Commit graph

3510 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
79d9b50421 Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
* development: (180 commits)
  Change the library version to 2.11.0
  Fix version in ChangeLog for fix for #552
  Add ChangeLog entry for clang version fix. Issue #1072
  Compilation warning fixes on 32b platfrom with IAR
  Revert "Turn on MBEDTLS_SSL_ASYNC_PRIVATE by default"
  Fix for missing len var when XTS config'd and CTR not
  ssl_server2: handle mbedtls_x509_dn_gets failure
  Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
  SSL async tests: add a few test cases for error in decrypt
  Fix memory leak in ssl_server2 with SNI + async callback
  SNI + SSL async callback: make all keys async
  ssl_async_resume: free the operation context on error
  ssl_server2: get op_name from context in ssl_async_resume as well
  Clarify "as directed here" in SSL async callback documentation
  SSL async callbacks documentation: clarify resource cleanup
  Async callback: use mbedtls_pk_check_pair to compare keys
  Rename mbedtls_ssl_async_{get,set}_data for clarity
  Fix copypasta in the async callback documentation
  SSL async callback: cert is not always from mbedtls_ssl_conf_own_cert
  ssl_async_set_key: detect if ctx->slots overflows
  ...
2018-06-20 09:46:17 +02:00
Simon Butcher
2fcd3e4441 Change the library version to 2.11.0
* Change the Mbed TLS library version to 2.11.0
 * Increase the soversion of libmbedcrypto
 * Increase the soversion of libmbedtls
2018-06-18 14:39:06 +01:00
Simon Butcher
cbe248a3f5 Merge remote-tracking branch 'public/pr/1727' into development 2018-06-17 17:37:29 +01:00
Simon Butcher
1f91575546 Merge remote-tracking branch 'public/pr/1681' into development 2018-06-17 17:35:54 +01:00
Simon Butcher
2711ad7505 Merge remote-tracking branch 'public/pr/1736' into development 2018-06-17 17:34:55 +01:00
Simon Butcher
600c5e6d20 Compilation warning fixes on 32b platfrom with IAR
Fix compilation warnings with IAR toolchain, on 32 bit platform.
Reported by rahmanih in #683

This is based on work by Ron Eldor in PR #750, some of which was independently
fixed by Azim Khan and already merged in PR #1646.
2018-06-17 17:24:56 +01:00
Simon Butcher
2dbecc04cc Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 20:15:00 +01:00
Simon Butcher
66a8903f4a Fix for missing len var when XTS config'd and CTR not
The AES XTS self-test was using a variable len, which was declared only when CTR
was enabled. Changed the declaration of len to be conditional on CTR and XTS.
2018-06-15 18:20:29 +01:00
Simon Butcher
5f57f1e3cc Merge remote-tracking branch 'public/pr/1270' into development 2018-06-15 14:17:31 +01:00
Simon Butcher
675590519a Merge remote-tracking branch 'public/pr/1602' into development 2018-06-15 14:13:14 +01:00
Jaeden Amero
ff2f493432 config: List cipher modes in alphabetical order
Keeping the cipher modes list in alphabetical order makes it easier to
find things. Move OFB and XTS to their appropriate locations in the
list.
2018-06-14 11:42:27 +01:00
Simon Butcher
6ac1cf6f5f Merge remote-tracking branch 'public/pr/1182' into development 2018-06-14 10:33:29 +01:00
Simon Butcher
c1bf1aaee5 Merge remote-tracking branch 'public/pr/1555' into development 2018-06-14 10:24:56 +01:00
Simon Butcher
73a4b80475 Merge remote-tracking branch 'public/pr/1672' into development 2018-06-14 10:24:02 +01:00
Simon Butcher
2ff0e52087 Fix missing preprocessor condition in AES self-test
The AES OFB self-test made use of a variable `offset` but failed to have a
preprocessor condition around it, so unless CTR and CBC were enabled, the
variable would be undeclared.
2018-06-14 09:57:07 +01:00
Gilles Peskine
0a8352b4c2 Fix harmless use of uninitialized memory in ssl_parse_encrypted_pms
In ssl_parse_encrypted_pms, some operational failures from
ssl_decrypt_encrypted_pms lead to diff being set to a value that
depended on some uninitialized unsigned char and size_t values. This didn't
affect the behavior of the program (assuming an implementation with no
trap values for size_t) because all that matters is whether diff is 0,
but Valgrind rightfully complained about the use of uninitialized
memory. Behave nicely and initialize the offending memory.
2018-06-13 18:21:25 +02:00
Jaeden Amero
8cfc75f603 aes: xts: Fix style issues with gf128mul 2018-06-13 12:13:58 +01:00
Jaeden Amero
5f0b06aeda aes: xts: Fix description of gf128mul
THe function `mbedtls_gf128mul_x_ble()` doesn't multiply by x, x^4, and
x^8. Update the function description to properly describe what the function
does.
2018-06-13 12:13:58 +01:00
Jaeden Amero
c653990ed5 cipher: Add wrappers for AES-XTS
AES-XTS does not support multipart use as it can only operate on an entire
sector at a time.
2018-06-13 12:13:56 +01:00
Jaeden Amero
21d79cf947 aes: Add self test for AES-XTS 2018-06-13 12:05:04 +01:00
Jaeden Amero
cd9fc5e541 aes: xts: Rename iv to data_unit
XTS doesn't have an IV, it has a "Data Unit". Rename iv for parity with the
XTS standard.
2018-06-13 12:05:04 +01:00
Jaeden Amero
d82cd860b2 aes: xts: Rewrite to avoid use of goto
The flow was a bit hard to follow with the `goto` everywhere. Rewrite the
XTS implementation to avoid the use of `goto`.
2018-06-13 12:05:04 +01:00
Jaeden Amero
0a8b02087a aes: xts: Enforce NIST SP 800-38E data unit size
NIST SP 800-38E requites the data unit size be limited to at most 2^20 AES
blocks in size. Enforce this restriction.
2018-06-13 12:05:04 +01:00
Jaeden Amero
5162b932a2 aes: Use length instead of bits_length in XTS
mbedtls_aes_crypt_xts() currently takes a `bits_length` parameter, unlike
the other block modes. Change the parameter to accept a bytes length
instead, as the `bits_length` parameter is not actually ever used in the
current implementation.
2018-06-13 12:05:04 +01:00
Jaeden Amero
9366feb504 aes: xts: Add new context structure
Add a new context structure for XTS. Adjust the API for XTS to use the new
context structure, including tests suites and the benchmark program. Update
Doxgen documentation accordingly.
2018-06-13 12:05:04 +01:00
Jaeden Amero
e9ecf00007 aes: Remove AES-XEX
AES-XEX is a building block for other cryptographic standards and not yet a
standard in and of itself. We'll just provide the standardized AES-XTS
algorithm, and not AES-XEX. The AES-XTS algorithm and interface provided
can be used to perform the AES-XEX algorithm when the length of the input
is a multiple of the AES block size.
2018-06-13 12:03:29 +01:00
Jaeden Amero
010c2cb456 gf128mul: Inline instead of making a new module 2018-06-13 12:03:29 +01:00
Jaeden Amero
97cc3b1354 gf128mul: Remove the jump table
If we're unlucky with memory placement, gf128mul_table_bbe may spread over
two cache lines and this would leak b >> 63 to a cache timing attack.
Instead, take an approach that is less likely to make different memory
loads depending on the value of b >> 63 and is also unlikely to be compiled
to a condition.
2018-06-13 12:03:29 +01:00
Aorimn
5f77801ac3 Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2018-06-13 12:03:27 +01:00
Aorimn
380162c34c Double perf for AES-XEX
As seen from the first benchmark run, AES-XEX was running pourly (even
slower than AES-CBC). This commit doubles the performances of the
current implementation.
2018-06-13 12:02:30 +01:00
Aorimn
8bb817a4c1 Add AES-XEX to the version features 2018-06-13 12:02:29 +01:00
Aorimn
9bbe3632e4 Rename exported symbols to please check-names.sh
Exported symbols seem to need the "mbedtls_" prefix, which has been
added to be128 and gf128mul_x_ble.
2018-06-13 12:01:50 +01:00
Aorimn
0089d36ae5 Implement AES-XEX mode
XEX mode, known as "xor-encrypt-xor", is the simple case of the XTS
mode, known as "XEX with ciphertext stealing". When the buffers to be
encrypted/decrypted have a length divisible by the length of a standard
AES block (16), XTS is exactly like XEX.
2018-06-13 11:56:03 +01:00
Aorimn
b053658f95 Add 2 files for multiplication in GF(128)
Multiplication in GF(128) is required by the AES-XEX mode for computing
X in the XEX formula from
https://en.wikipedia.org/wiki/Disk_encryption_theory#Xor-encrypt-xor_.28XEX.29
2018-06-13 11:56:03 +01:00
Manuel Pégourié-Gonnard
558da9c3fe Make SSL error code more generic
It's undesirable to have users of the SSL layer check for an error code
specific to a lower-level layer, both out of general layering principles, and
also because if we later make another crypto module gain resume capabilities,
we would need to change the contract again (checking for a new module-specific
error code).
2018-06-13 12:02:12 +02:00
Roberto Vargas
7decfe8c1e Convert mbedtls_free and mbedtls_calloc into functions
When MBEDTLS_PLATFORM_MEMORY is defined but MBEDTLS_PLATFORM_FREE_MACRO or
MBEDTLS_PLATFORM_CALLOC_MACRO are not defined then the actual functions
used to allocate and free memory are stored in function pointers.
These pointers are exposed to the caller, and it means that the caller
and the library have to share a data section.

In TF-A, we execute in a very constrained environment, where some images
are executed from ROM and other images are executed from SRAM. The
images that are executed from ROM cannot be modified. The SRAM size
is very small and we are moving libraries to the ROM that can be shared
between the different SRAM images.  These SRAM images could import all the
symbols used in mbedtls, but it would create an undesirable hard binary
dependency between the different images. For this reason, all the library
functions in ROM are accesed using a jump table whose base address is
known, allowing the images to execute with different versions of the ROM.

This commit changes the function pointers to actual functions,
so that the SRAM images only have to use the new exported symbols
(mbedtls_calloc and mbedtls_free) using the jump table. In
our scenario, mbedtls_platform_set_calloc_free is called from
mbedtls_memory_buffer_alloc_init which initializes the function pointers
to the internal buffer_alloc_calloc and buffer_alloc_free functions.

No functional changes to mbedtls_memory_buffer_alloc_init.

Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-13 09:17:59 +01:00
Manuel Pégourié-Gonnard
da19f4c79f Merge branch 'development' into iotssl-1260-non-blocking-ecc-restricted
Summary of merge conflicts:

include/mbedtls/ecdh.h -> documentation style
include/mbedtls/ecdsa.h -> documentation style
include/mbedtls/ecp.h -> alt style, new error codes, documentation style
include/mbedtls/error.h -> new error codes
library/error.c -> new error codes (generated anyway)
library/ecp.c:
    - code of an extracted function was changed
library/ssl_cli.c:
    - code addition on one side near code change on the other side
      (ciphersuite validation)
library/x509_crt.c -> various things
    - top fo file: helper structure added near old zeroize removed
    - documentation of find_parent_in()'s signature: improved on one side,
      added arguments on the other side
    - documentation of find_parent()'s signature: same as above
    - verify_chain(): variables initialised later to give compiler an
      opportunity to warn us if not initialised on a code path
    - find_parent(): funcion structure completely changed, for some reason git
      tried to insert a paragraph of the old structure...
    - merge_flags_with_cb(): data structure changed, one line was fixed with a
      cast to keep MSVC happy, this cast is already in the new version
    - in verify_restratable(): adjacent independent changes (function
      signature on one line, variable type on the next)
programs/ssl/ssl_client2.c:
    - testing for IN_PROGRESS return code near idle() (event-driven):
      don't wait for data in the the socket if ECP_IN_PROGRESS
tests/data_files/Makefile: adjacent independent additions
tests/suites/test_suite_ecdsa.data: adjacent independent additions
tests/suites/test_suite_x509parse.data: adjacent independent additions

* development: (1059 commits)
  Change symlink to hardlink to avoid permission issues
  Fix out-of-tree testing symlinks on Windows
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  ...
2018-06-13 09:52:54 +02:00
Darryl Green
b11de306c4 Fix braces in mbedtls_memory_buffer_alloc_status() 2018-06-12 16:56:04 +01:00
Simon Butcher
e47d6fd97e Merge remote-tracking branch 'public/pr/1497' into development 2018-06-12 16:53:04 +01:00
Simon Butcher
f0d7629771 Merge remote-tracking branch 'public/pr/1593' into development 2018-06-12 16:41:41 +01:00
Simon Butcher
ebb6427992 Merge remote-tracking branch 'public/pr/1646' into development 2018-06-12 16:41:04 +01:00
Simon Butcher
263498ac36 Merge remote-tracking branch 'public/pr/1667' into development 2018-06-12 16:40:07 +01:00
Simon Butcher
4844bf2b5c Add OFB as additional block mode
Following rebasing on the development branch which introduced the ARIA cipher,
OFB was missing as a block mode from some cipher tables.
2018-06-11 15:21:05 +01:00
Simon Butcher
5db13621ec Clarify documentation for AES OFB
1. Changed reference/link to NIST SP800-38A
 2. Clarified language around AES-OFB usage
2018-06-11 14:03:22 +01:00
Simon Butcher
00131446be Fix style and formatting for OFB feature 2018-06-11 14:03:22 +01:00
Simon Butcher
ad4e4938d1 Fix AES-OFB support for errors, tests and self-test
Adds error handling into mbedtls_aes_crypt_ofb for AES errors, a self-test
for the OFB mode using NIST SP 800-38A test vectors and adds a check to
potential return errors in setting the AES encryption key in the OFB test
suite.
2018-06-11 14:03:22 +01:00
Simon Butcher
7487c5b2c8 Add missing OFB entry to null ciphersuite
The OFB entry has been omitted from the the null cipher suite definition,
null_base_info.
2018-06-11 14:03:22 +01:00
Simon Butcher
8c0fd1e881 Add cipher abstraction and test cases for OFB block mode
Adds OFB as additional block mode in the cipher abstraction, and additional
test cases for that block mode.
2018-06-11 14:03:22 +01:00
Simon Butcher
76a5b22973 Add OFB block mode to AES-128/192/256
Adds a new configuration of MBEDTLS_CIPHER_MODE_OFB and OFB mode to AES.
2018-06-11 14:03:22 +01:00
Thomas Fossati
656864b360 Add an HKDF (RFC 5869) implementation 2018-06-11 13:10:14 +01:00