Merge branch 'development-restricted' into mbedtls-2.25.0r0-pr

This commit is contained in:
Janos Follath 2020-12-08 20:59:45 +00:00
commit a946dcf8b2
27 changed files with 1602 additions and 642 deletions

View file

@ -0,0 +1,23 @@
API changes
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() no longer accept NIST_KW contexts,
as they have no way to check if the output buffer is large enough.
Please use mbedtls_cipher_auth_encrypt_ext() and
mbedtls_cipher_auth_decrypt_ext() instead. Credit to OSS-Fuzz and
Cryptofuzz. Fixes #3665.
Security
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() would write past the minimum documented
size of the output buffer when used with NIST_KW. As a result, code using
those functions as documented with NIST_KW could have a buffer overwrite
of up to 15 bytes, with consequences ranging up to arbitrary code
execution depending on the location of the output buffer.
New deprecations
* The functions mbedtls_cipher_auth_encrypt() and
mbedtls_cipher_auth_decrypt() are deprecated in favour of the new
functions mbedtls_cipher_auth_encrypt_ext() and
mbedtls_cipher_auth_decrypt_ext(). Please note that with AEAD ciphers,
these new functions always append the tag to the ciphertext, and include
the tag in the ciphertext length.

View file

@ -0,0 +1,4 @@
Security
* Limit the size of calculations performed by mbedtls_mpi_exp_mod to
MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when
generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.

View file

@ -0,0 +1,8 @@
Security
* A failure of the random generator was ignored in mbedtls_mpi_fill_random(),
which is how most uses of randomization in asymmetric cryptography
(including key generation, intermediate value randomization and blinding)
are implemented. This could cause failures or the silent use of non-random
values. A random generator can fail if it needs reseeding and cannot not
obtain entropy, or due to an internal failure (which, for Mbed TLS's own
CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).

View file

@ -0,0 +1,11 @@
Security
* Fix a compliance issue whereby we were not checking the tag on the
algorithm parameters (only the size) when comparing the signature in the
description part of the cert to the real signature. This meant that a
NULL algorithm parameters entry would look identical to an array of REAL
(size zero) to the library and thus the certificate would be considered
valid. However, if the parameters do not match in *any* way then the
certificate should be considered invalid, and indeed OpenSSL marks these
certs as invalid when mbedtls did not.
Many thanks to guidovranken who found this issue via differential fuzzing
and reported it in #3629.

View file

@ -0,0 +1,6 @@
Security
* Zeroising of local buffers and variables which are used for calculations
in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(),
mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process()
functions to erase sensitive data from memory. Reported by
Johan Malmgren and Johan Uppman Bruce from Sectra.

View file

@ -857,30 +857,52 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
unsigned char *output, size_t *olen ); unsigned char *output, size_t *olen );
#if defined(MBEDTLS_CIPHER_MODE_AEAD) #if defined(MBEDTLS_CIPHER_MODE_AEAD)
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_WARNING */
/** /**
* \brief The generic autenticated encryption (AEAD) function. * \brief The generic authenticated encryption (AEAD) function.
*
* \deprecated Superseded by mbedtls_cipher_auth_encrypt_ext().
*
* \note This function only supports AEAD algorithms, not key
* wrapping algorithms such as NIST_KW; for this, see
* mbedtls_cipher_auth_encrypt_ext().
* *
* \param ctx The generic cipher context. This must be initialized and * \param ctx The generic cipher context. This must be initialized and
* bound to a key. * bound to a key associated with an AEAD algorithm.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. * \param iv The nonce to use. This must be a readable buffer of
* This must be a readable buffer of at least \p iv_len * at least \p iv_len Bytes and must not be \c NULL.
* Bytes. * \param iv_len The length of the nonce. This must satisfy the
* \param iv_len The IV length for ciphers with variable-size IV. * constraints imposed by the AEAD cipher used.
* This parameter is discarded by ciphers with fixed-size IV.
* \param ad The additional data to authenticate. This must be a * \param ad The additional data to authenticate. This must be a
* readable buffer of at least \p ad_len Bytes. * readable buffer of at least \p ad_len Bytes, and may
* be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad. * \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a * \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes. * readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data. * \param ilen The length of the input data.
* \param output The buffer for the output data. This must be able to * \param output The buffer for the output data. This must be a
* hold at least \p ilen Bytes. * writable buffer of at least \p ilen Bytes, and must
* \param olen The length of the output data, to be updated with the * not be \c NULL.
* actual number of Bytes written. This must not be * \param olen This will be filled with the actual number of Bytes
* \c NULL. * written to the \p output buffer. This must point to a
* writable object of type \c size_t.
* \param tag The buffer for the authentication tag. This must be a * \param tag The buffer for the authentication tag. This must be a
* writable buffer of at least \p tag_len Bytes. * writable buffer of at least \p tag_len Bytes. See note
* \param tag_len The desired length of the authentication tag. * below regarding restrictions with PSA-based contexts.
* \param tag_len The desired length of the authentication tag. This
* must match the constraints imposed by the AEAD cipher
* used, and in particular must not be \c 0.
*
* \note If the context is based on PSA (that is, it was set up
* with mbedtls_cipher_setup_psa()), then it is required
* that \c tag == output + ilen. That is, the tag must be
* appended to the ciphertext as recommended by RFC 5116.
* *
* \return \c 0 on success. * \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@ -892,36 +914,53 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len, const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len ); unsigned char *tag, size_t tag_len )
MBEDTLS_DEPRECATED;
/** /**
* \brief The generic autenticated decryption (AEAD) function. * \brief The generic authenticated decryption (AEAD) function.
*
* \deprecated Superseded by mbedtls_cipher_auth_decrypt_ext().
*
* \note This function only supports AEAD algorithms, not key
* wrapping algorithms such as NIST_KW; for this, see
* mbedtls_cipher_auth_decrypt_ext().
* *
* \note If the data is not authentic, then the output buffer * \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being * is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer. * used, making this interface safer.
* *
* \param ctx The generic cipher context. This must be initialized and * \param ctx The generic cipher context. This must be initialized and
* and bound to a key. * bound to a key associated with an AEAD algorithm.
* \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. * \param iv The nonce to use. This must be a readable buffer of
* This must be a readable buffer of at least \p iv_len * at least \p iv_len Bytes and must not be \c NULL.
* Bytes. * \param iv_len The length of the nonce. This must satisfy the
* \param iv_len The IV length for ciphers with variable-size IV. * constraints imposed by the AEAD cipher used.
* This parameter is discarded by ciphers with fixed-size IV. * \param ad The additional data to authenticate. This must be a
* \param ad The additional data to be authenticated. This must be a * readable buffer of at least \p ad_len Bytes, and may
* readable buffer of at least \p ad_len Bytes. * be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad. * \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a * \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes. * readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data. * \param ilen The length of the input data.
* \param output The buffer for the output data. * \param output The buffer for the output data. This must be a
* This must be able to hold at least \p ilen Bytes. * writable buffer of at least \p ilen Bytes, and must
* \param olen The length of the output data, to be updated with the * not be \c NULL.
* actual number of Bytes written. This must not be * \param olen This will be filled with the actual number of Bytes
* \c NULL. * written to the \p output buffer. This must point to a
* \param tag The buffer holding the authentication tag. This must be * writable object of type \c size_t.
* a readable buffer of at least \p tag_len Bytes. * \param tag The buffer for the authentication tag. This must be a
* \param tag_len The length of the authentication tag. * readable buffer of at least \p tag_len Bytes. See note
* below regarding restrictions with PSA-based contexts.
* \param tag_len The length of the authentication tag. This must match
* the constraints imposed by the AEAD cipher used, and in
* particular must not be \c 0.
*
* \note If the context is based on PSA (that is, it was set up
* with mbedtls_cipher_setup_psa()), then it is required
* that \c tag == input + len. That is, the tag must be
* appended to the ciphertext as recommended by RFC 5116.
* *
* \return \c 0 on success. * \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on * \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
@ -934,9 +973,120 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *ad, size_t ad_len, const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len ); const unsigned char *tag, size_t tag_len )
MBEDTLS_DEPRECATED;
#undef MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_CIPHER_MODE_AEAD */ #endif /* MBEDTLS_CIPHER_MODE_AEAD */
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
/**
* \brief The authenticated encryption (AEAD/NIST_KW) function.
*
* \note For AEAD modes, the tag will be appended to the
* ciphertext, as recommended by RFC 5116.
* (NIST_KW doesn't have a separate tag.)
*
* \param ctx The generic cipher context. This must be initialized and
* bound to a key, with an AEAD algorithm or NIST_KW.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and may be \c NULL if \p
* iv_len is \c 0.
* \param iv_len The length of the nonce. For AEAD ciphers, this must
* satisfy the constraints imposed by the cipher used.
* For NIST_KW, this must be \c 0.
* \param ad The additional data to authenticate. This must be a
* readable buffer of at least \p ad_len Bytes, and may
* be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
* \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data.
* \param output The buffer for the output data. This must be a
* writable buffer of at least \p output_len Bytes, and
* must not be \c NULL.
* \param output_len The length of the \p output buffer in Bytes. For AEAD
* ciphers, this must be at least \p ilen + \p tag_len.
* For NIST_KW, this must be at least \p ilen + 8
* (rounded up to a multiple of 8 if KWP is used);
* \p ilen + 15 is always a safe value.
* \param olen This will be filled with the actual number of Bytes
* written to the \p output buffer. This must point to a
* writable object of type \c size_t.
* \param tag_len The desired length of the authentication tag. For AEAD
* ciphers, this must match the constraints imposed by
* the cipher used, and in particular must not be \c 0.
* For NIST_KW, this must be \c 0.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* parameter-verification failure.
* \return A cipher-specific error code on failure.
*/
int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t output_len,
size_t *olen, size_t tag_len );
/**
* \brief The authenticated encryption (AEAD/NIST_KW) function.
*
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
* \note For AEAD modes, the tag must be appended to the
* ciphertext, as recommended by RFC 5116.
* (NIST_KW doesn't have a separate tag.)
*
* \param ctx The generic cipher context. This must be initialized and
* bound to a key, with an AEAD algorithm or NIST_KW.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and may be \c NULL if \p
* iv_len is \c 0.
* \param iv_len The length of the nonce. For AEAD ciphers, this must
* satisfy the constraints imposed by the cipher used.
* For NIST_KW, this must be \c 0.
* \param ad The additional data to authenticate. This must be a
* readable buffer of at least \p ad_len Bytes, and may
* be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad. For NIST_KW, this must be \c 0.
* \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data. For AEAD ciphers this
* must be at least \p tag_len. For NIST_KW this must be
* at least \c 8.
* \param output The buffer for the output data. This must be a
* writable buffer of at least \p output_len Bytes, and
* may be \c NULL if \p output_len is \c 0.
* \param output_len The length of the \p output buffer in Bytes. For AEAD
* ciphers, this must be at least \p ilen - \p tag_len.
* For NIST_KW, this must be at least \p ilen - 8.
* \param olen This will be filled with the actual number of Bytes
* written to the \p output buffer. This must point to a
* writable object of type \c size_t.
* \param tag_len The actual length of the authentication tag. For AEAD
* ciphers, this must match the constraints imposed by
* the cipher used, and in particular must not be \c 0.
* For NIST_KW, this must be \c 0.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* parameter-verification failure.
* \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
* \return A cipher-specific error code on failure.
*/
int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t output_len,
size_t *olen, size_t tag_len );
#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

View file

@ -2118,6 +2118,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
if( mbedtls_mpi_cmp_int( E, 0 ) < 0 ) if( mbedtls_mpi_cmp_int( E, 0 ) < 0 )
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
if( mbedtls_mpi_bitlen( E ) > MBEDTLS_MPI_MAX_BITS ||
mbedtls_mpi_bitlen( N ) > MBEDTLS_MPI_MAX_BITS )
return ( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
/* /*
* Init temps and window size * Init temps and window size
*/ */
@ -2394,7 +2398,7 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
Xp = (unsigned char*) X->p; Xp = (unsigned char*) X->p;
f_rng( p_rng, Xp + overhead, size ); MBEDTLS_MPI_CHK( f_rng( p_rng, Xp + overhead, size ) );
mpi_bigendian_to_host( X->p, limbs ); mpi_bigendian_to_host( X->p, limbs );

View file

@ -1288,23 +1288,16 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
#if defined(MBEDTLS_CIPHER_MODE_AEAD) #if defined(MBEDTLS_CIPHER_MODE_AEAD)
/* /*
* Packet-oriented encryption for AEAD modes * Packet-oriented encryption for AEAD modes: internal function shared by
* mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
*/ */
int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx, static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len, const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len ) unsigned char *tag, size_t tag_len )
{ {
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ctx->psa_enabled == 1 ) if( ctx->psa_enabled == 1 )
{ {
@ -1320,7 +1313,7 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
/* PSA Crypto API always writes the authentication tag /* PSA Crypto API always writes the authentication tag
* at the end of the encrypted message. */ * at the end of the encrypted message. */
if( tag != output + ilen ) if( output == NULL || tag != output + ilen )
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
status = psa_aead_encrypt( cipher_psa->slot, status = psa_aead_encrypt( cipher_psa->slot,
@ -1370,44 +1363,21 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
ilen, iv, ad, ad_len, input, output, tag ) ); ilen, iv, ad, ad_len, input, output, tag ) );
} }
#endif /* MBEDTLS_CHACHAPOLY_C */ #endif /* MBEDTLS_CHACHAPOLY_C */
#if defined(MBEDTLS_NIST_KW_C)
if( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode )
{
mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
/* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */
if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
{
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
}
return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) );
}
#endif /* MBEDTLS_NIST_KW_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
} }
/* /*
* Packet-oriented decryption for AEAD modes * Packet-oriented encryption for AEAD modes: internal function shared by
* mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
*/ */
int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx, static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len, const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len, const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen, const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen, unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len ) const unsigned char *tag, size_t tag_len )
{ {
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ctx->psa_enabled == 1 ) if( ctx->psa_enabled == 1 )
{ {
@ -1423,7 +1393,7 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
/* PSA Crypto API always writes the authentication tag /* PSA Crypto API always writes the authentication tag
* at the end of the encrypted message. */ * at the end of the encrypted message. */
if( tag != input + ilen ) if( input == NULL || tag != input + ilen )
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
status = psa_aead_decrypt( cipher_psa->slot, status = psa_aead_decrypt( cipher_psa->slot,
@ -1495,25 +1465,169 @@ int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
return( ret ); return( ret );
} }
#endif /* MBEDTLS_CHACHAPOLY_C */ #endif /* MBEDTLS_CHACHAPOLY_C */
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/*
* Packet-oriented encryption for AEAD modes: public legacy function.
*/
int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len )
{
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
input, ilen, output, olen,
tag, tag_len ) );
}
/*
* Packet-oriented decryption for AEAD modes: public legacy function.
*/
int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len )
{
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
input, ilen, output, olen,
tag, tag_len ) );
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_CIPHER_MODE_AEAD */
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
/*
* Packet-oriented encryption for AEAD/NIST_KW: public function.
*/
int mbedtls_cipher_auth_encrypt_ext( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t output_len,
size_t *olen, size_t tag_len )
{
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
#if defined(MBEDTLS_NIST_KW_C) #if defined(MBEDTLS_NIST_KW_C)
if( MBEDTLS_MODE_KW == ctx->cipher_info->mode || if(
MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) #if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->psa_enabled == 0 &&
#endif
( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
{ {
mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ? mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP; MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
/* There is no iv, tag or ad associated with KW and KWP, these length should be 0 */ /* There is no iv, tag or ad associated with KW and KWP,
* so these length should be 0 as documented. */
if( iv_len != 0 || tag_len != 0 || ad_len != 0 ) if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
{
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
}
return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen, output, olen, SIZE_MAX ) ); (void) iv;
(void) ad;
return( mbedtls_nist_kw_wrap( ctx->cipher_ctx, mode, input, ilen,
output, olen, output_len ) );
} }
#endif /* MBEDTLS_NIST_KW_C */ #endif /* MBEDTLS_NIST_KW_C */
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
/* AEAD case: check length before passing on to shared function */
if( output_len < ilen + tag_len )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
int ret = mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
input, ilen, output, olen,
output + ilen, tag_len );
*olen += tag_len;
return( ret );
#else
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE ); return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
#endif /* MBEDTLS_CIPHER_MODE_AEAD */ #endif /* MBEDTLS_CIPHER_MODE_AEAD */
}
/*
* Packet-oriented decryption for AEAD/NIST_KW: public function.
*/
int mbedtls_cipher_auth_decrypt_ext( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t output_len,
size_t *olen, size_t tag_len )
{
CIPHER_VALIDATE_RET( ctx != NULL );
CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
CIPHER_VALIDATE_RET( output_len == 0 || output != NULL );
CIPHER_VALIDATE_RET( olen != NULL );
#if defined(MBEDTLS_NIST_KW_C)
if(
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->psa_enabled == 0 &&
#endif
( MBEDTLS_MODE_KW == ctx->cipher_info->mode ||
MBEDTLS_MODE_KWP == ctx->cipher_info->mode ) )
{
mbedtls_nist_kw_mode_t mode = ( MBEDTLS_MODE_KW == ctx->cipher_info->mode ) ?
MBEDTLS_KW_MODE_KW : MBEDTLS_KW_MODE_KWP;
/* There is no iv, tag or ad associated with KW and KWP,
* so these length should be 0 as documented. */
if( iv_len != 0 || tag_len != 0 || ad_len != 0 )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
(void) iv;
(void) ad;
return( mbedtls_nist_kw_unwrap( ctx->cipher_ctx, mode, input, ilen,
output, olen, output_len ) );
}
#endif /* MBEDTLS_NIST_KW_C */
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
/* AEAD case: check length before passing on to shared function */
if( ilen < tag_len || output_len < ilen - tag_len )
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
input, ilen - tag_len, output, olen,
input + ilen - tag_len, tag_len ) );
#else
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
#endif /* MBEDTLS_CIPHER_MODE_AEAD */
}
#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
#endif /* MBEDTLS_CIPHER_C */ #endif /* MBEDTLS_CIPHER_C */

View file

@ -147,6 +147,9 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx )
t = ctx->cksum[i]; t = ctx->cksum[i];
} }
/* Zeroise variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &t, sizeof( t ) );
return( 0 ); return( 0 );
} }

View file

@ -112,32 +112,35 @@ void mbedtls_md4_starts( mbedtls_md4_context *ctx )
#if !defined(MBEDTLS_MD4_PROCESS_ALT) #if !defined(MBEDTLS_MD4_PROCESS_ALT)
int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
const unsigned char data[64] ) const unsigned char data[64] )
{
struct
{ {
uint32_t X[16], A, B, C, D; uint32_t X[16], A, B, C, D;
} local;
GET_UINT32_LE( X[ 0], data, 0 ); GET_UINT32_LE( local.X[ 0], data, 0 );
GET_UINT32_LE( X[ 1], data, 4 ); GET_UINT32_LE( local.X[ 1], data, 4 );
GET_UINT32_LE( X[ 2], data, 8 ); GET_UINT32_LE( local.X[ 2], data, 8 );
GET_UINT32_LE( X[ 3], data, 12 ); GET_UINT32_LE( local.X[ 3], data, 12 );
GET_UINT32_LE( X[ 4], data, 16 ); GET_UINT32_LE( local.X[ 4], data, 16 );
GET_UINT32_LE( X[ 5], data, 20 ); GET_UINT32_LE( local.X[ 5], data, 20 );
GET_UINT32_LE( X[ 6], data, 24 ); GET_UINT32_LE( local.X[ 6], data, 24 );
GET_UINT32_LE( X[ 7], data, 28 ); GET_UINT32_LE( local.X[ 7], data, 28 );
GET_UINT32_LE( X[ 8], data, 32 ); GET_UINT32_LE( local.X[ 8], data, 32 );
GET_UINT32_LE( X[ 9], data, 36 ); GET_UINT32_LE( local.X[ 9], data, 36 );
GET_UINT32_LE( X[10], data, 40 ); GET_UINT32_LE( local.X[10], data, 40 );
GET_UINT32_LE( X[11], data, 44 ); GET_UINT32_LE( local.X[11], data, 44 );
GET_UINT32_LE( X[12], data, 48 ); GET_UINT32_LE( local.X[12], data, 48 );
GET_UINT32_LE( X[13], data, 52 ); GET_UINT32_LE( local.X[13], data, 52 );
GET_UINT32_LE( X[14], data, 56 ); GET_UINT32_LE( local.X[14], data, 56 );
GET_UINT32_LE( X[15], data, 60 ); GET_UINT32_LE( local.X[15], data, 60 );
#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n)))) #define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
A = ctx->state[0]; local.A = ctx->state[0];
B = ctx->state[1]; local.B = ctx->state[1];
C = ctx->state[2]; local.C = ctx->state[2];
D = ctx->state[3]; local.D = ctx->state[3];
#define F(x, y, z) (((x) & (y)) | ((~(x)) & (z))) #define F(x, y, z) (((x) & (y)) | ((~(x)) & (z)))
#define P(a,b,c,d,x,s) \ #define P(a,b,c,d,x,s) \
@ -148,22 +151,22 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
} while( 0 ) } while( 0 )
P( A, B, C, D, X[ 0], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
P( D, A, B, C, X[ 1], 7 ); P( local.D, local.A, local.B, local.C, local.X[ 1], 7 );
P( C, D, A, B, X[ 2], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 2], 11 );
P( B, C, D, A, X[ 3], 19 ); P( local.B, local.C, local.D, local.A, local.X[ 3], 19 );
P( A, B, C, D, X[ 4], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 4], 3 );
P( D, A, B, C, X[ 5], 7 ); P( local.D, local.A, local.B, local.C, local.X[ 5], 7 );
P( C, D, A, B, X[ 6], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
P( B, C, D, A, X[ 7], 19 ); P( local.B, local.C, local.D, local.A, local.X[ 7], 19 );
P( A, B, C, D, X[ 8], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 8], 3 );
P( D, A, B, C, X[ 9], 7 ); P( local.D, local.A, local.B, local.C, local.X[ 9], 7 );
P( C, D, A, B, X[10], 11 ); P( local.C, local.D, local.A, local.B, local.X[10], 11 );
P( B, C, D, A, X[11], 19 ); P( local.B, local.C, local.D, local.A, local.X[11], 19 );
P( A, B, C, D, X[12], 3 ); P( local.A, local.B, local.C, local.D, local.X[12], 3 );
P( D, A, B, C, X[13], 7 ); P( local.D, local.A, local.B, local.C, local.X[13], 7 );
P( C, D, A, B, X[14], 11 ); P( local.C, local.D, local.A, local.B, local.X[14], 11 );
P( B, C, D, A, X[15], 19 ); P( local.B, local.C, local.D, local.A, local.X[15], 19 );
#undef P #undef P
#undef F #undef F
@ -176,22 +179,22 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
(a) = S((a),(s)); \ (a) = S((a),(s)); \
} while( 0 ) } while( 0 )
P( A, B, C, D, X[ 0], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
P( D, A, B, C, X[ 4], 5 ); P( local.D, local.A, local.B, local.C, local.X[ 4], 5 );
P( C, D, A, B, X[ 8], 9 ); P( local.C, local.D, local.A, local.B, local.X[ 8], 9 );
P( B, C, D, A, X[12], 13 ); P( local.B, local.C, local.D, local.A, local.X[12], 13 );
P( A, B, C, D, X[ 1], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 1], 3 );
P( D, A, B, C, X[ 5], 5 ); P( local.D, local.A, local.B, local.C, local.X[ 5], 5 );
P( C, D, A, B, X[ 9], 9 ); P( local.C, local.D, local.A, local.B, local.X[ 9], 9 );
P( B, C, D, A, X[13], 13 ); P( local.B, local.C, local.D, local.A, local.X[13], 13 );
P( A, B, C, D, X[ 2], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 2], 3 );
P( D, A, B, C, X[ 6], 5 ); P( local.D, local.A, local.B, local.C, local.X[ 6], 5 );
P( C, D, A, B, X[10], 9 ); P( local.C, local.D, local.A, local.B, local.X[10], 9 );
P( B, C, D, A, X[14], 13 ); P( local.B, local.C, local.D, local.A, local.X[14], 13 );
P( A, B, C, D, X[ 3], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 3], 3 );
P( D, A, B, C, X[ 7], 5 ); P( local.D, local.A, local.B, local.C, local.X[ 7], 5 );
P( C, D, A, B, X[11], 9 ); P( local.C, local.D, local.A, local.B, local.X[11], 9 );
P( B, C, D, A, X[15], 13 ); P( local.B, local.C, local.D, local.A, local.X[15], 13 );
#undef P #undef P
#undef F #undef F
@ -204,30 +207,33 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx,
(a) = S((a),(s)); \ (a) = S((a),(s)); \
} while( 0 ) } while( 0 )
P( A, B, C, D, X[ 0], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 0], 3 );
P( D, A, B, C, X[ 8], 9 ); P( local.D, local.A, local.B, local.C, local.X[ 8], 9 );
P( C, D, A, B, X[ 4], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 4], 11 );
P( B, C, D, A, X[12], 15 ); P( local.B, local.C, local.D, local.A, local.X[12], 15 );
P( A, B, C, D, X[ 2], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 2], 3 );
P( D, A, B, C, X[10], 9 ); P( local.D, local.A, local.B, local.C, local.X[10], 9 );
P( C, D, A, B, X[ 6], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 6], 11 );
P( B, C, D, A, X[14], 15 ); P( local.B, local.C, local.D, local.A, local.X[14], 15 );
P( A, B, C, D, X[ 1], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 1], 3 );
P( D, A, B, C, X[ 9], 9 ); P( local.D, local.A, local.B, local.C, local.X[ 9], 9 );
P( C, D, A, B, X[ 5], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 5], 11 );
P( B, C, D, A, X[13], 15 ); P( local.B, local.C, local.D, local.A, local.X[13], 15 );
P( A, B, C, D, X[ 3], 3 ); P( local.A, local.B, local.C, local.D, local.X[ 3], 3 );
P( D, A, B, C, X[11], 9 ); P( local.D, local.A, local.B, local.C, local.X[11], 9 );
P( C, D, A, B, X[ 7], 11 ); P( local.C, local.D, local.A, local.B, local.X[ 7], 11 );
P( B, C, D, A, X[15], 15 ); P( local.B, local.C, local.D, local.A, local.X[15], 15 );
#undef F #undef F
#undef P #undef P
ctx->state[0] += A; ctx->state[0] += local.A;
ctx->state[1] += B; ctx->state[1] += local.B;
ctx->state[2] += C; ctx->state[2] += local.C;
ctx->state[3] += D; ctx->state[3] += local.D;
/* Zeroise variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -111,25 +111,28 @@ void mbedtls_md5_starts( mbedtls_md5_context *ctx )
#if !defined(MBEDTLS_MD5_PROCESS_ALT) #if !defined(MBEDTLS_MD5_PROCESS_ALT)
int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
const unsigned char data[64] ) const unsigned char data[64] )
{
struct
{ {
uint32_t X[16], A, B, C, D; uint32_t X[16], A, B, C, D;
} local;
GET_UINT32_LE( X[ 0], data, 0 ); GET_UINT32_LE( local.X[ 0], data, 0 );
GET_UINT32_LE( X[ 1], data, 4 ); GET_UINT32_LE( local.X[ 1], data, 4 );
GET_UINT32_LE( X[ 2], data, 8 ); GET_UINT32_LE( local.X[ 2], data, 8 );
GET_UINT32_LE( X[ 3], data, 12 ); GET_UINT32_LE( local.X[ 3], data, 12 );
GET_UINT32_LE( X[ 4], data, 16 ); GET_UINT32_LE( local.X[ 4], data, 16 );
GET_UINT32_LE( X[ 5], data, 20 ); GET_UINT32_LE( local.X[ 5], data, 20 );
GET_UINT32_LE( X[ 6], data, 24 ); GET_UINT32_LE( local.X[ 6], data, 24 );
GET_UINT32_LE( X[ 7], data, 28 ); GET_UINT32_LE( local.X[ 7], data, 28 );
GET_UINT32_LE( X[ 8], data, 32 ); GET_UINT32_LE( local.X[ 8], data, 32 );
GET_UINT32_LE( X[ 9], data, 36 ); GET_UINT32_LE( local.X[ 9], data, 36 );
GET_UINT32_LE( X[10], data, 40 ); GET_UINT32_LE( local.X[10], data, 40 );
GET_UINT32_LE( X[11], data, 44 ); GET_UINT32_LE( local.X[11], data, 44 );
GET_UINT32_LE( X[12], data, 48 ); GET_UINT32_LE( local.X[12], data, 48 );
GET_UINT32_LE( X[13], data, 52 ); GET_UINT32_LE( local.X[13], data, 52 );
GET_UINT32_LE( X[14], data, 56 ); GET_UINT32_LE( local.X[14], data, 56 );
GET_UINT32_LE( X[15], data, 60 ); GET_UINT32_LE( local.X[15], data, 60 );
#define S(x,n) \ #define S(x,n) \
( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) ) ( ( (x) << (n) ) | ( ( (x) & 0xFFFFFFFF) >> ( 32 - (n) ) ) )
@ -137,103 +140,106 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx,
#define P(a,b,c,d,k,s,t) \ #define P(a,b,c,d,k,s,t) \
do \ do \
{ \ { \
(a) += F((b),(c),(d)) + X[(k)] + (t); \ (a) += F((b),(c),(d)) + local.X[(k)] + (t); \
(a) = S((a),(s)) + (b); \ (a) = S((a),(s)) + (b); \
} while( 0 ) } while( 0 )
A = ctx->state[0]; local.A = ctx->state[0];
B = ctx->state[1]; local.B = ctx->state[1];
C = ctx->state[2]; local.C = ctx->state[2];
D = ctx->state[3]; local.D = ctx->state[3];
#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) #define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
P( A, B, C, D, 0, 7, 0xD76AA478 ); P( local.A, local.B, local.C, local.D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 ); P( local.D, local.A, local.B, local.C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB ); P( local.C, local.D, local.A, local.B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE ); P( local.B, local.C, local.D, local.A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF ); P( local.A, local.B, local.C, local.D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A ); P( local.D, local.A, local.B, local.C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 ); P( local.C, local.D, local.A, local.B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 ); P( local.B, local.C, local.D, local.A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 ); P( local.A, local.B, local.C, local.D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF ); P( local.D, local.A, local.B, local.C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 ); P( local.C, local.D, local.A, local.B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE ); P( local.B, local.C, local.D, local.A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 ); P( local.A, local.B, local.C, local.D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 ); P( local.D, local.A, local.B, local.C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E ); P( local.C, local.D, local.A, local.B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 ); P( local.B, local.C, local.D, local.A, 15, 22, 0x49B40821 );
#undef F #undef F
#define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y)))) #define F(x,y,z) ((y) ^ ((z) & ((x) ^ (y))))
P( A, B, C, D, 1, 5, 0xF61E2562 ); P( local.A, local.B, local.C, local.D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 ); P( local.D, local.A, local.B, local.C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 ); P( local.C, local.D, local.A, local.B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA ); P( local.B, local.C, local.D, local.A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D ); P( local.A, local.B, local.C, local.D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 ); P( local.D, local.A, local.B, local.C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 ); P( local.C, local.D, local.A, local.B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 ); P( local.B, local.C, local.D, local.A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 ); P( local.A, local.B, local.C, local.D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 ); P( local.D, local.A, local.B, local.C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 ); P( local.C, local.D, local.A, local.B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED ); P( local.B, local.C, local.D, local.A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 ); P( local.A, local.B, local.C, local.D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 ); P( local.D, local.A, local.B, local.C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 ); P( local.C, local.D, local.A, local.B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A ); P( local.B, local.C, local.D, local.A, 12, 20, 0x8D2A4C8A );
#undef F #undef F
#define F(x,y,z) ((x) ^ (y) ^ (z)) #define F(x,y,z) ((x) ^ (y) ^ (z))
P( A, B, C, D, 5, 4, 0xFFFA3942 ); P( local.A, local.B, local.C, local.D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 ); P( local.D, local.A, local.B, local.C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 ); P( local.C, local.D, local.A, local.B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C ); P( local.B, local.C, local.D, local.A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 ); P( local.A, local.B, local.C, local.D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 ); P( local.D, local.A, local.B, local.C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 ); P( local.C, local.D, local.A, local.B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 ); P( local.B, local.C, local.D, local.A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 ); P( local.A, local.B, local.C, local.D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA ); P( local.D, local.A, local.B, local.C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 ); P( local.C, local.D, local.A, local.B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 ); P( local.B, local.C, local.D, local.A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 ); P( local.A, local.B, local.C, local.D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 ); P( local.D, local.A, local.B, local.C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 ); P( local.C, local.D, local.A, local.B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 ); P( local.B, local.C, local.D, local.A, 2, 23, 0xC4AC5665 );
#undef F #undef F
#define F(x,y,z) ((y) ^ ((x) | ~(z))) #define F(x,y,z) ((y) ^ ((x) | ~(z)))
P( A, B, C, D, 0, 6, 0xF4292244 ); P( local.A, local.B, local.C, local.D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 ); P( local.D, local.A, local.B, local.C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 ); P( local.C, local.D, local.A, local.B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 ); P( local.B, local.C, local.D, local.A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 ); P( local.A, local.B, local.C, local.D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 ); P( local.D, local.A, local.B, local.C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D ); P( local.C, local.D, local.A, local.B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 ); P( local.B, local.C, local.D, local.A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F ); P( local.A, local.B, local.C, local.D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 ); P( local.D, local.A, local.B, local.C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 ); P( local.C, local.D, local.A, local.B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 ); P( local.B, local.C, local.D, local.A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 ); P( local.A, local.B, local.C, local.D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 ); P( local.D, local.A, local.B, local.C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB ); P( local.C, local.D, local.A, local.B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 ); P( local.B, local.C, local.D, local.A, 9, 21, 0xEB86D391 );
#undef F #undef F
ctx->state[0] += A; ctx->state[0] += local.A;
ctx->state[1] += B; ctx->state[1] += local.B;
ctx->state[2] += C; ctx->state[2] += local.C;
ctx->state[3] += D; ctx->state[3] += local.D;
/* Zeroise variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -221,7 +221,8 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
unsigned int iteration_count, unsigned int iteration_count,
uint32_t key_length, unsigned char *output ) uint32_t key_length, unsigned char *output )
{ {
int ret, j; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int j;
unsigned int i; unsigned int i;
unsigned char md1[MBEDTLS_MD_MAX_SIZE]; unsigned char md1[MBEDTLS_MD_MAX_SIZE];
unsigned char work[MBEDTLS_MD_MAX_SIZE]; unsigned char work[MBEDTLS_MD_MAX_SIZE];
@ -245,16 +246,16 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
// U1 ends up in work // U1 ends up in work
// //
if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 ) if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
return( ret ); goto cleanup;
if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 ) if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
return( ret ); goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 ) if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
return( ret ); goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 ) if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
return( ret ); goto cleanup;
memcpy( md1, work, md_size ); memcpy( md1, work, md_size );
@ -263,13 +264,13 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
// U2 ends up in md1 // U2 ends up in md1
// //
if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 ) if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
return( ret ); goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 ) if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
return( ret ); goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 ) if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
return( ret ); goto cleanup;
// U1 xor U2 // U1 xor U2
// //
@ -288,7 +289,12 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
break; break;
} }
return( 0 ); cleanup:
/* Zeroise buffers to clear sensitive data from memory. */
mbedtls_platform_zeroize( work, MBEDTLS_MD_MAX_SIZE );
mbedtls_platform_zeroize( md1, MBEDTLS_MD_MAX_SIZE );
return( ret );
} }
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)

View file

@ -116,31 +116,34 @@ void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx )
*/ */
int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
const unsigned char data[64] ) const unsigned char data[64] )
{
struct
{ {
uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16]; uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16];
} local;
GET_UINT32_LE( X[ 0], data, 0 ); GET_UINT32_LE( local.X[ 0], data, 0 );
GET_UINT32_LE( X[ 1], data, 4 ); GET_UINT32_LE( local.X[ 1], data, 4 );
GET_UINT32_LE( X[ 2], data, 8 ); GET_UINT32_LE( local.X[ 2], data, 8 );
GET_UINT32_LE( X[ 3], data, 12 ); GET_UINT32_LE( local.X[ 3], data, 12 );
GET_UINT32_LE( X[ 4], data, 16 ); GET_UINT32_LE( local.X[ 4], data, 16 );
GET_UINT32_LE( X[ 5], data, 20 ); GET_UINT32_LE( local.X[ 5], data, 20 );
GET_UINT32_LE( X[ 6], data, 24 ); GET_UINT32_LE( local.X[ 6], data, 24 );
GET_UINT32_LE( X[ 7], data, 28 ); GET_UINT32_LE( local.X[ 7], data, 28 );
GET_UINT32_LE( X[ 8], data, 32 ); GET_UINT32_LE( local.X[ 8], data, 32 );
GET_UINT32_LE( X[ 9], data, 36 ); GET_UINT32_LE( local.X[ 9], data, 36 );
GET_UINT32_LE( X[10], data, 40 ); GET_UINT32_LE( local.X[10], data, 40 );
GET_UINT32_LE( X[11], data, 44 ); GET_UINT32_LE( local.X[11], data, 44 );
GET_UINT32_LE( X[12], data, 48 ); GET_UINT32_LE( local.X[12], data, 48 );
GET_UINT32_LE( X[13], data, 52 ); GET_UINT32_LE( local.X[13], data, 52 );
GET_UINT32_LE( X[14], data, 56 ); GET_UINT32_LE( local.X[14], data, 56 );
GET_UINT32_LE( X[15], data, 60 ); GET_UINT32_LE( local.X[15], data, 60 );
A = Ap = ctx->state[0]; local.A = local.Ap = ctx->state[0];
B = Bp = ctx->state[1]; local.B = local.Bp = ctx->state[1];
C = Cp = ctx->state[2]; local.C = local.Cp = ctx->state[2];
D = Dp = ctx->state[3]; local.D = local.Dp = ctx->state[3];
E = Ep = ctx->state[4]; local.E = local.Ep = ctx->state[4];
#define F1( x, y, z ) ( (x) ^ (y) ^ (z) ) #define F1( x, y, z ) ( (x) ^ (y) ^ (z) )
#define F2( x, y, z ) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) #define F2( x, y, z ) ( ( (x) & (y) ) | ( ~(x) & (z) ) )
@ -153,7 +156,7 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define P( a, b, c, d, e, r, s, f, k ) \ #define P( a, b, c, d, e, r, s, f, k ) \
do \ do \
{ \ { \
(a) += f( (b), (c), (d) ) + X[r] + (k); \ (a) += f( (b), (c), (d) ) + local.X[r] + (k); \
(a) = S( (a), (s) ) + (e); \ (a) = S( (a), (s) ) + (e); \
(c) = S( (c), 10 ); \ (c) = S( (c), 10 ); \
} while( 0 ) } while( 0 )
@ -170,22 +173,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define K 0x00000000 #define K 0x00000000
#define Fp F5 #define Fp F5
#define Kp 0x50A28BE6 #define Kp 0x50A28BE6
P2( A, B, C, D, E, 0, 11, 5, 8 ); P2( local.A, local.B, local.C, local.D, local.E, 0, 11, 5, 8 );
P2( E, A, B, C, D, 1, 14, 14, 9 ); P2( local.E, local.A, local.B, local.C, local.D, 1, 14, 14, 9 );
P2( D, E, A, B, C, 2, 15, 7, 9 ); P2( local.D, local.E, local.A, local.B, local.C, 2, 15, 7, 9 );
P2( C, D, E, A, B, 3, 12, 0, 11 ); P2( local.C, local.D, local.E, local.A, local.B, 3, 12, 0, 11 );
P2( B, C, D, E, A, 4, 5, 9, 13 ); P2( local.B, local.C, local.D, local.E, local.A, 4, 5, 9, 13 );
P2( A, B, C, D, E, 5, 8, 2, 15 ); P2( local.A, local.B, local.C, local.D, local.E, 5, 8, 2, 15 );
P2( E, A, B, C, D, 6, 7, 11, 15 ); P2( local.E, local.A, local.B, local.C, local.D, 6, 7, 11, 15 );
P2( D, E, A, B, C, 7, 9, 4, 5 ); P2( local.D, local.E, local.A, local.B, local.C, 7, 9, 4, 5 );
P2( C, D, E, A, B, 8, 11, 13, 7 ); P2( local.C, local.D, local.E, local.A, local.B, 8, 11, 13, 7 );
P2( B, C, D, E, A, 9, 13, 6, 7 ); P2( local.B, local.C, local.D, local.E, local.A, 9, 13, 6, 7 );
P2( A, B, C, D, E, 10, 14, 15, 8 ); P2( local.A, local.B, local.C, local.D, local.E, 10, 14, 15, 8 );
P2( E, A, B, C, D, 11, 15, 8, 11 ); P2( local.E, local.A, local.B, local.C, local.D, 11, 15, 8, 11 );
P2( D, E, A, B, C, 12, 6, 1, 14 ); P2( local.D, local.E, local.A, local.B, local.C, 12, 6, 1, 14 );
P2( C, D, E, A, B, 13, 7, 10, 14 ); P2( local.C, local.D, local.E, local.A, local.B, 13, 7, 10, 14 );
P2( B, C, D, E, A, 14, 9, 3, 12 ); P2( local.B, local.C, local.D, local.E, local.A, 14, 9, 3, 12 );
P2( A, B, C, D, E, 15, 8, 12, 6 ); P2( local.A, local.B, local.C, local.D, local.E, 15, 8, 12, 6 );
#undef F #undef F
#undef K #undef K
#undef Fp #undef Fp
@ -195,22 +198,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define K 0x5A827999 #define K 0x5A827999
#define Fp F4 #define Fp F4
#define Kp 0x5C4DD124 #define Kp 0x5C4DD124
P2( E, A, B, C, D, 7, 7, 6, 9 ); P2( local.E, local.A, local.B, local.C, local.D, 7, 7, 6, 9 );
P2( D, E, A, B, C, 4, 6, 11, 13 ); P2( local.D, local.E, local.A, local.B, local.C, 4, 6, 11, 13 );
P2( C, D, E, A, B, 13, 8, 3, 15 ); P2( local.C, local.D, local.E, local.A, local.B, 13, 8, 3, 15 );
P2( B, C, D, E, A, 1, 13, 7, 7 ); P2( local.B, local.C, local.D, local.E, local.A, 1, 13, 7, 7 );
P2( A, B, C, D, E, 10, 11, 0, 12 ); P2( local.A, local.B, local.C, local.D, local.E, 10, 11, 0, 12 );
P2( E, A, B, C, D, 6, 9, 13, 8 ); P2( local.E, local.A, local.B, local.C, local.D, 6, 9, 13, 8 );
P2( D, E, A, B, C, 15, 7, 5, 9 ); P2( local.D, local.E, local.A, local.B, local.C, 15, 7, 5, 9 );
P2( C, D, E, A, B, 3, 15, 10, 11 ); P2( local.C, local.D, local.E, local.A, local.B, 3, 15, 10, 11 );
P2( B, C, D, E, A, 12, 7, 14, 7 ); P2( local.B, local.C, local.D, local.E, local.A, 12, 7, 14, 7 );
P2( A, B, C, D, E, 0, 12, 15, 7 ); P2( local.A, local.B, local.C, local.D, local.E, 0, 12, 15, 7 );
P2( E, A, B, C, D, 9, 15, 8, 12 ); P2( local.E, local.A, local.B, local.C, local.D, 9, 15, 8, 12 );
P2( D, E, A, B, C, 5, 9, 12, 7 ); P2( local.D, local.E, local.A, local.B, local.C, 5, 9, 12, 7 );
P2( C, D, E, A, B, 2, 11, 4, 6 ); P2( local.C, local.D, local.E, local.A, local.B, 2, 11, 4, 6 );
P2( B, C, D, E, A, 14, 7, 9, 15 ); P2( local.B, local.C, local.D, local.E, local.A, 14, 7, 9, 15 );
P2( A, B, C, D, E, 11, 13, 1, 13 ); P2( local.A, local.B, local.C, local.D, local.E, 11, 13, 1, 13 );
P2( E, A, B, C, D, 8, 12, 2, 11 ); P2( local.E, local.A, local.B, local.C, local.D, 8, 12, 2, 11 );
#undef F #undef F
#undef K #undef K
#undef Fp #undef Fp
@ -220,22 +223,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define K 0x6ED9EBA1 #define K 0x6ED9EBA1
#define Fp F3 #define Fp F3
#define Kp 0x6D703EF3 #define Kp 0x6D703EF3
P2( D, E, A, B, C, 3, 11, 15, 9 ); P2( local.D, local.E, local.A, local.B, local.C, 3, 11, 15, 9 );
P2( C, D, E, A, B, 10, 13, 5, 7 ); P2( local.C, local.D, local.E, local.A, local.B, 10, 13, 5, 7 );
P2( B, C, D, E, A, 14, 6, 1, 15 ); P2( local.B, local.C, local.D, local.E, local.A, 14, 6, 1, 15 );
P2( A, B, C, D, E, 4, 7, 3, 11 ); P2( local.A, local.B, local.C, local.D, local.E, 4, 7, 3, 11 );
P2( E, A, B, C, D, 9, 14, 7, 8 ); P2( local.E, local.A, local.B, local.C, local.D, 9, 14, 7, 8 );
P2( D, E, A, B, C, 15, 9, 14, 6 ); P2( local.D, local.E, local.A, local.B, local.C, 15, 9, 14, 6 );
P2( C, D, E, A, B, 8, 13, 6, 6 ); P2( local.C, local.D, local.E, local.A, local.B, 8, 13, 6, 6 );
P2( B, C, D, E, A, 1, 15, 9, 14 ); P2( local.B, local.C, local.D, local.E, local.A, 1, 15, 9, 14 );
P2( A, B, C, D, E, 2, 14, 11, 12 ); P2( local.A, local.B, local.C, local.D, local.E, 2, 14, 11, 12 );
P2( E, A, B, C, D, 7, 8, 8, 13 ); P2( local.E, local.A, local.B, local.C, local.D, 7, 8, 8, 13 );
P2( D, E, A, B, C, 0, 13, 12, 5 ); P2( local.D, local.E, local.A, local.B, local.C, 0, 13, 12, 5 );
P2( C, D, E, A, B, 6, 6, 2, 14 ); P2( local.C, local.D, local.E, local.A, local.B, 6, 6, 2, 14 );
P2( B, C, D, E, A, 13, 5, 10, 13 ); P2( local.B, local.C, local.D, local.E, local.A, 13, 5, 10, 13 );
P2( A, B, C, D, E, 11, 12, 0, 13 ); P2( local.A, local.B, local.C, local.D, local.E, 11, 12, 0, 13 );
P2( E, A, B, C, D, 5, 7, 4, 7 ); P2( local.E, local.A, local.B, local.C, local.D, 5, 7, 4, 7 );
P2( D, E, A, B, C, 12, 5, 13, 5 ); P2( local.D, local.E, local.A, local.B, local.C, 12, 5, 13, 5 );
#undef F #undef F
#undef K #undef K
#undef Fp #undef Fp
@ -245,22 +248,22 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define K 0x8F1BBCDC #define K 0x8F1BBCDC
#define Fp F2 #define Fp F2
#define Kp 0x7A6D76E9 #define Kp 0x7A6D76E9
P2( C, D, E, A, B, 1, 11, 8, 15 ); P2( local.C, local.D, local.E, local.A, local.B, 1, 11, 8, 15 );
P2( B, C, D, E, A, 9, 12, 6, 5 ); P2( local.B, local.C, local.D, local.E, local.A, 9, 12, 6, 5 );
P2( A, B, C, D, E, 11, 14, 4, 8 ); P2( local.A, local.B, local.C, local.D, local.E, 11, 14, 4, 8 );
P2( E, A, B, C, D, 10, 15, 1, 11 ); P2( local.E, local.A, local.B, local.C, local.D, 10, 15, 1, 11 );
P2( D, E, A, B, C, 0, 14, 3, 14 ); P2( local.D, local.E, local.A, local.B, local.C, 0, 14, 3, 14 );
P2( C, D, E, A, B, 8, 15, 11, 14 ); P2( local.C, local.D, local.E, local.A, local.B, 8, 15, 11, 14 );
P2( B, C, D, E, A, 12, 9, 15, 6 ); P2( local.B, local.C, local.D, local.E, local.A, 12, 9, 15, 6 );
P2( A, B, C, D, E, 4, 8, 0, 14 ); P2( local.A, local.B, local.C, local.D, local.E, 4, 8, 0, 14 );
P2( E, A, B, C, D, 13, 9, 5, 6 ); P2( local.E, local.A, local.B, local.C, local.D, 13, 9, 5, 6 );
P2( D, E, A, B, C, 3, 14, 12, 9 ); P2( local.D, local.E, local.A, local.B, local.C, 3, 14, 12, 9 );
P2( C, D, E, A, B, 7, 5, 2, 12 ); P2( local.C, local.D, local.E, local.A, local.B, 7, 5, 2, 12 );
P2( B, C, D, E, A, 15, 6, 13, 9 ); P2( local.B, local.C, local.D, local.E, local.A, 15, 6, 13, 9 );
P2( A, B, C, D, E, 14, 8, 9, 12 ); P2( local.A, local.B, local.C, local.D, local.E, 14, 8, 9, 12 );
P2( E, A, B, C, D, 5, 6, 7, 5 ); P2( local.E, local.A, local.B, local.C, local.D, 5, 6, 7, 5 );
P2( D, E, A, B, C, 6, 5, 10, 15 ); P2( local.D, local.E, local.A, local.B, local.C, 6, 5, 10, 15 );
P2( C, D, E, A, B, 2, 12, 14, 8 ); P2( local.C, local.D, local.E, local.A, local.B, 2, 12, 14, 8 );
#undef F #undef F
#undef K #undef K
#undef Fp #undef Fp
@ -270,33 +273,36 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx,
#define K 0xA953FD4E #define K 0xA953FD4E
#define Fp F1 #define Fp F1
#define Kp 0x00000000 #define Kp 0x00000000
P2( B, C, D, E, A, 4, 9, 12, 8 ); P2( local.B, local.C, local.D, local.E, local.A, 4, 9, 12, 8 );
P2( A, B, C, D, E, 0, 15, 15, 5 ); P2( local.A, local.B, local.C, local.D, local.E, 0, 15, 15, 5 );
P2( E, A, B, C, D, 5, 5, 10, 12 ); P2( local.E, local.A, local.B, local.C, local.D, 5, 5, 10, 12 );
P2( D, E, A, B, C, 9, 11, 4, 9 ); P2( local.D, local.E, local.A, local.B, local.C, 9, 11, 4, 9 );
P2( C, D, E, A, B, 7, 6, 1, 12 ); P2( local.C, local.D, local.E, local.A, local.B, 7, 6, 1, 12 );
P2( B, C, D, E, A, 12, 8, 5, 5 ); P2( local.B, local.C, local.D, local.E, local.A, 12, 8, 5, 5 );
P2( A, B, C, D, E, 2, 13, 8, 14 ); P2( local.A, local.B, local.C, local.D, local.E, 2, 13, 8, 14 );
P2( E, A, B, C, D, 10, 12, 7, 6 ); P2( local.E, local.A, local.B, local.C, local.D, 10, 12, 7, 6 );
P2( D, E, A, B, C, 14, 5, 6, 8 ); P2( local.D, local.E, local.A, local.B, local.C, 14, 5, 6, 8 );
P2( C, D, E, A, B, 1, 12, 2, 13 ); P2( local.C, local.D, local.E, local.A, local.B, 1, 12, 2, 13 );
P2( B, C, D, E, A, 3, 13, 13, 6 ); P2( local.B, local.C, local.D, local.E, local.A, 3, 13, 13, 6 );
P2( A, B, C, D, E, 8, 14, 14, 5 ); P2( local.A, local.B, local.C, local.D, local.E, 8, 14, 14, 5 );
P2( E, A, B, C, D, 11, 11, 0, 15 ); P2( local.E, local.A, local.B, local.C, local.D, 11, 11, 0, 15 );
P2( D, E, A, B, C, 6, 8, 3, 13 ); P2( local.D, local.E, local.A, local.B, local.C, 6, 8, 3, 13 );
P2( C, D, E, A, B, 15, 5, 9, 11 ); P2( local.C, local.D, local.E, local.A, local.B, 15, 5, 9, 11 );
P2( B, C, D, E, A, 13, 6, 11, 11 ); P2( local.B, local.C, local.D, local.E, local.A, 13, 6, 11, 11 );
#undef F #undef F
#undef K #undef K
#undef Fp #undef Fp
#undef Kp #undef Kp
C = ctx->state[1] + C + Dp; local.C = ctx->state[1] + local.C + local.Dp;
ctx->state[1] = ctx->state[2] + D + Ep; ctx->state[1] = ctx->state[2] + local.D + local.Ep;
ctx->state[2] = ctx->state[3] + E + Ap; ctx->state[2] = ctx->state[3] + local.E + local.Ap;
ctx->state[3] = ctx->state[4] + A + Bp; ctx->state[3] = ctx->state[4] + local.A + local.Bp;
ctx->state[4] = ctx->state[0] + B + Cp; ctx->state[4] = ctx->state[0] + local.B + local.Cp;
ctx->state[0] = C; ctx->state[0] = local.C;
/* Zeroise variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -124,36 +124,41 @@ void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
#if !defined(MBEDTLS_SHA1_PROCESS_ALT) #if !defined(MBEDTLS_SHA1_PROCESS_ALT)
int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
const unsigned char data[64] ) const unsigned char data[64] )
{
struct
{ {
uint32_t temp, W[16], A, B, C, D, E; uint32_t temp, W[16], A, B, C, D, E;
} local;
SHA1_VALIDATE_RET( ctx != NULL ); SHA1_VALIDATE_RET( ctx != NULL );
SHA1_VALIDATE_RET( (const unsigned char *)data != NULL ); SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
GET_UINT32_BE( W[ 0], data, 0 ); GET_UINT32_BE( local.W[ 0], data, 0 );
GET_UINT32_BE( W[ 1], data, 4 ); GET_UINT32_BE( local.W[ 1], data, 4 );
GET_UINT32_BE( W[ 2], data, 8 ); GET_UINT32_BE( local.W[ 2], data, 8 );
GET_UINT32_BE( W[ 3], data, 12 ); GET_UINT32_BE( local.W[ 3], data, 12 );
GET_UINT32_BE( W[ 4], data, 16 ); GET_UINT32_BE( local.W[ 4], data, 16 );
GET_UINT32_BE( W[ 5], data, 20 ); GET_UINT32_BE( local.W[ 5], data, 20 );
GET_UINT32_BE( W[ 6], data, 24 ); GET_UINT32_BE( local.W[ 6], data, 24 );
GET_UINT32_BE( W[ 7], data, 28 ); GET_UINT32_BE( local.W[ 7], data, 28 );
GET_UINT32_BE( W[ 8], data, 32 ); GET_UINT32_BE( local.W[ 8], data, 32 );
GET_UINT32_BE( W[ 9], data, 36 ); GET_UINT32_BE( local.W[ 9], data, 36 );
GET_UINT32_BE( W[10], data, 40 ); GET_UINT32_BE( local.W[10], data, 40 );
GET_UINT32_BE( W[11], data, 44 ); GET_UINT32_BE( local.W[11], data, 44 );
GET_UINT32_BE( W[12], data, 48 ); GET_UINT32_BE( local.W[12], data, 48 );
GET_UINT32_BE( W[13], data, 52 ); GET_UINT32_BE( local.W[13], data, 52 );
GET_UINT32_BE( W[14], data, 56 ); GET_UINT32_BE( local.W[14], data, 56 );
GET_UINT32_BE( W[15], data, 60 ); GET_UINT32_BE( local.W[15], data, 60 );
#define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n)))) #define S(x,n) (((x) << (n)) | (((x) & 0xFFFFFFFF) >> (32 - (n))))
#define R(t) \ #define R(t) \
( \ ( \
temp = W[( (t) - 3 ) & 0x0F] ^ W[( (t) - 8 ) & 0x0F] ^ \ local.temp = local.W[( (t) - 3 ) & 0x0F] ^ \
W[( (t) - 14 ) & 0x0F] ^ W[ (t) & 0x0F], \ local.W[( (t) - 8 ) & 0x0F] ^ \
( W[(t) & 0x0F] = S(temp,1) ) \ local.W[( (t) - 14 ) & 0x0F] ^ \
local.W[ (t) & 0x0F], \
( local.W[(t) & 0x0F] = S(local.temp,1) ) \
) )
#define P(a,b,c,d,e,x) \ #define P(a,b,c,d,e,x) \
@ -163,35 +168,35 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
(b) = S((b),30); \ (b) = S((b),30); \
} while( 0 ) } while( 0 )
A = ctx->state[0]; local.A = ctx->state[0];
B = ctx->state[1]; local.B = ctx->state[1];
C = ctx->state[2]; local.C = ctx->state[2];
D = ctx->state[3]; local.D = ctx->state[3];
E = ctx->state[4]; local.E = ctx->state[4];
#define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z)))) #define F(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define K 0x5A827999 #define K 0x5A827999
P( A, B, C, D, E, W[0] ); P( local.A, local.B, local.C, local.D, local.E, local.W[0] );
P( E, A, B, C, D, W[1] ); P( local.E, local.A, local.B, local.C, local.D, local.W[1] );
P( D, E, A, B, C, W[2] ); P( local.D, local.E, local.A, local.B, local.C, local.W[2] );
P( C, D, E, A, B, W[3] ); P( local.C, local.D, local.E, local.A, local.B, local.W[3] );
P( B, C, D, E, A, W[4] ); P( local.B, local.C, local.D, local.E, local.A, local.W[4] );
P( A, B, C, D, E, W[5] ); P( local.A, local.B, local.C, local.D, local.E, local.W[5] );
P( E, A, B, C, D, W[6] ); P( local.E, local.A, local.B, local.C, local.D, local.W[6] );
P( D, E, A, B, C, W[7] ); P( local.D, local.E, local.A, local.B, local.C, local.W[7] );
P( C, D, E, A, B, W[8] ); P( local.C, local.D, local.E, local.A, local.B, local.W[8] );
P( B, C, D, E, A, W[9] ); P( local.B, local.C, local.D, local.E, local.A, local.W[9] );
P( A, B, C, D, E, W[10] ); P( local.A, local.B, local.C, local.D, local.E, local.W[10] );
P( E, A, B, C, D, W[11] ); P( local.E, local.A, local.B, local.C, local.D, local.W[11] );
P( D, E, A, B, C, W[12] ); P( local.D, local.E, local.A, local.B, local.C, local.W[12] );
P( C, D, E, A, B, W[13] ); P( local.C, local.D, local.E, local.A, local.B, local.W[13] );
P( B, C, D, E, A, W[14] ); P( local.B, local.C, local.D, local.E, local.A, local.W[14] );
P( A, B, C, D, E, W[15] ); P( local.A, local.B, local.C, local.D, local.E, local.W[15] );
P( E, A, B, C, D, R(16) ); P( local.E, local.A, local.B, local.C, local.D, R(16) );
P( D, E, A, B, C, R(17) ); P( local.D, local.E, local.A, local.B, local.C, R(17) );
P( C, D, E, A, B, R(18) ); P( local.C, local.D, local.E, local.A, local.B, R(18) );
P( B, C, D, E, A, R(19) ); P( local.B, local.C, local.D, local.E, local.A, R(19) );
#undef K #undef K
#undef F #undef F
@ -199,26 +204,26 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
#define F(x,y,z) ((x) ^ (y) ^ (z)) #define F(x,y,z) ((x) ^ (y) ^ (z))
#define K 0x6ED9EBA1 #define K 0x6ED9EBA1
P( A, B, C, D, E, R(20) ); P( local.A, local.B, local.C, local.D, local.E, R(20) );
P( E, A, B, C, D, R(21) ); P( local.E, local.A, local.B, local.C, local.D, R(21) );
P( D, E, A, B, C, R(22) ); P( local.D, local.E, local.A, local.B, local.C, R(22) );
P( C, D, E, A, B, R(23) ); P( local.C, local.D, local.E, local.A, local.B, R(23) );
P( B, C, D, E, A, R(24) ); P( local.B, local.C, local.D, local.E, local.A, R(24) );
P( A, B, C, D, E, R(25) ); P( local.A, local.B, local.C, local.D, local.E, R(25) );
P( E, A, B, C, D, R(26) ); P( local.E, local.A, local.B, local.C, local.D, R(26) );
P( D, E, A, B, C, R(27) ); P( local.D, local.E, local.A, local.B, local.C, R(27) );
P( C, D, E, A, B, R(28) ); P( local.C, local.D, local.E, local.A, local.B, R(28) );
P( B, C, D, E, A, R(29) ); P( local.B, local.C, local.D, local.E, local.A, R(29) );
P( A, B, C, D, E, R(30) ); P( local.A, local.B, local.C, local.D, local.E, R(30) );
P( E, A, B, C, D, R(31) ); P( local.E, local.A, local.B, local.C, local.D, R(31) );
P( D, E, A, B, C, R(32) ); P( local.D, local.E, local.A, local.B, local.C, R(32) );
P( C, D, E, A, B, R(33) ); P( local.C, local.D, local.E, local.A, local.B, R(33) );
P( B, C, D, E, A, R(34) ); P( local.B, local.C, local.D, local.E, local.A, R(34) );
P( A, B, C, D, E, R(35) ); P( local.A, local.B, local.C, local.D, local.E, R(35) );
P( E, A, B, C, D, R(36) ); P( local.E, local.A, local.B, local.C, local.D, R(36) );
P( D, E, A, B, C, R(37) ); P( local.D, local.E, local.A, local.B, local.C, R(37) );
P( C, D, E, A, B, R(38) ); P( local.C, local.D, local.E, local.A, local.B, R(38) );
P( B, C, D, E, A, R(39) ); P( local.B, local.C, local.D, local.E, local.A, R(39) );
#undef K #undef K
#undef F #undef F
@ -226,26 +231,26 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
#define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y)))) #define F(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define K 0x8F1BBCDC #define K 0x8F1BBCDC
P( A, B, C, D, E, R(40) ); P( local.A, local.B, local.C, local.D, local.E, R(40) );
P( E, A, B, C, D, R(41) ); P( local.E, local.A, local.B, local.C, local.D, R(41) );
P( D, E, A, B, C, R(42) ); P( local.D, local.E, local.A, local.B, local.C, R(42) );
P( C, D, E, A, B, R(43) ); P( local.C, local.D, local.E, local.A, local.B, R(43) );
P( B, C, D, E, A, R(44) ); P( local.B, local.C, local.D, local.E, local.A, R(44) );
P( A, B, C, D, E, R(45) ); P( local.A, local.B, local.C, local.D, local.E, R(45) );
P( E, A, B, C, D, R(46) ); P( local.E, local.A, local.B, local.C, local.D, R(46) );
P( D, E, A, B, C, R(47) ); P( local.D, local.E, local.A, local.B, local.C, R(47) );
P( C, D, E, A, B, R(48) ); P( local.C, local.D, local.E, local.A, local.B, R(48) );
P( B, C, D, E, A, R(49) ); P( local.B, local.C, local.D, local.E, local.A, R(49) );
P( A, B, C, D, E, R(50) ); P( local.A, local.B, local.C, local.D, local.E, R(50) );
P( E, A, B, C, D, R(51) ); P( local.E, local.A, local.B, local.C, local.D, R(51) );
P( D, E, A, B, C, R(52) ); P( local.D, local.E, local.A, local.B, local.C, R(52) );
P( C, D, E, A, B, R(53) ); P( local.C, local.D, local.E, local.A, local.B, R(53) );
P( B, C, D, E, A, R(54) ); P( local.B, local.C, local.D, local.E, local.A, R(54) );
P( A, B, C, D, E, R(55) ); P( local.A, local.B, local.C, local.D, local.E, R(55) );
P( E, A, B, C, D, R(56) ); P( local.E, local.A, local.B, local.C, local.D, R(56) );
P( D, E, A, B, C, R(57) ); P( local.D, local.E, local.A, local.B, local.C, R(57) );
P( C, D, E, A, B, R(58) ); P( local.C, local.D, local.E, local.A, local.B, R(58) );
P( B, C, D, E, A, R(59) ); P( local.B, local.C, local.D, local.E, local.A, R(59) );
#undef K #undef K
#undef F #undef F
@ -253,35 +258,38 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
#define F(x,y,z) ((x) ^ (y) ^ (z)) #define F(x,y,z) ((x) ^ (y) ^ (z))
#define K 0xCA62C1D6 #define K 0xCA62C1D6
P( A, B, C, D, E, R(60) ); P( local.A, local.B, local.C, local.D, local.E, R(60) );
P( E, A, B, C, D, R(61) ); P( local.E, local.A, local.B, local.C, local.D, R(61) );
P( D, E, A, B, C, R(62) ); P( local.D, local.E, local.A, local.B, local.C, R(62) );
P( C, D, E, A, B, R(63) ); P( local.C, local.D, local.E, local.A, local.B, R(63) );
P( B, C, D, E, A, R(64) ); P( local.B, local.C, local.D, local.E, local.A, R(64) );
P( A, B, C, D, E, R(65) ); P( local.A, local.B, local.C, local.D, local.E, R(65) );
P( E, A, B, C, D, R(66) ); P( local.E, local.A, local.B, local.C, local.D, R(66) );
P( D, E, A, B, C, R(67) ); P( local.D, local.E, local.A, local.B, local.C, R(67) );
P( C, D, E, A, B, R(68) ); P( local.C, local.D, local.E, local.A, local.B, R(68) );
P( B, C, D, E, A, R(69) ); P( local.B, local.C, local.D, local.E, local.A, R(69) );
P( A, B, C, D, E, R(70) ); P( local.A, local.B, local.C, local.D, local.E, R(70) );
P( E, A, B, C, D, R(71) ); P( local.E, local.A, local.B, local.C, local.D, R(71) );
P( D, E, A, B, C, R(72) ); P( local.D, local.E, local.A, local.B, local.C, R(72) );
P( C, D, E, A, B, R(73) ); P( local.C, local.D, local.E, local.A, local.B, R(73) );
P( B, C, D, E, A, R(74) ); P( local.B, local.C, local.D, local.E, local.A, R(74) );
P( A, B, C, D, E, R(75) ); P( local.A, local.B, local.C, local.D, local.E, R(75) );
P( E, A, B, C, D, R(76) ); P( local.E, local.A, local.B, local.C, local.D, R(76) );
P( D, E, A, B, C, R(77) ); P( local.D, local.E, local.A, local.B, local.C, R(77) );
P( C, D, E, A, B, R(78) ); P( local.C, local.D, local.E, local.A, local.B, R(78) );
P( B, C, D, E, A, R(79) ); P( local.B, local.C, local.D, local.E, local.A, R(79) );
#undef K #undef K
#undef F #undef F
ctx->state[0] += A; ctx->state[0] += local.A;
ctx->state[1] += B; ctx->state[1] += local.B;
ctx->state[2] += C; ctx->state[2] += local.C;
ctx->state[3] += D; ctx->state[3] += local.D;
ctx->state[4] += E; ctx->state[4] += local.E;
/* Zeroise buffers and variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -181,75 +181,102 @@ static const uint32_t K[] =
#define R(t) \ #define R(t) \
( \ ( \
W[t] = S1(W[(t) - 2]) + W[(t) - 7] + \ local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
S0(W[(t) - 15]) + W[(t) - 16] \ S0(local.W[(t) - 15]) + local.W[(t) - 16] \
) )
#define P(a,b,c,d,e,f,g,h,x,K) \ #define P(a,b,c,d,e,f,g,h,x,K) \
do \ do \
{ \ { \
temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
temp2 = S2(a) + F0((a),(b),(c)); \ local.temp2 = S2(a) + F0((a),(b),(c)); \
(d) += temp1; (h) = temp1 + temp2; \ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 ) } while( 0 )
int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
const unsigned char data[64] ) const unsigned char data[64] )
{
struct
{ {
uint32_t temp1, temp2, W[64]; uint32_t temp1, temp2, W[64];
uint32_t A[8]; uint32_t A[8];
} local;
unsigned int i; unsigned int i;
SHA256_VALIDATE_RET( ctx != NULL ); SHA256_VALIDATE_RET( ctx != NULL );
SHA256_VALIDATE_RET( (const unsigned char *)data != NULL ); SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
for( i = 0; i < 8; i++ ) for( i = 0; i < 8; i++ )
A[i] = ctx->state[i]; local.A[i] = ctx->state[i];
#if defined(MBEDTLS_SHA256_SMALLER) #if defined(MBEDTLS_SHA256_SMALLER)
for( i = 0; i < 64; i++ ) for( i = 0; i < 64; i++ )
{ {
if( i < 16 ) if( i < 16 )
GET_UINT32_BE( W[i], data, 4 * i ); GET_UINT32_BE( local.W[i], data, 4 * i );
else else
R( i ); R( i );
P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; local.temp1 = local.A[7]; local.A[7] = local.A[6];
A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; local.A[6] = local.A[5]; local.A[5] = local.A[4];
local.A[4] = local.A[3]; local.A[3] = local.A[2];
local.A[2] = local.A[1]; local.A[1] = local.A[0];
local.A[0] = local.temp1;
} }
#else /* MBEDTLS_SHA256_SMALLER */ #else /* MBEDTLS_SHA256_SMALLER */
for( i = 0; i < 16; i++ ) for( i = 0; i < 16; i++ )
GET_UINT32_BE( W[i], data, 4 * i ); GET_UINT32_BE( local.W[i], data, 4 * i );
for( i = 0; i < 16; i += 8 ) for( i = 0; i < 16; i += 8 )
{ {
P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i+0], K[i+0] ); P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i+1], K[i+1] ); local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i+2], K[i+2] ); P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i+3], K[i+3] ); local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i+4], K[i+4] ); P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i+5], K[i+5] ); local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i+6], K[i+6] ); P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i+7], K[i+7] ); local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
} }
for( i = 16; i < 64; i += 8 ) for( i = 16; i < 64; i += 8 )
{ {
P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], R(i+0), K[i+0] ); P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], R(i+1), K[i+1] ); local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], R(i+2), K[i+2] ); P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], R(i+3), K[i+3] ); local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], R(i+4), K[i+4] ); P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], R(i+5), K[i+5] ); local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], R(i+6), K[i+6] ); P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], R(i+7), K[i+7] ); local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
} }
#endif /* MBEDTLS_SHA256_SMALLER */ #endif /* MBEDTLS_SHA256_SMALLER */
for( i = 0; i < 8; i++ ) for( i = 0; i < 8; i++ )
ctx->state[i] += A[i]; ctx->state[i] += local.A[i];
/* Zeroise buffers and variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -232,8 +232,11 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
const unsigned char data[128] ) const unsigned char data[128] )
{ {
int i; int i;
struct
{
uint64_t temp1, temp2, W[80]; uint64_t temp1, temp2, W[80];
uint64_t A[8]; uint64_t A[8];
} local;
SHA512_VALIDATE_RET( ctx != NULL ); SHA512_VALIDATE_RET( ctx != NULL );
SHA512_VALIDATE_RET( (const unsigned char *)data != NULL ); SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
@ -253,61 +256,76 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
#define P(a,b,c,d,e,f,g,h,x,K) \ #define P(a,b,c,d,e,f,g,h,x,K) \
do \ do \
{ \ { \
temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \ local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
temp2 = S2(a) + F0((a),(b),(c)); \ local.temp2 = S2(a) + F0((a),(b),(c)); \
(d) += temp1; (h) = temp1 + temp2; \ (d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 ) } while( 0 )
for( i = 0; i < 8; i++ ) for( i = 0; i < 8; i++ )
A[i] = ctx->state[i]; local.A[i] = ctx->state[i];
#if defined(MBEDTLS_SHA512_SMALLER) #if defined(MBEDTLS_SHA512_SMALLER)
for( i = 0; i < 80; i++ ) for( i = 0; i < 80; i++ )
{ {
if( i < 16 ) if( i < 16 )
{ {
GET_UINT64_BE( W[i], data, i << 3 ); GET_UINT64_BE( local.W[i], data, i << 3 );
} }
else else
{ {
W[i] = S1(W[i - 2]) + W[i - 7] + local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
S0(W[i - 15]) + W[i - 16]; S0(local.W[i - 15]) + local.W[i - 16];
} }
P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
temp1 = A[7]; A[7] = A[6]; A[6] = A[5]; A[5] = A[4]; A[4] = A[3]; local.temp1 = local.A[7]; local.A[7] = local.A[6];
A[3] = A[2]; A[2] = A[1]; A[1] = A[0]; A[0] = temp1; local.A[6] = local.A[5]; local.A[5] = local.A[4];
local.A[4] = local.A[3]; local.A[3] = local.A[2];
local.A[2] = local.A[1]; local.A[1] = local.A[0];
local.A[0] = local.temp1;
} }
#else /* MBEDTLS_SHA512_SMALLER */ #else /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 16; i++ ) for( i = 0; i < 16; i++ )
{ {
GET_UINT64_BE( W[i], data, i << 3 ); GET_UINT64_BE( local.W[i], data, i << 3 );
} }
for( ; i < 80; i++ ) for( ; i < 80; i++ )
{ {
W[i] = S1(W[i - 2]) + W[i - 7] + local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
S0(W[i - 15]) + W[i - 16]; S0(local.W[i - 15]) + local.W[i - 16];
} }
i = 0; i = 0;
do do
{ {
P( A[0], A[1], A[2], A[3], A[4], A[5], A[6], A[7], W[i], K[i] ); i++; P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
P( A[7], A[0], A[1], A[2], A[3], A[4], A[5], A[6], W[i], K[i] ); i++; local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); i++;
P( A[6], A[7], A[0], A[1], A[2], A[3], A[4], A[5], W[i], K[i] ); i++; P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
P( A[5], A[6], A[7], A[0], A[1], A[2], A[3], A[4], W[i], K[i] ); i++; local.A[4], local.A[5], local.A[6], local.W[i], K[i] ); i++;
P( A[4], A[5], A[6], A[7], A[0], A[1], A[2], A[3], W[i], K[i] ); i++; P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
P( A[3], A[4], A[5], A[6], A[7], A[0], A[1], A[2], W[i], K[i] ); i++; local.A[3], local.A[4], local.A[5], local.W[i], K[i] ); i++;
P( A[2], A[3], A[4], A[5], A[6], A[7], A[0], A[1], W[i], K[i] ); i++; P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
P( A[1], A[2], A[3], A[4], A[5], A[6], A[7], A[0], W[i], K[i] ); i++; local.A[2], local.A[3], local.A[4], local.W[i], K[i] ); i++;
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
local.A[1], local.A[2], local.A[3], local.W[i], K[i] ); i++;
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
local.A[0], local.A[1], local.A[2], local.W[i], K[i] ); i++;
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
local.A[7], local.A[0], local.A[1], local.W[i], K[i] ); i++;
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
local.A[6], local.A[7], local.A[0], local.W[i], K[i] ); i++;
} }
while( i < 80 ); while( i < 80 );
#endif /* MBEDTLS_SHA512_SMALLER */ #endif /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 8; i++ ) for( i = 0; i < 8; i++ )
ctx->state[i] += A[i]; ctx->state[i] += local.A[i];
/* Zeroise buffers and variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 ); return( 0 );
} }

View file

@ -850,20 +850,21 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
* Encrypt and authenticate * Encrypt and authenticate
*/ */
if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc, if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
iv, transform->ivlen, iv, transform->ivlen,
add_data, add_data_len, /* add data */ add_data, add_data_len,
data, rec->data_len, /* source */ data, rec->data_len, /* src */
data, &rec->data_len, /* destination */ data, rec->buf_len - (data - rec->buf), /* dst */
data + rec->data_len, transform->taglen ) ) != 0 ) &rec->data_len,
transform->taglen ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
return( ret ); return( ret );
} }
MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
data + rec->data_len, transform->taglen ); data + rec->data_len - transform->taglen,
transform->taglen );
/* Account for authentication tag. */ /* Account for authentication tag. */
rec->data_len += transform->taglen;
post_avail -= transform->taglen; post_avail -= transform->taglen;
/* /*
@ -1422,12 +1423,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
/* /*
* Decrypt and authenticate * Decrypt and authenticate
*/ */
if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec, if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
iv, transform->ivlen, iv, transform->ivlen,
add_data, add_data_len, add_data, add_data_len,
data, rec->data_len, data, rec->data_len + transform->taglen, /* src */
data, &olen, data, rec->buf_len - (data - rec->buf), &olen, /* dst */
data + rec->data_len,
transform->taglen ) ) != 0 ) transform->taglen ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );

View file

@ -209,7 +209,6 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
unsigned char *iv = start + TICKET_KEY_NAME_BYTES; unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
unsigned char *state_len_bytes = iv + TICKET_IV_BYTES; unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES; unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
unsigned char *tag;
size_t clear_len, ciph_len; size_t clear_len, ciph_len;
*tlen = 0; *tlen = 0;
@ -250,23 +249,23 @@ int mbedtls_ssl_ticket_write( void *p_ticket,
state_len_bytes[1] = ( clear_len ) & 0xff; state_len_bytes[1] = ( clear_len ) & 0xff;
/* Encrypt and authenticate */ /* Encrypt and authenticate */
tag = state + clear_len; if( ( ret = mbedtls_cipher_auth_encrypt_ext( &key->ctx,
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
iv, TICKET_IV_BYTES, iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */ /* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN, key_name, TICKET_ADD_DATA_LEN,
state, clear_len, state, &ciph_len, state, clear_len,
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 ) state, end - state, &ciph_len,
TICKET_AUTH_TAG_BYTES ) ) != 0 )
{ {
goto cleanup; goto cleanup;
} }
if( ciph_len != clear_len ) if( ciph_len != clear_len + TICKET_AUTH_TAG_BYTES )
{ {
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cleanup; goto cleanup;
} }
*tlen = TICKET_MIN_LEN + ciph_len; *tlen = TICKET_MIN_LEN + ciph_len - TICKET_AUTH_TAG_BYTES;
cleanup: cleanup:
#if defined(MBEDTLS_THREADING_C) #if defined(MBEDTLS_THREADING_C)
@ -308,7 +307,6 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
unsigned char *iv = buf + TICKET_KEY_NAME_BYTES; unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
unsigned char *enc_len_p = iv + TICKET_IV_BYTES; unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES; unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
unsigned char *tag;
size_t enc_len, clear_len; size_t enc_len, clear_len;
if( ctx == NULL || ctx->f_rng == NULL ) if( ctx == NULL || ctx->f_rng == NULL )
@ -326,7 +324,6 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
goto cleanup; goto cleanup;
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1]; enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
tag = ticket + enc_len;
if( len != TICKET_MIN_LEN + enc_len ) if( len != TICKET_MIN_LEN + enc_len )
{ {
@ -344,13 +341,13 @@ int mbedtls_ssl_ticket_parse( void *p_ticket,
} }
/* Decrypt and authenticate */ /* Decrypt and authenticate */
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx, if( ( ret = mbedtls_cipher_auth_decrypt_ext( &key->ctx,
iv, TICKET_IV_BYTES, iv, TICKET_IV_BYTES,
/* Additional data: key name, IV and length */ /* Additional data: key name, IV and length */
key_name, TICKET_ADD_DATA_LEN, key_name, TICKET_ADD_DATA_LEN,
ticket, enc_len, ticket, enc_len + TICKET_AUTH_TAG_BYTES,
ticket, &clear_len, ticket, enc_len, &clear_len,
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 ) TICKET_AUTH_TAG_BYTES ) ) != 0 )
{ {
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
ret = MBEDTLS_ERR_SSL_INVALID_MAC; ret = MBEDTLS_ERR_SSL_INVALID_MAC;

View file

@ -1304,6 +1304,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
if( crt->sig_oid.len != sig_oid2.len || if( crt->sig_oid.len != sig_oid2.len ||
memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 || memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
sig_params1.tag != sig_params2.tag ||
sig_params1.len != sig_params2.len || sig_params1.len != sig_params2.len ||
( sig_params1.len != 0 && ( sig_params1.len != 0 &&
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) ) memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )

View file

@ -208,6 +208,10 @@ cli-rsa-sha256.crt.der: cli-rsa-sha256.crt
$(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER $(OPENSSL) x509 -in $< -out $@ -inform PEM -outform DER
all_final += cli-rsa-sha256.crt.der all_final += cli-rsa-sha256.crt.der
cli-rsa-sha256-badalg.crt.der: cli-rsa-sha256.crt.der
hexdump -ve '1/1 "%.2X"' $< | sed "s/06092A864886F70D01010B0500/06092A864886F70D01010B0900/2" | xxd -r -p > $@
all_final += cli-rsa-sha256-badalg.crt.der
cli-rsa.key.der: $(cli_crt_key_file_rsa) cli-rsa.key.der: $(cli_crt_key_file_rsa)
$(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER $(OPENSSL) pkey -in $< -out $@ -inform PEM -outform DER
all_final += cli-rsa.key.der all_final += cli-rsa.key.der

Binary file not shown.

View file

@ -13,6 +13,65 @@
#include "test/psa_crypto_helpers.h" #include "test/psa_crypto_helpers.h"
#endif #endif
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
#define MBEDTLS_CIPHER_AUTH_CRYPT
#endif
#if defined(MBEDTLS_CIPHER_AUTH_CRYPT)
/* Helper for resetting key/direction
*
* The documentation doesn't explicitly say whether calling
* mbedtls_cipher_setkey() twice is allowed or not. This currently works with
* the default software implementation, but only by accident. It isn't
* guaranteed to work with new ciphers or with alternative implementations of
* individual ciphers, and it doesn't work with the PSA wrappers. So don't do
* it, and instead start with a fresh context.
*/
static int cipher_reset_key( mbedtls_cipher_context_t *ctx, int cipher_id,
int use_psa, size_t tag_len, const data_t *key, int direction )
{
mbedtls_cipher_free( ctx );
mbedtls_cipher_init( ctx );
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
(void) use_psa;
(void) tag_len;
#else
if( use_psa == 1 )
{
TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( ctx,
mbedtls_cipher_info_from_type( cipher_id ),
tag_len ) );
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
TEST_ASSERT( 0 == mbedtls_cipher_setup( ctx,
mbedtls_cipher_info_from_type( cipher_id ) ) );
}
TEST_ASSERT( 0 == mbedtls_cipher_setkey( ctx, key->x, 8 * key->len,
direction ) );
return( 1 );
exit:
return( 0 );
}
/*
* Check if a buffer is all-0 bytes:
* return 1 if it is,
* 0 if it isn't.
*/
int buffer_is_all_zero( const uint8_t *buf, size_t size )
{
for( size_t i = 0; i < size; i++ )
if( buf[i] != 0 )
return 0;
return 1;
}
#endif /* MBEDTLS_CIPHER_AUTH_CRYPT */
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES
@ -485,6 +544,108 @@ void cipher_invalid_param_conditional( )
NULL, valid_size ) ); NULL, valid_size ) );
#endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */ #endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
/* mbedtls_cipher_auth_encrypt_ext */
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( NULL,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( &valid_ctx,
NULL, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( &valid_ctx,
valid_buffer, valid_size,
NULL, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
NULL, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
NULL, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_encrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, NULL,
valid_size ) );
/* mbedtls_cipher_auth_decrypt_ext */
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( NULL,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( &valid_ctx,
NULL, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( &valid_ctx,
valid_buffer, valid_size,
NULL, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
NULL, valid_size,
valid_buffer, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
NULL, valid_size, &size_t_var,
valid_size ) );
TEST_INVALID_PARAM_RET(
MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
mbedtls_cipher_auth_decrypt_ext( &valid_ctx,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size,
valid_buffer, valid_size, NULL,
valid_size ) );
#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */
/* mbedtls_cipher_free() */ /* mbedtls_cipher_free() */
TEST_VALID_PARAM( mbedtls_cipher_free( NULL ) ); TEST_VALID_PARAM( mbedtls_cipher_free( NULL ) );
exit: exit:
@ -959,129 +1120,338 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_AEAD */ /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_AUTH_CRYPT */
void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv, void auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
data_t * ad, data_t * cipher, data_t * tag, data_t * ad, data_t * cipher, data_t * tag,
char * result, data_t * clear, int use_psa ) char * result, data_t * clear, int use_psa )
{ {
/* Takes an AEAD ciphertext + tag and performs a pair /*
* of AEAD decryption and AEAD encryption. It checks that * Take an AEAD ciphertext + tag and perform a pair
* of AEAD decryption and AEAD encryption. Check that
* this results in the expected plaintext, and that * this results in the expected plaintext, and that
* decryption and encryption are inverse to one another. */ * decryption and encryption are inverse to one another.
*
* Do that twice:
* - once with legacy functions auth_decrypt/auth_encrypt
* - once with new functions auth_decrypt_ext/auth_encrypt_ext
* This allows testing both without duplicating test cases.
*/
int ret; int ret;
unsigned char output[300]; /* Temporary buffer for results of int using_nist_kw, using_nist_kw_padding;
* encryption and decryption. */
unsigned char *output_tag = NULL; /* Temporary buffer for tag in the
* encryption step. */
mbedtls_cipher_context_t ctx; mbedtls_cipher_context_t ctx;
size_t outlen; size_t outlen;
unsigned char *cipher_plus_tag = NULL;
size_t cipher_plus_tag_len;
unsigned char *decrypt_buf = NULL;
size_t decrypt_buf_len = 0;
unsigned char *encrypt_buf = NULL;
size_t encrypt_buf_len = 0;
#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
!defined(MBEDTLS_DEPRECATED_REMOVED)
unsigned char *tmp_tag = NULL; unsigned char *tmp_tag = NULL;
unsigned char *tmp_cipher = NULL; unsigned char *tmp_cipher = NULL;
unsigned char *tag_buf = NULL;
#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
/* Null pointers are documented as valid for inputs of length 0.
* The test framework passes non-null pointers, so set them to NULL.
* key, cipher and tag can't be empty. */
if( iv->len == 0 )
iv->x = NULL;
if( ad->len == 0 )
ad->x = NULL;
if( clear->len == 0 )
clear->x = NULL;
mbedtls_cipher_init( &ctx ); mbedtls_cipher_init( &ctx );
memset( output, 0xFF, sizeof( output ) );
/* Prepare context */ /* Initialize PSA Crypto */
#if !defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
(void) use_psa;
#else
if( use_psa == 1 ) if( use_psa == 1 )
{
PSA_ASSERT( psa_crypto_init( ) ); PSA_ASSERT( psa_crypto_init( ) );
#else
/* PSA requires that the tag immediately follows the ciphertext. */ (void) use_psa;
tmp_cipher = mbedtls_calloc( 1, cipher->len + tag->len );
TEST_ASSERT( tmp_cipher != NULL );
tmp_tag = tmp_cipher + cipher->len;
memcpy( tmp_cipher, cipher->x, cipher->len );
memcpy( tmp_tag, tag->x, tag->len );
TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx,
mbedtls_cipher_info_from_type( cipher_id ),
tag->len ) );
}
else
#endif #endif
/*
* Are we using NIST_KW? with padding?
*/
using_nist_kw_padding = cipher_id == MBEDTLS_CIPHER_AES_128_KWP ||
cipher_id == MBEDTLS_CIPHER_AES_192_KWP ||
cipher_id == MBEDTLS_CIPHER_AES_256_KWP;
using_nist_kw = cipher_id == MBEDTLS_CIPHER_AES_128_KW ||
cipher_id == MBEDTLS_CIPHER_AES_192_KW ||
cipher_id == MBEDTLS_CIPHER_AES_256_KW ||
using_nist_kw_padding;
/****************************************************************
* *
* Part 1: non-deprecated API *
* *
****************************************************************/
/*
* Prepare context for decryption
*/
if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
MBEDTLS_DECRYPT ) )
goto exit;
/*
* prepare buffer for decryption
* (we need the tag appended to the ciphertext)
*/
cipher_plus_tag_len = cipher->len + tag->len;
ASSERT_ALLOC( cipher_plus_tag, cipher_plus_tag_len );
memcpy( cipher_plus_tag, cipher->x, cipher->len );
memcpy( cipher_plus_tag + cipher->len, tag->x, tag->len );
/*
* Compute length of output buffer according to the documentation
*/
if( using_nist_kw )
decrypt_buf_len = cipher_plus_tag_len - 8;
else
decrypt_buf_len = cipher_plus_tag_len - tag->len;
/*
* Try decrypting to a buffer that's 1B too small
*/
if( decrypt_buf_len != 0 )
{ {
tmp_tag = tag->x; ASSERT_ALLOC( decrypt_buf, decrypt_buf_len - 1 );
tmp_cipher = cipher->x;
TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, outlen = 0;
mbedtls_cipher_info_from_type( cipher_id ) ) ); ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len,
ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
decrypt_buf, decrypt_buf_len - 1, &outlen, tag->len );
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
mbedtls_free( decrypt_buf );
decrypt_buf = NULL;
} }
TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len, /*
MBEDTLS_DECRYPT ) ); * Authenticate and decrypt, and check result
*/
ASSERT_ALLOC( decrypt_buf, decrypt_buf_len );
/* decode buffer and check tag->x */ outlen = 0;
ret = mbedtls_cipher_auth_decrypt_ext( &ctx, iv->x, iv->len,
ad->x, ad->len, cipher_plus_tag, cipher_plus_tag_len,
decrypt_buf, decrypt_buf_len, &outlen, tag->len );
/* Sanity check that we don't use overly long inputs. */
TEST_ASSERT( sizeof( output ) >= cipher->len );
ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
tmp_cipher, cipher->len, output, &outlen,
tmp_tag, tag->len );
/* make sure the message is rejected if it should be */
if( strcmp( result, "FAIL" ) == 0 ) if( strcmp( result, "FAIL" ) == 0 )
{ {
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ); TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
goto exit; TEST_ASSERT( buffer_is_all_zero( decrypt_buf, decrypt_buf_len ) );
}
else
{
TEST_ASSERT( ret == 0 );
ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len );
} }
/* otherwise, make sure it was decrypted properly */ /* Free this, but keep cipher_plus_tag for deprecated function with PSA */
mbedtls_free( decrypt_buf );
decrypt_buf = NULL;
/*
* Encrypt back if test data was authentic
*/
if( strcmp( result, "FAIL" ) != 0 )
{
/* prepare context for encryption */
if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
MBEDTLS_ENCRYPT ) )
goto exit;
/*
* Compute size of output buffer according to documentation
*/
if( using_nist_kw )
{
encrypt_buf_len = clear->len + 8;
if( using_nist_kw_padding && encrypt_buf_len % 8 != 0 )
encrypt_buf_len += 8 - encrypt_buf_len % 8;
}
else
{
encrypt_buf_len = clear->len + tag->len;
}
/*
* Try encrypting with an output buffer that's 1B too small
*/
ASSERT_ALLOC( encrypt_buf, encrypt_buf_len - 1 );
outlen = 0;
ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len,
ad->x, ad->len, clear->x, clear->len,
encrypt_buf, encrypt_buf_len - 1, &outlen, tag->len );
TEST_ASSERT( ret != 0 );
mbedtls_free( encrypt_buf );
encrypt_buf = NULL;
/*
* Encrypt and check the result
*/
ASSERT_ALLOC( encrypt_buf, encrypt_buf_len );
outlen = 0;
ret = mbedtls_cipher_auth_encrypt_ext( &ctx, iv->x, iv->len,
ad->x, ad->len, clear->x, clear->len,
encrypt_buf, encrypt_buf_len, &outlen, tag->len );
TEST_ASSERT( ret == 0 ); TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == clear->len ); TEST_ASSERT( outlen == cipher->len + tag->len );
TEST_ASSERT( memcmp( output, clear->x, clear->len ) == 0 ); TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( encrypt_buf + cipher->len,
tag->x, tag->len ) == 0 );
/* then encrypt the clear->x and make sure we get the same ciphertext and tag->x */ mbedtls_free( encrypt_buf );
mbedtls_cipher_free( &ctx ); encrypt_buf = NULL;
}
/****************************************************************
* *
* Part 2: deprecated API *
* *
****************************************************************/
#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
!defined(MBEDTLS_DEPRECATED_REMOVED)
/*
* Prepare context for decryption
*/
if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
MBEDTLS_DECRYPT ) )
goto exit;
/*
* Prepare pointers for decryption
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( use_psa == 1 ) if( use_psa == 1 )
{ {
TEST_ASSERT( 0 == mbedtls_cipher_setup_psa( &ctx, /* PSA requires that the tag immediately follows the ciphertext.
mbedtls_cipher_info_from_type( cipher_id ), * Fortunately, we already have that from testing the new API. */
tag->len ) ); tmp_cipher = cipher_plus_tag;
tmp_tag = tmp_cipher + cipher->len;
} }
else else
#endif #endif /* MBEDTLS_USE_PSA_CRYPTO */
{ {
TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx, tmp_cipher = cipher->x;
mbedtls_cipher_info_from_type( cipher_id ) ) ); tmp_tag = tag->x;
} }
TEST_ASSERT( 0 == mbedtls_cipher_setkey( &ctx, key->x, 8 * key->len,
MBEDTLS_ENCRYPT ) );
memset( output, 0xFF, sizeof( output ) ); /*
* Authenticate and decrypt, and check result
*/
ASSERT_ALLOC( decrypt_buf, cipher->len );
outlen = 0; outlen = 0;
ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
tmp_cipher, cipher->len, decrypt_buf, &outlen,
tmp_tag, tag->len );
/* Sanity check that we don't use overly long inputs. */ if( using_nist_kw )
TEST_ASSERT( sizeof( output ) >= clear->len + tag->len ); {
/* NIST_KW with legacy API */
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
else if( strcmp( result, "FAIL" ) == 0 )
{
/* unauthentic message */
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
TEST_ASSERT( buffer_is_all_zero( decrypt_buf, cipher->len ) );
}
else
{
/* authentic message: is the plaintext correct? */
TEST_ASSERT( ret == 0 );
ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len );
}
output_tag = output + clear->len; mbedtls_free( decrypt_buf );
decrypt_buf = NULL;
mbedtls_free( cipher_plus_tag );
cipher_plus_tag = NULL;
/*
* Encrypt back if test data was authentic
*/
if( strcmp( result, "FAIL" ) != 0 )
{
/* prepare context for encryption */
if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
MBEDTLS_ENCRYPT ) )
goto exit;
/* prepare buffers for encryption */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( use_psa )
{
ASSERT_ALLOC( cipher_plus_tag, cipher->len + tag->len );
tmp_cipher = cipher_plus_tag;
tmp_tag = cipher_plus_tag + cipher->len;
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
ASSERT_ALLOC( encrypt_buf, cipher->len );
ASSERT_ALLOC( tag_buf, tag->len );
tmp_cipher = encrypt_buf;
tmp_tag = tag_buf;
}
/*
* Encrypt and check the result
*/
outlen = 0;
ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len, ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
clear->x, clear->len, output, &outlen, clear->x, clear->len, tmp_cipher, &outlen,
output_tag, tag->len ); tmp_tag, tag->len );
if( using_nist_kw )
{
TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
}
else
{
TEST_ASSERT( ret == 0 ); TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == cipher->len ); TEST_ASSERT( outlen == cipher->len );
TEST_ASSERT( memcmp( output, cipher->x, cipher->len ) == 0 ); if( cipher->len != 0 )
TEST_ASSERT( memcmp( output_tag, tag->x, tag->len ) == 0 ); TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
}
}
#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
exit: exit:
mbedtls_cipher_free( &ctx ); mbedtls_cipher_free( &ctx );
mbedtls_free( decrypt_buf );
mbedtls_free( encrypt_buf );
mbedtls_free( cipher_plus_tag );
#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
!defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_free( tag_buf );
#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( use_psa == 1 ) if( use_psa == 1 )
{
mbedtls_free( tmp_cipher );
PSA_DONE( ); PSA_DONE( );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
} }
/* END_CASE */ /* END_CASE */

View file

@ -22,6 +22,12 @@ dhm_do_dhm:10:"3":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED
Diffie-Hellman zero modulus Diffie-Hellman zero modulus
dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA
Diffie-Hellman MPI_MAX_SIZE modulus
dhm_make_public:MBEDTLS_MPI_MAX_SIZE:10:"5":0
Diffie-Hellman MPI_MAX_SIZE + 1 modulus
dhm_make_public:MBEDTLS_MPI_MAX_SIZE + 1:10:"5":MBEDTLS_ERR_DHM_MAKE_PUBLIC_FAILED+MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Diffie-Hellman load parameters from file [#1] Diffie-Hellman load parameters from file [#1]
dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128

View file

@ -223,6 +223,36 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */
void dhm_make_public( int P_bytes, int radix_G, char *input_G, int result )
{
mbedtls_mpi P, G;
mbedtls_dhm_context ctx;
unsigned char output[MBEDTLS_MPI_MAX_SIZE];
mbedtls_mpi_init( &P );
mbedtls_mpi_init( &G );
mbedtls_dhm_init( &ctx );
TEST_ASSERT( mbedtls_mpi_lset( &P, 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_shift_l( &P, ( P_bytes * 8 ) - 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_set_bit( &P, 0, 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_read_string( &G, radix_G, input_G ) == 0 );
TEST_ASSERT( mbedtls_dhm_set_group( &ctx, &P, &G ) == 0 );
TEST_ASSERT( mbedtls_dhm_make_public( &ctx, (int) mbedtls_mpi_size( &P ),
output, sizeof(output),
&mbedtls_test_rnd_pseudo_rand,
NULL ) == result );
exit:
mbedtls_mpi_free( &P );
mbedtls_mpi_free( &G );
mbedtls_dhm_free( &ctx );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */ /* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
void dhm_file( char * filename, char * p, char * g, int len ) void dhm_file( char * filename, char * p, char * g, int len )
{ {

View file

@ -685,16 +685,36 @@ mbedtls_mpi_exp_mod:10:"-23":10:"13":10:"29":10:"":10:"5":0
Base test mbedtls_mpi_exp_mod #5 (Negative exponent) Base test mbedtls_mpi_exp_mod #5 (Negative exponent)
mbedtls_mpi_exp_mod:10:"23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA mbedtls_mpi_exp_mod:10:"23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Base test mbedtls_mpi_exp_mod #7 (Negative base + exponent) Base test mbedtls_mpi_exp_mod #6 (Negative base + exponent)
mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA mbedtls_mpi_exp_mod:10:"-23":10:"-13":10:"29":10:"":10:"0":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Test mbedtls_mpi_exp_mod: MAX_SIZE exponent
mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:10:10:"":0
Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent
mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:10:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Test mbedtls_mpi_exp_mod: MAX_SIZE modulus
mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE:10:"":0
Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 modulus
mbedtls_mpi_exp_mod_size:2:2:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Test mbedtls_mpi_exp_mod: MAX_SIZE exponent and modulus
mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE:10:"":0
Test mbedtls_mpi_exp_mod: MAX_SIZE + 1 exponent and modulus
mbedtls_mpi_exp_mod_size:2:MBEDTLS_MPI_MAX_SIZE + 1:MBEDTLS_MPI_MAX_SIZE + 1:10:"":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Test mbedtls_mpi_exp_mod #1 Test mbedtls_mpi_exp_mod #1
depends_on:MPI_MAX_BITS_LARGER_THAN_792
mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0 mbedtls_mpi_exp_mod:10:"433019240910377478217373572959560109819648647016096560523769010881172869083338285573756574557395862965095016483867813043663981946477698466501451832407592327356331263124555137732393938242285782144928753919588632679050799198937132922145084847":10:"5781538327977828897150909166778407659250458379645823062042492461576758526757490910073628008613977550546382774775570888130029763571528699574717583228939535960234464230882573615930384979100379102915657483866755371559811718767760594919456971354184113721":10:"583137007797276923956891216216022144052044091311388601652961409557516421612874571554415606746479105795833145583959622117418531166391184939066520869800857530421873250114773204354963864729386957427276448683092491947566992077136553066273207777134303397724679138833126700957":10:"":10:"114597449276684355144920670007147953232659436380163461553186940113929777196018164149703566472936578890991049344459204199888254907113495794730452699842273939581048142004834330369483813876618772578869083248061616444392091693787039636316845512292127097865026290173004860736":0
Test mbedtls_mpi_exp_mod (Negative base) [#1] Test mbedtls_mpi_exp_mod (Negative base) [#1]
mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"1":0 mbedtls_mpi_exp_mod:10:"-10000000000":10:"10000000000":10:"99999":10:"":10:"1":0
Test mbedtls_mpi_exp_mod (Negative base) [#2] Test mbedtls_mpi_exp_mod (Negative base) [#2]
depends_on:MPI_MAX_BITS_LARGER_THAN_792
mbedtls_mpi_exp_mod:16:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":16:"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":16:"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":16:"":16:"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0 mbedtls_mpi_exp_mod:16:"-9f13012cd92aa72fb86ac8879d2fde4f7fd661aaae43a00971f081cc60ca277059d5c37e89652e2af2585d281d66ef6a9d38a117e9608e9e7574cd142dc55278838a2161dd56db9470d4c1da2d5df15a908ee2eb886aaa890f23be16de59386663a12f1afbb325431a3e835e3fd89b98b96a6f77382f458ef9a37e1f84a03045c8676ab55291a94c2228ea15448ee96b626b998":16:"40a54d1b9e86789f06d9607fb158672d64867665c73ee9abb545fc7a785634b354c7bae5b962ce8040cf45f2c1f3d3659b2ee5ede17534c8fc2ec85c815e8df1fe7048d12c90ee31b88a68a081f17f0d8ce5f4030521e9400083bcea73a429031d4ca7949c2000d597088e0c39a6014d8bf962b73bb2e8083bd0390a4e00b9b3":16:"eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3":16:"":16:"21acc7199e1b90f9b4844ffe12c19f00ec548c5d32b21c647d48b6015d8eb9ec9db05b4f3d44db4227a2b5659c1a7cceb9d5fa8fa60376047953ce7397d90aaeb7465e14e820734f84aa52ad0fc66701bcbb991d57715806a11531268e1e83dd48288c72b424a6287e9ce4e5cc4db0dd67614aecc23b0124a5776d36e5c89483":0
Base test GCD #1 Base test GCD #1
@ -935,6 +955,48 @@ mbedtls_mpi_set_bit:16:"00":32:1:16:"0100000000":0
Test bit set (Invalid bit value) Test bit set (Invalid bit value)
mbedtls_mpi_set_bit:16:"00":5:2:16:"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA mbedtls_mpi_set_bit:16:"00":5:2:16:"00":MBEDTLS_ERR_MPI_BAD_INPUT_DATA
Fill random: 0 bytes
mpi_fill_random:0:0:0
Fill random: 1 byte, good
mpi_fill_random:1:1:0
Fill random: 2 bytes, good, no leading zero
mpi_fill_random:2:2:0
Fill random: 2 bytes, good, 1 leading zero
mpi_fill_random:2:256:0
Fill random: MAX_SIZE - 7, good
mpi_fill_random:MBEDTLS_MPI_MAX_SIZE - 7:MBEDTLS_MPI_MAX_SIZE - 7:0
Fill random: MAX_SIZE, good
mpi_fill_random:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE:0
Fill random: 1 byte, RNG failure
mpi_fill_random:1:0:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 2 bytes, RNG failure after 1 byte
mpi_fill_random:2:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 4 bytes, RNG failure after 3 bytes
mpi_fill_random:4:3:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 8 bytes, RNG failure after 7 bytes
mpi_fill_random:8:7:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 16 bytes, RNG failure after 1 bytes
mpi_fill_random:16:1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 16 bytes, RNG failure after 8 bytes
mpi_fill_random:16:8:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: 16 bytes, RNG failure after 15 bytes
mpi_fill_random:16:15:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
Fill random: MAX_SIZE bytes, RNG failure after MAX_SIZE-1 bytes
mpi_fill_random:MBEDTLS_MPI_MAX_SIZE:MBEDTLS_MPI_MAX_SIZE-1:MBEDTLS_ERR_ENTROPY_SOURCE_FAILED
MPI Selftest MPI Selftest
depends_on:MBEDTLS_SELF_TEST depends_on:MBEDTLS_SELF_TEST
mpi_selftest: mpi_selftest:

View file

@ -1,5 +1,10 @@
/* BEGIN_HEADER */ /* BEGIN_HEADER */
#include "mbedtls/bignum.h" #include "mbedtls/bignum.h"
#include "mbedtls/entropy.h"
#if MBEDTLS_MPI_MAX_BITS > 792
#define MPI_MAX_BITS_LARGER_THAN_792
#endif
typedef struct mbedtls_test_mpi_random typedef struct mbedtls_test_mpi_random
{ {
@ -43,6 +48,22 @@ int mbedtls_test_mpi_miller_rabin_determinizer( void* state,
return( 0 ); return( 0 );
} }
/* Random generator that is told how many bytes to return. */
static int f_rng_bytes_left( void *state, unsigned char *buf, size_t len )
{
size_t *bytes_left = state;
size_t i;
for( i = 0; i < len; i++ )
{
if( *bytes_left == 0 )
return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED );
buf[i] = *bytes_left & 0xff;
--( *bytes_left );
}
return( 0 );
}
/* END_HEADER */ /* END_HEADER */
/* BEGIN_DEPENDENCIES /* BEGIN_DEPENDENCIES
@ -1166,6 +1187,40 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */
void mbedtls_mpi_exp_mod_size( int A_bytes, int E_bytes, int N_bytes,
int radix_RR, char * input_RR, int exp_result )
{
mbedtls_mpi A, E, N, RR, Z;
mbedtls_mpi_init( &A ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &N );
mbedtls_mpi_init( &RR ); mbedtls_mpi_init( &Z );
/* Set A to 2^(A_bytes - 1) + 1 */
TEST_ASSERT( mbedtls_mpi_lset( &A, 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_shift_l( &A, ( A_bytes * 8 ) - 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_set_bit( &A, 0, 1 ) == 0 );
/* Set E to 2^(E_bytes - 1) + 1 */
TEST_ASSERT( mbedtls_mpi_lset( &E, 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_shift_l( &E, ( E_bytes * 8 ) - 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_set_bit( &E, 0, 1 ) == 0 );
/* Set N to 2^(N_bytes - 1) + 1 */
TEST_ASSERT( mbedtls_mpi_lset( &N, 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_shift_l( &N, ( N_bytes * 8 ) - 1 ) == 0 );
TEST_ASSERT( mbedtls_mpi_set_bit( &N, 0, 1 ) == 0 );
if( strlen( input_RR ) )
TEST_ASSERT( mbedtls_mpi_read_string( &RR, radix_RR, input_RR ) == 0 );
TEST_ASSERT( mbedtls_mpi_exp_mod( &Z, &A, &E, &N, &RR ) == exp_result );
exit:
mbedtls_mpi_free( &A ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &N );
mbedtls_mpi_free( &RR ); mbedtls_mpi_free( &Z );
}
/* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void mbedtls_mpi_inv_mod( int radix_X, char * input_X, int radix_Y, void mbedtls_mpi_inv_mod( int radix_X, char * input_X, int radix_Y,
char * input_Y, int radix_A, char * input_A, char * input_Y, int radix_A, char * input_A,
@ -1310,6 +1365,37 @@ exit:
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */
void mpi_fill_random( int wanted_bytes, int rng_bytes, int expected_ret )
{
mbedtls_mpi X;
int ret;
size_t bytes_left = rng_bytes;
mbedtls_mpi_init( &X );
ret = mbedtls_mpi_fill_random( &X, wanted_bytes,
f_rng_bytes_left, &bytes_left );
TEST_ASSERT( ret == expected_ret );
if( expected_ret == 0 )
{
/* mbedtls_mpi_fill_random is documented to use bytes from the RNG
* as a big-endian representation of the number. We know when
* our RNG function returns null bytes, so we know how many
* leading zero bytes the number has. */
size_t leading_zeros = 0;
if( wanted_bytes > 0 && rng_bytes % 256 == 0 )
leading_zeros = 1;
TEST_ASSERT( mbedtls_mpi_size( &X ) + leading_zeros ==
(size_t) wanted_bytes );
TEST_ASSERT( (int) bytes_left == rng_bytes - wanted_bytes );
}
exit:
mbedtls_mpi_free( &X );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */ /* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void mpi_selftest( ) void mpi_selftest( )
{ {

View file

@ -2652,6 +2652,10 @@ X509 File parse (trailing spaces, OK)
depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
x509parse_crt_file:"data_files/server7_trailing_space.crt":0 x509parse_crt_file:"data_files/server7_trailing_space.crt":0
X509 File parse (Algorithm Params Tag mismatch)
depends_on:MBEDTLS_SHA256_C:MBEDTLS_RSA_C
x509parse_crt_file:"data_files/cli-rsa-sha256-badalg.crt.der":MBEDTLS_ERR_X509_SIG_MISMATCH
X509 Get time (UTC no issues) X509 Get time (UTC no issues)
depends_on:MBEDTLS_X509_USE_C depends_on:MBEDTLS_X509_USE_C
x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0 x509_get_time:MBEDTLS_ASN1_UTC_TIME:"500101000000Z":0:1950:1:1:0:0:0