Merge pull request #1090 from Mbed-TLS/mbedtls-3.5.0rc0-pr
Mbedtls 3.5.0rc0 pr DO NOT MERGE
This commit is contained in:
commit
1ec69067fa
210 changed files with 140159 additions and 1488 deletions
12
3rdparty/CMakeLists.txt
vendored
12
3rdparty/CMakeLists.txt
vendored
|
@ -1,10 +1,2 @@
|
||||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE everest_result)
|
add_subdirectory(everest)
|
||||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_PSA_P256M_DRIVER_ENABLED RESULT_VARIABLE p256m_result)
|
add_subdirectory(p256-m)
|
||||||
|
|
||||||
if(${everest_result} EQUAL 0)
|
|
||||||
add_subdirectory(everest)
|
|
||||||
endif()
|
|
||||||
|
|
||||||
if(${p256m_result} EQUAL 0)
|
|
||||||
add_subdirectory(p256-m)
|
|
||||||
endif()
|
|
||||||
|
|
21
3rdparty/everest/CMakeLists.txt
vendored
21
3rdparty/everest/CMakeLists.txt
vendored
|
@ -1,9 +1,11 @@
|
||||||
add_library(everest
|
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
|
||||||
|
|
||||||
|
add_library(${everest_target}
|
||||||
library/everest.c
|
library/everest.c
|
||||||
library/x25519.c
|
library/x25519.c
|
||||||
library/Hacl_Curve25519_joined.c)
|
library/Hacl_Curve25519_joined.c)
|
||||||
|
|
||||||
target_include_directories(everest
|
target_include_directories(${everest_target}
|
||||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
|
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
|
||||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
||||||
$<INSTALL_INTERFACE:include>
|
$<INSTALL_INTERFACE:include>
|
||||||
|
@ -11,6 +13,19 @@ target_include_directories(everest
|
||||||
include/everest/kremlib
|
include/everest/kremlib
|
||||||
${MBEDTLS_DIR}/library/)
|
${MBEDTLS_DIR}/library/)
|
||||||
|
|
||||||
|
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
||||||
|
# This must be duplicated from library/CMakeLists.txt because
|
||||||
|
# everest is not directly linked against any mbedtls targets
|
||||||
|
# so does not inherit the compile definitions.
|
||||||
|
if(MBEDTLS_CONFIG_FILE)
|
||||||
|
target_compile_definitions(everest
|
||||||
|
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
||||||
|
endif()
|
||||||
|
if(MBEDTLS_USER_CONFIG_FILE)
|
||||||
|
target_compile_definitions(everest
|
||||||
|
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
||||||
|
endif()
|
||||||
|
|
||||||
if(INSTALL_MBEDTLS_HEADERS)
|
if(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
install(DIRECTORY include/everest
|
install(DIRECTORY include/everest
|
||||||
|
@ -21,7 +36,7 @@ if(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
endif(INSTALL_MBEDTLS_HEADERS)
|
endif(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
install(TARGETS everest
|
install(TARGETS ${everest_target}
|
||||||
EXPORT MbedTLSTargets
|
EXPORT MbedTLSTargets
|
||||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
||||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
||||||
|
|
21
3rdparty/p256-m/CMakeLists.txt
vendored
21
3rdparty/p256-m/CMakeLists.txt
vendored
|
@ -1,14 +1,29 @@
|
||||||
add_library(p256m
|
set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
|
||||||
|
|
||||||
|
add_library(${p256m_target}
|
||||||
p256-m_driver_entrypoints.c
|
p256-m_driver_entrypoints.c
|
||||||
p256-m/p256-m.c)
|
p256-m/p256-m.c)
|
||||||
|
|
||||||
target_include_directories(p256m
|
target_include_directories(${p256m_target}
|
||||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
|
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
|
||||||
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
|
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
|
||||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
||||||
$<INSTALL_INTERFACE:include>
|
$<INSTALL_INTERFACE:include>
|
||||||
PRIVATE ${MBEDTLS_DIR}/library/)
|
PRIVATE ${MBEDTLS_DIR}/library/)
|
||||||
|
|
||||||
|
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
||||||
|
# This must be duplicated from library/CMakeLists.txt because
|
||||||
|
# p256m is not directly linked against any mbedtls targets
|
||||||
|
# so does not inherit the compile definitions.
|
||||||
|
if(MBEDTLS_CONFIG_FILE)
|
||||||
|
target_compile_definitions(p256m
|
||||||
|
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
||||||
|
endif()
|
||||||
|
if(MBEDTLS_USER_CONFIG_FILE)
|
||||||
|
target_compile_definitions(p256m
|
||||||
|
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
||||||
|
endif()
|
||||||
|
|
||||||
if(INSTALL_MBEDTLS_HEADERS)
|
if(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
|
install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
|
||||||
|
@ -19,7 +34,7 @@ if(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
endif(INSTALL_MBEDTLS_HEADERS)
|
endif(INSTALL_MBEDTLS_HEADERS)
|
||||||
|
|
||||||
install(TARGETS p256m
|
install(TARGETS ${p256m_target}
|
||||||
EXPORT MbedTLSTargets
|
EXPORT MbedTLSTargets
|
||||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
||||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
||||||
|
|
|
@ -106,6 +106,6 @@ The following branches are currently maintained:
|
||||||
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
|
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
|
||||||
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
|
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
|
||||||
maintained until at least the end of 2024, see
|
maintained until at least the end of 2024, see
|
||||||
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3>.
|
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
|
||||||
|
|
||||||
Users are urged to always use the latest version of a maintained branch.
|
Users are urged to always use the latest version of a maintained branch.
|
||||||
|
|
|
@ -62,7 +62,7 @@ if(CMAKE_HOST_WIN32)
|
||||||
# CMakeLists.txt.
|
# CMakeLists.txt.
|
||||||
option(GEN_FILES "Generate the auto-generated files as needed" OFF) # off in development
|
option(GEN_FILES "Generate the auto-generated files as needed" OFF) # off in development
|
||||||
else()
|
else()
|
||||||
option(GEN_FILES "Generate the auto-generated files as needed" ON)
|
option(GEN_FILES "Generate the auto-generated files as needed" OFF)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${MBEDTLS_AS_SUBPROJECT})
|
option(DISABLE_PACKAGE_CONFIG_AND_INSTALL "Disable package configuration, target export and installation" ${MBEDTLS_AS_SUBPROJECT})
|
||||||
|
@ -377,7 +377,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
|
||||||
write_basic_package_version_file(
|
write_basic_package_version_file(
|
||||||
"cmake/MbedTLSConfigVersion.cmake"
|
"cmake/MbedTLSConfigVersion.cmake"
|
||||||
COMPATIBILITY SameMajorVersion
|
COMPATIBILITY SameMajorVersion
|
||||||
VERSION 3.4.1)
|
VERSION 3.5.0)
|
||||||
|
|
||||||
install(
|
install(
|
||||||
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
||||||
|
|
288
ChangeLog
288
ChangeLog
|
@ -1,5 +1,293 @@
|
||||||
Mbed TLS ChangeLog (Sorted per branch, date)
|
Mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
|
= Mbed TLS 3.5.0 branch released 2023-10-05
|
||||||
|
|
||||||
|
API changes
|
||||||
|
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
||||||
|
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
||||||
|
their was a flaw in the logic checking if the built-in implementation, in
|
||||||
|
that if failed to check if all the relevant curves were supported by the
|
||||||
|
accelerator. As a result, it was possible to declare no curves as
|
||||||
|
accelerated and still have the built-in implementation compiled out.
|
||||||
|
Starting with this release, it is necessary to declare which curves are
|
||||||
|
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
||||||
|
considered not accelerated, and the built-in implementation of the curves
|
||||||
|
and any algorithm possible using them will be included in the build.
|
||||||
|
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
|
||||||
|
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
|
||||||
|
can be created using an ALT interface.
|
||||||
|
|
||||||
|
Requirement changes
|
||||||
|
* Officially require Python 3.8 now that earlier versions are out of support.
|
||||||
|
* Minimum required Windows version is now Windows Vista, or
|
||||||
|
Windows Server 2008.
|
||||||
|
|
||||||
|
New deprecations
|
||||||
|
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
|
||||||
|
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
|
||||||
|
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||||
|
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
|
||||||
|
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
|
||||||
|
the capabilities of the PSA side for either key.
|
||||||
|
* MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
|
||||||
|
MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
|
||||||
|
maximum size of any supported block cipher) or the new name
|
||||||
|
MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
|
||||||
|
maximum size of a block cipher supported by the CMAC module).
|
||||||
|
* mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
|
||||||
|
deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
|
||||||
|
mbedtls_pkcs12_pbe_ext() as they offer more security by checking
|
||||||
|
for overflow of the output buffer and reporting the actual length
|
||||||
|
of the output.
|
||||||
|
|
||||||
|
Features
|
||||||
|
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
|
||||||
|
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
|
||||||
|
been called. Previously (in 3.3), this was restricted to a few modules,
|
||||||
|
and only in builds where MBEDTLS_MD_C was disabled; in particular the
|
||||||
|
entropy module was not covered which meant an external RNG had to be
|
||||||
|
provided - these limitations are lifted in this version. A new set of
|
||||||
|
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
|
||||||
|
to check for availability of hash algorithms, regardless of whether
|
||||||
|
they're provided by a built-in implementation, a driver or both. See
|
||||||
|
docs/driver-only-builds.md.
|
||||||
|
* When a PSA driver for ECDH is present, it is now possible to disable
|
||||||
|
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
||||||
|
key exchanges based on ECDH(E) to work, this requires
|
||||||
|
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
||||||
|
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
||||||
|
as PSA does not have an API for restartable ECDH yet.
|
||||||
|
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
||||||
|
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
||||||
|
if not required by another module) and still get support for ECC keys and
|
||||||
|
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
||||||
|
for details.
|
||||||
|
* Add parsing of directoryName subtype for subjectAltName extension in
|
||||||
|
x509 certificates.
|
||||||
|
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
|
||||||
|
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
|
||||||
|
TLS 1.3 depending on the capabilities and preferences of TLS clients.
|
||||||
|
Fixes #6867.
|
||||||
|
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
|
||||||
|
* Add support for reading and writing X25519 and X448
|
||||||
|
public and private keys in RFC 8410 format using the existing PK APIs.
|
||||||
|
* When parsing X.509 certificates, support the extensions
|
||||||
|
SignatureKeyIdentifier and AuthorityKeyIdentifier.
|
||||||
|
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
|
||||||
|
if no PAKE algorithms are requested
|
||||||
|
* Add support for the FFDH algorithm and DH key types in PSA, with
|
||||||
|
parameters from RFC 7919. This includes a built-in implementation based
|
||||||
|
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
|
||||||
|
implementations of FFDH through the driver entry points.
|
||||||
|
* It is now possible to generate certificates with SubjectAltNames.
|
||||||
|
Currently supported subtypes: DnsName, UniformResourceIdentifier,
|
||||||
|
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
|
||||||
|
See mbedtls_x509write_crt_set_subject_alternative_name for
|
||||||
|
more information.
|
||||||
|
* X.509 hostname verification now partially supports URI Subject Alternate
|
||||||
|
Names. Only exact matching, without any normalization procedures
|
||||||
|
described in 7.4 of RFC5280, will result in a positive URI verification.
|
||||||
|
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
|
||||||
|
string to a DER-encoded mbedtls_asn1_buf.
|
||||||
|
* Add SHA-3 family hash functions.
|
||||||
|
* Add support to restrict AES to 128-bit keys in order to save code size.
|
||||||
|
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
|
||||||
|
used to enable this feature.
|
||||||
|
* AES performance improvements. Uplift varies by platform,
|
||||||
|
toolchain, optimisation flags and mode.
|
||||||
|
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
|
||||||
|
On Aarch64, uplift is typically around 20 - 110%.
|
||||||
|
When compiling with gcc -Os on Aarch64, AES-XTS improves
|
||||||
|
by 4.5x.
|
||||||
|
* Add support for PBKDF2-HMAC through the PSA API.
|
||||||
|
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||||
|
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
|
||||||
|
or DH) were introduced in order to have finer accuracy in defining the
|
||||||
|
PSA capabilities for each key. These capabilities, named yyy above, can be
|
||||||
|
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
|
||||||
|
- DERIVE is only available for ECC keys, not for RSA or DH ones.
|
||||||
|
- implementations are free to enable more than what it was strictly
|
||||||
|
requested. For example BASIC internally enables IMPORT and EXPORT
|
||||||
|
(useful for testing purposes), but this might change in the future.
|
||||||
|
* Add support for FFDH key exchange in TLS 1.3.
|
||||||
|
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
|
||||||
|
and the ephemeral or psk-ephemeral key exchange mode are enabled.
|
||||||
|
By default, all groups are offered; the list of groups can be
|
||||||
|
configured using the existing API function mbedtls_ssl_conf_groups().
|
||||||
|
* Improve mbedtls_x509_time performance and reduce memory use.
|
||||||
|
* Reduce syscalls to time() during certificate verification.
|
||||||
|
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
|
||||||
|
setting the CMake variable of the same name at configuration time.
|
||||||
|
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
|
||||||
|
`mbedtls_ssl_cache_context.timeout`.
|
||||||
|
* Add getter (mbedtls_ssl_get_hostname()) to access
|
||||||
|
`mbedtls_ssl_context.hostname`.
|
||||||
|
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
|
||||||
|
`mbedtls_ssl_config.endpoint`.
|
||||||
|
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
|
||||||
|
extended: it is now possible to use mbedtls_pk_write_key_der(),
|
||||||
|
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
|
||||||
|
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
|
||||||
|
allow it).
|
||||||
|
* The documentation of mbedtls_ecp_group now describes the optimized
|
||||||
|
representation of A for some curves. Fixes #8045.
|
||||||
|
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
|
||||||
|
of subjectAltName extension in x509 certificates.
|
||||||
|
* Add support for PBKDF2-CMAC through the PSA API.
|
||||||
|
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
|
||||||
|
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
|
||||||
|
disables the plain C implementation and the run-time detection for the
|
||||||
|
CPU feature, which reduces code size and avoids the vulnerability of the
|
||||||
|
plain C implementation.
|
||||||
|
* Accept arbitrary AttributeType and AttributeValue in certificate
|
||||||
|
Distinguished Names using RFC 4514 syntax.
|
||||||
|
* Applications using ECC over secp256r1 through the PSA API can use a
|
||||||
|
new implementation with a much smaller footprint, but some minor
|
||||||
|
usage restrictions. See the documentation of the new configuration
|
||||||
|
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix a case where potentially sensitive information held in memory would not
|
||||||
|
be completely zeroized during TLS 1.2 handshake, in both server and client
|
||||||
|
configurations.
|
||||||
|
* In configurations with ARIA or Camellia but not AES, the value of
|
||||||
|
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
|
||||||
|
suggest. This did not affect any library code, because this macro was
|
||||||
|
only used in relation with CMAC which does not support these ciphers.
|
||||||
|
This may affect application code that uses this macro.
|
||||||
|
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
|
||||||
|
review the size of the output buffer passed to this function, and note
|
||||||
|
that the output after decryption may include CBC padding. Consider moving
|
||||||
|
to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
|
||||||
|
which checks for overflow of the output buffer and reports the actual
|
||||||
|
length of the output.
|
||||||
|
* Improve padding calculations in CBC decryption, NIST key unwrapping and
|
||||||
|
RSA OAEP decryption. With the previous implementation, some compilers
|
||||||
|
(notably recent versions of Clang and IAR) could produce non-constant
|
||||||
|
time code, which could allow a padding oracle attack if the attacker
|
||||||
|
has access to precise timing measurements.
|
||||||
|
* Updates to constant-time C code so that compilers are less likely to use
|
||||||
|
conditional instructions, which can have an observable difference in
|
||||||
|
timing. (Clang has been seen to do this.) Also introduce assembly
|
||||||
|
implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
|
||||||
|
guaranteed not to use conditional instructions.
|
||||||
|
* Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
|
||||||
|
small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
|
||||||
|
undefined. Mbed TLS itself was unaffected by this, but user code
|
||||||
|
which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
|
||||||
|
release containing this bug was Mbed TLS 3.4.0.
|
||||||
|
* Fix a buffer overread when parsing short TLS application data records in
|
||||||
|
null-cipher cipher suites. Credit to OSS-Fuzz.
|
||||||
|
* Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
|
||||||
|
In TLS 1.3, all configurations are affected except PSK-only ones, and
|
||||||
|
both clients and servers are affected.
|
||||||
|
In TLS 1.2, the affected configurations are those with
|
||||||
|
MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
|
||||||
|
and only servers are affected, not clients.
|
||||||
|
Credit to OSS-Fuzz.
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
|
||||||
|
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
|
||||||
|
than all built-in ones and RSA is disabled.
|
||||||
|
Resolves #6622.
|
||||||
|
* Add missing md.h includes to some of the external programs from
|
||||||
|
the programs directory. Without this, even though the configuration
|
||||||
|
was sufficient for a particular program to work, it would only print
|
||||||
|
a message that one of the required defines is missing.
|
||||||
|
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
|
||||||
|
in the ecdsa.h header file. There was a build warning when the
|
||||||
|
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
|
||||||
|
Resolves #7407.
|
||||||
|
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
|
||||||
|
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
|
||||||
|
* Fix missing PSA initialization in sample programs when
|
||||||
|
MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||||
|
* Fix the J-PAKE driver interface for user and peer to accept any values
|
||||||
|
(previously accepted values were limited to "client" or "server").
|
||||||
|
* Fix clang and armclang compilation error when targeting certain Arm
|
||||||
|
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
|
||||||
|
SecurCore SC000). Fixes #1077.
|
||||||
|
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
|
||||||
|
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
|
||||||
|
way to detect the crypto extensions required. A warning is still issued.
|
||||||
|
* Fixed an issue that caused compile errors when using CMake and the IAR
|
||||||
|
toolchain.
|
||||||
|
* Fix very high stack usage in SSL debug code. Reported by Maximilian
|
||||||
|
Gerhardt in #7804.
|
||||||
|
* Fix a compilation failure in the constant_time module when
|
||||||
|
building for arm64_32 (e.g., for watchos). Reported by Paulo
|
||||||
|
Coutinho in #7787.
|
||||||
|
* Fix crypt_and_hash decryption fail when used with a stream cipher
|
||||||
|
mode of operation due to the input not being multiple of block size.
|
||||||
|
Resolves #7417.
|
||||||
|
* Fix a bug in which mbedtls_x509_string_to_names() would return success
|
||||||
|
when given a invalid name string if it did not contain '=' or ','.
|
||||||
|
* Fix compilation warnings in aes.c, which prevented the
|
||||||
|
example TF-M configuration in configs/ from building cleanly:
|
||||||
|
tfm_mbedcrypto_config_profile_medium.h with
|
||||||
|
crypto_config_profile_medium.h.
|
||||||
|
* In TLS 1.3, fix handshake failure when a client in its ClientHello
|
||||||
|
proposes an handshake based on PSK only key exchange mode or at least
|
||||||
|
one of the key exchange modes using ephemeral keys to a server that
|
||||||
|
supports only the PSK key exchange mode.
|
||||||
|
* Fix CCM* with no tag being not supported in a build with CCM as the only
|
||||||
|
symmetric encryption algorithm and the PSA configuration enabled.
|
||||||
|
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
|
||||||
|
* Fix a compilation error on some platforms when including mbedtls/ssl.h
|
||||||
|
with all TLS support disabled. Fixes #6628.
|
||||||
|
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
|
||||||
|
using ECC key. The certificate was rejected by some crypto frameworks.
|
||||||
|
Fixes #2924.
|
||||||
|
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
|
||||||
|
is called with zero length and padlock is not enabled.
|
||||||
|
* Fix compile failure due to empty enum in cipher_wrap.c, when building
|
||||||
|
with a very minimal configuration. Fixes #7625.
|
||||||
|
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
|
||||||
|
signature can silently return an incorrect result in low memory conditions.
|
||||||
|
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
|
||||||
|
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
||||||
|
* Fix IAR compiler warnings.
|
||||||
|
* Fix an issue when parsing an otherName subject alternative name into a
|
||||||
|
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
|
||||||
|
copied to the struct. This meant that the struct had incomplete
|
||||||
|
information about the otherName SAN and contained uninitialized memory.
|
||||||
|
* Fix the detection of HardwareModuleName otherName SANs. These were being
|
||||||
|
detected by comparing the wrong field and the check was erroneously
|
||||||
|
inverted.
|
||||||
|
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
|
||||||
|
enabled, where some low-level modules required by requested PSA crypto
|
||||||
|
features were not getting automatically enabled. Fixes #7420.
|
||||||
|
* Fix undefined symbols in some builds using TLS 1.3 with a custom
|
||||||
|
configuration file.
|
||||||
|
* Fix log level for the got supported group message. Fixes #6765
|
||||||
|
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
|
||||||
|
error code on failure. Before, they returned 1 to indicate failure in
|
||||||
|
some cases involving a missing entry or a full cache.
|
||||||
|
* mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
|
||||||
|
* Fix the build with CMake when Everest or P256-m is enabled through
|
||||||
|
a user configuration file or the compiler command line. Fixes #8165.
|
||||||
|
|
||||||
|
Changes
|
||||||
|
* Enable Arm / Thumb bignum assembly for most Arm platforms when
|
||||||
|
compiling with gcc, clang or armclang and -O0.
|
||||||
|
* Enforce minimum RSA key size when generating a key
|
||||||
|
to avoid accidental misuse.
|
||||||
|
* Use heap memory to allocate DER encoded RSA private key.
|
||||||
|
This reduces stack usage significantly for RSA signature
|
||||||
|
operations when MBEDTLS_PSA_CRYPTO_C is defined.
|
||||||
|
* Update Windows code to use BCryptGenRandom and wcslen, and
|
||||||
|
ensure that conversions between size_t, ULONG, and int are
|
||||||
|
always done safely. Original contribution by Kevin Kane #635, #730
|
||||||
|
followed by Simon Butcher #1453.
|
||||||
|
* Users integrating their own PSA drivers should be aware that
|
||||||
|
the file library/psa_crypto_driver_wrappers.c has been renamed
|
||||||
|
to psa_crypto_driver_wrappers_no_static.c.
|
||||||
|
* When using CBC with the cipher module, the requirement to call
|
||||||
|
mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
|
||||||
|
this call accidentally applied a default padding mode chosen at compile
|
||||||
|
time.
|
||||||
|
|
||||||
= Mbed TLS 3.4.1 branch released 2023-08-04
|
= Mbed TLS 3.4.1 branch released 2023-08-04
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
|
|
|
@ -1,18 +0,0 @@
|
||||||
New deprecations
|
|
||||||
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
|
|
||||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
|
|
||||||
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
|
||||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
|
|
||||||
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
|
|
||||||
the capabilities of the PSA side for either key.
|
|
||||||
|
|
||||||
Features
|
|
||||||
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
|
||||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
|
|
||||||
or DH) were introduced in order to have finer accuracy in defining the
|
|
||||||
PSA capabilities for each key. These capabilities, named yyy above, can be
|
|
||||||
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
|
|
||||||
- DERIVE is only available for ECC keys, not for RSA or DH ones.
|
|
||||||
- implementations are free to enable more than what it was strictly
|
|
||||||
requested. For example BASIC internally enables IMPORT and EXPORT
|
|
||||||
(useful for testing purposes), but this might change in the future.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
|
|
||||||
error code on failure. Before, they returned 1 to indicate failure in
|
|
||||||
some cases involving a missing entry or a full cache.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* When parsing X.509 certificates, support the extensions
|
|
||||||
SignatureKeyIdentifier and AuthorityKeyIdentifier.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support to restrict AES to 128-bit keys in order to save code size.
|
|
||||||
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
|
|
||||||
used to enable this feature.
|
|
|
@ -1,6 +0,0 @@
|
||||||
Features
|
|
||||||
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
|
|
||||||
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
|
|
||||||
disables the plain C implementation and the run-time detection for the
|
|
||||||
CPU feature, which reduces code size and avoids the vulnerability of the
|
|
||||||
plain C implementation.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Add parsing of directoryName subtype for subjectAltName extension in
|
|
||||||
x509 certificates.
|
|
|
@ -1,7 +0,0 @@
|
||||||
Features
|
|
||||||
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
|
|
||||||
`mbedtls_ssl_cache_context.timeout`.
|
|
||||||
* Add getter (mbedtls_ssl_get_hostname()) to access
|
|
||||||
`mbedtls_ssl_context.hostname`.
|
|
||||||
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
|
|
||||||
`mbedtls_ssl_config.endpoint`.
|
|
|
@ -1,5 +0,0 @@
|
||||||
API changes
|
|
||||||
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
|
|
||||||
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
|
|
||||||
can be created using an ALT interface.
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Add missing md.h includes to some of the external programs from
|
|
||||||
the programs directory. Without this, even though the configuration
|
|
||||||
was sufficient for a particular program to work, it would only print
|
|
||||||
a message that one of the required defines is missing.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for PBKDF2-CMAC through the PSA API.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for PBKDF2-HMAC through the PSA API.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
|
|
||||||
if no PAKE algorithms are requested
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
|
|
||||||
of subjectAltName extension in x509 certificates.
|
|
|
@ -1,6 +0,0 @@
|
||||||
Features
|
|
||||||
* It is now possible to generate certificates with SubjectAltNames.
|
|
||||||
Currently supported subtypes: DnsName, UniformResourceIdentifier,
|
|
||||||
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
|
|
||||||
See mbedtls_x509write_crt_set_subject_alternative_name for
|
|
||||||
more information.
|
|
|
@ -1,7 +0,0 @@
|
||||||
Features
|
|
||||||
* AES performance improvements. Uplift varies by platform,
|
|
||||||
toolchain, optimisation flags and mode.
|
|
||||||
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
|
|
||||||
On Aarch64, uplift is typically around 20 - 110%.
|
|
||||||
When compiling with gcc -Os on Aarch64, AES-XTS improves
|
|
||||||
by 4.5x.
|
|
|
@ -1,7 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix clang and armclang compilation error when targeting certain Arm
|
|
||||||
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
|
|
||||||
SecurCore SC000). Fixes #1077.
|
|
||||||
Changes
|
|
||||||
* Enable Arm / Thumb bignum assembly for most Arm platforms when
|
|
||||||
compiling with gcc, clang or armclang and -O0.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Features
|
|
||||||
* X.509 hostname verification now partially supports URI Subject Alternate
|
|
||||||
Names. Only exact matching, without any normalization procedures
|
|
||||||
described in 7.4 of RFC5280, will result in a positive URI verification.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fixed an issue that caused compile errors when using CMake and the IAR
|
|
||||||
toolchain.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
|
|
||||||
setting the CMake variable of the same name at configuration time.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
|
|
||||||
enabled, where some low-level modules required by requested PSA crypto
|
|
||||||
features were not getting automatically enabled. Fixes #7420.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for the FFDH algorithm and DH key types in PSA, with
|
|
||||||
parameters from RFC 7919. This includes a built-in implementation based
|
|
||||||
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
|
|
||||||
implementations of FFDH through the driver entry points.
|
|
|
@ -1,23 +0,0 @@
|
||||||
Features
|
|
||||||
* When a PSA driver for ECDH is present, it is now possible to disable
|
|
||||||
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
|
||||||
key exchanges based on ECDH(E) to work, this requires
|
|
||||||
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
|
||||||
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
|
||||||
as PSA does not have an API for restartable ECDH yet.
|
|
||||||
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
|
||||||
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
|
||||||
if not required by another module) and still get support for ECC keys and
|
|
||||||
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
|
||||||
for details.
|
|
||||||
API changes
|
|
||||||
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
|
||||||
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
|
||||||
their was a flaw in the logic checking if the built-in implementation, in
|
|
||||||
that if failed to check if all the relevant curves were supported by the
|
|
||||||
accelerator. As a result, it was possible to declare no curves as
|
|
||||||
accelerated and still have the built-in implementation compiled out.
|
|
||||||
Starting with this release, it is necessary to declare which curves are
|
|
||||||
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
|
||||||
considered not accelerated, and the built-in implementation of the curves
|
|
||||||
and any algorithm possible using them will be included in the build.
|
|
|
@ -1,11 +0,0 @@
|
||||||
Features
|
|
||||||
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
|
|
||||||
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
|
|
||||||
been called. Previously (in 3.3), this was restricted to a few modules,
|
|
||||||
and only in builds where MBEDTLS_MD_C was disabled; in particular the
|
|
||||||
entropy module was not covered which meant an external RNG had to be
|
|
||||||
provided - these limitations are lifted in this version. A new set of
|
|
||||||
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
|
|
||||||
to check for availability of hash algorithms, regardless of whether
|
|
||||||
they're provided by a built-in implementation, a driver or both. See
|
|
||||||
docs/driver-only-builds.md.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix the J-PAKE driver interface for user and peer to accept any values
|
|
||||||
(previously accepted values were limited to "client" or "server").
|
|
|
@ -1,3 +0,0 @@
|
||||||
Changes
|
|
||||||
* Enforce minimum RSA key size when generating a key
|
|
||||||
to avoid accidental misuse.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Accept arbitrary AttributeType and AttributeValue in certificate
|
|
||||||
Distinguished Names using RFC 4514 syntax.
|
|
|
@ -1,6 +0,0 @@
|
||||||
Features
|
|
||||||
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
|
|
||||||
extended: it is now possible to use mbedtls_pk_write_key_der(),
|
|
||||||
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
|
|
||||||
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
|
|
||||||
allow it).
|
|
|
@ -1,6 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for FFDH key exchange in TLS 1.3.
|
|
||||||
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
|
|
||||||
and the ephemeral or psk-ephemeral key exchange mode are enabled.
|
|
||||||
By default, all groups are offered; the list of groups can be
|
|
||||||
configured using the existing API function mbedtls_ssl_conf_groups().
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
|
|
||||||
signature can silently return an incorrect result in low memory conditions.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
|
|
||||||
is called with zero length and padlock is not enabled.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix crypt_and_hash decryption fail when used with a stream cipher
|
|
||||||
mode of operation due to the input not being multiple of block size.
|
|
||||||
Resolves #7417.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
|
|
||||||
in the ecdsa.h header file. There was a build warning when the
|
|
||||||
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
|
|
||||||
Resolves #7407.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix compile failure due to empty enum in cipher_wrap.c, when building
|
|
||||||
with a very minimal configuration. Fixes #7625.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* In TLS 1.3, fix handshake failure when a client in its ClientHello
|
|
||||||
proposes an handshake based on PSK only key exchange mode or at least
|
|
||||||
one of the key exchange modes using ephemeral keys to a server that
|
|
||||||
supports only the PSK key exchange mode.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix IAR compiler warnings.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix a compilation failure in the constant_time module when
|
|
||||||
building for arm64_32 (e.g., for watchos). Reported by Paulo
|
|
||||||
Coutinho in #7787.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix log level for the got supported group message. Fixes #6765
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix a bug in which mbedtls_x509_string_to_names() would return success
|
|
||||||
when given a invalid name string if it did not contain '=' or ','.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix compilation warnings in aes.c, which prevented the
|
|
||||||
example TF-M configuration in configs/ from building cleanly:
|
|
||||||
tfm_mbedcrypto_config_profile_medium.h with
|
|
||||||
crypto_config_profile_medium.h.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Security
|
|
||||||
* Fix a case where potentially sensitive information held in memory would not
|
|
||||||
be completely zeroized during TLS 1.2 handshake, in both server and client
|
|
||||||
configurations.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
|
|
||||||
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
|
|
||||||
way to detect the crypto extensions required. A warning is still issued.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* The documentation of mbedtls_ecp_group now describes the optimized
|
|
||||||
representation of A for some curves. Fixes #8045.
|
|
|
@ -1,8 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix an issue when parsing an otherName subject alternative name into a
|
|
||||||
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
|
|
||||||
copied to the struct. This meant that the struct had incomplete
|
|
||||||
information about the otherName SAN and contained uninitialized memory.
|
|
||||||
* Fix the detection of HardwareModuleName otherName SANs. These were being
|
|
||||||
detected by comparing the wrong field and the check was erroneously
|
|
||||||
inverted.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
|
|
||||||
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Improve mbedtls_x509_time performance and reduce memory use.
|
|
||||||
* Reduce syscalls to time() during certificate verification.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix CCM* with no tag being not supported in a build with CCM as the only
|
|
||||||
symmetric encryption algorithm and the PSA configuration enabled.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
|
|
||||||
string to a DER-encoded mbedtls_asn1_buf.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Features
|
|
||||||
* Applications using ECC over secp256r1 through the PSA API can use a
|
|
||||||
new implementation with a much smaller footprint, but some minor
|
|
||||||
usage restrictions. See the documentation of the new configuration
|
|
||||||
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix missing PSA initialization in sample programs when
|
|
||||||
MBEDTLS_USE_PSA_CRYPTO is enabled.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
|
|
||||||
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Requirement changes
|
|
||||||
* Officially require Python 3.8 now that earlier versions are out of support.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Changes
|
|
||||||
* Users intergrating their own PSA drivers should be aware that
|
|
||||||
the file library/psa_crypto_driver_wrappers.c has been renamed
|
|
||||||
to psa_crypto_driver_wrappers_no_static.c.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for reading and writing X25519 and X448
|
|
||||||
public and private keys in RFC 8410 format using the existing PK APIs.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Features
|
|
||||||
* Add SHA-3 family hash functions.
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
|
|
||||||
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
|
|
||||||
than all built-in ones and RSA is disabled.
|
|
||||||
Resolves #6622.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix very high stack usage in SSL debug code. Reported by Maximilian
|
|
||||||
Gerhardt in #7804.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix a compilation error on some platforms when including mbedtls/ssl.h
|
|
||||||
with all TLS support disabled. Fixes #6628.
|
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix undefined symbols in some builds using TLS 1.3 with a custom
|
|
||||||
configuration file.
|
|
|
@ -1,5 +0,0 @@
|
||||||
Features
|
|
||||||
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
|
|
||||||
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
|
|
||||||
TLS 1.3 depending on the capabilities and preferences of TLS clients.
|
|
||||||
Fixes #6867.
|
|
|
@ -1,9 +0,0 @@
|
||||||
Requirement changes
|
|
||||||
* Minimum required Windows version is now Windows Vista, or
|
|
||||||
Windows Server 2008.
|
|
||||||
|
|
||||||
Changes
|
|
||||||
* Update Windows code to use BCryptGenRandom and wcslen, and
|
|
||||||
ensure that conversions between size_t, ULONG, and int are
|
|
||||||
always done safely. Original contribution by Kevin Kane #635, #730
|
|
||||||
followed by Simon Butcher #1453.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Changes
|
|
||||||
* Use heap memory to allocate DER encoded RSA private key.
|
|
||||||
This reduces stack usage significantly for RSA signature
|
|
||||||
operations when MBEDTLS_PSA_CRYPTO_C is defined.
|
|
|
@ -1,2 +0,0 @@
|
||||||
Features
|
|
||||||
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
|
|
|
@ -1,4 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
|
|
||||||
using ECC key. The certificate was rejected by some crypto frameworks.
|
|
||||||
Fixes #2924.
|
|
2
Makefile
2
Makefile
|
@ -45,7 +45,7 @@ generated_files: visualc_files
|
||||||
# that lacks some of the necessary tools to re-generate the files.
|
# that lacks some of the necessary tools to re-generate the files.
|
||||||
# If $(GEN_FILES) is non-empty, the generated source files' dependencies
|
# If $(GEN_FILES) is non-empty, the generated source files' dependencies
|
||||||
# are treated ordinarily, based on file timestamps.
|
# are treated ordinarily, based on file timestamps.
|
||||||
GEN_FILES ?= yes
|
GEN_FILES ?=
|
||||||
|
|
||||||
# In dependencies where the target is a configuration-independent generated
|
# In dependencies where the target is a configuration-independent generated
|
||||||
# file, use `TARGET: $(gen_file_dep) DEPENDENCY1 DEPENDENCY2 ...`
|
# file, use `TARGET: $(gen_file_dep) DEPENDENCY1 DEPENDENCY2 ...`
|
||||||
|
|
|
@ -135,3 +135,12 @@ Guide](docs/architecture/alternative-implementations.md) for more information.
|
||||||
- Use cryptographic mechanisms that are not based on block ciphers. In
|
- Use cryptographic mechanisms that are not based on block ciphers. In
|
||||||
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
|
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
|
||||||
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
|
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
|
||||||
|
|
||||||
|
#### Everest
|
||||||
|
|
||||||
|
The HACL* implementation of X25519 taken from the Everest project only protects
|
||||||
|
against remote timing attacks. (See their [Security
|
||||||
|
Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
|
||||||
|
|
||||||
|
The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
|
||||||
|
configuration option is defined. This option is off by default.
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @mainpage Mbed TLS v3.4.1 API Documentation
|
* @mainpage Mbed TLS v3.5.0 API Documentation
|
||||||
*
|
*
|
||||||
* This documentation describes the internal structure of Mbed TLS. It was
|
* This documentation describes the internal structure of Mbed TLS. It was
|
||||||
* automatically generated from specially formatted comment blocks in
|
* automatically generated from specially formatted comment blocks in
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
PROJECT_NAME = "Mbed TLS v3.4.1"
|
PROJECT_NAME = "Mbed TLS v3.5.0"
|
||||||
OUTPUT_DIRECTORY = ../apidoc/
|
OUTPUT_DIRECTORY = ../apidoc/
|
||||||
FULL_PATH_NAMES = NO
|
FULL_PATH_NAMES = NO
|
||||||
OPTIMIZE_OUTPUT_FOR_C = YES
|
OPTIMIZE_OUTPUT_FOR_C = YES
|
||||||
|
|
|
@ -37,17 +37,17 @@
|
||||||
* Major, Minor, Patchlevel
|
* Major, Minor, Patchlevel
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_VERSION_MAJOR 3
|
#define MBEDTLS_VERSION_MAJOR 3
|
||||||
#define MBEDTLS_VERSION_MINOR 4
|
#define MBEDTLS_VERSION_MINOR 5
|
||||||
#define MBEDTLS_VERSION_PATCH 1
|
#define MBEDTLS_VERSION_PATCH 0
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The single version number has the following structure:
|
* The single version number has the following structure:
|
||||||
* MMNNPP00
|
* MMNNPP00
|
||||||
* Major version | Minor version | Patch version
|
* Major version | Minor version | Patch version
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_VERSION_NUMBER 0x03040100
|
#define MBEDTLS_VERSION_NUMBER 0x03050000
|
||||||
#define MBEDTLS_VERSION_STRING "3.4.1"
|
#define MBEDTLS_VERSION_STRING "3.5.0"
|
||||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.4.1"
|
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.0"
|
||||||
|
|
||||||
/* Macros for build-time platform detection */
|
/* Macros for build-time platform detection */
|
||||||
|
|
||||||
|
|
|
@ -852,7 +852,6 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
|
||||||
* \brief This function sets the padding mode, for cipher modes
|
* \brief This function sets the padding mode, for cipher modes
|
||||||
* that use padding.
|
* that use padding.
|
||||||
*
|
*
|
||||||
* The default passing mode is PKCS7 padding.
|
|
||||||
*
|
*
|
||||||
* \param ctx The generic cipher context. This must be initialized and
|
* \param ctx The generic cipher context. This must be initialized and
|
||||||
* bound to a cipher information structure.
|
* bound to a cipher information structure.
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
*
|
*
|
||||||
* The Cipher-based Message Authentication Code (CMAC) Mode for
|
* The Cipher-based Message Authentication Code (CMAC) Mode for
|
||||||
* Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
|
* Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
|
||||||
|
* It is supported with AES and DES.
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
|
@ -38,12 +39,30 @@ extern "C" {
|
||||||
#define MBEDTLS_AES_BLOCK_SIZE 16
|
#define MBEDTLS_AES_BLOCK_SIZE 16
|
||||||
#define MBEDTLS_DES3_BLOCK_SIZE 8
|
#define MBEDTLS_DES3_BLOCK_SIZE 8
|
||||||
|
|
||||||
|
/* We don't support Camellia or ARIA in this module */
|
||||||
#if defined(MBEDTLS_AES_C)
|
#if defined(MBEDTLS_AES_C)
|
||||||
#define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /**< The longest block used by CMAC is that of AES. */
|
#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 16 /**< The longest block used by CMAC is that of AES. */
|
||||||
#else
|
#else
|
||||||
#define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /**< The longest block used by CMAC is that of 3DES. */
|
#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 8 /**< The longest block used by CMAC is that of 3DES. */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
|
/** The longest block supported by the cipher module.
|
||||||
|
*
|
||||||
|
* \deprecated
|
||||||
|
* For the maximum block size of a cipher supported by the CMAC module,
|
||||||
|
* use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
|
||||||
|
* For the maximum block size of a cipher supported by the cipher module,
|
||||||
|
* use #MBEDTLS_MAX_BLOCK_LENGTH.
|
||||||
|
*/
|
||||||
|
/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
|
||||||
|
* module, so it didn't take Camellia or ARIA into account. Since the name
|
||||||
|
* of the macro doesn't even convey "CMAC", this was misleading. Now the size
|
||||||
|
* is sufficient for any cipher, but the name is defined in cmac.h for
|
||||||
|
* backward compatibility. */
|
||||||
|
#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
|
||||||
|
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||||
|
|
||||||
#if !defined(MBEDTLS_CMAC_ALT)
|
#if !defined(MBEDTLS_CMAC_ALT)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -51,11 +70,11 @@ extern "C" {
|
||||||
*/
|
*/
|
||||||
struct mbedtls_cmac_context_t {
|
struct mbedtls_cmac_context_t {
|
||||||
/** The internal state of the CMAC algorithm. */
|
/** The internal state of the CMAC algorithm. */
|
||||||
unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
|
|
||||||
/** Unprocessed data - either data that was not block aligned and is still
|
/** Unprocessed data - either data that was not block aligned and is still
|
||||||
* pending processing, or the final block. */
|
* pending processing, or the final block. */
|
||||||
unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
|
|
||||||
/** The length of data pending processing. */
|
/** The length of data pending processing. */
|
||||||
size_t MBEDTLS_PRIVATE(unprocessed_len);
|
size_t MBEDTLS_PRIVATE(unprocessed_len);
|
||||||
|
|
|
@ -184,4 +184,12 @@
|
||||||
#define MBEDTLS_PK_HAVE_ECC_KEYS
|
#define MBEDTLS_PK_HAVE_ECC_KEYS
|
||||||
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
|
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
|
||||||
|
|
||||||
|
/* Historically pkparse did not check the CBC padding when decrypting
|
||||||
|
* a key. This was a bug, which is now fixed. As a consequence, pkparse
|
||||||
|
* now needs PKCS7 padding support, but existing configurations might not
|
||||||
|
* enable it, so we enable it here. */
|
||||||
|
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||||
|
#define MBEDTLS_CIPHER_PADDING_PKCS7
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */
|
#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */
|
||||||
|
|
|
@ -52,10 +52,30 @@ extern "C" {
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
/**
|
/**
|
||||||
* \brief PKCS12 Password Based function (encryption / decryption)
|
* \brief PKCS12 Password Based function (encryption / decryption)
|
||||||
* for cipher-based and mbedtls_md-based PBE's
|
* for cipher-based and mbedtls_md-based PBE's
|
||||||
*
|
*
|
||||||
|
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
|
||||||
|
* be enabled at compile time.
|
||||||
|
*
|
||||||
|
* \deprecated This function is deprecated and will be removed in a
|
||||||
|
* future version of the library.
|
||||||
|
* Please use mbedtls_pkcs12_pbe_ext() instead.
|
||||||
|
*
|
||||||
|
* \warning When decrypting:
|
||||||
|
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
|
||||||
|
* time, this function validates the CBC padding and returns
|
||||||
|
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
|
||||||
|
* invalid. Note that this can help active adversaries
|
||||||
|
* attempting to brute-forcing the password. Note also that
|
||||||
|
* there is no guarantee that an invalid password will be
|
||||||
|
* detected (the chances of a valid padding with a random
|
||||||
|
* password are about 1/255).
|
||||||
|
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
|
||||||
|
* time, this function does not validate the CBC padding.
|
||||||
|
*
|
||||||
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
|
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
|
||||||
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
|
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
|
||||||
* #MBEDTLS_PKCS12_PBE_DECRYPT
|
* #MBEDTLS_PKCS12_PBE_DECRYPT
|
||||||
|
@ -64,17 +84,78 @@ extern "C" {
|
||||||
* \param pwd Latin1-encoded password used. This may only be \c NULL when
|
* \param pwd Latin1-encoded password used. This may only be \c NULL when
|
||||||
* \p pwdlen is 0. No null terminator should be used.
|
* \p pwdlen is 0. No null terminator should be used.
|
||||||
* \param pwdlen length of the password (may be 0)
|
* \param pwdlen length of the password (may be 0)
|
||||||
* \param input the input data
|
* \param data the input data
|
||||||
* \param len data length
|
* \param len data length
|
||||||
* \param output the output buffer
|
* \param output Output buffer.
|
||||||
|
* On success, it contains the encrypted or decrypted data,
|
||||||
|
* possibly followed by the CBC padding.
|
||||||
|
* On failure, the content is indeterminate.
|
||||||
|
* For decryption, there must be enough room for \p len
|
||||||
|
* bytes.
|
||||||
|
* For encryption, there must be enough room for
|
||||||
|
* \p len + 1 bytes, rounded up to the block size of
|
||||||
|
* the block cipher identified by \p pbe_params.
|
||||||
*
|
*
|
||||||
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
|
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
|
||||||
*/
|
*/
|
||||||
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
mbedtls_cipher_type_t cipher_type,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
mbedtls_md_type_t md_type,
|
||||||
const unsigned char *input, size_t len,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
unsigned char *output);
|
const unsigned char *data, size_t len,
|
||||||
|
unsigned char *output);
|
||||||
|
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief PKCS12 Password Based function (encryption / decryption)
|
||||||
|
* for cipher-based and mbedtls_md-based PBE's
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* \warning When decrypting:
|
||||||
|
* - This function validates the CBC padding and returns
|
||||||
|
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
|
||||||
|
* invalid. Note that this can help active adversaries
|
||||||
|
* attempting to brute-forcing the password. Note also that
|
||||||
|
* there is no guarantee that an invalid password will be
|
||||||
|
* detected (the chances of a valid padding with a random
|
||||||
|
* password are about 1/255).
|
||||||
|
*
|
||||||
|
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
|
||||||
|
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
|
||||||
|
* #MBEDTLS_PKCS12_PBE_DECRYPT
|
||||||
|
* \param cipher_type the cipher used
|
||||||
|
* \param md_type the mbedtls_md used
|
||||||
|
* \param pwd Latin1-encoded password used. This may only be \c NULL when
|
||||||
|
* \p pwdlen is 0. No null terminator should be used.
|
||||||
|
* \param pwdlen length of the password (may be 0)
|
||||||
|
* \param data the input data
|
||||||
|
* \param len data length
|
||||||
|
* \param output Output buffer.
|
||||||
|
* On success, it contains the encrypted or decrypted data,
|
||||||
|
* possibly followed by the CBC padding.
|
||||||
|
* On failure, the content is indeterminate.
|
||||||
|
* For decryption, there must be enough room for \p len
|
||||||
|
* bytes.
|
||||||
|
* For encryption, there must be enough room for
|
||||||
|
* \p len + 1 bytes, rounded up to the block size of
|
||||||
|
* the block cipher identified by \p pbe_params.
|
||||||
|
* \param output_size size of output buffer.
|
||||||
|
* This must be big enough to accommodate for output plus
|
||||||
|
* padding data.
|
||||||
|
* \param output_len On success, length of actual data written to the output buffer.
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t len,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len);
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||||
|
|
||||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,7 @@
|
||||||
#define MBEDTLS_PKCS5_H
|
#define MBEDTLS_PKCS5_H
|
||||||
|
|
||||||
#include "mbedtls/build_info.h"
|
#include "mbedtls/build_info.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
#include "mbedtls/asn1.h"
|
#include "mbedtls/asn1.h"
|
||||||
#include "mbedtls/md.h"
|
#include "mbedtls/md.h"
|
||||||
|
@ -50,23 +51,95 @@ extern "C" {
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
/**
|
/**
|
||||||
* \brief PKCS#5 PBES2 function
|
* \brief PKCS#5 PBES2 function
|
||||||
*
|
*
|
||||||
|
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
|
||||||
|
* be enabled at compile time.
|
||||||
|
*
|
||||||
|
* \deprecated This function is deprecated and will be removed in a
|
||||||
|
* future version of the library.
|
||||||
|
* Please use mbedtls_pkcs5_pbes2_ext() instead.
|
||||||
|
*
|
||||||
|
* \warning When decrypting:
|
||||||
|
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
|
||||||
|
* time, this function validates the CBC padding and returns
|
||||||
|
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
|
||||||
|
* invalid. Note that this can help active adversaries
|
||||||
|
* attempting to brute-forcing the password. Note also that
|
||||||
|
* there is no guarantee that an invalid password will be
|
||||||
|
* detected (the chances of a valid padding with a random
|
||||||
|
* password are about 1/255).
|
||||||
|
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
|
||||||
|
* time, this function does not validate the CBC padding.
|
||||||
|
*
|
||||||
* \param pbe_params the ASN.1 algorithm parameters
|
* \param pbe_params the ASN.1 algorithm parameters
|
||||||
* \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
|
* \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
|
||||||
* \param pwd password to use when generating key
|
* \param pwd password to use when generating key
|
||||||
* \param pwdlen length of password
|
* \param pwdlen length of password
|
||||||
* \param data data to process
|
* \param data data to process
|
||||||
* \param datalen length of data
|
* \param datalen length of data
|
||||||
* \param output output buffer
|
* \param output Output buffer.
|
||||||
|
* On success, it contains the encrypted or decrypted data,
|
||||||
|
* possibly followed by the CBC padding.
|
||||||
|
* On failure, the content is indeterminate.
|
||||||
|
* For decryption, there must be enough room for \p datalen
|
||||||
|
* bytes.
|
||||||
|
* For encryption, there must be enough room for
|
||||||
|
* \p datalen + 1 bytes, rounded up to the block size of
|
||||||
|
* the block cipher identified by \p pbe_params.
|
||||||
*
|
*
|
||||||
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
|
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
|
||||||
*/
|
*/
|
||||||
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
const unsigned char *data, size_t datalen,
|
const unsigned char *data, size_t datalen,
|
||||||
unsigned char *output);
|
unsigned char *output);
|
||||||
|
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief PKCS#5 PBES2 function
|
||||||
|
*
|
||||||
|
* \warning When decrypting:
|
||||||
|
* - This function validates the CBC padding and returns
|
||||||
|
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
|
||||||
|
* invalid. Note that this can help active adversaries
|
||||||
|
* attempting to brute-forcing the password. Note also that
|
||||||
|
* there is no guarantee that an invalid password will be
|
||||||
|
* detected (the chances of a valid padding with a random
|
||||||
|
* password are about 1/255).
|
||||||
|
*
|
||||||
|
* \param pbe_params the ASN.1 algorithm parameters
|
||||||
|
* \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
|
||||||
|
* \param pwd password to use when generating key
|
||||||
|
* \param pwdlen length of password
|
||||||
|
* \param data data to process
|
||||||
|
* \param datalen length of data
|
||||||
|
* \param output Output buffer.
|
||||||
|
* On success, it contains the decrypted data.
|
||||||
|
* On failure, the content is indetermidate.
|
||||||
|
* For decryption, there must be enough room for \p datalen
|
||||||
|
* bytes.
|
||||||
|
* For encryption, there must be enough room for
|
||||||
|
* \p datalen + 1 bytes, rounded up to the block size of
|
||||||
|
* the block cipher identified by \p pbe_params.
|
||||||
|
* \param output_size size of output buffer.
|
||||||
|
* This must be big enough to accommodate for output plus
|
||||||
|
* padding data.
|
||||||
|
* \param output_len On success, length of actual data written to the output buffer.
|
||||||
|
*
|
||||||
|
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t datalen,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len);
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||||
|
|
||||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||||
|
|
||||||
|
|
14
library/.gitignore
vendored
14
library/.gitignore
vendored
|
@ -2,10 +2,10 @@ libmbed*
|
||||||
*.sln
|
*.sln
|
||||||
*.vcxproj
|
*.vcxproj
|
||||||
|
|
||||||
###START_GENERATED_FILES###
|
# ###START_COMMENTED_GENERATED_FILES###
|
||||||
/error.c
|
# /error.c
|
||||||
/version_features.c
|
# /version_features.c
|
||||||
/ssl_debug_helpers_generated.c
|
# /ssl_debug_helpers_generated.c
|
||||||
/psa_crypto_driver_wrappers.h
|
# /psa_crypto_driver_wrappers.h
|
||||||
/psa_crypto_driver_wrappers_no_static.c
|
# /psa_crypto_driver_wrappers_no_static.c
|
||||||
###END_GENERATED_FILES###
|
# ###END_COMMENTED_GENERATED_FILES###
|
||||||
|
|
|
@ -268,17 +268,20 @@ if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
|
||||||
${mbedtls_static_target})
|
${mbedtls_static_target})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
set(p256m_target "${MBEDTLS_TARGET_PREFIX}p256m")
|
||||||
|
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
|
||||||
|
|
||||||
if(USE_STATIC_MBEDTLS_LIBRARY)
|
if(USE_STATIC_MBEDTLS_LIBRARY)
|
||||||
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
|
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
|
||||||
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
|
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
|
||||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
|
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
|
||||||
|
|
||||||
if(TARGET everest)
|
if(TARGET ${everest_target})
|
||||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC everest)
|
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${everest_target})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if(TARGET p256m)
|
if(TARGET ${p256m_target})
|
||||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC p256m)
|
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${p256m_target})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
add_library(${mbedx509_static_target} STATIC ${src_x509})
|
add_library(${mbedx509_static_target} STATIC ${src_x509})
|
||||||
|
@ -293,23 +296,23 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
|
||||||
if(USE_SHARED_MBEDTLS_LIBRARY)
|
if(USE_SHARED_MBEDTLS_LIBRARY)
|
||||||
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
|
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
|
||||||
add_library(${mbedcrypto_target} SHARED ${src_crypto})
|
add_library(${mbedcrypto_target} SHARED ${src_crypto})
|
||||||
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.4.1 SOVERSION 14)
|
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.0 SOVERSION 15)
|
||||||
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
|
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
|
||||||
|
|
||||||
if(TARGET everest)
|
if(TARGET ${everest_target})
|
||||||
target_link_libraries(${mbedcrypto_target} PUBLIC everest)
|
target_link_libraries(${mbedcrypto_target} PUBLIC ${everest_target})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
if(TARGET p256m)
|
if(TARGET ${p256m_target})
|
||||||
target_link_libraries(${mbedcrypto_target} PUBLIC p256m)
|
target_link_libraries(${mbedcrypto_target} PUBLIC ${p256m_target})
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
add_library(${mbedx509_target} SHARED ${src_x509})
|
add_library(${mbedx509_target} SHARED ${src_x509})
|
||||||
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.4.1 SOVERSION 5)
|
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.0 SOVERSION 6)
|
||||||
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
|
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
|
||||||
|
|
||||||
add_library(${mbedtls_target} SHARED ${src_tls})
|
add_library(${mbedtls_target} SHARED ${src_tls})
|
||||||
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.4.1 SOVERSION 19)
|
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.0 SOVERSION 20)
|
||||||
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
|
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
|
||||||
endif(USE_SHARED_MBEDTLS_LIBRARY)
|
endif(USE_SHARED_MBEDTLS_LIBRARY)
|
||||||
|
|
||||||
|
|
|
@ -51,9 +51,9 @@ LOCAL_CFLAGS += -fPIC -fpic
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
SOEXT_TLS?=so.19
|
SOEXT_TLS?=so.20
|
||||||
SOEXT_X509?=so.5
|
SOEXT_X509?=so.6
|
||||||
SOEXT_CRYPTO?=so.14
|
SOEXT_CRYPTO?=so.15
|
||||||
|
|
||||||
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
|
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
|
||||||
# the - prefix for command line options (e.g. llvm-ar)
|
# the - prefix for command line options (e.g. llvm-ar)
|
||||||
|
@ -321,7 +321,7 @@ GENERATED_FILES = \
|
||||||
generated_files: $(GENERATED_FILES)
|
generated_files: $(GENERATED_FILES)
|
||||||
|
|
||||||
# See root Makefile
|
# See root Makefile
|
||||||
GEN_FILES ?= yes
|
GEN_FILES ?=
|
||||||
ifdef GEN_FILES
|
ifdef GEN_FILES
|
||||||
gen_file_dep =
|
gen_file_dep =
|
||||||
else
|
else
|
||||||
|
|
|
@ -83,7 +83,7 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
|
||||||
* That is if X is negative (X_is_negative == 1), then X < Y is true and it
|
* That is if X is negative (X_is_negative == 1), then X < Y is true and it
|
||||||
* is false if X is positive (X_is_negative == 0).
|
* is false if X is positive (X_is_negative == 0).
|
||||||
*/
|
*/
|
||||||
different_sign = mbedtls_ct_bool_xor(X_is_negative, Y_is_negative); // true if different sign
|
different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
|
||||||
result = mbedtls_ct_bool_and(different_sign, X_is_negative);
|
result = mbedtls_ct_bool_and(different_sign, X_is_negative);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -33,6 +33,7 @@
|
||||||
#include "mbedtls/ccm.h"
|
#include "mbedtls/ccm.h"
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
#include "mbedtls/constant_time.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
@ -532,13 +533,8 @@ static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
|
||||||
const unsigned char *tag2,
|
const unsigned char *tag2,
|
||||||
size_t tag_len)
|
size_t tag_len)
|
||||||
{
|
{
|
||||||
unsigned char i;
|
|
||||||
int diff;
|
|
||||||
|
|
||||||
/* Check tag in "constant-time" */
|
/* Check tag in "constant-time" */
|
||||||
for (diff = 0, i = 0; i < tag_len; i++) {
|
int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
|
||||||
diff |= tag1[i] ^ tag2[i];
|
|
||||||
}
|
|
||||||
|
|
||||||
if (diff != 0) {
|
if (diff != 0) {
|
||||||
return MBEDTLS_ERR_CCM_AUTH_FAILED;
|
return MBEDTLS_ERR_CCM_AUTH_FAILED;
|
||||||
|
|
|
@ -25,6 +25,7 @@
|
||||||
#include "mbedtls/chachapoly.h"
|
#include "mbedtls/chachapoly.h"
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
#include "mbedtls/constant_time.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
@ -310,7 +311,6 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
unsigned char check_tag[16];
|
unsigned char check_tag[16];
|
||||||
size_t i;
|
|
||||||
int diff;
|
int diff;
|
||||||
|
|
||||||
if ((ret = chachapoly_crypt_and_tag(ctx,
|
if ((ret = chachapoly_crypt_and_tag(ctx,
|
||||||
|
@ -320,9 +320,7 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check tag in "constant-time" */
|
/* Check tag in "constant-time" */
|
||||||
for (diff = 0, i = 0; i < sizeof(check_tag); i++) {
|
diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
|
||||||
diff |= tag[i] ^ check_tag[i];
|
|
||||||
}
|
|
||||||
|
|
||||||
if (diff != 0) {
|
if (diff != 0) {
|
||||||
mbedtls_platform_zeroize(output, length);
|
mbedtls_platform_zeroize(output, length);
|
||||||
|
|
|
@ -30,6 +30,7 @@
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
#include "mbedtls/constant_time.h"
|
#include "mbedtls/constant_time.h"
|
||||||
|
#include "constant_time_internal.h"
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
@ -268,17 +269,6 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
|
||||||
|
|
||||||
ctx->cipher_info = cipher_info;
|
ctx->cipher_info = cipher_info;
|
||||||
|
|
||||||
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
|
||||||
/*
|
|
||||||
* Ignore possible errors caused by a cipher mode that doesn't use padding
|
|
||||||
*/
|
|
||||||
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
|
||||||
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7);
|
|
||||||
#else
|
|
||||||
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE);
|
|
||||||
#endif
|
|
||||||
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -848,7 +838,7 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
|
||||||
size_t *data_len)
|
size_t *data_len)
|
||||||
{
|
{
|
||||||
size_t i, pad_idx;
|
size_t i, pad_idx;
|
||||||
unsigned char padding_len, bad = 0;
|
unsigned char padding_len;
|
||||||
|
|
||||||
if (NULL == input || NULL == data_len) {
|
if (NULL == input || NULL == data_len) {
|
||||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||||
|
@ -857,18 +847,19 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
|
||||||
padding_len = input[input_len - 1];
|
padding_len = input[input_len - 1];
|
||||||
*data_len = input_len - padding_len;
|
*data_len = input_len - padding_len;
|
||||||
|
|
||||||
/* Avoid logical || since it results in a branch */
|
mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
|
||||||
bad |= padding_len > input_len;
|
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
|
||||||
bad |= padding_len == 0;
|
|
||||||
|
|
||||||
/* The number of bytes checked must be independent of padding_len,
|
/* The number of bytes checked must be independent of padding_len,
|
||||||
* so pick input_len, which is usually 8 or 16 (one block) */
|
* so pick input_len, which is usually 8 or 16 (one block) */
|
||||||
pad_idx = input_len - padding_len;
|
pad_idx = input_len - padding_len;
|
||||||
for (i = 0; i < input_len; i++) {
|
for (i = 0; i < input_len; i++) {
|
||||||
bad |= (input[i] ^ padding_len) * (i >= pad_idx);
|
mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
|
||||||
|
mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
|
||||||
|
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
|
||||||
}
|
}
|
||||||
|
|
||||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||||
|
|
||||||
|
@ -891,24 +882,28 @@ static void add_one_and_zeros_padding(unsigned char *output,
|
||||||
static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
|
static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
|
||||||
size_t *data_len)
|
size_t *data_len)
|
||||||
{
|
{
|
||||||
size_t i;
|
|
||||||
unsigned char done = 0, prev_done, bad;
|
|
||||||
|
|
||||||
if (NULL == input || NULL == data_len) {
|
if (NULL == input || NULL == data_len) {
|
||||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||||
}
|
}
|
||||||
|
|
||||||
bad = 0x80;
|
mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
|
||||||
|
mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
|
||||||
|
|
||||||
*data_len = 0;
|
*data_len = 0;
|
||||||
for (i = input_len; i > 0; i--) {
|
|
||||||
prev_done = done;
|
for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
|
||||||
done |= (input[i - 1] != 0);
|
mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
|
||||||
*data_len |= (i - 1) * (done != prev_done);
|
|
||||||
bad ^= input[i - 1] * (done != prev_done);
|
mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
|
||||||
|
|
||||||
|
*data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
|
||||||
|
|
||||||
|
bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
|
||||||
|
|
||||||
|
in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
|
||||||
}
|
}
|
||||||
|
|
||||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||||
|
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
|
#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
|
||||||
|
|
||||||
|
@ -932,7 +927,8 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
||||||
size_t *data_len)
|
size_t *data_len)
|
||||||
{
|
{
|
||||||
size_t i, pad_idx;
|
size_t i, pad_idx;
|
||||||
unsigned char padding_len, bad = 0;
|
unsigned char padding_len;
|
||||||
|
mbedtls_ct_condition_t bad;
|
||||||
|
|
||||||
if (NULL == input || NULL == data_len) {
|
if (NULL == input || NULL == data_len) {
|
||||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||||
|
@ -942,16 +938,19 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
||||||
*data_len = input_len - padding_len;
|
*data_len = input_len - padding_len;
|
||||||
|
|
||||||
/* Avoid logical || since it results in a branch */
|
/* Avoid logical || since it results in a branch */
|
||||||
bad |= padding_len > input_len;
|
bad = mbedtls_ct_uint_gt(padding_len, input_len);
|
||||||
bad |= padding_len == 0;
|
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
|
||||||
|
|
||||||
/* The number of bytes checked must be independent of padding_len */
|
/* The number of bytes checked must be independent of padding_len */
|
||||||
pad_idx = input_len - padding_len;
|
pad_idx = input_len - padding_len;
|
||||||
for (i = 0; i < input_len - 1; i++) {
|
for (i = 0; i < input_len - 1; i++) {
|
||||||
bad |= input[i] * (i >= pad_idx);
|
mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
|
||||||
|
mbedtls_ct_condition_t nonzero_pad_byte;
|
||||||
|
nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
|
||||||
|
bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
|
||||||
}
|
}
|
||||||
|
|
||||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
|
#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
|
||||||
|
|
||||||
|
@ -962,18 +961,14 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
||||||
static void add_zeros_padding(unsigned char *output,
|
static void add_zeros_padding(unsigned char *output,
|
||||||
size_t output_len, size_t data_len)
|
size_t output_len, size_t data_len)
|
||||||
{
|
{
|
||||||
size_t i;
|
memset(output + data_len, 0, output_len - data_len);
|
||||||
|
|
||||||
for (i = data_len; i < output_len; i++) {
|
|
||||||
output[i] = 0x00;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static int get_zeros_padding(unsigned char *input, size_t input_len,
|
static int get_zeros_padding(unsigned char *input, size_t input_len,
|
||||||
size_t *data_len)
|
size_t *data_len)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
unsigned char done = 0, prev_done;
|
mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
|
||||||
|
|
||||||
if (NULL == input || NULL == data_len) {
|
if (NULL == input || NULL == data_len) {
|
||||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||||
|
@ -982,8 +977,8 @@ static int get_zeros_padding(unsigned char *input, size_t input_len,
|
||||||
*data_len = 0;
|
*data_len = 0;
|
||||||
for (i = input_len; i > 0; i--) {
|
for (i = input_len; i > 0; i--) {
|
||||||
prev_done = done;
|
prev_done = done;
|
||||||
done |= (input[i-1] != 0);
|
done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
|
||||||
*data_len |= i * (done != prev_done);
|
*data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -1027,6 +1022,16 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
|
||||||
|
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
||||||
|
/* CBC mode requires padding so we make sure a call to
|
||||||
|
* mbedtls_cipher_set_padding_mode has been done successfully. */
|
||||||
|
if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
|
||||||
|
if (ctx->get_padding == NULL) {
|
||||||
|
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||||
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||||
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||||
|
|
|
@ -114,7 +114,7 @@ static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
|
||||||
unsigned char *K1, unsigned char *K2)
|
unsigned char *K1, unsigned char *K2)
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
size_t olen, block_size;
|
size_t olen, block_size;
|
||||||
|
|
||||||
mbedtls_platform_zeroize(L, sizeof(L));
|
mbedtls_platform_zeroize(L, sizeof(L));
|
||||||
|
@ -152,7 +152,7 @@ exit:
|
||||||
* We can't use the padding option from the cipher layer, as it only works for
|
* We can't use the padding option from the cipher layer, as it only works for
|
||||||
* CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
|
* CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
|
||||||
*/
|
*/
|
||||||
static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
|
static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
|
||||||
size_t padded_block_len,
|
size_t padded_block_len,
|
||||||
const unsigned char *last_block,
|
const unsigned char *last_block,
|
||||||
size_t last_block_len)
|
size_t last_block_len)
|
||||||
|
@ -283,9 +283,9 @@ int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
|
||||||
{
|
{
|
||||||
mbedtls_cmac_context_t *cmac_ctx;
|
mbedtls_cmac_context_t *cmac_ctx;
|
||||||
unsigned char *state, *last_block;
|
unsigned char *state, *last_block;
|
||||||
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
size_t olen, block_size;
|
size_t olen, block_size;
|
||||||
|
|
||||||
|
@ -332,7 +332,7 @@ exit:
|
||||||
mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
|
mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
|
||||||
sizeof(cmac_ctx->unprocessed_block));
|
sizeof(cmac_ctx->unprocessed_block));
|
||||||
|
|
||||||
mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX);
|
mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -750,8 +750,8 @@ static int cmac_test_subkeys(int verbose,
|
||||||
int i, ret = 0;
|
int i, ret = 0;
|
||||||
mbedtls_cipher_context_t ctx;
|
mbedtls_cipher_context_t ctx;
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
|
|
||||||
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
||||||
if (cipher_info == NULL) {
|
if (cipher_info == NULL) {
|
||||||
|
@ -845,7 +845,7 @@ static int cmac_test_wth_cipher(int verbose,
|
||||||
{
|
{
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
int i, ret = 0;
|
int i, ret = 0;
|
||||||
unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||||
|
|
||||||
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
||||||
if (cipher_info == NULL) {
|
if (cipher_info == NULL) {
|
||||||
|
|
|
@ -22,6 +22,7 @@
|
||||||
* might be translated to branches by some compilers on some platforms.
|
* might be translated to branches by some compilers on some platforms.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <stdint.h>
|
||||||
#include <limits.h>
|
#include <limits.h>
|
||||||
|
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
|
@ -120,9 +121,56 @@ int mbedtls_ct_memcmp(const void *a,
|
||||||
diff |= x ^ y;
|
diff |= x ^ y;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#if (INT_MAX < INT32_MAX)
|
||||||
|
/* We don't support int smaller than 32-bits, but if someone tried to build
|
||||||
|
* with this configuration, there is a risk that, for differing data, the
|
||||||
|
* only bits set in diff are in the top 16-bits, and would be lost by a
|
||||||
|
* simple cast from uint32 to int.
|
||||||
|
* This would have significant security implications, so protect against it. */
|
||||||
|
#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
|
||||||
|
#else
|
||||||
|
/* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
|
||||||
|
* a value that is in the range 0..INT_MAX - a value larger than this would
|
||||||
|
* result in implementation defined behaviour.
|
||||||
|
*
|
||||||
|
* This ensures that the value returned by the function is non-zero iff
|
||||||
|
* diff is non-zero.
|
||||||
|
*/
|
||||||
|
return (int) ((diff & 0xffff) | (diff >> 16));
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NIST_KW_C)
|
||||||
|
|
||||||
|
int mbedtls_ct_memcmp_partial(const void *a,
|
||||||
|
const void *b,
|
||||||
|
size_t n,
|
||||||
|
size_t skip_head,
|
||||||
|
size_t skip_tail)
|
||||||
|
{
|
||||||
|
unsigned int diff = 0;
|
||||||
|
|
||||||
|
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
||||||
|
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
||||||
|
|
||||||
|
size_t valid_end = n - skip_tail;
|
||||||
|
|
||||||
|
for (size_t i = 0; i < n; i++) {
|
||||||
|
unsigned char x = A[i], y = B[i];
|
||||||
|
unsigned int d = x ^ y;
|
||||||
|
mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
|
||||||
|
mbedtls_ct_uint_lt(i, valid_end));
|
||||||
|
diff |= mbedtls_ct_uint_if_else_0(valid, d);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
|
||||||
|
* cast from uint to int is safe. */
|
||||||
return (int) diff;
|
return (int) diff;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||||
|
|
||||||
void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
|
void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
|
||||||
|
|
|
@ -429,7 +429,6 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
|
||||||
return (unsigned char) (~(low_mask | high_mask)) & to;
|
return (unsigned char) (~(low_mask | high_mask)) & to;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* ============================================================================
|
/* ============================================================================
|
||||||
* Everything below here is trivial wrapper functions
|
* Everything below here is trivial wrapper functions
|
||||||
*/
|
*/
|
||||||
|
@ -448,6 +447,14 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
|
||||||
return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
|
return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
|
||||||
|
mbedtls_ct_condition_t if1,
|
||||||
|
mbedtls_ct_condition_t if0)
|
||||||
|
{
|
||||||
|
return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
|
||||||
|
(mbedtls_ct_uint_t) if0);
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
|
||||||
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
|
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
|
||||||
|
@ -471,6 +478,12 @@ static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t conditio
|
||||||
return (unsigned) (condition & if1);
|
return (unsigned) (condition & if1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
|
||||||
|
mbedtls_ct_condition_t if1)
|
||||||
|
{
|
||||||
|
return (mbedtls_ct_condition_t) (condition & if1);
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
|
||||||
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
|
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
|
||||||
|
@ -481,6 +494,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_conditio
|
||||||
|
|
||||||
#endif /* MBEDTLS_BIGNUM_C */
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
|
||||||
|
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
|
||||||
|
{
|
||||||
|
/* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
|
||||||
|
* in the range -32767..0, and we require 32-bit int and uint types.
|
||||||
|
*
|
||||||
|
* This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
|
||||||
|
* converting back to int.
|
||||||
|
*/
|
||||||
|
return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
|
||||||
|
(mbedtls_ct_uint_t) (-if0)));
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
|
||||||
|
{
|
||||||
|
return -((int) (condition & (-if1)));
|
||||||
|
}
|
||||||
|
|
||||||
static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
|
static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
|
||||||
mbedtls_ct_uint_t y)
|
mbedtls_ct_uint_t y)
|
||||||
{
|
{
|
||||||
|
@ -505,8 +535,8 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
||||||
return ~mbedtls_ct_uint_gt(x, y);
|
return ~mbedtls_ct_uint_gt(x, y);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x,
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
|
||||||
mbedtls_ct_condition_t y)
|
mbedtls_ct_condition_t y)
|
||||||
{
|
{
|
||||||
return (mbedtls_ct_condition_t) (x ^ y);
|
return (mbedtls_ct_condition_t) (x ^ y);
|
||||||
}
|
}
|
||||||
|
|
|
@ -194,11 +194,11 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
|
||||||
static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
||||||
mbedtls_ct_uint_t y);
|
mbedtls_ct_uint_t y);
|
||||||
|
|
||||||
/** Boolean "xor" operation.
|
/** Boolean not-equals operation.
|
||||||
*
|
*
|
||||||
* Functionally equivalent to:
|
* Functionally equivalent to:
|
||||||
*
|
*
|
||||||
* \p x ^ \p y
|
* \p x != \p y
|
||||||
*
|
*
|
||||||
* \param x The first value to analyze.
|
* \param x The first value to analyze.
|
||||||
* \param y The second value to analyze.
|
* \param y The second value to analyze.
|
||||||
|
@ -206,11 +206,11 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
||||||
* \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
|
* \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
|
||||||
* mbedtls_ct_condition_t.
|
* mbedtls_ct_condition_t.
|
||||||
*
|
*
|
||||||
* \return MBEDTLS_CT_TRUE if \p x ^ \p y,
|
* \return MBEDTLS_CT_TRUE if \p x != \p y,
|
||||||
* otherwise MBEDTLS_CT_FALSE.
|
* otherwise MBEDTLS_CT_FALSE.
|
||||||
*/
|
*/
|
||||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x,
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
|
||||||
mbedtls_ct_condition_t y);
|
mbedtls_ct_condition_t y);
|
||||||
|
|
||||||
/** Boolean "and" operation.
|
/** Boolean "and" operation.
|
||||||
*
|
*
|
||||||
|
@ -291,6 +291,22 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
|
||||||
unsigned if1,
|
unsigned if1,
|
||||||
unsigned if0);
|
unsigned if0);
|
||||||
|
|
||||||
|
/** Choose between two mbedtls_ct_condition_t values.
|
||||||
|
*
|
||||||
|
* Functionally equivalent to:
|
||||||
|
*
|
||||||
|
* condition ? if1 : if0.
|
||||||
|
*
|
||||||
|
* \param condition Condition to test.
|
||||||
|
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||||
|
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
|
||||||
|
*
|
||||||
|
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
|
||||||
|
*/
|
||||||
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
|
||||||
|
mbedtls_ct_condition_t if1,
|
||||||
|
mbedtls_ct_condition_t if0);
|
||||||
|
|
||||||
#if defined(MBEDTLS_BIGNUM_C)
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
|
||||||
/** Choose between two mbedtls_mpi_uint values.
|
/** Choose between two mbedtls_mpi_uint values.
|
||||||
|
@ -327,6 +343,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t con
|
||||||
*/
|
*/
|
||||||
static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
|
static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
|
||||||
|
|
||||||
|
/** Choose between an mbedtls_ct_condition_t and 0.
|
||||||
|
*
|
||||||
|
* Functionally equivalent to:
|
||||||
|
*
|
||||||
|
* condition ? if1 : 0.
|
||||||
|
*
|
||||||
|
* Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
|
||||||
|
* results in smaller code size.
|
||||||
|
*
|
||||||
|
* \param condition Condition to test.
|
||||||
|
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||||
|
*
|
||||||
|
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
|
||||||
|
*/
|
||||||
|
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
|
||||||
|
mbedtls_ct_condition_t if1);
|
||||||
|
|
||||||
/** Choose between a size_t value and 0.
|
/** Choose between a size_t value and 0.
|
||||||
*
|
*
|
||||||
* Functionally equivalent to:
|
* Functionally equivalent to:
|
||||||
|
@ -378,6 +411,35 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
|
||||||
unsigned char c,
|
unsigned char c,
|
||||||
unsigned char t);
|
unsigned char t);
|
||||||
|
|
||||||
|
/** Choose between two error values. The values must be in the range [-32767..0].
|
||||||
|
*
|
||||||
|
* Functionally equivalent to:
|
||||||
|
*
|
||||||
|
* condition ? if1 : if0.
|
||||||
|
*
|
||||||
|
* \param condition Condition to test.
|
||||||
|
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||||
|
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
|
||||||
|
*
|
||||||
|
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
|
||||||
|
*/
|
||||||
|
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
|
||||||
|
|
||||||
|
/** Choose between an error value and 0. The error value must be in the range [-32767..0].
|
||||||
|
*
|
||||||
|
* Functionally equivalent to:
|
||||||
|
*
|
||||||
|
* condition ? if1 : 0.
|
||||||
|
*
|
||||||
|
* Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
|
||||||
|
* results in smaller code size.
|
||||||
|
*
|
||||||
|
* \param condition Condition to test.
|
||||||
|
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||||
|
*
|
||||||
|
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
|
||||||
|
*/
|
||||||
|
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
|
||||||
|
|
||||||
/* ============================================================================
|
/* ============================================================================
|
||||||
* Block memory operations
|
* Block memory operations
|
||||||
|
@ -492,6 +554,37 @@ void mbedtls_ct_memcpy_offset(unsigned char *dest,
|
||||||
size_t n);
|
size_t n);
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NIST_KW_C)
|
||||||
|
|
||||||
|
/** Constant-time buffer comparison without branches.
|
||||||
|
*
|
||||||
|
* Similar to mbedtls_ct_memcmp, except that the result only depends on part of
|
||||||
|
* the input data - differences in the head or tail are ignored. Functionally equivalent to:
|
||||||
|
*
|
||||||
|
* memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
|
||||||
|
*
|
||||||
|
* Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
|
||||||
|
*
|
||||||
|
* Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
|
||||||
|
*
|
||||||
|
* \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
|
||||||
|
* \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
|
||||||
|
* \param n The number of bytes to examine (total size of the buffers).
|
||||||
|
* \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
|
||||||
|
* These bytes will still be read.
|
||||||
|
* \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
|
||||||
|
* These bytes will still be read.
|
||||||
|
*
|
||||||
|
* \return Zero if the contents of the two buffers are the same, otherwise non-zero.
|
||||||
|
*/
|
||||||
|
int mbedtls_ct_memcmp_partial(const void *a,
|
||||||
|
const void *b,
|
||||||
|
size_t n,
|
||||||
|
size_t skip_head,
|
||||||
|
size_t skip_tail);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Include the implementation of static inline functions above. */
|
/* Include the implementation of static inline functions above. */
|
||||||
#include "constant_time_impl.h"
|
#include "constant_time_impl.h"
|
||||||
|
|
||||||
|
|
890
library/error.c
Normal file
890
library/error.c
Normal file
|
@ -0,0 +1,890 @@
|
||||||
|
/*
|
||||||
|
* Error message information
|
||||||
|
*
|
||||||
|
* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "common.h"
|
||||||
|
|
||||||
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ERROR_C) || defined(MBEDTLS_ERROR_STRERROR_DUMMY)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ERROR_C)
|
||||||
|
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_AES_C)
|
||||||
|
#include "mbedtls/aes.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ARIA_C)
|
||||||
|
#include "mbedtls/aria.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
|
#include "mbedtls/asn1.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BASE64_C)
|
||||||
|
#include "mbedtls/base64.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
#include "mbedtls/bignum.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CAMELLIA_C)
|
||||||
|
#include "mbedtls/camellia.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CCM_C)
|
||||||
|
#include "mbedtls/ccm.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CHACHA20_C)
|
||||||
|
#include "mbedtls/chacha20.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CHACHAPOLY_C)
|
||||||
|
#include "mbedtls/chachapoly.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_C)
|
||||||
|
#include "mbedtls/cipher.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||||
|
#include "mbedtls/ctr_drbg.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DES_C)
|
||||||
|
#include "mbedtls/des.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DHM_C)
|
||||||
|
#include "mbedtls/dhm.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
#include "mbedtls/ecp.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ENTROPY_C)
|
||||||
|
#include "mbedtls/entropy.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ERROR_C)
|
||||||
|
#include "mbedtls/error.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_GCM_C)
|
||||||
|
#include "mbedtls/gcm.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HKDF_C)
|
||||||
|
#include "mbedtls/hkdf.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HMAC_DRBG_C)
|
||||||
|
#include "mbedtls/hmac_drbg.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_LMS_C)
|
||||||
|
#include "mbedtls/lms.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_MD_C)
|
||||||
|
#include "mbedtls/md.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NET_C)
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_OID_C)
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
#include "mbedtls/pem.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PK_C)
|
||||||
|
#include "mbedtls/pk.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS12_C)
|
||||||
|
#include "mbedtls/pkcs12.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS5_C)
|
||||||
|
#include "mbedtls/pkcs5.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS7_C)
|
||||||
|
#include "mbedtls/pkcs7.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_POLY1305_C)
|
||||||
|
#include "mbedtls/poly1305.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
#include "mbedtls/rsa.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
#include "mbedtls/sha1.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#include "mbedtls/sha256.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA3_C)
|
||||||
|
#include "mbedtls/sha3.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
#include "mbedtls/sha512.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TLS_C)
|
||||||
|
#include "mbedtls/ssl.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
#include "mbedtls/threading.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
const char *mbedtls_high_level_strerr(int error_code)
|
||||||
|
{
|
||||||
|
int high_level_error_code;
|
||||||
|
|
||||||
|
if (error_code < 0) {
|
||||||
|
error_code = -error_code;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Extract the high-level part from the error code. */
|
||||||
|
high_level_error_code = error_code & 0xFF80;
|
||||||
|
|
||||||
|
switch (high_level_error_code) {
|
||||||
|
/* Begin Auto-Generated Code. */
|
||||||
|
#if defined(MBEDTLS_CIPHER_C)
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE):
|
||||||
|
return( "CIPHER - The selected feature is not available" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA):
|
||||||
|
return( "CIPHER - Bad input parameters" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED):
|
||||||
|
return( "CIPHER - Failed to allocate memory" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_INVALID_PADDING):
|
||||||
|
return( "CIPHER - Input data contains invalid padding and is rejected" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED):
|
||||||
|
return( "CIPHER - Decryption of block requires a full block" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_AUTH_FAILED):
|
||||||
|
return( "CIPHER - Authentication failed (for AEAD modes)" );
|
||||||
|
case -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT):
|
||||||
|
return( "CIPHER - The context is invalid. For example, because it was freed" );
|
||||||
|
#endif /* MBEDTLS_CIPHER_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DHM_C)
|
||||||
|
case -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA):
|
||||||
|
return( "DHM - Bad input parameters" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED):
|
||||||
|
return( "DHM - Reading of the DHM parameters failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED):
|
||||||
|
return( "DHM - Making of the DHM parameters failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED):
|
||||||
|
return( "DHM - Reading of the public values failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED):
|
||||||
|
return( "DHM - Making of the public value failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_CALC_SECRET_FAILED):
|
||||||
|
return( "DHM - Calculation of the DHM secret failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_INVALID_FORMAT):
|
||||||
|
return( "DHM - The ASN.1 data is not formatted correctly" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_ALLOC_FAILED):
|
||||||
|
return( "DHM - Allocation of memory failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_FILE_IO_ERROR):
|
||||||
|
return( "DHM - Read or write of file failed" );
|
||||||
|
case -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED):
|
||||||
|
return( "DHM - Setting the modulus and generator failed" );
|
||||||
|
#endif /* MBEDTLS_DHM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
case -(MBEDTLS_ERR_ECP_BAD_INPUT_DATA):
|
||||||
|
return( "ECP - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL):
|
||||||
|
return( "ECP - The buffer is too small to write to" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE):
|
||||||
|
return( "ECP - The requested feature is not available, for example, the requested curve is not supported" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_VERIFY_FAILED):
|
||||||
|
return( "ECP - The signature is not valid" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_ALLOC_FAILED):
|
||||||
|
return( "ECP - Memory allocation failed" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_RANDOM_FAILED):
|
||||||
|
return( "ECP - Generation of random value, such as ephemeral key, failed" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_INVALID_KEY):
|
||||||
|
return( "ECP - Invalid private or public key" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH):
|
||||||
|
return( "ECP - The buffer contains a valid signature followed by more data" );
|
||||||
|
case -(MBEDTLS_ERR_ECP_IN_PROGRESS):
|
||||||
|
return( "ECP - Operation in progress, call again with the same parameters to continue" );
|
||||||
|
#endif /* MBEDTLS_ECP_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_MD_C)
|
||||||
|
case -(MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE):
|
||||||
|
return( "MD - The selected feature is not available" );
|
||||||
|
case -(MBEDTLS_ERR_MD_BAD_INPUT_DATA):
|
||||||
|
return( "MD - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_MD_ALLOC_FAILED):
|
||||||
|
return( "MD - Failed to allocate memory" );
|
||||||
|
case -(MBEDTLS_ERR_MD_FILE_IO_ERROR):
|
||||||
|
return( "MD - Opening or reading of file failed" );
|
||||||
|
#endif /* MBEDTLS_MD_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
case -(MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT):
|
||||||
|
return( "PEM - No PEM header or footer found" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_INVALID_DATA):
|
||||||
|
return( "PEM - PEM string is not as expected" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_ALLOC_FAILED):
|
||||||
|
return( "PEM - Failed to allocate memory" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_INVALID_ENC_IV):
|
||||||
|
return( "PEM - RSA IV is not in hex-format" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG):
|
||||||
|
return( "PEM - Unsupported key encryption algorithm" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_PASSWORD_REQUIRED):
|
||||||
|
return( "PEM - Private key password can't be empty" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_PASSWORD_MISMATCH):
|
||||||
|
return( "PEM - Given private key password does not allow for correct decryption" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE):
|
||||||
|
return( "PEM - Unavailable feature, e.g. hashing/encryption combination" );
|
||||||
|
case -(MBEDTLS_ERR_PEM_BAD_INPUT_DATA):
|
||||||
|
return( "PEM - Bad input parameters to function" );
|
||||||
|
#endif /* MBEDTLS_PEM_PARSE_C || MBEDTLS_PEM_WRITE_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PK_C)
|
||||||
|
case -(MBEDTLS_ERR_PK_ALLOC_FAILED):
|
||||||
|
return( "PK - Memory allocation failed" );
|
||||||
|
case -(MBEDTLS_ERR_PK_TYPE_MISMATCH):
|
||||||
|
return( "PK - Type mismatch, eg attempt to encrypt with an ECDSA key" );
|
||||||
|
case -(MBEDTLS_ERR_PK_BAD_INPUT_DATA):
|
||||||
|
return( "PK - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_PK_FILE_IO_ERROR):
|
||||||
|
return( "PK - Read/write of file failed" );
|
||||||
|
case -(MBEDTLS_ERR_PK_KEY_INVALID_VERSION):
|
||||||
|
return( "PK - Unsupported key version" );
|
||||||
|
case -(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT):
|
||||||
|
return( "PK - Invalid key tag or value" );
|
||||||
|
case -(MBEDTLS_ERR_PK_UNKNOWN_PK_ALG):
|
||||||
|
return( "PK - Key algorithm is unsupported (only RSA and EC are supported)" );
|
||||||
|
case -(MBEDTLS_ERR_PK_PASSWORD_REQUIRED):
|
||||||
|
return( "PK - Private key password can't be empty" );
|
||||||
|
case -(MBEDTLS_ERR_PK_PASSWORD_MISMATCH):
|
||||||
|
return( "PK - Given private key password does not allow for correct decryption" );
|
||||||
|
case -(MBEDTLS_ERR_PK_INVALID_PUBKEY):
|
||||||
|
return( "PK - The pubkey tag or value is invalid (only RSA and EC are supported)" );
|
||||||
|
case -(MBEDTLS_ERR_PK_INVALID_ALG):
|
||||||
|
return( "PK - The algorithm tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE):
|
||||||
|
return( "PK - Elliptic curve is unsupported (only NIST curves are supported)" );
|
||||||
|
case -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE):
|
||||||
|
return( "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
|
||||||
|
case -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH):
|
||||||
|
return( "PK - The buffer contains a valid signature followed by more data" );
|
||||||
|
case -(MBEDTLS_ERR_PK_BUFFER_TOO_SMALL):
|
||||||
|
return( "PK - The output buffer is too small" );
|
||||||
|
#endif /* MBEDTLS_PK_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS12_C)
|
||||||
|
case -(MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA):
|
||||||
|
return( "PKCS12 - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE):
|
||||||
|
return( "PKCS12 - Feature not available, e.g. unsupported encryption scheme" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT):
|
||||||
|
return( "PKCS12 - PBE ASN.1 data not as expected" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH):
|
||||||
|
return( "PKCS12 - Given private key password does not allow for correct decryption" );
|
||||||
|
#endif /* MBEDTLS_PKCS12_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS5_C)
|
||||||
|
case -(MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA):
|
||||||
|
return( "PKCS5 - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS5_INVALID_FORMAT):
|
||||||
|
return( "PKCS5 - Unexpected ASN.1 data" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE):
|
||||||
|
return( "PKCS5 - Requested encryption or digest alg not available" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH):
|
||||||
|
return( "PKCS5 - Given private key password does not allow for correct decryption" );
|
||||||
|
#endif /* MBEDTLS_PKCS5_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS7_C)
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_FORMAT):
|
||||||
|
return( "PKCS7 - The format is invalid, e.g. different type expected" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE):
|
||||||
|
return( "PKCS7 - Unavailable feature, e.g. anything other than signed data" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_VERSION):
|
||||||
|
return( "PKCS7 - The PKCS #7 version element is invalid or cannot be parsed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO):
|
||||||
|
return( "PKCS7 - The PKCS #7 content info is invalid or cannot be parsed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_ALG):
|
||||||
|
return( "PKCS7 - The algorithm tag or value is invalid or cannot be parsed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_CERT):
|
||||||
|
return( "PKCS7 - The certificate tag or value is invalid or cannot be parsed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE):
|
||||||
|
return( "PKCS7 - Error parsing the signature" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO):
|
||||||
|
return( "PKCS7 - Error parsing the signer's info" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA):
|
||||||
|
return( "PKCS7 - Input invalid" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_ALLOC_FAILED):
|
||||||
|
return( "PKCS7 - Allocation of memory failed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_VERIFY_FAIL):
|
||||||
|
return( "PKCS7 - Verification Failed" );
|
||||||
|
case -(MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID):
|
||||||
|
return( "PKCS7 - The PKCS #7 date issued/expired dates are invalid" );
|
||||||
|
#endif /* MBEDTLS_PKCS7_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
case -(MBEDTLS_ERR_RSA_BAD_INPUT_DATA):
|
||||||
|
return( "RSA - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_INVALID_PADDING):
|
||||||
|
return( "RSA - Input data contains invalid padding and is rejected" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED):
|
||||||
|
return( "RSA - Something failed during generation of a key" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED):
|
||||||
|
return( "RSA - Key failed to pass the validity check of the library" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_PUBLIC_FAILED):
|
||||||
|
return( "RSA - The public key operation failed" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_PRIVATE_FAILED):
|
||||||
|
return( "RSA - The private key operation failed" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_VERIFY_FAILED):
|
||||||
|
return( "RSA - The PKCS#1 verification failed" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE):
|
||||||
|
return( "RSA - The output buffer for decryption is not large enough" );
|
||||||
|
case -(MBEDTLS_ERR_RSA_RNG_FAILED):
|
||||||
|
return( "RSA - The random generator failed to generate non-zeros" );
|
||||||
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TLS_C)
|
||||||
|
case -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS):
|
||||||
|
return( "SSL - A cryptographic operation is in progress. Try again later" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE):
|
||||||
|
return( "SSL - The requested feature is not available" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA):
|
||||||
|
return( "SSL - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_INVALID_MAC):
|
||||||
|
return( "SSL - Verification of the message MAC failed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_INVALID_RECORD):
|
||||||
|
return( "SSL - An invalid SSL record was received" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CONN_EOF):
|
||||||
|
return( "SSL - The connection indicated an EOF" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_DECODE_ERROR):
|
||||||
|
return( "SSL - A message could not be parsed due to a syntactic error" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_NO_RNG):
|
||||||
|
return( "SSL - No RNG was provided to the SSL module" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE):
|
||||||
|
return( "SSL - No client certification received from the client, but required by the authentication mode" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION):
|
||||||
|
return( "SSL - Client received an extended server hello containing an unsupported extension" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL):
|
||||||
|
return( "SSL - No ALPN protocols supported that the client advertises" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED):
|
||||||
|
return( "SSL - The own private key or pre-shared key is not set, but needed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED):
|
||||||
|
return( "SSL - No CA Chain is set, but required to operate" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE):
|
||||||
|
return( "SSL - An unexpected message was received from our peer" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE):
|
||||||
|
return( "SSL - A fatal alert message was received from our peer" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME):
|
||||||
|
return( "SSL - No server could be identified matching the client's SNI" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY):
|
||||||
|
return( "SSL - The peer notified us that the connection is going to be closed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_BAD_CERTIFICATE):
|
||||||
|
return( "SSL - Processing of the Certificate handshake message failed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET):
|
||||||
|
return( "SSL - * Received NewSessionTicket Post Handshake Message. This error code is experimental and may be changed or removed without notice" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA):
|
||||||
|
return( "SSL - Not possible to read early data" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA):
|
||||||
|
return( "SSL - Not possible to write early data" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND):
|
||||||
|
return( "SSL - Cache entry not found" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_ALLOC_FAILED):
|
||||||
|
return( "SSL - Memory allocation failed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED):
|
||||||
|
return( "SSL - Hardware acceleration function returned with error" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH):
|
||||||
|
return( "SSL - Hardware acceleration function skipped / left alone data" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION):
|
||||||
|
return( "SSL - Handshake protocol not within min/max boundaries" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE):
|
||||||
|
return( "SSL - The handshake negotiation failed" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED):
|
||||||
|
return( "SSL - Session ticket has expired" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH):
|
||||||
|
return( "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY):
|
||||||
|
return( "SSL - Unknown identity received (eg, PSK identity)" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_INTERNAL_ERROR):
|
||||||
|
return( "SSL - Internal error (eg, unexpected failure in lower-level module)" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING):
|
||||||
|
return( "SSL - A counter would wrap (eg, too many messages exchanged)" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO):
|
||||||
|
return( "SSL - Unexpected message at ServerHello in renegotiation" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED):
|
||||||
|
return( "SSL - DTLS client must retry for hello verification" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL):
|
||||||
|
return( "SSL - A buffer is too small to receive or write a message" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_WANT_READ):
|
||||||
|
return( "SSL - No data of requested type currently available on underlying transport" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_WANT_WRITE):
|
||||||
|
return( "SSL - Connection requires a write call" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_TIMEOUT):
|
||||||
|
return( "SSL - The operation timed out" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT):
|
||||||
|
return( "SSL - The client initiated a reconnect from the same port" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD):
|
||||||
|
return( "SSL - Record header looks valid but is not expected" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_NON_FATAL):
|
||||||
|
return( "SSL - The alert message received indicates a non-fatal error" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER):
|
||||||
|
return( "SSL - A field in a message was incorrect or inconsistent with other fields" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING):
|
||||||
|
return( "SSL - Internal-only message signaling that further message-processing should be done" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS):
|
||||||
|
return( "SSL - The asynchronous operation is not completed yet" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_EARLY_MESSAGE):
|
||||||
|
return( "SSL - Internal-only message signaling that a message arrived early" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_UNEXPECTED_CID):
|
||||||
|
return( "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_VERSION_MISMATCH):
|
||||||
|
return( "SSL - An operation failed due to an unexpected version or configuration" );
|
||||||
|
case -(MBEDTLS_ERR_SSL_BAD_CONFIG):
|
||||||
|
return( "SSL - Invalid value in SSL config" );
|
||||||
|
#endif /* MBEDTLS_SSL_TLS_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||||
|
case -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE):
|
||||||
|
return( "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
|
||||||
|
case -(MBEDTLS_ERR_X509_UNKNOWN_OID):
|
||||||
|
return( "X509 - Requested OID is unknown" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_FORMAT):
|
||||||
|
return( "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_VERSION):
|
||||||
|
return( "X509 - The CRT/CRL/CSR version element is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_SERIAL):
|
||||||
|
return( "X509 - The serial tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_ALG):
|
||||||
|
return( "X509 - The algorithm tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_NAME):
|
||||||
|
return( "X509 - The name tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_DATE):
|
||||||
|
return( "X509 - The date tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_SIGNATURE):
|
||||||
|
return( "X509 - The signature tag or value invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS):
|
||||||
|
return( "X509 - The extension tag or value is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_UNKNOWN_VERSION):
|
||||||
|
return( "X509 - CRT/CRL/CSR has an unsupported version number" );
|
||||||
|
case -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG):
|
||||||
|
return( "X509 - Signature algorithm (oid) is unsupported" );
|
||||||
|
case -(MBEDTLS_ERR_X509_SIG_MISMATCH):
|
||||||
|
return( "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
|
||||||
|
case -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED):
|
||||||
|
return( "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
|
||||||
|
case -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT):
|
||||||
|
return( "X509 - Format not recognized as DER or PEM" );
|
||||||
|
case -(MBEDTLS_ERR_X509_BAD_INPUT_DATA):
|
||||||
|
return( "X509 - Input invalid" );
|
||||||
|
case -(MBEDTLS_ERR_X509_ALLOC_FAILED):
|
||||||
|
return( "X509 - Allocation of memory failed" );
|
||||||
|
case -(MBEDTLS_ERR_X509_FILE_IO_ERROR):
|
||||||
|
return( "X509 - Read/write of file failed" );
|
||||||
|
case -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL):
|
||||||
|
return( "X509 - Destination buffer is too small" );
|
||||||
|
case -(MBEDTLS_ERR_X509_FATAL_ERROR):
|
||||||
|
return( "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
|
||||||
|
#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
|
||||||
|
/* End Auto-Generated Code. */
|
||||||
|
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
const char *mbedtls_low_level_strerr(int error_code)
|
||||||
|
{
|
||||||
|
int low_level_error_code;
|
||||||
|
|
||||||
|
if (error_code < 0) {
|
||||||
|
error_code = -error_code;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Extract the low-level part from the error code. */
|
||||||
|
low_level_error_code = error_code & ~0xFF80;
|
||||||
|
|
||||||
|
switch (low_level_error_code) {
|
||||||
|
/* Begin Auto-Generated Code. */
|
||||||
|
#if defined(MBEDTLS_AES_C)
|
||||||
|
case -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH):
|
||||||
|
return( "AES - Invalid key length" );
|
||||||
|
case -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH):
|
||||||
|
return( "AES - Invalid data input length" );
|
||||||
|
case -(MBEDTLS_ERR_AES_BAD_INPUT_DATA):
|
||||||
|
return( "AES - Invalid input data" );
|
||||||
|
#endif /* MBEDTLS_AES_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ARIA_C)
|
||||||
|
case -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA):
|
||||||
|
return( "ARIA - Bad input data" );
|
||||||
|
case -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH):
|
||||||
|
return( "ARIA - Invalid data input length" );
|
||||||
|
#endif /* MBEDTLS_ARIA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
|
case -(MBEDTLS_ERR_ASN1_OUT_OF_DATA):
|
||||||
|
return( "ASN1 - Out of data when parsing an ASN1 data structure" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_UNEXPECTED_TAG):
|
||||||
|
return( "ASN1 - ASN1 tag was of an unexpected value" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_INVALID_LENGTH):
|
||||||
|
return( "ASN1 - Error when trying to determine the length or invalid length" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_LENGTH_MISMATCH):
|
||||||
|
return( "ASN1 - Actual length differs from expected length" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_INVALID_DATA):
|
||||||
|
return( "ASN1 - Data is invalid" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_ALLOC_FAILED):
|
||||||
|
return( "ASN1 - Memory allocation failed" );
|
||||||
|
case -(MBEDTLS_ERR_ASN1_BUF_TOO_SMALL):
|
||||||
|
return( "ASN1 - Buffer too small when writing ASN.1 data structure" );
|
||||||
|
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BASE64_C)
|
||||||
|
case -(MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL):
|
||||||
|
return( "BASE64 - Output buffer too small" );
|
||||||
|
case -(MBEDTLS_ERR_BASE64_INVALID_CHARACTER):
|
||||||
|
return( "BASE64 - Invalid character in input" );
|
||||||
|
#endif /* MBEDTLS_BASE64_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
case -(MBEDTLS_ERR_MPI_FILE_IO_ERROR):
|
||||||
|
return( "BIGNUM - An error occurred while reading from or writing to a file" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_BAD_INPUT_DATA):
|
||||||
|
return( "BIGNUM - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_INVALID_CHARACTER):
|
||||||
|
return( "BIGNUM - There is an invalid character in the digit string" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL):
|
||||||
|
return( "BIGNUM - The buffer is too small to write to" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_NEGATIVE_VALUE):
|
||||||
|
return( "BIGNUM - The input arguments are negative or result in illegal output" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_DIVISION_BY_ZERO):
|
||||||
|
return( "BIGNUM - The input argument for division is zero, which is not allowed" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_NOT_ACCEPTABLE):
|
||||||
|
return( "BIGNUM - The input arguments are not acceptable" );
|
||||||
|
case -(MBEDTLS_ERR_MPI_ALLOC_FAILED):
|
||||||
|
return( "BIGNUM - Memory allocation failed" );
|
||||||
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CAMELLIA_C)
|
||||||
|
case -(MBEDTLS_ERR_CAMELLIA_BAD_INPUT_DATA):
|
||||||
|
return( "CAMELLIA - Bad input data" );
|
||||||
|
case -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH):
|
||||||
|
return( "CAMELLIA - Invalid data input length" );
|
||||||
|
#endif /* MBEDTLS_CAMELLIA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CCM_C)
|
||||||
|
case -(MBEDTLS_ERR_CCM_BAD_INPUT):
|
||||||
|
return( "CCM - Bad input parameters to the function" );
|
||||||
|
case -(MBEDTLS_ERR_CCM_AUTH_FAILED):
|
||||||
|
return( "CCM - Authenticated decryption failed" );
|
||||||
|
#endif /* MBEDTLS_CCM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CHACHA20_C)
|
||||||
|
case -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA):
|
||||||
|
return( "CHACHA20 - Invalid input parameter(s)" );
|
||||||
|
#endif /* MBEDTLS_CHACHA20_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CHACHAPOLY_C)
|
||||||
|
case -(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE):
|
||||||
|
return( "CHACHAPOLY - The requested operation is not permitted in the current state" );
|
||||||
|
case -(MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED):
|
||||||
|
return( "CHACHAPOLY - Authenticated decryption failed: data was not authentic" );
|
||||||
|
#endif /* MBEDTLS_CHACHAPOLY_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||||
|
case -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED):
|
||||||
|
return( "CTR_DRBG - The entropy source failed" );
|
||||||
|
case -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG):
|
||||||
|
return( "CTR_DRBG - The requested random buffer length is too big" );
|
||||||
|
case -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG):
|
||||||
|
return( "CTR_DRBG - The input (entropy + additional data) is too large" );
|
||||||
|
case -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR):
|
||||||
|
return( "CTR_DRBG - Read or write error in file" );
|
||||||
|
#endif /* MBEDTLS_CTR_DRBG_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DES_C)
|
||||||
|
case -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH):
|
||||||
|
return( "DES - The data input has an invalid length" );
|
||||||
|
#endif /* MBEDTLS_DES_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ENTROPY_C)
|
||||||
|
case -(MBEDTLS_ERR_ENTROPY_SOURCE_FAILED):
|
||||||
|
return( "ENTROPY - Critical entropy source failure" );
|
||||||
|
case -(MBEDTLS_ERR_ENTROPY_MAX_SOURCES):
|
||||||
|
return( "ENTROPY - No more sources can be added" );
|
||||||
|
case -(MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED):
|
||||||
|
return( "ENTROPY - No sources have been added to poll" );
|
||||||
|
case -(MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE):
|
||||||
|
return( "ENTROPY - No strong sources have been added to poll" );
|
||||||
|
case -(MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR):
|
||||||
|
return( "ENTROPY - Read/write error in file" );
|
||||||
|
#endif /* MBEDTLS_ENTROPY_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ERROR_C)
|
||||||
|
case -(MBEDTLS_ERR_ERROR_GENERIC_ERROR):
|
||||||
|
return( "ERROR - Generic error" );
|
||||||
|
case -(MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED):
|
||||||
|
return( "ERROR - This is a bug in the library" );
|
||||||
|
#endif /* MBEDTLS_ERROR_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
case -(MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED):
|
||||||
|
return( "PLATFORM - Hardware accelerator failed" );
|
||||||
|
case -(MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED):
|
||||||
|
return( "PLATFORM - The requested feature is not supported by the platform" );
|
||||||
|
#endif /* MBEDTLS_PLATFORM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_GCM_C)
|
||||||
|
case -(MBEDTLS_ERR_GCM_AUTH_FAILED):
|
||||||
|
return( "GCM - Authenticated decryption failed" );
|
||||||
|
case -(MBEDTLS_ERR_GCM_BAD_INPUT):
|
||||||
|
return( "GCM - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL):
|
||||||
|
return( "GCM - An output buffer is too small" );
|
||||||
|
#endif /* MBEDTLS_GCM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HKDF_C)
|
||||||
|
case -(MBEDTLS_ERR_HKDF_BAD_INPUT_DATA):
|
||||||
|
return( "HKDF - Bad input parameters to function" );
|
||||||
|
#endif /* MBEDTLS_HKDF_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HMAC_DRBG_C)
|
||||||
|
case -(MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG):
|
||||||
|
return( "HMAC_DRBG - Too many random requested in single call" );
|
||||||
|
case -(MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG):
|
||||||
|
return( "HMAC_DRBG - Input too large (Entropy + additional)" );
|
||||||
|
case -(MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR):
|
||||||
|
return( "HMAC_DRBG - Read/write error in file" );
|
||||||
|
case -(MBEDTLS_ERR_HMAC_DRBG_ENTROPY_SOURCE_FAILED):
|
||||||
|
return( "HMAC_DRBG - The entropy source failed" );
|
||||||
|
#endif /* MBEDTLS_HMAC_DRBG_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_LMS_C)
|
||||||
|
case -(MBEDTLS_ERR_LMS_BAD_INPUT_DATA):
|
||||||
|
return( "LMS - Bad data has been input to an LMS function" );
|
||||||
|
case -(MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS):
|
||||||
|
return( "LMS - Specified LMS key has utilised all of its private keys" );
|
||||||
|
case -(MBEDTLS_ERR_LMS_VERIFY_FAILED):
|
||||||
|
return( "LMS - LMS signature verification failed" );
|
||||||
|
case -(MBEDTLS_ERR_LMS_ALLOC_FAILED):
|
||||||
|
return( "LMS - LMS failed to allocate space for a private key" );
|
||||||
|
case -(MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL):
|
||||||
|
return( "LMS - Input/output buffer is too small to contain requited data" );
|
||||||
|
#endif /* MBEDTLS_LMS_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NET_C)
|
||||||
|
case -(MBEDTLS_ERR_NET_SOCKET_FAILED):
|
||||||
|
return( "NET - Failed to open a socket" );
|
||||||
|
case -(MBEDTLS_ERR_NET_CONNECT_FAILED):
|
||||||
|
return( "NET - The connection to the given server / port failed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_BIND_FAILED):
|
||||||
|
return( "NET - Binding of the socket failed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_LISTEN_FAILED):
|
||||||
|
return( "NET - Could not listen on the socket" );
|
||||||
|
case -(MBEDTLS_ERR_NET_ACCEPT_FAILED):
|
||||||
|
return( "NET - Could not accept the incoming connection" );
|
||||||
|
case -(MBEDTLS_ERR_NET_RECV_FAILED):
|
||||||
|
return( "NET - Reading information from the socket failed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_SEND_FAILED):
|
||||||
|
return( "NET - Sending information through the socket failed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_CONN_RESET):
|
||||||
|
return( "NET - Connection was reset by peer" );
|
||||||
|
case -(MBEDTLS_ERR_NET_UNKNOWN_HOST):
|
||||||
|
return( "NET - Failed to get an IP address for the given hostname" );
|
||||||
|
case -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL):
|
||||||
|
return( "NET - Buffer is too small to hold the data" );
|
||||||
|
case -(MBEDTLS_ERR_NET_INVALID_CONTEXT):
|
||||||
|
return( "NET - The context is invalid, eg because it was free()ed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_POLL_FAILED):
|
||||||
|
return( "NET - Polling the net context failed" );
|
||||||
|
case -(MBEDTLS_ERR_NET_BAD_INPUT_DATA):
|
||||||
|
return( "NET - Input invalid" );
|
||||||
|
#endif /* MBEDTLS_NET_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_OID_C)
|
||||||
|
case -(MBEDTLS_ERR_OID_NOT_FOUND):
|
||||||
|
return( "OID - OID is not found" );
|
||||||
|
case -(MBEDTLS_ERR_OID_BUF_TOO_SMALL):
|
||||||
|
return( "OID - output buffer is too small" );
|
||||||
|
#endif /* MBEDTLS_OID_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_POLY1305_C)
|
||||||
|
case -(MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA):
|
||||||
|
return( "POLY1305 - Invalid input parameter(s)" );
|
||||||
|
#endif /* MBEDTLS_POLY1305_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
case -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA):
|
||||||
|
return( "SHA1 - SHA-1 input data was malformed" );
|
||||||
|
#endif /* MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
case -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA):
|
||||||
|
return( "SHA256 - SHA-256 input data was malformed" );
|
||||||
|
#endif /* MBEDTLS_SHA256_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA3_C)
|
||||||
|
case -(MBEDTLS_ERR_SHA3_BAD_INPUT_DATA):
|
||||||
|
return( "SHA3 - SHA-3 input data was malformed" );
|
||||||
|
#endif /* MBEDTLS_SHA3_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
case -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA):
|
||||||
|
return( "SHA512 - SHA-512 input data was malformed" );
|
||||||
|
#endif /* MBEDTLS_SHA512_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
case -(MBEDTLS_ERR_THREADING_BAD_INPUT_DATA):
|
||||||
|
return( "THREADING - Bad input parameters to function" );
|
||||||
|
case -(MBEDTLS_ERR_THREADING_MUTEX_ERROR):
|
||||||
|
return( "THREADING - Locking / unlocking / free failed with error code" );
|
||||||
|
#endif /* MBEDTLS_THREADING_C */
|
||||||
|
/* End Auto-Generated Code. */
|
||||||
|
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_strerror(int ret, char *buf, size_t buflen)
|
||||||
|
{
|
||||||
|
size_t len;
|
||||||
|
int use_ret;
|
||||||
|
const char *high_level_error_description = NULL;
|
||||||
|
const char *low_level_error_description = NULL;
|
||||||
|
|
||||||
|
if (buflen == 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
memset(buf, 0x00, buflen);
|
||||||
|
|
||||||
|
if (ret < 0) {
|
||||||
|
ret = -ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ret & 0xFF80) {
|
||||||
|
use_ret = ret & 0xFF80;
|
||||||
|
|
||||||
|
// Translate high level error code.
|
||||||
|
high_level_error_description = mbedtls_high_level_strerr(ret);
|
||||||
|
|
||||||
|
if (high_level_error_description == NULL) {
|
||||||
|
mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
|
||||||
|
} else {
|
||||||
|
mbedtls_snprintf(buf, buflen, "%s", high_level_error_description);
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TLS_C)
|
||||||
|
// Early return in case of a fatal error - do not try to translate low
|
||||||
|
// level code.
|
||||||
|
if (use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_TLS_C */
|
||||||
|
}
|
||||||
|
|
||||||
|
use_ret = ret & ~0xFF80;
|
||||||
|
|
||||||
|
if (use_ret == 0) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If high level code is present, make a concatenation between both
|
||||||
|
// error strings.
|
||||||
|
//
|
||||||
|
len = strlen(buf);
|
||||||
|
|
||||||
|
if (len > 0) {
|
||||||
|
if (buflen - len < 5) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_snprintf(buf + len, buflen - len, " : ");
|
||||||
|
|
||||||
|
buf += len + 3;
|
||||||
|
buflen -= len + 3;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Translate low level error code.
|
||||||
|
low_level_error_description = mbedtls_low_level_strerr(ret);
|
||||||
|
|
||||||
|
if (low_level_error_description == NULL) {
|
||||||
|
mbedtls_snprintf(buf, buflen, "UNKNOWN ERROR CODE (%04X)", (unsigned int) use_ret);
|
||||||
|
} else {
|
||||||
|
mbedtls_snprintf(buf, buflen, "%s", low_level_error_description);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#else /* MBEDTLS_ERROR_C */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Provide a dummy implementation when MBEDTLS_ERROR_C is not defined
|
||||||
|
*/
|
||||||
|
void mbedtls_strerror(int ret, char *buf, size_t buflen)
|
||||||
|
{
|
||||||
|
((void) ret);
|
||||||
|
|
||||||
|
if (buflen > 0) {
|
||||||
|
buf[0] = '\0';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_ERROR_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_TEST_HOOKS)
|
||||||
|
void (*mbedtls_test_hook_error_add)(int, int, const char *, int);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_ERROR_C || MBEDTLS_ERROR_STRERROR_DUMMY */
|
|
@ -35,6 +35,7 @@
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
#include "mbedtls/constant_time.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
@ -601,7 +602,6 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
unsigned char check_tag[16];
|
unsigned char check_tag[16];
|
||||||
size_t i;
|
|
||||||
int diff;
|
int diff;
|
||||||
|
|
||||||
if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
|
if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
|
||||||
|
@ -611,9 +611,7 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check tag in "constant-time" */
|
/* Check tag in "constant-time" */
|
||||||
for (diff = 0, i = 0; i < tag_len; i++) {
|
diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
|
||||||
diff |= tag[i] ^ check_tag[i];
|
|
||||||
}
|
|
||||||
|
|
||||||
if (diff != 0) {
|
if (diff != 0) {
|
||||||
mbedtls_platform_zeroize(output, length);
|
mbedtls_platform_zeroize(output, length);
|
||||||
|
|
|
@ -35,6 +35,7 @@
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
#include "mbedtls/constant_time.h"
|
#include "mbedtls/constant_time.h"
|
||||||
|
#include "constant_time_internal.h"
|
||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
@ -333,9 +334,9 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
|
||||||
unsigned char *output, size_t *out_len, size_t out_size)
|
unsigned char *output, size_t *out_len, size_t out_size)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
size_t i, olen;
|
size_t olen;
|
||||||
unsigned char A[KW_SEMIBLOCK_LENGTH];
|
unsigned char A[KW_SEMIBLOCK_LENGTH];
|
||||||
unsigned char diff, bad_padding = 0;
|
int diff;
|
||||||
|
|
||||||
*out_len = 0;
|
*out_len = 0;
|
||||||
if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
|
if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
|
||||||
|
@ -420,19 +421,15 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
|
||||||
* larger than 8, because of the type wrap around.
|
* larger than 8, because of the type wrap around.
|
||||||
*/
|
*/
|
||||||
padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
|
padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
|
||||||
if (padlen > 7) {
|
ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
|
||||||
padlen &= 7;
|
MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
|
||||||
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
padlen &= 7;
|
||||||
}
|
|
||||||
|
|
||||||
/* Check padding in "constant-time" */
|
/* Check padding in "constant-time" */
|
||||||
for (diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++) {
|
const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
|
||||||
if (i >= KW_SEMIBLOCK_LENGTH - padlen) {
|
diff = mbedtls_ct_memcmp_partial(
|
||||||
diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
|
&output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
|
||||||
} else {
|
KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
|
||||||
bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (diff != 0) {
|
if (diff != 0) {
|
||||||
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
||||||
|
@ -454,7 +451,6 @@ cleanup:
|
||||||
*out_len = 0;
|
*out_len = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_platform_zeroize(&bad_padding, sizeof(bad_padding));
|
|
||||||
mbedtls_platform_zeroize(&diff, sizeof(diff));
|
mbedtls_platform_zeroize(&diff, sizeof(diff));
|
||||||
mbedtls_platform_zeroize(A, sizeof(A));
|
mbedtls_platform_zeroize(A, sizeof(A));
|
||||||
|
|
||||||
|
|
|
@ -117,5 +117,14 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont
|
||||||
#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
|
#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
|
||||||
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_TEST_HOOKS)
|
||||||
|
|
||||||
|
MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
|
||||||
|
mbedtls_pk_context *pk,
|
||||||
|
unsigned char *key, size_t keylen,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif /* MBEDTLS_PK_INTERNAL_H */
|
#endif /* MBEDTLS_PK_INTERNAL_H */
|
||||||
|
|
|
@ -129,18 +129,48 @@ static int pkcs12_pbe_derive_key_iv(mbedtls_asn1_buf *pbe_params, mbedtls_md_typ
|
||||||
|
|
||||||
#undef PKCS12_MAX_PWDLEN
|
#undef PKCS12_MAX_PWDLEN
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t len,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
const unsigned char *data, size_t len,
|
const unsigned char *data, size_t len,
|
||||||
unsigned char *output)
|
unsigned char *output)
|
||||||
|
{
|
||||||
|
size_t output_len = 0;
|
||||||
|
|
||||||
|
/* We assume caller of the function is providing a big enough output buffer
|
||||||
|
* so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
|
||||||
|
* for the output size actually being correct.
|
||||||
|
*/
|
||||||
|
return mbedtls_pkcs12_pbe_ext(pbe_params, mode, cipher_type, md_type,
|
||||||
|
pwd, pwdlen, data, len, output, SIZE_MAX,
|
||||||
|
&output_len);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t len,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len)
|
||||||
{
|
{
|
||||||
int ret, keylen = 0;
|
int ret, keylen = 0;
|
||||||
unsigned char key[32];
|
unsigned char key[32];
|
||||||
unsigned char iv[16];
|
unsigned char iv[16];
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
mbedtls_cipher_context_t cipher_ctx;
|
mbedtls_cipher_context_t cipher_ctx;
|
||||||
size_t olen = 0;
|
size_t finish_olen = 0;
|
||||||
|
unsigned int padlen = 0;
|
||||||
|
|
||||||
if (pwd == NULL && pwdlen != 0) {
|
if (pwd == NULL && pwdlen != 0) {
|
||||||
return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
|
return MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA;
|
||||||
|
@ -153,6 +183,19 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
|
||||||
keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
|
keylen = (int) mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
|
||||||
|
|
||||||
|
if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
|
||||||
|
if (output_size < len) {
|
||||||
|
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mode == MBEDTLS_PKCS12_PBE_ENCRYPT) {
|
||||||
|
padlen = cipher_info->block_size - (len % cipher_info->block_size);
|
||||||
|
if (output_size < (len + padlen)) {
|
||||||
|
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
|
if ((ret = pkcs12_pbe_derive_key_iv(pbe_params, md_type, pwd, pwdlen,
|
||||||
key, keylen,
|
key, keylen,
|
||||||
iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
|
iv, mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
|
||||||
|
@ -171,6 +214,25 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
||||||
|
/* PKCS12 uses CBC with PKCS7 padding */
|
||||||
|
|
||||||
|
mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
|
||||||
|
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
/* For historical reasons, when decrypting, this function works when
|
||||||
|
* decrypting even when support for PKCS7 padding is disabled. In this
|
||||||
|
* case, it ignores the padding, and so will never report a
|
||||||
|
* password mismatch.
|
||||||
|
*/
|
||||||
|
if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) {
|
||||||
|
padding = MBEDTLS_PADDING_NONE;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
||||||
|
|
||||||
if ((ret =
|
if ((ret =
|
||||||
mbedtls_cipher_set_iv(&cipher_ctx, iv,
|
mbedtls_cipher_set_iv(&cipher_ctx, iv,
|
||||||
mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
|
mbedtls_cipher_info_get_iv_size(cipher_info))) != 0) {
|
||||||
|
@ -182,14 +244,16 @@ int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
|
if ((ret = mbedtls_cipher_update(&cipher_ctx, data, len,
|
||||||
output, &olen)) != 0) {
|
output, output_len)) != 0) {
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + olen, &olen)) != 0) {
|
if ((ret = mbedtls_cipher_finish(&cipher_ctx, output + (*output_len), &finish_olen)) != 0) {
|
||||||
ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
|
ret = MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
*output_len += finish_olen;
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
mbedtls_platform_zeroize(key, sizeof(key));
|
mbedtls_platform_zeroize(key, sizeof(key));
|
||||||
mbedtls_platform_zeroize(iv, sizeof(iv));
|
mbedtls_platform_zeroize(iv, sizeof(iv));
|
||||||
|
|
|
@ -111,10 +111,36 @@ static int pkcs5_parse_pbkdf2_params(const mbedtls_asn1_buf *params,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t datalen,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
const unsigned char *data, size_t datalen,
|
const unsigned char *data, size_t datalen,
|
||||||
unsigned char *output)
|
unsigned char *output)
|
||||||
|
{
|
||||||
|
size_t output_len = 0;
|
||||||
|
|
||||||
|
/* We assume caller of the function is providing a big enough output buffer
|
||||||
|
* so we pass output_size as SIZE_MAX to pass checks, However, no guarantees
|
||||||
|
* for the output size actually being correct.
|
||||||
|
*/
|
||||||
|
return mbedtls_pkcs5_pbes2_ext(pbe_params, mode, pwd, pwdlen, data,
|
||||||
|
datalen, output, SIZE_MAX, &output_len);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
const unsigned char *data, size_t datalen,
|
||||||
|
unsigned char *output, size_t output_size,
|
||||||
|
size_t *output_len)
|
||||||
{
|
{
|
||||||
int ret, iterations = 0, keylen = 0;
|
int ret, iterations = 0, keylen = 0;
|
||||||
unsigned char *p, *end;
|
unsigned char *p, *end;
|
||||||
|
@ -122,10 +148,10 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
mbedtls_asn1_buf salt;
|
mbedtls_asn1_buf salt;
|
||||||
mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
|
mbedtls_md_type_t md_type = MBEDTLS_MD_SHA1;
|
||||||
unsigned char key[32], iv[32];
|
unsigned char key[32], iv[32];
|
||||||
size_t olen = 0;
|
|
||||||
const mbedtls_cipher_info_t *cipher_info;
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
mbedtls_cipher_type_t cipher_alg;
|
mbedtls_cipher_type_t cipher_alg;
|
||||||
mbedtls_cipher_context_t cipher_ctx;
|
mbedtls_cipher_context_t cipher_ctx;
|
||||||
|
unsigned int padlen = 0;
|
||||||
|
|
||||||
p = pbe_params->p;
|
p = pbe_params->p;
|
||||||
end = p + pbe_params->len;
|
end = p + pbe_params->len;
|
||||||
|
@ -183,6 +209,19 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
|
return MBEDTLS_ERR_PKCS5_INVALID_FORMAT;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (mode == MBEDTLS_PKCS5_DECRYPT) {
|
||||||
|
if (output_size < datalen) {
|
||||||
|
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mode == MBEDTLS_PKCS5_ENCRYPT) {
|
||||||
|
padlen = cipher_info->block_size - (datalen % cipher_info->block_size);
|
||||||
|
if (output_size < (datalen + padlen)) {
|
||||||
|
return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
mbedtls_cipher_init(&cipher_ctx);
|
mbedtls_cipher_init(&cipher_ctx);
|
||||||
|
|
||||||
memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
|
memcpy(iv, enc_scheme_params.p, enc_scheme_params.len);
|
||||||
|
@ -202,8 +241,28 @@ int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
||||||
|
/* PKCS5 uses CBC with PKCS7 padding (which is the same as
|
||||||
|
* "PKCS5 padding" except that it's typically only called PKCS5
|
||||||
|
* with 64-bit-block ciphers).
|
||||||
|
*/
|
||||||
|
mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7;
|
||||||
|
#if !defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||||
|
/* For historical reasons, when decrypting, this function works when
|
||||||
|
* decrypting even when support for PKCS7 padding is disabled. In this
|
||||||
|
* case, it ignores the padding, and so will never report a
|
||||||
|
* password mismatch.
|
||||||
|
*/
|
||||||
|
if (mode == MBEDTLS_DECRYPT) {
|
||||||
|
padding = MBEDTLS_PADDING_NONE;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) {
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
||||||
if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
|
if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len,
|
||||||
data, datalen, output, &olen)) != 0) {
|
data, datalen, output, output_len)) != 0) {
|
||||||
ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
|
ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1417,6 +1417,12 @@ static int pk_parse_key_pkcs8_unencrypted_der(
|
||||||
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||||
return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
|
return MBEDTLS_ERR_PK_UNKNOWN_PK_ALG;
|
||||||
|
|
||||||
|
end = p + len;
|
||||||
|
if (end != (key + keylen)) {
|
||||||
|
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT,
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1430,7 +1436,7 @@ static int pk_parse_key_pkcs8_unencrypted_der(
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
|
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
|
||||||
static int pk_parse_key_pkcs8_encrypted_der(
|
MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
|
||||||
mbedtls_pk_context *pk,
|
mbedtls_pk_context *pk,
|
||||||
unsigned char *key, size_t keylen,
|
unsigned char *key, size_t keylen,
|
||||||
const unsigned char *pwd, size_t pwdlen,
|
const unsigned char *pwd, size_t pwdlen,
|
||||||
|
@ -1445,6 +1451,7 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
||||||
mbedtls_cipher_type_t cipher_alg;
|
mbedtls_cipher_type_t cipher_alg;
|
||||||
mbedtls_md_type_t md_alg;
|
mbedtls_md_type_t md_alg;
|
||||||
#endif
|
#endif
|
||||||
|
size_t outlen = 0;
|
||||||
|
|
||||||
p = key;
|
p = key;
|
||||||
end = p + keylen;
|
end = p + keylen;
|
||||||
|
@ -1490,9 +1497,9 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_PKCS12_C)
|
#if defined(MBEDTLS_PKCS12_C)
|
||||||
if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
|
if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) {
|
||||||
if ((ret = mbedtls_pkcs12_pbe(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
|
if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT,
|
||||||
cipher_alg, md_alg,
|
cipher_alg, md_alg,
|
||||||
pwd, pwdlen, p, len, buf)) != 0) {
|
pwd, pwdlen, p, len, buf, len, &outlen)) != 0) {
|
||||||
if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
|
if (ret == MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH) {
|
||||||
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
|
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
|
||||||
}
|
}
|
||||||
|
@ -1505,8 +1512,8 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
||||||
#endif /* MBEDTLS_PKCS12_C */
|
#endif /* MBEDTLS_PKCS12_C */
|
||||||
#if defined(MBEDTLS_PKCS5_C)
|
#if defined(MBEDTLS_PKCS5_C)
|
||||||
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
|
if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) {
|
||||||
if ((ret = mbedtls_pkcs5_pbes2(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
|
if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen,
|
||||||
p, len, buf)) != 0) {
|
p, len, buf, len, &outlen)) != 0) {
|
||||||
if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
|
if (ret == MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH) {
|
||||||
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
|
return MBEDTLS_ERR_PK_PASSWORD_MISMATCH;
|
||||||
}
|
}
|
||||||
|
@ -1524,8 +1531,7 @@ static int pk_parse_key_pkcs8_encrypted_der(
|
||||||
if (decrypted == 0) {
|
if (decrypted == 0) {
|
||||||
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
|
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
|
||||||
}
|
}
|
||||||
|
return pk_parse_key_pkcs8_unencrypted_der(pk, buf, outlen, f_rng, p_rng);
|
||||||
return pk_parse_key_pkcs8_unencrypted_der(pk, buf, len, f_rng, p_rng);
|
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
|
#endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */
|
||||||
|
|
||||||
|
@ -1644,8 +1650,8 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
|
||||||
key, NULL, 0, &len);
|
key, NULL, 0, &len);
|
||||||
}
|
}
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
if ((ret = pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
|
if ((ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, pem.buf, pem.buflen,
|
||||||
pwd, pwdlen, f_rng, p_rng)) != 0) {
|
pwd, pwdlen, f_rng, p_rng)) != 0) {
|
||||||
mbedtls_pk_free(pk);
|
mbedtls_pk_free(pk);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1677,8 +1683,8 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
|
||||||
|
|
||||||
memcpy(key_copy, key, keylen);
|
memcpy(key_copy, key, keylen);
|
||||||
|
|
||||||
ret = pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
|
ret = mbedtls_pk_parse_key_pkcs8_encrypted_der(pk, key_copy, keylen,
|
||||||
pwd, pwdlen, f_rng, p_rng);
|
pwd, pwdlen, f_rng, p_rng);
|
||||||
|
|
||||||
mbedtls_zeroize_and_free(key_copy, keylen);
|
mbedtls_zeroize_and_free(key_copy, keylen);
|
||||||
}
|
}
|
||||||
|
|
2883
library/psa_crypto_driver_wrappers.h
Normal file
2883
library/psa_crypto_driver_wrappers.h
Normal file
File diff suppressed because it is too large
Load diff
268
library/psa_crypto_driver_wrappers_no_static.c
Normal file
268
library/psa_crypto_driver_wrappers_no_static.c
Normal file
|
@ -0,0 +1,268 @@
|
||||||
|
/*
|
||||||
|
* Functions to delegate cryptographic operations to an available
|
||||||
|
* and appropriate accelerator.
|
||||||
|
* Warning: This file is now auto-generated.
|
||||||
|
*/
|
||||||
|
/* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
/* BEGIN-common headers */
|
||||||
|
#include "common.h"
|
||||||
|
#include "psa_crypto_aead.h"
|
||||||
|
#include "psa_crypto_cipher.h"
|
||||||
|
#include "psa_crypto_core.h"
|
||||||
|
#include "psa_crypto_driver_wrappers_no_static.h"
|
||||||
|
#include "psa_crypto_hash.h"
|
||||||
|
#include "psa_crypto_mac.h"
|
||||||
|
#include "psa_crypto_pake.h"
|
||||||
|
#include "psa_crypto_rsa.h"
|
||||||
|
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
/* END-common headers */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||||
|
|
||||||
|
/* BEGIN-driver headers */
|
||||||
|
/* Headers for mbedtls_test opaque driver */
|
||||||
|
#if defined(PSA_CRYPTO_DRIVER_TEST)
|
||||||
|
#include "test/drivers/test_driver.h"
|
||||||
|
|
||||||
|
#endif
|
||||||
|
/* Headers for mbedtls_test transparent driver */
|
||||||
|
#if defined(PSA_CRYPTO_DRIVER_TEST)
|
||||||
|
#include "test/drivers/test_driver.h"
|
||||||
|
|
||||||
|
#endif
|
||||||
|
/* Headers for p256 transparent driver */
|
||||||
|
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
|
||||||
|
#include "../3rdparty/p256-m/p256-m_driver_entrypoints.h"
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* END-driver headers */
|
||||||
|
|
||||||
|
/* Auto-generated values depending on which drivers are registered.
|
||||||
|
* ID 0 is reserved for unallocated operations.
|
||||||
|
* ID 1 is reserved for the Mbed TLS software driver. */
|
||||||
|
/* BEGIN-driver id definition */
|
||||||
|
#define PSA_CRYPTO_MBED_TLS_DRIVER_ID (1)
|
||||||
|
#define MBEDTLS_TEST_OPAQUE_DRIVER_ID (2)
|
||||||
|
#define MBEDTLS_TEST_TRANSPARENT_DRIVER_ID (3)
|
||||||
|
#define P256_TRANSPARENT_DRIVER_ID (4)
|
||||||
|
|
||||||
|
/* END-driver id */
|
||||||
|
|
||||||
|
/* BEGIN-Common Macro definitions */
|
||||||
|
|
||||||
|
/* END-Common Macro definitions */
|
||||||
|
|
||||||
|
/* Support the 'old' SE interface when asked to */
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
|
||||||
|
/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style
|
||||||
|
* SE driver is present, to avoid unused argument errors at compile time. */
|
||||||
|
#ifndef PSA_CRYPTO_DRIVER_PRESENT
|
||||||
|
#define PSA_CRYPTO_DRIVER_PRESENT
|
||||||
|
#endif
|
||||||
|
#include "psa_crypto_se.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/** Get the key buffer size required to store the key material of a key
|
||||||
|
* associated with an opaque driver.
|
||||||
|
*
|
||||||
|
* \param[in] attributes The key attributes.
|
||||||
|
* \param[out] key_buffer_size Minimum buffer size to contain the key material
|
||||||
|
*
|
||||||
|
* \retval #PSA_SUCCESS
|
||||||
|
* The minimum size for a buffer to contain the key material has been
|
||||||
|
* returned successfully.
|
||||||
|
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||||
|
* The type and/or the size in bits of the key or the combination of
|
||||||
|
* the two is not supported.
|
||||||
|
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||||
|
* The key is declared with a lifetime not known to us.
|
||||||
|
*/
|
||||||
|
psa_status_t psa_driver_wrapper_get_key_buffer_size(
|
||||||
|
const psa_key_attributes_t *attributes,
|
||||||
|
size_t *key_buffer_size )
|
||||||
|
{
|
||||||
|
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
|
||||||
|
psa_key_type_t key_type = attributes->core.type;
|
||||||
|
size_t key_bits = attributes->core.bits;
|
||||||
|
|
||||||
|
*key_buffer_size = 0;
|
||||||
|
switch( location )
|
||||||
|
{
|
||||||
|
#if defined(PSA_CRYPTO_DRIVER_TEST)
|
||||||
|
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
|
||||||
|
/* Emulate property 'builtin_key_size' */
|
||||||
|
if( psa_key_id_is_builtin(
|
||||||
|
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
|
||||||
|
psa_get_key_id( attributes ) ) ) )
|
||||||
|
{
|
||||||
|
*key_buffer_size = sizeof( psa_drv_slot_number_t );
|
||||||
|
return( PSA_SUCCESS );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
|
||||||
|
*key_buffer_size = mbedtls_test_opaque_size_function( key_type,
|
||||||
|
key_bits );
|
||||||
|
return( ( *key_buffer_size != 0 ) ?
|
||||||
|
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
|
||||||
|
#endif /* PSA_CRYPTO_DRIVER_TEST */
|
||||||
|
|
||||||
|
default:
|
||||||
|
(void)key_type;
|
||||||
|
(void)key_bits;
|
||||||
|
return( PSA_ERROR_INVALID_ARGUMENT );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
psa_status_t psa_driver_wrapper_export_public_key(
|
||||||
|
const psa_key_attributes_t *attributes,
|
||||||
|
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||||
|
uint8_t *data, size_t data_size, size_t *data_length )
|
||||||
|
|
||||||
|
{
|
||||||
|
|
||||||
|
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;
|
||||||
|
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
|
||||||
|
psa_get_key_lifetime( attributes ) );
|
||||||
|
|
||||||
|
/* Try dynamically-registered SE interface first */
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
|
||||||
|
const psa_drv_se_t *drv;
|
||||||
|
psa_drv_se_context_t *drv_context;
|
||||||
|
|
||||||
|
if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) )
|
||||||
|
{
|
||||||
|
if( ( drv->key_management == NULL ) ||
|
||||||
|
( drv->key_management->p_export_public == NULL ) )
|
||||||
|
{
|
||||||
|
return( PSA_ERROR_NOT_SUPPORTED );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( drv->key_management->p_export_public(
|
||||||
|
drv_context,
|
||||||
|
*( (psa_key_slot_number_t *)key_buffer ),
|
||||||
|
data, data_size, data_length ) );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
|
||||||
|
|
||||||
|
switch( location )
|
||||||
|
{
|
||||||
|
case PSA_KEY_LOCATION_LOCAL_STORAGE:
|
||||||
|
/* Key is stored in the slot in export representation, so
|
||||||
|
* cycle through all known transparent accelerators */
|
||||||
|
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
|
||||||
|
|
||||||
|
#if (defined(PSA_CRYPTO_DRIVER_TEST) )
|
||||||
|
status = mbedtls_test_transparent_export_public_key
|
||||||
|
(attributes,
|
||||||
|
key_buffer,
|
||||||
|
key_buffer_size,
|
||||||
|
data,
|
||||||
|
data_size,
|
||||||
|
data_length
|
||||||
|
);
|
||||||
|
|
||||||
|
if( status != PSA_ERROR_NOT_SUPPORTED )
|
||||||
|
return( status );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED) )
|
||||||
|
status = p256_transparent_export_public_key
|
||||||
|
(attributes,
|
||||||
|
key_buffer,
|
||||||
|
key_buffer_size,
|
||||||
|
data,
|
||||||
|
data_size,
|
||||||
|
data_length
|
||||||
|
);
|
||||||
|
|
||||||
|
if( status != PSA_ERROR_NOT_SUPPORTED )
|
||||||
|
return( status );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
|
||||||
|
/* Fell through, meaning no accelerator supports this operation */
|
||||||
|
return( psa_export_public_key_internal( attributes,
|
||||||
|
key_buffer,
|
||||||
|
key_buffer_size,
|
||||||
|
data,
|
||||||
|
data_size,
|
||||||
|
data_length ) );
|
||||||
|
|
||||||
|
/* Add cases for opaque driver here */
|
||||||
|
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
|
||||||
|
|
||||||
|
#if (defined(PSA_CRYPTO_DRIVER_TEST) )
|
||||||
|
case 0x7fffff:
|
||||||
|
return( mbedtls_test_opaque_export_public_key
|
||||||
|
(attributes,
|
||||||
|
key_buffer,
|
||||||
|
key_buffer_size,
|
||||||
|
data,
|
||||||
|
data_size,
|
||||||
|
data_length
|
||||||
|
));
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
|
||||||
|
default:
|
||||||
|
/* Key is declared with a lifetime not known to us */
|
||||||
|
return( status );
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
psa_status_t psa_driver_wrapper_get_builtin_key(
|
||||||
|
psa_drv_slot_number_t slot_number,
|
||||||
|
psa_key_attributes_t *attributes,
|
||||||
|
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
|
||||||
|
{
|
||||||
|
|
||||||
|
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
|
||||||
|
switch( location )
|
||||||
|
{
|
||||||
|
#if defined(PSA_CRYPTO_DRIVER_TEST)
|
||||||
|
|
||||||
|
#if (defined(PSA_CRYPTO_DRIVER_TEST) )
|
||||||
|
case 0x7fffff:
|
||||||
|
return( mbedtls_test_opaque_get_builtin_key
|
||||||
|
(slot_number,
|
||||||
|
attributes,
|
||||||
|
key_buffer,
|
||||||
|
key_buffer_size,
|
||||||
|
key_buffer_length
|
||||||
|
));
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
#endif /* PSA_CRYPTO_DRIVER_TEST */
|
||||||
|
default:
|
||||||
|
(void) slot_number;
|
||||||
|
(void) key_buffer;
|
||||||
|
(void) key_buffer_size;
|
||||||
|
(void) key_buffer_length;
|
||||||
|
return( PSA_ERROR_DOES_NOT_EXIST );
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue