diff --git a/features/mbedtls/VERSION.txt b/features/mbedtls/VERSION.txt index 0226ae069f..256e459392 100644 --- a/features/mbedtls/VERSION.txt +++ b/features/mbedtls/VERSION.txt @@ -1 +1 @@ -mbedtls-2.4.2 +mbedtls-2.5.0-rc1 diff --git a/features/mbedtls/importer/Makefile b/features/mbedtls/importer/Makefile index dae04b8aa6..526de077ac 100644 --- a/features/mbedtls/importer/Makefile +++ b/features/mbedtls/importer/Makefile @@ -27,7 +27,7 @@ # # Set the mbed TLS release to import (this can/should be edited before import) -MBED_TLS_RELEASE ?= mbedtls-2.4.2 +MBED_TLS_RELEASE ?= mbedtls-2.5.0-rc1 # Translate between mbed TLS namespace and mbed namespace TARGET_PREFIX:=../ diff --git a/features/mbedtls/inc/mbedtls/aes.h b/features/mbedtls/inc/mbedtls/aes.h index a36e825a2e..b5560cc813 100644 --- a/features/mbedtls/inc/mbedtls/aes.h +++ b/features/mbedtls/inc/mbedtls/aes.h @@ -39,6 +39,11 @@ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_AES_ALT) // Regular implementation // @@ -253,10 +258,12 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, * \param ctx AES context * \param input Plaintext block * \param output Output (ciphertext) block + * + * \return 0 if successful */ -void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, - const unsigned char input[16], - unsigned char output[16] ); +int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ); /** * \brief Internal AES block decryption function @@ -266,10 +273,59 @@ void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, * \param ctx AES context * \param input Ciphertext block * \param output Output (plaintext) block + * + * \return 0 if successful */ -void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, - const unsigned char input[16], - unsigned char output[16] ); +int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Internal AES block encryption function + * (Only exposed to allow overriding it, + * see MBEDTLS_AES_ENCRYPT_ALT) + * + * \deprecated Superseded by mbedtls_aes_encrypt_ext() in 2.5.0 + * + * \param ctx AES context + * \param input Plaintext block + * \param output Output (ciphertext) block + */ +MBEDTLS_DEPRECATED static inline void mbedtls_aes_encrypt( + mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ) +{ + mbedtls_internal_aes_encrypt( ctx, input, output ); +} + +/** + * \brief Internal AES block decryption function + * (Only exposed to allow overriding it, + * see MBEDTLS_AES_DECRYPT_ALT) + * + * \deprecated Superseded by mbedtls_aes_decrypt_ext() in 2.5.0 + * + * \param ctx AES context + * \param input Ciphertext block + * \param output Output (plaintext) block + */ +MBEDTLS_DEPRECATED static inline void mbedtls_aes_decrypt( + mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ) +{ + mbedtls_internal_aes_decrypt( ctx, input, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } diff --git a/features/mbedtls/inc/mbedtls/check_config.h b/features/mbedtls/inc/mbedtls/check_config.h index fe86c1e8d1..dab1113d8b 100644 --- a/features/mbedtls/inc/mbedtls/check_config.h +++ b/features/mbedtls/inc/mbedtls/check_config.h @@ -150,6 +150,38 @@ #error "MBEDTLS_GCM_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites" +#endif + +#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT) +#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C) #error "MBEDTLS_HAVEGE_C defined, but not all prerequisites" #endif diff --git a/features/mbedtls/inc/mbedtls/compat-1.3.h b/features/mbedtls/inc/mbedtls/compat-1.3.h index af51b5f820..bba1d2c247 100644 --- a/features/mbedtls/inc/mbedtls/compat-1.3.h +++ b/features/mbedtls/inc/mbedtls/compat-1.3.h @@ -207,9 +207,6 @@ #if defined MBEDTLS_ERROR_C #define POLARSSL_ERROR_C MBEDTLS_ERROR_C #endif -#if defined MBEDTLS_ERROR_STRERROR_BC -#define POLARSSL_ERROR_STRERROR_BC MBEDTLS_ERROR_STRERROR_BC -#endif #if defined MBEDTLS_ERROR_STRERROR_DUMMY #define POLARSSL_ERROR_STRERROR_DUMMY MBEDTLS_ERROR_STRERROR_DUMMY #endif @@ -318,9 +315,6 @@ #if defined MBEDTLS_MEMORY_BUFFER_ALLOC_C #define POLARSSL_MEMORY_BUFFER_ALLOC_C MBEDTLS_MEMORY_BUFFER_ALLOC_C #endif -#if defined MBEDTLS_MEMORY_C -#define POLARSSL_MEMORY_C MBEDTLS_MEMORY_C -#endif #if defined MBEDTLS_MEMORY_DEBUG #define POLARSSL_MEMORY_DEBUG MBEDTLS_MEMORY_DEBUG #endif @@ -345,9 +339,6 @@ #if defined MBEDTLS_PADLOCK_C #define POLARSSL_PADLOCK_C MBEDTLS_PADLOCK_C #endif -#if defined MBEDTLS_PBKDF2_C -#define POLARSSL_PBKDF2_C MBEDTLS_PBKDF2_C -#endif #if defined MBEDTLS_PEM_PARSE_C #define POLARSSL_PEM_PARSE_C MBEDTLS_PEM_PARSE_C #endif @@ -429,9 +420,6 @@ #if defined MBEDTLS_PLATFORM_STD_FREE #define POLARSSL_PLATFORM_STD_FREE MBEDTLS_PLATFORM_STD_FREE #endif -#if defined MBEDTLS_PLATFORM_STD_MALLOC -#define POLARSSL_PLATFORM_STD_MALLOC MBEDTLS_PLATFORM_STD_MALLOC -#endif #if defined MBEDTLS_PLATFORM_STD_MEM_HDR #define POLARSSL_PLATFORM_STD_MEM_HDR MBEDTLS_PLATFORM_STD_MEM_HDR #endif @@ -492,12 +480,6 @@ #if defined MBEDTLS_SHA512_PROCESS_ALT #define POLARSSL_SHA512_PROCESS_ALT MBEDTLS_SHA512_PROCESS_ALT #endif -#if defined MBEDTLS_SSL_AEAD_RANDOM_IV -#define POLARSSL_SSL_AEAD_RANDOM_IV MBEDTLS_SSL_AEAD_RANDOM_IV -#endif -#if defined MBEDTLS_SSL_ALERT_MESSAGES -#define POLARSSL_SSL_ALERT_MESSAGES MBEDTLS_SSL_ALERT_MESSAGES -#endif #if defined MBEDTLS_SSL_ALL_ALERT_MESSAGES #define POLARSSL_SSL_ALL_ALERT_MESSAGES MBEDTLS_SSL_ALL_ALERT_MESSAGES #endif @@ -522,9 +504,6 @@ #if defined MBEDTLS_SSL_DEBUG_ALL #define POLARSSL_SSL_DEBUG_ALL MBEDTLS_SSL_DEBUG_ALL #endif -#if defined MBEDTLS_SSL_DISABLE_RENEGOTIATION -#define POLARSSL_SSL_DISABLE_RENEGOTIATION MBEDTLS_SSL_DISABLE_RENEGOTIATION -#endif #if defined MBEDTLS_SSL_DTLS_ANTI_REPLAY #define POLARSSL_SSL_DTLS_ANTI_REPLAY MBEDTLS_SSL_DTLS_ANTI_REPLAY #endif @@ -752,7 +731,6 @@ #define KU_KEY_ENCIPHERMENT MBEDTLS_X509_KU_KEY_ENCIPHERMENT #define KU_NON_REPUDIATION MBEDTLS_X509_KU_NON_REPUDIATION #define LN_2_DIV_LN_10_SCALE100 MBEDTLS_LN_2_DIV_LN_10_SCALE100 -#define MD_CONTEXT_T_INIT MBEDTLS_MD_CONTEXT_T_INIT #define MEMORY_VERIFY_ALLOC MBEDTLS_MEMORY_VERIFY_ALLOC #define MEMORY_VERIFY_ALWAYS MBEDTLS_MEMORY_VERIFY_ALWAYS #define MEMORY_VERIFY_FREE MBEDTLS_MEMORY_VERIFY_FREE @@ -1017,19 +995,13 @@ #define POLARSSL_CONFIG_H MBEDTLS_CONFIG_H #define POLARSSL_CTR_DRBG_H MBEDTLS_CTR_DRBG_H #define POLARSSL_DEBUG_H MBEDTLS_DEBUG_H -#define POLARSSL_DEBUG_LOG_FULL MBEDTLS_DEBUG_LOG_FULL -#define POLARSSL_DEBUG_LOG_RAW MBEDTLS_DEBUG_LOG_RAW #define POLARSSL_DECRYPT MBEDTLS_DECRYPT #define POLARSSL_DES_H MBEDTLS_DES_H #define POLARSSL_DHM_H MBEDTLS_DHM_H -#define POLARSSL_DHM_RFC2409_MODP_1024_G MBEDTLS_DHM_RFC2409_MODP_1024_G -#define POLARSSL_DHM_RFC2409_MODP_1024_P MBEDTLS_DHM_RFC2409_MODP_1024_P #define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G #define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P #define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G #define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P -#define POLARSSL_DHM_RFC5114_MODP_1024_G MBEDTLS_DHM_RFC5114_MODP_1024_G -#define POLARSSL_DHM_RFC5114_MODP_1024_P MBEDTLS_DHM_RFC5114_MODP_1024_P #define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G #define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P #define POLARSSL_ECDH_H MBEDTLS_ECDH_H @@ -1117,9 +1089,6 @@ #define POLARSSL_ERR_HMAC_DRBG_FILE_IO_ERROR MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR #define POLARSSL_ERR_HMAC_DRBG_INPUT_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_INPUT_TOO_BIG #define POLARSSL_ERR_HMAC_DRBG_REQUEST_TOO_BIG MBEDTLS_ERR_HMAC_DRBG_REQUEST_TOO_BIG -#define POLARSSL_ERR_MD2_FILE_IO_ERROR MBEDTLS_ERR_MD2_FILE_IO_ERROR -#define POLARSSL_ERR_MD4_FILE_IO_ERROR MBEDTLS_ERR_MD4_FILE_IO_ERROR -#define POLARSSL_ERR_MD5_FILE_IO_ERROR MBEDTLS_ERR_MD5_FILE_IO_ERROR #define POLARSSL_ERR_MD_ALLOC_FAILED MBEDTLS_ERR_MD_ALLOC_FAILED #define POLARSSL_ERR_MD_BAD_INPUT_DATA MBEDTLS_ERR_MD_BAD_INPUT_DATA #define POLARSSL_ERR_MD_FEATURE_UNAVAILABLE MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE @@ -1147,7 +1116,6 @@ #define POLARSSL_ERR_OID_BUF_TOO_SMALL MBEDTLS_ERR_OID_BUF_TOO_SMALL #define POLARSSL_ERR_OID_NOT_FOUND MBEDTLS_ERR_OID_NOT_FOUND #define POLARSSL_ERR_PADLOCK_DATA_MISALIGNED MBEDTLS_ERR_PADLOCK_DATA_MISALIGNED -#define POLARSSL_ERR_PBKDF2_BAD_INPUT_DATA MBEDTLS_ERR_PBKDF2_BAD_INPUT_DATA #define POLARSSL_ERR_PEM_BAD_INPUT_DATA MBEDTLS_ERR_PEM_BAD_INPUT_DATA #define POLARSSL_ERR_PEM_FEATURE_UNAVAILABLE MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE #define POLARSSL_ERR_PEM_INVALID_DATA MBEDTLS_ERR_PEM_INVALID_DATA @@ -1179,7 +1147,6 @@ #define POLARSSL_ERR_PK_TYPE_MISMATCH MBEDTLS_ERR_PK_TYPE_MISMATCH #define POLARSSL_ERR_PK_UNKNOWN_NAMED_CURVE MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE #define POLARSSL_ERR_PK_UNKNOWN_PK_ALG MBEDTLS_ERR_PK_UNKNOWN_PK_ALG -#define POLARSSL_ERR_RIPEMD160_FILE_IO_ERROR MBEDTLS_ERR_RIPEMD160_FILE_IO_ERROR #define POLARSSL_ERR_RSA_BAD_INPUT_DATA MBEDTLS_ERR_RSA_BAD_INPUT_DATA #define POLARSSL_ERR_RSA_INVALID_PADDING MBEDTLS_ERR_RSA_INVALID_PADDING #define POLARSSL_ERR_RSA_KEY_CHECK_FAILED MBEDTLS_ERR_RSA_KEY_CHECK_FAILED @@ -1189,9 +1156,6 @@ #define POLARSSL_ERR_RSA_PUBLIC_FAILED MBEDTLS_ERR_RSA_PUBLIC_FAILED #define POLARSSL_ERR_RSA_RNG_FAILED MBEDTLS_ERR_RSA_RNG_FAILED #define POLARSSL_ERR_RSA_VERIFY_FAILED MBEDTLS_ERR_RSA_VERIFY_FAILED -#define POLARSSL_ERR_SHA1_FILE_IO_ERROR MBEDTLS_ERR_SHA1_FILE_IO_ERROR -#define POLARSSL_ERR_SHA256_FILE_IO_ERROR MBEDTLS_ERR_SHA256_FILE_IO_ERROR -#define POLARSSL_ERR_SHA512_FILE_IO_ERROR MBEDTLS_ERR_SHA512_FILE_IO_ERROR #define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE #define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST #define POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY @@ -1305,7 +1269,6 @@ #define POLARSSL_MD_SHA512 MBEDTLS_MD_SHA512 #define POLARSSL_MD_WRAP_H MBEDTLS_MD_WRAP_H #define POLARSSL_MEMORY_BUFFER_ALLOC_H MBEDTLS_MEMORY_BUFFER_ALLOC_H -#define POLARSSL_MEMORY_H MBEDTLS_MEMORY_H #define POLARSSL_MODE_CBC MBEDTLS_MODE_CBC #define POLARSSL_MODE_CCM MBEDTLS_MODE_CCM #define POLARSSL_MODE_CFB MBEDTLS_MODE_CFB @@ -1319,7 +1282,7 @@ #define POLARSSL_MPI_MAX_BITS_SCALE100 MBEDTLS_MPI_MAX_BITS_SCALE100 #define POLARSSL_MPI_MAX_LIMBS MBEDTLS_MPI_MAX_LIMBS #define POLARSSL_MPI_RW_BUFFER_SIZE MBEDTLS_MPI_RW_BUFFER_SIZE -#define POLARSSL_NET_H MBEDTLS_NET_H +#define POLARSSL_NET_H MBEDTLS_NET_SOCKETS_H #define POLARSSL_NET_LISTEN_BACKLOG MBEDTLS_NET_LISTEN_BACKLOG #define POLARSSL_OID_H MBEDTLS_OID_H #define POLARSSL_OPERATION_NONE MBEDTLS_OPERATION_NONE @@ -1329,7 +1292,6 @@ #define POLARSSL_PADDING_ZEROS MBEDTLS_PADDING_ZEROS #define POLARSSL_PADDING_ZEROS_AND_LEN MBEDTLS_PADDING_ZEROS_AND_LEN #define POLARSSL_PADLOCK_H MBEDTLS_PADLOCK_H -#define POLARSSL_PBKDF2_H MBEDTLS_PBKDF2_H #define POLARSSL_PEM_H MBEDTLS_PEM_H #define POLARSSL_PKCS11_H MBEDTLS_PKCS11_H #define POLARSSL_PKCS12_H MBEDTLS_PKCS12_H @@ -1712,7 +1674,6 @@ #define TLS_RSA_WITH_NULL_SHA256 MBEDTLS_TLS_RSA_WITH_NULL_SHA256 #define TLS_RSA_WITH_RC4_128_MD5 MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 #define TLS_RSA_WITH_RC4_128_SHA MBEDTLS_TLS_RSA_WITH_RC4_128_SHA -#define UL64 MBEDTLS_UL64 #define X509_CRT_VERSION_1 MBEDTLS_X509_CRT_VERSION_1 #define X509_CRT_VERSION_2 MBEDTLS_X509_CRT_VERSION_2 #define X509_CRT_VERSION_3 MBEDTLS_X509_CRT_VERSION_3 @@ -1736,7 +1697,6 @@ #define _ssl_key_cert mbedtls_ssl_key_cert #define _ssl_premaster_secret mbedtls_ssl_premaster_secret #define _ssl_session mbedtls_ssl_session -#define _ssl_ticket_keys mbedtls_ssl_ticket_keys #define _ssl_transform mbedtls_ssl_transform #define _x509_crl mbedtls_x509_crl #define _x509_crl_entry mbedtls_x509_crl_entry @@ -1836,7 +1796,6 @@ #define cipher_definitions mbedtls_cipher_definitions #define cipher_finish mbedtls_cipher_finish #define cipher_free mbedtls_cipher_free -#define cipher_free_ctx mbedtls_cipher_free_ctx #define cipher_get_block_size mbedtls_cipher_get_block_size #define cipher_get_cipher_mode mbedtls_cipher_get_cipher_mode #define cipher_get_iv_size mbedtls_cipher_get_iv_size @@ -1855,7 +1814,6 @@ #define cipher_mode_t mbedtls_cipher_mode_t #define cipher_padding_t mbedtls_cipher_padding_t #define cipher_reset mbedtls_cipher_reset -#define cipher_self_test mbedtls_cipher_self_test #define cipher_set_iv mbedtls_cipher_set_iv #define cipher_set_padding_mode mbedtls_cipher_set_padding_mode #define cipher_setkey mbedtls_cipher_setkey @@ -1866,7 +1824,6 @@ #define ctr_drbg_context mbedtls_ctr_drbg_context #define ctr_drbg_free mbedtls_ctr_drbg_free #define ctr_drbg_init mbedtls_ctr_drbg_init -#define ctr_drbg_init_entropy_len mbedtls_ctr_drbg_init_entropy_len #define ctr_drbg_random mbedtls_ctr_drbg_random #define ctr_drbg_random_with_add mbedtls_ctr_drbg_random_with_add #define ctr_drbg_reseed mbedtls_ctr_drbg_reseed @@ -1877,14 +1834,12 @@ #define ctr_drbg_update mbedtls_ctr_drbg_update #define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file #define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file -#define debug_fmt mbedtls_debug_fmt #define debug_print_buf mbedtls_debug_print_buf #define debug_print_crt mbedtls_debug_print_crt #define debug_print_ecp mbedtls_debug_print_ecp #define debug_print_mpi mbedtls_debug_print_mpi #define debug_print_msg mbedtls_debug_print_msg #define debug_print_ret mbedtls_debug_print_ret -#define debug_set_log_mode mbedtls_debug_set_log_mode #define debug_set_threshold mbedtls_debug_set_threshold #define des3_context mbedtls_des3_context #define des3_crypt_cbc mbedtls_des3_crypt_cbc @@ -1928,7 +1883,6 @@ #define ecdh_make_public mbedtls_ecdh_make_public #define ecdh_read_params mbedtls_ecdh_read_params #define ecdh_read_public mbedtls_ecdh_read_public -#define ecdh_self_test mbedtls_ecdh_self_test #define ecdh_side mbedtls_ecdh_side #define ecdsa_context mbedtls_ecdsa_context #define ecdsa_free mbedtls_ecdsa_free @@ -1937,7 +1891,6 @@ #define ecdsa_info mbedtls_ecdsa_info #define ecdsa_init mbedtls_ecdsa_init #define ecdsa_read_signature mbedtls_ecdsa_read_signature -#define ecdsa_self_test mbedtls_ecdsa_self_test #define ecdsa_sign mbedtls_ecdsa_sign #define ecdsa_sign_det mbedtls_ecdsa_sign_det #define ecdsa_verify mbedtls_ecdsa_verify @@ -1945,7 +1898,6 @@ #define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det #define eckey_info mbedtls_eckey_info #define eckeydh_info mbedtls_eckeydh_info -#define ecp_add mbedtls_ecp_add #define ecp_check_privkey mbedtls_ecp_check_privkey #define ecp_check_pub_priv mbedtls_ecp_check_pub_priv #define ecp_check_pubkey mbedtls_ecp_check_pubkey @@ -1962,7 +1914,6 @@ #define ecp_group_free mbedtls_ecp_group_free #define ecp_group_id mbedtls_ecp_group_id #define ecp_group_init mbedtls_ecp_group_init -#define ecp_group_read_string mbedtls_ecp_group_read_string #define ecp_grp_id_list mbedtls_ecp_grp_id_list #define ecp_is_zero mbedtls_ecp_is_zero #define ecp_keypair mbedtls_ecp_keypair @@ -1977,7 +1928,6 @@ #define ecp_point_write_binary mbedtls_ecp_point_write_binary #define ecp_self_test mbedtls_ecp_self_test #define ecp_set_zero mbedtls_ecp_set_zero -#define ecp_sub mbedtls_ecp_sub #define ecp_tls_read_group mbedtls_ecp_tls_read_group #define ecp_tls_read_point mbedtls_ecp_tls_read_point #define ecp_tls_write_group mbedtls_ecp_tls_write_group @@ -2015,7 +1965,6 @@ #define hmac_drbg_context mbedtls_hmac_drbg_context #define hmac_drbg_free mbedtls_hmac_drbg_free #define hmac_drbg_init mbedtls_hmac_drbg_init -#define hmac_drbg_init_buf mbedtls_hmac_drbg_init_buf #define hmac_drbg_random mbedtls_hmac_drbg_random #define hmac_drbg_random_with_add mbedtls_hmac_drbg_random_with_add #define hmac_drbg_reseed mbedtls_hmac_drbg_reseed @@ -2031,14 +1980,8 @@ #define md mbedtls_md #define md2 mbedtls_md2 #define md2_context mbedtls_md2_context -#define md2_file mbedtls_md2_file #define md2_finish mbedtls_md2_finish #define md2_free mbedtls_md2_free -#define md2_hmac mbedtls_md2_hmac -#define md2_hmac_finish mbedtls_md2_hmac_finish -#define md2_hmac_reset mbedtls_md2_hmac_reset -#define md2_hmac_starts mbedtls_md2_hmac_starts -#define md2_hmac_update mbedtls_md2_hmac_update #define md2_info mbedtls_md2_info #define md2_init mbedtls_md2_init #define md2_process mbedtls_md2_process @@ -2047,14 +1990,8 @@ #define md2_update mbedtls_md2_update #define md4 mbedtls_md4 #define md4_context mbedtls_md4_context -#define md4_file mbedtls_md4_file #define md4_finish mbedtls_md4_finish #define md4_free mbedtls_md4_free -#define md4_hmac mbedtls_md4_hmac -#define md4_hmac_finish mbedtls_md4_hmac_finish -#define md4_hmac_reset mbedtls_md4_hmac_reset -#define md4_hmac_starts mbedtls_md4_hmac_starts -#define md4_hmac_update mbedtls_md4_hmac_update #define md4_info mbedtls_md4_info #define md4_init mbedtls_md4_init #define md4_process mbedtls_md4_process @@ -2063,14 +2000,8 @@ #define md4_update mbedtls_md4_update #define md5 mbedtls_md5 #define md5_context mbedtls_md5_context -#define md5_file mbedtls_md5_file #define md5_finish mbedtls_md5_finish #define md5_free mbedtls_md5_free -#define md5_hmac mbedtls_md5_hmac -#define md5_hmac_finish mbedtls_md5_hmac_finish -#define md5_hmac_reset mbedtls_md5_hmac_reset -#define md5_hmac_starts mbedtls_md5_hmac_starts -#define md5_hmac_update mbedtls_md5_hmac_update #define md5_info mbedtls_md5_info #define md5_init mbedtls_md5_init #define md5_process mbedtls_md5_process @@ -2081,7 +2012,6 @@ #define md_file mbedtls_md_file #define md_finish mbedtls_md_finish #define md_free mbedtls_md_free -#define md_free_ctx mbedtls_md_free_ctx #define md_get_name mbedtls_md_get_name #define md_get_size mbedtls_md_get_size #define md_get_type mbedtls_md_get_type @@ -2109,7 +2039,6 @@ #define memory_buffer_alloc_status mbedtls_memory_buffer_alloc_status #define memory_buffer_alloc_verify mbedtls_memory_buffer_alloc_verify #define memory_buffer_set_verify mbedtls_memory_buffer_set_verify -#define memory_set_own mbedtls_memory_set_own #define mpi mbedtls_mpi #define mpi_add_abs mbedtls_mpi_add_abs #define mpi_add_int mbedtls_mpi_add_int @@ -2185,8 +2114,6 @@ #define padlock_supports mbedtls_padlock_has_support #define padlock_xcryptcbc mbedtls_padlock_xcryptcbc #define padlock_xcryptecb mbedtls_padlock_xcryptecb -#define pbkdf2_hmac mbedtls_pbkdf2_hmac -#define pbkdf2_self_test mbedtls_pbkdf2_self_test #define pem_context mbedtls_pem_context #define pem_free mbedtls_pem_free #define pem_init mbedtls_pem_init @@ -2246,13 +2173,11 @@ #define platform_entropy_poll mbedtls_platform_entropy_poll #define platform_set_exit mbedtls_platform_set_exit #define platform_set_fprintf mbedtls_platform_set_fprintf -#define platform_set_malloc_free mbedtls_platform_set_malloc_free #define platform_set_printf mbedtls_platform_set_printf #define platform_set_snprintf mbedtls_platform_set_snprintf #define polarssl_exit mbedtls_exit #define polarssl_fprintf mbedtls_fprintf #define polarssl_free mbedtls_free -#define polarssl_malloc mbedtls_malloc #define polarssl_mutex_free mbedtls_mutex_free #define polarssl_mutex_init mbedtls_mutex_init #define polarssl_mutex_lock mbedtls_mutex_lock @@ -2262,14 +2187,8 @@ #define polarssl_strerror mbedtls_strerror #define ripemd160 mbedtls_ripemd160 #define ripemd160_context mbedtls_ripemd160_context -#define ripemd160_file mbedtls_ripemd160_file #define ripemd160_finish mbedtls_ripemd160_finish #define ripemd160_free mbedtls_ripemd160_free -#define ripemd160_hmac mbedtls_ripemd160_hmac -#define ripemd160_hmac_finish mbedtls_ripemd160_hmac_finish -#define ripemd160_hmac_reset mbedtls_ripemd160_hmac_reset -#define ripemd160_hmac_starts mbedtls_ripemd160_hmac_starts -#define ripemd160_hmac_update mbedtls_ripemd160_hmac_update #define ripemd160_info mbedtls_ripemd160_info #define ripemd160_init mbedtls_ripemd160_init #define ripemd160_process mbedtls_ripemd160_process @@ -2283,12 +2202,10 @@ #define rsa_check_pubkey mbedtls_rsa_check_pubkey #define rsa_context mbedtls_rsa_context #define rsa_copy mbedtls_rsa_copy -#define rsa_decrypt_func mbedtls_rsa_decrypt_func #define rsa_free mbedtls_rsa_free #define rsa_gen_key mbedtls_rsa_gen_key #define rsa_info mbedtls_rsa_info #define rsa_init mbedtls_rsa_init -#define rsa_key_len_func mbedtls_rsa_key_len_func #define rsa_pkcs1_decrypt mbedtls_rsa_pkcs1_decrypt #define rsa_pkcs1_encrypt mbedtls_rsa_pkcs1_encrypt #define rsa_pkcs1_sign mbedtls_rsa_pkcs1_sign @@ -2306,19 +2223,12 @@ #define rsa_rsassa_pss_verify_ext mbedtls_rsa_rsassa_pss_verify_ext #define rsa_self_test mbedtls_rsa_self_test #define rsa_set_padding mbedtls_rsa_set_padding -#define rsa_sign_func mbedtls_rsa_sign_func #define safer_memcmp mbedtls_ssl_safer_memcmp #define set_alarm mbedtls_set_alarm #define sha1 mbedtls_sha1 #define sha1_context mbedtls_sha1_context -#define sha1_file mbedtls_sha1_file #define sha1_finish mbedtls_sha1_finish #define sha1_free mbedtls_sha1_free -#define sha1_hmac mbedtls_sha1_hmac -#define sha1_hmac_finish mbedtls_sha1_hmac_finish -#define sha1_hmac_reset mbedtls_sha1_hmac_reset -#define sha1_hmac_starts mbedtls_sha1_hmac_starts -#define sha1_hmac_update mbedtls_sha1_hmac_update #define sha1_info mbedtls_sha1_info #define sha1_init mbedtls_sha1_init #define sha1_process mbedtls_sha1_process @@ -2328,14 +2238,8 @@ #define sha224_info mbedtls_sha224_info #define sha256 mbedtls_sha256 #define sha256_context mbedtls_sha256_context -#define sha256_file mbedtls_sha256_file #define sha256_finish mbedtls_sha256_finish #define sha256_free mbedtls_sha256_free -#define sha256_hmac mbedtls_sha256_hmac -#define sha256_hmac_finish mbedtls_sha256_hmac_finish -#define sha256_hmac_reset mbedtls_sha256_hmac_reset -#define sha256_hmac_starts mbedtls_sha256_hmac_starts -#define sha256_hmac_update mbedtls_sha256_hmac_update #define sha256_info mbedtls_sha256_info #define sha256_init mbedtls_sha256_init #define sha256_process mbedtls_sha256_process @@ -2345,14 +2249,8 @@ #define sha384_info mbedtls_sha384_info #define sha512 mbedtls_sha512 #define sha512_context mbedtls_sha512_context -#define sha512_file mbedtls_sha512_file #define sha512_finish mbedtls_sha512_finish #define sha512_free mbedtls_sha512_free -#define sha512_hmac mbedtls_sha512_hmac -#define sha512_hmac_finish mbedtls_sha512_hmac_finish -#define sha512_hmac_reset mbedtls_sha512_hmac_reset -#define sha512_hmac_starts mbedtls_sha512_hmac_starts -#define sha512_hmac_update mbedtls_sha512_hmac_update #define sha512_info mbedtls_sha512_info #define sha512_init mbedtls_sha512_init #define sha512_process mbedtls_sha512_process @@ -2385,7 +2283,6 @@ #define ssl_cookie_setup mbedtls_ssl_cookie_setup #define ssl_cookie_write mbedtls_ssl_cookie_write #define ssl_cookie_write_t mbedtls_ssl_cookie_write_t -#define ssl_curve_is_acceptable mbedtls_ssl_curve_is_acceptable #define ssl_derive_keys mbedtls_ssl_derive_keys #define ssl_dtls_replay_check mbedtls_ssl_dtls_replay_check #define ssl_dtls_replay_update mbedtls_ssl_dtls_replay_update @@ -2475,8 +2372,6 @@ #define ssl_set_max_version mbedtls_ssl_conf_max_version #define ssl_set_min_version mbedtls_ssl_conf_min_version #define ssl_set_own_cert mbedtls_ssl_conf_own_cert -#define ssl_set_own_cert_alt mbedtls_ssl_set_own_cert_alt -#define ssl_set_own_cert_rsa mbedtls_ssl_set_own_cert_rsa #define ssl_set_psk mbedtls_ssl_conf_psk #define ssl_set_psk_cb mbedtls_ssl_conf_psk_cb #define ssl_set_renegotiation mbedtls_ssl_conf_renegotiation @@ -2485,7 +2380,6 @@ #define ssl_set_rng mbedtls_ssl_conf_rng #define ssl_set_session mbedtls_ssl_set_session #define ssl_set_session_cache mbedtls_ssl_conf_session_cache -#define ssl_set_session_ticket_lifetime mbedtls_ssl_conf_session_ticket_lifetime #define ssl_set_session_tickets mbedtls_ssl_conf_session_tickets #define ssl_set_sni mbedtls_ssl_conf_sni #define ssl_set_transport mbedtls_ssl_conf_transport @@ -2493,7 +2387,6 @@ #define ssl_set_verify mbedtls_ssl_conf_verify #define ssl_sig_from_pk mbedtls_ssl_sig_from_pk #define ssl_states mbedtls_ssl_states -#define ssl_ticket_keys mbedtls_ssl_ticket_keys #define ssl_transform mbedtls_ssl_transform #define ssl_transform_free mbedtls_ssl_transform_free #define ssl_write mbedtls_ssl_write @@ -2522,7 +2415,6 @@ #define test_cli_key mbedtls_test_cli_key #define test_cli_key_ec mbedtls_test_cli_key_ec #define test_cli_key_rsa mbedtls_test_cli_key_rsa -#define test_dhm_params mbedtls_test_dhm_params #define test_srv_crt mbedtls_test_srv_crt #define test_srv_crt_ec mbedtls_test_srv_crt_ec #define test_srv_crt_rsa mbedtls_test_srv_crt_rsa @@ -2577,8 +2469,6 @@ #define x509_get_time mbedtls_x509_get_time #define x509_key_size_helper mbedtls_x509_key_size_helper #define x509_name mbedtls_x509_name -#define x509_oid_get_description mbedtls_x509_oid_get_description -#define x509_oid_get_numeric_string mbedtls_x509_oid_get_numeric_string #define x509_self_test mbedtls_x509_self_test #define x509_sequence mbedtls_x509_sequence #define x509_serial_gets mbedtls_x509_serial_gets diff --git a/features/mbedtls/inc/mbedtls/config.h b/features/mbedtls/inc/mbedtls/config.h index 5ff325ace7..6d23f0151f 100644 --- a/features/mbedtls/inc/mbedtls/config.h +++ b/features/mbedtls/inc/mbedtls/config.h @@ -233,16 +233,16 @@ * \def MBEDTLS_AES_ALT * * MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let mbed TLS use your - * alternate core implementation of a symmetric crypto or hash module (e.g. - * platform specific assembly optimized implementations). Keep in mind that - * the function prototypes should remain the same. + * alternate core implementation of a symmetric crypto, an arithmetic or hash + * module (e.g. platform specific assembly optimized implementations). Keep + * in mind that the function prototypes should remain the same. * * This replaces the whole module. If you only want to replace one of the * functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags. * * Example: In case you uncomment MBEDTLS_AES_ALT, mbed TLS will no longer - * provide the "struct mbedtls_aes_context" definition and omit the base function - * declarations and implementations. "aes_alt.h" will be included from + * provide the "struct mbedtls_aes_context" definition and omit the base + * function declarations and implementations. "aes_alt.h" will be included from * "aes.h" to include the new function definitions. * * Uncomment a macro to enable alternate implementation of the corresponding @@ -261,6 +261,16 @@ //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT +/* + * When replacing the elliptic curve module, pleace consider, that it is + * implemented with two .c files: + * - ecp.c + * - ecp_curves.c + * You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT + * macros as described above. The only difference is that you have to make sure + * that you provide functionality for both .c files. + */ +//#define MBEDTLS_ECP_ALT /** * \def MBEDTLS_MD2_PROCESS_ALT @@ -300,6 +310,59 @@ //#define MBEDTLS_AES_ENCRYPT_ALT //#define MBEDTLS_AES_DECRYPT_ALT +/** + * \def MBEDTLS_ECP_INTERNAL_ALT + * + * Expose a part of the internal interface of the Elliptic Curve Point module. + * + * MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use your + * alternative core implementation of elliptic curve arithmetic. Keep in mind + * that function prototypes should remain the same. + * + * This partially replaces one function. The header file from mbed TLS is still + * used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation + * is still present and it is used for group structures not supported by the + * alternative. + * + * Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT + * and implementing the following functions: + * unsigned char mbedtls_internal_ecp_grp_capable( + * const mbedtls_ecp_group *grp ) + * int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ) + * void mbedtls_internal_ecp_deinit( const mbedtls_ecp_group *grp ) + * The mbedtls_internal_ecp_grp_capable function should return 1 if the + * replacement functions implement arithmetic for the given group and 0 + * otherwise. + * The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_deinit are + * called before and after each point operation and provide an opportunity to + * implement optimized set up and tear down instructions. + * + * Example: In case you uncomment MBEDTLS_ECP_INTERNAL_ALT and + * MBEDTLS_ECP_DOUBLE_JAC_ALT, mbed TLS will still provide the ecp_double_jac + * function, but will use your mbedtls_internal_ecp_double_jac if the group is + * supported (your mbedtls_internal_ecp_grp_capable function returns 1 when + * receives it as an argument). If the group is not supported then the original + * implementation is used. The other functions and the definition of + * mbedtls_ecp_group and mbedtls_ecp_point will not change, so your + * implementation of mbedtls_internal_ecp_double_jac and + * mbedtls_internal_ecp_grp_capable must be compatible with this definition. + * + * Uncomment a macro to enable alternate implementation of the corresponding + * function. + */ +/* Required for all the functions in this section */ +//#define MBEDTLS_ECP_INTERNAL_ALT +/* Support for Weierstrass curves with Jacobi representation */ +//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT +//#define MBEDTLS_ECP_ADD_MIXED_ALT +//#define MBEDTLS_ECP_DOUBLE_JAC_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT +//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT +/* Support for curves with Montgomery arithmetic */ +//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT +//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT +//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT + /** * \def MBEDTLS_TEST_NULL_ENTROPY * diff --git a/features/mbedtls/inc/mbedtls/ecjpake.h b/features/mbedtls/inc/mbedtls/ecjpake.h index b7b61604d0..161a5b213f 100644 --- a/features/mbedtls/inc/mbedtls/ecjpake.h +++ b/features/mbedtls/inc/mbedtls/ecjpake.h @@ -116,7 +116,7 @@ int mbedtls_ecjpake_setup( mbedtls_ecjpake_context *ctx, const unsigned char *secret, size_t len ); -/* +/** * \brief Check if a context is ready for use * * \param ctx Context to check diff --git a/features/mbedtls/inc/mbedtls/ecp.h b/features/mbedtls/inc/mbedtls/ecp.h index 5246c789d3..bf9abeff6b 100644 --- a/features/mbedtls/inc/mbedtls/ecp.h +++ b/features/mbedtls/inc/mbedtls/ecp.h @@ -37,6 +37,15 @@ #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */ #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< Signature is valid but shorter than the user-supplied length. */ +#if !defined(MBEDTLS_ECP_ALT) +/* + * default mbed TLS elliptic curve arithmetic implementation + * + * (in case MBEDTLS_ECP_ALT is defined then the developer has to provide an + * alternative implementation for the whole module and it will replace this + * one.) + */ + #ifdef __cplusplus extern "C" { #endif @@ -654,16 +663,22 @@ int mbedtls_ecp_gen_key( mbedtls_ecp_group_id grp_id, mbedtls_ecp_keypair *key, int mbedtls_ecp_check_pub_priv( const mbedtls_ecp_keypair *pub, const mbedtls_ecp_keypair *prv ); #if defined(MBEDTLS_SELF_TEST) + /** * \brief Checkup routine * * \return 0 if successful, or 1 if a test failed */ int mbedtls_ecp_self_test( int verbose ); -#endif + +#endif /* MBEDTLS_SELF_TEST */ #ifdef __cplusplus } #endif +#else /* MBEDTLS_ECP_ALT */ +#include "ecp_alt.h" +#endif /* MBEDTLS_ECP_ALT */ + #endif /* ecp.h */ diff --git a/features/mbedtls/inc/mbedtls/ecp_internal.h b/features/mbedtls/inc/mbedtls/ecp_internal.h new file mode 100644 index 0000000000..2991e26dd9 --- /dev/null +++ b/features/mbedtls/inc/mbedtls/ecp_internal.h @@ -0,0 +1,292 @@ +/** + * \file ecp_internal.h + * + * \brief Function declarations for alternative implementation of elliptic curve + * point arithmetic. + * + * Copyright (C) 2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +/* + * References: + * + * [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records. + * + * + * [2] CORON, Jean-S'ebastien. Resistance against differential power analysis + * for elliptic curve cryptosystems. In : Cryptographic Hardware and + * Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302. + * + * + * [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to + * render ECC resistant against Side Channel Attacks. IACR Cryptology + * ePrint Archive, 2004, vol. 2004, p. 342. + * + * + * [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters. + * + * + * [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic + * Curve Cryptography. + * + * [6] Digital Signature Standard (DSS), FIPS 186-4. + * + * + * [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer + * Security (TLS), RFC 4492. + * + * + * [8] + * + * [9] COHEN, Henri. A Course in Computational Algebraic Number Theory. + * Springer Science & Business Media, 1 Aug 2000 + */ + +#ifndef MBEDTLS_ECP_INTERNAL_H +#define MBEDTLS_ECP_INTERNAL_H + +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + +/** + * \brief Indicate if the Elliptic Curve Point module extension can + * handle the group. + * + * \param grp The pointer to the elliptic curve group that will be the + * basis of the cryptographic computations. + * + * \return Non-zero if successful. + */ +unsigned char mbedtls_internal_ecp_grp_capable( const mbedtls_ecp_group *grp ); + +/** + * \brief Initialise the Elliptic Curve Point module extension. + * + * If mbedtls_internal_ecp_grp_capable returns true for a + * group, this function has to be able to initialise the + * module for it. + * + * This module can be a driver to a crypto hardware + * accelerator, for which this could be an initialise function. + * + * \param grp The pointer to the group the module needs to be + * initialised for. + * + * \return 0 if successful. + */ +int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp ); + +/** + * \brief Frees and deallocates the Elliptic Curve Point module + * extension. + * + * \param grp The pointer to the group the module was initialised for. + */ +void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp ); + +#if defined(ECP_SHORTWEIERSTRASS) + +#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) +/** + * \brief Randomize jacobian coordinates: + * (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l. + * + * \param grp Pointer to the group representing the curve. + * + * \param pt The point on the curve to be randomised, given with Jacobian + * coordinates. + * + * \param f_rng A function pointer to the random number generator. + * + * \param p_rng A pointer to the random number generator state. + * + * \return 0 if successful. + */ +int mbedtls_internal_ecp_randomize_jac( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt, int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); +#endif + +#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) +/** + * \brief Addition: R = P + Q, mixed affine-Jacobian coordinates. + * + * The coordinates of Q must be normalized (= affine), + * but those of P don't need to. R is not normalized. + * + * This function is used only as a subrutine of + * ecp_mul_comb(). + * + * Special cases: (1) P or Q is zero, (2) R is zero, + * (3) P == Q. + * None of these cases can happen as intermediate step in + * ecp_mul_comb(): + * - at each step, P, Q and R are multiples of the base + * point, the factor being less than its order, so none of + * them is zero; + * - Q is an odd multiple of the base point, P an even + * multiple, due to the choice of precomputed points in the + * modified comb method. + * So branches for these cases do not leak secret information. + * + * We accept Q->Z being unset (saving memory in tables) as + * meaning 1. + * + * Cost in field operations if done by [5] 3.22: + * 1A := 8M + 3S + * + * \param grp Pointer to the group representing the curve. + * + * \param R Pointer to a point structure to hold the result. + * + * \param P Pointer to the first summand, given with Jacobian + * coordinates + * + * \param Q Pointer to the second summand, given with affine + * coordinates. + * + * \return 0 if successful. + */ +int mbedtls_internal_ecp_add_mixed( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *R, const mbedtls_ecp_point *P, + const mbedtls_ecp_point *Q ); +#endif + +/** + * \brief Point doubling R = 2 P, Jacobian coordinates. + * + * Cost: 1D := 3M + 4S (A == 0) + * 4M + 4S (A == -3) + * 3M + 6S + 1a otherwise + * when the implementation is based on the "dbl-1998-cmo-2" + * doubling formulas in [8] and standard optimizations are + * applied when curve parameter A is one of { 0, -3 }. + * + * \param grp Pointer to the group representing the curve. + * + * \param R Pointer to a point structure to hold the result. + * + * \param P Pointer to the point that has to be doubled, given with + * Jacobian coordinates. + * + * \return 0 if successful. + */ +#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) +int mbedtls_internal_ecp_double_jac( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *R, const mbedtls_ecp_point *P ); +#endif + +/** + * \brief Normalize jacobian coordinates of an array of (pointers to) + * points. + * + * Using Montgomery's trick to perform only one inversion mod P + * the cost is: + * 1N(t) := 1I + (6t - 3)M + 1S + * (See for example Algorithm 10.3.4. in [9]) + * + * This function is used only as a subrutine of + * ecp_mul_comb(). + * + * Warning: fails (returning an error) if one of the points is + * zero! + * This should never happen, see choice of w in ecp_mul_comb(). + * + * \param grp Pointer to the group representing the curve. + * + * \param T Array of pointers to the points to normalise. + * + * \param t_len Number of elements in the array. + * + * \return 0 if successful, + * an error if one of the points is zero. + */ +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) +int mbedtls_internal_ecp_normalize_jac_many( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *T[], size_t t_len ); +#endif + +/** + * \brief Normalize jacobian coordinates so that Z == 0 || Z == 1. + * + * Cost in field operations if done by [5] 3.2.1: + * 1N := 1I + 3M + 1S + * + * \param grp Pointer to the group representing the curve. + * + * \param pt pointer to the point to be normalised. This is an + * input/output parameter. + * + * \return 0 if successful. + */ +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) +int mbedtls_internal_ecp_normalize_jac( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *pt ); +#endif + +#endif /* ECP_SHORTWEIERSTRASS */ + +#if defined(ECP_MONTGOMERY) + +#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) +int mbedtls_internal_ecp_double_add_mxz( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *R, mbedtls_ecp_point *S, const mbedtls_ecp_point *P, + const mbedtls_ecp_point *Q, const mbedtls_mpi *d ); +#endif + +/** + * \brief Randomize projective x/z coordinates: + * (X, Z) -> (l X, l Z) for random l + * + * \param grp pointer to the group representing the curve + * + * \param P the point on the curve to be randomised given with + * projective coordinates. This is an input/output parameter. + * + * \param f_rng a function pointer to the random number generator + * + * \param p_rng a pointer to the random number generator state + * + * \return 0 if successful + */ +#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) +int mbedtls_internal_ecp_randomize_mxz( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t), + void *p_rng ); +#endif + +/** + * \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1. + * + * \param grp pointer to the group representing the curve + * + * \param P pointer to the point to be normalised. This is an + * input/output parameter. + * + * \return 0 if successful + */ +#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) +int mbedtls_internal_ecp_normalize_mxz( const mbedtls_ecp_group *grp, + mbedtls_ecp_point *P ); +#endif + +#endif /* ECP_MONTGOMERY */ + +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ + +#endif /* ecp_internal.h */ + diff --git a/features/mbedtls/inc/mbedtls/ssl.h b/features/mbedtls/inc/mbedtls/ssl.h index 495e02cb0e..cb29b8383a 100644 --- a/features/mbedtls/inc/mbedtls/ssl.h +++ b/features/mbedtls/inc/mbedtls/ssl.h @@ -185,6 +185,9 @@ #define MBEDTLS_SSL_PRESET_DEFAULT 0 #define MBEDTLS_SSL_PRESET_SUITEB 2 +#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED 1 +#define MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED 0 + /* * Default range for DTLS retransmission timer value, in milliseconds. * RFC 6347 4.2.4.1 says from 1 second to 60 seconds. @@ -749,6 +752,10 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) unsigned int fallback : 1; /*!< is this a fallback? */ #endif +#if defined(MBEDTLS_SSL_SRV_C) + unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in + Certificate Request messages? */ +#endif }; @@ -2031,6 +2038,20 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 ); #endif /* MBEDTLS_ARC4_C */ +#if defined(MBEDTLS_SSL_SRV_C) +/** + * \brief Whether to send a list of acceptable CAs in + * CertificateRequest messages. + * (Default: do send) + * + * \param conf SSL configuration + * \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or + * MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED + */ +void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, + char cert_req_ca_list ); +#endif /* MBEDTLS_SSL_SRV_C */ + #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /** * \brief Set the maximum fragment length to emit and/or negotiate diff --git a/features/mbedtls/inc/mbedtls/threading.h b/features/mbedtls/inc/mbedtls/threading.h index b0c34ecc74..a89fd64967 100644 --- a/features/mbedtls/inc/mbedtls/threading.h +++ b/features/mbedtls/inc/mbedtls/threading.h @@ -97,6 +97,9 @@ extern int (*mbedtls_mutex_unlock)( mbedtls_threading_mutex_t *mutex ); */ extern mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex; extern mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex; +#if defined(MBEDTLS_ECP_INTERNAL_ALT) +extern mbedtls_threading_mutex_t mbedtls_threading_ecp_mutex; +#endif #endif /* MBEDTLS_THREADING_C */ #ifdef __cplusplus diff --git a/features/mbedtls/inc/mbedtls/version.h b/features/mbedtls/inc/mbedtls/version.h index f00e158c41..166096101a 100644 --- a/features/mbedtls/inc/mbedtls/version.h +++ b/features/mbedtls/inc/mbedtls/version.h @@ -38,17 +38,17 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 4 -#define MBEDTLS_VERSION_PATCH 2 +#define MBEDTLS_VERSION_MINOR 5 +#define MBEDTLS_VERSION_PATCH 0 /** * The single version number has the following structure: * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02040200 -#define MBEDTLS_VERSION_STRING "2.4.2" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.4.2" +#define MBEDTLS_VERSION_NUMBER 0x02050000 +#define MBEDTLS_VERSION_STRING "2.5.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.5.0" #if defined(MBEDTLS_VERSION_C) diff --git a/features/mbedtls/src/aes.c b/features/mbedtls/src/aes.c index a186dee981..5e01c4f2b4 100644 --- a/features/mbedtls/src/aes.c +++ b/features/mbedtls/src/aes.c @@ -710,9 +710,9 @@ exit: * AES-ECB block encryption */ #if !defined(MBEDTLS_AES_ENCRYPT_ALT) -void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, - const unsigned char input[16], - unsigned char output[16] ) +int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ) { int i; uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; @@ -760,6 +760,8 @@ void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, PUT_UINT32_LE( X1, output, 4 ); PUT_UINT32_LE( X2, output, 8 ); PUT_UINT32_LE( X3, output, 12 ); + + return( 0 ); } #endif /* !MBEDTLS_AES_ENCRYPT_ALT */ @@ -767,9 +769,9 @@ void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, * AES-ECB block decryption */ #if !defined(MBEDTLS_AES_DECRYPT_ALT) -void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, - const unsigned char input[16], - unsigned char output[16] ) +int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, + const unsigned char input[16], + unsigned char output[16] ) { int i; uint32_t *RK, X0, X1, X2, X3, Y0, Y1, Y2, Y3; @@ -817,6 +819,8 @@ void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, PUT_UINT32_LE( X1, output, 4 ); PUT_UINT32_LE( X2, output, 8 ); PUT_UINT32_LE( X3, output, 12 ); + + return( 0 ); } #endif /* !MBEDTLS_AES_DECRYPT_ALT */ @@ -846,11 +850,9 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, #endif if( mode == MBEDTLS_AES_ENCRYPT ) - mbedtls_aes_encrypt( ctx, input, output ); + return( mbedtls_internal_aes_encrypt( ctx, input, output ) ); else - mbedtls_aes_decrypt( ctx, input, output ); - - return( 0 ); + return( mbedtls_internal_aes_decrypt( ctx, input, output ) ); } #if defined(MBEDTLS_CIPHER_MODE_CBC) diff --git a/features/mbedtls/src/cmac.c b/features/mbedtls/src/cmac.c index b2fe713a03..035ad071d4 100644 --- a/features/mbedtls/src/cmac.c +++ b/features/mbedtls/src/cmac.c @@ -1,4 +1,4 @@ -/* +/** * \file cmac.c * * \brief NIST SP800-38B compliant CMAC implementation for AES and 3DES diff --git a/features/mbedtls/src/ecp.c b/features/mbedtls/src/ecp.c index f51f2251ed..56f22c2726 100644 --- a/features/mbedtls/src/ecp.c +++ b/features/mbedtls/src/ecp.c @@ -49,9 +49,12 @@ #if defined(MBEDTLS_ECP_C) #include "mbedtls/ecp.h" +#include "mbedtls/threading.h" #include +#if !defined(MBEDTLS_ECP_ALT) + #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else @@ -62,6 +65,8 @@ #define mbedtls_free free #endif +#include "mbedtls/ecp_internal.h" + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline @@ -748,6 +753,12 @@ static int ecp_normalize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p if( mbedtls_mpi_cmp_int( &pt->Z, 0 ) == 0 ) return( 0 ); +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_normalize_jac( grp, pt ); + } +#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */ mbedtls_mpi_init( &Zi ); mbedtls_mpi_init( &ZZi ); /* @@ -796,6 +807,13 @@ static int ecp_normalize_jac_many( const mbedtls_ecp_group *grp, if( t_len < 2 ) return( ecp_normalize_jac( grp, *T ) ); +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_normalize_jac_many(grp, T, t_len); + } +#endif + if( ( c = mbedtls_calloc( t_len, sizeof( mbedtls_mpi ) ) ) == NULL ) return( MBEDTLS_ERR_ECP_ALLOC_FAILED ); @@ -912,6 +930,13 @@ static int ecp_double_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, dbl_count++; #endif +#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_double_jac( grp, R, P ); + } +#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */ + mbedtls_mpi_init( &M ); mbedtls_mpi_init( &S ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &U ); /* Special case for A = -3 */ @@ -1003,6 +1028,13 @@ static int ecp_add_mixed( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R, add_count++; #endif +#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_add_mixed( grp, R, P, Q ); + } +#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */ + /* * Trivial cases: P == 0 or Q == 0 (case 1) */ @@ -1080,9 +1112,17 @@ static int ecp_randomize_jac( const mbedtls_ecp_group *grp, mbedtls_ecp_point *p { int ret; mbedtls_mpi l, ll; - size_t p_size = ( grp->pbits + 7 ) / 8; + size_t p_size; int count = 0; +#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_randomize_jac( grp, pt, f_rng, p_rng ); + } +#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */ + + p_size = ( grp->pbits + 7 ) / 8; mbedtls_mpi_init( &l ); mbedtls_mpi_init( &ll ); /* Generate l such that 1 < l < p */ @@ -1234,6 +1274,7 @@ static int ecp_precompute_comb( const mbedtls_ecp_group *grp, MBEDTLS_MPI_CHK( ecp_normalize_jac_many( grp, TT, k ) ); cleanup: + return( ret ); } @@ -1297,6 +1338,7 @@ static int ecp_mul_comb_core( const mbedtls_ecp_group *grp, mbedtls_ecp_point *R } cleanup: + mbedtls_ecp_point_free( &Txi ); return( ret ); @@ -1441,6 +1483,13 @@ static int ecp_normalize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P { int ret; +#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_normalize_mxz( grp, P ); + } +#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */ + MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( &P->Z, &P->Z, &grp->P ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &P->X, &P->X, &P->Z ) ); MOD_MUL( P->X ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &P->Z, 1 ) ); @@ -1462,9 +1511,17 @@ static int ecp_randomize_mxz( const mbedtls_ecp_group *grp, mbedtls_ecp_point *P { int ret; mbedtls_mpi l; - size_t p_size = ( grp->pbits + 7 ) / 8; + size_t p_size; int count = 0; +#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_randomize_mxz( grp, P, f_rng, p_rng ); + } +#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */ + + p_size = ( grp->pbits + 7 ) / 8; mbedtls_mpi_init( &l ); /* Generate l such that 1 < l < p */ @@ -1512,6 +1569,13 @@ static int ecp_double_add_mxz( const mbedtls_ecp_group *grp, int ret; mbedtls_mpi A, AA, B, BB, E, C, D, DA, CB; +#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) + if ( mbedtls_internal_ecp_grp_capable( grp ) ) + { + return mbedtls_internal_ecp_double_add_mxz( grp, R, S, P, Q, d ); + } +#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */ + mbedtls_mpi_init( &A ); mbedtls_mpi_init( &AA ); mbedtls_mpi_init( &B ); mbedtls_mpi_init( &BB ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &C ); mbedtls_mpi_init( &D ); mbedtls_mpi_init( &DA ); mbedtls_mpi_init( &CB ); @@ -1612,7 +1676,10 @@ int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, const mbedtls_mpi *m, const mbedtls_ecp_point *P, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { - int ret; + int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA; +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + char is_grp_capable = 0; +#endif /* Common sanity checks */ if( mbedtls_mpi_cmp_int( &P->Z, 1 ) != 0 ) @@ -1622,15 +1689,43 @@ int mbedtls_ecp_mul( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, ( ret = mbedtls_ecp_check_pubkey( grp, P ) ) != 0 ) return( ret ); +#if defined(MBEDTLS_ECP_INTERNAL_ALT) +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_lock( &mbedtls_threading_ecp_mutex ) != 0 ) + return ( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); + +#endif + if ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) + { + MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) ); + } + +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ #if defined(ECP_MONTGOMERY) if( ecp_get_type( grp ) == ECP_TYPE_MONTGOMERY ) - return( ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ) ); + ret = ecp_mul_mxz( grp, R, m, P, f_rng, p_rng ); + #endif #if defined(ECP_SHORTWEIERSTRASS) if( ecp_get_type( grp ) == ECP_TYPE_SHORT_WEIERSTRASS ) - return( ecp_mul_comb( grp, R, m, P, f_rng, p_rng ) ); + ret = ecp_mul_comb( grp, R, m, P, f_rng, p_rng ); + #endif - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); +#if defined(MBEDTLS_ECP_INTERNAL_ALT) +cleanup: + + if ( is_grp_capable ) + { + mbedtls_internal_ecp_free( grp ); + } + +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_unlock( &mbedtls_threading_ecp_mutex ) != 0 ) + return ( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); + +#endif +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ + return( ret ); } #if defined(ECP_SHORTWEIERSTRASS) @@ -1723,6 +1818,9 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, { int ret; mbedtls_ecp_point mP; +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + char is_grp_capable = 0; +#endif if( ecp_get_type( grp ) != ECP_TYPE_SHORT_WEIERSTRASS ) return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE ); @@ -1732,10 +1830,35 @@ int mbedtls_ecp_muladd( mbedtls_ecp_group *grp, mbedtls_ecp_point *R, MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, &mP, m, P ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_mul_shortcuts( grp, R, n, Q ) ); +#if defined(MBEDTLS_ECP_INTERNAL_ALT) +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_lock( &mbedtls_threading_ecp_mutex ) != 0 ) + return ( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); + +#endif + if ( is_grp_capable = mbedtls_internal_ecp_grp_capable( grp ) ) + { + MBEDTLS_MPI_CHK( mbedtls_internal_ecp_init( grp ) ); + } + +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ MBEDTLS_MPI_CHK( ecp_add_mixed( grp, R, &mP, R ) ); MBEDTLS_MPI_CHK( ecp_normalize_jac( grp, R ) ); cleanup: + +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + if ( is_grp_capable ) + { + mbedtls_internal_ecp_free( grp ); + } + +#if defined(MBEDTLS_THREADING_C) + if( mbedtls_mutex_unlock( &mbedtls_threading_ecp_mutex ) != 0 ) + return ( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); + +#endif +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ mbedtls_ecp_point_free( &mP ); return( ret ); @@ -2089,4 +2212,6 @@ cleanup: #endif /* MBEDTLS_SELF_TEST */ +#endif /* !MBEDTLS_ECP_ALT */ + #endif /* MBEDTLS_ECP_C */ diff --git a/features/mbedtls/src/ecp_curves.c b/features/mbedtls/src/ecp_curves.c index a2a5495a91..df5ac3eea5 100644 --- a/features/mbedtls/src/ecp_curves.c +++ b/features/mbedtls/src/ecp_curves.c @@ -31,6 +31,8 @@ #include +#if !defined(MBEDTLS_ECP_ALT) + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline @@ -1322,4 +1324,6 @@ static int ecp_mod_p256k1( mbedtls_mpi *N ) } #endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */ +#endif /* !MBEDTLS_ECP_ALT */ + #endif /* MBEDTLS_ECP_C */ diff --git a/features/mbedtls/src/rsa.c b/features/mbedtls/src/rsa.c index 40ef2a9480..122bc13605 100644 --- a/features/mbedtls/src/rsa.c +++ b/features/mbedtls/src/rsa.c @@ -29,6 +29,11 @@ * [2] Handbook of Applied Cryptography - 1997, Chapter 8 * Menezes, van Oorschot and Vanstone * + * [3] Malware Guard Extension: Using SGX to Conceal Cache Attacks + * Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice and + * Stefan Mangard + * https://arxiv.org/abs/1702.08719v2 + * */ #if !defined(MBEDTLS_CONFIG_FILE) @@ -61,6 +66,11 @@ #define mbedtls_free free #endif +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; +} + /* * Initialize an RSA context */ @@ -356,6 +366,27 @@ cleanup: return( ret ); } +/* + * Exponent blinding supposed to prevent side-channel attacks using multiple + * traces of measurements to recover the RSA key. The more collisions are there, + * the more bits of the key can be recovered. See [3]. + * + * Collecting n collisions with m bit long blinding value requires 2^(m-m/n) + * observations on avarage. + * + * For example with 28 byte blinding to achieve 2 collisions the adversary has + * to make 2^112 observations on avarage. + * + * (With the currently (as of 2017 April) known best algorithms breaking 2048 + * bit RSA requires approximately as much time as trying out 2^112 random keys. + * Thus in this sense with 28 byte blinding the security is not reduced by + * side-channel attacks like the one in [3]) + * + * This countermeasure does not help if the key recovery is possible with a + * single trace. + */ +#define RSA_EXPONENT_BLINDING 28 + /* * Do an RSA private key operation */ @@ -368,12 +399,34 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, int ret; size_t olen; mbedtls_mpi T, T1, T2; + mbedtls_mpi P1, Q1, R; +#if defined(MBEDTLS_RSA_NO_CRT) + mbedtls_mpi D_blind; + mbedtls_mpi *D = &ctx->D; +#else + mbedtls_mpi DP_blind, DQ_blind; + mbedtls_mpi *DP = &ctx->DP; + mbedtls_mpi *DQ = &ctx->DQ; +#endif /* Make sure we have private key info, prevent possible misuse */ if( ctx->P.p == NULL || ctx->Q.p == NULL || ctx->D.p == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); mbedtls_mpi_init( &T ); mbedtls_mpi_init( &T1 ); mbedtls_mpi_init( &T2 ); + mbedtls_mpi_init( &P1 ); mbedtls_mpi_init( &Q1 ); mbedtls_mpi_init( &R ); + + + if( f_rng != NULL ) + { +#if defined(MBEDTLS_RSA_NO_CRT) + mbedtls_mpi_init( &D_blind ); +#else + mbedtls_mpi_init( &DP_blind ); + mbedtls_mpi_init( &DQ_blind ); +#endif + } + #if defined(MBEDTLS_THREADING_C) if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 ) @@ -396,19 +449,60 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, MBEDTLS_MPI_CHK( rsa_prepare_blinding( ctx, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, &T, &ctx->Vi ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &T, &T, &ctx->N ) ); + + /* + * Exponent blinding + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &P1, &ctx->P, 1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &Q1, &ctx->Q, 1 ) ); + +#if defined(MBEDTLS_RSA_NO_CRT) + /* + * D_blind = ( P - 1 ) * ( Q - 1 ) * R + D + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, + f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &P1, &Q1 ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &D_blind, &D_blind, &R ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &D_blind, &D_blind, &ctx->D ) ); + + D = &D_blind; +#else + /* + * DP_blind = ( P - 1 ) * R + DP + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, + f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DP_blind, &P1, &R ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DP_blind, &DP_blind, + &ctx->DP ) ); + + DP = &DP_blind; + + /* + * DQ_blind = ( Q - 1 ) * R + DQ + */ + MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( &R, RSA_EXPONENT_BLINDING, + f_rng, p_rng ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &DQ_blind, &Q1, &R ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &DQ_blind, &DQ_blind, + &ctx->DQ ) ); + + DQ = &DQ_blind; +#endif /* MBEDTLS_RSA_NO_CRT */ } #if defined(MBEDTLS_RSA_NO_CRT) - MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, &ctx->D, &ctx->N, &ctx->RN ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T, &T, D, &ctx->N, &ctx->RN ) ); #else /* - * faster decryption using the CRT + * Faster decryption using the CRT * * T1 = input ^ dP mod P * T2 = input ^ dQ mod Q */ - MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, &ctx->DP, &ctx->P, &ctx->RP ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, &ctx->DQ, &ctx->Q, &ctx->RQ ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T1, &T, DP, &ctx->P, &ctx->RP ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &T2, &T, DQ, &ctx->Q, &ctx->RQ ) ); /* * T = (T1 - T2) * (Q^-1 mod P) mod P @@ -444,6 +538,17 @@ cleanup: #endif mbedtls_mpi_free( &T ); mbedtls_mpi_free( &T1 ); mbedtls_mpi_free( &T2 ); + mbedtls_mpi_free( &P1 ); mbedtls_mpi_free( &Q1 ); mbedtls_mpi_free( &R ); + + if( f_rng != NULL ) + { +#if defined(MBEDTLS_RSA_NO_CRT) + mbedtls_mpi_free( &D_blind ); +#else + mbedtls_mpi_free( &DP_blind ); + mbedtls_mpi_free( &DQ_blind ); +#endif + } if( ret != 0 ) return( MBEDTLS_ERR_RSA_PRIVATE_FAILED + ret ); @@ -496,6 +601,8 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, dlen -= use_len; } + + mbedtls_zeroize( mask, sizeof( mask ) ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -724,7 +831,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); if( ret != 0 ) - return( ret ); + goto cleanup; /* * Unmask data and generate lHash @@ -733,7 +840,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) { mbedtls_md_free( &md_ctx ); - return( ret ); + goto cleanup; } @@ -784,15 +891,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * the different error conditions. */ if( bad != 0 ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + { + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto cleanup; + } if( ilen - ( p - buf ) > output_max_len ) - return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); + { + ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; + goto cleanup; + } *olen = ilen - (p - buf); memcpy( output, p, *olen ); + ret = 0; - return( 0 ); +cleanup: + mbedtls_zeroize( buf, sizeof( buf ) ); + mbedtls_zeroize( lhash, sizeof( lhash ) ); + + return( ret ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -826,7 +944,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, : mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf ); if( ret != 0 ) - return( ret ); + goto cleanup; p = buf; bad = 0; @@ -871,15 +989,25 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, bad |= ( pad_count < 8 ); if( bad ) - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + { + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto cleanup; + } if( ilen - ( p - buf ) > output_max_len ) - return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); + { + ret = MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE; + goto cleanup; + } *olen = ilen - (p - buf); memcpy( output, p, *olen ); + ret = 0; - return( 0 ); +cleanup: + mbedtls_zeroize( buf, sizeof( buf ) ); + + return( ret ); } #endif /* MBEDTLS_PKCS1_V15 */ @@ -981,6 +1109,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) { mbedtls_md_free( &md_ctx ); + /* No need to zeroize salt: we didn't use it. */ return( ret ); } @@ -990,6 +1119,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, mbedtls_md_update( &md_ctx, hash, hashlen ); mbedtls_md_update( &md_ctx, salt, slen ); mbedtls_md_finish( &md_ctx, p ); + mbedtls_zeroize( salt, sizeof( salt ) ); /* Compensate for boundary condition when applying mask */ if( msb % 8 == 0 ) diff --git a/features/mbedtls/src/ssl_srv.c b/features/mbedtls/src/ssl_srv.c index fc0d2d7b42..4c528bb2e3 100644 --- a/features/mbedtls/src/ssl_srv.c +++ b/features/mbedtls/src/ssl_srv.c @@ -2588,35 +2588,40 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) * opaque DistinguishedName<1..2^16-1>; */ p += 2; -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_ca_chain != NULL ) - crt = ssl->handshake->sni_ca_chain; - else -#endif - crt = ssl->conf->ca_chain; total_dn_size = 0; - while( crt != NULL && crt->version != 0 ) + + if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED ) { - dn_size = crt->subject_raw.len; +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + if( ssl->handshake->sni_ca_chain != NULL ) + crt = ssl->handshake->sni_ca_chain; + else +#endif + crt = ssl->conf->ca_chain; - if( end < p || - (size_t)( end - p ) < dn_size || - (size_t)( end - p ) < 2 + dn_size ) + while( crt != NULL && crt->version != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); - break; + dn_size = crt->subject_raw.len; + + if( end < p || + (size_t)( end - p ) < dn_size || + (size_t)( end - p ) < 2 + dn_size ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) ); + break; + } + + *p++ = (unsigned char)( dn_size >> 8 ); + *p++ = (unsigned char)( dn_size ); + memcpy( p, crt->subject_raw.p, dn_size ); + p += dn_size; + + MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); + + total_dn_size += 2 + dn_size; + crt = crt->next; } - - *p++ = (unsigned char)( dn_size >> 8 ); - *p++ = (unsigned char)( dn_size ); - memcpy( p, crt->subject_raw.p, dn_size ); - p += dn_size; - - MBEDTLS_SSL_DEBUG_BUF( 3, "requested DN", p - dn_size, dn_size ); - - total_dn_size += 2 + dn_size; - crt = crt->next; } ssl->out_msglen = p - buf; diff --git a/features/mbedtls/src/ssl_tls.c b/features/mbedtls/src/ssl_tls.c index d9ab83291b..00a57ffb82 100644 --- a/features/mbedtls/src/ssl_tls.c +++ b/features/mbedtls/src/ssl_tls.c @@ -6050,6 +6050,14 @@ void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) } #endif +#if defined(MBEDTLS_SSL_SRV_C) +void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, + char cert_req_ca_list ) +{ + conf->cert_req_ca_list = cert_req_ca_list; +} +#endif + #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) { @@ -7232,6 +7240,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; #endif +#if defined(MBEDTLS_SSL_SRV_C) + conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; +#endif + #if defined(MBEDTLS_SSL_PROTO_DTLS) conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; diff --git a/features/mbedtls/src/threading.c b/features/mbedtls/src/threading.c index 83ec01a45f..55091e8dba 100644 --- a/features/mbedtls/src/threading.c +++ b/features/mbedtls/src/threading.c @@ -32,7 +32,7 @@ #if defined(MBEDTLS_THREADING_PTHREAD) static void threading_mutex_init_pthread( mbedtls_threading_mutex_t *mutex ) { - if( mutex == NULL || mutex->is_valid ) + if( mutex == NULL ) return; mutex->is_valid = pthread_mutex_init( &mutex->mutex, NULL ) == 0; @@ -113,6 +113,9 @@ void mbedtls_threading_set_alt( void (*mutex_init)( mbedtls_threading_mutex_t * mbedtls_mutex_init( &mbedtls_threading_readdir_mutex ); mbedtls_mutex_init( &mbedtls_threading_gmtime_mutex ); +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + mbedtls_mutex_init( &mbedtls_threading_ecp_mutex ); +#endif } /* @@ -122,6 +125,9 @@ void mbedtls_threading_free_alt( void ) { mbedtls_mutex_free( &mbedtls_threading_readdir_mutex ); mbedtls_mutex_free( &mbedtls_threading_gmtime_mutex ); +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + mbedtls_mutex_free( &mbedtls_threading_ecp_mutex ); +#endif } #endif /* MBEDTLS_THREADING_ALT */ @@ -133,5 +139,8 @@ void mbedtls_threading_free_alt( void ) #endif mbedtls_threading_mutex_t mbedtls_threading_readdir_mutex MUTEX_INIT; mbedtls_threading_mutex_t mbedtls_threading_gmtime_mutex MUTEX_INIT; +#if defined(MBEDTLS_ECP_INTERNAL_ALT) +mbedtls_threading_mutex_t mbedtls_threading_ecp_mutex MUTEX_INIT; +#endif #endif /* MBEDTLS_THREADING_C */ diff --git a/features/mbedtls/src/version_features.c b/features/mbedtls/src/version_features.c index e866e67a23..9f97c7bc3e 100644 --- a/features/mbedtls/src/version_features.c +++ b/features/mbedtls/src/version_features.c @@ -117,6 +117,9 @@ static const char *features[] = { #if defined(MBEDTLS_SHA512_ALT) "MBEDTLS_SHA512_ALT", #endif /* MBEDTLS_SHA512_ALT */ +#if defined(MBEDTLS_ECP_ALT) + "MBEDTLS_ECP_ALT", +#endif /* MBEDTLS_ECP_ALT */ #if defined(MBEDTLS_MD2_PROCESS_ALT) "MBEDTLS_MD2_PROCESS_ALT", #endif /* MBEDTLS_MD2_PROCESS_ALT */ @@ -159,6 +162,33 @@ static const char *features[] = { #if defined(MBEDTLS_AES_DECRYPT_ALT) "MBEDTLS_AES_DECRYPT_ALT", #endif /* MBEDTLS_AES_DECRYPT_ALT */ +#if defined(MBEDTLS_ECP_INTERNAL_ALT) + "MBEDTLS_ECP_INTERNAL_ALT", +#endif /* MBEDTLS_ECP_INTERNAL_ALT */ +#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) + "MBEDTLS_ECP_RANDOMIZE_JAC_ALT", +#endif /* MBEDTLS_ECP_RANDOMIZE_JAC_ALT */ +#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) + "MBEDTLS_ECP_ADD_MIXED_ALT", +#endif /* MBEDTLS_ECP_ADD_MIXED_ALT */ +#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) + "MBEDTLS_ECP_DOUBLE_JAC_ALT", +#endif /* MBEDTLS_ECP_DOUBLE_JAC_ALT */ +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) + "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT", +#endif /* MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT */ +#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) + "MBEDTLS_ECP_NORMALIZE_JAC_ALT", +#endif /* MBEDTLS_ECP_NORMALIZE_JAC_ALT */ +#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) + "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT", +#endif /* MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT */ +#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) + "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT", +#endif /* MBEDTLS_ECP_RANDOMIZE_MXZ_ALT */ +#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) + "MBEDTLS_ECP_NORMALIZE_MXZ_ALT", +#endif /* MBEDTLS_ECP_NORMALIZE_MXZ_ALT */ #if defined(MBEDTLS_TEST_NULL_ENTROPY) "MBEDTLS_TEST_NULL_ENTROPY", #endif /* MBEDTLS_TEST_NULL_ENTROPY */