Merge branch 'development' into md-light
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman
GitHub
commit
45cef61fa4
107 changed files with 6916 additions and 1422 deletions
|
|
@ -13,6 +13,7 @@ endif()
|
|||
set(src_crypto
|
||||
aes.c
|
||||
aesni.c
|
||||
aesce.c
|
||||
aria.c
|
||||
asn1parse.c
|
||||
asn1write.c
|
||||
|
|
|
|||
|
|
@ -78,6 +78,7 @@ endif
|
|||
OBJS_CRYPTO= \
|
||||
aes.o \
|
||||
aesni.o \
|
||||
aesce.o \
|
||||
aria.o \
|
||||
asn1parse.o \
|
||||
asn1write.o \
|
||||
|
|
|
|||
|
|
@ -39,6 +39,9 @@
|
|||
#if defined(MBEDTLS_AESNI_C)
|
||||
#include "aesni.h"
|
||||
#endif
|
||||
#if defined(MBEDTLS_AESCE_C)
|
||||
#include "aesce.h"
|
||||
#endif
|
||||
|
||||
#include "mbedtls/platform.h"
|
||||
|
||||
|
|
@ -544,6 +547,12 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
|
||||
if (mbedtls_aesce_has_support()) {
|
||||
return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
|
||||
}
|
||||
#endif
|
||||
|
||||
for (i = 0; i < (keybits >> 5); i++) {
|
||||
RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
|
||||
}
|
||||
|
|
@ -652,6 +661,16 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
|
||||
if (mbedtls_aesce_has_support()) {
|
||||
mbedtls_aesce_inverse_key(
|
||||
(unsigned char *) RK,
|
||||
(const unsigned char *) (cty.buf + cty.rk_offset),
|
||||
ctx->nr);
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
SK = cty.buf + cty.rk_offset + cty.nr * 4;
|
||||
|
||||
*RK++ = *SK++;
|
||||
|
|
@ -944,6 +963,12 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
|
||||
if (mbedtls_aesce_has_support()) {
|
||||
return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
|
||||
if (aes_padlock_ace > 0) {
|
||||
if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0) {
|
||||
|
|
|
|||
257
library/aesce.c
Normal file
257
library/aesce.c
Normal file
|
|
@ -0,0 +1,257 @@
|
|||
/*
|
||||
* Arm64 crypto extension support functions
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_AESCE_C)
|
||||
|
||||
#include "aesce.h"
|
||||
|
||||
#if defined(MBEDTLS_HAVE_ARM64)
|
||||
|
||||
#if defined(__clang__)
|
||||
# if __clang_major__ < 4
|
||||
# error "A more recent Clang is required for MBEDTLS_AESCE_C"
|
||||
# endif
|
||||
#elif defined(__GNUC__)
|
||||
# if __GNUC__ < 6
|
||||
# error "A more recent GCC is required for MBEDTLS_AESCE_C"
|
||||
# endif
|
||||
#else
|
||||
# error "Only GCC and Clang supported for MBEDTLS_AESCE_C"
|
||||
#endif
|
||||
|
||||
#if !defined(__ARM_FEATURE_CRYPTO)
|
||||
# error "`crypto` feature moddifier MUST be enabled for MBEDTLS_AESCE_C."
|
||||
# error "Typical option for GCC and Clang is `-march=armv8-a+crypto`."
|
||||
#endif /* !__ARM_FEATURE_CRYPTO */
|
||||
|
||||
#include <arm_neon.h>
|
||||
|
||||
#if defined(__linux__)
|
||||
#include <asm/hwcap.h>
|
||||
#include <sys/auxv.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* AES instruction support detection routine
|
||||
*/
|
||||
int mbedtls_aesce_has_support(void)
|
||||
{
|
||||
#if defined(__linux__)
|
||||
unsigned long auxval = getauxval(AT_HWCAP);
|
||||
return (auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
|
||||
(HWCAP_ASIMD | HWCAP_AES);
|
||||
#else
|
||||
/* Assume AES instructions are supported. */
|
||||
return 1;
|
||||
#endif
|
||||
}
|
||||
|
||||
static uint8x16_t aesce_encrypt_block(uint8x16_t block,
|
||||
unsigned char *keys,
|
||||
int rounds)
|
||||
{
|
||||
for (int i = 0; i < rounds - 1; i++) {
|
||||
/* AES AddRoundKey, SubBytes, ShiftRows (in this order).
|
||||
* AddRoundKey adds the round key for the previous round. */
|
||||
block = vaeseq_u8(block, vld1q_u8(keys + i * 16));
|
||||
/* AES mix columns */
|
||||
block = vaesmcq_u8(block);
|
||||
}
|
||||
|
||||
/* AES AddRoundKey for the previous round.
|
||||
* SubBytes, ShiftRows for the final round. */
|
||||
block = vaeseq_u8(block, vld1q_u8(keys + (rounds -1) * 16));
|
||||
|
||||
/* Final round: no MixColumns */
|
||||
|
||||
/* Final AddRoundKey */
|
||||
block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
|
||||
|
||||
return block;
|
||||
}
|
||||
|
||||
static uint8x16_t aesce_decrypt_block(uint8x16_t block,
|
||||
unsigned char *keys,
|
||||
int rounds)
|
||||
{
|
||||
|
||||
for (int i = 0; i < rounds - 1; i++) {
|
||||
/* AES AddRoundKey, SubBytes, ShiftRows */
|
||||
block = vaesdq_u8(block, vld1q_u8(keys + i * 16));
|
||||
/* AES inverse MixColumns for the next round.
|
||||
*
|
||||
* This means that we switch the order of the inverse AddRoundKey and
|
||||
* inverse MixColumns operations. We have to do this as AddRoundKey is
|
||||
* done in an atomic instruction together with the inverses of SubBytes
|
||||
* and ShiftRows.
|
||||
*
|
||||
* It works because MixColumns is a linear operation over GF(2^8) and
|
||||
* AddRoundKey is an exclusive or, which is equivalent to addition over
|
||||
* GF(2^8). (The inverse of MixColumns needs to be applied to the
|
||||
* affected round keys separately which has been done when the
|
||||
* decryption round keys were calculated.) */
|
||||
block = vaesimcq_u8(block);
|
||||
}
|
||||
|
||||
/* The inverses of AES AddRoundKey, SubBytes, ShiftRows finishing up the
|
||||
* last full round. */
|
||||
block = vaesdq_u8(block, vld1q_u8(keys + (rounds - 1) * 16));
|
||||
|
||||
/* Inverse AddRoundKey for inverting the initial round key addition. */
|
||||
block = veorq_u8(block, vld1q_u8(keys + rounds * 16));
|
||||
|
||||
return block;
|
||||
}
|
||||
|
||||
/*
|
||||
* AES-ECB block en(de)cryption
|
||||
*/
|
||||
int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
|
||||
int mode,
|
||||
const unsigned char input[16],
|
||||
unsigned char output[16])
|
||||
{
|
||||
uint8x16_t block = vld1q_u8(&input[0]);
|
||||
unsigned char *keys = (unsigned char *) (ctx->buf + ctx->rk_offset);
|
||||
|
||||
if (mode == MBEDTLS_AES_ENCRYPT) {
|
||||
block = aesce_encrypt_block(block, keys, ctx->nr);
|
||||
} else {
|
||||
block = aesce_decrypt_block(block, keys, ctx->nr);
|
||||
}
|
||||
vst1q_u8(&output[0], block);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Compute decryption round keys from encryption round keys
|
||||
*/
|
||||
void mbedtls_aesce_inverse_key(unsigned char *invkey,
|
||||
const unsigned char *fwdkey,
|
||||
int nr)
|
||||
{
|
||||
int i, j;
|
||||
j = nr;
|
||||
vst1q_u8(invkey, vld1q_u8(fwdkey + j * 16));
|
||||
for (i = 1, j--; j > 0; i++, j--) {
|
||||
vst1q_u8(invkey + i * 16,
|
||||
vaesimcq_u8(vld1q_u8(fwdkey + j * 16)));
|
||||
}
|
||||
vst1q_u8(invkey + i * 16, vld1q_u8(fwdkey + j * 16));
|
||||
|
||||
}
|
||||
|
||||
static inline uint32_t aes_rot_word(uint32_t word)
|
||||
{
|
||||
return (word << (32 - 8)) | (word >> 8);
|
||||
}
|
||||
|
||||
static inline uint32_t aes_sub_word(uint32_t in)
|
||||
{
|
||||
uint8x16_t v = vreinterpretq_u8_u32(vdupq_n_u32(in));
|
||||
uint8x16_t zero = vdupq_n_u8(0);
|
||||
|
||||
/* vaeseq_u8 does both SubBytes and ShiftRows. Taking the first row yields
|
||||
* the correct result as ShiftRows doesn't change the first row. */
|
||||
v = vaeseq_u8(zero, v);
|
||||
return vgetq_lane_u32(vreinterpretq_u32_u8(v), 0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Key expansion function
|
||||
*/
|
||||
static void aesce_setkey_enc(unsigned char *rk,
|
||||
const unsigned char *key,
|
||||
const size_t key_bit_length)
|
||||
{
|
||||
static uint8_t const rcon[] = { 0x01, 0x02, 0x04, 0x08, 0x10,
|
||||
0x20, 0x40, 0x80, 0x1b, 0x36 };
|
||||
/* See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
|
||||
* - Section 5, Nr = Nk + 6
|
||||
* - Section 5.2, the key expansion size is Nb*(Nr+1)
|
||||
*/
|
||||
const uint32_t key_len_in_words = key_bit_length / 32; /* Nk */
|
||||
const size_t round_key_len_in_words = 4; /* Nb */
|
||||
const size_t round_keys_needed = key_len_in_words + 6; /* Nr */
|
||||
const size_t key_expansion_size_in_words =
|
||||
round_key_len_in_words * (round_keys_needed + 1); /* Nb*(Nr+1) */
|
||||
const uint32_t *rko_end = (uint32_t *) rk + key_expansion_size_in_words;
|
||||
|
||||
memcpy(rk, key, key_len_in_words * 4);
|
||||
|
||||
for (uint32_t *rki = (uint32_t *) rk;
|
||||
rki + key_len_in_words < rko_end;
|
||||
rki += key_len_in_words) {
|
||||
|
||||
size_t iteration = (rki - (uint32_t *) rk) / key_len_in_words;
|
||||
uint32_t *rko;
|
||||
rko = rki + key_len_in_words;
|
||||
rko[0] = aes_rot_word(aes_sub_word(rki[key_len_in_words - 1]));
|
||||
rko[0] ^= rcon[iteration] ^ rki[0];
|
||||
rko[1] = rko[0] ^ rki[1];
|
||||
rko[2] = rko[1] ^ rki[2];
|
||||
rko[3] = rko[2] ^ rki[3];
|
||||
if (rko + key_len_in_words > rko_end) {
|
||||
/* Do not write overflow words.*/
|
||||
continue;
|
||||
}
|
||||
switch (key_bit_length) {
|
||||
case 128:
|
||||
break;
|
||||
case 192:
|
||||
rko[4] = rko[3] ^ rki[4];
|
||||
rko[5] = rko[4] ^ rki[5];
|
||||
break;
|
||||
case 256:
|
||||
rko[4] = aes_sub_word(rko[3]) ^ rki[4];
|
||||
rko[5] = rko[4] ^ rki[5];
|
||||
rko[6] = rko[5] ^ rki[6];
|
||||
rko[7] = rko[6] ^ rki[7];
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Key expansion, wrapper
|
||||
*/
|
||||
int mbedtls_aesce_setkey_enc(unsigned char *rk,
|
||||
const unsigned char *key,
|
||||
size_t bits)
|
||||
{
|
||||
switch (bits) {
|
||||
case 128:
|
||||
case 192:
|
||||
case 256:
|
||||
aesce_setkey_enc(rk, key, bits);
|
||||
break;
|
||||
default:
|
||||
return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_HAVE_ARM64 */
|
||||
|
||||
#endif /* MBEDTLS_AESCE_C */
|
||||
98
library/aesce.h
Normal file
98
library/aesce.h
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
/**
|
||||
* \file aesce.h
|
||||
*
|
||||
* \brief AES-CE for hardware AES acceleration on ARMv8 processors with crypto
|
||||
* extension.
|
||||
*
|
||||
* \warning These functions are only for internal use by other library
|
||||
* functions; you must not call them directly.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef MBEDTLS_AESCE_H
|
||||
#define MBEDTLS_AESCE_H
|
||||
|
||||
#include "mbedtls/build_info.h"
|
||||
|
||||
#include "mbedtls/aes.h"
|
||||
|
||||
|
||||
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
|
||||
defined(__aarch64__) && !defined(MBEDTLS_HAVE_ARM64)
|
||||
#define MBEDTLS_HAVE_ARM64
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_HAVE_ARM64)
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \brief Internal function to detect the crypto extension in CPUs.
|
||||
*
|
||||
* \return 1 if CPU has support for the feature, 0 otherwise
|
||||
*/
|
||||
int mbedtls_aesce_has_support(void);
|
||||
|
||||
/**
|
||||
* \brief Internal AES-ECB block encryption and decryption
|
||||
*
|
||||
* \param ctx AES context
|
||||
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
|
||||
* \param input 16-byte input block
|
||||
* \param output 16-byte output block
|
||||
*
|
||||
* \return 0 on success (cannot fail)
|
||||
*/
|
||||
int mbedtls_aesce_crypt_ecb(mbedtls_aes_context *ctx,
|
||||
int mode,
|
||||
const unsigned char input[16],
|
||||
unsigned char output[16]);
|
||||
|
||||
/**
|
||||
* \brief Internal round key inversion. This function computes
|
||||
* decryption round keys from the encryption round keys.
|
||||
*
|
||||
* \param invkey Round keys for the equivalent inverse cipher
|
||||
* \param fwdkey Original round keys (for encryption)
|
||||
* \param nr Number of rounds (that is, number of round keys minus one)
|
||||
*/
|
||||
void mbedtls_aesce_inverse_key(unsigned char *invkey,
|
||||
const unsigned char *fwdkey,
|
||||
int nr);
|
||||
|
||||
/**
|
||||
* \brief Internal key expansion for encryption
|
||||
*
|
||||
* \param rk Destination buffer where the round keys are written
|
||||
* \param key Encryption key
|
||||
* \param bits Key size in bits (must be 128, 192 or 256)
|
||||
*
|
||||
* \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
|
||||
*/
|
||||
int mbedtls_aesce_setkey_enc(unsigned char *rk,
|
||||
const unsigned char *key,
|
||||
size_t bits);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_HAVE_ARM64 */
|
||||
|
||||
#endif /* MBEDTLS_AESCE_H */
|
||||
|
|
@ -130,7 +130,7 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
|
|||
* byte from x, where byte 0 is the least significant byte.
|
||||
*/
|
||||
#define MBEDTLS_BYTE_0(x) ((uint8_t) ((x) & 0xff))
|
||||
#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
|
||||
#define MBEDTLS_BYTE_1(x) ((uint8_t) (((x) >> 8) & 0xff))
|
||||
#define MBEDTLS_BYTE_2(x) ((uint8_t) (((x) >> 16) & 0xff))
|
||||
#define MBEDTLS_BYTE_3(x) ((uint8_t) (((x) >> 24) & 0xff))
|
||||
#define MBEDTLS_BYTE_4(x) ((uint8_t) (((x) >> 32) & 0xff))
|
||||
|
|
@ -155,13 +155,13 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
|
|||
* Detect Clang built-in byteswap routines
|
||||
*/
|
||||
#if defined(__clang__) && defined(__has_builtin)
|
||||
#if __has_builtin(__builtin_bswap16)
|
||||
#if __has_builtin(__builtin_bswap16) && !defined(MBEDTLS_BSWAP16)
|
||||
#define MBEDTLS_BSWAP16 __builtin_bswap16
|
||||
#endif /* __has_builtin(__builtin_bswap16) */
|
||||
#if __has_builtin(__builtin_bswap32)
|
||||
#if __has_builtin(__builtin_bswap32) && !defined(MBEDTLS_BSWAP32)
|
||||
#define MBEDTLS_BSWAP32 __builtin_bswap32
|
||||
#endif /* __has_builtin(__builtin_bswap32) */
|
||||
#if __has_builtin(__builtin_bswap64)
|
||||
#if __has_builtin(__builtin_bswap64) && !defined(MBEDTLS_BSWAP64)
|
||||
#define MBEDTLS_BSWAP64 __builtin_bswap64
|
||||
#endif /* __has_builtin(__builtin_bswap64) */
|
||||
#endif /* defined(__clang__) && defined(__has_builtin) */
|
||||
|
|
@ -170,13 +170,19 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
|
|||
* Detect MSVC built-in byteswap routines
|
||||
*/
|
||||
#if defined(_MSC_VER)
|
||||
#if !defined(MBEDTLS_BSWAP16)
|
||||
#define MBEDTLS_BSWAP16 _byteswap_ushort
|
||||
#endif
|
||||
#if !defined(MBEDTLS_BSWAP32)
|
||||
#define MBEDTLS_BSWAP32 _byteswap_ulong
|
||||
#endif
|
||||
#if !defined(MBEDTLS_BSWAP64)
|
||||
#define MBEDTLS_BSWAP64 _byteswap_uint64
|
||||
#endif
|
||||
#endif /* defined(_MSC_VER) */
|
||||
|
||||
/* Detect armcc built-in byteswap routine */
|
||||
#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000)
|
||||
#if defined(__ARMCC_VERSION) && (__ARMCC_VERSION >= 410000) && !defined(MBEDTLS_BSWAP32)
|
||||
#define MBEDTLS_BSWAP32 __rev
|
||||
#endif
|
||||
|
||||
|
|
@ -239,8 +245,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the four bytes to build the 32 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT32_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT32_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? mbedtls_get_unaligned_uint32((data) + (offset)) \
|
||||
: MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
|
||||
)
|
||||
|
|
@ -254,11 +260,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the most significant
|
||||
* byte of the 32 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT32_BE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
|
||||
mbedtls_put_unaligned_uint32((data) + (offset), (uint32_t) (n)); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
|
|
@ -275,8 +281,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the four bytes to build the 32 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT32_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT32_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? MBEDTLS_BSWAP32(mbedtls_get_unaligned_uint32((data) + (offset))) \
|
||||
: mbedtls_get_unaligned_uint32((data) + (offset)) \
|
||||
)
|
||||
|
|
@ -291,15 +297,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the least significant
|
||||
* byte of the 32 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT32_LE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint32((data) + (offset), MBEDTLS_BSWAP32((uint32_t) (n))); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
|
||||
mbedtls_put_unaligned_uint32((data) + (offset), ((uint32_t) (n))); \
|
||||
} \
|
||||
}
|
||||
|
||||
|
|
@ -312,8 +318,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the two bytes to build the 16 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT16_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT16_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
|
||||
: mbedtls_get_unaligned_uint16((data) + (offset)) \
|
||||
)
|
||||
|
|
@ -327,15 +333,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the least significant
|
||||
* byte of the 16 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT16_LE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint16((data) + (offset), MBEDTLS_BSWAP16((uint16_t) (n))); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
|
||||
mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
|
||||
} \
|
||||
}
|
||||
|
||||
|
|
@ -348,8 +354,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the two bytes to build the 16 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT16_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT16_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? mbedtls_get_unaligned_uint16((data) + (offset)) \
|
||||
: MBEDTLS_BSWAP16(mbedtls_get_unaligned_uint16((data) + (offset))) \
|
||||
)
|
||||
|
|
@ -363,11 +369,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the most significant
|
||||
* byte of the 16 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT16_BE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
|
||||
mbedtls_put_unaligned_uint16((data) + (offset), (uint16_t) (n)); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
|
|
@ -384,11 +390,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the three bytes to build the 24 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT24_BE(data, offset) \
|
||||
( \
|
||||
((uint32_t) (data)[(offset)] << 16) \
|
||||
| ((uint32_t) (data)[(offset) + 1] << 8) \
|
||||
| ((uint32_t) (data)[(offset) + 2]) \
|
||||
#define MBEDTLS_GET_UINT24_BE(data, offset) \
|
||||
( \
|
||||
((uint32_t) (data)[(offset)] << 16) \
|
||||
| ((uint32_t) (data)[(offset) + 1] << 8) \
|
||||
| ((uint32_t) (data)[(offset) + 2]) \
|
||||
)
|
||||
|
||||
/**
|
||||
|
|
@ -401,8 +407,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the 24 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT24_BE(n, data, offset) \
|
||||
{ \
|
||||
(data)[(offset)] = MBEDTLS_BYTE_2(n); \
|
||||
{ \
|
||||
(data)[(offset)] = MBEDTLS_BYTE_2(n); \
|
||||
(data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
|
||||
(data)[(offset) + 2] = MBEDTLS_BYTE_0(n); \
|
||||
}
|
||||
|
|
@ -416,9 +422,9 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the three bytes to build the 24 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT24_LE(data, offset) \
|
||||
( \
|
||||
((uint32_t) (data)[(offset)]) \
|
||||
#define MBEDTLS_GET_UINT24_LE(data, offset) \
|
||||
( \
|
||||
((uint32_t) (data)[(offset)]) \
|
||||
| ((uint32_t) (data)[(offset) + 1] << 8) \
|
||||
| ((uint32_t) (data)[(offset) + 2] << 16) \
|
||||
)
|
||||
|
|
@ -433,8 +439,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the 24 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT24_LE(n, data, offset) \
|
||||
{ \
|
||||
(data)[(offset)] = MBEDTLS_BYTE_0(n); \
|
||||
{ \
|
||||
(data)[(offset)] = MBEDTLS_BYTE_0(n); \
|
||||
(data)[(offset) + 1] = MBEDTLS_BYTE_1(n); \
|
||||
(data)[(offset) + 2] = MBEDTLS_BYTE_2(n); \
|
||||
}
|
||||
|
|
@ -448,8 +454,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the eight bytes to build the 64 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT64_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT64_BE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? mbedtls_get_unaligned_uint64((data) + (offset)) \
|
||||
: MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
|
||||
)
|
||||
|
|
@ -463,11 +469,11 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the most significant
|
||||
* byte of the 64 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT64_BE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
|
||||
mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
|
|
@ -484,8 +490,8 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* byte of the eight bytes to build the 64 bits unsigned
|
||||
* integer from.
|
||||
*/
|
||||
#define MBEDTLS_GET_UINT64_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
#define MBEDTLS_GET_UINT64_LE(data, offset) \
|
||||
((MBEDTLS_IS_BIG_ENDIAN) \
|
||||
? MBEDTLS_BSWAP64(mbedtls_get_unaligned_uint64((data) + (offset))) \
|
||||
: mbedtls_get_unaligned_uint64((data) + (offset)) \
|
||||
)
|
||||
|
|
@ -499,15 +505,15 @@ static const uint16_t mbedtls_byte_order_detector = { 0x100 };
|
|||
* \param offset Offset from \p data where to put the least significant
|
||||
* byte of the 64 bits unsigned integer \p n.
|
||||
*/
|
||||
#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
|
||||
#define MBEDTLS_PUT_UINT64_LE(n, data, offset) \
|
||||
{ \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
if (MBEDTLS_IS_BIG_ENDIAN) \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint64((data) + (offset), MBEDTLS_BSWAP64((uint64_t) (n))); \
|
||||
} \
|
||||
else \
|
||||
{ \
|
||||
mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
|
||||
mbedtls_put_unaligned_uint64((data) + (offset), (uint64_t) (n)); \
|
||||
} \
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -239,13 +239,13 @@ cleanup:
|
|||
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
|
||||
* Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
|
||||
*/
|
||||
static int ecdsa_sign_restartable(mbedtls_ecp_group *grp,
|
||||
mbedtls_mpi *r, mbedtls_mpi *s,
|
||||
const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int (*f_rng_blind)(void *, unsigned char *, size_t),
|
||||
void *p_rng_blind,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
|
||||
mbedtls_mpi *r, mbedtls_mpi *s,
|
||||
const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
int (*f_rng_blind)(void *, unsigned char *, size_t),
|
||||
void *p_rng_blind,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
{
|
||||
int ret, key_tries, sign_tries;
|
||||
int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
|
||||
|
|
@ -394,8 +394,8 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
|
|||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
|
||||
{
|
||||
/* Use the same RNG for both blinding and ephemeral key generation */
|
||||
return ecdsa_sign_restartable(grp, r, s, d, buf, blen,
|
||||
f_rng, p_rng, f_rng, p_rng, NULL);
|
||||
return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
|
||||
f_rng, p_rng, f_rng, p_rng, NULL);
|
||||
}
|
||||
#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
|
||||
|
||||
|
|
@ -406,13 +406,13 @@ int mbedtls_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
|
|||
* note: The f_rng_blind parameter must not be NULL.
|
||||
*
|
||||
*/
|
||||
static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
|
||||
mbedtls_mpi *r, mbedtls_mpi *s,
|
||||
const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
||||
mbedtls_md_type_t md_alg,
|
||||
int (*f_rng_blind)(void *, unsigned char *, size_t),
|
||||
void *p_rng_blind,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
|
||||
mbedtls_mpi *r, mbedtls_mpi *s,
|
||||
const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
|
||||
mbedtls_md_type_t md_alg,
|
||||
int (*f_rng_blind)(void *, unsigned char *, size_t),
|
||||
void *p_rng_blind,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_hmac_drbg_context rng_ctx;
|
||||
|
|
@ -462,9 +462,9 @@ sign:
|
|||
ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
|
||||
mbedtls_hmac_drbg_random, p_rng);
|
||||
#else
|
||||
ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
|
||||
mbedtls_hmac_drbg_random, p_rng,
|
||||
f_rng_blind, p_rng_blind, rs_ctx);
|
||||
ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
|
||||
mbedtls_hmac_drbg_random, p_rng,
|
||||
f_rng_blind, p_rng_blind, rs_ctx);
|
||||
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
|
||||
|
||||
cleanup:
|
||||
|
|
@ -487,8 +487,8 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
|
|||
size_t),
|
||||
void *p_rng_blind)
|
||||
{
|
||||
return ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
|
||||
f_rng_blind, p_rng_blind, NULL);
|
||||
return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
|
||||
f_rng_blind, p_rng_blind, NULL);
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
||||
|
||||
|
|
@ -497,11 +497,12 @@ int mbedtls_ecdsa_sign_det_ext(mbedtls_ecp_group *grp, mbedtls_mpi *r,
|
|||
* Verify ECDSA signature of hashed message (SEC1 4.1.4)
|
||||
* Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
|
||||
*/
|
||||
static int ecdsa_verify_restartable(mbedtls_ecp_group *grp,
|
||||
const unsigned char *buf, size_t blen,
|
||||
const mbedtls_ecp_point *Q,
|
||||
const mbedtls_mpi *r, const mbedtls_mpi *s,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
|
||||
const unsigned char *buf, size_t blen,
|
||||
const mbedtls_ecp_point *Q,
|
||||
const mbedtls_mpi *r,
|
||||
const mbedtls_mpi *s,
|
||||
mbedtls_ecdsa_restart_ctx *rs_ctx)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_mpi e, s_inv, u1, u2;
|
||||
|
|
@ -610,7 +611,7 @@ int mbedtls_ecdsa_verify(mbedtls_ecp_group *grp,
|
|||
const mbedtls_mpi *r,
|
||||
const mbedtls_mpi *s)
|
||||
{
|
||||
return ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
|
||||
return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
|
||||
}
|
||||
#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
|
||||
|
||||
|
|
@ -665,9 +666,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
|
|||
mbedtls_mpi_init(&s);
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
||||
MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
|
||||
hash, hlen, md_alg, f_rng,
|
||||
p_rng, rs_ctx));
|
||||
MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
|
||||
hash, hlen, md_alg, f_rng,
|
||||
p_rng, rs_ctx));
|
||||
#else
|
||||
(void) md_alg;
|
||||
|
||||
|
|
@ -678,9 +679,9 @@ int mbedtls_ecdsa_write_signature_restartable(mbedtls_ecdsa_context *ctx,
|
|||
hash, hlen, f_rng, p_rng));
|
||||
#else
|
||||
/* Use the same RNG for both blinding and ephemeral key generation */
|
||||
MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
|
||||
hash, hlen, f_rng, p_rng, f_rng,
|
||||
p_rng, rs_ctx));
|
||||
MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
|
||||
hash, hlen, f_rng, p_rng, f_rng,
|
||||
p_rng, rs_ctx));
|
||||
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
|
||||
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
|
||||
|
||||
|
|
@ -760,8 +761,8 @@ int mbedtls_ecdsa_read_signature_restartable(mbedtls_ecdsa_context *ctx,
|
|||
goto cleanup;
|
||||
}
|
||||
#else
|
||||
if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen,
|
||||
&ctx->Q, &r, &s, rs_ctx)) != 0) {
|
||||
if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
|
||||
&ctx->Q, &r, &s, rs_ctx)) != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
|
||||
|
|
|
|||
|
|
@ -4584,6 +4584,8 @@ static int ecp_mod_p384(mbedtls_mpi *);
|
|||
#endif
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
static int ecp_mod_p521(mbedtls_mpi *);
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
|
||||
#endif
|
||||
|
||||
#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
|
||||
|
|
@ -5189,11 +5191,6 @@ cleanup:
|
|||
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
/*
|
||||
* Here we have an actual Mersenne prime, so things are more straightforward.
|
||||
* However, chunks are aligned on a 'weird' boundary (521 bits).
|
||||
*/
|
||||
|
||||
/* Size of p521 in terms of mbedtls_mpi_uint */
|
||||
#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
|
||||
|
||||
|
|
@ -5201,48 +5198,81 @@ cleanup:
|
|||
#define P521_MASK 0x01FF
|
||||
|
||||
/*
|
||||
* Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
|
||||
* Write N as A1 + 2^521 A0, return A0 + A1
|
||||
* Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
|
||||
*/
|
||||
static int ecp_mod_p521(mbedtls_mpi *N)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i;
|
||||
mbedtls_mpi M;
|
||||
mbedtls_mpi_uint Mp[P521_WIDTH + 1];
|
||||
/* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
|
||||
* we need to hold bits 513 to 1056, which is 34 limbs, that is
|
||||
* P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
|
||||
|
||||
if (N->n < P521_WIDTH) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* M = A1 */
|
||||
M.s = 1;
|
||||
M.n = N->n - (P521_WIDTH - 1);
|
||||
if (M.n > P521_WIDTH + 1) {
|
||||
M.n = P521_WIDTH + 1;
|
||||
}
|
||||
M.p = Mp;
|
||||
memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
|
||||
|
||||
/* N = A0 */
|
||||
N->p[P521_WIDTH - 1] &= P521_MASK;
|
||||
for (i = P521_WIDTH; i < N->n; i++) {
|
||||
N->p[i] = 0;
|
||||
}
|
||||
|
||||
/* N = A0 + A1 */
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
|
||||
|
||||
size_t expected_width = 2 * P521_WIDTH;
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
|
||||
ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
|
||||
cleanup:
|
||||
return ret;
|
||||
}
|
||||
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
|
||||
{
|
||||
mbedtls_mpi_uint carry = 0;
|
||||
|
||||
if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) {
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
/* Step 1: Reduction to P521_WIDTH limbs */
|
||||
/* Helper references for bottom part of X */
|
||||
mbedtls_mpi_uint *X0 = X;
|
||||
size_t X0_limbs = P521_WIDTH;
|
||||
/* Helper references for top part of X */
|
||||
mbedtls_mpi_uint *X1 = X + X0_limbs;
|
||||
size_t X1_limbs = X_limbs - X0_limbs;
|
||||
/* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
|
||||
* (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
|
||||
* 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
|
||||
* The high order limb of the result will be held in carry and the rest
|
||||
* in X0 (that is the result will be represented as
|
||||
* 2^P521_WIDTH carry + X0).
|
||||
*
|
||||
* Also, note that the resulting carry is either 0 or 1:
|
||||
* X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
|
||||
* therefore
|
||||
* X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
|
||||
* which in turn is less than 2 * 2^(512 + biL).
|
||||
*/
|
||||
mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
|
||||
carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
|
||||
/* Set X to X0 (by clearing the top part). */
|
||||
memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
|
||||
|
||||
/* Step 2: Reduction modulo P521
|
||||
*
|
||||
* At this point X is reduced to P521_WIDTH limbs. What remains is to add
|
||||
* the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
|
||||
|
||||
/* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
|
||||
* Also, recall that carry is either 0 or 1. */
|
||||
mbedtls_mpi_uint addend = carry << (biL - 9);
|
||||
/* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
|
||||
addend += (X[P521_WIDTH - 1] >> 9);
|
||||
X[P521_WIDTH - 1] &= P521_MASK;
|
||||
|
||||
/* Resuse the top part of X (already zeroed) as a helper array for
|
||||
* carrying out the addition. */
|
||||
mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
|
||||
addend_arr[0] = addend;
|
||||
(void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
|
||||
/* Both addends were less than P521 therefore X < 2 * P521. (This also means
|
||||
* that the result fit in P521_WIDTH limbs and there won't be any carry.) */
|
||||
|
||||
/* Clear the reused part of X. */
|
||||
addend_arr[0] = 0;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#undef P521_WIDTH
|
||||
#undef P521_MASK
|
||||
|
||||
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
|
||||
#endif /* MBEDTLS_ECP_NIST_OPTIM */
|
||||
|
|
@ -5504,6 +5534,188 @@ static int ecp_mod_p256k1(mbedtls_mpi *N)
|
|||
}
|
||||
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
|
||||
|
||||
#endif /* !MBEDTLS_ECP_ALT */
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
|
||||
const mbedtls_ecp_group_id id,
|
||||
const mbedtls_ecp_curve_type ctype)
|
||||
{
|
||||
mbedtls_mpi_uint *p = NULL;
|
||||
size_t p_limbs;
|
||||
|
||||
if (!(ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE || \
|
||||
ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_SCALAR)) {
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
switch (id) {
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP192R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp192r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp192r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP224R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp224r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp224r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP256R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp256r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp256r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP384R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp384r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp384r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP521R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp521r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp521r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_BP256R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP256r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_BP384R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP384r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_BP512R1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) brainpoolP512r1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
|
||||
case MBEDTLS_ECP_DP_CURVE25519:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) curve25519_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) curve25519_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP192K1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp192k1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp192k1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP224K1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp224k1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp224k1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
|
||||
case MBEDTLS_ECP_DP_SECP256K1:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) secp256k1_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) secp256k1_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
|
||||
case MBEDTLS_ECP_DP_CURVE448:
|
||||
if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
|
||||
p = (mbedtls_mpi_uint *) curve448_p;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
|
||||
} else {
|
||||
p = (mbedtls_mpi_uint *) curve448_n;
|
||||
p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
|
||||
default:
|
||||
case MBEDTLS_ECP_DP_NONE:
|
||||
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs,
|
||||
MBEDTLS_MPI_MOD_REP_MONTGOMERY)) {
|
||||
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_TEST_HOOKS */
|
||||
#endif /* !MBEDTLS_ECP_ALT */
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@
|
|||
|
||||
#include "common.h"
|
||||
#include "mbedtls/bignum.h"
|
||||
#include "bignum_mod.h"
|
||||
#include "mbedtls/ecp.h"
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_C)
|
||||
|
|
@ -95,6 +96,50 @@ int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
|
|||
|
||||
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
|
||||
/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
|
||||
*
|
||||
* \param[in,out] X The address of the MPI to be converted.
|
||||
* Must have twice as many limbs as the modulus
|
||||
* (the modulus is 521 bits long). Upon return this
|
||||
* holds the reduced value. The reduced value is
|
||||
* in range `0 <= X < 2 * N` (where N is the modulus).
|
||||
* and its the bitlength is one plus the bitlength
|
||||
* of the modulus.
|
||||
* \param[in] X_limbs The length of \p X in limbs.
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
|
||||
* twice as many limbs as the modulus.
|
||||
*/
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
|
||||
|
||||
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
|
||||
/** Initialise a modulus with hard-coded const curve data.
|
||||
*
|
||||
* \note The caller is responsible for the \p N modulus' memory.
|
||||
* mbedtls_mpi_mod_modulus_free(&N) should be invoked at the
|
||||
* end of its lifecycle.
|
||||
*
|
||||
* \param[in,out] N The address of the modulus structure to populate.
|
||||
* Must be initialized.
|
||||
* \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
|
||||
* \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P)
|
||||
* or a scalar modulus (N).
|
||||
*
|
||||
* \return \c 0 if successful.
|
||||
* \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not
|
||||
* have the correct number of limbs.
|
||||
*
|
||||
*/
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
|
||||
const mbedtls_ecp_group_id id,
|
||||
const mbedtls_ecp_curve_type ctype);
|
||||
|
||||
#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
|
||||
|
||||
#endif /* MBEDTLS_ECP_INVASIVE_H */
|
||||
|
|
|
|||
|
|
@ -834,21 +834,55 @@ int mbedtls_oid_get_numeric_string(char *buf, size_t size,
|
|||
p = buf;
|
||||
n = size;
|
||||
|
||||
/* First byte contains first two dots */
|
||||
if (oid->len > 0) {
|
||||
ret = mbedtls_snprintf(p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40);
|
||||
OID_SAFE_SNPRINTF;
|
||||
/* First subidentifier contains first two OID components */
|
||||
i = 0;
|
||||
value = 0;
|
||||
if ((oid->p[0]) == 0x80) {
|
||||
/* Overlong encoding is not allowed */
|
||||
return MBEDTLS_ERR_ASN1_INVALID_DATA;
|
||||
}
|
||||
|
||||
value = 0;
|
||||
for (i = 1; i < oid->len; i++) {
|
||||
while (i < oid->len && ((oid->p[i] & 0x80) != 0)) {
|
||||
/* Prevent overflow in value. */
|
||||
if (((value << 7) >> 7) != value) {
|
||||
return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
|
||||
if (value > (UINT_MAX >> 7)) {
|
||||
return MBEDTLS_ERR_ASN1_INVALID_DATA;
|
||||
}
|
||||
|
||||
value |= oid->p[i] & 0x7F;
|
||||
value <<= 7;
|
||||
i++;
|
||||
}
|
||||
if (i >= oid->len) {
|
||||
return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
|
||||
}
|
||||
/* Last byte of first subidentifier */
|
||||
value |= oid->p[i] & 0x7F;
|
||||
i++;
|
||||
|
||||
unsigned int component1 = value / 40;
|
||||
if (component1 > 2) {
|
||||
/* The first component can only be 0, 1 or 2.
|
||||
* If oid->p[0] / 40 is greater than 2, the leftover belongs to
|
||||
* the second component. */
|
||||
component1 = 2;
|
||||
}
|
||||
unsigned int component2 = value - (40 * component1);
|
||||
ret = mbedtls_snprintf(p, n, "%u.%u", component1, component2);
|
||||
OID_SAFE_SNPRINTF;
|
||||
|
||||
value = 0;
|
||||
for (; i < oid->len; i++) {
|
||||
/* Prevent overflow in value. */
|
||||
if (value > (UINT_MAX >> 7)) {
|
||||
return MBEDTLS_ERR_ASN1_INVALID_DATA;
|
||||
}
|
||||
if ((value == 0) && ((oid->p[i]) == 0x80)) {
|
||||
/* Overlong encoding is not allowed */
|
||||
return MBEDTLS_ERR_ASN1_INVALID_DATA;
|
||||
}
|
||||
|
||||
value <<= 7;
|
||||
value += oid->p[i] & 0x7F;
|
||||
value |= oid->p[i] & 0x7F;
|
||||
|
||||
if (!(oid->p[i] & 0x80)) {
|
||||
/* Last byte */
|
||||
|
|
|
|||
|
|
@ -19,6 +19,8 @@
|
|||
|
||||
#include "common.h"
|
||||
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
#include "pk_wrap.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
|
@ -26,39 +28,34 @@
|
|||
/* Even if RSA not activated, for the sake of RSA-alt */
|
||||
#include "mbedtls/rsa.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
#include "mbedtls/ecp.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECP_C)
|
||||
#include "pkwrite.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#include "mbedtls/ecdsa.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#include "mbedtls/asn1write.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
|
||||
#include "mbedtls/platform_util.h"
|
||||
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
#include "pkwrite.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#include "psa/crypto.h"
|
||||
#include "mbedtls/psa_util.h"
|
||||
#include "mbedtls/asn1.h"
|
||||
#include "hash_info.h"
|
||||
|
||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
||||
#include "mbedtls/asn1write.h"
|
||||
#include "mbedtls/asn1.h"
|
||||
#endif
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#include "mbedtls/platform.h"
|
||||
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
int mbedtls_pk_error_from_psa(psa_status_t status)
|
||||
|
|
@ -685,11 +682,14 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
|||
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_status_t status;
|
||||
mbedtls_pk_context key;
|
||||
int key_len;
|
||||
unsigned char buf[MBEDTLS_PK_ECP_PUB_DER_MAX_BYTES];
|
||||
size_t key_len;
|
||||
/* This buffer will initially contain the public key and then the signature
|
||||
* but at different points in time. For all curves except secp224k1, which
|
||||
* is not currently supported in PSA, the public key is one byte longer
|
||||
* (header byte + 2 numbers, while the signature is only 2 numbers),
|
||||
* so use that as the buffer size. */
|
||||
unsigned char buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
|
||||
unsigned char *p;
|
||||
mbedtls_pk_info_t pk_info = mbedtls_eckey_info;
|
||||
psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA_ANY;
|
||||
size_t curve_bits;
|
||||
psa_ecc_family_t curve =
|
||||
|
|
@ -701,22 +701,19 @@ static int ecdsa_verify_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
|||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
/* mbedtls_pk_write_pubkey() expects a full PK context;
|
||||
* re-construct one to make it happy */
|
||||
key.pk_info = &pk_info;
|
||||
key.pk_ctx = ctx;
|
||||
p = buf + sizeof(buf);
|
||||
key_len = mbedtls_pk_write_pubkey(&p, buf, &key);
|
||||
if (key_len <= 0) {
|
||||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(curve));
|
||||
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
|
||||
psa_set_key_algorithm(&attributes, psa_sig_md);
|
||||
|
||||
ret = mbedtls_ecp_point_write_binary(&ctx->grp, &ctx->Q,
|
||||
MBEDTLS_ECP_PF_UNCOMPRESSED,
|
||||
&key_len, buf, sizeof(buf));
|
||||
if (ret != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
status = psa_import_key(&attributes,
|
||||
buf + sizeof(buf) - key_len, key_len,
|
||||
buf, key_len,
|
||||
&key_id);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = mbedtls_pk_error_from_psa(status);
|
||||
|
|
@ -864,54 +861,6 @@ static int pk_ecdsa_sig_asn1_from_psa(unsigned char *sig, size_t *sig_len,
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Locate an ECDSA privateKey in a RFC 5915, or SEC1 Appendix C.4 ASN.1 buffer
|
||||
*
|
||||
* [in/out] buf: ASN.1 buffer start as input - ECDSA privateKey start as output
|
||||
* [in] end: ASN.1 buffer end
|
||||
* [out] key_len: the ECDSA privateKey length in bytes
|
||||
*/
|
||||
static int find_ecdsa_private_key(unsigned char **buf, unsigned char *end,
|
||||
size_t *key_len)
|
||||
{
|
||||
size_t len;
|
||||
int ret;
|
||||
|
||||
/*
|
||||
* RFC 5915, or SEC1 Appendix C.4
|
||||
*
|
||||
* ECPrivateKey ::= SEQUENCE {
|
||||
* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
|
||||
* privateKey OCTET STRING,
|
||||
* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
|
||||
* publicKey [1] BIT STRING OPTIONAL
|
||||
* }
|
||||
*/
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(buf, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* version */
|
||||
if ((ret = mbedtls_asn1_get_tag(buf, end, &len,
|
||||
MBEDTLS_ASN1_INTEGER)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
*buf += len;
|
||||
|
||||
/* privateKey */
|
||||
if ((ret = mbedtls_asn1_get_tag(buf, end, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
*key_len = len;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
||||
const unsigned char *hash, size_t hash_len,
|
||||
unsigned char *sig, size_t sig_size, size_t *sig_len,
|
||||
|
|
@ -922,19 +871,18 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
|||
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_status_t status;
|
||||
mbedtls_pk_context key;
|
||||
size_t key_len;
|
||||
unsigned char buf[MBEDTLS_PK_ECP_PRV_DER_MAX_BYTES];
|
||||
unsigned char *p;
|
||||
psa_algorithm_t psa_hash = mbedtls_hash_info_psa_from_md(md_alg);
|
||||
unsigned char buf[MBEDTLS_PSA_MAX_EC_KEY_PAIR_LENGTH];
|
||||
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
|
||||
psa_algorithm_t psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(psa_hash);
|
||||
psa_algorithm_t psa_sig_md =
|
||||
PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
|
||||
#else
|
||||
psa_algorithm_t psa_sig_md = PSA_ALG_ECDSA(psa_hash);
|
||||
psa_algorithm_t psa_sig_md =
|
||||
PSA_ALG_ECDSA(mbedtls_hash_info_psa_from_md(md_alg));
|
||||
#endif
|
||||
size_t curve_bits;
|
||||
psa_ecc_family_t curve =
|
||||
mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits);
|
||||
size_t key_len = PSA_BITS_TO_BYTES(curve_bits);
|
||||
|
||||
/* PSA has its own RNG */
|
||||
((void) f_rng);
|
||||
|
|
@ -944,17 +892,10 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
|||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
/* mbedtls_pk_write_key_der() expects a full PK context;
|
||||
* re-construct one to make it happy */
|
||||
key.pk_info = &mbedtls_eckey_info;
|
||||
key.pk_ctx = ctx;
|
||||
key_len = mbedtls_pk_write_key_der(&key, buf, sizeof(buf));
|
||||
if (key_len <= 0) {
|
||||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
if (key_len > sizeof(buf)) {
|
||||
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
}
|
||||
|
||||
p = buf + sizeof(buf) - key_len;
|
||||
ret = find_ecdsa_private_key(&p, buf + sizeof(buf), &key_len);
|
||||
ret = mbedtls_mpi_write_binary(&ctx->d, buf, key_len);
|
||||
if (ret != 0) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
|
@ -964,7 +905,7 @@ static int ecdsa_sign_wrap(void *ctx_arg, mbedtls_md_type_t md_alg,
|
|||
psa_set_key_algorithm(&attributes, psa_sig_md);
|
||||
|
||||
status = psa_import_key(&attributes,
|
||||
p, key_len,
|
||||
buf, key_len,
|
||||
&key_id);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = mbedtls_pk_error_from_psa(status);
|
||||
|
|
@ -1003,8 +944,7 @@ static int ecdsa_sign_wrap(void *ctx, mbedtls_md_type_t md_alg,
|
|||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/* Forward declarations */
|
||||
static int ecdsa_verify_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
|
||||
const unsigned char *hash, size_t hash_len,
|
||||
|
|
@ -1110,8 +1050,7 @@ static int eckey_sign_rs_wrap(void *ctx, mbedtls_md_type_t md_alg,
|
|||
cleanup:
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_ECP_RESTARTABLE */
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
|
||||
static int eckey_check_pair(const void *pub, const void *prv,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
|
|
|
|||
213
library/pkcs7.c
213
library/pkcs7.c
|
|
@ -57,7 +57,10 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end,
|
|||
ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_CONSTRUCTED
|
||||
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
|
||||
if (ret != 0) {
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
|
||||
} else if ((size_t) (end - *p) != *len) {
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
return ret;
|
||||
|
|
@ -184,13 +187,13 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end,
|
|||
size_t len2 = 0;
|
||||
unsigned char *end_set, *end_cert, *start;
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
|
||||
| MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0) {
|
||||
if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
return 0;
|
||||
} else {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
|
||||
}
|
||||
ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
|
||||
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
|
||||
if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
return 0;
|
||||
}
|
||||
if (ret != 0) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
|
||||
}
|
||||
start = *p;
|
||||
end_set = *p + len1;
|
||||
|
|
@ -213,12 +216,11 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end,
|
|||
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
|
||||
*p = start;
|
||||
if ((ret = mbedtls_x509_crt_parse_der(certs, *p, len1)) < 0) {
|
||||
if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
|
||||
return MBEDTLS_ERR_PKCS7_INVALID_CERT;
|
||||
}
|
||||
|
||||
*p = *p + len1;
|
||||
*p = end_cert;
|
||||
|
||||
/*
|
||||
* Since in this version we strictly support single certificate, and reaching
|
||||
|
|
@ -285,7 +287,8 @@ static void pkcs7_free_signer_info(mbedtls_pkcs7_signer_info *signer)
|
|||
* and unauthenticatedAttributes.
|
||||
**/
|
||||
static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
|
||||
mbedtls_pkcs7_signer_info *signer)
|
||||
mbedtls_pkcs7_signer_info *signer,
|
||||
mbedtls_x509_buf *alg)
|
||||
{
|
||||
unsigned char *end_signer, *end_issuer_and_sn;
|
||||
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
|
@ -343,8 +346,15 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
|
|||
goto out;
|
||||
}
|
||||
|
||||
/* Assume authenticatedAttributes is nonexistent */
|
||||
/* Check that the digest algorithm used matches the one provided earlier */
|
||||
if (signer->alg_identifier.tag != alg->tag ||
|
||||
signer->alg_identifier.len != alg->len ||
|
||||
memcmp(signer->alg_identifier.p, alg->p, alg->len) != 0) {
|
||||
ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Asssume authenticatedAttributes is nonexistent */
|
||||
ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier);
|
||||
if (ret != 0) {
|
||||
goto out;
|
||||
|
|
@ -377,7 +387,8 @@ out:
|
|||
* Return negative error code for failure.
|
||||
**/
|
||||
static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
|
||||
mbedtls_pkcs7_signer_info *signers_set)
|
||||
mbedtls_pkcs7_signer_info *signers_set,
|
||||
mbedtls_x509_buf *digest_alg)
|
||||
{
|
||||
unsigned char *end_set;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
|
@ -397,7 +408,7 @@ static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
|
|||
|
||||
end_set = *p + len;
|
||||
|
||||
ret = pkcs7_get_signer_info(p, end_set, signers_set);
|
||||
ret = pkcs7_get_signer_info(p, end_set, signers_set, digest_alg);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
|
@ -412,7 +423,7 @@ static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
|
|||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = pkcs7_get_signer_info(p, end_set, signer);
|
||||
ret = pkcs7_get_signer_info(p, end_set, signer, digest_alg);
|
||||
if (ret != 0) {
|
||||
mbedtls_free(signer);
|
||||
goto cleanup;
|
||||
|
|
@ -454,7 +465,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
{
|
||||
unsigned char *p = buf;
|
||||
unsigned char *end = buf + buflen;
|
||||
unsigned char *end_set, *end_content_info;
|
||||
unsigned char *end_content_info = NULL;
|
||||
size_t len = 0;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_md_type_t md_alg;
|
||||
|
|
@ -465,16 +476,19 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
|
||||
}
|
||||
|
||||
end_set = p + len;
|
||||
if (p + len != end) {
|
||||
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
}
|
||||
|
||||
/* Get version of signed data */
|
||||
ret = pkcs7_get_version(&p, end_set, &signed_data->version);
|
||||
ret = pkcs7_get_version(&p, end, &signed_data->version);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Get digest algorithm */
|
||||
ret = pkcs7_get_digest_algorithm_set(&p, end_set,
|
||||
ret = pkcs7_get_digest_algorithm_set(&p, end,
|
||||
&signed_data->digest_alg_identifiers);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
|
|
@ -485,12 +499,15 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
return MBEDTLS_ERR_PKCS7_INVALID_ALG;
|
||||
}
|
||||
|
||||
/* Do not expect any content */
|
||||
ret = pkcs7_get_content_info_type(&p, end_set, &end_content_info,
|
||||
&signed_data->content.oid);
|
||||
mbedtls_pkcs7_buf content_type;
|
||||
memset(&content_type, 0, sizeof(content_type));
|
||||
ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
|
||||
return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
|
||||
}
|
||||
|
||||
if (p != end_content_info) {
|
||||
/* Determine if valid content is present */
|
||||
|
|
@ -509,13 +526,9 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
|
||||
}
|
||||
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) {
|
||||
return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
|
||||
}
|
||||
|
||||
/* Look for certificates, there may or may not be any */
|
||||
mbedtls_x509_crt_init(&signed_data->certs);
|
||||
ret = pkcs7_get_certificates(&p, end_set, &signed_data->certs);
|
||||
ret = pkcs7_get_certificates(&p, end, &signed_data->certs);
|
||||
if (ret < 0) {
|
||||
return ret;
|
||||
}
|
||||
|
|
@ -531,7 +544,10 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
|
|||
signed_data->no_of_crls = 0;
|
||||
|
||||
/* Get signers info */
|
||||
ret = pkcs7_get_signers_info_set(&p, end_set, &signed_data->signers);
|
||||
ret = pkcs7_get_signers_info_set(&p,
|
||||
end,
|
||||
&signed_data->signers,
|
||||
&signed_data->digest_alg_identifiers);
|
||||
if (ret < 0) {
|
||||
return ret;
|
||||
}
|
||||
|
|
@ -550,10 +566,9 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
|
|||
const size_t buflen)
|
||||
{
|
||||
unsigned char *p;
|
||||
unsigned char *end, *end_content_info;
|
||||
unsigned char *end;
|
||||
size_t len = 0;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
int isoidset = 0;
|
||||
|
||||
if (pkcs7 == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
|
|
@ -569,34 +584,45 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
|
|||
pkcs7->raw.len = buflen;
|
||||
end = p + buflen;
|
||||
|
||||
ret = pkcs7_get_content_info_type(&p, end, &end_content_info,
|
||||
&pkcs7->content_type_oid);
|
||||
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
|
||||
| MBEDTLS_ASN1_SEQUENCE);
|
||||
if (ret != 0) {
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if ((size_t) (end - p) != len) {
|
||||
ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||
goto out;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
|
||||
if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
|
||||
goto out;
|
||||
}
|
||||
p = pkcs7->raw.p;
|
||||
len = buflen;
|
||||
goto try_data;
|
||||
}
|
||||
|
||||
/* Ensure PKCS7 data uses the exact number of bytes specified in buflen */
|
||||
if (end_content_info != end) {
|
||||
ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) {
|
||||
/* OID is not MBEDTLS_OID_PKCS7_SIGNED_DATA, which is the only supported feature */
|
||||
if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len)
|
||||
|| !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len)
|
||||
|| !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len)
|
||||
|| !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len)
|
||||
|| !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) {
|
||||
/* OID is valid according to the spec, but unsupported */
|
||||
ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
|
||||
} else {
|
||||
/* OID is invalid according to the spec */
|
||||
ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
}
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid)
|
||||
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid)
|
||||
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid)
|
||||
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid)
|
||||
|| !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid)) {
|
||||
ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid)) {
|
||||
ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
goto out;
|
||||
}
|
||||
|
||||
isoidset = 1;
|
||||
p += len;
|
||||
|
||||
ret = pkcs7_get_next_content_len(&p, end, &len);
|
||||
if (ret != 0) {
|
||||
|
|
@ -615,12 +641,6 @@ try_data:
|
|||
goto out;
|
||||
}
|
||||
|
||||
if (!isoidset) {
|
||||
pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID;
|
||||
pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS7_SIGNED_DATA);
|
||||
pkcs7->content_type_oid.p = (unsigned char *) MBEDTLS_OID_PKCS7_SIGNED_DATA;
|
||||
}
|
||||
|
||||
ret = MBEDTLS_PKCS7_SIGNED_DATA;
|
||||
|
||||
out:
|
||||
|
|
@ -653,6 +673,39 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7,
|
|||
return MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
|
||||
}
|
||||
|
||||
ret = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, &md_alg);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
md_info = mbedtls_md_info_from_type(md_alg);
|
||||
if (md_info == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
}
|
||||
|
||||
hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
|
||||
if (hash == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
|
||||
}
|
||||
|
||||
/* BEGIN must free hash before jumping out */
|
||||
if (is_data_hash) {
|
||||
if (datalen != mbedtls_md_get_size(md_info)) {
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
} else {
|
||||
memcpy(hash, data, datalen);
|
||||
}
|
||||
} else {
|
||||
ret = mbedtls_md(md_info, data, datalen, hash);
|
||||
}
|
||||
if (ret != 0) {
|
||||
mbedtls_free(hash);
|
||||
return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
}
|
||||
|
||||
/* assume failure */
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
|
||||
/*
|
||||
* Potential TODOs
|
||||
* Currently we iterate over all signers and return success if any of them
|
||||
|
|
@ -662,61 +715,30 @@ static int mbedtls_pkcs7_data_or_hash_verify(mbedtls_pkcs7 *pkcs7,
|
|||
* identification and SignerIdentifier fields first. That would also allow
|
||||
* us to distinguish between 'no signature for key' and 'signature for key
|
||||
* failed to validate'.
|
||||
*
|
||||
* We could also cache hashes by md, so if there are several sigs all using
|
||||
* the same algo we don't recalculate the hash each time.
|
||||
*/
|
||||
for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
|
||||
ret = mbedtls_oid_get_md_alg(&signer->alg_identifier, &md_alg);
|
||||
if (ret != 0) {
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
continue;
|
||||
}
|
||||
|
||||
md_info = mbedtls_md_info_from_type(md_alg);
|
||||
if (md_info == NULL) {
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
continue;
|
||||
}
|
||||
|
||||
hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
|
||||
if (hash == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
|
||||
}
|
||||
/* BEGIN must free hash before jumping out */
|
||||
if (is_data_hash) {
|
||||
if (datalen != mbedtls_md_get_size(md_info)) {
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
} else {
|
||||
memcpy(hash, data, datalen);
|
||||
}
|
||||
} else {
|
||||
ret = mbedtls_md(md_info, data, datalen, hash);
|
||||
}
|
||||
if (ret != 0) {
|
||||
ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
|
||||
mbedtls_free(hash);
|
||||
continue;
|
||||
}
|
||||
|
||||
ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash,
|
||||
mbedtls_md_get_size(md_info),
|
||||
signer->sig.p, signer->sig.len);
|
||||
mbedtls_free(hash);
|
||||
/* END must free hash before jumping out */
|
||||
|
||||
if (ret == 0) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
mbedtls_free(hash);
|
||||
/* END must free hash before jumping out */
|
||||
return ret;
|
||||
}
|
||||
|
||||
int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7,
|
||||
const mbedtls_x509_crt *cert,
|
||||
const unsigned char *data,
|
||||
size_t datalen)
|
||||
{
|
||||
if (data == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
}
|
||||
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, data, datalen, 0);
|
||||
}
|
||||
|
||||
|
|
@ -725,6 +747,9 @@ int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7,
|
|||
const unsigned char *hash,
|
||||
size_t hashlen)
|
||||
{
|
||||
if (hash == NULL) {
|
||||
return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
|
||||
}
|
||||
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, hash, hashlen, 1);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -81,6 +81,7 @@
|
|||
#include "mbedtls/sha1.h"
|
||||
#include "mbedtls/sha256.h"
|
||||
#include "mbedtls/sha512.h"
|
||||
#include "hash_info.h"
|
||||
|
||||
#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
|
||||
|
||||
|
|
@ -310,6 +311,9 @@ psa_status_t mbedtls_to_psa_error(int ret)
|
|||
case MBEDTLS_ERR_ECP_RANDOM_FAILED:
|
||||
return PSA_ERROR_INSUFFICIENT_ENTROPY;
|
||||
|
||||
case MBEDTLS_ERR_ECP_IN_PROGRESS:
|
||||
return PSA_OPERATION_INCOMPLETE;
|
||||
|
||||
case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
|
||||
return PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
|
|
@ -318,6 +322,44 @@ psa_status_t mbedtls_to_psa_error(int ret)
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* \brief For output buffers which contain "tags"
|
||||
* (outputs that may be checked for validity like
|
||||
* hashes, MACs and signatures), fill the unused
|
||||
* part of the output buffer (the whole buffer on
|
||||
* error, the trailing part on success) with
|
||||
* something that isn't a valid tag (barring an
|
||||
* attack on the tag and deliberately-crafted
|
||||
* input), in case the caller doesn't check the
|
||||
* return status properly.
|
||||
*
|
||||
* \param output_buffer Pointer to buffer to wipe. May not be NULL
|
||||
* unless \p output_buffer_size is zero.
|
||||
* \param status Status of function called to generate
|
||||
* output_buffer originally
|
||||
* \param output_buffer_size Size of output buffer. If zero, \p output_buffer
|
||||
* could be NULL.
|
||||
* \param output_buffer_length Length of data written to output_buffer, must be
|
||||
* less than \p output_buffer_size
|
||||
*/
|
||||
static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
|
||||
size_t output_buffer_size, size_t output_buffer_length)
|
||||
{
|
||||
size_t offset = 0;
|
||||
|
||||
if (output_buffer_size == 0) {
|
||||
/* If output_buffer_size is 0 then we have nothing to do. We must not
|
||||
call memset because output_buffer may be NULL in this case */
|
||||
return;
|
||||
}
|
||||
|
||||
if (status == PSA_SUCCESS) {
|
||||
offset = output_buffer_length;
|
||||
}
|
||||
|
||||
memset(output_buffer + offset, '!', output_buffer_size - offset);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
@ -1673,12 +1715,12 @@ static psa_status_t psa_start_key_creation(
|
|||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The key was successfully created.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
*
|
||||
* \return If this function fails, the key slot is an invalid state.
|
||||
* You must call psa_fail_key_creation() to wipe and free the slot.
|
||||
|
|
@ -2500,10 +2542,7 @@ exit:
|
|||
operation->mac_size = 0;
|
||||
}
|
||||
|
||||
if (mac_size > operation->mac_size) {
|
||||
memset(&mac[operation->mac_size], '!',
|
||||
mac_size - operation->mac_size);
|
||||
}
|
||||
psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
|
||||
|
||||
abort_status = psa_mac_abort(operation);
|
||||
|
||||
|
|
@ -2597,9 +2636,8 @@ exit:
|
|||
*mac_length = mac_size;
|
||||
operation_mac_size = 0;
|
||||
}
|
||||
if (mac_size > operation_mac_size) {
|
||||
memset(&mac[operation_mac_size], '!', mac_size - operation_mac_size);
|
||||
}
|
||||
|
||||
psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
|
||||
|
||||
unlock_status = psa_unlock_key_slot(slot);
|
||||
|
||||
|
|
@ -2741,18 +2779,8 @@ static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
|
|||
|
||||
|
||||
exit:
|
||||
/* Fill the unused part of the output buffer (the whole buffer on error,
|
||||
* the trailing part on success) with something that isn't a valid signature
|
||||
* (barring an attack on the signature and deliberately-crafted input),
|
||||
* in case the caller doesn't check the return status properly. */
|
||||
if (status == PSA_SUCCESS) {
|
||||
memset(signature + *signature_length, '!',
|
||||
signature_size - *signature_length);
|
||||
} else {
|
||||
memset(signature, '!', signature_size);
|
||||
}
|
||||
/* If signature_size is 0 then we have nothing to do. We must not call
|
||||
* memset because signature may be NULL in this case. */
|
||||
psa_wipe_tag_output_buffer(signature, status, signature_size,
|
||||
*signature_length);
|
||||
|
||||
unlock_status = psa_unlock_key_slot(slot);
|
||||
|
||||
|
|
@ -3124,7 +3152,756 @@ exit:
|
|||
return (status == PSA_SUCCESS) ? unlock_status : status;
|
||||
}
|
||||
|
||||
/****************************************************************/
|
||||
/* Asymmetric interruptible cryptography */
|
||||
/****************************************************************/
|
||||
|
||||
static uint32_t psa_interruptible_max_ops = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
|
||||
|
||||
void psa_interruptible_set_max_ops(uint32_t max_ops)
|
||||
{
|
||||
psa_interruptible_max_ops = max_ops;
|
||||
}
|
||||
|
||||
uint32_t psa_interruptible_get_max_ops(void)
|
||||
{
|
||||
return psa_interruptible_max_ops;
|
||||
}
|
||||
|
||||
uint32_t psa_sign_hash_get_num_ops(
|
||||
const psa_sign_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
return operation->num_ops;
|
||||
}
|
||||
|
||||
uint32_t psa_verify_hash_get_num_ops(
|
||||
const psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
return operation->num_ops;
|
||||
}
|
||||
|
||||
static psa_status_t psa_sign_hash_abort_internal(
|
||||
psa_sign_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
if (operation->id == 0) {
|
||||
/* The object has (apparently) been initialized but it is not (yet)
|
||||
* in use. It's ok to call abort on such an object, and there's
|
||||
* nothing to do. */
|
||||
return PSA_SUCCESS;
|
||||
}
|
||||
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
status = psa_driver_wrapper_sign_hash_abort(operation);
|
||||
|
||||
operation->id = 0;
|
||||
|
||||
/* Do not clear either the error_occurred or num_ops elements here as they
|
||||
* only want to be cleared by the application calling abort, not by abort
|
||||
* being called at completion of an operation. */
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
psa_status_t psa_sign_hash_start(
|
||||
psa_sign_hash_interruptible_operation_t *operation,
|
||||
mbedtls_svc_key_id_t key, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_key_slot_t *slot;
|
||||
|
||||
/* Check that start has not been previously called, or operation has not
|
||||
* previously errored. */
|
||||
if (operation->id != 0 || operation->error_occurred) {
|
||||
return PSA_ERROR_BAD_STATE;
|
||||
}
|
||||
|
||||
status = psa_sign_verify_check_alg(0, alg);
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
return status;
|
||||
}
|
||||
|
||||
status = psa_get_and_lock_key_slot_with_policy(key, &slot,
|
||||
PSA_KEY_USAGE_SIGN_HASH,
|
||||
alg);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
|
||||
status = PSA_ERROR_INVALID_ARGUMENT;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
psa_key_attributes_t attributes = {
|
||||
.core = slot->attr
|
||||
};
|
||||
|
||||
/* Ensure ops count gets reset, in case of operation re-use. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
|
||||
slot->key.data,
|
||||
slot->key.bytes, alg,
|
||||
hash, hash_length);
|
||||
exit:
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
psa_sign_hash_abort_internal(operation);
|
||||
}
|
||||
|
||||
unlock_status = psa_unlock_key_slot(slot);
|
||||
|
||||
if (unlock_status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
}
|
||||
|
||||
return (status == PSA_SUCCESS) ? unlock_status : status;
|
||||
}
|
||||
|
||||
|
||||
psa_status_t psa_sign_hash_complete(
|
||||
psa_sign_hash_interruptible_operation_t *operation,
|
||||
uint8_t *signature, size_t signature_size,
|
||||
size_t *signature_length)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
*signature_length = 0;
|
||||
|
||||
/* Check that start has been called first, and that operation has not
|
||||
* previously errored. */
|
||||
if (operation->id == 0 || operation->error_occurred) {
|
||||
status = PSA_ERROR_BAD_STATE;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* Immediately reject a zero-length signature buffer. This guarantees that
|
||||
* signature must be a valid pointer. */
|
||||
if (signature_size == 0) {
|
||||
status = PSA_ERROR_BUFFER_TOO_SMALL;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_driver_wrapper_sign_hash_complete(operation, signature,
|
||||
signature_size,
|
||||
signature_length);
|
||||
|
||||
/* Update ops count with work done. */
|
||||
operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
|
||||
|
||||
exit:
|
||||
|
||||
psa_wipe_tag_output_buffer(signature, status, signature_size,
|
||||
*signature_length);
|
||||
|
||||
if (status != PSA_OPERATION_INCOMPLETE) {
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
}
|
||||
|
||||
psa_sign_hash_abort_internal(operation);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
psa_status_t psa_sign_hash_abort(
|
||||
psa_sign_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
status = psa_sign_hash_abort_internal(operation);
|
||||
|
||||
/* We clear the number of ops done here, so that it is not cleared when
|
||||
* the operation fails or succeeds, only on manual abort. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
/* Likewise, failure state. */
|
||||
operation->error_occurred = 0;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
static psa_status_t psa_verify_hash_abort_internal(
|
||||
psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
if (operation->id == 0) {
|
||||
/* The object has (apparently) been initialized but it is not (yet)
|
||||
* in use. It's ok to call abort on such an object, and there's
|
||||
* nothing to do. */
|
||||
return PSA_SUCCESS;
|
||||
}
|
||||
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
status = psa_driver_wrapper_verify_hash_abort(operation);
|
||||
|
||||
operation->id = 0;
|
||||
|
||||
/* Do not clear either the error_occurred or num_ops elements here as they
|
||||
* only want to be cleared by the application calling abort, not by abort
|
||||
* being called at completion of an operation. */
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
psa_status_t psa_verify_hash_start(
|
||||
psa_verify_hash_interruptible_operation_t *operation,
|
||||
mbedtls_svc_key_id_t key, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length,
|
||||
const uint8_t *signature, size_t signature_length)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_key_slot_t *slot;
|
||||
|
||||
/* Check that start has not been previously called, or operation has not
|
||||
* previously errored. */
|
||||
if (operation->id != 0 || operation->error_occurred) {
|
||||
return PSA_ERROR_BAD_STATE;
|
||||
}
|
||||
|
||||
status = psa_sign_verify_check_alg(0, alg);
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
return status;
|
||||
}
|
||||
|
||||
status = psa_get_and_lock_key_slot_with_policy(key, &slot,
|
||||
PSA_KEY_USAGE_VERIFY_HASH,
|
||||
alg);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
return status;
|
||||
}
|
||||
|
||||
psa_key_attributes_t attributes = {
|
||||
.core = slot->attr
|
||||
};
|
||||
|
||||
/* Ensure ops count gets reset, in case of operation re-use. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
|
||||
slot->key.data,
|
||||
slot->key.bytes,
|
||||
alg, hash, hash_length,
|
||||
signature, signature_length);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
psa_verify_hash_abort_internal(operation);
|
||||
}
|
||||
|
||||
unlock_status = psa_unlock_key_slot(slot);
|
||||
|
||||
if (unlock_status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
}
|
||||
|
||||
return (status == PSA_SUCCESS) ? unlock_status : status;
|
||||
}
|
||||
|
||||
psa_status_t psa_verify_hash_complete(
|
||||
psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* Check that start has been called first, and that operation has not
|
||||
* previously errored. */
|
||||
if (operation->id == 0 || operation->error_occurred) {
|
||||
status = PSA_ERROR_BAD_STATE;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_driver_wrapper_verify_hash_complete(operation);
|
||||
|
||||
/* Update ops count with work done. */
|
||||
operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
|
||||
operation);
|
||||
|
||||
exit:
|
||||
|
||||
if (status != PSA_OPERATION_INCOMPLETE) {
|
||||
if (status != PSA_SUCCESS) {
|
||||
operation->error_occurred = 1;
|
||||
}
|
||||
|
||||
psa_verify_hash_abort_internal(operation);
|
||||
}
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
psa_status_t psa_verify_hash_abort(
|
||||
psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
status = psa_verify_hash_abort_internal(operation);
|
||||
|
||||
/* We clear the number of ops done here, so that it is not cleared when
|
||||
* the operation fails or succeeds, only on manual abort. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
/* Likewise, failure state. */
|
||||
operation->error_occurred = 0;
|
||||
|
||||
return status;
|
||||
}
|
||||
|
||||
/****************************************************************/
|
||||
/* Asymmetric interruptible cryptography internal */
|
||||
/* implementations */
|
||||
/****************************************************************/
|
||||
|
||||
void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
|
||||
{
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
/* Internal implementation uses zero to indicate infinite number max ops,
|
||||
* therefore avoid this value, and set to minimum possible. */
|
||||
if (max_ops == 0) {
|
||||
max_ops = 1;
|
||||
}
|
||||
|
||||
mbedtls_ecp_set_max_ops(max_ops);
|
||||
#else
|
||||
(void) max_ops;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
uint32_t mbedtls_psa_sign_hash_get_num_ops(
|
||||
const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
return operation->num_ops;
|
||||
#else
|
||||
(void) operation;
|
||||
return 0;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
uint32_t mbedtls_psa_verify_hash_get_num_ops(
|
||||
const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
return operation->num_ops;
|
||||
#else
|
||||
(void) operation;
|
||||
return 0;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_sign_hash_start(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
|
||||
size_t key_buffer_size, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
size_t required_hash_length;
|
||||
|
||||
if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
if (!PSA_ALG_IS_ECDSA(alg)) {
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
mbedtls_ecdsa_restart_init(&operation->restart_ctx);
|
||||
|
||||
/* Ensure num_ops is zero'ed in case of context re-use. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
status = mbedtls_psa_ecp_load_representation(attributes->core.type,
|
||||
attributes->core.bits,
|
||||
key_buffer,
|
||||
key_buffer_size,
|
||||
&operation->ctx);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return status;
|
||||
}
|
||||
|
||||
operation->coordinate_bytes = PSA_BITS_TO_BYTES(
|
||||
operation->ctx->grp.nbits);
|
||||
|
||||
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
|
||||
operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
|
||||
operation->alg = alg;
|
||||
|
||||
/* We only need to store the same length of hash as the private key size
|
||||
* here, it would be truncated by the internal implementation anyway. */
|
||||
required_hash_length = (hash_length < operation->coordinate_bytes ?
|
||||
hash_length : operation->coordinate_bytes);
|
||||
|
||||
if (required_hash_length > sizeof(operation->hash)) {
|
||||
/* Shouldn't happen, but better safe than sorry. */
|
||||
return PSA_ERROR_CORRUPTION_DETECTED;
|
||||
}
|
||||
|
||||
memcpy(operation->hash, hash, required_hash_length);
|
||||
operation->hash_length = required_hash_length;
|
||||
|
||||
return PSA_SUCCESS;
|
||||
|
||||
#else
|
||||
(void) operation;
|
||||
(void) key_buffer;
|
||||
(void) key_buffer_size;
|
||||
(void) alg;
|
||||
(void) hash;
|
||||
(void) hash_length;
|
||||
(void) status;
|
||||
(void) required_hash_length;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_sign_hash_complete(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
|
||||
uint8_t *signature, size_t signature_size,
|
||||
size_t *signature_length)
|
||||
{
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_mpi r;
|
||||
mbedtls_mpi s;
|
||||
|
||||
mbedtls_mpi_init(&r);
|
||||
mbedtls_mpi_init(&s);
|
||||
|
||||
/* Ensure max_ops is set to the current value (or default). */
|
||||
mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
|
||||
|
||||
if (signature_size < 2 * operation->coordinate_bytes) {
|
||||
status = PSA_ERROR_BUFFER_TOO_SMALL;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
|
||||
|
||||
#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
|
||||
&r,
|
||||
&s,
|
||||
&operation->ctx->d,
|
||||
operation->hash,
|
||||
operation->hash_length,
|
||||
operation->md_alg,
|
||||
mbedtls_psa_get_random,
|
||||
MBEDTLS_PSA_RANDOM_STATE,
|
||||
&operation->restart_ctx));
|
||||
#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
|
||||
status = PSA_ERROR_NOT_SUPPORTED;
|
||||
goto exit;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
|
||||
} else {
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
|
||||
&r,
|
||||
&s,
|
||||
&operation->ctx->d,
|
||||
operation->hash,
|
||||
operation->hash_length,
|
||||
mbedtls_psa_get_random,
|
||||
MBEDTLS_PSA_RANDOM_STATE,
|
||||
mbedtls_psa_get_random,
|
||||
MBEDTLS_PSA_RANDOM_STATE,
|
||||
&operation->restart_ctx));
|
||||
}
|
||||
|
||||
/* Hide the fact that the restart context only holds a delta of number of
|
||||
* ops done during the last operation, not an absolute value. */
|
||||
operation->num_ops += operation->restart_ctx.ecp.ops_done;
|
||||
|
||||
if (status == PSA_SUCCESS) {
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_mpi_write_binary(&r,
|
||||
signature,
|
||||
operation->coordinate_bytes)
|
||||
);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_mpi_write_binary(&s,
|
||||
signature +
|
||||
operation->coordinate_bytes,
|
||||
operation->coordinate_bytes)
|
||||
);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
*signature_length = operation->coordinate_bytes * 2;
|
||||
|
||||
status = PSA_SUCCESS;
|
||||
}
|
||||
|
||||
exit:
|
||||
|
||||
mbedtls_mpi_free(&r);
|
||||
mbedtls_mpi_free(&s);
|
||||
return status;
|
||||
|
||||
#else
|
||||
|
||||
(void) operation;
|
||||
(void) signature;
|
||||
(void) signature_size;
|
||||
(void) signature_length;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_sign_hash_abort(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
if (operation->ctx) {
|
||||
mbedtls_ecdsa_free(operation->ctx);
|
||||
mbedtls_free(operation->ctx);
|
||||
operation->ctx = NULL;
|
||||
}
|
||||
|
||||
mbedtls_ecdsa_restart_free(&operation->restart_ctx);
|
||||
|
||||
operation->num_ops = 0;
|
||||
|
||||
return PSA_SUCCESS;
|
||||
|
||||
#else
|
||||
|
||||
(void) operation;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_verify_hash_start(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes,
|
||||
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||
psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length,
|
||||
const uint8_t *signature, size_t signature_length)
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
size_t coordinate_bytes = 0;
|
||||
size_t required_hash_length = 0;
|
||||
|
||||
if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
if (!PSA_ALG_IS_ECDSA(alg)) {
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
}
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
mbedtls_ecdsa_restart_init(&operation->restart_ctx);
|
||||
mbedtls_mpi_init(&operation->r);
|
||||
mbedtls_mpi_init(&operation->s);
|
||||
|
||||
/* Ensure num_ops is zero'ed in case of context re-use. */
|
||||
operation->num_ops = 0;
|
||||
|
||||
status = mbedtls_psa_ecp_load_representation(attributes->core.type,
|
||||
attributes->core.bits,
|
||||
key_buffer,
|
||||
key_buffer_size,
|
||||
&operation->ctx);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return status;
|
||||
}
|
||||
|
||||
coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
|
||||
|
||||
if (signature_length != 2 * coordinate_bytes) {
|
||||
return PSA_ERROR_INVALID_SIGNATURE;
|
||||
}
|
||||
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_mpi_read_binary(&operation->r,
|
||||
signature,
|
||||
coordinate_bytes));
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_mpi_read_binary(&operation->s,
|
||||
signature +
|
||||
coordinate_bytes,
|
||||
coordinate_bytes));
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return status;
|
||||
}
|
||||
|
||||
status = mbedtls_psa_ecp_load_public_part(operation->ctx);
|
||||
|
||||
if (status != PSA_SUCCESS) {
|
||||
return status;
|
||||
}
|
||||
|
||||
/* We only need to store the same length of hash as the private key size
|
||||
* here, it would be truncated by the internal implementation anyway. */
|
||||
required_hash_length = (hash_length < coordinate_bytes ? hash_length :
|
||||
coordinate_bytes);
|
||||
|
||||
if (required_hash_length > sizeof(operation->hash)) {
|
||||
/* Shouldn't happen, but better safe than sorry. */
|
||||
return PSA_ERROR_CORRUPTION_DETECTED;
|
||||
}
|
||||
|
||||
memcpy(operation->hash, hash, required_hash_length);
|
||||
operation->hash_length = required_hash_length;
|
||||
|
||||
return PSA_SUCCESS;
|
||||
#else
|
||||
(void) operation;
|
||||
(void) key_buffer;
|
||||
(void) key_buffer_size;
|
||||
(void) alg;
|
||||
(void) hash;
|
||||
(void) hash_length;
|
||||
(void) signature;
|
||||
(void) signature_length;
|
||||
(void) status;
|
||||
(void) coordinate_bytes;
|
||||
(void) required_hash_length;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_verify_hash_complete(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* Ensure max_ops is set to the current value (or default). */
|
||||
mbedtls_psa_interruptible_set_max_ops(psa_interruptible_get_max_ops());
|
||||
|
||||
status = mbedtls_to_psa_error(
|
||||
mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
|
||||
operation->hash,
|
||||
operation->hash_length,
|
||||
&operation->ctx->Q,
|
||||
&operation->r,
|
||||
&operation->s,
|
||||
&operation->restart_ctx));
|
||||
|
||||
/* Hide the fact that the restart context only holds a delta of number of
|
||||
* ops done during the last operation, not an absolute value. */
|
||||
operation->num_ops += operation->restart_ctx.ecp.ops_done;
|
||||
|
||||
return status;
|
||||
#else
|
||||
(void) operation;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_verify_hash_abort(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation)
|
||||
{
|
||||
|
||||
#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
|
||||
defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
|
||||
if (operation->ctx) {
|
||||
mbedtls_ecdsa_free(operation->ctx);
|
||||
mbedtls_free(operation->ctx);
|
||||
operation->ctx = NULL;
|
||||
}
|
||||
|
||||
mbedtls_ecdsa_restart_free(&operation->restart_ctx);
|
||||
|
||||
operation->num_ops = 0;
|
||||
|
||||
mbedtls_mpi_free(&operation->r);
|
||||
mbedtls_mpi_free(&operation->s);
|
||||
|
||||
return PSA_SUCCESS;
|
||||
|
||||
#else
|
||||
(void) operation;
|
||||
|
||||
return PSA_ERROR_NOT_SUPPORTED;
|
||||
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
|
||||
* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
|
||||
* defined( MBEDTLS_ECP_RESTARTABLE ) */
|
||||
}
|
||||
|
||||
/****************************************************************/
|
||||
/* Symmetric cryptography */
|
||||
|
|
@ -4126,18 +4903,14 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
|
|||
tag, tag_size, tag_length);
|
||||
|
||||
exit:
|
||||
|
||||
|
||||
/* In case the operation fails and the user fails to check for failure or
|
||||
* the zero tag size, make sure the tag is set to something implausible.
|
||||
* Even if the operation succeeds, make sure we clear the rest of the
|
||||
* buffer to prevent potential leakage of anything previously placed in
|
||||
* the same buffer.*/
|
||||
if (tag != NULL) {
|
||||
if (status != PSA_SUCCESS) {
|
||||
memset(tag, '!', tag_size);
|
||||
} else if (*tag_length < tag_size) {
|
||||
memset(tag + *tag_length, '!', (tag_size - *tag_length));
|
||||
}
|
||||
}
|
||||
psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
|
||||
|
||||
psa_aead_abort(operation);
|
||||
|
||||
|
|
|
|||
|
|
@ -71,10 +71,10 @@
|
|||
* \retval #PSA_SUCCESS Success.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not supported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* ciphertext_size is too small.
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_aead_encrypt(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -134,10 +134,10 @@ psa_status_t mbedtls_psa_aead_encrypt(
|
|||
* The cipher is not authentic.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not supported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* plaintext_size is too small.
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_aead_decrypt(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
|
|||
|
|
@ -59,10 +59,10 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
|
|||
* (\c PSA_ALG_XXX value such that
|
||||
* #PSA_ALG_IS_CIPHER(\p alg) is true).
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_encrypt_setup(
|
||||
mbedtls_psa_cipher_operation_t *operation,
|
||||
|
|
@ -89,10 +89,10 @@ psa_status_t mbedtls_psa_cipher_encrypt_setup(
|
|||
* (\c PSA_ALG_XXX value such that
|
||||
* #PSA_ALG_IS_CIPHER(\p alg) is true).
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_decrypt_setup(
|
||||
mbedtls_psa_cipher_operation_t *operation,
|
||||
|
|
@ -116,11 +116,11 @@ psa_status_t mbedtls_psa_cipher_decrypt_setup(
|
|||
* the core to be less or equal to
|
||||
* PSA_CIPHER_IV_MAX_SIZE.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The size of \p iv is not acceptable for the chosen algorithm,
|
||||
* or the chosen algorithm does not use an IV.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_set_iv(
|
||||
mbedtls_psa_cipher_operation_t *operation,
|
||||
|
|
@ -142,10 +142,10 @@ psa_status_t mbedtls_psa_cipher_set_iv(
|
|||
* \param[out] output_length On success, the number of bytes
|
||||
* that make up the returned output.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_update(
|
||||
mbedtls_psa_cipher_operation_t *operation,
|
||||
|
|
@ -165,7 +165,7 @@ psa_status_t mbedtls_psa_cipher_update(
|
|||
* \param[out] output_length On success, the number of bytes
|
||||
* that make up the returned output.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The total input size passed to this operation is not valid for
|
||||
* this particular algorithm. For example, the algorithm is a based
|
||||
|
|
@ -176,7 +176,7 @@ psa_status_t mbedtls_psa_cipher_update(
|
|||
* padding, and the ciphertext does not contain valid padding.
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_finish(
|
||||
mbedtls_psa_cipher_operation_t *operation,
|
||||
|
|
@ -195,7 +195,7 @@ psa_status_t mbedtls_psa_cipher_finish(
|
|||
*
|
||||
* \param[in,out] operation Initialized cipher operation.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation);
|
||||
|
||||
|
|
@ -224,10 +224,10 @@ psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation)
|
|||
* the returned output. Initialized to zero
|
||||
* by the core.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
|
|
@ -275,10 +275,10 @@ psa_status_t mbedtls_psa_cipher_encrypt(const psa_key_attributes_t *attributes,
|
|||
* the returned output. Initialized to zero
|
||||
* by the core.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
|
|
|
|||
|
|
@ -209,7 +209,7 @@ psa_status_t psa_get_and_lock_key_slot_with_policy(mbedtls_svc_key_id_t key,
|
|||
* \retval #PSA_SUCCESS
|
||||
* Success. This includes the case of a key slot that was
|
||||
* already fully wiped.
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
|
||||
|
||||
|
|
@ -285,9 +285,9 @@ psa_status_t mbedtls_to_psa_error(int ret);
|
|||
* \retval #PSA_SUCCESS The key was imported successfully.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The key data is not correctly formatted.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t psa_import_key_into_slot(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -310,12 +310,12 @@ psa_status_t psa_import_key_into_slot(
|
|||
* \p data
|
||||
*
|
||||
* \retval #PSA_SUCCESS The key was exported successfully.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_export_key_internal(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -338,12 +338,12 @@ psa_status_t psa_export_key_internal(
|
|||
* \p data
|
||||
*
|
||||
* \retval #PSA_SUCCESS The public key was exported successfully.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_export_public_key_internal(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -364,7 +364,7 @@ psa_status_t psa_export_public_key_internal(
|
|||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The key was generated successfully.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* Key size in bits or type not supported.
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
|
|
@ -399,18 +399,18 @@ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
|
|||
* \param[out] signature_length On success, the number of bytes
|
||||
* that make up the returned signature value.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p signature buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
|
||||
* where \c key_type and \c key_bits are the type and bit-size
|
||||
* respectively of the key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_sign_message_builtin(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -445,9 +445,9 @@ psa_status_t psa_sign_message_builtin(
|
|||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
* The calculation was performed successfully, but the passed
|
||||
* signature is not a valid signature.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_verify_message_builtin(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -475,18 +475,18 @@ psa_status_t psa_verify_message_builtin(
|
|||
* \param[out] signature_length On success, the number of bytes
|
||||
* that make up the returned signature value.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p signature buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
|
||||
* where \c key_type and \c key_bits are the type and bit-size
|
||||
* respectively of the key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_sign_hash_builtin(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -519,9 +519,9 @@ psa_status_t psa_sign_hash_builtin(
|
|||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
* The calculation was performed successfully, but the passed
|
||||
* signature is not a valid signature.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t psa_verify_hash_builtin(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -577,8 +577,8 @@ psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
|
|||
* up the returned shared secret.
|
||||
* \retval #PSA_SUCCESS
|
||||
* Success. Shared secret successfully calculated.
|
||||
* \retval #PSA_ERROR_INVALID_HANDLE
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED
|
||||
* \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \p alg is not a key agreement algorithm, or
|
||||
* \p private_key is not compatible with \p alg,
|
||||
|
|
@ -588,12 +588,12 @@ psa_status_t psa_validate_unstructured_key_bit_size(psa_key_type_t type,
|
|||
* \p shared_secret_size is too small
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not a supported key agreement algorithm.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE \emptydescription
|
||||
*/
|
||||
psa_status_t psa_key_agreement_raw_builtin(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -606,4 +606,272 @@ psa_status_t psa_key_agreement_raw_builtin(
|
|||
size_t shared_secret_size,
|
||||
size_t *shared_secret_length);
|
||||
|
||||
/**
|
||||
* \brief Set the maximum number of ops allowed to be executed by an
|
||||
* interruptible function in a single call.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* interruptible_set_max_ops entry point. This function behaves as an
|
||||
* interruptible_set_max_ops entry point as defined in the PSA driver
|
||||
* interface specification for transparent drivers.
|
||||
*
|
||||
* \param[in] max_ops The maximum number of ops to be executed in a
|
||||
* single call, this can be a number from 0 to
|
||||
* #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
|
||||
* is obviously the least amount of work done per
|
||||
* call.
|
||||
*/
|
||||
void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
|
||||
|
||||
/**
|
||||
* \brief Get the maximum number of ops allowed to be executed by an
|
||||
* interruptible function in a single call.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* interruptible_get_max_ops entry point. This function behaves as an
|
||||
* interruptible_get_max_ops entry point as defined in the PSA driver
|
||||
* interface specification for transparent drivers.
|
||||
*
|
||||
* \return Maximum number of ops allowed to be executed
|
||||
* by an interruptible function in a single call.
|
||||
*/
|
||||
uint32_t mbedtls_psa_interruptible_get_max_ops(void);
|
||||
|
||||
/**
|
||||
* \brief Get the number of ops that a hash signing operation has taken for the
|
||||
* previous call. If no call or work has taken place, this will return
|
||||
* zero.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* sign_hash_get_num_ops entry point. This function behaves as an
|
||||
* sign_hash_get_num_ops entry point as defined in the PSA driver
|
||||
* interface specification for transparent drivers.
|
||||
*
|
||||
* \param operation The \c
|
||||
* mbedtls_psa_sign_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
*
|
||||
* \return Number of ops that were completed
|
||||
* in the last call to \c
|
||||
* mbedtls_psa_sign_hash_complete().
|
||||
*/
|
||||
uint32_t mbedtls_psa_sign_hash_get_num_ops(
|
||||
const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
|
||||
|
||||
/**
|
||||
* \brief Get the number of ops that a hash verification operation has taken for
|
||||
* the previous call. If no call or work has taken place, this will
|
||||
* return zero.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* verify_hash_get_num_ops entry point. This function behaves as an
|
||||
* verify_hash_get_num_ops entry point as defined in the PSA driver
|
||||
* interface specification for transparent drivers.
|
||||
*
|
||||
* \param operation The \c
|
||||
* mbedtls_psa_verify_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
*
|
||||
* \return Number of ops that were completed
|
||||
* in the last call to \c
|
||||
* mbedtls_psa_verify_hash_complete().
|
||||
*/
|
||||
uint32_t mbedtls_psa_verify_hash_get_num_ops(
|
||||
const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
/**
|
||||
* \brief Start signing a hash or short message with a private key, in an
|
||||
* interruptible manner.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* sign_hash_start entry point. This function behaves as a
|
||||
* sign_hash_start entry point as defined in the PSA driver interface
|
||||
* specification for transparent drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_sign_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
* \param[in] attributes The attributes of the key to use for the
|
||||
* operation.
|
||||
* \param[in] key_buffer The buffer containing the key context.
|
||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
||||
* \param[in] alg A signature algorithm that is compatible with
|
||||
* the type of the key.
|
||||
* \param[in] hash The hash or message to sign.
|
||||
* \param hash_length Size of the \p hash buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The operation started successfully - call \c psa_sign_hash_complete()
|
||||
* with the same context to complete the operation
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* An unsupported, incorrectly formatted or incorrect type of key was
|
||||
* used.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
|
||||
* are currently supported, or the key type is currently unsupported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* There was insufficient memory to load the key representation.
|
||||
*/
|
||||
psa_status_t mbedtls_psa_sign_hash_start(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
|
||||
size_t key_buffer_size, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length);
|
||||
|
||||
/**
|
||||
* \brief Continue and eventually complete the action of signing a hash or
|
||||
* short message with a private key, in an interruptible manner.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* sign_hash_complete entry point. This function behaves as a
|
||||
* sign_hash_complete entry point as defined in the PSA driver interface
|
||||
* specification for transparent drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_sign_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
*
|
||||
* \param[out] signature Buffer where the signature is to be written.
|
||||
* \param signature_size Size of the \p signature buffer in bytes. This
|
||||
* must be appropriate for the selected
|
||||
* algorithm and key.
|
||||
* \param[out] signature_length On success, the number of bytes that make up
|
||||
* the returned signature value.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* Operation completed successfully
|
||||
*
|
||||
* \retval #PSA_OPERATION_INCOMPLETE
|
||||
* Operation was interrupted due to the setting of \c
|
||||
* psa_interruptible_set_max_ops(), there is still work to be done,
|
||||
* please call this function again with the same operation object.
|
||||
*
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p signature buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
|
||||
* where \c key_type and \c key_bits are the type and bit-size
|
||||
* respectively of \p key.
|
||||
*
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_sign_hash_complete(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation,
|
||||
uint8_t *signature, size_t signature_size,
|
||||
size_t *signature_length);
|
||||
|
||||
/**
|
||||
* \brief Abort a sign hash operation.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver sign_hash_abort
|
||||
* entry point. This function behaves as a sign_hash_abort entry point as
|
||||
* defined in the PSA driver interface specification for transparent
|
||||
* drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_sign_hash_interruptible_operation_t
|
||||
* to abort.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The operation was aborted successfully.
|
||||
*/
|
||||
psa_status_t mbedtls_psa_sign_hash_abort(
|
||||
mbedtls_psa_sign_hash_interruptible_operation_t *operation);
|
||||
|
||||
/**
|
||||
* \brief Start reading and verifying a hash or short message, in an
|
||||
* interruptible manner.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* verify_hash_start entry point. This function behaves as a
|
||||
* verify_hash_start entry point as defined in the PSA driver interface
|
||||
* specification for transparent drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_verify_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
* \param[in] attributes The attributes of the key to use for the
|
||||
* operation.
|
||||
* \param[in] key_buffer The buffer containing the key context.
|
||||
* \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
|
||||
* \param[in] alg A signature algorithm that is compatible with
|
||||
* the type of the key.
|
||||
* \param[in] hash The hash whose signature is to be verified.
|
||||
* \param hash_length Size of the \p hash buffer in bytes.
|
||||
* \param[in] signature Buffer containing the signature to verify.
|
||||
* \param signature_length Size of the \p signature buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The operation started successfully - call \c psa_sign_hash_complete()
|
||||
* with the same context to complete the operation
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* An unsupported or incorrect type of key was used.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* Either no internal interruptible operations are currently supported,
|
||||
* or the key type is currently unsupported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* There was insufficient memory either to load the key representation,
|
||||
* or to prepare the operation.
|
||||
*/
|
||||
psa_status_t mbedtls_psa_verify_hash_start(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes,
|
||||
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||
psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length,
|
||||
const uint8_t *signature, size_t signature_length);
|
||||
|
||||
/**
|
||||
* \brief Continue and eventually complete the action of signing a hash or
|
||||
* short message with a private key, in an interruptible manner.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* sign_hash_complete entry point. This function behaves as a
|
||||
* sign_hash_complete entry point as defined in the PSA driver interface
|
||||
* specification for transparent drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_sign_hash_interruptible_operation_t
|
||||
* to use. This must be initialized first.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* Operation completed successfully, and the passed signature is valid.
|
||||
*
|
||||
* \retval #PSA_OPERATION_INCOMPLETE
|
||||
* Operation was interrupted due to the setting of \c
|
||||
* psa_interruptible_set_max_ops(), there is still work to be done,
|
||||
* please call this function again with the same operation object.
|
||||
*
|
||||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
* The calculation was performed successfully, but the passed
|
||||
* signature is not a valid signature.
|
||||
*
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_verify_hash_complete(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
/**
|
||||
* \brief Abort a verify signed hash operation.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
* verify_hash_abort entry point. This function behaves as a
|
||||
* verify_hash_abort entry point as defined in the PSA driver interface
|
||||
* specification for transparent drivers.
|
||||
*
|
||||
* \param[in] operation The \c
|
||||
* mbedtls_psa_verify_hash_interruptible_operation_t
|
||||
* to abort.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The operation was aborted successfully.
|
||||
*/
|
||||
psa_status_t mbedtls_psa_verify_hash_abort(
|
||||
mbedtls_psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
#endif /* PSA_CRYPTO_CORE_H */
|
||||
|
|
|
|||
|
|
@ -66,6 +66,43 @@ psa_status_t psa_driver_wrapper_verify_hash(
|
|||
psa_algorithm_t alg, const uint8_t *hash, size_t hash_length,
|
||||
const uint8_t *signature, size_t signature_length);
|
||||
|
||||
/*
|
||||
* Interruptible Signature functions
|
||||
*/
|
||||
|
||||
uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
|
||||
psa_sign_hash_interruptible_operation_t *operation);
|
||||
|
||||
uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
|
||||
psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
psa_status_t psa_driver_wrapper_sign_hash_start(
|
||||
psa_sign_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
|
||||
size_t key_buffer_size, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length);
|
||||
|
||||
psa_status_t psa_driver_wrapper_sign_hash_complete(
|
||||
psa_sign_hash_interruptible_operation_t *operation,
|
||||
uint8_t *signature, size_t signature_size,
|
||||
size_t *signature_length);
|
||||
|
||||
psa_status_t psa_driver_wrapper_sign_hash_abort(
|
||||
psa_sign_hash_interruptible_operation_t *operation);
|
||||
|
||||
psa_status_t psa_driver_wrapper_verify_hash_start(
|
||||
psa_verify_hash_interruptible_operation_t *operation,
|
||||
const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
|
||||
size_t key_buffer_size, psa_algorithm_t alg,
|
||||
const uint8_t *hash, size_t hash_length,
|
||||
const uint8_t *signature, size_t signature_length);
|
||||
|
||||
psa_status_t psa_driver_wrapper_verify_hash_complete(
|
||||
psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
psa_status_t psa_driver_wrapper_verify_hash_abort(
|
||||
psa_verify_hash_interruptible_operation_t *operation);
|
||||
|
||||
/*
|
||||
* Key handling functions
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -404,6 +404,21 @@ cleanup:
|
|||
return mbedtls_to_psa_error(ret);
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
/* Check whether the public part is loaded. If not, load it. */
|
||||
if (mbedtls_ecp_is_zero(&ecp->Q)) {
|
||||
ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
|
||||
&ecp->d, &ecp->grp.G,
|
||||
mbedtls_psa_get_random,
|
||||
MBEDTLS_PSA_RANDOM_STATE);
|
||||
}
|
||||
|
||||
return mbedtls_to_psa_error(ret);
|
||||
}
|
||||
|
||||
psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||
|
|
@ -412,7 +427,6 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
|||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_ecp_keypair *ecp = NULL;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t curve_bytes;
|
||||
mbedtls_mpi r, s;
|
||||
|
||||
|
|
@ -432,34 +446,39 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
|||
mbedtls_mpi_init(&s);
|
||||
|
||||
if (signature_length != 2 * curve_bytes) {
|
||||
ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
|
||||
status = PSA_ERROR_INVALID_SIGNATURE;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r,
|
||||
signature,
|
||||
curve_bytes));
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s,
|
||||
signature + curve_bytes,
|
||||
curve_bytes));
|
||||
|
||||
/* Check whether the public part is loaded. If not, load it. */
|
||||
if (mbedtls_ecp_is_zero(&ecp->Q)) {
|
||||
MBEDTLS_MPI_CHK(
|
||||
mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
|
||||
mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
|
||||
status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
|
||||
signature,
|
||||
curve_bytes));
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
|
||||
&ecp->Q, &r, &s);
|
||||
status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
|
||||
signature + curve_bytes,
|
||||
curve_bytes));
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
status = mbedtls_psa_ecp_load_public_part(ecp);
|
||||
if (status != PSA_SUCCESS) {
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
|
||||
hash_length, &ecp->Q,
|
||||
&r, &s));
|
||||
cleanup:
|
||||
mbedtls_mpi_free(&r);
|
||||
mbedtls_mpi_free(&s);
|
||||
mbedtls_ecp_keypair_free(ecp);
|
||||
mbedtls_free(ecp);
|
||||
|
||||
return mbedtls_to_psa_error(ret);
|
||||
return status;
|
||||
}
|
||||
|
||||
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
|
||||
|
|
|
|||
|
|
@ -48,6 +48,15 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
|
|||
size_t data_length,
|
||||
mbedtls_ecp_keypair **p_ecp);
|
||||
|
||||
/** Load the public part of an internal ECP, if required.
|
||||
*
|
||||
* \param ecp The ECP context to load the public part for.
|
||||
*
|
||||
* \return PSA_SUCCESS on success, otherwise an MPI error.
|
||||
*/
|
||||
|
||||
psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
|
||||
|
||||
/** Import an ECP key in binary format.
|
||||
*
|
||||
* \note The signature of this function is that of a PSA driver
|
||||
|
|
@ -70,9 +79,9 @@ psa_status_t mbedtls_psa_ecp_load_representation(psa_key_type_t type,
|
|||
* \retval #PSA_SUCCESS The ECP key was imported successfully.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The key data is not correctly formatted.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_ecp_import_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -111,12 +120,12 @@ psa_status_t mbedtls_psa_ecp_export_key(psa_key_type_t type,
|
|||
* \p data
|
||||
*
|
||||
* \retval #PSA_SUCCESS The ECP public key was exported successfully.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_ecp_export_public_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -166,17 +175,17 @@ psa_status_t mbedtls_psa_ecp_generate_key(
|
|||
* \param[out] signature_length On success, the number of bytes
|
||||
* that make up the returned signature value.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p signature buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
|
||||
* \p alg) where \c key_bits is the bit-size of the ECC key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_ecdsa_sign_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -209,9 +218,9 @@ psa_status_t mbedtls_psa_ecdsa_sign_hash(
|
|||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
* The calculation was performed successfully, but the passed
|
||||
* signature is not a valid signature.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -247,8 +256,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
|||
* up the returned shared secret.
|
||||
* \retval #PSA_SUCCESS
|
||||
* Success. Shared secret successfully calculated.
|
||||
* \retval #PSA_ERROR_INVALID_HANDLE
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED
|
||||
* \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \p alg is not a key agreement algorithm, or
|
||||
* \p private_key is not compatible with \p alg,
|
||||
|
|
@ -258,8 +267,8 @@ psa_status_t mbedtls_psa_ecdsa_verify_hash(
|
|||
* \p shared_secret_size is too small
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not a supported key agreement algorithm.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_key_agreement_ecdh(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
|
|||
|
|
@ -48,8 +48,8 @@
|
|||
* \p alg is not supported
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* \p hash_size is too small
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_compute(
|
||||
psa_algorithm_t alg,
|
||||
|
|
@ -88,8 +88,8 @@ psa_status_t mbedtls_psa_hash_compute(
|
|||
* \p alg is not supported
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be inactive).
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_setup(
|
||||
mbedtls_psa_hash_operation_t *operation,
|
||||
|
|
@ -115,13 +115,13 @@ psa_status_t mbedtls_psa_hash_setup(
|
|||
* \param[in,out] target_operation The operation object to set up.
|
||||
* It must be initialized but not active.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The \p source_operation state is not valid (it must be active).
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The \p target_operation state is not valid (it must be inactive).
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_clone(
|
||||
const mbedtls_psa_hash_operation_t *source_operation,
|
||||
|
|
@ -147,8 +147,8 @@ psa_status_t mbedtls_psa_hash_clone(
|
|||
* Success.
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be active).
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_update(
|
||||
mbedtls_psa_hash_operation_t *operation,
|
||||
|
|
@ -186,8 +186,8 @@ psa_status_t mbedtls_psa_hash_update(
|
|||
* The size of the \p hash buffer is too small. You can determine a
|
||||
* sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
|
||||
* where \c alg is the hash algorithm that is calculated.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_finish(
|
||||
mbedtls_psa_hash_operation_t *operation,
|
||||
|
|
@ -216,8 +216,8 @@ psa_status_t mbedtls_psa_hash_finish(
|
|||
*
|
||||
* \param[in,out] operation Initialized hash operation.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_hash_abort(
|
||||
mbedtls_psa_hash_operation_t *operation);
|
||||
|
|
|
|||
|
|
@ -52,8 +52,8 @@
|
|||
* \p alg is not supported.
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* \p mac_size is too small
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_mac_compute(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -89,8 +89,8 @@ psa_status_t mbedtls_psa_mac_compute(
|
|||
* Success.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not supported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be inactive).
|
||||
*/
|
||||
|
|
@ -124,8 +124,8 @@ psa_status_t mbedtls_psa_mac_sign_setup(
|
|||
* Success.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \p alg is not supported.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be inactive).
|
||||
*/
|
||||
|
|
@ -158,8 +158,8 @@ psa_status_t mbedtls_psa_mac_verify_setup(
|
|||
* Success.
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be active).
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_mac_update(
|
||||
mbedtls_psa_mac_operation_t *operation,
|
||||
|
|
@ -200,8 +200,8 @@ psa_status_t mbedtls_psa_mac_update(
|
|||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p mac buffer is too small. A sufficient buffer size
|
||||
* can be determined by calling PSA_MAC_LENGTH().
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_mac_sign_finish(
|
||||
mbedtls_psa_mac_operation_t *operation,
|
||||
|
|
@ -241,8 +241,8 @@ psa_status_t mbedtls_psa_mac_sign_finish(
|
|||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be an active mac verify
|
||||
* operation).
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_mac_verify_finish(
|
||||
mbedtls_psa_mac_operation_t *operation,
|
||||
|
|
@ -267,8 +267,8 @@ psa_status_t mbedtls_psa_mac_verify_finish(
|
|||
*
|
||||
* \param[in,out] operation Initialized MAC operation.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_mac_abort(
|
||||
mbedtls_psa_mac_operation_t *operation);
|
||||
|
|
|
|||
|
|
@ -61,9 +61,9 @@ psa_status_t mbedtls_psa_rsa_load_representation(psa_key_type_t type,
|
|||
* \retval #PSA_SUCCESS The RSA key was imported successfully.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The key data is not correctly formatted.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_rsa_import_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -102,12 +102,12 @@ psa_status_t mbedtls_psa_rsa_export_key(psa_key_type_t type,
|
|||
* \p data.
|
||||
*
|
||||
* \retval #PSA_SUCCESS The RSA public key was exported successfully.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_rsa_export_public_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -158,17 +158,17 @@ psa_status_t mbedtls_psa_rsa_generate_key(
|
|||
* \param[out] signature_length On success, the number of bytes
|
||||
* that make up the returned signature value.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p signature buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
|
||||
* \p alg) where \c key_bits is the bit-size of the RSA key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_rsa_sign_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -202,9 +202,9 @@ psa_status_t mbedtls_psa_rsa_sign_hash(
|
|||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
* The calculation was performed successfully, but the passed
|
||||
* signature is not a valid signature.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
*/
|
||||
psa_status_t mbedtls_psa_rsa_verify_hash(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
@ -237,20 +237,20 @@ psa_status_t mbedtls_psa_rsa_verify_hash(
|
|||
* \param[out] output_length On success, the number of bytes
|
||||
* that make up the returned output.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
|
||||
* where \c key_type and \c key_bits are the type and bit-size
|
||||
* respectively of \p key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The library has not been previously initialized by psa_crypto_init().
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
|
|
@ -294,21 +294,21 @@ psa_status_t mbedtls_psa_asymmetric_encrypt(const psa_key_attributes_t *attribut
|
|||
* \param[out] output_length On success, the number of bytes
|
||||
* that make up the returned output.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of the \p output buffer is too small. You can
|
||||
* determine a sufficient buffer size by calling
|
||||
* #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
|
||||
* where \c key_type and \c key_bits are the type and bit-size
|
||||
* respectively of \p key.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
|
||||
* \retval #PSA_ERROR_INVALID_PADDING
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_PADDING \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The library has not been previously initialized by psa_crypto_init().
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
|
|
|
|||
|
|
@ -88,9 +88,9 @@ static inline int psa_key_id_is_volatile(psa_key_id_t key_id)
|
|||
* due to a lack of empty key slot, or available memory.
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST
|
||||
* There is no key with key identifier \p key.
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
*/
|
||||
psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
|
||||
psa_key_slot_t **p_slot);
|
||||
|
|
@ -118,9 +118,9 @@ void psa_wipe_all_key_slots(void);
|
|||
* associated to the returned slot.
|
||||
* \param[out] p_slot On success, a pointer to the slot.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE \emptydescription
|
||||
*/
|
||||
psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
|
||||
psa_key_slot_t **p_slot);
|
||||
|
|
@ -195,8 +195,8 @@ static inline int psa_key_lifetime_is_external(psa_key_lifetime_t lifetime)
|
|||
* storage, returns a pointer to the driver table
|
||||
* associated with the key's storage location.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
*/
|
||||
psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
|
||||
psa_se_drv_table_entry_t **p_drv);
|
||||
|
|
@ -205,7 +205,7 @@ psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
|
|||
*
|
||||
* \param[in] lifetime The key lifetime attribute.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys
|
||||
* are not supported.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -79,11 +79,11 @@ static psa_storage_uid_t psa_its_identifier_of_slot(mbedtls_svc_key_id_t key)
|
|||
* \param[out] data Buffer where the data is to be written.
|
||||
* \param data_size Size of the \c data buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
|
||||
*/
|
||||
static psa_status_t psa_crypto_storage_load(
|
||||
const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
|
||||
|
|
@ -131,11 +131,11 @@ int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key)
|
|||
* \param data_length The number of bytes
|
||||
* that make up the data.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
*/
|
||||
static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
|
||||
const uint8_t *data,
|
||||
|
|
@ -205,10 +205,10 @@ psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key)
|
|||
* is to be obtained.
|
||||
* \param[out] data_length The number of bytes that make up the data.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
*/
|
||||
static psa_status_t psa_crypto_storage_get_data_length(
|
||||
const mbedtls_svc_key_id_t key,
|
||||
|
|
|
|||
|
|
@ -96,14 +96,14 @@ int psa_is_key_present_in_storage(const mbedtls_svc_key_id_t key);
|
|||
* \param[in] data Buffer containing the key data.
|
||||
* \param data_length The number of bytes that make up the key data.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
*/
|
||||
psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
|
||||
const uint8_t *data,
|
||||
|
|
@ -129,11 +129,11 @@ psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
|
|||
* \param[out] data Pointer to an allocated key data buffer on return.
|
||||
* \param[out] data_length The number of bytes that make up the key data.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
|
||||
*/
|
||||
psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
|
||||
uint8_t **data,
|
||||
|
|
@ -148,7 +148,7 @@ psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
|
|||
* \retval #PSA_SUCCESS
|
||||
* The key was successfully removed,
|
||||
* or the key did not exist.
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
*/
|
||||
psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
|
||||
|
||||
|
|
@ -190,9 +190,9 @@ void psa_format_key_data_for_storage(const uint8_t *data,
|
|||
* \param[out] attr On success, the attribute structure is filled
|
||||
* with the loaded key metadata.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
*/
|
||||
psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
|
||||
size_t storage_data_length,
|
||||
|
|
@ -322,10 +322,10 @@ static inline void psa_crypto_prepare_transaction(
|
|||
* You may call this function multiple times during a transaction to
|
||||
* atomically update the transaction state.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
*/
|
||||
psa_status_t psa_crypto_save_transaction(void);
|
||||
|
||||
|
|
@ -339,9 +339,9 @@ psa_status_t psa_crypto_save_transaction(void);
|
|||
* #psa_crypto_transaction.
|
||||
* \retval #PSA_ERROR_DOES_NOT_EXIST
|
||||
* There is no ongoing transaction.
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_DATA_INVALID
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
*/
|
||||
psa_status_t psa_crypto_load_transaction(void);
|
||||
|
||||
|
|
@ -380,8 +380,8 @@ psa_status_t psa_crypto_stop_transaction(void);
|
|||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* Success
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED
|
||||
* The entropy seed file already exists.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -22,6 +22,23 @@
|
|||
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
|
||||
*/
|
||||
|
||||
#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \
|
||||
defined(__clang__) && __clang_major__ < 18 && __clang_major__ > 3
|
||||
/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
|
||||
*
|
||||
* The intrinsic declaration are guarded by predefined ACLE macros in clang:
|
||||
* these are normally only enabled by the -march option on the command line.
|
||||
* By defining the macros ourselves we gain access to those declarations without
|
||||
* requiring -march on the command line.
|
||||
*
|
||||
* `arm_neon.h` could be included by any header file, so we put these defines
|
||||
* at the top of this file, before any includes.
|
||||
*/
|
||||
#define __ARM_FEATURE_CRYPTO 1
|
||||
#define NEED_TARGET_OPTIONS
|
||||
#endif /* __aarch64__ && __clang__ &&
|
||||
!__ARM_FEATURE_CRYPTO && __clang_major__ < 18 && __clang_major__ > 3 */
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C)
|
||||
|
|
@ -37,6 +54,30 @@
|
|||
#if defined(__aarch64__)
|
||||
# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
|
||||
defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
|
||||
/* *INDENT-OFF* */
|
||||
# if !defined(__ARM_FEATURE_CRYPTO) || defined(NEED_TARGET_OPTIONS)
|
||||
# if defined(__clang__)
|
||||
# if __clang_major__ < 4
|
||||
# error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
|
||||
# endif
|
||||
# pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)
|
||||
# define MBEDTLS_POP_TARGET_PRAGMA
|
||||
# elif defined(__GNUC__)
|
||||
/* FIXME: GCC-5 annouce crypto extension, but some intrinsic are missed.
|
||||
* Known miss intrinsic can be workaround.
|
||||
*/
|
||||
# if __GNUC__ < 6
|
||||
# error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
|
||||
# else
|
||||
# pragma GCC push_options
|
||||
# pragma GCC target ("arch=armv8-a+crypto")
|
||||
# define MBEDTLS_POP_TARGET_PRAGMA
|
||||
# endif
|
||||
# else
|
||||
# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*"
|
||||
# endif
|
||||
# endif
|
||||
/* *INDENT-ON* */
|
||||
# include <arm_neon.h>
|
||||
# endif
|
||||
# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
|
||||
|
|
@ -353,8 +394,16 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx,
|
|||
SHA256_BLOCK_SIZE) ? 0 : -1;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
|
||||
#if defined(MBEDTLS_POP_TARGET_PRAGMA)
|
||||
#if defined(__clang__)
|
||||
#pragma clang attribute pop
|
||||
#elif defined(__GNUC__)
|
||||
#pragma GCC pop_options
|
||||
#endif
|
||||
#undef MBEDTLS_POP_TARGET_PRAGMA
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */
|
||||
|
||||
#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT)
|
||||
#define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many
|
||||
|
|
|
|||
|
|
@ -22,6 +22,26 @@
|
|||
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
|
||||
*/
|
||||
|
||||
#if defined(__aarch64__) && !defined(__ARM_FEATURE_SHA512) && \
|
||||
defined(__clang__) && __clang_major__ < 18 && \
|
||||
__clang_major__ >= 13 && __clang_minor__ > 0 && __clang_patchlevel__ > 0
|
||||
/* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged.
|
||||
*
|
||||
* The intrinsic declaration are guarded by predefined ACLE macros in clang:
|
||||
* these are normally only enabled by the -march option on the command line.
|
||||
* By defining the macros ourselves we gain access to those declarations without
|
||||
* requiring -march on the command line.
|
||||
*
|
||||
* `arm_neon.h` could be included by any header file, so we put these defines
|
||||
* at the top of this file, before any includes.
|
||||
*/
|
||||
#define __ARM_FEATURE_SHA512 1
|
||||
#define NEED_TARGET_OPTIONS
|
||||
#endif /* __aarch64__ && __clang__ &&
|
||||
!__ARM_FEATURE_SHA512 && __clang_major__ < 18 &&
|
||||
__clang_major__ >= 13 && __clang_minor__ > 0 &&
|
||||
__clang_patchlevel__ > 0 */
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_SHA384_C)
|
||||
|
|
@ -43,6 +63,47 @@
|
|||
#if defined(__aarch64__)
|
||||
# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \
|
||||
defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY)
|
||||
/* *INDENT-OFF* */
|
||||
/*
|
||||
* Best performance comes from most recent compilers, with intrinsics and -O3.
|
||||
* Must compile with -march=armv8.2-a+sha3, but we can't detect armv8.2-a, and
|
||||
* can't always detect __ARM_FEATURE_SHA512 (notably clang 7-12).
|
||||
*
|
||||
* GCC < 8 won't work at all (lacks the sha512 instructions)
|
||||
* GCC >= 8 uses intrinsics, sets __ARM_FEATURE_SHA512
|
||||
*
|
||||
* Clang < 7 won't work at all (lacks the sha512 instructions)
|
||||
* Clang 7-12 don't have intrinsics (but we work around that with inline
|
||||
* assembler) or __ARM_FEATURE_SHA512
|
||||
* Clang == 13.0.0 same as clang 12 (only seen on macOS)
|
||||
* Clang >= 13.0.1 has __ARM_FEATURE_SHA512 and intrinsics
|
||||
*/
|
||||
# if !defined(__ARM_FEATURE_SHA512) || defined(NEED_TARGET_OPTIONS)
|
||||
/* Test Clang first, as it defines __GNUC__ */
|
||||
# if defined(__clang__)
|
||||
# if __clang_major__ < 7
|
||||
# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
|
||||
# elif __clang_major__ < 13 || \
|
||||
(__clang_major__ == 13 && __clang_minor__ == 0 && \
|
||||
__clang_patchlevel__ == 0)
|
||||
/* We implement the intrinsics with inline assembler, so don't error */
|
||||
# else
|
||||
# pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function)
|
||||
# define MBEDTLS_POP_TARGET_PRAGMA
|
||||
# endif
|
||||
# elif defined(__GNUC__)
|
||||
# if __GNUC__ < 8
|
||||
# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
|
||||
# else
|
||||
# pragma GCC push_options
|
||||
# pragma GCC target ("arch=armv8.2-a+sha3")
|
||||
# define MBEDTLS_POP_TARGET_PRAGMA
|
||||
# endif
|
||||
# else
|
||||
# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*"
|
||||
# endif
|
||||
# endif
|
||||
/* *INDENT-ON* */
|
||||
# include <arm_neon.h>
|
||||
# endif
|
||||
# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT)
|
||||
|
|
@ -516,6 +577,15 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx,
|
|||
SHA512_BLOCK_SIZE) ? 0 : -1;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_POP_TARGET_PRAGMA)
|
||||
#if defined(__clang__)
|
||||
#pragma clang attribute pop
|
||||
#elif defined(__GNUC__)
|
||||
#pragma GCC pop_options
|
||||
#endif
|
||||
#undef MBEDTLS_POP_TARGET_PRAGMA
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -945,16 +945,29 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
|
|||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
|
||||
{
|
||||
|
||||
mbedtls_ssl_add_hs_hdr_to_checksum(ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
msg_len);
|
||||
ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
|
||||
ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
msg_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
if (binders_len > 0) {
|
||||
MBEDTLS_SSL_PROC_CHK(
|
||||
mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
|
||||
ssl, buf + msg_len - binders_len, buf + msg_len));
|
||||
ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
|
||||
binders_len);
|
||||
ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
|
||||
binders_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
|
||||
|
|
|
|||
|
|
@ -705,9 +705,12 @@ struct mbedtls_ssl_handshake_params {
|
|||
|
||||
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
|
||||
|
||||
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
|
||||
mbedtls_ssl_tls_prf_cb *tls_prf;
|
||||
|
||||
/*
|
||||
|
|
@ -1317,7 +1320,8 @@ static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
|
||||
|
||||
void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
|
|
@ -1328,7 +1332,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
|||
int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
|
||||
void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
|
||||
|
||||
/**
|
||||
* \brief Update record layer
|
||||
|
|
@ -1461,14 +1466,16 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
|
|||
/*
|
||||
* Update checksum of handshake messages.
|
||||
*/
|
||||
void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
unsigned char const *msg,
|
||||
size_t msg_len);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
unsigned char const *msg,
|
||||
size_t msg_len);
|
||||
|
||||
void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
size_t total_hs_len);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
size_t total_hs_len);
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
|
|
|
|||
|
|
@ -2639,7 +2639,12 @@ int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
|
|||
|
||||
/* Update running hashes of handshake messages seen */
|
||||
if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0) {
|
||||
ssl->handshake->update_checksum(ssl, ssl->out_msg, ssl->out_msglen);
|
||||
ret = ssl->handshake->update_checksum(ssl, ssl->out_msg,
|
||||
ssl->out_msglen);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -3067,12 +3072,17 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
|
|||
return 0;
|
||||
}
|
||||
|
||||
void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
|
||||
int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_ssl_handshake_params * const hs = ssl->handshake;
|
||||
|
||||
if (mbedtls_ssl_is_handshake_over(ssl) == 0 && hs != NULL) {
|
||||
ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
|
||||
ret = ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
/* Handshake message is complete, increment counter */
|
||||
|
|
@ -3103,6 +3113,7 @@ void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
|
|||
memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
|
||||
}
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -3928,7 +3939,11 @@ int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
|
|||
|
||||
if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
|
||||
update_hs_digest == 1) {
|
||||
mbedtls_ssl_update_handshake_status(ssl);
|
||||
ret = mbedtls_ssl_update_handshake_status(ssl);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message"));
|
||||
|
|
|
|||
|
|
@ -418,8 +418,8 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen,
|
|||
const char *label,
|
||||
const unsigned char *random, size_t rlen,
|
||||
unsigned char *dstbuf, size_t dlen);
|
||||
static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
static void ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
|
||||
static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
|
||||
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
|
|
@ -430,8 +430,8 @@ static int tls_prf_sha384(const unsigned char *secret, size_t slen,
|
|||
const unsigned char *random, size_t rlen,
|
||||
unsigned char *dstbuf, size_t dlen);
|
||||
|
||||
static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
static void ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
|
||||
static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
|
||||
static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
|
||||
|
|
@ -444,14 +444,14 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
|
|||
size_t len);
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
static void ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
|
||||
|
|
@ -788,9 +788,9 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
|
|||
}
|
||||
}
|
||||
|
||||
void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
size_t total_hs_len)
|
||||
int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
size_t total_hs_len)
|
||||
{
|
||||
unsigned char hs_hdr[4];
|
||||
|
||||
|
|
@ -800,84 +800,137 @@ void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
|
|||
hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
|
||||
hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
|
||||
|
||||
ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
|
||||
return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
|
||||
}
|
||||
|
||||
void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
unsigned char const *msg,
|
||||
size_t msg_len)
|
||||
int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
|
||||
unsigned hs_type,
|
||||
unsigned char const *msg,
|
||||
size_t msg_len)
|
||||
{
|
||||
mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
|
||||
ssl->handshake->update_checksum(ssl, msg, msg_len);
|
||||
int ret;
|
||||
ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
return ssl->handshake->update_checksum(ssl, msg, msg_len);
|
||||
}
|
||||
|
||||
void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
|
||||
int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
|
||||
defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
#else /* SHA-256 or SHA-384 */
|
||||
((void) ssl);
|
||||
#endif /* SHA-256 or SHA-384 */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&ssl->handshake->fin_sha256_psa);
|
||||
psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
|
||||
status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
#else
|
||||
mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
|
||||
ret = mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&ssl->handshake->fin_sha384_psa);
|
||||
psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
|
||||
status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
#else
|
||||
mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
|
||||
ret = mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void ssl_update_checksum_start(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
{
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
|
||||
defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
|
||||
psa_status_t status;
|
||||
#else
|
||||
mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
|
||||
#else
|
||||
mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
|
||||
#endif
|
||||
#endif
|
||||
#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
|
||||
!defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
(void) ssl;
|
||||
#else /* SHA-256 or SHA-384 */
|
||||
((void) ssl);
|
||||
(void) buf;
|
||||
(void) len;
|
||||
#endif /* SHA-256 or SHA-384 */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
#else
|
||||
ret = mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
}
|
||||
#else
|
||||
ret = mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
|
||||
return mbedtls_md_error_from_psa(psa_hash_update(
|
||||
&ssl->handshake->fin_sha256_psa, buf, len));
|
||||
#else
|
||||
mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
|
||||
return mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf, size_t len)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
|
||||
return mbedtls_md_error_from_psa(psa_hash_update(
|
||||
&ssl->handshake->fin_sha384_psa, buf, len));
|
||||
#else
|
||||
mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
|
||||
return mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
|
@ -889,19 +942,15 @@ static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
|
|||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
handshake->fin_sha256_psa = psa_hash_operation_init();
|
||||
psa_hash_setup(&handshake->fin_sha256_psa, PSA_ALG_SHA_256);
|
||||
#else
|
||||
mbedtls_sha256_init(&handshake->fin_sha256);
|
||||
mbedtls_sha256_starts(&handshake->fin_sha256, 0);
|
||||
#endif
|
||||
#endif
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
handshake->fin_sha384_psa = psa_hash_operation_init();
|
||||
psa_hash_setup(&handshake->fin_sha384_psa, PSA_ALG_SHA_384);
|
||||
#else
|
||||
mbedtls_sha512_init(&handshake->fin_sha384);
|
||||
mbedtls_sha512_starts(&handshake->fin_sha384, 1);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
|
@ -971,6 +1020,8 @@ void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
|
|||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_handshake_init(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
/* Clear old handshake information if present */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
if (ssl->transform_negotiate) {
|
||||
|
|
@ -1038,6 +1089,13 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
|
|||
mbedtls_ssl_transform_init(ssl->transform_negotiate);
|
||||
#endif
|
||||
|
||||
/* Setup handshake checksums */
|
||||
ret = mbedtls_ssl_reset_checksum(ssl);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
|
||||
defined(MBEDTLS_SSL_SRV_C) && \
|
||||
defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
|
|
@ -6285,7 +6343,10 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
|
|||
if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
|
||||
lbl = "extended master secret";
|
||||
seed = session_hash;
|
||||
handshake->calc_verify(ssl, session_hash, &seed_len);
|
||||
ret = handshake->calc_verify(ssl, session_hash, &seed_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
|
||||
session_hash, seed_len);
|
||||
|
|
@ -6513,9 +6574,9 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
|
||||
unsigned char *hash,
|
||||
size_t *hlen)
|
||||
int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
|
||||
unsigned char *hash,
|
||||
size_t *hlen)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
|
|
@ -6525,20 +6586,23 @@ void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
|
||||
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
*hlen = 32;
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
|
||||
|
||||
exit:
|
||||
psa_hash_abort(&sha256_psa);
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha256_context sha256;
|
||||
|
||||
mbedtls_sha256_init(&sha256);
|
||||
|
|
@ -6546,23 +6610,28 @@ void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
|
||||
|
||||
mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
|
||||
mbedtls_sha256_finish(&sha256, hash);
|
||||
|
||||
ret = mbedtls_sha256_finish(&sha256, hash);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
*hlen = 32;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
|
||||
|
||||
exit:
|
||||
mbedtls_sha256_free(&sha256);
|
||||
return ret;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return;
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
|
||||
unsigned char *hash,
|
||||
size_t *hlen)
|
||||
int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
|
||||
unsigned char *hash,
|
||||
size_t *hlen)
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
size_t hash_size;
|
||||
|
|
@ -6572,20 +6641,23 @@ void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
|
||||
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
*hlen = 48;
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
|
||||
|
||||
exit:
|
||||
psa_hash_abort(&sha384_psa);
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha512_context sha512;
|
||||
|
||||
mbedtls_sha512_init(&sha512);
|
||||
|
|
@ -6593,16 +6665,21 @@ void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
|
||||
|
||||
mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384);
|
||||
mbedtls_sha512_finish(&sha512, hash);
|
||||
|
||||
ret = mbedtls_sha512_finish(&sha512, hash);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
|
||||
*hlen = 48;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
|
||||
|
||||
exit:
|
||||
mbedtls_sha512_free(&sha512);
|
||||
return ret;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
return;
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
|
||||
|
|
@ -7545,7 +7622,7 @@ exit:
|
|||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_calc_finished_tls_sha256(
|
||||
static int ssl_calc_finished_tls_sha256(
|
||||
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
|
||||
{
|
||||
int len = 12;
|
||||
|
|
@ -7556,6 +7633,7 @@ static void ssl_calc_finished_tls_sha256(
|
|||
psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
|
||||
psa_status_t status;
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha256_context sha256;
|
||||
#endif
|
||||
|
||||
|
|
@ -7575,14 +7653,12 @@ static void ssl_calc_finished_tls_sha256(
|
|||
|
||||
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
|
||||
#else
|
||||
|
|
@ -7604,8 +7680,10 @@ static void ssl_calc_finished_tls_sha256(
|
|||
sha256.state, sizeof(sha256.state));
|
||||
#endif
|
||||
|
||||
mbedtls_sha256_finish(&sha256, padbuf);
|
||||
mbedtls_sha256_free(&sha256);
|
||||
ret = mbedtls_sha256_finish(&sha256, padbuf);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
ssl->handshake->tls_prf(session->master, 48, sender,
|
||||
|
|
@ -7616,12 +7694,21 @@ static void ssl_calc_finished_tls_sha256(
|
|||
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&sha256_psa);
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
#else
|
||||
mbedtls_sha256_free(&sha256);
|
||||
return ret;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
static void ssl_calc_finished_tls_sha384(
|
||||
static int ssl_calc_finished_tls_sha384(
|
||||
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
|
||||
{
|
||||
int len = 12;
|
||||
|
|
@ -7632,6 +7719,7 @@ static void ssl_calc_finished_tls_sha384(
|
|||
psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
|
||||
psa_status_t status;
|
||||
#else
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha512_context sha512;
|
||||
#endif
|
||||
|
||||
|
|
@ -7651,14 +7739,12 @@ static void ssl_calc_finished_tls_sha384(
|
|||
|
||||
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
|
||||
if (status != PSA_SUCCESS) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
|
||||
return;
|
||||
goto exit;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
|
||||
#else
|
||||
|
|
@ -7678,9 +7764,10 @@ static void ssl_calc_finished_tls_sha384(
|
|||
MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *)
|
||||
sha512.state, sizeof(sha512.state));
|
||||
#endif
|
||||
mbedtls_sha512_finish(&sha512, padbuf);
|
||||
|
||||
mbedtls_sha512_free(&sha512);
|
||||
ret = mbedtls_sha512_finish(&sha512, padbuf);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
ssl->handshake->tls_prf(session->master, 48, sender,
|
||||
|
|
@ -7691,6 +7778,15 @@ static void ssl_calc_finished_tls_sha384(
|
|||
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&sha384_psa);
|
||||
return mbedtls_md_error_from_psa(status);
|
||||
#else
|
||||
mbedtls_sha512_free(&sha512);
|
||||
return ret;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
|
||||
|
||||
|
|
@ -7787,7 +7883,10 @@ int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
|
|||
|
||||
mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
|
||||
|
||||
ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
|
||||
ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
|
||||
|
|
@ -7897,7 +7996,10 @@ int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
|
|||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
|
||||
|
||||
ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
|
||||
ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
|
||||
|
|
|
|||
|
|
@ -1090,6 +1090,7 @@ static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
|
||||
uint16_t dtls_legacy_version;
|
||||
|
||||
|
|
@ -1160,7 +1161,11 @@ static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
|
|||
|
||||
/* Start over at ClientHello */
|
||||
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
|
||||
mbedtls_ssl_reset_checksum(ssl);
|
||||
ret = mbedtls_ssl_reset_checksum(ssl);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
mbedtls_ssl_recv_flight_completed(ssl);
|
||||
|
||||
|
|
@ -3283,7 +3288,11 @@ static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
|
|||
sign:
|
||||
#endif
|
||||
|
||||
ssl->handshake->calc_verify(ssl, hash, &hashlen);
|
||||
ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* digitally-signed struct {
|
||||
|
|
|
|||
|
|
@ -1020,7 +1020,11 @@ read_record_header:
|
|||
|
||||
MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
|
||||
|
||||
ssl->handshake->update_checksum(ssl, buf, msg_len);
|
||||
ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Handshake layer:
|
||||
|
|
@ -4129,7 +4133,11 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
|
|||
/* Calculate hash and verify signature */
|
||||
{
|
||||
size_t dummy_hlen;
|
||||
ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
|
||||
ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_pk_verify(peer_pk,
|
||||
|
|
@ -4139,7 +4147,11 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
|
|||
return ret;
|
||||
}
|
||||
|
||||
mbedtls_ssl_update_handshake_status(ssl);
|
||||
ret = mbedtls_ssl_update_handshake_status(ssl);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
|
||||
|
||||
|
|
|
|||
|
|
@ -1489,8 +1489,9 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
|
|||
|
||||
ssl->keep_current_message = 1;
|
||||
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
||||
buf, (size_t) (end - buf));
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_SERVER_HELLO,
|
||||
buf, (size_t) (end - buf)));
|
||||
|
||||
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
||||
ret = ssl_tls13_reset_key_share(ssl);
|
||||
|
|
@ -2056,8 +2057,9 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
|
||||
}
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_SERVER_HELLO, buf,
|
||||
buf_len));
|
||||
|
||||
if (is_hrr) {
|
||||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
|
||||
|
|
@ -2214,8 +2216,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
|
|||
}
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
|
||||
buf, buf_len));
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
|
||||
|
|
@ -2259,8 +2262,8 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl)
|
|||
ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
|
||||
&buf, &buf_len));
|
||||
|
||||
mbedtls_ssl_add_hs_hdr_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(
|
||||
mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
|
||||
|
|
@ -2458,8 +2461,9 @@ static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(ssl,
|
||||
buf, buf + buf_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
|
||||
buf, buf_len));
|
||||
} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
|
||||
ret = 0;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -322,8 +322,9 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
|
|||
buf + buf_len, verify_buffer,
|
||||
verify_buffer_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
|
||||
buf, buf_len));
|
||||
|
||||
cleanup:
|
||||
|
||||
|
|
@ -752,8 +753,9 @@ int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
|
|||
/* Validate the certificate chain and set the verification results. */
|
||||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CERTIFICATE, buf,
|
||||
buf_len));
|
||||
|
||||
cleanup:
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||
|
|
@ -868,8 +870,9 @@ int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
|
|||
buf + buf_len,
|
||||
&msg_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
|
||||
buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CERTIFICATE, buf,
|
||||
msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
@ -1070,8 +1073,9 @@ int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
|
||||
ssl, buf, buf + buf_len, &msg_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
|
||||
buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf,
|
||||
msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
@ -1171,8 +1175,8 @@ int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
|
|||
|
||||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
|
||||
buf, buf_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
|
||||
|
||||
cleanup:
|
||||
|
||||
|
|
@ -1248,8 +1252,8 @@ int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
|
||||
ssl, buf, buf + buf_len, &msg_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
|
||||
buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
@ -1388,7 +1392,7 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
|
|||
PSA_HASH_MAX_SIZE,
|
||||
&hash_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(4, "mbedtls_ssl_get_handshake_transcript", ret);
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
@ -1399,37 +1403,20 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl)
|
|||
|
||||
hash_len += 4;
|
||||
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
|
||||
MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript",
|
||||
hash_transcript, hash_len);
|
||||
MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
|
||||
hash_transcript, hash_len);
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&ssl->handshake->fin_sha256_psa);
|
||||
psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
|
||||
#else
|
||||
mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
|
||||
#endif
|
||||
/* Reset running hash and replace it with a hash of the transcript */
|
||||
ret = mbedtls_ssl_reset_checksum(ssl);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
|
||||
MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript",
|
||||
hash_transcript, hash_len);
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_abort(&ssl->handshake->fin_sha384_psa);
|
||||
psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
|
||||
#else
|
||||
mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
|
||||
#endif
|
||||
ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
|
||||
defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||
ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
|
||||
#endif \
|
||||
/* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -486,6 +486,7 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
|
|||
const unsigned char *ciphersuites,
|
||||
const unsigned char *ciphersuites_end)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
const unsigned char *identities = pre_shared_key_ext;
|
||||
const unsigned char *p_identity_len;
|
||||
size_t identities_len;
|
||||
|
|
@ -521,8 +522,12 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
|
||||
binders_end = p_binder_len + binders_len;
|
||||
|
||||
ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
|
||||
identities_end - pre_shared_key_ext);
|
||||
ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
|
||||
identities_end - pre_shared_key_ext);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
while (p_identity_len < identities_end && p_binder_len < binders_end) {
|
||||
const unsigned char *identity;
|
||||
|
|
@ -530,7 +535,6 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
|
|||
uint32_t obfuscated_ticket_age;
|
||||
const unsigned char *binder;
|
||||
size_t binder_len;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
int psk_type;
|
||||
uint16_t cipher_suite;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
|
|
@ -642,9 +646,13 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
|
|||
}
|
||||
|
||||
/* Update the handshake transcript with the binder list. */
|
||||
ssl->handshake->update_checksum(ssl,
|
||||
identities_end,
|
||||
(size_t) (binders_end - identities_end));
|
||||
ret = ssl->handshake->update_checksum(ssl,
|
||||
identities_end,
|
||||
(size_t) (binders_end - identities_end));
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
if (matched_identity == -1) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
|
||||
return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
|
||||
|
|
@ -1590,9 +1598,13 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
handshake->received_extensions);
|
||||
|
||||
mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
p - buf);
|
||||
ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
|
||||
MBEDTLS_SSL_HS_CLIENT_HELLO,
|
||||
p - buf);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
/* Update checksum with either
|
||||
|
|
@ -1603,8 +1615,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
|||
if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
|
||||
mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
|
||||
(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
|
||||
handshake->update_checksum(ssl, buf,
|
||||
pre_shared_key_ext - buf);
|
||||
ret = handshake->update_checksum(ssl, buf,
|
||||
pre_shared_key_ext - buf);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
|
||||
pre_shared_key_ext,
|
||||
pre_shared_key_ext_end,
|
||||
|
|
@ -1620,7 +1636,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
|||
} else
|
||||
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
|
||||
{
|
||||
handshake->update_checksum(ssl, buf, p - buf);
|
||||
ret = handshake->update_checksum(ssl, buf, p - buf);
|
||||
if (0 != ret) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
ret = ssl_tls13_determine_key_exchange_mode(ssl);
|
||||
|
|
@ -2134,8 +2154,8 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
|
|||
&msg_len,
|
||||
0));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
@ -2207,8 +2227,8 @@ static int ssl_tls13_write_hello_retry_request(mbedtls_ssl_context *ssl)
|
|||
buf + buf_len,
|
||||
&msg_len,
|
||||
1));
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
|
||||
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
|
||||
|
|
@ -2306,8 +2326,8 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
|
||||
ssl, buf, buf + buf_len, &msg_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
@ -2439,8 +2459,8 @@ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
|
|||
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
|
||||
ssl, buf, buf + buf_len, &msg_len));
|
||||
|
||||
mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len);
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
|
||||
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len));
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
|
||||
ssl, buf_len, msg_len));
|
||||
|
|
|
|||
|
|
@ -1227,8 +1227,9 @@ static int x509_get_other_name(const mbedtls_x509_buf *subject_alt_name,
|
|||
* nameAssigner [0] DirectoryString OPTIONAL,
|
||||
* partyName [1] DirectoryString }
|
||||
*
|
||||
* NOTE: we list all types, but only use dNSName and otherName
|
||||
* of type HwModuleName, as defined in RFC 4108, at this point.
|
||||
* We list all types, but use the following GeneralName types from RFC 5280:
|
||||
* "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
|
||||
* of type "otherName", as defined in RFC 4108.
|
||||
*/
|
||||
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
|
||||
const unsigned char *end,
|
||||
|
|
@ -1397,7 +1398,19 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
|||
|
||||
}
|
||||
break;
|
||||
/*
|
||||
* uniformResourceIdentifier
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER):
|
||||
{
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
|
||||
|
||||
memcpy(&san->san.unstructured_name,
|
||||
san_buf, sizeof(*san_buf));
|
||||
|
||||
}
|
||||
break;
|
||||
/*
|
||||
* dNSName
|
||||
*/
|
||||
|
|
@ -1408,7 +1421,17 @@ int mbedtls_x509_parse_subject_alt_name(const mbedtls_x509_buf *san_buf,
|
|||
|
||||
memcpy(&san->san.unstructured_name,
|
||||
san_buf, sizeof(*san_buf));
|
||||
}
|
||||
break;
|
||||
|
||||
/*
|
||||
* RFC822 Name
|
||||
*/
|
||||
case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
|
||||
{
|
||||
memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
|
||||
san->type = MBEDTLS_X509_SAN_RFC822_NAME;
|
||||
memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
|
||||
}
|
||||
break;
|
||||
|
||||
|
|
@ -1488,13 +1511,38 @@ int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
|
|||
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
|
||||
}
|
||||
break;
|
||||
/*
|
||||
* uniformResourceIdentifier
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
|
||||
{
|
||||
ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san.san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
|
||||
p += san.san.unstructured_name.len;
|
||||
n -= san.san.unstructured_name.len;
|
||||
}
|
||||
break;
|
||||
/*
|
||||
* dNSName
|
||||
* RFC822 Name
|
||||
*/
|
||||
case MBEDTLS_X509_SAN_DNS_NAME:
|
||||
case MBEDTLS_X509_SAN_RFC822_NAME:
|
||||
{
|
||||
ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
|
||||
const char *dns_name = "dNSName";
|
||||
const char *rfc822_name = "rfc822Name";
|
||||
|
||||
ret = mbedtls_snprintf(p, n,
|
||||
"\n%s %s : ",
|
||||
prefix,
|
||||
san.type ==
|
||||
MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
if (san.san.unstructured_name.len >= n) {
|
||||
*p = '\0';
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue