From 222e2ff421609a7ff5e0565156028771d284f7ad Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 4 Apr 2017 11:37:15 +0200 Subject: [PATCH 01/14] Allow alternate core implementation of CCM --- include/mbedtls/ccm.h | 16 ++++++++++++++++ include/mbedtls/config.h | 1 + library/ccm.c | 3 +++ 3 files changed, 20 insertions(+) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index ef75839ba..579402fd4 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -28,6 +28,10 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to function. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */ +#if !defined(MBEDTLS_CCM_ALT) +// Regular implementation +// + #ifdef __cplusplus extern "C" { #endif @@ -125,6 +129,18 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, const unsigned char *input, unsigned char *output, const unsigned char *tag, size_t tag_len ); +#ifdef __cplusplus +} +#endif + +#else /* !MBEDTLS_CCM_ALT */ +#include "ccm_alt.h" +#endif /* !MBEDTLS_CCM_ALT */ + +#ifdef __cplusplus +extern "C" { +#endif + #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) /** * \brief Checkup routine diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 0f7e29bcf..941769fd0 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -237,6 +237,7 @@ //#define MBEDTLS_ARC4_ALT //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CCM_ALT //#define MBEDTLS_DES_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT diff --git a/library/ccm.c b/library/ccm.c index 13a8fd1a2..9101e5f7c 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -49,6 +49,8 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ +#if !defined(MBEDTLS_CCM_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; @@ -348,6 +350,7 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, return( 0 ); } +#endif /* !MBEDTLS_CCM_ALT */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) /* From 633427732047dd1e0a3f76cd7d066362698c6692 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 4 Apr 2017 11:47:16 +0200 Subject: [PATCH 02/14] Allow alternate core implementation of CMAC --- include/mbedtls/cmac.h | 14 ++++++++++++++ include/mbedtls/config.h | 1 + library/cmac.c | 4 ++++ 3 files changed, 19 insertions(+) diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index 9a2b96bc9..4d3f2d2f4 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -39,6 +39,8 @@ extern "C" { #define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /* longest used by CMAC is 3DES */ #endif +#if !defined(MBEDTLS_CMAC_ALT) + /** * CMAC context structure - Contains internal state information only */ @@ -154,6 +156,18 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len, unsigned char output[16] ); #endif /* MBEDTLS_AES_C */ +#ifdef __cplusplus +} +#endif + +#else /* !MBEDTLS_CMAC_ALT */ +#include "cmac_alt.h" +#endif /* !MBEDTLS_CMAC_ALT */ + +#ifdef __cplusplus +extern "C" { +#endif + #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) ) /** * \brief Checkup routine diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 0f7e29bcf..2ef052b1e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -237,6 +237,7 @@ //#define MBEDTLS_ARC4_ALT //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT +//#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT diff --git a/library/cmac.c b/library/cmac.c index b2fe713a0..5575d5c8d 100644 --- a/library/cmac.c +++ b/library/cmac.c @@ -65,6 +65,8 @@ #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_PLATFORM_C */ +#if !defined(MBEDTLS_CMAC_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; @@ -468,6 +470,8 @@ exit: } #endif /* MBEDTLS_AES_C */ +#endif /* !MBEDTLS_CMAC_ALT */ + #if defined(MBEDTLS_SELF_TEST) /* * CMAC test data for SP800-38B From 12d9f3c84d14cf1f01d8e8c1f18a430b9d764765 Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 4 Apr 2017 12:01:42 +0200 Subject: [PATCH 03/14] Forgot version-features update for new config flag --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index e866e67a2..6d2e53f77 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -90,6 +90,9 @@ static const char *features[] = { #if defined(MBEDTLS_CAMELLIA_ALT) "MBEDTLS_CAMELLIA_ALT", #endif /* MBEDTLS_CAMELLIA_ALT */ +#if defined(MBEDTLS_CMAC_ALT) + "MBEDTLS_CMAC_ALT", +#endif /* MBEDTLS_CMAC_ALT */ #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ From 3a93387cea490ea05db35b85cdbea1306345505d Mon Sep 17 00:00:00 2001 From: Steven Cooreman Date: Tue, 4 Apr 2017 12:02:37 +0200 Subject: [PATCH 04/14] Forgot version-features update for new config flag --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index e866e67a2..9bd40c423 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -90,6 +90,9 @@ static const char *features[] = { #if defined(MBEDTLS_CAMELLIA_ALT) "MBEDTLS_CAMELLIA_ALT", #endif /* MBEDTLS_CAMELLIA_ALT */ +#if defined(MBEDTLS_CCM_ALT) + "MBEDTLS_CCM_ALT", +#endif /* MBEDTLS_CCM_ALT */ #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ From fd487394615f4139d23ef7dbf4a6b298b3a962b5 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 14 Jun 2017 16:19:12 +0100 Subject: [PATCH 05/14] Add AES feature unavailable error code --- include/mbedtls/aes.h | 1 + include/mbedtls/error.h | 2 +- library/error.c | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index b5560cc81..660ec2add 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -38,6 +38,7 @@ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ +#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x006E /**< Feature not available, e.g. unsupported AES key size. */ #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 5e549f6b6..8dfeb6221 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -52,7 +52,7 @@ * GCM 2 0x0012-0x0014 * BLOWFISH 2 0x0016-0x0018 * THREADING 3 0x001A-0x001E - * AES 2 0x0020-0x0022 + * AES 2 0x0020-0x0022 0x006E-0x006E * CAMELLIA 2 0x0024-0x0026 * XTEA 1 0x0028-0x0028 * BASE64 2 0x002A-0x002C diff --git a/library/error.c b/library/error.c index dd2db0c45..11f7c6025 100644 --- a/library/error.c +++ b/library/error.c @@ -516,6 +516,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "AES - Invalid key length" ); if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) ) mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" ); + if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) ) + mbedtls_snprintf( buf, buflen, "AES - Feature not available, e.g. unsupported AES key size" ); #endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_ASN1_PARSE_C) From 58f98c23d5a37f412edcdce5c9d934161b667a07 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 14 Jun 2017 16:19:42 +0100 Subject: [PATCH 06/14] Run AES-192 selftest if available only This patch modifies the function mbedtls_aes_selftest() function to ensure that AES-192 tests are only run if the key size is supported by the available implementation. This is useful when using MBEDTLS_AES_ALT as some hardware crypto accelerators might not support AES-192. --- library/aes.c | 219 +++++++++++++++++++++++++------------------------- 1 file changed, 111 insertions(+), 108 deletions(-) diff --git a/library/aes.c b/library/aes.c index 5e01c4f2b..b5e892450 100644 --- a/library/aes.c +++ b/library/aes.c @@ -1221,9 +1221,11 @@ static const int aes_test_ctr_len[3] = */ int mbedtls_aes_self_test( int verbose ) { - int ret = 0, i, j, u, v; + int ret = 0, i, j, u, mode; + unsigned int keybits; unsigned char key[32]; unsigned char buf[64]; + const unsigned char *aes_tests; #if defined(MBEDTLS_CIPHER_MODE_CBC) || defined(MBEDTLS_CIPHER_MODE_CFB) unsigned char iv[16]; #endif @@ -1249,45 +1251,47 @@ int mbedtls_aes_self_test( int verbose ) for( i = 0; i < 6; i++ ) { u = i >> 1; - v = i & 1; + keybits = 128 + u * 64; + mode = i & 1; if( verbose != 0 ) - mbedtls_printf( " AES-ECB-%3d (%s): ", 128 + u * 64, - ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); + mbedtls_printf( " AES-ECB-%3d (%s): ", keybits, + ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); memset( buf, 0, 16 ); - if( v == MBEDTLS_AES_DECRYPT ) + if( mode == MBEDTLS_AES_DECRYPT ) { - mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 ); - - for( j = 0; j < 10000; j++ ) - mbedtls_aes_crypt_ecb( &ctx, v, buf, buf ); - - if( memcmp( buf, aes_test_ecb_dec[u], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); + aes_tests = aes_test_ecb_dec[u]; } else { - mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 ); + ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); + aes_tests = aes_test_ecb_enc[u]; + } - for( j = 0; j < 10000; j++ ) - mbedtls_aes_crypt_ecb( &ctx, v, buf, buf ); + if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) + { + mbedtls_printf( "skipped\n" ); + continue; + } + else if( ret != 0 ) + { + goto exit; + } - if( memcmp( buf, aes_test_ecb_enc[u], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; + for( j = 0; j < 10000; j++ ) + { + ret = mbedtls_aes_crypt_ecb( &ctx, mode, buf, buf ); + if( ret != 0 ) goto exit; - } + } + + if( memcmp( buf, aes_tests, 16 ) != 0 ) + { + ret = 1; + goto exit; } if( verbose != 0 ) @@ -1304,55 +1308,59 @@ int mbedtls_aes_self_test( int verbose ) for( i = 0; i < 6; i++ ) { u = i >> 1; - v = i & 1; + keybits = 128 + u * 64; + mode = i & 1; if( verbose != 0 ) - mbedtls_printf( " AES-CBC-%3d (%s): ", 128 + u * 64, - ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); + mbedtls_printf( " AES-CBC-%3d (%s): ", keybits, + ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); memset( iv , 0, 16 ); memset( prv, 0, 16 ); memset( buf, 0, 16 ); - if( v == MBEDTLS_AES_DECRYPT ) + if( mode == MBEDTLS_AES_DECRYPT ) { - mbedtls_aes_setkey_dec( &ctx, key, 128 + u * 64 ); - - for( j = 0; j < 10000; j++ ) - mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf ); - - if( memcmp( buf, aes_test_cbc_dec[u], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + ret = mbedtls_aes_setkey_dec( &ctx, key, keybits ); + aes_tests = aes_test_cbc_dec[u]; } else { - mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 ); + ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); + aes_tests = aes_test_cbc_enc[u]; + } - for( j = 0; j < 10000; j++ ) + if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) + { + mbedtls_printf( "skipped\n" ); + continue; + } + else if( ret != 0 ) + { + goto exit; + } + + for( j = 0; j < 10000; j++ ) + { + if( mode == MBEDTLS_AES_ENCRYPT ) { unsigned char tmp[16]; - mbedtls_aes_crypt_cbc( &ctx, v, 16, iv, buf, buf ); - memcpy( tmp, prv, 16 ); memcpy( prv, buf, 16 ); memcpy( buf, tmp, 16 ); } - if( memcmp( prv, aes_test_cbc_enc[u], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; + ret = mbedtls_aes_crypt_cbc( &ctx, mode, 16, iv, buf, buf ); + if( ret != 0 ) goto exit; - } + + } + + if( memcmp( buf, aes_tests, 16 ) != 0 ) + { + ret = 1; + goto exit; } if( verbose != 0 ) @@ -1370,45 +1378,47 @@ int mbedtls_aes_self_test( int verbose ) for( i = 0; i < 6; i++ ) { u = i >> 1; - v = i & 1; + keybits = 128 + u * 64; + mode = i & 1; if( verbose != 0 ) - mbedtls_printf( " AES-CFB128-%3d (%s): ", 128 + u * 64, - ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); + mbedtls_printf( " AES-CFB128-%3d (%s): ", keybits, + ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); memcpy( iv, aes_test_cfb128_iv, 16 ); - memcpy( key, aes_test_cfb128_key[u], 16 + u * 8 ); + memcpy( key, aes_test_cfb128_key[u], keybits / 8 ); offset = 0; - mbedtls_aes_setkey_enc( &ctx, key, 128 + u * 64 ); + ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); + if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) + { + mbedtls_printf( "skipped\n" ); + continue; + } + else if( ret != 0 ) + { + goto exit; + } - if( v == MBEDTLS_AES_DECRYPT ) + if( mode == MBEDTLS_AES_DECRYPT ) { memcpy( buf, aes_test_cfb128_ct[u], 64 ); - mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf ); - - if( memcmp( buf, aes_test_cfb128_pt, 64 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + aes_tests = aes_test_cfb128_pt; } else { memcpy( buf, aes_test_cfb128_pt, 64 ); - mbedtls_aes_crypt_cfb128( &ctx, v, 64, &offset, iv, buf, buf ); + aes_tests = aes_test_cfb128_ct[u]; + } - if( memcmp( buf, aes_test_cfb128_ct[u], 64 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); + ret = mbedtls_aes_crypt_cfb128( &ctx, mode, 64, &offset, iv, buf, buf ); + if( ret != 0 ) + goto exit; - ret = 1; - goto exit; - } + if( memcmp( buf, aes_tests, 64 ) != 0 ) + { + ret = 1; + goto exit; } if( verbose != 0 ) @@ -1426,51 +1436,41 @@ int mbedtls_aes_self_test( int verbose ) for( i = 0; i < 6; i++ ) { u = i >> 1; - v = i & 1; + mode = i & 1; if( verbose != 0 ) mbedtls_printf( " AES-CTR-128 (%s): ", - ( v == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); + ( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" ); memcpy( nonce_counter, aes_test_ctr_nonce_counter[u], 16 ); memcpy( key, aes_test_ctr_key[u], 16 ); offset = 0; - mbedtls_aes_setkey_enc( &ctx, key, 128 ); + if( ( ret = mbedtls_aes_setkey_enc( &ctx, key, 128 ) ) != 0 ) + goto exit; - if( v == MBEDTLS_AES_DECRYPT ) + len = aes_test_ctr_len[u]; + + if( mode == MBEDTLS_AES_DECRYPT ) { - len = aes_test_ctr_len[u]; memcpy( buf, aes_test_ctr_ct[u], len ); - - mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, - buf, buf ); - - if( memcmp( buf, aes_test_ctr_pt[u], len ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + aes_tests = aes_test_ctr_pt[u]; } else { - len = aes_test_ctr_len[u]; memcpy( buf, aes_test_ctr_pt[u], len ); + aes_tests = aes_test_ctr_ct[u]; + } - mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, stream_block, - buf, buf ); + ret = mbedtls_aes_crypt_ctr( &ctx, len, &offset, nonce_counter, + stream_block, buf, buf ); + if( ret != 0 ) + goto exit; - if( memcmp( buf, aes_test_ctr_ct[u], len ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + if( memcmp( buf, aes_tests, len ) != 0 ) + { + ret = 1; + goto exit; } if( verbose != 0 ) @@ -1484,6 +1484,9 @@ int mbedtls_aes_self_test( int verbose ) ret = 0; exit: + if( ret != 0 && verbose != 0 ) + mbedtls_printf( "failed\n" ); + mbedtls_aes_free( &ctx ); return( ret ); From 2a078da134a10a829d9fd33e6450fc6415d463ae Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 15 Jun 2017 11:30:51 +0100 Subject: [PATCH 07/14] Run AES-GCM-192 selftest if available only This patch modifies the function mbedtls_gcm_self_test() function to ensure that AES-GCM-192 tests are only run if the key size is supported by the available implementation. This is useful when using MBEDTLS_AES_ALT as some hardware crypto accelerators might not support AES-192. --- library/gcm.c | 189 ++++++++++++++++++++++++-------------------------- 1 file changed, 92 insertions(+), 97 deletions(-) diff --git a/library/gcm.c b/library/gcm.c index f1210c52c..7b2760a62 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -46,6 +46,7 @@ #endif #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) +#include "mbedtls/aes.h" #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else @@ -742,34 +743,43 @@ int mbedtls_gcm_self_test( int verbose ) int i, j, ret; mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES; - mbedtls_gcm_init( &ctx ); - for( j = 0; j < 3; j++ ) { int key_len = 128 + 64 * j; for( i = 0; i < MAX_TESTS; i++ ) { + mbedtls_gcm_init( &ctx ); + if( verbose != 0 ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", - key_len, i, "enc" ); + key_len, i, "enc" ); - mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len ); + ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + key_len ); + if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && key_len == 192 ) + { + mbedtls_printf( "skipped\n" ); + break; + } + else if( ret != 0 ) + { + goto exit; + } ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_ENCRYPT, - pt_len[i], - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i], - pt[pt_index[i]], buf, 16, tag_buf ); + pt_len[i], + iv[iv_index[i]], iv_len[i], + additional[add_index[i]], add_len[i], + pt[pt_index[i]], buf, 16, tag_buf ); + if( ret != 0 ) + goto exit; - if( ret != 0 || - memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || - memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) + if ( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || + memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); + ret = 1; + goto exit; } mbedtls_gcm_free( &ctx ); @@ -777,26 +787,31 @@ int mbedtls_gcm_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n" ); + mbedtls_gcm_init( &ctx ); + if( verbose != 0 ) mbedtls_printf( " AES-GCM-%3d #%d (%s): ", - key_len, i, "dec" ); + key_len, i, "dec" ); - mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len ); + ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + key_len ); + if( ret != 0 ) + goto exit; ret = mbedtls_gcm_crypt_and_tag( &ctx, MBEDTLS_GCM_DECRYPT, - pt_len[i], - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i], - ct[j * 6 + i], buf, 16, tag_buf ); + pt_len[i], + iv[iv_index[i]], iv_len[i], + additional[add_index[i]], add_len[i], + ct[j * 6 + i], buf, 16, tag_buf ); - if( ret != 0 || - memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || + if( ret != 0 ) + goto exit; + + if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); + ret = 1; + goto exit; } mbedtls_gcm_free( &ctx ); @@ -804,66 +819,51 @@ int mbedtls_gcm_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n" ); + mbedtls_gcm_init( &ctx ); + if( verbose != 0 ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", - key_len, i, "enc" ); + key_len, i, "enc" ); - mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len ); + ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + key_len ); + if( ret != 0 ) + goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_ENCRYPT, - iv[iv_index[i]], iv_len[i], - additional[add_index[i]], add_len[i] ); + iv[iv_index[i]], iv_len[i], + additional[add_index[i]], add_len[i] ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; if( pt_len[i] > 32 ) { size_t rest_len = pt_len[i] - 32; ret = mbedtls_gcm_update( &ctx, 32, pt[pt_index[i]], buf ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; ret = mbedtls_gcm_update( &ctx, rest_len, pt[pt_index[i]] + 32, buf + 32 ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; } else { ret = mbedtls_gcm_update( &ctx, pt_len[i], pt[pt_index[i]], buf ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; } ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 ); - if( ret != 0 || - memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || + if( ret != 0 ) + goto exit; + + if( memcmp( buf, ct[j * 6 + i], pt_len[i] ) != 0 || memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); + ret = 1; + goto exit; } mbedtls_gcm_free( &ctx ); @@ -871,80 +871,75 @@ int mbedtls_gcm_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n" ); + mbedtls_gcm_init( &ctx ); + if( verbose != 0 ) mbedtls_printf( " AES-GCM-%3d #%d split (%s): ", - key_len, i, "dec" ); + key_len, i, "dec" ); - mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len ); + ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], + key_len ); + if( ret != 0 ) + goto exit; ret = mbedtls_gcm_starts( &ctx, MBEDTLS_GCM_DECRYPT, iv[iv_index[i]], iv_len[i], additional[add_index[i]], add_len[i] ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; if( pt_len[i] > 32 ) { size_t rest_len = pt_len[i] - 32; ret = mbedtls_gcm_update( &ctx, 32, ct[j * 6 + i], buf ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; ret = mbedtls_gcm_update( &ctx, rest_len, ct[j * 6 + i] + 32, - buf + 32 ); + buf + 32 ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; } else { - ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i], buf ); + ret = mbedtls_gcm_update( &ctx, pt_len[i], ct[j * 6 + i], + buf ); if( ret != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto exit; } ret = mbedtls_gcm_finish( &ctx, tag_buf, 16 ); - if( ret != 0 || - memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || + if( ret != 0 ) + goto exit; + + if( memcmp( buf, pt[pt_index[i]], pt_len[i] ) != 0 || memcmp( tag_buf, tag[j * 6 + i], 16 ) != 0 ) { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); + ret = 1; + goto exit; } mbedtls_gcm_free( &ctx ); if( verbose != 0 ) mbedtls_printf( "passed\n" ); - } } if( verbose != 0 ) mbedtls_printf( "\n" ); - return( 0 ); + ret = 0; + +exit: + if( ret != 0 ) + { + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + mbedtls_gcm_free( &ctx ); + } + + return( ret ); } #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ From d3e7e7d83f865591a31e5d1a2da14ca21d7da1fb Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 15 Jun 2017 16:17:46 +0100 Subject: [PATCH 08/14] Add comment for skipped AES-192 test condition --- library/aes.c | 15 +++++++++++++++ library/gcm.c | 5 +++++ 2 files changed, 20 insertions(+) diff --git a/library/aes.c b/library/aes.c index b5e892450..906386930 100644 --- a/library/aes.c +++ b/library/aes.c @@ -1271,6 +1271,11 @@ int mbedtls_aes_self_test( int verbose ) aes_tests = aes_test_ecb_enc[u]; } + /* + * AES-192 is an optional feature that may be unavailable when + * there is an alternative underlying implementation i.e. when + * MBEDTLS_AES_ALT is defined. + */ if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) { mbedtls_printf( "skipped\n" ); @@ -1330,6 +1335,11 @@ int mbedtls_aes_self_test( int verbose ) aes_tests = aes_test_cbc_enc[u]; } + /* + * AES-192 is an optional feature that may be unavailable when + * there is an alternative underlying implementation i.e. when + * MBEDTLS_AES_ALT is defined. + */ if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) { mbedtls_printf( "skipped\n" ); @@ -1390,6 +1400,11 @@ int mbedtls_aes_self_test( int verbose ) offset = 0; ret = mbedtls_aes_setkey_enc( &ctx, key, keybits ); + /* + * AES-192 is an optional feature that may be unavailable when + * there is an alternative underlying implementation i.e. when + * MBEDTLS_AES_ALT is defined. + */ if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && keybits == 192 ) { mbedtls_printf( "skipped\n" ); diff --git a/library/gcm.c b/library/gcm.c index 7b2760a62..97e9d889d 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -757,6 +757,11 @@ int mbedtls_gcm_self_test( int verbose ) ret = mbedtls_gcm_setkey( &ctx, cipher, key[key_index[i]], key_len ); + /* + * AES-192 is an optional feature that may be unavailable when + * there is an alternative underlying implementation i.e. when + * MBEDTLS_AES_ALT is defined. + */ if( ret == MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE && key_len == 192 ) { mbedtls_printf( "skipped\n" ); From 152633093112a78ffbb8158eec4d8944c0d7dc25 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 21 Sep 2017 12:53:48 +0100 Subject: [PATCH 09/14] Allow alternate implementation of GCM Provide the ability to use an alternative implementation of GCM in place of the library-provided implementation. --- ChangeLog | 6 ++++++ include/mbedtls/config.h | 1 + include/mbedtls/gcm.h | 15 +++++++++++++++ library/gcm.c | 4 ++++ library/version_features.c | 3 +++ 5 files changed, 29 insertions(+) diff --git a/ChangeLog b/ChangeLog index 227faed6b..d3833085b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Features + * Add support for alternative implementations of GCM, selected by the + configuration flag MBEDTLS_GCM_ALT in config.h + = mbed TLS 2.6.0 branch released 2017-08-10 Security diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 47c719640..94bf0d120 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -267,6 +267,7 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_DES_ALT +//#define MBEDTLS_GCM_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index 1b77aaedd..8f3b56575 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -33,6 +33,8 @@ #define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /**< Authenticated decryption failed. */ #define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 /**< Bad input parameters to function. */ +#if !defined(MBEDTLS_GCM_ALT) + #ifdef __cplusplus extern "C" { #endif @@ -206,6 +208,18 @@ int mbedtls_gcm_finish( mbedtls_gcm_context *ctx, */ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ); +#ifdef __cplusplus +} +#endif + +#else /* !MBEDTLS_GCM_ALT */ +#include "gcm_alt.h" +#endif /* !MBEDTLS_GCM_ALT */ + +#ifdef __cplusplus +extern "C" { +#endif + /** * \brief Checkup routine * @@ -217,4 +231,5 @@ int mbedtls_gcm_self_test( int verbose ); } #endif + #endif /* gcm.h */ diff --git a/library/gcm.c b/library/gcm.c index fccb092bd..2b49fa66c 100644 --- a/library/gcm.c +++ b/library/gcm.c @@ -54,6 +54,8 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ +#if !defined(MBEDTLS_GCM_ALT) + /* * 32-bit integer manipulation macros (big endian) */ @@ -508,6 +510,8 @@ void mbedtls_gcm_free( mbedtls_gcm_context *ctx ) mbedtls_zeroize( ctx, sizeof( mbedtls_gcm_context ) ); } +#endif /* !MBEDTLS_GCM_ALT */ + #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) /* * AES-GCM test vectors from: diff --git a/library/version_features.c b/library/version_features.c index 5cbe8aca3..50afe1e24 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -99,6 +99,9 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ +#if defined(MBEDTLS_GCM_ALT) + "MBEDTLS_GCM_ALT", +#endif /* MBEDTLS_GCM_ALT */ #if defined(MBEDTLS_XTEA_ALT) "MBEDTLS_XTEA_ALT", #endif /* MBEDTLS_XTEA_ALT */ From c5380649d94e69764e261548087e365262cf4e2e Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 28 Nov 2017 19:57:51 +0000 Subject: [PATCH 10/14] Change value of MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE Change the value of the error MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE to 0x0023 to ensure the errors in the AES module are all in a continuous range. --- include/mbedtls/aes.h | 5 ++++- include/mbedtls/error.h | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 660ec2add..f1c3d3a8c 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -36,9 +36,12 @@ #define MBEDTLS_AES_ENCRYPT 1 #define MBEDTLS_AES_DECRYPT 0 +/* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ -#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x006E /**< Feature not available, e.g. unsupported AES key size. */ + +/* Error codes in range 0x0023-0x0023 */ +#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available, e.g. unsupported AES key size. */ #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 8dfeb6221..5fffb0d22 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -52,7 +52,7 @@ * GCM 2 0x0012-0x0014 * BLOWFISH 2 0x0016-0x0018 * THREADING 3 0x001A-0x001E - * AES 2 0x0020-0x0022 0x006E-0x006E + * AES 2 0x0020-0x0022 0x0023-0x0023 * CAMELLIA 2 0x0024-0x0026 * XTEA 1 0x0028-0x0028 * BASE64 2 0x002A-0x002C From 621080d7c68370dca67cfe387508abe685304e3e Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Thu, 21 Dec 2017 10:57:43 +0200 Subject: [PATCH 11/14] Fix compilation issue weh self test defined 1. Surround the generate keys with `#if ! defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST)` to resolve build issue when `MBEDTLS_SELF_TEST` is defined for alternative CMAC as well 2. Update ChangeLog --- ChangeLog | 6 ++++++ library/cmac.c | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 13de8672c..5d43296db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Changes + * Add hardware acceleration support for cmac, with the configuration definition + of `MBEDTLS_CMAC_ALT`. Submitted by stevew817 + = mbed TLS 2.4.2 branch released 2017-03-08 Security diff --git a/library/cmac.c b/library/cmac.c index 5575d5c8d..d3581d589 100644 --- a/library/cmac.c +++ b/library/cmac.c @@ -65,7 +65,7 @@ #endif /* MBEDTLS_SELF_TEST */ #endif /* MBEDTLS_PLATFORM_C */ -#if !defined(MBEDTLS_CMAC_ALT) +#if !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { @@ -166,7 +166,9 @@ exit: return( ret ); } +#endif /* !defined(MBEDTLS_CMAC_ALT) || defined(MBEDTLS_SELF_TEST) */ +#if !defined(MBEDTLS_CMAC_ALT) static void cmac_xor_block( unsigned char *output, const unsigned char *input1, const unsigned char *input2, const size_t block_size ) From 618d091f2af41c2c60117b6c7fef080687dedc81 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2018 16:04:19 +0100 Subject: [PATCH 12/14] Add ChangeLog entry for CCM_ALT Edit the CMAC_ALT ChangeLog entry to mention CCM_ALT which was added in a sister PR and is being merged together. Use full name rather than Github id as attribution. Move the entry under "Features" for better consistency with historical practice. --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6377e7f5d..d9e9dc89e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,8 @@ Features line arguments. * New unit tests for timing. Improve the self-test to be more robust when run on a heavily-loaded machine. + * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, + MBEDTLS_CMAC_ALT). Submitted by Steve Cooreman, Silicon Labs. New deprecations * Deprecate usage of RSA primitives with non-matching key-type @@ -71,8 +73,6 @@ Changes * Extend cert_write example program by options to set the CRT version and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. - * Add hardware acceleration support for cmac, with the configuration definition - of `MBEDTLS_CMAC_ALT`. Submitted by stevew817 = mbed TLS 2.6.0 branch released 2017-08-10 From 8e09d8f6a5d1b8543ee5fb6e782df88179575ad4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2018 16:09:42 +0100 Subject: [PATCH 13/14] Add full stop to ChangeLog entry --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 32056b80f..365a713b7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,7 +21,7 @@ Features * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, MBEDTLS_CMAC_ALT). Submitted by Steve Cooreman, Silicon Labs. * Add support for alternative implementations of GCM, selected by the - configuration flag MBEDTLS_GCM_ALT in config.h + configuration flag MBEDTLS_GCM_ALT. New deprecations * Deprecate usage of RSA primitives with non-matching key-type From ec9c626b75aecd99663695d53460c6a79d5c6d44 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 2 Jan 2018 16:27:50 +0100 Subject: [PATCH 14/14] ChangeLog entry for PR #964 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 365a713b7..2284f3427 100644 --- a/ChangeLog +++ b/ChangeLog @@ -70,11 +70,14 @@ Bugfix MilenkoMitrovic, #1104 * Fix mbedtls_timing_alarm(0) on Unix. * Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1. + * Fix possible memory leaks in mbedtls_gcm_self_test(). + * Added missing return code checks in mbedtls_aes_self_test(). Changes * Extend cert_write example program by options to set the CRT version and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. + * Only run AES-192 self-test if AES-192 is available. Fixes #963. = mbed TLS 2.6.0 branch released 2017-08-10