eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #1038 from Mbed-TLS/development

Browse source 
Merge development into development-restricted
This commit is contained in:
Gilles Peskine 2023-07-21 15:40:36 +02:00 committed by GitHub
commit 2387bdab0f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
530 changed files with 35120 additions and 12769 deletions
Download patch file Download diff file Expand all files Collapse all files

1
library/.gitignore vendored
View file

@ -1,4 +1,3 @@
*.o
libmbed*
*.sln
*.vcxproj

13
library/CMakeLists.txt
View file

@ -37,12 +37,12 @@ set(src_crypto
ecdsa.c
ecjpake.c
ecp.c
ecp_new.c
ecp_curves.c
entropy.c
entropy_poll.c
error.c
gcm.c
hash_info.c
hkdf.c
hmac_drbg.c
lmots.c
@ -69,6 +69,7 @@ set(src_crypto
psa_crypto_client.c
psa_crypto_driver_wrappers.c
psa_crypto_ecp.c
psa_crypto_ffdh.c
psa_crypto_hash.c
psa_crypto_mac.c
psa_crypto_pake.c
@ -84,6 +85,7 @@ set(src_crypto
sha1.c
sha256.c
sha512.c
sha3.c
threading.c
timing.c
version.c
@ -319,6 +321,15 @@ foreach(target IN LISTS target_libraries)
PUBLIC $<BUILD_INTERFACE:${MBEDTLS_DIR}/include/>
$<INSTALL_INTERFACE:include/>
PRIVATE ${MBEDTLS_DIR}/library/)
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
if(MBEDTLS_CONFIG_FILE)
target_compile_definitions(${target}
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
endif()
if(MBEDTLS_USER_CONFIG_FILE)
target_compile_definitions(${target}
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
endif()
install(
TARGETS ${target}
EXPORT MbedTLSTargets

4
library/Makefile
View file

@ -102,12 +102,12 @@ OBJS_CRYPTO= \
ecdsa.o \
ecjpake.o \
ecp.o \
ecp_new.o \
ecp_curves.o \
entropy.o \
entropy_poll.o \
error.o \
gcm.o \
hash_info.o \
hkdf.o \
hmac_drbg.o \
lmots.o \
@ -134,6 +134,7 @@ OBJS_CRYPTO= \
psa_crypto_client.o \
psa_crypto_driver_wrappers.o \
psa_crypto_ecp.o \
psa_crypto_ffdh.o \
psa_crypto_hash.o \
psa_crypto_mac.o \
psa_crypto_pake.o \
@ -149,6 +150,7 @@ OBJS_CRYPTO= \
sha1.o \
sha256.o \
sha512.o \
sha3.o \
threading.o \
timing.o \
version.o \

589
library/aes.c
View file

File diff suppressed because it is too large Load diff

129
library/aesce.c
View file

@ -66,20 +66,33 @@
# endif
#endif
#if !defined(__ARM_FEATURE_AES) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
# if defined(__clang__)
# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
#ifdef __ARM_NEON
#include <arm_neon.h>
#else
#error "Target does not support NEON instructions"
#endif
#if !(defined(__ARM_FEATURE_CRYPTO) || defined(__ARM_FEATURE_AES)) || \
defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
# if defined(__ARMCOMPILER_VERSION)
# if __ARMCOMPILER_VERSION <= 6090000
# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_AESCE_C"
# else
# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# endif
# elif defined(__clang__)
# pragma clang attribute push (__attribute__((target("aes"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(__GNUC__)
# pragma GCC push_options
# pragma GCC target ("arch=armv8-a+crypto")
# pragma GCC target ("+crypto")
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(_MSC_VER)
# error "Required feature(__ARM_FEATURE_AES) is not enabled."
# endif
#endif /* !__ARM_FEATURE_AES || MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
#include <arm_neon.h>
#endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) ||
MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
#if defined(__linux__)
#include <asm/hwcap.h>
@ -101,59 +114,105 @@ int mbedtls_aesce_has_support(void)
#endif
}
/* Single round of AESCE encryption */
#define AESCE_ENCRYPT_ROUND \
block = vaeseq_u8(block, vld1q_u8(keys)); \
block = vaesmcq_u8(block); \
keys += 16
/* Two rounds of AESCE encryption */
#define AESCE_ENCRYPT_ROUND_X2 AESCE_ENCRYPT_ROUND; AESCE_ENCRYPT_ROUND
MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
static uint8x16_t aesce_encrypt_block(uint8x16_t block,
unsigned char *keys,
int rounds)
{
for (int i = 0; i < rounds - 1; i++) {
/* AES AddRoundKey, SubBytes, ShiftRows (in this order).
* AddRoundKey adds the round key for the previous round. */
block = vaeseq_u8(block, vld1q_u8(keys + i * 16));
/* AES mix columns */
block = vaesmcq_u8(block);
/* 10, 12 or 14 rounds. Unroll loop. */
if (rounds == 10) {
goto rounds_10;
}
if (rounds == 12) {
goto rounds_12;
}
AESCE_ENCRYPT_ROUND_X2;
rounds_12:
AESCE_ENCRYPT_ROUND_X2;
rounds_10:
AESCE_ENCRYPT_ROUND_X2;
AESCE_ENCRYPT_ROUND_X2;
AESCE_ENCRYPT_ROUND_X2;
AESCE_ENCRYPT_ROUND_X2;
AESCE_ENCRYPT_ROUND;
/* AES AddRoundKey for the previous round.
* SubBytes, ShiftRows for the final round. */
block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16));
block = vaeseq_u8(block, vld1q_u8(keys));
keys += 16;
/* Final round: no MixColumns */
/* Final AddRoundKey */
block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
block = veorq_u8(block, vld1q_u8(keys));
return block;
}
/* Single round of AESCE decryption
*
* AES AddRoundKey, SubBytes, ShiftRows
*
* block = vaesdq_u8(block, vld1q_u8(keys));
*
* AES inverse MixColumns for the next round.
*
* This means that we switch the order of the inverse AddRoundKey and
* inverse MixColumns operations. We have to do this as AddRoundKey is
* done in an atomic instruction together with the inverses of SubBytes
* and ShiftRows.
*
* It works because MixColumns is a linear operation over GF(2^8) and
* AddRoundKey is an exclusive or, which is equivalent to addition over
* GF(2^8). (The inverse of MixColumns needs to be applied to the
* affected round keys separately which has been done when the
* decryption round keys were calculated.)
*
* block = vaesimcq_u8(block);
*/
#define AESCE_DECRYPT_ROUND \
block = vaesdq_u8(block, vld1q_u8(keys)); \
block = vaesimcq_u8(block); \
keys += 16
/* Two rounds of AESCE decryption */
#define AESCE_DECRYPT_ROUND_X2 AESCE_DECRYPT_ROUND; AESCE_DECRYPT_ROUND
static uint8x16_t aesce_decrypt_block(uint8x16_t block,
unsigned char *keys,
int rounds)
{
for (int i = 0; i < rounds - 1; i++) {
/* AES AddRoundKey, SubBytes, ShiftRows */
block = vaesdq_u8(block, vld1q_u8(keys + i * 16));
/* AES inverse MixColumns for the next round.
*
* This means that we switch the order of the inverse AddRoundKey and
* inverse MixColumns operations. We have to do this as AddRoundKey is
* done in an atomic instruction together with the inverses of SubBytes
* and ShiftRows.
*
* It works because MixColumns is a linear operation over GF(2^8) and
* AddRoundKey is an exclusive or, which is equivalent to addition over
* GF(2^8). (The inverse of MixColumns needs to be applied to the
* affected round keys separately which has been done when the
* decryption round keys were calculated.) */
block = vaesimcq_u8(block);
/* 10, 12 or 14 rounds. Unroll loop. */
if (rounds == 10) {
goto rounds_10;
}
if (rounds == 12) {
goto rounds_12;
}
AESCE_DECRYPT_ROUND_X2;
rounds_12:
AESCE_DECRYPT_ROUND_X2;
rounds_10:
AESCE_DECRYPT_ROUND_X2;
AESCE_DECRYPT_ROUND_X2;
AESCE_DECRYPT_ROUND_X2;
AESCE_DECRYPT_ROUND_X2;
AESCE_DECRYPT_ROUND;
/* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
* last full round. */
block = vaesdq_u8(block, vld1q_u8(keys + (rounds - 1) * 16));
block = vaesdq_u8(block, vld1q_u8(keys));
keys += 16;
/* Inverse AddRoundKey for inverting the initial round key addition. */
block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
block = veorq_u8(block, vld1q_u8(keys));
return block;
}
@ -251,6 +310,7 @@ static void aesce_setkey_enc(unsigned char *rk,
/* Do not write overflow words.*/
continue;
}
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
switch (key_bit_length) {
case 128:
break;
@ -265,6 +325,7 @@ static void aesce_setkey_enc(unsigned char *rk,
rko[7] = rko[6] ^ rki[7];
break;
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
}
}

3
library/aesce.h
View file

@ -52,6 +52,9 @@ int mbedtls_aesce_has_support(void);
/**
* \brief Internal AES-ECB block encryption and decryption
*
* \warning This assumes that the context specifies either 10, 12 or 14
* rounds and will behave incorrectly if this is not the case.
*
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
* \param input 16-byte input block

10
library/aesni.c
View file

@ -273,6 +273,7 @@ static void aesni_setkey_enc_128(unsigned char *rk_bytes,
/*
* Key expansion, 192-bit case
*/
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static void aesni_set_rk_192(__m128i *state0, __m128i *state1, __m128i xword,
unsigned char *rk)
{
@ -327,10 +328,12 @@ static void aesni_setkey_enc_192(unsigned char *rk,
aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x40), rk + 24 * 7);
aesni_set_rk_192(&state0, &state1, _mm_aeskeygenassist_si128(state1, 0x80), rk + 24 * 8);
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
/*
* Key expansion, 256-bit case
*/
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static void aesni_set_rk_256(__m128i state0, __m128i state1, __m128i xword,
__m128i *rk0, __m128i *rk1)
{
@ -387,6 +390,7 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes,
aesni_set_rk_256(rk[10], rk[11], _mm_aeskeygenassist_si128(rk[11], 0x20), &rk[12], &rk[13]);
aesni_set_rk_256(rk[12], rk[13], _mm_aeskeygenassist_si128(rk[13], 0x40), &rk[14], &rk[15]);
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#else /* MBEDTLS_AESNI_HAVE_CODE == 1 */
@ -656,6 +660,7 @@ static void aesni_setkey_enc_128(unsigned char *rk,
/*
* Key expansion, 192-bit case
*/
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static void aesni_setkey_enc_192(unsigned char *rk,
const unsigned char *key)
{
@ -709,10 +714,12 @@ static void aesni_setkey_enc_192(unsigned char *rk,
: "r" (rk), "r" (key)
: "memory", "cc", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
/*
* Key expansion, 256-bit case
*/
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static void aesni_setkey_enc_256(unsigned char *rk,
const unsigned char *key)
{
@ -775,6 +782,7 @@ static void aesni_setkey_enc_256(unsigned char *rk,
: "r" (rk), "r" (key)
: "memory", "cc", "0");
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_AESNI_HAVE_CODE */
@ -787,8 +795,10 @@ int mbedtls_aesni_setkey_enc(unsigned char *rk,
{
switch (bits) {
case 128: aesni_setkey_enc_128(rk, key); break;
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
case 192: aesni_setkey_enc_192(rk, key); break;
case 256: aesni_setkey_enc_256(rk, key); break;
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
default: return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
}

18
library/aesni.h
View file

@ -59,16 +59,16 @@
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif
/* Choose the implementation of AESNI, if one is available. */
#undef MBEDTLS_AESNI_HAVE_CODE
/* To minimize disruption when releasing the intrinsics-based implementation,
* favor the assembly-based implementation if it's available. We intend to
* revise this in a later release of Mbed TLS 3.x. In the long run, we will
* likely remove the assembly implementation. */
#if defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#elif defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
/* Choose the implementation of AESNI, if one is available.
*
* Favor the intrinsics-based implementation if it's available, for better
* maintainability.
* Performance is about the same (see #7380).
* In the long run, we will likely remove the assembly implementation. */
#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
#elif defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#endif
#if defined(MBEDTLS_AESNI_HAVE_CODE)

3
library/alignment.h
View file

@ -181,6 +181,9 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
/* Detect armcc built-in byteswap routine */
#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
#if defined(__ARM_ACLE) /* ARM Compiler 6 - earlier versions don't need a header */
#include <arm_acle.h>
#endif
#define MBEDTLS_BSWAP32 __rev
#endif

8
library/base64.c
View file

@ -17,6 +17,8 @@
* limitations under the License.
*/
#include <limits.h>
#include "common.h"
#if defined(MBEDTLS_BASE64_C)
@ -31,8 +33,6 @@
#include "mbedtls/platform.h"
#endif /* MBEDTLS_SELF_TEST */
#define BASE64_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
/*
* Encode a buffer into base64 format
*/
@ -50,8 +50,8 @@ int mbedtls_base64_encode(unsigned char *dst, size_t dlen, size_t *olen,
n = slen / 3 + (slen % 3 != 0);
if (n > (BASE64_SIZE_T_MAX - 1) / 4) {
*olen = BASE64_SIZE_T_MAX;
if (n > (SIZE_MAX - 1) / 4) {
*olen = SIZE_MAX;
return MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL;
}

54
library/bignum.c
View file

@ -54,8 +54,6 @@
#define MPI_VALIDATE(cond) \
MBEDTLS_INTERNAL_VALIDATE(cond)
#define MPI_SIZE_T_MAX ((size_t) -1) /* SIZE_T_MAX is not standard */
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_mpi_zeroize(mbedtls_mpi_uint *v, size_t n)
{
@ -116,7 +114,9 @@ int mbedtls_mpi_grow(mbedtls_mpi *X, size_t nblimbs)
mbedtls_free(X->p);
}
X->n = nblimbs;
/* nblimbs fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
* fits, and we've checked that nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
X->n = (unsigned short) nblimbs;
X->p = p;
}
@ -164,7 +164,9 @@ int mbedtls_mpi_shrink(mbedtls_mpi *X, size_t nblimbs)
mbedtls_free(X->p);
}
X->n = i;
/* i fits in n because we ensure that MBEDTLS_MPI_MAX_LIMBS
* fits, and we've checked that i <= nblimbs <= MBEDTLS_MPI_MAX_LIMBS. */
X->n = (unsigned short) i;
X->p = p;
return 0;
@ -416,7 +418,7 @@ int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
slen = strlen(s);
if (radix == 16) {
if (slen > MPI_SIZE_T_MAX >> 2) {
if (slen > SIZE_MAX >> 2) {
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
}
@ -750,13 +752,9 @@ int mbedtls_mpi_write_binary(const mbedtls_mpi *X,
int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i, v0, t1;
mbedtls_mpi_uint r0 = 0, r1;
size_t i;
MPI_VALIDATE_RET(X != NULL);
v0 = count / (biL);
t1 = count & (biL - 1);
i = mbedtls_mpi_bitlen(X) + count;
if (X->n * biL < i) {
@ -765,31 +763,7 @@ int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t count)
ret = 0;
/*
* shift by count / limb_size
*/
if (v0 > 0) {
for (i = X->n; i > v0; i--) {
X->p[i - 1] = X->p[i - v0 - 1];
}
for (; i > 0; i--) {
X->p[i - 1] = 0;
}
}
/*
* shift by count % limb_size
*/
if (t1 > 0) {
for (i = v0; i < X->n; i++) {
r1 = X->p[i] >> (biL - t1);
X->p[i] <<= t1;
X->p[i] |= r0;
r0 = r1;
}
}
mbedtls_mpi_core_shift_l(X->p, X->n, count);
cleanup:
return ret;
@ -926,6 +900,8 @@ int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t j;
mbedtls_mpi_uint *p;
mbedtls_mpi_uint c;
MPI_VALIDATE_RET(X != NULL);
MPI_VALIDATE_RET(A != NULL);
MPI_VALIDATE_RET(B != NULL);
@ -959,9 +935,9 @@ int mbedtls_mpi_add_abs(mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
/* j is the number of non-zero limbs of B. Add those to X. */
mbedtls_mpi_uint *p = X->p;
p = X->p;
mbedtls_mpi_uint c = mbedtls_mpi_core_add(p, p, B->p, j);
c = mbedtls_mpi_core_add(p, p, B->p, j);
p += j;
@ -1604,8 +1580,8 @@ static void mpi_montred(mbedtls_mpi *A, const mbedtls_mpi *N,
{
mbedtls_mpi_uint z = 1;
mbedtls_mpi U;
U.n = U.s = (int) z;
U.n = 1;
U.s = 1;
U.p = &z;
mpi_montmul(A, &U, N, mm, T);

59
library/bignum_core.c
View file

@ -36,22 +36,17 @@
size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
{
#if defined(__has_builtin)
#if __has_builtin(__builtin_clz)
if (sizeof(mbedtls_mpi_uint) == sizeof(unsigned int)) {
return (size_t) __builtin_clz(a);
}
#endif
#if __has_builtin(__builtin_clzl)
if (sizeof(mbedtls_mpi_uint) == sizeof(unsigned long)) {
return (size_t) __builtin_clzl(a);
}
#endif
#if __has_builtin(__builtin_clzll)
if (sizeof(mbedtls_mpi_uint) == sizeof(unsigned long long)) {
return (size_t) __builtin_clzll(a);
}
#if (MBEDTLS_MPI_UINT_MAX == UINT_MAX) && __has_builtin(__builtin_clz)
#define core_clz __builtin_clz
#elif (MBEDTLS_MPI_UINT_MAX == ULONG_MAX) && __has_builtin(__builtin_clzl)
#define core_clz __builtin_clzl
#elif (MBEDTLS_MPI_UINT_MAX == ULLONG_MAX) && __has_builtin(__builtin_clzll)
#define core_clz __builtin_clzll
#endif
#endif
#if defined(core_clz)
return (size_t) core_clz(a);
#else
size_t j;
mbedtls_mpi_uint mask = (mbedtls_mpi_uint) 1 << (biL - 1);
@ -64,6 +59,7 @@ size_t mbedtls_mpi_core_clz(mbedtls_mpi_uint a)
}
return j;
#endif
}
size_t mbedtls_mpi_core_bitlen(const mbedtls_mpi_uint *A, size_t A_limbs)
@ -366,6 +362,41 @@ void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
}
}
void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
size_t count)
{
size_t i, v0, v1;
mbedtls_mpi_uint r0 = 0, r1;
v0 = count / (biL);
v1 = count & (biL - 1);
/*
* shift by count / limb_size
*/
if (v0 > 0) {
for (i = limbs; i > v0; i--) {
X[i - 1] = X[i - v0 - 1];
}
for (; i > 0; i--) {
X[i - 1] = 0;
}
}
/*
* shift by count % limb_size
*/
if (v1 > 0) {
for (i = v0; i < limbs; i++) {
r1 = X[i] >> (biL - v1);
X[i] <<= v1;
X[i] |= r0;
r0 = r1;
}
}
}
mbedtls_mpi_uint mbedtls_mpi_core_add(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
const mbedtls_mpi_uint *B,

17
library/bignum_core.h
View file

@ -281,7 +281,7 @@ int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
unsigned char *output,
size_t output_length);
/** \brief Shift an MPI right in place by a number of bits.
/** \brief Shift an MPI in-place right by a number of bits.
*
* Shifting by more bits than there are bit positions
* in \p X is valid and results in setting \p X to 0.
@ -296,6 +296,21 @@ int mbedtls_mpi_core_write_be(const mbedtls_mpi_uint *A,
void mbedtls_mpi_core_shift_r(mbedtls_mpi_uint *X, size_t limbs,
size_t count);
/**
* \brief Shift an MPI in-place left by a number of bits.
*
* Shifting by more bits than there are bit positions
* in \p X will produce an unspecified result.
*
* This function's execution time depends on the value
* of \p count (and of course \p limbs).
* \param[in,out] X The number to shift.
* \param limbs The number of limbs of \p X. This must be at least 1.
* \param count The number of bits to shift by.
*/
void mbedtls_mpi_core_shift_l(mbedtls_mpi_uint *X, size_t limbs,
size_t count);
/**
* \brief Add two fixed-size large unsigned integers, returning the carry.
*

51
library/bignum_mod.c
View file

@ -88,7 +88,7 @@ void mbedtls_mpi_mod_modulus_free(mbedtls_mpi_mod_modulus *N)
N->rep.mont.mm = 0;
break;
case MBEDTLS_MPI_MOD_REP_OPT_RED:
mbedtls_free(N->rep.ored);
N->rep.ored.modp = NULL;
break;
case MBEDTLS_MPI_MOD_REP_INVALID:
break;
@ -136,33 +136,25 @@ cleanup:
return ret;
}
int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs,
mbedtls_mpi_mod_rep_selector int_rep)
static inline void standard_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs,
mbedtls_mpi_mod_rep_selector int_rep)
{
int ret = 0;
N->p = p;
N->limbs = p_limbs;
N->bits = mbedtls_mpi_core_bitlen(p, p_limbs);
N->int_rep = int_rep;
}
switch (int_rep) {
case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
N->int_rep = int_rep;
N->rep.mont.mm = mbedtls_mpi_core_montmul_init(N->p);
ret = set_mont_const_square(&N->rep.mont.rr, N->p, N->limbs);
break;
case MBEDTLS_MPI_MOD_REP_OPT_RED:
N->int_rep = int_rep;
N->rep.ored = NULL;
break;
default:
ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
goto exit;
}
exit:
int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs)
{
int ret = 0;
standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_MONTGOMERY);
N->rep.mont.mm = mbedtls_mpi_core_montmul_init(N->p);
ret = set_mont_const_square(&N->rep.mont.rr, N->p, N->limbs);
if (ret != 0) {
mbedtls_mpi_mod_modulus_free(N);
@ -171,6 +163,16 @@ exit:
return ret;
}
int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs,
mbedtls_mpi_modp_fn modp)
{
standard_modulus_setup(N, p, p_limbs, MBEDTLS_MPI_MOD_REP_OPT_RED);
N->rep.ored.modp = modp;
return 0;
}
int mbedtls_mpi_mod_mul(mbedtls_mpi_mod_residue *X,
const mbedtls_mpi_mod_residue *A,
const mbedtls_mpi_mod_residue *B,
@ -235,8 +237,7 @@ static int mbedtls_mpi_mod_inv_non_mont(mbedtls_mpi_mod_residue *X,
mbedtls_mpi_mod_modulus Nmont;
mbedtls_mpi_mod_modulus_init(&Nmont);
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_modulus_setup(&Nmont, N->p, N->limbs,
MBEDTLS_MPI_MOD_REP_MONTGOMERY));
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_modulus_setup(&Nmont, N->p, N->limbs));
/* We'll use X->p to hold the Montgomery form of the input A->p */
mbedtls_mpi_core_to_mont_rep(X->p, A->p, Nmont.p, Nmont.limbs,

38
library/bignum_mod.h
View file

@ -98,10 +98,11 @@ typedef enum {
/* Skip 1 as it is slightly easier to accidentally pass to functions. */
/** Montgomery representation. */
MBEDTLS_MPI_MOD_REP_MONTGOMERY = 2,
/** TODO: document this.
*
* Residues are in canonical representation.
*/
/* Optimised reduction available. This indicates a coordinate modulus (P)
* and one or more of the following have been configured:
* - A nist curve (MBEDTLS_ECP_DP_SECPXXXR1_ENABLED) & MBEDTLS_ECP_NIST_OPTIM.
* - A Kobliz Curve.
* - A Fast Reduction Curve CURVE25519 or CURVE448. */
MBEDTLS_MPI_MOD_REP_OPT_RED,
} mbedtls_mpi_mod_rep_selector;
@ -123,7 +124,11 @@ typedef struct {
mbedtls_mpi_uint mm; /* Montgomery const for -N^{-1} mod 2^{ciL} */
} mbedtls_mpi_mont_struct;
typedef void *mbedtls_mpi_opt_red_struct;
typedef int (*mbedtls_mpi_modp_fn)(mbedtls_mpi_uint *X, size_t X_limbs);
typedef struct {
mbedtls_mpi_modp_fn modp; /* The optimised reduction function pointer */
} mbedtls_mpi_opt_red_struct;
typedef struct {
const mbedtls_mpi_uint *p;
@ -197,16 +202,29 @@ void mbedtls_mpi_mod_modulus_init(mbedtls_mpi_mod_modulus *N);
* not be modified in any way until after
* mbedtls_mpi_mod_modulus_free() is called.
* \param p_limbs The number of limbs of \p p.
* \param int_rep The internal representation to be used for residues
* associated with \p N (see #mbedtls_mpi_mod_rep_selector).
*
* \return \c 0 if successful.
* \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \p int_rep is invalid.
*/
int mbedtls_mpi_mod_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs,
mbedtls_mpi_mod_rep_selector int_rep);
size_t p_limbs);
/** Setup an optimised-reduction compatible modulus structure.
*
* \param[out] N The address of the modulus structure to populate.
* \param[in] p The address of the limb array storing the value of \p N.
* The memory pointed to by \p p will be used by \p N and must
* not be modified in any way until after
* mbedtls_mpi_mod_modulus_free() is called.
* \param p_limbs The number of limbs of \p p.
* \param modp A pointer to the optimised reduction function to use. \p p.
*
* \return \c 0 if successful.
*/
int mbedtls_mpi_mod_optred_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_mpi_uint *p,
size_t p_limbs,
mbedtls_mpi_modp_fn modp);
/** Free elements of a modulus structure.
*

30
library/bignum_mod_raw.c
View file

@ -114,8 +114,6 @@ void mbedtls_mpi_mod_raw_sub(mbedtls_mpi_uint *X,
(void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
}
#if defined(MBEDTLS_TEST_HOOKS)
MBEDTLS_STATIC_TESTABLE
void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
const mbedtls_mpi_mod_modulus *N)
@ -125,7 +123,6 @@ void mbedtls_mpi_mod_raw_fix_quasi_reduction(mbedtls_mpi_uint *X,
(void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) c);
}
#endif /* MBEDTLS_TEST_HOOKS */
void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
const mbedtls_mpi_uint *A,
@ -133,8 +130,31 @@ void mbedtls_mpi_mod_raw_mul(mbedtls_mpi_uint *X,
const mbedtls_mpi_mod_modulus *N,
mbedtls_mpi_uint *T)
{
mbedtls_mpi_core_montmul(X, A, B, N->limbs, N->p, N->limbs,
N->rep.mont.mm, T);
/* Standard (A * B) multiplication stored into pre-allocated T
* buffer of fixed limb size of (2N + 1).
*
* The space may not not fully filled by when
* MBEDTLS_MPI_MOD_REP_OPT_RED is used. */
const size_t T_limbs = BITS_TO_LIMBS(N->bits) * 2;
switch (N->int_rep) {
case MBEDTLS_MPI_MOD_REP_MONTGOMERY:
mbedtls_mpi_core_montmul(X, A, B, N->limbs, N->p, N->limbs,
N->rep.mont.mm, T);
break;
case MBEDTLS_MPI_MOD_REP_OPT_RED:
mbedtls_mpi_core_mul(T, A, N->limbs, B, N->limbs);
/* Optimised Reduction */
(*N->rep.ored.modp)(T, T_limbs);
/* Convert back to canonical representation */
mbedtls_mpi_mod_raw_fix_quasi_reduction(T, N);
memcpy(X, T, N->limbs * sizeof(mbedtls_mpi_uint));
break;
default:
break;
}
}
size_t mbedtls_mpi_mod_raw_inv_prime_working_limbs(size_t AN_limbs)

100
library/bn_mul.h
View file

@ -248,27 +248,39 @@
#endif /* AMD64 */
#if defined(__aarch64__)
// The following assembly code assumes that a pointer will fit in a 64-bit register
// (including ILP32 __aarch64__ ABIs such as on watchOS, hence the 2^32 - 1)
#if defined(__aarch64__) && (UINTPTR_MAX == 0xfffffffful || UINTPTR_MAX == 0xfffffffffffffffful)
/*
* There are some issues around different compilers requiring different constraint
* syntax for updating pointers from assembly code (see notes for
* MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT in common.h), especially on aarch64_32 (aka ILP32).
*
* For this reason we cast the pointers to/from uintptr_t here.
*/
#define MULADDC_X1_INIT \
asm(
do { uintptr_t muladdc_d = (uintptr_t) d, muladdc_s = (uintptr_t) s; asm(
#define MULADDC_X1_CORE \
"ldr x4, [%2], #8 \n\t" \
"ldr x5, [%1] \n\t" \
"ldr x4, [%x2], #8 \n\t" \
"ldr x5, [%x1] \n\t" \
"mul x6, x4, %4 \n\t" \
"umulh x7, x4, %4 \n\t" \
"adds x5, x5, x6 \n\t" \
"adc x7, x7, xzr \n\t" \
"adds x5, x5, %0 \n\t" \
"adc %0, x7, xzr \n\t" \
"str x5, [%1], #8 \n\t"
"str x5, [%x1], #8 \n\t"
#define MULADDC_X1_STOP \
: "+r" (c), "+r" (d), "+r" (s), "+m" (*(uint64_t (*)[16]) d) \
: "+r" (c), \
"+r" (muladdc_d), \
"+r" (muladdc_s), \
"+m" (*(uint64_t (*)[16]) d) \
: "r" (b), "m" (*(const uint64_t (*)[16]) s) \
: "x4", "x5", "x6", "x7", "cc" \
);
); d = (mbedtls_mpi_uint *)muladdc_d; s = (mbedtls_mpi_uint *)muladdc_s; } while (0);
#endif /* Aarch64 */
@ -658,6 +670,16 @@
#endif /* TriCore */
#if defined(__arm__)
#if defined(__thumb__) && !defined(__thumb2__)
#if defined(MBEDTLS_COMPILER_IS_GCC)
/*
* Thumb 1 ISA. This code path has only been tested successfully on gcc;
* it does not compile on clang or armclang.
*/
#if !defined(__OPTIMIZE__) && defined(__GNUC__)
/*
* Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
* our use of r7 below, unless -fomit-frame-pointer is passed.
@ -666,32 +688,39 @@
* x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
* clang and armcc5 under the same conditions).
*
* So, only use the optimized assembly below for optimized build, which avoids
* the build error and is pretty reasonable anyway.
* If gcc needs to use r7, we use r1 as a scratch register and have a few extra
* instructions to preserve/restore it; otherwise, we can use r7 and avoid
* the preserve/restore overhead.
*/
#if defined(__GNUC__) && !defined(__OPTIMIZE__)
#define MULADDC_CANNOT_USE_R7
#endif
#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
#if defined(__thumb__) && !defined(__thumb2__)
#define MULADDC_SCRATCH "RS .req r1 \n\t"
#define MULADDC_PRESERVE_SCRATCH "mov r10, r1 \n\t"
#define MULADDC_RESTORE_SCRATCH "mov r1, r10 \n\t"
#define MULADDC_SCRATCH_CLOBBER "r10"
#else /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
#define MULADDC_SCRATCH "RS .req r7 \n\t"
#define MULADDC_PRESERVE_SCRATCH ""
#define MULADDC_RESTORE_SCRATCH ""
#define MULADDC_SCRATCH_CLOBBER "r7"
#endif /* !defined(__OPTIMIZE__) && defined(__GNUC__) */
#define MULADDC_X1_INIT \
asm( \
MULADDC_SCRATCH \
"ldr r0, %3 \n\t" \
"ldr r1, %4 \n\t" \
"ldr r2, %5 \n\t" \
"ldr r3, %6 \n\t" \
"lsr r7, r3, #16 \n\t" \
"mov r9, r7 \n\t" \
"lsl r7, r3, #16 \n\t" \
"lsr r7, r7, #16 \n\t" \
"mov r8, r7 \n\t"
"lsr r4, r3, #16 \n\t" \
"mov r9, r4 \n\t" \
"lsl r4, r3, #16 \n\t" \
"lsr r4, r4, #16 \n\t" \
"mov r8, r4 \n\t" \
#define MULADDC_X1_CORE \
MULADDC_PRESERVE_SCRATCH \
"ldmia r0!, {r6} \n\t" \
"lsr r7, r6, #16 \n\t" \
"lsr RS, r6, #16 \n\t" \
"lsl r6, r6, #16 \n\t" \
"lsr r6, r6, #16 \n\t" \
"mov r4, r8 \n\t" \
@ -699,12 +728,12 @@
"mov r3, r9 \n\t" \
"mul r6, r3 \n\t" \
"mov r5, r9 \n\t" \
"mul r5, r7 \n\t" \
"mul r5, RS \n\t" \
"mov r3, r8 \n\t" \
"mul r7, r3 \n\t" \
"mul RS, r3 \n\t" \
"lsr r3, r6, #16 \n\t" \
"add r5, r5, r3 \n\t" \
"lsr r3, r7, #16 \n\t" \
"lsr r3, RS, #16 \n\t" \
"add r5, r5, r3 \n\t" \
"add r4, r4, r2 \n\t" \
"mov r2, #0 \n\t" \
@ -712,9 +741,10 @@
"lsl r3, r6, #16 \n\t" \
"add r4, r4, r3 \n\t" \
"adc r5, r2 \n\t" \
"lsl r3, r7, #16 \n\t" \
"lsl r3, RS, #16 \n\t" \
"add r4, r4, r3 \n\t" \
"adc r5, r2 \n\t" \
MULADDC_RESTORE_SCRATCH \
"ldr r3, [r1] \n\t" \
"add r4, r4, r3 \n\t" \
"adc r2, r5 \n\t" \
@ -727,11 +757,15 @@
: "=m" (c), "=m" (d), "=m" (s) \
: "m" (s), "m" (d), "m" (c), "m" (b) \
: "r0", "r1", "r2", "r3", "r4", "r5", \
"r6", "r7", "r8", "r9", "cc" \
"r6", MULADDC_SCRATCH_CLOBBER, "r8", "r9", "cc" \
);
#endif /* !defined(__ARMCC_VERSION) && !defined(__clang__) */
#elif (__ARM_ARCH >= 6) && \
defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
/* Armv6-M (or later) with DSP Instruction Set Extensions.
* Requires support for either Thumb 2 or Arm ISA.
*/
#define MULADDC_X1_INIT \
{ \
@ -796,7 +830,7 @@
); \
}
#else
#else /* Thumb 2 or Arm ISA, without DSP extensions */
#define MULADDC_X1_INIT \
asm( \
@ -810,9 +844,9 @@
"mov r5, #0 \n\t" \
"ldr r6, [r1] \n\t" \
"umlal r2, r5, r3, r4 \n\t" \
"adds r7, r6, r2 \n\t" \
"adds r4, r6, r2 \n\t" \
"adc r2, r5, #0 \n\t" \
"str r7, [r1], #4 \n\t"
"str r4, [r1], #4 \n\t"
#define MULADDC_X1_STOP \
"str r2, %0 \n\t" \
@ -821,12 +855,12 @@
: "=m" (c), "=m" (d), "=m" (s) \
: "m" (s), "m" (d), "m" (c), "m" (b) \
: "r0", "r1", "r2", "r3", "r4", "r5", \
"r6", "r7", "cc" \
"r6", "cc" \
);
#endif /* Thumb */
#endif /* ISA codepath selection */
#endif /* ARMv3 */
#endif /* defined(__arm__) */
#if defined(__alpha__)

2
library/ccm.c
View file

@ -70,7 +70,7 @@ int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
return MBEDTLS_ERR_CCM_BAD_INPUT;
}
if (cipher_info->block_size != 16) {
if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
return MBEDTLS_ERR_CCM_BAD_INPUT;
}

68
library/check_crypto_config.h
View file

@ -42,13 +42,13 @@
#endif
#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
!(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
!(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
#error "PSA_WANT_ALG_DETERMINISTIC_ECDSA defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_ALG_ECDSA) && \
!(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) || \
!(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY))
#error "PSA_WANT_ALG_ECDSA defined, but not all prerequisites"
#endif
@ -60,32 +60,84 @@
#endif
#if defined(PSA_WANT_ALG_RSA_PKCS1V15_CRYPT) && \
!(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
!(defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
#error "PSA_WANT_ALG_RSA_PKCS1V15_CRYPT defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN) && \
!(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
!(defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
#error "PSA_WANT_ALG_RSA_PKCS1V15_SIGN defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_ALG_RSA_OAEP) && \
!(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
!(defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
#error "PSA_WANT_ALG_RSA_OAEP defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_ALG_RSA_PSS) && \
!(defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR) || \
!(defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY))
#error "PSA_WANT_ALG_RSA_PSS defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR) && \
#if (defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE)) && \
!defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR defined, but not all prerequisites"
#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx defined, but not all prerequisites"
#endif
#if (defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)) && \
!defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx defined, but not all prerequisites"
#endif
#if (defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)) && \
!defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_xxx defined, but not all prerequisites"
#endif
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR)
#if defined(MBEDTLS_DEPRECATED_REMOVED)
#error "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
#elif defined(MBEDTLS_DEPRECATED_WARNING)
#warning "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR is deprecated and will be removed in a \
future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_xxx \
symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
#endif /* MBEDTLS_DEPRECATED_WARNING */
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
#if defined(MBEDTLS_DEPRECATED_REMOVED)
#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
#elif defined(MBEDTLS_DEPRECATED_WARNING)
#warning "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR is deprecated and will be removed in a \
future version of Mbed TLS. Please switch to new PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_xxx \
symbols, where xxx can be: USE, IMPORT, EXPORT, GENERATE, DERIVE"
#endif /* MBEDTLS_DEPRECATED_WARNING */
#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE)
#error "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE defined, but feature is not supported"
#endif
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE)
#error "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE defined, but feature is not supported"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_USE_PSA_CRYPTO) && \

346
library/cipher.c
View file

@ -54,10 +54,9 @@
#include "mbedtls/cmac.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_NIST_KW_C)
#include "mbedtls/nist_kw.h"
@ -67,6 +66,12 @@
static int supported_init = 0;
static inline const mbedtls_cipher_base_t *mbedtls_cipher_get_base(
const mbedtls_cipher_info_t *info)
{
return mbedtls_cipher_base_lookup_table[info->base_idx];
}
const int *mbedtls_cipher_list(void)
{
const mbedtls_cipher_definition_t *def;
@ -128,8 +133,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
const mbedtls_cipher_definition_t *def;
for (def = mbedtls_cipher_definitions; def->info != NULL; def++) {
if (def->info->base->cipher == cipher_id &&
def->info->key_bitlen == (unsigned) key_bitlen &&
if (mbedtls_cipher_get_base(def->info)->cipher == cipher_id &&
mbedtls_cipher_info_get_key_bitlen(def->info) == (unsigned) key_bitlen &&
def->info->mode == mode) {
return def->info;
}
@ -138,6 +143,72 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values(
return NULL;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
mbedtls_cipher_type_t cipher)
{
switch (cipher) {
case MBEDTLS_CIPHER_AES_128_CCM:
case MBEDTLS_CIPHER_AES_192_CCM:
case MBEDTLS_CIPHER_AES_256_CCM:
case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_128_GCM:
case MBEDTLS_CIPHER_AES_192_GCM:
case MBEDTLS_CIPHER_AES_256_GCM:
case MBEDTLS_CIPHER_AES_128_CBC:
case MBEDTLS_CIPHER_AES_192_CBC:
case MBEDTLS_CIPHER_AES_256_CBC:
case MBEDTLS_CIPHER_AES_128_ECB:
case MBEDTLS_CIPHER_AES_192_ECB:
case MBEDTLS_CIPHER_AES_256_ECB:
return PSA_KEY_TYPE_AES;
/* ARIA not yet supported in PSA. */
/* case MBEDTLS_CIPHER_ARIA_128_CCM:
case MBEDTLS_CIPHER_ARIA_192_CCM:
case MBEDTLS_CIPHER_ARIA_256_CCM:
case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_128_GCM:
case MBEDTLS_CIPHER_ARIA_192_GCM:
case MBEDTLS_CIPHER_ARIA_256_GCM:
case MBEDTLS_CIPHER_ARIA_128_CBC:
case MBEDTLS_CIPHER_ARIA_192_CBC:
case MBEDTLS_CIPHER_ARIA_256_CBC:
return( PSA_KEY_TYPE_ARIA ); */
default:
return 0;
}
}
static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
mbedtls_cipher_mode_t mode, size_t taglen)
{
switch (mode) {
case MBEDTLS_MODE_ECB:
return PSA_ALG_ECB_NO_PADDING;
case MBEDTLS_MODE_GCM:
return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, taglen);
case MBEDTLS_MODE_CCM:
return PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen);
case MBEDTLS_MODE_CCM_STAR_NO_TAG:
return PSA_ALG_CCM_STAR_NO_TAG;
case MBEDTLS_MODE_CBC:
if (taglen == 0) {
return PSA_ALG_CBC_NO_PADDING;
} else {
return 0;
}
default:
return 0;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
{
memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
@ -149,7 +220,7 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
return;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
if (ctx->cipher_ctx != NULL) {
mbedtls_cipher_context_psa * const cipher_psa =
@ -167,7 +238,7 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
return;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_CMAC_C)
if (ctx->cmac_ctx) {
@ -178,7 +249,7 @@ void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
#endif
if (ctx->cipher_ctx) {
ctx->cipher_info->base->ctx_free_func(ctx->cipher_ctx);
mbedtls_cipher_get_base(ctx->cipher_info)->ctx_free_func(ctx->cipher_ctx);
}
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_cipher_context_t));
@ -193,7 +264,7 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
memset(ctx, 0, sizeof(mbedtls_cipher_context_t));
if (NULL == (ctx->cipher_ctx = cipher_info->base->ctx_alloc_func())) {
if (NULL == (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func())) {
return MBEDTLS_ERR_CIPHER_ALLOC_FAILED;
}
@ -213,8 +284,7 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
const mbedtls_cipher_info_t *cipher_info,
size_t taglen)
@ -228,11 +298,11 @@ int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
/* Check that the underlying cipher mode and cipher type are
* supported by the underlying PSA Crypto implementation. */
alg = mbedtls_psa_translate_cipher_mode(cipher_info->mode, taglen);
alg = mbedtls_psa_translate_cipher_mode(((mbedtls_cipher_mode_t) cipher_info->mode), taglen);
if (alg == 0) {
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
if (mbedtls_psa_translate_cipher_type(cipher_info->type) == 0) {
if (mbedtls_psa_translate_cipher_type(((mbedtls_cipher_type_t) cipher_info->type)) == 0) {
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
@ -248,8 +318,7 @@ int mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
ctx->psa_enabled = 1;
return 0;
}
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
const unsigned char *key,
@ -263,7 +332,7 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
mbedtls_cipher_context_psa * const cipher_psa =
(mbedtls_cipher_context_psa *) ctx->cipher_ctx;
@ -285,7 +354,7 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
}
key_type = mbedtls_psa_translate_cipher_type(
ctx->cipher_info->type);
((mbedtls_cipher_type_t) ctx->cipher_info->type));
if (key_type == 0) {
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
@ -296,7 +365,6 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
* and use it for AEAD decryption. Until tests relying on this
* are changed, allow any usage in PSA. */
psa_set_key_usage_flags(&attributes,
/* mbedtls_psa_translate_cipher_operation( operation ); */
PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_set_key_algorithm(&attributes, cipher_psa->alg);
@ -320,10 +388,10 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
ctx->operation = operation;
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) == 0 &&
(int) ctx->cipher_info->key_bitlen != key_bitlen) {
(int) mbedtls_cipher_info_get_key_bitlen(ctx->cipher_info) != key_bitlen) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
@ -334,16 +402,16 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
* For OFB, CFB and CTR mode always use the encryption key schedule
*/
if (MBEDTLS_ENCRYPT == operation ||
MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_CTR == ctx->cipher_info->mode) {
return ctx->cipher_info->base->setkey_enc_func(ctx->cipher_ctx, key,
ctx->key_bitlen);
MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_enc_func(ctx->cipher_ctx, key,
ctx->key_bitlen);
}
if (MBEDTLS_DECRYPT == operation) {
return ctx->cipher_info->base->setkey_dec_func(ctx->cipher_ctx, key,
ctx->key_bitlen);
return mbedtls_cipher_get_base(ctx->cipher_info)->setkey_dec_func(ctx->cipher_ctx, key,
ctx->key_bitlen);
}
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -358,14 +426,14 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
if (ctx->cipher_info == NULL) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
/* avoid buffer overflow in ctx->iv */
if (iv_len > MBEDTLS_MAX_IV_LENGTH) {
@ -375,7 +443,7 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
if ((ctx->cipher_info->flags & MBEDTLS_CIPHER_VARIABLE_IV_LEN) != 0) {
actual_iv_size = iv_len;
} else {
actual_iv_size = ctx->cipher_info->iv_size;
actual_iv_size = mbedtls_cipher_info_get_iv_size(ctx->cipher_info);
/* avoid reading past the end of input buffer */
if (actual_iv_size > iv_len) {
@ -384,7 +452,7 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
}
#if defined(MBEDTLS_CHACHA20_C)
if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20) {
if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20) {
/* Even though the actual_iv_size is overwritten with a correct value
* of 12 from the cipher info, return an error to indicate that
* the input iv_len is wrong. */
@ -399,7 +467,7 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
}
}
#if defined(MBEDTLS_CHACHAPOLY_C)
if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305 &&
iv_len != 12) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
@ -407,7 +475,7 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
#endif
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
return mbedtls_gcm_starts((mbedtls_gcm_context *) ctx->cipher_ctx,
ctx->operation,
iv, iv_len);
@ -415,7 +483,7 @@ int mbedtls_cipher_set_iv(mbedtls_cipher_context_t *ctx,
#endif
#if defined(MBEDTLS_CCM_C)
if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
int set_lengths_result;
int ccm_star_mode;
@ -454,13 +522,13 @@ int mbedtls_cipher_reset(mbedtls_cipher_context_t *ctx)
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* We don't support resetting PSA-based
* cipher contexts, yet. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
ctx->unprocessed_len = 0;
@ -475,24 +543,24 @@ int mbedtls_cipher_update_ad(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
return mbedtls_gcm_update_ad((mbedtls_gcm_context *) ctx->cipher_ctx,
ad, ad_len);
}
#endif
#if defined(MBEDTLS_CHACHAPOLY_C)
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
int result;
mbedtls_chachapoly_mode_t mode;
@ -526,14 +594,14 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
*olen = 0;
block_size = mbedtls_cipher_get_block_size(ctx);
@ -541,15 +609,16 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
return MBEDTLS_ERR_CIPHER_INVALID_CONTEXT;
}
if (ctx->cipher_info->mode == MBEDTLS_MODE_ECB) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_ECB) {
if (ilen != block_size) {
return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
}
*olen = ilen;
if (0 != (ret = ctx->cipher_info->base->ecb_func(ctx->cipher_ctx,
ctx->operation, input, output))) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ecb_func(ctx->cipher_ctx,
ctx->operation, input,
output))) {
return ret;
}
@ -557,7 +626,7 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
}
#if defined(MBEDTLS_GCM_C)
if (ctx->cipher_info->mode == MBEDTLS_MODE_GCM) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_GCM) {
return mbedtls_gcm_update((mbedtls_gcm_context *) ctx->cipher_ctx,
input, ilen,
output, ilen, olen);
@ -565,7 +634,7 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif
#if defined(MBEDTLS_CCM_C)
if (ctx->cipher_info->mode == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CCM_STAR_NO_TAG) {
return mbedtls_ccm_update((mbedtls_ccm_context *) ctx->cipher_ctx,
input, ilen,
output, ilen, olen);
@ -573,7 +642,7 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif
#if defined(MBEDTLS_CHACHAPOLY_C)
if (ctx->cipher_info->type == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
if (((mbedtls_cipher_type_t) ctx->cipher_info->type) == MBEDTLS_CIPHER_CHACHA20_POLY1305) {
*olen = ilen;
return mbedtls_chachapoly_update((mbedtls_chachapoly_context *) ctx->cipher_ctx,
ilen, input, output);
@ -586,7 +655,7 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
}
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if (ctx->cipher_info->mode == MBEDTLS_MODE_CBC) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CBC) {
size_t copy_len = 0;
/*
@ -614,9 +683,12 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
memcpy(&(ctx->unprocessed_data[ctx->unprocessed_len]), input,
copy_len);
if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
ctx->operation, block_size, ctx->iv,
ctx->unprocessed_data, output))) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
ctx->operation,
block_size, ctx->iv,
ctx->
unprocessed_data,
output))) {
return ret;
}
@ -654,9 +726,11 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
* Process remaining full blocks
*/
if (ilen) {
if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
ctx->operation, ilen, ctx->iv, input,
output))) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
ctx->operation,
ilen, ctx->iv,
input,
output))) {
return ret;
}
@ -668,11 +742,12 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif /* MBEDTLS_CIPHER_MODE_CBC */
#if defined(MBEDTLS_CIPHER_MODE_CFB)
if (ctx->cipher_info->mode == MBEDTLS_MODE_CFB) {
if (0 != (ret = ctx->cipher_info->base->cfb_func(ctx->cipher_ctx,
ctx->operation, ilen,
&ctx->unprocessed_len, ctx->iv,
input, output))) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CFB) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cfb_func(ctx->cipher_ctx,
ctx->operation, ilen,
&ctx->unprocessed_len,
ctx->iv,
input, output))) {
return ret;
}
@ -683,10 +758,12 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif /* MBEDTLS_CIPHER_MODE_CFB */
#if defined(MBEDTLS_CIPHER_MODE_OFB)
if (ctx->cipher_info->mode == MBEDTLS_MODE_OFB) {
if (0 != (ret = ctx->cipher_info->base->ofb_func(ctx->cipher_ctx,
ilen, &ctx->unprocessed_len, ctx->iv,
input, output))) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_OFB) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ofb_func(ctx->cipher_ctx,
ilen,
&ctx->unprocessed_len,
ctx->iv,
input, output))) {
return ret;
}
@ -697,10 +774,13 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif /* MBEDTLS_CIPHER_MODE_OFB */
#if defined(MBEDTLS_CIPHER_MODE_CTR)
if (ctx->cipher_info->mode == MBEDTLS_MODE_CTR) {
if (0 != (ret = ctx->cipher_info->base->ctr_func(ctx->cipher_ctx,
ilen, &ctx->unprocessed_len, ctx->iv,
ctx->unprocessed_data, input, output))) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_CTR) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->ctr_func(ctx->cipher_ctx,
ilen,
&ctx->unprocessed_len,
ctx->iv,
ctx->unprocessed_data,
input, output))) {
return ret;
}
@ -711,14 +791,18 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
if (ctx->cipher_info->mode == MBEDTLS_MODE_XTS) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_XTS) {
if (ctx->unprocessed_len > 0) {
/* We can only process an entire data unit at a time. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
ret = ctx->cipher_info->base->xts_func(ctx->cipher_ctx,
ctx->operation, ilen, ctx->iv, input, output);
ret = mbedtls_cipher_get_base(ctx->cipher_info)->xts_func(ctx->cipher_ctx,
ctx->operation,
ilen,
ctx->iv,
input,
output);
if (ret != 0) {
return ret;
}
@ -730,9 +814,10 @@ int mbedtls_cipher_update(mbedtls_cipher_context_t *ctx, const unsigned char *in
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#if defined(MBEDTLS_CIPHER_MODE_STREAM)
if (ctx->cipher_info->mode == MBEDTLS_MODE_STREAM) {
if (0 != (ret = ctx->cipher_info->base->stream_func(ctx->cipher_ctx,
ilen, input, output))) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) == MBEDTLS_MODE_STREAM) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->stream_func(ctx->cipher_ctx,
ilen, input,
output))) {
return ret;
}
@ -933,33 +1018,33 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
*olen = 0;
if (MBEDTLS_MODE_CFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_OFB == ctx->cipher_info->mode ||
MBEDTLS_MODE_CTR == ctx->cipher_info->mode ||
MBEDTLS_MODE_GCM == ctx->cipher_info->mode ||
MBEDTLS_MODE_CCM_STAR_NO_TAG == ctx->cipher_info->mode ||
MBEDTLS_MODE_XTS == ctx->cipher_info->mode ||
MBEDTLS_MODE_STREAM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_CCM_STAR_NO_TAG == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_XTS == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_STREAM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
return 0;
}
if ((MBEDTLS_CIPHER_CHACHA20 == ctx->cipher_info->type) ||
(MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type)) {
if ((MBEDTLS_CIPHER_CHACHA20 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) ||
(MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type))) {
return 0;
}
if (MBEDTLS_MODE_ECB == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_ECB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
if (ctx->unprocessed_len != 0) {
return MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED;
}
@ -968,7 +1053,7 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
}
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if (MBEDTLS_MODE_CBC == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
int ret = 0;
if (MBEDTLS_ENCRYPT == ctx->operation) {
@ -996,11 +1081,13 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
}
/* cipher block */
if (0 != (ret = ctx->cipher_info->base->cbc_func(ctx->cipher_ctx,
ctx->operation,
mbedtls_cipher_get_block_size(ctx),
ctx->iv,
ctx->unprocessed_data, output))) {
if (0 != (ret = mbedtls_cipher_get_base(ctx->cipher_info)->cbc_func(ctx->cipher_ctx,
ctx->operation,
mbedtls_cipher_get_block_size(
ctx),
ctx->iv,
ctx->unprocessed_data,
output))) {
return ret;
}
@ -1025,11 +1112,12 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
mbedtls_cipher_padding_t mode)
{
if (NULL == ctx->cipher_info || MBEDTLS_MODE_CBC != ctx->cipher_info->mode) {
if (NULL == ctx->cipher_info ||
MBEDTLS_MODE_CBC != ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto knows about CBC padding
* schemes, we currently don't make them
@ -1040,7 +1128,7 @@ int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx,
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
switch (mode) {
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
@ -1092,17 +1180,17 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
size_t output_length;
/* The code here doesn't yet support alternative implementations
* that can delay up to a block of output. */
@ -1113,7 +1201,7 @@ int mbedtls_cipher_write_tag(mbedtls_cipher_context_t *ctx,
#endif
#if defined(MBEDTLS_CHACHAPOLY_C)
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
/* Don't allow truncated MAC for Poly1305 */
if (tag_len != 16U) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -1141,20 +1229,20 @@ int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* While PSA Crypto has an API for multipart
* operations, we currently don't make it
* accessible through the cipher layer. */
return MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
/* Status to return on a non-authenticated algorithm. */
ret = MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE;
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
size_t output_length;
/* The code here doesn't yet support alternative implementations
* that can delay up to a block of output. */
@ -1179,7 +1267,7 @@ int mbedtls_cipher_check_tag(mbedtls_cipher_context_t *ctx,
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CHACHAPOLY_C)
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
/* Don't allow truncated MAC for Poly1305 */
if (tag_len != sizeof(check_tag)) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
@ -1216,7 +1304,7 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t finish_olen;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* As in the non-PSA case, we don't check that
* a key has been set. If not, the key slot will
@ -1250,7 +1338,7 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
if (ctx->cipher_info->mode != MBEDTLS_MODE_ECB) {
if (((mbedtls_cipher_mode_t) ctx->cipher_info->mode) != MBEDTLS_MODE_ECB) {
status = psa_cipher_set_iv(&cipher_op, iv, iv_len);
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
@ -1274,7 +1362,7 @@ int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx,
*olen += part_len;
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
if ((ret = mbedtls_cipher_set_iv(ctx, iv, iv_len)) != 0) {
return ret;
@ -1311,7 +1399,7 @@ static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* As in the non-PSA case, we don't check that
* a key has been set. If not, the key slot will
@ -1342,10 +1430,10 @@ static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
*olen -= tag_len;
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
*olen = ilen;
return mbedtls_gcm_crypt_and_tag(ctx->cipher_ctx, MBEDTLS_GCM_ENCRYPT,
ilen, iv, iv_len, ad, ad_len,
@ -1353,7 +1441,7 @@ static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
}
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CCM_C)
if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
*olen = ilen;
return mbedtls_ccm_encrypt_and_tag(ctx->cipher_ctx, ilen,
iv, iv_len, ad, ad_len, input, output,
@ -1361,9 +1449,9 @@ static int mbedtls_cipher_aead_encrypt(mbedtls_cipher_context_t *ctx,
}
#endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CHACHAPOLY_C)
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
/* ChachaPoly has fixed length nonce and MAC (tag) */
if ((iv_len != ctx->cipher_info->iv_size) ||
if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
(tag_len != 16U)) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
@ -1388,7 +1476,7 @@ static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ctx->psa_enabled == 1) {
/* As in the non-PSA case, we don't check that
* a key has been set. If not, the key slot will
@ -1420,10 +1508,10 @@ static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
return 0;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_GCM_C)
if (MBEDTLS_MODE_GCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_GCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*olen = ilen;
@ -1439,7 +1527,7 @@ static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
}
#endif /* MBEDTLS_GCM_C */
#if defined(MBEDTLS_CCM_C)
if (MBEDTLS_MODE_CCM == ctx->cipher_info->mode) {
if (MBEDTLS_MODE_CCM == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
*olen = ilen;
@ -1455,11 +1543,11 @@ static int mbedtls_cipher_aead_decrypt(mbedtls_cipher_context_t *ctx,
}
#endif /* MBEDTLS_CCM_C */
#if defined(MBEDTLS_CHACHAPOLY_C)
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ctx->cipher_info->type) {
if (MBEDTLS_CIPHER_CHACHA20_POLY1305 == ((mbedtls_cipher_type_t) ctx->cipher_info->type)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
/* ChachaPoly has fixed length nonce and MAC (tag) */
if ((iv_len != ctx->cipher_info->iv_size) ||
if ((iv_len != mbedtls_cipher_info_get_iv_size(ctx->cipher_info)) ||
(tag_len != 16U)) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
@ -1493,13 +1581,14 @@ int mbedtls_cipher_auth_encrypt_ext(mbedtls_cipher_context_t *ctx,
{
#if defined(MBEDTLS_NIST_KW_C)
if (
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
ctx->psa_enabled == 0 &&
#endif
(MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
mbedtls_nist_kw_mode_t mode =
(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
/* There is no iv, tag or ad associated with KW and KWP,
* so these length should be 0 as documented. */
@ -1543,13 +1632,14 @@ int mbedtls_cipher_auth_decrypt_ext(mbedtls_cipher_context_t *ctx,
{
#if defined(MBEDTLS_NIST_KW_C)
if (
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_DEPRECATED_REMOVED)
ctx->psa_enabled == 0 &&
#endif
(MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode)) {
mbedtls_nist_kw_mode_t mode = (MBEDTLS_MODE_KW == ctx->cipher_info->mode) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
MBEDTLS_MODE_KWP == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode))) {
mbedtls_nist_kw_mode_t mode =
(MBEDTLS_MODE_KW == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
/* There is no iv, tag or ad associated with KW and KWP,
* so these length should be 0 as documented. */

1034
library/cipher_wrap.c
View file

File diff suppressed because it is too large Load diff

2
library/cipher_wrap.h
View file

@ -135,6 +135,8 @@ extern const mbedtls_cipher_definition_t mbedtls_cipher_definitions[];
extern int mbedtls_cipher_supported[];
extern const mbedtls_cipher_base_t *mbedtls_cipher_base_lookup_table[];
#ifdef __cplusplus
}
#endif

20
library/cmac.c
View file

@ -119,7 +119,7 @@ static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
mbedtls_platform_zeroize(L, sizeof(L));
block_size = ctx->cipher_info->block_size;
block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
/* Calculate Ek(0) */
if ((ret = mbedtls_cipher_update(ctx, L, block_size, L, &olen)) != 0) {
@ -186,7 +186,7 @@ int mbedtls_cipher_cmac_starts(mbedtls_cipher_context_t *ctx,
return retval;
}
type = ctx->cipher_info->type;
type = mbedtls_cipher_info_get_type(ctx->cipher_info);
switch (type) {
case MBEDTLS_CIPHER_AES_128_ECB:
@ -226,7 +226,7 @@ int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
}
cmac_ctx = ctx->cmac_ctx;
block_size = ctx->cipher_info->block_size;
block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
state = ctx->cmac_ctx->state;
/* Is there data still to process from the last call, that's greater in
@ -237,7 +237,7 @@ int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
input,
block_size - cmac_ctx->unprocessed_len);
mbedtls_xor(state, cmac_ctx->unprocessed_block, state, block_size);
mbedtls_xor_no_simd(state, cmac_ctx->unprocessed_block, state, block_size);
if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
&olen)) != 0) {
@ -255,7 +255,7 @@ int mbedtls_cipher_cmac_update(mbedtls_cipher_context_t *ctx,
/* Iterate across the input data in block sized chunks, excluding any
* final partial or complete block */
for (j = 1; j < n; j++) {
mbedtls_xor(state, input, state, block_size);
mbedtls_xor_no_simd(state, input, state, block_size);
if ((ret = mbedtls_cipher_update(ctx, state, block_size, state,
&olen)) != 0) {
@ -295,7 +295,7 @@ int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
}
cmac_ctx = ctx->cmac_ctx;
block_size = ctx->cipher_info->block_size;
block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
state = cmac_ctx->state;
mbedtls_platform_zeroize(K1, sizeof(K1));
@ -521,6 +521,7 @@ static const unsigned char aes_128_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTL
};
/* CMAC-AES192 Test Data */
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const unsigned char aes_192_key[24] = {
0x8e, 0x73, 0xb0, 0xf7, 0xda, 0x0e, 0x64, 0x52,
0xc8, 0x10, 0xf3, 0x2b, 0x80, 0x90, 0x79, 0xe5,
@ -561,8 +562,10 @@ static const unsigned char aes_192_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTL
0x4d, 0x77, 0x58, 0x96, 0x59, 0xf3, 0x9a, 0x11
}
};
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
/* CMAC-AES256 Test Data */
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
static const unsigned char aes_256_key[32] = {
0x60, 0x3d, 0xeb, 0x10, 0x15, 0xca, 0x71, 0xbe,
0x2b, 0x73, 0xae, 0xf0, 0x85, 0x7d, 0x77, 0x81,
@ -604,6 +607,7 @@ static const unsigned char aes_256_expected_result[NB_CMAC_TESTS_PER_KEY][MBEDTL
0x69, 0x6a, 0x2c, 0x05, 0x6c, 0x31, 0x54, 0x10
}
};
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_DES_C)
@ -951,6 +955,7 @@ int mbedtls_cmac_self_test(int verbose)
}
/* AES-192 */
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
if ((ret = cmac_test_subkeys(verbose,
"AES 192",
aes_192_key,
@ -974,8 +979,10 @@ int mbedtls_cmac_self_test(int verbose)
NB_CMAC_TESTS_PER_KEY)) != 0) {
return ret;
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
/* AES-256 */
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
if ((ret = cmac_test_subkeys(verbose,
"AES 256",
aes_256_key,
@ -999,6 +1006,7 @@ int mbedtls_cmac_self_test(int verbose)
NB_CMAC_TESTS_PER_KEY)) != 0) {
return ret;
}
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
#endif /* MBEDTLS_AES_C */
#if defined(MBEDTLS_DES_C)

156
library/common.h
View file

@ -31,6 +31,10 @@
#include <stdint.h>
#include <stddef.h>
#if defined(__ARM_NEON)
#include <arm_neon.h>
#endif /* __ARM_NEON */
/** Helper to define a function as static except when building invasive tests.
*
* If a function is only used inside its own source file and should be
@ -65,6 +69,44 @@ extern void (*mbedtls_test_hook_test_fail)(const char *test, int line, const cha
#define MBEDTLS_TEST_HOOK_TEST_ASSERT(TEST)
#endif /* defined(MBEDTLS_TEST_HOOKS) */
/** \def ARRAY_LENGTH
* Return the number of elements of a static or stack array.
*
* \param array A value of array (not pointer) type.
*
* \return The number of elements of the array.
*/
/* A correct implementation of ARRAY_LENGTH, but which silently gives
* a nonsensical result if called with a pointer rather than an array. */
#define ARRAY_LENGTH_UNSAFE(array) \
(sizeof(array) / sizeof(*(array)))
#if defined(__GNUC__)
/* Test if arg and &(arg)[0] have the same type. This is true if arg is
* an array but not if it's a pointer. */
#define IS_ARRAY_NOT_POINTER(arg) \
(!__builtin_types_compatible_p(__typeof__(arg), \
__typeof__(&(arg)[0])))
/* A compile-time constant with the value 0. If `const_expr` is not a
* compile-time constant with a nonzero value, cause a compile-time error. */
#define STATIC_ASSERT_EXPR(const_expr) \
(0 && sizeof(struct { unsigned int STATIC_ASSERT : 1 - 2 * !(const_expr); }))
/* Return the scalar value `value` (possibly promoted). This is a compile-time
* constant if `value` is. `condition` must be a compile-time constant.
* If `condition` is false, arrange to cause a compile-time error. */
#define STATIC_ASSERT_THEN_RETURN(condition, value) \
(STATIC_ASSERT_EXPR(condition) ? 0 : (value))
#define ARRAY_LENGTH(array) \
(STATIC_ASSERT_THEN_RETURN(IS_ARRAY_NOT_POINTER(array), \
ARRAY_LENGTH_UNSAFE(array)))
#else
/* If we aren't sure the compiler supports our non-standard tricks,
* fall back to the unsafe implementation. */
#define ARRAY_LENGTH(array) ARRAY_LENGTH_UNSAFE(array)
#endif
/** Allow library to access its structs' private members.
*
* Although structs defined in header files are publicly available,
@ -125,10 +167,64 @@ inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
#if defined(__ARM_NEON)
for (; (i + 16) <= n; i += 16) {
uint8x16_t v1 = vld1q_u8(a + i);
uint8x16_t v2 = vld1q_u8(b + i);
uint8x16_t x = veorq_u8(v1, v2);
vst1q_u8(r + i, x);
}
#elif defined(__amd64__) || defined(__x86_64__) || defined(__aarch64__)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
#endif
#endif
for (; i < n; i++) {
r[i] = a[i] ^ b[i];
}
}
/**
* Perform a fast block XOR operation, such that
* r[i] = a[i] ^ b[i] where 0 <= i < n
*
* In some situations, this can perform better than mbedtls_xor (e.g., it's about 5%
* better in AES-CBC).
*
* \param r Pointer to result (buffer of at least \p n bytes). \p r
* may be equal to either \p a or \p b, but behaviour when
* it overlaps in other ways is undefined.
* \param a Pointer to input (buffer of at least \p n bytes)
* \param b Pointer to input (buffer of at least \p n bytes)
* \param n Number of bytes to process.
*/
static inline void mbedtls_xor_no_simd(unsigned char *r,
const unsigned char *a,
const unsigned char *b,
size_t n)
{
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
#if defined(__amd64__) || defined(__x86_64__) || defined(__aarch64__)
/* This codepath probably only makes sense on architectures with 64-bit registers */
for (; (i + 8) <= n; i += 8) {
uint64_t x = mbedtls_get_unaligned_uint64(a + i) ^ mbedtls_get_unaligned_uint64(b + i);
mbedtls_put_unaligned_uint64(r + i, x);
}
#else
for (; (i + 4) <= n; i += 4) {
uint32_t x = mbedtls_get_unaligned_uint32(a + i) ^ mbedtls_get_unaligned_uint32(b + i);
mbedtls_put_unaligned_uint32(r + i, x);
}
#endif
#endif
for (; i < n; i++) {
r[i] = a[i] ^ b[i];
@ -146,10 +242,42 @@ inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned
/* Define `asm` for compilers which don't define it. */
/* *INDENT-OFF* */
#ifndef asm
#if defined(__IAR_SYSTEMS_ICC__)
#define asm __asm
#else
#define asm __asm__
#endif
#endif
/* *INDENT-ON* */
/*
* Define the constraint used for read-only pointer operands to aarch64 asm.
*
* This is normally the usual "r", but for aarch64_32 (aka ILP32,
* as found in watchos), "p" is required to avoid warnings from clang.
*
* Note that clang does not recognise '+p' or '=p', and armclang
* does not recognise 'p' at all. Therefore, to update a pointer from
* aarch64 assembly, it is necessary to use something like:
*
* uintptr_t uptr = (uintptr_t) ptr;
* asm( "ldr x4, [%x0], #8" ... : "+r" (uptr) : : )
* ptr = (void*) uptr;
*
* Note that the "x" in "%x0" is neccessary; writing "%0" will cause warnings.
*/
#if defined(__aarch64__) && defined(MBEDTLS_HAVE_ASM)
#if UINTPTR_MAX == 0xfffffffful
/* ILP32: Specify the pointer operand slightly differently, as per #7787. */
#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "p"
#elif UINTPTR_MAX == 0xfffffffffffffffful
/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
#else
#error Unrecognised pointer size for aarch64
#endif
#endif
/* Always provide a static assert macro, so it can be used unconditionally.
* It will expand to nothing on some systems.
* Can be used outside functions (but don't add a trailing ';' in that case:
@ -164,4 +292,32 @@ inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned
#define MBEDTLS_STATIC_ASSERT(expr, msg)
#endif
/* Define compiler branch hints */
#if defined(__has_builtin)
#if __has_builtin(__builtin_expect)
#define MBEDTLS_LIKELY(x) __builtin_expect((x), 1)
#define MBEDTLS_UNLIKELY(x) __builtin_expect((x), 0)
#endif
#endif
#if !defined(MBEDTLS_LIKELY)
#define MBEDTLS_LIKELY(x) x
#define MBEDTLS_UNLIKELY(x) x
#endif
#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
&& !defined(__llvm__) && !defined(__INTEL_COMPILER)
/* Defined if the compiler really is gcc and not clang, etc */
#define MBEDTLS_COMPILER_IS_GCC
#endif
/* For gcc -Os, override with -O2 for a given function.
*
* This will not affect behaviour for other optimisation settings, e.g. -O0.
*/
#if defined(MBEDTLS_COMPILER_IS_GCC) && defined(__OPTIMIZE_SIZE__)
#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE __attribute__((optimize("-O2")))
#else
#define MBEDTLS_OPTIMIZE_FOR_PERFORMANCE
#endif
#endif /* MBEDTLS_LIBRARY_COMMON_H */

22
library/constant_time.c
View file

@ -46,10 +46,18 @@
#endif
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
#include "psa/crypto.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
@ -63,7 +71,9 @@
* only used here.
*/
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) && defined(MBEDTLS_HAVE_ASM)
#if defined(__arm__) || defined(__thumb__) || defined(__thumb2__) || defined(__aarch64__)
#if ((defined(__arm__) || defined(__thumb__) || defined(__thumb2__)) && \
(UINTPTR_MAX == 0xfffffffful)) || defined(__aarch64__)
/* We check pointer sizes to avoid issues with them not matching register size requirements */
#define MBEDTLS_EFFICIENT_UNALIGNED_VOLATILE_ACCESS
#endif
#endif
@ -79,7 +89,7 @@ static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsi
#if defined(__arm__) || defined(__thumb__) || defined(__thumb2__)
asm volatile ("ldr %0, [%1]" : "=r" (r) : "r" (p) :);
#elif defined(__aarch64__)
asm volatile ("ldr %w0, [%1]" : "=r" (r) : "r" (p) :);
asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
#endif
return r;
}

65
library/debug.c
View file

@ -30,6 +30,7 @@
#include <stdio.h>
#include <string.h>
/* DEBUG_BUF_SIZE must be at least 2 */
#define DEBUG_BUF_SIZE 512
static int debug_threshold = 0;
@ -69,6 +70,8 @@ void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
char str[DEBUG_BUF_SIZE];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_STATIC_ASSERT(DEBUG_BUF_SIZE >= 2, "DEBUG_BUF_SIZE too small");
if (NULL == ssl ||
NULL == ssl->conf ||
NULL == ssl->conf->f_dbg ||
@ -80,10 +83,15 @@ void mbedtls_debug_print_msg(const mbedtls_ssl_context *ssl, int level,
ret = mbedtls_vsnprintf(str, DEBUG_BUF_SIZE, format, argp);
va_end(argp);
if (ret >= 0 && ret < DEBUG_BUF_SIZE - 1) {
str[ret] = '\n';
str[ret + 1] = '\0';
if (ret < 0) {
ret = 0;
} else {
if (ret >= DEBUG_BUF_SIZE - 1) {
ret = DEBUG_BUF_SIZE - 2;
}
}
str[ret] = '\n';
str[ret + 1] = '\0';
debug_send_line(ssl, level, file, line, str);
}
@ -195,6 +203,52 @@ void mbedtls_debug_print_ecp(const mbedtls_ssl_context *ssl, int level,
#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_BIGNUM_C)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
void mbedtls_debug_print_psa_ec(const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_pk_context *pk)
{
char str[DEBUG_BUF_SIZE];
mbedtls_mpi mpi;
const uint8_t *mpi_start;
size_t mpi_len;
int ret;
if (NULL == ssl ||
NULL == ssl->conf ||
NULL == ssl->conf->f_dbg ||
level > debug_threshold) {
return;
}
/* For the description of pk->pk_raw content please refer to the description
* psa_export_public_key() function. */
mpi_len = (pk->pub_raw_len - 1)/2;
/* X coordinate */
mbedtls_mpi_init(&mpi);
mpi_start = pk->pub_raw + 1;
ret = mbedtls_mpi_read_binary(&mpi, mpi_start, mpi_len);
if (ret != 0) {
return;
}
mbedtls_snprintf(str, sizeof(str), "%s(X)", text);
mbedtls_debug_print_mpi(ssl, level, file, line, str, &mpi);
mbedtls_mpi_free(&mpi);
/* Y coordinate */
mbedtls_mpi_init(&mpi);
mpi_start = mpi_start + mpi_len;
ret = mbedtls_mpi_read_binary(&mpi, mpi_start, mpi_len);
if (ret != 0) {
return;
}
mbedtls_snprintf(str, sizeof(str), "%s(Y)", text);
mbedtls_debug_print_mpi(ssl, level, file, line, str, &mpi);
mbedtls_mpi_free(&mpi);
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
const char *file, int line,
const char *text, const mbedtls_mpi *X)
@ -277,6 +331,11 @@ static void debug_print_pk(const mbedtls_ssl_context *ssl, int level,
if (items[i].type == MBEDTLS_PK_DEBUG_ECP) {
mbedtls_debug_print_ecp(ssl, level, file, line, name, items[i].value);
} else
#endif
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if (items[i].type == MBEDTLS_PK_DEBUG_PSA_EC) {
mbedtls_debug_print_psa_ec(ssl, level, file, line, name, items[i].value);
} else
#endif
{ debug_send_line(ssl, level, file, line,
"should not happen\n"); }

8
library/ecjpake.c
View file

@ -30,8 +30,6 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "hash_info.h"
#include <string.h>
#if !defined(MBEDTLS_ECJPAKE_ALT)
@ -217,7 +215,7 @@ static int ecjpake_hash(const mbedtls_md_type_t md_type,
unsigned char *p = buf;
const unsigned char *end = buf + sizeof(buf);
const size_t id_len = strlen(id);
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
/* Write things to temporary buffer */
MBEDTLS_MPI_CHK(ecjpake_write_len_point(&p, end, grp, pf, G));
@ -244,7 +242,7 @@ static int ecjpake_hash(const mbedtls_md_type_t md_type,
/* Turn it into an integer mod n */
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(h, hash,
mbedtls_hash_info_get_size(md_type)));
mbedtls_md_get_size_from_type(md_type)));
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(h, h, &grp->N));
cleanup:
@ -780,7 +778,7 @@ int mbedtls_ecjpake_derive_secret(mbedtls_ecjpake_context *ctx,
unsigned char kx[MBEDTLS_ECP_MAX_BYTES];
size_t x_bytes;
*olen = mbedtls_hash_info_get_size(ctx->md_type);
*olen = mbedtls_md_get_size_from_type(ctx->md_type);
if (len < *olen) {
return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
}

24
library/ecp.c
View file

@ -43,6 +43,8 @@
#include "common.h"
#if !defined(MBEDTLS_ECP_WITH_MPI_UINT)
/**
* \brief Function level alternative implementation.
*
@ -2930,9 +2932,9 @@ int mbedtls_ecp_muladd(mbedtls_ecp_group *grp, mbedtls_ecp_point *R,
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
#define ECP_MPI_INIT(s, n, p) { s, (n), (mbedtls_mpi_uint *) (p) }
#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
#define ECP_MPI_INIT_ARRAY(x) \
ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
/*
* Constants for the two points other than 0, 1, -1 (mod p) in
* https://cr.yp.to/ecdh.html#validate
@ -3278,16 +3280,14 @@ int mbedtls_ecp_read_key(mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key,
);
}
}
#endif
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
if (mbedtls_ecp_get_type(&key->grp) == MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS) {
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&key->d, buf, buflen));
MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
}
#endif
MBEDTLS_MPI_CHK(mbedtls_ecp_check_privkey(&key->grp, &key->d));
cleanup:
if (ret != 0) {
@ -3636,6 +3636,18 @@ cleanup:
#endif /* MBEDTLS_SELF_TEST */
#if defined(MBEDTLS_TEST_HOOKS)
MBEDTLS_STATIC_TESTABLE
mbedtls_ecp_variant mbedtls_ecp_get_variant()
{
return MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT;
}
#endif /* MBEDTLS_TEST_HOOKS */
#endif /* !MBEDTLS_ECP_ALT */
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* !MBEDTLS_ECP_WITH_MPI_UINT */

524
library/ecp_curves.c
View file

@ -22,9 +22,14 @@
#if defined(MBEDTLS_ECP_LIGHT)
#include "mbedtls/ecp.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
#include "constant_time_internal.h"
#include "bn_mul.h"
#include "bignum_core.h"
#include "ecp_invasive.h"
@ -39,15 +44,15 @@
#define ECP_VALIDATE(cond) \
MBEDTLS_INTERNAL_VALIDATE(cond)
#define ECP_MPI_INIT(s, n, p) { s, (n), (mbedtls_mpi_uint *) (p) }
#define ECP_MPI_INIT(_p, _n) { .p = (mbedtls_mpi_uint *) (_p), .s = 1, .n = (_n) }
#define ECP_MPI_INIT_ARRAY(x) \
ECP_MPI_INIT(1, sizeof(x) / sizeof(mbedtls_mpi_uint), x)
ECP_MPI_INIT(x, sizeof(x) / sizeof(mbedtls_mpi_uint))
#define ECP_POINT_INIT_XY_Z0(x, y) { \
ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(1, 0, NULL) }
ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(NULL, 0) }
#define ECP_POINT_INIT_XY_Z1(x, y) { \
ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(1, 1, mpi_one) }
ECP_MPI_INIT_ARRAY(x), ECP_MPI_INIT_ARRAY(y), ECP_MPI_INIT(mpi_one, 1) }
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
@ -4507,12 +4512,13 @@ static const mbedtls_ecp_point brainpoolP512r1_T[32] = {
defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
/*
* Create an MPI from embedded constants
* (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint))
* (assumes len is an exact multiple of sizeof(mbedtls_mpi_uint) and
* len < 1048576)
*/
static inline void ecp_mpi_load(mbedtls_mpi *X, const mbedtls_mpi_uint *p, size_t len)
{
X->s = 1;
X->n = len / sizeof(mbedtls_mpi_uint);
X->n = (unsigned short) (len / sizeof(mbedtls_mpi_uint));
X->p = (mbedtls_mpi_uint *) p;
}
#endif
@ -4602,26 +4608,28 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
/* Additional forward declarations */
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
static int ecp_mod_p255(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
static int ecp_mod_p448(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p448(mbedtls_mpi *);
int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *, size_t);
#endif
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
static int ecp_mod_p192k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p192k1(mbedtls_mpi *);
int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
static int ecp_mod_p224k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p224k1(mbedtls_mpi *);
int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
static int ecp_mod_p256k1(mbedtls_mpi *);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p256k1(mbedtls_mpi *);
int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif
#if defined(ECP_LOAD_GROUP)
@ -4915,7 +4923,7 @@ static inline void carry64(mbedtls_mpi_uint *dst, mbedtls_mpi_uint *carry)
static int ecp_mod_p192(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = 2 * ((192 + biL - 1) / biL);
size_t expected_width = BITS_TO_LIMBS(192) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
@ -4929,7 +4937,7 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
mbedtls_mpi_uint *p, *end;
if (Nn != 2*((192 + biL - 1)/biL)) {
if (Nn != BITS_TO_LIMBS(192) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
@ -5075,7 +5083,7 @@ static inline int8_t extract_carry(int64_t cur)
static int ecp_mod_p224(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = 2 * 224 / biL;
size_t expected_width = BITS_TO_LIMBS(224) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p224_raw(N->p, expected_width);
cleanup:
@ -5085,7 +5093,7 @@ cleanup:
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
if (X_limbs != 2 * 224 / biL) {
if (X_limbs != BITS_TO_LIMBS(224) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
@ -5128,7 +5136,7 @@ int mbedtls_ecp_mod_p224_raw(mbedtls_mpi_uint *X, size_t X_limbs)
static int ecp_mod_p256(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = 2 * 256 / biL;
size_t expected_width = BITS_TO_LIMBS(256) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p256_raw(N->p, expected_width);
cleanup:
@ -5138,7 +5146,7 @@ cleanup:
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
if (X_limbs != 2 * 256 / biL) {
if (X_limbs != BITS_TO_LIMBS(256) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
@ -5208,7 +5216,7 @@ int mbedtls_ecp_mod_p256_raw(mbedtls_mpi_uint *X, size_t X_limbs)
static int ecp_mod_p384(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = 2 * ((384 + biL - 1) / biL);
size_t expected_width = BITS_TO_LIMBS(384) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p384_raw(N->p, expected_width);
cleanup:
@ -5218,7 +5226,7 @@ cleanup:
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
if (X_limbs != 2*((384 + biL - 1)/biL)) {
if (X_limbs != BITS_TO_LIMBS(384) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
@ -5330,7 +5338,7 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs)
static int ecp_mod_p521(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = 2 * P521_WIDTH;
size_t expected_width = BITS_TO_LIMBS(521) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
cleanup:
@ -5342,7 +5350,7 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
mbedtls_mpi_uint carry = 0;
if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) {
if (X_limbs != BITS_TO_LIMBS(521) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
@ -5415,27 +5423,57 @@ int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
*/
static int ecp_mod_p255(mbedtls_mpi *N)
{
mbedtls_mpi_uint Mp[P255_WIDTH];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = BITS_TO_LIMBS(255) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p255_raw(N->p, expected_width);
cleanup:
return ret;
}
/* Helper references for top part of N */
mbedtls_mpi_uint * const NT_p = N->p + P255_WIDTH;
const size_t NT_n = N->n - P255_WIDTH;
if (N->n <= P255_WIDTH) {
return 0;
}
if (NT_n > P255_WIDTH) {
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_Limbs)
{
if (X_Limbs != BITS_TO_LIMBS(255) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
/* Split N as N + 2^256 M */
memcpy(Mp, NT_p, sizeof(mbedtls_mpi_uint) * NT_n);
memset(NT_p, 0, sizeof(mbedtls_mpi_uint) * NT_n);
mbedtls_mpi_uint *carry = mbedtls_calloc(P255_WIDTH, ciL);
if (carry == NULL) {
return MBEDTLS_ERR_ECP_ALLOC_FAILED;
}
/* N = A0 + 38 * A1 */
mbedtls_mpi_core_mla(N->p, P255_WIDTH + 1,
Mp, NT_n,
38);
/* Step 1: Reduction to P255_WIDTH limbs */
if (X_Limbs > P255_WIDTH) {
/* Helper references for top part of X */
mbedtls_mpi_uint * const A1 = X + P255_WIDTH;
const size_t A1_limbs = X_Limbs - P255_WIDTH;
/* X = A0 + 38 * A1, capture carry out */
*carry = mbedtls_mpi_core_mla(X, P255_WIDTH, A1, A1_limbs, 38);
/* Clear top part */
memset(A1, 0, sizeof(mbedtls_mpi_uint) * A1_limbs);
}
/* Step 2: Reduce to <2p
* Split as A0 + 2^255*c, with c a scalar, and compute A0 + 19*c */
*carry <<= 1;
*carry += (X[P255_WIDTH - 1] >> (biL - 1));
*carry *= 19;
/* Clear top bit */
X[P255_WIDTH - 1] <<= 1; X[P255_WIDTH - 1] >>= 1;
/* Since the top bit for X has been cleared 0 + 0 + Carry
* will not overflow.
*
* Furthermore for 2p = 2^256-38. When a carry propagation on the highest
* limb occurs, X > 2^255 and all the remaining bits on the limb are zero.
* - If X < 2^255 ==> X < 2p
* - If X > 2^255 ==> X < 2^256 - 2^255 < 2p */
(void) mbedtls_mpi_core_add(X, X, carry, P255_WIDTH);
mbedtls_free(carry);
return 0;
}
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
@ -5447,77 +5485,149 @@ static int ecp_mod_p255(mbedtls_mpi *N)
/* Number of limbs fully occupied by 2^224 (max), and limbs used by it (min) */
#define DIV_ROUND_UP(X, Y) (((X) + (Y) -1) / (Y))
#define P224_WIDTH_MIN (28 / sizeof(mbedtls_mpi_uint))
#define P224_WIDTH_MAX DIV_ROUND_UP(28, sizeof(mbedtls_mpi_uint))
#define P224_SIZE (224 / 8)
#define P224_WIDTH_MIN (P224_SIZE / sizeof(mbedtls_mpi_uint))
#define P224_WIDTH_MAX DIV_ROUND_UP(P224_SIZE, sizeof(mbedtls_mpi_uint))
#define P224_UNUSED_BITS ((P224_WIDTH_MAX * sizeof(mbedtls_mpi_uint) * 8) - 224)
static int ecp_mod_p448(mbedtls_mpi *N)
{
return mbedtls_ecp_mod_p448(N);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = BITS_TO_LIMBS(448) * 2;
/* This is required as some tests and use cases do not pass in a Bignum of
* the correct size, and expect the growth to be done automatically, which
* will no longer happen. */
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p448_raw(N->p, N->n);
cleanup:
return ret;
}
/*
* Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
* Write N as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return
* A0 + A1 + B1 + (B0 + B1) * 2^224. This is different to the reference
* implementation of Curve448, which uses its own special 56-bit limbs rather
* than a generic bignum library. We could squeeze some extra speed out on
* 32-bit machines by splitting N up into 32-bit limbs and doing the
* arithmetic using the limbs directly as we do for the NIST primes above,
* but for 64-bit targets it should use half the number of operations if we do
* the reduction with 224-bit limbs, since mpi_add_mpi will then use 64-bit adds.
* Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
* (B0 + B1) * 2^224. This is different to the reference implementation of
* Curve448, which uses its own special 56-bit limbs rather than a generic
* bignum library. We could squeeze some extra speed out on 32-bit machines by
* splitting N up into 32-bit limbs and doing the arithmetic using the limbs
* directly as we do for the NIST primes above, but for 64-bit targets it should
* use half the number of operations if we do the reduction with 224-bit limbs,
* since mpi_core_add will then use 64-bit adds.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p448(mbedtls_mpi *N)
int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
size_t round;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t i;
mbedtls_mpi M, Q;
mbedtls_mpi_uint Mp[P448_WIDTH + 1], Qp[P448_WIDTH];
if (N->n <= P448_WIDTH) {
if (X_limbs != BITS_TO_LIMBS(448) * 2) {
return 0;
}
/* M = A1 */
M.s = 1;
M.n = N->n - (P448_WIDTH);
if (M.n > P448_WIDTH) {
/* Shouldn't be called with N larger than 2^896! */
size_t M_limbs = X_limbs - (P448_WIDTH);
if (M_limbs > P448_WIDTH) {
/* Shouldn't be called with X larger than 2^896! */
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
M.p = Mp;
memset(Mp, 0, sizeof(Mp));
memcpy(Mp, N->p + P448_WIDTH, M.n * sizeof(mbedtls_mpi_uint));
/* N = A0 */
for (i = P448_WIDTH; i < N->n; i++) {
N->p[i] = 0;
/* Both M and Q require an extra limb to catch carries. */
M_limbs++;
const size_t Q_limbs = M_limbs;
mbedtls_mpi_uint *M = NULL;
mbedtls_mpi_uint *Q = NULL;
M = mbedtls_calloc(M_limbs, ciL);
if (M == NULL) {
return MBEDTLS_ERR_ECP_ALLOC_FAILED;
}
/* N += A1 */
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
Q = mbedtls_calloc(Q_limbs, ciL);
/* Q = B1, N += B1 */
Q = M;
Q.p = Qp;
memcpy(Qp, Mp, sizeof(Qp));
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&Q, 224));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &Q));
if (Q == NULL) {
ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
goto cleanup;
}
/* M = (B0 + B1) * 2^224, N += M */
if (sizeof(mbedtls_mpi_uint) > 4) {
Mp[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
/* M = A1 */
memset(M, 0, (M_limbs * ciL));
/* Do not copy into the overflow limb, as this would read past the end of
* X. */
memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
/* X = A0 */
memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
/* X = X + M = A0 + A1 */
/* Carry here fits in oversize X. Oversize M means it will get
* added in, not returned as carry. */
(void) mbedtls_mpi_core_add(X, X, M, M_limbs);
/* Q = B1 = M >> 224 */
memcpy(Q, (char *) M + P224_SIZE, P224_SIZE);
memset((char *) Q + P224_SIZE, 0, P224_SIZE);
/* X = X + Q = (A0 + A1) + B1
* Oversize Q catches potential carry here when X is already max 448 bits.
*/
(void) mbedtls_mpi_core_add(X, X, Q, Q_limbs);
/* M = B0 */
#ifdef MBEDTLS_HAVE_INT64
M[P224_WIDTH_MIN] &= ((mbedtls_mpi_uint)-1) >> (P224_UNUSED_BITS);
#endif
memset(M + P224_WIDTH_MAX, 0, ((M_limbs - P224_WIDTH_MAX) * ciL));
/* M = M + Q = B0 + B1 */
(void) mbedtls_mpi_core_add(M, M, Q, Q_limbs);
/* M = (B0 + B1) * 2^224 */
/* Shifted carry bit from the addition fits in oversize M. */
memmove((char *) M + P224_SIZE, M, P224_SIZE + ciL);
memset(M, 0, P224_SIZE);
/* X = X + M = (A0 + A1 + B1) + (B0 + B1) * 2^224 */
(void) mbedtls_mpi_core_add(X, X, M, M_limbs);
/* In the second and third rounds A1 and B0 have at most 1 non-zero limb and
* B1=0.
* Using this we need to calculate:
* A0 + A1 + B1 + (B0 + B1) * 2^224 = A0 + A1 + B0 * 2^224. */
for (round = 0; round < 2; ++round) {
/* M = A1 */
memset(M, 0, (M_limbs * ciL));
memcpy(M, X + P448_WIDTH, ((M_limbs - 1) * ciL));
/* X = A0 */
memset(X + P448_WIDTH, 0, ((M_limbs - 1) * ciL));
/* M = A1 + B0 * 2^224
* We know that only one limb of A1 will be non-zero and that it will be
* limb 0. We also know that B0 is the bottom 224 bits of A1 (which is
* then shifted up 224 bits), so, given M is currently A1 this turns
* into:
* M = M + (M << 224)
* As the single non-zero limb in B0 will be A1 limb 0 shifted up by 224
* bits, we can just move that into the right place, shifted up
* accordingly.*/
M[P224_WIDTH_MIN] = M[0] << (224 & (biL - 1));
/* X = A0 + (A1 + B0 * 2^224) */
(void) mbedtls_mpi_core_add(X, X, M, M_limbs);
}
for (i = P224_WIDTH_MAX; i < M.n; ++i) {
Mp[i] = 0;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(&M, &M, &Q));
M.n = P448_WIDTH + 1; /* Make room for shifted carry bit from the addition */
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_l(&M, 224));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_mpi(N, N, &M));
ret = 0;
cleanup:
mbedtls_free(M);
mbedtls_free(Q);
return ret;
}
#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
@ -5525,161 +5635,221 @@ cleanup:
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || \
defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
/*
* Fast quasi-reduction modulo P = 2^s - R,
* with R about 33 bits, used by the Koblitz curves.
*
* Write N as A0 + 2^224 A1, return A0 + R * A1.
* Actually do two passes, since R is big.
* Write X as A0 + 2^224 A1, return A0 + R * A1.
*/
#define P_KOBLITZ_MAX (256 / 8 / sizeof(mbedtls_mpi_uint)) // Max limbs in P
#define P_KOBLITZ_R (8 / sizeof(mbedtls_mpi_uint)) // Limbs in R
static inline int ecp_mod_koblitz(mbedtls_mpi *N, mbedtls_mpi_uint *Rp, size_t p_limbs,
size_t adjust, size_t shift, mbedtls_mpi_uint mask)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi M, R;
mbedtls_mpi_uint Mp[P_KOBLITZ_MAX + P_KOBLITZ_R + 1];
if (N->n < p_limbs) {
return 0;
static inline int ecp_mod_koblitz(mbedtls_mpi_uint *X,
size_t X_limbs,
mbedtls_mpi_uint *R,
size_t bits)
{
int ret = 0;
/* Determine if A1 is aligned to limb bitsize. If not then the used limbs
* of P, A0 and A1 must be set accordingly and there is a middle limb
* which is shared by A0 and A1 and need to handle accordingly.
*/
size_t shift = bits % biL;
size_t adjust = (shift + biL - 1) / biL;
size_t P_limbs = bits / biL + adjust;
mbedtls_mpi_uint mask = 0;
mbedtls_mpi_uint *A1 = mbedtls_calloc(P_limbs, ciL);
if (A1 == NULL) {
return MBEDTLS_ERR_ECP_ALLOC_FAILED;
}
/* Init R */
R.s = 1;
R.p = Rp;
R.n = P_KOBLITZ_R;
/* Create a buffer to store the value of `R * A1` */
size_t R_limbs = P_KOBLITZ_R;
size_t M_limbs = P_limbs + R_limbs;
mbedtls_mpi_uint *M = mbedtls_calloc(M_limbs, ciL);
if (M == NULL) {
ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
goto cleanup;
}
/* Common setup for M */
M.s = 1;
M.p = Mp;
if (adjust != 0) {
mask = ((mbedtls_mpi_uint) 1 << shift) - 1;
}
for (size_t pass = 0; pass < 2; pass++) {
/* M = A1 */
M.n = N->n - (p_limbs - adjust);
if (M.n > p_limbs + adjust) {
M.n = p_limbs + adjust;
}
memset(Mp, 0, sizeof(Mp));
memcpy(Mp, N->p + p_limbs - adjust, M.n * sizeof(mbedtls_mpi_uint));
/* Two passes are needed to reduce the value of `A0 + R * A1` and then
* we need an additional one to reduce the possible overflow during
* the addition.
*/
for (size_t pass = 0; pass < 3; pass++) {
/* Copy A1 */
memcpy(A1, X + P_limbs - adjust, P_limbs * ciL);
/* Shift A1 to be aligned */
if (shift != 0) {
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, shift));
mbedtls_mpi_core_shift_r(A1, P_limbs, shift);
}
M.n += R.n; /* Make room for multiplication by R */
/* N = A0 */
/* Zeroize the A1 part of the shared limb */
if (mask != 0) {
N->p[p_limbs - 1] &= mask;
}
for (size_t i = p_limbs; i < N->n; i++) {
N->p[i] = 0;
X[P_limbs - 1] &= mask;
}
/* N = A0 + R * A1 */
MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&M, &M, &R));
MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
/* X = A0
* Zeroize the A1 part of X to keep only the A0 part.
*/
for (size_t i = P_limbs; i < X_limbs; i++) {
X[i] = 0;
}
/* X = A0 + R * A1 */
mbedtls_mpi_core_mul(M, A1, P_limbs, R, R_limbs);
(void) mbedtls_mpi_core_add(X, X, M, P_limbs + R_limbs);
/* Carry can not be generated since R is a 33-bit value and stored in
* 64 bits. The result value of the multiplication is at most
* P length + 33 bits in length and the result value of the addition
* is at most P length + 34 bits in length. So the result of the
* addition always fits in P length + 64 bits.
*/
}
cleanup:
mbedtls_free(M);
mbedtls_free(A1);
return ret;
}
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED) ||
MBEDTLS_ECP_DP_SECP224K1_ENABLED) ||
MBEDTLS_ECP_DP_SECP256K1_ENABLED) */
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
/*
* Fast quasi-reduction modulo p192k1 = 2^192 - R,
* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
*/
static int ecp_mod_p192k1(mbedtls_mpi *N)
{
return mbedtls_ecp_mod_p192k1(N);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = BITS_TO_LIMBS(192) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p192k1_raw(N->p, expected_width);
cleanup:
return ret;
}
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N)
int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00)
MBEDTLS_BYTES_TO_T_UINT_8(0xC9, 0x11, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00)
};
return ecp_mod_koblitz(N, Rp, 192 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
0);
if (X_limbs != BITS_TO_LIMBS(192) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
return ecp_mod_koblitz(X, X_limbs, Rp, 192);
}
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
static int ecp_mod_p224k1(mbedtls_mpi *N)
{
return mbedtls_ecp_mod_p224k1(N);
}
/*
* Fast quasi-reduction modulo p224k1 = 2^224 - R,
* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
*/
static int ecp_mod_p224k1(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = BITS_TO_LIMBS(224) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p224k1_raw(N->p, expected_width);
cleanup:
return ret;
}
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N)
int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00)
MBEDTLS_BYTES_TO_T_UINT_8(0x93, 0x1A, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00)
};
#if defined(MBEDTLS_HAVE_INT64)
return ecp_mod_koblitz(N, Rp, 4, 1, 32, 0xFFFFFFFF);
#else
return ecp_mod_koblitz(N, Rp, 224 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
0);
#endif
if (X_limbs != BITS_TO_LIMBS(224) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
return ecp_mod_koblitz(X, X_limbs, Rp, 224);
}
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
static int ecp_mod_p256k1(mbedtls_mpi *N)
{
return mbedtls_ecp_mod_p256k1(N);
}
/*
* Fast quasi-reduction modulo p256k1 = 2^256 - R,
* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
*/
static int ecp_mod_p256k1(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t expected_width = BITS_TO_LIMBS(256) * 2;
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
ret = mbedtls_ecp_mod_p256k1_raw(N->p, expected_width);
cleanup:
return ret;
}
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N)
int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs)
{
static mbedtls_mpi_uint Rp[] = {
MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00,
0x00)
MBEDTLS_BYTES_TO_T_UINT_8(0xD1, 0x03, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00)
};
return ecp_mod_koblitz(N, Rp, 256 / 8 / sizeof(mbedtls_mpi_uint), 0, 0,
0);
if (X_limbs != BITS_TO_LIMBS(256) * 2) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
return ecp_mod_koblitz(X, X_limbs, Rp, 256);
}
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
#if defined(MBEDTLS_TEST_HOOKS)
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_ecp_group_id id,
const mbedtls_ecp_curve_type ctype)
const mbedtls_ecp_modulus_type ctype)
{
mbedtls_mpi_modp_fn modp = NULL;
mbedtls_mpi_uint *p = NULL;
size_t p_limbs;
if (!(ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE || \
ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_SCALAR)) {
if (!(ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE || \
ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_SCALAR)) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
switch (id) {
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
case MBEDTLS_ECP_DP_SECP192R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
#if defined(MBEDTLS_ECP_NIST_OPTIM)
modp = &mbedtls_ecp_mod_p192_raw;
#endif
p = (mbedtls_mpi_uint *) secp192r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
} else {
@ -5691,7 +5861,10 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
case MBEDTLS_ECP_DP_SECP224R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
#if defined(MBEDTLS_ECP_NIST_OPTIM)
modp = &mbedtls_ecp_mod_p224_raw;
#endif
p = (mbedtls_mpi_uint *) secp224r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
} else {
@ -5703,7 +5876,10 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
case MBEDTLS_ECP_DP_SECP256R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
#if defined(MBEDTLS_ECP_NIST_OPTIM)
modp = &mbedtls_ecp_mod_p256_raw;
#endif
p = (mbedtls_mpi_uint *) secp256r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
} else {
@ -5715,7 +5891,10 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
case MBEDTLS_ECP_DP_SECP384R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
#if defined(MBEDTLS_ECP_NIST_OPTIM)
modp = &mbedtls_ecp_mod_p384_raw;
#endif
p = (mbedtls_mpi_uint *) secp384r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
} else {
@ -5727,7 +5906,10 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
case MBEDTLS_ECP_DP_SECP521R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
#if defined(MBEDTLS_ECP_NIST_OPTIM)
modp = &mbedtls_ecp_mod_p521_raw;
#endif
p = (mbedtls_mpi_uint *) secp521r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
} else {
@ -5739,7 +5921,7 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
case MBEDTLS_ECP_DP_BP256R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
} else {
@ -5751,7 +5933,7 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
case MBEDTLS_ECP_DP_BP384R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
} else {
@ -5763,7 +5945,7 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
case MBEDTLS_ECP_DP_BP512R1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
} else {
@ -5775,7 +5957,8 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
case MBEDTLS_ECP_DP_CURVE25519:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
modp = &mbedtls_ecp_mod_p255_raw;
p = (mbedtls_mpi_uint *) curve25519_p;
p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
} else {
@ -5787,7 +5970,8 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
case MBEDTLS_ECP_DP_SECP192K1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
modp = &mbedtls_ecp_mod_p192k1_raw;
p = (mbedtls_mpi_uint *) secp192k1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
} else {
@ -5799,7 +5983,8 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
case MBEDTLS_ECP_DP_SECP224K1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
modp = &mbedtls_ecp_mod_p224k1_raw;
p = (mbedtls_mpi_uint *) secp224k1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
} else {
@ -5811,7 +5996,8 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
case MBEDTLS_ECP_DP_SECP256K1:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
modp = &mbedtls_ecp_mod_p256k1_raw;
p = (mbedtls_mpi_uint *) secp256k1_p;
p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
} else {
@ -5823,7 +6009,8 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
case MBEDTLS_ECP_DP_CURVE448:
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
if (ctype == (mbedtls_ecp_modulus_type) MBEDTLS_ECP_MOD_COORDINATE) {
modp = &mbedtls_ecp_mod_p448_raw;
p = (mbedtls_mpi_uint *) curve448_p;
p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
} else {
@ -5838,9 +6025,14 @@ int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs,
MBEDTLS_MPI_MOD_REP_MONTGOMERY)) {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if (modp != NULL) {
if (mbedtls_mpi_mod_optred_modulus_setup(N, p, p_limbs, modp)) {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
} else {
if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs)) {
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
}
}
return 0;
}

133
library/ecp_invasive.h
View file

@ -31,8 +31,35 @@
#include "bignum_mod.h"
#include "mbedtls/ecp.h"
/*
* Curve modulus types
*/
typedef enum {
MBEDTLS_ECP_MOD_NONE = 0,
MBEDTLS_ECP_MOD_COORDINATE,
MBEDTLS_ECP_MOD_SCALAR
} mbedtls_ecp_modulus_type;
/* Provide a commented-out definition so that `check_names.py` knows that
* it's not a typo.
*/
//#define MBEDTLS_ECP_WITH_MPI_UINT
typedef enum {
MBEDTLS_ECP_VARIANT_NONE = 0,
MBEDTLS_ECP_VARIANT_WITH_MPI_STRUCT,
MBEDTLS_ECP_VARIANT_WITH_MPI_UINT
} mbedtls_ecp_variant;
#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_LIGHT)
/** Queries the ecp variant.
*
* \return The id of the ecp variant.
*/
MBEDTLS_STATIC_TESTABLE
mbedtls_ecp_variant mbedtls_ecp_get_variant(void);
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
/** Generate a private key on a Montgomery curve (Curve25519 or Curve448).
*
@ -171,32 +198,120 @@ int mbedtls_ecp_mod_p384_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
/*
* Fast quasi-reduction modulo p192k1 = 2^192 - R,
* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x0100001119
/** Fast quasi-reduction modulo p192k1 = 2^192 - R,
* with R = 2^32 + 2^12 + 2^8 + 2^7 + 2^6 + 2^3 + 1 = 0x01000011C9
*
* \param[in,out] X The address of the MPI to be converted.
* Must have exact limb size that stores a 384-bit MPI
* (double the bitlength of the modulus).
* Upon return holds the reduced value which is
* in range `0 <= X < 2 * N` (where N is the modulus).
* The bitlength of the reduced value is the same as
* that of the modulus (192 bits).
* \param[in] X_limbs The length of \p X in limbs.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
* twice as many limbs as the modulus.
* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p192k1(mbedtls_mpi *N);
int mbedtls_ecp_mod_p192k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
/** Fast quasi-reduction modulo p224k1 = 2^224 - R,
* with R = 2^32 + 2^12 + 2^11 + 2^9 + 2^7 + 2^4 + 2 + 1 = 0x0100001A93
*
* \param[in,out] X The address of the MPI to be converted.
* Must have exact limb size that stores a 448-bit MPI
* (double the bitlength of the modulus).
* Upon return holds the reduced value which is
* in range `0 <= X < 2 * N` (where N is the modulus).
* The bitlength of the reduced value is the same as
* that of the modulus (224 bits).
* \param[in] X_limbs The length of \p X in limbs.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
* twice as many limbs as the modulus.
* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p224k1(mbedtls_mpi *N);
int mbedtls_ecp_mod_p224k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
/** Fast quasi-reduction modulo p256k1 = 2^256 - R,
* with R = 2^32 + 2^9 + 2^8 + 2^7 + 2^6 + 2^4 + 1 = 0x01000003D1
*
* \param[in,out] X The address of the MPI to be converted.
* Must have exact limb size that stores a 512-bit MPI
* (double the bitlength of the modulus).
* Upon return holds the reduced value which is
* in range `0 <= X < 2 * N` (where N is the modulus).
* The bitlength of the reduced value is the same as
* that of the modulus (256 bits).
* \param[in] X_limbs The length of \p X in limbs.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
* twice as many limbs as the modulus.
* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p256k1(mbedtls_mpi *N);
int mbedtls_ecp_mod_p256k1_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
/** Fast quasi-reduction modulo p255 = 2^255 - 19
*
* \param[in,out] X The address of the MPI to be converted.
* Must have exact limb size that stores a 510-bit MPI
* (double the bitlength of the modulus).
* Upon return holds the reduced value which is
* in range `0 <= X < 2 * N` (where N is the modulus).
* \param[in] X_limbs The length of \p X in limbs.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
* twice as many limbs as the modulus.
* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation failed.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p255_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
/** Fast quasi-reduction modulo p448 = 2^448 - 2^224 - 1
* Write X as A0 + 2^448 A1 and A1 as B0 + 2^224 B1, and return A0 + A1 + B1 +
* (B0 + B1) * 2^224.
*
* \param[in,out] X The address of the MPI to be converted.
* Must have exact limb size that stores a 896-bit MPI
* (double the bitlength of the modulus). Upon return
* holds the reduced value which is in range `0 <= X <
* N` (where N is the modulus). The bitlength of the
* reduced value is the same as that of the modulus
* (448 bits).
* \param[in] X_limbs The length of \p X in limbs.
*
* \return \c 0 on Success.
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X does not have
* twice as many limbs as the modulus.
* \return #MBEDTLS_ERR_ECP_ALLOC_FAILED if memory allocation
* failed.
*/
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_mod_p448(mbedtls_mpi *N);
int mbedtls_ecp_mod_p448_raw(mbedtls_mpi_uint *X, size_t X_limbs);
#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
@ -209,7 +324,7 @@ int mbedtls_ecp_mod_p448(mbedtls_mpi *N);
* \param[in,out] N The address of the modulus structure to populate.
* Must be initialized.
* \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
* \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P)
* \param[in] ctype The mbedtls_ecp_modulus_type identifier for a coordinate modulus (P)
* or a scalar modulus (N).
*
* \return \c 0 if successful.
@ -220,7 +335,7 @@ int mbedtls_ecp_mod_p448(mbedtls_mpi *N);
MBEDTLS_STATIC_TESTABLE
int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
const mbedtls_ecp_group_id id,
const mbedtls_ecp_curve_type ctype);
const mbedtls_ecp_modulus_type ctype);
#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */

3655
library/ecp_new.c Normal file
View file

File diff suppressed because it is too large Load diff

7
library/entropy_poll.c
View file

@ -48,10 +48,8 @@
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#if !defined(_WIN32_WINNT)
#define _WIN32_WINNT 0x0400
#endif
#include <windows.h>
#if _WIN32_WINNT >= 0x0501 /* _WIN32_WINNT_WINXP */
#include <wincrypt.h>
int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
@ -76,6 +74,9 @@ int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
return 0;
}
#else /* !_WIN32_WINNT_WINXP */
#error Entropy not available before Windows XP, use MBEDTLS_NO_PLATFORM_ENTROPY
#endif /* !_WIN32_WINNT_WINXP */
#else /* _WIN32 && !EFIX64 && !EFI32 */
/*

29
library/gcm.c
View file

@ -147,7 +147,7 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
return MBEDTLS_ERR_GCM_BAD_INPUT;
}
if (cipher_info->block_size != 16) {
if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
return MBEDTLS_ERR_GCM_BAD_INPUT;
}
@ -174,7 +174,7 @@ int mbedtls_gcm_setkey(mbedtls_gcm_context *ctx,
* last4[x] = x times P^128
* where x and last4[x] are seen as elements of GF(2^128) as in [MGV]
*/
static const uint64_t last4[16] =
static const uint16_t last4[16] =
{
0x0000, 0x1c20, 0x3840, 0x2460,
0x7080, 0x6ca0, 0x48c0, 0x54e0,
@ -645,7 +645,7 @@ void mbedtls_gcm_free(mbedtls_gcm_context *ctx)
static const int key_index_test_data[MAX_TESTS] =
{ 0, 0, 1, 1, 1, 1 };
static const unsigned char key_test_data[MAX_TESTS][32] =
static const unsigned char key_test_data[][32] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@ -663,7 +663,7 @@ static const size_t iv_len_test_data[MAX_TESTS] =
static const int iv_index_test_data[MAX_TESTS] =
{ 0, 0, 1, 1, 1, 2 };
static const unsigned char iv_test_data[MAX_TESTS][64] =
static const unsigned char iv_test_data[][64] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 },
@ -685,7 +685,7 @@ static const size_t add_len_test_data[MAX_TESTS] =
static const int add_index_test_data[MAX_TESTS] =
{ 0, 0, 0, 1, 1, 1 };
static const unsigned char additional_test_data[MAX_TESTS][64] =
static const unsigned char additional_test_data[][64] =
{
{ 0x00 },
{ 0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
@ -699,7 +699,7 @@ static const size_t pt_len_test_data[MAX_TESTS] =
static const int pt_index_test_data[MAX_TESTS] =
{ 0, 0, 1, 1, 1, 1 };
static const unsigned char pt_test_data[MAX_TESTS][64] =
static const unsigned char pt_test_data[][64] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
@ -713,7 +713,7 @@ static const unsigned char pt_test_data[MAX_TESTS][64] =
0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 },
};
static const unsigned char ct_test_data[MAX_TESTS * 3][64] =
static const unsigned char ct_test_data[][64] =
{
{ 0x00 },
{ 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92,
@ -750,6 +750,7 @@ static const unsigned char ct_test_data[MAX_TESTS * 3][64] =
0xcc, 0xdc, 0xb2, 0x81, 0xd4, 0x8c, 0x7c, 0x6f,
0xd6, 0x28, 0x75, 0xd2, 0xac, 0xa4, 0x17, 0x03,
0x4c, 0x34, 0xae, 0xe5 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x00 },
{ 0x98, 0xe7, 0x24, 0x7c, 0x07, 0xf0, 0xfe, 0x41,
0x1c, 0x26, 0x7e, 0x43, 0x84, 0xb0, 0xf6, 0x00 },
@ -820,9 +821,10 @@ static const unsigned char ct_test_data[MAX_TESTS * 3][64] =
0x2d, 0xa3, 0xeb, 0xf1, 0xc5, 0xd8, 0x2c, 0xde,
0xa2, 0x41, 0x89, 0x97, 0x20, 0x0e, 0xf8, 0x2e,
0x44, 0xae, 0x7e, 0x3f },
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
};
static const unsigned char tag_test_data[MAX_TESTS * 3][16] =
static const unsigned char tag_test_data[][16] =
{
{ 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61,
0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a },
@ -836,6 +838,7 @@ static const unsigned char tag_test_data[MAX_TESTS * 3][16] =
0x56, 0x1b, 0xe1, 0x4a, 0xac, 0xa2, 0xfc, 0xcb },
{ 0x61, 0x9c, 0xc5, 0xae, 0xff, 0xfe, 0x0b, 0xfa,
0x46, 0x2a, 0xf4, 0x3c, 0x16, 0x99, 0xd0, 0x50 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0xcd, 0x33, 0xb2, 0x8a, 0xc7, 0x73, 0xf7, 0x4b,
0xa0, 0x0e, 0xd1, 0xf3, 0x12, 0x57, 0x24, 0x35 },
{ 0x2f, 0xf5, 0x8d, 0x80, 0x03, 0x39, 0x27, 0xab,
@ -860,6 +863,7 @@ static const unsigned char tag_test_data[MAX_TESTS * 3][16] =
0x5e, 0x45, 0x49, 0x13, 0xfe, 0x2e, 0xa8, 0xf2 },
{ 0xa4, 0x4a, 0x82, 0x66, 0xee, 0x1c, 0x8e, 0xb0,
0xc8, 0xb5, 0xd4, 0xcf, 0x5a, 0xe9, 0xf1, 0x9a },
#endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
};
int mbedtls_gcm_self_test(int verbose)
@ -884,17 +888,20 @@ int mbedtls_gcm_self_test(int verbose)
#endif /* MBEDTLS_GCM_ALT */
}
for (j = 0; j < 3; j++) {
static const int loop_limit =
(sizeof(ct_test_data) / sizeof(*ct_test_data)) / MAX_TESTS;
for (j = 0; j < loop_limit; j++) {
int key_len = 128 + 64 * j;
for (i = 0; i < MAX_TESTS; i++) {
mbedtls_gcm_init(&ctx);
if (verbose != 0) {
mbedtls_printf(" AES-GCM-%3d #%d (%s): ",
key_len, i, "enc");
}
mbedtls_gcm_init(&ctx);
ret = mbedtls_gcm_setkey(&ctx, cipher,
key_test_data[key_index_test_data[i]],
key_len);

122
library/hash_info.c
View file

@ -1,122 +0,0 @@
/*
* Hash information that's independent from the crypto implementation.
*
* (See the corresponding header file for usage notes.)
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "hash_info.h"
#include "mbedtls/error.h"
typedef struct {
psa_algorithm_t psa_alg;
mbedtls_md_type_t md_type;
unsigned char size;
unsigned char block_size;
} hash_entry;
static const hash_entry hash_table[] = {
#if defined(MBEDTLS_MD_CAN_MD5)
{ PSA_ALG_MD5, MBEDTLS_MD_MD5, 16, 64 },
#endif
#if defined(MBEDTLS_MD_CAN_RIPEMD160)
{ PSA_ALG_RIPEMD160, MBEDTLS_MD_RIPEMD160, 20, 64 },
#endif
#if defined(MBEDTLS_MD_CAN_SHA1)
{ PSA_ALG_SHA_1, MBEDTLS_MD_SHA1, 20, 64 },
#endif
#if defined(MBEDTLS_MD_CAN_SHA224)
{ PSA_ALG_SHA_224, MBEDTLS_MD_SHA224, 28, 64 },
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
{ PSA_ALG_SHA_256, MBEDTLS_MD_SHA256, 32, 64 },
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
{ PSA_ALG_SHA_384, MBEDTLS_MD_SHA384, 48, 128 },
#endif
#if defined(MBEDTLS_MD_CAN_SHA512)
{ PSA_ALG_SHA_512, MBEDTLS_MD_SHA512, 64, 128 },
#endif
{ PSA_ALG_NONE, MBEDTLS_MD_NONE, 0, 0 },
};
/* Get size from MD type */
unsigned char mbedtls_hash_info_get_size(mbedtls_md_type_t md_type)
{
const hash_entry *entry = hash_table;
while (entry->md_type != MBEDTLS_MD_NONE &&
entry->md_type != md_type) {
entry++;
}
return entry->size;
}
/* Get block size from MD type */
unsigned char mbedtls_hash_info_get_block_size(mbedtls_md_type_t md_type)
{
const hash_entry *entry = hash_table;
while (entry->md_type != MBEDTLS_MD_NONE &&
entry->md_type != md_type) {
entry++;
}
return entry->block_size;
}
/* Get PSA from MD */
psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type)
{
const hash_entry *entry = hash_table;
while (entry->md_type != MBEDTLS_MD_NONE &&
entry->md_type != md_type) {
entry++;
}
return entry->psa_alg;
}
/* Get MD from PSA */
mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg)
{
const hash_entry *entry = hash_table;
while (entry->md_type != MBEDTLS_MD_NONE &&
entry->psa_alg != psa_alg) {
entry++;
}
return entry->md_type;
}
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int mbedtls_md_error_from_psa(psa_status_t status)
{
switch (status) {
case PSA_SUCCESS:
return 0;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
case PSA_ERROR_INVALID_ARGUMENT:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_MD_ALLOC_FAILED;
default:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */

101
library/hash_info.h
View file

@ -1,101 +0,0 @@
/**
* Hash information that's independent from the crypto implementation.
*
* This can be used by:
* - code based on PSA
* - code based on the legacy API
* - code based on either of them depending on MBEDTLS_USE_PSA_CRYPTO
* - code based on either of them depending on what's available
*
* Note: this internal module will go away when everything becomes based on
* PSA Crypto; it is a helper for the transition while hash algorithms are
* still represented using mbedtls_md_type_t in most places even when PSA is
* used for the actual crypto computations.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef MBEDTLS_HASH_INFO_H
#define MBEDTLS_HASH_INFO_H
#include "common.h"
#include "mbedtls/md.h"
#include "psa/crypto.h"
#include "mbedtls/platform_util.h"
/** \def MBEDTLS_HASH_MAX_SIZE
*
* Maximum size of a hash based on configuration.
*/
#if defined(MBEDTLS_MD_C) && ( \
!defined(MBEDTLS_PSA_CRYPTO_C) || \
MBEDTLS_MD_MAX_SIZE >= PSA_HASH_MAX_SIZE)
#define MBEDTLS_HASH_MAX_SIZE MBEDTLS_MD_MAX_SIZE
#elif defined(MBEDTLS_PSA_CRYPTO_C) && ( \
!defined(MBEDTLS_MD_C) || \
PSA_HASH_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE)
#define MBEDTLS_HASH_MAX_SIZE PSA_HASH_MAX_SIZE
#endif
/** Get the output length of the given hash type from its MD type.
*
* \note To get the output length from the PSA alg, use \c PSA_HASH_LENGTH().
*
* \param md_type The hash MD type.
*
* \return The output length in bytes, or 0 if not known.
*/
unsigned char mbedtls_hash_info_get_size(mbedtls_md_type_t md_type);
/** Get the block size of the given hash type from its MD type.
*
* \note To get the output length from the PSA alg, use
* \c PSA_HASH_BLOCK_LENGTH().
*
* \param md_type The hash MD type.
*
* \return The block size in bytes, or 0 if not known.
*/
unsigned char mbedtls_hash_info_get_block_size(mbedtls_md_type_t md_type);
/** Get the PSA alg from the MD type.
*
* \param md_type The hash MD type.
*
* \return The corresponding PSA algorithm identifier,
* or PSA_ALG_NONE if not known.
*/
psa_algorithm_t mbedtls_hash_info_psa_from_md(mbedtls_md_type_t md_type);
/** Get the MD type alg from the PSA algorithm identifier.
*
* \param psa_alg The PSA hash algorithm.
*
* \return The corresponding MD type,
* or MBEDTLS_MD_NONE if not known.
*/
mbedtls_md_type_t mbedtls_hash_info_md_from_psa(psa_algorithm_t psa_alg);
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/** Convert PSA status to MD error code.
*
* \param status PSA status.
*
* \return The corresponding MD error code,
*/
int MBEDTLS_DEPRECATED mbedtls_md_error_from_psa(psa_status_t status);
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_HASH_INFO_H */

14
library/lmots.c
View file

@ -41,13 +41,19 @@
#include "mbedtls/lms.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_lms_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_lms_errors,
ARRAY_LENGTH(psa_to_lms_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define PUBLIC_KEY_TYPE_OFFSET (0)
#define PUBLIC_KEY_I_KEY_ID_OFFSET (PUBLIC_KEY_TYPE_OFFSET + \

14
library/lms.c
View file

@ -39,16 +39,22 @@
#include "lmots.h"
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "mbedtls/lms.h"
#include "mbedtls/error.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_lms_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_lms_errors,
ARRAY_LENGTH(psa_to_lms_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define SIG_Q_LEAF_ID_OFFSET (0)
#define SIG_OTS_SIG_OFFSET (SIG_Q_LEAF_ID_OFFSET + \

267
library/md.c
View file

@ -51,9 +51,15 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
#include "mbedtls/sha3.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include <psa/crypto.h>
#include "md_psa.h"
#include "psa_util_internal.h"
#endif
#if defined(MBEDTLS_MD_SOME_PSA)
#include <psa/crypto.h>
#include "psa_crypto_core.h"
#endif
@ -65,6 +71,11 @@
#include <stdio.h>
#endif
/* See comment above MBEDTLS_MD_MAX_SIZE in md.h */
#if defined(MBEDTLS_PSA_CRYPTO_C) && MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE
#error "Internal error: MBEDTLS_MD_MAX_SIZE < PSA_HASH_MAX_SIZE"
#endif
#if defined(MBEDTLS_MD_CAN_MD5)
const mbedtls_md_info_t mbedtls_md5_info = {
"MD5",
@ -128,6 +139,42 @@ const mbedtls_md_info_t mbedtls_sha512_info = {
};
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_224)
const mbedtls_md_info_t mbedtls_sha3_224_info = {
"SHA3-224",
MBEDTLS_MD_SHA3_224,
28,
144,
};
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_256)
const mbedtls_md_info_t mbedtls_sha3_256_info = {
"SHA3-256",
MBEDTLS_MD_SHA3_256,
32,
136,
};
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_384)
const mbedtls_md_info_t mbedtls_sha3_384_info = {
"SHA3-384",
MBEDTLS_MD_SHA3_384,
48,
104,
};
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_512)
const mbedtls_md_info_t mbedtls_sha3_512_info = {
"SHA3-512",
MBEDTLS_MD_SHA3_512,
64,
72,
};
#endif
const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
{
switch (md_type) {
@ -158,6 +205,22 @@ const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
#if defined(MBEDTLS_MD_CAN_SHA512)
case MBEDTLS_MD_SHA512:
return &mbedtls_sha512_info;
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_224)
case MBEDTLS_MD_SHA3_224:
return &mbedtls_sha3_224_info;
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_256)
case MBEDTLS_MD_SHA3_256:
return &mbedtls_sha3_256_info;
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_384)
case MBEDTLS_MD_SHA3_384:
return &mbedtls_sha3_384_info;
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_512)
case MBEDTLS_MD_SHA3_512:
return &mbedtls_sha3_512_info;
#endif
default:
return NULL;
@ -210,20 +273,6 @@ static int md_can_use_psa(const mbedtls_md_info_t *info)
return psa_can_do_hash(alg);
}
static int mbedtls_md_error_from_psa(psa_status_t status)
{
switch (status) {
case PSA_SUCCESS:
return 0;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_MD_ALLOC_FAILED;
default:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
}
#endif /* MBEDTLS_MD_SOME_PSA */
void mbedtls_md_init(mbedtls_md_context_t *ctx)
@ -279,6 +328,14 @@ void mbedtls_md_free(mbedtls_md_context_t *ctx)
case MBEDTLS_MD_SHA512:
mbedtls_sha512_free(ctx->md_ctx);
break;
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
case MBEDTLS_MD_SHA3_256:
case MBEDTLS_MD_SHA3_384:
case MBEDTLS_MD_SHA3_512:
mbedtls_sha3_free(ctx->md_ctx);
break;
#endif
default:
/* Shouldn't happen */
@ -357,6 +414,14 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
case MBEDTLS_MD_SHA512:
mbedtls_sha512_clone(dst->md_ctx, src->md_ctx);
break;
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
case MBEDTLS_MD_SHA3_256:
case MBEDTLS_MD_SHA3_384:
case MBEDTLS_MD_SHA3_512:
mbedtls_sha3_clone(dst->md_ctx, src->md_ctx);
break;
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -376,7 +441,12 @@ int mbedtls_md_clone(mbedtls_md_context_t *dst,
int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
{
if (md_info == NULL || ctx == NULL) {
#if defined(MBEDTLS_MD_C)
if (ctx == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
#endif
if (md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
@ -434,6 +504,14 @@ int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info
case MBEDTLS_MD_SHA512:
ALLOC(sha512);
break;
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
case MBEDTLS_MD_SHA3_256:
case MBEDTLS_MD_SHA3_384:
case MBEDTLS_MD_SHA3_512:
ALLOC(sha3);
break;
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -455,9 +533,11 @@ int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info
int mbedtls_md_starts(mbedtls_md_context_t *ctx)
{
#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@ -496,6 +576,16 @@ int mbedtls_md_starts(mbedtls_md_context_t *ctx)
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA512:
return mbedtls_sha512_starts(ctx->md_ctx, 0);
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_224);
case MBEDTLS_MD_SHA3_256:
return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_256);
case MBEDTLS_MD_SHA3_384:
return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_384);
case MBEDTLS_MD_SHA3_512:
return mbedtls_sha3_starts(ctx->md_ctx, MBEDTLS_SHA3_512);
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -504,9 +594,11 @@ int mbedtls_md_starts(mbedtls_md_context_t *ctx)
int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
{
#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@ -543,6 +635,13 @@ int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, siz
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA512:
return mbedtls_sha512_update(ctx->md_ctx, input, ilen);
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
case MBEDTLS_MD_SHA3_256:
case MBEDTLS_MD_SHA3_384:
case MBEDTLS_MD_SHA3_512:
return mbedtls_sha3_update(ctx->md_ctx, input, ilen);
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -551,9 +650,11 @@ int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, siz
int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
{
#if defined(MBEDTLS_MD_C)
if (ctx == NULL || ctx->md_info == NULL) {
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
}
#endif
#if defined(MBEDTLS_MD_SOME_PSA)
if (ctx->engine == MBEDTLS_MD_ENGINE_PSA) {
@ -592,6 +693,13 @@ int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA512:
return mbedtls_sha512_finish(ctx->md_ctx, output);
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
case MBEDTLS_MD_SHA3_256:
case MBEDTLS_MD_SHA3_384:
case MBEDTLS_MD_SHA3_512:
return mbedtls_sha3_finish(ctx->md_ctx, output, ctx->md_info->size);
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -643,6 +751,16 @@ int mbedtls_md(const mbedtls_md_info_t *md_info, const unsigned char *input, siz
#if defined(MBEDTLS_SHA512_C)
case MBEDTLS_MD_SHA512:
return mbedtls_sha512(input, ilen, output, 0);
#endif
#if defined(MBEDTLS_SHA3_C)
case MBEDTLS_MD_SHA3_224:
return mbedtls_sha3(MBEDTLS_SHA3_224, input, ilen, output, md_info->size);
case MBEDTLS_MD_SHA3_256:
return mbedtls_sha3(MBEDTLS_SHA3_256, input, ilen, output, md_info->size);
case MBEDTLS_MD_SHA3_384:
return mbedtls_sha3(MBEDTLS_SHA3_384, input, ilen, output, md_info->size);
case MBEDTLS_MD_SHA3_512:
return mbedtls_sha3(MBEDTLS_SHA3_512, input, ilen, output, md_info->size);
#endif
default:
return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
@ -667,6 +785,87 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
return md_info->type;
}
#if defined(MBEDTLS_PSA_CRYPTO_C)
psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type)
{
switch (md_type) {
#if defined(MBEDTLS_MD_CAN_MD5)
case MBEDTLS_MD_MD5:
return PSA_ALG_MD5;
#endif
#if defined(MBEDTLS_MD_CAN_RIPEMD160)
case MBEDTLS_MD_RIPEMD160:
return PSA_ALG_RIPEMD160;
#endif
#if defined(MBEDTLS_MD_CAN_SHA1)
case MBEDTLS_MD_SHA1:
return PSA_ALG_SHA_1;
#endif
#if defined(MBEDTLS_MD_CAN_SHA224)
case MBEDTLS_MD_SHA224:
return PSA_ALG_SHA_224;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
case MBEDTLS_MD_SHA256:
return PSA_ALG_SHA_256;
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
case MBEDTLS_MD_SHA384:
return PSA_ALG_SHA_384;
#endif
#if defined(MBEDTLS_MD_CAN_SHA512)
case MBEDTLS_MD_SHA512:
return PSA_ALG_SHA_512;
#endif
default:
return PSA_ALG_NONE;
}
}
mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg)
{
switch (psa_alg) {
#if defined(MBEDTLS_MD_CAN_MD5)
case PSA_ALG_MD5:
return MBEDTLS_MD_MD5;
#endif
#if defined(MBEDTLS_MD_CAN_RIPEMD160)
case PSA_ALG_RIPEMD160:
return MBEDTLS_MD_RIPEMD160;
#endif
#if defined(MBEDTLS_MD_CAN_SHA1)
case PSA_ALG_SHA_1:
return MBEDTLS_MD_SHA1;
#endif
#if defined(MBEDTLS_MD_CAN_SHA224)
case PSA_ALG_SHA_224:
return MBEDTLS_MD_SHA224;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
case PSA_ALG_SHA_256:
return MBEDTLS_MD_SHA256;
#endif
#if defined(MBEDTLS_MD_CAN_SHA384)
case PSA_ALG_SHA_384:
return MBEDTLS_MD_SHA384;
#endif
#if defined(MBEDTLS_MD_CAN_SHA512)
case PSA_ALG_SHA_512:
return MBEDTLS_MD_SHA512;
#endif
default:
return MBEDTLS_MD_NONE;
}
}
int mbedtls_md_error_from_psa(psa_status_t status)
{
return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
psa_generic_status_to_mbedtls);
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
/************************************************************************
* Functions above this separator are part of MBEDTLS_MD_LIGHT, *
* functions below are only available when MBEDTLS_MD_C is set. *
@ -705,6 +904,22 @@ static const int supported_digests[] = {
MBEDTLS_MD_MD5,
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_224)
MBEDTLS_MD_SHA3_224,
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_256)
MBEDTLS_MD_SHA3_256,
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_384)
MBEDTLS_MD_SHA3_384,
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_512)
MBEDTLS_MD_SHA3_512,
#endif
MBEDTLS_MD_NONE
};
@ -754,6 +969,26 @@ const mbedtls_md_info_t *mbedtls_md_info_from_string(const char *md_name)
if (!strcmp("SHA512", md_name)) {
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
}
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_224)
if (!strcmp("SHA3-224", md_name)) {
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA3_224);
}
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_256)
if (!strcmp("SHA3-256", md_name)) {
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA3_256);
}
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_384)
if (!strcmp("SHA3-384", md_name)) {
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA3_384);
}
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_512)
if (!strcmp("SHA3-512", md_name)) {
return mbedtls_md_info_from_type(MBEDTLS_MD_SHA3_512);
}
#endif
return NULL;
}

60
library/md_psa.h Normal file
View file

@ -0,0 +1,60 @@
/**
* Translation between MD and PSA identifiers (algorithms, errors).
*
* Note: this internal module will go away when everything becomes based on
* PSA Crypto; it is a helper for the transition period.
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef MBEDTLS_MD_PSA_H
#define MBEDTLS_MD_PSA_H
#include "common.h"
#include "mbedtls/md.h"
#include "psa/crypto.h"
/**
* \brief This function returns the PSA algorithm identifier
* associated with the given digest type.
*
* \param md_type The type of digest to search for.
*
* \return The PSA algorithm identifier associated with \p md_type.
* \return PSA_ALG_NONE if the algorithm is not supported.
*/
psa_algorithm_t mbedtls_md_psa_alg_from_type(mbedtls_md_type_t md_type);
/**
* \brief This function returns the given digest type
* associated with the PSA algorithm identifier.
*
* \param psa_alg The PSA algorithm identifier to search for.
*
* \return The MD type associated with \p psa_alg.
* \return MBEDTLS_MD_NONE if the algorithm is not supported.
*/
mbedtls_md_type_t mbedtls_md_type_from_psa_alg(psa_algorithm_t psa_alg);
/** Convert PSA status to MD error code.
*
* \param status PSA status.
*
* \return The corresponding MD error code,
*/
int mbedtls_md_error_from_psa(psa_status_t status);
#endif /* MBEDTLS_MD_PSA_H */

6
library/md_wrap.h
View file

@ -73,6 +73,12 @@ extern const mbedtls_md_info_t mbedtls_sha384_info;
#if defined(MBEDTLS_SHA512_C)
extern const mbedtls_md_info_t mbedtls_sha512_info;
#endif
#if defined(MBEDTLS_SHA3_C)
extern const mbedtls_md_info_t mbedtls_sha3_224_info;
extern const mbedtls_md_info_t mbedtls_sha3_256_info;
extern const mbedtls_md_info_t mbedtls_sha3_384_info;
extern const mbedtls_md_info_t mbedtls_sha3_512_info;
#endif
#ifdef __cplusplus
}

4
library/mps_common.h
View file

@ -169,7 +169,7 @@
*
*/
typedef size_t mbedtls_mps_stored_size_t;
#define MBEDTLS_MPS_STORED_SIZE_MAX ((mbedtls_mps_stored_size_t) -1)
#define MBEDTLS_MPS_STORED_SIZE_MAX (SIZE_MAX)
/** \brief The type of buffer sizes and offsets used in the MPS API
* and implementation.
@ -183,7 +183,7 @@ typedef size_t mbedtls_mps_stored_size_t;
* so almost 10%.
*/
typedef size_t mbedtls_mps_size_t;
#define MBEDTLS_MPS_SIZE_MAX ((mbedtls_mps_size_t) -1)
#define MBEDTLS_MPS_SIZE_MAX (SIZE_MAX)
#if MBEDTLS_MPS_STORED_SIZE_MAX > MBEDTLS_MPS_SIZE_MAX
#error "Misconfiguration of mbedtls_mps_size_t and mbedtls_mps_stored_size_t."

12
library/net_sockets.c
View file

@ -49,11 +49,6 @@
#define IS_EINTR(ret) ((ret) == WSAEINTR)
#if !defined(_WIN32_WINNT)
/* Enables getaddrinfo() & Co */
#define _WIN32_WINNT 0x0501
#endif
#include <ws2tcpip.h>
#include <winsock2.h>
@ -90,6 +85,7 @@ static int wsa_init_done = 0;
#include <errno.h>
#define IS_EINTR(ret) ((ret) == EINTR)
#define SOCKET int
#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
@ -494,13 +490,13 @@ int mbedtls_net_poll(mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout)
FD_ZERO(&read_fds);
if (rw & MBEDTLS_NET_POLL_READ) {
rw &= ~MBEDTLS_NET_POLL_READ;
FD_SET(fd, &read_fds);
FD_SET((SOCKET) fd, &read_fds);
}
FD_ZERO(&write_fds);
if (rw & MBEDTLS_NET_POLL_WRITE) {
rw &= ~MBEDTLS_NET_POLL_WRITE;
FD_SET(fd, &write_fds);
FD_SET((SOCKET) fd, &write_fds);
}
if (rw != 0) {
@ -608,7 +604,7 @@ int mbedtls_net_recv_timeout(void *ctx, unsigned char *buf,
}
FD_ZERO(&read_fds);
FD_SET(fd, &read_fds);
FD_SET((SOCKET) fd, &read_fds);
tv.tv_sec = timeout / 1000;
tv.tv_usec = (timeout % 1000) * 1000;

236
library/nist_kw.c
View file

@ -75,7 +75,7 @@ int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
if (cipher_info->block_size != 16) {
if (mbedtls_cipher_info_get_block_size(cipher_info) != 16) {
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
}
@ -465,17 +465,22 @@ cleanup:
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
#define KW_TESTS 3
/*
* Test vectors taken from NIST
* https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/CAVP-TESTING-BLOCK-CIPHER-MODES#KW
*/
static const unsigned int key_len[KW_TESTS] = { 16, 24, 32 };
static const unsigned int key_len[] = {
16,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
24,
32
#endif
};
static const unsigned char kw_key[KW_TESTS][32] = {
static const unsigned char kw_key[][32] = {
{ 0x75, 0x75, 0xda, 0x3a, 0x93, 0x60, 0x7c, 0xc2,
0xbf, 0xd8, 0xce, 0xc7, 0xaa, 0xdf, 0xd9, 0xa6 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x2d, 0x85, 0x26, 0x08, 0x1d, 0x02, 0xfb, 0x5b,
0x85, 0xf6, 0x9a, 0xc2, 0x86, 0xec, 0xd5, 0x7d,
0x40, 0xdf, 0x5d, 0xf3, 0x49, 0x47, 0x44, 0xd3 },
@ -483,11 +488,13 @@ static const unsigned char kw_key[KW_TESTS][32] = {
0x4a, 0x98, 0x48, 0xd3, 0x0f, 0xdd, 0x78, 0x33,
0x5b, 0x03, 0x9a, 0x48, 0xa8, 0x96, 0x2c, 0x4d,
0x1c, 0xb7, 0x8e, 0xab, 0xd5, 0xda, 0xd7, 0x88 }
#endif
};
static const unsigned char kw_msg[KW_TESTS][40] = {
static const unsigned char kw_msg[][40] = {
{ 0x42, 0x13, 0x6d, 0x3c, 0x38, 0x4a, 0x3e, 0xea,
0xc9, 0x5a, 0x06, 0x6f, 0xd2, 0x8f, 0xed, 0x3f },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x95, 0xc1, 0x1b, 0xf5, 0x35, 0x3a, 0xfe, 0xdb,
0x98, 0xfd, 0xd6, 0xc8, 0xca, 0x6f, 0xdb, 0x6d,
0xa5, 0x4b, 0x74, 0xb4, 0x99, 0x0f, 0xdc, 0x45,
@ -496,14 +503,28 @@ static const unsigned char kw_msg[KW_TESTS][40] = {
{ 0x1b, 0x20, 0xbf, 0x19, 0x90, 0xb0, 0x65, 0xd7,
0x98, 0xe1, 0xb3, 0x22, 0x64, 0xad, 0x50, 0xa8,
0x74, 0x74, 0x92, 0xba, 0x09, 0xa0, 0x4d, 0xd1 }
#endif
};
static const size_t kw_msg_len[KW_TESTS] = { 16, 40, 24 };
static const size_t kw_out_len[KW_TESTS] = { 24, 48, 32 };
static const unsigned char kw_res[KW_TESTS][48] = {
static const size_t kw_msg_len[] = {
16,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
40,
24
#endif
};
static const size_t kw_out_len[] = {
24,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
48,
32
#endif
};
static const unsigned char kw_res[][48] = {
{ 0x03, 0x1f, 0x6b, 0xd7, 0xe6, 0x1e, 0x64, 0x3d,
0xf6, 0x85, 0x94, 0x81, 0x6f, 0x64, 0xca, 0xa3,
0xf5, 0x6f, 0xab, 0xea, 0x25, 0x48, 0xf5, 0xfb },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x44, 0x3c, 0x6f, 0x15, 0x09, 0x83, 0x71, 0x91,
0x3e, 0x5c, 0x81, 0x4c, 0xa1, 0xa0, 0x42, 0xec,
0x68, 0x2f, 0x7b, 0x13, 0x6d, 0x24, 0x3a, 0x4d,
@ -514,11 +535,13 @@ static const unsigned char kw_res[KW_TESTS][48] = {
0xd5, 0xd5, 0x40, 0xec, 0x25, 0xd4, 0x3d, 0x87,
0x20, 0x0f, 0xda, 0xdc, 0x6d, 0x1f, 0x05, 0xd9,
0x16, 0x58, 0x4f, 0xa9, 0xf6, 0xcb, 0xf5, 0x12 }
#endif
};
static const unsigned char kwp_key[KW_TESTS][32] = {
static const unsigned char kwp_key[][32] = {
{ 0x78, 0x65, 0xe2, 0x0f, 0x3c, 0x21, 0x65, 0x9a,
0xb4, 0x69, 0x0b, 0x62, 0x9c, 0xdf, 0x3c, 0xc4 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0xf5, 0xf8, 0x96, 0xa3, 0xbd, 0x2f, 0x4a, 0x98,
0x23, 0xef, 0x16, 0x2b, 0x00, 0xb8, 0x05, 0xd7,
0xde, 0x1e, 0xa4, 0x66, 0x26, 0x96, 0xa2, 0x58 },
@ -526,23 +549,33 @@ static const unsigned char kwp_key[KW_TESTS][32] = {
0x25, 0x54, 0xee, 0x2a, 0x8d, 0xf1, 0x38, 0x6f,
0x5b, 0x94, 0xa1, 0xa6, 0x0e, 0xd8, 0xa4, 0xae,
0xf6, 0x0a, 0x8d, 0x61, 0xab, 0x5f, 0x22, 0x5a }
#endif
};
static const unsigned char kwp_msg[KW_TESTS][31] = {
static const unsigned char kwp_msg[][31] = {
{ 0xbd, 0x68, 0x43, 0xd4, 0x20, 0x37, 0x8d, 0xc8,
0x96 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x6c, 0xcd, 0xd5, 0x85, 0x18, 0x40, 0x97, 0xeb,
0xd5, 0xc3, 0xaf, 0x3e, 0x47, 0xd0, 0x2c, 0x19,
0x14, 0x7b, 0x4d, 0x99, 0x5f, 0x96, 0x43, 0x66,
0x91, 0x56, 0x75, 0x8c, 0x13, 0x16, 0x8f },
{ 0xd1 }
#endif
};
static const size_t kwp_msg_len[] = {
9,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
31,
1
#endif
};
static const size_t kwp_msg_len[KW_TESTS] = { 9, 31, 1 };
static const unsigned char kwp_res[KW_TESTS][48] = {
static const unsigned char kwp_res[][48] = {
{ 0x41, 0xec, 0xa9, 0x56, 0xd4, 0xaa, 0x04, 0x7e,
0xb5, 0xcf, 0x4e, 0xfe, 0x65, 0x96, 0x61, 0xe7,
0x4d, 0xb6, 0xf8, 0xc5, 0x64, 0xe2, 0x35, 0x00 },
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
{ 0x4e, 0x9b, 0xc2, 0xbc, 0xbc, 0x6c, 0x1e, 0x13,
0xd3, 0x35, 0xbc, 0xc0, 0xf7, 0x73, 0x6a, 0x88,
0xfa, 0x87, 0x53, 0x66, 0x15, 0xbb, 0x8e, 0x63,
@ -550,8 +583,15 @@ static const unsigned char kwp_res[KW_TESTS][48] = {
0x67, 0xcf, 0xa9, 0x8a, 0x9d, 0x0e, 0x33, 0x26 },
{ 0x06, 0xba, 0x7a, 0xe6, 0xf3, 0x24, 0x8c, 0xfd,
0xcf, 0x26, 0x75, 0x07, 0xfa, 0x00, 0x1b, 0xc4 }
#endif
};
static const size_t kwp_out_len[] = {
24,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
40,
16
#endif
};
static const size_t kwp_out_len[KW_TESTS] = { 24, 40, 16 };
int mbedtls_nist_kw_self_test(int verbose)
{
@ -562,114 +602,128 @@ int mbedtls_nist_kw_self_test(int verbose)
int ret = 0;
mbedtls_nist_kw_init(&ctx);
for (i = 0; i < KW_TESTS; i++) {
if (verbose != 0) {
mbedtls_printf(" KW-AES-%u ", (unsigned int) key_len[i] * 8);
}
/*
* KW mode
*/
{
static const int num_tests = sizeof(kw_key) / sizeof(*kw_key);
ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kw_key[i], key_len[i] * 8, 1);
if (ret != 0) {
for (i = 0; i < num_tests; i++) {
if (verbose != 0) {
mbedtls_printf(" KW: setup failed ");
mbedtls_printf(" KW-AES-%u ", (unsigned int) key_len[i] * 8);
}
goto end;
}
ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kw_key[i], key_len[i] * 8, 1);
if (ret != 0) {
if (verbose != 0) {
mbedtls_printf(" KW: setup failed ");
}
ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
kw_msg_len[i], out, &olen, sizeof(out));
if (ret != 0 || kw_out_len[i] != olen ||
memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
goto end;
}
ret = 1;
goto end;
}
ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
kw_msg_len[i], out, &olen, sizeof(out));
if (ret != 0 || kw_out_len[i] != olen ||
memcmp(out, kw_res[i], kw_out_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
}
if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kw_key[i], key_len[i] * 8, 0))
!= 0) {
if (verbose != 0) {
mbedtls_printf(" KW: setup failed ");
ret = 1;
goto end;
}
goto end;
}
if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kw_key[i], key_len[i] * 8, 0))
!= 0) {
if (verbose != 0) {
mbedtls_printf(" KW: setup failed ");
}
ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
out, olen, out, &olen, sizeof(out));
if (ret != 0 || olen != kw_msg_len[i] ||
memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed\n");
goto end;
}
ret = 1;
goto end;
}
ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KW,
out, olen, out, &olen, sizeof(out));
if (verbose != 0) {
mbedtls_printf(" passed\n");
if (ret != 0 || olen != kw_msg_len[i] ||
memcmp(out, kw_msg[i], kw_msg_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed\n");
}
ret = 1;
goto end;
}
if (verbose != 0) {
mbedtls_printf(" passed\n");
}
}
}
for (i = 0; i < KW_TESTS; i++) {
olen = sizeof(out);
if (verbose != 0) {
mbedtls_printf(" KWP-AES-%u ", (unsigned int) key_len[i] * 8);
}
/*
* KWP mode
*/
{
static const int num_tests = sizeof(kwp_key) / sizeof(*kwp_key);
ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
key_len[i] * 8, 1);
if (ret != 0) {
for (i = 0; i < num_tests; i++) {
olen = sizeof(out);
if (verbose != 0) {
mbedtls_printf(" KWP: setup failed ");
mbedtls_printf(" KWP-AES-%u ", (unsigned int) key_len[i] * 8);
}
goto end;
}
ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
kwp_msg_len[i], out, &olen, sizeof(out));
ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES, kwp_key[i],
key_len[i] * 8, 1);
if (ret != 0) {
if (verbose != 0) {
mbedtls_printf(" KWP: setup failed ");
}
if (ret != 0 || kwp_out_len[i] != olen ||
memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
goto end;
}
ret = mbedtls_nist_kw_wrap(&ctx, MBEDTLS_KW_MODE_KWP, kwp_msg[i],
kwp_msg_len[i], out, &olen, sizeof(out));
if (ret != 0 || kwp_out_len[i] != olen ||
memcmp(out, kwp_res[i], kwp_out_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
}
ret = 1;
goto end;
}
ret = 1;
goto end;
}
if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kwp_key[i], key_len[i] * 8, 0))
!= 0) {
if (verbose != 0) {
mbedtls_printf(" KWP: setup failed ");
}
if ((ret = mbedtls_nist_kw_setkey(&ctx, MBEDTLS_CIPHER_ID_AES,
kwp_key[i], key_len[i] * 8, 0))
!= 0) {
if (verbose != 0) {
mbedtls_printf(" KWP: setup failed ");
goto end;
}
goto end;
}
ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
olen, out, &olen, sizeof(out));
ret = mbedtls_nist_kw_unwrap(&ctx, MBEDTLS_KW_MODE_KWP, out,
olen, out, &olen, sizeof(out));
if (ret != 0 || olen != kwp_msg_len[i] ||
memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
}
if (ret != 0 || olen != kwp_msg_len[i] ||
memcmp(out, kwp_msg[i], kwp_msg_len[i]) != 0) {
if (verbose != 0) {
mbedtls_printf("failed. ");
ret = 1;
goto end;
}
ret = 1;
goto end;
}
if (verbose != 0) {
mbedtls_printf(" passed\n");
if (verbose != 0) {
mbedtls_printf(" passed\n");
}
}
}
end:

192
library/oid.c
View file

@ -318,6 +318,18 @@ static const oid_x509_ext_t oid_x509_ext[] =
"Certificate Policies"),
MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
},
{
OID_DESCRIPTOR(MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
"id-ce-subjectKeyIdentifier",
"Subject Key Identifier"),
MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER,
},
{
OID_DESCRIPTOR(MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
"id-ce-authorityKeyIdentifier",
"Authority Key Identifier"),
MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER,
},
{
NULL_OID_DESCRIPTOR,
0,
@ -531,7 +543,7 @@ FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg,
mbedtls_pk_type_t,
pk_alg)
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/*
* For elliptic curves that use namedCurve inside ECParams (RFC 5480)
*/
@ -662,7 +674,7 @@ FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp_algid,
oid_ecp_grp_algid,
mbedtls_ecp_group_id,
grp_id)
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_CIPHER_C)
/*
@ -921,4 +933,180 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size,
return (int) (size - n);
}
static int oid_parse_number(unsigned int *num, const char **p, const char *bound)
{
int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
*num = 0;
while (*p < bound && **p >= '0' && **p <= '9') {
ret = 0;
if (*num > (UINT_MAX / 10)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
*num *= 10;
*num += **p - '0';
(*p)++;
}
return ret;
}
static size_t oid_subidentifier_num_bytes(unsigned int value)
{
size_t num_bytes = 0;
do {
value >>= 7;
num_bytes++;
} while (value != 0);
return num_bytes;
}
static int oid_subidentifier_encode_into(unsigned char **p,
unsigned char *bound,
unsigned int value)
{
size_t num_bytes = oid_subidentifier_num_bytes(value);
if ((size_t) (bound - *p) < num_bytes) {
return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
}
(*p)[num_bytes - 1] = (unsigned char) (value & 0x7f);
value >>= 7;
for (size_t i = 2; i <= num_bytes; i++) {
(*p)[num_bytes - i] = 0x80 | (unsigned char) (value & 0x7f);
value >>= 7;
}
*p += num_bytes;
return 0;
}
/* Return the OID for the given x.y.z.... style numeric string */
int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid,
const char *oid_str, size_t size)
{
int ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
const char *str_ptr = oid_str;
const char *str_bound = oid_str + size;
unsigned int val = 0;
unsigned int component1, component2;
size_t encoded_len;
unsigned char *resized_mem;
/* Count the number of dots to get a worst-case allocation size. */
size_t num_dots = 0;
for (size_t i = 0; i < size; i++) {
if (oid_str[i] == '.') {
num_dots++;
}
}
/* Allocate maximum possible required memory:
* There are (num_dots + 1) integer components, but the first 2 share the
* same subidentifier, so we only need num_dots subidentifiers maximum. */
if (num_dots == 0 || (num_dots > MBEDTLS_OID_MAX_COMPONENTS - 1)) {
return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
/* Each byte can store 7 bits, calculate number of bytes for a
* subidentifier:
*
* bytes = ceil(subidentifer_size * 8 / 7)
*/
size_t bytes_per_subidentifier = (((sizeof(unsigned int) * 8) - 1) / 7)
+ 1;
size_t max_possible_bytes = num_dots * bytes_per_subidentifier;
oid->p = mbedtls_calloc(max_possible_bytes, 1);
if (oid->p == NULL) {
return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
}
unsigned char *out_ptr = oid->p;
unsigned char *out_bound = oid->p + max_possible_bytes;
ret = oid_parse_number(&component1, &str_ptr, str_bound);
if (ret != 0) {
goto error;
}
if (component1 > 2) {
/* First component can't be > 2 */
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
if (str_ptr >= str_bound || *str_ptr != '.') {
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
str_ptr++;
ret = oid_parse_number(&component2, &str_ptr, str_bound);
if (ret != 0) {
goto error;
}
if ((component1 < 2) && (component2 > 39)) {
/* Root nodes 0 and 1 may have up to 40 children, numbered 0-39 */
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
if (str_ptr < str_bound) {
if (*str_ptr == '.') {
str_ptr++;
} else {
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
}
if (component2 > (UINT_MAX - (component1 * 40))) {
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
ret = oid_subidentifier_encode_into(&out_ptr, out_bound,
(component1 * 40) + component2);
if (ret != 0) {
goto error;
}
while (str_ptr < str_bound) {
ret = oid_parse_number(&val, &str_ptr, str_bound);
if (ret != 0) {
goto error;
}
if (str_ptr < str_bound) {
if (*str_ptr == '.') {
str_ptr++;
} else {
ret = MBEDTLS_ERR_ASN1_INVALID_DATA;
goto error;
}
}
ret = oid_subidentifier_encode_into(&out_ptr, out_bound, val);
if (ret != 0) {
goto error;
}
}
encoded_len = out_ptr - oid->p;
resized_mem = mbedtls_calloc(encoded_len, 1);
if (resized_mem == NULL) {
ret = MBEDTLS_ERR_ASN1_ALLOC_FAILED;
goto error;
}
memcpy(resized_mem, oid->p, encoded_len);
mbedtls_free(oid->p);
oid->p = resized_mem;
oid->len = encoded_len;
oid->tag = MBEDTLS_ASN1_OID;
return 0;
error:
mbedtls_free(oid->p);
oid->p = NULL;
oid->len = 0;
return ret;
}
#endif /* MBEDTLS_OID_C */

1
library/pem.c
View file

@ -29,7 +29,6 @@
#include "mbedtls/cipher.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "hash_info.h"
#include <string.h>

82
library/pk.c
View file

@ -23,8 +23,7 @@
#include "mbedtls/pk.h"
#include "pk_wrap.h"
#include "pkwrite.h"
#include "hash_info.h"
#include "pk_internal.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@ -32,7 +31,7 @@
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
#endif
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "mbedtls/ecp.h"
#endif
#if defined(MBEDTLS_ECDSA_C)
@ -40,14 +39,8 @@
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_rsa_errors, \
psa_pk_status_to_mbedtls)
#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_ecdsa_errors, \
psa_pk_status_to_mbedtls)
#include "psa_util_internal.h"
#include "md_psa.h"
#endif
#include <limits.h>
@ -63,6 +56,12 @@ void mbedtls_pk_init(mbedtls_pk_context *ctx)
#if defined(MBEDTLS_PSA_CRYPTO_C)
ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* MBEDTLS_PSA_CRYPTO_C */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
ctx->pub_raw_len = 0;
ctx->ec_family = 0;
ctx->ec_bits = 0;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}
/*
@ -78,6 +77,14 @@ void mbedtls_pk_free(mbedtls_pk_context *ctx)
ctx->pk_info->ctx_free_func(ctx->pk_ctx);
}
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/* The ownership of the priv_id key for opaque keys is external of the PK
* module. It's the user responsibility to clear it after use. */
if ((ctx->pk_info != NULL) && (ctx->pk_info->type != MBEDTLS_PK_OPAQUE)) {
psa_destroy_key(ctx->priv_id);
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_pk_context));
}
@ -118,12 +125,12 @@ const mbedtls_pk_info_t *mbedtls_pk_info_from_type(mbedtls_pk_type_t pk_type)
case MBEDTLS_PK_RSA:
return &mbedtls_rsa_info;
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
case MBEDTLS_PK_ECKEY:
return &mbedtls_eckey_info;
case MBEDTLS_PK_ECKEY_DH:
return &mbedtls_eckeydh_info;
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
case MBEDTLS_PK_ECDSA:
return &mbedtls_ecdsa_info;
@ -143,7 +150,7 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info)
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
if ((info->ctx_alloc_func == NULL) ||
if ((info->ctx_alloc_func != NULL) &&
((ctx->pk_ctx = info->ctx_alloc_func()) == NULL)) {
return MBEDTLS_ERR_PK_ALLOC_FAILED;
}
@ -174,10 +181,13 @@ int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
type = psa_get_key_type(&attributes);
psa_reset_key_attributes(&attributes);
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) {
info = &mbedtls_pk_ecdsa_opaque_info;
} else if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
info = &mbedtls_pk_rsa_opaque_info;
info = &mbedtls_ecdsa_opaque_info;
} else
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) {
info = &mbedtls_rsa_opaque_info;
} else {
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
}
@ -374,7 +384,7 @@ static inline int pk_hashlen_helper(mbedtls_md_type_t md_alg, size_t *hash_len)
return 0;
}
*hash_len = mbedtls_hash_info_get_size(md_alg);
*hash_len = mbedtls_md_get_size_from_type(md_alg);
if (*hash_len == 0) {
return -1;
@ -523,7 +533,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
psa_status_t status = PSA_ERROR_DATA_CORRUPT;
psa_status_t destruction_status = PSA_ERROR_DATA_CORRUPT;
psa_algorithm_t psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t psa_sig_alg = PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg);
@ -691,7 +701,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
}
#if defined(MBEDTLS_RSA_C)
psa_md_alg = mbedtls_hash_info_psa_from_md(md_alg);
psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (psa_md_alg == 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
@ -781,7 +791,8 @@ int mbedtls_pk_check_pair(const mbedtls_pk_context *pub,
return MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
} else {
if (pub->pk_info != prv->pk_info) {
if ((prv->pk_info->type != MBEDTLS_PK_OPAQUE) &&
(pub->pk_info != prv->pk_info)) {
return MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
}
@ -859,33 +870,44 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
psa_key_usage_t usage,
psa_algorithm_t alg2)
{
#if !defined(MBEDTLS_ECP_LIGHT) && !defined(MBEDTLS_RSA_C)
#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_RSA_C)
((void) pk);
((void) key);
((void) alg);
((void) usage);
((void) alg2);
#else /* !MBEDTLS_ECP_LIGHT && !MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#else /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY) {
mbedtls_ecp_keypair *ec;
unsigned char d[MBEDTLS_ECP_MAX_BYTES];
size_t d_len;
psa_ecc_family_t curve_id;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
size_t bits;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status;
/* export the private key material in the format PSA wants */
ec = mbedtls_pk_ec(*pk);
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
unsigned char d[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
status = psa_export_key(pk->priv_id, d, sizeof(d), &d_len);
if (status != PSA_SUCCESS) {
return psa_pk_status_to_mbedtls(status);
}
curve_id = pk->ec_family;
bits = pk->ec_bits;
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
unsigned char d[MBEDTLS_ECP_MAX_BYTES];
mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
d_len = PSA_BITS_TO_BYTES(ec->grp.nbits);
if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) {
return ret;
}
curve_id = mbedtls_ecc_group_to_psa(ec->grp.id, &bits);
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(curve_id);
/* prepare the key attributes */
@ -910,7 +932,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
return mbedtls_pk_setup_opaque(pk, *key);
} else
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
unsigned char buf[MBEDTLS_PK_RSA_PRV_DER_MAX_BYTES];
@ -951,7 +973,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk,
return mbedtls_pk_setup_opaque(pk, *key);
} else
#endif /* MBEDTLS_RSA_C */
#endif /* !MBEDTLS_ECP_LIGHT && !MBEDTLS_RSA_C */
#endif /* !MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_RSA_C */
return MBEDTLS_ERR_PK_TYPE_MISMATCH;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */

121
library/pk_internal.h Normal file
View file

@ -0,0 +1,121 @@
/**
* \file pk_internal.h
*
* \brief Public Key abstraction layer: internal (i.e. library only) functions
* and definitions.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef MBEDTLS_PK_INTERNAL_H
#define MBEDTLS_PK_INTERNAL_H
#include "mbedtls/pk.h"
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "mbedtls/ecp.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa_util_internal.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_rsa_errors, \
psa_pk_status_to_mbedtls)
#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_ecdsa_errors, \
psa_pk_status_to_mbedtls)
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/**
* Public function mbedtls_pk_ec() can be used to get direct access to the
* wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
* ideal because it bypasses the PK module on the control of its internal
* structure (pk_context) fields.
* For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but
* we provide 2 very similar functions when only ECP_LIGHT is enabled and not
* ECP_C.
* These variants embed the "ro" or "rw" keywords in their name to make the
* usage of the returned pointer explicit. Of course the returned value is
* const or non-const accordingly.
*/
static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk)
{
switch (mbedtls_pk_get_type(&pk)) {
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
default:
return NULL;
}
}
static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
{
switch (mbedtls_pk_get_type(&pk)) {
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx);
default:
return NULL;
}
}
static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_context *pk)
{
mbedtls_ecp_group_id id;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t opaque_key_type;
psa_ecc_family_t curve;
if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
return MBEDTLS_ECP_DP_NONE;
}
opaque_key_type = psa_get_key_type(&opaque_attrs);
curve = PSA_KEY_TYPE_ECC_GET_FAMILY(opaque_key_type);
id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&opaque_attrs), 0);
psa_reset_key_attributes(&opaque_attrs);
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
id = mbedtls_pk_ec_ro(*pk)->grp.id;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
}
return id;
}
/* Helper for Montgomery curves */
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
#define MBEDTLS_PK_HAVE_RFC8410_CURVES
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED || MBEDTLS_ECP_DP_CURVE448_ENABLED */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#endif /* MBEDTLS_PK_INTERNAL_H */

876
library/pk_wrap.c
View file

File diff suppressed because it is too large Load diff

10
library/pk_wrap.h
View file

@ -120,7 +120,7 @@ typedef struct {
extern const mbedtls_pk_info_t mbedtls_rsa_info;
#endif
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
extern const mbedtls_pk_info_t mbedtls_eckey_info;
extern const mbedtls_pk_info_t mbedtls_eckeydh_info;
#endif
@ -134,8 +134,8 @@ extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
extern const mbedtls_pk_info_t mbedtls_pk_ecdsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_pk_rsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
@ -150,9 +150,9 @@ int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_ecdsa(psa_status_t status);
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa(psa_status_t status);
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY)
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_rsa(psa_status_t status);
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR */
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_RSA_C)

15
library/pkcs12.c
View file

@ -39,8 +39,7 @@
#include "mbedtls/des.h"
#endif
#include "hash_info.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
@ -152,11 +151,11 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
return MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE;
}
keylen = cipher_info->key_bitlen / 8;
keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
key, keylen,
iv, cipher_info->iv_size)) != 0) {
iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
return ret;
}
@ -172,7 +171,9 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
goto exit;
}
if ((ret = mbedtls_cipher_set_iv(&cipher_ctx, iv, cipher_info->iv_size)) != 0) {
if ((ret =
mbedtls_cipher_set_iv(&cipher_ctx, iv,
mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
goto exit;
}
@ -290,7 +291,7 @@ int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
unsigned char diversifier[128];
unsigned char salt_block[128], pwd_block[128], hash_block[128] = { 0 };
unsigned char hash_output[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash_output[MBEDTLS_MD_MAX_SIZE];
unsigned char *p;
unsigned char c;
int use_password = 0;
@ -314,7 +315,7 @@ int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen,
use_password = (pwd && pwdlen != 0);
use_salt = (salt && saltlen != 0);
hlen = mbedtls_hash_info_get_size(md_type);
hlen = mbedtls_md_get_size_from_type(md_type);
if (hlen <= 32) {
v = 64;

7
library/pkcs5.c
View file

@ -44,8 +44,7 @@
#include "mbedtls/platform.h"
#include "hash_info.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#if defined(MBEDTLS_ASN1_PARSE_C)
static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
@ -177,10 +176,10 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
* The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
* since it is optional and we don't know if it was set or not
*/
keylen = cipher_info->key_bitlen / 8;
keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
if (enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
enc_scheme_params.len != cipher_info->iv_size) {
enc_scheme_params.len != mbedtls_cipher_info_get_iv_size(cipher_info)) {
return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
}

343
library/pkparse.c
View file

@ -26,6 +26,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "pk_internal.h"
#include <string.h>
@ -36,6 +37,9 @@
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
#include "pkwrite.h"
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "pk_internal.h"
#endif
#if defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdsa.h"
#endif
@ -50,7 +54,7 @@
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -59,6 +63,12 @@
#include "mbedtls/platform.h"
/* Helper for Montgomery curves */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && MBEDTLS_PK_HAVE_RFC8410_CURVES */
#if defined(MBEDTLS_FS_IO)
/*
* Load all data from a file into a given buffer.
@ -164,7 +174,7 @@ int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path)
}
#endif /* MBEDTLS_FS_IO */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf
*
* ECParameters ::= CHOICE {
@ -454,6 +464,29 @@ cleanup:
}
#endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/* Functions pk_use_ecparams() and pk_use_ecparams_rfc8410() update the
* ecp_keypair structure with proper group ID. The purpose of this helper
* function is to update ec_family and ec_bits accordingly. */
static int pk_update_psa_ecparams(mbedtls_pk_context *pk,
mbedtls_ecp_group_id grp_id)
{
psa_ecc_family_t ec_family;
size_t bits;
ec_family = mbedtls_ecc_group_to_psa(grp_id, &bits);
if ((pk->ec_family != 0) && (pk->ec_family != ec_family)) {
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
pk->ec_family = ec_family;
pk->ec_bits = bits;
return 0;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* Use EC parameters to initialise an EC group
*
@ -462,7 +495,7 @@ cleanup:
* specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... }
* -- implicitCurve NULL
*/
static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *grp)
static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_group_id grp_id;
@ -481,43 +514,52 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_ecp_group *gr
#endif
}
/*
* grp may already be initialized; if so, make sure IDs match
*/
if (grp->id != MBEDTLS_ECP_DP_NONE && grp->id != grp_id) {
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
ret = pk_update_psa_ecparams(pk, grp_id);
#else
/* grp may already be initialized; if so, make sure IDs match */
if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE &&
mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) {
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
if ((ret = mbedtls_ecp_group_load(grp, grp_id)) != 0) {
if ((ret = mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(*pk)->grp),
grp_id)) != 0) {
return ret;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
return 0;
return ret;
}
#if defined(MBEDTLS_ECP_LIGHT)
/*
* Helper function for deriving a public key from its private counterpart.
*/
static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
static int pk_derive_public_key(mbedtls_pk_context *pk,
const unsigned char *d, size_t d_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
int ret;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status, destruction_status;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t curve_bits;
psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
/* This buffer is used to store the private key at first and then the
* public one (but not at the same time). Therefore we size it for the
* latter since it's bigger. */
psa_status_t status;
(void) f_rng;
(void) p_rng;
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
(void) d;
(void) d_len;
status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw),
&pk->pub_raw_len);
ret = psa_pk_status_to_mbedtls(status);
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t key_len;
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
(void) f_rng;
(void) p_rng;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
size_t curve_bits;
psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits);
psa_status_t destruction_status;
psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve));
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT);
@ -528,8 +570,6 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
return ret;
}
mbedtls_platform_zeroize(key_buf, sizeof(key_buf));
status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len);
ret = psa_pk_status_to_mbedtls(status);
destruction_status = psa_destroy_key(key_id);
@ -538,9 +578,10 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
} else if (destruction_status != PSA_SUCCESS) {
return psa_pk_status_to_mbedtls(destruction_status);
}
ret = mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len);
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx;
(void) d;
(void) d_len;
@ -556,13 +597,24 @@ static int pk_derive_public_key(mbedtls_ecp_keypair *eck,
*/
static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
mbedtls_ecp_group_id grp_id,
mbedtls_ecp_group *grp)
mbedtls_pk_context *pk)
{
int ret;
if (params->tag != 0 || params->len != 0) {
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
return mbedtls_ecp_group_load(grp, grp_id);
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
ret = pk_update_psa_ecparams(pk, grp_id);
#else
mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk);
ret = mbedtls_ecp_group_load(&(ecp->grp), grp_id);
if (ret != 0) {
return ret;
}
#endif
return ret;
}
/*
@ -570,7 +622,7 @@ static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params,
*
* CurvePrivateKey ::= OCTET STRING
*/
static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk,
unsigned char *key, size_t keylen, const unsigned char *end,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
@ -585,28 +637,74 @@ static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
}
if ((ret = mbedtls_mpi_read_binary_le(&eck->d, key, len)) != 0) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status;
// pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
// which never contain a public key. As such, derive the public key
// unconditionally.
if ((ret = pk_derive_public_key(eck, key, len, f_rng, p_rng)) != 0) {
mbedtls_ecp_keypair_free(eck);
psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&attributes, PSA_ALG_ECDH);
status = psa_import_key(&attributes, key, len, &pk->priv_id);
if (status != PSA_SUCCESS) {
ret = psa_pk_status_to_mbedtls(status);
return ret;
}
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
mbedtls_ecp_keypair_free(eck);
if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys,
* which never contain a public key. As such, derive the public key
* unconditionally. */
if ((ret = pk_derive_public_key(pk, key, len, f_rng, p_rng)) != 0) {
return ret;
}
return 0;
}
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) && defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
/*
* Create a temporary ecp_keypair for converting an EC point in compressed
* format to an uncompressed one
*/
static int pk_convert_compressed_ec(mbedtls_pk_context *pk,
const unsigned char *in_start, size_t in_len,
size_t *out_buf_len, unsigned char *out_buf,
size_t out_buf_size)
{
mbedtls_ecp_keypair ecp_key;
mbedtls_ecp_group_id ecp_group_id;
int ret;
ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0);
mbedtls_ecp_keypair_init(&ecp_key);
ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id);
if (ret != 0) {
return ret;
}
ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q,
in_start, in_len);
if (ret != 0) {
goto exit;
}
ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
out_buf_len, out_buf, out_buf_size);
exit:
mbedtls_ecp_keypair_free(&ecp_key);
return ret;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA && MBEDTLS_PK_PARSE_EC_COMPRESSED */
/*
* EC public key is an EC point
@ -616,15 +714,65 @@ static int pk_parse_key_rfc8410_der(mbedtls_ecp_keypair *eck,
* return code of mbedtls_ecp_point_read_binary() and leave p in a usable state.
*/
static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
mbedtls_ecp_keypair *key)
mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if ((ret = mbedtls_ecp_point_read_binary(&key->grp, &key->Q,
(const unsigned char *) *p, end - *p)) == 0) {
ret = mbedtls_ecp_check_pubkey(&key->grp, &key->Q);
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
mbedtls_svc_key_id_t key;
psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
size_t len = (end - *p);
if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
/* Compressed point format are not supported yet by PSA crypto. As a
* consequence ecp functions are used to "convert" the point to
* uncompressed format */
if ((**p == 0x02) || (**p == 0x03)) {
#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED)
ret = pk_convert_compressed_ec(pk, *p, len,
&(pk->pub_raw_len), pk->pub_raw,
PSA_EXPORT_PUBLIC_KEY_MAX_SIZE);
if (ret != 0) {
return ret;
}
#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */
} else {
/* Uncompressed format */
if ((end - *p) > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) {
return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
}
memcpy(pk->pub_raw, *p, (end - *p));
pk->pub_raw_len = end - *p;
}
/* Validate the key by trying to importing it */
psa_set_key_usage_flags(&key_attrs, 0);
psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY);
psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family));
psa_set_key_bits(&key_attrs, pk->ec_bits);
if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len,
&key) != PSA_SUCCESS) ||
(psa_destroy_key(key) != PSA_SUCCESS)) {
mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN);
pk->pub_raw_len = 0;
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
ret = 0;
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx;
if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q,
(const unsigned char *) *p,
end - *p)) == 0) {
ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q);
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* We know mbedtls_ecp_point_read_binary consumed all bytes or failed
*/
@ -632,7 +780,7 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end,
return ret;
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_RSA_C)
/*
@ -717,7 +865,7 @@ static int pk_get_pk_alg(unsigned char **p,
}
ret = mbedtls_oid_get_pk_alg(&alg_oid, pk_alg);
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
ret = mbedtls_oid_get_ec_grp_algid(&alg_oid, ec_grp_id);
if (ret == 0) {
@ -791,21 +939,21 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end,
ret = pk_get_rsapubkey(p, end, mbedtls_pk_rsa(*pk));
} else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) {
ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, &mbedtls_pk_ec(*pk)->grp);
if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, pk);
} else
#endif
{
ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp);
ret = pk_use_ecparams(&alg_params, pk);
}
if (ret == 0) {
ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk));
ret = pk_get_ecpubkey(p, end, pk);
}
} else
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
ret = MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
if (ret == 0 && *p != end) {
@ -1009,11 +1157,11 @@ cleanup:
}
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/*
* Parse a SEC1 encoded private EC key
*/
static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
static int pk_parse_key_sec1_der(mbedtls_pk_context *pk,
const unsigned char *key, size_t keylen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
@ -1025,6 +1173,12 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
unsigned char *d;
unsigned char *end = p + keylen;
unsigned char *end2;
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t status;
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk);
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* RFC 5915, or SEC1 Appendix C.4
@ -1055,12 +1209,10 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
/* Keep a reference to the position fo the private key. It will be used
* later in this function. */
d = p;
d_len = len;
if ((ret = mbedtls_mpi_read_binary(&eck->d, p, len)) != 0) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
p += len;
@ -1073,16 +1225,21 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
0)) == 0) {
if ((ret = pk_get_ecparams(&p, p + len, &params)) != 0 ||
(ret = pk_use_ecparams(&params, &eck->grp)) != 0) {
mbedtls_ecp_keypair_free(eck);
(ret = pk_use_ecparams(&params, pk)) != 0) {
return ret;
}
} else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
}
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, d, d_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
#endif
if (p != end) {
/*
* Is 'publickey' present? If not, or if we can't read it (eg because it
@ -1102,7 +1259,7 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
if ((ret = pk_get_ecpubkey(&p, end2, eck)) == 0) {
if ((ret = pk_get_ecpubkey(&p, end2, pk)) == 0) {
pubkey_done = 1;
} else {
/*
@ -1114,26 +1271,40 @@ static int pk_parse_key_sec1_der(mbedtls_ecp_keypair *eck,
}
}
} else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
mbedtls_ecp_keypair_free(eck);
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret);
}
}
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family));
/* Setting largest masks for usage and key algorithms */
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
PSA_KEY_USAGE_SIGN_MESSAGE |
PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE);
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
psa_set_key_algorithm(&attributes,
PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH));
#else
psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
#endif
psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH);
status = psa_import_key(&attributes, d, d_len, &pk->priv_id);
if (status != PSA_SUCCESS) {
ret = psa_pk_status_to_mbedtls(status);
return ret;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (!pubkey_done) {
if ((ret = pk_derive_public_key(eck, d, d_len, f_rng, p_rng)) != 0) {
mbedtls_ecp_keypair_free(eck);
if ((ret = pk_derive_public_key(pk, d, d_len, f_rng, p_rng)) != 0) {
return ret;
}
}
if ((ret = mbedtls_ecp_check_privkey(&eck->grp, &eck->d)) != 0) {
mbedtls_ecp_keypair_free(eck);
return ret;
}
return 0;
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/*
* Parse an unencrypted PKCS#8 encoded private key
@ -1162,7 +1333,7 @@ static int pk_parse_key_pkcs8_unencrypted_der(
mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
const mbedtls_pk_info_t *pk_info;
#if !defined(MBEDTLS_ECP_LIGHT)
#if !defined(MBEDTLS_PK_HAVE_ECC_KEYS)
(void) f_rng;
(void) p_rng;
#endif
@ -1227,14 +1398,14 @@ static int pk_parse_key_pkcs8_unencrypted_der(
}
} else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) {
if (MBEDTLS_PK_IS_RFC8410_GROUP_ID(ec_grp_id)) {
if ((ret =
pk_use_ecparams_rfc8410(&params, ec_grp_id, &mbedtls_pk_ec(*pk)->grp)) != 0 ||
pk_use_ecparams_rfc8410(&params, ec_grp_id, pk)) != 0 ||
(ret =
pk_parse_key_rfc8410_der(mbedtls_pk_ec(*pk), p, len, end, f_rng,
pk_parse_key_rfc8410_der(pk, p, len, end, f_rng,
p_rng)) != 0) {
mbedtls_pk_free(pk);
return ret;
@ -1242,14 +1413,14 @@ static int pk_parse_key_pkcs8_unencrypted_der(
} else
#endif
{
if ((ret = pk_use_ecparams(&params, &mbedtls_pk_ec(*pk)->grp)) != 0 ||
(ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len, f_rng, p_rng)) != 0) {
if ((ret = pk_use_ecparams(&params, pk)) != 0 ||
(ret = pk_parse_key_sec1_der(pk, p, len, f_rng, p_rng)) != 0) {
mbedtls_pk_free(pk);
return ret;
}
}
} else
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
return 0;
@ -1416,7 +1587,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
}
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
if (key[keylen - 1] != '\0') {
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
@ -1430,7 +1601,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 ||
(ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
(ret = pk_parse_key_sec1_der(pk,
pem.buf, pem.buflen,
f_rng, p_rng)) != 0) {
mbedtls_pk_free(pk);
@ -1445,7 +1616,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
} else if (ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT) {
return ret;
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
if (key[keylen - 1] != '\0') {
@ -1551,21 +1722,21 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
mbedtls_pk_init(pk);
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
if (mbedtls_pk_setup(pk, pk_info) == 0 &&
pk_parse_key_sec1_der(mbedtls_pk_ec(*pk),
pk_parse_key_sec1_der(pk,
key, keylen, f_rng, p_rng) == 0) {
return 0;
}
mbedtls_pk_free(pk);
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/* If MBEDTLS_RSA_C is defined but MBEDTLS_ECP_C isn't,
/* If MBEDTLS_RSA_C is defined but MBEDTLS_PK_HAVE_ECC_KEYS isn't,
* it is ok to leave the PK context initialized but not
* freed: It is the caller's responsibility to call pk_init()
* before calling this function, and to call pk_free()
* when it fails. If MBEDTLS_ECP_C is defined but MBEDTLS_RSA_C
* when it fails. If MBEDTLS_PK_HAVE_ECC_KEYS is defined but MBEDTLS_RSA_C
* isn't, this leads to mbedtls_pk_free() being called
* twice, once here and once by the caller, but this is
* also ok and in line with the mbedtls_pk_free() calls

558
library/pkwrite.c
View file

@ -26,6 +26,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include "pk_internal.h"
#include <string.h>
@ -37,7 +38,10 @@
#include "mbedtls/ecp.h"
#include "mbedtls/platform_util.h"
#endif
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "pk_internal.h"
#endif
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "pkwrite.h"
#endif
#if defined(MBEDTLS_ECDSA_C)
@ -49,10 +53,66 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#endif
#include "mbedtls/platform.h"
/* Helper for Montgomery curves */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
{
mbedtls_ecp_group_id id = mbedtls_pk_get_group_id(pk);
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
if (id == MBEDTLS_ECP_DP_CURVE25519) {
return 1;
}
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
if (id == MBEDTLS_ECP_DP_CURVE448) {
return 1;
}
#endif
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* It is assumed that the input key is opaque */
static psa_ecc_family_t pk_get_opaque_ec_family(const mbedtls_pk_context *pk)
{
psa_ecc_family_t ec_family = 0;
psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT;
if (psa_get_key_attributes(pk->priv_id, &key_attrs) != PSA_SUCCESS) {
return 0;
}
ec_family = PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(&key_attrs));
psa_reset_key_attributes(&key_attrs);
return ec_family;
}
#endif /* MBETLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* It is assumed that the input key is opaque */
static psa_key_type_t pk_get_opaque_key_type(const mbedtls_pk_context *pk)
{
psa_key_attributes_t opaque_attrs = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t opaque_key_type;
if (psa_get_key_attributes(pk->priv_id, &opaque_attrs) != PSA_SUCCESS) {
return 0;
}
opaque_key_type = psa_get_key_type(&opaque_attrs);
psa_reset_key_attributes(&opaque_attrs);
return opaque_key_type;
}
#endif /* MBETLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_RSA_C)
/*
* RSAPublicKey ::= SEQUENCE {
@ -61,11 +121,12 @@
* }
*/
static int pk_write_rsa_pubkey(unsigned char **p, unsigned char *start,
mbedtls_rsa_context *rsa)
const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
mbedtls_mpi T;
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
mbedtls_mpi_init(&T);
@ -98,21 +159,21 @@ end_of_export:
}
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
/*
* EC public key is an EC point
*/
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
mbedtls_ecp_keypair *ec)
const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
uint8_t buf[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, buf, sizeof(buf))) != 0) {
return ret;
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
} else {
len = pk->pub_raw_len;
memcpy(buf, pk->pub_raw, len);
}
if (*p < start || (size_t) (*p - start) < len) {
@ -124,6 +185,47 @@ static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
return (int) len;
}
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
static int pk_write_ec_pubkey(unsigned char **p, unsigned char *start,
const mbedtls_pk_context *pk)
{
size_t len = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint8_t buf[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
#else
unsigned char buf[MBEDTLS_ECP_MAX_PT_LEN];
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
if (psa_export_public_key(pk->priv_id, buf, sizeof(buf), &len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
*p -= len;
memcpy(*p, buf, len);
return (int) len;
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
if ((ret = mbedtls_ecp_point_write_binary(&ec->grp, &ec->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED,
&len, buf, sizeof(buf))) != 0) {
return ret;
}
}
if (*p < start || (size_t) (*p - start) < len) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
*p -= len;
memcpy(*p, buf, len);
return (int) len;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
/*
* ECParameters ::= CHOICE {
@ -150,24 +252,96 @@ static int pk_write_ec_param(unsigned char **p, unsigned char *start,
/*
* privateKey OCTET STRING -- always of length ceil(log2(n)/8)
*/
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
static int pk_write_ec_private(unsigned char **p, unsigned char *start,
mbedtls_ecp_keypair *ec)
const mbedtls_pk_context *pk)
{
size_t byte_length;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t byte_length = (ec->grp.pbits + 7) / 8;
unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
psa_status_t status;
ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
if (ret != 0) {
goto exit;
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
if (status != PSA_SUCCESS) {
ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
return ret;
}
} else {
status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
if (status != PSA_SUCCESS) {
ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
goto exit;
}
}
ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
exit:
mbedtls_platform_zeroize(tmp, byte_length);
mbedtls_platform_zeroize(tmp, sizeof(tmp));
return ret;
}
#endif /* MBEDTLS_ECP_LIGHT */
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
static int pk_write_ec_private(unsigned char **p, unsigned char *start,
const mbedtls_pk_context *pk)
{
size_t byte_length;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char tmp[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
psa_status_t status;
#else
unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
status = psa_export_key(pk->priv_id, tmp, sizeof(tmp), &byte_length);
if (status != PSA_SUCCESS) {
ret = PSA_PK_ECDSA_TO_MBEDTLS_ERR(status);
return ret;
}
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*pk);
byte_length = (ec->grp.pbits + 7) / 8;
ret = mbedtls_ecp_write_key(ec, tmp, byte_length);
if (ret != 0) {
goto exit;
}
}
ret = mbedtls_asn1_write_octet_string(p, start, tmp, byte_length);
exit:
mbedtls_platform_zeroize(tmp, sizeof(tmp));
return ret;
}
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static int pk_write_opaque_pubkey(unsigned char **p, unsigned char *start,
const mbedtls_pk_context *pk)
{
size_t buffer_size;
size_t len = 0;
if (*p < start) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
buffer_size = (size_t) (*p - start);
if (psa_export_public_key(pk->priv_id, start, buffer_size,
&len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
*p -= len;
memmove(*p, start, len);
return (int) len;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
const mbedtls_pk_context *key)
@ -177,30 +351,17 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start,
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, mbedtls_pk_rsa(*key)));
MBEDTLS_ASN1_CHK_ADD(len, pk_write_rsa_pubkey(p, start, key));
} else
#endif
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, mbedtls_pk_ec(*key)));
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, key));
} else
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
size_t buffer_size;
if (*p < start) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
buffer_size = (size_t) (*p - start);
if (psa_export_public_key(key->priv_id, start, buffer_size, &len)
!= PSA_SUCCESS) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
} else {
*p -= len;
memmove(*p, start, len);
}
MBEDTLS_ASN1_CHK_ADD(len, pk_write_opaque_pubkey(p, start, key));
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
@ -215,7 +376,7 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
int has_par = 1;
size_t len = 0, par_len = 0, oid_len = 0;
mbedtls_pk_type_t pk_type;
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
mbedtls_ecp_group_id ec_grp_id = MBEDTLS_ECP_DP_NONE;
#endif
const char *oid;
@ -244,42 +405,24 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
pk_type = mbedtls_pk_get_type(key);
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_type == MBEDTLS_PK_ECKEY) {
ec_grp_id = mbedtls_pk_ec(*key)->grp.id;
ec_grp_id = mbedtls_pk_get_group_id(key);
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (pk_type == MBEDTLS_PK_OPAQUE) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
if (PSA_SUCCESS != psa_get_key_attributes(key->priv_id,
&attributes)) {
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
}
key_type = psa_get_key_type(&attributes);
#if defined(MBEDTLS_ECP_LIGHT)
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type)) {
psa_ecc_family_t curve;
curve = PSA_KEY_TYPE_ECC_GET_FAMILY(key_type);
if (curve != 0) {
ec_grp_id = mbedtls_ecc_group_of_psa(curve, psa_get_key_bits(&attributes), 0);
if (ec_grp_id != MBEDTLS_ECP_DP_NONE) {
/* The rest of the function works as for legacy EC contexts. */
pk_type = MBEDTLS_PK_ECKEY;
}
}
}
#endif /* MBEDTLS_ECP_LIGHT */
if (PSA_KEY_TYPE_IS_RSA(key_type)) {
psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (PSA_KEY_TYPE_IS_ECC(opaque_key_type)) {
pk_type = MBEDTLS_PK_ECKEY;
ec_grp_id = mbedtls_pk_get_group_id(key);
} else
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
if (PSA_KEY_TYPE_IS_RSA(opaque_key_type)) {
/* The rest of the function works as for legacy RSA contexts. */
pk_type = MBEDTLS_PK_RSA;
}
psa_reset_key_attributes(&attributes);
}
/* `pk_type` will have been changed to non-opaque by here if this function can handle it */
if (pk_type == MBEDTLS_PK_OPAQUE) {
@ -287,13 +430,15 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_type == MBEDTLS_PK_ECKEY) {
/* Some groups have their own AlgorithmIdentifier OID, others are handled by mbedtls_oid_get_oid_by_pk_alg() below */
/* Some groups have their own AlgorithmIdentifier OID, others are handled
* by mbedtls_oid_get_oid_by_pk_alg() below */
ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec_grp_id, &oid, &oid_len);
if (ret == 0) {
/* Currently, none of the supported algorithms that have their own AlgorithmIdentifier OID have any parameters */
/* Currently, none of the supported algorithms that have their own
* AlgorithmIdentifier OID have any parameters */
has_par = 0;
} else if (ret == MBEDTLS_ERR_OID_NOT_FOUND) {
MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec_grp_id));
@ -301,7 +446,7 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
return ret;
}
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
if (oid_len == 0) {
if ((ret = mbedtls_oid_get_oid_by_pk_alg(pk_type, &oid,
@ -320,10 +465,10 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
return (int) len;
}
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
/*
* RFC8410
* RFC8410 section 7
*
* OneAsymmetricKey ::= SEQUENCE {
* version Version,
@ -334,24 +479,26 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu
* [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
* ...
* }
*
* ...
* CurvePrivateKey ::= OCTET STRING
*/
static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
mbedtls_ecp_keypair *ec)
const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
size_t oid_len = 0;
const char *oid;
mbedtls_ecp_group_id grp_id;
/* privateKey */
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, ec));
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_OCTET_STRING));
grp_id = mbedtls_pk_get_group_id(pk);
/* privateKeyAlgorithm */
if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(ec->grp.id, &oid, &oid_len)) != 0) {
if ((ret = mbedtls_oid_get_oid_by_ec_grp_algid(grp_id, &oid, &oid_len)) != 0) {
return ret;
}
MBEDTLS_ASN1_CHK_ADD(len,
@ -367,24 +514,91 @@ static int pk_write_ec_rfc8410_der(unsigned char **p, unsigned char *buf,
return (int) len;
}
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
#endif /* MBEDTLS_ECP_LIGHT */
int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
/*
* RFC 5915, or SEC1 Appendix C.4
*
* ECPrivateKey ::= SEQUENCE {
* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
* privateKey OCTET STRING,
* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
* publicKey [1] BIT STRING OPTIONAL
* }
*/
static int pk_write_ec_der(unsigned char **p, unsigned char *buf,
const mbedtls_pk_context *pk)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *c;
size_t len = 0;
int ret;
size_t pub_len = 0, par_len = 0;
mbedtls_ecp_group_id grp_id;
if (size == 0) {
/* publicKey */
MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(p, buf, pk));
if (*p - buf < 1) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
(*p)--;
**p = 0;
pub_len += 1;
c = buf + size;
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_BIT_STRING));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(p, buf, pub_len));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(p, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 1));
len += pub_len;
/* parameters */
grp_id = mbedtls_pk_get_group_id(pk);
MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(p, buf, grp_id));
MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(p, buf, par_len));
MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(p, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 0));
len += par_len;
/* privateKey */
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(p, buf, pk));
/* version */
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 1));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p, buf, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
return (int) len;
}
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
static int pk_write_rsa_der(unsigned char **p, unsigned char *buf,
const mbedtls_pk_context *pk)
{
size_t len = 0;
int ret;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_OPAQUE) {
uint8_t tmp[PSA_EXPORT_KEY_PAIR_MAX_SIZE];
size_t tmp_len = 0;
if (psa_export_key(pk->priv_id, tmp, sizeof(tmp), &tmp_len) != PSA_SUCCESS) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
*p -= tmp_len;
memcpy(*p, tmp, tmp_len);
len += tmp_len;
mbedtls_platform_zeroize(tmp, sizeof(tmp));
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
mbedtls_mpi T; /* Temporary holding the exported parameters */
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*key);
mbedtls_rsa_context *rsa = mbedtls_pk_rsa(*pk);
/*
* Export the parameters one after another to avoid simultaneous copies.
@ -394,21 +608,21 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export QP */
if ((ret = mbedtls_rsa_export_crt(rsa, NULL, NULL, &T)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
/* Export DQ */
if ((ret = mbedtls_rsa_export_crt(rsa, NULL, &T, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
/* Export DP */
if ((ret = mbedtls_rsa_export_crt(rsa, &T, NULL, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -416,7 +630,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export Q */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
&T, NULL, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -424,7 +638,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export P */
if ((ret = mbedtls_rsa_export(rsa, NULL, &T,
NULL, NULL, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -432,7 +646,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export D */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
NULL, &T, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -440,7 +654,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export E */
if ((ret = mbedtls_rsa_export(rsa, NULL, NULL,
NULL, NULL, &T)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -448,7 +662,7 @@ int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf,
/* Export N */
if ((ret = mbedtls_rsa_export(rsa, &T, NULL,
NULL, NULL, NULL)) != 0 ||
(ret = mbedtls_asn1_write_mpi(&c, buf, &T)) < 0) {
(ret = mbedtls_asn1_write_mpi(p, buf, &T)) < 0) {
goto end_of_export;
}
len += ret;
@ -460,73 +674,64 @@ end_of_export:
return ret;
}
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 0));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c,
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(p, buf, 0));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(p, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(p,
buf, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
}
return (int) len;
}
#endif /* MBEDTLS_RSA_C */
int mbedtls_pk_write_key_der(const mbedtls_pk_context *key, unsigned char *buf, size_t size)
{
unsigned char *c;
size_t len = 0;
#if defined(MBEDTLS_RSA_C)
int is_rsa_opaque = 0;
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
int is_ec_opaque = 0;
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t opaque_key_type;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (size == 0) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
c = buf + size;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
opaque_key_type = pk_get_opaque_key_type(key);
#if defined(MBEDTLS_RSA_C)
is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_RSA_C)
if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
return pk_write_rsa_der(&c, buf, key);
} else
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*key);
size_t pub_len = 0, par_len = 0;
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
if (mbedtls_pk_is_rfc8410_curve(ec->grp.id)) {
return pk_write_ec_rfc8410_der(&c, buf, ec);
if (mbedtls_pk_is_rfc8410(key)) {
return pk_write_ec_rfc8410_der(&c, buf, key);
}
#endif
/*
* RFC 5915, or SEC1 Appendix C.4
*
* ECPrivateKey ::= SEQUENCE {
* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
* privateKey OCTET STRING,
* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
* publicKey [1] BIT STRING OPTIONAL
* }
*/
/* publicKey */
MBEDTLS_ASN1_CHK_ADD(pub_len, pk_write_ec_pubkey(&c, buf, ec));
if (c - buf < 1) {
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
}
*--c = 0;
pub_len += 1;
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(&c, buf, pub_len));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_len(&c, buf, pub_len));
MBEDTLS_ASN1_CHK_ADD(pub_len, mbedtls_asn1_write_tag(&c, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 1));
len += pub_len;
/* parameters */
MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, ec->grp.id));
MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_len(&c, buf, par_len));
MBEDTLS_ASN1_CHK_ADD(par_len, mbedtls_asn1_write_tag(&c, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED | 0));
len += par_len;
/* privateKey */
MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_private(&c, buf, ec));
/* version */
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_int(&c, buf, 1));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
return pk_write_ec_der(&c, buf, key);
} else
#endif /* MBEDTLS_ECP_C */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
return (int) len;
@ -577,31 +782,60 @@ int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf,
unsigned char output_buf[PRV_DER_MAX_BYTES];
const char *begin, *end;
size_t olen = 0;
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
int is_ec_opaque = 0;
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
int is_montgomery_opaque = 0;
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_RSA_C)
int is_rsa_opaque = 0;
#endif
if ((ret = mbedtls_pk_write_key_der(key, output_buf, sizeof(output_buf))) < 0) {
return ret;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_OPAQUE) {
psa_key_type_t opaque_key_type = pk_get_opaque_key_type(key);
#if defined(MBEDTLS_RSA_C)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) {
is_rsa_opaque = PSA_KEY_TYPE_IS_RSA(opaque_key_type);
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
is_ec_opaque = PSA_KEY_TYPE_IS_ECC(opaque_key_type);
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
if (pk_get_opaque_ec_family(key) == PSA_ECC_FAMILY_MONTGOMERY) {
is_montgomery_opaque = 1;
}
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_RSA_C)
if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_RSA) || is_rsa_opaque) {
begin = PEM_BEGIN_PRIVATE_KEY_RSA;
end = PEM_END_PRIVATE_KEY_RSA;
} else
#endif
#if defined(MBEDTLS_ECP_LIGHT)
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if ((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) || is_ec_opaque) {
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
if (mbedtls_pk_is_rfc8410_curve(mbedtls_pk_ec(*key)->grp.id)) {
if (is_montgomery_opaque ||
((mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) &&
(mbedtls_pk_is_rfc8410(key)))) {
begin = PEM_BEGIN_PRIVATE_KEY_PKCS8;
end = PEM_END_PRIVATE_KEY_PKCS8;
} else
#endif
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
{
begin = PEM_BEGIN_PRIVATE_KEY_EC;
end = PEM_END_PRIVATE_KEY_EC;
}
} else
#endif
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
if ((ret = mbedtls_pem_write_buffer(begin, end,

30
library/pkwrite.h
View file

@ -73,7 +73,7 @@
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/*
* EC public keys:
* SubjectPublicKeyInfo ::= SEQUENCE { 1 + 2
@ -98,34 +98,10 @@
*/
#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES (29 + 3 * MBEDTLS_ECP_MAX_BYTES)
#else /* MBEDTLS_ECP_C */
#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
#define MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES 0
#define MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES 0
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_ECP_LIGHT)
#include "mbedtls/ecp.h"
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
#define MBEDTLS_PK_HAVE_RFC8410_CURVES
static inline int mbedtls_pk_is_rfc8410_curve(mbedtls_ecp_group_id id)
{
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
if (id == MBEDTLS_ECP_DP_CURVE25519) {
return 1;
}
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
if (id == MBEDTLS_ECP_DP_CURVE448) {
return 1;
}
#endif
return 0;
}
#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED || MBEDTLS_ECP_DP_CURVE448_ENABLED */
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#endif /* MBEDTLS_PK_WRITE_H */

9
library/platform_util.c
View file

@ -97,7 +97,8 @@
* mbedtls_platform_zeroize() to use a suitable implementation for their
* platform and needs.
*/
#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !defined(__STDC_LIB_EXT1__) \
#if !defined(MBEDTLS_PLATFORM_HAS_EXPLICIT_BZERO) && !(defined(__STDC_LIB_EXT1__) && \
!defined(__IAR_SYSTEMS_ICC__)) \
&& !defined(_WIN32)
static void *(*const volatile memset_func)(void *, int, size_t) = memset;
#endif
@ -118,7 +119,7 @@ void mbedtls_platform_zeroize(void *buf, size_t len)
*/
__msan_unpoison(buf, len);
#endif
#elif defined(__STDC_LIB_EXT1__)
#elif defined(__STDC_LIB_EXT1__) && !defined(__IAR_SYSTEMS_ICC__)
memset_s(buf, len, 0, len);
#elif defined(_WIN32)
SecureZeroMemory(buf, len);
@ -235,7 +236,11 @@ mbedtls_ms_time_t mbedtls_ms_time(void)
struct timespec tv;
mbedtls_ms_time_t current_ms;
#if defined(__linux__)
ret = clock_gettime(CLOCK_BOOTTIME, &tv);
#else
ret = clock_gettime(CLOCK_MONOTONIC, &tv);
#endif
if (ret) {
return time(NULL) * 1000;
}

959
library/psa_crypto.c
View file

File diff suppressed because it is too large Load diff

2
library/psa_crypto_cipher.c
View file

@ -306,7 +306,7 @@ static psa_status_t psa_cipher_update_ecb(
size_t *output_length)
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
size_t block_size = ctx->cipher_info->block_size;
size_t block_size = mbedtls_cipher_info_get_block_size(ctx->cipher_info);
size_t internal_output_length = 0;
*output_length = 0;

22
library/psa_crypto_ecp.c
View file

@ -26,7 +26,7 @@
#include "psa_crypto_core.h"
#include "psa_crypto_ecp.h"
#include "psa_crypto_random_impl.h"
#include "hash_info.h"
#include "md_psa.h"
#include <stdlib.h>
#include <string.h>
@ -37,7 +37,9 @@
#include <mbedtls/ecp.h>
#include <mbedtls/error.h>
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) || \
@ -150,13 +152,16 @@ exit:
return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) || \
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY)
psa_status_t mbedtls_psa_ecp_import_key(
@ -277,10 +282,11 @@ psa_status_t mbedtls_psa_ecp_export_public_key(
return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) ||
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR)
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
psa_status_t mbedtls_psa_ecp_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
@ -325,7 +331,7 @@ psa_status_t mbedtls_psa_ecp_generate_key(
return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) */
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
/****************************************************************/
/* ECDSA sign/verify */
@ -366,7 +372,7 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash(
if (PSA_ALG_ECDSA_IS_DETERMINISTIC(alg)) {
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_ext(
&ecp->grp, &r, &s,
&ecp->d, hash,

302
library/psa_crypto_ffdh.c Normal file
View file

@ -0,0 +1,302 @@
/*
* PSA FFDH layer on top of Mbed TLS crypto
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "common.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include <psa/crypto.h>
#include "psa_crypto_core.h"
#include "psa_crypto_ffdh.h"
#include "psa_crypto_random_impl.h"
#include "mbedtls/platform.h"
#include "mbedtls/error.h"
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_LEGACY) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
static psa_status_t mbedtls_psa_ffdh_set_prime_generator(size_t key_size,
mbedtls_mpi *P,
mbedtls_mpi *G)
{
const unsigned char *dhm_P = NULL;
const unsigned char *dhm_G = NULL;
size_t dhm_size_P = 0;
size_t dhm_size_G = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if (P == NULL && G == NULL) {
return PSA_ERROR_INVALID_ARGUMENT;
}
static const unsigned char dhm_P_2048[] =
MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN;
static const unsigned char dhm_P_3072[] =
MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN;
static const unsigned char dhm_P_4096[] =
MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN;
static const unsigned char dhm_P_6144[] =
MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN;
static const unsigned char dhm_P_8192[] =
MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN;
static const unsigned char dhm_G_2048[] =
MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN;
static const unsigned char dhm_G_3072[] =
MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN;
static const unsigned char dhm_G_4096[] =
MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN;
static const unsigned char dhm_G_6144[] =
MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN;
static const unsigned char dhm_G_8192[] =
MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN;
switch (key_size) {
case sizeof(dhm_P_2048):
dhm_P = dhm_P_2048;
dhm_G = dhm_G_2048;
dhm_size_P = sizeof(dhm_P_2048);
dhm_size_G = sizeof(dhm_G_2048);
break;
case sizeof(dhm_P_3072):
dhm_P = dhm_P_3072;
dhm_G = dhm_G_3072;
dhm_size_P = sizeof(dhm_P_3072);
dhm_size_G = sizeof(dhm_G_3072);
break;
case sizeof(dhm_P_4096):
dhm_P = dhm_P_4096;
dhm_G = dhm_G_4096;
dhm_size_P = sizeof(dhm_P_4096);
dhm_size_G = sizeof(dhm_G_4096);
break;
case sizeof(dhm_P_6144):
dhm_P = dhm_P_6144;
dhm_G = dhm_G_6144;
dhm_size_P = sizeof(dhm_P_6144);
dhm_size_G = sizeof(dhm_G_6144);
break;
case sizeof(dhm_P_8192):
dhm_P = dhm_P_8192;
dhm_G = dhm_G_8192;
dhm_size_P = sizeof(dhm_P_8192);
dhm_size_G = sizeof(dhm_G_8192);
break;
default:
return PSA_ERROR_INVALID_ARGUMENT;
}
if (P != NULL) {
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(P, dhm_P,
dhm_size_P));
}
if (G != NULL) {
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(G, dhm_G,
dhm_size_G));
}
cleanup:
if (ret != 0) {
return mbedtls_to_psa_error(ret);
}
return PSA_SUCCESS;
}
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_LEGACY ||
MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY ||
MBEDTLS_PSA_BUILTIN_ALG_FFDH */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_LEGACY) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY)
psa_status_t mbedtls_psa_ffdh_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
uint8_t *data,
size_t data_size,
size_t *data_length)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi GX, G, X, P;
psa_key_type_t type = attributes->core.type;
if (PSA_KEY_TYPE_IS_PUBLIC_KEY(type)) {
if (key_buffer_size > data_size) {
return PSA_ERROR_BUFFER_TOO_SMALL;
}
memcpy(data, key_buffer, key_buffer_size);
memset(data + key_buffer_size, 0,
data_size - key_buffer_size);
*data_length = key_buffer_size;
return PSA_SUCCESS;
}
mbedtls_mpi_init(&GX); mbedtls_mpi_init(&G);
mbedtls_mpi_init(&X); mbedtls_mpi_init(&P);
size_t key_len = PSA_BITS_TO_BYTES(attributes->core.bits);
status = mbedtls_psa_ffdh_set_prime_generator(key_len, &P, &G);
if (status != PSA_SUCCESS) {
goto cleanup;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
key_buffer_size));
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&GX, &G, &X, &P, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&GX, data, key_len));
*data_length = key_len;
ret = 0;
cleanup:
mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
mbedtls_mpi_free(&X); mbedtls_mpi_free(&GX);
if (status == PSA_SUCCESS && ret != 0) {
status = mbedtls_to_psa_error(ret);
}
return status;
}
psa_status_t mbedtls_psa_ffdh_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length)
{
mbedtls_mpi X, P;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi_init(&P); mbedtls_mpi_init(&X);
(void) attributes;
status = mbedtls_psa_ffdh_set_prime_generator(key_buffer_size, &P, NULL);
if (status != PSA_SUCCESS) {
goto cleanup;
}
/* RFC7919: Traditional finite field Diffie-Hellman has each peer choose their
secret exponent from the range [2, P-2].
Select random value in range [3, P-1] and decrease it by 1. */
MBEDTLS_MPI_CHK(mbedtls_mpi_random(&X, 3, &P, mbedtls_psa_get_random,
MBEDTLS_PSA_RANDOM_STATE));
MBEDTLS_MPI_CHK(mbedtls_mpi_sub_int(&X, &X, 1));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&X, key_buffer, key_buffer_size));
*key_buffer_length = key_buffer_size;
cleanup:
mbedtls_mpi_free(&P); mbedtls_mpi_free(&X);
if (status == PSA_SUCCESS && ret != 0) {
return mbedtls_to_psa_error(ret);
}
return status;
}
psa_status_t mbedtls_psa_ffdh_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
size_t *key_buffer_length, size_t *bits)
{
(void) attributes;
if (key_buffer_size < data_length) {
return PSA_ERROR_BUFFER_TOO_SMALL;
}
memcpy(key_buffer, data, data_length);
*key_buffer_length = data_length;
*bits = PSA_BYTES_TO_BITS(data_length);
return PSA_SUCCESS;
}
#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_LEGACY ||
MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_FFDH)
psa_status_t mbedtls_psa_ffdh_key_agreement(
const psa_key_attributes_t *attributes,
const uint8_t *peer_key,
size_t peer_key_length,
const uint8_t *key_buffer,
size_t key_buffer_size,
uint8_t *shared_secret,
size_t shared_secret_size,
size_t *shared_secret_length)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi P, G, X, GY, K;
const size_t calculated_shared_secret_size = peer_key_length;
if (peer_key_length != key_buffer_size ||
calculated_shared_secret_size > shared_secret_size) {
return PSA_ERROR_INVALID_ARGUMENT;
}
if (!PSA_KEY_TYPE_IS_DH_KEY_PAIR(psa_get_key_type(attributes))) {
return PSA_ERROR_INVALID_ARGUMENT;
}
mbedtls_mpi_init(&P); mbedtls_mpi_init(&G);
mbedtls_mpi_init(&X); mbedtls_mpi_init(&GY);
mbedtls_mpi_init(&K);
status = mbedtls_psa_ffdh_set_prime_generator(
PSA_BITS_TO_BYTES(attributes->core.bits), &P, &G);
if (status != PSA_SUCCESS) {
goto cleanup;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, key_buffer,
key_buffer_size));
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&GY, peer_key,
peer_key_length));
/* Calculate shared secret public key: K = G^(XY) mod P = GY^X mod P */
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&K, &GY, &X, &P, NULL));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&K, shared_secret,
calculated_shared_secret_size));
*shared_secret_length = calculated_shared_secret_size;
ret = 0;
cleanup:
mbedtls_mpi_free(&P); mbedtls_mpi_free(&G);
mbedtls_mpi_free(&X); mbedtls_mpi_free(&GY);
mbedtls_mpi_free(&K);
if (status == PSA_SUCCESS && ret != 0) {
status = mbedtls_to_psa_error(ret);
}
return status;
}
#endif /* MBEDTLS_PSA_BUILTIN_ALG_FFDH */
#endif /* MBEDTLS_PSA_CRYPTO_C */

144
library/psa_crypto_ffdh.h Normal file
View file

@ -0,0 +1,144 @@
/*
* PSA FFDH layer on top of Mbed TLS crypto
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef PSA_CRYPTO_FFDH_H
#define PSA_CRYPTO_FFDH_H
#include <psa/crypto.h>
#include <mbedtls/dhm.h>
/** Perform a key agreement and return the FFDH shared secret.
*
* \param[in] attributes The attributes of the key to use for the
* operation.
* \param[in] peer_key The buffer containing the key context
* of the peer's public key.
* \param[in] peer_key_length Size of the \p peer_key buffer in
* bytes.
* \param[in] key_buffer The buffer containing the private key
* context.
* \param[in] key_buffer_size Size of the \p key_buffer buffer in
* bytes.
* \param[out] shared_secret The buffer to which the shared secret
* is to be written.
* \param[in] shared_secret_size Size of the \p shared_secret buffer in
* bytes.
* \param[out] shared_secret_length On success, the number of bytes that make
* up the returned shared secret.
* \retval #PSA_SUCCESS
* Success. Shared secret successfully calculated.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key_buffer_size, \p peer_key_length, \p shared_secret_size
* do not match
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_ffdh_key_agreement(
const psa_key_attributes_t *attributes,
const uint8_t *peer_key,
size_t peer_key_length,
const uint8_t *key_buffer,
size_t key_buffer_size,
uint8_t *shared_secret,
size_t shared_secret_size,
size_t *shared_secret_length);
/** Export a public key or the public part of a DH key pair in binary format.
*
* \param[in] attributes The attributes for the key to export.
* \param[in] key_buffer Material or context of the key to export.
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
* \param[out] data Buffer where the key data is to be written.
* \param[in] data_size Size of the \p data buffer in bytes.
* \param[out] data_length On success, the number of bytes written in
* \p data
*
* \retval #PSA_SUCCESS The public key was exported successfully.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of \p key_buffer is too small.
* \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_ffdh_export_public_key(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer,
size_t key_buffer_size,
uint8_t *data,
size_t data_size,
size_t *data_length);
/**
* \brief Generate DH key.
*
* \note The signature of the function is that of a PSA driver generate_key
* entry point.
*
* \param[in] attributes The attributes for the key to generate.
* \param[out] key_buffer Buffer where the key data is to be written.
* \param[in] key_buffer_size Size of \p key_buffer in bytes.
* \param[out] key_buffer_length On success, the number of bytes written in
* \p key_buffer.
*
* \retval #PSA_SUCCESS
* The key was generated successfully.
* \retval #PSA_ERROR_NOT_SUPPORTED
* Key size in bits is invalid.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of \p key_buffer is too small.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_ffdh_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer,
size_t key_buffer_size,
size_t *key_buffer_length);
/**
* \brief Import DH key.
*
* \note The signature of the function is that of a PSA driver import_key
* entry point.
*
* \param[in] attributes The attributes for the key to import.
* \param[in] data The buffer containing the key data in import
* format.
* \param[in] data_length Size of the \p data buffer in bytes.
* \param[out] key_buffer The buffer containing the key data in output
* format.
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes. This
* size is greater or equal to \p data_length.
* \param[out] key_buffer_length The length of the data written in \p
* key_buffer in bytes.
* \param[out] bits The key size in number of bits.
*
* \retval #PSA_SUCCESS
* The key was generated successfully.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of \p key_buffer is too small.
*/
psa_status_t mbedtls_psa_ffdh_import_key(
const psa_key_attributes_t *attributes,
const uint8_t *data, size_t data_length,
uint8_t *key_buffer, size_t key_buffer_size,
size_t *key_buffer_length, size_t *bits);
#endif /* PSA_CRYPTO_FFDH_H */

90
library/psa_crypto_pake.c
View file

@ -28,7 +28,7 @@
#include "psa_crypto_slot_management.h"
#include <mbedtls/ecjpake.h>
#include <mbedtls/psa_util.h>
#include <psa_util_internal.h>
#include <mbedtls/platform.h>
#include <mbedtls/error.h>
@ -80,65 +80,37 @@
*/
/*
* The first PAKE step shares the same sequences of the second PAKE step
* but with a second set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs.
* It's simpler to share the same sequences numbers of the first
* set of KEY_SHARE/ZK_PUBLIC/ZK_PROOF outputs/inputs in both PAKE steps.
* Possible sequence of calls to implementation:
*
* State sequence with step, state & sequence enums:
* => Input & Output Step = PSA_PAKE_STEP_INVALID
* => state = PSA_PAKE_STATE_INVALID
* psa_pake_setup()
* => Input & Output Step = PSA_PAKE_STEP_X1_X2
* => state = PSA_PAKE_STATE_SETUP
* => sequence = PSA_PAKE_SEQ_INVALID
* |
* |--- In any order: (First round input before or after first round output)
* | | First call of psa_pake_output() or psa_pake_input() sets
* | | state = PSA_PAKE_STATE_READY
* | |
* | |------ In Order: => state = PSA_PAKE_OUTPUT_X1_X2
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_X2S
* | |
* | |------ In Order: => state = PSA_PAKE_INPUT_X1_X2
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X2_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_INPUT_X4S
* |
* |--- In any order: (Second round input before or after second round output)
* | |
* | |------ In Order: => state = PSA_PAKE_OUTPUT_X2S
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_output() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_DERIVE
* | |
* | |------ In Order: => state = PSA_PAKE_INPUT_X4S
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_KEY_SHARE
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PUBLIC
* | | | psa_pake_input() => sequence = PSA_PAKE_X1_STEP_ZK_PROOF
* | | | => state = PSA_PAKE_STATE_READY
* | | | => sequence = PSA_PAKE_SEQ_INVALID
* | | | => Output Step = PSA_PAKE_STEP_DERIVE
* |
* psa_pake_get_implicit_key()
* => Input & Output Step = PSA_PAKE_STEP_INVALID
* |--- In any order:
* | |
* | |------ In Order
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_KEY_SHARE)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X1_STEP_ZK_PROOF)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_KEY_SHARE)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2_STEP_ZK_PROOF)
* | |
* | |------ In Order:
* | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_KEY_SHARE)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PUBLIC)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X1_STEP_ZK_PROOF)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_KEY_SHARE)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PUBLIC)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X2_STEP_ZK_PROOF)
* |
* |--- In any order:
* | |
* | |------ In Order
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_KEY_SHARE)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PUBLIC)
* | | | mbedtls_psa_pake_output(PSA_JPAKE_X2S_STEP_ZK_PROOF)
* | |
* | |------ In Order:
* | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_KEY_SHARE)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PUBLIC)
* | | mbedtls_psa_pake_input(PSA_JPAKE_X4S_STEP_ZK_PROOF)
*/
#if defined(MBEDTLS_PSA_BUILTIN_ALG_JPAKE)

30
library/psa_crypto_pake.h
View file

@ -43,8 +43,8 @@
* compatible with the PAKE algorithm, or the hash algorithm in
* \p cipher_suite is not supported or not compatible with the PAKE
* algorithm and primitive.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
const psa_crypto_driver_pake_inputs_t *inputs);
@ -78,10 +78,10 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
* Success.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_DATA_CORRUPT
* \retval #PSA_ERROR_DATA_INVALID
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
psa_crypto_driver_pake_step_t step,
@ -116,10 +116,10 @@ psa_status_t mbedtls_psa_pake_output(mbedtls_psa_pake_operation_t *operation,
* \retval #PSA_ERROR_NOT_SUPPORTED
* the \p input is not supported for the \p operation's algorithm, cipher
* suite or \p step.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_DATA_CORRUPT
* \retval #PSA_ERROR_DATA_INVALID
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
psa_crypto_driver_pake_step_t step,
@ -143,10 +143,10 @@ psa_status_t mbedtls_psa_pake_input(mbedtls_psa_pake_operation_t *operation,
* \retval #PSA_ERROR_NOT_SUPPORTED
* Input from a PAKE is not supported by the algorithm in the \p output
* key derivation operation.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_DATA_CORRUPT
* \retval #PSA_ERROR_DATA_INVALID
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t mbedtls_psa_pake_get_implicit_key(
mbedtls_psa_pake_operation_t *operation,
@ -164,7 +164,7 @@ psa_status_t mbedtls_psa_pake_get_implicit_key(
*
* \retval #PSA_SUCCESS
* Success.
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_pake_abort(mbedtls_psa_pake_operation_t *operation);

10
library/psa_crypto_random_impl.h
View file

@ -3,12 +3,12 @@
* \brief PSA crypto random generator implementation abstraction.
*
* The definitions here need to be consistent with the declarations
* in include/mbedtls/psa_util.h. This file contains some redundant
* in include/psa_util_internal.h. This file contains some redundant
* declarations to increase the chance that a compiler will detect
* inconsistencies if one file is changed without updating the other,
* but not all potential inconsistencies can be enforced, so make sure
* to check the public declarations and contracts in
* include/mbedtls/psa_util.h if you modify this file.
* include/psa_util_internal.h if you modify this file.
*/
/*
* Copyright The Mbed TLS Contributors
@ -30,7 +30,7 @@
#ifndef PSA_CRYPTO_RANDOM_IMPL_H
#define PSA_CRYPTO_RANDOM_IMPL_H
#include <mbedtls/psa_util.h>
#include <psa_util_internal.h>
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
@ -123,7 +123,7 @@ typedef struct {
mbedtls_psa_drbg_context_t drbg;
} mbedtls_psa_random_context_t;
/* Defined in include/mbedtls/psa_util.h so that it's visible to
/* Defined in include/psa_util_internal.h so that it's visible to
* application code. The declaration here is redundant, but included
* as a safety net to make it more likely that a future change that
* accidentally causes the implementation to diverge from the interface
@ -154,7 +154,7 @@ static mbedtls_f_rng_t *const mbedtls_psa_get_random;
/* psa_crypto.c sets this variable to a pointer to the DRBG state in the
* global PSA crypto state. */
/* The type `mbedtls_psa_drbg_context_t` is defined in
* include/mbedtls/psa_util.h so that `mbedtls_psa_random_state` can be
* include/psa_util_internal.h so that `mbedtls_psa_random_state` can be
* declared there and be visible to application code. */
extern mbedtls_psa_drbg_context_t *const mbedtls_psa_random_state;

20
library/psa_crypto_rsa.c
View file

@ -28,6 +28,7 @@
#include "psa_crypto_random_impl.h"
#include "psa_crypto_rsa.h"
#include "psa_crypto_hash.h"
#include "md_psa.h"
#include <stdlib.h>
#include <string.h>
@ -37,13 +38,12 @@
#include <mbedtls/error.h>
#include <mbedtls/pk.h>
#include "pk_wrap.h"
#include "hash_info.h"
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_CRYPT) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
@ -123,10 +123,10 @@ exit:
* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) ||
* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY) || \
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY)
psa_status_t mbedtls_psa_rsa_import_key(
@ -235,10 +235,10 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) ||
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY) ||
* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY) && \
defined(MBEDTLS_GENPRIME)
static psa_status_t psa_rsa_read_exponent(const uint8_t *domain_parameters,
size_t domain_parameters_size,
@ -301,7 +301,7 @@ psa_status_t mbedtls_psa_rsa_generate_key(
return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR)
#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY)
* defined(MBEDTLS_GENPRIME) */
/****************************************************************/
@ -318,7 +318,7 @@ static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
mbedtls_md_type_t *md_alg)
{
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
*md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
*md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
/* The Mbed TLS RSA module uses an unsigned int for hash length
* parameters. Validate that it fits so that we don't risk an
@ -332,7 +332,7 @@ static psa_status_t psa_rsa_decode_md_type(psa_algorithm_t alg,
if (*md_alg == MBEDTLS_MD_NONE) {
return PSA_ERROR_NOT_SUPPORTED;
}
if (mbedtls_hash_info_get_size(*md_alg) != hash_length) {
if (mbedtls_md_get_size_from_type(*md_alg) != hash_length) {
return PSA_ERROR_INVALID_ARGUMENT;
}
}
@ -527,7 +527,7 @@ static int psa_rsa_oaep_set_padding_mode(psa_algorithm_t alg,
mbedtls_rsa_context *rsa)
{
psa_algorithm_t hash_alg = PSA_ALG_RSA_OAEP_GET_HASH(alg);
mbedtls_md_type_t md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
mbedtls_md_type_t md_alg = mbedtls_md_type_from_psa_alg(hash_alg);
return mbedtls_rsa_set_padding(rsa, MBEDTLS_RSA_PKCS_V21, md_alg);
}

2
library/psa_crypto_slot_management.c
View file

@ -36,8 +36,6 @@
#include <string.h>
#include "mbedtls/platform.h"
#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
typedef struct {
psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT];
unsigned key_slots_initialized : 1;

31
library/psa_util.c
View file

@ -25,15 +25,35 @@
#include <psa/crypto.h>
#include "psa_crypto_core.h"
#include <mbedtls/psa_util.h>
#include <psa_util_internal.h>
/* The following includes are needed for MBEDTLS_ERR_XXX macros */
#include <mbedtls/error.h>
#if defined(MBEDTLS_MD_LIGHT)
#include <mbedtls/md.h>
#endif
#if defined(MBEDTLS_LMS_C)
#include <mbedtls/lms.h>
#endif
#if defined(MBEDTLS_SSL_TLS_C) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
#include <mbedtls/ssl.h>
#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY)
#include <mbedtls/rsa.h>
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
#include <mbedtls/ecp.h>
#endif
#if defined(MBEDTLS_PK_C)
#include <mbedtls/pk.h>
#endif
/* PSA_SUCCESS is kept at the top of each error table since
* it's the most common status when everything functions properly. */
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) || defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_MD_LIGHT)
const mbedtls_error_pair_t psa_to_md_errors[] =
{
{ PSA_SUCCESS, 0 },
@ -50,7 +70,8 @@ const mbedtls_error_pair_t psa_to_lms_errors[] =
{ PSA_ERROR_INVALID_ARGUMENT, MBEDTLS_ERR_LMS_BAD_INPUT_DATA }
};
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(MBEDTLS_SSL_TLS_C) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
const mbedtls_error_pair_t psa_to_ssl_errors[] =
{
{ PSA_SUCCESS, 0 },
@ -64,7 +85,7 @@ const mbedtls_error_pair_t psa_to_ssl_errors[] =
#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY)
const mbedtls_error_pair_t psa_to_pk_rsa_errors[] =
{
{ PSA_SUCCESS, 0 },
@ -123,6 +144,7 @@ int psa_status_to_mbedtls(psa_status_t status,
return fallback_f(status);
}
#if defined(MBEDTLS_PK_C)
int psa_pk_status_to_mbedtls(psa_status_t status)
{
switch (status) {
@ -146,4 +168,5 @@ int psa_pk_status_to_mbedtls(psa_status_t status)
return psa_generic_status_to_mbedtls(status);
}
}
#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_PSA_CRYPTO_C */

108
library/psa_util_internal.h Normal file
View file

@ -0,0 +1,108 @@
/**
* \file psa_util_internal.h
*
* \brief Internal utility functions for use of PSA Crypto.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef MBEDTLS_PSA_UTIL_INTERNAL_H
#define MBEDTLS_PSA_UTIL_INTERNAL_H
/* Include the public header so that users only need one include. */
#include "mbedtls/psa_util.h"
#include "psa/crypto.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
/*************************************************************************
* FFDH
************************************************************************/
#define MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH \
PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS)
/*************************************************************************
* ECC
************************************************************************/
#define MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH \
PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
#define MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH \
PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
/*************************************************************************
* Error translation
************************************************************************/
typedef struct {
/* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
int16_t psa_status;
/* Error codes used by Mbed TLS are in one of the ranges
* -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
* code optionally added), fitting in 16 bits. */
int16_t mbedtls_error;
} mbedtls_error_pair_t;
#if defined(MBEDTLS_MD_LIGHT)
extern const mbedtls_error_pair_t psa_to_md_errors[4];
#endif
#if defined(MBEDTLS_LMS_C)
extern const mbedtls_error_pair_t psa_to_lms_errors[3];
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
#endif
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(MBEDTLS_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY)
extern const mbedtls_error_pair_t psa_to_pk_rsa_errors[8];
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
extern const mbedtls_error_pair_t psa_to_pk_ecdsa_errors[7];
#endif
/* Generic fallback function for error translation,
* when the received state was not module-specific. */
int psa_generic_status_to_mbedtls(psa_status_t status);
/* This function iterates over provided local error translations,
* and if no match was found - calls the fallback error translation function. */
int psa_status_to_mbedtls(psa_status_t status,
const mbedtls_error_pair_t *local_translations,
size_t local_errors_num,
int (*fallback_f)(psa_status_t));
/* The second out of three-stage error handling functions of the pk module,
* acts as a fallback after RSA / ECDSA error translation, and if no match
* is found, it itself calls psa_generic_status_to_mbedtls. */
int psa_pk_status_to_mbedtls(psa_status_t status);
/* Utility macro to shorten the defines of error translator in modules. */
#define PSA_TO_MBEDTLS_ERR_LIST(status, error_list, fallback_f) \
psa_status_to_mbedtls(status, error_list, \
sizeof(error_list)/sizeof(error_list[0]), \
fallback_f)
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_PSA_UTIL_INTERNAL_H */

24
library/rsa.c
View file

@ -46,7 +46,7 @@
#include "mbedtls/error.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
#include "hash_info.h"
#include "md_psa.h"
#include <string.h>
@ -478,7 +478,7 @@ int mbedtls_rsa_set_padding(mbedtls_rsa_context *ctx, int padding,
if ((padding == MBEDTLS_RSA_PKCS_V21) &&
(hash_id != MBEDTLS_MD_NONE)) {
/* Just make sure this hash is supported in this build. */
if (mbedtls_hash_info_psa_from_md(hash_id) == PSA_ALG_NONE) {
if (mbedtls_md_info_from_type(hash_id) == NULL) {
return MBEDTLS_ERR_RSA_INVALID_PADDING;
}
}
@ -1076,7 +1076,7 @@ static int mgf_mask(unsigned char *dst, size_t dlen, unsigned char *src,
unsigned char *p;
unsigned int hlen;
size_t i, use_len;
unsigned char mask[MBEDTLS_HASH_MAX_SIZE];
unsigned char mask[MBEDTLS_MD_MAX_SIZE];
int ret = 0;
const mbedtls_md_info_t *md_info;
mbedtls_md_context_t md_ctx;
@ -1229,7 +1229,7 @@ int mbedtls_rsa_rsaes_oaep_encrypt(mbedtls_rsa_context *ctx,
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1380,7 +1380,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
size_t ilen, i, pad_len;
unsigned char *p, bad, pad_done;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char lhash[MBEDTLS_HASH_MAX_SIZE];
unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen;
/*
@ -1396,7 +1396,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1596,7 +1596,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
if (md_alg != MBEDTLS_MD_NONE) {
/* Gather length of hash to sign */
size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
if (exp_hashlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1606,7 +1606,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
}
}
hlen = mbedtls_hash_info_get_size((mbedtls_md_type_t) ctx->hash_id);
hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1744,7 +1744,7 @@ static int rsa_rsassa_pkcs1_v15_encode(mbedtls_md_type_t md_alg,
/* Are we signing hashed or raw data? */
if (md_alg != MBEDTLS_MD_NONE) {
unsigned char md_size = mbedtls_hash_info_get_size(md_alg);
unsigned char md_size = mbedtls_md_get_size_from_type(md_alg);
if (md_size == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1966,7 +1966,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
size_t siglen;
unsigned char *p;
unsigned char *hash_start;
unsigned char result[MBEDTLS_HASH_MAX_SIZE];
unsigned char result[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen;
size_t observed_salt_len, msb;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE] = { 0 };
@ -1995,7 +1995,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
if (md_alg != MBEDTLS_MD_NONE) {
/* Gather length of hash to sign */
size_t exp_hashlen = mbedtls_hash_info_get_size(md_alg);
size_t exp_hashlen = mbedtls_md_get_size_from_type(md_alg);
if (exp_hashlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -2005,7 +2005,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext(mbedtls_rsa_context *ctx,
}
}
hlen = mbedtls_hash_info_get_size(mgf1_hash_id);
hlen = mbedtls_md_get_size_from_type(mgf1_hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}

23
library/sha256.c
View file

@ -57,11 +57,26 @@
#include "mbedtls/platform.h"
#if defined(__aarch64__)
# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
/* *INDENT-OFF* */
# ifdef __ARM_NEON
# include <arm_neon.h>
# else
# error "Target does not support NEON instructions"
# endif
# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG)
# if defined(__clang__)
# if defined(__ARMCOMPILER_VERSION)
# if __ARMCOMPILER_VERSION <= 6090000
# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
# endif
# pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# elif defined(__clang__)
# if __clang_major__ < 4
# error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
# endif
@ -83,7 +98,7 @@
# endif
# endif
/* *INDENT-ON* */
# include <arm_neon.h>
# endif
# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
# if defined(__unix__)
@ -399,6 +414,8 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
SHA256_BLOCK_SIZE) ? 0 : -1;
}
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
#if defined(MBEDTLS_POP_TARGET_PRAGMA)
#if defined(__clang__)
#pragma clang attribute pop
@ -408,8 +425,6 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
#undef MBEDTLS_POP_TARGET_PRAGMA
#endif
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
#define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process

631
library/sha3.c Normal file
View file

@ -0,0 +1,631 @@
/*
* FIPS-202 compliant SHA3 implementation
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* The SHA-3 Secure Hash Standard was published by NIST in 2015.
*
* https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
*/
#include "common.h"
#if defined(MBEDTLS_SHA3_C)
#include "mbedtls/sha3.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#include <string.h>
#if defined(MBEDTLS_SELF_TEST)
#include "mbedtls/platform.h"
#endif /* MBEDTLS_SELF_TEST */
#define XOR_BYTE 0x6
typedef struct mbedtls_sha3_family_functions {
mbedtls_sha3_id id;
uint16_t r;
uint16_t olen;
}
mbedtls_sha3_family_functions;
/*
* List of supported SHA-3 families
*/
static mbedtls_sha3_family_functions sha3_families[] = {
{ MBEDTLS_SHA3_224, 1152, 224 },
{ MBEDTLS_SHA3_256, 1088, 256 },
{ MBEDTLS_SHA3_384, 832, 384 },
{ MBEDTLS_SHA3_512, 576, 512 },
{ MBEDTLS_SHA3_NONE, 0, 0 }
};
static const uint64_t rc[24] = {
0x0000000000000001, 0x0000000000008082, 0x800000000000808a, 0x8000000080008000,
0x000000000000808b, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
0x000000000000008a, 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
0x000000008000808b, 0x800000000000008b, 0x8000000000008089, 0x8000000000008003,
0x8000000000008002, 0x8000000000000080, 0x000000000000800a, 0x800000008000000a,
0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
};
static const uint8_t rho[24] = {
1, 62, 28, 27, 36, 44, 6, 55, 20,
3, 10, 43, 25, 39, 41, 45, 15,
21, 8, 18, 2, 61, 56, 14
};
static const uint8_t pi[24] = {
10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1,
};
#define ROT64(x, y) (((x) << (y)) | ((x) >> (64U - (y))))
#define ABSORB(ctx, idx, v) do { ctx->state[(idx) >> 3] ^= ((uint64_t) (v)) << (((idx) & 0x7) << 3); \
} while (0)
#define SQUEEZE(ctx, idx) ((uint8_t) (ctx->state[(idx) >> 3] >> (((idx) & 0x7) << 3)))
#define SWAP(x, y) do { uint64_t tmp = (x); (x) = (y); (y) = tmp; } while (0)
/* The permutation function. */
static void keccak_f1600(mbedtls_sha3_context *ctx)
{
uint64_t lane[5];
uint64_t *s = ctx->state;
int i;
for (int round = 0; round < 24; round++) {
uint64_t t;
/* Theta */
lane[0] = s[0] ^ s[5] ^ s[10] ^ s[15] ^ s[20];
lane[1] = s[1] ^ s[6] ^ s[11] ^ s[16] ^ s[21];
lane[2] = s[2] ^ s[7] ^ s[12] ^ s[17] ^ s[22];
lane[3] = s[3] ^ s[8] ^ s[13] ^ s[18] ^ s[23];
lane[4] = s[4] ^ s[9] ^ s[14] ^ s[19] ^ s[24];
t = lane[4] ^ ROT64(lane[1], 1);
s[0] ^= t; s[5] ^= t; s[10] ^= t; s[15] ^= t; s[20] ^= t;
t = lane[0] ^ ROT64(lane[2], 1);
s[1] ^= t; s[6] ^= t; s[11] ^= t; s[16] ^= t; s[21] ^= t;
t = lane[1] ^ ROT64(lane[3], 1);
s[2] ^= t; s[7] ^= t; s[12] ^= t; s[17] ^= t; s[22] ^= t;
t = lane[2] ^ ROT64(lane[4], 1);
s[3] ^= t; s[8] ^= t; s[13] ^= t; s[18] ^= t; s[23] ^= t;
t = lane[3] ^ ROT64(lane[0], 1);
s[4] ^= t; s[9] ^= t; s[14] ^= t; s[19] ^= t; s[24] ^= t;
/* Rho */
for (i = 1; i < 25; i++) {
s[i] = ROT64(s[i], rho[i-1]);
}
/* Pi */
t = s[1];
for (i = 0; i < 24; i++) {
SWAP(s[pi[i]], t);
}
/* Chi */
lane[0] = s[0]; lane[1] = s[1]; lane[2] = s[2]; lane[3] = s[3]; lane[4] = s[4];
s[0] ^= (~lane[1]) & lane[2];
s[1] ^= (~lane[2]) & lane[3];
s[2] ^= (~lane[3]) & lane[4];
s[3] ^= (~lane[4]) & lane[0];
s[4] ^= (~lane[0]) & lane[1];
lane[0] = s[5]; lane[1] = s[6]; lane[2] = s[7]; lane[3] = s[8]; lane[4] = s[9];
s[5] ^= (~lane[1]) & lane[2];
s[6] ^= (~lane[2]) & lane[3];
s[7] ^= (~lane[3]) & lane[4];
s[8] ^= (~lane[4]) & lane[0];
s[9] ^= (~lane[0]) & lane[1];
lane[0] = s[10]; lane[1] = s[11]; lane[2] = s[12]; lane[3] = s[13]; lane[4] = s[14];
s[10] ^= (~lane[1]) & lane[2];
s[11] ^= (~lane[2]) & lane[3];
s[12] ^= (~lane[3]) & lane[4];
s[13] ^= (~lane[4]) & lane[0];
s[14] ^= (~lane[0]) & lane[1];
lane[0] = s[15]; lane[1] = s[16]; lane[2] = s[17]; lane[3] = s[18]; lane[4] = s[19];
s[15] ^= (~lane[1]) & lane[2];
s[16] ^= (~lane[2]) & lane[3];
s[17] ^= (~lane[3]) & lane[4];
s[18] ^= (~lane[4]) & lane[0];
s[19] ^= (~lane[0]) & lane[1];
lane[0] = s[20]; lane[1] = s[21]; lane[2] = s[22]; lane[3] = s[23]; lane[4] = s[24];
s[20] ^= (~lane[1]) & lane[2];
s[21] ^= (~lane[2]) & lane[3];
s[22] ^= (~lane[3]) & lane[4];
s[23] ^= (~lane[4]) & lane[0];
s[24] ^= (~lane[0]) & lane[1];
/* Iota */
s[0] ^= rc[round];
}
}
void mbedtls_sha3_init(mbedtls_sha3_context *ctx)
{
memset(ctx, 0, sizeof(mbedtls_sha3_context));
}
void mbedtls_sha3_free(mbedtls_sha3_context *ctx)
{
if (ctx == NULL) {
return;
}
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_sha3_context));
}
void mbedtls_sha3_clone(mbedtls_sha3_context *dst,
const mbedtls_sha3_context *src)
{
*dst = *src;
}
/*
* SHA-3 context setup
*/
int mbedtls_sha3_starts(mbedtls_sha3_context *ctx, mbedtls_sha3_id id)
{
mbedtls_sha3_family_functions *p = NULL;
for (p = sha3_families; p->id != MBEDTLS_SHA3_NONE; p++) {
if (p->id == id) {
break;
}
}
if (p == NULL || p->id == MBEDTLS_SHA3_NONE) {
return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
}
ctx->olen = p->olen / 8;
ctx->max_block_size = p->r / 8;
memset(ctx->state, 0, sizeof(ctx->state));
ctx->index = 0;
return 0;
}
/*
* SHA-3 process buffer
*/
int mbedtls_sha3_update(mbedtls_sha3_context *ctx,
const uint8_t *input,
size_t ilen)
{
if (ilen >= 8) {
// 8-byte align index
int align_bytes = 8 - (ctx->index % 8);
if (align_bytes) {
for (; align_bytes > 0; align_bytes--) {
ABSORB(ctx, ctx->index, *input++);
ilen--;
ctx->index++;
}
if ((ctx->index = ctx->index % ctx->max_block_size) == 0) {
keccak_f1600(ctx);
}
}
// process input in 8-byte chunks
while (ilen >= 8) {
ABSORB(ctx, ctx->index, MBEDTLS_GET_UINT64_LE(input, 0));
input += 8;
ilen -= 8;
if ((ctx->index = (ctx->index + 8) % ctx->max_block_size) == 0) {
keccak_f1600(ctx);
}
}
}
// handle remaining bytes
while (ilen-- > 0) {
ABSORB(ctx, ctx->index, *input++);
if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
keccak_f1600(ctx);
}
}
return 0;
}
int mbedtls_sha3_finish(mbedtls_sha3_context *ctx,
uint8_t *output, size_t olen)
{
/* Catch SHA-3 families, with fixed output length */
if (ctx->olen > 0) {
if (ctx->olen > olen) {
return MBEDTLS_ERR_SHA3_BAD_INPUT_DATA;
}
olen = ctx->olen;
}
ABSORB(ctx, ctx->index, XOR_BYTE);
ABSORB(ctx, ctx->max_block_size - 1, 0x80);
keccak_f1600(ctx);
ctx->index = 0;
while (olen-- > 0) {
*output++ = SQUEEZE(ctx, ctx->index);
if ((ctx->index = (ctx->index + 1) % ctx->max_block_size) == 0) {
keccak_f1600(ctx);
}
}
return 0;
}
/*
* output = SHA-3( input buffer )
*/
int mbedtls_sha3(mbedtls_sha3_id id, const uint8_t *input,
size_t ilen, uint8_t *output, size_t olen)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_sha3_context ctx;
mbedtls_sha3_init(&ctx);
/* Sanity checks are performed in every mbedtls_sha3_xxx() */
if ((ret = mbedtls_sha3_starts(&ctx, id)) != 0) {
goto exit;
}
if ((ret = mbedtls_sha3_update(&ctx, input, ilen)) != 0) {
goto exit;
}
if ((ret = mbedtls_sha3_finish(&ctx, output, olen)) != 0) {
goto exit;
}
exit:
mbedtls_sha3_free(&ctx);
return ret;
}
/**************** Self-tests ****************/
#if defined(MBEDTLS_SELF_TEST)
static const unsigned char test_data[2][4] =
{
"",
"abc",
};
static const size_t test_data_len[2] =
{
0, /* "" */
3 /* "abc" */
};
static const unsigned char test_hash_sha3_224[2][28] =
{
{ /* "" */
0x6B, 0x4E, 0x03, 0x42, 0x36, 0x67, 0xDB, 0xB7,
0x3B, 0x6E, 0x15, 0x45, 0x4F, 0x0E, 0xB1, 0xAB,
0xD4, 0x59, 0x7F, 0x9A, 0x1B, 0x07, 0x8E, 0x3F,
0x5B, 0x5A, 0x6B, 0xC7
},
{ /* "abc" */
0xE6, 0x42, 0x82, 0x4C, 0x3F, 0x8C, 0xF2, 0x4A,
0xD0, 0x92, 0x34, 0xEE, 0x7D, 0x3C, 0x76, 0x6F,
0xC9, 0xA3, 0xA5, 0x16, 0x8D, 0x0C, 0x94, 0xAD,
0x73, 0xB4, 0x6F, 0xDF
}
};
static const unsigned char test_hash_sha3_256[2][32] =
{
{ /* "" */
0xA7, 0xFF, 0xC6, 0xF8, 0xBF, 0x1E, 0xD7, 0x66,
0x51, 0xC1, 0x47, 0x56, 0xA0, 0x61, 0xD6, 0x62,
0xF5, 0x80, 0xFF, 0x4D, 0xE4, 0x3B, 0x49, 0xFA,
0x82, 0xD8, 0x0A, 0x4B, 0x80, 0xF8, 0x43, 0x4A
},
{ /* "abc" */
0x3A, 0x98, 0x5D, 0xA7, 0x4F, 0xE2, 0x25, 0xB2,
0x04, 0x5C, 0x17, 0x2D, 0x6B, 0xD3, 0x90, 0xBD,
0x85, 0x5F, 0x08, 0x6E, 0x3E, 0x9D, 0x52, 0x5B,
0x46, 0xBF, 0xE2, 0x45, 0x11, 0x43, 0x15, 0x32
}
};
static const unsigned char test_hash_sha3_384[2][48] =
{
{ /* "" */
0x0C, 0x63, 0xA7, 0x5B, 0x84, 0x5E, 0x4F, 0x7D,
0x01, 0x10, 0x7D, 0x85, 0x2E, 0x4C, 0x24, 0x85,
0xC5, 0x1A, 0x50, 0xAA, 0xAA, 0x94, 0xFC, 0x61,
0x99, 0x5E, 0x71, 0xBB, 0xEE, 0x98, 0x3A, 0x2A,
0xC3, 0x71, 0x38, 0x31, 0x26, 0x4A, 0xDB, 0x47,
0xFB, 0x6B, 0xD1, 0xE0, 0x58, 0xD5, 0xF0, 0x04
},
{ /* "abc" */
0xEC, 0x01, 0x49, 0x82, 0x88, 0x51, 0x6F, 0xC9,
0x26, 0x45, 0x9F, 0x58, 0xE2, 0xC6, 0xAD, 0x8D,
0xF9, 0xB4, 0x73, 0xCB, 0x0F, 0xC0, 0x8C, 0x25,
0x96, 0xDA, 0x7C, 0xF0, 0xE4, 0x9B, 0xE4, 0xB2,
0x98, 0xD8, 0x8C, 0xEA, 0x92, 0x7A, 0xC7, 0xF5,
0x39, 0xF1, 0xED, 0xF2, 0x28, 0x37, 0x6D, 0x25
}
};
static const unsigned char test_hash_sha3_512[2][64] =
{
{ /* "" */
0xA6, 0x9F, 0x73, 0xCC, 0xA2, 0x3A, 0x9A, 0xC5,
0xC8, 0xB5, 0x67, 0xDC, 0x18, 0x5A, 0x75, 0x6E,
0x97, 0xC9, 0x82, 0x16, 0x4F, 0xE2, 0x58, 0x59,
0xE0, 0xD1, 0xDC, 0xC1, 0x47, 0x5C, 0x80, 0xA6,
0x15, 0xB2, 0x12, 0x3A, 0xF1, 0xF5, 0xF9, 0x4C,
0x11, 0xE3, 0xE9, 0x40, 0x2C, 0x3A, 0xC5, 0x58,
0xF5, 0x00, 0x19, 0x9D, 0x95, 0xB6, 0xD3, 0xE3,
0x01, 0x75, 0x85, 0x86, 0x28, 0x1D, 0xCD, 0x26
},
{ /* "abc" */
0xB7, 0x51, 0x85, 0x0B, 0x1A, 0x57, 0x16, 0x8A,
0x56, 0x93, 0xCD, 0x92, 0x4B, 0x6B, 0x09, 0x6E,
0x08, 0xF6, 0x21, 0x82, 0x74, 0x44, 0xF7, 0x0D,
0x88, 0x4F, 0x5D, 0x02, 0x40, 0xD2, 0x71, 0x2E,
0x10, 0xE1, 0x16, 0xE9, 0x19, 0x2A, 0xF3, 0xC9,
0x1A, 0x7E, 0xC5, 0x76, 0x47, 0xE3, 0x93, 0x40,
0x57, 0x34, 0x0B, 0x4C, 0xF4, 0x08, 0xD5, 0xA5,
0x65, 0x92, 0xF8, 0x27, 0x4E, 0xEC, 0x53, 0xF0
}
};
static const unsigned char long_kat_hash_sha3_224[28] =
{
0xD6, 0x93, 0x35, 0xB9, 0x33, 0x25, 0x19, 0x2E,
0x51, 0x6A, 0x91, 0x2E, 0x6D, 0x19, 0xA1, 0x5C,
0xB5, 0x1C, 0x6E, 0xD5, 0xC1, 0x52, 0x43, 0xE7,
0xA7, 0xFD, 0x65, 0x3C
};
static const unsigned char long_kat_hash_sha3_256[32] =
{
0x5C, 0x88, 0x75, 0xAE, 0x47, 0x4A, 0x36, 0x34,
0xBA, 0x4F, 0xD5, 0x5E, 0xC8, 0x5B, 0xFF, 0xD6,
0x61, 0xF3, 0x2A, 0xCA, 0x75, 0xC6, 0xD6, 0x99,
0xD0, 0xCD, 0xCB, 0x6C, 0x11, 0x58, 0x91, 0xC1
};
static const unsigned char long_kat_hash_sha3_384[48] =
{
0xEE, 0xE9, 0xE2, 0x4D, 0x78, 0xC1, 0x85, 0x53,
0x37, 0x98, 0x34, 0x51, 0xDF, 0x97, 0xC8, 0xAD,
0x9E, 0xED, 0xF2, 0x56, 0xC6, 0x33, 0x4F, 0x8E,
0x94, 0x8D, 0x25, 0x2D, 0x5E, 0x0E, 0x76, 0x84,
0x7A, 0xA0, 0x77, 0x4D, 0xDB, 0x90, 0xA8, 0x42,
0x19, 0x0D, 0x2C, 0x55, 0x8B, 0x4B, 0x83, 0x40
};
static const unsigned char long_kat_hash_sha3_512[64] =
{
0x3C, 0x3A, 0x87, 0x6D, 0xA1, 0x40, 0x34, 0xAB,
0x60, 0x62, 0x7C, 0x07, 0x7B, 0xB9, 0x8F, 0x7E,
0x12, 0x0A, 0x2A, 0x53, 0x70, 0x21, 0x2D, 0xFF,
0xB3, 0x38, 0x5A, 0x18, 0xD4, 0xF3, 0x88, 0x59,
0xED, 0x31, 0x1D, 0x0A, 0x9D, 0x51, 0x41, 0xCE,
0x9C, 0xC5, 0xC6, 0x6E, 0xE6, 0x89, 0xB2, 0x66,
0xA8, 0xAA, 0x18, 0xAC, 0xE8, 0x28, 0x2A, 0x0E,
0x0D, 0xB5, 0x96, 0xC9, 0x0B, 0x0A, 0x7B, 0x87
};
static int mbedtls_sha3_kat_test(int verbose,
const char *type_name,
mbedtls_sha3_id id,
int test_num)
{
uint8_t hash[64];
int result;
result = mbedtls_sha3(id,
test_data[test_num], test_data_len[test_num],
hash, sizeof(hash));
if (result != 0) {
if (verbose != 0) {
mbedtls_printf(" %s test %d error code: %d\n",
type_name, test_num, result);
}
return result;
}
switch (id) {
case MBEDTLS_SHA3_224:
result = memcmp(hash, test_hash_sha3_224[test_num], 28);
break;
case MBEDTLS_SHA3_256:
result = memcmp(hash, test_hash_sha3_256[test_num], 32);
break;
case MBEDTLS_SHA3_384:
result = memcmp(hash, test_hash_sha3_384[test_num], 48);
break;
case MBEDTLS_SHA3_512:
result = memcmp(hash, test_hash_sha3_512[test_num], 64);
break;
default:
break;
}
if (0 != result) {
if (verbose != 0) {
mbedtls_printf(" %s test %d failed\n", type_name, test_num);
}
return -1;
}
if (verbose != 0) {
mbedtls_printf(" %s test %d passed\n", type_name, test_num);
}
return 0;
}
static int mbedtls_sha3_long_kat_test(int verbose,
const char *type_name,
mbedtls_sha3_id id)
{
mbedtls_sha3_context ctx;
unsigned char buffer[1000];
unsigned char hash[64];
int result = 0;
memset(buffer, 'a', 1000);
if (verbose != 0) {
mbedtls_printf(" %s long KAT test ", type_name);
}
mbedtls_sha3_init(&ctx);
result = mbedtls_sha3_starts(&ctx, id);
if (result != 0) {
if (verbose != 0) {
mbedtls_printf("setup failed\n ");
}
}
/* Process 1,000,000 (one million) 'a' characters */
for (int i = 0; i < 1000; i++) {
result = mbedtls_sha3_update(&ctx, buffer, 1000);
if (result != 0) {
if (verbose != 0) {
mbedtls_printf("update error code: %i\n", result);
}
goto cleanup;
}
}
result = mbedtls_sha3_finish(&ctx, hash, sizeof(hash));
if (result != 0) {
if (verbose != 0) {
mbedtls_printf("finish error code: %d\n", result);
}
goto cleanup;
}
switch (id) {
case MBEDTLS_SHA3_224:
result = memcmp(hash, long_kat_hash_sha3_224, 28);
break;
case MBEDTLS_SHA3_256:
result = memcmp(hash, long_kat_hash_sha3_256, 32);
break;
case MBEDTLS_SHA3_384:
result = memcmp(hash, long_kat_hash_sha3_384, 48);
break;
case MBEDTLS_SHA3_512:
result = memcmp(hash, long_kat_hash_sha3_512, 64);
break;
default:
break;
}
if (result != 0) {
if (verbose != 0) {
mbedtls_printf("failed\n");
}
}
if (verbose != 0) {
mbedtls_printf("passed\n");
}
cleanup:
mbedtls_sha3_free(&ctx);
return result;
}
int mbedtls_sha3_self_test(int verbose)
{
int i;
/* SHA-3 Known Answer Tests (KAT) */
for (i = 0; i < 2; i++) {
if (0 != mbedtls_sha3_kat_test(verbose,
"SHA3-224", MBEDTLS_SHA3_224, i)) {
return 1;
}
if (0 != mbedtls_sha3_kat_test(verbose,
"SHA3-256", MBEDTLS_SHA3_256, i)) {
return 1;
}
if (0 != mbedtls_sha3_kat_test(verbose,
"SHA3-384", MBEDTLS_SHA3_384, i)) {
return 1;
}
if (0 != mbedtls_sha3_kat_test(verbose,
"SHA3-512", MBEDTLS_SHA3_512, i)) {
return 1;
}
}
/* SHA-3 long KAT tests */
if (0 != mbedtls_sha3_long_kat_test(verbose,
"SHA3-224", MBEDTLS_SHA3_224)) {
return 1;
}
if (0 != mbedtls_sha3_long_kat_test(verbose,
"SHA3-256", MBEDTLS_SHA3_256)) {
return 1;
}
if (0 != mbedtls_sha3_long_kat_test(verbose,
"SHA3-384", MBEDTLS_SHA3_384)) {
return 1;
}
if (0 != mbedtls_sha3_long_kat_test(verbose,
"SHA3-512", MBEDTLS_SHA3_512)) {
return 1;
}
if (verbose != 0) {
mbedtls_printf("\n");
}
return 0;
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_SHA3_C */

23
library/sha512.c
View file

@ -60,6 +60,11 @@
# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
/* *INDENT-OFF* */
# ifdef __ARM_NEON
# include <arm_neon.h>
# else
# error "Target does not support NEON instructions"
# endif
/*
* Best performance comes from most recent compilers, with intrinsics and -O3.
* Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
@ -76,7 +81,16 @@
*/
# if !defined(__ARM_FEATURE_SHA512) || defined(MBEDTLS_ENABLE_ARM_SHA3_EXTENSIONS_COMPILER_FLAG)
/* Test Clang first, as it defines __GNUC__ */
# if defined(__clang__)
# if defined(__ARMCOMPILER_VERSION)
# if __ARMCOMPILER_VERSION < 6090000
# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
# elif __ARMCOMPILER_VERSION == 6090000
# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
# else
# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
# define MBEDTLS_POP_TARGET_PRAGMA
# endif
# elif defined(__clang__)
# if __clang_major__ < 7
# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
# else
@ -96,7 +110,6 @@
# endif
# endif
/* *INDENT-ON* */
# include <arm_neon.h>
# endif
# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
# if defined(__unix__)
@ -569,6 +582,8 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
SHA512_BLOCK_SIZE) ? 0 : -1;
}
#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
#if defined(MBEDTLS_POP_TARGET_PRAGMA)
#if defined(__clang__)
#pragma clang attribute pop
@ -578,8 +593,6 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
#undef MBEDTLS_POP_TARGET_PRAGMA
#endif
#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
#define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many
@ -1001,8 +1014,6 @@ static sha_test_sum_t sha512_test_sum[] =
};
#endif /* MBEDTLS_SHA512_C */
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
static int mbedtls_sha512_common_self_test(int verbose, int is384)
{
int i, buflen, ret = 0;

7
library/ssl_ciphersuites.c
View file

@ -28,6 +28,9 @@
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl.h"
#include "ssl_misc.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "md_psa.h"
#endif
#include <string.h>
@ -1966,10 +1969,10 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
return PSA_ALG_RSA_PKCS1V15_SIGN(
mbedtls_hash_info_psa_from_md(info->mac));
mbedtls_md_psa_alg_from_type(info->mac));
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
return PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(info->mac));
return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(info->mac));
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:

98
library/ssl_client.c
View file

@ -184,8 +184,8 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_SSL_ALPN */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
/*
* Function for writing a supported groups (TLS 1.3) or supported elliptic
* curves (TLS 1.2) extension.
@ -223,12 +223,15 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
* generalization of the TLS 1.2 supported elliptic curves extension. They both
* share the same extension identifier.
*
* DHE groups are not supported yet.
*/
#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
int flags,
size_t *out_len)
{
unsigned char *p = buf;
@ -255,27 +258,44 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
}
for (; *group_list != 0; group_list++) {
int propose_group = 0;
MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list));
#if defined(MBEDTLS_ECP_LIGHT)
if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) ||
(mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) &&
mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list))) {
if (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) ==
MBEDTLS_ECP_DP_NONE) {
continue;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
(mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
MBEDTLS_ECP_DP_NONE)) {
propose_group = 1;
}
#endif
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
propose_group = 1;
}
#endif
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
(mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
MBEDTLS_ECP_DP_NONE)) {
propose_group = 1;
}
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
if (propose_group) {
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
p += 2;
MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
mbedtls_ssl_get_curve_name_from_tls_id(*group_list),
mbedtls_ssl_named_group_to_str(*group_list),
*group_list));
}
#endif /* MBEDTLS_ECP_LIGHT */
/* Add DHE groups here */
}
/* Length of named_group_list */
@ -304,9 +324,8 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
return 0;
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_client_hello_cipher_suites(
@ -597,24 +616,35 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
}
#endif
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
(propose_tls13 &&
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) ||
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
(propose_tls12 && tls12_uses_ec) ||
#endif
0) {
ret = ssl_write_supported_groups_ext(ssl, p, end, &output_len);
if (ret != 0) {
return ret;
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
{
int ssl_write_supported_groups_ext_flags = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
}
#endif
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
if (propose_tls12 && tls12_uses_ec) {
ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
}
#endif
if (ssl_write_supported_groups_ext_flags != 0) {
ret = ssl_write_supported_groups_ext(ssl, p, end,
ssl_write_supported_groups_ext_flags,
&output_len);
if (ret != 0) {
return ret;
}
p += output_len;
}
p += output_len;
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if (

20
library/ssl_cookie.c
View file

@ -36,9 +36,16 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#include "md_psa.h"
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*
@ -114,7 +121,7 @@ int mbedtls_ssl_cookie_setup(mbedtls_ssl_cookie_ctx *ctx,
(void) f_rng;
(void) p_rng;
alg = mbedtls_hash_info_psa_from_md(COOKIE_MD);
alg = mbedtls_md_psa_alg_from_type(COOKIE_MD);
if (alg == 0) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -364,10 +371,7 @@ int mbedtls_ssl_cookie_check(void *p_ctx,
cur_time = ctx->serial;
#endif
cookie_time = ((unsigned long) cookie[0] << 24) |
((unsigned long) cookie[1] << 16) |
((unsigned long) cookie[2] << 8) |
((unsigned long) cookie[3]);
cookie_time = (unsigned long) MBEDTLS_GET_UINT32_BE(cookie, 0);
if (ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout) {
ret = -1;

68
library/ssl_misc.h
View file

@ -24,13 +24,14 @@
#include "mbedtls/build_info.h"
#include "mbedtls/error.h"
#include "mbedtls/ssl.h"
#include "mbedtls/cipher.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "hash_info.h"
#include "psa_util_internal.h"
#endif
#if defined(MBEDTLS_MD_CAN_MD5)
@ -55,6 +56,7 @@
#endif
#include "mbedtls/pk.h"
#include "pk_internal.h"
#include "common.h"
/* Shorthand for restartable ECC */
@ -755,15 +757,27 @@ struct mbedtls_ssl_handshake_params {
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
#endif /* MBEDTLS_ECDH_C && !MBEDTLS_USE_PSA_CRYPTO */
#if defined(PSA_WANT_ALG_ECDH) && \
#if defined(PSA_WANT_ALG_ECDH) && defined(PSA_WANT_ALG_FFDH)
#if (MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH >= MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH)
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
#else
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
#endif
#elif defined(PSA_WANT_ALG_ECDH)
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH
#else
#define SSL_XXDH_PSA_PEERKEY_SIZE MBEDTLS_PSA_MAX_FFDH_PUBKEY_LENGTH
#endif
#if (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
psa_key_type_t ecdh_psa_type;
size_t ecdh_bits;
mbedtls_svc_key_id_t ecdh_psa_privkey;
uint8_t ecdh_psa_privkey_is_external;
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t ecdh_psa_peerkey_len;
#endif /* PSA_WANT_ALG_ECDH &&
psa_key_type_t xxdh_psa_type;
size_t xxdh_bits;
mbedtls_svc_key_id_t xxdh_psa_privkey;
uint8_t xxdh_psa_privkey_is_external;
unsigned char xxdh_psa_peerkey[SSL_XXDH_PSA_PEERKEY_SIZE];
size_t xxdh_psa_peerkey_len;
#endif /* (PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH) &&
(MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@ -1553,16 +1567,16 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/**
* \brief Return PSA EC info for the specified TLS ID.
*
* \param tls_id The TLS ID to look for
* \param family If the TLD ID is supported, then proper \c psa_ecc_family_t
* \param type If the TLD ID is supported, then proper \c psa_key_type_t
* value is returned here. Can be NULL.
* \param bits If the TLD ID is supported, then proper bit size is returned
* here. Can be NULL.
@ -1575,7 +1589,7 @@ int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id
* simply to check if a specific TLS ID is supported.
*/
int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
psa_ecc_family_t *family,
psa_key_type_t *type,
size_t *bits);
/**
@ -2111,15 +2125,15 @@ int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
mbedtls_ssl_context *ssl,
uint16_t named_group,
unsigned char *buf,
unsigned char *end,
size_t *out_len);
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
#if defined(MBEDTLS_SSL_EARLY_DATA)
int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
@ -2211,7 +2225,7 @@ static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
}
static inline int mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)
static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
{
return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
@ -2244,9 +2258,15 @@ static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
return 1;
}
}
#else
((void) named_group);
#endif /* PSA_WANT_ALG_ECDH */
#endif
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
return 1;
}
#endif
#if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
(void) named_group;
#endif
return 0;
}
@ -2639,14 +2659,14 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
const mbedtls_ssl_ciphersuite_t *suite);
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t buf_len);
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
mbedtls_ssl_context *ssl, int cipher_suite)

14
library/ssl_msg.c
View file

@ -40,7 +40,7 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
#endif
@ -49,9 +49,15 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl);

12
library/ssl_ticket.c
View file

@ -31,9 +31,15 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/*

562
library/ssl_tls.c
View file

@ -41,7 +41,8 @@
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
#endif
@ -50,12 +51,15 @@
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#define PSA_TO_MD_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_md_errors, \
psa_generic_status_to_mbedtls)
/* Define local translating functions to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#if defined(MBEDTLS_TEST_HOOKS)
@ -747,8 +751,6 @@ void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a)))
static const char *ticket_flag_name_table[] =
{
[0] = "ALLOW_PSK_RESUMPTION",
@ -843,11 +845,11 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
#else
mbedtls_md_free(&ssl->handshake->fin_sha256);
@ -868,11 +870,11 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
#else
mbedtls_md_free(&ssl->handshake->fin_sha384);
@ -910,7 +912,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
#else
ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
@ -923,7 +925,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
if (status != PSA_SUCCESS) {
return PSA_TO_MD_ERR(status);
return mbedtls_md_error_from_psa(status);
}
#else
ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
@ -940,8 +942,8 @@ static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
return PSA_TO_MD_ERR(psa_hash_update(
&ssl->handshake->fin_sha256_psa, buf, len));
return mbedtls_md_error_from_psa(psa_hash_update(
&ssl->handshake->fin_sha256_psa, buf, len));
#else
return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
#endif
@ -953,8 +955,8 @@ static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
return PSA_TO_MD_ERR(psa_hash_update(
&ssl->handshake->fin_sha384_psa, buf, len));
return mbedtls_md_error_from_psa(psa_hash_update(
&ssl->handshake->fin_sha384_psa, buf, len));
#else
return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
#endif
@ -1148,15 +1150,14 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
* mbedtls_ssl_conf_curves returns void and so can't return
* any error codes.
*/
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/* Heap allocate and translate curve_list from internal to IANA group ids */
if (ssl->conf->curve_list != NULL) {
size_t length;
const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE) &&
(length < MBEDTLS_ECP_DP_MAX); length++) {
for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
}
/* Leave room for zero termination */
@ -1184,7 +1185,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
ssl->handshake->group_list_heap_allocated = 0;
}
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -2923,7 +2924,7 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/*
* Set the allowed elliptic curves
@ -2940,7 +2941,7 @@ void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
conf->group_list = NULL;
}
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/*
* Set the allowed groups
@ -2948,7 +2949,7 @@ void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
const uint16_t *group_list)
{
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->curve_list = NULL;
#endif
conf->group_list = group_list;
@ -4083,14 +4084,14 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
return;
}
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
if (ssl->handshake->group_list_heap_allocated) {
mbedtls_free((void *) handshake->group_list);
}
handshake->group_list = NULL;
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
@ -4215,12 +4216,13 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
mbedtls_ssl_buffering_free(ssl);
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(PSA_WANT_ALG_ECDH) && \
#if (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
if (handshake->ecdh_psa_privkey_is_external == 0) {
psa_destroy_key(handshake->ecdh_psa_privkey);
if (handshake->xxdh_psa_privkey_is_external == 0) {
psa_destroy_key(handshake->xxdh_psa_privkey);
}
#endif /* PSA_WANT_ALG_ECDH && (MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
#endif /* (PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH) &&
(MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3) */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_transform_free(handshake->transform_handshake);
@ -4613,10 +4615,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
session_len = ((size_t) p[0] << 24) |
((size_t) p[1] << 16) |
((size_t) p[2] << 8) |
((size_t) p[3]);
session_len = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
/* This has been allocated by ssl_handshake_init(), called by
@ -4711,10 +4710,7 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
ssl->badmac_seen = ((uint32_t) p[0] << 24) |
((uint32_t) p[1] << 16) |
((uint32_t) p[2] << 8) |
((uint32_t) p[3]);
ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
@ -4722,24 +4718,10 @@ static int ssl_context_load(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
ssl->in_window_top = ((uint64_t) p[0] << 56) |
((uint64_t) p[1] << 48) |
((uint64_t) p[2] << 40) |
((uint64_t) p[3] << 32) |
((uint64_t) p[4] << 24) |
((uint64_t) p[5] << 16) |
((uint64_t) p[6] << 8) |
((uint64_t) p[7]);
ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
ssl->in_window = ((uint64_t) p[0] << 56) |
((uint64_t) p[1] << 48) |
((uint64_t) p[2] << 40) |
((uint64_t) p[3] << 32) |
((uint64_t) p[4] << 24) |
((uint64_t) p[5] << 16) |
((uint64_t) p[6] << 8) |
((uint64_t) p[7]);
ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
@ -4969,6 +4951,13 @@ static uint16_t ssl_preset_default_groups[] = {
#endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
#endif
#if defined(PSA_WANT_ALG_FFDH)
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
#endif
MBEDTLS_SSL_IANA_TLS_GROUP_NONE
};
@ -5337,7 +5326,7 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
conf->sig_algs = ssl_preset_suiteb_sig_algs;
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->curve_list = NULL;
#endif
conf->group_list = ssl_preset_suiteb_groups;
@ -5363,7 +5352,7 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
conf->sig_algs = ssl_preset_default_sig_algs;
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->curve_list = NULL;
#endif
conf->group_list = ssl_preset_default_groups;
@ -5555,7 +5544,7 @@ int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_
return -1;
}
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/*
* Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
*/
@ -5569,72 +5558,65 @@ int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id
return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
}
#endif /* MBEDTLS_ECP_LIGHT */
#if defined(MBEDTLS_DEBUG_C)
#define EC_NAME(_name_) _name_
#else
#define EC_NAME(_name_) NULL
#endif
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
static const struct {
uint16_t tls_id;
mbedtls_ecp_group_id ecp_group_id;
psa_ecc_family_t psa_family;
uint16_t bits;
const char *name;
} tls_id_match_table[] =
{
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
{ 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521, EC_NAME("secp521r1") },
{ 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
#endif
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
{ 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, EC_NAME("brainpoolP512r1") },
{ 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
{ 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384, EC_NAME("secp384r1") },
{ 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
#endif
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
{ 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, EC_NAME("brainpoolP384r1") },
{ 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
{ 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256, EC_NAME("secp256r1") },
{ 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
{ 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256, EC_NAME("secp256k1") },
{ 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
#endif
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
{ 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, EC_NAME("brainpoolP256r1") },
{ 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
{ 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224, EC_NAME("secp224r1") },
{ 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
{ 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224, EC_NAME("secp224k1") },
{ 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
{ 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192, EC_NAME("secp192r1") },
{ 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
#endif
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
{ 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192, EC_NAME("secp192k1") },
{ 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
#endif
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
{ 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255, EC_NAME("x25519") },
{ 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
#endif
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
{ 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448, EC_NAME("x448") },
{ 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
#endif
{ 0, MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
{ 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
};
int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
psa_ecc_family_t *family,
psa_key_type_t *type,
size_t *bits)
{
for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
if (tls_id_match_table[i].tls_id == tls_id) {
if (family != NULL) {
*family = tls_id_match_table[i].psa_family;
if (type != NULL) {
*type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
}
if (bits != NULL) {
*bits = tls_id_match_table[i].bits;
@ -5670,11 +5652,32 @@ uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
}
#if defined(MBEDTLS_DEBUG_C)
static const struct {
uint16_t tls_id;
const char *name;
} tls_id_curve_name_table[] =
{
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
{ MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
{ 0, NULL },
};
const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
{
for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
if (tls_id_match_table[i].tls_id == tls_id) {
return tls_id_match_table[i].name;
for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
if (tls_id_curve_name_table[i].tls_id == tls_id) {
return tls_id_curve_name_table[i].name;
}
}
@ -6620,64 +6623,89 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
const psa_hash_operation_t *hs_op,
size_t buffer_size,
unsigned char *hash,
size_t *hlen)
{
psa_status_t status;
psa_hash_operation_t cloned_op = psa_hash_operation_init();
#if !defined(MBEDTLS_DEBUG_C)
(void) ssl;
#endif
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
status = psa_hash_clone(hs_op, &cloned_op);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
if (status != PSA_SUCCESS) {
goto exit;
}
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
exit:
psa_hash_abort(&cloned_op);
return mbedtls_md_error_from_psa(status);
}
#else
static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
const mbedtls_md_context_t *hs_ctx,
unsigned char *hash,
size_t *hlen)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t cloned_ctx;
mbedtls_md_init(&cloned_ctx);
#if !defined(MBEDTLS_DEBUG_C)
(void) ssl;
#endif
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_finish(&cloned_ctx, hash);
if (ret != 0) {
goto exit;
}
*hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
exit:
mbedtls_md_free(&cloned_ctx);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_MD_CAN_SHA256)
int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
unsigned char *hash,
size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
psa_status_t status;
psa_hash_operation_t sha256_psa = psa_hash_operation_init();
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
*hlen = 32;
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
exit:
psa_hash_abort(&sha256_psa);
return PSA_TO_MD_ERR(status);
return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
hash, hlen);
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha256;
mbedtls_md_init(&sha256);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_finish(&sha256, hash);
if (ret != 0) {
goto exit;
}
*hlen = 32;
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
exit:
mbedtls_md_free(&sha256);
return ret;
return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_MD_CAN_SHA256 */
@ -6688,58 +6716,11 @@ int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
psa_status_t status;
psa_hash_operation_t sha384_psa = psa_hash_operation_init();
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
*hlen = 48;
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
exit:
psa_hash_abort(&sha384_psa);
return PSA_TO_MD_ERR(status);
return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
hash, hlen);
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha384;
mbedtls_md_init(&sha384);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_finish(&sha384, hash);
if (ret != 0) {
goto exit;
}
*hlen = 48;
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
exit:
mbedtls_md_free(&sha384);
return ret;
return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_MD_CAN_SHA384 */
@ -7377,7 +7358,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
* Secondary checks: always done, but change 'ret' only if it was 0
*/
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
{
const mbedtls_pk_context *pk = &chain->pk;
@ -7388,13 +7369,12 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* and in the unlikely case the above assumption no longer holds
* we are making sure that pk_ec() here does not return a NULL
*/
const mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
if (ec == NULL) {
MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec() returned NULL"));
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
if (mbedtls_ssl_check_curve(ssl, ec->grp.id) != 0) {
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
ssl->session_negotiate->verify_result |=
MBEDTLS_X509_BADCERT_BAD_KEY;
@ -7405,7 +7385,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
}
}
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
if (mbedtls_ssl_check_cert_usage(chain,
ciphersuite_info,
@ -7682,20 +7662,22 @@ exit:
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_MD_CAN_SHA256)
static int ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
unsigned char *padbuf, size_t hlen,
unsigned char *buf, int from)
{
int len = 12;
const char *sender;
unsigned char padbuf[32];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
psa_hash_operation_t *hs_op = ctx;
psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
size_t hash_size;
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha256;
mbedtls_md_context_t *hs_ctx = ctx;
mbedtls_md_context_t cloned_ctx;
mbedtls_md_init(&cloned_ctx);
#endif
mbedtls_ssl_session *session = ssl->session_negotiate;
@ -7708,67 +7690,76 @@ static int ssl_calc_finished_tls_sha256(
: "server finished";
#if defined(MBEDTLS_USE_PSA_CRYPTO)
sha256_psa = psa_hash_operation_init();
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256"));
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
status = psa_hash_clone(hs_op, &cloned_op);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
#else
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
mbedtls_md_init(&sha256);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256"));
ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_finish(&cloned_ctx, padbuf);
if (ret != 0) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
/*
* TLSv1.2:
* hash = PRF( master, finished_label,
* Hash( handshake ) )[0.11]
*/
ret = mbedtls_md_finish(&sha256, padbuf);
if (ret != 0) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 output", padbuf, 32);
ssl->handshake->tls_prf(session->master, 48, sender,
padbuf, 32, buf, len);
padbuf, hlen, buf, len);
MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&sha256_psa);
return PSA_TO_MD_ERR(status);
psa_hash_abort(&cloned_op);
return mbedtls_md_error_from_psa(status);
#else
mbedtls_md_free(&sha256);
mbedtls_md_free(&cloned_ctx);
return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_MD_CAN_SHA256)
static int ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
unsigned char padbuf[32];
return ssl_calc_finished_tls_generic(ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
&ssl->handshake->fin_sha256_psa,
#else
&ssl->handshake->fin_sha256,
#endif
padbuf, sizeof(padbuf),
buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHA256*/
@ -7776,87 +7767,15 @@ exit:
static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
int len = 12;
const char *sender;
unsigned char padbuf[48];
return ssl_calc_finished_tls_generic(ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
&ssl->handshake->fin_sha384_psa,
#else
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_context_t sha384;
&ssl->handshake->fin_sha384,
#endif
mbedtls_ssl_session *session = ssl->session_negotiate;
if (!session) {
session = ssl->session;
}
sender = (from == MBEDTLS_SSL_IS_CLIENT)
? "client finished"
: "server finished";
#if defined(MBEDTLS_USE_PSA_CRYPTO)
sha384_psa = psa_hash_operation_init();
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384"));
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
if (status != PSA_SUCCESS) {
goto exit;
}
status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
if (status != PSA_SUCCESS) {
goto exit;
}
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
#else
mbedtls_md_init(&sha384);
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384"));
ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
if (ret != 0) {
goto exit;
}
ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
if (ret != 0) {
goto exit;
}
/*
* TLSv1.2:
* hash = PRF( master, finished_label,
* Hash( handshake ) )[0.11]
*/
ret = mbedtls_md_finish(&sha384, padbuf);
if (ret != 0) {
goto exit;
}
#endif
MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 output", padbuf, 48);
ssl->handshake->tls_prf(session->master, 48, sender,
padbuf, 48, buf, len);
MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&sha384_psa);
return PSA_TO_MD_ERR(status);
#else
mbedtls_md_free(&sha384);
return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
padbuf, sizeof(padbuf),
buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHA384*/
@ -8314,9 +8233,9 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mac_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
mac_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
if (mac_alg == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_info_psa_from_md for %u not found",
MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
(unsigned) ciphersuite_info->mac));
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
@ -8418,7 +8337,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
#else
size_t block_size = cipher_info->block_size;
size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -8441,7 +8360,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
#else
transform->ivlen = cipher_info->iv_size;
transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Minimum length */
@ -8763,7 +8682,7 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
{
psa_status_t status;
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
@ -8892,7 +8811,7 @@ unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
psa_algorithm_t psa_hash_alg =
mbedtls_hash_info_psa_from_md(hash_alg_received);
mbedtls_md_psa_alg_from_type(hash_alg_received);
if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
!mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
@ -9102,14 +9021,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
start = ((uint64_t) p[0] << 56) |
((uint64_t) p[1] << 48) |
((uint64_t) p[2] << 40) |
((uint64_t) p[3] << 32) |
((uint64_t) p[4] << 24) |
((uint64_t) p[5] << 16) |
((uint64_t) p[6] << 8) |
((uint64_t) p[7]);
start = MBEDTLS_GET_UINT64_BE(p, 0);
p += 8;
session->start = (time_t) start;
@ -9132,10 +9044,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
memcpy(session->master, p, 48);
p += 48;
session->verify_result = ((uint32_t) p[0] << 24) |
((uint32_t) p[1] << 16) |
((uint32_t) p[2] << 8) |
((uint32_t) p[3]);
session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
/* Immediately clear invalid pointer values that have been read, in case
@ -9254,10 +9163,7 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
session->ticket_lifetime = ((uint32_t) p[0] << 24) |
((uint32_t) p[1] << 16) |
((uint32_t) p[2] << 8) |
((uint32_t) p[3]);
session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
p += 4;
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */

126
library/ssl_tls12_client.c
View file

@ -31,11 +31,19 @@
#include "mbedtls/constant_time.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "psa/crypto.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
@ -50,8 +58,6 @@
#include "mbedtls/platform_util.h"
#endif
#include "hash_info.h"
#if defined(MBEDTLS_SSL_RENEGOTIATION)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
@ -1714,7 +1720,7 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
uint16_t tls_id;
uint8_t ecpoint_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_ecc_family_t ec_psa_family = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
size_t ec_bits = 0;
/*
@ -1751,12 +1757,12 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
}
/* Convert EC's TLS ID to PSA key type. */
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ec_psa_family,
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
&ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
handshake->ecdh_bits = ec_bits;
handshake->xxdh_psa_type = key_type;
handshake->xxdh_bits = ec_bits;
/* Keep a copy of the peer's public key */
ecpoint_len = *(*p)++;
@ -1764,12 +1770,21 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
the sizes of the FFDH keys which are at least 2048 bits.
The size of the array is thus greater than 256 bytes which is greater than any
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
#if !defined(PSA_WANT_ALG_FFDH)
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#else
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
"peer key buffer too small");
#endif
memcpy(handshake->ecdh_psa_peerkey, *p, ecpoint_len);
handshake->ecdh_psa_peerkey_len = ecpoint_len;
memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
handshake->xxdh_psa_peerkey_len = ecpoint_len;
*p += ecpoint_len;
return 0;
@ -1986,7 +2001,6 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_ecp_keypair *peer_key;
mbedtls_pk_context *peer_pk;
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
@ -2007,45 +2021,53 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
peer_key = mbedtls_pk_ec(*peer_pk);
#if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_keypair *peer_key = mbedtls_pk_ec_ro(*peer_pk);
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t olen = 0;
uint16_t tls_id = 0;
psa_ecc_family_t ecc_family;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
if (mbedtls_ssl_check_curve(ssl, peer_key->grp.id) != 0) {
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(peer_key->grp.id);
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not suported",
peer_key->grp.id));
grp_id));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
/* If the above conversion to TLS ID was fine, then also this one will be,
so there is no need to check the return value here */
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family,
&ssl->handshake->ecdh_bits);
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
&ssl->handshake->xxdh_bits);
ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family);
ssl->handshake->xxdh_psa_type = key_type;
/* Store peer's public key in psa format. */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len);
ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len;
ret = 0;
#else /* MBEDTLS_PK_USE_PSA_EC_DATA */
size_t olen = 0;
ret = mbedtls_ecp_point_write_binary(&peer_key->grp, &peer_key->Q,
MBEDTLS_ECP_PF_UNCOMPRESSED, &olen,
ssl->handshake->ecdh_psa_peerkey,
ssl->handshake->xxdh_psa_peerkey,
MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecp_point_write_binary"), ret);
return ret;
}
ssl->handshake->ecdh_psa_peerkey_len = olen;
#else
ssl->handshake->xxdh_psa_peerkey_len = olen;
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
#else /* MBEDTLS_USE_PSA_CRYPTO */
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
MBEDTLS_ECDH_THEIRS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
@ -2056,7 +2078,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it,
* so that more RAM is available for upcoming expensive
@ -2284,7 +2306,7 @@ start_processing:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
size_t sig_len, hashlen;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
@ -2401,7 +2423,7 @@ start_processing:
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
rsassa_pss_options.mgf1_hash_id = md_alg;
rsassa_pss_options.expected_salt_len =
mbedtls_hash_info_get_size(md_alg);
mbedtls_md_get_size_from_type(md_alg);
if (rsassa_pss_options.expected_salt_len == 0) {
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
@ -2773,12 +2795,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
/* Generate ECDH private key. */
status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey);
&handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
@ -2791,12 +2813,12 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
size_t own_pubkey_len;
status = psa_export_public_key(handshake->ecdh_psa_privkey,
status = psa_export_public_key(handshake->xxdh_psa_privkey,
own_pubkey, own_pubkey_max_len,
&own_pubkey_len);
if (status != PSA_SUCCESS) {
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
}
@ -2807,15 +2829,15 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
/* Compute ECDH shared secret. */
status = psa_raw_key_agreement(PSA_ALG_ECDH,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
handshake->xxdh_psa_privkey,
handshake->xxdh_psa_peerkey,
handshake->xxdh_psa_peerkey_len,
ssl->handshake->premaster,
sizeof(ssl->handshake->premaster),
&ssl->handshake->pmslen);
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
@ -2945,12 +2967,12 @@ ecdh_calc_secret:
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
/* Generate ECDH private key. */
status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey);
&handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);
}
@ -2963,12 +2985,12 @@ ecdh_calc_secret:
size_t own_pubkey_max_len = (size_t) (end - own_pubkey);
size_t own_pubkey_len = 0;
status = psa_export_public_key(handshake->ecdh_psa_privkey,
status = psa_export_public_key(handshake->xxdh_psa_privkey,
own_pubkey, own_pubkey_max_len,
&own_pubkey_len);
if (status != PSA_SUCCESS) {
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return PSA_TO_MBEDTLS_ERR(status);
}
@ -2990,15 +3012,15 @@ ecdh_calc_secret:
/* Perform ECDH computation after the uint16 reserved for the length */
status = psa_raw_key_agreement(PSA_ALG_ECDH,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
handshake->xxdh_psa_privkey,
handshake->xxdh_psa_peerkey,
handshake->xxdh_psa_peerkey_len,
pms + zlen_size,
pms_end - (pms + zlen_size),
&zlen);
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
if (status != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);

179
library/ssl_tls12_server.c
View file

@ -30,14 +30,22 @@
#include "mbedtls/platform_util.h"
#include "constant_time_internal.h"
#include "mbedtls/constant_time.h"
#include "hash_info.h"
#include <string.h>
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
#endif
#if defined(MBEDTLS_ECP_C)
@ -179,7 +187,6 @@ static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
* generalization of the TLS 1.2 supported elliptic curves extension. They both
* share the same extension identifier.
*
* DHE groups are not supported yet.
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
@ -666,7 +673,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
uint16_t *curves_tls_id)
{
uint16_t *curr_tls_id = curves_tls_id;
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id;
mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id;
mbedtls_ecp_group_id curr_grp_id;
while (*curr_tls_id != 0) {
@ -1088,9 +1095,7 @@ read_record_header:
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
/* This couldn't be done in ssl_prepare_handshake_record() */
unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
ssl->in_msg[5];
unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
if (cli_msg_seq != ssl->handshake->in_msg_seq) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message_seq: "
"%u (expected %u)", cli_msg_seq,
@ -1102,8 +1107,7 @@ read_record_header:
} else
#endif
{
unsigned int cli_msg_seq = (ssl->in_msg[4] << 8) |
ssl->in_msg[5];
unsigned int cli_msg_seq = (unsigned int) MBEDTLS_GET_UINT16_BE(ssl->in_msg, 4);
ssl->handshake->out_msg_seq = cli_msg_seq;
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
}
@ -2593,14 +2597,17 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
unsigned char buf[
PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint16_t tls_id = 0;
psa_ecc_family_t ecc_family;
size_t key_len;
mbedtls_pk_context *pk;
mbedtls_pk_type_t pk_type;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
size_t key_len;
mbedtls_ecp_group_id grp_id;
unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
mbedtls_ecp_keypair *key;
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
pk = mbedtls_ssl_own_key(ssl);
@ -2608,40 +2615,48 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
switch (mbedtls_pk_get_type(pk)) {
pk_type = mbedtls_pk_get_type(pk);
switch (pk_type) {
case MBEDTLS_PK_OPAQUE:
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
ssl->handshake->ecdh_psa_privkey = pk->priv_id;
ssl->handshake->xxdh_psa_privkey = pk->priv_id;
/* Key should not be destroyed in the TLS library */
ssl->handshake->ecdh_psa_privkey_is_external = 1;
ssl->handshake->xxdh_psa_privkey_is_external = 1;
status = psa_get_key_attributes(ssl->handshake->ecdh_psa_privkey,
status = psa_get_key_attributes(ssl->handshake->xxdh_psa_privkey,
&key_attributes);
if (status != PSA_SUCCESS) {
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return PSA_TO_MBEDTLS_ERR(status);
}
ssl->handshake->ecdh_psa_type = psa_get_key_type(&key_attributes);
ssl->handshake->ecdh_bits = psa_get_key_bits(&key_attributes);
ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
ssl->handshake->xxdh_bits = psa_get_key_bits(&key_attributes);
psa_reset_key_attributes(&key_attributes);
ret = 0;
break;
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
case MBEDTLS_PK_ECKEY:
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
key = mbedtls_pk_ec(*pk);
if (key == NULL) {
key = mbedtls_pk_ec_rw(*pk);
grp_id = mbedtls_pk_get_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(key->grp.id);
tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
if (tls_id == 0) {
/* This elliptic curve is not supported */
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@ -2649,40 +2664,41 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
/* If the above conversion to TLS ID was fine, then also this one will
be, so there is no need to check the return value here */
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &ecc_family,
&ssl->handshake->ecdh_bits);
mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type,
&ssl->handshake->xxdh_bits);
ssl->handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family);
ssl->handshake->xxdh_psa_type = key_type;
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
psa_set_key_type(&key_attributes,
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->ecdh_psa_type));
psa_set_key_bits(&key_attributes, ssl->handshake->ecdh_bits);
PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type));
psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_bits);
key_len = PSA_BITS_TO_BYTES(key->grp.pbits);
ret = mbedtls_ecp_write_key(key, buf, key_len);
if (ret != 0) {
goto cleanup;
mbedtls_platform_zeroize(buf, sizeof(buf));
break;
}
status = psa_import_key(&key_attributes, buf, key_len,
&ssl->handshake->ecdh_psa_privkey);
&ssl->handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
goto cleanup;
mbedtls_platform_zeroize(buf, sizeof(buf));
break;
}
mbedtls_platform_zeroize(buf, sizeof(buf));
ret = 0;
break;
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
default:
ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
}
cleanup:
mbedtls_platform_zeroize(buf, sizeof(buf));
return ret;
}
#elif defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
@ -2704,7 +2720,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
}
if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx,
mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)),
mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)),
MBEDTLS_ECDH_OURS)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
return ret;
@ -2953,26 +2969,26 @@ curve_matching_done:
const size_t header_size = 4; // curve_type(1), namedcurve(2),
// data length(1)
const size_t data_length_size = 1;
psa_ecc_family_t ec_psa_family = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
size_t ec_bits = 0;
MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
/* Convert EC's TLS ID to PSA key type. */
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(*curr_tls_id,
&ec_psa_family,
&key_type,
&ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ecc group parse."));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
handshake->ecdh_bits = ec_bits;
handshake->xxdh_psa_type = key_type;
handshake->xxdh_bits = ec_bits;
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
/*
* ECParameters curve_params
@ -2989,7 +3005,7 @@ curve_matching_done:
/* Generate ECDH private key. */
status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey);
&handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
@ -3011,14 +3027,14 @@ curve_matching_done:
size_t own_pubkey_max_len = (size_t) (MBEDTLS_SSL_OUT_CONTENT_LEN
- (own_pubkey - ssl->out_msg));
status = psa_export_public_key(handshake->ecdh_psa_privkey,
status = psa_export_public_key(handshake->xxdh_psa_privkey,
own_pubkey, own_pubkey_max_len,
&len);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
(void) psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
(void) psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return ret;
}
@ -3073,7 +3089,7 @@ curve_matching_done:
size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
size_t hashlen = 0;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -3713,27 +3729,27 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
}
/* Store peer's ECDH public key. */
memcpy(handshake->ecdh_psa_peerkey, p, data_len);
handshake->ecdh_psa_peerkey_len = data_len;
memcpy(handshake->xxdh_psa_peerkey, p, data_len);
handshake->xxdh_psa_peerkey_len = data_len;
/* Compute ECDH shared secret. */
status = psa_raw_key_agreement(
PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
PSA_ALG_ECDH, handshake->xxdh_psa_privkey,
handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
handshake->premaster, sizeof(handshake->premaster),
&handshake->pmslen);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
if (handshake->ecdh_psa_privkey_is_external == 0) {
(void) psa_destroy_key(handshake->ecdh_psa_privkey);
if (handshake->xxdh_psa_privkey_is_external == 0) {
(void) psa_destroy_key(handshake->xxdh_psa_privkey);
}
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return ret;
}
if (handshake->ecdh_psa_privkey_is_external == 0) {
status = psa_destroy_key(handshake->ecdh_psa_privkey);
if (handshake->xxdh_psa_privkey_is_external == 0) {
status = psa_destroy_key(handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
@ -3741,7 +3757,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
return ret;
}
}
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#else
if ((ret = mbedtls_ecdh_read_public(&ssl->handshake->ecdh_ctx,
p, end - p)) != 0) {
@ -3874,33 +3890,42 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, ("ssl_parse_client_psk_identity"), ret);
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return ret;
}
/* Keep a copy of the peer's public key */
if (p >= end) {
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
ecpoint_len = *(p++);
if ((size_t) (end - p) < ecpoint_len) {
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
if (ecpoint_len > sizeof(handshake->ecdh_psa_peerkey)) {
psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
/* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
the sizes of the FFDH keys which are at least 2048 bits.
The size of the array is thus greater than 256 bytes which is greater than any
possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
#if !defined(PSA_WANT_ALG_FFDH)
if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#else
MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX,
"peer key buffer too small");
#endif
memcpy(handshake->ecdh_psa_peerkey, p, ecpoint_len);
handshake->ecdh_psa_peerkey_len = ecpoint_len;
memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
handshake->xxdh_psa_peerkey_len = ecpoint_len;
p += ecpoint_len;
/* As RFC 5489 section 2, the premaster secret is formed as follows:
@ -3918,15 +3943,15 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
/* Compute ECDH shared secret. */
status = psa_raw_key_agreement(PSA_ALG_ECDH,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
handshake->xxdh_psa_privkey,
handshake->xxdh_psa_peerkey,
handshake->xxdh_psa_peerkey_len,
psm + zlen_size,
psm_end - (psm + zlen_size),
&zlen);
destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
destruction_status = psa_destroy_key(handshake->xxdh_psa_privkey);
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
if (status != PSA_SUCCESS) {
return PSA_TO_MBEDTLS_ERR(status);

114
library/ssl_tls13_client.c
View file

@ -33,10 +33,19 @@
#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
#include "md_psa.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
/* Write extensions */
@ -185,23 +194,24 @@ static int ssl_tls13_reset_key_share(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id)) {
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
/* Destroy generated private key. */
status = psa_destroy_key(ssl->handshake->ecdh_psa_privkey);
status = psa_destroy_key(ssl->handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
return ret;
}
ssl->handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
ssl->handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
return 0;
} else
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
if (0 /* other KEMs? */) {
/* Do something */
}
@ -220,7 +230,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
/* Pick first available ECDHE group compatible with TLS 1.3 */
if (group_list == NULL) {
@ -228,22 +238,25 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
}
for (; *group_list != 0; group_list++) {
#if defined(PSA_WANT_ALG_ECDH)
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
*group_list, NULL, NULL) == PSA_SUCCESS) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
*group_id = *group_list;
return 0;
}
#endif
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
*group_id = *group_list;
return 0;
}
#endif
}
#else
((void) ssl);
((void) group_id);
#endif /* PSA_WANT_ALG_ECDH */
/*
* Add DHE named groups here.
* Pick first available DHE group compatible with TLS 1.3
*/
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
return ret;
}
@ -288,7 +301,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
/* HRR could already have requested something else. */
group_id = ssl->handshake->offered_group_id;
if (!mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) &&
!mbedtls_ssl_tls13_named_group_is_dhe(group_id)) {
!mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
MBEDTLS_SSL_PROC_CHK(ssl_tls13_get_default_group_id(ssl,
&group_id));
}
@ -302,8 +315,9 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
* only one key share entry is allowed.
*/
client_shares = p;
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id)) {
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group_id) ||
mbedtls_ssl_tls13_named_group_is_ffdh(group_id)) {
/* Pointer to group */
unsigned char *group = p;
/* Length of key_exchange */
@ -315,7 +329,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
*/
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
p += 4;
ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
ssl, group_id, p, end, &key_exchange_len);
p += key_exchange_len;
if (ret != 0) {
@ -327,7 +341,7 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
/* Write key_exchange_length */
MBEDTLS_PUT_UINT16_BE(key_exchange_len, group, 2);
} else
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
if (0 /* other KEMs? */) {
/* Do something */
} else {
@ -377,7 +391,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end)
{
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
const unsigned char *p = buf;
int selected_group;
int found = 0;
@ -404,15 +418,22 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
* then the client MUST abort the handshake with an "illegal_parameter" alert.
*/
for (; *group_list != 0; group_list++) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
*group_list != selected_group) {
continue;
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
*group_list != selected_group) {
found = 1;
break;
}
}
/* We found a match */
found = 1;
break;
#endif /* PSA_WANT_ALG_ECDH */
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ffdh(*group_list)) {
found = 1;
break;
}
#endif /* PSA_WANT_ALG_FFDH */
}
/* Client MUST verify that the selected_group field does not
@ -434,12 +455,12 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
ssl->handshake->offered_group_id = selected_group;
return 0;
#else
#else /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
(void) ssl;
(void) buf;
(void) end;
return MBEDTLS_ERR_SSL_BAD_CONFIG;
#endif
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
}
/*
@ -482,24 +503,17 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(group, NULL, NULL)
== PSA_ERROR_NOT_SUPPORTED) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid TLS curve group id"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(
2,
("ECDH curve: %s", mbedtls_ssl_get_curve_name_from_tls_id(group)));
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
MBEDTLS_SSL_DEBUG_MSG(2,
("DHE group name: %s", mbedtls_ssl_named_group_to_str(group)));
ret = mbedtls_ssl_tls13_read_public_xxdhe_share(ssl, p, end - p);
if (ret != 0) {
return ret;
}
} else
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
if (0 /* other KEMs? */) {
/* Do something */
} else {
@ -672,7 +686,7 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
if (ciphersuite_info != NULL) {
return mbedtls_psa_translate_md(ciphersuite_info->mac);
return mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
}
return PSA_ALG_NONE;
@ -850,7 +864,7 @@ static int ssl_tls13_write_binder(mbedtls_ssl_context *ssl,
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
ssl, mbedtls_hash_info_md_from_psa(hash_alg),
ssl, mbedtls_md_type_from_psa_alg(hash_alg),
transcript, sizeof(transcript), &transcript_len);
if (ret != 0) {
return ret;
@ -1126,7 +1140,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
return ret;
}
if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac)
if (mbedtls_md_psa_alg_from_type(ssl->handshake->ciphersuite_info->mac)
!= hash_alg) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("Invalid ciphersuite for external psk."));
@ -1696,7 +1710,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
cipher_suite, ciphersuite_info->name));
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = time(NULL);
ssl->session_negotiate->start = mbedtls_time(NULL);
#endif /* MBEDTLS_HAVE_TIME */
/* ...
@ -2844,7 +2858,7 @@ static int ssl_tls13_postprocess_new_session_ticket(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);
psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_length = PSA_HASH_LENGTH(psa_hash_alg);
if (hash_length == -1 ||
(size_t) hash_length > sizeof(session->resumption_key)) {

113
library/ssl_tls13_generic.c
View file

@ -29,7 +29,7 @@
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "md_psa.h"
#include "ssl_misc.h"
#include "ssl_tls13_invasive.h"
@ -37,11 +37,20 @@
#include "ssl_debug_helpers.h"
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) || \
defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#endif
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
@ -274,7 +283,7 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
goto error;
}
hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (hash_alg == 0) {
goto error;
}
@ -1076,7 +1085,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
}
/* Hash verify buffer with indicated hash function */
psa_algorithm = mbedtls_hash_info_psa_from_md(md_alg);
psa_algorithm = mbedtls_md_psa_alg_from_type(md_alg);
status = psa_hash_compute(psa_algorithm,
verify_buffer,
verify_buffer_len,
@ -1488,9 +1497,9 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
return ret;
}
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t buf_len)
{
@ -1507,13 +1516,42 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, peerkey_len);
/* Store peer's ECDH public key. */
memcpy(handshake->ecdh_psa_peerkey, p, peerkey_len);
handshake->ecdh_psa_peerkey_len = peerkey_len;
memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);
handshake->xxdh_psa_peerkey_len = peerkey_len;
return 0;
}
int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
static psa_status_t mbedtls_ssl_get_psa_ffdh_info_from_tls_id(
uint16_t tls_id, size_t *bits, psa_key_type_t *key_type)
{
switch (tls_id) {
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048:
*bits = 2048;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072:
*bits = 3072;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096:
*bits = 4096;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144:
*bits = 6144;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
case MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192:
*bits = 8192;
*key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919);
return PSA_SUCCESS;
default:
return PSA_ERROR_NOT_SUPPORTED;
}
}
int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
mbedtls_ssl_context *ssl,
uint16_t named_group,
unsigned char *buf,
@ -1525,28 +1563,47 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
psa_key_attributes_t key_attributes;
size_t own_pubkey_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_ecc_family_t ec_psa_family = 0;
size_t ec_bits = 0;
size_t bits = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
psa_algorithm_t alg = PSA_ALG_NONE;
size_t buf_size = (size_t) (end - buf);
MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH/FFDH computation."));
/* Convert EC's TLS ID to PSA key type. */
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
named_group, &ec_psa_family, &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
named_group, &key_type, &bits) == PSA_SUCCESS) {
alg = PSA_ALG_ECDH;
}
#endif
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_get_psa_ffdh_info_from_tls_id(named_group, &bits,
&key_type) == PSA_SUCCESS) {
alg = PSA_ALG_FFDH;
}
#endif
if (key_type == PSA_KEY_TYPE_NONE) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
ssl->handshake->ecdh_bits = ec_bits;
if (buf_size < PSA_BITS_TO_BYTES(bits)) {
return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
}
handshake->xxdh_psa_type = key_type;
ssl->handshake->xxdh_bits = bits;
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
psa_set_key_algorithm(&key_attributes, alg);
psa_set_key_type(&key_attributes, handshake->xxdh_psa_type);
psa_set_key_bits(&key_attributes, handshake->xxdh_bits);
/* Generate ECDH private key. */
/* Generate ECDH/FFDH private key. */
status = psa_generate_key(&key_attributes,
&handshake->ecdh_psa_privkey);
&handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_generate_key", ret);
@ -1554,22 +1611,22 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
}
/* Export the public part of the ECDH private key from PSA. */
status = psa_export_public_key(handshake->ecdh_psa_privkey,
buf, (size_t) (end - buf),
/* Export the public part of the ECDH/FFDH private key from PSA. */
status = psa_export_public_key(handshake->xxdh_psa_privkey,
buf, buf_size,
&own_pubkey_len);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_export_public_key", ret);
return ret;
}
*out_len = own_pubkey_len;
return 0;
}
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
/* RFC 8446 section 4.2
*

56
library/ssl_tls13_keys.c
View file

@ -34,10 +34,17 @@
#include "ssl_tls13_invasive.h"
#include "psa/crypto.h"
#include "md_psa.h"
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
/* Define a local translating function to save code size by not using too many
* arguments in each translating place. */
static int local_err_translation(psa_status_t status)
{
return psa_status_to_mbedtls(status, psa_to_ssl_errors,
ARRAY_LENGTH(psa_to_ssl_errors),
psa_generic_status_to_mbedtls);
}
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
.name = string,
@ -677,7 +684,7 @@ static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
handshake->ciphersuite_info->mac);
/*
@ -792,7 +799,7 @@ int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(
ssl->handshake->ciphersuite_info->mac);
size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
@ -1012,14 +1019,14 @@ int mbedtls_ssl_tls13_populate_transform(
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc,
key_enc, cipher_info->key_bitlen,
key_enc, mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_ENCRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
}
if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec,
key_dec, cipher_info->key_bitlen,
key_dec, mbedtls_cipher_info_get_key_bitlen(cipher_info),
MBEDTLS_DECRYPT)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
return ret;
@ -1163,7 +1170,7 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
md_type = ciphersuite_info->mac;
hash_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
@ -1291,7 +1298,7 @@ int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
hash_alg = mbedtls_hash_info_psa_from_md(handshake->ciphersuite_info->mac);
hash_alg = mbedtls_md_psa_alg_from_type(handshake->ciphersuite_info->mac);
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
@ -1365,7 +1372,7 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
md_type = ciphersuite_info->mac;
hash_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
@ -1472,7 +1479,7 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
psa_algorithm_t const hash_alg = mbedtls_hash_info_psa_from_md(
psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
handshake->ciphersuite_info->mac);
unsigned char *shared_secret = NULL;
size_t shared_secret_len = 0;
@ -1484,13 +1491,18 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
* are derived in the handshake secret derivation stage.
*/
if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id)) {
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ||
mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) {
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
psa_algorithm_t alg =
mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ?
PSA_ALG_ECDH : PSA_ALG_FFDH;
/* Compute ECDH shared secret. */
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
status = psa_get_key_attributes(handshake->ecdh_psa_privkey,
status = psa_get_key_attributes(handshake->xxdh_psa_privkey,
&key_attributes);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
@ -1504,8 +1516,8 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
}
status = psa_raw_key_agreement(
PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
alg, handshake->xxdh_psa_privkey,
handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
shared_secret, shared_secret_len, &shared_secret_len);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
@ -1513,15 +1525,15 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
goto cleanup;
}
status = psa_destroy_key(handshake->ecdh_psa_privkey);
status = psa_destroy_key(handshake->xxdh_psa_privkey);
if (status != PSA_SUCCESS) {
ret = PSA_TO_MBEDTLS_ERR(status);
MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
goto cleanup;
}
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* PSA_WANT_ALG_ECDH */
handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
} else {
MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported."));
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@ -1608,7 +1620,7 @@ static int ssl_tls13_generate_application_keys(
md_type = handshake->ciphersuite_info->mac;
hash_alg = mbedtls_hash_info_psa_from_md(handshake->ciphersuite_info->mac);
hash_alg = mbedtls_md_psa_alg_from_type(handshake->ciphersuite_info->mac);
hash_len = PSA_HASH_LENGTH(hash_alg);
/* Compute current handshake transcript. It's the caller's responsibility
@ -1766,7 +1778,7 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
}
ret = mbedtls_ssl_tls13_derive_resumption_master_secret(
mbedtls_psa_translate_md(md_type),
mbedtls_md_psa_alg_from_type(md_type),
handshake->tls13_master_secrets.app,
transcript, transcript_len,
&ssl->session_negotiate->app_secrets);
@ -1781,7 +1793,7 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_BUF(
4, "Resumption master secret",
ssl->session_negotiate->app_secrets.resumption_master_secret,
PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type)));
PSA_HASH_LENGTH(mbedtls_md_psa_alg_from_type(md_type)));
MBEDTLS_SSL_DEBUG_MSG(
2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));

58
library/ssl_tls13_server.c
View file

@ -25,6 +25,8 @@
#include "mbedtls/error.h"
#include "mbedtls/platform.h"
#include "mbedtls/constant_time.h"
#include "mbedtls/oid.h"
#include "md_psa.h"
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
@ -332,7 +334,7 @@ static int ssl_tls13_offered_psks_check_binder_match(
/* Get current state of handshake transcript. */
ret = mbedtls_ssl_get_handshake_transcript(
ssl, mbedtls_hash_info_md_from_psa(psk_hash_alg),
ssl, mbedtls_md_type_from_psa_alg(psk_hash_alg),
transcript, sizeof(transcript), &transcript_len);
if (ret != 0) {
return ret;
@ -406,7 +408,7 @@ static int ssl_tls13_select_ciphersuite_for_psk(
/* MAC of selected ciphersuite MUST be same with PSK binder if exist.
* Otherwise, client should reject.
*/
if (psk_hash_alg == mbedtls_psa_translate_md(ciphersuite_info->mac)) {
if (psk_hash_alg == mbedtls_md_psa_alg_from_type(ciphersuite_info->mac)) {
*selected_ciphersuite = cipher_suite;
*selected_ciphersuite_info = ciphersuite_info;
return 0;
@ -612,7 +614,7 @@ static int ssl_tls13_parse_pre_shared_key_ext(
ret = ssl_tls13_offered_psks_check_binder_match(
ssl, binder, binder_len, psk_type,
mbedtls_psa_translate_md(ciphersuite_info->mac));
mbedtls_md_psa_alg_from_type(ciphersuite_info->mac));
if (ret != SSL_TLS1_3_OFFERED_PSK_MATCH) {
/* For security reasons, the handshake should be aborted when we
* fail to validate a binder value. See RFC 8446 section 4.2.11.2
@ -776,7 +778,7 @@ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
return (int) tls_version;
}
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
/*
*
* From RFC 8446:
@ -832,11 +834,11 @@ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
return 0;
}
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
#define SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH 1
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
/*
* ssl_tls13_parse_key_shares_ext() verifies whether the information in the
* extension is correct and stores the first acceptable key share and its
@ -910,13 +912,14 @@ static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
}
/*
* For now, we only support ECDHE groups.
* ECDHE and FFDHE groups are supported
*/
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH group: %s (%04x)",
if (mbedtls_ssl_tls13_named_group_is_ecdhe(group) ||
mbedtls_ssl_tls13_named_group_is_ffdh(group)) {
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH/FFDH group: %s (%04x)",
mbedtls_ssl_named_group_to_str(group),
group));
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
ret = mbedtls_ssl_tls13_read_public_xxdhe_share(
ssl, key_exchange - 2, key_exchange_len + 2);
if (ret != 0) {
return ret;
@ -938,7 +941,7 @@ static int ssl_tls13_parse_key_shares_ext(mbedtls_ssl_context *ssl,
}
return 0;
}
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_client_hello_has_exts(mbedtls_ssl_context *ssl,
@ -1260,6 +1263,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
const unsigned char *supported_versions_data_end;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
int hrr_required = 0;
int no_usable_share_for_key_agreement = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
const unsigned char *pre_shared_key_ext = NULL;
@ -1540,7 +1544,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
break;
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported group extension"));
@ -1559,9 +1563,9 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
break;
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH*/
#if defined(PSA_WANT_ALG_ECDH)
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG(3, ("found key share extension"));
@ -1575,8 +1579,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = ssl_tls13_parse_key_shares_ext(
ssl, p, extension_data_end);
if (ret == SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH) {
MBEDTLS_SSL_DEBUG_MSG(2, ("HRR needed "));
hrr_required = 1;
MBEDTLS_SSL_DEBUG_MSG(2, ("No usable share for key agreement."));
no_usable_share_for_key_agreement = 1;
}
if (ret < 0) {
@ -1586,7 +1590,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
}
break;
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
/* Already parsed */
@ -1734,6 +1738,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
return ret;
}
if (ssl->handshake->key_exchange_mode !=
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) {
hrr_required = (no_usable_share_for_key_agreement != 0);
}
mbedtls_ssl_optimize_checksum(ssl, handshake->ciphersuite_info);
return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK;
@ -1846,7 +1855,7 @@ static int ssl_tls13_prepare_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SERVER_HELLO_RANDOM_LEN);
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = time(NULL);
ssl->session_negotiate->start = mbedtls_time(NULL);
#endif /* MBEDTLS_HAVE_TIME */
return ret;
@ -1911,18 +1920,19 @@ static int ssl_tls13_generate_and_write_key_share(mbedtls_ssl_context *ssl,
*out_len = 0;
#if defined(PSA_WANT_ALG_ECDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
ret = mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
#if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group) ||
mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
ret = mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
ssl, named_group, buf, end, out_len);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange",
1, "mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange",
ret);
return ret;
}
} else
#endif /* PSA_WANT_ALG_ECDH */
#endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
if (0 /* Other kinds of KEMs */) {
} else {
((void) ssl);
@ -2783,7 +2793,7 @@ static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
ciphersuite_info =
(mbedtls_ssl_ciphersuite_t *) ssl->handshake->ciphersuite_info;
psa_hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac);
psa_hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
hash_length = PSA_HASH_LENGTH(psa_hash_alg);
if (hash_length == -1 ||
(size_t) hash_length > sizeof(session->resumption_key)) {

501
library/x509.c
View file

@ -53,13 +53,17 @@
#include <time.h>
#endif
#define CHECK(code) if ((ret = (code)) != 0) { return ret; }
#define CHECK(code) \
do { \
if ((ret = (code)) != 0) { \
return ret; \
} \
} while (0)
#define CHECK_RANGE(min, max, val) \
do \
{ \
if ((val) < (min) || (val) > (max)) \
{ \
return ret; \
do { \
if ((val) < (min) || (val) > (max)) { \
return ret; \
} \
} while (0)
@ -130,6 +134,8 @@ int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
/*
* Convert md type to string
*/
#if !defined(MBEDTLS_X509_REMOVE_INFO) && defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
{
switch (md_alg) {
@ -168,6 +174,8 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
}
}
#endif /* !defined(MBEDTLS_X509_REMOVE_INFO) && defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
/*
* HashAlgorithm ::= AlgorithmIdentifier
@ -565,117 +573,82 @@ error:
return ret;
}
static int x509_parse_int(unsigned char **p, size_t n, int *res)
static int x509_date_is_valid(const mbedtls_x509_time *t)
{
*res = 0;
for (; n > 0; --n) {
if ((**p < '0') || (**p > '9')) {
unsigned int month_days;
unsigned int year;
switch (t->mon) {
case 1: case 3: case 5: case 7: case 8: case 10: case 12:
month_days = 31;
break;
case 4: case 6: case 9: case 11:
month_days = 30;
break;
case 2:
year = (unsigned int) t->year;
month_days = ((year & 3) || (!(year % 100)
&& (year % 400)))
? 28 : 29;
break;
default:
return MBEDTLS_ERR_X509_INVALID_DATE;
}
}
*res *= 10;
*res += (*(*p)++ - '0');
if ((unsigned int) (t->day - 1) >= month_days || /* (1 - days in month) */
/* (unsigned int) (t->mon - 1) >= 12 || */ /* (1 - 12) checked above */
(unsigned int) t->year > 9999 || /* (0 - 9999) */
(unsigned int) t->hour > 23 || /* (0 - 23) */
(unsigned int) t->min > 59 || /* (0 - 59) */
(unsigned int) t->sec > 59) { /* (0 - 59) */
return MBEDTLS_ERR_X509_INVALID_DATE;
}
return 0;
}
static int x509_date_is_valid(const mbedtls_x509_time *t)
static int x509_parse2_int(const unsigned char *p)
{
int ret = MBEDTLS_ERR_X509_INVALID_DATE;
int month_len;
CHECK_RANGE(0, 9999, t->year);
CHECK_RANGE(0, 23, t->hour);
CHECK_RANGE(0, 59, t->min);
CHECK_RANGE(0, 59, t->sec);
switch (t->mon) {
case 1: case 3: case 5: case 7: case 8: case 10: case 12:
month_len = 31;
break;
case 4: case 6: case 9: case 11:
month_len = 30;
break;
case 2:
if ((!(t->year % 4) && t->year % 100) ||
!(t->year % 400)) {
month_len = 29;
} else {
month_len = 28;
}
break;
default:
return ret;
}
CHECK_RANGE(1, month_len, t->day);
return 0;
uint32_t d1 = p[0] - '0';
uint32_t d2 = p[1] - '0';
return (d1 < 10 && d2 < 10) ? (int) (d1 * 10 + d2) : -1;
}
/*
* Parse an ASN1_UTC_TIME (yearlen=2) or ASN1_GENERALIZED_TIME (yearlen=4)
* field.
*/
static int x509_parse_time(unsigned char **p, size_t len, size_t yearlen,
mbedtls_x509_time *tm)
static int x509_parse_time(const unsigned char *p, mbedtls_x509_time *tm,
size_t yearlen)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int x;
/*
* Minimum length is 10 or 12 depending on yearlen
* Parse year, month, day, hour, minute, second
*/
if (len < yearlen + 8) {
tm->year = x509_parse2_int(p);
if (tm->year < 0) {
return MBEDTLS_ERR_X509_INVALID_DATE;
}
len -= yearlen + 8;
/*
* Parse year, month, day, hour, minute
*/
CHECK(x509_parse_int(p, yearlen, &tm->year));
if (2 == yearlen) {
if (tm->year < 50) {
tm->year += 100;
if (4 == yearlen) {
x = tm->year * 100;
p += 2;
tm->year = x509_parse2_int(p);
if (tm->year < 0) {
return MBEDTLS_ERR_X509_INVALID_DATE;
}
tm->year += 1900;
}
CHECK(x509_parse_int(p, 2, &tm->mon));
CHECK(x509_parse_int(p, 2, &tm->day));
CHECK(x509_parse_int(p, 2, &tm->hour));
CHECK(x509_parse_int(p, 2, &tm->min));
/*
* Parse seconds if present
*/
if (len >= 2) {
CHECK(x509_parse_int(p, 2, &tm->sec));
len -= 2;
} else {
return MBEDTLS_ERR_X509_INVALID_DATE;
x = (tm->year < 50) ? 2000 : 1900;
}
tm->year += x;
/*
* Parse trailing 'Z' if present
*/
if (1 == len && 'Z' == **p) {
(*p)++;
len--;
}
tm->mon = x509_parse2_int(p + 2);
tm->day = x509_parse2_int(p + 4);
tm->hour = x509_parse2_int(p + 6);
tm->min = x509_parse2_int(p + 8);
tm->sec = x509_parse2_int(p + 10);
/*
* We should have parsed all characters at this point
*/
if (0 != len) {
return MBEDTLS_ERR_X509_INVALID_DATE;
}
CHECK(x509_date_is_valid(tm));
return 0;
return x509_date_is_valid(tm);
}
/*
@ -713,7 +686,14 @@ int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end,
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_DATE, ret);
}
return x509_parse_time(p, len, year_len, tm);
/* len is 12 or 14 depending on year_len, plus optional trailing 'Z' */
if (len != year_len + 10 &&
!(len == year_len + 11 && (*p)[(len - 1)] == 'Z')) {
return MBEDTLS_ERR_X509_INVALID_DATE;
}
(*p) += len;
return x509_parse_time(*p - len, tm, year_len);
}
int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig)
@ -994,81 +974,45 @@ int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name)
return 0;
}
#if defined(MBEDTLS_HAVE_TIME_DATE)
/*
* Set the time structure to the current time.
* Return 0 on success, non-zero on failure.
*/
static int x509_get_current_time(mbedtls_x509_time *now)
int mbedtls_x509_time_cmp(const mbedtls_x509_time *t1,
const mbedtls_x509_time *t2)
{
struct tm *lt, tm_buf;
mbedtls_time_t tt;
int ret = 0;
int x;
tt = mbedtls_time(NULL);
lt = mbedtls_platform_gmtime_r(&tt, &tm_buf);
if (lt == NULL) {
ret = -1;
} else {
now->year = lt->tm_year + 1900;
now->mon = lt->tm_mon + 1;
now->day = lt->tm_mday;
now->hour = lt->tm_hour;
now->min = lt->tm_min;
now->sec = lt->tm_sec;
x = (((t1->year << 9) | (t1->mon << 5) | (t1->day)) -
((t2->year << 9) | (t2->mon << 5) | (t2->day)));
if (x != 0) {
return x;
}
return ret;
x = (((t1->hour << 12) | (t1->min << 6) | (t1->sec)) -
((t2->hour << 12) | (t2->min << 6) | (t2->sec)));
return x;
}
/*
* Return 0 if before <= after, 1 otherwise
*/
static int x509_check_time(const mbedtls_x509_time *before, const mbedtls_x509_time *after)
#if defined(MBEDTLS_HAVE_TIME_DATE)
int mbedtls_x509_time_gmtime(mbedtls_time_t tt, mbedtls_x509_time *now)
{
if (before->year > after->year) {
return 1;
}
if (before->year == after->year &&
before->mon > after->mon) {
return 1;
}
if (before->year == after->year &&
before->mon == after->mon &&
before->day > after->day) {
return 1;
}
if (before->year == after->year &&
before->mon == after->mon &&
before->day == after->day &&
before->hour > after->hour) {
return 1;
}
if (before->year == after->year &&
before->mon == after->mon &&
before->day == after->day &&
before->hour == after->hour &&
before->min > after->min) {
return 1;
}
if (before->year == after->year &&
before->mon == after->mon &&
before->day == after->day &&
before->hour == after->hour &&
before->min == after->min &&
before->sec > after->sec) {
return 1;
struct tm tm;
if (mbedtls_platform_gmtime_r(&tt, &tm) == NULL) {
return -1;
}
now->year = tm.tm_year + 1900;
now->mon = tm.tm_mon + 1;
now->day = tm.tm_mday;
now->hour = tm.tm_hour;
now->min = tm.tm_min;
now->sec = tm.tm_sec;
return 0;
}
static int x509_get_current_time(mbedtls_x509_time *now)
{
return mbedtls_x509_time_gmtime(mbedtls_time(NULL), now);
}
int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)
{
mbedtls_x509_time now;
@ -1077,7 +1021,7 @@ int mbedtls_x509_time_is_past(const mbedtls_x509_time *to)
return 1;
}
return x509_check_time(&now, to);
return mbedtls_x509_time_cmp(to, &now) < 0;
}
int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
@ -1088,7 +1032,7 @@ int mbedtls_x509_time_is_future(const mbedtls_x509_time *from)
return 1;
}
return x509_check_time(from, &now);
return mbedtls_x509_time_cmp(from, &now) > 0;
}
#else /* MBEDTLS_HAVE_TIME_DATE */
@ -1201,6 +1145,87 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
return 0;
}
/* Check mbedtls_x509_get_subject_alt_name for detailed description.
*
* In some cases while parsing subject alternative names the sequence tag is optional
* (e.g. CertSerialNumber). This function is designed to handle such case.
*/
int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t tag_len;
mbedtls_asn1_sequence *cur = subject_alt_name;
while (*p < end) {
mbedtls_x509_subject_alternative_name tmp_san_name;
mbedtls_x509_buf tmp_san_buf;
memset(&tmp_san_name, 0, sizeof(tmp_san_name));
tmp_san_buf.tag = **p;
(*p)++;
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
tmp_san_buf.p = *p;
tmp_san_buf.len = tag_len;
if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
/*
* Check that the SAN is structured correctly by parsing it.
* The SAN structure is discarded afterwards.
*/
ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &tmp_san_name);
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
*/
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
mbedtls_asn1_sequence_free(subject_alt_name->next);
subject_alt_name->next = NULL;
return ret;
}
mbedtls_x509_free_subject_alt_name(&tmp_san_name);
/* Allocate and assign next pointer */
if (cur->buf.p != NULL) {
if (cur->next != NULL) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
}
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
if (cur->next == NULL) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
}
cur = cur->next;
}
cur->buf = tmp_san_buf;
*p += tmp_san_buf.len;
}
/* Set final sequence entry's next pointer to NULL */
cur->next = NULL;
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* SubjectAltName ::= GeneralNames
*
@ -1234,8 +1259,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
mbedtls_x509_sequence *subject_alt_name)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len, tag_len;
mbedtls_asn1_sequence *cur = subject_alt_name;
size_t len;
/* Get main sequence tag */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
@ -1248,71 +1272,7 @@ int mbedtls_x509_get_subject_alt_name(unsigned char **p,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
while (*p < end) {
mbedtls_x509_subject_alternative_name dummy_san_buf;
mbedtls_x509_buf tmp_san_buf;
memset(&dummy_san_buf, 0, sizeof(dummy_san_buf));
tmp_san_buf.tag = **p;
(*p)++;
if ((ret = mbedtls_asn1_get_len(p, end, &tag_len)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
tmp_san_buf.p = *p;
tmp_san_buf.len = tag_len;
if ((tmp_san_buf.tag & MBEDTLS_ASN1_TAG_CLASS_MASK) !=
MBEDTLS_ASN1_CONTEXT_SPECIFIC) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG);
}
/*
* Check that the SAN is structured correctly.
*/
ret = mbedtls_x509_parse_subject_alt_name(&tmp_san_buf, &dummy_san_buf);
/*
* In case the extension is malformed, return an error,
* and clear the allocated sequences.
*/
if (ret != 0 && ret != MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) {
mbedtls_asn1_sequence_free(subject_alt_name->next);
subject_alt_name->next = NULL;
return ret;
}
mbedtls_x509_free_subject_alt_name(&dummy_san_buf);
/* Allocate and assign next pointer */
if (cur->buf.p != NULL) {
if (cur->next != NULL) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
}
cur->next = mbedtls_calloc(1, sizeof(mbedtls_asn1_sequence));
if (cur->next == NULL) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_ALLOC_FAILED);
}
cur = cur->next;
}
cur->buf = tmp_san_buf;
*p += tmp_san_buf.len;
}
/* Set final sequence entry's next pointer to NULL */
cur->next = NULL;
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
return mbedtls_x509_get_subject_alt_name_ext(p, end, subject_alt_name);
}
int mbedtls_x509_get_ns_cert_type(unsigned char **p,
@ -1422,9 +1382,24 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
san_buf, sizeof(*san_buf));
}
break;
/*
* RFC822 Name
* IP address
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_IP_ADDRESS):
{
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
san->type = MBEDTLS_X509_SAN_IP_ADDRESS;
// Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported
if (san_buf->len == 4 || san_buf->len == 16) {
memcpy(&san->san.unstructured_name,
san_buf, sizeof(*san_buf));
} else {
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
}
break;
/*
* rfc822Name
*/
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
{
@ -1433,7 +1408,6 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
}
break;
/*
* directoryName
*/
@ -1548,7 +1522,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix);
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
*p = '\0';
if (n > 0) {
*p = '\0';
}
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
}
@ -1574,7 +1550,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
*p = '\0';
if (n > 0) {
*p = '\0';
}
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
}
@ -1583,7 +1561,41 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
n -= san.san.unstructured_name.len;
}
break;
/*
* iPAddress
*/
case MBEDTLS_X509_SAN_IP_ADDRESS:
{
ret = mbedtls_snprintf(p, n, "\n%s %s : ",
prefix, "iPAddress");
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
if (n > 0) {
*p = '\0';
}
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
}
unsigned char *ip = san.san.unstructured_name.p;
// Only IPv6 (16 bytes) and IPv4 (4 bytes) types are supported
if (san.san.unstructured_name.len == 4) {
ret = mbedtls_snprintf(p, n, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
MBEDTLS_X509_SAFE_SNPRINTF;
} else if (san.san.unstructured_name.len == 16) {
ret = mbedtls_snprintf(p, n,
"%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X:%X%X",
ip[0], ip[1], ip[2], ip[3], ip[4], ip[5], ip[6],
ip[7], ip[8], ip[9], ip[10], ip[11], ip[12], ip[13],
ip[14], ip[15]);
MBEDTLS_X509_SAFE_SNPRINTF;
} else {
if (n > 0) {
*p = '\0';
}
return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
}
}
break;
/*
* directoryName
*/
@ -1599,6 +1611,9 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
if (ret < 0) {
mbedtls_x509_free_subject_alt_name(&san);
if (n > 0) {
*p = '\0';
}
return ret;
}
@ -1629,16 +1644,19 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
return 0;
}
#define PRINT_ITEM(i) \
{ \
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
MBEDTLS_X509_SAFE_SNPRINTF; \
sep = ", "; \
}
#define PRINT_ITEM(i) \
do { \
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
MBEDTLS_X509_SAFE_SNPRINTF; \
sep = ", "; \
} while (0)
#define CERT_TYPE(type, name) \
if (ns_cert_type & (type)) \
PRINT_ITEM(name);
#define CERT_TYPE(type, name) \
do { \
if (ns_cert_type & (type)) { \
PRINT_ITEM(name); \
} \
} while (0)
int mbedtls_x509_info_cert_type(char **buf, size_t *size,
unsigned char ns_cert_type)
@ -1663,9 +1681,12 @@ int mbedtls_x509_info_cert_type(char **buf, size_t *size,
return 0;
}
#define KEY_USAGE(code, name) \
if (key_usage & (code)) \
PRINT_ITEM(name);
#define KEY_USAGE(code, name) \
do { \
if ((key_usage) & (code)) { \
PRINT_ITEM(name); \
} \
} while (0)
int mbedtls_x509_info_key_usage(char **buf, size_t *size,
unsigned int key_usage)

5
library/x509_create.c
View file

@ -125,7 +125,7 @@ static const x509_attr_descriptor_t *x509_attr_descr_from_name(const char *name,
int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *name)
{
int ret = 0;
int ret = MBEDTLS_ERR_X509_INVALID_NAME;
const char *s = name, *c = s;
const char *end = s + strlen(s);
const char *oid = NULL;
@ -177,6 +177,9 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
s = c + 1;
in_tag = 1;
/* Successfully parsed one name, update ret to success */
ret = 0;
}
if (!in_tag && s != c + 1) {

283
library/x509_crt.c
View file

@ -46,10 +46,10 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "hash_info.h"
#include "x509_invasive.h"
#include "pk_internal.h"
#include "mbedtls/platform.h"
@ -60,9 +60,6 @@
#if defined(MBEDTLS_HAVE_TIME)
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#define WIN32_LEAN_AND_MEAN
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600
#endif
#include <windows.h>
#else
#include <time.h>
@ -106,7 +103,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
0xFFFFFFF, /* Any PK alg */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Curves at or above 128-bit security level. Note that this selection
* should be aligned with ssl_preset_default_curves in ssl_tls.c. */
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
@ -116,9 +113,9 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP384R1) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_BP512R1) |
0,
#else /* MBEDTLS_ECP_LIGHT */
#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
2048,
};
@ -157,13 +154,13 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb =
/* Only ECDSA */
MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECDSA) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_PK_ECKEY),
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
/* Only NIST P-256 and P-384 */
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP256R1) |
MBEDTLS_X509_ID_FLAG(MBEDTLS_ECP_DP_SECP384R1),
#else /* MBEDTLS_ECP_LIGHT */
#else /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
0,
};
@ -233,11 +230,11 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
}
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_LIGHT)
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
if (pk_alg == MBEDTLS_PK_ECDSA ||
pk_alg == MBEDTLS_PK_ECKEY ||
pk_alg == MBEDTLS_PK_ECKEY_DH) {
const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id;
const mbedtls_ecp_group_id gid = mbedtls_pk_get_group_id(pk);
if (gid == MBEDTLS_ECP_DP_NONE) {
return -1;
@ -249,7 +246,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
return -1;
}
#endif /* MBEDTLS_ECP_LIGHT */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
return -1;
}
@ -591,6 +588,114 @@ static int x509_get_ext_key_usage(unsigned char **p,
return 0;
}
/*
* SubjectKeyIdentifier ::= KeyIdentifier
*
* KeyIdentifier ::= OCTET STRING
*/
static int x509_get_subject_key_id(unsigned char **p,
const unsigned char *end,
mbedtls_x509_buf *subject_key_id)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0u;
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
subject_key_id->len = len;
subject_key_id->tag = MBEDTLS_ASN1_OCTET_STRING;
subject_key_id->p = *p;
*p += len;
if (*p != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return 0;
}
/*
* AuthorityKeyIdentifier ::= SEQUENCE {
* keyIdentifier [0] KeyIdentifier OPTIONAL,
* authorityCertIssuer [1] GeneralNames OPTIONAL,
* authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
*
* KeyIdentifier ::= OCTET STRING
*/
static int x509_get_authority_key_id(unsigned char **p,
unsigned char *end,
mbedtls_x509_authority *authority_key_id)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0u;
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (*p + len != end) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS,
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC);
/* KeyIdentifier is an OPTIONAL field */
if (ret == 0) {
authority_key_id->keyIdentifier.len = len;
authority_key_id->keyIdentifier.p = *p;
/* Setting tag of the keyIdentfier intentionally to 0x04.
* Although the .keyIdentfier field is CONTEXT_SPECIFIC ([0] OPTIONAL),
* its tag with the content is the payload of on OCTET STRING primitive */
authority_key_id->keyIdentifier.tag = MBEDTLS_ASN1_OCTET_STRING;
*p += len;
} else if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
if (*p < end) {
/* Getting authorityCertIssuer using the required specific class tag [1] */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED |
1)) != 0) {
/* authorityCertIssuer and authorityCertSerialNumber MUST both
be present or both be absent. At this point we expect to have both. */
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
/* "end" also includes the CertSerialNumber field so "len" shall be used */
ret = mbedtls_x509_get_subject_alt_name_ext(p,
(*p+len),
&authority_key_id->authorityCertIssuer);
if (ret != 0) {
return ret;
}
/* Getting authorityCertSerialNumber using the required specific class tag [2] */
if ((ret = mbedtls_asn1_get_tag(p, end, &len,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2)) != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_INVALID_EXTENSIONS, ret);
}
authority_key_id->authorityCertSerialNumber.len = len;
authority_key_id->authorityCertSerialNumber.p = *p;
authority_key_id->authorityCertSerialNumber.tag = MBEDTLS_ASN1_INTEGER;
*p += len;
}
if (*p != end) {
return MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH;
}
return 0;
}
/*
* id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
*
@ -889,8 +994,25 @@ static int x509_get_crt_ext(unsigned char **p,
}
break;
case MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER:
/* Parse subject key identifier */
if ((ret = x509_get_subject_key_id(p, end_ext_data,
&crt->subject_key_id)) != 0) {
return ret;
}
break;
case MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER:
/* Parse authority key identifier */
if ((ret = x509_get_authority_key_id(p, end_ext_octet,
&crt->authority_key_id)) != 0) {
return ret;
}
break;
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
/* Parse subject alt name */
/* Parse subject alt name
* SubjectAltName ::= GeneralNames
*/
if ((ret = mbedtls_x509_get_subject_alt_name(p, end_ext_octet,
&crt->subject_alt_names)) != 0) {
return ret;
@ -1414,6 +1536,7 @@ int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
{
int ret = 0;
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
#if _WIN32_WINNT >= 0x0501 /* _WIN32_WINNT_XP */
int w_ret;
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
@ -1476,6 +1599,9 @@ int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
cleanup:
FindClose(hFind);
#else /* !_WIN32_WINNT_XP */
#error mbedtls_x509_crt_parse_path not available before Windows XP
#endif /* !_WIN32_WINNT_XP */
#else /* _WIN32 */
int t_ret;
int snp_ret;
@ -1550,6 +1676,27 @@ cleanup:
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
#define PRINT_ITEM(i) \
do { \
ret = mbedtls_snprintf(p, n, "%s" i, sep); \
MBEDTLS_X509_SAFE_SNPRINTF; \
sep = ", "; \
} while (0)
#define CERT_TYPE(type, name) \
do { \
if (ns_cert_type & (type)) { \
PRINT_ITEM(name); \
} \
} while (0)
#define KEY_USAGE(code, name) \
do { \
if (key_usage & (code)) { \
PRINT_ITEM(name); \
} \
} while (0)
static int x509_info_ext_key_usage(char **buf, size_t *size,
const mbedtls_x509_sequence *extended_key_usage)
{
@ -1874,10 +2021,11 @@ int mbedtls_x509_crt_is_revoked(const mbedtls_x509_crt *crt, const mbedtls_x509_
*/
static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
mbedtls_x509_crl *crl_list,
const mbedtls_x509_crt_profile *profile)
const mbedtls_x509_crt_profile *profile,
const mbedtls_x509_time *now)
{
int flags = 0;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_algorithm;
#else
@ -1917,7 +2065,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_hash_info_psa_from_md(crl_list->sig_md);
psa_algorithm = mbedtls_md_psa_alg_from_type(crl_list->sig_md);
if (psa_hash_compute(psa_algorithm,
crl_list->tbs.p,
crl_list->tbs.len,
@ -1952,16 +2100,20 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
break;
}
#if defined(MBEDTLS_HAVE_TIME_DATE)
/*
* Check for validity of CRL (Do not drop out)
*/
if (mbedtls_x509_time_is_past(&crl_list->next_update)) {
if (mbedtls_x509_time_cmp(&crl_list->next_update, now) < 0) {
flags |= MBEDTLS_X509_BADCRL_EXPIRED;
}
if (mbedtls_x509_time_is_future(&crl_list->this_update)) {
if (mbedtls_x509_time_cmp(&crl_list->this_update, now) > 0) {
flags |= MBEDTLS_X509_BADCRL_FUTURE;
}
#else
((void) now);
#endif
/*
* Check if certificate is revoked
@ -1986,7 +2138,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
mbedtls_x509_crt_restart_ctx *rs_ctx)
{
size_t hash_len;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type(child->sig_md);
@ -1997,7 +2149,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
return -1;
}
#else
psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(child->sig_md);
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(child->sig_md);
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
status = psa_hash_compute(hash_alg,
@ -2119,7 +2271,8 @@ static int x509_crt_find_parent_in(
int top,
unsigned path_cnt,
unsigned self_cnt,
mbedtls_x509_crt_restart_ctx *rs_ctx)
mbedtls_x509_crt_restart_ctx *rs_ctx,
const mbedtls_x509_time *now)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *parent, *fallback_parent;
@ -2182,9 +2335,10 @@ check_signature:
continue;
}
#if defined(MBEDTLS_HAVE_TIME_DATE)
/* optional time check */
if (mbedtls_x509_time_is_past(&parent->valid_to) ||
mbedtls_x509_time_is_future(&parent->valid_from)) {
if (mbedtls_x509_time_cmp(&parent->valid_to, now) < 0 || /* past */
mbedtls_x509_time_cmp(&parent->valid_from, now) > 0) { /* future */
if (fallback_parent == NULL) {
fallback_parent = parent;
fallback_signature_is_good = signature_is_good;
@ -2192,6 +2346,9 @@ check_signature:
continue;
}
#else
((void) now);
#endif
*r_parent = parent;
*r_signature_is_good = signature_is_good;
@ -2237,7 +2394,8 @@ static int x509_crt_find_parent(
int *signature_is_good,
unsigned path_cnt,
unsigned self_cnt,
mbedtls_x509_crt_restart_ctx *rs_ctx)
mbedtls_x509_crt_restart_ctx *rs_ctx,
const mbedtls_x509_time *now)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_x509_crt *search_list;
@ -2258,7 +2416,7 @@ static int x509_crt_find_parent(
ret = x509_crt_find_parent_in(child, search_list,
parent, signature_is_good,
*parent_is_trusted,
path_cnt, self_cnt, rs_ctx);
path_cnt, self_cnt, rs_ctx, now);
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
@ -2379,6 +2537,13 @@ static int x509_crt_verify_chain(
int signature_is_good;
unsigned self_cnt;
mbedtls_x509_crt *cur_trust_ca = NULL;
mbedtls_x509_time now;
#if defined(MBEDTLS_HAVE_TIME_DATE)
if (mbedtls_x509_time_gmtime(mbedtls_time(NULL), &now) != 0) {
return MBEDTLS_ERR_X509_FATAL_ERROR;
}
#endif
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/* resume if we had an operation in progress */
@ -2409,14 +2574,16 @@ static int x509_crt_verify_chain(
ver_chain->len++;
flags = &cur->flags;
#if defined(MBEDTLS_HAVE_TIME_DATE)
/* Check time-validity (all certificates) */
if (mbedtls_x509_time_is_past(&child->valid_to)) {
if (mbedtls_x509_time_cmp(&child->valid_to, &now) < 0) {
*flags |= MBEDTLS_X509_BADCERT_EXPIRED;
}
if (mbedtls_x509_time_is_future(&child->valid_from)) {
if (mbedtls_x509_time_cmp(&child->valid_from, &now) > 0) {
*flags |= MBEDTLS_X509_BADCERT_FUTURE;
}
#endif
/* Stop here for trusted roots (but not for trusted EE certs) */
if (child_is_trusted) {
@ -2467,7 +2634,8 @@ find_parent:
/* Look for a parent in trusted CAs or up the chain */
ret = x509_crt_find_parent(child, cur_trust_ca, &parent,
&parent_is_trusted, &signature_is_good,
ver_chain->len - 1, self_cnt, rs_ctx);
ver_chain->len - 1, self_cnt, rs_ctx,
&now);
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
@ -2516,7 +2684,7 @@ find_parent:
#if defined(MBEDTLS_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the given crt */
*flags |= x509_crt_verifycrl(child, parent, ca_crl, profile);
*flags |= x509_crt_verifycrl(child, parent, ca_crl, profile, &now);
#else
(void) ca_crl;
#endif
@ -2537,6 +2705,9 @@ find_parent:
#elif (defined(__MINGW32__) || defined(__MINGW64__)) && _WIN32_WINNT >= 0x0600
#include <winsock2.h>
#include <ws2tcpip.h>
#else
/* inet_pton() is not supported, fallback to software version */
#define MBEDTLS_TEST_SW_INET_PTON
#endif
#elif defined(__sun)
/* Solaris requires -lsocket -lnsl for inet_pton() */
@ -2667,7 +2838,6 @@ static int x509_inet_pton_ipv6(const char *src, void *dst)
static int x509_inet_pton_ipv4(const char *src, void *dst)
{
/* note: allows leading 0's, e.g. 000.000.000.000 */
const unsigned char *p = (const unsigned char *) src;
uint8_t *res = (uint8_t *) dst;
uint8_t digit, num_digits = 0;
@ -2681,13 +2851,20 @@ static int x509_inet_pton_ipv4(const char *src, void *dst)
if (digit > 9) {
break;
}
/* Don't allow leading zeroes. These might mean octal format,
* which this implementation does not support. */
if (octet == 0 && num_digits > 0) {
return -1;
}
octet = octet * 10 + digit;
num_digits++;
p++;
} while (num_digits < 3);
if (octet >= 256 || num_digits > 3 || num_digits == 0) {
break;
return -1;
}
*res++ = (uint8_t) octet;
num_octets++;
@ -2709,7 +2886,6 @@ static int x509_inet_pton_ipv4(const char *src, void *dst)
#endif /* !AF_INET6 || MBEDTLS_TEST_SW_INET_PTON */ //no-check-names
MBEDTLS_STATIC_TESTABLE
size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst)
{
return strchr(cn, ':') == NULL
@ -2758,6 +2934,21 @@ static int x509_crt_check_san_ip(const mbedtls_x509_sequence *san,
return -1;
}
static int x509_crt_check_san_uri(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len)
{
for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
const unsigned char san_type = (unsigned char) cur->buf.tag &
MBEDTLS_ASN1_TAG_VALUE_MASK;
if (san_type == MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER &&
cur->buf.len == cn_len && memcmp(cur->buf.p, cn, cn_len) == 0) {
return 0;
}
}
return -1;
}
/*
* Check for SAN match, see RFC 5280 Section 4.2.1.6
*/
@ -2765,23 +2956,38 @@ static int x509_crt_check_san(const mbedtls_x509_sequence *san,
const char *cn, size_t cn_len)
{
int san_ip = 0;
int san_uri = 0;
/* Prioritize DNS name over other subtypes due to popularity */
for (const mbedtls_x509_sequence *cur = san; cur != NULL; cur = cur->next) {
switch ((unsigned char) cur->buf.tag & MBEDTLS_ASN1_TAG_VALUE_MASK) {
case MBEDTLS_X509_SAN_DNS_NAME: /* dNSName */
case MBEDTLS_X509_SAN_DNS_NAME:
if (x509_crt_check_cn(&cur->buf, cn, cn_len) == 0) {
return 0;
}
break;
case MBEDTLS_X509_SAN_IP_ADDRESS: /* iPAddress */
case MBEDTLS_X509_SAN_IP_ADDRESS:
san_ip = 1;
break;
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
san_uri = 1;
break;
/* (We may handle other types here later.) */
default: /* Unrecognized type */
break;
}
}
if (san_ip) {
if (x509_crt_check_san_ip(san, cn, cn_len) == 0) {
return 0;
}
}
if (san_uri) {
if (x509_crt_check_san_uri(san, cn, cn_len) == 0) {
return 0;
}
}
return san_ip ? x509_crt_check_san_ip(san, cn, cn_len) : -1;
return -1;
}
/*
@ -3049,6 +3255,7 @@ void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
mbedtls_asn1_sequence_free(cert_cur->ext_key_usage.next);
mbedtls_asn1_sequence_free(cert_cur->subject_alt_names.next);
mbedtls_asn1_sequence_free(cert_cur->certificate_policies.next);
mbedtls_asn1_sequence_free(cert_cur->authority_key_id.authorityCertIssuer.next);
if (cert_cur->raw.p != NULL && cert_cur->own_buffer) {
mbedtls_platform_zeroize(cert_cur->raw.p, cert_cur->raw.len);

53
library/x509_invasive.h
View file

@ -1,53 +0,0 @@
/**
* \file x509_invasive.h
*
* \brief x509 module: interfaces for invasive testing only.
*
* The interfaces in this file are intended for testing purposes only.
* They SHOULD NOT be made available in library integrations except when
* building the library for testing.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef MBEDTLS_X509_INVASIVE_H
#define MBEDTLS_X509_INVASIVE_H
#include "common.h"
#if defined(MBEDTLS_TEST_HOOKS)
/**
* \brief This function parses a CN string as an IP address.
*
* \param cn The CN string to parse. CN string MUST be NUL-terminated.
* \param dst The target buffer to populate with the binary IP address.
* The buffer MUST be 16 bytes to save IPv6, and should be
* 4-byte aligned if the result will be used as struct in_addr.
* e.g. uint32_t dst[4]
*
* \note \cn is parsed as an IPv6 address if string contains ':',
* else \cn is parsed as an IPv4 address.
*
* \return Length of binary IP address; num bytes written to target.
* \return \c 0 on failure to parse CN string as an IP address.
*/
size_t mbedtls_x509_crt_parse_cn_inet_pton(const char *cn, void *dst);
#endif /* MBEDTLS_TEST_HOOKS */
#endif /* MBEDTLS_X509_INVASIVE_H */

150
library/x509write_crt.c
View file

@ -31,10 +31,12 @@
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/md.h"
#include <string.h>
#include <stdint.h>
#if defined(MBEDTLS_PEM_WRITE_C)
#include "mbedtls/pem.h"
@ -42,10 +44,19 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "hash_info.h"
#define CHECK_OVERFLOW_ADD(a, b) \
do \
{ \
if (a > SIZE_MAX - (b)) \
{ \
return MBEDTLS_ERR_X509_BAD_INPUT_DATA; \
} \
a += b; \
} while (0)
void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
{
@ -152,6 +163,137 @@ int mbedtls_x509write_crt_set_validity(mbedtls_x509write_cert *ctx,
return 0;
}
int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
const mbedtls_x509_san_list *san_list)
{
int ret = 0;
const mbedtls_x509_san_list *cur;
unsigned char *buf;
unsigned char *p;
size_t len;
size_t buflen = 0;
/* Determine the maximum size of the SubjectAltName list */
for (cur = san_list; cur != NULL; cur = cur->next) {
/* Calculate size of the required buffer */
switch (cur->node.type) {
case MBEDTLS_X509_SAN_DNS_NAME:
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
case MBEDTLS_X509_SAN_IP_ADDRESS:
case MBEDTLS_X509_SAN_RFC822_NAME:
/* length of value for each name entry,
* maximum 4 bytes for the length field,
* 1 byte for the tag/type.
*/
CHECK_OVERFLOW_ADD(buflen, cur->node.san.unstructured_name.len);
CHECK_OVERFLOW_ADD(buflen, 4 + 1);
break;
case MBEDTLS_X509_SAN_DIRECTORY_NAME:
{
const mbedtls_asn1_named_data *chunk = &cur->node.san.directory_name;
while (chunk != NULL) {
// Max 4 bytes for length, +1 for tag,
// additional 4 max for length, +1 for tag.
// See x509_write_name for more information.
CHECK_OVERFLOW_ADD(buflen, 4 + 1 + 4 + 1);
CHECK_OVERFLOW_ADD(buflen, chunk->oid.len);
CHECK_OVERFLOW_ADD(buflen, chunk->val.len);
chunk = chunk->next;
}
CHECK_OVERFLOW_ADD(buflen, 4 + 1);
break;
}
default:
/* Not supported - return. */
return MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
}
}
/* Add the extra length field and tag */
CHECK_OVERFLOW_ADD(buflen, 4 + 1);
/* Allocate buffer */
buf = mbedtls_calloc(1, buflen);
if (buf == NULL) {
return MBEDTLS_ERR_ASN1_ALLOC_FAILED;
}
p = buf + buflen;
/* Write ASN.1-based structure */
cur = san_list;
len = 0;
while (cur != NULL) {
size_t single_san_len = 0;
switch (cur->node.type) {
case MBEDTLS_X509_SAN_DNS_NAME:
case MBEDTLS_X509_SAN_RFC822_NAME:
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
case MBEDTLS_X509_SAN_IP_ADDRESS:
{
const unsigned char *unstructured_name =
(const unsigned char *) cur->node.san.unstructured_name.p;
size_t unstructured_name_len = cur->node.san.unstructured_name.len;
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
mbedtls_asn1_write_raw_buffer(
&p, buf,
unstructured_name, unstructured_name_len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len, mbedtls_asn1_write_len(
&p, buf, unstructured_name_len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
mbedtls_asn1_write_tag(
&p, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC | cur->node.type));
}
break;
case MBEDTLS_X509_SAN_DIRECTORY_NAME:
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
mbedtls_x509_write_names(&p, buf,
(mbedtls_asn1_named_data *) &
cur->node
.san.directory_name));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
mbedtls_asn1_write_len(&p, buf, single_san_len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(single_san_len,
mbedtls_asn1_write_tag(&p, buf,
MBEDTLS_ASN1_CONTEXT_SPECIFIC |
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_X509_SAN_DIRECTORY_NAME));
break;
default:
/* Error out on an unsupported SAN */
ret = MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE;
goto cleanup;
}
cur = cur->next;
/* check for overflow */
if (len > SIZE_MAX - single_san_len) {
ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA;
goto cleanup;
}
len += single_san_len;
}
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len, mbedtls_asn1_write_len(&p, buf, len));
MBEDTLS_ASN1_CHK_CLEANUP_ADD(len,
mbedtls_asn1_write_tag(&p, buf,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
ret = mbedtls_x509write_crt_set_extension(
ctx,
MBEDTLS_OID_SUBJECT_ALT_NAME,
MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
0,
buf + buflen - len,
len);
cleanup:
mbedtls_free(buf);
return ret;
}
int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx,
const char *oid, size_t oid_len,
int critical,
@ -426,7 +568,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
unsigned char *c, *c2;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
size_t hash_length = 0;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_algorithm_t psa_algorithm;
@ -585,7 +727,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx,
/* Compute hash of CRT. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm = mbedtls_hash_info_psa_from_md(ctx->md_alg);
psa_algorithm = mbedtls_md_psa_alg_from_type(ctx->md_alg);
status = psa_hash_compute(psa_algorithm,
c,

8
library/x509write_csr.c
View file

@ -35,9 +35,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#include "psa_util_internal.h"
#include "md_psa.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include "hash_info.h"
#include <string.h>
#include <stdlib.h>
@ -243,13 +243,13 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx,
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
unsigned char hash[MBEDTLS_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(ctx->md_alg);
psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ctx->md_alg);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Write the CSR backwards starting from the end of buf */