Merge remote-tracking branch 'public/pr/2835' into baremetal

Simon Butcher 2019-09-24 15:28:35 +01:00
commit 8d0684dd06
24 changed files with 1628 additions and 1129 deletions


@ -52,7 +52,9 @@
#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID MBEDTLS_MD_SHA256
#define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID MBEDTLS_SSL_HASH_SHA256
/* Harcoded options in abstraction layers */
#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
/* Key exchanges */
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED


@ -855,6 +855,37 @@
#undef MBEDTLS_HASHES_ENABLED
#endif /* MBEDTLS_MD_SINGLE_HASH */
/*
* Note: the dependency on TinyCrypt is reflected in several ways in the code:
*
* 1. We only define the various MBEDTLS_PK_INFO_{TYPE}_{FIELD} macros for
* TYPE == ECKEY, resolving to the TinyCrypt version.
* 2. In pk_init() and pk_free() we assume that zeroization is a proper way
* to init/free the context, which is true of mbedtls_uecc_keypair, but
* might not always hold otherwise (think hardware-accelerated ECP_ALT).
* 3. We rely on the fact that MBEDTLS_ECP_RESTARTABLE is disabled - code
* paths (and pk_info fields) that are guarded by this are currently not
* handled by the internal abstraction layers enabling PK_SINGLE_TYPE.
*
* If this dependency is ever removed, the above points need to be addressed
* in the code.
*/
#if defined(MBEDTLS_PK_SINGLE_TYPE) && !defined(MBEDTLS_USE_TINYCRYPT)
#error "MBEDTLS_PK_SINGLE_TYPE can only be used with MBEDTLS_USE_TINYCRYPT"
#endif
/* Note: code paths that depend on MBEDTLS_PK_RSA_ALT_SUPPORT are not ported
* to the internal abstraction layers that enable PK_SINGLE_TYPE. */
#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_PK_RSA_ALT_SUPPORT"
#endif
/* This is to avoid a situation where RSA is available, but not through the PK
* layer, which might surprise user code. */
#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_RSA_C)
#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_RSA_C"
#endif
#if defined(MBEDTLS_THREADING_ALT)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
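Review bot: Point 3 of the new comment says the single-type code relies on MBEDTLS_ECP_RESTARTABLE being disabled, but the checks added below it only reject a missing MBEDTLS_USE_TINYCRYPT, MBEDTLS_PK_RSA_ALT_SUPPORT and MBEDTLS_RSA_C. Unless another rule in this file already excludes that combination (not visible in the hunk), a build with both options could compile with restartable paths that the abstraction layer does not handle. A matching guard would make the assumption enforceable: `#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_ECP_RESTARTABLE)`, `#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_ECP_RESTARTABLE"`, `#endif`.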


@ -3850,6 +3850,17 @@
*/
//#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
/* Enable support for a single PK type in the PK layer.
*
* This is mainly intented to reduce code size on highly constrained system
* with large control over the set of algorithms they need to support. It will
* also reduce dynamic memory allocation.
*
* Currently this is only supported with EC keys in conjunction with the
* MBEDTLS_USE_TINYCRYPT option. Set this to MBEDTLS_PK_INFO_ECKEY to enable.
*/
//#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
/* \} SECTION: Compile-time SSL configuration */
/* Target and application specific configurations
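Review bot: The option text for MBEDTLS_PK_SINGLE_TYPE names only the MBEDTLS_USE_TINYCRYPT requirement, while the configuration checks added in this commit also reject MBEDTLS_RSA_C and MBEDTLS_PK_RSA_ALT_SUPPORT. I would add a sentence such as `Incompatible with MBEDTLS_RSA_C and MBEDTLS_PK_RSA_ALT_SUPPORT.` so that users learn this from the option's documentation rather than from an #error. The word "intented" in the same comment should read "intended".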


@ -49,6 +49,10 @@
#include "tinycrypt/ecc.h"
#endif
#if defined(MBEDTLS_PK_SINGLE_TYPE)
#include "pk_internal.h"
#endif
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
!defined(inline) && !defined(__cplusplus)
#define inline __inline
@ -126,16 +130,16 @@ typedef struct mbedtls_pk_debug_item
/**
* \brief Public key information and operations
*/
#if defined(MBEDTLS_PK_SINGLE_TYPE)
typedef enum {
MBEDTLS_PK_INVALID_HANDLE,
MBEDTLS_PK_UNIQUE_VALID_HANDLE,
} mbedtls_pk_handle_t;
#else /* MBEDTLS_PK_SINGLE_TYPE */
typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
/**
* \brief Public key container
*/
typedef struct mbedtls_pk_context
{
const mbedtls_pk_info_t * pk_info; /**< Public key information */
void * pk_ctx; /**< Underlying public key context */
} mbedtls_pk_context;
typedef const mbedtls_pk_info_t *mbedtls_pk_handle_t;
#define MBEDTLS_PK_INVALID_HANDLE ( (mbedtls_pk_handle_t) NULL )
#endif /* MBEDTLS_PK_SINGLE_TYPE */
#if defined(MBEDTLS_USE_TINYCRYPT)
typedef struct
@ -145,13 +149,29 @@ typedef struct
} mbedtls_uecc_keypair;
#endif
/**
* \brief Public key container
*/
typedef struct mbedtls_pk_context
{
#if defined(MBEDTLS_PK_SINGLE_TYPE)
/* This is an array to make access to it more uniform with the case where
* it's a pointer to void - either way it needs casting before use. */
unsigned char pk_ctx[sizeof(
MBEDTLS_PK_INFO_CONTEXT( MBEDTLS_PK_SINGLE_TYPE ) )];
#else
mbedtls_pk_handle_t pk_info; /**< Public key information */
void * pk_ctx; /**< Underlying public key context */
#endif
} mbedtls_pk_context;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/**
* \brief Context for resuming operations
*/
typedef struct
{
const mbedtls_pk_info_t * pk_info; /**< Public key information */
mbedtls_pk_handle_t pk_info; /**< Public key information */
void * rs_ctx; /**< Underlying restart context */
} mbedtls_pk_restart_ctx;
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
@ -173,11 +193,18 @@ static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk )
#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_USE_TINYCRYPT)
#if !defined(MBEDTLS_PK_SINGLE_TYPE)
static inline mbedtls_uecc_keypair *mbedtls_pk_uecc( const mbedtls_pk_context pk )
{
return( (mbedtls_uecc_keypair *) (pk).pk_ctx );
}
#else
/* Go with a macro in order to avoid making a copy of the struct (the argument
* is not a pointer so it's passed by value) and then returning an address
* inside that copy, which would be undefined behaviour. */
#define mbedtls_pk_uecc( pk ) ( (mbedtls_uecc_keypair *) (pk).pk_ctx )
#endif
#endif /* MBEDTLS_USE_TINYCRYPT */
#if defined(MBEDTLS_ECP_C)
/**
@ -213,7 +240,7 @@ typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx );
*
* \return The PK info associated with the type or NULL if not found.
*/
const mbedtls_pk_info_t *mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
mbedtls_pk_handle_t mbedtls_pk_info_from_type( mbedtls_pk_type_t pk_type );
/**
* \brief Initialize a #mbedtls_pk_context (as NONE).
@ -264,7 +291,7 @@ void mbedtls_pk_restart_free( mbedtls_pk_restart_ctx *ctx );
* \note For contexts holding an RSA-alt key, use
* \c mbedtls_pk_setup_rsa_alt() instead.
*/
int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
int mbedtls_pk_setup( mbedtls_pk_context *ctx, mbedtls_pk_handle_t info );
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/**
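Review bot: In the MBEDTLS_PK_SINGLE_TYPE branch of mbedtls_pk_context, `pk_ctx` is an `unsigned char` array with no alignment guarantee, yet the `mbedtls_pk_uecc( pk )` macro casts it to `mbedtls_uecc_keypair *`. That is safe only while the context type has an alignment requirement of 1 (the members of mbedtls_uecc_keypair are not visible in this hunk), and the object is still accessed through a type other than its declared one. Declaring the member with its real type, `MBEDTLS_PK_INFO_CONTEXT( MBEDTLS_PK_SINGLE_TYPE ) pk_ctx;`, and returning `&(pk).pk_ctx` from the accessor would remove both assumptions, provided the users in pk.c (diff suppressed on this page) allow it. Failing that, the comment above the array should state the alignment requirement that any future single PK type must meet.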


@ -33,6 +33,90 @@
#include "pk.h"
/*
* PK information macro definitions
*/
/*
* Each PK type that can be used with MBEDTLS_PK_SINGLE_TYPE needs to have
* the following MBEDTLS_PK_INFO_{FIELD} definitions, plus a dummy one for the
* base name. For now, only ECKEY with MBEDTLS_USE_TINYCRYPT is defined.
*
* For optional functions that are omitted, we need both the _FUNC field
* defined to NULL, and an extra macro _OMIT defined to 1.
*/
#if defined(MBEDTLS_USE_TINYCRYPT)
/* Dummy definition to keep check-names.sh happy - don't uncomment */
//#define MBEDTLS_PK_INFO_ECKEY
#define MBEDTLS_PK_INFO_ECKEY_CONTEXT mbedtls_uecc_keypair
#define MBEDTLS_PK_INFO_ECKEY_TYPE MBEDTLS_PK_ECKEY
#define MBEDTLS_PK_INFO_ECKEY_NAME "EC"
#define MBEDTLS_PK_INFO_ECKEY_GET_BITLEN uecc_eckey_get_bitlen
#define MBEDTLS_PK_INFO_ECKEY_CAN_DO uecc_eckey_can_do
#define MBEDTLS_PK_INFO_ECKEY_VERIFY_FUNC uecc_eckey_verify_wrap
#define MBEDTLS_PK_INFO_ECKEY_SIGN_FUNC uecc_eckey_sign_wrap
#define MBEDTLS_PK_INFO_ECKEY_DECRYPT_FUNC NULL
#define MBEDTLS_PK_INFO_ECKEY_DECRYPT_OMIT 1
#define MBEDTLS_PK_INFO_ECKEY_ENCRYPT_FUNC NULL
#define MBEDTLS_PK_INFO_ECKEY_ENCRYPT_OMIT 1
#define MBEDTLS_PK_INFO_ECKEY_CHECK_PAIR_FUNC uecc_eckey_check_pair
#define MBEDTLS_PK_INFO_ECKEY_CTX_ALLOC_FUNC uecc_eckey_alloc_wrap
#define MBEDTLS_PK_INFO_ECKEY_CTX_FREE_FUNC uecc_eckey_free_wrap
#define MBEDTLS_PK_INFO_ECKEY_DEBUG_FUNC NULL
#define MBEDTLS_PK_INFO_ECKEY_DEBUG_OMIT 1
#endif /* MBEDTLS_USE_TINYCRYPT */
/*
* Helper macros to extract fields from PK types
*/
#define MBEDTLS_PK_INFO_CONTEXT_T( PK ) PK ## _CONTEXT
#define MBEDTLS_PK_INFO_TYPE_T( PK ) PK ## _TYPE
#define MBEDTLS_PK_INFO_NAME_T( PK ) PK ## _NAME
#define MBEDTLS_PK_INFO_GET_BITLEN_T( PK ) PK ## _GET_BITLEN
#define MBEDTLS_PK_INFO_CAN_DO_T( PK ) PK ## _CAN_DO
#define MBEDTLS_PK_INFO_VERIFY_FUNC_T( PK ) PK ## _VERIFY_FUNC
#define MBEDTLS_PK_INFO_VERIFY_OMIT_T( PK ) PK ## _VERIFY_OMIT
#define MBEDTLS_PK_INFO_SIGN_FUNC_T( PK ) PK ## _SIGN_FUNC
#define MBEDTLS_PK_INFO_SIGN_OMIT_T( PK ) PK ## _SIGN_OMIT
#define MBEDTLS_PK_INFO_DECRYPT_FUNC_T( PK ) PK ## _DECRYPT_FUNC
#define MBEDTLS_PK_INFO_DECRYPT_OMIT_T( PK ) PK ## _DECRYPT_OMIT
#define MBEDTLS_PK_INFO_ENCRYPT_FUNC_T( PK ) PK ## _ENCRYPT_FUNC
#define MBEDTLS_PK_INFO_ENCRYPT_OMIT_T( PK ) PK ## _ENCRYPT_OMIT
#define MBEDTLS_PK_INFO_CHECK_PAIR_FUNC_T( PK ) PK ## _CHECK_PAIR_FUNC
#define MBEDTLS_PK_INFO_CHECK_PAIR_OMIT_T( PK ) PK ## _CHECK_PAIR_OMIT
#define MBEDTLS_PK_INFO_CTX_ALLOC_FUNC_T( PK ) PK ## _CTX_ALLOC_FUNC
#define MBEDTLS_PK_INFO_CTX_FREE_FUNC_T( PK ) PK ## _CTX_FREE_FUNC
#define MBEDTLS_PK_INFO_DEBUG_FUNC_T( PK ) PK ## _DEBUG_FUNC
#define MBEDTLS_PK_INFO_DEBUG_OMIT_T( PK ) PK ## _DEBUG_OMIT
/* Wrappers around MBEDTLS_PK_INFO_{FIELD}_T() which makes sure that
* the argument is macro-expanded before concatenated with the
* field name. This allows to call these macros as
* MBEDTLS_PK_INFO_{FIELD}( MBEDTLS_PK_SINGLE_TYPE ).
* where MBEDTLS_PK_SINGLE_TYPE expands to MBEDTLS_PK_INFO_{TYPE}. */
#define MBEDTLS_PK_INFO_CONTEXT( PK ) MBEDTLS_PK_INFO_CONTEXT_T( PK )
#define MBEDTLS_PK_INFO_TYPE( PK ) MBEDTLS_PK_INFO_TYPE_T( PK )
#define MBEDTLS_PK_INFO_NAME( PK ) MBEDTLS_PK_INFO_NAME_T( PK )
#define MBEDTLS_PK_INFO_GET_BITLEN( PK ) MBEDTLS_PK_INFO_GET_BITLEN_T( PK )
#define MBEDTLS_PK_INFO_CAN_DO( PK ) MBEDTLS_PK_INFO_CAN_DO_T( PK )
#define MBEDTLS_PK_INFO_VERIFY_FUNC( PK ) MBEDTLS_PK_INFO_VERIFY_FUNC_T( PK )
#define MBEDTLS_PK_INFO_VERIFY_OMIT( PK ) MBEDTLS_PK_INFO_VERIFY_OMIT_T( PK )
#define MBEDTLS_PK_INFO_SIGN_FUNC( PK ) MBEDTLS_PK_INFO_SIGN_FUNC_T( PK )
#define MBEDTLS_PK_INFO_SIGN_OMIT( PK ) MBEDTLS_PK_INFO_SIGN_OMIT_T( PK )
#define MBEDTLS_PK_INFO_DECRYPT_FUNC( PK ) MBEDTLS_PK_INFO_DECRYPT_FUNC_T( PK )
#define MBEDTLS_PK_INFO_DECRYPT_OMIT( PK ) MBEDTLS_PK_INFO_DECRYPT_OMIT_T( PK )
#define MBEDTLS_PK_INFO_ENCRYPT_FUNC( PK ) MBEDTLS_PK_INFO_ENCRYPT_FUNC_T( PK )
#define MBEDTLS_PK_INFO_ENCRYPT_OMIT( PK ) MBEDTLS_PK_INFO_ENCRYPT_OMIT_T( PK )
#define MBEDTLS_PK_INFO_CHECK_PAIR_FUNC( PK ) MBEDTLS_PK_INFO_CHECK_PAIR_FUNC_T( PK )
#define MBEDTLS_PK_INFO_CHECK_PAIR_OMIT( PK ) MBEDTLS_PK_INFO_CHECK_PAIR_OMIT_T( PK )
#define MBEDTLS_PK_INFO_CTX_ALLOC_FUNC( PK ) MBEDTLS_PK_INFO_CTX_ALLOC_FUNC_T( PK )
#define MBEDTLS_PK_INFO_CTX_FREE_FUNC( PK ) MBEDTLS_PK_INFO_CTX_FREE_FUNC_T( PK )
#define MBEDTLS_PK_INFO_DEBUG_FUNC( PK ) MBEDTLS_PK_INFO_DEBUG_FUNC_T( PK )
#define MBEDTLS_PK_INFO_DEBUG_OMIT( PK ) MBEDTLS_PK_INFO_DEBUG_OMIT_T( PK )
#if !defined(MBEDTLS_PK_SINGLE_TYPE)
struct mbedtls_pk_info_t
{
/** Public key type */
@ -41,18 +125,19 @@ struct mbedtls_pk_info_t
/** Type name */
const char *name;
/** Get key size in bits */
/** Get key size in bits (must be valid)*/
size_t (*get_bitlen)( const void * );
/** Tell if the context implements this type (e.g. ECKEY can do ECDSA) */
/** Tell if the context implements this type (e.g. ECKEY can do ECDSA)
* (must be valid) */
int (*can_do)( mbedtls_pk_type_t type );
/** Verify signature */
/** Verify signature (may be NULL) */
int (*verify_func)( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len );
/** Make signature */
/** Make signature (may be NULL)*/
int (*sign_func)( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
@ -60,13 +145,13 @@ struct mbedtls_pk_info_t
void *p_rng );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/** Verify signature (restartable) */
/** Verify signature (restartable) (may be NULL) */
int (*verify_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
const unsigned char *sig, size_t sig_len,
void *rs_ctx );
/** Make signature (restartable) */
/** Make signature (restartable) (may be NULL) */
int (*sign_rs_func)( void *ctx, mbedtls_md_type_t md_alg,
const unsigned char *hash, size_t hash_len,
unsigned char *sig, size_t *sig_len,
@ -74,39 +159,94 @@ struct mbedtls_pk_info_t
void *p_rng, void *rs_ctx );
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
/** Decrypt message */
/** Decrypt message (may be NULL) */
int (*decrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Encrypt message */
/** Encrypt message (may be NULL ) */
int (*encrypt_func)( void *ctx, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, size_t osize,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
/** Check public-private key pair */
/** Check public-private key pair (may be NULL) */
int (*check_pair_func)( const void *pub, const void *prv );
/** Allocate a new context */
/** Allocate a new context (must be valid) */
void * (*ctx_alloc_func)( void );
/** Free the given context */
/** Free the given context (must be valid) */
void (*ctx_free_func)( void *ctx );
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
/** Allocate the restart context */
/** Allocate the restart context (may be NULL)*/
void * (*rs_alloc_func)( void );
/** Free the restart context */
/** Free the restart context (may be NULL) */
void (*rs_free_func)( void *rs_ctx );
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
/** Interface with the debug module */
/** Interface with the debug module (may be NULL) */
void (*debug_func)( const void *ctx, mbedtls_pk_debug_item *items );
};
/**
* \brief This macro builds an instance of ::mbedtls_pk_info_t
* from an \c MBEDTLS_PK_INFO_{TYPE} identifier.
*/
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
#define MBEDTLS_PK_INFO( PK ) \
{ \
MBEDTLS_PK_INFO_TYPE( PK ), \
MBEDTLS_PK_INFO_NAME( PK ), \
MBEDTLS_PK_INFO_GET_BITLEN( PK ), \
MBEDTLS_PK_INFO_CAN_DO( PK ), \
MBEDTLS_PK_INFO_VERIFY_FUNC( PK ), \
MBEDTLS_PK_INFO_SIGN_FUNC( PK ), \
NULL, \
NULL, \
MBEDTLS_PK_INFO_DECRYPT_FUNC( PK ), \
MBEDTLS_PK_INFO_ENCRYPT_FUNC( PK ), \
MBEDTLS_PK_INFO_CHECK_PAIR_FUNC( PK ), \
MBEDTLS_PK_INFO_CTX_ALLOC_FUNC( PK ), \
MBEDTLS_PK_INFO_CTX_FREE_FUNC( PK ), \
NULL, \
NULL, \
MBEDTLS_PK_INFO_DEBUG_FUNC( PK ), \
}
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#define MBEDTLS_PK_INFO( PK ) \
{ \
MBEDTLS_PK_INFO_TYPE( PK ), \
MBEDTLS_PK_INFO_NAME( PK ), \
MBEDTLS_PK_INFO_GET_BITLEN( PK ), \
MBEDTLS_PK_INFO_CAN_DO( PK ), \
MBEDTLS_PK_INFO_VERIFY_FUNC( PK ), \
MBEDTLS_PK_INFO_SIGN_FUNC( PK ), \
MBEDTLS_PK_INFO_DECRYPT_FUNC( PK ), \
MBEDTLS_PK_INFO_ENCRYPT_FUNC( PK ), \
MBEDTLS_PK_INFO_CHECK_PAIR_FUNC( PK ), \
MBEDTLS_PK_INFO_CTX_ALLOC_FUNC( PK ), \
MBEDTLS_PK_INFO_CTX_FREE_FUNC( PK ), \
MBEDTLS_PK_INFO_DEBUG_FUNC( PK ), \
}
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
#endif /* MBEDTLS_PK_SINGLE_TYPE */
/*
* Macros to access pk_info
*/
#if defined(MBEDTLS_PK_SINGLE_TYPE)
#define MBEDTLS_PK_CTX_INFO( ctx ) MBEDTLS_PK_UNIQUE_VALID_HANDLE
#else
#define MBEDTLS_PK_CTX_INFO( ctx ) ( (ctx)->pk_info )
#endif
#define MBEDTLS_PK_CTX_IS_VALID( ctx ) \
( MBEDTLS_PK_CTX_INFO( (ctx) ) != MBEDTLS_PK_INVALID_HANDLE )
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/* Container for RSA-alt */
typedef struct
@ -118,6 +258,7 @@ typedef struct
} mbedtls_rsa_alt_context;
#endif
#if !defined(MBEDTLS_PK_SINGLE_TYPE)
#if defined(MBEDTLS_RSA_C)
extern const mbedtls_pk_info_t mbedtls_rsa_info;
#endif
@ -138,5 +279,6 @@ extern const mbedtls_pk_info_t mbedtls_uecc_eckey_info;
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
#endif
#endif /* MBEDTLS_PK_SINGLE_TYPE */
#endif /* MBEDTLS_PK_WRAP_H */
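Review bot: With MBEDTLS_PK_SINGLE_TYPE, `MBEDTLS_PK_CTX_INFO( ctx )` ignores its argument and always yields MBEDTLS_PK_UNIQUE_VALID_HANDLE, so `MBEDTLS_PK_CTX_IS_VALID( ctx )` is true for every context, including one that was only initialised or has already been freed. Code that relied on the NULL pk_info check to reject a context without a key gets no such protection in this configuration. The PK test suite in this commit compiles out the corresponding MBEDTLS_ERR_PK_BAD_INPUT_DATA assertions for single-type builds, which suggests the change in behaviour is known. It deserves a comment at the macro, for example `/* In single-type builds every context is reported valid; callers must track themselves whether a key has been loaded. */`. How pk.c treats such contexts cannot be checked here because its diff is suppressed.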


@ -382,9 +382,9 @@ struct mbedtls_ssl_sig_hash_set_t
*/
struct mbedtls_ssl_handshake_params
{
/*
* Handshake specific crypto variables
*/
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
uint8_t got_peer_pubkey; /*!< Did we store the peer's public key from its certificate? */
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned char verify_cookie_len; /*!< Cli: cookie length
Srv: flag for sending a cookie */
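Review bot: `got_peer_pubkey` now decides whether the two handshake hunks that replace the `peer_pubkey.pk_info != NULL` test use `handshake->peer_pubkey`, but the only write visible in this commit is `ssl->handshake->got_peer_pubkey = 1;` in ssl_remember_peer_pubkey(). Presumably the handshake structure is zeroed on initialisation so the flag starts at 0. It also has to be cleared wherever peer_pubkey is freed, otherwise a stale flag would direct those consumers to a released PK context. Neither place is shown in these hunks, so please confirm both, and extend the field comment to say who sets and who clears the flag. The struct definition continues outside the hunk.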


@ -44,7 +44,6 @@ set(src_crypto
padlock.c
pem.c
pk.c
pk_wrap.c
pkcs12.c
pkcs5.c
pkparse.c


@ -80,7 +80,7 @@ OBJS_CRYPTO= aes.o aesni.o arc4.o \
md4.o md5.o \
memory_buffer_alloc.o nist_kw.o \
oid.o padlock.o pem.o \
pk.o pk_wrap.o pkcs12.o \
pk.o pkcs12.o \
pkcs5.o pkparse.o pkwrite.o \
platform.o platform_util.o poly1305.o \
ripemd160.o rsa_internal.o rsa.o \

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -687,7 +687,7 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
size_t len;
mbedtls_asn1_buf alg_params;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
const mbedtls_pk_info_t *pk_info;
mbedtls_pk_handle_t pk_info;
PK_VALIDATE_RET( p != NULL );
PK_VALIDATE_RET( *p != NULL );
@ -712,7 +712,7 @@ int mbedtls_pk_parse_subpubkey( unsigned char **p, const unsigned char *end,
return( MBEDTLS_ERR_PK_INVALID_PUBKEY +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == MBEDTLS_PK_INVALID_HANDLE )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
@ -1150,7 +1150,7 @@ static int pk_parse_key_pkcs8_unencrypted_der(
unsigned char *p = (unsigned char *) key;
unsigned char *end = p + keylen;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
const mbedtls_pk_info_t *pk_info;
mbedtls_pk_handle_t pk_info;
/*
* This function parses the PrivateKeyInfo object (PKCS#8 v1.2 = RFC 5208)
@ -1192,7 +1192,7 @@ static int pk_parse_key_pkcs8_unencrypted_der(
return( MBEDTLS_ERR_PK_KEY_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_OUT_OF_DATA );
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == NULL )
if( ( pk_info = mbedtls_pk_info_from_type( pk_alg ) ) == MBEDTLS_PK_INVALID_HANDLE )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
if( ( ret = mbedtls_pk_setup( pk, pk_info ) ) != 0 )
@ -1374,7 +1374,7 @@ int mbedtls_pk_parse_key( mbedtls_pk_context *pk,
defined(MBEDTLS_PEM_PARSE_C)
int ret;
#endif
const mbedtls_pk_info_t *pk_info;
mbedtls_pk_handle_t pk_info;
#if defined(MBEDTLS_PEM_PARSE_C)
size_t len;
mbedtls_pem_context pem;
@ -1604,7 +1604,7 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
int ret;
unsigned char *p;
#if defined(MBEDTLS_RSA_C)
const mbedtls_pk_info_t *pk_info;
mbedtls_pk_handle_t pk_info;
#endif
#if defined(MBEDTLS_PEM_PARSE_C)
size_t len;
@ -1631,7 +1631,7 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
if( ret == 0 )
{
p = pem.buf;
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == MBEDTLS_PK_INVALID_HANDLE )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )
@ -1679,7 +1679,7 @@ int mbedtls_pk_parse_public_key( mbedtls_pk_context *ctx,
#endif /* MBEDTLS_PEM_PARSE_C */
#if defined(MBEDTLS_RSA_C)
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == NULL )
if( ( pk_info = mbedtls_pk_info_from_type( MBEDTLS_PK_RSA ) ) == MBEDTLS_PK_INVALID_HANDLE )
return( MBEDTLS_ERR_PK_UNKNOWN_PK_ALG );
if( ( ret = mbedtls_pk_setup( ctx, pk_info ) ) != 0 )


@ -543,9 +543,19 @@ int mbedtls_pk_write_key_der( mbedtls_pk_context *key, unsigned char *buf, size_
#else /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_USE_TINYCRYPT)
/* see above, replacing ECP_MAX_BYTES with 32 (256-bit) */
#define ECP_PUB_DER_MAX_BYTES 30 + 2 * 32
#define ECP_PRV_DER_MAX_BYTES 29 + 3 * 32
#else /* MBEDTLS_USE_TINYCRYPT */
#define ECP_PUB_DER_MAX_BYTES 0
#define ECP_PRV_DER_MAX_BYTES 0
#endif /* MBEDTLS_USE_TINYCRYPT */
#endif /* MBEDTLS_ECP_C */
#define PUB_DER_MAX_BYTES RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
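Review bot: The TinyCrypt values `30 + 2 * 32` and `29 + 3 * 32` are defined without parentheses, so they evaluate as intended only where the surrounding expression binds less tightly than `+`, as in the comparison inside PUB_DER_MAX_BYTES. These macros appear to bound the DER output size, so a later use in a product or a subtraction would silently give a wrong buffer size. I would write `#define ECP_PUB_DER_MAX_BYTES ( 30 + 2 * 32 )` and `#define ECP_PRV_DER_MAX_BYTES ( 29 + 3 * 32 )`. The PUB_DER_MAX_BYTES definition is cut off at the end of the hunk.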


@ -2379,11 +2379,7 @@ static int ssl_rsa_encrypt_partial_pms( mbedtls_ssl_context *ssl,
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* Because the peer CRT pubkey is embedded into the handshake
* params currently, and there's no 'is_init' functions for PK
* contexts, we need to break the abstraction and peek into
* the PK context to see if it has been initialized. */
if( ssl->handshake->peer_pubkey.pk_info != NULL )
if( ssl->handshake->got_peer_pubkey )
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert != NULL )


@ -4454,15 +4454,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
/* Skip if we haven't received a certificate from the client.
* If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is set, this can be
* inferred from the setting of mbedtls_ssl_session::peer_cert.
* If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is not set, it can
* be inferred from whether we've held back the peer CRT's
* public key in mbedtls_ssl_handshake_params::peer_pubkey. */
* If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is not set, it is tracked in a
* specific variable. */
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* Because the peer CRT pubkey is embedded into the handshake
* params currently, and there's no 'is_init' functions for PK
* contexts, we need to break the abstraction and peek into
* the PK context to see if it has been initialized. */
if( ssl->handshake->peer_pubkey.pk_info != NULL )
if( ssl->handshake->got_peer_pubkey )
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert != NULL )


@ -7357,6 +7357,7 @@ static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
ssl->handshake->got_peer_pubkey = 1;
return( 0 );
}
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */


@ -39,6 +39,7 @@
#if defined(MBEDTLS_PK_WRITE_C) && defined(MBEDTLS_FS_IO)
#include "mbedtls/error.h"
#include "mbedtls/pk.h"
#include "mbedtls/bignum.h"
#include "mbedtls/error.h"
#include <stdio.h>


@ -56,6 +56,7 @@ int main( void )
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/pk.h"
#include "mbedtls/bignum.h"
#include <stdio.h>
#include <string.h>


@ -52,6 +52,7 @@ int main( void )
#include "mbedtls/error.h"
#include "mbedtls/md.h"
#include "mbedtls/pk.h"
#include "mbedtls/bignum.h"
#include <stdio.h>
#include <string.h>


@ -2922,6 +2922,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_MD_SINGLE_HASH */
#if defined(MBEDTLS_PK_SINGLE_TYPE)
if( strcmp( "MBEDTLS_PK_SINGLE_TYPE", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_PK_SINGLE_TYPE );
return( 0 );
}
#endif /* MBEDTLS_PK_SINGLE_TYPE */
/* If the symbol is not found, return an error */
return( 1 );
}


@ -1511,6 +1511,47 @@ component_test_default_tinycrypt_without_legacy_ecc () {
if_build_succeeded tests/compat.sh -f 'ECDHE-ECDSA\|ECDHE-PSK\|ECDH-ECDSA'
}
component_test_hardcoded_pk_type () {
msg "build: default config + single PK type harcoded (tinycrypt)"
# need to enable tinycrypt first - copied from tinycrypt component
scripts/config.pl set MBEDTLS_USE_TINYCRYPT
scripts/config.pl set MBEDTLS_SSL_CONF_RNG rng_wrap
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_UECC_GRP_ID MBEDTLS_UECC_DP_SECP256R1
scripts/config.pl unset MBEDTLS_ECP_C
scripts/config.pl unset MBEDTLS_ECDH_C
scripts/config.pl unset MBEDTLS_ECDSA_C
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP192R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP224R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP256R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP384R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP521R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP256R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP384R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_BP512R1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP192K1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP224K1_ENABLED
scripts/config.pl unset MBEDTLS_ECP_DP_SECP256K1_ENABLED
# now single-PK specific configs
scripts/config.pl set MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
scripts/config.pl unset MBEDTLS_PK_RSA_ALT_SUPPORT
scripts/config.pl unset MBEDTLS_RSA_C
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
scripts/config.pl unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
make CFLAGS='-Werror -O1'
msg "test: default config + single PK type harcoded (tinycrypt)"
make test
if_build_succeeded tests/ssl-opt.sh -f '^Default, DTLS$'
}
component_test_baremetal () {
msg "build: lib+test+programs for baremetal.h + baremetal_test.h"
record_status scripts/baremetal.sh --ram --build-only


@ -95,9 +95,11 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
void valid_parameters( )
{
mbedtls_pk_context pk;
#if !defined(MBEDTLS_PK_SINGLE_TYPE)
unsigned char buf[1];
size_t len;
void *options = NULL;
#endif
mbedtls_pk_init( &pk );
@ -107,7 +109,7 @@ void valid_parameters( )
TEST_VALID_PARAM( mbedtls_pk_restart_free( NULL ) );
#endif
TEST_ASSERT( mbedtls_pk_setup( &pk, NULL ) ==
TEST_ASSERT( mbedtls_pk_setup( &pk, MBEDTLS_PK_INVALID_HANDLE ) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA );
/* In informational functions, we accept NULL where a context pointer
@ -118,6 +120,7 @@ void valid_parameters( )
TEST_ASSERT( mbedtls_pk_get_len( NULL ) == 0 );
TEST_ASSERT( mbedtls_pk_can_do( NULL, MBEDTLS_PK_NONE ) == 0 );
#if !defined(MBEDTLS_PK_SINGLE_TYPE)
TEST_ASSERT( mbedtls_pk_sign_restartable( &pk,
MBEDTLS_MD_NONE,
NULL, 0,
@ -172,6 +175,7 @@ void valid_parameters( )
NULL, &len, 0,
rnd_std_rand, NULL ) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA );
#endif /* MBEDTLS_PK_SINGLE_TYPE */
#if defined(MBEDTLS_PK_PARSE_C)
TEST_ASSERT( mbedtls_pk_parse_key( &pk, NULL, 0, NULL, 1 ) ==


@ -67,19 +67,19 @@ depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:1:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":0
Certificate write check Server1 SHA1, RSA_ALT
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C:MBEDTLS_PK_RSA_ALT_SUPPORT
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:0:-1:"data_files/server1.noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, key_usage
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C:MBEDTLS_PK_RSA_ALT_SUPPORT
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:0:0:0:-1:"data_files/server1.key_usage_noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, ns_cert_type
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C:MBEDTLS_PK_RSA_ALT_SUPPORT
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0:-1:"data_files/server1.cert_type_noauthid.crt":1
Certificate write check Server1 SHA1, RSA_ALT, version 1
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C
depends_on:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_DES_C:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_MD5_C:MBEDTLS_PK_RSA_ALT_SUPPORT
x509_crt_check:"data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"data_files/test-ca.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"1":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:0:0:0:MBEDTLS_X509_CRT_VERSION_1:"data_files/server1.v1.crt":1


@ -134,7 +134,7 @@ void x509_crt_check( char *subject_key_file, char *subject_pwd,
TEST_ASSERT( mbedtls_pk_parse_keyfile( &issuer_key, issuer_key_file,
issuer_pwd ) == 0 );
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
/* For RSA PK contexts, create a copy as an alternative RSA context. */
if( rsa_alt == 1 && mbedtls_pk_get_type( &issuer_key ) == MBEDTLS_PK_RSA )
{


@ -271,7 +271,6 @@
<ClCompile Include="..\..\library\padlock.c" />
<ClCompile Include="..\..\library\pem.c" />
<ClCompile Include="..\..\library\pk.c" />
<ClCompile Include="..\..\library\pk_wrap.c" />
<ClCompile Include="..\..\library\pkcs11.c" />
<ClCompile Include="..\..\library\pkcs12.c" />
<ClCompile Include="..\..\library\pkcs5.c" />