ARMmbed
/
mbed-os
mirror of https://github.com/ARMmbed/mbed-os.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Added missing optimizations based on mbedtls/baremetal.h config

pull/12729/head
Teppo Järvelin 2020-02-20 12:08:57 +02:00 committed by Antti Kauppila
parent 0f889c3764
commit c5d5d21f05
10 changed files with 162 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
TESTS/mbedtls/multi/main.cpp
View File

@ -33,7 +33,7 @@
using namespace utest::v1;
#if defined(MBEDTLS_SHA256_C)
/* Tests several call to mbedtls_sha256_update function that are not modulo 64 bytes */
/* Tests several call to mbedtls_sha256_update_ret function that are not modulo 64 bytes */
void test_case_sha256_split()
{
const unsigned char test_buf[] = {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"};
@ -50,18 +50,18 @@ void test_case_sha256_split()
mbedtls_sha256_context ctx;
printf("test sha256\n");
mbedtls_sha256_init(&ctx);
mbedtls_sha256_starts(&ctx, 0);
(void)mbedtls_sha256_starts_ret(&ctx, 0);
#if 0
printf("test not splitted\n");
mbedtls_sha256_update(&ctx, test_buf, 168);
(void)mbedtls_sha256_update_ret(&ctx, test_buf, 168);
#else
printf("test splitted into 3 pieces\n");
mbedtls_sha256_update(&ctx, test_buf, 2);
mbedtls_sha256_update(&ctx, test_buf + 2, 66);
mbedtls_sha256_update(&ctx, test_buf + 68, 100);
(void)mbedtls_sha256_update_ret(&ctx, test_buf, 2);
(void)mbedtls_sha256_update_ret(&ctx, test_buf + 2, 66);
(void)mbedtls_sha256_update_ret(&ctx, test_buf + 68, 100);
#endif
mbedtls_sha256_finish(&ctx, outsum);
(void)mbedtls_sha256_finish_ret(&ctx, outsum);
mbedtls_sha256_free(&ctx);
printf("\nreceived result : ");
@ -113,29 +113,29 @@ void test_case_sha256_multi()
mbedtls_sha256_init(&ctx2);
mbedtls_sha256_init(&ctx3);
//Start both contexts
mbedtls_sha256_starts(&ctx1, 0);
mbedtls_sha256_starts(&ctx2, 0);
(void)mbedtls_sha256_starts_ret(&ctx1, 0);
(void)mbedtls_sha256_starts_ret(&ctx2, 0);
printf("upd ctx1\n");
mbedtls_sha256_update(&ctx1, test_buf, 56);
(void)mbedtls_sha256_update_ret(&ctx1, test_buf, 56);
printf("upd ctx2\n");
mbedtls_sha256_update(&ctx2, test_buf, 66);
(void)mbedtls_sha256_update_ret(&ctx2, test_buf, 66);
printf("finish ctx1\n");
mbedtls_sha256_finish(&ctx1, outsum1);
(void)mbedtls_sha256_finish_ret(&ctx1, outsum1);
printf("upd ctx2\n");
mbedtls_sha256_update(&ctx2, test_buf + 66, 46);
(void)mbedtls_sha256_update_ret(&ctx2, test_buf + 66, 46);
printf("clone ctx2 in ctx3\n");
mbedtls_sha256_clone(&ctx3, (const mbedtls_sha256_context *)&ctx2);
printf("free ctx1\n");
mbedtls_sha256_free(&ctx1);
printf("upd ctx2\n");
mbedtls_sha256_update(&ctx2, test_buf + 112, 56);
(void)mbedtls_sha256_update_ret(&ctx2, test_buf + 112, 56);
printf("upd ctx3 with different values than ctx2\n");
mbedtls_sha256_update(&ctx3, test_buf2, 56);
(void)mbedtls_sha256_update_ret(&ctx3, test_buf2, 56);
printf("finish ctx2\n");
mbedtls_sha256_finish(&ctx2, outsum2);
(void)mbedtls_sha256_finish_ret(&ctx2, outsum2);
printf("finish ctx3\n");
mbedtls_sha256_finish(&ctx3, outsum3);
(void)mbedtls_sha256_finish_ret(&ctx3, outsum3);
printf("free ctx2\n");
mbedtls_sha256_free(&ctx2);
printf("free ctx3\n");

6
features/device_key/TESTS/device_key/functionality/main.cpp
View File

@ -72,10 +72,12 @@ void generate_derived_key_long_consistency_test()
generate_derived_key_consistency_16_byte_key_long_consistency_test(key);
strcpy(key, MSG_KEY_DEVICE_TEST_STEP2);
generate_derived_key_consistency_16_byte_key_long_consistency_test(key);
#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
strcpy(key, MSG_KEY_DEVICE_TEST_STEP3);
generate_derived_key_consistency_32_byte_key_long_consistency_test(key);
strcpy(key, MSG_KEY_DEVICE_TEST_STEP4);
generate_derived_key_consistency_32_byte_key_long_consistency_test(key);
#endif
}
@ -497,12 +499,16 @@ Case cases[] = {
Case("Device Key - long consistency test", generate_derived_key_long_consistency_test, greentea_failure_handler),
Case("Device Key - inject value wrong size", device_inject_root_of_trust_wrong_size_test, greentea_failure_handler),
Case("Device Key - inject value 16 byte size", device_inject_root_of_trust_16_byte_size_test, greentea_failure_handler),
#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
Case("Device Key - inject value 32 byte size", device_inject_root_of_trust_32_byte_size_test, greentea_failure_handler),
#endif
Case("Device Key - inject value several times", device_inject_root_of_trust_several_times_test, greentea_failure_handler),
Case("Device Key - derived key consistency 16 byte key", generate_derived_key_consistency_16_byte_key_test, greentea_failure_handler),
Case("Device Key - derived key consistency 32 byte key", generate_derived_key_consistency_32_byte_key_test, greentea_failure_handler),
Case("Device Key - derived key key type 16", generate_derived_key_key_type_16_test, greentea_failure_handler),
#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
Case("Device Key - derived key key type 32", generate_derived_key_key_type_32_test, greentea_failure_handler),
#endif
Case("Device Key - derived key wrong key type", generate_derived_key_wrong_key_type_test, greentea_failure_handler)
};

28
features/lwipstack/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
View File

@ -69,6 +69,7 @@
/* @todo: which includes are really needed? */
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
@ -98,7 +99,21 @@ extern const struct altcp_functions altcp_mbedtls_functions;
struct altcp_tls_config {
mbedtls_ssl_config conf;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context _drbg;
#define DRBG_INIT mbedtls_ctr_drbg_init
#define DRBG_SEED mbedtls_ctr_drbg_seed
#define DRBG_SEED_ERROR "mbedtls_ctr_drbg_seed failed: %d\n"
#define DRBG_RANDOM mbedtls_ctr_drbg_random
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_context _drbg;
#define DRBG_INIT mbedtls_hmac_drbg_init
#define DRBG_SEED mbedtls_hmac_drbg_seed
#define DRBG_SEED_ERROR "mbedtls_hmac_drbg_seed failed: %d\n"
#define DRBG_RANDOM mbedtls_hmac_drbg_random
#else
#error "CTR or HMAC must be defined for coap_security_handler!"
#endif
mbedtls_x509_crt *cert;
mbedtls_pk_context *pkey;
mbedtls_x509_crt *ca;
@ -721,12 +736,15 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
mbedtls_ssl_config_init(&conf->conf);
mbedtls_entropy_init(&conf->entropy);
mbedtls_ctr_drbg_init(&conf->ctr_drbg);
DRBG_INIT(&conf->_drbg);
/* Seed the RNG */
ret = mbedtls_ctr_drbg_seed(&conf->ctr_drbg, ALTCP_MBEDTLS_RNG_FN, &conf->entropy, ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
ret = DRBG_SEED(&conf->_drbg, ALTCP_MBEDTLS_RNG_FN, &conf->entropy, ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ctr_drbg_seed failed: %d\n", ret));
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, (DRBG_SEED_ERROR, ret));
altcp_mbedtls_free_config(conf);
return NULL;
}
@ -742,7 +760,7 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
mbedtls_ssl_conf_rng(&conf->conf, DRBG_RANDOM, &conf->ctr_drbg);
#endif
#if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF

6
features/mbedtls/platform/src/shared_rng.cpp
View File

@ -33,8 +33,9 @@ int init_global_rng()
mbedtls_entropy_init(&global_entropy);
mbedtls_hmac_drbg_init(&global_hmac_drbg);
int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
mbedtls_entropy_func, &global_entropy, NULL, 0);
int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg,
mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
mbedtls_entropy_func, &global_entropy, NULL, 0);
if (ret != 0) {
tr_error(" init_global_rng failed! mbedtls_hmac_drbg_seed returned -0x%x", -ret);
@ -44,7 +45,6 @@ int init_global_rng()
}
return ret;
This conversation was marked as resolved by jarvte
}
void free_global_rng()

40
features/nanostack/coap-service/source/coap_security_handler.c
View File

@ -30,6 +30,7 @@
#include "mbedtls/entropy.h"
#include "mbedtls/entropy_poll.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/ssl_ciphersuites.h"
#include "ns_trace.h"
@ -41,7 +42,14 @@ struct coap_security_s {
mbedtls_ssl_config _conf;
mbedtls_ssl_context _ssl;
mbedtls_ctr_drbg_context _ctr_drbg;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context _drbg;
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_context _drbg;
#else
#error "CTR or HMAC must be defined for coap_security_handler!"
#endif
mbedtls_entropy_context _entropy;
bool _is_started;
simple_cookie_t _cookie;
@ -114,7 +122,11 @@ static int coap_security_handler_init(coap_security_t *sec)
mbedtls_ssl_init(&sec->_ssl);
mbedtls_ssl_config_init(&sec->_conf);
mbedtls_ctr_drbg_init(&sec->_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init(&sec->_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_init(&sec->_drbg);
#endif
mbedtls_entropy_init(&sec->_entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -132,12 +144,20 @@ static int coap_security_handler_init(coap_security_t *sec)
128, entropy_source_type) < 0) {
return -1;
}
if ((mbedtls_ctr_drbg_seed(&sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
#if defined(MBEDTLS_CTR_DRBG_C)
if ((mbedtls_ctr_drbg_seed(&sec->_drbg, mbedtls_entropy_func, &sec->_entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
return -1;
}
#elif defined(MBEDTLS_HMAC_DRBG_C)
if ((mbedtls_hmac_drbg_seed(&sec->_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
mbedtls_entropy_func, &sec->_entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
return -1;
}
#endif
return 0;
}
@ -160,7 +180,11 @@ static void coap_security_handler_reset(coap_security_t *sec)
#endif
mbedtls_entropy_free(&sec->_entropy);
mbedtls_ctr_drbg_free(&sec->_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free(&sec->_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_free(&sec->_drbg);
#endif
mbedtls_ssl_config_free(&sec->_conf);
mbedtls_ssl_free(&sec->_ssl);
#if defined(MBEDTLS_PLATFORM_C)
@ -397,7 +421,11 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
}
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_hmac_drbg_random, &sec->_drbg);
#endif
#endif
if ((mbedtls_ssl_setup(&sec->_ssl, &sec->_conf)) != 0) {

32
features/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.c
View File

@ -248,6 +248,38 @@ int mbedtls_ctr_drbg_random(void *p_rng,
return mbedtls_stub.crt_expected_int;
}
// from hmac_drbg.h
void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
{
}
void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
{
}
int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
mbedtls_md_handle_t md_info,
int (*f_entropy)(void *, unsigned char *, size_t),
void *p_entropy,
const unsigned char *custom,
size_t len )
{
return mbedtls_stub.crt_expected_int;
}
int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
{
return mbedtls_stub.crt_expected_int;
}
// from md.h
mbedtls_md_handle_t mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
{
return 0;
}
//From x509_crt.h
void mbedtls_x509_crt_init(mbedtls_x509_crt *a)
{

2
features/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.h
View File

@ -24,11 +24,13 @@
#include "mbedtls/platform.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/sha256.h"
#include "mbedtls/entropy.h"
#include "mbedtls/pk.h"
#include "mbedtls/platform.h"
#include "mbedtls/md.h"
#define HANDSHAKE_FINISHED_VALUE 8888

16
features/nanostack/sal-stack-nanostack/nanostack/ns_sha256.h
View File

@ -61,23 +61,23 @@ static inline void ns_sha256_clone(ns_sha256_context *dst,
static inline void ns_sha256_starts(ns_sha256_context *ctx)
{
mbedtls_sha256_starts(ctx, 0);
(void)mbedtls_sha256_starts_ret(ctx, 0);
}
static inline void ns_sha256_update(ns_sha256_context *ctx, const void *input,
size_t ilen)
{
mbedtls_sha256_update(ctx, input, ilen);
(void)mbedtls_sha256_update_ret(ctx, input, ilen);
}
static inline void ns_sha256_finish(ns_sha256_context *ctx, void *output)
{
mbedtls_sha256_finish(ctx, output);
(void)mbedtls_sha256_finish_ret(ctx, output);
}
static inline void ns_sha256(const void *input, size_t ilen, void *output)
{
mbedtls_sha256(input, ilen, output, 0);
(void)mbedtls_sha256_ret(input, ilen, output, 0);
}
/* Extensions to standard mbed TLS - output the first bits of a hash only */
@ -85,10 +85,10 @@ static inline void ns_sha256(const void *input, size_t ilen, void *output)
static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output, unsigned obits)
{
if (obits == 256) {
mbedtls_sha256_finish(ctx, output);
(void)mbedtls_sha256_finish_ret(ctx, output);
} else {
uint8_t sha256[32];
mbedtls_sha256_finish(ctx, sha256);
(void)mbedtls_sha256_finish_ret(ctx, sha256);
memcpy(output, sha256, obits / 8);
}
}
@ -96,10 +96,10 @@ static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output,
static inline void ns_sha256_nbits(const void *input, size_t ilen, void *output, unsigned obits)
{
if (obits == 256) {
mbedtls_sha256(input, ilen, output, 0);
(void)mbedtls_sha256_ret(input, ilen, output, 0);
} else {
uint8_t sha256[32];
mbedtls_sha256(input, ilen, sha256, 0);
(void)mbedtls_sha256_ret(input, ilen, sha256, 0);
memcpy(output, sha256, obits / 8);
}
}

33
features/netsocket/TLSSocketWrapper.cpp
View File

@ -47,7 +47,12 @@ TLSSocketWrapper::TLSSocketWrapper(Socket *transport, const char *hostname, cont
}
#endif /* MBEDTLS_PLATFORM_C */
mbedtls_entropy_init(&_entropy);
mbedtls_ctr_drbg_init(&_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_init(&_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_init(&_drbg);
#endif
mbedtls_ssl_init(&_ssl);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_pk_init(&_pkctx);
@ -64,7 +69,11 @@ TLSSocketWrapper::~TLSSocketWrapper()
close();
}
mbedtls_entropy_free(&_entropy);
mbedtls_ctr_drbg_free(&_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_free(&_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_free(&_drbg);
#endif
mbedtls_ssl_free(&_ssl);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_pk_free(&_pkctx);
@ -177,15 +186,29 @@ nsapi_error_t TLSSocketWrapper::start_handshake(bool first_call)
/*
* Initialize TLS-related stuf.
*/
if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy,
#if defined(MBEDTLS_CTR_DRBG_C)
if ((ret = mbedtls_ctr_drbg_seed(&_drbg, mbedtls_entropy_func, &_entropy,
(const unsigned char *) DRBG_PERS,
sizeof(DRBG_PERS))) != 0) {
print_mbedtls_error("mbedtls_crt_drbg_init", ret);
return NSAPI_ERROR_AUTH_FAILURE;
}
#elif defined(MBEDTLS_HMAC_DRBG_C)
if ((ret = mbedtls_hmac_drbg_seed(&_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
mbedtls_entropy_func, &_entropy,
(const unsigned char *) DRBG_PERS,
sizeof(DRBG_PERS))) != 0) {
print_mbedtls_error("mbedtls_hmac_drbg_seed", ret);
return NSAPI_ERROR_AUTH_FAILURE;
}
#endif
#if !defined(MBEDTLS_SSL_CONF_RNG)
mbedtls_ssl_conf_rng(get_ssl_config(), mbedtls_ctr_drbg_random, &_ctr_drbg);
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ssl_conf_rng(get_ssl_config(), mbedtls_ctr_drbg_random, &_drbg);
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_ssl_conf_rng(get_ssl_config(), mbedtls_hmac_drbg_random, &_drbg);
#endif
#endif
@ -268,7 +291,7 @@ nsapi_error_t TLSSocketWrapper::continue_handshake()
tr_info("TLS connection established");
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(FEA_TRACE_SUPPORT)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(FEA_TRACE_SUPPORT) && !defined(MBEDTLS_X509_REMOVE_INFO)
/* Prints the server certificate and verify it. */
const size_t buf_size = 1024;
char *buf = new char[buf_size];

11
features/netsocket/TLSSocketWrapper.h
View File

@ -29,6 +29,7 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/error.h"
// This class requires Mbed TLS SSL/TLS client code
@ -244,7 +245,7 @@ protected:
* @retval NSAPI_ERROR_IN_PROGRESS if the first call did not complete the request.
* @retval NSAPI_ERROR_NO_SOCKET in case the transport socket was not created correctly.
* @retval NSAPI_ERROR_AUTH_FAILURE in case of tls-related authentication errors.
* See @ref mbedtls_ctr_drbg_seed, @ref mbedtls_ssl_setup. @ref mbedtls_ssl_handshake.
* See @ref mbedtls_ctr_drbg_seed or @ref mbedtls_hmac_drbg_seed, @ref mbedtls_ssl_setup. @ref mbedtls_ssl_handshake.
*/
nsapi_error_t start_handshake(bool first_call);
@ -293,7 +294,13 @@ private:
#ifdef MBEDTLS_X509_CRT_PARSE_C
mbedtls_pk_context _pkctx;
#endif
mbedtls_ctr_drbg_context _ctr_drbg;
#if defined(MBEDTLS_CTR_DRBG_C)
mbedtls_ctr_drbg_context _drbg;
#elif defined(MBEDTLS_HMAC_DRBG_C)
mbedtls_hmac_drbg_context _drbg;
#endif
mbedtls_entropy_context _entropy;
rtos::EventFlags _event_flag;