Merge remote-tracking branch 'public/pr/2830' into baremetal

This commit is contained in:
Simon Butcher 2019-09-24 15:17:54 +01:00
commit 810ee06689
31 changed files with 499 additions and 121 deletions

137
ChangeLog
View file

@ -1,6 +1,6 @@
mbed TLS ChangeLog (Sorted per branch, date) mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx = mbed TLS "baremetal" branch
Features Features
* Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables * Add new configuration option MBEDTLS_SSL_NO_SESSION_CACHE that enables
@ -9,56 +9,6 @@ Features
* Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that * Add new configuration option MBEDTLS_SSL_NO_SESSION_RESUMPTION that
enables code size savings in configurations where no form of session enables code size savings in configurations where no form of session
resumption is used. resumption is used.
Bugfix
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Fix incompatibility of HMAC DRBG with Mbed TLS' own entropy module that
lead to HMAC DRBG seeding failure in configurations disabling SHA-512.
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix undefined memset(NULL) call in test_suite_nist_kw.
* Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
Changes
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
API Changes
* Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
disabled by default, which allows to parse and cache X.509 CRTs
on demand only, at the benefit of lower RAM usage. Enabling
this option breaks the structure API of X.509 in that most
fields of `mbedtls_x509_crt` are removed, but it keeps the
X.509 function API. See the API changes section as well as
the documentation in `config.h` for more information.
= mbed TLS 2.16.2 branch released 2019-06-11
Security
* Make mbedtls_ecdh_get_params return an error if the second key
belongs to a different group from the first. Before, if an application
passed keys that belonged to different group, the first key's data was
interpreted according to the second group, which could lead to either
an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key.
Features
* Add support for draft-05 of the Connection ID extension, as specified * Add support for draft-05 of the Connection ID extension, as specified
in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05. in https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05.
The Connection ID extension allows to keep DTLS connections beyond the The Connection ID extension allows to keep DTLS connections beyond the
@ -97,6 +47,89 @@ API Changes
always return NULL, and removes the peer_cert field from the always return NULL, and removes the peer_cert field from the
mbedtls_ssl_session structure which otherwise stores the peer's mbedtls_ssl_session structure which otherwise stores the peer's
certificate. certificate.
* Add a new compile-time option `MBEDTLS_X509_ON_DEMAND_PARSING`,
disabled by default, which allows to parse and cache X.509 CRTs
on demand only, at the benefit of lower RAM usage. Enabling
this option breaks the structure API of X.509 in that most
fields of `mbedtls_x509_crt` are removed, but it keeps the
X.509 function API. See the API changes section as well as
the documentation in `config.h` for more information.
Changes
* Reduce RAM consumption during session renegotiation by not storing
the peer CRT chain and session ticket twice.
= mbed TLS 2.16.3 branch released 2019-09-06
Security
* Fix a missing error detection in ECJPAKE. This could have caused a
predictable shared secret if a hardware accelerator failed and the other
side of the key exchange had a similar bug.
* The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to
implement blinding. Because of this for the same key and message the same
blinding value was generated. This reduced the effectiveness of the
countermeasure and leaked information about the private key through side
channels. Reported by Jack Lloyd.
* When writing a private EC key, use a constant size for the private
value, as specified in RFC 5915. Previously, the value was written
as an ASN.1 INTEGER, which caused the size of the key to leak
about 1 bit of information on average and could cause the value to be
1 byte too large for the output buffer.
API Changes
* The new function mbedtls_ecdsa_sign_det_ext() is similar to
mbedtls_ecdsa_sign_det() but allows passing an external RNG for the
purpose of blinding.
Bugfix
* Fix to allow building test suites with any warning that detects unused
functions. Fixes #1628.
* Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
* Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
* Fix Visual Studio Release x64 build configuration by inheriting
PlatformToolset from the project configuration. Fixes #1430 reported by
irwir.
* Enable Suite B with subset of ECP curves. Make sure the code compiles even
if some curves are not defined. Fixes #1591 reported by dbedev.
* Fix misuse of signed arithmetic in the HAVEGE module. #2598
* Fix incompatibility of HMAC DRBG with Mbed TLS' own entropy module that
lead to HMAC DRBG seeding failure in configurations disabling SHA-512.
* Update test certificates that were about to expire. Reported by
Bernhard M. Wiedemann in #2357.
* Fix the build on ARMv5TE in ARM mode to not use assembly instructions
that are only available in Thumb mode. Fix contributed by Aurelien Jarno
in #2169.
* Fix undefined memset(NULL) call in test_suite_nist_kw.
* Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
* Fix memory leak in in mpi_miller_rabin(). Contributed by
Jens Wiklander <jens.wiklander@linaro.org> in #2363
* Improve code clarity in x509_crt module, removing false-positive
uninitialized variable warnings on some recent toolchains (GCC8, etc).
Discovered and fixed by Andy Gross (Linaro), #2392.
* Zero length buffer check for undefined behavior in
mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.
* Fix bug in endianness conversion in bignum module. This lead to
functionally incorrect code on bigendian systems which don't have
__BYTE_ORDER__ defined. Reported by Brendan Shanks. Fixes #2622.
Changes
* Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h
suggests). #2671
* Make `make clean` clean all programs always. Fixes #1862.
= mbed TLS 2.16.2 branch released 2019-06-11
Security
* Make mbedtls_ecdh_get_params return an error if the second key
belongs to a different group from the first. Before, if an application
passed keys that belonged to different group, the first key's data was
interpreted according to the second group, which could lead to either
an error or a meaningless output from mbedtls_ecdh_get_params. In the
latter case, this could expose at most 5 bits of the private key.
Bugfix Bugfix
* Server's RSA certificate in certs.c was SHA-1 signed. In the default * Server's RSA certificate in certs.c was SHA-1 signed. In the default
@ -185,8 +218,6 @@ Bugfix
leading content octet. Fixes #1610. leading content octet. Fixes #1610.
Changes Changes
* Reduce RAM consumption during session renegotiation by not storing
the peer CRT chain and session ticket twice.
* Include configuration file in all header files that use configuration, * Include configuration file in all header files that use configuration,
instead of relying on other header files that they include. instead of relying on other header files that they include.
Inserted as an enhancement for #1371 Inserted as an enhancement for #1371

View file

@ -24,7 +24,7 @@
*/ */
/** /**
* @mainpage mbed TLS v2.16.2 source code documentation * @mainpage mbed TLS v2.16.3 source code documentation
* *
* This documentation describes the internal structure of mbed TLS. It was * This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in * automatically generated from specially formatted comment blocks in

View file

@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8
# identify the project. Note that if you do not use Doxywizard you need # identify the project. Note that if you do not use Doxywizard you need
# to put quotes around the project name if it contains spaces. # to put quotes around the project name if it contains spaces.
PROJECT_NAME = "mbed TLS v2.16.2" PROJECT_NAME = "mbed TLS v2.16.3"
# The PROJECT_NUMBER tag can be used to enter a project or revision number. # The PROJECT_NUMBER tag can be used to enter a project or revision number.
# This could be handy for archiving the generated documentation or # This could be handy for archiving the generated documentation or

View file

@ -158,7 +158,7 @@
#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites" #error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
#endif #endif
#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \ #if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \
!defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \
@ -169,7 +169,9 @@
!defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && \ !defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) ) !defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && \
!defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
#error "MBEDTLS_ECP_C defined, but not all prerequisites" #error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif #endif

View file

@ -440,6 +440,16 @@
* dependencies on them, and considering stronger message digests * dependencies on them, and considering stronger message digests
* and ciphers instead. * and ciphers instead.
* *
* \warning If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
* enabled, then the deterministic ECDH signature functions pass the
* the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
* alternative implementations should use the RNG only for generating
* the ephemeral key and nothing else. If this is not possible, then
* MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
* implementation should be provided for mbedtls_ecdsa_sign_det_ext()
* (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
* desirable).
*
*/ */
//#define MBEDTLS_MD2_PROCESS_ALT //#define MBEDTLS_MD2_PROCESS_ALT
//#define MBEDTLS_MD4_PROCESS_ALT //#define MBEDTLS_MD4_PROCESS_ALT

View file

@ -175,6 +175,19 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5. * 4.1.3, step 5.
* *
* \warning Since the output of the internal RNG is always the same for
* the same key and message, this limits the efficiency of
* blinding and leaks information through side channels. For
* secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
*
* (Optimally the blinding is a random value that is different
* on every execution. In this case the blinding is still
* random from the attackers perspective, but is the same on
* each execution. This means that this blinding does not
* prevent attackers from recovering secrets by combining
* several measurement traces, but may prevent some attacks
* that exploit relationships between secret data.)
*
* \see ecp.h * \see ecp.h
* *
* \param grp The context for the elliptic curve to use. * \param grp The context for the elliptic curve to use.
@ -200,6 +213,52 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
mbedtls_mpi *s, const mbedtls_mpi *d, mbedtls_mpi *s, const mbedtls_mpi *d,
const unsigned char *buf, size_t blen, const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg ); mbedtls_md_type_t md_alg );
/**
* \brief This function computes the ECDSA signature of a
* previously-hashed message, deterministic version.
*
* For more information, see <em>RFC-6979: Deterministic
* Usage of the Digital Signature Algorithm (DSA) and Elliptic
* Curve Digital Signature Algorithm (ECDSA)</em>.
*
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \see ecp.h
*
* \param grp The context for the elliptic curve to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param r The MPI context in which to store the first part
* the signature. This must be initialized.
* \param s The MPI context in which to store the second part
* the signature. This must be initialized.
* \param d The private signing key. This must be initialized
* and setup, for example through mbedtls_ecp_gen_privkey().
* \param buf The hashed content to be signed. This must be a readable
* buffer of length \p blen Bytes. It may be \c NULL if
* \p blen is zero.
* \param blen The length of \p buf in Bytes.
* \param md_alg The hash algorithm used to hash the original data.
* \param f_rng_blind The RNG function used for blinding. This must not be
* \c NULL.
* \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
* \c NULL if \p f_rng doesn't need a context parameter.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* error code on failure.
*/
int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
mbedtls_mpi *s, const mbedtls_mpi *d,
const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg,
int (*f_rng_blind)(void *, unsigned char *,
size_t),
void *p_rng_blind );
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
/** /**

View file

@ -7,22 +7,22 @@
* specified by RFC 5869. * specified by RFC 5869.
*/ */
/* /*
* Copyright (C) 2016-2018, ARM Limited, All Rights Reserved * Copyright (C) 2016-2019, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
* *
* Licensed under the Apache License, Version 2.0 (the "License"); you may * Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License. * not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
* *
* This file is part of mbed TLS (https://tls.mbed.org) * This file is part of mbed TLS (https://tls.mbed.org)
*/ */
#ifndef MBEDTLS_HKDF_H #ifndef MBEDTLS_HKDF_H
#define MBEDTLS_HKDF_H #define MBEDTLS_HKDF_H

View file

@ -435,6 +435,10 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options,
* *
* \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0. * \note For RSA, md_alg may be MBEDTLS_MD_NONE if hash_len != 0.
* For ECDSA, md_alg may never be MBEDTLS_MD_NONE. * For ECDSA, md_alg may never be MBEDTLS_MD_NONE.
*
* \note In order to ensure enough space for the signature, the
* \p sig buffer size must be of at least
* `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
*/ */
int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg, int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len, const unsigned char *hash, size_t hash_len,
@ -449,6 +453,10 @@ int mbedtls_pk_sign( mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
* \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC * \c mbedtls_ecp_set_max_ops() to reduce blocking for ECC
* operations. For RSA, same as \c mbedtls_pk_sign(). * operations. For RSA, same as \c mbedtls_pk_sign().
* *
* \note In order to ensure enough space for the signature, the
* \p sig buffer size must be of at least
* `max(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)` bytes.
*
* \param ctx The PK context to use. It must have been set up * \param ctx The PK context to use. It must have been set up
* with a private key. * with a private key.
* \param md_alg Hash algorithm used (see notes) * \param md_alg Hash algorithm used (see notes)

View file

@ -904,7 +904,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
* the size of the hash corresponding to \p md_alg. * the size of the hash corresponding to \p md_alg.
* \param sig The buffer to hold the signature. This must be a writable * \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. * for an 2048-bit RSA modulus. A buffer length of
* #MBEDTLS_MPI_MAX_SIZE is always safe.
* *
* \return \c 0 if the signing operation was successful. * \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@ -951,7 +952,8 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
* the size of the hash corresponding to \p md_alg. * the size of the hash corresponding to \p md_alg.
* \param sig The buffer to hold the signature. This must be a writable * \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. * for an 2048-bit RSA modulus. A buffer length of
* #MBEDTLS_MPI_MAX_SIZE is always safe.
* *
* \return \c 0 if the signing operation was successful. * \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
@ -1012,7 +1014,8 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
* the size of the hash corresponding to \p md_alg. * the size of the hash corresponding to \p md_alg.
* \param sig The buffer to hold the signature. This must be a writable * \param sig The buffer to hold the signature. This must be a writable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes * buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus. * for an 2048-bit RSA modulus. A buffer length of
* #MBEDTLS_MPI_MAX_SIZE is always safe.
* *
* \return \c 0 if the signing operation was successful. * \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.

View file

@ -40,16 +40,16 @@
*/ */
#define MBEDTLS_VERSION_MAJOR 2 #define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 16 #define MBEDTLS_VERSION_MINOR 16
#define MBEDTLS_VERSION_PATCH 2 #define MBEDTLS_VERSION_PATCH 3
/** /**
* The single version number has the following structure: * The single version number has the following structure:
* MMNNPP00 * MMNNPP00
* Major version | Minor version | Patch version * Major version | Minor version | Patch version
*/ */
#define MBEDTLS_VERSION_NUMBER 0x02100200 #define MBEDTLS_VERSION_NUMBER 0x02100300
#define MBEDTLS_VERSION_STRING "2.16.2" #define MBEDTLS_VERSION_STRING "2.16.3"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.2" #define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.16.3"
#if defined(MBEDTLS_VERSION_C) #if defined(MBEDTLS_VERSION_C)

View file

@ -166,15 +166,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY)
add_library(mbedcrypto SHARED ${src_crypto}) add_library(mbedcrypto SHARED ${src_crypto})
set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.2 SOVERSION 3) set_target_properties(mbedcrypto PROPERTIES VERSION 2.16.3 SOVERSION 3)
target_link_libraries(mbedcrypto ${libs}) target_link_libraries(mbedcrypto ${libs})
add_library(mbedx509 SHARED ${src_x509}) add_library(mbedx509 SHARED ${src_x509})
set_target_properties(mbedx509 PROPERTIES VERSION 2.16.2 SOVERSION 0) set_target_properties(mbedx509 PROPERTIES VERSION 2.16.3 SOVERSION 0)
target_link_libraries(mbedx509 ${libs} mbedcrypto) target_link_libraries(mbedx509 ${libs} mbedcrypto)
add_library(mbedtls SHARED ${src_tls}) add_library(mbedtls SHARED ${src_tls})
set_target_properties(mbedtls PROPERTIES VERSION 2.16.2 SOVERSION 12) set_target_properties(mbedtls PROPERTIES VERSION 2.16.3 SOVERSION 12)
target_link_libraries(mbedtls ${libs} mbedx509) target_link_libraries(mbedtls ${libs} mbedx509)
install(TARGETS mbedtls mbedx509 mbedcrypto install(TARGETS mbedtls mbedx509 mbedcrypto

View file

@ -742,10 +742,15 @@ cleanup:
static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x ) static mbedtls_mpi_uint mpi_uint_bigendian_to_host_c( mbedtls_mpi_uint x )
{ {
uint8_t i; uint8_t i;
unsigned char *x_ptr;
mbedtls_mpi_uint tmp = 0; mbedtls_mpi_uint tmp = 0;
/* This works regardless of the endianness. */
for( i = 0; i < ciL; i++, x >>= 8 ) for( i = 0, x_ptr = (unsigned char*) &x; i < ciL; i++, x_ptr++ )
tmp |= ( x & 0xFF ) << ( ( ciL - 1 - i ) << 3 ); {
tmp <<= CHAR_BIT;
tmp |= (mbedtls_mpi_uint) *x_ptr;
}
return( tmp ); return( tmp );
} }
@ -2351,7 +2356,8 @@ static int mpi_miller_rabin( const mbedtls_mpi *X, size_t rounds,
} }
if (count++ > 30) { if (count++ > 30) {
return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE; ret = MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
goto cleanup;
} }
} while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 || } while ( mbedtls_mpi_cmp_mpi( &A, &W ) >= 0 ||

View file

@ -254,6 +254,8 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
mbedtls_mpi *r, mbedtls_mpi *s, mbedtls_mpi *r, mbedtls_mpi *s,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen, const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
int (*f_rng_blind)(void *, unsigned char *, size_t),
void *p_rng_blind,
mbedtls_ecdsa_restart_ctx *rs_ctx ) mbedtls_ecdsa_restart_ctx *rs_ctx )
{ {
int ret, key_tries, sign_tries; int ret, key_tries, sign_tries;
@ -323,7 +325,9 @@ static int ecdsa_sign_restartable( mbedtls_ecp_group *grp,
mul: mul:
#endif #endif
MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G, MBEDTLS_MPI_CHK( mbedtls_ecp_mul_restartable( grp, &R, pk, &grp->G,
f_rng, p_rng, ECDSA_RS_ECP ) ); f_rng_blind,
p_rng_blind,
ECDSA_RS_ECP ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( pr, &R.X, &grp->N ) );
} }
while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 ); while( mbedtls_mpi_cmp_int( pr, 0 ) == 0 );
@ -349,7 +353,8 @@ modn:
* Generate a random value to blind inv_mod in next step, * Generate a random value to blind inv_mod in next step,
* avoiding a potential timing leak. * avoiding a potential timing leak.
*/ */
MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_ecp_gen_privkey( grp, &t, f_rng_blind,
p_rng_blind ) );
/* /*
* Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n * Step 6: compute s = (e + r * d) / k = t (e + rd) / (kt) mod n
@ -392,8 +397,9 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
ECDSA_VALIDATE_RET( f_rng != NULL ); ECDSA_VALIDATE_RET( f_rng != NULL );
ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
/* Use the same RNG for both blinding and ephemeral key generation */
return( ecdsa_sign_restartable( grp, r, s, d, buf, blen, return( ecdsa_sign_restartable( grp, r, s, d, buf, blen,
f_rng, p_rng, NULL ) ); f_rng, p_rng, f_rng, p_rng, NULL ) );
} }
#endif /* !MBEDTLS_ECDSA_SIGN_ALT */ #endif /* !MBEDTLS_ECDSA_SIGN_ALT */
@ -405,6 +411,8 @@ static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
mbedtls_mpi *r, mbedtls_mpi *s, mbedtls_mpi *r, mbedtls_mpi *s,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen, const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg, mbedtls_md_type_t md_alg,
int (*f_rng_blind)(void *, unsigned char *, size_t),
void *p_rng_blind,
mbedtls_ecdsa_restart_ctx *rs_ctx ) mbedtls_ecdsa_restart_ctx *rs_ctx )
{ {
int ret; int ret;
@ -454,8 +462,70 @@ sign:
ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen, ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng ); mbedtls_hmac_drbg_random, p_rng );
#else #else
ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen, if( f_rng_blind != NULL )
mbedtls_hmac_drbg_random, p_rng, rs_ctx ); ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng,
f_rng_blind, p_rng_blind, rs_ctx );
else
{
mbedtls_hmac_drbg_context *p_rng_blind_det;
#if !defined(MBEDTLS_ECP_RESTARTABLE)
/*
* To avoid reusing rng_ctx and risking incorrect behavior we seed a
* second HMAC-DRBG with the same seed. We also apply a label to avoid
* reusing the bits of the ephemeral key for blinding and eliminate the
* risk that they leak this way.
*/
const char* blind_label = "BLINDING CONTEXT";
mbedtls_hmac_drbg_context rng_ctx_blind;
mbedtls_hmac_drbg_init( &rng_ctx_blind );
p_rng_blind_det = &rng_ctx_blind;
mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
data, 2 * grp_len );
ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det,
(const unsigned char*) blind_label,
strlen( blind_label ) );
if( ret != 0 )
{
mbedtls_hmac_drbg_free( &rng_ctx_blind );
goto cleanup;
}
#else
/*
* In the case of restartable computations we would either need to store
* the second RNG in the restart context too or set it up at every
* restart. The first option would penalize the correct application of
* the function and the second would defeat the purpose of the
* restartable feature.
*
* Therefore in this case we reuse the original RNG. This comes with the
* price that the resulting signature might not be a valid deterministic
* ECDSA signature with a very low probability (same magnitude as
* successfully guessing the private key). However even then it is still
* a valid ECDSA signature.
*/
p_rng_blind_det = p_rng;
#endif /* MBEDTLS_ECP_RESTARTABLE */
/*
* Since the output of the RNGs is always the same for the same key and
* message, this limits the efficiency of blinding and leaks information
* through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
* won't be a valid value for f_rng_blind anymore. Therefore it should
* be checked by the caller and this branch and check can be removed.
*/
ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng,
mbedtls_hmac_drbg_random, p_rng_blind_det,
rs_ctx );
#if !defined(MBEDTLS_ECP_RESTARTABLE)
mbedtls_hmac_drbg_free( &rng_ctx_blind );
#endif
}
#endif /* MBEDTLS_ECDSA_SIGN_ALT */ #endif /* MBEDTLS_ECDSA_SIGN_ALT */
cleanup: cleanup:
@ -468,11 +538,12 @@ cleanup:
} }
/* /*
* Deterministic signature wrapper * Deterministic signature wrappers
*/ */
int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
const mbedtls_mpi *d, const unsigned char *buf, size_t blen, mbedtls_mpi *s, const mbedtls_mpi *d,
mbedtls_md_type_t md_alg ) const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg )
{ {
ECDSA_VALIDATE_RET( grp != NULL ); ECDSA_VALIDATE_RET( grp != NULL );
ECDSA_VALIDATE_RET( r != NULL ); ECDSA_VALIDATE_RET( r != NULL );
@ -480,7 +551,27 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi
ECDSA_VALIDATE_RET( d != NULL ); ECDSA_VALIDATE_RET( d != NULL );
ECDSA_VALIDATE_RET( buf != NULL || blen == 0 ); ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg, NULL ) ); return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
NULL, NULL, NULL ) );
}
int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
mbedtls_mpi *s, const mbedtls_mpi *d,
const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg,
int (*f_rng_blind)(void *, unsigned char *,
size_t),
void *p_rng_blind )
{
ECDSA_VALIDATE_RET( grp != NULL );
ECDSA_VALIDATE_RET( r != NULL );
ECDSA_VALIDATE_RET( s != NULL );
ECDSA_VALIDATE_RET( d != NULL );
ECDSA_VALIDATE_RET( buf != NULL || blen == 0 );
ECDSA_VALIDATE_RET( f_rng_blind != NULL );
return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
f_rng_blind, p_rng_blind, NULL ) );
} }
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@ -659,11 +750,9 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
mbedtls_mpi_init( &s ); mbedtls_mpi_init( &s );
#if defined(MBEDTLS_ECDSA_DETERMINISTIC) #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
(void) f_rng;
(void) p_rng;
MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d, MBEDTLS_MPI_CHK( ecdsa_sign_det_restartable( &ctx->grp, &r, &s, &ctx->d,
hash, hlen, md_alg, rs_ctx ) ); hash, hlen, md_alg, f_rng,
p_rng, rs_ctx ) );
#else #else
(void) md_alg; (void) md_alg;
@ -671,8 +760,10 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d, MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ctx->grp, &r, &s, &ctx->d,
hash, hlen, f_rng, p_rng ) ); hash, hlen, f_rng, p_rng ) );
#else #else
/* Use the same RNG for both blinding and ephemeral key generation */
MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d, MBEDTLS_MPI_CHK( ecdsa_sign_restartable( &ctx->grp, &r, &s, &ctx->d,
hash, hlen, f_rng, p_rng, rs_ctx ) ); hash, hlen, f_rng, p_rng, f_rng,
p_rng, rs_ctx ) );
#endif /* MBEDTLS_ECDSA_SIGN_ALT */ #endif /* MBEDTLS_ECDSA_SIGN_ALT */
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */

View file

@ -229,7 +229,7 @@ static int ecjpake_hash( mbedtls_md_handle_t md_info,
p += id_len; p += id_len;
/* Compute hash */ /* Compute hash */
mbedtls_md( md_info, buf, p - buf, hash ); MBEDTLS_MPI_CHK( mbedtls_md( md_info, buf, p - buf, hash ) );
/* Turn it into an integer mod n */ /* Turn it into an integer mod n */
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash, MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( h, hash,

View file

@ -38,7 +38,9 @@
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#endif #endif
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
#include "mbedtls/bignum.h"
#include "mbedtls/ecp.h" #include "mbedtls/ecp.h"
#include "mbedtls/platform_util.h"
#endif #endif
#if defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_ECDSA_C)
#include "mbedtls/ecdsa.h" #include "mbedtls/ecdsa.h"
@ -120,6 +122,9 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
return( (int) len ); return( (int) len );
} }
/*
* privateKey OCTET STRING -- always of length ceil(log2(n)/8)
*/
static int pk_write_ec_privkey( unsigned char **p, unsigned char *start, static int pk_write_ec_privkey( unsigned char **p, unsigned char *start,
mbedtls_pk_context const *key ) mbedtls_pk_context const *key )
{ {
@ -181,11 +186,25 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
return( (int) len ); return( (int) len );
} }
/*
* privateKey OCTET STRING -- always of length ceil(log2(n)/8)
*/
static int pk_write_ec_privkey( unsigned char **p, unsigned char *start, static int pk_write_ec_privkey( unsigned char **p, unsigned char *start,
mbedtls_pk_context const *key ) mbedtls_pk_context const *key )
{ {
int ret;
mbedtls_ecp_keypair const * const ec = mbedtls_pk_ec( *key ); mbedtls_ecp_keypair const * const ec = mbedtls_pk_ec( *key );
return( mbedtls_asn1_write_mpi( p, start, &ec->d ) ); size_t byte_length = ( ec->grp.pbits + 7 ) / 8;
unsigned char tmp[MBEDTLS_ECP_MAX_BYTES];
ret = mbedtls_mpi_write_binary( &ec->d, tmp, byte_length );
if( ret != 0 )
goto exit;
ret = mbedtls_asn1_write_octet_string( p, start, tmp, byte_length );
exit:
mbedtls_platform_zeroize( tmp, byte_length );
return( ret );
} }
/* /*
@ -209,6 +228,7 @@ static int pk_write_ec_param( unsigned char **p, unsigned char *start,
return( (int) len ); return( (int) len );
} }
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#endif /* MBEDTLS_USE_TINYCRYPT */ #endif /* MBEDTLS_USE_TINYCRYPT */
@ -423,9 +443,8 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_
MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) ); MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
len += par_len; len += par_len;
/* privateKey: write as MPI then fix tag */ /* privateKey */
MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_privkey( &c, buf, key ) ); MBEDTLS_ASN1_CHK_ADD( len, pk_write_ec_privkey( &c, buf, key ) );
*c = MBEDTLS_ASN1_OCTET_STRING;
/* version */ /* version */
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, 1 ) );

View file

@ -72,7 +72,10 @@ static void * (* const volatile memset_func)( void *, int, size_t ) = memset;
void mbedtls_platform_zeroize( void *buf, size_t len ) void mbedtls_platform_zeroize( void *buf, size_t len )
{ {
memset_func( buf, 0, len ); MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
if( len > 0 )
memset_func( buf, 0, len );
} }
#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */ #endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */

View file

@ -3054,15 +3054,13 @@ check_signature:
continue; continue;
} }
*r_parent = parent_crt;
*r_signature_is_good = signature_is_good;
break; break;
} }
if( parent_crt != NULL ) if( parent_crt == NULL )
{
*r_parent = parent_crt;
*r_signature_is_good = signature_is_good;
}
else
{ {
#if defined(MBEDTLS_HAVE_TIME_DATE) #if defined(MBEDTLS_HAVE_TIME_DATE)
*r_parent = fallback_parent; *r_parent = fallback_parent;

View file

@ -46,6 +46,16 @@
#include "mbedtls/pem.h" #include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */ #endif /* MBEDTLS_PEM_WRITE_C */
/*
* For the currently used signature algorithms the buffer to store any signature
* must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
*/
#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
#else
#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
#endif
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx ) void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
{ {
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) ); memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
@ -335,7 +345,7 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf,
size_t sig_oid_len = 0; size_t sig_oid_len = 0;
unsigned char *c, *c2; unsigned char *c, *c2;
unsigned char hash[64]; unsigned char hash[64];
unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; unsigned char sig[SIGNATURE_MAX_SIZE];
unsigned char tmp_buf[2048]; unsigned char tmp_buf[2048];
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len; size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0; size_t len = 0;

View file

@ -45,6 +45,16 @@
#include "mbedtls/pem.h" #include "mbedtls/pem.h"
#endif #endif
/*
* For the currently used signature algorithms the buffer to store any signature
* must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
*/
#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
#else
#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
#endif
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx ) void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
{ {
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) ); memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
@ -160,7 +170,7 @@ int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, s
size_t sig_oid_len = 0; size_t sig_oid_len = 0;
unsigned char *c, *c2; unsigned char *c, *c2;
unsigned char hash[64]; unsigned char hash[64];
unsigned char sig[MBEDTLS_MPI_MAX_SIZE]; unsigned char sig[SIGNATURE_MAX_SIZE];
unsigned char tmp_buf[2048]; unsigned char tmp_buf[2048];
size_t pub_len = 0, sig_and_oid_len = 0, sig_len; size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0; size_t len = 0;

View file

@ -61,6 +61,16 @@ int main( void )
#include <string.h> #include <string.h>
/*
* For the currently used signature algorithms the buffer to store any signature
* must be at least of size MAX(MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_MPI_MAX_SIZE)
*/
#if MBEDTLS_ECDSA_MAX_LEN > MBEDTLS_MPI_MAX_SIZE
#define SIGNATURE_MAX_SIZE MBEDTLS_ECDSA_MAX_LEN
#else
#define SIGNATURE_MAX_SIZE MBEDTLS_MPI_MAX_SIZE
#endif
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
FILE *f; FILE *f;
@ -70,7 +80,7 @@ int main( int argc, char *argv[] )
mbedtls_entropy_context entropy; mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ctr_drbg_context ctr_drbg;
unsigned char hash[32]; unsigned char hash[32];
unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; unsigned char buf[SIGNATURE_MAX_SIZE];
char filename[512]; char filename[512];
const char *pers = "mbedtls_pk_sign"; const char *pers = "mbedtls_pk_sign";
size_t olen = 0; size_t olen = 0;

View file

@ -840,6 +840,14 @@ all_final += ec_prv.pk8param.pem
# The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.' # The use of 'Server 1' in the DN is intentional here, as the DN is hardcoded in the x509_write test suite.'
###
### A generic SECP521R1 private key
###
secp521r1_prv.der:
$(OPENSSL) ecparam -genkey -name secp521r1 -noout -out secp521r1_prv.der
all_final += secp521r1_prv.der
################################################################ ################################################################
### Generate CSRs for X.509 write test suite ### Generate CSRs for X.509 write test suite
################################################################ ################################################################

View file

@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIIcex4mqXsQamUKTVf8vXmTAJrQvGjh5mXG8p9+OR4xAoAoGCCqGSM49
AwEHoUQDQgAEqJ2HQjPpc6fDwE/vSa6U35USXawkTo98y4U6NsAl+rOGuqMPEFXf
P1Srm/Jrzwa/RuppRL5kgyAsGJTUmwZEzQ==
-----END EC PRIVATE KEY-----

View file

@ -0,0 +1,7 @@
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIAOXdk7W+Hf5L7Hc9fKe44wmpaRNs5ERFTkv5CrlXv/Bu3y28M673q
vBNo7a/UE/6NNQHu2pQODEYFpMg6R34b5SigBwYFK4EEACOhgYkDgYYABAFUMHXV
KPA4vkMgq+pFgDoH96XoM517gF2GJFV6h2gLhykzIHL/otAyEpAStw7MBvbU0V21
ixB+hjqzO7Snxaj9mwB8g87OKxm5eGfsqvJNPdJ0RZ/EKy06Ukg6KThlhQeyrtIk
g5PTCrPnNszlffAy6/jCOe3Moi59g15H13sSzwfX6g==
-----END EC PRIVATE KEY-----

Binary file not shown.

View file

@ -590,6 +590,23 @@ component_check_doxygen_warnings () {
#### Build and test many configurations and targets #### Build and test many configurations and targets
################################################################ ################################################################
component_test_large_ecdsa_key_signature () {
SMALL_MPI_MAX_SIZE=136 # Small enough to interfere with the EC signatures
msg "build: cmake + MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE}, gcc, ASan" # ~ 1 min 50s
scripts/config.pl set MBEDTLS_MPI_MAX_SIZE $SMALL_MPI_MAX_SIZE
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
INEVITABLY_PRESENT_FILE=Makefile
SIGNATURE_FILE="${INEVITABLY_PRESENT_FILE}.sig" # Warning, this is rm -f'ed below
msg "test: pk_sign secp521r1_prv.der for MBEDTLS_MPI_MAX_SIZE=${SMALL_MPI_MAX_SIZE} (ASan build)" # ~ 5s
if_build_succeeded programs/pkey/pk_sign tests/data_files/secp521r1_prv.der $INEVITABLY_PRESENT_FILE
rm -f $SIGNATURE_FILE
}
component_test_default_out_of_box () { component_test_default_out_of_box () {
msg "build: make, default config (out-of-box)" # ~1min msg "build: make, default config (out-of-box)" # ~1min
make make

View file

@ -426,9 +426,9 @@ has_mem_err() {
fi fi
} }
# Wait for process $2 to be listening on port $1 # Wait for process $2 named $3 to be listening on port $1. Print error to $4.
if type lsof >/dev/null 2>/dev/null; then if type lsof >/dev/null 2>/dev/null; then
wait_server_start() { wait_app_start() {
START_TIME=$(date +%s) START_TIME=$(date +%s)
if [ "$DTLS" -eq 1 ]; then if [ "$DTLS" -eq 1 ]; then
proto=UDP proto=UDP
@ -438,8 +438,8 @@ if type lsof >/dev/null 2>/dev/null; then
# Make a tight loop, server normally takes less than 1s to start. # Make a tight loop, server normally takes less than 1s to start.
while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do while ! lsof -a -n -b -i "$proto:$1" -p "$2" >/dev/null 2>/dev/null; do
if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then if [ $(( $(date +%s) - $START_TIME )) -gt $DOG_DELAY ]; then
echo "SERVERSTART TIMEOUT" echo "$3 START TIMEOUT"
echo "SERVERSTART TIMEOUT" >> $SRV_OUT echo "$3 START TIMEOUT" >> $4
break break
fi fi
# Linux and *BSD support decimal arguments to sleep. On other # Linux and *BSD support decimal arguments to sleep. On other
@ -448,12 +448,22 @@ if type lsof >/dev/null 2>/dev/null; then
done done
} }
else else
echo "Warning: lsof not available, wait_server_start = sleep" echo "Warning: lsof not available, wait_app_start = sleep"
wait_server_start() { wait_app_start() {
sleep "$START_DELAY" sleep "$START_DELAY"
} }
fi fi
# Wait for server process $2 to be listening on port $1.
wait_server_start() {
wait_app_start $1 $2 "SERVER" $SRV_OUT
}
# Wait for proxy process $2 to be listening on port $1.
wait_proxy_start() {
wait_app_start $1 $2 "PROXY" $PXY_OUT
}
# Given the client or server debug output, parse the unix timestamp that is # Given the client or server debug output, parse the unix timestamp that is
# included in the first 4 bytes of the random bytes and check that it's within # included in the first 4 bytes of the random bytes and check that it's within
# acceptable bounds # acceptable bounds
@ -807,7 +817,7 @@ run_test() {
echo "$PXY_CMD" > $PXY_OUT echo "$PXY_CMD" > $PXY_OUT
$PXY_CMD >> $PXY_OUT 2>&1 & $PXY_CMD >> $PXY_OUT 2>&1 &
PXY_PID=$! PXY_PID=$!
# assume proxy starts faster than server wait_proxy_start "$PXY_PORT" "$PXY_PID"
fi fi
check_osrv_dtls check_osrv_dtls

View file

@ -74,6 +74,31 @@ void ecdsa_invalid_param( )
mbedtls_ecdsa_sign_det( &grp, &m, &m, &m, mbedtls_ecdsa_sign_det( &grp, &m, &m, &m,
NULL, sizeof( buf ), NULL, sizeof( buf ),
valid_md ) ); valid_md ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdsa_sign_det_ext( NULL, &m, &m, &m,
buf, sizeof( buf ),
valid_md,
rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdsa_sign_det_ext( &grp, NULL, &m, &m,
buf, sizeof( buf ),
valid_md,
rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdsa_sign_det_ext( &grp, &m, NULL, &m,
buf, sizeof( buf ),
valid_md,
rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, NULL,
buf, sizeof( buf ),
valid_md,
rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecdsa_sign_det_ext( &grp, &m, &m, &m,
NULL, sizeof( buf ),
valid_md,
rnd_std_rand, NULL ) );
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_ECDSA_DETERMINISTIC */
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA, TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
@ -330,6 +355,16 @@ void ecdsa_det_test_vectors( int id, char * d_str, int md_alg, char * msg,
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 ); TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 );
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 ); TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 );
mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );
mbedtls_mpi_init( &r ); mbedtls_mpi_init( &s );
TEST_ASSERT(
mbedtls_ecdsa_sign_det_ext( &grp, &r, &s, &d, hash, hlen,
md_alg, rnd_std_rand, NULL )
== 0 );
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &r, &r_check ) == 0 );
TEST_ASSERT( mbedtls_mpi_cmp_mpi( &s, &s_check ) == 0 );
exit: exit:
mbedtls_ecp_group_free( &grp ); mbedtls_ecp_group_free( &grp );
mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s ); mbedtls_mpi_free( &d ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s );

View file

@ -4,6 +4,9 @@ ecjpake_invalid_param:
ECJPAKE selftest ECJPAKE selftest
ecjpake_selftest: ecjpake_selftest:
ECJPAKE fail read corrupt MD
read_bad_md:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12"
ECJPAKE round one: client, valid ECJPAKE round one: client, valid
read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":0 read_round_one:MBEDTLS_ECJPAKE_CLIENT:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":0

View file

@ -236,6 +236,27 @@ void ecjpake_selftest( )
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
void read_bad_md( data_t *msg )
{
mbedtls_ecjpake_context corrupt_ctx;
const unsigned char * pw = NULL;
const size_t pw_len = 0;
int any_role = MBEDTLS_ECJPAKE_CLIENT;
mbedtls_ecjpake_init( &corrupt_ctx );
TEST_ASSERT( mbedtls_ecjpake_setup( &corrupt_ctx, any_role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
corrupt_ctx.md_info = MBEDTLS_MD_INVALID_HANDLE;
TEST_ASSERT( mbedtls_ecjpake_read_round_one( &corrupt_ctx, msg->x,
msg->len ) == MBEDTLS_ERR_MD_BAD_INPUT_DATA );
exit:
mbedtls_ecjpake_free( &corrupt_ctx );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */ /* BEGIN_CASE depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C */
void read_round_one( int role, data_t * msg, int ref_ret ) void read_round_one( int role, data_t * msg, int ref_ret )
{ {

View file

@ -38,10 +38,22 @@ Private key write check EC 256 bits (TinyCrypt)
depends_on:MBEDTLS_BASE64_C:MBEDTLS_USE_TINYCRYPT depends_on:MBEDTLS_BASE64_C:MBEDTLS_USE_TINYCRYPT
pk_write_key_check:"data_files/ec_256_prv.pem" pk_write_key_check:"data_files/ec_256_prv.pem"
Private key write check EC 256 bits (top bit set, legacy ECC)
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:!MBEDTLS_USE_TINYCRYPT
pk_write_key_check:"data_files/ec_256_long_prv.pem"
Private key write check EC 256 bits (top bit set, TinyCrypt)
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_USE_TINYCRYPT
pk_write_key_check:"data_files/ec_256_long_prv.pem"
Private key write check EC 521 bits Private key write check EC 521 bits
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED:!MBEDTLS_USE_TINYCRYPT depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED:!MBEDTLS_USE_TINYCRYPT
pk_write_key_check:"data_files/ec_521_prv.pem" pk_write_key_check:"data_files/ec_521_prv.pem"
Private key write check EC 521 bits (top byte is 0)
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_write_key_check:"data_files/ec_521_short_prv.pem"
Private key write check EC Brainpool 512 bits Private key write check EC Brainpool 512 bits
depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_BP512R1_ENABLED:!MBEDTLS_USE_TINYCRYPT depends_on:MBEDTLS_ECP_C:MBEDTLS_BASE64_C:MBEDTLS_ECP_DP_BP512R1_ENABLED:!MBEDTLS_USE_TINYCRYPT
pk_write_key_check:"data_files/ec_bp512_prv.pem" pk_write_key_check:"data_files/ec_bp512_prv.pem"

View file

@ -1,8 +1,8 @@
Check compiletime library version Check compiletime library version
check_compiletime_version:"2.16.2" check_compiletime_version:"2.16.3"
Check runtime library version Check runtime library version
check_runtime_version:"2.16.2" check_runtime_version:"2.16.3"
Check for MBEDTLS_VERSION_C Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0 check_feature:"MBEDTLS_VERSION_C":0