Merge branch 'development' into sha-armce-thumb2
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
commit
b0d9830373
156 changed files with 3182 additions and 1584 deletions
12
3rdparty/CMakeLists.txt
vendored
12
3rdparty/CMakeLists.txt
vendored
|
@ -1,10 +1,2 @@
|
|||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED RESULT_VARIABLE everest_result)
|
||||
execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h get MBEDTLS_PSA_P256M_DRIVER_ENABLED RESULT_VARIABLE p256m_result)
|
||||
|
||||
if(${everest_result} EQUAL 0)
|
||||
add_subdirectory(everest)
|
||||
endif()
|
||||
|
||||
if(${p256m_result} EQUAL 0)
|
||||
add_subdirectory(p256-m)
|
||||
endif()
|
||||
add_subdirectory(everest)
|
||||
add_subdirectory(p256-m)
|
||||
|
|
21
3rdparty/everest/CMakeLists.txt
vendored
21
3rdparty/everest/CMakeLists.txt
vendored
|
@ -1,9 +1,11 @@
|
|||
add_library(everest
|
||||
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
|
||||
|
||||
add_library(${everest_target}
|
||||
library/everest.c
|
||||
library/x25519.c
|
||||
library/Hacl_Curve25519_joined.c)
|
||||
|
||||
target_include_directories(everest
|
||||
target_include_directories(${everest_target}
|
||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
|
||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
||||
$<INSTALL_INTERFACE:include>
|
||||
|
@ -11,6 +13,19 @@ target_include_directories(everest
|
|||
include/everest/kremlib
|
||||
${MBEDTLS_DIR}/library/)
|
||||
|
||||
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
||||
# This must be duplicated from library/CMakeLists.txt because
|
||||
# everest is not directly linked against any mbedtls targets
|
||||
# so does not inherit the compile definitions.
|
||||
if(MBEDTLS_CONFIG_FILE)
|
||||
target_compile_definitions(${everest_target}
|
||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
||||
endif()
|
||||
if(MBEDTLS_USER_CONFIG_FILE)
|
||||
target_compile_definitions(${everest_target}
|
||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
||||
endif()
|
||||
|
||||
if(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
install(DIRECTORY include/everest
|
||||
|
@ -21,7 +36,7 @@ if(INSTALL_MBEDTLS_HEADERS)
|
|||
|
||||
endif(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
install(TARGETS everest
|
||||
install(TARGETS ${everest_target}
|
||||
EXPORT MbedTLSTargets
|
||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
||||
|
|
21
3rdparty/p256-m/CMakeLists.txt
vendored
21
3rdparty/p256-m/CMakeLists.txt
vendored
|
@ -1,14 +1,29 @@
|
|||
add_library(p256m
|
||||
set(p256m_target ${MBEDTLS_TARGET_PREFIX}p256m)
|
||||
|
||||
add_library(${p256m_target}
|
||||
p256-m_driver_entrypoints.c
|
||||
p256-m/p256-m.c)
|
||||
|
||||
target_include_directories(p256m
|
||||
target_include_directories(${p256m_target}
|
||||
PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}>
|
||||
$<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/p256-m>
|
||||
$<BUILD_INTERFACE:${MBEDTLS_DIR}/include>
|
||||
$<INSTALL_INTERFACE:include>
|
||||
PRIVATE ${MBEDTLS_DIR}/library/)
|
||||
|
||||
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
|
||||
# This must be duplicated from library/CMakeLists.txt because
|
||||
# p256m is not directly linked against any mbedtls targets
|
||||
# so does not inherit the compile definitions.
|
||||
if(MBEDTLS_CONFIG_FILE)
|
||||
target_compile_definitions(${p256m_target}
|
||||
PUBLIC MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
|
||||
endif()
|
||||
if(MBEDTLS_USER_CONFIG_FILE)
|
||||
target_compile_definitions(${p256m_target}
|
||||
PUBLIC MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}")
|
||||
endif()
|
||||
|
||||
if(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
install(DIRECTORY :${CMAKE_CURRENT_SOURCE_DIR}
|
||||
|
@ -19,7 +34,7 @@ if(INSTALL_MBEDTLS_HEADERS)
|
|||
|
||||
endif(INSTALL_MBEDTLS_HEADERS)
|
||||
|
||||
install(TARGETS p256m
|
||||
install(TARGETS ${p256m_target}
|
||||
EXPORT MbedTLSTargets
|
||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}
|
||||
PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
|
||||
|
|
|
@ -106,6 +106,6 @@ The following branches are currently maintained:
|
|||
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
|
||||
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
|
||||
maintained until at least the end of 2024, see
|
||||
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3>.
|
||||
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
|
||||
|
||||
Users are urged to always use the latest version of a maintained branch.
|
||||
|
|
|
@ -377,7 +377,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
|
|||
write_basic_package_version_file(
|
||||
"cmake/MbedTLSConfigVersion.cmake"
|
||||
COMPATIBILITY SameMajorVersion
|
||||
VERSION 3.4.1)
|
||||
VERSION 3.5.0)
|
||||
|
||||
install(
|
||||
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
||||
|
|
288
ChangeLog
288
ChangeLog
|
@ -1,5 +1,293 @@
|
|||
Mbed TLS ChangeLog (Sorted per branch, date)
|
||||
|
||||
= Mbed TLS 3.5.0 branch released 2023-10-05
|
||||
|
||||
API changes
|
||||
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
||||
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
||||
their was a flaw in the logic checking if the built-in implementation, in
|
||||
that if failed to check if all the relevant curves were supported by the
|
||||
accelerator. As a result, it was possible to declare no curves as
|
||||
accelerated and still have the built-in implementation compiled out.
|
||||
Starting with this release, it is necessary to declare which curves are
|
||||
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
||||
considered not accelerated, and the built-in implementation of the curves
|
||||
and any algorithm possible using them will be included in the build.
|
||||
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
|
||||
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
|
||||
can be created using an ALT interface.
|
||||
|
||||
Requirement changes
|
||||
* Officially require Python 3.8 now that earlier versions are out of support.
|
||||
* Minimum required Windows version is now Windows Vista, or
|
||||
Windows Server 2008.
|
||||
|
||||
New deprecations
|
||||
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
|
||||
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
|
||||
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
|
||||
the capabilities of the PSA side for either key.
|
||||
* MBEDTLS_CIPHER_BLKSIZE_MAX is deprecated in favor of
|
||||
MBEDTLS_MAX_BLOCK_LENGTH (if you intended what the name suggests:
|
||||
maximum size of any supported block cipher) or the new name
|
||||
MBEDTLS_CMAC_MAX_BLOCK_SIZE (if you intended the actual semantics:
|
||||
maximum size of a block cipher supported by the CMAC module).
|
||||
* mbedtls_pkcs5_pbes2() and mbedtls_pkcs12_pbe() functions are now
|
||||
deprecated in favor of mbedtls_pkcs5_pbes2_ext() and
|
||||
mbedtls_pkcs12_pbe_ext() as they offer more security by checking
|
||||
for overflow of the output buffer and reporting the actual length
|
||||
of the output.
|
||||
|
||||
Features
|
||||
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
|
||||
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
|
||||
been called. Previously (in 3.3), this was restricted to a few modules,
|
||||
and only in builds where MBEDTLS_MD_C was disabled; in particular the
|
||||
entropy module was not covered which meant an external RNG had to be
|
||||
provided - these limitations are lifted in this version. A new set of
|
||||
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
|
||||
to check for availability of hash algorithms, regardless of whether
|
||||
they're provided by a built-in implementation, a driver or both. See
|
||||
docs/driver-only-builds.md.
|
||||
* When a PSA driver for ECDH is present, it is now possible to disable
|
||||
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
||||
key exchanges based on ECDH(E) to work, this requires
|
||||
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
||||
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
||||
as PSA does not have an API for restartable ECDH yet.
|
||||
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
||||
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
||||
if not required by another module) and still get support for ECC keys and
|
||||
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
||||
for details.
|
||||
* Add parsing of directoryName subtype for subjectAltName extension in
|
||||
x509 certificates.
|
||||
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
|
||||
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
|
||||
TLS 1.3 depending on the capabilities and preferences of TLS clients.
|
||||
Fixes #6867.
|
||||
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
|
||||
* Add support for reading and writing X25519 and X448
|
||||
public and private keys in RFC 8410 format using the existing PK APIs.
|
||||
* When parsing X.509 certificates, support the extensions
|
||||
SignatureKeyIdentifier and AuthorityKeyIdentifier.
|
||||
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
|
||||
if no PAKE algorithms are requested
|
||||
* Add support for the FFDH algorithm and DH key types in PSA, with
|
||||
parameters from RFC 7919. This includes a built-in implementation based
|
||||
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
|
||||
implementations of FFDH through the driver entry points.
|
||||
* It is now possible to generate certificates with SubjectAltNames.
|
||||
Currently supported subtypes: DnsName, UniformResourceIdentifier,
|
||||
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
|
||||
See mbedtls_x509write_crt_set_subject_alternative_name for
|
||||
more information.
|
||||
* X.509 hostname verification now partially supports URI Subject Alternate
|
||||
Names. Only exact matching, without any normalization procedures
|
||||
described in 7.4 of RFC5280, will result in a positive URI verification.
|
||||
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
|
||||
string to a DER-encoded mbedtls_asn1_buf.
|
||||
* Add SHA-3 family hash functions.
|
||||
* Add support to restrict AES to 128-bit keys in order to save code size.
|
||||
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
|
||||
used to enable this feature.
|
||||
* AES performance improvements. Uplift varies by platform,
|
||||
toolchain, optimisation flags and mode.
|
||||
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
|
||||
On Aarch64, uplift is typically around 20 - 110%.
|
||||
When compiling with gcc -Os on Aarch64, AES-XTS improves
|
||||
by 4.5x.
|
||||
* Add support for PBKDF2-HMAC through the PSA API.
|
||||
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
|
||||
or DH) were introduced in order to have finer accuracy in defining the
|
||||
PSA capabilities for each key. These capabilities, named yyy above, can be
|
||||
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
|
||||
- DERIVE is only available for ECC keys, not for RSA or DH ones.
|
||||
- implementations are free to enable more than what it was strictly
|
||||
requested. For example BASIC internally enables IMPORT and EXPORT
|
||||
(useful for testing purposes), but this might change in the future.
|
||||
* Add support for FFDH key exchange in TLS 1.3.
|
||||
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
|
||||
and the ephemeral or psk-ephemeral key exchange mode are enabled.
|
||||
By default, all groups are offered; the list of groups can be
|
||||
configured using the existing API function mbedtls_ssl_conf_groups().
|
||||
* Improve mbedtls_x509_time performance and reduce memory use.
|
||||
* Reduce syscalls to time() during certificate verification.
|
||||
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
|
||||
setting the CMake variable of the same name at configuration time.
|
||||
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
|
||||
`mbedtls_ssl_cache_context.timeout`.
|
||||
* Add getter (mbedtls_ssl_get_hostname()) to access
|
||||
`mbedtls_ssl_context.hostname`.
|
||||
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
|
||||
`mbedtls_ssl_config.endpoint`.
|
||||
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
|
||||
extended: it is now possible to use mbedtls_pk_write_key_der(),
|
||||
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
|
||||
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
|
||||
allow it).
|
||||
* The documentation of mbedtls_ecp_group now describes the optimized
|
||||
representation of A for some curves. Fixes #8045.
|
||||
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
|
||||
of subjectAltName extension in x509 certificates.
|
||||
* Add support for PBKDF2-CMAC through the PSA API.
|
||||
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
|
||||
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
|
||||
disables the plain C implementation and the run-time detection for the
|
||||
CPU feature, which reduces code size and avoids the vulnerability of the
|
||||
plain C implementation.
|
||||
* Accept arbitrary AttributeType and AttributeValue in certificate
|
||||
Distinguished Names using RFC 4514 syntax.
|
||||
* Applications using ECC over secp256r1 through the PSA API can use a
|
||||
new implementation with a much smaller footprint, but some minor
|
||||
usage restrictions. See the documentation of the new configuration
|
||||
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
|
||||
|
||||
Security
|
||||
* Fix a case where potentially sensitive information held in memory would not
|
||||
be completely zeroized during TLS 1.2 handshake, in both server and client
|
||||
configurations.
|
||||
* In configurations with ARIA or Camellia but not AES, the value of
|
||||
MBEDTLS_CIPHER_BLKSIZE_MAX was 8, rather than 16 as the name might
|
||||
suggest. This did not affect any library code, because this macro was
|
||||
only used in relation with CMAC which does not support these ciphers.
|
||||
This may affect application code that uses this macro.
|
||||
* Developers using mbedtls_pkcs5_pbes2() or mbedtls_pkcs12_pbe() should
|
||||
review the size of the output buffer passed to this function, and note
|
||||
that the output after decryption may include CBC padding. Consider moving
|
||||
to the new functions mbedtls_pkcs5_pbes2_ext() or mbedtls_pkcs12_pbe_ext()
|
||||
which checks for overflow of the output buffer and reports the actual
|
||||
length of the output.
|
||||
* Improve padding calculations in CBC decryption, NIST key unwrapping and
|
||||
RSA OAEP decryption. With the previous implementation, some compilers
|
||||
(notably recent versions of Clang and IAR) could produce non-constant
|
||||
time code, which could allow a padding oracle attack if the attacker
|
||||
has access to precise timing measurements.
|
||||
* Updates to constant-time C code so that compilers are less likely to use
|
||||
conditional instructions, which can have an observable difference in
|
||||
timing. (Clang has been seen to do this.) Also introduce assembly
|
||||
implementations for 32- and 64-bit Arm and for x86 and x86-64, which are
|
||||
guaranteed not to use conditional instructions.
|
||||
* Fix definition of MBEDTLS_MD_MAX_BLOCK_SIZE, which was too
|
||||
small when MBEDTLS_SHA384_C was defined and MBEDTLS_SHA512_C was
|
||||
undefined. Mbed TLS itself was unaffected by this, but user code
|
||||
which used MBEDTLS_MD_MAX_BLOCK_SIZE could be affected. The only
|
||||
release containing this bug was Mbed TLS 3.4.0.
|
||||
* Fix a buffer overread when parsing short TLS application data records in
|
||||
null-cipher cipher suites. Credit to OSS-Fuzz.
|
||||
* Fix a remotely exploitable heap buffer overflow in TLS handshake parsing.
|
||||
In TLS 1.3, all configurations are affected except PSK-only ones, and
|
||||
both clients and servers are affected.
|
||||
In TLS 1.2, the affected configurations are those with
|
||||
MBEDTLS_USE_PSA_CRYPTO and ECDH enabled but DHM and RSA disabled,
|
||||
and only servers are affected, not clients.
|
||||
Credit to OSS-Fuzz.
|
||||
|
||||
Bugfix
|
||||
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
|
||||
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
|
||||
than all built-in ones and RSA is disabled.
|
||||
Resolves #6622.
|
||||
* Add missing md.h includes to some of the external programs from
|
||||
the programs directory. Without this, even though the configuration
|
||||
was sufficient for a particular program to work, it would only print
|
||||
a message that one of the required defines is missing.
|
||||
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
|
||||
in the ecdsa.h header file. There was a build warning when the
|
||||
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
|
||||
Resolves #7407.
|
||||
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
|
||||
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
|
||||
* Fix missing PSA initialization in sample programs when
|
||||
MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||
* Fix the J-PAKE driver interface for user and peer to accept any values
|
||||
(previously accepted values were limited to "client" or "server").
|
||||
* Fix clang and armclang compilation error when targeting certain Arm
|
||||
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
|
||||
SecurCore SC000). Fixes #1077.
|
||||
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
|
||||
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
|
||||
way to detect the crypto extensions required. A warning is still issued.
|
||||
* Fixed an issue that caused compile errors when using CMake and the IAR
|
||||
toolchain.
|
||||
* Fix very high stack usage in SSL debug code. Reported by Maximilian
|
||||
Gerhardt in #7804.
|
||||
* Fix a compilation failure in the constant_time module when
|
||||
building for arm64_32 (e.g., for watchos). Reported by Paulo
|
||||
Coutinho in #7787.
|
||||
* Fix crypt_and_hash decryption fail when used with a stream cipher
|
||||
mode of operation due to the input not being multiple of block size.
|
||||
Resolves #7417.
|
||||
* Fix a bug in which mbedtls_x509_string_to_names() would return success
|
||||
when given a invalid name string if it did not contain '=' or ','.
|
||||
* Fix compilation warnings in aes.c, which prevented the
|
||||
example TF-M configuration in configs/ from building cleanly:
|
||||
tfm_mbedcrypto_config_profile_medium.h with
|
||||
crypto_config_profile_medium.h.
|
||||
* In TLS 1.3, fix handshake failure when a client in its ClientHello
|
||||
proposes an handshake based on PSK only key exchange mode or at least
|
||||
one of the key exchange modes using ephemeral keys to a server that
|
||||
supports only the PSK key exchange mode.
|
||||
* Fix CCM* with no tag being not supported in a build with CCM as the only
|
||||
symmetric encryption algorithm and the PSA configuration enabled.
|
||||
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
|
||||
* Fix a compilation error on some platforms when including mbedtls/ssl.h
|
||||
with all TLS support disabled. Fixes #6628.
|
||||
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
|
||||
using ECC key. The certificate was rejected by some crypto frameworks.
|
||||
Fixes #2924.
|
||||
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
|
||||
is called with zero length and padlock is not enabled.
|
||||
* Fix compile failure due to empty enum in cipher_wrap.c, when building
|
||||
with a very minimal configuration. Fixes #7625.
|
||||
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
|
||||
signature can silently return an incorrect result in low memory conditions.
|
||||
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
|
||||
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
||||
* Fix IAR compiler warnings.
|
||||
* Fix an issue when parsing an otherName subject alternative name into a
|
||||
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
|
||||
copied to the struct. This meant that the struct had incomplete
|
||||
information about the otherName SAN and contained uninitialized memory.
|
||||
* Fix the detection of HardwareModuleName otherName SANs. These were being
|
||||
detected by comparing the wrong field and the check was erroneously
|
||||
inverted.
|
||||
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
enabled, where some low-level modules required by requested PSA crypto
|
||||
features were not getting automatically enabled. Fixes #7420.
|
||||
* Fix undefined symbols in some builds using TLS 1.3 with a custom
|
||||
configuration file.
|
||||
* Fix log level for the got supported group message. Fixes #6765
|
||||
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
|
||||
error code on failure. Before, they returned 1 to indicate failure in
|
||||
some cases involving a missing entry or a full cache.
|
||||
* mbedtls_pk_parse_key() now rejects trailing garbage in encrypted keys.
|
||||
* Fix the build with CMake when Everest or P256-m is enabled through
|
||||
a user configuration file or the compiler command line. Fixes #8165.
|
||||
|
||||
Changes
|
||||
* Enable Arm / Thumb bignum assembly for most Arm platforms when
|
||||
compiling with gcc, clang or armclang and -O0.
|
||||
* Enforce minimum RSA key size when generating a key
|
||||
to avoid accidental misuse.
|
||||
* Use heap memory to allocate DER encoded RSA private key.
|
||||
This reduces stack usage significantly for RSA signature
|
||||
operations when MBEDTLS_PSA_CRYPTO_C is defined.
|
||||
* Update Windows code to use BCryptGenRandom and wcslen, and
|
||||
ensure that conversions between size_t, ULONG, and int are
|
||||
always done safely. Original contribution by Kevin Kane #635, #730
|
||||
followed by Simon Butcher #1453.
|
||||
* Users integrating their own PSA drivers should be aware that
|
||||
the file library/psa_crypto_driver_wrappers.c has been renamed
|
||||
to psa_crypto_driver_wrappers_no_static.c.
|
||||
* When using CBC with the cipher module, the requirement to call
|
||||
mbedtls_cipher_set_padding_mode() is now enforced. Previously, omitting
|
||||
this call accidentally applied a default padding mode chosen at compile
|
||||
time.
|
||||
|
||||
= Mbed TLS 3.4.1 branch released 2023-08-04
|
||||
|
||||
Bugfix
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
New deprecations
|
||||
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR, where xxx is either ECC or RSA,
|
||||
are now being deprecated in favor of PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy. Here yyy can be: BASIC,
|
||||
IMPORT, EXPORT, GENERATE, DERIVE. The goal is to have a finer detail about
|
||||
the capabilities of the PSA side for either key.
|
||||
|
||||
Features
|
||||
* New symbols PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy and
|
||||
MBEDTLS_PSA_ACCEL_KEY_TYPE_xxx_KEY_PAIR_yyy (where xxx is either ECC, RSA
|
||||
or DH) were introduced in order to have finer accuracy in defining the
|
||||
PSA capabilities for each key. These capabilities, named yyy above, can be
|
||||
any of: BASIC, IMPORT, EXPORT, GENERATE, DERIVE.
|
||||
- DERIVE is only available for ECC keys, not for RSA or DH ones.
|
||||
- implementations are free to enable more than what it was strictly
|
||||
requested. For example BASIC internally enables IMPORT and EXPORT
|
||||
(useful for testing purposes), but this might change in the future.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Functions in the ssl_cache module now return a negative MBEDTLS_ERR_xxx
|
||||
error code on failure. Before, they returned 1 to indicate failure in
|
||||
some cases involving a missing entry or a full cache.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* When parsing X.509 certificates, support the extensions
|
||||
SignatureKeyIdentifier and AuthorityKeyIdentifier.
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* Add support to restrict AES to 128-bit keys in order to save code size.
|
||||
A new configuration option, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH, can be
|
||||
used to enable this feature.
|
|
@ -1,6 +0,0 @@
|
|||
Features
|
||||
* New configuration option MBEDTLS_AES_USE_HARDWARE_ONLY introduced. When
|
||||
using CPU-accelerated AES (e.g., Arm Crypto Extensions), this option
|
||||
disables the plain C implementation and the run-time detection for the
|
||||
CPU feature, which reduces code size and avoids the vulnerability of the
|
||||
plain C implementation.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add parsing of directoryName subtype for subjectAltName extension in
|
||||
x509 certificates.
|
|
@ -1,7 +0,0 @@
|
|||
Features
|
||||
* Add getter (mbedtls_ssl_cache_get_timeout()) to access
|
||||
`mbedtls_ssl_cache_context.timeout`.
|
||||
* Add getter (mbedtls_ssl_get_hostname()) to access
|
||||
`mbedtls_ssl_context.hostname`.
|
||||
* Add getter (mbedtls_ssl_conf_get_endpoint()) to access
|
||||
`mbedtls_ssl_config.endpoint`.
|
|
@ -1,5 +0,0 @@
|
|||
API changes
|
||||
* Add new millisecond time type `mbedtls_ms_time_t` and `mbedtls_ms_time()`
|
||||
function, needed for TLS 1.3 ticket lifetimes. Alternative implementations
|
||||
can be created using an ALT interface.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Add missing md.h includes to some of the external programs from
|
||||
the programs directory. Without this, even though the configuration
|
||||
was sufficient for a particular program to work, it would only print
|
||||
a message that one of the required defines is missing.
|
|
@ -1,2 +0,0 @@
|
|||
Features
|
||||
* Add support for PBKDF2-CMAC through the PSA API.
|
|
@ -1,2 +0,0 @@
|
|||
Features
|
||||
* Add support for PBKDF2-HMAC through the PSA API.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Don't include the PSA dispatch functions for PAKEs (psa_pake_setup() etc)
|
||||
if no PAKE algorithms are requested
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add a possibility to generate CSR's with RCF822 and directoryName subtype
|
||||
of subjectAltName extension in x509 certificates.
|
|
@ -1,6 +0,0 @@
|
|||
Features
|
||||
* It is now possible to generate certificates with SubjectAltNames.
|
||||
Currently supported subtypes: DnsName, UniformResourceIdentifier,
|
||||
IP address, OtherName, and DirectoryName, as defined in RFC 5280.
|
||||
See mbedtls_x509write_crt_set_subject_alternative_name for
|
||||
more information.
|
|
@ -1,7 +0,0 @@
|
|||
Features
|
||||
* AES performance improvements. Uplift varies by platform,
|
||||
toolchain, optimisation flags and mode.
|
||||
Aarch64, gcc -Os and CCM, GCM and XTS benefit the most.
|
||||
On Aarch64, uplift is typically around 20 - 110%.
|
||||
When compiling with gcc -Os on Aarch64, AES-XTS improves
|
||||
by 4.5x.
|
|
@ -1,7 +0,0 @@
|
|||
Bugfix
|
||||
* Fix clang and armclang compilation error when targeting certain Arm
|
||||
M-class CPUs (Cortex-M0, Cortex-M0+, Cortex-M1, Cortex-M23,
|
||||
SecurCore SC000). Fixes #1077.
|
||||
Changes
|
||||
* Enable Arm / Thumb bignum assembly for most Arm platforms when
|
||||
compiling with gcc, clang or armclang and -O0.
|
|
@ -1,4 +0,0 @@
|
|||
Features
|
||||
* X.509 hostname verification now partially supports URI Subject Alternate
|
||||
Names. Only exact matching, without any normalization procedures
|
||||
described in 7.4 of RFC5280, will result in a positive URI verification.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fixed an issue that caused compile errors when using CMake and the IAR
|
||||
toolchain.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Allow MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE to be set by
|
||||
setting the CMake variable of the same name at configuration time.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a build error in some configurations with MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
enabled, where some low-level modules required by requested PSA crypto
|
||||
features were not getting automatically enabled. Fixes #7420.
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Add support for the FFDH algorithm and DH key types in PSA, with
|
||||
parameters from RFC 7919. This includes a built-in implementation based
|
||||
on MBEDTLS_BIGNUM_C, and a driver dispatch layer enabling alternative
|
||||
implementations of FFDH through the driver entry points.
|
|
@ -1,23 +0,0 @@
|
|||
Features
|
||||
* When a PSA driver for ECDH is present, it is now possible to disable
|
||||
MBEDTLS_ECDH_C in the build in order to save code size. For TLS 1.2
|
||||
key exchanges based on ECDH(E) to work, this requires
|
||||
MBEDTLS_USE_PSA_CRYPTO. Restartable/interruptible ECDHE operations in
|
||||
TLS 1.2 (ECDHE-ECDSA key exchange) are not supported in those builds yet,
|
||||
as PSA does not have an API for restartable ECDH yet.
|
||||
* When all of ECDH, ECDSA and EC J-PAKE are either disabled or provided by
|
||||
a driver, it is possible to disable MBEDTLS_ECP_C (and MBEDTLS_BIGNUM_C
|
||||
if not required by another module) and still get support for ECC keys and
|
||||
algorithms in PSA, with some limitations. See docs/driver-only-builds.txt
|
||||
for details.
|
||||
API changes
|
||||
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
||||
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
||||
their was a flaw in the logic checking if the built-in implementation, in
|
||||
that if failed to check if all the relevant curves were supported by the
|
||||
accelerator. As a result, it was possible to declare no curves as
|
||||
accelerated and still have the built-in implementation compiled out.
|
||||
Starting with this release, it is necessary to declare which curves are
|
||||
accelerated (using MBEDTLS_PSA_ACCEL_ECC_xxx macros), or they will be
|
||||
considered not accelerated, and the built-in implementation of the curves
|
||||
and any algorithm possible using them will be included in the build.
|
|
@ -1,11 +0,0 @@
|
|||
Features
|
||||
* All modules that use hashes or HMAC can now take advantage of PSA Crypto
|
||||
drivers when MBEDTLS_PSA_CRYPTO_C is enabled and psa_crypto_init() has
|
||||
been called. Previously (in 3.3), this was restricted to a few modules,
|
||||
and only in builds where MBEDTLS_MD_C was disabled; in particular the
|
||||
entropy module was not covered which meant an external RNG had to be
|
||||
provided - these limitations are lifted in this version. A new set of
|
||||
feature macros, MBEDTLS_MD_CAN_xxx, has been introduced that can be used
|
||||
to check for availability of hash algorithms, regardless of whether
|
||||
they're provided by a built-in implementation, a driver or both. See
|
||||
docs/driver-only-builds.md.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix the J-PAKE driver interface for user and peer to accept any values
|
||||
(previously accepted values were limited to "client" or "server").
|
|
@ -1,3 +0,0 @@
|
|||
Changes
|
||||
* Enforce minimum RSA key size when generating a key
|
||||
to avoid accidental misuse.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Accept arbitrary AttributeType and AttributeValue in certificate
|
||||
Distinguished Names using RFC 4514 syntax.
|
|
@ -1,6 +0,0 @@
|
|||
Features
|
||||
* Support for "opaque" (PSA-held) ECC keys in the PK module has been
|
||||
extended: it is now possible to use mbedtls_pk_write_key_der(),
|
||||
mbedtls_pk_write_key_pem(), mbedtls_pk_check_pair(), and
|
||||
mbedtls_pk_verify() with opaque ECC keys (provided the PSA attributes
|
||||
allow it).
|
|
@ -1,6 +0,0 @@
|
|||
Features
|
||||
* Add support for FFDH key exchange in TLS 1.3.
|
||||
This is automatically enabled as soon as PSA_WANT_ALG_FFDH
|
||||
and the ephemeral or psk-ephemeral key exchange mode are enabled.
|
||||
By default, all groups are offered; the list of groups can be
|
||||
configured using the existing API function mbedtls_ssl_conf_groups().
|
3
ChangeLog.d/fix-3rdparty-target-prefix.txt
Normal file
3
ChangeLog.d/fix-3rdparty-target-prefix.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
Bugfix
|
||||
* Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
|
||||
in CMake.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
|
||||
signature can silently return an incorrect result in low memory conditions.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a potential corruption of the passed-in IV when mbedtls_aes_crypt_cbc()
|
||||
is called with zero length and padlock is not enabled.
|
3
ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
Normal file
3
ChangeLog.d/fix-cmake-3rdparty-custom-config.txt
Normal file
|
@ -0,0 +1,3 @@
|
|||
Bugfix
|
||||
* Fix the build with CMake when Everest or P256-m is enabled through
|
||||
a user configuration file or the compiler command line. Fixes #8165.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix crypt_and_hash decryption fail when used with a stream cipher
|
||||
mode of operation due to the input not being multiple of block size.
|
||||
Resolves #7417.
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Fix declaration of mbedtls_ecdsa_sign_det_restartable() function
|
||||
in the ecdsa.h header file. There was a build warning when the
|
||||
configuration macro MBEDTLS_ECDSA_SIGN_ALT was defined.
|
||||
Resolves #7407.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix compile failure due to empty enum in cipher_wrap.c, when building
|
||||
with a very minimal configuration. Fixes #7625.
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* In TLS 1.3, fix handshake failure when a client in its ClientHello
|
||||
proposes an handshake based on PSK only key exchange mode or at least
|
||||
one of the key exchange modes using ephemeral keys to a server that
|
||||
supports only the PSK key exchange mode.
|
|
@ -1,2 +0,0 @@
|
|||
Bugfix
|
||||
* Fix IAR compiler warnings.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a compilation failure in the constant_time module when
|
||||
building for arm64_32 (e.g., for watchos). Reported by Paulo
|
||||
Coutinho in #7787.
|
|
@ -1,2 +0,0 @@
|
|||
Bugfix
|
||||
* Fix log level for the got supported group message. Fixes #6765
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a bug in which mbedtls_x509_string_to_names() would return success
|
||||
when given a invalid name string if it did not contain '=' or ','.
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Fix compilation warnings in aes.c, which prevented the
|
||||
example TF-M configuration in configs/ from building cleanly:
|
||||
tfm_mbedcrypto_config_profile_medium.h with
|
||||
crypto_config_profile_medium.h.
|
|
@ -1,4 +0,0 @@
|
|||
Security
|
||||
* Fix a case where potentially sensitive information held in memory would not
|
||||
be completely zeroized during TLS 1.2 handshake, in both server and client
|
||||
configurations.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c when
|
||||
built with MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT but don't have a
|
||||
way to detect the crypto extensions required. A warning is still issued.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* The documentation of mbedtls_ecp_group now describes the optimized
|
||||
representation of A for some curves. Fixes #8045.
|
|
@ -1,8 +0,0 @@
|
|||
Bugfix
|
||||
* Fix an issue when parsing an otherName subject alternative name into a
|
||||
mbedtls_x509_san_other_name struct. The type-id of the otherName was not
|
||||
copied to the struct. This meant that the struct had incomplete
|
||||
information about the otherName SAN and contained uninitialized memory.
|
||||
* Fix the detection of HardwareModuleName otherName SANs. These were being
|
||||
detected by comparing the wrong field and the check was erroneously
|
||||
inverted.
|
|
@ -1,2 +0,0 @@
|
|||
Bugfix
|
||||
* Fix the build with MBEDTLS_PSA_INJECT_ENTROPY. Fixes #7516.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix an error when MBEDTLS_ECDSA_SIGN_ALT is defined but not
|
||||
MBEDTLS_ECDSA_VERIFY_ALT, causing ecdsa verify to fail. Fixes #7498.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Improve mbedtls_x509_time performance and reduce memory use.
|
||||
* Reduce syscalls to time() during certificate verification.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix CCM* with no tag being not supported in a build with CCM as the only
|
||||
symmetric encryption algorithm and the PSA configuration enabled.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add function mbedtls_oid_from_numeric_string() to parse an OID from a
|
||||
string to a DER-encoded mbedtls_asn1_buf.
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Applications using ECC over secp256r1 through the PSA API can use a
|
||||
new implementation with a much smaller footprint, but some minor
|
||||
usage restrictions. See the documentation of the new configuration
|
||||
option MBEDTLS_PSA_P256M_DRIVER_ENABLED for details.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix missing PSA initialization in sample programs when
|
||||
MBEDTLS_USE_PSA_CRYPTO is enabled.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
|
||||
MBEDTLS_PSA_CRYPTO_CONFIG is disabled.
|
|
@ -1,2 +0,0 @@
|
|||
Requirement changes
|
||||
* Officially require Python 3.8 now that earlier versions are out of support.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add support for reading and writing X25519 and X448
|
||||
public and private keys in RFC 8410 format using the existing PK APIs.
|
|
@ -1,3 +0,0 @@
|
|||
Features
|
||||
* Add SHA-3 family hash functions.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
Bugfix
|
||||
* Fix proper sizing for PSA_EXPORT_[KEY_PAIR/PUBLIC_KEY]_MAX_SIZE and
|
||||
PSA_SIGNATURE_MAX_SIZE buffers when at least one accelerated EC is bigger
|
||||
than all built-in ones and RSA is disabled.
|
||||
Resolves #6622.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix very high stack usage in SSL debug code. Reported by Maximilian
|
||||
Gerhardt in #7804.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix a compilation error on some platforms when including mbedtls/ssl.h
|
||||
with all TLS support disabled. Fixes #6628.
|
|
@ -1,3 +0,0 @@
|
|||
Bugfix
|
||||
* Fix undefined symbols in some builds using TLS 1.3 with a custom
|
||||
configuration file.
|
|
@ -1,5 +0,0 @@
|
|||
Features
|
||||
* Add support for server-side TLS version negotiation. If both TLS 1.2 and
|
||||
TLS 1.3 protocols are enabled, the TLS server now selects TLS 1.2 or
|
||||
TLS 1.3 depending on the capabilities and preferences of TLS clients.
|
||||
Fixes #6867.
|
|
@ -1,9 +0,0 @@
|
|||
Requirement changes
|
||||
* Minimum required Windows version is now Windows Vista, or
|
||||
Windows Server 2008.
|
||||
|
||||
Changes
|
||||
* Update Windows code to use BCryptGenRandom and wcslen, and
|
||||
ensure that conversions between size_t, ULONG, and int are
|
||||
always done safely. Original contribution by Kevin Kane #635, #730
|
||||
followed by Simon Butcher #1453.
|
|
@ -1,4 +0,0 @@
|
|||
Changes
|
||||
* Use heap memory to allocate DER encoded RSA private key.
|
||||
This reduces stack usage significantly for RSA signature
|
||||
operations when MBEDTLS_PSA_CRYPTO_C is defined.
|
|
@ -1,2 +0,0 @@
|
|||
Features
|
||||
* X.509 hostname verification now supports IPAddress Subject Alternate Names.
|
|
@ -1,4 +0,0 @@
|
|||
Bugfix
|
||||
* Fix x509 certificate generation to conform to RFC 5480 / RFC 5758 when
|
||||
using ECC key. The certificate was rejected by some crypto frameworks.
|
||||
Fixes #2924.
|
|
@ -135,3 +135,12 @@ Guide](docs/architecture/alternative-implementations.md) for more information.
|
|||
- Use cryptographic mechanisms that are not based on block ciphers. In
|
||||
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
|
||||
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
|
||||
|
||||
#### Everest
|
||||
|
||||
The HACL* implementation of X25519 taken from the Everest project only protects
|
||||
against remote timing attacks. (See their [Security
|
||||
Policy](https://github.com/hacl-star/hacl-star/blob/main/SECURITY.md).)
|
||||
|
||||
The Everest variant is only used when `MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED`
|
||||
configuration option is defined. This option is off by default.
|
||||
|
|
|
@ -67,16 +67,32 @@ In the medium to long term, performing a slow or blocking operation (for example
|
|||
|
||||
We may want to go directly to a more sophisticated approach because when a system works with a global lock, it's typically hard to get rid of it to get more fine-grained concurrency.
|
||||
|
||||
### Key destruction short-term requirements
|
||||
|
||||
#### Summary of guarantees in the short term
|
||||
|
||||
When `psa_destroy_key` returns:
|
||||
|
||||
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
||||
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
||||
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
||||
|
||||
When `psa_destroy_key` is called on a key that is in use, guarantee 2. might be violated. (This is consistent with the requirement [“Correctness out of the box”](#correctness-out-of-the-box), as destroying a key while it's in use is undefined behavior.)
|
||||
|
||||
### Key destruction long-term requirements
|
||||
|
||||
As noted above in [“Correctness out of the box”](#correctness-out-of-the-box), when a key is destroyed, it's ok if `psa_destroy_key` allows copies of the key to live until ongoing operations using the key return. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
|
||||
The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
|
||||
|
||||
#### Summary of guarantees when `psa_destroy_key` returns
|
||||
#### Summary of guarantees in the long term
|
||||
|
||||
* The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
||||
* The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
||||
* The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system.
|
||||
* In the long term, no copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to become compliant.
|
||||
When `psa_destroy_key` returns:
|
||||
|
||||
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
||||
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
||||
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
||||
4. No copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to satisfy this security requirement in the future.
|
||||
|
||||
As opposed to the short term requirements, all the above guarantees hold even if `psa_destroy_key` is called on a key that is in use.
|
||||
|
||||
## Resources to protect
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
*/
|
||||
|
||||
/**
|
||||
* @mainpage Mbed TLS v3.4.1 API Documentation
|
||||
* @mainpage Mbed TLS v3.5.0 API Documentation
|
||||
*
|
||||
* This documentation describes the internal structure of Mbed TLS. It was
|
||||
* automatically generated from specially formatted comment blocks in
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
PROJECT_NAME = "Mbed TLS v3.4.1"
|
||||
PROJECT_NAME = "Mbed TLS v3.5.0"
|
||||
OUTPUT_DIRECTORY = ../apidoc/
|
||||
FULL_PATH_NAMES = NO
|
||||
OPTIMIZE_OUTPUT_FOR_C = YES
|
||||
|
|
|
@ -37,17 +37,17 @@
|
|||
* Major, Minor, Patchlevel
|
||||
*/
|
||||
#define MBEDTLS_VERSION_MAJOR 3
|
||||
#define MBEDTLS_VERSION_MINOR 4
|
||||
#define MBEDTLS_VERSION_PATCH 1
|
||||
#define MBEDTLS_VERSION_MINOR 5
|
||||
#define MBEDTLS_VERSION_PATCH 0
|
||||
|
||||
/**
|
||||
* The single version number has the following structure:
|
||||
* MMNNPP00
|
||||
* Major version | Minor version | Patch version
|
||||
*/
|
||||
#define MBEDTLS_VERSION_NUMBER 0x03040100
|
||||
#define MBEDTLS_VERSION_STRING "3.4.1"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.4.1"
|
||||
#define MBEDTLS_VERSION_NUMBER 0x03050000
|
||||
#define MBEDTLS_VERSION_STRING "3.5.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.0"
|
||||
|
||||
/* Macros for build-time platform detection */
|
||||
|
||||
|
|
|
@ -852,7 +852,6 @@ int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx,
|
|||
* \brief This function sets the padding mode, for cipher modes
|
||||
* that use padding.
|
||||
*
|
||||
* The default passing mode is PKCS7 padding.
|
||||
*
|
||||
* \param ctx The generic cipher context. This must be initialized and
|
||||
* bound to a cipher information structure.
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
*
|
||||
* The Cipher-based Message Authentication Code (CMAC) Mode for
|
||||
* Authentication is defined in <em>RFC-4493: The AES-CMAC Algorithm</em>.
|
||||
* It is supported with AES and DES.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
|
@ -38,12 +39,30 @@ extern "C" {
|
|||
#define MBEDTLS_AES_BLOCK_SIZE 16
|
||||
#define MBEDTLS_DES3_BLOCK_SIZE 8
|
||||
|
||||
/* We don't support Camellia or ARIA in this module */
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
#define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /**< The longest block used by CMAC is that of AES. */
|
||||
#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 16 /**< The longest block used by CMAC is that of AES. */
|
||||
#else
|
||||
#define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /**< The longest block used by CMAC is that of 3DES. */
|
||||
#define MBEDTLS_CMAC_MAX_BLOCK_SIZE 8 /**< The longest block used by CMAC is that of 3DES. */
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
/** The longest block supported by the cipher module.
|
||||
*
|
||||
* \deprecated
|
||||
* For the maximum block size of a cipher supported by the CMAC module,
|
||||
* use #MBEDTLS_CMAC_MAX_BLOCK_SIZE.
|
||||
* For the maximum block size of a cipher supported by the cipher module,
|
||||
* use #MBEDTLS_MAX_BLOCK_LENGTH.
|
||||
*/
|
||||
/* Before Mbed TLS 3.5, this was the maximum block size supported by the CMAC
|
||||
* module, so it didn't take Camellia or ARIA into account. Since the name
|
||||
* of the macro doesn't even convey "CMAC", this was misleading. Now the size
|
||||
* is sufficient for any cipher, but the name is defined in cmac.h for
|
||||
* backward compatibility. */
|
||||
#define MBEDTLS_CIPHER_BLKSIZE_MAX MBEDTLS_MAX_BLOCK_LENGTH
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
|
||||
#if !defined(MBEDTLS_CMAC_ALT)
|
||||
|
||||
/**
|
||||
|
@ -51,11 +70,11 @@ extern "C" {
|
|||
*/
|
||||
struct mbedtls_cmac_context_t {
|
||||
/** The internal state of the CMAC algorithm. */
|
||||
unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
|
||||
/** Unprocessed data - either data that was not block aligned and is still
|
||||
* pending processing, or the final block. */
|
||||
unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
|
||||
/** The length of data pending processing. */
|
||||
size_t MBEDTLS_PRIVATE(unprocessed_len);
|
||||
|
|
|
@ -79,7 +79,7 @@
|
|||
#define MBEDTLS_ECP_LIGHT
|
||||
#endif
|
||||
|
||||
/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in MbedTLS version 3.5, while
|
||||
/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
|
||||
* in previous version compressed points were automatically supported as long
|
||||
* as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
|
||||
* compatibility, we auto-enable PK_PARSE_EC_COMPRESSED when these conditions
|
||||
|
@ -184,6 +184,14 @@
|
|||
#define MBEDTLS_PK_HAVE_ECC_KEYS
|
||||
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */
|
||||
|
||||
/* Historically pkparse did not check the CBC padding when decrypting
|
||||
* a key. This was a bug, which is now fixed. As a consequence, pkparse
|
||||
* now needs PKCS7 padding support, but existing configurations might not
|
||||
* enable it, so we enable it here. */
|
||||
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||
#define MBEDTLS_CIPHER_PADDING_PKCS7
|
||||
#endif
|
||||
|
||||
/* Backwards compatibility for some macros which were renamed to reflect that
|
||||
* they are related to Armv8, not aarch64. */
|
||||
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
|
||||
|
|
|
@ -52,10 +52,30 @@ extern "C" {
|
|||
|
||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
/**
|
||||
* \brief PKCS12 Password Based function (encryption / decryption)
|
||||
* for cipher-based and mbedtls_md-based PBE's
|
||||
*
|
||||
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
|
||||
* be enabled at compile time.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
* Please use mbedtls_pkcs12_pbe_ext() instead.
|
||||
*
|
||||
* \warning When decrypting:
|
||||
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
|
||||
* time, this function validates the CBC padding and returns
|
||||
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
|
||||
* invalid. Note that this can help active adversaries
|
||||
* attempting to brute-forcing the password. Note also that
|
||||
* there is no guarantee that an invalid password will be
|
||||
* detected (the chances of a valid padding with a random
|
||||
* password are about 1/255).
|
||||
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
|
||||
* time, this function does not validate the CBC padding.
|
||||
*
|
||||
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
|
||||
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
|
||||
* #MBEDTLS_PKCS12_PBE_DECRYPT
|
||||
|
@ -64,17 +84,78 @@ extern "C" {
|
|||
* \param pwd Latin1-encoded password used. This may only be \c NULL when
|
||||
* \p pwdlen is 0. No null terminator should be used.
|
||||
* \param pwdlen length of the password (may be 0)
|
||||
* \param input the input data
|
||||
* \param data the input data
|
||||
* \param len data length
|
||||
* \param output the output buffer
|
||||
* \param output Output buffer.
|
||||
* On success, it contains the encrypted or decrypted data,
|
||||
* possibly followed by the CBC padding.
|
||||
* On failure, the content is indeterminate.
|
||||
* For decryption, there must be enough room for \p len
|
||||
* bytes.
|
||||
* For encryption, there must be enough room for
|
||||
* \p len + 1 bytes, rounded up to the block size of
|
||||
* the block cipher identified by \p pbe_params.
|
||||
*
|
||||
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
|
||||
*/
|
||||
int mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *input, size_t len,
|
||||
unsigned char *output);
|
||||
int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode,
|
||||
mbedtls_cipher_type_t cipher_type,
|
||||
mbedtls_md_type_t md_type,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *data, size_t len,
|
||||
unsigned char *output);
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||
|
||||
/**
|
||||
* \brief PKCS12 Password Based function (encryption / decryption)
|
||||
* for cipher-based and mbedtls_md-based PBE's
|
||||
*
|
||||
*
|
||||
* \warning When decrypting:
|
||||
* - This function validates the CBC padding and returns
|
||||
* #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is
|
||||
* invalid. Note that this can help active adversaries
|
||||
* attempting to brute-forcing the password. Note also that
|
||||
* there is no guarantee that an invalid password will be
|
||||
* detected (the chances of a valid padding with a random
|
||||
* password are about 1/255).
|
||||
*
|
||||
* \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure
|
||||
* \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or
|
||||
* #MBEDTLS_PKCS12_PBE_DECRYPT
|
||||
* \param cipher_type the cipher used
|
||||
* \param md_type the mbedtls_md used
|
||||
* \param pwd Latin1-encoded password used. This may only be \c NULL when
|
||||
* \p pwdlen is 0. No null terminator should be used.
|
||||
* \param pwdlen length of the password (may be 0)
|
||||
* \param data the input data
|
||||
* \param len data length
|
||||
* \param output Output buffer.
|
||||
* On success, it contains the encrypted or decrypted data,
|
||||
* possibly followed by the CBC padding.
|
||||
* On failure, the content is indeterminate.
|
||||
* For decryption, there must be enough room for \p len
|
||||
* bytes.
|
||||
* For encryption, there must be enough room for
|
||||
* \p len + 1 bytes, rounded up to the block size of
|
||||
* the block cipher identified by \p pbe_params.
|
||||
* \param output_size size of output buffer.
|
||||
* This must be big enough to accommodate for output plus
|
||||
* padding data.
|
||||
* \param output_len On success, length of actual data written to the output buffer.
|
||||
*
|
||||
* \return 0 if successful, or a MBEDTLS_ERR_XXX code
|
||||
*/
|
||||
int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode,
|
||||
mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *data, size_t len,
|
||||
unsigned char *output, size_t output_size,
|
||||
size_t *output_len);
|
||||
|
||||
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||
|
||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#define MBEDTLS_PKCS5_H
|
||||
|
||||
#include "mbedtls/build_info.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include "mbedtls/asn1.h"
|
||||
#include "mbedtls/md.h"
|
||||
|
@ -50,23 +51,95 @@ extern "C" {
|
|||
|
||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||
|
||||
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||
/**
|
||||
* \brief PKCS#5 PBES2 function
|
||||
*
|
||||
* \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must
|
||||
* be enabled at compile time.
|
||||
*
|
||||
* \deprecated This function is deprecated and will be removed in a
|
||||
* future version of the library.
|
||||
* Please use mbedtls_pkcs5_pbes2_ext() instead.
|
||||
*
|
||||
* \warning When decrypting:
|
||||
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile
|
||||
* time, this function validates the CBC padding and returns
|
||||
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
|
||||
* invalid. Note that this can help active adversaries
|
||||
* attempting to brute-forcing the password. Note also that
|
||||
* there is no guarantee that an invalid password will be
|
||||
* detected (the chances of a valid padding with a random
|
||||
* password are about 1/255).
|
||||
* - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile
|
||||
* time, this function does not validate the CBC padding.
|
||||
*
|
||||
* \param pbe_params the ASN.1 algorithm parameters
|
||||
* \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
|
||||
* \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
|
||||
* \param pwd password to use when generating key
|
||||
* \param pwdlen length of password
|
||||
* \param data data to process
|
||||
* \param datalen length of data
|
||||
* \param output output buffer
|
||||
* \param output Output buffer.
|
||||
* On success, it contains the encrypted or decrypted data,
|
||||
* possibly followed by the CBC padding.
|
||||
* On failure, the content is indeterminate.
|
||||
* For decryption, there must be enough room for \p datalen
|
||||
* bytes.
|
||||
* For encryption, there must be enough room for
|
||||
* \p datalen + 1 bytes, rounded up to the block size of
|
||||
* the block cipher identified by \p pbe_params.
|
||||
*
|
||||
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
|
||||
*/
|
||||
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *data, size_t datalen,
|
||||
unsigned char *output);
|
||||
int MBEDTLS_DEPRECATED mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *data, size_t datalen,
|
||||
unsigned char *output);
|
||||
#endif /* MBEDTLS_DEPRECATED_REMOVED */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||
|
||||
/**
|
||||
* \brief PKCS#5 PBES2 function
|
||||
*
|
||||
* \warning When decrypting:
|
||||
* - This function validates the CBC padding and returns
|
||||
* #MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH if the padding is
|
||||
* invalid. Note that this can help active adversaries
|
||||
* attempting to brute-forcing the password. Note also that
|
||||
* there is no guarantee that an invalid password will be
|
||||
* detected (the chances of a valid padding with a random
|
||||
* password are about 1/255).
|
||||
*
|
||||
* \param pbe_params the ASN.1 algorithm parameters
|
||||
* \param mode either #MBEDTLS_PKCS5_DECRYPT or #MBEDTLS_PKCS5_ENCRYPT
|
||||
* \param pwd password to use when generating key
|
||||
* \param pwdlen length of password
|
||||
* \param data data to process
|
||||
* \param datalen length of data
|
||||
* \param output Output buffer.
|
||||
* On success, it contains the decrypted data.
|
||||
* On failure, the content is indetermidate.
|
||||
* For decryption, there must be enough room for \p datalen
|
||||
* bytes.
|
||||
* For encryption, there must be enough room for
|
||||
* \p datalen + 1 bytes, rounded up to the block size of
|
||||
* the block cipher identified by \p pbe_params.
|
||||
* \param output_size size of output buffer.
|
||||
* This must be big enough to accommodate for output plus
|
||||
* padding data.
|
||||
* \param output_len On success, length of actual data written to the output buffer.
|
||||
*
|
||||
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if parsing or decryption fails.
|
||||
*/
|
||||
int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
const unsigned char *data, size_t datalen,
|
||||
unsigned char *output, size_t output_size,
|
||||
size_t *output_len);
|
||||
|
||||
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||
|
||||
#endif /* MBEDTLS_ASN1_PARSE_C */
|
||||
|
||||
|
|
|
@ -53,8 +53,10 @@ typedef struct mbedtls_sha256_context {
|
|||
unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */
|
||||
uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */
|
||||
uint32_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
int MBEDTLS_PRIVATE(is224); /*!< Determines which function to use:
|
||||
0: Use SHA-256, or 1: Use SHA-224. */
|
||||
#endif
|
||||
}
|
||||
mbedtls_sha256_context;
|
||||
|
||||
|
|
|
@ -35,10 +35,10 @@
|
|||
#include "mbedtls/private_access.h"
|
||||
|
||||
/*
|
||||
* Include the build-time configuration information file. Here, we do not
|
||||
* Include the build-time configuration information header. Here, we do not
|
||||
* include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
|
||||
* is basically just an alias to it. This is to ease the maintenance of the
|
||||
* PSA cryptography repository which has a different build system and
|
||||
* TF-PSA-Crypto repository which has a different build system and
|
||||
* configuration.
|
||||
*/
|
||||
#include "psa/build_info.h"
|
||||
|
|
|
@ -41,10 +41,10 @@
|
|||
#define PSA_CRYPTO_SIZES_H
|
||||
|
||||
/*
|
||||
* Include the build-time configuration information file. Here, we do not
|
||||
* Include the build-time configuration information header. Here, we do not
|
||||
* include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
|
||||
* is basically just an alias to it. This is to ease the maintenance of the
|
||||
* PSA cryptography repository which has a different build system and
|
||||
* TF-PSA-Crypto repository which has a different build system and
|
||||
* configuration.
|
||||
*/
|
||||
#include "psa/build_info.h"
|
||||
|
|
|
@ -66,9 +66,14 @@
|
|||
extern "C" {
|
||||
#endif
|
||||
|
||||
/* Include the Mbed TLS configuration file, the way Mbed TLS does it
|
||||
* in each of its header files. */
|
||||
#include "mbedtls/build_info.h"
|
||||
/*
|
||||
* Include the build-time configuration information header. Here, we do not
|
||||
* include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
|
||||
* is basically just an alias to it. This is to ease the maintenance of the
|
||||
* TF-PSA-Crypto repository which has a different build system and
|
||||
* configuration.
|
||||
*/
|
||||
#include "psa/build_info.h"
|
||||
|
||||
/* Include the context definition for the compiled-in drivers for the primitive
|
||||
* algorithms. */
|
||||
|
|
|
@ -33,8 +33,15 @@
|
|||
#ifndef PSA_CRYPTO_TYPES_H
|
||||
#define PSA_CRYPTO_TYPES_H
|
||||
|
||||
/* Make sure the Mbed TLS configuration is visible. */
|
||||
#include "mbedtls/build_info.h"
|
||||
/*
|
||||
* Include the build-time configuration information header. Here, we do not
|
||||
* include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which
|
||||
* is basically just an alias to it. This is to ease the maintenance of the
|
||||
* TF-PSA-Crypto repository which has a different build system and
|
||||
* configuration.
|
||||
*/
|
||||
#include "psa/build_info.h"
|
||||
|
||||
/* Define the MBEDTLS_PRIVATE macro. */
|
||||
#include "mbedtls/private_access.h"
|
||||
|
||||
|
|
|
@ -268,17 +268,20 @@ if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
|
|||
${mbedtls_static_target})
|
||||
endif()
|
||||
|
||||
set(p256m_target "${MBEDTLS_TARGET_PREFIX}p256m")
|
||||
set(everest_target "${MBEDTLS_TARGET_PREFIX}everest")
|
||||
|
||||
if(USE_STATIC_MBEDTLS_LIBRARY)
|
||||
add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
|
||||
set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
|
||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
|
||||
|
||||
if(TARGET everest)
|
||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC everest)
|
||||
if(TARGET ${everest_target})
|
||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${everest_target})
|
||||
endif()
|
||||
|
||||
if(TARGET p256m)
|
||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC p256m)
|
||||
if(TARGET ${p256m_target})
|
||||
target_link_libraries(${mbedcrypto_static_target} PUBLIC ${p256m_target})
|
||||
endif()
|
||||
|
||||
add_library(${mbedx509_static_target} STATIC ${src_x509})
|
||||
|
@ -293,23 +296,23 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
|
|||
if(USE_SHARED_MBEDTLS_LIBRARY)
|
||||
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
|
||||
add_library(${mbedcrypto_target} SHARED ${src_crypto})
|
||||
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.4.1 SOVERSION 14)
|
||||
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 3.5.0 SOVERSION 15)
|
||||
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
|
||||
|
||||
if(TARGET everest)
|
||||
target_link_libraries(${mbedcrypto_target} PUBLIC everest)
|
||||
if(TARGET ${everest_target})
|
||||
target_link_libraries(${mbedcrypto_target} PUBLIC ${everest_target})
|
||||
endif()
|
||||
|
||||
if(TARGET p256m)
|
||||
target_link_libraries(${mbedcrypto_target} PUBLIC p256m)
|
||||
if(TARGET ${p256m_target})
|
||||
target_link_libraries(${mbedcrypto_target} PUBLIC ${p256m_target})
|
||||
endif()
|
||||
|
||||
add_library(${mbedx509_target} SHARED ${src_x509})
|
||||
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.4.1 SOVERSION 5)
|
||||
set_target_properties(${mbedx509_target} PROPERTIES VERSION 3.5.0 SOVERSION 6)
|
||||
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
|
||||
|
||||
add_library(${mbedtls_target} SHARED ${src_tls})
|
||||
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.4.1 SOVERSION 19)
|
||||
set_target_properties(${mbedtls_target} PROPERTIES VERSION 3.5.0 SOVERSION 20)
|
||||
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
|
||||
endif(USE_SHARED_MBEDTLS_LIBRARY)
|
||||
|
||||
|
|
|
@ -51,9 +51,9 @@ LOCAL_CFLAGS += -fPIC -fpic
|
|||
endif
|
||||
endif
|
||||
|
||||
SOEXT_TLS?=so.19
|
||||
SOEXT_X509?=so.5
|
||||
SOEXT_CRYPTO?=so.14
|
||||
SOEXT_TLS?=so.20
|
||||
SOEXT_X509?=so.6
|
||||
SOEXT_CRYPTO?=so.15
|
||||
|
||||
# Set AR_DASH= (empty string) to use an ar implementation that does not accept
|
||||
# the - prefix for command line options (e.g. llvm-ar)
|
||||
|
|
|
@ -34,23 +34,15 @@
|
|||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#if defined(MBEDTLS_ARCH_IS_ARM64)
|
||||
#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
|
||||
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARCH_IS_X64)
|
||||
#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
|
||||
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
|
||||
#if !((defined(MBEDTLS_ARCH_IS_ARM64) && defined(MBEDTLS_AESCE_C)) || \
|
||||
(defined(MBEDTLS_ARCH_IS_X64) && defined(MBEDTLS_AESNI_C)) || \
|
||||
(defined(MBEDTLS_ARCH_IS_X86) && defined(MBEDTLS_AESNI_C)))
|
||||
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARCH_IS_X86)
|
||||
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && !defined(MBEDTLS_AESNI_C)
|
||||
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PADLOCK_C)
|
||||
#if !defined(MBEDTLS_HAVE_ASM)
|
||||
#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
|
||||
|
|
|
@ -83,7 +83,7 @@ int mbedtls_mpi_lt_mpi_ct(const mbedtls_mpi *X,
|
|||
* That is if X is negative (X_is_negative == 1), then X < Y is true and it
|
||||
* is false if X is positive (X_is_negative == 0).
|
||||
*/
|
||||
different_sign = mbedtls_ct_bool_xor(X_is_negative, Y_is_negative); // true if different sign
|
||||
different_sign = mbedtls_ct_bool_ne(X_is_negative, Y_is_negative); // true if different sign
|
||||
result = mbedtls_ct_bool_and(different_sign, X_is_negative);
|
||||
|
||||
/*
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
#include "mbedtls/ccm.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
|
@ -532,13 +533,8 @@ static int mbedtls_ccm_compare_tags(const unsigned char *tag1,
|
|||
const unsigned char *tag2,
|
||||
size_t tag_len)
|
||||
{
|
||||
unsigned char i;
|
||||
int diff;
|
||||
|
||||
/* Check tag in "constant-time" */
|
||||
for (diff = 0, i = 0; i < tag_len; i++) {
|
||||
diff |= tag1[i] ^ tag2[i];
|
||||
}
|
||||
int diff = mbedtls_ct_memcmp(tag1, tag2, tag_len);
|
||||
|
||||
if (diff != 0) {
|
||||
return MBEDTLS_ERR_CCM_AUTH_FAILED;
|
||||
|
|
|
@ -25,6 +25,7 @@
|
|||
#include "mbedtls/chachapoly.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
|
@ -310,7 +311,6 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
|
|||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char check_tag[16];
|
||||
size_t i;
|
||||
int diff;
|
||||
|
||||
if ((ret = chachapoly_crypt_and_tag(ctx,
|
||||
|
@ -320,9 +320,7 @@ int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
|
|||
}
|
||||
|
||||
/* Check tag in "constant-time" */
|
||||
for (diff = 0, i = 0; i < sizeof(check_tag); i++) {
|
||||
diff |= tag[i] ^ check_tag[i];
|
||||
}
|
||||
diff = mbedtls_ct_memcmp(tag, check_tag, sizeof(check_tag));
|
||||
|
||||
if (diff != 0) {
|
||||
mbedtls_platform_zeroize(output, length);
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
#include "constant_time_internal.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
@ -268,17 +269,6 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx,
|
|||
|
||||
ctx->cipher_info = cipher_info;
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
||||
/*
|
||||
* Ignore possible errors caused by a cipher mode that doesn't use padding
|
||||
*/
|
||||
#if defined(MBEDTLS_CIPHER_PADDING_PKCS7)
|
||||
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_PKCS7);
|
||||
#else
|
||||
(void) mbedtls_cipher_set_padding_mode(ctx, MBEDTLS_PADDING_NONE);
|
||||
#endif
|
||||
#endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -848,7 +838,7 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
|
|||
size_t *data_len)
|
||||
{
|
||||
size_t i, pad_idx;
|
||||
unsigned char padding_len, bad = 0;
|
||||
unsigned char padding_len;
|
||||
|
||||
if (NULL == input || NULL == data_len) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
|
@ -857,18 +847,19 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
|
|||
padding_len = input[input_len - 1];
|
||||
*data_len = input_len - padding_len;
|
||||
|
||||
/* Avoid logical || since it results in a branch */
|
||||
bad |= padding_len > input_len;
|
||||
bad |= padding_len == 0;
|
||||
mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
|
||||
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
|
||||
|
||||
/* The number of bytes checked must be independent of padding_len,
|
||||
* so pick input_len, which is usually 8 or 16 (one block) */
|
||||
pad_idx = input_len - padding_len;
|
||||
for (i = 0; i < input_len; i++) {
|
||||
bad |= (input[i] ^ padding_len) * (i >= pad_idx);
|
||||
mbedtls_ct_condition_t in_padding = mbedtls_ct_uint_ge(i, pad_idx);
|
||||
mbedtls_ct_condition_t different = mbedtls_ct_uint_ne(input[i], padding_len);
|
||||
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
|
||||
}
|
||||
|
||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
||||
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */
|
||||
|
||||
|
@ -891,24 +882,28 @@ static void add_one_and_zeros_padding(unsigned char *output,
|
|||
static int get_one_and_zeros_padding(unsigned char *input, size_t input_len,
|
||||
size_t *data_len)
|
||||
{
|
||||
size_t i;
|
||||
unsigned char done = 0, prev_done, bad;
|
||||
|
||||
if (NULL == input || NULL == data_len) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
bad = 0x80;
|
||||
mbedtls_ct_condition_t in_padding = MBEDTLS_CT_TRUE;
|
||||
mbedtls_ct_condition_t bad = MBEDTLS_CT_TRUE;
|
||||
|
||||
*data_len = 0;
|
||||
for (i = input_len; i > 0; i--) {
|
||||
prev_done = done;
|
||||
done |= (input[i - 1] != 0);
|
||||
*data_len |= (i - 1) * (done != prev_done);
|
||||
bad ^= input[i - 1] * (done != prev_done);
|
||||
|
||||
for (ptrdiff_t i = (ptrdiff_t) (input_len) - 1; i >= 0; i--) {
|
||||
mbedtls_ct_condition_t is_nonzero = mbedtls_ct_bool(input[i]);
|
||||
|
||||
mbedtls_ct_condition_t hit_first_nonzero = mbedtls_ct_bool_and(is_nonzero, in_padding);
|
||||
|
||||
*data_len = mbedtls_ct_size_if(hit_first_nonzero, i, *data_len);
|
||||
|
||||
bad = mbedtls_ct_bool_if(hit_first_nonzero, mbedtls_ct_uint_ne(input[i], 0x80), bad);
|
||||
|
||||
in_padding = mbedtls_ct_bool_and(in_padding, mbedtls_ct_bool_not(is_nonzero));
|
||||
}
|
||||
|
||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
||||
|
||||
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS */
|
||||
|
||||
|
@ -932,7 +927,8 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
|||
size_t *data_len)
|
||||
{
|
||||
size_t i, pad_idx;
|
||||
unsigned char padding_len, bad = 0;
|
||||
unsigned char padding_len;
|
||||
mbedtls_ct_condition_t bad;
|
||||
|
||||
if (NULL == input || NULL == data_len) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
|
@ -942,16 +938,19 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
|||
*data_len = input_len - padding_len;
|
||||
|
||||
/* Avoid logical || since it results in a branch */
|
||||
bad |= padding_len > input_len;
|
||||
bad |= padding_len == 0;
|
||||
bad = mbedtls_ct_uint_gt(padding_len, input_len);
|
||||
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
|
||||
|
||||
/* The number of bytes checked must be independent of padding_len */
|
||||
pad_idx = input_len - padding_len;
|
||||
for (i = 0; i < input_len - 1; i++) {
|
||||
bad |= input[i] * (i >= pad_idx);
|
||||
mbedtls_ct_condition_t is_padding = mbedtls_ct_uint_ge(i, pad_idx);
|
||||
mbedtls_ct_condition_t nonzero_pad_byte;
|
||||
nonzero_pad_byte = mbedtls_ct_bool_if_else_0(is_padding, mbedtls_ct_bool(input[i]));
|
||||
bad = mbedtls_ct_bool_or(bad, nonzero_pad_byte);
|
||||
}
|
||||
|
||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING * (bad != 0);
|
||||
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN */
|
||||
|
||||
|
@ -962,18 +961,14 @@ static int get_zeros_and_len_padding(unsigned char *input, size_t input_len,
|
|||
static void add_zeros_padding(unsigned char *output,
|
||||
size_t output_len, size_t data_len)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = data_len; i < output_len; i++) {
|
||||
output[i] = 0x00;
|
||||
}
|
||||
memset(output + data_len, 0, output_len - data_len);
|
||||
}
|
||||
|
||||
static int get_zeros_padding(unsigned char *input, size_t input_len,
|
||||
size_t *data_len)
|
||||
{
|
||||
size_t i;
|
||||
unsigned char done = 0, prev_done;
|
||||
mbedtls_ct_condition_t done = MBEDTLS_CT_FALSE, prev_done;
|
||||
|
||||
if (NULL == input || NULL == data_len) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
|
@ -982,8 +977,8 @@ static int get_zeros_padding(unsigned char *input, size_t input_len,
|
|||
*data_len = 0;
|
||||
for (i = input_len; i > 0; i--) {
|
||||
prev_done = done;
|
||||
done |= (input[i-1] != 0);
|
||||
*data_len |= i * (done != prev_done);
|
||||
done = mbedtls_ct_bool_or(done, mbedtls_ct_uint_ne(input[i-1], 0));
|
||||
*data_len = mbedtls_ct_size_if(mbedtls_ct_bool_ne(done, prev_done), i, *data_len);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
@ -1027,6 +1022,16 @@ int mbedtls_cipher_finish(mbedtls_cipher_context_t *ctx,
|
|||
|
||||
*olen = 0;
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING)
|
||||
/* CBC mode requires padding so we make sure a call to
|
||||
* mbedtls_cipher_set_padding_mode has been done successfully. */
|
||||
if (MBEDTLS_MODE_CBC == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode)) {
|
||||
if (ctx->get_padding == NULL) {
|
||||
return MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if (MBEDTLS_MODE_CFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||
MBEDTLS_MODE_OFB == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||
MBEDTLS_MODE_CTR == ((mbedtls_cipher_mode_t) ctx->cipher_info->mode) ||
|
||||
|
|
|
@ -114,7 +114,7 @@ static int cmac_generate_subkeys(mbedtls_cipher_context_t *ctx,
|
|||
unsigned char *K1, unsigned char *K2)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char L[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char L[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
size_t olen, block_size;
|
||||
|
||||
mbedtls_platform_zeroize(L, sizeof(L));
|
||||
|
@ -152,7 +152,7 @@ exit:
|
|||
* We can't use the padding option from the cipher layer, as it only works for
|
||||
* CBC and we use ECB mode, and anyway we need to XOR K1 or K2 in addition.
|
||||
*/
|
||||
static void cmac_pad(unsigned char padded_block[MBEDTLS_CIPHER_BLKSIZE_MAX],
|
||||
static void cmac_pad(unsigned char padded_block[MBEDTLS_CMAC_MAX_BLOCK_SIZE],
|
||||
size_t padded_block_len,
|
||||
const unsigned char *last_block,
|
||||
size_t last_block_len)
|
||||
|
@ -283,9 +283,9 @@ int mbedtls_cipher_cmac_finish(mbedtls_cipher_context_t *ctx,
|
|||
{
|
||||
mbedtls_cmac_context_t *cmac_ctx;
|
||||
unsigned char *state, *last_block;
|
||||
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char M_last[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
unsigned char M_last[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t olen, block_size;
|
||||
|
||||
|
@ -332,7 +332,7 @@ exit:
|
|||
mbedtls_platform_zeroize(cmac_ctx->unprocessed_block,
|
||||
sizeof(cmac_ctx->unprocessed_block));
|
||||
|
||||
mbedtls_platform_zeroize(state, MBEDTLS_CIPHER_BLKSIZE_MAX);
|
||||
mbedtls_platform_zeroize(state, MBEDTLS_CMAC_MAX_BLOCK_SIZE);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -750,8 +750,8 @@ static int cmac_test_subkeys(int verbose,
|
|||
int i, ret = 0;
|
||||
mbedtls_cipher_context_t ctx;
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
unsigned char K1[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char K2[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char K1[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
unsigned char K2[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
|
||||
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
||||
if (cipher_info == NULL) {
|
||||
|
@ -845,7 +845,7 @@ static int cmac_test_wth_cipher(int verbose,
|
|||
{
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
int i, ret = 0;
|
||||
unsigned char output[MBEDTLS_CIPHER_BLKSIZE_MAX];
|
||||
unsigned char output[MBEDTLS_CMAC_MAX_BLOCK_SIZE];
|
||||
|
||||
cipher_info = mbedtls_cipher_info_from_type(cipher_type);
|
||||
if (cipher_info == NULL) {
|
||||
|
|
|
@ -22,6 +22,7 @@
|
|||
* might be translated to branches by some compilers on some platforms.
|
||||
*/
|
||||
|
||||
#include <stdint.h>
|
||||
#include <limits.h>
|
||||
|
||||
#include "common.h"
|
||||
|
@ -120,9 +121,56 @@ int mbedtls_ct_memcmp(const void *a,
|
|||
diff |= x ^ y;
|
||||
}
|
||||
|
||||
|
||||
#if (INT_MAX < INT32_MAX)
|
||||
/* We don't support int smaller than 32-bits, but if someone tried to build
|
||||
* with this configuration, there is a risk that, for differing data, the
|
||||
* only bits set in diff are in the top 16-bits, and would be lost by a
|
||||
* simple cast from uint32 to int.
|
||||
* This would have significant security implications, so protect against it. */
|
||||
#error "mbedtls_ct_memcmp() requires minimum 32-bit ints"
|
||||
#else
|
||||
/* The bit-twiddling ensures that when we cast uint32_t to int, we are casting
|
||||
* a value that is in the range 0..INT_MAX - a value larger than this would
|
||||
* result in implementation defined behaviour.
|
||||
*
|
||||
* This ensures that the value returned by the function is non-zero iff
|
||||
* diff is non-zero.
|
||||
*/
|
||||
return (int) ((diff & 0xffff) | (diff >> 16));
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_NIST_KW_C)
|
||||
|
||||
int mbedtls_ct_memcmp_partial(const void *a,
|
||||
const void *b,
|
||||
size_t n,
|
||||
size_t skip_head,
|
||||
size_t skip_tail)
|
||||
{
|
||||
unsigned int diff = 0;
|
||||
|
||||
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
||||
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
||||
|
||||
size_t valid_end = n - skip_tail;
|
||||
|
||||
for (size_t i = 0; i < n; i++) {
|
||||
unsigned char x = A[i], y = B[i];
|
||||
unsigned int d = x ^ y;
|
||||
mbedtls_ct_condition_t valid = mbedtls_ct_bool_and(mbedtls_ct_uint_ge(i, skip_head),
|
||||
mbedtls_ct_uint_lt(i, valid_end));
|
||||
diff |= mbedtls_ct_uint_if_else_0(valid, d);
|
||||
}
|
||||
|
||||
/* Since we go byte-by-byte, the only bits set will be in the bottom 8 bits, so the
|
||||
* cast from uint to int is safe. */
|
||||
return (int) diff;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||
|
||||
void mbedtls_ct_memmove_left(void *start, size_t total, size_t offset)
|
||||
|
|
|
@ -429,7 +429,6 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
|
|||
return (unsigned char) (~(low_mask | high_mask)) & to;
|
||||
}
|
||||
|
||||
|
||||
/* ============================================================================
|
||||
* Everything below here is trivial wrapper functions
|
||||
*/
|
||||
|
@ -448,6 +447,14 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
|
|||
return (unsigned) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1, (mbedtls_ct_uint_t) if0);
|
||||
}
|
||||
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
|
||||
mbedtls_ct_condition_t if1,
|
||||
mbedtls_ct_condition_t if0)
|
||||
{
|
||||
return (mbedtls_ct_condition_t) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) if1,
|
||||
(mbedtls_ct_uint_t) if0);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t condition,
|
||||
|
@ -471,6 +478,12 @@ static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t conditio
|
|||
return (unsigned) (condition & if1);
|
||||
}
|
||||
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
|
||||
mbedtls_ct_condition_t if1)
|
||||
{
|
||||
return (mbedtls_ct_condition_t) (condition & if1);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_condition_t condition,
|
||||
|
@ -481,6 +494,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_conditio
|
|||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0)
|
||||
{
|
||||
/* Coverting int -> uint -> int here is safe, because we require if1 and if0 to be
|
||||
* in the range -32767..0, and we require 32-bit int and uint types.
|
||||
*
|
||||
* This means that (0 <= -if0 < INT_MAX), so negating if0 is safe, and similarly for
|
||||
* converting back to int.
|
||||
*/
|
||||
return -((int) mbedtls_ct_if(condition, (mbedtls_ct_uint_t) (-if1),
|
||||
(mbedtls_ct_uint_t) (-if0)));
|
||||
}
|
||||
|
||||
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1)
|
||||
{
|
||||
return -((int) (condition & (-if1)));
|
||||
}
|
||||
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_uint_eq(mbedtls_ct_uint_t x,
|
||||
mbedtls_ct_uint_t y)
|
||||
{
|
||||
|
@ -505,8 +535,8 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
|||
return ~mbedtls_ct_uint_gt(x, y);
|
||||
}
|
||||
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x,
|
||||
mbedtls_ct_condition_t y)
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
|
||||
mbedtls_ct_condition_t y)
|
||||
{
|
||||
return (mbedtls_ct_condition_t) (x ^ y);
|
||||
}
|
||||
|
|
|
@ -194,11 +194,11 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_ge(mbedtls_ct_uint_t x,
|
|||
static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
||||
mbedtls_ct_uint_t y);
|
||||
|
||||
/** Boolean "xor" operation.
|
||||
/** Boolean not-equals operation.
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
*
|
||||
* \p x ^ \p y
|
||||
* \p x != \p y
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
|
@ -206,11 +206,11 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_le(mbedtls_ct_uint_t x,
|
|||
* \note This is more efficient than mbedtls_ct_uint_ne if both arguments are
|
||||
* mbedtls_ct_condition_t.
|
||||
*
|
||||
* \return MBEDTLS_CT_TRUE if \p x ^ \p y,
|
||||
* \return MBEDTLS_CT_TRUE if \p x != \p y,
|
||||
* otherwise MBEDTLS_CT_FALSE.
|
||||
*/
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_xor(mbedtls_ct_condition_t x,
|
||||
mbedtls_ct_condition_t y);
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_ne(mbedtls_ct_condition_t x,
|
||||
mbedtls_ct_condition_t y);
|
||||
|
||||
/** Boolean "and" operation.
|
||||
*
|
||||
|
@ -291,6 +291,22 @@ static inline unsigned mbedtls_ct_uint_if(mbedtls_ct_condition_t condition,
|
|||
unsigned if1,
|
||||
unsigned if0);
|
||||
|
||||
/** Choose between two mbedtls_ct_condition_t values.
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
*
|
||||
* condition ? if1 : if0.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
|
||||
*
|
||||
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
|
||||
*/
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if(mbedtls_ct_condition_t condition,
|
||||
mbedtls_ct_condition_t if1,
|
||||
mbedtls_ct_condition_t if0);
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
/** Choose between two mbedtls_mpi_uint values.
|
||||
|
@ -327,6 +343,23 @@ static inline mbedtls_mpi_uint mbedtls_ct_mpi_uint_if(mbedtls_ct_condition_t con
|
|||
*/
|
||||
static inline unsigned mbedtls_ct_uint_if_else_0(mbedtls_ct_condition_t condition, unsigned if1);
|
||||
|
||||
/** Choose between an mbedtls_ct_condition_t and 0.
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
*
|
||||
* condition ? if1 : 0.
|
||||
*
|
||||
* Functionally equivalent to mbedtls_ct_bool_if(condition, if1, 0) but
|
||||
* results in smaller code size.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||
*
|
||||
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
|
||||
*/
|
||||
static inline mbedtls_ct_condition_t mbedtls_ct_bool_if_else_0(mbedtls_ct_condition_t condition,
|
||||
mbedtls_ct_condition_t if1);
|
||||
|
||||
/** Choose between a size_t value and 0.
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
|
@ -378,6 +411,35 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
|
|||
unsigned char c,
|
||||
unsigned char t);
|
||||
|
||||
/** Choose between two error values. The values must be in the range [-32767..0].
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
*
|
||||
* condition ? if1 : if0.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||
* \param if0 Value to use if \p condition == MBEDTLS_CT_FALSE.
|
||||
*
|
||||
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise \c if0.
|
||||
*/
|
||||
static inline int mbedtls_ct_error_if(mbedtls_ct_condition_t condition, int if1, int if0);
|
||||
|
||||
/** Choose between an error value and 0. The error value must be in the range [-32767..0].
|
||||
*
|
||||
* Functionally equivalent to:
|
||||
*
|
||||
* condition ? if1 : 0.
|
||||
*
|
||||
* Functionally equivalent to mbedtls_ct_error_if(condition, if1, 0) but
|
||||
* results in smaller code size.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 Value to use if \p condition == MBEDTLS_CT_TRUE.
|
||||
*
|
||||
* \return \c if1 if \p condition == MBEDTLS_CT_TRUE, otherwise 0.
|
||||
*/
|
||||
static inline int mbedtls_ct_error_if_else_0(mbedtls_ct_condition_t condition, int if1);
|
||||
|
||||
/* ============================================================================
|
||||
* Block memory operations
|
||||
|
@ -492,6 +554,37 @@ void mbedtls_ct_memcpy_offset(unsigned char *dest,
|
|||
size_t n);
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_NIST_KW_C)
|
||||
|
||||
/** Constant-time buffer comparison without branches.
|
||||
*
|
||||
* Similar to mbedtls_ct_memcmp, except that the result only depends on part of
|
||||
* the input data - differences in the head or tail are ignored. Functionally equivalent to:
|
||||
*
|
||||
* memcmp(a + skip_head, b + skip_head, size - skip_head - skip_tail)
|
||||
*
|
||||
* Time taken depends on \p n, but not on \p skip_head or \p skip_tail .
|
||||
*
|
||||
* Behaviour is undefined if ( \p skip_head + \p skip_tail) > \p n.
|
||||
*
|
||||
* \param a Secret. Pointer to the first buffer, containing at least \p n bytes. May not be NULL.
|
||||
* \param b Secret. Pointer to the second buffer, containing at least \p n bytes. May not be NULL.
|
||||
* \param n The number of bytes to examine (total size of the buffers).
|
||||
* \param skip_head Secret. The number of bytes to treat as non-significant at the start of the buffer.
|
||||
* These bytes will still be read.
|
||||
* \param skip_tail Secret. The number of bytes to treat as non-significant at the end of the buffer.
|
||||
* These bytes will still be read.
|
||||
*
|
||||
* \return Zero if the contents of the two buffers are the same, otherwise non-zero.
|
||||
*/
|
||||
int mbedtls_ct_memcmp_partial(const void *a,
|
||||
const void *b,
|
||||
size_t n,
|
||||
size_t skip_head,
|
||||
size_t skip_tail);
|
||||
|
||||
#endif
|
||||
|
||||
/* Include the implementation of static inline functions above. */
|
||||
#include "constant_time_impl.h"
|
||||
|
||||
|
|
|
@ -35,6 +35,7 @@
|
|||
#include "mbedtls/platform.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
|
@ -601,7 +602,6 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
|
|||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char check_tag[16];
|
||||
size_t i;
|
||||
int diff;
|
||||
|
||||
if ((ret = mbedtls_gcm_crypt_and_tag(ctx, MBEDTLS_GCM_DECRYPT, length,
|
||||
|
@ -611,9 +611,7 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
|
|||
}
|
||||
|
||||
/* Check tag in "constant-time" */
|
||||
for (diff = 0, i = 0; i < tag_len; i++) {
|
||||
diff |= tag[i] ^ check_tag[i];
|
||||
}
|
||||
diff = mbedtls_ct_memcmp(tag, check_tag, tag_len);
|
||||
|
||||
if (diff != 0) {
|
||||
mbedtls_platform_zeroize(output, length);
|
||||
|
|
|
@ -35,6 +35,7 @@
|
|||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
#include "constant_time_internal.h"
|
||||
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
@ -333,9 +334,9 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
|
|||
unsigned char *output, size_t *out_len, size_t out_size)
|
||||
{
|
||||
int ret = 0;
|
||||
size_t i, olen;
|
||||
size_t olen;
|
||||
unsigned char A[KW_SEMIBLOCK_LENGTH];
|
||||
unsigned char diff, bad_padding = 0;
|
||||
int diff;
|
||||
|
||||
*out_len = 0;
|
||||
if (out_size < in_len - KW_SEMIBLOCK_LENGTH) {
|
||||
|
@ -420,19 +421,15 @@ int mbedtls_nist_kw_unwrap(mbedtls_nist_kw_context *ctx,
|
|||
* larger than 8, because of the type wrap around.
|
||||
*/
|
||||
padlen = in_len - KW_SEMIBLOCK_LENGTH - Plen;
|
||||
if (padlen > 7) {
|
||||
padlen &= 7;
|
||||
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
||||
}
|
||||
ret = mbedtls_ct_error_if(mbedtls_ct_uint_gt(padlen, 7),
|
||||
MBEDTLS_ERR_CIPHER_AUTH_FAILED, ret);
|
||||
padlen &= 7;
|
||||
|
||||
/* Check padding in "constant-time" */
|
||||
for (diff = 0, i = 0; i < KW_SEMIBLOCK_LENGTH; i++) {
|
||||
if (i >= KW_SEMIBLOCK_LENGTH - padlen) {
|
||||
diff |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
|
||||
} else {
|
||||
bad_padding |= output[*out_len - KW_SEMIBLOCK_LENGTH + i];
|
||||
}
|
||||
}
|
||||
const uint8_t zero[KW_SEMIBLOCK_LENGTH] = { 0 };
|
||||
diff = mbedtls_ct_memcmp_partial(
|
||||
&output[*out_len - KW_SEMIBLOCK_LENGTH], zero,
|
||||
KW_SEMIBLOCK_LENGTH, KW_SEMIBLOCK_LENGTH - padlen, 0);
|
||||
|
||||
if (diff != 0) {
|
||||
ret = MBEDTLS_ERR_CIPHER_AUTH_FAILED;
|
||||
|
@ -454,7 +451,6 @@ cleanup:
|
|||
*out_len = 0;
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize(&bad_padding, sizeof(bad_padding));
|
||||
mbedtls_platform_zeroize(&diff, sizeof(diff));
|
||||
mbedtls_platform_zeroize(A, sizeof(A));
|
||||
|
||||
|
|
|
@ -117,5 +117,14 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont
|
|||
#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
|
||||
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
|
||||
MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der(
|
||||
mbedtls_pk_context *pk,
|
||||
unsigned char *key, size_t keylen,
|
||||
const unsigned char *pwd, size_t pwdlen,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
|
||||
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_PK_INTERNAL_H */
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue