Squashed commit upgrading to mbedtls-3.6.0

Squash merging branch import/mbedtls-3.6.0

0fc9291f4 ("libmbedtls: bignum: restore mbedtls_mpi_exp_mod() from v3.5.2")
0ef87b1e6 ("libmbedtls: reset minimum rsa key size")
70b079496 ("libmbedtls: adjust use of rsa pk_wrap API")
6cf76464f ("libmbedtls: allow inclusion of arm_neon.h")
27df5c911 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
aa584f9ed ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
523ae957e ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
30bdb1bbf ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
e45cdab62 ("libmbedtls: add SM2 curve")
d2fda4fc2 ("libmbedtls: fix no CRT issue")
ab0eb5515 ("libmbedtls: add interfaces in mbedtls for context memory operation")
7925a6f26 ("libmedtls: mpi_miller_rabin: increase count limit")
8eaf69279 ("libmbedtls: add mbedtls_mpi_init_mempool()")
12e83fc8d ("libmbedtls: make mbedtls_mpi_mont*() available")
f9e261da5 ("mbedtls: configure mbedtls to reach for config")
7b6f378d7 ("mbedtls: remove default include/mbedtls/config.h")
c16331743 ("Import mbedtls-3.6.0")

Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
diff --git a/lib/libmbedtls/mbedtls/library/sha512.c b/lib/libmbedtls/mbedtls/library/sha512.c
index 67acfee..6dcea8d 100644
--- a/lib/libmbedtls/mbedtls/library/sha512.c
+++ b/lib/libmbedtls/mbedtls/library/sha512.c
@@ -2,19 +2,7 @@
  *  FIPS-180-2 compliant SHA-384/512 implementation
  *
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 /*
  *  The SHA-512 Secure Hash Standard was published by NIST in 2002.
@@ -31,7 +19,7 @@
  * By defining the macros ourselves we gain access to those declarations without
  * requiring -march on the command line.
  *
- * `arm_neon.h` could be included by any header file, so we put these defines
+ * `arm_neon.h` is included by common.h, so we put these defines
  * at the top of this file, before any includes.
  */
 #define __ARM_FEATURE_SHA512 1
@@ -60,6 +48,9 @@
 #  if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
     defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
 /* *INDENT-OFF* */
+#   if !defined(MBEDTLS_HAVE_NEON_INTRINSICS)
+#       error "Target does not support NEON instructions"
+#   endif
 /*
  * Best performance comes from most recent compilers, with intrinsics and -O3.
  * Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
@@ -76,7 +67,16 @@
  */
 #    if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG)
        /* Test Clang first, as it defines __GNUC__ */
-#      if defined(__clang__)
+#      if defined(__ARMCOMPILER_VERSION)
+#        if __ARMCOMPILER_VERSION < 6090000
+#          error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+#        elif __ARMCOMPILER_VERSION == 6090000
+#          error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
+#        else
+#          pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
+#          define MBEDTLS_POP_TARGET_PRAGMA
+#        endif
+#      elif defined(__clang__)
 #        if __clang_major__ < 7
 #          error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
 #        else
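Review bot: The unchanged comment `/* Test Clang first, as it defines __GNUC__ */` now sits directly above the new `#if defined(__ARMCOMPILER_VERSION)` branch and no longer describes the order of the tests. Armclang is now checked before Clang, presumably because it also defines `__clang__` and would otherwise fall into the Clang branch. I would reword the comment to `/* Test armclang first (it defines __clang__), then Clang (it defines __GNUC__) */` so the ordering constraint stays visible to whoever next edits this chain. The conditional chain continues outside the hunk.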
@@ -96,24 +96,26 @@
 #      endif
 #    endif
 /* *INDENT-ON* */
-#    include <arm_neon.h>
 #  endif
 #  if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
 #    if defined(__unix__)
 #      if defined(__linux__)
 /* Our preferred method of detection is getauxval() */
 #        include <sys/auxv.h>
+#        if !defined(HWCAP_SHA512)
+/* The same header that declares getauxval() should provide the HWCAP_xxx
+ * constants to analyze its return value. However, the libc may be too
+ * old to have the constant that we need. So if it's missing, assume that
+ * the value is the same one used by the Linux kernel ABI.
+ */
+#          define HWCAP_SHA512 (1 << 21)
+#        endif
 #      endif
 /* Use SIGILL on Unix, and fall back to it on Linux */
 #      include <signal.h>
 #    endif
 #  endif
-#elif defined(_M_ARM64)
-#  if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
-    defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
-#    include <arm64_neon.h>
-#  endif
-#else
+#elif !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
 #  undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
 #  undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
 #endif
@@ -141,7 +143,7 @@
                            NULL, 0);
     return ret == 0 && value != 0;
 }
-#elif defined(_M_ARM64)
+#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
 /*
  * As of March 2022, there don't appear to be any PF_ARM_V8_* flags
  * available to pass to IsProcessorFeaturePresent() to check for
@@ -569,6 +571,8 @@
             SHA512_BLOCK_SIZE) ? 0 : -1;
 }
 
+#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
+
 #if defined(MBEDTLS_POP_TARGET_PRAGMA)
 #if defined(__clang__)
 #pragma clang attribute pop
@@ -578,8 +582,6 @@
 #undef MBEDTLS_POP_TARGET_PRAGMA
 #endif
 
-#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
-
 
 #if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
 #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many
@@ -815,6 +817,7 @@
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     unsigned used;
     uint64_t high, low;
+    int truncated = 0;
 
     /*
      * Add padding: 0x80 then 0x00 until 16 bytes remain for the length
@@ -831,7 +834,7 @@
         memset(ctx->buffer + used, 0, SHA512_BLOCK_SIZE - used);
 
         if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
-            return ret;
+            goto exit;
         }
 
         memset(ctx->buffer, 0, 112);
@@ -848,7 +851,7 @@
     sha512_put_uint64_be(low,  ctx->buffer, 120);
 
     if ((ret = mbedtls_internal_sha512_process(ctx, ctx->buffer)) != 0) {
-        return ret;
+        goto exit;
     }
 
     /*
@@ -861,7 +864,6 @@
     sha512_put_uint64_be(ctx->state[4], output, 32);
     sha512_put_uint64_be(ctx->state[5], output, 40);
 
-    int truncated = 0;
 #if defined(MBEDTLS_SHA384_C)
     truncated = ctx->is384;
 #endif
@@ -870,7 +872,11 @@
         sha512_put_uint64_be(ctx->state[7], output, 56);
     }
 
-    return 0;
+    ret = 0;
+
+exit:
+    mbedtls_sha512_free(ctx);
+    return ret;
 }
 
 #endif /* !MBEDTLS_SHA512_ALT */
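Review bot: The new `exit:` label calls `mbedtls_sha512_free(ctx)` on the success path as well as on the two `goto exit` error paths (the hunks at -831 and -848), so the context is no longer usable after finish, and nothing in the visible lines tells a caller that. `mbedtls_sha512_free()` is defined outside this diff; assuming it zeroizes the whole context, `is384` is cleared along with the state, so a later update or finish without `mbedtls_sha512_starts()` would run on zeroed state rather than return an error. Wiping the intermediate state is the right default, but I would add above the label `/* Wipe the hash state on every path; ctx must be restarted with mbedtls_sha512_starts() before reuse. */`. It is also worth checking that no caller in this tree copies or continues a context after finish. The function body starts outside the hunk.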
@@ -1001,8 +1007,6 @@
 };
 #endif /* MBEDTLS_SHA512_C */
 
-#define ARRAY_LENGTH(a)   (sizeof(a) / sizeof((a)[0]))
-
 static int mbedtls_sha512_common_self_test(int verbose, int is384)
 {
     int i, buflen, ret = 0;