sig_params2.len ||
( sig_params1.len != 0 &&
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
@@ -1303,8 +1321,8 @@
if( p != end )
{
mbedtls_x509_crt_free( crt );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
return( 0 );
@@ -1317,7 +1335,9 @@
static int mbedtls_x509_crt_parse_der_internal( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen,
- int make_copy )
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *crt = chain, *prev = NULL;
@@ -1349,7 +1369,8 @@
crt = crt->next;
}
- if( ( ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy ) ) != 0 )
+ ret = x509_crt_parse_der_core( crt, buf, buflen, make_copy, cb, p_ctx );
+ if( ret != 0 )
{
if( prev )
prev->next = NULL;
@@ -1367,14 +1388,24 @@
const unsigned char *buf,
size_t buflen )
{
- return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0 ) );
+ return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 0, NULL, NULL ) );
+}
+
+int mbedtls_x509_crt_parse_der_with_ext_cb( mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen,
+ int make_copy,
+ mbedtls_x509_crt_ext_cb_t cb,
+ void *p_ctx )
+{
+ return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, make_copy, cb, p_ctx ) );
}
int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
const unsigned char *buf,
size_t buflen )
{
- return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1 ) );
+ return( mbedtls_x509_crt_parse_der_internal( chain, buf, buflen, 1, NULL, NULL ) );
}
/*
@@ -1597,6 +1628,8 @@
}
#endif /* MBEDTLS_THREADING_C */
+ memset( &sb, 0, sizeof( sb ) );
+
while( ( entry = readdir( dir ) ) != NULL )
{
snp_ret = mbedtls_snprintf( entry_name, sizeof entry_name,
@@ -1672,7 +1705,7 @@
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
cur_oid.tag = MBEDTLS_ASN1_OID;
cur_oid.p = p;
@@ -1689,20 +1722,20 @@
if( p + len >= end )
{
mbedtls_platform_zeroize( other_name, sizeof( *other_name ) );
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
p += len;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len, MBEDTLS_ASN1_OID ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
other_name->value.hardware_module_name.oid.tag = MBEDTLS_ASN1_OID;
other_name->value.hardware_module_name.oid.p = p;
@@ -1711,13 +1744,13 @@
if( p + len >= end )
{
mbedtls_platform_zeroize( other_name, sizeof( *other_name ) );
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
p += len;
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret ) );
other_name->value.hardware_module_name.val.tag = MBEDTLS_ASN1_OCTET_STRING;
other_name->value.hardware_module_name.val.p = p;
@@ -1727,8 +1760,8 @@
{
mbedtls_platform_zeroize( other_name,
sizeof( *other_name ) );
- return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
return( 0 );
}
@@ -2291,8 +2324,7 @@
if( crt->serial.len == cur->serial.len &&
memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
{
- if( mbedtls_x509_time_is_past( &cur->revocation_date ) )
- return( 1 );
+ return( 1 );
}
cur = cur->next;
@@ -2975,6 +3007,25 @@
}
/*
+ * Check for SAN match, see RFC 5280 Section 4.2.1.6
+ */
+static int x509_crt_check_san( const mbedtls_x509_buf *name,
+ const char *cn, size_t cn_len )
+{
+ const unsigned char san_type = (unsigned char) name->tag &
+ MBEDTLS_ASN1_TAG_VALUE_MASK;
+
+ /* dNSName */
+ if( san_type == MBEDTLS_X509_SAN_DNS_NAME )
+ return( x509_crt_check_cn( name, cn, cn_len ) );
+
+ /* (We may handle other types here later.) */
+
+ /* Unrecognized type */
+ return( -1 );
+}
+
+/*
* Verify the requested CN - only call this if cn is not NULL!
*/
static void x509_crt_verify_name( const mbedtls_x509_crt *crt,
@@ -2989,7 +3040,7 @@
{
for( cur = &crt->subject_alt_names; cur != NULL; cur = cur->next )
{
- if( x509_crt_check_cn( &cur->buf, cn, cn_len ) == 0 )
+ if( x509_crt_check_san( &cur->buf, cn, cn_len ) == 0 )
break;
}
diff --git a/lib/libmbedtls/mbedtls/library/x509_csr.c b/lib/libmbedtls/mbedtls/library/x509_csr.c
index 37e47e4..e259410 100644
--- a/lib/libmbedtls/mbedtls/library/x509_csr.c
+++ b/lib/libmbedtls/mbedtls/library/x509_csr.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 Certificate Signing Request (CSR) parsing
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The ITU-T X.509 standard defines a certificate format for PKI.
@@ -29,11 +27,7 @@
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CSR_PARSE_C)
@@ -79,7 +73,7 @@
return( 0 );
}
- return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_VERSION, ret ) );
}
return( 0 );
@@ -137,8 +131,8 @@
if( len != (size_t) ( end - p ) )
{
mbedtls_x509_csr_free( csr );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
/*
@@ -150,7 +144,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_csr_free( csr );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
end = p + len;
@@ -182,7 +176,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
{
mbedtls_x509_csr_free( csr );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
@@ -216,7 +210,7 @@
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
{
mbedtls_x509_csr_free( csr );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT, ret ) );
}
p += len;
@@ -250,8 +244,8 @@
if( p != end )
{
mbedtls_x509_csr_free( csr );
- return( MBEDTLS_ERR_X509_INVALID_FORMAT +
- MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+ return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_X509_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH ) );
}
return( 0 );
diff --git a/lib/libmbedtls/mbedtls/library/x509write_crt.c b/lib/libmbedtls/mbedtls/library/x509write_crt.c
index 80eb23b..8f4a4f5 100644
--- a/lib/libmbedtls/mbedtls/library/x509write_crt.c
+++ b/lib/libmbedtls/mbedtls/library/x509write_crt.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 certificate writing
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* References:
@@ -25,11 +23,7 @@
* - attributes: PKCS#9 v2.0 aka RFC 2985
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CRT_WRITE_C)
@@ -169,7 +163,7 @@
return(
mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
- 0, buf + sizeof(buf) - len, len ) );
+ is_ca, buf + sizeof(buf) - len, len ) );
}
#if defined(MBEDTLS_SHA1_C)
@@ -239,7 +233,7 @@
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
unsigned int key_usage )
{
- unsigned char buf[5], ku[2];
+ unsigned char buf[5] = {0}, ku[2] = {0};
unsigned char *c;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
@@ -278,7 +272,7 @@
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
unsigned char ns_cert_type )
{
- unsigned char buf[4];
+ unsigned char buf[4] = {0};
unsigned char *c;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
diff --git a/lib/libmbedtls/mbedtls/library/x509write_csr.c b/lib/libmbedtls/mbedtls/library/x509write_csr.c
index 781a527..afda950 100644
--- a/lib/libmbedtls/mbedtls/library/x509write_csr.c
+++ b/lib/libmbedtls/mbedtls/library/x509write_csr.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* X.509 Certificate Signing Request writing
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,8 +15,6 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* References:
@@ -24,11 +22,7 @@
* - attributes: PKCS#9 v2.0 aka RFC 2985
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_X509_CSR_WRITE_C)
@@ -50,6 +44,14 @@
#include "mbedtls/pem.h"
#endif
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_calloc calloc
+#define mbedtls_free free
+#endif
+
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
{
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@@ -89,7 +91,7 @@
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
{
- unsigned char buf[4];
+ unsigned char buf[4] = {0};
unsigned char *c;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -111,7 +113,7 @@
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
unsigned char ns_cert_type )
{
- unsigned char buf[4];
+ unsigned char buf[4] = {0};
unsigned char *c;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -130,17 +132,18 @@
return( 0 );
}
-int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
- int (*f_rng)(void *, unsigned char *, size_t),
- void *p_rng )
+static int x509write_csr_der_internal( mbedtls_x509write_csr *ctx,
+ unsigned char *buf,
+ size_t size,
+ unsigned char *sig,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
unsigned char hash[64];
- unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
- unsigned char tmp_buf[2048];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
@@ -149,56 +152,69 @@
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
- /*
- * Prepare data to be signed in tmp_buf
- */
- c = tmp_buf + sizeof( tmp_buf );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
+ /* Write the CSR backwards starting from the end of buf */
+ c = buf + size;
+
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, buf,
+ ctx->extensions ) );
if( len )
{
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SET ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SET ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
- MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_oid(
+ &c, buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
+ MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
}
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
- tmp_buf, c - tmp_buf ) );
+ buf, c - buf ) );
c -= pub_len;
len += pub_len;
/*
* Subject ::= Name
*/
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, buf,
+ ctx->subject ) );
/*
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 0 ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
/*
- * Prepare signature
+ * Sign the written CSR data into the sig buffer
* Note: hash errors can happen only after an internal error
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@@ -232,32 +248,68 @@
return( MBEDTLS_ERR_X509_INVALID_ALG );
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
- &sig_oid, &sig_oid_len ) ) != 0 )
+ &sig_oid, &sig_oid_len ) ) != 0 )
{
return( ret );
}
/*
- * Write data to output buffer
+ * Move the written CSR data to the start of buf to create space for
+ * writing the signature into buf.
+ */
+ memmove( buf, c, len );
+
+ /*
+ * Write sig and its OID into buf backwards from the end of buf.
+ * Note: mbedtls_x509_write_sig will check for c2 - ( buf + len ) < sig_len
+ * and return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL if needed.
*/
c2 = buf + size;
- MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
- sig_oid, sig_oid_len, sig, sig_len ) );
+ MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len,
+ mbedtls_x509_write_sig( &c2, buf + len, sig_oid, sig_oid_len,
+ sig, sig_len ) );
- if( len > (size_t)( c2 - buf ) )
- return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
-
+ /*
+ * Compact the space between the CSR data and signature by moving the
+ * CSR data to the start of the signature.
+ */
c2 -= len;
- memcpy( c2, c, len );
+ memmove( c2, buf, len );
+ /* ASN encode the total size and tag the CSR data with it. */
len += sig_and_oid_len;
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
- MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE ) );
+ MBEDTLS_ASN1_CHK_ADD( len,
+ mbedtls_asn1_write_tag(
+ &c2, buf,
+ MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) );
+
+ /* Zero the unused bytes at the start of buf */
+ memset( buf, 0, c2 - buf);
return( (int) len );
}
+int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf,
+ size_t size,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng )
+{
+ int ret;
+ unsigned char *sig;
+
+ if( ( sig = mbedtls_calloc( 1, MBEDTLS_PK_SIGNATURE_MAX_SIZE ) ) == NULL )
+ {
+ return( MBEDTLS_ERR_X509_ALLOC_FAILED );
+ }
+
+ ret = x509write_csr_der_internal( ctx, buf, size, sig, f_rng, p_rng );
+
+ mbedtls_free( sig );
+
+ return( ret );
+}
+
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
diff --git a/lib/libmbedtls/mbedtls/library/xtea.c b/lib/libmbedtls/mbedtls/library/xtea.c
index 63821b8..4b8c9c0 100644
--- a/lib/libmbedtls/mbedtls/library/xtea.c
+++ b/lib/libmbedtls/mbedtls/library/xtea.c
@@ -1,8 +1,8 @@
-// SPDX-License-Identifier: Apache-2.0
/*
* An 32-bit implementation of the XTEA algorithm
*
- * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
@@ -15,15 +15,9 @@
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
- * This file is part of mbed TLS (https://tls.mbed.org)
*/
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include "common.h"
#if defined(MBEDTLS_XTEA_C)