Commit graph

2121 commits

Author SHA1 Message Date
Simon Butcher
2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Simon Butcher
1f91575546 Merge remote-tracking branch 'public/pr/1681' into development 2018-06-17 17:35:54 +01:00
Jaeden Amero
d9c71dad50 Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
This reverts commit 5ffe41c8f9.

Turn off MBEDTLS_SSL_ASYNC_PRIVATE by default because we don't want to
change the ABI yet.
2018-06-15 20:31:26 +01:00
Simon Butcher
2dbecc04cc Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 20:15:00 +01:00
Simon Butcher
5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Jaeden Amero
ff2f493432 config: List cipher modes in alphabetical order
Keeping the cipher modes list in alphabetical order makes it easier to
find things. Move OFB and XTS to their appropriate locations in the
list.
2018-06-14 11:42:27 +01:00
Jaeden Amero
ed91a79c4b config: Update documentation for XTS option
The XTS configuration option MBEDTLS_CIPHER_MODE_XTS currently only enables
XTS for AES. So, don't say it enables XTS for "symmetric ciphers", just
AES. This helps to avoid being misleading.
2018-06-13 12:13:58 +01:00
Jaeden Amero
f167deb6e0 aes: xts: Add a reference to the standard
It's useful to add a reference to the standard one implements. Add a
reference to the AES-XTS standard to the top of `aes.h`.
2018-06-13 12:13:58 +01:00
Jaeden Amero
c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero
cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero
0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero
5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero
9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero
e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero
010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Aorimn
5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn
9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn
75e3661ebe Add AES-XEX mode to the default config file
Adding the AES-XEX mode to the default config file permits this mode to
be compiled, and tested, which may be needed for some programs in the
future.
2018-06-13 12:01:48 +01:00
Aorimn
0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Aorimn
b053658f95 Add 2 files for multiplication in GF(128)
Multiplication in GF(128) is required by the AES-XEX mode for computing
X in the XEX formula from
https://en.wikipedia.org/wiki/Disk_encryption_theory#Xor-encrypt-xor_.28XEX.29
2018-06-13 11:56:03 +01:00
Roberto Vargas
7decfe8c1e Convert mbedtls_free and mbedtls_calloc into functions
When MBEDTLS_PLATFORM_MEMORY is defined but MBEDTLS_PLATFORM_FREE_MACRO or
MBEDTLS_PLATFORM_CALLOC_MACRO are not defined then the actual functions
used to allocate and free memory are stored in function pointers.
These pointers are exposed to the caller, and it means that the caller
and the library have to share a data section.

In TF-A, we execute in a very constrained environment, where some images
are executed from ROM and other images are executed from SRAM. The
images that are executed from ROM cannot be modified. The SRAM size
is very small and we are moving libraries to the ROM that can be shared
between the different SRAM images.  These SRAM images could import all the
symbols used in mbedtls, but it would create an undesirable hard binary
dependency between the different images. For this reason, all the library
functions in ROM are accesed using a jump table whose base address is
known, allowing the images to execute with different versions of the ROM.

This commit changes the function pointers to actual functions,
so that the SRAM images only have to use the new exported symbols
(mbedtls_calloc and mbedtls_free) using the jump table. In
our scenario, mbedtls_platform_set_calloc_free is called from
mbedtls_memory_buffer_alloc_init which initializes the function pointers
to the internal buffer_alloc_calloc and buffer_alloc_free functions.

No functional changes to mbedtls_memory_buffer_alloc_init.

Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-13 09:17:59 +01:00
Simon Butcher
e47d6fd97e Merge remote-tracking branch 'public/pr/1497' into development 2018-06-12 16:53:04 +01:00
Simon Butcher
f0d7629771 Merge remote-tracking branch 'public/pr/1593' into development 2018-06-12 16:41:41 +01:00
Simon Butcher
ebb6427992 Merge remote-tracking branch 'public/pr/1646' into development 2018-06-12 16:41:04 +01:00
Simon Butcher
263498ac36 Merge remote-tracking branch 'public/pr/1667' into development 2018-06-12 16:40:07 +01:00
Simon Butcher
dbe80c6957 Merge remote-tracking branch 'public/pr/1668' into development 2018-06-12 16:39:56 +01:00
Jaeden Amero
cb2c935a54 aes: Clarify IV requirements for OFB mode
Combine the two "must be unique" phrases into one for clarity. An IV
that is universally unique is also unique for each encryption operation.
2018-06-11 14:03:22 +01:00
Simon Butcher
5db13621ec Clarify documentation for AES OFB
1. Changed reference/link to NIST SP800-38A
 2. Clarified language around AES-OFB usage
2018-06-11 14:03:22 +01:00
Simon Butcher
968646c079 Clarify comments on use of AES OFB block mode 2018-06-11 14:03:22 +01:00
Simon Butcher
00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher
6873c845e8 Update cipher.h for OFB block mode documentation
Raises the doxygen comments for OFB to the same level as other block modes.
2018-06-11 14:03:22 +01:00
Simon Butcher
8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Simon Butcher
76a5b22973 Add OFB block mode to AES-128/192/256
Adds a new configuration of MBEDTLS_CIPHER_MODE_OFB and OFB mode to AES.
2018-06-11 14:03:22 +01:00
Thomas Fossati
656864b360 Add an HKDF (RFC 5869) implementation 2018-06-11 13:10:14 +01:00
Gilles Peskine
0a0e08a618 mbedtls_gcm_crypt_and_tag: clarify what each mode does and doesn't do 2018-06-07 14:47:38 +02:00
Gilles Peskine
80f679b938 Correct and clarify the documentation of GCM whole-message functions
Clarify the roles of the buffer parameter and their sizes.

Remove a statement about input size restrictions that only applies to
mbedtls_gcm_update, not to the whole-message functions.

Document the possible error codes.

Warn that mbedtls_gcm_crypt_and_tag in decrypt mode does not
authenticate the data and recommend using mbedtls_gcm_auth_decrypt
instead.
2018-06-06 16:55:41 +02:00
Simon Butcher
d5a09f1e68 Updated version number to 2.10.0 for release 2018-06-06 14:52:00 +01:00
Simon Butcher
6e962b2762 Fix file permissions for ssl.h
Correct the file permissions for ssl.h which were inadvertently made executable
in PR#1402
2018-06-05 10:25:04 +01:00
Simon Butcher
2041a31ca8 Merge remote-tracking branch 'public/pr/1402' into development 2018-06-01 19:27:23 +01:00
Simon Butcher
246cb05a92 Merge remote-tracking branch 'public/pr/1410' into development 2018-06-01 19:25:56 +01:00
Simon Butcher
b02f7893f6 Merge remote-tracking branch 'public/pr/1470' into development 2018-06-01 19:20:25 +01:00
Janos Follath
143b319773 CCM*: Make documentation consistent 2018-05-30 13:57:29 +01:00
Janos Follath
6b4bd3dcc4 CCM*: Improve documentation 2018-05-29 11:59:22 +01:00
Janos Follath
5dc8cfa8f1 CCM*: Add public API
Interface for CCM* (described in IEEE Std 802.15.4.).
2018-05-29 11:59:22 +01:00
Azim Khan
45b79cf12b Treat warnings as errors for IAR
Fix IAR compiler warnings

Two warnings have been fixed:
1. code 'if( len <= 0xFFFFFFFF )' gave warning 'pointless integer comparison'.
   This was fixed by wraping the condition in '#if SIZE_MAX > 0xFFFFFFFF'.
2. code 'diff |= A[i] ^ B[i];' gave warning 'the order of volatile accesses is undefined in'.
   This was fixed by read the volatile data in temporary variables before the computation.

Explain IAR warning on volatile access

Consistent use of CMAKE_C_COMPILER_ID
2018-05-25 14:54:14 +01:00
Zach van Rijn
e7d3f8e2ea Fix MicroBlaze register typo. 2018-05-25 08:02:18 -04:00
Manuel Pégourié-Gonnard
fa0c47d4c8 Fix typo in doc and copy missing warning 2018-05-24 19:02:06 +02:00
Manuel Pégourié-Gonnard
d0f143b1c9 Update CTR doc for the 64-bit block cipher
- constants need adjustment
- don't mention "random nonces" as the space is too small
2018-05-24 12:01:58 +02:00
Manuel Pégourié-Gonnard
4f24e9502e Update CTR doc for other 128-bit block ciphers 2018-05-24 11:59:30 +02:00
Manuel Pégourié-Gonnard
f5842864d8 Slightly tune ARIA CTR documentation 2018-05-24 11:51:58 +02:00