Commit graph

73 commits

Author SHA1 Message Date
Tom Cosgrove
87fbfb5d82 SECLIB-667: Accelerate SHA-512 with A64 crypto extensions
Provide an additional pair of #defines, MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
and MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. At most one of them may be
specified. If used, it is necessary to compile with -march=armv8.2-a+sha3.

The MBEDTLS_SHA512_PROCESS_ALT and MBEDTLS_SHA512_ALT mechanisms
continue to work, and are mutually exclusive with SHA512_USE_A64_CRYPTO.

There should be minimal code size impact if no A64_CRYPTO option is set.

The SHA-512 implementation was originally written by Simon Tatham for PuTTY,
under the MIT licence; dual-licensed as Apache 2 with his kind permission.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-03-23 21:40:53 +00:00
Joe Subbiani
99edd6c810 Add UINT64 GET and PUT macros
Copy over the GET/PUT_UINT64_LE/BE macros from aes.c and sha512.c
Add the MBEDTLS_ prefix to all 4 macros.
Modify the GET_UINT64 macros to no longer take a target variable
as a parameter, so when the macro function is called it must be
assigned to a variable in the same statement.

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-08-19 09:56:47 +01:00
TRodziewicz
26371e4793 Rename the _ret() functions
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-08 16:45:41 +02:00
Mateusz Starzyk
17011a3185 Merge branch 'development' into convert_NO_SHA384_to_positive
Conflicts:
	library/version_features.c
	programs/test/query_config.c

Files were removed in development branch and modified by current branch.
Conflicts fixes by removing them.
2021-05-20 14:18:12 +02:00
Gilles Peskine
e02e02f203 Change sha512 output type from an array to a pointer
The output parameter of mbedtls_sha512_finish_ret and mbedtls_sha512_ret
now has a pointer type rather than array type. This removes spurious
warnings in some compilers when outputting a SHA-384 hash into a
48-byte buffer.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 00:32:45 +02:00
Mateusz Starzyk
3352a53475 Modify config option for SHA384.
Although SHA512 is currently required to enable SHA384, this
is expected to change in the future. This commit is an
intermediate step towards fully separating SHA384 and SHA512.

check_config is the only module which enforces that SHA512 is
enabled together with SHA384.

Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-04-28 14:38:37 +02:00
TRodziewicz
136b3989cb Remove deprecated things from hashing modules
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-04-15 12:34:09 +02:00
Manuel Pégourié-Gonnard
489c058b52 Merge branch 'development' into development-restricted
* development: (488 commits)
  Fix removal of deprecated PSA constants
  Use GitHub-compatible table formatting
  Remove psa header files in uninstall part
  Change function casting in `ssl_calc_finished_tls_sha384`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Add changelog entry file to `ChangeLog.d`
  Fix GCC warning in `ssl_calc_finished_tls_sha384`
  Fix GCC warning about `test_snprintf`
  Fix mismatched function parameters (prototype/definition)
  Fix build failure on gcc-11
  Copyediting
  Clarifications around key import
  Fix copypasta
  A variable is unused in some configurations
  Rename test_driver_keygen to test_driver_key_management
  Move "internal use" sentence attached to the wrong function
  Added changelog
  Plug in the entry point for public key export through driver
  tests: psa: Reset key attributes where needed
  Improve/fix documentation
  ...
2020-12-03 09:59:42 +01:00
Gilles Peskine
bbc6032444
Merge pull request #731 from gabor-mezei-arm/692_missing_zeroizations_of_sensitive_data
Missing zeroizations of sensitive data
2020-09-18 16:20:13 +02:00
gabor-mezei-arm
4cb56f83cb
Put local variables and buffers in a struct
This reduces the impact of the code size increase due to the addition
of calls to mbedtls_platform_zeroize.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:59 +02:00
gabor-mezei-arm
76749aea78
Zeroize internal buffers and variables in PKCS and SHA
Zeroising of local buffers and variables which are used for calculations in
mbedtls_pkcs5_pbkdf2_hmac() and mbedtls_internal_sha*_process() functions
to erase sensitive data from memory.
Checked all function for possible missing zeroisation in PKCS and SHA.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-08-25 19:13:58 +02:00
Guido Vranken
962e4ee4a6 Use single-line string literals.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
2020-08-21 21:08:56 +02:00
Guido Vranken
027fe00d2e Prevent triggering Clang 12 -Wstring-concatenation warning
Wrap multi-line string literals in parentheses
to prevent a Clang 12 -Wstring-concatenation warning
(activated by -Wall), which caused the build to fail.

Fixes https://github.com/ARMmbed/mbedtls/issues/3586

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
2020-08-21 10:05:52 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Gilles Peskine
db09ef6d22 Include common.h instead of config.h in library source files
In library source files, include "common.h", which takes care of
including "mbedtls/config.h" (or the alternative MBEDTLS_CONFIG_FILE)
and other things that are used throughout the library.

FROM=$'#if !defined(MBEDTLS_CONFIG_FILE)\n#include "mbedtls/config.h"\n#else\n#include MBEDTLS_CONFIG_FILE\n#endif' perl -i -0777 -pe 's~\Q$ENV{FROM}~#include "common.h"~' library/*.c 3rdparty/*/library/*.c scripts/data_files/error.fmt scripts/data_files/version_features.fmt

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-07-02 11:26:57 +02:00
Manuel Pégourié-Gonnard
74ca84a7a9 Fix some whitespace issues 2020-01-29 09:46:49 +01:00
Manuel Pégourié-Gonnard
2b9b780ac0 Rename internal macro for consistency
Other modules have similar internal macros using _LENGTH in the name.
2020-01-24 11:01:02 +01:00
Manuel Pégourié-Gonnard
2d88549c6b Improve readability of macro in selftest 2020-01-07 10:17:35 +01:00
Manuel Pégourié-Gonnard
0b9db441c8 Make optional parameter validation more precise 2020-01-07 10:14:54 +01:00
Manuel Pégourié-Gonnard
39ea19a35c Adapt sha512 selftest to NO_SHA384 option 2020-01-06 11:40:23 +01:00
Manuel Pégourié-Gonnard
3df4e60561 Implement SHA512_NO_SHA384 in sha512 module
Saves 140 bytes on sha512.o, measured with:

arm-none-eabi-gcc -Wall -Wextra -Iinclude -Os -mcpu=cortex-m0plus -mthumb -c library/sha512.c && arm-none-eabi-size sha512.o

arm-none-eabi-gcc (GNU Tools for Arm Embedded Processors 7-2018-q2-update) 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]

Todo:
- fix selftest
- fix dependencies in test suites
- implement in MD layer
2020-01-06 11:40:23 +01:00
Janos Follath
24eed8d2d2 Initialise return values to an error
Initialising the return values to and error is best practice and makes
the library more robust.
2019-12-03 16:07:18 +00:00
Manuel Pégourié-Gonnard
49d65ba929 Re-roll main loop with SHA512_SMALLER
Saves 1924 bytes (same measurement as before).
2019-07-17 13:16:54 +02:00
Manuel Pégourié-Gonnard
0270ed99bb Use tables and roll up some loops
Saves 108 bytes (measured as in previous commit).
2019-07-17 13:08:02 +02:00
Manuel Pégourié-Gonnard
7f0719598f Make SHA512_SMALLER turn a macro into a function
Saves 356 bytes on sha512.o compiling for Cortex-M0+ with ARM-GCC

Size measured with:
arm-none-eabi-gcc -Wall -Wextra -Iinclude -Os -mcpu=cortex-m0plus -mthumb -c library/sha512.c
arm-none-eabi-size sha512.o

GCC version:
arm-none-eabi-gcc (GNU Tools for Arm Embedded Processors 7-2018-q2-update) 7.3.1 20180622 (release) [ARM/embedded-7-branch revision 261907]
2019-07-17 13:06:55 +02:00
Hanno Becker
26d02e1327 Add more missing parentheses around macro parameters 2019-02-19 17:59:57 +00:00
Hanno Becker
818bac55ef Add further missing brackets around macro parameters 2019-02-19 17:59:57 +00:00
Hanno Becker
1eeca41472 Improve macro hygiene
This commit improves hygiene and formatting of macro definitions
throughout the library. Specifically:
- It adds brackets around parameters to avoid unintended
  interpretation of arguments, e.g. due to operator precedence.
- It adds uses of the `do { ... } while( 0 )` idiom for macros that
  can be used as commands.
2019-02-19 17:59:00 +00:00
Hanno Becker
c756049dc3 Move SHA512_VALIDATE[_RET] outside of MBEDTLS_SHA512_ALT guard
Somehow, mbedtls_sha512_ret() is defined even if MBEDTLS_SHA512_ALT
is set, and it is using SHA512_VALIDATE_RET. The documentation should
be enhanced to indicate that MBEDTLS_SHA512_ALT does _not_ replace
the entire module, but only the core SHA-512 functions.
2018-12-20 10:24:00 +00:00
Hanno Becker
38e15d49f3 Don't declare MBEDTLS-namespace identifiers in sha512.c 2018-12-18 17:54:00 +00:00
Hanno Becker
ca6f4585c7 Fix parameter validation in SHA-512 module 2018-12-18 16:36:26 +00:00
Andres Amaya Garcia
ba519b94a5 Add parameter validation to SHA-512 module 2018-12-18 15:06:39 +00:00
Manuel Pégourié-Gonnard
1cc1fb0599 Fix Lucky 13 cache attack on MD/SHA padding
The basis for the Lucky 13 family of attacks is for an attacker to be able to
distinguish between (long) valid TLS-CBC padding and invalid TLS-CBC padding.
Since our code sets padlen = 0 for invalid padding, the length of the input to
the HMAC function gives information about that.

Information about this length (modulo the MD/SHA block size) can be deduced
from how much MD/SHA padding (this is distinct from TLS-CBC padding) is used.
If MD/SHA padding is read from a (static) buffer, a local attacker could get
information about how much is used via a cache attack targeting that buffer.

Let's get rid of this buffer. Now the only buffer used is the internal MD/SHA
one, which is always read fully by the process() function.
2018-07-05 10:47:00 +02:00
Andres Amaya Garcia
1f6301b3c8 Rename mbedtls_zeroize to mbedtls_platform_zeroize 2018-04-17 10:00:21 -05:00
Andres Amaya Garcia
e32df087fb Remove individual copies of mbedtls_zeroize()
This commit removes all the static occurrencies of the function
mbedtls_zeroize() in each of the individual .c modules. Instead the
function has been moved to utils.h that is included in each of the
modules.
2018-04-17 09:19:05 -05:00
Jaeden Amero
041039f81e MD: Make deprecated functions not inline
In 2.7.0, we replaced a number of MD functions with deprecated inline
versions. This causes ABI compatibility issues, as the functions are no
longer guaranteed to be callable when built into a shared library.
Instead, deprecate the functions without also inlining them, to help
maintain ABI backwards compatibility.
2018-02-22 10:24:30 +00:00
Gilles Peskine
9e4f77c606 New MD API: rename functions from _ext to _ret
The _ext suffix suggests "new arguments", but the new functions have
the same arguments. Use _ret instead, to convey that the difference is
that the new functions return a value.
2018-01-22 11:54:42 +01:00
Andres Amaya Garcia
2d0aa8be97 Fix MD selftest to use correct type and expose ret 2017-07-21 14:57:26 +01:00
Andres Amaya Garcia
0963e6cfac Fix possible memory leak in <MD>_ext() 2017-07-20 14:41:10 +01:00
Andres Amaya Garcia
6a3f30514a Ensure MD self_test ret codes are not hidden
Also fix a potential memory leak and an incorrect goto statement in
sha1.c self_test
2017-07-20 14:18:54 +01:00
Andres Amaya Garcia
cccfe08530 Rename md process functions with _internal_ 2017-06-28 12:52:16 +01:00
Andres Amaya Garcia
614c689e05 Add int return values to SHA-512 function calls
The following function calls are being deprecated to introduce int
return values.
    * mbedtls_sha512()
    * mbedtls_sha512_starts()
    * mbedtls_sha512_update()
    * mbedtls_sha512_finish()
    * mbedtls_sha512_process()
The return codes can be used to return error values. This is important
when using hardware accelerators.
2017-06-28 12:52:16 +01:00
Russ Butler
bb83b42700 Use allocated memory for SHA self tests
Reduce the stack usage of the testing framework by dynamically
allocating the memory used for the test.
2016-10-13 15:10:14 +01:00
Alexey Skalozub
00b78a9c54 Move K inside MBEDTLS_SHA512_PROCESS_ALT block
It is used only by `mbedtls_sha512_process()`, and in case `MBEDTLS_SHA512_PROCESS_ALT` is defined, it still cannot be reused because of `static` declaration.
2016-01-13 17:39:58 +02:00
Manuel Pégourié-Gonnard
37ff14062e Change main license to Apache 2.0 2015-09-04 14:21:07 +02:00
Manuel Pégourié-Gonnard
8b2641d36f Fix warning with MD/SHA ALT implementation
fixes #239
2015-08-31 10:34:26 +02:00
Manuel Pégourié-Gonnard
6fb8187279 Update date in copyright line 2015-07-28 17:11:58 +02:00
Manuel Pégourié-Gonnard
16d412f465 Add md/shaXXX_clone() API
Will be used in the SSL/TLS modules
2015-07-06 15:48:34 +02:00
Manuel Pégourié-Gonnard
41b9c2b418 Remove individual mdX_file() and shaX_file() 2015-05-28 17:28:38 +02:00
Manuel Pégourié-Gonnard
2cf5a7c98e The Great Renaming
A simple execution of tmp/invoke-rename.pl
2015-04-08 13:25:31 +02:00