From bdbca7b383b72f65f9a2bf2671e1f76f9f789703 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 23 Jun 2017 16:23:21 +0100 Subject: [PATCH 001/177] Zeroize tmp buf on fail in load_file() dhm.c --- library/dhm.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/dhm.c b/library/dhm.c index a4715d170..f7e71f3f6 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -542,7 +542,10 @@ static int load_file( const char *path, unsigned char **buf, size_t *n ) if( fread( *buf, 1, *n, f ) != *n ) { fclose( f ); + + mbedtls_zeroize( *buf, *n + 1 ); mbedtls_free( *buf ); + return( MBEDTLS_ERR_DHM_FILE_IO_ERROR ); } From eb132b655c86607237d23b249edde6150029d27f Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 23 Jun 2017 16:30:31 +0100 Subject: [PATCH 002/177] Zeroize tmp buf in mbedtls_md_file() md.c --- library/md.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/library/md.c b/library/md.c index eda98f636..75b971795 100644 --- a/library/md.c +++ b/library/md.c @@ -312,12 +312,11 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigne md_info->update_func( ctx.md_ctx, buf, n ); if( ferror( f ) != 0 ) - { ret = MBEDTLS_ERR_MD_FILE_IO_ERROR; - goto cleanup; - } + else + md_info->finish_func( ctx.md_ctx, output ); - md_info->finish_func( ctx.md_ctx, output ); + mbedtls_zeroize( buf, sizeof( buf ) ); cleanup: fclose( f ); From f3612483ccf61c569ccc3efd79c64ac326e6f74c Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Sun, 25 Jun 2017 11:24:18 +0300 Subject: [PATCH 003/177] Support verbose output of the test suites generate add ctest test-suites, with the --verbose argument to be given to the test suites. The verbose output will be shown **only** if ctest is run with `-v` parameter The verbose argument is to the test-suites, only when run through `ctest` --- tests/CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
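Review bot: After `mbedtls_free( *buf )` on the fread-failure path the caller's pointer still holds the freed address; adding `*buf = NULL;` before `return( MBEDTLS_ERR_DHM_FILE_IO_ERROR );` keeps a caller that ignores the return code from touching freed memory. The zeroize length `*n + 1` presumably matches the allocation made earlier in load_file, which is outside the hunk, so it is worth confirming against that line. The pkparse.c hunk in PATCH 006 (`mbedtls_pk_load_file`) has the same shape but zeroizes `*n` bytes; if both functions allocate `*n + 1`, the two lengths should agree.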
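Review bot: `mbedtls_zeroize( buf, sizeof( buf ) );` sits above the `cleanup:` label, so any `goto cleanup` taken after the read loop has started filling `buf` skips it; the first half of mbedtls_md_file is outside the hunk, so whether such a path exists cannot be seen here. Placing the zeroize on the line after `cleanup:` (before `fclose( f );`) covers every exit unconditionally, which is the shape PATCH 014 later adopts for mbedtls_ctr_drbg_write_seed_file. `sizeof( buf )` is the full length only if `buf` is a local array; its declaration is also outside the hunk.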
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index dc2797968..16e19a927 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -31,7 +31,7 @@ function(add_test_suite suite_name) include_directories(${CMAKE_CURRENT_SOURCE_DIR}) add_executable(test_suite_${data_name} test_suite_${data_name}.c) target_link_libraries(test_suite_${data_name} ${libs}) - add_test(${data_name}-suite test_suite_${data_name}) + add_test(${data_name}-suite test_suite_${data_name} --verbose) endfunction(add_test_suite) if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG) From 1adcd95a259c14cbb7f2d3525561ab03360e1339 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 09:58:59 +0100 Subject: [PATCH 004/177] Zeroize tmp bufs in entropy.c functions --- library/entropy.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/library/entropy.c b/library/entropy.c index d4d1b27b7..a500b5312 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -242,7 +242,7 @@ static int entropy_gather_internal( mbedtls_entropy_context *ctx ) if( ( ret = ctx->source[i].f_source( ctx->source[i].p_source, buf, MBEDTLS_ENTROPY_MAX_GATHER, &olen ) ) != 0 ) { - return( ret ); + goto cleanup; } /* @@ -256,9 +256,12 @@ static int entropy_gather_internal( mbedtls_entropy_context *ctx ) } if( have_one_strong == 0 ) - return( MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE ); + ret = MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE; - return( 0 ); +cleanup: + mbedtls_zeroize( buf, sizeof( buf ) ); + + return( ret ); } /* @@ -370,6 +373,8 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) ret = 0; exit: + mbedtls_zeroize( buf, sizeof( buf ) ); + #if defined(MBEDTLS_THREADING_C) if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 ) return( MBEDTLS_ERR_THREADING_MUTEX_ERROR ); 
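Review bot: The fall-through path now returns `ret`, whose value on success is whatever the last `f_source` call in the loop left in it; if the loop can skip every source without assigning `ret` (its declaration and the loop's skip conditions are outside the hunk), the function returns an indeterminate value as success. Adding `ret = 0;` directly before `if( have_one_strong == 0 )` removes that dependency at no cost, because that line is only reached when no source call failed. entropy_gather_internal starts outside the hunk, and the same `ret` reaches `return( ret )` in the @@ -256 hunk after the new `cleanup:` label.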
@@ -393,9 +398,9 @@ int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx ) /* Manually update the remaining stream with a separator value to diverge */ memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE ); - mbedtls_entropy_update_manual( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ); + ret = mbedtls_entropy_update_manual( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ); - return( 0 ); + return( ret ); } #endif /* MBEDTLS_ENTROPY_NV_SEED */ @@ -421,12 +426,15 @@ int mbedtls_entropy_write_seed_file( mbedtls_entropy_context *ctx, const char *p ret = 0; exit: + mbedtls_zeroize( buf, sizeof( buf ) ); + fclose( f ); return( ret ); } int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char *path ) { + int ret = 0; FILE *f; size_t n; unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ]; @@ -442,14 +450,16 @@ int mbedtls_entropy_update_seed_file( mbedtls_entropy_context *ctx, const char * n = MBEDTLS_ENTROPY_MAX_SEED_SIZE; if( fread( buf, 1, n, f ) != n ) - { - fclose( f ); - return( MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR ); - } + ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; + else + ret = mbedtls_entropy_update_manual( ctx, buf, n ); fclose( f ); - mbedtls_entropy_update_manual( ctx, buf, n ); + mbedtls_zeroize( buf, sizeof( buf ) ); + + if( ret != 0 ) + return( ret ); return( mbedtls_entropy_write_seed_file( ctx, path ) ); } From 3fee7593a968f7f8a306501d5ea3e5e76a56669a Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 10:22:24 +0100 Subject: [PATCH 005/177] Zeroize tmp bufs in hmac_drbg.c functions --- library/hmac_drbg.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c index bf5f9b5bd..24c609e9c 100644 --- a/library/hmac_drbg.c +++ b/library/hmac_drbg.c 
@@ -364,11 +364,14 @@ int mbedtls_hmac_drbg_write_seed_file( mbedtls_hmac_drbg_context *ctx, const cha exit: fclose( f ); + mbedtls_zeroize( buf, sizeof( buf ) ); + return( ret ); } int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const char *path ) { + int ret = 0; FILE *f; size_t n; unsigned char buf[ MBEDTLS_HMAC_DRBG_MAX_INPUT ]; @@ -387,14 +390,16 @@ int mbedtls_hmac_drbg_update_seed_file( mbedtls_hmac_drbg_context *ctx, const ch } if( fread( buf, 1, n, f ) != n ) - { - fclose( f ); - return( MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR ); - } + ret = MBEDTLS_ERR_HMAC_DRBG_FILE_IO_ERROR; + else + mbedtls_hmac_drbg_update( ctx, buf, n ); fclose( f ); - mbedtls_hmac_drbg_update( ctx, buf, n ); + mbedtls_zeroize( buf, sizeof( buf ) ); + + if( ret != 0 ) + return( ret ); return( mbedtls_hmac_drbg_write_seed_file( ctx, path ) ); } From 1f2666f9ec38ad5b44b30202241fd30789ecc48d Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 10:36:20 +0100 Subject: [PATCH 006/177] Zeroize return buf on failure in pkparse.c --- library/pkparse.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/pkparse.c b/library/pkparse.c index efdf43746..06bde5317 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -101,7 +101,10 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ) if( fread( *buf, 1, *n, f ) != *n ) { fclose( f ); + + mbedtls_zeroize( *buf, *n ); mbedtls_free( *buf ); + return( MBEDTLS_ERR_PK_FILE_IO_ERROR ); } From 13f41e1c20a4a2ed81af332a4be32bd8265fc073 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 10:56:58 +0100 Subject: [PATCH 007/177] Zeroize tmp bufs in ctr_drbg.c functions --- library/ctr_drbg.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 55612c7fc..7828c4e37 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c 
@@ -430,12 +430,11 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char goto exit; if( fwrite( buf, 1, MBEDTLS_CTR_DRBG_MAX_INPUT, f ) != MBEDTLS_CTR_DRBG_MAX_INPUT ) - { ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; - goto exit; - } + else + ret = 0; - ret = 0; + mbedtls_zeroize( buf, sizeof( buf ) ); exit: fclose( f ); @@ -444,6 +443,7 @@ exit: int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ) { + int ret = 0; FILE *f; size_t n; unsigned char buf[ MBEDTLS_CTR_DRBG_MAX_INPUT ]; @@ -456,20 +456,18 @@ int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char fseek( f, 0, SEEK_SET ); if( n > MBEDTLS_CTR_DRBG_MAX_INPUT ) - { - fclose( f ); - return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); - } - - if( fread( buf, 1, n, f ) != n ) - { - fclose( f ); - return( MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR ); - } + ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG; + else if( fread( buf, 1, n, f ) != n ) + ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; + else + mbedtls_ctr_drbg_update( ctx, buf, n ); fclose( f ); - mbedtls_ctr_drbg_update( ctx, buf, n ); + mbedtls_zeroize( buf, sizeof( buf ) ); + + if( ret != 0 ) + return( ret ); return( mbedtls_ctr_drbg_write_seed_file( ctx, path ) ); } From 79a2e7ef069d6420070562e2fd8a9802fa3aa6ff Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 11:10:22 +0100 Subject: [PATCH 008/177] Zeroize return buf on failure in platform.c --- library/platform.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/platform.c b/library/platform.c index 8b336c38e..441298bde 100644 --- a/library/platform.c +++ b/library/platform.c 
@@ -228,12 +228,13 @@ int mbedtls_platform_std_nv_seed_read( unsigned char *buf, size_t buf_len ) size_t n; if( ( file = fopen( MBEDTLS_PLATFORM_STD_NV_SEED_FILE, "rb" ) ) == NULL ) - return -1; + return( -1 ); if( ( n = fread( buf, 1, buf_len, file ) ) != buf_len ) { fclose( file ); - return -1; + mbedtls_zeroize( buf, buf_len ); + return( -1 ); } fclose( file ); From 7351e124108f048c1fd526c5189f2945ad750bcf Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 11:20:02 +0100 Subject: [PATCH 009/177] Zeroize tmp buf in mbedtls_mpi_fill_random() --- library/bignum.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index d3a150c3c..bd8280b6f 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -63,6 +63,10 @@ static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) { volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0; } +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ #define biL (ciL << 3) /* bits in limb */ #define biH (ciL << 2) /* half limb size */ @@ -1882,6 +1886,8 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) ); cleanup: + mbedtls_zeroize( buf, sizeof( buf ) ); + return( ret ); } From a00498819f16f2d4970e598537791fb05f28ebe2 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 11:35:17 +0100 Subject: [PATCH 010/177] Zeroize old psk buf when changing value in ssl_tls --- library/ssl_tls.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 661ae7065..9b5fccb5c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
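Review bot: The new `mbedtls_zeroize` duplicates `mbedtls_mpi_zeroize` directly above it with only the element type changed; expressing the limb version as `mbedtls_zeroize( v, n * sizeof( *v ) )` would leave one volatile-store loop to maintain. Both are file-local copies of a helper that other library files in this series also call by the same name, so a shared internal definition looks like the natural end state. In the mbedtls_mpi_fill_random hunk, `sizeof( buf )` is the buffer length only if `buf` is a local array; its declaration is outside the hunk.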
@@ -6051,6 +6051,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, if( conf->psk != NULL || conf->psk_identity != NULL ) { + mbedtls_zeroize( conf->psk, conf->psk_len ); mbedtls_free( conf->psk ); mbedtls_free( conf->psk_identity ); conf->psk = NULL; @@ -6086,7 +6087,10 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); if( ssl->handshake->psk != NULL ) + { + mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len ); mbedtls_free( ssl->handshake->psk ); + } if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); From 03d70504ca3bf06a5c2bd6ad948effb25c59ed7f Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 26 Jun 2017 11:44:54 +0100 Subject: [PATCH 011/177] Zeroize heap buf on failure in pem.c --- library/pem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/pem.c b/library/pem.c index 8dd86a4ac..a09257cc7 100644 --- a/library/pem.c +++ b/library/pem.c @@ -341,6 +341,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) if( pwd == NULL ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } @@ -369,10 +370,12 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const */ if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ); } #else + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); return( MBEDTLS_ERR_PEM_FEATURE_UNAVAILABLE ); #endif /* MBEDTLS_MD5_C && MBEDTLS_CIPHER_MODE_CBC && From 59e6963a37a615b137ee4f9824f798dc704fdd96 Mon Sep 17 00:00:00 2001 
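Review bot: The guard is `conf->psk != NULL || conf->psk_identity != NULL`, so the new `mbedtls_zeroize( conf->psk, conf->psk_len );` can run with `conf->psk == NULL`; that is harmless only while `conf->psk_len` is 0 in that state, and the lines that reset `psk_len` are not in the hunk. Guard the call on the pointer it writes through: `if( conf->psk != NULL ) mbedtls_zeroize( conf->psk, conf->psk_len );`. The @@ -6086 hunk (mbedtls_ssl_set_hs_psk) already checks `ssl->handshake->psk != NULL` before its zeroize, so only this one needs the change.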
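Review bot: This hunk and the @@ -369 hunk below add the same `mbedtls_zeroize( buf, len );` + `mbedtls_free( buf );` + `return` sequence at three separate exits of mbedtls_pem_read_buffer, and any error exit later in the function (outside the hunk) has to remember to repeat it. Routing these exits through one label that does `mbedtls_zeroize( buf, len ); mbedtls_free( buf ); return( ret );` would make the zeroize impossible to miss on a future return path. Style only; the added lines are correct as written.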
From: Hanno Becker Date: Mon, 26 Jun 2017 13:26:58 +0100 Subject: [PATCH 012/177] Prevent clever optimization to prematurely quit loop in safe memcmp The previous version of `mbedtls_ssl_safer_memcmp` did not qualify the pointers to the arrays to be compared as volatile, theoretically opening the possibility for the compiler to notice that the loop operation `diff |= A[i] ^ B[i]` is pointless if `diff = -1`. This commit changes this. It also declares the stack variable `diff` as volatile, to force read and write in every loop; omitting that, the compiler would still be allowed to get away with reading `A[i]` and `B[i]` but not doing the XOR and not updating `diff`. --- include/mbedtls/ssl_internal.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 756360b18..8d3ab61ef 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -600,9 +600,9 @@ void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ); static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n ) { size_t i; - const unsigned char *A = (const unsigned char *) a; - const unsigned char *B = (const unsigned char *) b; - unsigned char diff = 0; + volatile const unsigned char *A = (volatile const unsigned char *) a; + volatile const unsigned char *B = (volatile const unsigned char *) b; + volatile unsigned char diff = 0; for( i = 0; i < n; i++ ) diff |= A[i] ^ B[i]; From 83c9f495ffe70c7dd280b41fdfd4881485a3bc28 Mon Sep 17 00:00:00 2001 
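Review bot: The reason for the three `volatile` qualifiers lives only in the commit message; a comment in the function body, e.g. `/* volatile: force every A[i], B[i] read and diff update so the loop cannot be short-circuited once diff is non-zero */`, would stop a later cleanup from dropping them as redundant. That comment should also say this is a best-effort defence against compiler optimisation rather than a constant-time guarantee, since nothing in the language forces the loop body to run in fixed time. The `return` of `diff` is outside the hunk.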
From: Hanno Becker Date: Mon, 26 Jun 2017 13:52:14 +0100 Subject: [PATCH 013/177] Prevent bounds check bypass through overflow in PSK identity parsing The check `if( *p + n > end )` in `ssl_parse_client_psk_identity` is unsafe because `*p + n` might overflow, thus bypassing the check. As `n` is a user-specified value up to 65K, this is relevant if the library happens to be located in the last 65K of virtual memory. This commit replaces the check by a safe version. --- library/ssl_srv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f137c3dce..97d7a9e80 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3436,7 +3436,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha /* * Receive client pre-shared key identity name */ - if( *p + 2 > end ) + if( end - *p < 2 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); @@ -3445,7 +3445,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha n = ( (*p)[0] << 8 ) | (*p)[1]; *p += 2; - if( n < 1 || n > 65535 || *p + n > end ) + if( n < 1 || n > 65535 || n > (size_t) ( end - *p ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); From 4e2c07c6e10737cd780df8bb84c9795cecae3ab4 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 27 Jun 2017 16:57:26 +0100 Subject: [PATCH 014/177] Zeroize tmp buf in ctr_drbg_write_seed_file() --- library/ctr_drbg.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c index 7828c4e37..a31f7b816 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -434,9 +434,9 @@ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char else ret = 0; +exit: mbedtls_zeroize( buf, sizeof( buf ) ); -exit: fclose( f ); return( ret ); } 
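Review bot: In the rewritten condition `n > 65535` can never be true, because `n` is assembled from exactly two bytes on the line above; the sub-check is carried over from the old line rather than introduced here, but since the line is being rewritten it is a good moment to drop it or annotate it. A short comment on the new form, e.g. `/* compare against the remaining length: *p + n could wrap */`, would record why the pointer comparison was replaced. The @@ -3436 hunk uses the same length-based pattern and needs no further change.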
@@ -456,8 +456,12 @@ int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char fseek( f, 0, SEEK_SET ); if( n > MBEDTLS_CTR_DRBG_MAX_INPUT ) - ret = MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG; - else if( fread( buf, 1, n, f ) != n ) + { + fclose( f ); + return( MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG ); + } + + if( fread( buf, 1, n, f ) != n ) ret = MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR; else mbedtls_ctr_drbg_update( ctx, buf, n ); From 034ea7e754e74a94945e25615aea8f39e9e06222 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 28 Apr 2017 15:14:50 +0100 Subject: [PATCH 015/177] Add int return values to SHA1 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_sha1() * mbedtls_sha1_starts() * mbedtls_sha1_update() * mbedtls_sha1_finish() * mbedtls_sha1_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/sha1.h | 132 +++++++++++++++++++++++++++++++++++++++-- library/sha1.c | 90 ++++++++++++++++++++-------- 2 files changed, 192 insertions(+), 30 deletions(-) diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 7a67c6c1f..9dde5b89e 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -32,6 +32,11 @@ #include #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_SHA1_ALT) // Regular implementation // @@ -78,8 +83,10 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, * \brief SHA-1 context setup * * \param ctx context to be initialized + * + * \return 0 if successful */ -void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ); +int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ); /** * \brief SHA-1 process buffer 
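Review bot: `#define inline __inline` in a public header redefines a keyword for every translation unit that includes sha1.h under ARMCC or MSVC, and the identical block appears again in md2.h (PATCH 016, @@ -31); a single definition in one shared header would keep the copies from drifting. The `!defined(inline)` guard only avoids a redefinition warning, it does not limit the effect to this header. If the project already carries such a block elsewhere, reusing it is preferable to adding per-header copies.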
@@ -87,19 +94,103 @@ void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ); * \param ctx SHA-1 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen ); +int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief SHA-1 final digest * * \param ctx SHA-1 context * \param output SHA-1 checksum result + * + * \return 0 if successful */ -void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ); +int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx, + unsigned char output[20] ); -/* Internal use */ -void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ); +/** + * \brief SHA-1 process data block (internal use only) + * + * \param ctx SHA-1 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_sha1_process_ext( mbedtls_sha1_context *ctx, + const unsigned char data[64] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief SHA-1 context setup + * + * \deprecated Superseded by mbedtls_sha1_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( + mbedtls_sha1_context *ctx ) +{ + mbedtls_sha1_starts_ext( ctx ); +} + +/** + * \brief SHA-1 process buffer + * + * \deprecated Superseded by mbedtls_sha1_update_ext() in 2.5.0 + * + * \param ctx SHA-1 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( + mbedtls_sha1_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_sha1_update_ext( ctx, input, ilen ); +} + +/** + * 
\brief SHA-1 final digest + * + * \deprecated Superseded by mbedtls_sha1_finish_ext() in 2.5.0 + * + * \param ctx SHA-1 context + * \param output SHA-1 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( + mbedtls_sha1_context *ctx, + unsigned char output[20] ) +{ + mbedtls_sha1_finish_ext( ctx, output ); +} + +/** + * \brief SHA-1 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_sha1_process_ext() in 2.5.0 + * + * \param ctx SHA-1 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha1_process( + mbedtls_sha1_context *ctx, + const unsigned char data[64] ) +{ + mbedtls_sha1_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } @@ -119,8 +210,37 @@ extern "C" { * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-1 checksum result + * + * \return 0 if successful */ -void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ); +int mbedtls_sha1_ext( const unsigned char *input, + size_t ilen, + unsigned char output[20] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = SHA-1( input buffer ) + * + * \deprecated Superseded by mbedtls_sha1_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output SHA-1 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, + size_t ilen, + unsigned char output[20] ) +{ + mbedtls_sha1_ext( input, ilen, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine diff --git a/library/sha1.c b/library/sha1.c index 2ccf2a2f5..d2ec8bae9 100644 --- a/library/sha1.c 
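Review bot: The deprecated inline wrappers (`mbedtls_sha1_starts` through `mbedtls_sha1_process` here, and `mbedtls_sha1` in the @@ -119 hunk) silently drop the return value of the `_ext` functions they call; writing the calls as `(void) mbedtls_sha1_starts_ext( ctx );` makes the discard deliberate and keeps warn-unused-result builds quiet. The `MBEDTLS_DEPRECATED` define/undef block is also written out twice in the same header, once per section; defining it once at the top of the deprecated region would avoid the duplication. md2.h in PATCH 016 follows the same layout and would benefit from the same two changes.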
+++ b/library/sha1.c @@ -97,7 +97,7 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, /* * SHA-1 context setup */ -void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) +int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0; @@ -107,10 +107,13 @@ void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) ctx->state[2] = 0x98BADCFE; ctx->state[3] = 0x10325476; ctx->state[4] = 0xC3D2E1F0; + + return( 0 ); } #if !defined(MBEDTLS_SHA1_PROCESS_ALT) -void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ) +int mbedtls_sha1_process_ext( mbedtls_sha1_context *ctx, + const unsigned char data[64] ) { uint32_t temp, W[16], A, B, C, D, E; @@ -264,19 +267,24 @@ void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[6 ctx->state[2] += C; ctx->state[3] += D; ctx->state[4] += E; + + return( 0 ); } #endif /* !MBEDTLS_SHA1_PROCESS_ALT */ /* * SHA-1 process buffer */ -void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen ) +int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; uint32_t left; if( ilen == 0 ) - return; + return( 0 ); left = ctx->total[0] & 0x3F; fill = 64 - left; @@ -290,7 +298,10 @@ void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - mbedtls_sha1_process( ctx, ctx->buffer ); + + if( ( ret = mbedtls_sha1_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; 
@@ -298,13 +309,17 @@ void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, while( ilen >= 64 ) { - mbedtls_sha1_process( ctx, input ); + if( ( ret = mbedtls_sha1_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 64; ilen -= 64; } if( ilen > 0 ) memcpy( (void *) (ctx->buffer + left), input, ilen ); + + return( 0 ); } static const unsigned char sha1_padding[64] = @@ -318,8 +333,10 @@ static const unsigned char sha1_padding[64] = /* * SHA-1 final digest */ -void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ) +int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx, + unsigned char output[20] ) { + int ret; uint32_t last, padn; uint32_t high, low; unsigned char msglen[8]; @@ -334,14 +351,18 @@ void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ) last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - mbedtls_sha1_update( ctx, sha1_padding, padn ); - mbedtls_sha1_update( ctx, msglen, 8 ); + if( ( ret = mbedtls_sha1_update_ext( ctx, sha1_padding, padn ) ) != 0 ) + return( ret ); + if( ( ret = mbedtls_sha1_update_ext( ctx, msglen, 8 ) ) != 0 ) + return( ret ); PUT_UINT32_BE( ctx->state[0], output, 0 ); PUT_UINT32_BE( ctx->state[1], output, 4 ); PUT_UINT32_BE( ctx->state[2], output, 8 ); PUT_UINT32_BE( ctx->state[3], output, 12 ); PUT_UINT32_BE( ctx->state[4], output, 16 ); + + return( 0 ); } #endif /* !MBEDTLS_SHA1_ALT */ 
@@ -349,15 +370,27 @@ void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ) /* * output = SHA-1( input buffer ) */ -void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ) +int mbedtls_sha1_ext( const unsigned char *input, + size_t ilen, + unsigned char output[20] ) { + int ret; mbedtls_sha1_context ctx; mbedtls_sha1_init( &ctx ); - mbedtls_sha1_starts( &ctx ); - mbedtls_sha1_update( &ctx, input, ilen ); - mbedtls_sha1_finish( &ctx, output ); + + if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha1_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha1_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_sha1_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -406,29 +439,30 @@ int mbedtls_sha1_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-1 test #%d: ", i + 1 ); - mbedtls_sha1_starts( &ctx ); + if( mbedtls_sha1_starts_ext( &ctx ) != 0 ) + goto fail; if( i == 2 ) { memset( buf, 'a', buflen = 1000 ); for( j = 0; j < 1000; j++ ) - mbedtls_sha1_update( &ctx, buf, buflen ); + { + if( mbedtls_sha1_update_ext( &ctx, buf, buflen ) != 0 ) + goto fail; + } } else - mbedtls_sha1_update( &ctx, sha1_test_buf[i], - sha1_test_buflen[i] ); + { + if( mbedtls_sha1_update_ext( &ctx, sha1_test_buf[i], + sha1_test_buflen[i] ) != 0 ) + goto fail; + } - mbedtls_sha1_finish( &ctx, sha1sum ); + mbedtls_sha1_finish_ext( &ctx, sha1sum ); if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; goto exit; - } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -437,6 +471,14 @@ int mbedtls_sha1_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "\n" ); + goto exit; + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + ret = 1; + exit: mbedtls_sha1_free( &ctx ); From 1d85213602167ddfed3e5b52c2916321e1688dbf Mon Sep 17 00:00:00 2001 
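Review bot: In `mbedtls_sha1_ext` each `return( ret )` on failure skips `mbedtls_sha1_free( &ctx )`, so whatever that call releases or clears is left behind on the error path; routing the failures through a single exit that frees the context fixes this without changing the success path. `mbedtls_md2_ext` in PATCH 016 has the same shape and should be changed the same way.

```c
int mbedtls_sha1_ext( const unsigned char *input,
                      size_t ilen,
                      unsigned char output[20] )
{
    /* … unchanged: declarations and mbedtls_sha1_init( &ctx ) … */

    if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 )
        goto exit;

    if( ( ret = mbedtls_sha1_update_ext( &ctx, input, ilen ) ) != 0 )
        goto exit;

    ret = mbedtls_sha1_finish_ext( &ctx, output );

exit:
    mbedtls_sha1_free( &ctx );

    return( ret );
}
```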
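Review bot: On a digest mismatch the new code does a bare `goto exit;` where the removed lines set `ret = 1` and printed "failed", so a wrong SHA-1 result now bypasses the new `fail:` block and, if `ret` is initialised to 0 at its declaration (outside the hunk), the self-test reports success; the line should read `goto fail;`, as the md2 self-test in PATCH 016 does. `mbedtls_sha1_finish_ext( &ctx, sha1sum );` is also the one `_ext` call whose result is not checked; `if( mbedtls_sha1_finish_ext( &ctx, sha1sum ) != 0 ) goto fail;` keeps it consistent with the starts and update calls. mbedtls_sha1_self_test starts outside the hunk.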
From: Andres Amaya Garcia Date: Fri, 28 Apr 2017 16:21:40 +0100 Subject: [PATCH 016/177] Add int return values to MD2 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_md2() * mbedtls_md2_starts() * mbedtls_md2_update() * mbedtls_md2_finish() * mbedtls_md2_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/md2.h | 130 +++++++++++++++++++++++++++++++++++++++--- library/md2.c | 69 ++++++++++++++++------ 2 files changed, 173 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 0f93fbf42..1f3b10773 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -31,6 +31,11 @@ #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_MD2_ALT) // Regular implementation // @@ -78,8 +83,10 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst, * \brief MD2 context setup * * \param ctx context to be initialized + * + * \return 0 if successful */ -void mbedtls_md2_starts( mbedtls_md2_context *ctx ); +int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ); /** * \brief MD2 process buffer 
@@ -87,16 +94,99 @@ void mbedtls_md2_starts( mbedtls_md2_context *ctx ); * \param ctx MD2 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, size_t ilen ); +int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief MD2 final digest * * \param ctx MD2 context * \param output MD2 checksum result + * + * \return 0 if successful */ -void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] ); +int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, + unsigned char output[16] ); + +/** + * \brief MD2 process data block (internal use only) + * + * \param ctx MD2 context + * + * \return 0 if successful + */ +int mbedtls_md2_process_ext( mbedtls_md2_context *ctx ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief MD2 context setup + * + * \deprecated Superseded by mbedtls_md2_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts( + mbedtls_md2_context *ctx ) +{ + mbedtls_md2_starts_ext( ctx ); +} + +/** + * \brief MD2 process buffer + * + * \deprecated Superseded by mbedtls_md2_update_ext() in 2.5.0 + * + * \param ctx MD2 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md2_update( + mbedtls_md2_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_md2_update_ext( ctx, input, ilen ); +} + +/** + * \brief MD2 final digest + * + * \deprecated Superseded by mbedtls_md2_finish_ext() in 2.5.0 + * + * \param ctx MD2 context + * \param output MD2 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish( + 
mbedtls_md2_context *ctx, + unsigned char output[16] ) +{ + mbedtls_md2_finish_ext( ctx, output ); +} + +/** + * \brief MD2 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_md2_process_ext() in 2.5.0 + * + * \param ctx MD2 context + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md2_process( + mbedtls_md2_context *ctx ) +{ + mbedtls_md2_process_ext( ctx ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } @@ -117,7 +207,36 @@ extern "C" { * \param ilen length of the input data * \param output MD2 checksum result */ -void mbedtls_md2( const unsigned char *input, size_t ilen, unsigned char output[16] ); +int mbedtls_md2_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = MD2( input buffer ) + * + * \deprecated Superseded by mbedtls_md2() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output MD2 checksum result + * + * \return 0 if successful + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md2( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) +{ + mbedtls_md2_ext( input, ilen, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine @@ -126,9 +245,6 @@ void mbedtls_md2( const unsigned char *input, size_t ilen, unsigned char output[ */ int mbedtls_md2_self_test( int verbose ); -/* Internal use */ -void mbedtls_md2_process( mbedtls_md2_context *ctx ); - #ifdef __cplusplus } #endif diff --git a/library/md2.c b/library/md2.c index 95cbcce65..7dd2b6bcb 100644 --- a/library/md2.c +++ b/library/md2.c 
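Review bot: The `\deprecated` line on the inline `mbedtls_md2` wrapper names `mbedtls_md2()` as its own replacement; it should read `\deprecated Superseded by mbedtls_md2_ext() in 2.5.0`, matching the other wrappers in this header. The same comment carries `\return 0 if successful` although the wrapper is `void`, while the new `int mbedtls_md2_ext(...)` declaration just above it has no `\return` line at all; move that line to the `_ext` declaration. The wrapper also discards the result of `mbedtls_md2_ext`; a `(void)` cast would make that explicit.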
@@ -105,16 +105,18 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst, /* * MD2 context setup */ -void mbedtls_md2_starts( mbedtls_md2_context *ctx ) +int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ) { memset( ctx->cksum, 0, 16 ); memset( ctx->state, 0, 46 ); memset( ctx->buffer, 0, 16 ); ctx->left = 0; + + return( 0 ); } #if !defined(MBEDTLS_MD2_PROCESS_ALT) -void mbedtls_md2_process( mbedtls_md2_context *ctx ) +int mbedtls_md2_process_ext( mbedtls_md2_context *ctx ) { int i, j; unsigned char t = 0; @@ -146,14 +148,19 @@ void mbedtls_md2_process( mbedtls_md2_context *ctx ) ( ctx->cksum[i] ^ PI_SUBST[ctx->buffer[i] ^ t] ); t = ctx->cksum[i]; } + + return( 0 ); } #endif /* !MBEDTLS_MD2_PROCESS_ALT */ /* * MD2 process buffer */ -void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, size_t ilen ) +int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; while( ilen > 0 ) @@ -172,16 +179,21 @@ void mbedtls_md2_update( mbedtls_md2_context *ctx, const unsigned char *input, s if( ctx->left == 16 ) { ctx->left = 0; - mbedtls_md2_process( ctx ); + if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + return( ret ); } } + + return( 0 ); } /* * MD2 final digest */ -void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] ) +int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, + unsigned char output[16] ) { + int ret; size_t i; unsigned char x; @@ -190,12 +202,16 @@ void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] ) for( i = ctx->left; i < 16; i++ ) ctx->buffer[i] = x; - mbedtls_md2_process( ctx ); + if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + return( ret ); memcpy( ctx->buffer, ctx->cksum, 16 ); - mbedtls_md2_process( ctx ); + if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + return( ret ); memcpy( output, ctx->state, 16 ); + + return( 0 ); } #endif /* !MBEDTLS_MD2_ALT */ 
@@ -203,15 +219,28 @@ void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] ) /* * output = MD2( input buffer ) */ -void mbedtls_md2( const unsigned char *input, size_t ilen, unsigned char output[16] ) +int mbedtls_md2_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) { + int ret; mbedtls_md2_context ctx; mbedtls_md2_init( &ctx ); - mbedtls_md2_starts( &ctx ); - mbedtls_md2_update( &ctx, input, ilen ); - mbedtls_md2_finish( &ctx, output ); + + if( ( ret = mbedtls_md2_starts_ext( &ctx ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md2_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md2_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + + mbedtls_md2_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -262,16 +291,12 @@ int mbedtls_md2_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD2 test #%d: ", i + 1 ); - mbedtls_md2( (unsigned char *) md2_test_str[i], - strlen( md2_test_str[i] ), md2sum ); + if( mbedtls_md2_ext( (unsigned char *)md2_test_str[i], + strlen( md2_test_str[i] ), md2sum ) != 0 ) + goto fail; if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -281,6 +306,12 @@ int mbedtls_md2_self_test( int verbose ) mbedtls_printf( "\n" ); return( 0 ); + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); } #endif /* MBEDTLS_SELF_TEST */ From bee0635b1593d879504e04136c3d10ce36cd6e34 Mon Sep 17 00:00:00 2001 
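Review bot: `mbedtls_md2_ext()` returns early when `mbedtls_md2_starts_ext()`, `mbedtls_md2_update_ext()` or `mbedtls_md2_finish_ext()` fails without calling `mbedtls_md2_free( &ctx )`, so the stack context is released only on the success path — at odds with the zeroization goal of the rest of this series (assuming `mbedtls_md2_free()` wipes the context, which this page does not show). Route every exit through a single cleanup label so the context is freed regardless of outcome. `mbedtls_md4_ext()`, `mbedtls_md5_ext()` and `mbedtls_ripemd160_ext()` in the later md4.c, md5.c and ripemd160.c hunks have the identical defect and should get the same fix.
```c
    mbedtls_md2_init( &ctx );

    if( ( ret = mbedtls_md2_starts_ext( &ctx ) ) != 0 )
        goto exit;

    if( ( ret = mbedtls_md2_update_ext( &ctx, input, ilen ) ) != 0 )
        goto exit;

    ret = mbedtls_md2_finish_ext( &ctx, output );

exit:
    /* Always wipe the one-shot context, including on the error paths. */
    mbedtls_md2_free( &ctx );

    return( ret );
```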
From: Andres Amaya Garcia Date: Fri, 28 Apr 2017 17:00:30 +0100 Subject: [PATCH 017/177] Add int return values to MD4 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_md4() * mbedtls_md4_starts() * mbedtls_md4_update() * mbedtls_md4_finish() * mbedtls_md4_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/md4.h | 134 +++++++++++++++++++++++++++++++++++++++--- library/md4.c | 80 ++++++++++++++++++------- 2 files changed, 186 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index 45214d41d..7968b69a0 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -32,6 +32,11 @@ #include #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_MD4_ALT) // Regular implementation // @@ -78,8 +83,10 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst, * \brief MD4 context setup * * \param ctx context to be initialized + * + * \return 0 if successful */ -void mbedtls_md4_starts( mbedtls_md4_context *ctx ); +int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ); /** * \brief MD4 process buffer 
@@ -87,16 +94,103 @@ void mbedtls_md4_starts( mbedtls_md4_context *ctx ); * \param ctx MD4 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, size_t ilen ); +int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief MD4 final digest * * \param ctx MD4 context * \param output MD4 checksum result + * + * \return 0 if successful */ -void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] ); +int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, + unsigned char output[16] ); + +/** + * \brief MD4 process data block (internal use only) + * + * \param ctx MD4 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_md4_process_ext( mbedtls_md4_context *ctx, + const unsigned char data[64] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief MD4 context setup + * + * \deprecated Superseded by mbedtls_md4_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( + mbedtls_md4_context *ctx ) +{ + mbedtls_md4_starts_ext( ctx ); +} + +/** + * \brief MD4 process buffer + * + * \deprecated Superseded by mbedtls_md4_update_ext() in 2.5.0 + * + * \param ctx MD4 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( + mbedtls_md4_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_md4_update_ext( ctx, input, ilen ); +} + +/** + * \brief MD4 final digest + * + * \deprecated Superseded by mbedtls_md4_finish_ext() in 2.5.0 + * + * \param ctx MD4 context + * \param output MD4 
checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( + mbedtls_md4_context *ctx, + unsigned char output[16] ) +{ + mbedtls_md4_finish_ext( ctx, output ); +} + +/** + * \brief MD4 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_md4_process_ext() in 2.5.0 + * + * \param ctx MD4 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md4_process( + mbedtls_md4_context *ctx, + const unsigned char data[64] ) +{ + mbedtls_md4_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } @@ -116,8 +210,37 @@ extern "C" { * \param input buffer holding the data * \param ilen length of the input data * \param output MD4 checksum result + * + * \return 0 if successful */ -void mbedtls_md4( const unsigned char *input, size_t ilen, unsigned char output[16] ); +int mbedtls_md4_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = MD4( input buffer ) + * + * \deprecated Superseded by mbedtls_md4_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output MD4 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md4( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) +{ + mbedtls_md4_ext( input, ilen, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine @@ -126,9 +249,6 @@ void mbedtls_md4( const unsigned char *input, size_t ilen, unsigned char output[ */ int mbedtls_md4_self_test( int verbose ); -/* Internal use */ -void mbedtls_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ); - #ifdef __cplusplus } #endif 
diff --git a/library/md4.c b/library/md4.c index 11a77e3ae..9239b6344 100644 --- a/library/md4.c +++ b/library/md4.c @@ -98,7 +98,7 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst, /* * MD4 context setup */ -void mbedtls_md4_starts( mbedtls_md4_context *ctx ) +int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0; @@ -107,10 +107,13 @@ void mbedtls_md4_starts( mbedtls_md4_context *ctx ) ctx->state[1] = 0xEFCDAB89; ctx->state[2] = 0x98BADCFE; ctx->state[3] = 0x10325476; + + return( 0 ); } #if !defined(MBEDTLS_MD4_PROCESS_ALT) -void mbedtls_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ) +int mbedtls_md4_process_ext( mbedtls_md4_context *ctx, + const unsigned char data[64] ) { uint32_t X[16], A, B, C, D; @@ -211,19 +214,24 @@ void mbedtls_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ctx->state[1] += B; ctx->state[2] += C; ctx->state[3] += D; + + return( 0 ); } #endif /* !MBEDTLS_MD4_PROCESS_ALT */ /* * MD4 process buffer */ -void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, size_t ilen ) +int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; uint32_t left; if( ilen == 0 ) - return; + return( 0 ); left = ctx->total[0] & 0x3F; fill = 64 - left; @@ -238,7 +246,10 @@ void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, s { memcpy( (void *) (ctx->buffer + left), (void *) input, fill ); - mbedtls_md4_process( ctx, ctx->buffer ); + + if( ( ret = mbedtls_md4_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; @@ -246,7 +257,9 @@ void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, s while( ilen >= 64 ) { - mbedtls_md4_process( ctx, input ); + if( ( ret = mbedtls_md4_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 64; ilen -= 64; } 
@@ -256,6 +269,8 @@ void mbedtls_md4_update( mbedtls_md4_context *ctx, const unsigned char *input, s memcpy( (void *) (ctx->buffer + left), (void *) input, ilen ); } + + return( 0 ); } static const unsigned char md4_padding[64] = @@ -269,8 +284,10 @@ static const unsigned char md4_padding[64] = /* * MD4 final digest */ -void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] ) +int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, + unsigned char output[16] ) { + int ret; uint32_t last, padn; uint32_t high, low; unsigned char msglen[8]; @@ -285,13 +302,20 @@ void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] ) last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - mbedtls_md4_update( ctx, (unsigned char *) md4_padding, padn ); - mbedtls_md4_update( ctx, msglen, 8 ); + ret = mbedtls_md4_update_ext( ctx, (unsigned char *)md4_padding, padn ); + if( ret != 0 ) + return( ret ); + + if( ( ret = mbedtls_md4_update_ext( ctx, msglen, 8 ) ) != 0 ) + return( ret ); + PUT_UINT32_LE( ctx->state[0], output, 0 ); PUT_UINT32_LE( ctx->state[1], output, 4 ); PUT_UINT32_LE( ctx->state[2], output, 8 ); PUT_UINT32_LE( ctx->state[3], output, 12 ); + + return( 0 ); } #endif /* !MBEDTLS_MD4_ALT */ 
@@ -299,15 +323,27 @@ void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] ) /* * output = MD4( input buffer ) */ -void mbedtls_md4( const unsigned char *input, size_t ilen, unsigned char output[16] ) +int mbedtls_md4_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) { + int ret; mbedtls_md4_context ctx; mbedtls_md4_init( &ctx ); - mbedtls_md4_starts( &ctx ); - mbedtls_md4_update( &ctx, input, ilen ); - mbedtls_md4_finish( &ctx, output ); + + if( ( ret = mbedtls_md4_starts_ext( &ctx ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md4_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md4_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_md4_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -358,16 +394,12 @@ int mbedtls_md4_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD4 test #%d: ", i + 1 ); - mbedtls_md4( (unsigned char *) md4_test_str[i], - strlen( md4_test_str[i] ), md4sum ); + if( mbedtls_md4_ext( (unsigned char *) md4_test_str[i], + strlen( md4_test_str[i] ), md4sum ) != 0 ) + goto fail; if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -377,6 +409,12 @@ int mbedtls_md4_self_test( int verbose ) mbedtls_printf( "\n" ); return( 0 ); + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); } #endif /* MBEDTLS_SELF_TEST */ From 2cfd7a982cd8de8a091104c081f61135b4487e47 Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Tue, 2 May 2017 10:19:27 +0100 Subject: [PATCH 018/177] Add int return values to MD5 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_md5() * mbedtls_md5_starts() * mbedtls_md5_update() * mbedtls_md5_finish() * mbedtls_md5_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/md5.h | 127 ++++++++++++++++++++++++++++++++++++++++-- library/md5.c | 76 ++++++++++++++++++------- 2 files changed, 177 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 5a64061aa..7ecf49f90 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -78,8 +78,10 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst, * \brief MD5 context setup * * \param ctx context to be initialized + * + * \return 0 if successful */ -void mbedtls_md5_starts( mbedtls_md5_context *ctx ); +int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ); /** * \brief MD5 process buffer 
@@ -87,19 +89,103 @@ void mbedtls_md5_starts( mbedtls_md5_context *ctx ); * \param ctx MD5 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen ); +int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief MD5 final digest * * \param ctx MD5 context * \param output MD5 checksum result + * + * \return 0 if successful */ -void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] ); +int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, + unsigned char output[16] ); -/* Internal use */ -void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ); +/** + * \brief MD5 process data block (internal use only) + * + * \param ctx MD5 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_md5_process_ext( mbedtls_md5_context *ctx, + const unsigned char data[64] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief MD5 context setup + * + * \deprecated Superseded by mbedtls_md5_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( + mbedtls_md5_context *ctx ) +{ + mbedtls_md5_starts_ext( ctx ); +} + +/** + * \brief MD5 process buffer + * + * \deprecated Superseded by mbedtls_md5_update_ext() in 2.5.0 + * + * \param ctx MD5 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( + mbedtls_md5_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_md5_update_ext( ctx, input, ilen ); +} + +/** + * \brief MD5 final digest + * + * \deprecated 
Superseded by mbedtls_md5_finish_ext() in 2.5.0 + * + * \param ctx MD5 context + * \param output MD5 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( + mbedtls_md5_context *ctx, + unsigned char output[16] ) +{ + mbedtls_md5_finish_ext( ctx, output ); +} + +/** + * \brief MD5 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_md5_process_ext() in 2.5.0 + * + * \param ctx MD5 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md5_process( + mbedtls_md5_context *ctx, + const unsigned char data[64] ) +{ + mbedtls_md5_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } @@ -119,8 +205,37 @@ extern "C" { * \param input buffer holding the data * \param ilen length of the input data * \param output MD5 checksum result + * + * \return 0 if successful */ -void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] ); +int mbedtls_md5_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = MD5( input buffer ) + * + * \deprecated Superseded by mbedtls_md5_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output MD5 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_md5( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) +{ + mbedtls_md5_ext( input, ilen, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine diff --git a/library/md5.c b/library/md5.c index 5d972dc9d..dd046af85 100644 --- a/library/md5.c +++ b/library/md5.c 
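Review bot: The new `static inline` wrappers in md5.h depend on `inline` being usable in C mode, yet unlike md4.h, ripemd160.h and sha256.h this commit adds no `#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && !defined(inline) && !defined(__cplusplus)` / `#define inline __inline` block to md5.h — the first md5.h hunk starts at the unchanged offset `@@ -78,8 +78,10 @@`, so nothing was inserted before it. Unless the file already carries that compatibility define (not visible here), these wrappers will not build as C on MSVC/ARMCC; add the same block after the includes as the sibling headers do.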
@@ -97,7 +97,7 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst, /* * MD5 context setup */ -void mbedtls_md5_starts( mbedtls_md5_context *ctx ) +int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0; @@ -106,10 +106,13 @@ void mbedtls_md5_starts( mbedtls_md5_context *ctx ) ctx->state[1] = 0xEFCDAB89; ctx->state[2] = 0x98BADCFE; ctx->state[3] = 0x10325476; + + return( 0 ); } #if !defined(MBEDTLS_MD5_PROCESS_ALT) -void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ) +int mbedtls_md5_process_ext( mbedtls_md5_context *ctx, + const unsigned char data[64] ) { uint32_t X[16], A, B, C, D; @@ -230,19 +233,24 @@ void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ctx->state[1] += B; ctx->state[2] += C; ctx->state[3] += D; + + return( 0 ); } #endif /* !MBEDTLS_MD5_PROCESS_ALT */ /* * MD5 process buffer */ -void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen ) +int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; uint32_t left; if( ilen == 0 ) - return; + return( 0 ); left = ctx->total[0] & 0x3F; fill = 64 - left; @@ -256,7 +264,9 @@ void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, s if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - mbedtls_md5_process( ctx, ctx->buffer ); + if( ( ret = mbedtls_md5_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; @@ -264,7 +274,9 @@ void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, s while( ilen >= 64 ) { - mbedtls_md5_process( ctx, input ); + if( ( ret = mbedtls_md5_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 64; ilen -= 64; } 
@@ -273,6 +285,8 @@ void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, s { memcpy( (void *) (ctx->buffer + left), input, ilen ); } + + return( 0 ); } static const unsigned char md5_padding[64] = @@ -286,8 +300,10 @@ static const unsigned char md5_padding[64] = /* * MD5 final digest */ -void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] ) +int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, + unsigned char output[16] ) { + int ret; uint32_t last, padn; uint32_t high, low; unsigned char msglen[8]; @@ -302,13 +318,18 @@ void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] ) last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - mbedtls_md5_update( ctx, md5_padding, padn ); - mbedtls_md5_update( ctx, msglen, 8 ); + if( ( ret = mbedtls_md5_update_ext( ctx, md5_padding, padn ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md5_update_ext( ctx, msglen, 8 ) ) != 0 ) + return( ret ); PUT_UINT32_LE( ctx->state[0], output, 0 ); PUT_UINT32_LE( ctx->state[1], output, 4 ); PUT_UINT32_LE( ctx->state[2], output, 8 ); PUT_UINT32_LE( ctx->state[3], output, 12 ); + + return( 0 ); } #endif /* !MBEDTLS_MD5_ALT */ 
@@ -316,15 +337,27 @@ void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] ) /* * output = MD5( input buffer ) */ -void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] ) +int mbedtls_md5_ext( const unsigned char *input, + size_t ilen, + unsigned char output[16] ) { + int ret; mbedtls_md5_context ctx; mbedtls_md5_init( &ctx ); - mbedtls_md5_starts( &ctx ); - mbedtls_md5_update( &ctx, input, ilen ); - mbedtls_md5_finish( &ctx, output ); + + if( ( ret = mbedtls_md5_starts_ext( &ctx ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md5_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_md5_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_md5_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -379,15 +412,12 @@ int mbedtls_md5_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD5 test #%d: ", i + 1 ); - mbedtls_md5( md5_test_buf[i], md5_test_buflen[i], md5sum ); + if( mbedtls_md5_ext( md5_test_buf[i], + md5_test_buflen[i], md5sum ) != 0 ) + goto fail; if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -397,6 +427,12 @@ int mbedtls_md5_self_test( int verbose ) mbedtls_printf( "\n" ); return( 0 ); + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); } #endif /* MBEDTLS_SELF_TEST */ From b1a8bf9725501333ffe535c6a5bce8d08bd6167b Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Tue, 2 May 2017 10:59:46 +0100 Subject: [PATCH 019/177] Add int return values to RIPEMD-160 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_ripemd160() * mbedtls_ripemd160_starts() * mbedtls_ripemd160_update() * mbedtls_ripemd160_finish() * mbedtls_ripemd160_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/ripemd160.h | 135 +++++++++++++++++++++++++++++++++--- library/ripemd160.c | 87 ++++++++++++++++------- 2 files changed, 189 insertions(+), 33 deletions(-) diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 7083fc859..5ef4700c6 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -32,6 +32,11 @@ #include #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_RIPEMD160_ALT) // Regular implementation // @@ -78,8 +83,10 @@ void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst, * \brief RIPEMD-160 context setup * * \param ctx context to be initialized + * + * \return 0 if successful */ -void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ); +int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ); /** * \brief RIPEMD-160 process buffer 
@@ -87,20 +94,103 @@ void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ); * \param ctx RIPEMD-160 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx, - const unsigned char *input, size_t ilen ); +int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief RIPEMD-160 final digest * * \param ctx RIPEMD-160 context * \param output RIPEMD-160 checksum result + * + * \return 0 if successful */ -void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx, unsigned char output[20] ); +int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, + unsigned char output[20] ); -/* Internal use */ -void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned char data[64] ); +/** + * \brief RIPEMD-160 process data block (internal use only) + * + * \param ctx RIPEMD-160 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_ripemd160_process_ext( mbedtls_ripemd160_context *ctx, + const unsigned char data[64] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief RIPEMD-160 context setup + * + * \deprecated Superseded by mbedtls_ripemd160_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + */ +MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_starts( + mbedtls_ripemd160_context *ctx ) +{ + mbedtls_ripemd160_starts_ext( ctx ); +} + +/** + * \brief RIPEMD-160 process buffer + * + * \deprecated Superseded by mbedtls_ripemd160_update_ext() in 2.5.0 + * + * \param ctx RIPEMD-160 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void 
mbedtls_ripemd160_update( + mbedtls_ripemd160_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_ripemd160_update_ext( ctx, input, ilen ); +} + +/** + * \brief RIPEMD-160 final digest + * + * \deprecated Superseded by mbedtls_ripemd160_finish_ext() in 2.5.0 + * + * \param ctx RIPEMD-160 context + * \param output RIPEMD-160 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_finish( + mbedtls_ripemd160_context *ctx, + unsigned char output[20] ) +{ + mbedtls_ripemd160_finish_ext( ctx, output ); +} + +/** + * \brief RIPEMD-160 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_ripemd160_process_ext() in 2.5.0 + * + * \param ctx RIPEMD-160 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_process( + mbedtls_ripemd160_context *ctx, + const unsigned char data[64] ) +{ + mbedtls_ripemd160_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } 
@@ -120,9 +210,38 @@ extern "C" { * \param input buffer holding the data * \param ilen length of the input data * \param output RIPEMD-160 checksum result + * + * \return 0 if successful */ -void mbedtls_ripemd160( const unsigned char *input, size_t ilen, - unsigned char output[20] ); +int mbedtls_ripemd160_ext( const unsigned char *input, + size_t ilen, + unsigned char output[20] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = RIPEMD-160( input buffer ) + * + * \deprecated Superseded by mbedtls_ripemd160_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output RIPEMD-160 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160( + const unsigned char *input, + size_t ilen, + unsigned char output[20] ) +{ + mbedtls_ripemd160_ext( input, ilen, output ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine diff --git a/library/ripemd160.c b/library/ripemd160.c index cdb0a63c0..f1d1f1e9d 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -96,7 +96,7 @@ void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst, /* * RIPEMD-160 context setup */ -void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ) +int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0; 
@@ -106,13 +106,16 @@ void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ) ctx->state[2] = 0x98BADCFE; ctx->state[3] = 0x10325476; ctx->state[4] = 0xC3D2E1F0; + + return( 0 ); } #if !defined(MBEDTLS_RIPEMD160_PROCESS_ALT) /* * Process one block */ -void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned char data[64] ) +int mbedtls_ripemd160_process_ext( mbedtls_ripemd160_context *ctx, + const unsigned char data[64] ) { uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16]; @@ -287,20 +290,24 @@ void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned c ctx->state[3] = ctx->state[4] + A + Bp; ctx->state[4] = ctx->state[0] + B + Cp; ctx->state[0] = C; + + return( 0 ); } #endif /* !MBEDTLS_RIPEMD160_PROCESS_ALT */ /* * RIPEMD-160 process buffer */ -void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx, - const unsigned char *input, size_t ilen ) +int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; uint32_t left; if( ilen == 0 ) - return; + return( 0 ); left = ctx->total[0] & 0x3F; fill = 64 - left; @@ -314,7 +321,10 @@ void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx, if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - mbedtls_ripemd160_process( ctx, ctx->buffer ); + + if( ( ret = mbedtls_ripemd160_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; @@ -322,7 +332,9 @@ void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx, while( ilen >= 64 ) { - mbedtls_ripemd160_process( ctx, input ); + if( ( ret = mbedtls_ripemd160_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 64; ilen -= 64; } @@ -331,6 +343,8 @@ void mbedtls_ripemd160_update( mbedtls_ripemd160_context *ctx, { memcpy( (void *) (ctx->buffer + left), input, ilen ); } + + return( 0 ); } static const unsigned char ripemd160_padding[64] = 
@@ -344,8 +358,10 @@ static const unsigned char ripemd160_padding[64] = /* * RIPEMD-160 final digest */ -void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx, unsigned char output[20] ) +int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, + unsigned char output[20] ) { + int ret; uint32_t last, padn; uint32_t high, low; unsigned char msglen[8]; @@ -360,29 +376,47 @@ void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx, unsigned char out last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - mbedtls_ripemd160_update( ctx, ripemd160_padding, padn ); - mbedtls_ripemd160_update( ctx, msglen, 8 ); + ret = mbedtls_ripemd160_update_ext( ctx, ripemd160_padding, padn ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ripemd160_update_ext( ctx, msglen, 8 ); + if( ret != 0 ) + return( ret ); PUT_UINT32_LE( ctx->state[0], output, 0 ); PUT_UINT32_LE( ctx->state[1], output, 4 ); PUT_UINT32_LE( ctx->state[2], output, 8 ); PUT_UINT32_LE( ctx->state[3], output, 12 ); PUT_UINT32_LE( ctx->state[4], output, 16 ); + + return( 0 ); } /* * output = RIPEMD-160( input buffer ) */ -void mbedtls_ripemd160( const unsigned char *input, size_t ilen, - unsigned char output[20] ) +int mbedtls_ripemd160_ext( const unsigned char *input, + size_t ilen, + unsigned char output[20] ) { + int ret; mbedtls_ripemd160_context ctx; mbedtls_ripemd160_init( &ctx ); - mbedtls_ripemd160_starts( &ctx ); - mbedtls_ripemd160_update( &ctx, input, ilen ); - mbedtls_ripemd160_finish( &ctx, output ); + + if( ( ret = mbedtls_ripemd160_starts_ext( &ctx ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ripemd160_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_ripemd160_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_ripemd160_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) 
@@ -430,7 +464,7 @@ static const unsigned char ripemd160_test_md[TESTS][20] = */ int mbedtls_ripemd160_self_test( int verbose ) { - int i; + int i, ret; unsigned char output[20]; memset( output, 0, sizeof output ); @@ -440,17 +474,14 @@ int mbedtls_ripemd160_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " RIPEMD-160 test #%d: ", i + 1 ); - mbedtls_ripemd160( (const unsigned char *) ripemd160_test_input[i], - strlen( ripemd160_test_input[i] ), - output ); + ret = mbedtls_ripemd160_ext( + (const unsigned char *)ripemd160_test_input[i], + strlen( ripemd160_test_input[i] ), output ); + if( ret != 0 ) + goto fail; if( memcmp( output, ripemd160_test_md[i], 20 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - return( 1 ); - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -460,6 +491,12 @@ int mbedtls_ripemd160_self_test( int verbose ) mbedtls_printf( "\n" ); return( 0 ); + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); } #endif /* MBEDTLS_SELF_TEST */ From 72a7f53064e489471a130a06aea0b01a9039899c Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 2 May 2017 11:38:47 +0100 Subject: [PATCH 020/177] Add int return values to SHA-256 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_sha256() * mbedtls_sha256_starts() * mbedtls_sha256_update() * mbedtls_sha256_finish() * mbedtls_sha256_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/sha256.h | 140 ++++++++++++++++++++++++++++++++++++--- library/sha256.c | 97 +++++++++++++++++++-------- 2 files changed, 202 insertions(+), 35 deletions(-) diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index f8041adf0..3667e8c10 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h 
@@ -32,6 +32,11 @@ #include #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_SHA256_ALT) // Regular implementation // @@ -80,8 +85,10 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst, * * \param ctx context to be initialized * \param is224 0 = use SHA256, 1 = use SHA224 + * + * \return 0 if successful */ -void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ); +int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 ); /** * \brief SHA-256 process buffer 
@@ -89,20 +96,105 @@ void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ); * \param ctx SHA-256 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input, - size_t ilen ); +int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief SHA-256 final digest * * \param ctx SHA-256 context * \param output SHA-224/256 checksum result + * + * \return 0 if successful */ -void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] ); +int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx, + unsigned char output[32] ); -/* Internal use */ -void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ); +/** + * \brief SHA-256 process data block (internal use only) + * + * \param ctx SHA-256 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_sha256_process_ext( mbedtls_sha256_context *ctx, + const unsigned char data[64] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief SHA-256 context setup + * + * \deprecated Superseded by mbedtls_sha256_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + * \param is224 0 = use SHA256, 1 = use SHA224 + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( + mbedtls_sha256_context *ctx, + int is224 ) +{ + mbedtls_sha256_starts_ext( ctx, is224 ); +} + +/** + * \brief SHA-256 process buffer + * + * \deprecated Superseded by mbedtls_sha256_update_ext() in 2.5.0 + * + * \param ctx SHA-256 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( 
+ mbedtls_sha256_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_sha256_update_ext( ctx, input, ilen ); +} + +/** + * \brief SHA-256 final digest + * + * \deprecated Superseded by mbedtls_sha256_finish_ext() in 2.5.0 + * + * \param ctx SHA-256 context + * \param output SHA-224/256 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( + mbedtls_sha256_context *ctx, + unsigned char output[32] ) +{ + mbedtls_sha256_finish_ext( ctx, output ); +} + +/** + * \brief SHA-256 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_sha256_process_ext() in 2.5.0 + * + * \param ctx SHA-256 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha256_process( + mbedtls_sha256_context *ctx, + const unsigned char data[64] ) +{ + mbedtls_sha256_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } 
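Review bot: The deprecated `static inline` shims `mbedtls_sha256_starts`/`_update`/`_finish`/`_process` in this hunk silently discard the `int` that the new `_ext` functions return, so a caller still on the old `void` API cannot observe a failure from an alternative (e.g. hardware-backed) implementation — the very case the commit message gives as the motivation — and may go on to use whatever is in `output` as a digest. Keeping the old signature forces this, but the header should say so; I would add to each `\deprecated` block a line such as ` * \warning The return value of the replacement function is discarded, so errors from an alternative implementation are not reported.` Making the discard explicit in code, e.g. `(void) mbedtls_sha256_starts_ext( ctx, is224 );`, also documents the intent at the call site. The same applies to the sha512.h shims added later in this series.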
@@ -123,9 +215,41 @@ extern "C" { * \param ilen length of the input data * \param output SHA-224/256 checksum result * \param is224 0 = use SHA256, 1 = use SHA224 + * + * \return 0 if successful */ -void mbedtls_sha256( const unsigned char *input, size_t ilen, - unsigned char output[32], int is224 ); +int mbedtls_sha256_ext( const unsigned char *input, + size_t ilen, + unsigned char output[32], + int is224 ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = SHA-256( input buffer ) + * + * \deprecated Superseded by mbedtls_sha256_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output SHA-224/256 checksum result + * \param is224 0 = use SHA256, 1 = use SHA224 + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha256( + const unsigned char *input, + size_t ilen, + unsigned char output[32], + int is224 ) +{ + mbedtls_sha256_ext( input, ilen, output, is224 ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine diff --git a/library/sha256.c b/library/sha256.c index ad25d3833..337b8e643 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -100,7 +100,7 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst, /* * SHA-256 context setup */ -void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) +int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 ) { ctx->total[0] = 0; ctx->total[1] = 0; @@ -131,6 +131,8 @@ void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) } ctx->is224 = is224; + + return( 0 ); } #if !defined(MBEDTLS_SHA256_PROCESS_ALT) 
@@ -179,7 +181,8 @@ static const uint32_t K[] = d += temp1; h = temp1 + temp2; \ } -void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) +int mbedtls_sha256_process_ext( mbedtls_sha256_context *ctx, + const unsigned char data[64] ) { uint32_t temp1, temp2, W[64]; uint32_t A[8]; @@ -232,20 +235,24 @@ void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char da for( i = 0; i < 8; i++ ) ctx->state[i] += A[i]; + + return( 0 ); } #endif /* !MBEDTLS_SHA256_PROCESS_ALT */ /* * SHA-256 process buffer */ -void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *input, - size_t ilen ) +int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; uint32_t left; if( ilen == 0 ) - return; + return( 0 ); left = ctx->total[0] & 0x3F; fill = 64 - left; @@ -259,7 +266,10 @@ void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *in if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - mbedtls_sha256_process( ctx, ctx->buffer ); + + if( ( ret = mbedtls_sha256_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; @@ -267,13 +277,17 @@ void mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *in while( ilen >= 64 ) { - mbedtls_sha256_process( ctx, input ); + if( ( ret = mbedtls_sha256_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 64; ilen -= 64; } if( ilen > 0 ) memcpy( (void *) (ctx->buffer + left), input, ilen ); + + return( 0 ); } static const unsigned char sha256_padding[64] = 
@@ -287,8 +301,10 @@ static const unsigned char sha256_padding[64] = /* * SHA-256 final digest */ -void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] ) +int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx, + unsigned char output[32] ) { + int ret; uint32_t last, padn; uint32_t high, low; unsigned char msglen[8]; @@ -303,8 +319,11 @@ void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32 last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - mbedtls_sha256_update( ctx, sha256_padding, padn ); - mbedtls_sha256_update( ctx, msglen, 8 ); + if( ( ret = mbedtls_sha256_update_ext( ctx, sha256_padding, padn ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha256_update_ext( ctx, msglen, 8 ) ) != 0 ) + return( ret ); PUT_UINT32_BE( ctx->state[0], output, 0 ); PUT_UINT32_BE( ctx->state[1], output, 4 ); @@ -316,6 +335,8 @@ void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32 if( ctx->is224 == 0 ) PUT_UINT32_BE( ctx->state[7], output, 28 ); + + return( 0 ); } #endif /* !MBEDTLS_SHA256_ALT */ 
@@ -323,16 +344,28 @@ void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32 /* * output = SHA-256( input buffer ) */ -void mbedtls_sha256( const unsigned char *input, size_t ilen, - unsigned char output[32], int is224 ) +int mbedtls_sha256_ext( const unsigned char *input, + size_t ilen, + unsigned char output[32], + int is224 ) { + int ret; mbedtls_sha256_context ctx; mbedtls_sha256_init( &ctx ); - mbedtls_sha256_starts( &ctx, is224 ); - mbedtls_sha256_update( &ctx, input, ilen ); - mbedtls_sha256_finish( &ctx, output ); + + if( ( ret = mbedtls_sha256_starts_ext( &ctx, is224 ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha256_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha256_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_sha256_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -415,29 +448,31 @@ int mbedtls_sha256_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); - mbedtls_sha256_starts( &ctx, k ); + if( mbedtls_sha256_starts_ext( &ctx, k ) != 0 ) + goto fail; if( j == 2 ) { memset( buf, 'a', buflen = 1000 ); for( j = 0; j < 1000; j++ ) - mbedtls_sha256_update( &ctx, buf, buflen ); + if( mbedtls_sha256_update_ext( &ctx, buf, buflen ) != 0 ) + goto fail; + } else - mbedtls_sha256_update( &ctx, sha256_test_buf[j], - sha256_test_buflen[j] ); + { + if( mbedtls_sha256_update_ext( &ctx, sha256_test_buf[j], + sha256_test_buflen[j] ) != 0 ) + goto fail; + } + + if( mbedtls_sha256_finish_ext( &ctx, sha256sum ) != 0 ) + goto fail; - mbedtls_sha256_finish( &ctx, sha256sum ); if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); 
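Review bot: `mbedtls_sha256_ext` in the `@@ -323,16 +344,28 @@` hunk bails out with `return( ret );` on each error branch before reaching `mbedtls_sha256_free( &ctx );`, so the cleanup only happens on success; if `mbedtls_sha256_free()` is what wipes the context (it is outside this hunk — please confirm), a failing `starts_ext`/`update_ext`/`finish_ext` leaves buffered input and hash state unscrubbed on the stack. Funnel the error paths through one exit label that always frees, as in the rest of the library. Rewritten lines below; the `init` call and declarations stay as they are.
```c
    if( ( ret = mbedtls_sha256_starts_ext( &ctx, is224 ) ) != 0 )
        goto exit;
    if( ( ret = mbedtls_sha256_update_ext( &ctx, input, ilen ) ) != 0 )
        goto exit;
    ret = mbedtls_sha256_finish_ext( &ctx, output );

exit:
    mbedtls_sha256_free( &ctx );
    return( ret );
```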
@@ -446,6 +481,14 @@ int mbedtls_sha256_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "\n" ); + goto exit; + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + ret = 1; + exit: mbedtls_sha256_free( &ctx ); mbedtls_free( buf ); From 614c689e0548b07a014da93f34fa0f1b147ea369 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 2 May 2017 12:07:26 +0100 Subject: [PATCH 021/177] Add int return values to SHA-512 function calls The following function calls are being deprecated to introduce int return values. * mbedtls_sha512() * mbedtls_sha512_starts() * mbedtls_sha512_update() * mbedtls_sha512_finish() * mbedtls_sha512_process() The return codes can be used to return error values. This is important when using hardware accelerators. --- include/mbedtls/sha512.h | 142 ++++++++++++++++++++++++++++++++++++--- library/sha512.c | 95 ++++++++++++++++++-------- 2 files changed, 201 insertions(+), 36 deletions(-) diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 627694f42..3049110ab 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -32,6 +32,11 @@ #include #include +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #if !defined(MBEDTLS_SHA512_ALT) // Regular implementation // @@ -80,8 +85,10 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, * * \param ctx context to be initialized * \param is384 0 = use SHA512, 1 = use SHA384 + * + * \return 0 if successful */ -void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ); +int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 ); /** * \brief SHA-512 process buffer 
@@ -89,17 +96,105 @@ void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ); * \param ctx SHA-512 context * \param input buffer holding the data * \param ilen length of the input data + * + * \return 0 if successful */ -void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *input, - size_t ilen ); +int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, + const unsigned char *input, + size_t ilen ); /** * \brief SHA-512 final digest * * \param ctx SHA-512 context * \param output SHA-384/512 checksum result + * + * \return 0 if successful */ -void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64] ); +int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx, + unsigned char output[64] ); + +/** + * \brief SHA-512 process data block (internal use only) + * + * \param ctx SHA-512 context + * \param data buffer holding one block of data + * + * \return 0 if successful + */ +int mbedtls_sha512_process_ext( mbedtls_sha512_context *ctx, + const unsigned char data[128] ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief SHA-512 context setup + * + * \deprecated Superseded by mbedtls_sha512_starts_ext() in 2.5.0 + * + * \param ctx context to be initialized + * \param is384 0 = use SHA512, 1 = use SHA384 + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( + mbedtls_sha512_context *ctx, + int is384 ) +{ + mbedtls_sha512_starts_ext( ctx, is384 ); +} + +/** + * \brief SHA-512 process buffer + * + * \deprecated Superseded by mbedtls_sha512_update_ext() in 2.5.0 + * + * \param ctx SHA-512 context + * \param input buffer holding the data + * \param ilen length of the input data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( + mbedtls_sha512_context *ctx, + const unsigned char *input, + size_t ilen ) +{ + mbedtls_sha512_update_ext( 
ctx, input, ilen ); +} + +/** + * \brief SHA-512 final digest + * + * \deprecated Superseded by mbedtls_sha512_finish_ext() in 2.5.0 + * + * \param ctx SHA-512 context + * \param output SHA-384/512 checksum result + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( + mbedtls_sha512_context *ctx, + unsigned char output[64] ) +{ + mbedtls_sha512_finish_ext( ctx, output ); +} + +/** + * \brief SHA-512 process data block (internal use only) + * + * \deprecated Superseded by mbedtls_sha512_process_ext() in 2.5.0 + * + * \param ctx SHA-512 context + * \param data buffer holding one block of data + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha512_process( + mbedtls_sha512_context *ctx, + const unsigned char data[128] ) +{ + mbedtls_sha512_process_ext( ctx, data ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ #ifdef __cplusplus } 
@@ -120,9 +215,41 @@ extern "C" { * \param ilen length of the input data * \param output SHA-384/512 checksum result * \param is384 0 = use SHA512, 1 = use SHA384 + * + * \return 0 if successful */ -void mbedtls_sha512( const unsigned char *input, size_t ilen, - unsigned char output[64], int is384 ); +int mbedtls_sha512_ext( const unsigned char *input, + size_t ilen, + unsigned char output[64], + int is384 ); + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +/** + * \brief Output = SHA-512( input buffer ) + * + * \deprecated Superseded by mbedtls_sha512_ext() in 2.5.0 + * + * \param input buffer holding the data + * \param ilen length of the input data + * \param output SHA-384/512 checksum result + * \param is384 0 = use SHA512, 1 = use SHA384 + */ +MBEDTLS_DEPRECATED static inline void mbedtls_sha512( + const unsigned char *input, + size_t ilen, + unsigned char output[64], + int is384 ) +{ + mbedtls_sha512_ext( input, ilen, output, is384 ); +} + +#undef MBEDTLS_DEPRECATED +#endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Checkup routine @@ -131,9 +258,6 @@ void mbedtls_sha512( const unsigned char *input, size_t ilen, */ int mbedtls_sha512_self_test( int verbose ); -/* Internal use */ -void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ); - #ifdef __cplusplus } #endif diff --git a/library/sha512.c b/library/sha512.c index 724522ac6..74c7533b3 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -114,7 +114,7 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, /* * SHA-512 context setup */ -void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) +int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 ) { ctx->total[0] = 0; ctx->total[1] = 0; 
@@ -145,6 +145,8 @@ void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) } ctx->is384 = is384; + + return( 0 ); } #if !defined(MBEDTLS_SHA512_PROCESS_ALT) @@ -196,7 +198,8 @@ static const uint64_t K[80] = UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817) }; -void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ) +int mbedtls_sha512_process_ext( mbedtls_sha512_context *ctx, + const unsigned char data[128] ) { int i; uint64_t temp1, temp2, W[80]; @@ -263,20 +266,24 @@ void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char da ctx->state[5] += F; ctx->state[6] += G; ctx->state[7] += H; + + return( 0 ); } #endif /* !MBEDTLS_SHA512_PROCESS_ALT */ /* * SHA-512 process buffer */ -void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *input, - size_t ilen ) +int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, + const unsigned char *input, + size_t ilen ) { + int ret; size_t fill; unsigned int left; if( ilen == 0 ) - return; + return( 0 ); left = (unsigned int) (ctx->total[0] & 0x7F); fill = 128 - left; @@ -289,7 +296,10 @@ void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *in if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - mbedtls_sha512_process( ctx, ctx->buffer ); + + if( ( ret = mbedtls_sha512_process_ext( ctx, ctx->buffer ) ) != 0 ) + return( ret ); + input += fill; ilen -= fill; left = 0; @@ -297,13 +307,17 @@ void mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *in while( ilen >= 128 ) { - mbedtls_sha512_process( ctx, input ); + if( ( ret = mbedtls_sha512_process_ext( ctx, input ) ) != 0 ) + return( ret ); + input += 128; ilen -= 128; } if( ilen > 0 ) memcpy( (void *) (ctx->buffer + left), input, ilen ); + + return( 0 ); } static const unsigned char sha512_padding[128] = 
@@ -321,8 +335,10 @@ static const unsigned char sha512_padding[128] = /* * SHA-512 final digest */ -void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64] ) +int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx, + unsigned char output[64] ) { + int ret; size_t last, padn; uint64_t high, low; unsigned char msglen[16]; @@ -337,8 +353,11 @@ void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64 last = (size_t)( ctx->total[0] & 0x7F ); padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last ); - mbedtls_sha512_update( ctx, sha512_padding, padn ); - mbedtls_sha512_update( ctx, msglen, 16 ); + if( ( ret = mbedtls_sha512_update_ext( ctx, sha512_padding, padn ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha512_update_ext( ctx, msglen, 16 ) ) != 0 ) + return( ret ); PUT_UINT64_BE( ctx->state[0], output, 0 ); PUT_UINT64_BE( ctx->state[1], output, 8 ); @@ -352,6 +371,8 @@ void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64 PUT_UINT64_BE( ctx->state[6], output, 48 ); PUT_UINT64_BE( ctx->state[7], output, 56 ); } + + return( 0 ); } #endif /* !MBEDTLS_SHA512_ALT */ 
@@ -359,16 +380,28 @@ void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64 /* * output = SHA-512( input buffer ) */ -void mbedtls_sha512( const unsigned char *input, size_t ilen, - unsigned char output[64], int is384 ) +int mbedtls_sha512_ext( const unsigned char *input, + size_t ilen, + unsigned char output[64], + int is384 ) { + int ret; mbedtls_sha512_context ctx; mbedtls_sha512_init( &ctx ); - mbedtls_sha512_starts( &ctx, is384 ); - mbedtls_sha512_update( &ctx, input, ilen ); - mbedtls_sha512_finish( &ctx, output ); + + if( ( ret = mbedtls_sha512_starts_ext( &ctx, is384 ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha512_update_ext( &ctx, input, ilen ) ) != 0 ) + return( ret ); + + if( ( ret = mbedtls_sha512_finish_ext( &ctx, output ) ) != 0 ) + return( ret ); + mbedtls_sha512_free( &ctx ); + + return( 0 ); } #if defined(MBEDTLS_SELF_TEST) @@ -471,29 +504,29 @@ int mbedtls_sha512_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 ); - mbedtls_sha512_starts( &ctx, k ); + if( mbedtls_sha512_starts_ext( &ctx, k ) != 0 ) + goto fail; if( j == 2 ) { memset( buf, 'a', buflen = 1000 ); for( j = 0; j < 1000; j++ ) - mbedtls_sha512_update( &ctx, buf, buflen ); + if( mbedtls_sha512_update_ext( &ctx, buf, buflen ) != 0 ) + goto fail; } else - mbedtls_sha512_update( &ctx, sha512_test_buf[j], - sha512_test_buflen[j] ); + { + if( mbedtls_sha512_update_ext( &ctx, sha512_test_buf[j], + sha512_test_buflen[j] ) != 0 ) + goto fail; + } - mbedtls_sha512_finish( &ctx, sha512sum ); + if( mbedtls_sha512_finish_ext( &ctx, sha512sum ) != 0 ) + goto fail; if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 ) - { - if( verbose != 0 ) - mbedtls_printf( "failed\n" ); - - ret = 1; - goto exit; - } + goto fail; if( verbose != 0 ) mbedtls_printf( "passed\n" ); 
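Review bot: `mbedtls_sha512_ext` in the `@@ -359,16 +380,28 @@` hunk has the same early-`return( ret )` pattern: all three error branches skip `mbedtls_sha512_free( &ctx );`, so the context is only released/cleared when every step succeeds (whether `mbedtls_sha512_free()` zeroizes is not visible here; if it does, the error path leaves key-derived or message state behind). Route the failures through a single `exit:` label so the free is unconditional and `ret` is returned from one place. Rewritten lines below; declarations and `mbedtls_sha512_init( &ctx )` are unchanged.
```c
    if( ( ret = mbedtls_sha512_starts_ext( &ctx, is384 ) ) != 0 )
        goto exit;
    if( ( ret = mbedtls_sha512_update_ext( &ctx, input, ilen ) ) != 0 )
        goto exit;
    ret = mbedtls_sha512_finish_ext( &ctx, output );

exit:
    mbedtls_sha512_free( &ctx );
    return( ret );
```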
@@ -502,6 +535,14 @@ int mbedtls_sha512_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "\n" ); + goto exit; + +fail: + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + ret = 1; + exit: mbedtls_sha512_free( &ctx ); mbedtls_free( buf ); From cccfe08530a986a7f8df19df06f2c8b0ee72d1ca Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 10:36:39 +0100 Subject: [PATCH 022/177] Rename md process functions with _internal_ --- include/mbedtls/md2.h | 6 +++--- include/mbedtls/md4.h | 8 ++++---- include/mbedtls/md5.h | 8 ++++---- include/mbedtls/ripemd160.h | 8 ++++---- include/mbedtls/sha1.h | 8 ++++---- include/mbedtls/sha256.h | 8 ++++---- include/mbedtls/sha512.h | 8 ++++---- library/md2.c | 8 ++++---- library/md4.c | 8 ++++---- library/md5.c | 8 ++++---- library/ripemd160.c | 8 ++++---- library/sha1.c | 8 ++++---- library/sha256.c | 6 +++--- library/sha512.c | 8 ++++---- 14 files changed, 54 insertions(+), 54 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 1f3b10773..2c133a2aa 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -119,7 +119,7 @@ int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, * * \return 0 if successful */ -int mbedtls_md2_process_ext( mbedtls_md2_context *ctx ); +int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -175,14 +175,14 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish( /** * \brief MD2 process data block (internal use only) * - * \deprecated Superseded by mbedtls_md2_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md2_process() in 2.5.0 * * \param ctx MD2 context */ MBEDTLS_DEPRECATED static inline void mbedtls_md2_process( mbedtls_md2_context *ctx ) { - mbedtls_md2_process_ext( ctx ); + mbedtls_internal_md2_process( ctx ); } #undef MBEDTLS_DEPRECATED 
diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index 7968b69a0..671c6a4f1 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -120,8 +120,8 @@ int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, * * \return 0 if successful */ -int mbedtls_md4_process_ext( mbedtls_md4_context *ctx, - const unsigned char data[64] ); +int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, + const unsigned char data[64] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( /** * \brief MD4 process data block (internal use only) * - * \deprecated Superseded by mbedtls_md4_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md4_process() in 2.5.0 * * \param ctx MD4 context * \param data buffer holding one block of data @@ -186,7 +186,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ) { - mbedtls_md4_process_ext( ctx, data ); + mbedtls_internal_md4_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 7ecf49f90..816d081ab 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -115,8 +115,8 @@ int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, * * \return 0 if successful */ -int mbedtls_md5_process_ext( mbedtls_md5_context *ctx, - const unsigned char data[64] ); +int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, + const unsigned char data[64] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -172,7 +172,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( /** * \brief MD5 process data block (internal use only) * - * \deprecated Superseded by mbedtls_md5_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md5_process() in 2.5.0 * * \param ctx MD5 context * \param data buffer holding one block of data 
@@ -181,7 +181,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ) { - mbedtls_md5_process_ext( ctx, data ); + mbedtls_internal_md5_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 5ef4700c6..aea16b366 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -120,8 +120,8 @@ int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, * * \return 0 if successful */ -int mbedtls_ripemd160_process_ext( mbedtls_ripemd160_context *ctx, - const unsigned char data[64] ); +int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, + const unsigned char data[64] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_finish( /** * \brief RIPEMD-160 process data block (internal use only) * - * \deprecated Superseded by mbedtls_ripemd160_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_ripemd160_process() in 2.5.0 * * \param ctx RIPEMD-160 context * \param data buffer holding one block of data @@ -186,7 +186,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_process( mbedtls_ripemd160_context *ctx, const unsigned char data[64] ) { - mbedtls_ripemd160_process_ext( ctx, data ); + mbedtls_internal_ripemd160_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 9dde5b89e..47a9f996f 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h 
@@ -120,8 +120,8 @@ int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx, * * \return 0 if successful */ -int mbedtls_sha1_process_ext( mbedtls_sha1_context *ctx, - const unsigned char data[64] ); +int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, + const unsigned char data[64] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( /** * \brief SHA-1 process data block (internal use only) * - * \deprecated Superseded by mbedtls_sha1_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha1_process() in 2.5.0 * * \param ctx SHA-1 context * \param data buffer holding one block of data @@ -186,7 +186,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ) { - mbedtls_sha1_process_ext( ctx, data ); + mbedtls_internal_sha1_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 3667e8c10..76555f4fd 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -122,8 +122,8 @@ int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx, * * \return 0 if successful */ -int mbedtls_sha256_process_ext( mbedtls_sha256_context *ctx, - const unsigned char data[64] ); +int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, + const unsigned char data[64] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -181,7 +181,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( /** * \brief SHA-256 process data block (internal use only) * - * \deprecated Superseded by mbedtls_sha256_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha256_process() in 2.5.0 * * \param ctx SHA-256 context * \param data buffer holding one block of data 
@@ -190,7 +190,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) { - mbedtls_sha256_process_ext( ctx, data ); + mbedtls_internal_sha256_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 3049110ab..0fbdb3b71 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -122,8 +122,8 @@ int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx, * * \return 0 if successful */ -int mbedtls_sha512_process_ext( mbedtls_sha512_context *ctx, - const unsigned char data[128] ); +int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, + const unsigned char data[128] ); #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) @@ -181,7 +181,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( /** * \brief SHA-512 process data block (internal use only) * - * \deprecated Superseded by mbedtls_sha512_process_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha512_process() in 2.5.0 * * \param ctx SHA-512 context * \param data buffer holding one block of data @@ -190,7 +190,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ) { - mbedtls_sha512_process_ext( ctx, data ); + mbedtls_internal_sha512_process( ctx, data ); } #undef MBEDTLS_DEPRECATED diff --git a/library/md2.c b/library/md2.c index 7dd2b6bcb..a5d768b25 100644 --- a/library/md2.c +++ b/library/md2.c @@ -116,7 +116,7 @@ int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ) } #if !defined(MBEDTLS_MD2_PROCESS_ALT) -int mbedtls_md2_process_ext( mbedtls_md2_context *ctx ) +int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ) { int i, j; unsigned char t = 0; 
@@ -179,7 +179,7 @@ int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, if( ctx->left == 16 ) { ctx->left = 0; - if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 ) return( ret ); } } @@ -202,11 +202,11 @@ int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, for( i = ctx->left; i < 16; i++ ) ctx->buffer[i] = x; - if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 ) return( ret ); memcpy( ctx->buffer, ctx->cksum, 16 ); - if( ( ret = mbedtls_md2_process_ext( ctx ) ) != 0 ) + if( ( ret = mbedtls_internal_md2_process( ctx ) ) != 0 ) return( ret ); memcpy( output, ctx->state, 16 ); diff --git a/library/md4.c b/library/md4.c index 9239b6344..da4df7b14 100644 --- a/library/md4.c +++ b/library/md4.c @@ -112,8 +112,8 @@ int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ) } #if !defined(MBEDTLS_MD4_PROCESS_ALT) -int mbedtls_md4_process_ext( mbedtls_md4_context *ctx, - const unsigned char data[64] ) +int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, + const unsigned char data[64] ) { uint32_t X[16], A, B, C, D; @@ -247,7 +247,7 @@ int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, memcpy( (void *) (ctx->buffer + left), (void *) input, fill ); - if( ( ret = mbedtls_md4_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_md4_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; @@ -257,7 +257,7 @@ int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, while( ilen >= 64 ) { - if( ( ret = mbedtls_md4_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_md4_process( ctx, input ) ) != 0 ) return( ret ); input += 64; diff --git a/library/md5.c b/library/md5.c index dd046af85..8150f941d 100644 --- a/library/md5.c +++ b/library/md5.c 
@@ -111,8 +111,8 @@ int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ) } #if !defined(MBEDTLS_MD5_PROCESS_ALT) -int mbedtls_md5_process_ext( mbedtls_md5_context *ctx, - const unsigned char data[64] ) +int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, + const unsigned char data[64] ) { uint32_t X[16], A, B, C, D; @@ -264,7 +264,7 @@ int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, if( left && ilen >= fill ) { memcpy( (void *) (ctx->buffer + left), input, fill ); - if( ( ret = mbedtls_md5_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_md5_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; @@ -274,7 +274,7 @@ int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, while( ilen >= 64 ) { - if( ( ret = mbedtls_md5_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_md5_process( ctx, input ) ) != 0 ) return( ret ); input += 64; diff --git a/library/ripemd160.c b/library/ripemd160.c index f1d1f1e9d..8bf988eae 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -114,8 +114,8 @@ int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ) /* * Process one block */ -int mbedtls_ripemd160_process_ext( mbedtls_ripemd160_context *ctx, - const unsigned char data[64] ) +int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, + const unsigned char data[64] ) { uint32_t A, B, C, D, E, Ap, Bp, Cp, Dp, Ep, X[16]; @@ -322,7 +322,7 @@ int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, { memcpy( (void *) (ctx->buffer + left), input, fill ); - if( ( ret = mbedtls_ripemd160_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_ripemd160_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; 
@@ -332,7 +332,7 @@ int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, while( ilen >= 64 ) { - if( ( ret = mbedtls_ripemd160_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_ripemd160_process( ctx, input ) ) != 0 ) return( ret ); input += 64; diff --git a/library/sha1.c b/library/sha1.c index d2ec8bae9..fdd087868 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -112,8 +112,8 @@ int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ) } #if !defined(MBEDTLS_SHA1_PROCESS_ALT) -int mbedtls_sha1_process_ext( mbedtls_sha1_context *ctx, - const unsigned char data[64] ) +int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, + const unsigned char data[64] ) { uint32_t temp, W[16], A, B, C, D, E; @@ -299,7 +299,7 @@ int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, { memcpy( (void *) (ctx->buffer + left), input, fill ); - if( ( ret = mbedtls_sha1_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; @@ -309,7 +309,7 @@ int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, while( ilen >= 64 ) { - if( ( ret = mbedtls_sha1_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 ) return( ret ); input += 64; diff --git a/library/sha256.c b/library/sha256.c index 337b8e643..88435a3c4 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -181,7 +181,7 @@ static const uint32_t K[] = d += temp1; h = temp1 + temp2; \ } -int mbedtls_sha256_process_ext( mbedtls_sha256_context *ctx, +int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) { uint32_t temp1, temp2, W[64]; 
@@ -267,7 +267,7 @@ int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, { memcpy( (void *) (ctx->buffer + left), input, fill ); - if( ( ret = mbedtls_sha256_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; @@ -277,7 +277,7 @@ int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, while( ilen >= 64 ) { - if( ( ret = mbedtls_sha256_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 ) return( ret ); input += 64; diff --git a/library/sha512.c b/library/sha512.c index 74c7533b3..ff7e5ca5b 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -198,8 +198,8 @@ static const uint64_t K[80] = UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817) }; -int mbedtls_sha512_process_ext( mbedtls_sha512_context *ctx, - const unsigned char data[128] ) +int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, + const unsigned char data[128] ) { int i; uint64_t temp1, temp2, W[80]; @@ -297,7 +297,7 @@ int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, { memcpy( (void *) (ctx->buffer + left), input, fill ); - if( ( ret = mbedtls_sha512_process_ext( ctx, ctx->buffer ) ) != 0 ) + if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 ) return( ret ); input += fill; @@ -307,7 +307,7 @@ int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, while( ilen >= 128 ) { - if( ( ret = mbedtls_sha512_process_ext( ctx, input ) ) != 0 ) + if( ( ret = mbedtls_internal_sha512_process( ctx, input ) ) != 0 ) return( ret ); input += 128; From b71b6307308b6615f006b9c9e450ba54eb109b7e Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 10:51:17 +0100 Subject: [PATCH 023/177] Change test suites to use new MD API with ret code --- tests/suites/test_suite_mdx.function | 16 ++++++++++++---- tests/suites/test_suite_shax.function | 10 +++++----- 2 files changed, 17 insertions(+), 9 deletions(-) 
diff --git a/tests/suites/test_suite_mdx.function b/tests/suites/test_suite_mdx.function index 9d0ee471f..387e7eeb7 100644 --- a/tests/suites/test_suite_mdx.function +++ b/tests/suites/test_suite_mdx.function @@ -8,6 +8,7 @@ /* BEGIN_CASE depends_on:MBEDTLS_MD2_C */ void md2_text( char *text_src_string, char *hex_hash_string ) { + int ret; unsigned char src_str[100]; unsigned char hash_str[33]; unsigned char output[16]; @@ -18,7 +19,8 @@ void md2_text( char *text_src_string, char *hex_hash_string ) strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 ); - mbedtls_md2( src_str, strlen( (char *) src_str ), output ); + ret = mbedtls_md2_ext( src_str, strlen( (char *) src_str ), output ); + TEST_ASSERT( ret == 0 ) ; hexify( hash_str, output, sizeof output ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -28,6 +30,7 @@ void md2_text( char *text_src_string, char *hex_hash_string ) /* BEGIN_CASE depends_on:MBEDTLS_MD4_C */ void md4_text( char *text_src_string, char *hex_hash_string ) { + int ret; unsigned char src_str[100]; unsigned char hash_str[33]; unsigned char output[16]; @@ -38,7 +41,8 @@ void md4_text( char *text_src_string, char *hex_hash_string ) strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 ); - mbedtls_md4( src_str, strlen( (char *) src_str ), output ); + ret = mbedtls_md4_ext( src_str, strlen( (char *) src_str ), output ); + TEST_ASSERT( ret == 0 ); hexify( hash_str, output, sizeof output ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -48,6 +52,7 @@ void md4_text( char *text_src_string, char *hex_hash_string ) /* BEGIN_CASE depends_on:MBEDTLS_MD5_C */ void md5_text( char *text_src_string, char *hex_hash_string ) { + int ret; unsigned char src_str[100]; unsigned char hash_str[33]; unsigned char output[16]; 
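Review bot: `TEST_ASSERT( ret == 0 ) ;` in md2_text has a stray space before the semicolon, unlike the md4, md5 and ripemd160 cases added in the same file, which write `TEST_ASSERT( ret == 0 );`. Worth aligning now so the four cases stay copy-paste identical.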
@@ -58,7 +63,8 @@ void md5_text( char *text_src_string, char *hex_hash_string ) strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 ); - mbedtls_md5( src_str, strlen( (char *) src_str ), output ); + ret = mbedtls_md5_ext( src_str, strlen( (char *) src_str ), output ); + TEST_ASSERT( ret == 0 ); hexify( hash_str, output, sizeof output ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -68,6 +74,7 @@ void md5_text( char *text_src_string, char *hex_hash_string ) /* BEGIN_CASE depends_on:MBEDTLS_RIPEMD160_C */ void ripemd160_text( char *text_src_string, char *hex_hash_string ) { + int ret; unsigned char src_str[100]; unsigned char hash_str[41]; unsigned char output[20]; @@ -78,7 +85,8 @@ void ripemd160_text( char *text_src_string, char *hex_hash_string ) strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 ); - mbedtls_ripemd160( src_str, strlen( (char *) src_str ), output ); + ret = mbedtls_ripemd160_ext( src_str, strlen( (char *) src_str ), output ); + TEST_ASSERT( ret == 0 ); hexify( hash_str, output, sizeof output ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); diff --git a/tests/suites/test_suite_shax.function b/tests/suites/test_suite_shax.function index 6b3ee9c54..b6f8f510c 100644 --- a/tests/suites/test_suite_shax.function +++ b/tests/suites/test_suite_shax.function @@ -18,7 +18,7 @@ void mbedtls_sha1( char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - mbedtls_sha1( src_str, src_len, output ); + TEST_ASSERT( mbedtls_sha1_ext( src_str, src_len, output ) == 0 ); hexify( hash_str, output, 20 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); 
@@ -39,7 +39,7 @@ void sha224(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - mbedtls_sha256( src_str, src_len, output, 1 ); + TEST_ASSERT( mbedtls_sha256_ext( src_str, src_len, output, 1 ) == 0 ); hexify( hash_str, output, 28 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -60,7 +60,7 @@ void mbedtls_sha256(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - mbedtls_sha256( src_str, src_len, output, 0 ); + TEST_ASSERT( mbedtls_sha256_ext( src_str, src_len, output, 0 ) == 0 ); hexify( hash_str, output, 32 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -81,7 +81,7 @@ void sha384(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - mbedtls_sha512( src_str, src_len, output, 1 ); + TEST_ASSERT( mbedtls_sha512_ext( src_str, src_len, output, 1 ) == 0 ); hexify( hash_str, output, 48 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -102,7 +102,7 @@ void mbedtls_sha512(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - mbedtls_sha512( src_str, src_len, output, 0); + TEST_ASSERT( mbedtls_sha512_ext( src_str, src_len, output, 0 ) == 0 ); hexify( hash_str, output, 64 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); From 8d8204fc6f71375f8163961900a6c8852ad5b4e8 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 11:07:30 +0100 Subject: [PATCH 024/177] Change x509write_crt to use new MD API ret code --- library/x509write_crt.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/library/x509write_crt.c b/library/x509write_crt.c index d1d9a22a7..3faad7c5a 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c 
@@ -177,8 +177,11 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct memset( buf, 0, sizeof(buf) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) ); - mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 ); - c = buf + sizeof(buf) - 20; + ret = mbedtls_sha1_ext( buf + sizeof( buf ) - len, len, + buf + sizeof( buf ) - 20 ); + if( ret != 0 ) + return( ret ); + c = buf + sizeof( buf ) - 20; len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); @@ -199,8 +202,11 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert * memset( buf, 0, sizeof(buf) ); MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) ); - mbedtls_sha1( buf + sizeof(buf) - len, len, buf + sizeof(buf) - 20 ); - c = buf + sizeof(buf) - 20; + ret = mbedtls_sha1_ext( buf + sizeof( buf ) - len, len, + buf + sizeof( buf ) - 20 ); + if( ret != 0 ) + return( ret ); + c = buf + sizeof( buf ) - 20; len = 20; MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) ); @@ -398,7 +404,11 @@ int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, /* * Make signature */ - mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash ); + if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, + len, hash ) ) != 0 ) + { + return( ret ); + } if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len, f_rng, p_rng ) ) != 0 ) From 698089e07e59c61cd84414f48230506145ee96e0 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 11:46:46 +0100 Subject: [PATCH 025/177] Change RSA to use new MD API and check return code --- library/rsa.c | 149 ++++++++++++++++++++++++++++++-------------------- 1 file changed, 91 insertions(+), 58 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index bdd2538c3..bd97d521b 100644 --- a/library/rsa.c +++ b/library/rsa.c 
@@ -566,7 +566,7 @@ cleanup: * \param slen length of the source buffer * \param md_ctx message digest context to use */ -static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, +static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, size_t slen, mbedtls_md_context_t *md_ctx ) { unsigned char mask[MBEDTLS_MD_MAX_SIZE]; @@ -574,6 +574,7 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, unsigned char *p; unsigned int hlen; size_t i, use_len; + int ret; memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); memset( counter, 0, 4 ); @@ -589,10 +590,14 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, if( dlen < hlen ) use_len = dlen; - mbedtls_md_starts( md_ctx ); - mbedtls_md_update( md_ctx, src, slen ); - mbedtls_md_update( md_ctx, counter, 4 ); - mbedtls_md_finish( md_ctx, mask ); + if( ( ret = mbedtls_md_starts( md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( md_ctx, src, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( md_ctx, counter, 4 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( md_ctx, mask ) ) != 0 ) + goto exit; for( i = 0; i < use_len; ++i ) *p++ ^= mask[i]; @@ -602,7 +607,10 @@ static void mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, dlen -= use_len; } +exit: mbedtls_zeroize( mask, sizeof( mask ) ); + + return( ret ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -654,7 +662,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, p += hlen; /* Construct DB */ - mbedtls_md( md_info, label, label_len, p ); + if( ( ret = mbedtls_md( md_info, label, label_len, p ) ) != 0 ) + return( ret ); p += hlen; p += olen - 2 * hlen - 2 - ilen; *p++ = 1; 
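Review bot: `ret` is declared without an initializer in mgf_mask (`+ int ret;`) yet is returned unconditionally at the new `exit:` label, so if the loop wrapping the md_starts/md_update/md_finish calls never executes (its header is outside this hunk; it appears to iterate while `dlen` is positive), the caller receives an indeterminate value and may treat a successful no-op mask as a failure or vice versa. Initialize it, `int ret = 0;`, so the only way to reach `exit:` with a nonzero value is one of the four goto paths. The enclosing while loop starts before the third hunk of this file section.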
@@ -662,21 +671,24 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - return( ret ); - } + goto exit; /* maskedDB: Apply dbMask to DB */ - mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, - &md_ctx ); + if( ( ret = mgf_mask( output + hlen + 1, olen - hlen - 1, output + 1, hlen, + &md_ctx ) ) != 0 ) + goto exit; /* maskedSeed: Apply seedMask to seed */ - mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, - &md_ctx ); + if( ( ret = mgf_mask( output + 1, hlen, output + hlen + 1, olen - hlen - 1, + &md_ctx ) ) != 0 ) + goto exit; +exit: mbedtls_md_free( &md_ctx ); + if( ret != 0 ) + return( ret ); + return( ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, output, output ) : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); @@ -843,20 +855,23 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, goto cleanup; } - - /* Generate lHash */ - mbedtls_md( md_info, label, label_len, lhash ); - /* seed: Apply seedMask to maskedSeed */ - mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, - &md_ctx ); - + if( ( ret = mgf_mask( buf + 1, hlen, buf + hlen + 1, ilen - hlen - 1, + &md_ctx ) ) != 0 || /* DB: Apply dbMask to maskedDB */ - mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, - &md_ctx ); + ( ret = mgf_mask( buf + hlen + 1, ilen - hlen - 1, buf + 1, hlen, + &md_ctx ) ) != 0 ) + { + mbedtls_md_free( &md_ctx ); + goto cleanup; + } mbedtls_md_free( &md_ctx ); + /* Generate lHash */ + if( ( ret = mbedtls_md( md_info, label, label_len, lhash ) ) != 0 ) + goto cleanup; + /* * Check contents, in "constant-time" */ 
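Review bot: In mbedtls_rsa_rsaes_oaep_decrypt the `/* DB: Apply dbMask to maskedDB */` comment now sits inside a single `||` condition, between the first `!= 0 ||` and the second `( ret = mgf_mask(` operand, which makes the condition hard to read and the comment easy to miss. Give each call its own `if( ( ret = mgf_mask( ... ) ) != 0 )` with the comment above it, as the encrypt path earlier in this hunk already does; the two-statement error block (`mbedtls_md_free( &md_ctx ); goto cleanup;`) is small enough to repeat or to hoist under a label. The enclosing function continues outside the hunk.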
@@ -1107,28 +1122,28 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - /* No need to zeroize salt: we didn't use it. */ - return( ret ); - } + goto exit; /* Generate H = Hash( M' ) */ - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, p, 8 ); - mbedtls_md_update( &md_ctx, hash, hashlen ); - mbedtls_md_update( &md_ctx, salt, slen ); - mbedtls_md_finish( &md_ctx, p ); - mbedtls_zeroize( salt, sizeof( salt ) ); + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, p, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, salt, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( &md_ctx, p ) ) != 0 ) + goto exit; /* Compensate for boundary condition when applying mask */ if( msb % 8 == 0 ) offset = 1; /* maskedDB: Apply dbMask to DB */ - mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, &md_ctx ); - - mbedtls_md_free( &md_ctx ); + if( ( ret = mgf_mask( sig + offset, olen - hlen - 1 - offset, p, hlen, + &md_ctx ) ) != 0 ) + goto exit; msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; sig[0] &= 0xFF >> ( olen * 8 - msb ); @@ -1136,6 +1151,14 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, p += hlen; *p++ = 0xBC; + mbedtls_zeroize( salt, sizeof( salt ) ); + +exit: + mbedtls_md_free( &md_ctx ); + + if( ret != 0 ) + return( ret ); + return( ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, sig ) : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); 
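Review bot: On the new error paths in mbedtls_rsa_rsassa_pss_sign, `salt` is no longer zeroized: `mbedtls_zeroize( salt, sizeof( salt ) );` is placed before the `exit:` label in the second hunk, so a failure in mbedtls_md_update, mbedtls_md_finish or mgf_mask jumps past it after the salt has already been fed into the hash, whereas the removed code zeroized immediately after `mbedtls_md_finish`. Move the zeroize under the label so every path covers it: `exit:` / `mbedtls_zeroize( salt, sizeof( salt ) );` / `mbedtls_md_free( &md_ctx );` (the removed "No need to zeroize salt" shortcut for the md_setup failure is harmless to drop). The function body starts before this hunk.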
@@ -1382,23 +1405,21 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) - { - mbedtls_md_free( &md_ctx ); - return( ret ); - } + goto exit; - mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); + if( ( ret = mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, + &md_ctx ) ) != 0 ) + goto exit; buf[0] &= 0xFF >> ( siglen * 8 - msb ); while( p < buf + siglen && *p == 0 ) p++; - if( p == buf + siglen || - *p++ != 0x01 ) + if( p == buf + siglen || *p++ != 0x01 ) { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto exit; } /* Actual salt len */ @@ -1407,25 +1428,31 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && slen != (size_t) expected_salt_len ) { - mbedtls_md_free( &md_ctx ); - return( MBEDTLS_ERR_RSA_INVALID_PADDING ); + ret = MBEDTLS_ERR_RSA_INVALID_PADDING; + goto exit; } /* * Generate H = Hash( M' ) */ - mbedtls_md_starts( &md_ctx ); - mbedtls_md_update( &md_ctx, zeros, 8 ); - mbedtls_md_update( &md_ctx, hash, hashlen ); - mbedtls_md_update( &md_ctx, p, slen ); - mbedtls_md_finish( &md_ctx, result ); + if( ( ret = mbedtls_md_starts( &md_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, zeros, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, hash, hashlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_update( &md_ctx, p, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md_finish( &md_ctx, result ) ) != 0 ) + goto exit; + if( ( ret = memcmp( p + slen, result, hlen ) ) != 0 ) + ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; + +exit: mbedtls_md_free( &md_ctx ); - if( memcmp( p + slen, result, hlen ) == 0 ) - return( 0 ); - else - return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); + return( ret ); } /* 
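Review bot: `if( ( ret = memcmp( p + slen, result, hlen ) ) != 0 ) ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;` stores memcmp's ordering result in `ret` only to overwrite it, which reads as though the memcmp value were meaningful on the way out. `if( memcmp( p + slen, result, hlen ) != 0 ) ret = MBEDTLS_ERR_RSA_VERIFY_FAILED;` says the same thing and relies on `ret` already being 0 from the preceding `mbedtls_md_finish` check, so the success path is explicit rather than a side effect of memcmp returning 0. The function continues beyond this hunk on both sides.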
@@ -1829,7 +1856,13 @@ int mbedtls_rsa_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " PKCS#1 data sign : " ); - mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); + if( mbedtls_sha1_ext( rsa_plaintext, PT_LEN, sha1sum ) != 0 ) + { + if( verbose != 0 ) + mbedtls_printf( "failed\n" ); + + return( 1 ); + } if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 ) From f0e521e9f10c8552601b2f078c05ff1ecc69fec5 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 12:11:42 +0100 Subject: [PATCH 026/177] Change ssl_cli to new MD API and check return code --- library/ssl_cli.c | 59 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 41 insertions(+), 18 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index a2b9f8cfe..86267f5c1 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2493,8 +2493,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) mbedtls_md5_context mbedtls_md5; mbedtls_sha1_context mbedtls_sha1; - mbedtls_md5_init( &mbedtls_md5 ); - mbedtls_sha1_init( &mbedtls_sha1 ); + mbedtls_md5_init( &mbedtls_md5 ); hashlen = 36; 
@@ -2511,17 +2510,39 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) * SHA(ClientHello.random + ServerHello.random * + ServerParams); */ - mbedtls_md5_starts( &mbedtls_md5 ); - mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); - mbedtls_md5_update( &mbedtls_md5, params, params_len ); - mbedtls_md5_finish( &mbedtls_md5, hash ); + if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 || + ( ret = mbedtls_md5_update_ext( &mbedtls_md5, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_md5_update_ext( &mbedtls_md5, params, + params_len ) ) != 0 || + ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, hash ) ) != 0 ) + { + mbedtls_md5_free( &mbedtls_md5 ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_*", ret ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( ret ); + } - mbedtls_sha1_starts( &mbedtls_sha1 ); - mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); - mbedtls_sha1_update( &mbedtls_sha1, params, params_len ); - mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); + mbedtls_md5_free( &mbedtls_md5 ); + + mbedtls_sha1_init( &mbedtls_sha1 ); + + if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 || + ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, params, + params_len ) ) != 0 || + ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1, + hash + 16 ) ) != 0 ) + { + mbedtls_sha1_free( &mbedtls_sha1 ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_*", ret ); + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + return( ret ); + } - mbedtls_md5_free( &mbedtls_md5 ); mbedtls_sha1_free( &mbedtls_sha1 ); } else 
@@ -2532,6 +2553,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) if( md_alg != MBEDTLS_MD_NONE ) { mbedtls_md_context_t ctx; + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); mbedtls_md_init( &ctx ); @@ -2545,19 +2567,20 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) * ServerDHParams params; * }; */ - if( ( ret = mbedtls_md_setup( &ctx, - mbedtls_md_info_from_type( md_alg ), 0 ) ) != 0 ) + if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 || + ( ret = mbedtls_md_starts( &ctx ) ) != 0 || + ( ret = mbedtls_md_update( &ctx, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_md_update( &ctx, params, params_len ) ) != 0 || + ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); + mbedtls_md_free( &ctx ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_*", ret ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); return( ret ); } - mbedtls_md_starts( &ctx ); - mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); - mbedtls_md_update( &ctx, params, params_len ); - mbedtls_md_finish( &ctx, hash ); mbedtls_md_free( &ctx ); } else From d21d625e1fa8838286ac0daa06ae5aebca20c367 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 12:49:17 +0100 Subject: [PATCH 027/177] Change ssl_srv to new MD API and check return code --- library/ssl_srv.c | 59 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f137c3dce..f08a9bde1 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3099,8 +3099,7 @@ curve_matching_done: mbedtls_md5_context mbedtls_md5; mbedtls_sha1_context mbedtls_sha1; - mbedtls_md5_init( &mbedtls_md5 ); - mbedtls_sha1_init( &mbedtls_sha1 ); + mbedtls_md5_init( &mbedtls_md5 ); /* * digitally-signed struct { 
@@ -3116,20 +3115,38 @@ curve_matching_done: * + ServerParams); */ - mbedtls_md5_starts( &mbedtls_md5 ); - mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); - mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len ); - mbedtls_md5_finish( &mbedtls_md5, hash ); + if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 || + ( ret = mbedtls_md5_update_ext( &mbedtls_md5, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_md5_update_ext( &mbedtls_md5, dig_signed, + dig_signed_len ) ) != 0 || + ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, hash ) ) != 0 ) + { + mbedtls_md5_free( &mbedtls_md5 ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_*", ret ); + return( ret ); + } - mbedtls_sha1_starts( &mbedtls_sha1 ); - mbedtls_sha1_update( &mbedtls_sha1, ssl->handshake->randbytes, 64 ); - mbedtls_sha1_update( &mbedtls_sha1, dig_signed, dig_signed_len ); - mbedtls_sha1_finish( &mbedtls_sha1, hash + 16 ); + mbedtls_md5_free( &mbedtls_md5 ); + + mbedtls_sha1_init( &mbedtls_sha1 ); + + if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 || + ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, dig_signed, + dig_signed_len ) ) != 0 || + ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1, + hash + 16 ) ) != 0 ) + { + mbedtls_sha1_free( &mbedtls_sha1 ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_*", ret ); + return( ret ); + } + + mbedtls_sha1_free( &mbedtls_sha1 ); hashlen = 36; - - mbedtls_md5_free( &mbedtls_md5 ); - mbedtls_sha1_free( &mbedtls_sha1 ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 
@@ -3153,16 +3170,20 @@ curve_matching_done: * ServerDHParams params; * }; */ - if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) + if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 || + ( ret = mbedtls_md_starts( &ctx ) ) != 0 || + ( ret = mbedtls_md_update( &ctx, + ssl->handshake->randbytes, 64 ) ) != 0 || + ( ret = mbedtls_md_update( &ctx, dig_signed, + dig_signed_len ) ) != 0 || + ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); + mbedtls_md_free( &ctx ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_*", ret ); return( ret ); } - mbedtls_md_starts( &ctx ); - mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ); - mbedtls_md_update( &ctx, dig_signed, dig_signed_len ); - mbedtls_md_finish( &ctx, hash ); + mbedtls_md_free( &ctx ); } else From 1ff60f437f8a5bfe5b7a1107a3149f1ce0a50dc9 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 13:26:36 +0100 Subject: [PATCH 028/177] Change examples to use the new MD API and check ret code --- programs/hash/hello.c | 11 +++++++---- programs/pkey/dh_client.c | 6 +++++- programs/pkey/dh_server.c | 6 +++++- programs/pkey/ecdsa.c | 11 +++++------ programs/test/benchmark.c | 12 ++++++------ 5 files changed, 28 insertions(+), 18 deletions(-) diff --git a/programs/hash/hello.c b/programs/hash/hello.c index df420f284..a69154f55 100644 --- a/programs/hash/hello.c +++ b/programs/hash/hello.c @@ -29,7 +29,9 @@ #include "mbedtls/platform.h" #else #include -#define mbedtls_printf printf +#define mbedtls_printf printf +#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS +#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE #endif #if defined(MBEDTLS_MD5_C) 
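Review bot: In hello.c the new `MBEDTLS_EXIT_SUCCESS`/`MBEDTLS_EXIT_FAILURE` fallbacks expand to `EXIT_SUCCESS`/`EXIT_FAILURE`, which `<stdlib.h>` declares, but the hunk adds no include to the `#else` branch. The name of the one existing `#include` there was lost in this rendering, so this is hedged: unless that include is already `<stdlib.h>`, the non-`MBEDTLS_PLATFORM_C` build fails at `main`'s new return statements. Adding `#include <stdlib.h>` next to the existing include would make the fallback self-contained.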
@@ -45,13 +47,14 @@ int main( void ) #else int main( void ) { - int i; + int i, ret; unsigned char digest[16]; char str[] = "Hello, world!"; mbedtls_printf( "\n MD5('%s') = ", str ); - mbedtls_md5( (unsigned char *) str, 13, digest ); + if( ( ret = mbedtls_md5_ext( (unsigned char *) str, 13, digest ) ) != 0 ) + return( MBEDTLS_EXIT_FAILURE ); for( i = 0; i < 16; i++ ) mbedtls_printf( "%02x", digest[i] ); @@ -63,6 +66,6 @@ int main( void ) fflush( stdout ); getchar(); #endif - return( 0 ); + return( MBEDTLS_EXIT_SUCCESS ); } #endif /* MBEDTLS_MD5_C */ diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 875d0b083..21c4a815f 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -212,7 +212,11 @@ int main( void ) goto exit; } - mbedtls_sha1( buf, (int)( p - 2 - buf ), hash ); + if( ( ret = mbedtls_sha1_ext( buf, (int)( p - 2 - buf ), hash ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_sha1_ext returned %d\n\n", ret ); + goto exit; + } if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 0, hash, p ) ) != 0 ) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 8bf2b1b29..daa96e64c 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -203,7 +203,11 @@ int main( void ) /* * 5. Sign the parameters and send them */ - mbedtls_sha1( buf, n, hash ); + if( ( ret = mbedtls_sha1_ext( buf, n, hash ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_sha1_ext returned %d\n\n", ret ); + goto exit; + } buf[n ] = (unsigned char)( rsa.len >> 8 ); buf[n + 1] = (unsigned char)( rsa.len ); diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c index c3ce56a0f..ecb6c2230 100644 --- a/programs/pkey/ecdsa.c +++ b/programs/pkey/ecdsa.c 
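Review bot: In hello.c's main, `ret` is captured from mbedtls_md5_ext only to be compared with 0 and then discarded, and the failure path returns silently after the `MD5('%s') = ` prefix has already been printed, leaving a half-written line with no indication of what went wrong. Either print the code before returning, `mbedtls_printf( "failed\n ! mbedtls_md5_ext returned %d\n", ret );`, matching the message style the dh_client.c and dh_server.c hunks in this same commit use, or drop `ret` and test the call directly.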
@@ -102,7 +102,6 @@ int main( int argc, char *argv[] ) mbedtls_ecdsa_context ctx_sign, ctx_verify; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - mbedtls_sha256_context sha256_ctx; unsigned char message[100]; unsigned char hash[32]; unsigned char sig[MBEDTLS_ECDSA_MAX_LEN]; @@ -113,7 +112,6 @@ int main( int argc, char *argv[] ) mbedtls_ecdsa_init( &ctx_sign ); mbedtls_ecdsa_init( &ctx_verify ); mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_sha256_init( &sha256_ctx ); memset( sig, 0, sizeof( sig ) ); memset( message, 0x25, sizeof( message ) ); @@ -165,9 +163,11 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Computing message hash..." ); fflush( stdout ); - mbedtls_sha256_starts( &sha256_ctx, 0 ); - mbedtls_sha256_update( &sha256_ctx, message, sizeof( message ) ); - mbedtls_sha256_finish( &sha256_ctx, hash ); + if( ( ret = mbedtls_sha256_ext( message, sizeof( message ), hash, 0 ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_sha256_ext returned %d\n", ret ); + goto exit; + } mbedtls_printf( " ok\n" ); @@ -242,7 +242,6 @@ exit: mbedtls_ecdsa_free( &ctx_sign ); mbedtls_ctr_drbg_free( &ctr_drbg ); mbedtls_entropy_free( &entropy ); - mbedtls_sha256_free( &sha256_ctx ); return( ret ); } diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index eb578e730..6ec7cf561 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c 
@@ -327,32 +327,32 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_MD4_C) if( todo.md4 ) - TIME_AND_TSC( "MD4", mbedtls_md4( buf, BUFSIZE, tmp ) ); + TIME_AND_TSC( "MD4", mbedtls_md4_ext( buf, BUFSIZE, tmp ) ); #endif #if defined(MBEDTLS_MD5_C) if( todo.md5 ) - TIME_AND_TSC( "MD5", mbedtls_md5( buf, BUFSIZE, tmp ) ); + TIME_AND_TSC( "MD5", mbedtls_md5_ext( buf, BUFSIZE, tmp ) ); #endif #if defined(MBEDTLS_RIPEMD160_C) if( todo.ripemd160 ) - TIME_AND_TSC( "RIPEMD160", mbedtls_ripemd160( buf, BUFSIZE, tmp ) ); + TIME_AND_TSC( "RIPEMD160", mbedtls_ripemd160_ext( buf, BUFSIZE, tmp ) ); #endif #if defined(MBEDTLS_SHA1_C) if( todo.sha1 ) - TIME_AND_TSC( "SHA-1", mbedtls_sha1( buf, BUFSIZE, tmp ) ); + TIME_AND_TSC( "SHA-1", mbedtls_sha1_ext( buf, BUFSIZE, tmp ) ); #endif #if defined(MBEDTLS_SHA256_C) if( todo.sha256 ) - TIME_AND_TSC( "SHA-256", mbedtls_sha256( buf, BUFSIZE, tmp, 0 ) ); + TIME_AND_TSC( "SHA-256", mbedtls_sha256_ext( buf, BUFSIZE, tmp, 0 ) ); #endif #if defined(MBEDTLS_SHA512_C) if( todo.sha512 ) - TIME_AND_TSC( "SHA-512", mbedtls_sha512( buf, BUFSIZE, tmp, 0 ) ); + TIME_AND_TSC( "SHA-512", mbedtls_sha512_ext( buf, BUFSIZE, tmp, 0 ) ); #endif #if defined(MBEDTLS_ARC4_C) From 5f872df26a8d96f35eb9a66b675eea7cc3e7d582 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 14:12:44 +0100 Subject: [PATCH 029/177] Change func ptrs to have ret val in MD layer This patch modifies the internal md context structure in md_wrap.c to add return values to the function pointers. This enables us to use the new API in the corresponding MD modules so that failures can be found at any point in an MD computation. --- include/mbedtls/md_internal.h | 12 +-- library/md_wrap.c | 171 ++++++++++++++++++---------------- 2 files changed, 97 insertions(+), 86 deletions(-) diff --git a/include/mbedtls/md_internal.h b/include/mbedtls/md_internal.h index e2441bbc4..c20259816 100644 --- a/include/mbedtls/md_internal.h +++ b/include/mbedtls/md_internal.h 
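Review bot: Every `TIME_AND_TSC( ..., mbedtls_*_ext( buf, BUFSIZE, tmp ) )` line in this hunk now discards an `int` status, so a failing accelerator call would be timed and reported as a successful hash. The macro is defined outside the hunk; if it cannot be taught to check a status, an explicit `(void)` cast on each call, or a small wrapper that aborts on non-zero, would at least make the decision to ignore errors visible to the reader. The enclosing main starts and ends outside the hunk.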
@@ -58,17 +58,17 @@ struct mbedtls_md_info_t int block_size; /** Digest initialisation function */ - void (*starts_func)( void *ctx ); + int (*starts_func)( void *ctx ); /** Digest update function */ - void (*update_func)( void *ctx, const unsigned char *input, size_t ilen ); + int (*update_func)( void *ctx, const unsigned char *input, size_t ilen ); /** Digest finalisation function */ - void (*finish_func)( void *ctx, unsigned char *output ); + int (*finish_func)( void *ctx, unsigned char *output ); /** Generic digest function */ - void (*digest_func)( const unsigned char *input, size_t ilen, - unsigned char *output ); + int (*digest_func)( const unsigned char *input, size_t ilen, + unsigned char *output ); /** Allocate a new context */ void * (*ctx_alloc_func)( void ); @@ -80,7 +80,7 @@ struct mbedtls_md_info_t void (*clone_func)( void *dst, const void *src ); /** Internal use only */ - void (*process_func)( void *ctx, const unsigned char *input ); + int (*process_func)( void *ctx, const unsigned char *input ); }; #if defined(MBEDTLS_MD2_C) diff --git a/library/md_wrap.c b/library/md_wrap.c index 2cfcae200..bfd492736 100644 --- a/library/md_wrap.c +++ b/library/md_wrap.c 
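Review bot: The doc comments on the five function pointers that now return `int` (`starts_func` through `process_func`) still say nothing about what the value means, and this struct is the contract every md_wrap.c wrapper and md.c caller in the series is written against. Suggest extending each in the style `/** Digest initialisation function; returns 0 on success, non-zero on failure */`, which matches the `!= 0` checks the callers use. Whether the non-zero values are the MBEDTLS_ERR_* codes of the underlying hash module is not visible from this hunk and should be stated once it is decided.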
@@ -71,20 +71,20 @@ #if defined(MBEDTLS_MD2_C) -static void md2_starts_wrap( void *ctx ) +static int md2_starts_wrap( void *ctx ) { - mbedtls_md2_starts( (mbedtls_md2_context *) ctx ); + return( mbedtls_md2_starts_ext( (mbedtls_md2_context *) ctx ) ); } -static void md2_update_wrap( void *ctx, const unsigned char *input, +static int md2_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_md2_update( (mbedtls_md2_context *) ctx, input, ilen ); + return( mbedtls_md2_update_ext( (mbedtls_md2_context *) ctx, input, ilen ) ); } -static void md2_finish_wrap( void *ctx, unsigned char *output ) +static int md2_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_md2_finish( (mbedtls_md2_context *) ctx, output ); + return( mbedtls_md2_finish_ext( (mbedtls_md2_context *) ctx, output ) ); } static void *md2_ctx_alloc( void ) @@ -109,11 +109,11 @@ static void md2_clone_wrap( void *dst, const void *src ) (const mbedtls_md2_context *) src ); } -static void md2_process_wrap( void *ctx, const unsigned char *data ) +static int md2_process_wrap( void *ctx, const unsigned char *data ) { ((void) data); - mbedtls_md2_process( (mbedtls_md2_context *) ctx ); + return( mbedtls_internal_md2_process( (mbedtls_md2_context *) ctx ) ); } const mbedtls_md_info_t mbedtls_md2_info = { @@ -124,7 +124,7 @@ const mbedtls_md_info_t mbedtls_md2_info = { md2_starts_wrap, md2_update_wrap, md2_finish_wrap, - mbedtls_md2, + mbedtls_md2_ext, md2_ctx_alloc, md2_ctx_free, md2_clone_wrap, 
@@ -135,20 +135,20 @@ const mbedtls_md_info_t mbedtls_md2_info = { #if defined(MBEDTLS_MD4_C) -static void md4_starts_wrap( void *ctx ) +static int md4_starts_wrap( void *ctx ) { - mbedtls_md4_starts( (mbedtls_md4_context *) ctx ); + return( mbedtls_md4_starts_ext( (mbedtls_md4_context *) ctx ) ); } -static void md4_update_wrap( void *ctx, const unsigned char *input, +static int md4_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_md4_update( (mbedtls_md4_context *) ctx, input, ilen ); + return( mbedtls_md4_update_ext( (mbedtls_md4_context *) ctx, input, ilen ) ); } -static void md4_finish_wrap( void *ctx, unsigned char *output ) +static int md4_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_md4_finish( (mbedtls_md4_context *) ctx, output ); + return( mbedtls_md4_finish_ext( (mbedtls_md4_context *) ctx, output ) ); } static void *md4_ctx_alloc( void ) @@ -170,12 +170,12 @@ static void md4_ctx_free( void *ctx ) static void md4_clone_wrap( void *dst, const void *src ) { mbedtls_md4_clone( (mbedtls_md4_context *) dst, - (const mbedtls_md4_context *) src ); + (const mbedtls_md4_context *) src ); } -static void md4_process_wrap( void *ctx, const unsigned char *data ) +static int md4_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_md4_process( (mbedtls_md4_context *) ctx, data ); + return( mbedtls_internal_md4_process( (mbedtls_md4_context *) ctx, data ) ); } const mbedtls_md_info_t mbedtls_md4_info = { @@ -186,7 +186,7 @@ const mbedtls_md_info_t mbedtls_md4_info = { md4_starts_wrap, md4_update_wrap, md4_finish_wrap, - mbedtls_md4, + mbedtls_md4_ext, md4_ctx_alloc, md4_ctx_free, md4_clone_wrap, 
@@ -197,20 +197,20 @@ const mbedtls_md_info_t mbedtls_md4_info = { #if defined(MBEDTLS_MD5_C) -static void md5_starts_wrap( void *ctx ) +static int md5_starts_wrap( void *ctx ) { - mbedtls_md5_starts( (mbedtls_md5_context *) ctx ); + return( mbedtls_md5_starts_ext( (mbedtls_md5_context *) ctx ) ); } -static void md5_update_wrap( void *ctx, const unsigned char *input, +static int md5_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_md5_update( (mbedtls_md5_context *) ctx, input, ilen ); + return( mbedtls_md5_update_ext( (mbedtls_md5_context *) ctx, input, ilen ) ); } -static void md5_finish_wrap( void *ctx, unsigned char *output ) +static int md5_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_md5_finish( (mbedtls_md5_context *) ctx, output ); + return( mbedtls_md5_finish_ext( (mbedtls_md5_context *) ctx, output ) ); } static void *md5_ctx_alloc( void ) @@ -232,12 +232,12 @@ static void md5_ctx_free( void *ctx ) static void md5_clone_wrap( void *dst, const void *src ) { mbedtls_md5_clone( (mbedtls_md5_context *) dst, - (const mbedtls_md5_context *) src ); + (const mbedtls_md5_context *) src ); } -static void md5_process_wrap( void *ctx, const unsigned char *data ) +static int md5_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_md5_process( (mbedtls_md5_context *) ctx, data ); + return( mbedtls_internal_md5_process( (mbedtls_md5_context *) ctx, data ) ); } const mbedtls_md_info_t mbedtls_md5_info = { @@ -248,7 +248,7 @@ const mbedtls_md_info_t mbedtls_md5_info = { md5_starts_wrap, md5_update_wrap, md5_finish_wrap, - mbedtls_md5, + mbedtls_md5_ext, md5_ctx_alloc, md5_ctx_free, md5_clone_wrap, 
@@ -259,20 +259,22 @@ const mbedtls_md_info_t mbedtls_md5_info = { #if defined(MBEDTLS_RIPEMD160_C) -static void ripemd160_starts_wrap( void *ctx ) +static int ripemd160_starts_wrap( void *ctx ) { - mbedtls_ripemd160_starts( (mbedtls_ripemd160_context *) ctx ); + return( mbedtls_ripemd160_starts_ext( (mbedtls_ripemd160_context *) ctx ) ); } -static void ripemd160_update_wrap( void *ctx, const unsigned char *input, +static int ripemd160_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_ripemd160_update( (mbedtls_ripemd160_context *) ctx, input, ilen ); + return( mbedtls_ripemd160_update_ext( (mbedtls_ripemd160_context *) ctx, + input, ilen ) ); } -static void ripemd160_finish_wrap( void *ctx, unsigned char *output ) +static int ripemd160_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_ripemd160_finish( (mbedtls_ripemd160_context *) ctx, output ); + return( mbedtls_ripemd160_finish_ext( (mbedtls_ripemd160_context *) ctx, + output ) ); } static void *ripemd160_ctx_alloc( void ) @@ -297,9 +299,10 @@ static void ripemd160_clone_wrap( void *dst, const void *src ) (const mbedtls_ripemd160_context *) src ); } -static void ripemd160_process_wrap( void *ctx, const unsigned char *data ) +static int ripemd160_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_ripemd160_process( (mbedtls_ripemd160_context *) ctx, data ); + return( mbedtls_internal_ripemd160_process( + (mbedtls_ripemd160_context *) ctx, data ) ); } const mbedtls_md_info_t mbedtls_ripemd160_info = { @@ -310,7 +313,7 @@ const mbedtls_md_info_t mbedtls_ripemd160_info = { ripemd160_starts_wrap, ripemd160_update_wrap, ripemd160_finish_wrap, - mbedtls_ripemd160, + mbedtls_ripemd160_ext, ripemd160_ctx_alloc, ripemd160_ctx_free, ripemd160_clone_wrap, 
@@ -321,20 +324,21 @@ const mbedtls_md_info_t mbedtls_ripemd160_info = { #if defined(MBEDTLS_SHA1_C) -static void sha1_starts_wrap( void *ctx ) +static int sha1_starts_wrap( void *ctx ) { - mbedtls_sha1_starts( (mbedtls_sha1_context *) ctx ); + return( mbedtls_sha1_starts_ext( (mbedtls_sha1_context *) ctx ) ); } -static void sha1_update_wrap( void *ctx, const unsigned char *input, +static int sha1_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_sha1_update( (mbedtls_sha1_context *) ctx, input, ilen ); + return( mbedtls_sha1_update_ext( (mbedtls_sha1_context *) ctx, + input, ilen ) ); } -static void sha1_finish_wrap( void *ctx, unsigned char *output ) +static int sha1_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_sha1_finish( (mbedtls_sha1_context *) ctx, output ); + return( mbedtls_sha1_finish_ext( (mbedtls_sha1_context *) ctx, output ) ); } static void *sha1_ctx_alloc( void ) @@ -359,9 +363,10 @@ static void sha1_ctx_free( void *ctx ) mbedtls_free( ctx ); } -static void sha1_process_wrap( void *ctx, const unsigned char *data ) +static int sha1_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_sha1_process( (mbedtls_sha1_context *) ctx, data ); + return( mbedtls_internal_sha1_process( (mbedtls_sha1_context *) ctx, + data ) ); } const mbedtls_md_info_t mbedtls_sha1_info = { @@ -372,7 +377,7 @@ const mbedtls_md_info_t mbedtls_sha1_info = { sha1_starts_wrap, sha1_update_wrap, sha1_finish_wrap, - mbedtls_sha1, + mbedtls_sha1_ext, sha1_ctx_alloc, sha1_ctx_free, sha1_clone_wrap, 
@@ -386,26 +391,28 @@ const mbedtls_md_info_t mbedtls_sha1_info = { */ #if defined(MBEDTLS_SHA256_C) -static void sha224_starts_wrap( void *ctx ) +static int sha224_starts_wrap( void *ctx ) { - mbedtls_sha256_starts( (mbedtls_sha256_context *) ctx, 1 ); + return( mbedtls_sha256_starts_ext( (mbedtls_sha256_context *) ctx, 1 ) ); } -static void sha224_update_wrap( void *ctx, const unsigned char *input, +static int sha224_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - mbedtls_sha256_update( (mbedtls_sha256_context *) ctx, input, ilen ); + return( mbedtls_sha256_update_ext( (mbedtls_sha256_context *) ctx, + input, ilen ) ); } -static void sha224_finish_wrap( void *ctx, unsigned char *output ) +static int sha224_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_sha256_finish( (mbedtls_sha256_context *) ctx, output ); + return( mbedtls_sha256_finish_ext( (mbedtls_sha256_context *) ctx, + output ) ); } -static void sha224_wrap( const unsigned char *input, size_t ilen, - unsigned char *output ) +static int sha224_wrap( const unsigned char *input, size_t ilen, + unsigned char *output ) { - mbedtls_sha256( input, ilen, output, 1 ); + return( mbedtls_sha256_ext( input, ilen, output, 1 ) ); } static void *sha224_ctx_alloc( void ) @@ -430,9 +437,10 @@ static void sha224_clone_wrap( void *dst, const void *src ) (const mbedtls_sha256_context *) src ); } -static void sha224_process_wrap( void *ctx, const unsigned char *data ) +static int sha224_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_sha256_process( (mbedtls_sha256_context *) ctx, data ); + return( mbedtls_internal_sha256_process( (mbedtls_sha256_context *) ctx, + data ) ); } const mbedtls_md_info_t mbedtls_sha224_info = { 
@@ -450,15 +458,15 @@ const mbedtls_md_info_t mbedtls_sha224_info = { sha224_process_wrap, }; -static void sha256_starts_wrap( void *ctx ) +static int sha256_starts_wrap( void *ctx ) { - mbedtls_sha256_starts( (mbedtls_sha256_context *) ctx, 0 ); + return( mbedtls_sha256_starts_ext( (mbedtls_sha256_context *) ctx, 0 ) ); } -static void sha256_wrap( const unsigned char *input, size_t ilen, - unsigned char *output ) +static int sha256_wrap( const unsigned char *input, size_t ilen, + unsigned char *output ) { - mbedtls_sha256( input, ilen, output, 0 ); + return( mbedtls_sha256_ext( input, ilen, output, 0 ) ); } const mbedtls_md_info_t mbedtls_sha256_info = { @@ -480,26 +488,28 @@ const mbedtls_md_info_t mbedtls_sha256_info = { #if defined(MBEDTLS_SHA512_C) -static void sha384_starts_wrap( void *ctx ) +static int sha384_starts_wrap( void *ctx ) { - mbedtls_sha512_starts( (mbedtls_sha512_context *) ctx, 1 ); + return( mbedtls_sha512_starts_ext( (mbedtls_sha512_context *) ctx, 1 ) ); } -static void sha384_update_wrap( void *ctx, const unsigned char *input, - size_t ilen ) +static int sha384_update_wrap( void *ctx, const unsigned char *input, + size_t ilen ) { - mbedtls_sha512_update( (mbedtls_sha512_context *) ctx, input, ilen ); + return( mbedtls_sha512_update_ext( (mbedtls_sha512_context *) ctx, + input, ilen ) ); } -static void sha384_finish_wrap( void *ctx, unsigned char *output ) +static int sha384_finish_wrap( void *ctx, unsigned char *output ) { - mbedtls_sha512_finish( (mbedtls_sha512_context *) ctx, output ); + return( mbedtls_sha512_finish_ext( (mbedtls_sha512_context *) ctx, + output ) ); } -static void sha384_wrap( const unsigned char *input, size_t ilen, - unsigned char *output ) +static int sha384_wrap( const unsigned char *input, size_t ilen, + unsigned char *output ) { - mbedtls_sha512( input, ilen, output, 1 ); + return( mbedtls_sha512_ext( input, ilen, output, 1 ) ); } static void *sha384_ctx_alloc( void ) 
@@ -524,9 +534,10 @@ static void sha384_clone_wrap( void *dst, const void *src ) (const mbedtls_sha512_context *) src ); } -static void sha384_process_wrap( void *ctx, const unsigned char *data ) +static int sha384_process_wrap( void *ctx, const unsigned char *data ) { - mbedtls_sha512_process( (mbedtls_sha512_context *) ctx, data ); + return( mbedtls_internal_sha512_process( (mbedtls_sha512_context *) ctx, + data ) ); } const mbedtls_md_info_t mbedtls_sha384_info = { @@ -544,15 +555,15 @@ const mbedtls_md_info_t mbedtls_sha384_info = { sha384_process_wrap, }; -static void sha512_starts_wrap( void *ctx ) +static int sha512_starts_wrap( void *ctx ) { - mbedtls_sha512_starts( (mbedtls_sha512_context *) ctx, 0 ); + return( mbedtls_sha512_starts_ext( (mbedtls_sha512_context *) ctx, 0 ) ); } -static void sha512_wrap( const unsigned char *input, size_t ilen, - unsigned char *output ) +static int sha512_wrap( const unsigned char *input, size_t ilen, + unsigned char *output ) { - mbedtls_sha512( input, ilen, output, 0 ); + return( mbedtls_sha512_ext( input, ilen, output, 0 ) ); } const mbedtls_md_info_t mbedtls_sha512_info = { From 0dd4fa0f45f0e426eaa3e2c8a058c32b6ff087eb Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 28 Jun 2017 14:16:07 +0100 Subject: [PATCH 030/177] Fix functions in MD layer to check return codes --- library/md.c | 101 +++++++++++++++++++++++++++------------------------ 1 file changed, 54 insertions(+), 47 deletions(-) diff --git a/library/md.c b/library/md.c index eda98f636..a84f3042d 100644 --- a/library/md.c +++ b/library/md.c @@ -250,9 +250,7 @@ int mbedtls_md_starts( mbedtls_md_context_t *ctx ) if( ctx == NULL || ctx->md_info == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - ctx->md_info->starts_func( ctx->md_ctx ); - - return( 0 ); + return( ctx->md_info->starts_func( ctx->md_ctx ) ); } int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ) 
@@ -260,9 +258,7 @@ int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, si if( ctx == NULL || ctx->md_info == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - ctx->md_info->update_func( ctx->md_ctx, input, ilen ); - - return( 0 ); + return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) ); } int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output ) @@ -270,9 +266,7 @@ int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output ) if( ctx == NULL || ctx->md_info == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - ctx->md_info->finish_func( ctx->md_ctx, output ); - - return( 0 ); + return( ctx->md_info->finish_func( ctx->md_ctx, output ) ); } int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen, @@ -281,9 +275,7 @@ int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, si if( md_info == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - md_info->digest_func( input, ilen, output ); - - return( 0 ); + return( md_info->digest_func( input, ilen, output ) ); } #if defined(MBEDTLS_FS_IO) @@ -306,10 +298,12 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigne if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) goto cleanup; - md_info->starts_func( ctx.md_ctx ); + if( ( ret = md_info->starts_func( ctx.md_ctx ) ) != 0 ) + goto cleanup; while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 ) - md_info->update_func( ctx.md_ctx, buf, n ); + if( ( ret = md_info->update_func( ctx.md_ctx, buf, n ) ) != 0 ) + goto cleanup; if( ferror( f ) != 0 ) { @@ -317,7 +311,7 @@ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigne goto cleanup; } - md_info->finish_func( ctx.md_ctx, output ); + ret = md_info->finish_func( ctx.md_ctx, output ); cleanup: fclose( f ); 
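Review bot: In mbedtls_md_file the new `goto cleanup` inside the `while( ( n = fread( ... ) ) > 0 )` loop leaves `buf` holding the last chunk of the file on every exit path, and nothing visible under `cleanup:` wipes it; the file may well be a key. A `mbedtls_zeroize( buf, sizeof( buf ) );` as the first statement of the cleanup block covers the success, I/O-error and update-failure paths alike. Separately, the loop body is now an unbraced `if` nested in an unbraced `while`; braces around the body make the scope of the `goto` obvious. The cleanup block continues outside the hunk.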
@@ -329,6 +323,7 @@ cleanup: int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen ) { + int ret; unsigned char sum[MBEDTLS_MD_MAX_SIZE]; unsigned char *ipad, *opad; size_t i; @@ -338,9 +333,12 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, if( keylen > (size_t) ctx->md_info->block_size ) { - ctx->md_info->starts_func( ctx->md_ctx ); - ctx->md_info->update_func( ctx->md_ctx, key, keylen ); - ctx->md_info->finish_func( ctx->md_ctx, sum ); + if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 ) + goto cleanup; + if( ( ret = ctx->md_info->update_func( ctx->md_ctx, key, keylen ) ) != 0 ) + goto cleanup; + if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, sum ) ) != 0 ) + goto cleanup; keylen = ctx->md_info->size; key = sum; @@ -358,12 +356,15 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, opad[i] = (unsigned char)( opad[i] ^ key[i] ); } + if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 ) + goto cleanup; + ret = ctx->md_info->update_func( ctx->md_ctx, ipad, + ctx->md_info->block_size ); + +cleanup: mbedtls_zeroize( sum, sizeof( sum ) ); - ctx->md_info->starts_func( ctx->md_ctx ); - ctx->md_info->update_func( ctx->md_ctx, ipad, ctx->md_info->block_size ); - - return( 0 ); + return( ret ); } int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ) @@ -371,13 +372,12 @@ int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *inpu if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - ctx->md_info->update_func( ctx->md_ctx, input, ilen ); - - return( 0 ); + return( ctx->md_info->update_func( ctx->md_ctx, input, ilen ) ); } int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output ) { + int ret; unsigned char tmp[MBEDTLS_MD_MAX_SIZE]; unsigned char *opad; 
@@ -386,17 +386,22 @@ int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output ) opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size; - ctx->md_info->finish_func( ctx->md_ctx, tmp ); - ctx->md_info->starts_func( ctx->md_ctx ); - ctx->md_info->update_func( ctx->md_ctx, opad, ctx->md_info->block_size ); - ctx->md_info->update_func( ctx->md_ctx, tmp, ctx->md_info->size ); - ctx->md_info->finish_func( ctx->md_ctx, output ); - - return( 0 ); + if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, tmp ) ) != 0 ) + return( ret ); + if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 ) + return( ret ); + if( ( ret = ctx->md_info->update_func( ctx->md_ctx, opad, + ctx->md_info->block_size ) ) != 0 ) + return( ret ); + if( ( ret = ctx->md_info->update_func( ctx->md_ctx, tmp, + ctx->md_info->size ) ) != 0 ) + return( ret ); + return( ctx->md_info->finish_func( ctx->md_ctx, output ) ); } int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ) { + int ret; unsigned char *ipad; if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL ) @@ -404,15 +409,16 @@ int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ) ipad = (unsigned char *) ctx->hmac_ctx; - ctx->md_info->starts_func( ctx->md_ctx ); - ctx->md_info->update_func( ctx->md_ctx, ipad, ctx->md_info->block_size ); - - return( 0 ); + if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 ) + return( ret ); + return( ctx->md_info->update_func( ctx->md_ctx, ipad, + ctx->md_info->block_size ) ); } -int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen, - const unsigned char *input, size_t ilen, - unsigned char *output ) +int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, + const unsigned char *key, size_t keylen, + const unsigned char *input, size_t ilen, + unsigned char *output ) { mbedtls_md_context_t ctx; int ret; 
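Review bot: mbedtls_md_hmac_finish now has four early `return( ret )` paths, and neither they nor the success path clear `tmp`, the inner-hash value that is only meant to live for the duration of the call; mbedtls_md_hmac_starts in the same commit wipes its `sum` buffer under a `cleanup:` label, so the two functions are inconsistent. Routing the early returns through a single cleanup label keeps every error code unchanged while wiping `tmp` on all paths. The function's prologue is outside the hunk.
```c
    if( ( ret = ctx->md_info->finish_func( ctx->md_ctx, tmp ) ) != 0 )
        goto cleanup;
    if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 )
        goto cleanup;
    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, opad,
                                           ctx->md_info->block_size ) ) != 0 )
        goto cleanup;
    if( ( ret = ctx->md_info->update_func( ctx->md_ctx, tmp,
                                           ctx->md_info->size ) ) != 0 )
        goto cleanup;
    ret = ctx->md_info->finish_func( ctx->md_ctx, output );

cleanup:
    mbedtls_zeroize( tmp, sizeof( tmp ) );

    return( ret );
```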
@@ -423,15 +429,18 @@ int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, mbedtls_md_init( &ctx ); if( ( ret = mbedtls_md_setup( &ctx, md_info, 1 ) ) != 0 ) - return( ret ); + goto cleanup; - mbedtls_md_hmac_starts( &ctx, key, keylen ); - mbedtls_md_hmac_update( &ctx, input, ilen ); - mbedtls_md_hmac_finish( &ctx, output ); + if( ( ret = mbedtls_md_hmac_starts( &ctx, key, keylen ) ) != 0 ) + goto cleanup; + if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 ) + goto cleanup; + ret = mbedtls_md_hmac_finish( &ctx, output ); +cleanup: mbedtls_md_free( &ctx ); - return( 0 ); + return( ret ); } int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data ) @@ -439,9 +448,7 @@ int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data ) if( ctx == NULL || ctx->md_info == NULL ) return( MBEDTLS_ERR_MD_BAD_INPUT_DATA ); - ctx->md_info->process_func( ctx->md_ctx, data ); - - return( 0 ); + return( ctx->md_info->process_func( ctx->md_ctx, data ) ); } unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info ) From 8d08c4489ea2676f64c0b8f6eca6a9fe458b9f72 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Jun 2017 11:16:38 +0100 Subject: [PATCH 031/177] Change pem to use new MD API and check ret code --- library/pem.c | 99 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 66 insertions(+), 33 deletions(-) diff --git a/library/pem.c b/library/pem.c index 8dd86a4ac..5303adcc4 100644 --- a/library/pem.c +++ b/library/pem.c 
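Review bot: Changing the failed-`mbedtls_md_setup` path in mbedtls_md_hmac from `return( ret )` to `goto cleanup` means `mbedtls_md_free( &ctx )` now runs on a context whose setup may have failed part-way (for instance after `md_info` was recorded but before the HMAC buffer was allocated). That is only safe if mbedtls_md_free tolerates such a half-initialised context; its body is not in this diff, so that should be confirmed rather than assumed, or the early return kept for that one case. The function's declarations are outside the hunk.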
@@ -82,31 +82,33 @@ static int pem_get_iv( const unsigned char *s, unsigned char *iv, return( 0 ); } -static void pem_pbkdf1( unsigned char *key, size_t keylen, - unsigned char *iv, - const unsigned char *pwd, size_t pwdlen ) +static int pem_pbkdf1( unsigned char *key, size_t keylen, + unsigned char *iv, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_md5_context md5_ctx; unsigned char md5sum[16]; size_t use_len; + int ret; mbedtls_md5_init( &md5_ctx ); /* * key[ 0..15] = MD5(pwd || IV) */ - mbedtls_md5_starts( &md5_ctx ); - mbedtls_md5_update( &md5_ctx, pwd, pwdlen ); - mbedtls_md5_update( &md5_ctx, iv, 8 ); - mbedtls_md5_finish( &md5_ctx, md5sum ); + if( ( ret = mbedtls_md5_starts_ext( &md5_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5_ctx, pwd, pwdlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5_ctx, iv, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_finish_ext( &md5_ctx, md5sum ) ) != 0 ) + goto exit; if( keylen <= 16 ) { memcpy( key, md5sum, keylen ); - - mbedtls_md5_free( &md5_ctx ); - mbedtls_zeroize( md5sum, 16 ); - return; + goto exit; } memcpy( key, md5sum, 16 ); @@ -114,11 +116,16 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, /* * key[16..23] = MD5(key[ 0..15] || pwd || IV]) */ - mbedtls_md5_starts( &md5_ctx ); - mbedtls_md5_update( &md5_ctx, md5sum, 16 ); - mbedtls_md5_update( &md5_ctx, pwd, pwdlen ); - mbedtls_md5_update( &md5_ctx, iv, 8 ); - mbedtls_md5_finish( &md5_ctx, md5sum ); + if( ( ret = mbedtls_md5_starts_ext( &md5_ctx ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5_ctx, md5sum, 16 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5_ctx, pwd, pwdlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5_ctx, iv, 8 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_finish_ext( &md5_ctx, md5sum ) ) != 0 ) + goto exit; use_len = 16; if( keylen < 32 ) 
@@ -126,53 +133,66 @@ static void pem_pbkdf1( unsigned char *key, size_t keylen, memcpy( key + 16, md5sum, use_len ); +exit: mbedtls_md5_free( &md5_ctx ); mbedtls_zeroize( md5sum, 16 ); + + return( ret ); } #if defined(MBEDTLS_DES_C) /* * Decrypt with DES-CBC, using PBKDF1 for key derivation */ -static void pem_des_decrypt( unsigned char des_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des_decrypt( unsigned char des_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des_context des_ctx; unsigned char des_key[8]; + int ret; mbedtls_des_init( &des_ctx ); - pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ); + if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 ) + goto exit; mbedtls_des_setkey_dec( &des_ctx, des_key ); mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen, des_iv, buf, buf ); +exit: mbedtls_des_free( &des_ctx ); mbedtls_zeroize( des_key, 8 ); + + return( ret ); } /* * Decrypt with 3DES-CBC, using PBKDF1 for key derivation */ -static void pem_des3_decrypt( unsigned char des3_iv[8], - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_des3_decrypt( unsigned char des3_iv[8], + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_des3_context des3_ctx; unsigned char des3_key[24]; + int ret; mbedtls_des3_init( &des3_ctx ); - pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ); + if( ( ret = pem_pbkdf1( des3_key, 24, des3_iv, pwd, pwdlen ) ) != 0 ) + goto exit; mbedtls_des3_set3key_dec( &des3_ctx, des3_key ); mbedtls_des3_crypt_cbc( &des3_ctx, MBEDTLS_DES_DECRYPT, buflen, des3_iv, buf, buf ); +exit: mbedtls_des3_free( &des3_ctx ); mbedtls_zeroize( des3_key, 24 ); + + return( ret ); } #endif /* MBEDTLS_DES_C */ 
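Review bot: pem_des_decrypt now returns an `int` but still discards the results of `mbedtls_des_setkey_dec` and `mbedtls_des_crypt_cbc`, so a failure in the cipher layer is reported as success and the caller goes on to parse undecrypted bytes; pem_des3_decrypt in this hunk and pem_aes_decrypt in the next have the same gap (`mbedtls_aes_setkey_dec` can genuinely fail on a bad key length). Since the functions already have `ret` and an `exit:` label, checking the two cipher calls is a small change.
```c
    if( ( ret = pem_pbkdf1( des_key, 8, des_iv, pwd, pwdlen ) ) != 0 )
        goto exit;
    if( ( ret = mbedtls_des_setkey_dec( &des_ctx, des_key ) ) != 0 )
        goto exit;
    ret = mbedtls_des_crypt_cbc( &des_ctx, MBEDTLS_DES_DECRYPT, buflen,
                                 des_iv, buf, buf );

exit:
    /* … unchanged: free context, zeroize des_key, return ret … */
```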
@@ -180,23 +200,28 @@ static void pem_des3_decrypt( unsigned char des3_iv[8], /* * Decrypt with AES-XXX-CBC, using PBKDF1 for key derivation */ -static void pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, - unsigned char *buf, size_t buflen, - const unsigned char *pwd, size_t pwdlen ) +static int pem_aes_decrypt( unsigned char aes_iv[16], unsigned int keylen, + unsigned char *buf, size_t buflen, + const unsigned char *pwd, size_t pwdlen ) { mbedtls_aes_context aes_ctx; unsigned char aes_key[32]; + int ret; mbedtls_aes_init( &aes_ctx ); - pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ); + if( ( ret = pem_pbkdf1( aes_key, keylen, aes_iv, pwd, pwdlen ) ) != 0 ) + goto exit; mbedtls_aes_setkey_dec( &aes_ctx, aes_key, keylen * 8 ); mbedtls_aes_crypt_cbc( &aes_ctx, MBEDTLS_AES_DECRYPT, buflen, aes_iv, buf, buf ); +exit: mbedtls_aes_free( &aes_ctx ); mbedtls_zeroize( aes_key, keylen ); + + return( ret ); } #endif /* MBEDTLS_AES_C */ 
@@ -345,22 +370,30 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } + ret = 0; + #if defined(MBEDTLS_DES_C) if( enc_alg == MBEDTLS_CIPHER_DES_EDE3_CBC ) - pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des3_decrypt( pem_iv, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_DES_CBC ) - pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); + ret = pem_des_decrypt( pem_iv, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_DES_C */ #if defined(MBEDTLS_AES_C) if( enc_alg == MBEDTLS_CIPHER_AES_128_CBC ) - pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 16, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_192_CBC ) - pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 24, buf, len, pwd, pwdlen ); else if( enc_alg == MBEDTLS_CIPHER_AES_256_CBC ) - pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); + ret = pem_aes_decrypt( pem_iv, 32, buf, len, pwd, pwdlen ); #endif /* MBEDTLS_AES_C */ + if( ret != 0 ) + { + mbedtls_free( buf ); + return( ret ); + } + /* * The result will be ASN.1 starting with a SEQUENCE tag, with 1 to 3 * length bytes (allow 4 to be sure) in all known use cases. From 207cea57f984fa90e3ad2f6982cd18278b9db320 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Jun 2017 13:28:13 +0100 Subject: [PATCH 032/177] Change entropy to use new MD API and check ret code --- library/entropy.c | 51 ++++++++++++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/library/entropy.c b/library/entropy.c index d4d1b27b7..72e0773cf 100644 --- a/library/entropy.c +++ b/library/entropy.c 
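Review bot: The new `if( ret != 0 )` branch in mbedtls_pem_read_buffer frees `buf` without wiping it, even though by that point `buf` holds the base64-decoded ciphertext and, depending on where the decrypt helper failed, partially decrypted key material. Given the series' focus on clearing temporaries, `mbedtls_zeroize( buf, len );` before `mbedtls_free( buf );` seems warranted; whether the function's later failure paths already do this is not visible from the hunk, so the two should be made consistent either way. Note also that `ret` stays 0 when `enc_alg` matches none of the compiled-in ciphers, which appears to be pre-existing behaviour but is worth a comment now that `ret` drives the new early return.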
@@ -75,9 +75,9 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) #endif #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - mbedtls_sha512_starts( &ctx->accumulator, 0 ); + mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ); #else - mbedtls_sha256_starts( &ctx->accumulator, 0 ); + mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ); #endif #if defined(MBEDTLS_HAVEGE_C) mbedtls_havege_init( &ctx->havege_data ); @@ -172,13 +172,16 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE]; size_t use_len = len; const unsigned char *p = data; + int ret; if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE ) { #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - mbedtls_sha512( data, len, tmp, 0 ); + if( ( ret = mbedtls_sha512_ext( data, len, tmp, 0 ) ) != 0 ) + return( ret ); #else - mbedtls_sha256( data, len, tmp, 0 ); + if( ( ret = mbedtls_sha256_ext( data, len, tmp, 0 ) ) != 0 ) + return( ret ); #endif p = tmp; use_len = MBEDTLS_ENTROPY_BLOCK_SIZE; @@ -188,14 +191,14 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id header[1] = use_len & 0xFF; #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - mbedtls_sha512_update( &ctx->accumulator, header, 2 ); - mbedtls_sha512_update( &ctx->accumulator, p, use_len ); + if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) + return( ret ); + return( mbedtls_sha512_update_ext( &ctx->accumulator, p, use_len ) ); #else - mbedtls_sha256_update( &ctx->accumulator, header, 2 ); - mbedtls_sha256_update( &ctx->accumulator, p, use_len ); + if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) + return( ret ); + return( mbedtls_sha256_update_ext( &ctx->accumulator, p, use_len ) ); #endif - - return( 0 ); } int mbedtls_entropy_update_manual( mbedtls_entropy_context *ctx, 
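Review bot: mbedtls_entropy_init calls `mbedtls_sha512_starts_ext` / `mbedtls_sha256_starts_ext` and drops the new return value, so the one place where the accumulator is set up cannot report an accelerator failure and the context is left looking valid. Since the init function is `void`, a comment such as `/* status intentionally ignored: init cannot fail; a failed starts surfaces on the first update/finish */` would at least record the decision, if the API cannot change. The rest of the function is outside the hunk.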
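Review bot: In entropy_update the large-input path hashes the caller's data into the local `tmp` and feeds it to the accumulator, but `tmp` is never wiped: not on the new `return( ret )` lines and not on the final `return( mbedtls_sha*_update_ext( ... ) )` either, so a digest of raw entropy stays on the stack after the call. A `cleanup:` label with `mbedtls_zeroize( tmp, sizeof( tmp ) );` that the returns route through would match what the other functions in this series do. The function body is fully visible in the hunk.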
@@ -333,33 +336,45 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE ); #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - mbedtls_sha512_finish( &ctx->accumulator, buf ); + if( ( ret = mbedtls_sha512_finish_ext( &ctx->accumulator, buf ) ) != 0 ) + goto exit; /* * Reset accumulator and counters and recycle existing entropy */ memset( &ctx->accumulator, 0, sizeof( mbedtls_sha512_context ) ); - mbedtls_sha512_starts( &ctx->accumulator, 0 ); - mbedtls_sha512_update( &ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ); + if( ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, buf, + MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 ) + goto exit; /* * Perform second SHA-512 on entropy */ - mbedtls_sha512( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0 ); + if( ( ret = mbedtls_sha512_ext( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, + buf, 0 ) ) != 0 ) + goto exit; #else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */ - mbedtls_sha256_finish( &ctx->accumulator, buf ); + if( ( ret = mbedtls_sha256_finish_ext( &ctx->accumulator, buf ) ) != 0 ) + goto exit; /* * Reset accumulator and counters and recycle existing entropy */ memset( &ctx->accumulator, 0, sizeof( mbedtls_sha256_context ) ); - mbedtls_sha256_starts( &ctx->accumulator, 0 ); - mbedtls_sha256_update( &ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ); + if( ( ret = mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, buf, + MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 ) + goto exit; /* * Perform second SHA-256 on entropy */ - mbedtls_sha256( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0 ); + if( ( ret = mbedtls_sha256_ext( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, + buf, 0 ) ) != 0 ) + goto exit; #endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */ for( i = 0; i < ctx->source_count; i++ ) 
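Review bot: Each new `goto exit` in mbedtls_entropy_func leaves the accumulator in whatever state the failing call produced — finished but not restarted after `finish_ext`, or started but not fed after `starts_ext` — and unless the `exit:` path outside this hunk resets it, the next call keeps using that context. Consider re-initialising the accumulator (or recording the failure in the context so it is reported on every later call) on the error path, so a hardware failure is sticky rather than silent. `buf` also still holds the finished digest when those gotos fire; clear it under `exit:` as well. mbedtls_entropy_func starts and ends outside the hunk.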
From a7559cb7bab36b1da981f13073f1bcdc311f3407 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Jun 2017 16:12:31 +0100 Subject: [PATCH 033/177] Fix entropy module to work with hw accelerator This patch modifies the entropy.c module to ensure that the sha256 and sha512 contexts are correctly initialised and freed instead of skipping these calls or simply zeroizing with memset() or mbedtls_zeroize(). This is important as the sha contexts might otherwise leak memory or other resources, and even more so in the context of hardware accelerators where the configuration of the device might be done in the init and free calls. --- library/entropy.c | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/library/entropy.c b/library/entropy.c index 72e0773cf..06dec9956 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -68,15 +68,18 @@ static void mbedtls_zeroize( void *v, size_t n ) { void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) { - memset( ctx, 0, sizeof(mbedtls_entropy_context) ); + ctx->source_count = 0; + memset( ctx->source, 0, sizeof( ctx->source ) ); #if defined(MBEDTLS_THREADING_C) mbedtls_mutex_init( &ctx->mutex ); #endif #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) + mbedtls_sha512_init( &ctx->accumulator ); mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ); #else + mbedtls_sha256_init( &ctx->accumulator ); mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ); #endif #if defined(MBEDTLS_HAVEGE_C) @@ -113,6 +116,7 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_entropy_add_source( ctx, mbedtls_nv_seed_poll, NULL, MBEDTLS_ENTROPY_BLOCK_SIZE, MBEDTLS_ENTROPY_SOURCE_STRONG ); + ctx->initial_entropy_run = 0; #endif #endif /* MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES */ } 
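Review bot: Replacing the whole-struct `memset` with field-wise initialisation leaves `ctx->initial_entropy_run` uninitialised in one configuration: the new `ctx->initial_entropy_run = 0;` (hunk at -113) sits inside the `#if defined(MBEDTLS_ENTROPY_NV_SEED)` block that is itself nested under the `MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES` guard, so with default sources disabled and NV seed enabled the field is never written, whereas the memset used to zero it. Move the assignment next to `ctx->source_count = 0;` under its own `#if defined(MBEDTLS_ENTROPY_NV_SEED)`, the same placement mbedtls_entropy_free uses in the next commit. mbedtls_entropy_init ends at the end of the second hunk but starts before the first.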
@@ -125,7 +129,16 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx ) #if defined(MBEDTLS_THREADING_C) mbedtls_mutex_free( &ctx->mutex ); #endif - mbedtls_zeroize( ctx, sizeof( mbedtls_entropy_context ) ); +#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) + mbedtls_sha512_free( &ctx->accumulator ); +#else + mbedtls_sha256_free( &ctx->accumulator ); +#endif +#if defined(MBEDTLS_ENTROPY_NV_SEED) + ctx->initial_entropy_run = 0; +#endif + ctx->source_count = 0; + mbedtls_zeroize( ctx->source, sizeof( ctx->source ) ); } int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx, @@ -342,7 +355,8 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) /* * Reset accumulator and counters and recycle existing entropy */ - memset( &ctx->accumulator, 0, sizeof( mbedtls_sha512_context ) ); + mbedtls_sha512_free( &ctx->accumulator ); + mbedtls_sha512_init( &ctx->accumulator ); if( ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) goto exit; if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, buf, @@ -362,7 +376,8 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) /* * Reset accumulator and counters and recycle existing entropy */ - memset( &ctx->accumulator, 0, sizeof( mbedtls_sha256_context ) ); + mbedtls_sha256_free( &ctx->accumulator ); + mbedtls_sha256_init( &ctx->accumulator ); if( ( ret = mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) goto exit; if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, buf, From 95869c4934bd695d808ded3954c6a26c73fe2710 Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Thu, 29 Jun 2017 16:31:44 +0100 Subject: [PATCH 034/177] Do not start md accumulator in mbedtls_entropy_init This change moves the calls to mbedtls_sha256_starts() and mbedtls_sha512_starts() out of the mbedtls_entropy_init() function as these now have return codes which need to be checked. --- include/mbedtls/entropy.h | 1 + library/entropy.c | 23 ++++++++++++++++++++--- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index 747aca4df..addb9616c 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -121,6 +121,7 @@ mbedtls_entropy_source_state; */ typedef struct { + int accumulator_started; #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_context accumulator; #else diff --git a/library/entropy.c b/library/entropy.c index 06dec9956..67ec9010c 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -75,12 +75,11 @@ void mbedtls_entropy_init( mbedtls_entropy_context *ctx ) mbedtls_mutex_init( &ctx->mutex ); #endif + ctx->accumulator_started = 0; #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_init( &ctx->accumulator ); - mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ); #else mbedtls_sha256_init( &ctx->accumulator ); - mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ); #endif #if defined(MBEDTLS_HAVEGE_C) mbedtls_havege_init( &ctx->havege_data ); @@ -139,6 +138,7 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx ) #endif ctx->source_count = 0; mbedtls_zeroize( ctx->source, sizeof( ctx->source ) ); + ctx->accumulator_started = 0; } int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx, 
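Review bot: The new `int accumulator_started;` in the public mbedtls_entropy_context has no comment saying what it guards, and its meaning (set by entropy_update once `*_starts_ext()` has succeeded on `accumulator`, cleared by init/free) is only discoverable from entropy.c. Add `int accumulator_started; /* non-zero once the accumulator has been started with mbedtls_shaXXX_starts_ext() */` in entropy.h. Inserting the field at the top of the struct also changes the offset of every following member, which matters to anything built against the previous layout; if that is intended, a ChangeLog line for the struct change would help.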
@@ -203,11 +203,26 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id header[0] = source_id; header[1] = use_len & 0xFF; + /* + * Start the accumulator if this has not already happened. Note that + * it is sufficient to start the accumulator here only because all calls to + * gather entropy eventually execute this code. + */ #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) + if( ctx->accumulator_started == 0 && + ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + return( ret ); + else + ctx->accumulator_started = 1; if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) return( ret ); return( mbedtls_sha512_update_ext( &ctx->accumulator, p, use_len ) ); #else + if( ctx->accumulator_started == 0 && + ( ret = mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + return( ret ); + else + ctx->accumulator_started = 1; if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) return( ret ); return( mbedtls_sha256_update_ext( &ctx->accumulator, p, use_len ) ); @@ -266,7 +281,9 @@ static int entropy_gather_internal( mbedtls_entropy_context *ctx ) */ if( olen > 0 ) { - entropy_update( ctx, (unsigned char) i, buf, olen ); + if( ( ret = entropy_update( ctx, (unsigned char) i, + buf, olen ) ) != 0 ) + return( ret ); ctx->source[i].size += olen; } } From 1a607a1b9aed054ed3cc14e882997b01da1c5807 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Jun 2017 17:09:42 +0100 Subject: [PATCH 035/177] Change ssl_tls to use new MD API and check ret code --- library/ssl_tls.c | 147 +++++++++++++++++++++++++--------------------- 1 file changed, 79 insertions(+), 68 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 661ae7065..b04917d14 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
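Review bot: The `if( ctx->accumulator_started == 0 && ( ret = mbedtls_sha512_starts_ext( ... ) ) != 0 ) return( ret ); else ctx->accumulator_started = 1;` construction in entropy_update is correct but relies on the `else` of a compound condition to set the flag both when the accumulator was already started and when the start just succeeded, and the sha256 branch repeats it. A plainer form is `if( ctx->accumulator_started == 0 ) { if( ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) return( ret ); ctx->accumulator_started = 1; }`. The new comment's claim that every gather path reaches this code deserves a check against mbedtls_entropy_func: if no source delivers bytes, `entropy_update` is never called and the `finish_ext` there could run on a never-started accumulator, which this flag could be used to guard. entropy_update starts outside the first hunk.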
@@ -221,6 +221,7 @@ static int ssl3_prf( const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ) { + int ret; size_t i; mbedtls_md5_context md5; mbedtls_sha1_context sha1; @@ -243,25 +244,35 @@ static int ssl3_prf( const unsigned char *secret, size_t slen, { memset( padding, (unsigned char) ('A' + i), 1 + i ); - mbedtls_sha1_starts( &sha1 ); - mbedtls_sha1_update( &sha1, padding, 1 + i ); - mbedtls_sha1_update( &sha1, secret, slen ); - mbedtls_sha1_update( &sha1, random, rlen ); - mbedtls_sha1_finish( &sha1, sha1sum ); + if( ( ret = mbedtls_sha1_starts_ext( &sha1 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha1_update_ext( &sha1, padding, 1 + i ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha1_update_ext( &sha1, secret, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha1_update_ext( &sha1, random, rlen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_sha1_finish_ext( &sha1, sha1sum ) ) != 0 ) + goto exit; - mbedtls_md5_starts( &md5 ); - mbedtls_md5_update( &md5, secret, slen ); - mbedtls_md5_update( &md5, sha1sum, 20 ); - mbedtls_md5_finish( &md5, dstbuf + i * 16 ); + if( ( ret = mbedtls_md5_starts_ext( &md5 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5, secret, slen ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_update_ext( &md5, sha1sum, 20 ) ) != 0 ) + goto exit; + if( ( ret = mbedtls_md5_finish_ext( &md5, dstbuf + i * 16 ) ) != 0 ) + goto exit; } +exit: mbedtls_md5_free( &md5 ); mbedtls_sha1_free( &sha1 ); mbedtls_zeroize( padding, sizeof( padding ) ); mbedtls_zeroize( sha1sum, sizeof( sha1sum ) ); - return( 0 ); + return( ret ); } #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 
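Review bot: The new `int ret;` in ssl3_prf is only assigned inside the loop body, so if the loop runs zero times the `return( ret );` under `exit:` returns an indeterminate value; initialise it, `int ret = 0;`. The goto-based cleanup itself is sound: both contexts are freed and `padding`/`sha1sum` cleared on every exit. The loop header lies between the two hunks; the function body starts outside the first.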
@@ -978,25 +989,25 @@ void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] ) memset( pad_1, 0x36, 48 ); memset( pad_2, 0x5C, 48 ); - mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); - mbedtls_md5_update( &md5, pad_1, 48 ); - mbedtls_md5_finish( &md5, hash ); + mbedtls_md5_update_ext( &md5, ssl->session_negotiate->master, 48 ); + mbedtls_md5_update_ext( &md5, pad_1, 48 ); + mbedtls_md5_finish_ext( &md5, hash ); - mbedtls_md5_starts( &md5 ); - mbedtls_md5_update( &md5, ssl->session_negotiate->master, 48 ); - mbedtls_md5_update( &md5, pad_2, 48 ); - mbedtls_md5_update( &md5, hash, 16 ); - mbedtls_md5_finish( &md5, hash ); + mbedtls_md5_starts_ext( &md5 ); + mbedtls_md5_update_ext( &md5, ssl->session_negotiate->master, 48 ); + mbedtls_md5_update_ext( &md5, pad_2, 48 ); + mbedtls_md5_update_ext( &md5, hash, 16 ); + mbedtls_md5_finish_ext( &md5, hash ); - mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); - mbedtls_sha1_update( &sha1, pad_1, 40 ); - mbedtls_sha1_finish( &sha1, hash + 16 ); + mbedtls_sha1_update_ext( &sha1, ssl->session_negotiate->master, 48 ); + mbedtls_sha1_update_ext( &sha1, pad_1, 40 ); + mbedtls_sha1_finish_ext( &sha1, hash + 16 ); - mbedtls_sha1_starts( &sha1 ); - mbedtls_sha1_update( &sha1, ssl->session_negotiate->master, 48 ); - mbedtls_sha1_update( &sha1, pad_2, 40 ); - mbedtls_sha1_update( &sha1, hash + 16, 20 ); - mbedtls_sha1_finish( &sha1, hash + 16 ); + mbedtls_sha1_starts_ext( &sha1 ); + mbedtls_sha1_update_ext( &sha1, ssl->session_negotiate->master, 48 ); + mbedtls_sha1_update_ext( &sha1, pad_2, 40 ); + mbedtls_sha1_update_ext( &sha1, hash + 16, 20 ); + mbedtls_sha1_finish_ext( &sha1, hash + 16 ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 
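Review bot: ssl_calc_verify_ssl is void and discards the int now returned by every `mbedtls_md5_*_ext` / `mbedtls_sha1_*_ext` call, so a failing hash operation may leave `hash` partly unwritten while it is still used as the verify value; the same pattern appears in ssl_calc_verify_tls / _sha256 / _sha384, mbedtls_ssl_reset_checksum, ssl_update_checksum_*, ssl_calc_finished_*, and ssl_handshake_params_init in the following hunks (lines 104–108). If changing these signatures is out of scope here, mark each affected function once, e.g. `/* TODO: return values of *_ext() calls are not checked; propagate once callers can handle failure */`, so the omission is visible; as written, the commit title's "check ret code" holds in ssl_tls.c only for ssl3_prf. Each of these functions starts outside its hunk.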
@@ -1022,8 +1033,8 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] ) mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - mbedtls_md5_finish( &md5, hash ); - mbedtls_sha1_finish( &sha1, hash + 16 ); + mbedtls_md5_finish_ext( &md5, hash ); + mbedtls_sha1_finish_ext( &sha1, hash + 16 ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); @@ -1046,7 +1057,7 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) ); mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); - mbedtls_sha256_finish( &sha256, hash ); + mbedtls_sha256_finish_ext( &sha256, hash ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); @@ -1067,7 +1078,7 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) ); mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 ); - mbedtls_sha512_finish( &sha512, hash ); + mbedtls_sha512_finish_ext( &sha512, hash ); MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); 
@@ -4836,15 +4847,15 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_starts( &ssl->handshake->fin_md5 ); - mbedtls_sha1_starts( &ssl->handshake->fin_sha1 ); + mbedtls_md5_starts_ext( &ssl->handshake->fin_md5 ); + mbedtls_sha1_starts_ext( &ssl->handshake->fin_sha1 ); #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 ); + mbedtls_sha256_starts_ext( &ssl->handshake->fin_sha256, 0 ); #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); + mbedtls_sha512_starts_ext( &ssl->handshake->fin_sha512, 1 ); #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } @@ -4854,15 +4865,15 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, { #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); + mbedtls_md5_update_ext( &ssl->handshake->fin_md5 , buf, len ); + mbedtls_sha1_update_ext( &ssl->handshake->fin_sha1, buf, len ); #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); + mbedtls_sha256_update_ext( &ssl->handshake->fin_sha256, buf, len ); #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); + mbedtls_sha512_update_ext( &ssl->handshake->fin_sha512, buf, len ); #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } 
@@ -4872,8 +4883,8 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - mbedtls_md5_update( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update( &ssl->handshake->fin_sha1, buf, len ); + mbedtls_md5_update_ext( &ssl->handshake->fin_md5 , buf, len ); + mbedtls_sha1_update_ext( &ssl->handshake->fin_sha1, buf, len ); } #endif @@ -4882,7 +4893,7 @@ static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len ); + mbedtls_sha256_update_ext( &ssl->handshake->fin_sha256, buf, len ); } #endif @@ -4890,7 +4901,7 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { - mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); + mbedtls_sha512_update_ext( &ssl->handshake->fin_sha512, buf, len ); } #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 
@@ -4943,29 +4954,29 @@ static void ssl_calc_finished_ssl( memset( padbuf, 0x36, 48 ); - mbedtls_md5_update( &md5, (const unsigned char *) sender, 4 ); - mbedtls_md5_update( &md5, session->master, 48 ); - mbedtls_md5_update( &md5, padbuf, 48 ); - mbedtls_md5_finish( &md5, md5sum ); + mbedtls_md5_update_ext( &md5, (const unsigned char *) sender, 4 ); + mbedtls_md5_update_ext( &md5, session->master, 48 ); + mbedtls_md5_update_ext( &md5, padbuf, 48 ); + mbedtls_md5_finish_ext( &md5, md5sum ); - mbedtls_sha1_update( &sha1, (const unsigned char *) sender, 4 ); - mbedtls_sha1_update( &sha1, session->master, 48 ); - mbedtls_sha1_update( &sha1, padbuf, 40 ); - mbedtls_sha1_finish( &sha1, sha1sum ); + mbedtls_sha1_update_ext( &sha1, (const unsigned char *) sender, 4 ); + mbedtls_sha1_update_ext( &sha1, session->master, 48 ); + mbedtls_sha1_update_ext( &sha1, padbuf, 40 ); + mbedtls_sha1_finish_ext( &sha1, sha1sum ); memset( padbuf, 0x5C, 48 ); - mbedtls_md5_starts( &md5 ); - mbedtls_md5_update( &md5, session->master, 48 ); - mbedtls_md5_update( &md5, padbuf, 48 ); - mbedtls_md5_update( &md5, md5sum, 16 ); - mbedtls_md5_finish( &md5, buf ); + mbedtls_md5_starts_ext( &md5 ); + mbedtls_md5_update_ext( &md5, session->master, 48 ); + mbedtls_md5_update_ext( &md5, padbuf, 48 ); + mbedtls_md5_update_ext( &md5, md5sum, 16 ); + mbedtls_md5_finish_ext( &md5, buf ); - mbedtls_sha1_starts( &sha1 ); - mbedtls_sha1_update( &sha1, session->master, 48 ); - mbedtls_sha1_update( &sha1, padbuf , 40 ); - mbedtls_sha1_update( &sha1, sha1sum, 20 ); - mbedtls_sha1_finish( &sha1, buf + 16 ); + mbedtls_sha1_starts_ext( &sha1 ); + mbedtls_sha1_update_ext( &sha1, session->master, 48 ); + mbedtls_sha1_update_ext( &sha1, padbuf , 40 ); + mbedtls_sha1_update_ext( &sha1, sha1sum, 20 ); + mbedtls_sha1_finish_ext( &sha1, buf + 16 ); MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 ); 
@@ -5022,8 +5033,8 @@ static void ssl_calc_finished_tls( ? "client finished" : "server finished"; - mbedtls_md5_finish( &md5, padbuf ); - mbedtls_sha1_finish( &sha1, padbuf + 16 ); + mbedtls_md5_finish_ext( &md5, padbuf ); + mbedtls_sha1_finish_ext( &sha1, padbuf + 16 ); ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 36, buf, len ); @@ -5074,7 +5085,7 @@ static void ssl_calc_finished_tls_sha256( ? "client finished" : "server finished"; - mbedtls_sha256_finish( &sha256, padbuf ); + mbedtls_sha256_finish_ext( &sha256, padbuf ); ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 32, buf, len ); @@ -5123,7 +5134,7 @@ static void ssl_calc_finished_tls_sha384( ? "client finished" : "server finished"; - mbedtls_sha512_finish( &sha512, padbuf ); + mbedtls_sha512_finish_ext( &sha512, padbuf ); ssl->handshake->tls_prf( session->master, 48, sender, padbuf, 48, buf, len ); @@ -5437,17 +5448,17 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) defined(MBEDTLS_SSL_PROTO_TLS1_1) mbedtls_md5_init( &handshake->fin_md5 ); mbedtls_sha1_init( &handshake->fin_sha1 ); - mbedtls_md5_starts( &handshake->fin_md5 ); - mbedtls_sha1_starts( &handshake->fin_sha1 ); + mbedtls_md5_starts_ext( &handshake->fin_md5 ); + mbedtls_sha1_starts_ext( &handshake->fin_sha1 ); #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) mbedtls_sha256_init( &handshake->fin_sha256 ); - mbedtls_sha256_starts( &handshake->fin_sha256, 0 ); + mbedtls_sha256_starts_ext( &handshake->fin_sha256, 0 ); #endif #if defined(MBEDTLS_SHA512_C) mbedtls_sha512_init( &handshake->fin_sha512 ); - mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); + mbedtls_sha512_starts_ext( &handshake->fin_sha512, 1 ); #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ From 276ebb650ed631c6748486d2f3344ed83b763a6a Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Mon, 3 Jul 2017 11:16:57 +0100 Subject: [PATCH 036/177] Add stdlib.h include to hello.c sample --- programs/hash/hello.c | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/hash/hello.c b/programs/hash/hello.c index a69154f55..a0c08c734 100644 --- a/programs/hash/hello.c +++ b/programs/hash/hello.c @@ -28,6 +28,7 @@ #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else +#include #include #define mbedtls_printf printf #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS From 7a005e2fa413fa828309221bb3ce03360c432aaa Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 3 Jul 2017 14:42:34 +0100 Subject: [PATCH 037/177] Remove invalid doxygen docs from deprecated func --- include/mbedtls/md2.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 2c133a2aa..1d81c2844 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -225,8 +225,6 @@ int mbedtls_md2_ext( const unsigned char *input, * \param input buffer holding the data * \param ilen length of the input data * \param output MD2 checksum result - * - * \return 0 if successful */ MBEDTLS_DEPRECATED static inline void mbedtls_md2( const unsigned char *input, size_t ilen, From f01a644aac123e2dc6f1d119a5f9fd9959bc9673 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Mon, 3 Jul 2017 16:00:59 +0100 Subject: [PATCH 038/177] Add ChangeLog entry --- ChangeLog | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2f0116bcf..0c8f541d0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,27 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x released xxxx-xx-xx + +Bugfix + * Fix the entropy.c module to not call mbedtls_sha256_starts() or + mbedtls_sha512_starts() in the mbedtls_entropy_init() function. + * Fix the entropy.c module to ensure that mbedtls_sha256_init() or + mbedtls_sha512_init() is called before operating on the relevant context + structure. Also, ensure that message digest contexts are freed when + calling mbedtls_entropy_free(). + +API Changes + * The following functions in the MD2, MD4, MD5, SHA1, SHA256 and SHA512 + modules have been deprecated and replaced as shown below. The new + functions change the return type from void to int to allow returning error + codes when using MBEDTLS__ALT. + mbedtls__starts() -> mbedtls__starts_ext() + mbedtls__update() -> mbedtls__update_ext() + mbedtls__finish() -> mbedtls__finish_ext() + mbedtls__process() -> mbedtls_internal__process() + The type of the function pointers in the mbedtls_md_info_t struct have + also been modified taking into account the functions return code. + = mbed TLS 2.5.1 released 2017-06-21 Security From af0b31d76faa9f1a23bd46a2afc2cbf020b7361c Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 5 Jul 2017 14:23:54 +0100 Subject: [PATCH 039/177] Correctly set buf size in entropy_update_nv_seed() --- library/entropy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/entropy.c b/library/entropy.c index a500b5312..e6da98b10 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -387,7 +387,7 @@ exit: int mbedtls_entropy_update_nv_seed( mbedtls_entropy_context *ctx ) { int ret = MBEDTLS_ERR_ENTROPY_FILE_IO_ERROR; - unsigned char buf[ MBEDTLS_ENTROPY_MAX_SEED_SIZE ]; + unsigned char buf[MBEDTLS_ENTROPY_BLOCK_SIZE]; /* Read new seed and write it to NV */ if( ( ret = mbedtls_entropy_func( ctx, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 ) From bbafd34ebb94b67ccd86b972dac266ccb563a0b3 Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Wed, 5 Jul 2017 14:25:21 +0100 Subject: [PATCH 040/177] Set len var to 0 when buf is freed in ssl_tls.c --- library/ssl_tls.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9b5fccb5c..c85cc72d3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6049,13 +6049,19 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - if( conf->psk != NULL || conf->psk_identity != NULL ) + if( conf->psk != NULL ) { mbedtls_zeroize( conf->psk, conf->psk_len ); + mbedtls_free( conf->psk ); - mbedtls_free( conf->psk_identity ); conf->psk = NULL; + conf->psk_len = 0; + } + if( conf->psk_identity != NULL ) + { + mbedtls_free( conf->psk_identity ); conf->psk_identity = NULL; + conf->psk_identity_len = 0; } if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL || @@ -6090,6 +6096,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, { mbedtls_zeroize( ssl->handshake->psk, ssl->handshake->psk_len ); mbedtls_free( ssl->handshake->psk ); + ssl->handshake->psk_len = 0; } if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) From 364051ff5742d995eb93df926d6e9d0d58fb4c6d Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 5 Jul 2017 15:40:17 +0100 Subject: [PATCH 041/177] Add ChangeLog entry for buf zeroize --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 84a05d003..e933cc5e8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,12 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x released xxxx-xx-xx + +Security + * Ensure that buffers are cleared after use if they contain sensitive data. + Changes were introduced in multiple places in the library. Cannot be + triggered remotely. + = mbed TLS 2.5.1 released xxxx-xx-xx Security From 6512193efff3b0be6ba144b8a0b4d7ec63099cb8 Mon Sep 17 00:00:00 2001 
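Review bot: In mbedtls_ssl_conf_psk the PSK is cleared before it is freed but `conf->psk_identity` is only freed; now that the two cases are split into separate `if` blocks, either treat them alike with `mbedtls_zeroize( conf->psk_identity, conf->psk_identity_len );` before `mbedtls_free( conf->psk_identity );`, or add a comment stating that the identity is intentionally not cleared. Resetting `psk_len` and `psk_identity_len` to 0 next to the NULL assignments is the right pairing. mbedtls_ssl_conf_psk and mbedtls_ssl_set_hs_psk both continue outside their hunks.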
From: Andres Amaya Garcia Date: Wed, 5 Jul 2017 15:45:47 +0100 Subject: [PATCH 042/177] Zeroize tmp buffer in entropy_update() --- library/entropy.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/entropy.c b/library/entropy.c index e6da98b10..90d09ebb1 100644 --- a/library/entropy.c +++ b/library/entropy.c @@ -195,6 +195,8 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id mbedtls_sha256_update( &ctx->accumulator, p, use_len ); #endif + mbedtls_zeroize( tmp, sizeof( tmp ) ); + return( 0 ); } From d48ba2b336b03a15aa905a0b9a45c8541fbe237f Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 6 Jul 2017 17:17:43 +0100 Subject: [PATCH 043/177] Improve ChangeLog entry --- ChangeLog | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e933cc5e8..810bcb261 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,8 +4,7 @@ mbed TLS ChangeLog (Sorted per branch, date) Security * Ensure that buffers are cleared after use if they contain sensitive data. - Changes were introduced in multiple places in the library. Cannot be - triggered remotely. + Changes were introduced in multiple places in the library. = mbed TLS 2.5.1 released xxxx-xx-xx From b194a283a96727f50e74fec50efd2497b995b8ce Mon Sep 17 00:00:00 2001 From: Martijn de Milliano Date: Thu, 6 Jul 2017 23:55:59 +0200 Subject: [PATCH 044/177] dh_server: Fixed expected number of bytes received from client when receiving public value. --- programs/pkey/dh_server.c | 1 + 1 file changed, 1 insertion(+) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 8bf2b1b29..7906ac1b8 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -234,6 +234,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); + n = dhm.len; if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n ) { mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret ); 
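Review bot: `n = dhm.len;` now sizes the receive, but nothing in the hunk checks that `dhm.len` fits in `buf` before `mbedtls_net_recv( &client_fd, buf, n )`; `buf` is declared outside the hunk, so unless its size is provably at least the largest modulus the program accepts, add `if( n > sizeof( buf ) ) { ret = 1; goto exit; }` (or the sample's equivalent error path) before the call. `dhm.len` appears to come from the server's own parameters rather than the peer, so this is a robustness check. main() starts and ends outside the hunk.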
From 92d46f02460afa9765b5ca37a4de786b796adb78 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 7 Jul 2017 10:46:51 +0100 Subject: [PATCH 045/177] Zeroize buf if mbedtls_base64_decode() fails --- library/pem.c | 1 + 1 file changed, 1 insertion(+) diff --git a/library/pem.c b/library/pem.c index a09257cc7..ea36df882 100644 --- a/library/pem.c +++ b/library/pem.c @@ -331,6 +331,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); return( MBEDTLS_ERR_PEM_INVALID_DATA + ret ); } From a21247ead7d64298ca1e9194b39447954566ceb6 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:01:08 +0100 Subject: [PATCH 046/177] Remove unwanted whitespace in MD comments --- include/mbedtls/md2.h | 8 ++++---- include/mbedtls/md4.h | 8 ++++---- include/mbedtls/md5.h | 8 ++++---- include/mbedtls/ripemd160.h | 8 ++++---- include/mbedtls/sha1.h | 8 ++++---- include/mbedtls/sha256.h | 8 ++++---- include/mbedtls/sha512.h | 8 ++++---- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 1d81c2844..2a14b1002 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -92,7 +92,7 @@ int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ); * \brief MD2 process buffer * * \param ctx MD2 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -146,7 +146,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts( * \deprecated Superseded by mbedtls_md2_update_ext() in 2.5.0 * * \param ctx MD2 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_md2_update( 
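Review bot: `len` is passed to mbedtls_base64_decode both as the destination size and as the output-length pointer (`&len`), so after a failing call its value is whatever that error path stored there, not necessarily the number of bytes allocated for `buf`; `mbedtls_zeroize( buf, len );` may then clear too little or, if the failure reported a required size, more than was allocated. Keep the allocation size in its own variable and clear with that, e.g. `mbedtls_zeroize( buf, buf_len );` where `buf_len` is the value the allocation used. mbedtls_pem_read_buffer starts and ends outside the hunk.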
@@ -203,7 +203,7 @@ extern "C" { /** * \brief Output = MD2( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD2 checksum result */ @@ -222,7 +222,7 @@ int mbedtls_md2_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_md2() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD2 checksum result */ diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index 671c6a4f1..f5d335d8f 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -92,7 +92,7 @@ int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ); * \brief MD4 process buffer * * \param ctx MD4 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -148,7 +148,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( * \deprecated Superseded by mbedtls_md4_update_ext() in 2.5.0 * * \param ctx MD4 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( @@ -207,7 +207,7 @@ extern "C" { /** * \brief Output = MD4( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD4 checksum result * @@ -228,7 +228,7 @@ int mbedtls_md4_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_md4_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD4 checksum result */ diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 816d081ab..5a7a00a6b 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h 
@@ -87,7 +87,7 @@ int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ); * \brief MD5 process buffer * * \param ctx MD5 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -143,7 +143,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( * \deprecated Superseded by mbedtls_md5_update_ext() in 2.5.0 * * \param ctx MD5 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( @@ -202,7 +202,7 @@ extern "C" { /** * \brief Output = MD5( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD5 checksum result * @@ -223,7 +223,7 @@ int mbedtls_md5_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_md5_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output MD5 checksum result */ diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index aea16b366..318635988 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -92,7 +92,7 @@ int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ); * \brief RIPEMD-160 process buffer * * \param ctx RIPEMD-160 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful 
@@ -148,7 +148,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_starts( * \deprecated Superseded by mbedtls_ripemd160_update_ext() in 2.5.0 * * \param ctx RIPEMD-160 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_update( @@ -207,7 +207,7 @@ extern "C" { /** * \brief Output = RIPEMD-160( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output RIPEMD-160 checksum result * @@ -228,7 +228,7 @@ int mbedtls_ripemd160_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_ripemd160_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output RIPEMD-160 checksum result */ diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 47a9f996f..e18e6ac99 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -92,7 +92,7 @@ int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ); * \brief SHA-1 process buffer * * \param ctx SHA-1 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -148,7 +148,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( * \deprecated Superseded by mbedtls_sha1_update_ext() in 2.5.0 * * \param ctx SHA-1 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( @@ -207,7 +207,7 @@ extern "C" { /** * \brief Output = SHA-1( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-1 checksum result * 
@@ -228,7 +228,7 @@ int mbedtls_sha1_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_sha1_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-1 checksum result */ diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 76555f4fd..5fce7ee93 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -94,7 +94,7 @@ int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 ); * \brief SHA-256 process buffer * * \param ctx SHA-256 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -152,7 +152,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( * \deprecated Superseded by mbedtls_sha256_update_ext() in 2.5.0 * * \param ctx SHA-256 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( @@ -211,7 +211,7 @@ extern "C" { /** * \brief Output = SHA-256( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-224/256 checksum result * \param is224 0 = use SHA256, 1 = use SHA224 @@ -234,7 +234,7 @@ int mbedtls_sha256_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_sha256_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-224/256 checksum result * \param is224 0 = use SHA256, 1 = use SHA224 diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 0fbdb3b71..7cba3f63c 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h 
@@ -94,7 +94,7 @@ int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 ); * \brief SHA-512 process buffer * * \param ctx SHA-512 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * * \return 0 if successful @@ -152,7 +152,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( * \deprecated Superseded by mbedtls_sha512_update_ext() in 2.5.0 * * \param ctx SHA-512 context - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data */ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( @@ -211,7 +211,7 @@ extern "C" { /** * \brief Output = SHA-512( input buffer ) * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-384/512 checksum result * \param is384 0 = use SHA512, 1 = use SHA384 @@ -234,7 +234,7 @@ int mbedtls_sha512_ext( const unsigned char *input, * * \deprecated Superseded by mbedtls_sha512_ext() in 2.5.0 * - * \param input buffer holding the data + * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-384/512 checksum result * \param is384 0 = use SHA512, 1 = use SHA384 From 6a3f30514a21d06aa27acd9cc63ab0c0f53f17b7 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:18:54 +0100 Subject: [PATCH 047/177] Ensure MD self_test ret codes are not hidden Also fix a potential memory leak and an incorrect goto statement in sha1.c self_test --- library/ripemd160.c | 7 +++++-- library/sha1.c | 20 ++++++++++++-------- library/sha256.c | 21 +++++++++++++-------- library/sha512.c | 19 ++++++++++++------- 4 files changed, 42 insertions(+), 25 deletions(-) diff --git a/library/ripemd160.c b/library/ripemd160.c index 8bf988eae..4e92bb735 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c 
@@ -464,7 +464,7 @@ static const unsigned char ripemd160_test_md[TESTS][20] = */ int mbedtls_ripemd160_self_test( int verbose ) { - int i, ret; + int i, ret = 0; unsigned char output[20]; memset( output, 0, sizeof output ); @@ -481,7 +481,10 @@ int mbedtls_ripemd160_self_test( int verbose ) goto fail; if( memcmp( output, ripemd160_test_md[i], 20 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -496,7 +499,7 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - return( 1 ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ diff --git a/library/sha1.c b/library/sha1.c index fdd087868..64b70f051 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -439,7 +439,7 @@ int mbedtls_sha1_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-1 test #%d: ", i + 1 ); - if( mbedtls_sha1_starts_ext( &ctx ) != 0 ) + if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 ) goto fail; if( i == 2 ) @@ -448,21 +448,27 @@ int mbedtls_sha1_self_test( int verbose ) for( j = 0; j < 1000; j++ ) { - if( mbedtls_sha1_update_ext( &ctx, buf, buflen ) != 0 ) + ret = mbedtls_sha1_update_ext( &ctx, buf, buflen ); + if( ret != 0 ) goto fail; } } else { - if( mbedtls_sha1_update_ext( &ctx, sha1_test_buf[i], - sha1_test_buflen[i] ) != 0 ) + ret = mbedtls_sha1_update_ext( &ctx, sha1_test_buf[i], + sha1_test_buflen[i] ); + if( ret != 0 ) goto fail; } - mbedtls_sha1_finish_ext( &ctx, sha1sum ); + if( ( ret = mbedtls_sha1_finish_ext( &ctx, sha1sum ) ) != 0 ) + goto fail; if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 ) - goto exit; + { + ret = 1; + goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -477,8 +483,6 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - ret = 1; - exit: mbedtls_sha1_free( &ctx ); diff --git a/library/sha256.c b/library/sha256.c index 88435a3c4..16a2f0b2f 100644 --- a/library/sha256.c +++ b/library/sha256.c 
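Review bot: The mismatch branches added to the ripemd160 and sha1 self-tests return the bare literal `1`, and the only reason that is distinguishable from a library failure is the (not visible here) mbed TLS convention that every MBEDTLS_ERR_* code is negative. A one-line comment at each site would stop the next maintainer from "fixing" it to an error macro: `ret = 1; /* digest mismatch: positive so it cannot collide with a negative MBEDTLS_ERR_* code */`. In sha1.c the mismatch path now goes to `fail` instead of `exit`, so the failure message is printed before the context is freed, which the old `goto exit` skipped. Both self-test functions begin before their hunks.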
@@ -448,7 +448,7 @@ int mbedtls_sha256_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 ); - if( mbedtls_sha256_starts_ext( &ctx, k ) != 0 ) + if( ( ret = mbedtls_sha256_starts_ext( &ctx, k ) ) != 0 ) goto fail; if( j == 2 ) @@ -456,23 +456,30 @@ int mbedtls_sha256_self_test( int verbose ) memset( buf, 'a', buflen = 1000 ); for( j = 0; j < 1000; j++ ) - if( mbedtls_sha256_update_ext( &ctx, buf, buflen ) != 0 ) + { + ret = mbedtls_sha256_update_ext( &ctx, buf, buflen ); + if( ret != 0 ) goto fail; + } } else { - if( mbedtls_sha256_update_ext( &ctx, sha256_test_buf[j], - sha256_test_buflen[j] ) != 0 ) - goto fail; + ret = mbedtls_sha256_update_ext( &ctx, sha256_test_buf[j], + sha256_test_buflen[j] ); + if( ret != 0 ) + goto fail; } - if( mbedtls_sha256_finish_ext( &ctx, sha256sum ) != 0 ) + if( ( ret = mbedtls_sha256_finish_ext( &ctx, sha256sum ) ) != 0 ) goto fail; if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -487,8 +494,6 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - ret = 1; - exit: mbedtls_sha256_free( &ctx ); mbedtls_free( buf ); diff --git a/library/sha512.c b/library/sha512.c index ff7e5ca5b..76d21ddfa 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -504,7 +504,7 @@ int mbedtls_sha512_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 ); - if( mbedtls_sha512_starts_ext( &ctx, k ) != 0 ) + if( ( ret = mbedtls_sha512_starts_ext( &ctx, k ) ) != 0 ) goto fail; if( j == 2 ) 
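Review bot: The newly braced inner loop `for( j = 0; j < 1000; j++ )` in the sha256 self-test reuses `j`, the same variable the surrounding code uses as the test index (`SHA-%d test #%d` prints `j + 1` and the else branch reads `sha256_test_buf[j]`); it only works if the outer loop recomputes `j` every iteration, which is outside the hunk. Since the loop body is being rewritten anyway, a dedicated repetition counter declared alongside `i`, `j`, `k` would remove the hazard, e.g. `for( r = 0; r < 1000; r++ )`. The sha512 hunk has the identical pattern. The enclosing functions start before the hunks.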
@@ -512,21 +512,28 @@ int mbedtls_sha512_self_test( int verbose ) memset( buf, 'a', buflen = 1000 ); for( j = 0; j < 1000; j++ ) - if( mbedtls_sha512_update_ext( &ctx, buf, buflen ) != 0 ) + { + ret = mbedtls_sha512_update_ext( &ctx, buf, buflen ); + if( ret != 0 ) goto fail; + } } else { - if( mbedtls_sha512_update_ext( &ctx, sha512_test_buf[j], - sha512_test_buflen[j] ) != 0 ) + ret = mbedtls_sha512_update_ext( &ctx, sha512_test_buf[j], + sha512_test_buflen[j] ); + if( ret != 0 ) goto fail; } - if( mbedtls_sha512_finish_ext( &ctx, sha512sum ) != 0 ) + if( ( ret = mbedtls_sha512_finish_ext( &ctx, sha512sum ) ) != 0 ) goto fail; if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -541,8 +548,6 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - ret = 1; - exit: mbedtls_sha512_free( &ctx ); mbedtls_free( buf ); From 94682d1d7d4a8492b0e832318bad670b427167b8 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:26:37 +0100 Subject: [PATCH 048/177] Fix use of unitialized ret in rsa.c --- library/rsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/rsa.c b/library/rsa.c index bd97d521b..4daa5b310 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -574,7 +574,7 @@ static int mgf_mask( unsigned char *dst, size_t dlen, unsigned char *src, unsigned char *p; unsigned int hlen; size_t i, use_len; - int ret; + int ret = 0; memset( mask, 0, MBEDTLS_MD_MAX_SIZE ); memset( counter, 0, 4 ); From 0963e6cfac2230d68c6ed1aa220ac41f096796ff Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:34:08 +0100 Subject: [PATCH 049/177] Fix possible memory leak in _ext() --- library/md2.c | 10 +++++----- library/md4.c | 9 +++++---- library/md5.c | 9 +++++---- library/ripemd160.c | 9 +++++---- library/sha1.c | 9 +++++---- library/sha256.c | 9 +++++---- library/sha512.c | 9 +++++---- 7 files changed, 35 insertions(+), 29 deletions(-) diff --git a/library/md2.c b/library/md2.c index a5d768b25..8d887a102 100644 --- a/library/md2.c +++ b/library/md2.c @@ -229,18 +229,18 @@ int mbedtls_md2_ext( const unsigned char *input, mbedtls_md2_init( &ctx ); if( ( ret = mbedtls_md2_starts_ext( &ctx ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md2_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md2_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); - + goto exit; +exit: mbedtls_md2_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/md4.c b/library/md4.c index da4df7b14..1121fd190 100644 --- a/library/md4.c +++ b/library/md4.c @@ -333,17 +333,18 @@ int mbedtls_md4_ext( const unsigned char *input, mbedtls_md4_init( &ctx ); if( ( ret = mbedtls_md4_starts_ext( &ctx ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md4_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md4_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_md4_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/md5.c b/library/md5.c index 8150f941d..93f6434a1 100644 --- a/library/md5.c +++ b/library/md5.c 
@@ -347,17 +347,18 @@ int mbedtls_md5_ext( const unsigned char *input, mbedtls_md5_init( &ctx ); if( ( ret = mbedtls_md5_starts_ext( &ctx ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md5_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_md5_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_md5_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/ripemd160.c b/library/ripemd160.c index 4e92bb735..0fc12a1ff 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -406,17 +406,18 @@ int mbedtls_ripemd160_ext( const unsigned char *input, mbedtls_ripemd160_init( &ctx ); if( ( ret = mbedtls_ripemd160_starts_ext( &ctx ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_ripemd160_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_ripemd160_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_ripemd160_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/sha1.c b/library/sha1.c index 64b70f051..42f3d6cd5 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -380,17 +380,18 @@ int mbedtls_sha1_ext( const unsigned char *input, mbedtls_sha1_init( &ctx ); if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha1_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha1_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_sha1_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/sha256.c b/library/sha256.c index 16a2f0b2f..fb03cd1dc 100644 --- a/library/sha256.c +++ b/library/sha256.c 
@@ -355,17 +355,18 @@ int mbedtls_sha256_ext( const unsigned char *input, mbedtls_sha256_init( &ctx ); if( ( ret = mbedtls_sha256_starts_ext( &ctx, is224 ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha256_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha256_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_sha256_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) diff --git a/library/sha512.c b/library/sha512.c index 76d21ddfa..b1947f1ea 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -391,17 +391,18 @@ int mbedtls_sha512_ext( const unsigned char *input, mbedtls_sha512_init( &ctx ); if( ( ret = mbedtls_sha512_starts_ext( &ctx, is384 ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha512_update_ext( &ctx, input, ilen ) ) != 0 ) - return( ret ); + goto exit; if( ( ret = mbedtls_sha512_finish_ext( &ctx, output ) ) != 0 ) - return( ret ); + goto exit; +exit: mbedtls_sha512_free( &ctx ); - return( 0 ); + return( ret ); } #if defined(MBEDTLS_SELF_TEST) From c5c7d76bf5693578241382e729b73367c8775702 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:42:16 +0100 Subject: [PATCH 050/177] Add goto exit; stmt in rsa.c for consistency --- library/rsa.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/rsa.c b/library/rsa.c index 4daa5b310..2f78ce366 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1446,8 +1446,11 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, if( ( ret = mbedtls_md_finish( &md_ctx, result ) ) != 0 ) goto exit; - if( ( ret = memcmp( p + slen, result, hlen ) ) != 0 ) + if( memcmp( p + slen, result, hlen ) != 0 ) + { ret = MBEDTLS_ERR_RSA_VERIFY_FAILED; + goto exit; + } exit: mbedtls_md_free( &md_ctx ); From 8798a10ff0473b216411e818127c57a4d1ca94b4 Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 14:46:23 +0100 Subject: [PATCH 051/177] Update ChangeLog entry as ssl_tls.c needs fixing --- ChangeLog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0c8f541d0..b9bc93155 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,7 +20,10 @@ API Changes mbedtls__finish() -> mbedtls__finish_ext() mbedtls__process() -> mbedtls_internal__process() The type of the function pointers in the mbedtls_md_info_t struct have - also been modified taking into account the functions return code. + also been modified taking into account the functions return code. Every + usage of the deprecated functions was updated. Furthermore, the MD return + codes are checked for error after every usage, except in the ssl_tls.c + module. = mbed TLS 2.5.1 released 2017-06-21 From 46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 16:17:51 +0100 Subject: [PATCH 052/177] Check return codes from MD in ssl code --- include/mbedtls/ssl_internal.h | 17 ++++ library/ssl_cli.c | 85 ++----------------- library/ssl_srv.c | 87 +++----------------- library/ssl_tls.c | 144 +++++++++++++++++++++++++++++++++ 4 files changed, 177 insertions(+), 156 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 756360b18..c39c02db2 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
@@ -610,6 +610,23 @@ static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t return( diff ); } +#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) +int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, + unsigned char *output, + unsigned char *data, size_t data_len ); +#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ + MBEDTLS_SSL_PROTO_TLS1_1 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) +int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, + unsigned char *output, + unsigned char *data, size_t data_len, + mbedtls_md_type_t md_alg ); +#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ + MBEDTLS_SSL_PROTO_TLS1_2 */ + #ifdef __cplusplus } #endif diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 86267f5c1..312e2ec51 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
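Review bot: Both new prototypes take `unsigned char *data` although the implementations added in ssl_tls.c in this commit only feed `data` into hash update calls, so it should be `const unsigned char *data` in both declarations and definitions. The helpers are also undocumented internal API with non-obvious contracts: the `ssl_tls` variant writes 36 bytes (MD5 followed by SHA-1) to `output`, the `tls1_2` variant writes the digest length of `md_alg`, and both send a fatal INTERNAL_ERROR alert before returning a non-zero code. Suggested declaration, with the same change on the second one: `int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, unsigned char *output, const unsigned char *data, size_t data_len );`, each preceded by a short `\brief` stating the output size and the alert side effect.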
@@ -2490,60 +2490,11 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_1) if( md_alg == MBEDTLS_MD_NONE ) { - mbedtls_md5_context mbedtls_md5; - mbedtls_sha1_context mbedtls_sha1; - - mbedtls_md5_init( &mbedtls_md5 ); - hashlen = 36; - - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(ClientHello.random + ServerHello.random - * + ServerParams); - * sha_hash - * SHA(ClientHello.random + ServerHello.random - * + ServerParams); - */ - if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 || - ( ret = mbedtls_md5_update_ext( &mbedtls_md5, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_md5_update_ext( &mbedtls_md5, params, - params_len ) ) != 0 || - ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, hash ) ) != 0 ) - { - mbedtls_md5_free( &mbedtls_md5 ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_*", ret ); - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, + params_len ); + if( ret != 0 ) return( ret ); - } - - mbedtls_md5_free( &mbedtls_md5 ); - - mbedtls_sha1_init( &mbedtls_sha1 ); - - if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 || - ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, params, - params_len ) ) != 0 || - ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1, - hash + 16 ) ) != 0 ) - { - mbedtls_sha1_free( &mbedtls_sha1 ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_*", ret ); - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - return( ret ); - } - - mbedtls_sha1_free( &mbedtls_sha1 ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 
@@ -2552,36 +2503,12 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { - mbedtls_md_context_t ctx; - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); - - mbedtls_md_init( &ctx ); - /* Info from md_alg will be used instead */ hashlen = 0; - - /* - * digitally-signed struct { - * opaque client_random[32]; - * opaque server_random[32]; - * ServerDHParams params; - * }; - */ - if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 || - ( ret = mbedtls_md_starts( &ctx ) ) != 0 || - ( ret = mbedtls_md_update( &ctx, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_md_update( &ctx, params, params_len ) ) != 0 || - ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 ) - { - mbedtls_md_free( &ctx ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_*", ret ); - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, params, + params_len, md_alg ); + if( ret != 0 ) return( ret ); - } - - mbedtls_md_free( &ctx ); } else #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f08a9bde1..ab687159d 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -3096,57 +3096,12 @@ curve_matching_done: defined(MBEDTLS_SSL_PROTO_TLS1_1) if( md_alg == MBEDTLS_MD_NONE ) { - mbedtls_md5_context mbedtls_md5; - mbedtls_sha1_context mbedtls_sha1; - - mbedtls_md5_init( &mbedtls_md5 ); - - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(ClientHello.random + ServerHello.random - * + ServerParams); - * sha_hash - * SHA(ClientHello.random + ServerHello.random - * + ServerParams); - */ - - if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 || - ( ret = mbedtls_md5_update_ext( &mbedtls_md5, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_md5_update_ext( &mbedtls_md5, dig_signed, - dig_signed_len ) ) != 0 || - ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, hash ) ) != 0 ) - { - mbedtls_md5_free( &mbedtls_md5 ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_*", ret ); - return( ret ); - } - - mbedtls_md5_free( &mbedtls_md5 ); - - mbedtls_sha1_init( &mbedtls_sha1 ); - - if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 || - ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, dig_signed, - dig_signed_len ) ) != 0 || - ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1, - hash + 16 ) ) != 0 ) - { - mbedtls_sha1_free( &mbedtls_sha1 ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_*", ret ); - return( ret ); - } - - mbedtls_sha1_free( &mbedtls_sha1 ); - hashlen = 36; + ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, + dig_signed, + dig_signed_len ); + if( ret != 0 ) + return( ret ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ 
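Review bot: On the server side this branch now emits a fatal INTERNAL_ERROR alert whenever the MD5/SHA-1 digest fails, because the shared helper does so on its `exit` path, whereas the removed ssl_srv.c code returned `ret` without alerting (only the removed client code did). Unifying the two is probably intended, but it is a wire-visible behaviour change for servers and is worth a sentence in the commit message or ChangeLog. The helper also ignores the return value of `mbedtls_ssl_send_alert_message`, matching the removed client code. The enclosing function starts and ends outside the hunk.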
@@ -3155,36 +3110,14 @@ curve_matching_done: defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { - mbedtls_md_context_t ctx; - const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); - - mbedtls_md_init( &ctx ); - /* Info from md_alg will be used instead */ hashlen = 0; - - /* - * digitally-signed struct { - * opaque client_random[32]; - * opaque server_random[32]; - * ServerDHParams params; - * }; - */ - if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 || - ( ret = mbedtls_md_starts( &ctx ) ) != 0 || - ( ret = mbedtls_md_update( &ctx, - ssl->handshake->randbytes, 64 ) ) != 0 || - ( ret = mbedtls_md_update( &ctx, dig_signed, - dig_signed_len ) ) != 0 || - ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 ) - { - mbedtls_md_free( &ctx ); - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_*", ret ); + ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, + dig_signed, + dig_signed_len, + md_alg ); + if( ret != 0 ) return( ret ); - } - - - mbedtls_md_free( &ctx ); } else #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b04917d14..f93537a2c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -8043,4 +8043,148 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } +#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_1) +int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, + unsigned char *output, + unsigned char *data, size_t data_len ) +{ + int ret = 0; + mbedtls_md5_context mbedtls_md5; + mbedtls_sha1_context mbedtls_sha1; + + mbedtls_md5_init( &mbedtls_md5 ); + mbedtls_sha1_init( &mbedtls_sha1 ); + + /* + * digitally-signed struct { + * opaque md5_hash[16]; + * opaque sha_hash[20]; + * }; + * + * md5_hash + * MD5(ClientHello.random + ServerHello.random + * + ServerParams); + * sha_hash + * SHA(ClientHello.random + ServerHello.random + * + ServerParams); + */ + if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_md5_update_ext( &mbedtls_md5, + ssl->handshake->randbytes, 64 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_md5_update_ext( &mbedtls_md5, data, data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, output ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ext", ret ); + goto exit; + } + + if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, + ssl->handshake->randbytes, 64 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, data, + data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ext", ret ); + goto exit; + } + if( ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1, 
+ output + 16 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ext", ret ); + goto exit; + } + +exit: + mbedtls_md5_free( &mbedtls_md5 ); + mbedtls_sha1_free( &mbedtls_sha1 ); + + if( ret != 0 ) + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + + return( ret ); + +} +#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ + MBEDTLS_SSL_PROTO_TLS1_1 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ + defined(MBEDTLS_SSL_PROTO_TLS1_2) +int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, + unsigned char *output, + unsigned char *data, size_t data_len, + mbedtls_md_type_t md_alg ) +{ + int ret = 0; + mbedtls_md_context_t ctx; + const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); + + mbedtls_md_init( &ctx ); + + /* + * digitally-signed struct { + * opaque client_random[32]; + * opaque server_random[32]; + * ServerDHParams params; + * }; + */ + if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret ); + goto exit; + } + if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret ); + goto exit; + } + if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); + goto exit; + } + if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret ); + goto exit; + } + if( ( ret = mbedtls_md_finish( &ctx, output ) ) != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret ); + goto exit; + } + +exit: + mbedtls_md_free( &ctx ); + + if( ret != 0 ) + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); + + return( ret ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ + MBEDTLS_SSL_PROTO_TLS1_2 */ + #endif 
/* MBEDTLS_SSL_TLS_C */ From 42e5e1084eeecf4b80cfba3557388b4d0942772c Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 16:27:03 +0100 Subject: [PATCH 053/177] Add goto cleanup; for consistency md.c --- library/md.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/md.c b/library/md.c index a84f3042d..625b34c5e 100644 --- a/library/md.c +++ b/library/md.c @@ -358,8 +358,9 @@ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, if( ( ret = ctx->md_info->starts_func( ctx->md_ctx ) ) != 0 ) goto cleanup; - ret = ctx->md_info->update_func( ctx->md_ctx, ipad, - ctx->md_info->block_size ); + if( ( ret = ctx->md_info->update_func( ctx->md_ctx, ipad, + ctx->md_info->block_size ) ) != 0 ) + goto cleanup; cleanup: mbedtls_zeroize( sum, sizeof( sum ) ); From 3395250f5fb8a996d1a85621446dc752d62f1785 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 16:29:16 +0100 Subject: [PATCH 054/177] Fix use of uninitialised ret ssl_tls.c --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f93537a2c..0f7d015d8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -221,7 +221,7 @@ static int ssl3_prf( const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ) { - int ret; + int ret = 0; size_t i; mbedtls_md5_context md5; mbedtls_sha1_context sha1; From b2b063ff3538f1a8f8a027009712e67b5a5fc4a9 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 20 Jul 2017 16:45:24 +0100 Subject: [PATCH 055/177] Add comment in entropy.c --- library/entropy.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/library/entropy.c b/library/entropy.c index 67ec9010c..baca87cf7 100644 --- a/library/entropy.c +++ b/library/entropy.c 
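Review bot: In the two new helpers `data` is only ever passed to `mbedtls_md5_update_ext`, `mbedtls_sha1_update_ext` and `mbedtls_md_update`, so it should be declared `const unsigned char *data` here and in the ssl_internal.h prototypes. Both functions dereference `ssl->handshake->randbytes` unconditionally; the callers in this commit only invoke them mid-handshake, but since the functions are exported through ssl_internal.h the precondition should be stated, e.g. `/* Precondition: only valid during a handshake, ssl->handshake must be non-NULL. */` above each definition. The stray blank line before the closing brace of the `ssl_tls` variant can be dropped. The hunk runs to the end of ssl_tls.c.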
@@ -366,6 +366,11 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) memset( buf, 0, MBEDTLS_ENTROPY_BLOCK_SIZE ); #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) + /* + * Note that at this stage it is assumed that the accumulator was started + * in a previous call to entropy_update(). If this is not guaranteed, the + * code below will fail. + */ if( ( ret = mbedtls_sha512_finish_ext( &ctx->accumulator, buf ) ) != 0 ) goto exit; From aa464ef23a49e386515e5245c444f202e45e2e4f Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 21 Jul 2017 14:21:53 +0100 Subject: [PATCH 056/177] Fix indentation and add goto cleanup; stmt --- library/md.c | 3 ++- library/ripemd160.c | 4 ++-- library/sha256.c | 4 ++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/library/md.c b/library/md.c index 625b34c5e..cec4243fd 100644 --- a/library/md.c +++ b/library/md.c @@ -436,7 +436,8 @@ int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, goto cleanup; if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 ) goto cleanup; - ret = mbedtls_md_hmac_finish( &ctx, output ); + if( ( ret = mbedtls_md_hmac_finish( &ctx, output ) ) != 0 ) + goto cleanup; cleanup: mbedtls_md_free( &ctx ); diff --git a/library/ripemd160.c b/library/ripemd160.c index 0fc12a1ff..bf5058fe9 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -378,11 +378,11 @@ int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, ret = mbedtls_ripemd160_update_ext( ctx, ripemd160_padding, padn ); if( ret != 0 ) - return( ret ); + return( ret ); ret = mbedtls_ripemd160_update_ext( ctx, msglen, 8 ); if( ret != 0 ) - return( ret ); + return( ret ); PUT_UINT32_LE( ctx->state[0], output, 0 ); PUT_UINT32_LE( ctx->state[1], output, 4 ); diff --git a/library/sha256.c b/library/sha256.c index fb03cd1dc..0e24d6982 100644 --- a/library/sha256.c +++ b/library/sha256.c 
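Review bot: The added comment says the code "will fail" if the accumulator was never started, but as far as I can tell finishing an initialised-but-never-started SHA-512 context does not return an error; it computes a digest over whatever state `mbedtls_sha512_init` left, i.e. a fixed, low-entropy output that would be handed out as entropy without any diagnostic. That is the security-relevant consequence and the comment should say so, and ideally name what actually guarantees the precondition (the gather loop earlier in `mbedtls_entropy_func`, which goes through `entropy_update()` before this point). Suggested wording: `/* The accumulator must already have been started by entropy_update() (the gather loop above does this); finishing a never-started context would silently yield a fixed digest rather than an error. */`. The enclosing function starts before the hunk.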
@@ -320,10 +320,10 @@ int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx, padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); if( ( ret = mbedtls_sha256_update_ext( ctx, sha256_padding, padn ) ) != 0 ) - return( ret ); + return( ret ); if( ( ret = mbedtls_sha256_update_ext( ctx, msglen, 8 ) ) != 0 ) - return( ret ); + return( ret ); PUT_UINT32_BE( ctx->state[0], output, 0 ); PUT_UINT32_BE( ctx->state[1], output, 4 ); From 2d0aa8be97bad9e8d65276716833f1e6d117c5b2 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Fri, 21 Jul 2017 14:57:26 +0100 Subject: [PATCH 057/177] Fix MD selftest to use correct type and expose ret --- library/md2.c | 20 ++++++++++++++------ library/md4.c | 20 ++++++++++++++------ library/md5.c | 15 +++++++++------ library/ripemd160.c | 31 +++++++++++++++++-------------- library/sha1.c | 2 +- library/sha256.c | 2 +- library/sha512.c | 2 +- 7 files changed, 57 insertions(+), 35 deletions(-) diff --git a/library/md2.c b/library/md2.c index 8d887a102..06d6ac288 100644 --- a/library/md2.c +++ b/library/md2.c @@ -248,7 +248,7 @@ exit: /* * RFC 1319 test vectors */ -static const char md2_test_str[7][81] = +static const unsigned char md2_test_str[7][81] = { { "" }, { "a" }, @@ -256,10 +256,15 @@ static const char md2_test_str[7][81] = { "message digest" }, { "abcdefghijklmnopqrstuvwxyz" }, { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" }, - { "12345678901234567890123456789012345678901234567890123456789012" \ + { "12345678901234567890123456789012345678901234567890123456789012" "345678901234567890" } }; +static const size_t md2_test_strlen[7] = +{ + 0, 1, 3, 14, 26, 62, 80 +}; + static const unsigned char md2_test_sum[7][16] = { { 0x83, 0x50, 0xE5, 0xA3, 0xE2, 0x4C, 0x15, 0x3D, @@ -283,7 +288,7 @@ static const unsigned char md2_test_sum[7][16] = */ int mbedtls_md2_self_test( int verbose ) { - int i; + int i, ret = 0; unsigned char md2sum[16]; for( i = 0; i < 7; i++ ) 
@@ -291,12 +296,15 @@ int mbedtls_md2_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD2 test #%d: ", i + 1 ); - if( mbedtls_md2_ext( (unsigned char *)md2_test_str[i], - strlen( md2_test_str[i] ), md2sum ) != 0 ) + ret = mbedtls_md2_ext( md2_test_str[i], md2_test_strlen[i], md2sum ); + if( ret != 0 ) goto fail; if( memcmp( md2sum, md2_test_sum[i], 16 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -311,7 +319,7 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - return( 1 ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ diff --git a/library/md4.c b/library/md4.c index 1121fd190..f5972eb63 100644 --- a/library/md4.c +++ b/library/md4.c @@ -352,7 +352,7 @@ exit: /* * RFC 1320 test vectors */ -static const char md4_test_str[7][81] = +static const unsigned char md4_test_str[7][81] = { { "" }, { "a" }, @@ -360,10 +360,15 @@ static const char md4_test_str[7][81] = { "message digest" }, { "abcdefghijklmnopqrstuvwxyz" }, { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" }, - { "12345678901234567890123456789012345678901234567890123456789012" \ + { "12345678901234567890123456789012345678901234567890123456789012" "345678901234567890" } }; +static const size_t md4_test_strlen[7] = +{ + 0, 1, 3, 14, 26, 62, 80 +}; + static const unsigned char md4_test_sum[7][16] = { { 0x31, 0xD6, 0xCF, 0xE0, 0xD1, 0x6A, 0xE9, 0x31, @@ -387,7 +392,7 @@ static const unsigned char md4_test_sum[7][16] = */ int mbedtls_md4_self_test( int verbose ) { - int i; + int i, ret = 0; unsigned char md4sum[16]; for( i = 0; i < 7; i++ ) 
@@ -395,12 +400,15 @@ int mbedtls_md4_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD4 test #%d: ", i + 1 ); - if( mbedtls_md4_ext( (unsigned char *) md4_test_str[i], - strlen( md4_test_str[i] ), md4sum ) != 0 ) + ret = mbedtls_md4_ext( md4_test_str[i], md4_test_strlen[i], md4sum ); + if( ret != 0 ) goto fail; if( memcmp( md4sum, md4_test_sum[i], 16 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -415,7 +423,7 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - return( 1 ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ diff --git a/library/md5.c b/library/md5.c index 93f6434a1..68a112ab7 100644 --- a/library/md5.c +++ b/library/md5.c @@ -373,11 +373,11 @@ static const unsigned char md5_test_buf[7][81] = { "message digest" }, { "abcdefghijklmnopqrstuvwxyz" }, { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" }, - { "12345678901234567890123456789012345678901234567890123456789012" \ + { "12345678901234567890123456789012345678901234567890123456789012" "345678901234567890" } }; -static const int md5_test_buflen[7] = +static const size_t md5_test_buflen[7] = { 0, 1, 3, 14, 26, 62, 80 }; @@ -405,7 +405,7 @@ static const unsigned char md5_test_sum[7][16] = */ int mbedtls_md5_self_test( int verbose ) { - int i; + int i, ret = 0; unsigned char md5sum[16]; for( i = 0; i < 7; i++ ) @@ -413,12 +413,15 @@ int mbedtls_md5_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD5 test #%d: ", i + 1 ); - if( mbedtls_md5_ext( md5_test_buf[i], - md5_test_buflen[i], md5sum ) != 0 ) + ret = mbedtls_md5_ext( md5_test_buf[i], md5_test_buflen[i], md5sum ); + if( ret != 0 ) goto fail; if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 ) + { + ret = 1; goto fail; + } if( verbose != 0 ) mbedtls_printf( "passed\n" ); @@ -433,7 +436,7 @@ fail: if( verbose != 0 ) mbedtls_printf( "failed\n" ); - return( 1 ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ 
diff --git a/library/ripemd160.c b/library/ripemd160.c index bf5058fe9..274a7c9c7 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -426,18 +426,22 @@ exit: * http://homes.esat.kuleuven.be/~bosselae/mbedtls_ripemd160.html#HMAC */ #define TESTS 8 -#define KEYS 2 -static const char *ripemd160_test_input[TESTS] = +static const unsigned char ripemd160_test_str[TESTS][81] = { - "", - "a", - "abc", - "message digest", - "abcdefghijklmnopqrstuvwxyz", - "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", - "1234567890123456789012345678901234567890" - "1234567890123456789012345678901234567890", + { "" }, + { "a" }, + { "abc" }, + { "message digest" }, + { "abcdefghijklmnopqrstuvwxyz" }, + { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" }, + { "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" }, + { "12345678901234567890123456789012345678901234567890123456789012" + "345678901234567890" }, +}; + +static const size_t ripemd160_test_strlen[TESTS] = +{ + 0, 1, 3, 14, 26, 56, 62, 80 }; static const unsigned char ripemd160_test_md[TESTS][20] = @@ -475,9 +479,8 @@ int mbedtls_ripemd160_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " RIPEMD-160 test #%d: ", i + 1 ); - ret = mbedtls_ripemd160_ext( - (const unsigned char *)ripemd160_test_input[i], - strlen( ripemd160_test_input[i] ), output ); + ret = mbedtls_ripemd160_ext( ripemd160_test_str[i], + ripemd160_test_strlen[i], output ); if( ret != 0 ) goto fail; diff --git a/library/sha1.c b/library/sha1.c index 42f3d6cd5..8d3895035 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -405,7 +405,7 @@ static const unsigned char sha1_test_buf[3][57] = { "" } }; -static const int sha1_test_buflen[3] = +static const size_t sha1_test_buflen[3] = { 3, 56, 1000 }; diff --git a/library/sha256.c b/library/sha256.c index 0e24d6982..b76569792 100644 --- a/library/sha256.c +++ b/library/sha256.c 
@@ -380,7 +380,7 @@ static const unsigned char sha256_test_buf[3][57] = { "" } }; -static const int sha256_test_buflen[3] = +static const size_t sha256_test_buflen[3] = { 3, 56, 1000 }; diff --git a/library/sha512.c b/library/sha512.c index b1947f1ea..d0faba941 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -418,7 +418,7 @@ static const unsigned char sha512_test_buf[3][113] = { "" } }; -static const int sha512_test_buflen[3] = +static const size_t sha512_test_buflen[3] = { 3, 112, 1000 }; From 38fc3a05484e750d626ec9092534bca2cc4de1a5 Mon Sep 17 00:00:00 2001 From: Peter Huewe Date: Sat, 29 Jul 2017 02:01:22 +0200 Subject: [PATCH 058/177] Remove duplicated defintion of PRINT_ERROR The PRINT_ERROR macros are already defined exactly the same in line 101ff, so we can remove them here. --- programs/test/benchmark.c | 9 --------- 1 file changed, 9 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index eb578e730..20adad445 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -131,15 +131,6 @@ do { \ ( mbedtls_timing_hardclock() - tsc ) / ( jj * BUFSIZE ) ); \ } while( 0 ) -#if defined(MBEDTLS_ERROR_C) -#define PRINT_ERROR \ - mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) ); \ - mbedtls_printf( "FAILED: %s\n", tmp ); -#else -#define PRINT_ERROR \ - mbedtls_printf( "FAILED: -0x%04x\n", -ret ); -#endif - #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && defined(MBEDTLS_MEMORY_DEBUG) #define MEMORY_MEASURE_INIT \ From 31162e44239cb1f70b220a96163400e5775ec1d2 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 5 Sep 2017 15:34:35 +0300 Subject: [PATCH 059/177] Set PEM buffer to zero before freeing it Set PEM buffer to zero before freeing it, to avoid private keys being leaked to memory after releasing it. --- ChangeLog | 6 ++++++ library/pem.c | 1 + 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 227faed6b..9dcd1a0da 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Security + * Set PEM buffer to zero before freeing it, to avoid decoded private keys + being leaked to memory after release. + = mbed TLS 2.6.0 branch released 2017-08-10 Security diff --git a/library/pem.c b/library/pem.c index 8dd86a4ac..4c2337393 100644 --- a/library/pem.c +++ b/library/pem.c @@ -387,6 +387,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const void mbedtls_pem_free( mbedtls_pem_context *ctx ) { + memset( ctx->buf, 0, ctx->buflen ); mbedtls_free( ctx->buf ); mbedtls_free( ctx->info ); From 9d84b4c102e2b5f1a5b2ed8d86c70c5047c919b8 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 5 Sep 2017 17:17:31 +0300 Subject: [PATCH 060/177] update after Andres comments Update after Andres coments: 1. zeroize the buffer in `mbedtls_pem_read_buffer()` before freeing it 2. use `mbedtls_zeroize()` instead of `memset()` --- library/pem.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/library/pem.c b/library/pem.c index 4c2337393..f7051ecd2 100644 --- a/library/pem.c +++ b/library/pem.c @@ -331,7 +331,9 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); + buf = NULL; return( MBEDTLS_ERR_PEM_INVALID_DATA + ret ); } @@ -341,7 +343,9 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) if( pwd == NULL ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); + buf = NULL; return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } 
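Review bot: `mbedtls_zeroize( buf, len )` in the base64 failure path runs after `len` has already been passed as the output-length argument of `mbedtls_base64_decode`, so at that point `len` is whatever the decoder wrote back (for a buffer-too-small result, the required size) rather than the size that was allocated, and the wipe could in principle write past the allocation. If this error path keeps a wipe, it should use the allocation size (kept in a separate variable) instead of `len`; the two later hunks in this commit zeroize after a successful decode and are not affected. The following commit in this series removes these lines again, which also resolves the point. mbedtls_pem_read_buffer starts and ends outside the hunk.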
@@ -369,7 +373,9 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const */ if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 ) { + mbedtls_zeroize( buf, len ); mbedtls_free( buf ); + buf = NULL; return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ); } #else @@ -387,7 +393,8 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const void mbedtls_pem_free( mbedtls_pem_context *ctx ) { - memset( ctx->buf, 0, ctx->buflen ); + if( ctx->buf ) + mbedtls_zeroize( ctx->buf, ctx->buflen ); mbedtls_free( ctx->buf ); mbedtls_free( ctx->info ); From 65112b15e6129cc24ac5861f6802b6e38a121468 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 6 Sep 2017 17:09:41 +0300 Subject: [PATCH 061/177] Adress Hannos's comments Remove zeroizing buffer, as it was done already in PR #369 Check that buffer is not null by `!= NULL` statement --- library/pem.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/library/pem.c b/library/pem.c index f7051ecd2..2f20b1e44 100644 --- a/library/pem.c +++ b/library/pem.c @@ -331,9 +331,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const if( ( ret = mbedtls_base64_decode( buf, len, &len, s1, s2 - s1 ) ) != 0 ) { - mbedtls_zeroize( buf, len ); mbedtls_free( buf ); - buf = NULL; return( MBEDTLS_ERR_PEM_INVALID_DATA + ret ); } @@ -343,9 +341,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const ( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) ) if( pwd == NULL ) { - mbedtls_zeroize( buf, len ); mbedtls_free( buf ); - buf = NULL; return( MBEDTLS_ERR_PEM_PASSWORD_REQUIRED ); } @@ -373,9 +369,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const */ if( len <= 2 || buf[0] != 0x30 || buf[1] > 0x83 ) { - mbedtls_zeroize( buf, len ); mbedtls_free( buf ); - buf = NULL; return( MBEDTLS_ERR_PEM_PASSWORD_MISMATCH ); } #else 
@@ -393,7 +387,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const void mbedtls_pem_free( mbedtls_pem_context *ctx ) { - if( ctx->buf ) + if( ctx->buf != NULL ) mbedtls_zeroize( ctx->buf, ctx->buflen ); mbedtls_free( ctx->buf ); mbedtls_free( ctx->info ); From a8434e8f95290b0429c3ce77a7764ed7dc985143 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 10:54:39 +0100 Subject: [PATCH 062/177] Add compile-time checks for size of record content and payload --- include/mbedtls/ssl_internal.h | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 756360b18..916817a22 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -24,6 +24,7 @@ #define MBEDTLS_SSL_INTERNAL_H #include "ssl.h" +#include "cipher.h" #if defined(MBEDTLS_MD5_C) #include "md5.h" @@ -138,13 +139,31 @@ #define MBEDTLS_SSL_PADDING_ADD 0 #endif -#define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \ - + MBEDTLS_SSL_COMPRESSION_ADD \ - + 29 /* counter + header + IV */ \ - + MBEDTLS_SSL_MAC_ADD \ - + MBEDTLS_SSL_PADDING_ADD \ +#define MBEDTLS_SSL_PAYLOAD_LEN ( MBEDTLS_SSL_MAX_CONTENT_LEN \ + + MBEDTLS_SSL_COMPRESSION_ADD \ + + MBEDTLS_MAX_IV_LENGTH \ + + MBEDTLS_SSL_MAC_ADD \ + + MBEDTLS_SSL_PADDING_ADD \ ) +/* + * Check that we obey the standard's message size bounds + */ + +#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384 +#error Bad configuration - record content too large. +#endif + +#if MBEDTLS_SSL_PAYLOAD_LEN > 16384 + 2048 +#error Bad configuration - protected record payload too large. +#endif + +#define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_PAYLOAD_LEN \ + + 5 /* TLS record header */ \ + + 8 /* Additional DTLS fields */ \ + ) + + /* * TLS extension flags (for extensions with outgoing ServerHello content * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 
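Review bot: The conditional wipe in mbedtls_pem_free carries no explanation of why `ctx->buf` is treated differently from `ctx->info`, nor that its correctness depends on `ctx->buflen` being the allocated size; a later change that shrinks `buflen` after a partial decode would silently leave key bytes behind. Suggest `/* buf holds the decoded DER payload (possibly a private key); buflen must equal its allocated size */` above the `if`. If the function does not already reset the context afterwards (not visible in the hunk), `ctx->buf = NULL;` after the free would also make a repeated call harmless. The rest of mbedtls_pem_free is outside the hunk.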
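Review bot: The two new `#error` checks state their limits as bare numbers (`16384`, `16384 + 2048`) and the comment above them only says "the standard", so a reader cannot tell which bound is being enforced or where to look it up. Suggest replacing that comment with `/* RFC 5246 6.2.1: TLSPlaintext.length <= 2^14; 6.2.3: TLSCiphertext.length <= 2^14 + 2048 */`. `MBEDTLS_SSL_PAYLOAD_LEN` also deserves a one-line comment saying it is the protected record payload (content, compression, IV, MAC and padding) without the 5 TLS and 8 DTLS header bytes that `MBEDTLS_SSL_BUFFER_LEN` adds, since the old `29 /* counter + header + IV */` note that documented this is gone.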
From d33f1ca34c39cd42e11f5d0997603a291a4d08df Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 10:55:31 +0100 Subject: [PATCH 063/177] Add run-time check for record content size in ssl_encrypt_buf --- library/ssl_tls.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b388156df..970a043e4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1268,6 +1268,13 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", ssl->out_msg, ssl->out_msglen ); + if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content too large, maximum %d", + MBEDTLS_SSL_MAX_CONTENT_LEN ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + /* * Add MAC before if needed */ From 9648f8b59cbea751921f5da49c5bcb8cad823b64 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 10:55:54 +0100 Subject: [PATCH 064/177] Add run-time check for handshake message size in ssl_write_record --- library/ssl_tls.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 970a043e4..d2ca10157 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2742,6 +2742,15 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl ) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { /* Make room for the additional DTLS fields */ + if( MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " + "size %u, maximum %u", + (unsigned) ( ssl->in_hslen - 4 ), + (unsigned) ( MBEDTLS_SSL_MAX_CONTENT_LEN - 12 ) ) ); + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + memmove( ssl->out_msg + 12, ssl->out_msg + 4, len - 4 ); ssl->out_msglen += 8; len += 8; From 81e96dd54afa16e2be9a91c5465be6cc4a420071 Mon Sep 17 00:00:00 2001 
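Review bot: The new error message in mbedtls_ssl_write_record reports `ssl->in_hslen - 4` as the size of the message being written, but the check and the following memmove concern `ssl->out_msglen`; the log will show the length of the last received handshake message, which is misleading when debugging this failure. Use `(unsigned) ( ssl->out_msglen - 4 ),` there. The condition `MBEDTLS_SSL_MAX_CONTENT_LEN - ssl->out_msglen < 8` also subtracts what appears to be a size_t (given the casts) from an int constant; if `out_msglen` could ever exceed the constant the subtraction wraps and the check passes, so `if( ssl->out_msglen + 8 > MBEDTLS_SSL_MAX_CONTENT_LEN )` is the safer form. mbedtls_ssl_write_record starts and ends outside the hunk.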
From: Hanno Becker Date: Mon, 18 Sep 2017 11:07:25 +0100 Subject: [PATCH 065/177] Adapt ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index e199682ea..1e3614b9b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ mbed TLS ChangeLog (Sorted per branch, date) Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. + * Add size-checks for record and handshake message content, securing + fragile yet non-exploitable code-paths. = mbed TLS 2.6.0 branch released 2017-08-10 From 4b151fabb7b65a774f5fb5cbcb061314e54564c9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 20 Sep 2017 13:46:37 +0100 Subject: [PATCH 066/177] DHM: Add negative tests for parameter checking A bug in the dhm_check_range() function makes it pass even when the parameters are not in the range. This commit adds tests for signalling this problem as well as a couple of other negative tests. --- tests/suites/test_suite_dhm.data | 18 +++++++++++++++--- tests/suites/test_suite_dhm.function | 7 +++++-- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/tests/suites/test_suite_dhm.data b/tests/suites/test_suite_dhm.data index f2cdeffa5..e351ebdd4 100644 --- a/tests/suites/test_suite_dhm.data +++ b/tests/suites/test_suite_dhm.data 
@@ -1,11 +1,23 @@ Diffie-Hellman full exchange #1 -dhm_do_dhm:10:"23":10:"5" +dhm_do_dhm:10:"23":10:"5":0 Diffie-Hellman full exchange #2 -dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622" +dhm_do_dhm:10:"93450983094850938450983409623":10:"9345098304850938450983409622":0 Diffie-Hellman full exchange #3 -dhm_do_dhm:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271" +dhm_do_dhm:10:"93450983094850938450983409623982317398171298719873918739182739712938719287391879381271":10:"9345098309485093845098340962223981329819812792137312973297123912791271":0 + +Diffie-Hellman trivial subgroup #1 +dhm_do_dhm:10:"23":10:"1":MBEDTLS_ERR_DHM_BAD_INPUT_DATA + +Diffie-Hellman trivial subgroup #2 +dhm_do_dhm:10:"23":10:"-1":MBEDTLS_ERR_DHM_BAD_INPUT_DATA + +Diffie-Hellman small modulus +dhm_do_dhm:10:"3":10:"5":MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED + +Diffie-Hellman zero modulus +dhm_do_dhm:10:"0":10:"5":MBEDTLS_ERR_DHM_BAD_INPUT_DATA Diffie-Hallman load parameters from file dhm_file:"data_files/dhparams.pem":"9e35f430443a09904f3a39a979797d070df53378e79c2438bef4e761f3c714553328589b041c809be1d6c6b5f1fc9f47d3a25443188253a992a56818b37ba9de5a40d362e56eff0be5417474c125c199272c8fe41dea733df6f662c92ae76556e755d10c64e6a50968f67fc6ea73d0dca8569be2ba204e23580d8bca2f4975b3":"02":128 diff --git a/tests/suites/test_suite_dhm.function b/tests/suites/test_suite_dhm.function index b9b8e1956..4fd8fff23 100644 --- a/tests/suites/test_suite_dhm.function +++ b/tests/suites/test_suite_dhm.function @@ -9,7 +9,7 @@ /* BEGIN_CASE */ void dhm_do_dhm( int radix_P, char *input_P, - int radix_G, char *input_G ) + int radix_G, char *input_G, int result ) { mbedtls_dhm_context ctx_srv; mbedtls_dhm_context ctx_cli; 
@@ -44,7 +44,10 @@ void dhm_do_dhm( int radix_P, char *input_P, /* * First key exchange */ - TEST_ASSERT( mbedtls_dhm_make_params( &ctx_srv, x_size, ske, &ske_len, &rnd_pseudo_rand, &rnd_info ) == 0 ); + TEST_ASSERT( mbedtls_dhm_make_params( &ctx_srv, x_size, ske, &ske_len, &rnd_pseudo_rand, &rnd_info ) == result ); + if ( result != 0 ) + goto exit; + ske[ske_len++] = 0; ske[ske_len++] = 0; TEST_ASSERT( mbedtls_dhm_read_params( &ctx_cli, &p, ske + ske_len ) == 0 ); From aa325d7b7f5656edfb2b61cbab2189fd01818975 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 20 Sep 2017 15:33:24 +0100 Subject: [PATCH 067/177] DHM: Fix dhm_check_range() always returning 0 Although the variable ret was initialised to an error, the MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being 0 whenewer the bignum computation was successfull and stayed 0 independently of the actual check. --- ChangeLog | 6 +++++- library/dhm.c | 11 +++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index e199682ea..ce0e83173 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x released xxxx-xx-xx += mbed TLS x.x.x branch released xxxx-xx-xx + +Security + * Fix dhm_check_range() failing to detect trivial subgroups and essentially + always returning 0. Reported by prashantkspatil. Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records diff --git a/library/dhm.c b/library/dhm.c index bec52a11d..620610dab 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -93,6 +93,9 @@ static int dhm_read_bignum( mbedtls_mpi *X, * * Parameter should be: 2 <= public_param <= P - 2 * + * This means that we need to return an error if + * public_param < 2 or public param > P-2 + * * For more information on the attack, see: * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643 
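Review bot: `if ( result != 0 )` puts a space between `if` and the parenthesis, while the mbed TLS sources elsewhere on this page consistently write `if( ... )`; use `if( result != 0 )`. The negative cases also leave through `goto exit` before the first `mbedtls_dhm_read_params`, so the new `result` parameter only describes the outcome of `mbedtls_dhm_make_params`; a short comment such as `/* negative cases: make_params is expected to reject the parameters, nothing else runs */` above the goto would make that contract explicit to whoever adds the next data row. dhm_do_dhm starts and ends outside the hunk.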
@@ -100,17 +103,17 @@ static int dhm_read_bignum( mbedtls_mpi *X, static int dhm_check_range( const mbedtls_mpi *param, const mbedtls_mpi *P ) { mbedtls_mpi L, U; - int ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA; + int ret = 0; mbedtls_mpi_init( &L ); mbedtls_mpi_init( &U ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( &L, 2 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &U, P, 2 ) ); - if( mbedtls_mpi_cmp_mpi( param, &L ) >= 0 && - mbedtls_mpi_cmp_mpi( param, &U ) <= 0 ) + if( mbedtls_mpi_cmp_mpi( param, &L ) < 0 || + mbedtls_mpi_cmp_mpi( param, &U ) > 0 ) { - ret = 0; + ret = MBEDTLS_ERR_DHM_BAD_INPUT_DATA; } cleanup: From b174c84a3b5aa3353e02a565a9cfe36cc6795384 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Wed, 20 Sep 2017 16:26:04 +0100 Subject: [PATCH 068/177] Refine dhm_check_range() fix Changelog entry --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce0e83173..3da4a84d7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,8 +3,8 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx Security - * Fix dhm_check_range() failing to detect trivial subgroups and essentially - always returning 0. Reported by prashantkspatil. + * Fix dhm_check_range() failing to detect trivial subgroups and potentially + leaking 1 bit of the private key. Reported by prashantkspatil. Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records From 1ad1c6d4e18b32118863a63a42f4a6d70084e6ca Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 21 Sep 2017 09:02:11 +0100 Subject: [PATCH 069/177] Fix typo --- library/dhm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/dhm.c b/library/dhm.c index 620610dab..71b4f85d7 100644 --- a/library/dhm.c +++ b/library/dhm.c 
@@ -94,7 +94,7 @@ static int dhm_read_bignum( mbedtls_mpi *X, * Parameter should be: 2 <= public_param <= P - 2 * * This means that we need to return an error if - * public_param < 2 or public param > P-2 + * public_param < 2 or public_param > P-2 * * For more information on the attack, see: * http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf From 0e6dc84f3ec1e67a93dc3221ccd605da79589da4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 27 Sep 2017 11:48:02 +0100 Subject: [PATCH 070/177] Deprecate Diffie-Hellman groups from RFC 5114 Also, change the way the standardized Diffie-Hellman groups are provided from macro-based string-literals to global variables. --- include/mbedtls/dhm.h | 127 +++++++++++++++--------------------------- library/dhm.c | 97 ++++++++++++++++++++++++++++++++ 2 files changed, 142 insertions(+), 82 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d7ab1522e..f3ee14f65 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -38,6 +38,14 @@ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ +#if ! defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif +#endif + /** * RFC 3526 defines a number of standardized Diffie-Hellman groups * for IKE. 
@@ -51,93 +59,48 @@ * RFC 3526 4. 3072-bit MODP Group * RFC 3526 5. 4096-bit MODP Group * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * The constants with suffix "_p" denote the chosen prime moduli, while + * the constants with suffix "_g" denote the chosen generator + * of the associated prime field. + * + * All constants are represented as null-terminated strings containing the + * hexadecimal presentation of the respective numbers. + * + * \warning The origin of the primes in RFC 5114 is not documented and + * their use therefore constitutes a security risk! + * + * \deprecated The primes from RFC 5114 are superseded by the primes + * from RFC 3526 and RFC 7919 and should no longer be used. + * They will be removed in the next major revision. */ -#define MBEDTLS_DHM_RFC3526_MODP_2048_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AACAA68FFFFFFFFFFFFFFFF" -#define MBEDTLS_DHM_RFC3526_MODP_2048_G "02" +const char *mbedtls_dhm_rfc3526_modp_2048_p; +const char *mbedtls_dhm_rfc3526_modp_2048_g; +const char *mbedtls_dhm_rfc3526_modp_3072_p; +const char *mbedtls_dhm_rfc3526_modp_3072_g; +const char *mbedtls_dhm_rfc3526_modp_4096_p; +const char *mbedtls_dhm_rfc3526_modp_4096_g; -#define MBEDTLS_DHM_RFC3526_MODP_3072_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ 
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" -#define MBEDTLS_DHM_RFC3526_MODP_3072_G "02" +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p; +MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_g; +#endif -#define MBEDTLS_DHM_RFC3526_MODP_4096_P \ - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \ - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \ - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \ - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \ - 
"1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \ - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ - "FFFFFFFFFFFFFFFF" - -#define MBEDTLS_DHM_RFC3526_MODP_4096_G "02" - -#define MBEDTLS_DHM_RFC5114_MODP_2048_P \ - "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \ - "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \ - "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \ - "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \ - "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \ - "B3BF8A317091883681286130BC8985DB1602E714415D9330" \ - "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \ - "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \ - "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \ - "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \ - "CF9DE5384E71B81C0AC4DFFE0C10E64F" - -#define MBEDTLS_DHM_RFC5114_MODP_2048_G \ - "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"\ - "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"\ - "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"\ - "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"\ - "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"\ - "F180EB34118E98D119529A45D6F834566E3025E316A330EF"\ - "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"\ - "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"\ - "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"\ - "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"\ - "81BC087F2A7065B384B890D3191F2BFA" +/** + * \deprecated These macros are superseded by direct access to the corresponding + * global variables and will be removed in the next major revision. 
+ */ +#if !defined(MBEDTLS_DEPRECATED_REMOVED) +#define MBEDTLS_DHM_RFC5114_MODP_2048_P mbedtls_dhm_rfc5114_modp_2048_p +#define MBEDTLS_DHM_RFC5114_MODP_2048_G mbedtls_dhm_rfc5114_modp_2048_g +#define MBEDTLS_DHM_RFC3526_MODP_2048_P mbedtls_dhm_rfc3526_modp_2048_p +#define MBEDTLS_DHM_RFC3526_MODP_2048_G mbedtls_dhm_rfc3526_modp_2048_g +#define MBEDTLS_DHM_RFC3526_MODP_3072_P mbedtls_dhm_rfc3526_modp_3072_p +#define MBEDTLS_DHM_RFC3526_MODP_3072_G mbedtls_dhm_rfc3526_modp_3072_g +#define MBEDTLS_DHM_RFC3526_MODP_4096_P mbedtls_dhm_rfc3526_modp_4096_p +#define MBEDTLS_DHM_RFC3526_MODP_4096_G mbedtls_dhm_rfc3526_modp_4096_g +#endif #ifdef __cplusplus extern "C" { diff --git a/library/dhm.c b/library/dhm.c index bec52a11d..9da33c901 100644 --- a/library/dhm.c +++ b/library/dhm.c 
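Review bot: The new globals are declared as `const char *mbedtls_dhm_rfc3526_modp_2048_p;` without `extern`, which turns every translation unit that includes dhm.h into a tentative definition of the same symbol; that only links under the common-symbol model and fails with duplicate definitions when compiling with `-fno-common` or from C++, and the declarations sit above the `extern "C" {` block, so C++ consumers would additionally get mangled names. The pointers themselves are also writable, so any code in the process can redirect the library's DH parameters even though the strings they point to are immutable. Declare each one as `extern const char * const mbedtls_dhm_rfc3526_modp_2048_p;` (keeping `MBEDTLS_DEPRECATED` on the RFC 5114 pair), move the block below `extern "C" {`, and match with `const char * const` in the dhm.c definitions; the compatibility macros then keep working unchanged.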
@@ -57,6 +57,103 @@
 #define mbedtls_free free
 #endif
+/*
+ * Diffie-Hellman groups from RFC 5114
+ *
+ * \warning The origin of the primes in RFC 5114 is not documented and
+ * their use therefore constitutes a security risk!
+ *
+ * \deprecated The primes from RFC 5114 are superseded by the primes
+ * from RFC 3526 and RFC 7919 and should no longer be used.
+ * They will be removed in the next major version.
+ */
+
+const char * mbedtls_dhm_rfc5114_modp_2048_p =
+ "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"
+ "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"
+ "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"
+ "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"
+ "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"
+ "B3BF8A317091883681286130BC8985DB1602E714415D9330"
+ "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"
+ "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"
+ "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"
+ "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"
+ "CF9DE5384E71B81C0AC4DFFE0C10E64F";
+const char * mbedtls_dhm_rfc5114_modp_2048_g =
+ "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"
+ "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"
+ "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"
+ "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"
+ "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"
+ "F180EB34118E98D119529A45D6F834566E3025E316A330EF"
+ "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"
+ "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"
+ "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"
+ "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"
+ "81BC087F2A7065B384B890D3191F2BFA";
+
+/*
+ * Diffie-Hellman groups from RFC 3526
+ */
+
+const char * mbedtls_dhm_rfc3526_modp_2048_p =
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+ "15728E5A8AACAA68FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc3526_modp_2048_g = "02";
+
+const char * mbedtls_dhm_rfc3526_modp_3072_p =
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+ "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+ "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+ "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+ "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+ "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc3526_modp_3072_g = "02";
+
+const char * mbedtls_dhm_rfc3526_modp_4096_p =
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
+ "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
+ "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
+ "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
+ "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
+ "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"
+ "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"
+ "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"
+ "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"
+ "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"
+ "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"
+ "FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc3526_modp_4096_g = "02";
 /* Implementation that should never be optimized out by the compiler */
 static void mbedtls_zeroize( void *v, size_t n ) {
 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
From b2bad800e4df444eacd8230d56cc6fb0f32eea82 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 11:49:31 +0100
Subject: [PATCH 071/177] Introduce Diffie-Hellman parameters from RFC 7919
---
 include/mbedtls/dhm.h | 29 +++++++--
 library/dhm.c | 146 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 168 insertions(+), 7 deletions(-)
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index f3ee14f65..c26b5a2d6 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
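Review bot: Each new parameter is defined as `const char * mbedtls_dhm_rfc5114_modp_2048_p = ...`, which makes the string read-only but leaves the pointer itself a writable, externally visible global, so any code in the process can redirect the library's DH modulus or generator by assigning to it, and the pointers are placed in writable data rather than read-only storage. Declare them `const char * const mbedtls_dhm_rfc5114_modp_2048_p = ...` (the change PATCH 074 later in this series makes for all of them) and consider squashing it here so no intermediate revision exports mutable parameter pointers. The RFC 7919 definitions introduced in PATCH 071 have the same shape.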
@@ -47,18 +47,23 @@
 #endif
 /**
- * RFC 3526 defines a number of standardized Diffie-Hellman groups
- * for IKE.
- * RFC 5114 defines a number of standardized Diffie-Hellman groups
- * that can be used.
- *
- * Some are included here for convenience.
+ * RFC 3526, RFC 5114 and RFC 7919 standardize a number of
+ * Diffie-Hellman groups, some of which are included here
+ * for use within the SSL/TLS module and the user's convenience
+ * when configuring the Diffie-Hellman parameters by hand
+ * through \c mbedtls_ssl_conf_dh_param.
 *
 * Included are:
+ * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
 * RFC 3526 3. 2048-bit MODP Group
 * RFC 3526 4. 3072-bit MODP Group
 * RFC 3526 5. 4096-bit MODP Group
- * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup
+ * RFC 7919 A.1 ffdhe2048
+ * RFC 7919 A.2 ffdhe3072
+ * RFC 7919 A.3 ffdhe4096
+ * RFC 7919 A.4 ffdhe6144
+ * RFC 7919 A.5 ffdhe8192
+ *
 * The constants with suffix "_p" denote the chosen prime moduli, while
 * the constants with suffix "_g" denote the chosen generator
 * of the associated prime field.
@@ -81,6 +86,16 @@
 const char *mbedtls_dhm_rfc3526_modp_3072_g;
 const char *mbedtls_dhm_rfc3526_modp_4096_p;
 const char *mbedtls_dhm_rfc3526_modp_4096_g;
+const char *mbedtls_dhm_rfc7919_ffdhe2048_p;
+const char *mbedtls_dhm_rfc7919_ffdhe2048_g;
+const char *mbedtls_dhm_rfc7919_ffdhe3072_p;
+const char *mbedtls_dhm_rfc7919_ffdhe3072_g;
+const char *mbedtls_dhm_rfc7919_ffdhe4096_p;
+const char *mbedtls_dhm_rfc7919_ffdhe4096_g;
+const char *mbedtls_dhm_rfc7919_ffdhe6144_p;
+const char *mbedtls_dhm_rfc7919_ffdhe6144_g;
+const char *mbedtls_dhm_rfc7919_ffdhe8192_p;
+const char *mbedtls_dhm_rfc7919_ffdhe8192_g;
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
 MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p;
diff --git a/library/dhm.c b/library/dhm.c
index 9da33c901..e98148dcd 100644
--- a/library/dhm.c
+++ b/library/dhm.c
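Review bot: The new declarations `const char *mbedtls_dhm_rfc7919_ffdhe2048_p;` and the RFC 3526/5114 lines around them carry no `extern`, so every translation unit that includes dhm.h emits a tentative definition of these objects instead of referring to the ones in library/dhm.c; that only links thanks to common-symbol merging and breaks under `-fno-common`, and in C++ (the header is wrapped in `extern "C"`, which does not introduce tentative definitions) each including unit defines its own object. Write them as `extern const char *mbedtls_dhm_rfc7919_ffdhe2048_p;` and likewise for the rest. PATCH 074's header hunk carries the same omission and, by adding `const`, also turns these uninitialized declarations into ill-formed C++.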
@@ -154,6 +154,152 @@ const char * mbedtls_dhm_rfc3526_modp_4096_p =
 "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"
 "FFFFFFFFFFFFFFFF";
 const char * mbedtls_dhm_rfc3526_modp_4096_g = "02";
+
+/*
+ * Diffie-Hellman groups from RFC 7919
+ */
+
+const char * mbedtls_dhm_rfc7919_ffdhe2048_p =
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
+ "886B423861285C97FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc7919_ffdhe2048_g = "02";
+
+const char * mbedtls_dhm_rfc7919_ffdhe3072_p =
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238"
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C"
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3"
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D"
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF"
+ "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc7919_ffdhe3072_g = "02";
+
+const char * mbedtls_dhm_rfc7919_ffdhe4096_p =
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238"
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C"
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3"
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D"
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF"
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB"
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004"
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832"
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A"
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF"
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A"
+ "FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc7919_ffdhe4096_g = "02";
+
+const char * mbedtls_dhm_rfc7919_ffdhe6144_p =
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238"
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C"
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3"
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D"
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF"
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB"
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004"
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832"
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A"
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF"
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902"
+ "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6"
+ "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A"
+ "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477"
+ "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3"
+ "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4"
+ "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6"
+ "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C"
+ "D72B03746AE77F5E62292C311562A846505DC82DB854338A"
+ "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04"
+ "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1"
+ "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF";
+const char * mbedtls_dhm_rfc7919_ffdhe6144_g = "02";
+
+const char * mbedtls_dhm_rfc7919_ffdhe8192_p =
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935"
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735"
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB"
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19"
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61"
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238"
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C"
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3"
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D"
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF"
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB"
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004"
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832"
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A"
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF"
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902"
+ "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6"
+ "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A"
+ "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477"
+ "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3"
+ "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4"
+ "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6"
+ "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C"
+ "D72B03746AE77F5E62292C311562A846505DC82DB854338A"
+ "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04"
+ "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1"
+ "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838"
+ "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E"
+ "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665"
+ "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282"
+ "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022"
+ "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C"
+ "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9"
+ "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457"
+ "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30"
+ "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D"
+ "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C"
+ "D68C8BB7C5C6424CFFFFFFFF"
+ "FFFFFFFF";
+const char * mbedtls_dhm_rfc7919_ffdhe8192_g = "02";
+
+
 /* Implementation that should never be optimized out by the compiler */
 static void mbedtls_zeroize( void *v, size_t n ) {
 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
From 8c8b0ab8779255ee98e22d885f286b1b890830f0 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 11:49:49 +0100
Subject: [PATCH 072/177] Change default Diffie-Hellman parameters from RFC 5114 to RFC 7919
The origin of the primes in RFC 5114 is undocumented and their use therefore constitutes a security risk.
---
 library/ssl_tls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b388156df..1ef50c244 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7538,8 +7538,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 if( endpoint == MBEDTLS_SSL_IS_SERVER )
 {
 if( ( ret = mbedtls_ssl_conf_dh_param( conf,
- MBEDTLS_DHM_RFC5114_MODP_2048_P,
- MBEDTLS_DHM_RFC5114_MODP_2048_G ) ) != 0 )
+ mbedtls_dhm_rfc7919_ffdhe2048_p,
+ mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 )
 {
 return( ret );
 }
From b1d4d1fa6e59fa8207466cd26203012b5f5b6ff7 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 12:42:59 +0100
Subject: [PATCH 073/177] Add description of how the primes from RFC 3526/7919 were generated
---
 include/mbedtls/dhm.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index c26b5a2d6..57c8acb6c 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
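Review bot: Switching the server-side default to `mbedtls_dhm_rfc7919_ffdhe2048_p` / `_g` changes the p and g a server sends in ServerKeyExchange, which clients that pin or validate the received group against a known list can observe, yet neither the function's documentation nor a ChangeLog entry records it. Add a ChangeLog line and a sentence to the doc comment of `mbedtls_ssl_config_defaults` stating that the default DHM group is now RFC 7919 ffdhe2048 (previously the RFC 5114 2048-bit group). mbedtls_ssl_config_defaults starts and ends outside the hunk.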
@@ -77,6 +77,22 @@
 * \deprecated The primes from RFC 5114 are superseded by the primes
 * from RFC 3526 and RFC 7919 and should no longer be used.
 * They will be removed in the next major revision.
+ *
+ * The primes from RFC 3526 and RFC 7919 have been generating by the following
+ * trust-worthy procedure:
+ * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number
+ * the first and last 64 bits are all 1, and the remaining N - 128 bits of
+ * which are 0x7ff...ff.
+ * - Add the smallest multiple of the first N - 129 bits of the binary expansion
+ * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string
+ * such that the resulting integer is a safe-prime.
+ * - The result is the respective RFC 3526 / 7919 prime, and the corresponding
+ * generator is always chosen to be 2 (which is a square for these prime,
+ * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a
+ * bit in the private exponent).
+ *
+ * The above description can be validated using the
+ * the program programs/util/rfc_3526_7919_verify.
 */
 const char *mbedtls_dhm_rfc3526_modp_2048_p;
From 4c72b000cb19e037622576b7f4de8957d70eced7 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 16:06:22 +0100
Subject: [PATCH 074/177] Add const-qualifiers to prime constants
---
 include/mbedtls/dhm.h | 36 ++++++++++++++++++------------------
 library/dhm.c | 36 ++++++++++++++++++------------------
 2 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index 57c8acb6c..a9185ec08 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
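Review bot: The new paragraph names the wrong RFC for the pi-derived groups: `of pi (for RFC 5236)` should read `of pi (for RFC 3526)`, otherwise readers checking the provenance of the primes are sent to the wrong document. Wording fixes in the same block: `have been generating by` → `have been generated by`, `trust-worthy` → `trustworthy`, `a square for these prime` → `a square modulo these primes`, and `using the the program` → `using the program`. The text also points to `programs/util/rfc_3526_7919_verify`, which none of the visible patches adds; either include that program in the series or hold back the sentence until it exists.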
@@ -95,27 +95,27 @@
 * the program programs/util/rfc_3526_7919_verify.
 */
-const char *mbedtls_dhm_rfc3526_modp_2048_p;
-const char *mbedtls_dhm_rfc3526_modp_2048_g;
-const char *mbedtls_dhm_rfc3526_modp_3072_p;
-const char *mbedtls_dhm_rfc3526_modp_3072_g;
-const char *mbedtls_dhm_rfc3526_modp_4096_p;
-const char *mbedtls_dhm_rfc3526_modp_4096_g;
+const char * const mbedtls_dhm_rfc3526_modp_2048_p;
+const char * const mbedtls_dhm_rfc3526_modp_2048_g;
+const char * const mbedtls_dhm_rfc3526_modp_3072_p;
+const char * const mbedtls_dhm_rfc3526_modp_3072_g;
+const char * const mbedtls_dhm_rfc3526_modp_4096_p;
+const char * const mbedtls_dhm_rfc3526_modp_4096_g;
-const char *mbedtls_dhm_rfc7919_ffdhe2048_p;
-const char *mbedtls_dhm_rfc7919_ffdhe2048_g;
-const char *mbedtls_dhm_rfc7919_ffdhe3072_p;
-const char *mbedtls_dhm_rfc7919_ffdhe3072_g;
-const char *mbedtls_dhm_rfc7919_ffdhe4096_p;
-const char *mbedtls_dhm_rfc7919_ffdhe4096_g;
-const char *mbedtls_dhm_rfc7919_ffdhe6144_p;
-const char *mbedtls_dhm_rfc7919_ffdhe6144_g;
-const char *mbedtls_dhm_rfc7919_ffdhe8192_p;
-const char *mbedtls_dhm_rfc7919_ffdhe8192_g;
+const char * const mbedtls_dhm_rfc7919_ffdhe2048_p;
+const char * const mbedtls_dhm_rfc7919_ffdhe2048_g;
+const char * const mbedtls_dhm_rfc7919_ffdhe3072_p;
+const char * const mbedtls_dhm_rfc7919_ffdhe3072_g;
+const char * const mbedtls_dhm_rfc7919_ffdhe4096_p;
+const char * const mbedtls_dhm_rfc7919_ffdhe4096_g;
+const char * const mbedtls_dhm_rfc7919_ffdhe6144_p;
+const char * const mbedtls_dhm_rfc7919_ffdhe6144_g;
+const char * const mbedtls_dhm_rfc7919_ffdhe8192_p;
+const char * const mbedtls_dhm_rfc7919_ffdhe8192_g;
 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
-MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_p;
-MBEDTLS_DEPRECATED const char *mbedtls_dhm_rfc5114_modp_2048_g;
+MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_p;
+MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_g;
 #endif
 /**
diff --git a/library/dhm.c b/library/dhm.c
index e98148dcd..dbfb6538e 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -68,7 +68,7 @@
 * They will be removed in the next major version.
 */
-const char * mbedtls_dhm_rfc5114_modp_2048_p =
+const char * const mbedtls_dhm_rfc5114_modp_2048_p =
 "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"
 "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"
 "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"
@@ -80,7 +80,7 @@ const char * mbedtls_dhm_rfc5114_modp_2048_p =
 "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"
 "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"
 "CF9DE5384E71B81C0AC4DFFE0C10E64F";
-const char * mbedtls_dhm_rfc5114_modp_2048_g =
+const char * const mbedtls_dhm_rfc5114_modp_2048_g =
 "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"
 "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"
 "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"
@@ -97,7 +97,7 @@ const char * mbedtls_dhm_rfc5114_modp_2048_g =
 * Diffie-Hellman groups from RFC 3526
 */
-const char * mbedtls_dhm_rfc3526_modp_2048_p =
+const char * const mbedtls_dhm_rfc3526_modp_2048_p =
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
@@ -109,9 +109,9 @@ const char * mbedtls_dhm_rfc3526_modp_2048_p =
 "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
 "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
 "15728E5A8AACAA68FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc3526_modp_2048_g = "02";
+const char * const mbedtls_dhm_rfc3526_modp_2048_g = "02";
-const char * mbedtls_dhm_rfc3526_modp_3072_p =
+const char * const mbedtls_dhm_rfc3526_modp_3072_p =
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
@@ -128,9 +128,9 @@ const char * mbedtls_dhm_rfc3526_modp_3072_p =
 "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
 "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
 "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc3526_modp_3072_g = "02";
+const char * const mbedtls_dhm_rfc3526_modp_3072_g = "02";
-const char * mbedtls_dhm_rfc3526_modp_4096_p =
+const char * const mbedtls_dhm_rfc3526_modp_4096_p =
 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
 "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
 "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
@@ -153,13 +153,13 @@ const char * mbedtls_dhm_rfc3526_modp_4096_p =
 "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"
 "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"
 "FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc3526_modp_4096_g = "02";
+const char * const mbedtls_dhm_rfc3526_modp_4096_g = "02";
 /*
 * Diffie-Hellman groups from RFC 7919
 */
-const char * mbedtls_dhm_rfc7919_ffdhe2048_p =
+const char * const mbedtls_dhm_rfc7919_ffdhe2048_p =
 "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
 "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
 "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
@@ -171,9 +171,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe2048_p =
 "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73"
 "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA"
 "886B423861285C97FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc7919_ffdhe2048_g = "02";
+const char * const mbedtls_dhm_rfc7919_ffdhe2048_g = "02";
-const char * mbedtls_dhm_rfc7919_ffdhe3072_p =
+const char * const mbedtls_dhm_rfc7919_ffdhe3072_p =
 "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
 "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
 "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
@@ -190,9 +190,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe3072_p =
 "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D"
 "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF"
 "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc7919_ffdhe3072_g = "02";
+const char * const mbedtls_dhm_rfc7919_ffdhe3072_g = "02";
-const char * mbedtls_dhm_rfc7919_ffdhe4096_p =
+const char * const mbedtls_dhm_rfc7919_ffdhe4096_p =
 "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
 "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
 "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
@@ -215,9 +215,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe4096_p =
 "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF"
 "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A"
 "FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc7919_ffdhe4096_g = "02";
+const char * const mbedtls_dhm_rfc7919_ffdhe4096_g = "02";
-const char * mbedtls_dhm_rfc7919_ffdhe6144_p =
+const char * const mbedtls_dhm_rfc7919_ffdhe6144_p =
 "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
 "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
 "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
@@ -250,9 +250,9 @@ const char * mbedtls_dhm_rfc7919_ffdhe6144_p =
 "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04"
 "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1"
 "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF";
-const char * mbedtls_dhm_rfc7919_ffdhe6144_g = "02";
+const char * const mbedtls_dhm_rfc7919_ffdhe6144_g = "02";
-const char * mbedtls_dhm_rfc7919_ffdhe8192_p =
+const char * const mbedtls_dhm_rfc7919_ffdhe8192_p =
 "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1"
 "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9"
 "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561"
@@ -297,7 +297,7 @@ const char * mbedtls_dhm_rfc7919_ffdhe8192_p =
 "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C"
 "D68C8BB7C5C6424CFFFFFFFF"
 "FFFFFFFF";
-const char * mbedtls_dhm_rfc7919_ffdhe8192_g = "02";
+const char * const mbedtls_dhm_rfc7919_ffdhe8192_g = "02";
 /* Implementation that should never be optimized out by the compiler */
From 13be9901147efcb4c8cf6e52e2caecdb8957f601 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Sep 2017 17:17:30 +0100
Subject: [PATCH 075/177] Correct expectation in DHM test in ssl-opt.sh
The previous test expected a DHM group generator of size 2048 bits, while with the change to RFC 7919, the base is 2, so has bit-size 2.
---
 tests/ssl-opt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 280fc6348..de2058885 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2903,7 +2903,7 @@ run_test "DHM parameters: reference" \
 debug_level=3" \
 0 \
 -c "value of 'DHM: P ' (2048 bits)" \
- -c "value of 'DHM: G ' (2048 bits)"
+ -c "value of 'DHM: G ' (2 bits)"
 run_test "DHM parameters: other parameters" \
 "$P_SRV dhm_file=data_files/dhparams.pem" \
From e764324d96645efe68d6ac76bb46e17dfcd1d533 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 28 Sep 2017 10:32:25 +0100
Subject: [PATCH 076/177] Minor code-improvements in dhm.c
---
 library/dhm.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/library/dhm.c b/library/dhm.c
index dbfb6538e..a29b02992 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -430,10 +430,13 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
 /*
 * export P, G, GX
 */
-#define DHM_MPI_EXPORT(X,n) \
- MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \
- *p++ = (unsigned char)( n >> 8 ); \
- *p++ = (unsigned char)( n ); p += n;
+#define DHM_MPI_EXPORT(X,n) \
+ do { \
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \
+ *p++ = (unsigned char)( n >> 8 ); \
+ *p++ = (unsigned char)( n ); \
+ p += n; \
+ } while( 0 )
 n1 = mbedtls_mpi_size( &ctx->P );
 n2 = mbedtls_mpi_size( &ctx->G );
@@ -444,7 +447,7 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
 DHM_MPI_EXPORT( &ctx->G , n2 );
 DHM_MPI_EXPORT( &ctx->GX, n3 );
- *olen = p - output;
+ *olen = p - output;
 ctx->len = n1;
@@ -643,10 +646,11 @@ cleanup:
 */
 void mbedtls_dhm_free( mbedtls_dhm_context *ctx )
 {
- mbedtls_mpi_free( &ctx->pX); mbedtls_mpi_free( &ctx->Vf ); mbedtls_mpi_free( &ctx->Vi );
- mbedtls_mpi_free( &ctx->RP ); mbedtls_mpi_free( &ctx->K ); mbedtls_mpi_free( &ctx->GY );
- mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X ); mbedtls_mpi_free( &ctx->G );
- mbedtls_mpi_free( &ctx->P );
+ mbedtls_mpi_free( &ctx->pX ); mbedtls_mpi_free( &ctx->Vf );
+ mbedtls_mpi_free( &ctx->Vi ); mbedtls_mpi_free( &ctx->RP );
+ mbedtls_mpi_free( &ctx->K ); mbedtls_mpi_free( &ctx->GY );
+ mbedtls_mpi_free( &ctx->GX ); mbedtls_mpi_free( &ctx->X );
+ mbedtls_mpi_free( &ctx->G ); mbedtls_mpi_free( &ctx->P );
 mbedtls_zeroize( ctx, sizeof( mbedtls_dhm_context ) );
 }
From e764324d96645efe68d6ac76bb46e17dfcd1d533 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 28 Sep 2017 10:33:11 +0100
Subject: [PATCH 077/177] Improve documentation in dhm.h
---
 include/mbedtls/dhm.h | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index a9185ec08..43c49402f 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
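Review bot: `DHM_MPI_EXPORT` now has a `do { ... } while( 0 )` body but still reads and advances the caller's `p` and leaves through the `cleanup` label via `MBEDTLS_MPI_CHK`, none of which is visible at the expansion site; a comment above the macro such as `/* Write X at p as a 2-byte big-endian length followed by n bytes and advance p; relies on the enclosing p and jumps to cleanup on failure */` would make that contract explicit. The arguments `X` and `n` are also still used unparenthesized (PATCH 080 in this series adds the brackets). mbedtls_dhm_make_params starts and ends outside the hunk.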
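Review bot: `mbedtls_dhm_free` still begins with `mbedtls_mpi_free( &ctx->pX )` and so dereferences a NULL `ctx`; if the library's other `_free` routines accept NULL (not visible in this hunk), adding `if( ctx == NULL ) return;` before the first call would bring this one in line with them. The reordering otherwise frees the same ten members before the final `mbedtls_zeroize` of the context.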
@@ -167,7 +167,8 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx );
 * \brief Parse the ServerKeyExchange parameters
 *
 * \param ctx DHM context
- * \param p &(start of input buffer)
+ * \param p &(start of input buffer), will be increased
+ * by the amount of data read.
 * \param end end of buffer
 *
 * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
@@ -186,6 +187,11 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx,
 * \param f_rng RNG function
 * \param p_rng RNG parameter
 *
+ * \note The destination buffer must be large enough to hold
+ * the modulus, the generator, and the public key, each
+ * wrapped with a 2-byte length field. It is the responsibility
+ * of the caller to ensure that enough space is available.
+ *
 * \note This function assumes that ctx->P and ctx->G
 * have already been properly set (for example
 * using mbedtls_mpi_read_string or mbedtls_mpi_read_binary).
@@ -215,10 +221,16 @@ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx,
 * \param ctx DHM context
 * \param x_size private value size in bytes
 * \param output destination buffer
- * \param olen must be at least equal to the size of P, ctx->len
+ * \param olen size of the destination buffer;
+ * must be at least equal to the size of P, ctx->len
 * \param f_rng RNG function
 * \param p_rng RNG parameter
 *
+ * \note The destination buffer will always be fully written
+ * so as to contain a big-endian presentation of G^X mod P.
+ * If it is larger than ctx->len, it will accordingly be
+ * padded with zero-bytes in the beginning.
+ *
 * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code
 */
 int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
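Review bot: The new note on `mbedtls_dhm_make_public` says `a big-endian presentation of G^X mod P`; the term is `representation`, and the same slip recurs as `reduced binary presentation` in PATCH 079's hunk for `mbedtls_dhm_make_params`. Two more in the neighbouring doc hunks: PATCH 077's next hunk reads `must be at at least the size of ctx->len` (drop the second `at`), and PATCH 079 has `Refer to \c mbedtls_mpi_size to computing`, which should be `for computing`.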
@@ -231,7 +243,8 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size,
 *
 * \param ctx DHM context
 * \param output destination buffer
- * \param output_size size of the destination buffer
+ * \param output_size size of the destination buffer, must be at
+ * at least the size of ctx->len
 * \param olen on exit, holds the actual number of bytes written
 * \param f_rng RNG function, for blinding purposes
 * \param p_rng RNG parameter
From a2f6b72cbb83302cdec09da68a492f0702f76b70 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Thu, 28 Sep 2017 10:33:29 +0100
Subject: [PATCH 078/177] Add warnings regarding the use of DHM in general
---
 include/mbedtls/config.h | 21 +++++++++++++++++++++
 include/mbedtls/dhm.h | 23 +++++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 47c719640..b490e33d7 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -618,6 +618,13 @@
 * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
 * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
 * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning The possibility for the use of custom groups
+ * in the use of DHM in TLS constitutes a security
+ * risk. If possible, it is recommended to use
+ * EC-based key exchanges instead. See the documentation
+ * at the top of dhm.h for more information.
+ *
 */
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -717,6 +724,13 @@
 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
 * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+ *
+ * \warning The possibility for the use of custom groups
+ * in the use of DHM in TLS constitutes a security
+ * risk. If possible, it is recommended to use
+ * EC-based key exchanges instead. See the documentation
+ * at the top of dhm.h for more information.
+ *
 */
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
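Review bot: The `\warning` block is pasted verbatim into three config.h entries (DHE_PSK here, DHE_RSA in the following hunk and MBEDTLS_DHM_C in the one after), so any later correction has to be made three times; keep the full text on `MBEDTLS_DHM_C` and let the two key-exchange entries say `\warning See the warning on MBEDTLS_DHM_C and at the top of dhm.h.`. The phrase `The possibility for the use of custom groups in the use of DHM in TLS` also reads awkwardly; `The possibility of using custom groups with DHM in TLS` says the same thing.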
@@ -1835,6 +1849,13 @@ * * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK + * + * \warning The possibility for the use of custom groups + * in the use of DHM in TLS constitutes a security + * risk. If possible, it is recommended to use + * EC-based key exchanges instead. See the documentation + * at the top of dhm.h for more information. + * */ #define MBEDTLS_DHM_C diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 43c49402f..542592d85 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -19,6 +19,29 @@ * limitations under the License. * * This file is part of mbed TLS (https://tls.mbed.org) + * + * \warning The security of the DHM key exchange relies on the proper choice + * of prime modulus - optimally, it should be a safe prime. The usage + * of non-safe primes both decreases the difficulty of the underlying + * discrete logarithm problem and can lead to small subgroup attacks + * leaking private exponent bits when invalid public keys are used + * and not detected. This is especially relevant if the same DHM parameters + * are reused for multiple key exchanges as in static DHM, while the + * criticality of small-subgroup attacks is lower for ephemeral DHM. + * + * For performance reasons, the code does neither perform primality + * nor safe primality tests, nor the expensive checks for invalid + * subgroups. + * + * The possibility for the use of custom, non-safe primes in DHM + * is a deficiency in the TLS protocol that has been adressed only + * recently through the addition of the named group extension from + * RFC 7919, which however is not yet implemented in Mbed TLS. + * + * If possible, we recommend to use elliptic curve based key + * exchanges instead of DHM-based ones, because the former only + * accepts standardized groups. + * */ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H From 70da2c545b239c710a5f30893402a4f4c051af13 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Mon, 2 Oct 2017 15:02:59 +0100 Subject: [PATCH 079/177] Improve documentation of `mbedtls_dhm_make_params` --- include/mbedtls/dhm.h | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 542592d85..9254d953a 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -211,9 +211,11 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, * \param p_rng RNG parameter * * \note The destination buffer must be large enough to hold - * the modulus, the generator, and the public key, each - * wrapped with a 2-byte length field. It is the responsibility - * of the caller to ensure that enough space is available. + * the reduced binary presentation of the modulus, the generator + * and the public key, each wrapped with a 2-byte length field. + * It is the responsibility of the caller to ensure that enough + * space is available. Refer to \c mbedtls_mpi_size to computing + * the byte-size of an MPI. * * \note This function assumes that ctx->P and ctx->G * have already been properly set (for example From de6c1644cc68e34bf0ccf1161f0cf0e74853434d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:03:15 +0100 Subject: [PATCH 080/177] Add brackets around arguments of internal macro DHM_MPI_EXPORT --- library/dhm.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/library/dhm.c b/library/dhm.c index a29b02992..344b92cb5 100644 --- a/library/dhm.c +++ b/library/dhm.c 
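Review bot: `Refer to \c mbedtls_mpi_size to computing the byte-size of an MPI.` is ungrammatical; `Refer to \c mbedtls_mpi_size for computing the byte-size of an MPI.` reads correctly. Because the note already makes buffer sizing the caller's job, giving the bound outright would be more useful, e.g. `the sum of mbedtls_mpi_size() of P, G and the public key, plus 2 bytes for each length field`; the export macro in dhm.c (PATCH 080) does take the first length from mbedtls_mpi_size( &ctx->P ), but the other two are not visible here, so confirm the formula against the implementation before documenting it. The parameter list of the function documented here sits outside this hunk.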
@@ -430,12 +430,14 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size,
 /*
 * export P, G, GX
 */
-#define DHM_MPI_EXPORT(X,n) \
+#define DHM_MPI_EXPORT( X, n ) \
 do { \
- MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( X, p + 2, n ) ); \
- *p++ = (unsigned char)( n >> 8 ); \
- *p++ = (unsigned char)( n ); \
- p += n; \
+ MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( ( X ), \
+ p + 2, \
+ ( n ) ) ); \
+ *p++ = (unsigned char)( ( n ) >> 8 ); \
+ *p++ = (unsigned char)( ( n ) ); \
+ p += ( n ); \
 } while( 0 )
 
 n1 = mbedtls_mpi_size( &ctx->P );
From f8258e7d5a50b61e2d525b4a62d056e665dbe320 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 2 Oct 2017 15:04:40 +0100
Subject: [PATCH 081/177] Adapt documentation of `mbedtls_ssl_conf_dh_param` to new moduli
---
 include/mbedtls/ssl.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index cc0007006..fb2f02f0e 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1702,7 +1702,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
 /**
 * \brief Set the Diffie-Hellman public P and G values,
 * read as hexadecimal strings (server-side only)
- * (Default: MBEDTLS_DHM_RFC5114_MODP_2048_[PG])
+ * (Default: mbedtls_dhm_rfc7919_ffdhe2048_[pg])
 *
 * \param conf SSL configuration
 * \param dhm_P Diffie-Hellman-Merkle modulus
@@ -1710,7 +1710,9 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
 *
 * \return 0 if successful
 */
-int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G );
+int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
+ const char *dhm_P,
+ const char *dhm_G );
 
 /**
 * \brief Set the Diffie-Hellman public P and G values,
From d4d856265ec2c486a3dc83238934c11a77d239b9 Mon Sep 17 00:00:00 2001
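Review bot: The parenthesisation removes precedence surprises, but `n` is still expanded four times inside DHM_MPI_EXPORT, so an argument with side effects would be evaluated repeatedly; since the macro is file-internal, a one-line comment above it is the cheapest guard: `/* X and n are each evaluated more than once: pass only side-effect-free expressions */`. The macro also writes at `p + 2` and advances `p` without any comparison against the end of the caller's buffer, which matches the header's note (PATCH 079) that sizing is the caller's responsibility, but that assumption deserves a second comment here because an undersized buffer becomes a silent overflow at this point. It presumably relies on `ret` and the `cleanup` label of the enclosing mbedtls_dhm_make_params through MBEDTLS_MPI_CHK; the enclosing function starts and ends outside this hunk.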
From: Hanno Becker Date: Mon, 2 Oct 2017 15:06:27 +0100 Subject: [PATCH 082/177] Don't use deprecated macro form of DHM moduli in benchmark program --- programs/test/benchmark.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index eb578e730..9c6d46271 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -668,12 +668,12 @@ int main( int argc, char *argv[] ) { int dhm_sizes[] = { 2048, 3072 }; const char *dhm_P[] = { - MBEDTLS_DHM_RFC3526_MODP_2048_P, - MBEDTLS_DHM_RFC3526_MODP_3072_P, + mbedtls_dhm_rfc3526_modp_2048_p, + mbedtls_dhm_rfc3526_modp_3072_p, }; const char *dhm_G[] = { - MBEDTLS_DHM_RFC3526_MODP_2048_G, - MBEDTLS_DHM_RFC3526_MODP_3072_G, + mbedtls_dhm_rfc3526_modp_2048_g, + mbedtls_dhm_rfc3526_modp_3072_g, }; mbedtls_dhm_context dhm; From f240ea0b50c16dcae781c23294eba2468fdd59c2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 2 Oct 2017 15:09:14 +0100 Subject: [PATCH 083/177] Expand documentation of `mbedtls_dhm_read_params` --- include/mbedtls/dhm.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 9254d953a..ed39f8db4 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -190,8 +190,13 @@ void mbedtls_dhm_init( mbedtls_dhm_context *ctx ); * \brief Parse the ServerKeyExchange parameters * * \param ctx DHM context - * \param p &(start of input buffer), will be increased - * by the amount of data read. + * \param p On input, *p must be the start of the input buffer. + * On output, *p is updated to point to the end of the data + * that has been read. On success, this is the first byte + * past the end of the ServerKeyExchange parameters. + * On error, this is the point at which an error has been + * detected, which is usually not useful except to debug + * failures. * \param end end of buffer * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code 
From f9734b35b53fd9707ed3c44925f06068a2c442b6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 3 Oct 2017 12:09:22 +0100 Subject: [PATCH 084/177] Change wording of warnings --- include/mbedtls/config.h | 30 +++++++++++++++--------------- include/mbedtls/dhm.h | 22 ++++++++++------------ 2 files changed, 25 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b490e33d7..cff9391ea 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -619,11 +619,11 @@ * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED @@ -725,11 +725,11 @@ * MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA * MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 
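Review bot: The new \warning text in both hunks on this line, and the identical block for MBEDTLS_DHM_C on the next line, stacks three hedges in `it is recommended users should consider preferring`, which weakens a security warning; `If possible, prefer other methods of key exchange.` says the same thing. The opening sentence, `Using DHE constitutes a security risk as it is not possible to validate custom DH parameters`, reads as if every DHE use were unsafe, whereas the justification given in dhm.h's header (the last hunk of this patch) is that non-standardized parameters cannot be validated; if that is the intended claim, `Using DHE with custom (non-standardized) DH parameters constitutes a security risk, as the library cannot validate them` keeps the warning and its reasoning aligned. The dhm.h hunk repeats the same `recommended users should consider preferring` phrase and could take the same shortening.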
@@ -1850,11 +1850,11 @@ * This module is used by the following key exchanges: * DHE-RSA, DHE-PSK * - * \warning The possibility for the use of custom groups - * in the use of DHM in TLS constitutes a security - * risk. If possible, it is recommended to use - * EC-based key exchanges instead. See the documentation - * at the top of dhm.h for more information. + * \warning Using DHE constitutes a security risk as it + * is not possible to validate custom DH parameters. + * If possible, it is recommended users should consider + * preferring other methods of key exchange. + * See dhm.h for more details. * */ #define MBEDTLS_DHM_C diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index ed39f8db4..9ef814650 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h 
@@ -25,22 +25,20 @@ * of non-safe primes both decreases the difficulty of the underlying * discrete logarithm problem and can lead to small subgroup attacks * leaking private exponent bits when invalid public keys are used - * and not detected. This is especially relevant if the same DHM parameters - * are reused for multiple key exchanges as in static DHM, while the - * criticality of small-subgroup attacks is lower for ephemeral DHM. + * and not detected. This is especially relevant if the same DHM + * parameters are reused for multiple key exchanges as in static DHM, + * while the criticality of small-subgroup attacks is lower for + * ephemeral DHM. * * For performance reasons, the code does neither perform primality * nor safe primality tests, nor the expensive checks for invalid - * subgroups. + * subgroups. Moreover, even if these were performed, non-standardized + * primes cannot be trusted because of the possibility of backdoors + * that can't be effectively checked for. * - * The possibility for the use of custom, non-safe primes in DHM - * is a deficiency in the TLS protocol that has been adressed only - * recently through the addition of the named group extension from - * RFC 7919, which however is not yet implemented in Mbed TLS. - * - * If possible, we recommend to use elliptic curve based key - * exchanges instead of DHM-based ones, because the former only - * accepts standardized groups. + * We therefore consider DHE a security risk. If possible, it is + * recommended users should consider preferring other methods of + * key exchange. * */ #ifndef MBEDTLS_DHM_H From e2fcfa84ea2fe8453adb26cbf32261dc4683d0f7 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 4 Oct 2017 13:12:15 +0100 Subject: [PATCH 085/177] Stick to the use of constant-macros This commit returns to using constant macros instead of global variables for the DHM group constants. Further, macros providing the binary encoding of the primes from RFC 3526 and RFC 7919 are added. The hex-string macros are deprecated. --- include/mbedtls/dhm.h | 812 +++++++++++++++++++++++++++++++++++++----- library/dhm.c | 243 ------------- 2 files changed, 717 insertions(+), 338 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 9ef814650..c105d7a78 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h 
@@ -58,101 +58,7 @@ #define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ - -#if ! defined(MBEDTLS_DEPRECATED_REMOVED) -#if defined(MBEDTLS_DEPRECATED_WARNING) -#define MBEDTLS_DEPRECATED __attribute__((deprecated)) -#else -#define MBEDTLS_DEPRECATED -#endif -#endif - -/** - * RFC 3526, RFC 5114 and RFC 7919 standardize a number of - * Diffie-Hellman groups, some of which are included here - * for use within the SSL/TLS module and the user's convenience - * when configuring the Diffie-Hellman parameters by hand - * through \c mbedtls_ssl_conf_dh_param. - * - * Included are: - * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup - * RFC 3526 3. 2048-bit MODP Group - * RFC 3526 4. 3072-bit MODP Group - * RFC 3526 5. 4096-bit MODP Group - * RFC 7919 A.1 ffdhe2048 - * RFC 7919 A.2 ffdhe3072 - * RFC 7919 A.3 ffdhe4096 - * RFC 7919 A.4 ffdhe6144 - * RFC 7919 A.5 ffdhe8192 - * - * The constants with suffix "_p" denote the chosen prime moduli, while - * the constants with suffix "_g" denote the chosen generator - * of the associated prime field. - * - * All constants are represented as null-terminated strings containing the - * hexadecimal presentation of the respective numbers. - * - * \warning The origin of the primes in RFC 5114 is not documented and - * their use therefore constitutes a security risk! - * - * \deprecated The primes from RFC 5114 are superseded by the primes - * from RFC 3526 and RFC 7919 and should no longer be used. - * They will be removed in the next major revision. 
- * - * The primes from RFC 3526 and RFC 7919 have been generating by the following - * trust-worthy procedure: - * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number - * the first and last 64 bits are all 1, and the remaining N - 128 bits of - * which are 0x7ff...ff. - * - Add the smallest multiple of the first N - 129 bits of the binary expansion - * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string - * such that the resulting integer is a safe-prime. - * - The result is the respective RFC 3526 / 7919 prime, and the corresponding - * generator is always chosen to be 2 (which is a square for these prime, - * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a - * bit in the private exponent). - * - * The above description can be validated using the - * the program programs/util/rfc_3526_7919_verify. - */ - -const char * const mbedtls_dhm_rfc3526_modp_2048_p; -const char * const mbedtls_dhm_rfc3526_modp_2048_g; -const char * const mbedtls_dhm_rfc3526_modp_3072_p; -const char * const mbedtls_dhm_rfc3526_modp_3072_g; -const char * const mbedtls_dhm_rfc3526_modp_4096_p; -const char * const mbedtls_dhm_rfc3526_modp_4096_g; - -const char * const mbedtls_dhm_rfc7919_ffdhe2048_p; -const char * const mbedtls_dhm_rfc7919_ffdhe2048_g; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_p; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_g; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_p; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_g; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_p; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_g; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_p; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_g; - -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_p; -MBEDTLS_DEPRECATED const char * const mbedtls_dhm_rfc5114_modp_2048_g; -#endif - -/** - * \deprecated These macros are superseded by direct access 
to the corresponding - * global variables and will be removed in the next major revision. - */ -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -#define MBEDTLS_DHM_RFC5114_MODP_2048_P mbedtls_dhm_rfc5114_modp_2048_p -#define MBEDTLS_DHM_RFC5114_MODP_2048_G mbedtls_dhm_rfc5114_modp_2048_g -#define MBEDTLS_DHM_RFC3526_MODP_2048_P mbedtls_dhm_rfc3526_modp_2048_p -#define MBEDTLS_DHM_RFC3526_MODP_2048_G mbedtls_dhm_rfc3526_modp_2048_g -#define MBEDTLS_DHM_RFC3526_MODP_3072_P mbedtls_dhm_rfc3526_modp_3072_p -#define MBEDTLS_DHM_RFC3526_MODP_3072_G mbedtls_dhm_rfc3526_modp_3072_g -#define MBEDTLS_DHM_RFC3526_MODP_4096_P mbedtls_dhm_rfc3526_modp_4096_p -#define MBEDTLS_DHM_RFC3526_MODP_4096_G mbedtls_dhm_rfc3526_modp_4096_g -#endif +#define MBEDTLS_ERR_DHM_SET_GROUP_FAILED -0x3500 /**< Setting the modulus and generator failed. */ #ifdef __cplusplus extern "C" { 
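Review bot: The declarations removed here (`mbedtls_dhm_rfc3526_modp_2048_p` and its siblings) are exactly the names that PATCH 081 put into the mbedtls_ssl_conf_dh_param documentation in ssl.h and PATCH 082 put into programs/test/benchmark.c, yet this patch's diffstat touches only dhm.h and dhm.c, so unless a later patch in the series updates them, benchmark.c no longer compiles and the ssl.h default is described by a symbol that no longer exists. The replacement macros are restored in the second hunk of this file (`@@ -337,4 +243,720 @@`, which runs past this excerpt), but there the RFC 5114 modulus is spelled `MBEDTLS_DHM_RFC5114_MODP_P`, dropping the `2048` that the `#define MBEDTLS_DHM_RFC5114_MODP_2048_P` deleted here, its `_2048_G` counterpart and the old ssl.h reference all carry; it should read `#define MBEDTLS_DHM_RFC5114_MODP_2048_P \`. That hunk also defines `MBEDTLS_DEPRECATED` only under `MBEDTLS_DEPRECATED_WARNING`, whereas the block removed here defined it as empty in the other case too, so it is worth confirming that no remaining use of `MBEDTLS_DEPRECATED` in dhm.h is left undefined. The moved comment block in the same hunk also carries over `(for RFC 5236)` where RFC 3526 is meant, and the deprecation note for the RFC 3526 hex constants says `RFC 3625`.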
@@ -337,4 +243,720 @@ int mbedtls_dhm_self_test( int verbose ); } #endif +/** + * RFC 3526, RFC 5114 and RFC 7919 standardize a number of + * Diffie-Hellman groups, some of which are included here + * for use within the SSL/TLS module and the user's convenience + * when configuring the Diffie-Hellman parameters by hand + * through \c mbedtls_ssl_conf_dh_param. + * + * Included are: + * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * RFC 3526 3. 2048-bit MODP Group + * RFC 3526 4. 3072-bit MODP Group + * RFC 3526 5. 4096-bit MODP Group + * RFC 7919 A.1 ffdhe2048 + * RFC 7919 A.2 ffdhe3072 + * RFC 7919 A.3 ffdhe4096 + * RFC 7919 A.4 ffdhe6144 + * RFC 7919 A.5 ffdhe8192 + * + * The constants with suffix "_p" denote the chosen prime moduli, while + * the constants with suffix "_g" denote the chosen generator + * of the associated prime field. + * + * The constants further suffixed with "_bin" are provided in binary format, + * while all other constants represent null-terminated strings holding the + * hexadecimal presentation of the respective numbers. + * + * The primes from RFC 3526 and RFC 7919 have been generating by the following + * trust-worthy procedure: + * - Fix N in { 2048, 3072, 4096, 6144, 8192 } and consider the N-bit number + * the first and last 64 bits are all 1, and the remaining N - 128 bits of + * which are 0x7ff...ff. + * - Add the smallest multiple of the first N - 129 bits of the binary expansion + * of pi (for RFC 5236) or e (for RFC 7919) to this intermediate bit-string + * such that the resulting integer is a safe-prime. + * - The result is the respective RFC 3526 / 7919 prime, and the corresponding + * generator is always chosen to be 2 (which is a square for these prime, + * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a + * bit in the private exponent). + * + * The above description can be validated using the + * the program programs/util/rfc_3526_7919_verify. 
+ */ + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; +#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \ + ( (deprecated_constant_t) ( VAL ) ) +#else +#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL +#endif /* ! MBEDTLS_DEPRECATED_WARNING */ + +/** + * \warning The origin of the primes in RFC 5114 is not documented and + * their use therefore constitutes a security risk! + * + * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are + * likely to be removed in a future version of the library without + * replacement. + */ + +#define MBEDTLS_DHM_RFC5114_MODP_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \ + "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \ + "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \ + "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \ + "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \ + "B3BF8A317091883681286130BC8985DB1602E714415D9330" \ + "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \ + "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \ + "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \ + "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \ + "CF9DE5384E71B81C0AC4DFFE0C10E64F" ) + +#define MBEDTLS_DHM_RFC5114_MODP_2048_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" \ + "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" \ + "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" \ + "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" \ + "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" \ + "F180EB34118E98D119529A45D6F834566E3025E316A330EF" \ + "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" \ + "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" \ + "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" \ + 
"EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" \ + "81BC087F2A7065B384B890D3191F2BFA" ) + +/** + * \deprecated The hex-encoded primes from RFC 3625 are deprecated and + * superseded by the corresponding macros providing them as + * binary constants. Their hex-encoded constants are likely + * to be removed in a future version of the library. + * + */ + +#define MBEDTLS_DHM_RFC3526_MODP_2048_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AACAA68FFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_2048_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#define MBEDTLS_DHM_RFC3526_MODP_3072_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + 
"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_3072_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#define MBEDTLS_DHM_RFC3526_MODP_4096_P \ + MBEDTLS_DEPRECATED_STRING_CONSTANT( \ + "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ + "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ + "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \ + "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \ + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \ + "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \ + "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \ + "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \ + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \ + "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ + "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \ + "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \ + "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \ + "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \ + "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ + "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \ + "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \ + "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \ + "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \ + "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \ + "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ + "FFFFFFFFFFFFFFFF" ) + +#define MBEDTLS_DHM_RFC3526_MODP_4096_G \ + MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + +#endif /* MBEDTLS_DEPRECATED_REMOVED */ + +/* + * Trustworthy DHM parameters in binary form + */ + +#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 
0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 
0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \ + 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \ + 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \ + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \ + 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \ + 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \ + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, \ + 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \ + 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \ + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \ + 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \ + 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \ + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \ + 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \ + 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \ + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \ + 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define 
MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC3526_MODP_4096_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, \ + 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, \ + 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, \ + 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, \ + 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, \ + 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, \ + 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, \ + 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, \ + 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, \ + 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, \ + 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, \ + 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, \ + 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, \ + 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, \ + 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, \ + 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, \ + 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, \ + 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, \ + 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, \ + 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, \ + 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, \ + 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, \ + 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, \ + 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, \ + 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, \ + 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, \ + 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, \ + 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, \ + 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, \ + 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, \ + 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, \ + 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, \ + 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, \ + 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, \ + 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, \ + 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 
0x09, 0x33, 0xD7, \ + 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, \ + 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, \ + 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, \ + 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, \ + 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, \ + 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, \ + 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, \ + 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, \ + 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, \ + 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, \ + 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, \ + 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, \ + 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, \ + 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, \ + 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, \ + 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, \ + 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, \ + 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, \ + 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, \ + 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, \ + 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, \ + 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, \ + 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, \ + 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, \ + 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, \ + 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC3526_MODP_4096_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 
0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, } + +#define MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE3072_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 
0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0xC6, 0x2E, 0x37, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE3072_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE4096_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 
0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 
0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE4096_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE6144_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 
0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, 
\ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \ + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \ + 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \ + 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \ + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \ + 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \ + 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \ + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \ + 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \ + 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \ + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \ + 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \ + 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \ + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \ + 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \ + 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \ + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \ + 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \ + 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \ + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \ + 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \ + 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \ + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \ + 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \ + 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \ + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \ + 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \ + 0xEC, 0x9D, 0x18, 
0x10, 0xC6, 0x27, 0x2B, 0x04, \ + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \ + 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \ + 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \ + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \ + 0xA4, 0x0E, 0x32, 0x9C, 0xD0, 0xE4, 0x0E, 0x65, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE6144_G_BIN { 0x02 } + +#define MBEDTLS_DHM_RFC7919_FFDHE8192_P_BIN { \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \ + 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, \ + 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1, \ + 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, \ + 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, \ + 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, \ + 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, \ + 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A, \ + 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61, \ + 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, \ + 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, \ + 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, \ + 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, \ + 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72, \ + 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, \ + 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, \ + 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, \ + 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB, \ + 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, \ + 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, \ + 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, \ + 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, \ + 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC, \ + 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61, \ + 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, \ + 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, \ + 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, \ + 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, \ + 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2, \ + 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 
0xEF, 0xFA, \ + 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, \ + 0xDE, 0x35, 0x5B, 0x3B, 0x65, 0x19, 0x03, 0x5B, \ + 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38, \ + 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, \ + 0x7A, 0xD9, 0x1D, 0x26, 0x91, 0xF7, 0xF7, 0xEE, \ + 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C, \ + 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, \ + 0xB4, 0x13, 0x0C, 0x93, 0xBC, 0x43, 0x79, 0x44, \ + 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3, \ + 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, \ + 0x5C, 0xAE, 0x82, 0xAB, 0x9C, 0x9D, 0xF6, 0x9E, \ + 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D, \ + 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, \ + 0x1D, 0xBF, 0x9A, 0x42, 0xD5, 0xC4, 0x48, 0x4E, \ + 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF, \ + 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, \ + 0x25, 0xE4, 0x1D, 0x2B, 0x66, 0x9E, 0x1E, 0xF1, \ + 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB, \ + 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, \ + 0xAC, 0x7D, 0x5F, 0x42, 0xD6, 0x9F, 0x6D, 0x18, \ + 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04, \ + 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, \ + 0x71, 0x35, 0xC8, 0x86, 0xEF, 0xB4, 0x31, 0x8A, \ + 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32, \ + 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, \ + 0x6D, 0xC7, 0x78, 0xF9, 0x71, 0xAD, 0x00, 0x38, \ + 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A, \ + 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, \ + 0x2A, 0x4E, 0xCE, 0xA9, 0xF9, 0x8D, 0x0A, 0xCC, \ + 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF, \ + 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, \ + 0x4D, 0xB5, 0xA8, 0x51, 0xF4, 0x41, 0x82, 0xE1, \ + 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02, \ + 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, \ + 0x4E, 0x67, 0x7D, 0x2C, 0x38, 0x53, 0x2A, 0x3A, \ + 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6, \ + 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, \ + 0x91, 0x7B, 0xDD, 0x64, 0xB1, 0xC0, 0xFD, 0x4C, \ + 0xB3, 
0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A, \ + 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, \ + 0x9B, 0x1F, 0x5C, 0x3E, 0x4E, 0x46, 0x04, 0x1F, \ + 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77, \ + 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, \ + 0xB8, 0x55, 0x32, 0x2E, 0xDB, 0x63, 0x40, 0xD8, \ + 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3, \ + 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, \ + 0x7F, 0xB2, 0x9F, 0x8C, 0x18, 0x30, 0x23, 0xC3, \ + 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4, \ + 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, \ + 0x94, 0xC6, 0x65, 0x1E, 0x77, 0xCA, 0xF9, 0x92, \ + 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6, \ + 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, \ + 0x0A, 0xE8, 0xDB, 0x58, 0x47, 0xA6, 0x7C, 0xBE, \ + 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C, \ + 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, \ + 0x62, 0x29, 0x2C, 0x31, 0x15, 0x62, 0xA8, 0x46, \ + 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A, \ + 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, \ + 0x8C, 0xCF, 0x2D, 0xD5, 0xCA, 0xCE, 0xF4, 0x03, \ + 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04, \ + 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, \ + 0x3F, 0xDD, 0x4A, 0x8E, 0x9A, 0xDB, 0x1E, 0x69, \ + 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1, \ + 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, \ + 0xA4, 0x0E, 0x32, 0x9C, 0xCF, 0xF4, 0x6A, 0xAA, \ + 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38, \ + 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, \ + 0xFD, 0xB2, 0x3F, 0xCE, 0xC9, 0x50, 0x9D, 0x43, \ + 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E, \ + 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, \ + 0x86, 0xB6, 0x31, 0x42, 0xA3, 0xAB, 0x88, 0x29, \ + 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65, \ + 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, \ + 0x29, 0x38, 0x88, 0x39, 0xD2, 0xAF, 0x05, 0xE4, \ + 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82, \ + 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, \ + 0x59, 0x16, 0x0C, 0xC0, 0x46, 
0xFD, 0x82, 0x51, \ + 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22, \ + 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, \ + 0x51, 0xA8, 0xA9, 0x31, 0x09, 0x70, 0x3F, 0xEE, \ + 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C, \ + 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, \ + 0x99, 0xE9, 0xE3, 0x16, 0x50, 0xC1, 0x21, 0x7B, \ + 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9, \ + 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, \ + 0xA1, 0xFE, 0x30, 0x75, 0xA5, 0x77, 0xE2, 0x31, \ + 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57, \ + 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, \ + 0xB6, 0x85, 0x5D, 0xFE, 0x72, 0xB0, 0xA6, 0x6E, \ + 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30, \ + 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, \ + 0x2F, 0x74, 0x1E, 0xF8, 0xC1, 0xFE, 0x86, 0xFE, \ + 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D, \ + 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, \ + 0x08, 0x22, 0xE5, 0x06, 0xA9, 0xF4, 0x61, 0x4E, \ + 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C, \ + 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, \ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF } + +#define MBEDTLS_DHM_RFC7919_FFDHE8192_G_BIN { 0x02 } + #endif /* dhm.h */ diff --git a/library/dhm.c b/library/dhm.c index 344b92cb5..8d9f66386 100644 --- a/library/dhm.c +++ b/library/dhm.c 
@@ -57,249 +57,6 @@ #define mbedtls_free free #endif -/* - * Diffie-Hellman groups from RFC 5114 - * - * \warning The origin of the primes in RFC 5114 is not documented and - * their use therefore constitutes a security risk! - * - * \deprecated The primes from RFC 5114 are superseded by the primes - * from RFC 3526 and RFC 7919 and should no longer be used. - * They will be removed in the next major version. - */ - -const char * const mbedtls_dhm_rfc5114_modp_2048_p = - "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" - "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" - "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" - "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" - "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" - "B3BF8A317091883681286130BC8985DB1602E714415D9330" - "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" - "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" - "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" - "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" - "CF9DE5384E71B81C0AC4DFFE0C10E64F"; -const char * const mbedtls_dhm_rfc5114_modp_2048_g = - "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" - "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" - "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" - "C17669101999024AF4D027275AC1348BB8A762D0521BC98A" - "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" - "F180EB34118E98D119529A45D6F834566E3025E316A330EF" - "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" - "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" - "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" - "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" - "81BC087F2A7065B384B890D3191F2BFA"; - -/* - * Diffie-Hellman groups from RFC 3526 - */ - -const char * const mbedtls_dhm_rfc3526_modp_2048_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - 
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AACAA68FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_2048_g = "02"; - -const char * const mbedtls_dhm_rfc3526_modp_3072_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_3072_g = "02"; - -const char * const mbedtls_dhm_rfc3526_modp_4096_p = - "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - 
"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" - "FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc3526_modp_4096_g = "02"; - -/* - * Diffie-Hellman groups from RFC 7919 - */ - -const char * const mbedtls_dhm_rfc7919_ffdhe2048_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B423861285C97FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe2048_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe3072_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - 
"886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe3072_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe4096_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" - "FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe4096_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe6144_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - 
"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" - "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe6144_g = "02"; - -const char * const mbedtls_dhm_rfc7919_ffdhe8192_p = - "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" - "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" - "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" - "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" - "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" - "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" - "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" - "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" - 
"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" - "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" - "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" - "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" - "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" - "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" - "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" - "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" - "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" - "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" - "A907600A918130C46DC778F971AD0038092999A333CB8B7A" - "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" - "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" - "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" - "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" - "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" - "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" - "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" - "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" - "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" - "D72B03746AE77F5E62292C311562A846505DC82DB854338A" - "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" - "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" - "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" - "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" - "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" - "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" - "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" - "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" - "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" - "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" - "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" - "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" - "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" - "D68C8BB7C5C6424CFFFFFFFF" - "FFFFFFFF"; -const char * const mbedtls_dhm_rfc7919_ffdhe8192_g = "02"; - - /* Implementation that should never be optimized out by the compiler */ static void 
mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From b953921a4e1af098aabbf748a13f7f2f731280ca Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:13:34 +0100 Subject: [PATCH 086/177] Adapt benchmark application to naming and binary format --- programs/test/benchmark.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 9c6d46271..5361a5c8a 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -667,14 +667,22 @@ int main( int argc, char *argv[] ) if( todo.dhm ) { int dhm_sizes[] = { 2048, 3072 }; - const char *dhm_P[] = { - mbedtls_dhm_rfc3526_modp_2048_p, - mbedtls_dhm_rfc3526_modp_3072_p, - }; - const char *dhm_G[] = { - mbedtls_dhm_rfc3526_modp_2048_g, - mbedtls_dhm_rfc3526_modp_3072_g, - }; + const unsigned char dhm_P_2048[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_P_3072[] = + MBEDTLS_DHM_RFC3526_MODP_3072_P_BIN; + const unsigned char dhm_G_2048[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + const unsigned char dhm_G_3072[] = + MBEDTLS_DHM_RFC3526_MODP_3072_G_BIN; + + const unsigned char *dhm_P[] = { dhm_P_2048, dhm_P_3072 }; + const size_t dhm_P_size[] = { sizeof( dhm_P_2048 ), + sizeof( dhm_P_3072 ) }; + + const unsigned char *dhm_G[] = { dhm_G_2048, dhm_G_3072 }; + const size_t dhm_G_size[] = { sizeof( dhm_G_2048 ), + sizeof( dhm_G_3072 ) }; mbedtls_dhm_context dhm; size_t olen; @@ -682,8 +690,10 @@ int main( int argc, char *argv[] ) { mbedtls_dhm_init( &dhm ); - if( mbedtls_mpi_read_string( &dhm.P, 16, dhm_P[i] ) != 0 || - mbedtls_mpi_read_string( &dhm.G, 16, dhm_G[i] ) != 0 ) + if( mbedtls_mpi_read_binary( &dhm.P, dhm_P[i], + dhm_P_size[i] ) != 0 || + mbedtls_mpi_read_binary( &dhm.G, dhm_G[i], + dhm_G_size[i] ) != 0 ) { mbedtls_exit( 1 ); } From 00d0a6834ae81c5eea7989a56e8611225884f5c3 Mon Sep 17 00:00:00 2001 
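Review bot: The four `dhm_P_2048`, `dhm_P_3072`, `dhm_G_2048` and `dhm_G_3072` arrays in the `@@ -667,14 +667,22 @@` hunk are automatic `const unsigned char[]` objects inside the `if( todo.dhm )` block of `main`, so the 2048- and 3072-bit prime tables are copied onto the stack each time the block is entered instead of living in read-only data; `static const unsigned char dhm_P_2048[] = MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;` (and likewise for the other three) keeps them in rodata, which also spares the stack on the constrained targets this benchmark is run on. The `dhm_P`/`dhm_G` pointer arrays and the `sizeof`-derived size arrays are fine as written. The loop that consumes these arrays continues outside the hunk.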
From: Hanno Becker Date: Wed, 4 Oct 2017 13:14:29 +0100 Subject: [PATCH 087/177] Adapt code setting default DHM parameters --- library/ssl_tls.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1ef50c244..f233e0a87 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7537,9 +7537,15 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) if( endpoint == MBEDTLS_SSL_IS_SERVER ) { - if( ( ret = mbedtls_ssl_conf_dh_param( conf, - mbedtls_dhm_rfc7919_ffdhe2048_p, - mbedtls_dhm_rfc7919_ffdhe2048_g ) ) != 0 ) + const unsigned char dhm_p[] = + MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; + const unsigned char dhm_g[] = + MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; + + if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_p, + sizeof( dhm_p ) ) ) != 0 || + ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_g, + sizeof( dhm_g ) ) ) != 0 ) { return( ret ); } From 8880e75dcbe06e74ca205e473fa66bbd9a4e4f2c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:08 +0100 Subject: [PATCH 088/177] Add new function mbedtls_dhm_set_group to DHM Group --- include/mbedtls/dhm.h | 21 +++++++++++++++++++-- library/dhm.c | 22 ++++++++++++++++++++++ 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index c105d7a78..de818697d 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -127,8 +127,9 @@ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, * the byte-size of an MPI. * * \note This function assumes that ctx->P and ctx->G - * have already been properly set (for example - * using mbedtls_mpi_read_string or mbedtls_mpi_read_binary). + * have already been properly set. For that, use + * \c mbedtls_dhm_set_group below in conjunction with + * \c mbedtls_mpi_read_binary and \c mbedtls_mpi_read_string. * * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code */ 
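Review bot: The new code silently changes the server's default DH group: the removed lines used `mbedtls_dhm_rfc7919_ffdhe2048_p`/`_g` (RFC 7919 ffdhe2048), while the added `dhm_p`/`dhm_g` initialisers use `MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN`/`_G_BIN` (RFC 3526 MODP 2048), and neither the commit title nor the hunk says this is intended. The like-for-like replacement would be `MBEDTLS_DHM_RFC7919_FFDHE2048_P_BIN` and `MBEDTLS_DHM_RFC7919_FFDHE2048_G_BIN`, which the dhm.h hunk earlier on this page defines; if the switch is deliberate it should be stated in the commit message and the ChangeLog, since it affects every server built with these defaults. Separately, the two arrays are automatic variables inside `mbedtls_ssl_config_defaults`, so the 256-byte prime is copied onto the stack on each call; `static const unsigned char dhm_p[] = MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;` avoids that. The enclosing function continues outside the hunk.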
@@ -137,6 +138,22 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); +/** + * \brief Set prime modulus and generator + * + * \param ctx DHM context + * \param P MPI holding DHM prime modulus + * \param G MPI holding DHM generator + * + * \note This function can be used to set P, G + * in preparation for \c mbedtls_dhm_make_params. + * + * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + */ +int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, + const mbedtls_mpi *P, + const mbedtls_mpi *G ); + /** * \brief Import the peer's public value G^Y * diff --git a/library/dhm.c b/library/dhm.c index 8d9f66386..f824f7b9b 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -218,6 +218,28 @@ cleanup: return( 0 ); } +/* + * Set prime modulus and generator + */ +int mbedtls_dhm_set_group( mbedtls_dhm_context *ctx, + const mbedtls_mpi *P, + const mbedtls_mpi *G ) +{ + int ret; + + if( ctx == NULL || P == NULL || G == NULL ) + return( MBEDTLS_ERR_DHM_BAD_INPUT_DATA ); + + if( ( ret = mbedtls_mpi_copy( &ctx->P, P ) ) != 0 || + ( ret = mbedtls_mpi_copy( &ctx->G, G ) ) != 0 ) + { + return( MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret ); + } + + ctx->len = mbedtls_mpi_size( &ctx->P ); + return( 0 ); +} + /* * Import the peer's public value G^Y */ From ab74056037535de9639c9878a20092ec43c7284c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:37 +0100 Subject: [PATCH 089/177] Make use of `mbedtls_dhm_set_group` when generating DHM params --- library/ssl_srv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f137c3dce..fbfc9222a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
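Review bot: In the dhm.c hunk, `mbedtls_dhm_set_group` returns `MBEDTLS_ERR_DHM_SET_GROUP_FAILED + ret` when the second `mbedtls_mpi_copy` fails, and by then `ctx->P` has already been overwritten while `ctx->G` and `ctx->len` still describe the previous group. Neither the code nor the new doxygen block in the dhm.h hunk (@@ -137) says this, so a caller that ignores the error keeps a context with a mismatched modulus and length; add to the header's `\note`: `On failure the context may have been partially updated and must not be used until a further call succeeds or it is reset.` Separately, `MBEDTLS_ERR_DHM_SET_GROUP_FAILED` is used by both hunks but no definition of it appears in this commit's dhm.h hunks; unless an earlier patch in the series added it, this commit does not build on its own.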
@@ -2940,10 +2940,11 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) * opaque dh_Ys<1..2^16-1>; * } ServerDHParams; */ - if( ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.P, &ssl->conf->dhm_P ) ) != 0 || - ( ret = mbedtls_mpi_copy( &ssl->handshake->dhm_ctx.G, &ssl->conf->dhm_G ) ) != 0 ) + if( ( ret = mbedtls_dhm_set_group( &ssl->handshake->dhm_ctx, + &ssl->conf->dhm_P, + &ssl->conf->dhm_G ) ) != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_mpi_copy", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_set_group", ret ); return( ret ); } From a6dd90de30bc40b8a7703eb79af5420eac8480b5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:15:54 +0100 Subject: [PATCH 090/177] Add error string for failure code in `mbedtls_dhm_set_group` --- library/error.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/error.c b/library/error.c index db42381c4..6fa0c21d0 100644 --- a/library/error.c +++ b/library/error.c @@ -206,6 +206,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) ) mbedtls_snprintf( buf, buflen, "DHM - Read/write of file failed" ); + if( use_ret == -(MBEDTLS_ERR_DHM_SET_GROUP_FAILED) ) + mbedtls_snprintf( buf, buflen, "DHM - Setting modulus and generator failed" ); #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_ECP_C) From 5a7c35d1a8d13824efc6c93ba0be2d617844641e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:32:12 +0100 Subject: [PATCH 091/177] Correct documentation of `mbedtls_ssl_conf_dh_param` --- include/mbedtls/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fb2f02f0e..62f368fc0 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -1702,7 +1702,7 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) - * (Default: mbedtls_dhm_rfc7919_ffdhe2048_[pg]) + * (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]) * * \param conf SSL configuration * \param dhm_P Diffie-Hellman-Merkle modulus From 0482fd597aae2314e3c97fd5cc37faa4bcd2a101 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:39:08 +0100 Subject: [PATCH 092/177] Remove reference to utility program for RFC 3526/7919 verification --- include/mbedtls/dhm.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index de818697d..460ee7f0f 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -299,8 +299,6 @@ int mbedtls_dhm_self_test( int verbose ); * hence the corresponding subgroup has order (p-1)/2 and avoids leaking a * bit in the private exponent). * - * The above description can be validated using the - * the program programs/util/rfc_3526_7919_verify. */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) From 5e6b8d7d29b47954090a09a00f30a0454e1d808c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:41:36 +0100 Subject: [PATCH 093/177] Add missing whitespace --- include/mbedtls/dhm.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 460ee7f0f..73b69e076 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -372,7 +372,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "15728E5A8AACAA68FFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_2048_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #define MBEDTLS_DHM_RFC3526_MODP_3072_P \ MBEDTLS_DEPRECATED_STRING_CONSTANT( \ 
@@ -394,7 +394,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_3072_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #define MBEDTLS_DHM_RFC3526_MODP_4096_P \ MBEDTLS_DEPRECATED_STRING_CONSTANT( \ @@ -422,7 +422,7 @@ MBEDTLS_DEPRECATED typedef char const * deprecated_constant_t; "FFFFFFFFFFFFFFFF" ) #define MBEDTLS_DHM_RFC3526_MODP_4096_G \ - MBEDTLS_DEPRECATED_STRING_CONSTANT("02" ) + MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" ) #endif /* MBEDTLS_DEPRECATED_REMOVED */ From 184f6752566bcae1e6dcdfa8408b9f859d7a5111 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:47:33 +0100 Subject: [PATCH 094/177] Improve debugging output --- library/ssl_tls.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d2ca10157..162367429 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1270,7 +1270,8 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) if( ssl->out_msglen > MBEDTLS_SSL_MAX_CONTENT_LEN ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content too large, maximum %d", + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d", + (unsigned) ssl->out_msglen, MBEDTLS_SSL_MAX_CONTENT_LEN ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } From d25d44413453bd72e00171812b79905e123c6c1d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 13:56:42 +0100 Subject: [PATCH 095/177] Don't allocate space for DTLS header if DTLS is disabled --- include/mbedtls/ssl_internal.h | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 916817a22..3ce494565 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
@@ -158,11 +158,17 @@ #error Bad configuration - protected record payload too large. #endif -#define MBEDTLS_SSL_BUFFER_LEN ( MBEDTLS_SSL_PAYLOAD_LEN \ - + 5 /* TLS record header */ \ - + 8 /* Additional DTLS fields */ \ - ) +#if !defined(MBEDTLS_SSL_PROTO_DTLS) +/* https://tools.ietf.org/html/rfc5246#section-6.2 */ +#define MBEDTLS_SSL_HEADER_LEN 5 +#else +/* https://tools.ietf.org/html/rfc6347#section-4.1 */ +/* 8 additional bytes for epoch and sequence number */ +#define MBEDTLS_SSL_HEADER_LEN 13 +#endif +#define MBEDTLS_SSL_BUFFER_LEN \ + ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) ) /* * TLS extension flags (for extensions with outgoing ServerHello content From 470a8c4d8767565baa0f1c55f1b1487e2152cdbb Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 15:28:46 +0100 Subject: [PATCH 096/177] Deprecate mbedtls_ssl_conf_dh_param --- include/mbedtls/ssl.h | 18 +++++++++++++++--- library/ssl_tls.c | 3 +++ 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 62f368fc0..13ee5bd87 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1699,6 +1699,15 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#define MBEDTLS_DEPRECATED __attribute__((deprecated)) +#else +#define MBEDTLS_DEPRECATED +#endif + /** * \brief Set the Diffie-Hellman public P and G values, * read as hexadecimal strings (server-side only) 
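Review bot: `MBEDTLS_SSL_HEADER_LEN` now shrinks to 5 in TLS-only builds, so any record-layer code that writes or reads the DTLS epoch/sequence bytes without an `MBEDTLS_SSL_PROTO_DTLS` guard would now run past the header region of a buffer sized with `MBEDTLS_SSL_BUFFER_LEN`; I cannot see those call sites from this hunk, so this is worth confirming rather than a known defect. A comment on the macro stating that invariant would make the dependency explicit, e.g. `/* Record buffers are sized for the TLS header only unless DTLS is compiled in; DTLS-only header fields must stay behind MBEDTLS_SSL_PROTO_DTLS. */`.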
@@ -1708,12 +1717,15 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, * \param dhm_P Diffie-Hellman-Merkle modulus * \param dhm_G Diffie-Hellman-Merkle generator * + * \deprecated Superseded by \c mbedtls_ssl_conf_dh_param_bin. + * * \return 0 if successful */ -int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, - const char *dhm_P, - const char *dhm_G ); +MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, + const char *dhm_P, + const char *dhm_G ); +#endif /* MBEDTLS_DEPRECATED_REMOVED */ /** * \brief Set the Diffie-Hellman public P and G values, * read from existing context (server-side only) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f233e0a87..fe945c3c9 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6115,6 +6115,8 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf, #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) + +#if !defined(MBEDTLS_DEPRECATED_REMOVED) int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G ) { int ret; @@ -6129,6 +6131,7 @@ int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, cons return( 0 ); } +#endif /* MBEDTLS_DEPRECATED_REMOVED */ int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { From a90658f248cc7842d1b644f62c12deb9d2b32408 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 15:29:08 +0100 Subject: [PATCH 097/177] Add ssl_conf_dh_param_bin superseding ssl_conf_dh_param --- include/mbedtls/ssl.h | 18 ++++++++++++++++++ library/ssl_tls.c | 24 ++++++++++++++++++++---- 2 files changed, 38 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 13ee5bd87..32cec54b1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
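Review bot: The added `\deprecated Superseded by \c mbedtls_ssl_conf_dh_param_bin.` refers to a function this commit does not declare; it only appears in the next patch in the series (`Add ssl_conf_dh_param_bin superseding ssl_conf_dh_param`), so at this commit the doxygen cross-reference dangles and a bisect lands on a header recommending an API that does not exist. Reordering so the replacement lands first, or squashing the two, avoids that. Also, `MBEDTLS_DEPRECATED` is defined in the preceding ssl.h hunk (@@ -1699) and never undefined once the deprecated declaration is done; adding `#undef MBEDTLS_DEPRECATED` before `#endif /* MBEDTLS_DEPRECATED_REMOVED */` keeps the macro scoped to this block, which I believe is how the library's other headers handle it (dhm.h in this series defines the same macro).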
@@ -1726,6 +1726,24 @@ MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_G ); #endif /* MBEDTLS_DEPRECATED_REMOVED */ + +/** + * \brief Set the Diffie-Hellman public P and G values + * from big-endian binary presentations. + * (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG]_BIN) + * + * \param conf SSL configuration + * \param dhm_P Diffie-Hellman-Merkle modulus in big-endian binary form + * \param P_len Length of DHM modulus + * \param dhm_G Diffie-Hellman-Merkle generator in big-endian binary form + * \param G_len Length of DHM generator + * + * \return 0 if successful + */ +int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, + const unsigned char *dhm_P, size_t P_len, + const unsigned char *dhm_G, size_t G_len ); + /** * \brief Set the Diffie-Hellman public P and G values, * read from existing context (server-side only) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fe945c3c9..89d223d6a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6133,6 +6133,23 @@ int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, cons } #endif /* MBEDTLS_DEPRECATED_REMOVED */ +int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf, + const unsigned char *dhm_P, size_t P_len, + const unsigned char *dhm_G, size_t G_len ) +{ + int ret; + + if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 || + ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 ) + { + mbedtls_mpi_free( &conf->dhm_P ); + mbedtls_mpi_free( &conf->dhm_G ); + return( ret ); + } + + return( 0 ); +} + int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx ) { int ret; 
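Review bot: The doxygen block for `mbedtls_ssl_conf_dh_param_bin` in the ssl.h hunk documents only `\return 0 if successful`, while the ssl_tls.c hunk (@@ -6133) returns whatever `mbedtls_mpi_read_binary` produced, and on failure frees `conf->dhm_P` and `conf->dhm_G`, discarding any previously configured parameters. Both facts belong in the header: `\return 0 if successful, or an MBEDTLS_ERR_MPI_XXX error code; on failure any previously set parameters are discarded.` The `P_len`/`G_len` descriptions should also state the unit (`Length of DHM modulus in bytes`), "presentations" should read "representations", and the sibling `mbedtls_ssl_conf_dh_param` brief carries "(server-side only)", which this one omits.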
@@ -7545,10 +7562,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, const unsigned char dhm_g[] = MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; - if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_p, - sizeof( dhm_p ) ) ) != 0 || - ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_g, - sizeof( dhm_g ) ) ) != 0 ) + if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf, + dhm_p, sizeof( dhm_p ), + dhm_g, sizeof( dhm_g ) ) ) != 0 ) { return( ret ); } From e3481ab533b6416ec3609e2873424a72ce5cdd37 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 4 Oct 2017 16:05:10 +0100 Subject: [PATCH 098/177] Improve top warning in dhm.h --- include/mbedtls/dhm.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 73b69e076..479aef841 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -36,6 +36,14 @@ * primes cannot be trusted because of the possibility of backdoors * that can't be effectively checked for. * + * Diffie-Hellman-Merkle is therefore a security risk when not using + * standardized primes generated using a trustworthy ("nothing up + * my sleeve") method, such as the RFC 3526 / 7919 primes. In the TLS + * protocol, DH parameters need to be negotiated, so using the default + * primes systematically is not always an option. If possible, use + * Elliptic Curve Diffie-Hellman (ECDH), which has better performance, + * and for which the TLS protocol mandates the use of standard + * parameters that were generated in a nothing-up-my-sleeve manner. * We therefore consider DHE a security risk. If possible, it is * recommended users should consider preferring other methods of * key exchange. From f5dce36a2440aaf1d2ecbac7323b5cc93f0311d4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 12 Oct 2017 13:45:10 +0100 Subject: [PATCH 099/177] Don't claim ECDH parameters are nothing-up-my-sleeve numbers --- include/mbedtls/dhm.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
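Review bot: The new call site is written `if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,`, with a space between `if` and the opening parenthesis, whereas every other conditional visible in these ssl_tls.c hunks uses `if(`. Dropping the space keeps the file's spacing convention: `if( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,`. The enclosing `mbedtls_ssl_config_defaults` continues outside the hunk.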
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 479aef841..05a710903 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -43,10 +43,7 @@ * primes systematically is not always an option. If possible, use * Elliptic Curve Diffie-Hellman (ECDH), which has better performance, * and for which the TLS protocol mandates the use of standard - * parameters that were generated in a nothing-up-my-sleeve manner. - * We therefore consider DHE a security risk. If possible, it is - * recommended users should consider preferring other methods of - * key exchange. + * parameters. * */ #ifndef MBEDTLS_DHM_H From 0cd5b94dba7548c3b40efc0681f377744b424f59 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 13 Oct 2017 17:17:28 +0100 Subject: [PATCH 100/177] Adapt ChangeLog --- ChangeLog | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ChangeLog b/ChangeLog index e199682ea..62a705d4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,21 @@ Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. +Security + * Change default choice of DHE parameters from untrustworthy RFC 5114 + to RFC 3526 containing parameters generated in a nothing-up-my-sleeve + manner. + +New deprecations + * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by + parameters from RFC 3526 or the newly added parameters from RFC 7919. + * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. + Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN + etc. + * Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters + from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin + accepting DHM parameters in binary form, matching the new constants. + = mbed TLS 2.6.0 branch released 2017-08-10 Security From 15f2b3e5386c9956f52093331f85de497c63a397 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Tue, 17 Oct 2017 15:17:05 +0100 Subject: [PATCH 101/177] Mention that mpi_fill_random interprets PRNG output as big-endian --- include/mbedtls/bignum.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 456a80420..214e83c2d 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -683,6 +683,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi * * \return 0 if successful, * MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed + * + * \note The bytes obtained from the PRNG are interpreted + * as a big-endian representation of an MPI; this can + * be relevant in applications like deterministic ECDSA. */ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, int (*f_rng)(void *, unsigned char *, size_t), From 073c199224fc961e6cb045e4d4b6dc51685e617f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 17 Oct 2017 15:17:27 +0100 Subject: [PATCH 102/177] Make mpi_read_binary time constant This commit modifies mpi_read_binary to always allocate the minimum number of limbs required to hold the entire buffer provided to the function, regardless of its content. Previously, leading zero bytes in the input data were detected and used to reduce memory footprint and time, but this non-constant behavior turned out to be non-tolerable for the cryptographic applications this function is used for. --- library/bignum.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/library/bignum.c b/library/bignum.c index d3a150c3c..79f25f08e 100644 --- a/library/bignum.c +++ b/library/bignum.c 
@@ -672,16 +672,20 @@ cleanup: int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen ) { int ret; - size_t i, j, n; + size_t i, j; + size_t const limbs = CHARS_TO_LIMBS( buflen ); - for( n = 0; n < buflen; n++ ) - if( buf[n] != 0 ) - break; + /* Ensure that target MPI has exactly the necessary number of limbs */ + if( X->n != limbs ) + { + mbedtls_mpi_free( X ); + mbedtls_mpi_init( X ); + MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) ); + } - MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) ); - for( i = buflen, j = 0; i > n; i--, j++ ) + for( i = buflen, j = 0; i > 0; i--, j++ ) X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3); cleanup: From 7c8cb9c28b3153aed05db02a2913915524d5f37b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 17 Oct 2017 15:19:38 +0100 Subject: [PATCH 103/177] Fix information leak in ecp_gen_keypair_base The function mbedtls_ecp_gen_keypair_base did not wipe the stack buffer used to hold the private exponent before returning. This commit fixes this by not using a stack buffer in the first place but instead calling mpi_fill_random directly to acquire the necessary random MPI. --- library/ecp.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/library/ecp.c b/library/ecp.c index 5ad686398..b41baef27 100644 --- a/library/ecp.c +++ b/library/ecp.c @@ -1953,7 +1953,6 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, { /* SEC1 3.2.1: Generate d such that 1 <= n < N */ int count = 0; - unsigned char rnd[MBEDTLS_ECP_MAX_BYTES]; /* * Match the procedure given in RFC 6979 (deterministic ECDSA): 
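Review bot: The `X->n != limbs` branch frees and re-initialises `X` before `mbedtls_mpi_grow`, so if the grow fails the caller's MPI comes back empty rather than holding its previous value, and an `X` that was deliberately pre-sized larger than `CHARS_TO_LIMBS( buflen )` is now shrunk on every call; both are behaviour changes that the hunk does not mention. The reason for insisting on an exact limb count is also only in the commit message, not the code; a why-comment would keep the intent from being "optimised" away later, e.g. `/* The limb count must depend only on buflen, never on the value's leading zero bytes, so that later arithmetic on X does not leak them through timing. */`. The public documentation of `mbedtls_mpi_read_binary` in bignum.h is not updated in this commit to describe the new size guarantee.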
@@ -1964,8 +1963,7 @@ int mbedtls_ecp_gen_keypair_base( mbedtls_ecp_group *grp, */ do { - MBEDTLS_MPI_CHK( f_rng( p_rng, rnd, n_size ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( d, rnd, n_size ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) ); /* From 28a0c727957990ac655cbe40c7eb20b7ef01167d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2017 19:01:38 +0200 Subject: [PATCH 104/177] RSA: Fix buffer overflow in PSS signature verification Fix buffer overflow in RSA-PSS signature verification when the hash is too large for the key size. Found by Seth Terashima, Qualcomm. Added a non-regression test and a positive test with the smallest permitted key size for a SHA-512 hash. --- ChangeLog | 5 ++++ library/rsa.c | 2 ++ tests/data_files/rsa512.key | 9 ++++++++ tests/data_files/rsa521.key | 9 ++++++++ tests/data_files/rsa522.key | 9 ++++++++ tests/data_files/rsa528.key | 9 ++++++++ tests/suites/test_suite_pkcs1_v21.data | 32 ++++++++++++++++++++++++++ 7 files changed, 75 insertions(+) create mode 100644 tests/data_files/rsa512.key create mode 100644 tests/data_files/rsa521.key create mode 100644 tests/data_files/rsa522.key create mode 100644 tests/data_files/rsa528.key diff --git a/ChangeLog b/ChangeLog index a89f2a467..292acefe3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x released xxxx-xx-xx +Security + * Fix buffer overflow in RSA-PSS verification when the hash is too + large for the key size. Found by Seth Terashima, Qualcomm Product + Security Initiative, Qualcomm Technologies Inc. + Features * Allow comments in test data files. diff --git a/library/rsa.c b/library/rsa.c index bdd2538c3..a4e3ee689 100644 --- a/library/rsa.c +++ b/library/rsa.c 
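Review bot: Replacing the local `rnd` buffer with `mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng )` moves, rather than removes, the copy of the private-exponent bytes on the stack: as the later bignum.c hunk in this series shows, `mbedtls_mpi_fill_random` itself fills a local `buf` and passes it to `mbedtls_mpi_read_binary`, and only the subsequent patch (`Zeroize stack before returning from mpi_fill_random`) wipes it. At this commit the information leak described in the subject therefore still exists, one frame deeper; the two patches should land together or in the opposite order. The enclosing `mbedtls_ecp_gen_keypair_base` starts and ends outside the hunk.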
@@ -1362,6 +1362,8 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); hlen = mbedtls_md_get_size( md_info ); + if( siglen < hlen + 2 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); slen = siglen - hlen - 1; /* Currently length of salt + padding */ memset( zeros, 0, 8 ); diff --git a/tests/data_files/rsa512.key b/tests/data_files/rsa512.key new file mode 100644 index 000000000..1fd7987c2 --- /dev/null +++ b/tests/data_files/rsa512.key @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBOwIBAAJBALB20jJQgW+aqwIwfkUrl/DK51mDabQWJOivx5caWaE4kvZLB+qm +7JKMFgstbsj50N1bY8izrAdntPZciS9WwQ8CAwEAAQJAKYfNcIoB7II6PQmsrhrU +Z5dZW3fSKNANX7X/A1DwR0DlF8uZnpWsWbYcRoXX7QjvepZqc54wryhW55Wlm6yI +AQIhAOJIaLjSpbHjzzcJQ7mylxn2WGIlbJPPzJ9OaFZCZQvxAiEAx6OEAvl6JKa6 +6a+N2Wvhtcgb4qqR6UHQGJQYGJz5nP8CIAvgoR6ScAAWZRoOcm+c4DGMrLb6H+ji +T2tNQkzEz2kBAiEAmw34GStU36STpa6RGJ4+tyZN6jWakDVqf7x+HpfFE1cCIQDc +KzXIxec2taye4OeIa1v4W/MigMmYE9w93Uw/Qi3azA== +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/rsa521.key b/tests/data_files/rsa521.key new file mode 100644 index 000000000..0b940aa6e --- /dev/null +++ b/tests/data_files/rsa521.key @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBPQIBAAJCATG2mGDzy5v4XqNY/fK9KZDxt3qA1qT9+BekPdiWvffdJq+KwCN/ +Um4NM7EFyXH9vU/6ns6Z/EafMez0Kej1YsHDAgMBAAECQCdoYjwdMSHp4kksL5Aa +0kDc58ni0chy9IgXo+FHjTVmR9DkaZANrwfVvYMJxqYCZo0im1Dw7ZJBUDJQNXnl +ZokCIRiSk66I24AWa7XGUFvatVwXWi2ACE4QEKqzWQe1mQ24/wIhDHD1TCKpqucA +XDI+1N7EHs+fN4CfTSWe8FPGiK6q3VM9AiESrKKLi/q011U4KeS8SfR2blDcL2cg +XFkuQWqxzzLoGOUCIQmgl5E0+Ypwe0zc7NYZFDarf4+ZjqxKQnXCvk0irMHcGQIh +EVPli6RQb3Gcx7vXJHltzSTno7NElzBDRMBVUlBmVxAJ +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/rsa522.key b/tests/data_files/rsa522.key new file mode 100644 index 000000000..18fbe70ca --- /dev/null +++ b/tests/data_files/rsa522.key 
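Review bot: The new guard `if( siglen < hlen + 2 )` tests the modulus byte length, but the PSS encoded message is one byte shorter when the modulus bit length is 8N+1, which the function handles later by skipping a leading zero byte (`p++; siglen -= 1;` in the following rsa.c patch); for such keys a signature of length hlen + 2 passes this check and then leaves no room for the 0x01 separator. The check should be made against the encoded-message length, e.g. after the leading-zero adjustment or as `if( siglen < hlen + 2 + ( msb % 8 == 1 ) )` with `msb` computed first. A later patch in this series (`RSA PSS: fix minimum length check for keys of size 8N+1`) appears to address exactly this; `mbedtls_rsa_rsassa_pss_verify_ext` continues outside the hunk.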
@@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBPgIBAAJCAtMCdT492ij0L02fkshkdCDqb7yXwQ+EmLlmqVPzV2mNZYEGDf4y +yKuY20vFzirN8MHm5ASnWhMoJVDBqjfTzci/AgMBAAECQU05ffxf7uVg74yC9tKg +qCa746NpMh3OM+HZrUxiOXv0sJMRXNEPD5HNLtgcNY6MI5NYbUvkOXktnFZpxWYP +TH7BAiEeFJGs5Z6gRd2v/IbYLMFDHgjqho04INGTOvnyI7lGVKUCIRgJM7moFuoM +UrKTmJK1uOzauWEykCKgc6BGH6TGZoEWkwIhBzQn2v82qO1ydOYGKRk2w2sa+Yd1 +pH5/kkHqf+m8QjKdAiEQ9eVW+4J30wxD0JyX4b1E/S5UpN5KYNhWX0US+6D3NBsC +IRxePzdQlutZWg0Cnku3QE1tOLBCFlP7QVVl5FbKcY5H5w== +-----END RSA PRIVATE KEY----- diff --git a/tests/data_files/rsa528.key b/tests/data_files/rsa528.key new file mode 100644 index 000000000..fd463b54d --- /dev/null +++ b/tests/data_files/rsa528.key @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBRQIBAAJDAOMcJG1GSFmEJh/RdMqz1DVzRGAuzXk8R9vlQlLTe7NQvGNDWbGV +FVQggORySktnIpG+V8dkj1Finq7yNOhH2ZzGXwIDAQABAkMAsWYyLglQSlwnS4NZ +L1z4zieTqW3lomWr2+BgxkHbxl2w0Rx4L+Ezp+YK6mhtIQWNkoytPvWJJMS7Jrkg +agMAHQJBAiIA+F1y5GO0Bv+igsNLXwwtbCqs8hAkavU9W8egt/oDbhzbAiIA6hds +PZp/s1X7n7dwfmebSs+3vLZFuQfifN8XZLw0CXHNAiEuEzgDQrPdMIN3er96zImI +rYoUBgabiQ9u/WPFfa4xOU0CIgDDYC089Tfjy72pPgcr2PkpZVhqro5esg/8PI5f +yxx7TXkCIgCYoE8Y5IxomtL1ub1AQzPe9UyyUGzQB1yWeiloJh6LjxA= +-----END RSA PRIVATE KEY----- diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index ac16beb8a..6d31494e5 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data 
@@ -787,3 +787,35 @@ RSASSA-PSS Signature verify options #13 (MGF1 alg != MSG hash alg, arg wrong) depends_on:MBEDTLS_SHA256_C pkcs1_rsassa_pss_verify_ext:1024:16:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA1:MBEDTLS_RSA_SALT_LEN_ANY:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":"7fc506d26ca3b22922a1ce39faaedd273161b82d9443c56f1a034f131ae4a18cae1474271cb4b66a17d9707ca58b0bdbd3c406b7e65bbcc9bbbce94dc45de807b4989b23b3e4db74ca29298137837eb90cc83d3219249bc7d480fceaf075203a86e54c4ecfa4e312e39f8f69d76534089a36ed9049ca9cfd5ab1db1fa75fe5c8":0:MBEDTLS_ERR_RSA_INVALID_PADDING +RSASSA-PSS verify ext, 512-bit key, empty salt, good signature +depends_on:MBEDTLS_SHA256_C +pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":0:0 + +RSASSA-PSS verify ext, 512-bit key, empty salt, bad signature +depends_on:MBEDTLS_SHA256_C +pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf247":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING + +RSASSA-PSS verify ext, 522-bit key, SHA-512, empty salt, good signature +depends_on:MBEDTLS_SHA512_C 
+pkcs1_rsassa_pss_verify_ext:522:16:"02d302753e3dda28f42f4d9f92c8647420ea6fbc97c10f8498b966a953f357698d6581060dfe32c8ab98db4bc5ce2acdf0c1e6e404a75a13282550c1aa37d3cdc8bf":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"016752ae0b5dfbade6bbd3dd37868d48c8d741f92dca41c360aeda553204c2212a117b1a3d77e0d3f48723503c46e16c8a64de00f1dee3e37e478417452630859486":0:0 + +RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0 +depends_on:MBEDTLS_SHA512_C +pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING + +RSASSA-PSS verify ext, 528-bit key, SHA-512, empty salt, good signature +depends_on:MBEDTLS_SHA512_C +pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:0 + +RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0 +depends_on:MBEDTLS_SHA512_C +pkcs1_rsassa_pss_verify_ext:528:16:"00e31c246d46485984261fd174cab3d4357344602ecd793c47dbe54252d37bb350bc634359b19515542080e4724a4b672291be57c7648f51629eaef234e847d99cc65f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:64:"":"a9ad7994ba3a1071124153486924448cc67a5af3a5d34e9261d53770782cc85f58e2edde5f7004652a645e3e9606530eb57de41df7298ae2be9dec69cc0d613ab629":0:MBEDTLS_ERR_RSA_INVALID_PADDING + +RSASSA-PSS verify ext, 512-bit key, SHA-512 (hash too large) 
+depends_on:MBEDTLS_SHA512_C +pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"ace8b03347da1b9a7a5e94a0d76359bb39c819bb170bef38ea84995ed653446c0ae87ede434cdf9d0cb2d7bf164cf427892363e6855a1d24d0ce5dd72acaf246":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA + +RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature +depends_on:MBEDTLS_SHA512_C +pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING + From 6a54b0240dea904b5a823b2b1e01b97c37ac2e8f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2017 19:02:13 +0200 Subject: [PATCH 105/177] RSA: Fix another buffer overflow in PSS signature verification Fix buffer overflow in RSA-PSS signature verification when the masking operation results in an all-zero buffer. This could happen at any key size. --- ChangeLog | 2 ++ library/rsa.c | 21 +++++++++++---------- tests/suites/test_suite_pkcs1_v21.data | 4 ++++ 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 292acefe3..6f7637dc1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ Security * Fix buffer overflow in RSA-PSS verification when the hash is too large for the key size. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. + * Fix buffer overflow in RSA-PSS verification when the unmasked + data is all zeros. Features * Allow comments in test data files. 
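Review bot: The case `RSASSA-PSS verify ext, 528-bit key, SHA-512, saltlen=64, good signature with saltlen=0` is added twice with identical `depends_on` and argument lines, once before and once after the "528-bit key, SHA-512, empty salt, good signature" case. One copy should be dropped, or if a second case was intended (for instance `saltlen=64` against the 522-bit key) its parameters need changing. Duplicate names also make test-suite output ambiguous when one of them fails.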
diff --git a/library/rsa.c b/library/rsa.c index a4e3ee689..f9aec2270 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1319,10 +1319,11 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, int ret; size_t siglen; unsigned char *p; + unsigned char *hash_start; unsigned char result[MBEDTLS_MD_MAX_SIZE]; unsigned char zeros[8]; unsigned int hlen; - size_t slen, msb; + size_t observed_salt_len, msb; const mbedtls_md_info_t *md_info; mbedtls_md_context_t md_ctx; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; @@ -1364,7 +1365,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, hlen = mbedtls_md_get_size( md_info ); if( siglen < hlen + 2 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - slen = siglen - hlen - 1; /* Currently length of salt + padding */ + hash_start = buf + siglen - hlen - 1; memset( zeros, 0, 8 ); @@ -1379,6 +1380,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, p++; siglen -= 1; } + else if( buf[0] >> ( 8 - siglen * 8 + msb ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1389,25 +1391,24 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, return( ret ); } - mgf_mask( p, siglen - hlen - 1, p + siglen - hlen - 1, hlen, &md_ctx ); + mgf_mask( p, siglen - hlen - 1, hash_start, hlen, &md_ctx ); buf[0] &= 0xFF >> ( siglen * 8 - msb ); - while( p < buf + siglen && *p == 0 ) + while( p < hash_start - 1 && *p == 0 ) p++; - if( p == buf + siglen || + if( p == hash_start || *p++ != 0x01 ) { mbedtls_md_free( &md_ctx ); return( MBEDTLS_ERR_RSA_INVALID_PADDING ); } - /* Actual salt len */ - slen -= p - buf; + observed_salt_len = hash_start - p; if( expected_salt_len != MBEDTLS_RSA_SALT_LEN_ANY && - slen != (size_t) expected_salt_len ) + observed_salt_len != (size_t) expected_salt_len ) { mbedtls_md_free( &md_ctx ); return( MBEDTLS_ERR_RSA_INVALID_PADDING ); 
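Review bot: In the @@ -1379 hunk an empty `+` line is inserted between the closing brace of the leading-zero branch and `else if( buf[0] >> ( 8 - siglen * 8 + msb ) )`, which visually detaches the `else if` from its `if`; the blank line looks unintentional and should be removed.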
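Review bot: In the @@ -1389 hunk the new bound `while( p < hash_start - 1 && *p == 0 )` is correct but reads as an off-by-one to anyone who does not have the all-zero overflow in mind, since the next line still compares `p == hash_start`. A one-line why-comment above the loop prevents a future "fix": `/* Stop one byte short of the hash: a valid DB ends with the 0x01 separator, so an all-zero run must not reach hash_start. */`. The enclosing `mbedtls_rsa_rsassa_pss_verify_ext` starts before and ends after this hunk.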
@@ -1419,12 +1420,12 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, mbedtls_md_starts( &md_ctx ); mbedtls_md_update( &md_ctx, zeros, 8 ); mbedtls_md_update( &md_ctx, hash, hashlen ); - mbedtls_md_update( &md_ctx, p, slen ); + mbedtls_md_update( &md_ctx, p, observed_salt_len ); mbedtls_md_finish( &md_ctx, result ); mbedtls_md_free( &md_ctx ); - if( memcmp( p + slen, result, hlen ) == 0 ) + if( memcmp( hash_start, result, hlen ) == 0 ) return( 0 ); else return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index 6d31494e5..7c202e9cd 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data @@ -819,3 +819,7 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature depends_on:MBEDTLS_SHA512_C pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING +RSASSA-PSS verify ext, all-zero padding, automatic salt length +depends_on:MBEDTLS_SHA256_C +pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING + From 888071184c3247306ae170ee7d30d2554d230f13 Mon Sep 17 00:00:00 2001 
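Review bot: The return values of `mbedtls_md_starts`, `mbedtls_md_update` and `mbedtls_md_finish` in the hunk at -1419 are discarded, so if any of them fails `result` holds stale stack contents and `memcmp( hash_start, result, hlen )` still decides the verdict. The function already has `ret` and frees `md_ctx` on its error paths, so each call could be wrapped as `if( ( ret = mbedtls_md_update( &md_ctx, p, observed_salt_len ) ) != 0 )` followed by the existing free-and-return, or routed through one shared cleanup label. The enclosing function starts outside the hunk.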
From: Hanno Becker Date: Wed, 18 Oct 2017 12:41:30 +0100 Subject: [PATCH 106/177] Zeroize stack before returning from mpi_fill_random --- library/bignum.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/bignum.c b/library/bignum.c index 79f25f08e..d27c130bc 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -63,6 +63,11 @@ static void mbedtls_mpi_zeroize( mbedtls_mpi_uint *v, size_t n ) { volatile mbedtls_mpi_uint *p = v; while( n-- ) *p++ = 0; } +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = v; while( n-- ) *p++ = 0; +} + #define ciL (sizeof(mbedtls_mpi_uint)) /* chars in limb */ #define biL (ciL << 3) /* bits in limb */ #define biH (ciL << 2) /* half limb size */ @@ -1886,6 +1891,7 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size, MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( X, buf, size ) ); cleanup: + mbedtls_zeroize( buf, sizeof( buf ) ); return( ret ); } From 139108af94951855fd37ba5a1b9d6099e63b20c8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 18 Oct 2017 19:03:42 +0200 Subject: [PATCH 107/177] RSA PSS: fix minimum length check for keys of size 8N+1 The check introduced by the previous security fix was off by one. It fixed the buffer overflow but was not compliant with the definition of PSS which technically led to accepting some invalid signatures (but not signatures made without the private key). --- library/rsa.c | 7 ++++--- tests/suites/test_suite_pkcs1_v21.data | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index f9aec2270..f25137ab8 100644 --- a/library/rsa.c +++ b/library/rsa.c 
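Review bot: The hunk at -63 adds a file-local `mbedtls_zeroize` directly after `mbedtls_mpi_zeroize`, and the PATCH 123 hunk for platform.c further down this page adds another static copy of the same loop; per-file copies are the pattern the library follows here, but a single internal helper would stop the implementations from drifting (the platform.c copy already differs by an unneeded cast). In the -1886 hunk the declaration of `buf` is outside the hunk, so `sizeof( buf )` is correct only if `buf` is an array rather than a pointer — confirm against the declaration. A short comment on the new call would help, e.g. `/* buf held the raw bytes read into X above */`.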
@@ -1363,9 +1363,6 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); hlen = mbedtls_md_get_size( md_info ); - if( siglen < hlen + 2 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - hash_start = buf + siglen - hlen - 1; memset( zeros, 0, 8 ); @@ -1384,6 +1381,10 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, if( buf[0] >> ( 8 - siglen * 8 + msb ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + if( siglen < hlen + 2 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + hash_start = p + siglen - hlen - 1; + mbedtls_md_init( &md_ctx ); if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 0 ) ) != 0 ) { diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index 7c202e9cd..7785b1232 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data 
@@ -817,7 +817,7 @@ pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369 RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature depends_on:MBEDTLS_SHA512_C -pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING +pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA RSASSA-PSS verify ext, all-zero padding, automatic salt length depends_on:MBEDTLS_SHA256_C From a21e2a015b760122e5918a04245597953e950a64 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 19 Oct 2017 09:13:35 +0100 Subject: [PATCH 108/177] Adapt ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index ded60d39f..cef0e7215 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,13 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Security + * Make mbedtls_mpi_read_binary constant-time with respect to + the input data. Previously, trailing zero bytes were detected + and omitted for the sake of saving memory, but potentially + leading to slight timing differences. + Reported by Marco Macchetti, Kudelski Group. + Features * Allow comments in test data files. 
From 509fef7de331dd4ec336fc3b5f7b9c19b493b049 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 19 Oct 2017 10:10:18 +0100 Subject: [PATCH 109/177] Add ChangeLog message for EC private exponent information leak --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index cef0e7215..7838a6884 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,8 @@ Security and omitted for the sake of saving memory, but potentially leading to slight timing differences. Reported by Marco Macchetti, Kudelski Group. + * Wipe stack buffer temporarily holding EC private exponent + after keypair generation. Features * Allow comments in test data files. From b00b0da45227dface23f1d1da2e28a0165d13313 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Oct 2017 15:23:49 +0200 Subject: [PATCH 110/177] RSA PSS: fix first byte check for keys of size 8N+1 For a key of size 8N+1, check that the first byte after applying the public key operation is 0 (it could have been 1 instead). The code was incorrectly doing a no-op check instead, which led to invalid signatures being accepted. Not a security flaw, since you would need the private key to craft such an invalid signature, but a bug nonetheless. --- library/rsa.c | 6 +++--- tests/suites/test_suite_pkcs1_v21.data | 8 ++++++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index f25137ab8..b54960fb7 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1371,15 +1371,15 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, */ msb = mbedtls_mpi_bitlen( &ctx->N ) - 1; + if( buf[0] >> ( 8 - siglen * 8 + msb ) ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + /* Compensate for boundary condition when applying mask */ if( msb % 8 == 0 ) { p++; siglen -= 1; } - else - if( buf[0] >> ( 8 - siglen * 8 + msb ) ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); if( siglen < hlen + 2 ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); 
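Review bot: The shift count in the relocated check `buf[0] >> ( 8 - siglen * 8 + msb )` evaluates `8 - siglen * 8` first, which wraps in `size_t` before `msb` is added back; the result is in range because `siglen * 8` is at most `msb + 8` for the byte length of an `msb + 1`-bit modulus, but nothing in the hunk says so. Writing it as `buf[0] >> ( msb + 8 - siglen * 8 )` avoids the intermediate wrap, and a comment such as `/* the top siglen * 8 - msb bits of EM must be zero; shift is in 0..7 */` would document why the shift cannot reach 8. With the check now preceding the `msb % 8 == 0` branch the leading byte of 8N+1-bit keys is also covered, which the two test vectors added in the data hunk exercise. The enclosing function starts outside the hunk.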
diff --git a/tests/suites/test_suite_pkcs1_v21.data b/tests/suites/test_suite_pkcs1_v21.data index 7785b1232..6258c6262 100644 --- a/tests/suites/test_suite_pkcs1_v21.data +++ b/tests/suites/test_suite_pkcs1_v21.data 
@@ -819,6 +819,14 @@ RSASSA-PSS verify ext, 521-bit key, SHA-512, empty salt, bad signature depends_on:MBEDTLS_SHA512_C pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:MBEDTLS_MD_SHA512:0:"":"00471794655837da498cbf27242807b40593a353c707eb22fd2cc5a3259e728ac4f1df676043eeec8e16c1175b3d9ac8cae72ec1d5772dd69de71c5677f19031568e":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA +RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, good signature +depends_on:MBEDTLS_SHA256_C +pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"009c4941157fa36288e467310b198ab0c615c40963d611ffeef03000549ded809235955ecc57adba44782e9497c004f480ba2b3d58db8335fe0b391075c02c843a6d":0:0 + +RSASSA-PSS verify ext, 521-bit key, SHA-256, empty salt, flipped-highest-bit signature +depends_on:MBEDTLS_SHA256_C +pkcs1_rsassa_pss_verify_ext:521:16:"0131b69860f3cb9bf85ea358fdf2bd2990f1b77a80d6a4fdf817a43dd896bdf7dd26af8ac0237f526e0d33b105c971fdbd4ffa9ece99fc469f31ecf429e8f562c1c3":16:"010001":MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:0:"41":"00e11a2403df681c44a1f73f014b6c9ad17847d0b673f7c2a801cee208d10ab5792c10cd0cd495a4b331aaa521409fca7cb1b0d978b3a84cd67e28078b98753e9466":MBEDTLS_ERR_RSA_BAD_INPUT_DATA:MBEDTLS_ERR_RSA_BAD_INPUT_DATA + RSASSA-PSS verify ext, all-zero padding, automatic salt length depends_on:MBEDTLS_SHA256_C 
pkcs1_rsassa_pss_verify_ext:512:16:"00b076d23250816f9aab02307e452b97f0cae7598369b41624e8afc7971a59a13892f64b07eaa6ec928c160b2d6ec8f9d0dd5b63c8b3ac0767b4f65c892f56c10f":16:"010001":MBEDTLS_MD_NONE:MBEDTLS_MD_SHA256:MBEDTLS_MD_SHA256:MBEDTLS_RSA_SALT_LEN_ANY:"":"63a35294577c7e593170378175b7df27c293dae583ec2a971426eb2d66f2af483e897bfae5dc20300a9d61a3644e08c3aee61a463690a3498901563c46041056":MBEDTLS_ERR_RSA_INVALID_PADDING:MBEDTLS_ERR_RSA_INVALID_PADDING From 91048a3aac537721a84d964eeaa0de43ba14f791 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Oct 2017 17:46:14 +0200 Subject: [PATCH 111/177] RSA PSS: remove redundant check; changelog Remove a check introduced in the previous buffer overflow fix with keys of size 8N+1 which the subsequent fix for buffer start calculations made redundant. Added a changelog entry for the buffer start calculation fix. --- ChangeLog | 2 ++ library/rsa.c | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6f7637dc1..4a2e710b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,8 @@ Bugfix * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. Found by projectgus and jethrogb, #836. * Fix usage help in ssl_server2 example. Found and fixed by Bei Lin. + * Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were + accepted. Generating these signatures required the private key. = mbed TLS 2.6.0 branch released 2017-08-10 diff --git a/library/rsa.c b/library/rsa.c index b54960fb7..148f6b345 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1399,8 +1399,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, while( p < hash_start - 1 && *p == 0 ) p++; - if( p == hash_start || - *p++ != 0x01 ) + if( *p++ != 0x01 ) { mbedtls_md_free( &md_ctx ); return( MBEDTLS_ERR_RSA_INVALID_PADDING ); From 27b34d5bad4766ab8b4d6b81d4571b946b70f55a Mon Sep 17 00:00:00 2001 
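Review bot: After the simplification to `if( *p++ != 0x01 )` the dereference stays in bounds only because the loop condition `p < hash_start - 1` leaves `p` at most at `hash_start - 1`, and `hash_start - 1` is at or after the start of the masked data because of the earlier `siglen < hlen + 2` check; neither fact is stated next to the read. A comment such as `/* p <= hash_start - 1 here, so *p is inside the DB area */` would make the absence of the removed `p == hash_start` guard self-explanatory. The enclosing function starts outside the hunk.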
From: Hanno Becker Date: Fri, 20 Oct 2017 14:24:51 +0100 Subject: [PATCH 112/177] Wrong identifier used to check Encrypt-then-MAC flag This commit fixes a comparison of ssl_session->encrypt_then_mac against the ETM-unrelated constant MBEDTLS_SSL_EXTENDED_MS_DISABLED. Instead, MBEDTLS_SSL_ETM_DISABLED should be used. The typo has no functional effect since both constants have the same value 0. --- library/ssl_srv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 37f415dd1..f98e9e8a9 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2042,7 +2042,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *suite = NULL; const mbedtls_cipher_info_t *cipher = NULL; - if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_EXTENDED_MS_DISABLED || + if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { *olen = 0; From 9a51c032ee2c414e814317d4011b549ece778af2 Mon Sep 17 00:00:00 2001 From: Chris Xue Date: Sun, 5 Nov 2017 19:10:51 +0000 Subject: [PATCH 113/177] Fix copy paste error in the error message of mbedtls_ecp_gen_key in gen_key.c --- programs/pkey/gen_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 48126948d..547426813 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -339,7 +339,7 @@ int main( int argc, char *argv[] ) mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { - mbedtls_printf( " failed\n ! mbedtls_rsa_gen_key returned -0x%04x", -ret ); + mbedtls_printf( " failed\n ! mbedtls_ecp_gen_key returned -0x%04x", -ret ); goto exit; } } From c81fcb9d36158091d83cc48038bdee964fdbf2ff Mon Sep 17 00:00:00 2001 
From: Andres Amaya Garcia Date: Tue, 14 Nov 2017 21:40:02 +0000 Subject: [PATCH 114/177] Fix typos in documentation for mbedtls_x509_crt_check_extended_key_usage() --- include/mbedtls/x509_crt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 06166d8b1..f4773b4dc 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -373,7 +373,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** - * \brief Check usage of certificate against extentedJeyUsage. + * \brief Check usage of certificate against extendedKeyUsage. * * \param crt Leaf certificate used. * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). @@ -387,7 +387,7 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len ); -#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) */ +#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) /** From 5a6da63138cf589077f54f49934ca928cf6c73a6 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 14 Nov 2017 21:40:51 +0000 Subject: [PATCH 115/177] Fix indentation for mbedtls_x509_crt_check_key_usage() --- include/mbedtls/x509_crt.h | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index f4773b4dc..b7a509831 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h 
@@ -373,20 +373,21 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) /** - * \brief Check usage of certificate against extendedKeyUsage. + * \brief Check usage of certificate against extendedKeyUsage. * - * \param crt Leaf certificate used. - * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or MBEDTLS_OID_CLIENT_AUTH). + * \param crt Leaf certificate used. + * \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or + * MBEDTLS_OID_CLIENT_AUTH). * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * - * \return 0 if this use of the certificate is allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. + * \return 0 if this use of the certificate is allowed, + * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * - * \note Usually only makes sense on leaf certificates. + * \note Usually only makes sense on leaf certificates. */ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt, - const char *usage_oid, - size_t usage_len ); + const char *usage_oid, + size_t usage_len ); #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */ #if defined(MBEDTLS_X509_CRL_PARSE_C) From 992b6872f3ca717282ae367749a47f006d337a87 Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Thu, 9 Nov 2017 18:57:39 +0000 Subject: [PATCH 116/177] Fix heap corruption in ssl_decrypt_buf Previously, MAC validation for an incoming record proceeded as follows: 1) Make a copy of the MAC contained in the record; 2) Compute the expected MAC in place, overwriting the presented one; 3) Compare both. This resulted in a record buffer overflow if truncated MAC was used, as in this case the record buffer only reserved 10 bytes for the MAC, but the MAC computation routine in 2) always wrote a full digest. For specially crafted records, this could be used to perform a controlled write of up to 6 bytes past the boundary of the heap buffer holding the record, thereby corrupting the heap structures and potentially leading to a crash or remote code execution. This commit fixes this by making the following change: 1) Compute the expected MAC in a temporary buffer that has the size of the underlying message digest. 2) Compare this to the MAC contained in the record, potentially restricting to the first 10 bytes if truncated HMAC is used. A similar fix is applied to the encryption routine `ssl_encrypt_buf`. --- library/ssl_tls.c | 36 +++++++++++++++++------------------- tests/ssl-opt.sh | 20 ++++++++++---------- 2 files changed, 27 insertions(+), 29 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8467b1302..341eb7d01 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -1293,14 +1293,17 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { + unsigned char mac[MBEDTLS_SSL_MAC_ADD]; + mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 ); mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 ); mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 ); mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_msg, ssl->out_msglen ); - mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, - ssl->out_msg + ssl->out_msglen ); + mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac ); mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc ); + + memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); } else #endif @@ -1562,8 +1565,6 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) return( 0 ); } -#define SSL_MAX_MAC_SIZE 48 - static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) { size_t i; @@ -1731,7 +1732,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) { - unsigned char computed_mac[SSL_MAX_MAC_SIZE]; + unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; unsigned char pseudo_hdr[13]; MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 
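Review bot: The hunks at -1293 and -1731 size the temporary MAC buffers with `MBEDTLS_SSL_MAC_ADD` while the -1562 hunk deletes `SSL_MAX_MAC_SIZE 48`, which was the previous bound; nothing on the new side shows that `MBEDTLS_SSL_MAC_ADD` is at least the largest digest `mbedtls_md_hmac_finish` can write, so the fix rests on an invariant defined elsewhere. A comment at the first declaration, e.g. `/* MBEDTLS_SSL_MAC_ADD >= largest HMAC output (48 bytes for SHA-384) */`, or a preprocessor check next to the macro's definition, would tie the two together. The `memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen )` in -1293 likewise assumes `maclen <= MBEDTLS_SSL_MAC_ADD`. ssl_encrypt_buf and ssl_decrypt_buf both begin outside these hunks.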
@@ -1749,16 +1750,16 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 ); mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_iv, ssl->in_msglen ); - mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, computed_mac ); + mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec ); MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen, ssl->transform_in->maclen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac, + MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen ); - if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, computed_mac, - ssl->transform_in->maclen ) != 0 ) + if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect, + ssl->transform_in->maclen ) != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); @@ -1918,15 +1919,13 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) #if defined(SSL_SOME_MODES_USE_MAC) if( auth_done == 0 ) { - unsigned char tmp[SSL_MAX_MAC_SIZE]; + unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; ssl->in_msglen -= ssl->transform_in->maclen; ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 ); ssl->in_len[1] = (unsigned char)( ssl->in_msglen ); - memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->transform_in->maclen ); - #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { 
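Review bot: In the hunk at -1918 `mac_expect` is declared, but the SSL 3.0 branch that opens at the end of the hunk is not shown writing into it; if `ssl_mac()` still emits its digest to `ssl->in_msg + ssl->in_msglen`, as PATCH 121 further down this page reports it did, the later `mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect, ... )` compares the computed MAC against an uninitialised buffer on that path. The SSLv3 call needs `mac_expect` as its destination, which means giving `ssl_mac()` an explicit output parameter instead of writing past the message. The subtraction `ssl->in_msglen -= ssl->transform_in->maclen` also presumes an earlier check that `in_msglen >= maclen`, which is outside the hunk. ssl_decrypt_buf starts outside these hunks.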
@@ -1965,8 +1964,7 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_len, 2 ); mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, ssl->in_msg, ssl->in_msglen ); - mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, - ssl->in_msg + ssl->in_msglen ); + mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect ); /* Call mbedtls_md_process at least once due to cache attacks */ for( j = 0; j < extra_run + 1; j++ ) mbedtls_md_process( &ssl->transform_in->md_ctx_dec, ssl->in_msg ); @@ -1981,12 +1979,12 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp, ssl->transform_in->maclen ); - MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl->in_msg + ssl->in_msglen, - ssl->transform_in->maclen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen ); + MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_msg + ssl->in_msglen, + ssl->transform_in->maclen ); - if( mbedtls_ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, - ssl->transform_in->maclen ) != 0 ) + if( mbedtls_ssl_safer_memcmp( ssl->in_msg + ssl->in_msglen, mac_expect, + ssl->transform_in->maclen ) != 0 ) { #if defined(MBEDTLS_SSL_DEBUG_ALL) MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 64f26a0cf..bbf117272 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -829,40 +829,40 @@ run_test "Truncated HMAC: client default, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ 0 \ - -s "dumping 'computed mac' (20 bytes)" \ - -S "dumping 'computed mac' (10 bytes)" + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ trunc_hmac=0" \ 0 \ - -s "dumping 'computed mac' (20 bytes)" \ - -S "dumping 'computed mac' (10 bytes)" + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ trunc_hmac=1" \ 0 \ - -s "dumping 'computed mac' (20 bytes)" \ - -S "dumping 'computed mac' (10 bytes)" + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ trunc_hmac=1" \ 0 \ - -s "dumping 'computed mac' (20 bytes)" \ - -S "dumping 'computed mac' (10 bytes)" + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ trunc_hmac=1" \ 0 \ - -S "dumping 'computed mac' (20 bytes)" \ - -s "dumping 'computed mac' (10 bytes)" + -S "dumping 'expected mac' (20 bytes)" \ + -s "dumping 'expected mac' (10 bytes)" # Tests for Encrypt-then-MAC extension From 7dc832bb531d9a7026b5c4a745f4ffbd5878e18d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 Nov 2017 17:39:34 +0000 Subject: [PATCH 117/177] Adapt ChangeLog --- ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/ChangeLog b/ChangeLog index ded60d39f..ee85a9ba3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,14 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Security + * Fix heap corruption in implementation of truncated HMAC extension. + When the truncated HMAC extension is enabled and CBC is used, + sending a malicious application packet can be used to selectively + corrupt 6 bytes on the peer's heap, potentially leading to crash or + remote code execution. This can be triggered remotely from either + side in both TLS and DTLS. + Features * Allow comments in test data files. From dab611a7b181ebc1f80c731b5f86895b1ece1cfe Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 23 Nov 2017 18:53:55 +0100 Subject: [PATCH 118/177] ChangeLog entry for ssl_parse_client_psk_identity fix --- ChangeLog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog b/ChangeLog index 84a05d003..113570810 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Security + * Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding + 64kB to the address of the SSL buffer wraps around. + = mbed TLS 2.5.1 released xxxx-xx-xx Security From d4755deafac99abe708edb1ba13bcac0bbc4f007 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 28 Nov 2017 13:31:12 +0100 Subject: [PATCH 119/177] add changelog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 84a05d003..9cb4430a0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ Security detect it sometimes. Reported by Hugo Leisink. #810 * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. + * Tighten should-be-constant-time memcmp against compiler optimizations. Bugfix * Remove size zero arrays from ECJPAKE test suite. Size zero arrays are not 
From 25d6d1a1df3c9ddc077ae62468e4fc5ae06a607d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Dec 2017 08:22:51 +0000 Subject: [PATCH 120/177] Correct record header size in case of TLS The previous commit reduced the internal header size to 5 bytes in case of TLS. This is not valid since in that situation Mbed TLS internally uses the first 8 bytes of the message buffer for the implicit record sequence number. --- include/mbedtls/ssl_internal.h | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 3ce494565..476409547 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -158,14 +158,10 @@ #error Bad configuration - protected record payload too large. #endif -#if !defined(MBEDTLS_SSL_PROTO_DTLS) -/* https://tools.ietf.org/html/rfc5246#section-6.2 */ -#define MBEDTLS_SSL_HEADER_LEN 5 -#else -/* https://tools.ietf.org/html/rfc6347#section-4.1 */ -/* 8 additional bytes for epoch and sequence number */ +/* Note: Even though the TLS record header is only 5 bytes + long, we're internally using 8 bytes to store the + implicit sequence number. */ #define MBEDTLS_SSL_HEADER_LEN 13 -#endif #define MBEDTLS_SSL_BUFFER_LEN \ ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_PAYLOAD_LEN ) ) From 464147cadc694379b7717afb7b517fe05cdb323f Mon Sep 17 00:00:00 2001 
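Review bot: The new comment above `#define MBEDTLS_SSL_HEADER_LEN 13` explains the TLS case but drops the RFC 5246 section 6.2 and RFC 6347 section 4.1 references that the removed branches carried, and it no longer states that 13 is also the on-the-wire DTLS header length (5 bytes plus 8 bytes of epoch and sequence number). Suggest `/* TLS: 5-byte header (RFC 5246 6.2) plus 8 bytes we use internally for the implicit sequence number. DTLS: 13-byte header (RFC 6347 4.1). */` so a reader does not take the constant to be TLS-specific.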
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 18 Dec 2017 18:04:59 +0100 Subject: [PATCH 121/177] Fix SSLv3 MAC computation In a previous PR (Fix heap corruption in implementation of truncated HMAC extension #425) the place where MAC is computed was changed from the end of the SSL I/O buffer to a local buffer (then (part of) the content of the local buffer is either copied to the output buffer or compared to the input buffer). Unfortunately, this change was made only for TLS 1.0 and later, leaving SSL 3.0 in an inconsistent state due to ssl_mac() still writing to the old, hard-coded location, which, for MAC verification, resulted in later comparing the end of the input buffer (containing the computed MAC) to the local buffer (uninitialised), most likely resulting in MAC verification failure, hence no interop (even with ourselves). This commit completes the move to using a local buffer by using this strategy for SSL 3.0 too. Fortunately ssl_mac() was static so it's not a problem to change its signature. --- library/ssl_tls.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a8aa1c04f..b977cfbee 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1203,9 +1203,11 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch /* * SSLv3.0 MAC functions */ -static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, - unsigned char *buf, size_t len, - unsigned char *ctr, int type ) +static void ssl_mac( mbedtls_md_context_t *md_ctx, + const unsigned char *secret, + const unsigned char *buf, size_t len, + const unsigned char *ctr, int type, + unsigned char out[20] ) { unsigned char header[11]; unsigned char padding[48]; 
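Review bot: The new `ssl_mac()` signature declares its output as `unsigned char out[20]`, but an array parameter decays to a pointer, so the 20 is documentation only and nothing relates it to the `md_size` bytes that `mbedtls_md_finish( md_ctx, out )` writes in the -1230 hunk on the next line. A named constant with a comment on the digests it covers, shared with the `mac[20]` local in the -1282 hunk, would keep the two declarations in step; the follow-up PATCH 122 on this page introduces such a constant. `md_size` is computed outside the hunk, so whether it is bounded by 20 for every MAC the SSL 3.0 path can negotiate cannot be confirmed here — a comment stating that bound at the definition would help.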
@@ -1230,14 +1232,14 @@ static void ssl_mac( mbedtls_md_context_t *md_ctx, unsigned char *secret, mbedtls_md_update( md_ctx, padding, padlen ); mbedtls_md_update( md_ctx, header, 11 ); mbedtls_md_update( md_ctx, buf, len ); - mbedtls_md_finish( md_ctx, buf + len ); + mbedtls_md_finish( md_ctx, out ); memset( padding, 0x5C, padlen ); mbedtls_md_starts( md_ctx ); mbedtls_md_update( md_ctx, secret, md_size ); mbedtls_md_update( md_ctx, padding, padlen ); - mbedtls_md_update( md_ctx, buf + len, md_size ); - mbedtls_md_finish( md_ctx, buf + len ); + mbedtls_md_update( md_ctx, out, md_size ); + mbedtls_md_finish( md_ctx, out ); } #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -1282,10 +1284,15 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { + unsigned char mac[20]; /* SHA-1 at most */ + ssl_mac( &ssl->transform_out->md_ctx_enc, ssl->transform_out->mac_enc, ssl->out_msg, ssl->out_msglen, - ssl->out_ctr, ssl->out_msgtype ); + ssl->out_ctr, ssl->out_msgtype, + mac ); + + memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen ); } else #endif @@ -1932,7 +1939,8 @@ static int ssl_decrypt_buf( mbedtls_ssl_context *ssl ) ssl_mac( &ssl->transform_in->md_ctx_dec, ssl->transform_in->mac_dec, ssl->in_msg, ssl->in_msglen, - ssl->in_ctr, ssl->in_msgtype ); + ssl->in_ctr, ssl->in_msgtype, + mac_expect ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 */ From b053efb2954a954415369b42a9249282ec401876 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 19 Dec 2017 10:03:46 +0100 Subject: [PATCH 122/177] Fix magic constant in previous commit --- library/ssl_tls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index b977cfbee..d8df51353 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -1203,11 +1203,12 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch /* * SSLv3.0 MAC functions */ +#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */ static void ssl_mac( mbedtls_md_context_t *md_ctx, const unsigned char *secret, const unsigned char *buf, size_t len, const unsigned char *ctr, int type, - unsigned char out[20] ) + unsigned char out[SSL_MAC_MAX_BYTES] ) { unsigned char header[11]; unsigned char padding[48]; @@ -1284,7 +1285,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { - unsigned char mac[20]; /* SHA-1 at most */ + unsigned char mac[SSL_MAC_MAX_BYTES]; ssl_mac( &ssl->transform_out->md_ctx_enc, ssl->transform_out->mac_enc, From a268da9478f3bfc316aeb83a7443048b9ab41d07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 20 Dec 2017 12:52:49 +0100 Subject: [PATCH 123/177] Fix undefined function in platform.c The bug was introduced in 79a2e7ef069d6 and is not present in the default configuration, which let it go unnoticed so far. --- library/platform.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/library/platform.c b/library/platform.c index b882b659d..76df7fac1 100644 --- a/library/platform.c +++ b/library/platform.c @@ -29,6 +29,14 @@ #include "mbedtls/platform.h" +#if defined(MBEDTLS_ENTROPY_NV_SEED) && \ + !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS) && defined(MBEDTLS_FS_IO) +/* Implementation that should never be optimized out by the compiler */ +static void mbedtls_zeroize( void *v, size_t n ) { + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; +} +#endif + #if defined(MBEDTLS_PLATFORM_MEMORY) #if !defined(MBEDTLS_PLATFORM_STD_CALLOC) static void *platform_calloc_uninit( size_t n, size_t size ) From ba8316f79010a3dcf22c04671b3d7bf10ac243e8 Mon Sep 17 00:00:00 2001 
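Review bot: `SSL_MAC_MAX_BYTES` now names the limit, but ssl_mac itself still has no guard that the digest fits: a context set up with a digest longer than 20 bytes would write past `out`, and the array-parameter syntax `out[SSL_MAC_MAX_BYTES]` is documentation only, not a compiler check. Since ssl_mac is static and returns void, the minimum is a comment at the definition stating the invariant, e.g. `/* Only MD5 or SHA-1 contexts may be passed: out[] holds SSL_MAC_MAX_BYTES */`; a debug-build check that `md_size <= SSL_MAC_MAX_BYTES` would be stronger if the file has such a facility. The body of ssl_mac continues outside the hunk.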
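Review bot: The cast `(unsigned char*)v` in the new platform.c `mbedtls_zeroize` is unnecessary in C, where `void *` converts implicitly, and it makes this copy differ from the same helper in dhm.c (`volatile unsigned char *p = v;`), so the duplicated helpers are harder to diff and keep in sync; `volatile unsigned char *p = v;` keeps them identical. The three-clause `#if` guard has to match the condition under which the function is called further down platform.c (presumably the file-backed NV seed code, which is outside the hunk); a short comment naming that dependency, e.g. `/* only needed by the NV-seed file I/O below; keep the guard in sync with it */`, would stop the two conditions drifting apart. Splitting the one-line body onto separate lines would also match the surrounding file's brace style.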
From: Micha Kraus Date: Sat, 23 Dec 2017 23:40:08 +0100 Subject: [PATCH 124/177] fix bug in get_one_and_zeros_padding() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit add test case (“0000000082”) which fails with the old implementation. --- library/cipher.c | 6 +++--- tests/suites/test_suite_cipher.padding.data | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index e9e0b223e..ff0327380 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -516,14 +516,14 @@ static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, if( NULL == input || NULL == data_len ) return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA ); - bad = 0xFF; + bad = 0x80; *data_len = 0; for( i = input_len; i > 0; i-- ) { prev_done = done; - done |= ( input[i-1] != 0 ); + done |= ( input[i - 1] != 0 ); *data_len |= ( i - 1 ) * ( done != prev_done ); - bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done ); + bad ^= input[i - 1] * ( done != prev_done ); } return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) ); diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data index d6fc26672..1c0ba0980 100644 --- a/tests/suites/test_suite_cipher.padding.data +++ b/tests/suites/test_suite_cipher.padding.data @@ -184,6 +184,10 @@ Check one and zeros padding #7 (overlong) depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000000":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4 +Check one and zeros padding #8 (last byte 0x80 | x) +depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000082":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4 + Check zeros and len padding #1 (correct) depends_on:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN check_padding:MBEDTLS_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4 From 1f35ca9471617a1478c8fa0e2486a70925580c40 Mon Sep 17 00:00:00 2001 
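Review bot: The new `bad` computation is correct but non-obvious and the hunk leaves it uncommented: `bad` starts at 0x80 and is XORed with exactly one byte, the last non-zero one (the only iteration where `done != prev_done`), so it ends at zero iff that byte is exactly 0x80, while every other iteration multiplies by 0 so the loop stays free of data-dependent branches. A comment above `bad = 0x80;` would spare the next reader the derivation: `/* bad == 0 at loop end iff the last non-zero byte is exactly 0x80; multiplying by (done != prev_done) keeps the check branch-free */`. The declarations of `bad` and `done` are outside the hunk; if `bad` is `unsigned char` the `^=` result truncates back correctly, and if it is wider the `bad != 0` test still works. The enclosing function starts outside the hunk.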
From: Reuven Levin Date: Thu, 7 Dec 2017 10:09:32 +0000 Subject: [PATCH 125/177] Added alternated Diffie-Hellman module. 1. Add modified files dhm.c and dhm.h --- include/mbedtls/dhm.h | 11 +++++++++++ library/dhm.c | 5 ++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d7ab1522e..6fd74731b 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -23,7 +23,15 @@ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H +#if !defined(MBEDTLS_CONFIG_FILE) +#include "config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif #include "bignum.h" +#if !defined(MBEDTLS_DHM_ALT) + + /* * DHM Error codes @@ -290,6 +298,9 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ +#else +#include "dhm_alt.h" +#endif /* MBEDTLS_DHM_ALT */ /** * \brief Checkup routine diff --git a/library/dhm.c b/library/dhm.c index bec52a11d..6f8f021e5 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -57,6 +57,9 @@ #define mbedtls_free free #endif +#if !defined(MBEDTLS_DHM_ALT) + + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; @@ -577,7 +580,7 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ - +#endif/*MBEDTLS_DHM_ALT*/ #if defined(MBEDTLS_SELF_TEST) static const char mbedtls_test_dhm_params[] = From 49762fa21fe4848d78439e812e1b8e8ba6998463 Mon Sep 17 00:00:00 2001 
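Review bot: The `#if !defined(MBEDTLS_DHM_ALT)` in the dhm.h hunk opens right before the `DHM Error codes` comment, so the `MBEDTLS_ERR_DHM_*` definitions are compiled out whenever the alternative implementation is selected; any caller that matches on those codes then depends on dhm_alt.h redefining every one of them with identical values, which the hunk cannot show. Placing the guard after the error-code block, so that only the context and function declarations are swapped out, removes that coupling and keeps the public error contract in one place. The same pattern appears in the dhm.c hunk, where the guard also encloses the file-local `mbedtls_zeroize`; whether the self-test code after `#endif` needs it is outside the hunk.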
From: nirekh01 Date: Mon, 25 Dec 2017 06:46:48 +0000 Subject: [PATCH 126/177] Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h Add 'MBEDTLS_DHM_ALT' #DEFINE to library/config.h to support alternate DHM --- include/mbedtls/config.h | 2 ++ library/dhm.c | 3 ++- library/version_features.c | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 69e997f85..f8594b841 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -275,6 +275,8 @@ //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT +//#define MBEDTLS_DHM_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is * implemented with two .c files: diff --git a/library/dhm.c b/library/dhm.c index 6f8f021e5..882b30674 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -580,7 +580,8 @@ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ) } #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ -#endif/*MBEDTLS_DHM_ALT*/ +#endif /* MBEDTLS_DHM_ALT */ + #if defined(MBEDTLS_SELF_TEST) static const char mbedtls_test_dhm_params[] = diff --git a/library/version_features.c b/library/version_features.c index 5cbe8aca3..000246edc 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -123,6 +123,9 @@ static const char *features[] = { #if defined(MBEDTLS_SHA512_ALT) "MBEDTLS_SHA512_ALT", #endif /* MBEDTLS_SHA512_ALT */ +#if defined(MBEDTLS_DHM_ALT) + "MBEDTLS_DHM_ALT", +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_ECP_ALT) "MBEDTLS_ECP_ALT", #endif /* MBEDTLS_ECP_ALT */ From 08ba530bffe976ef5dd2de6c51326bc9ea762b2b Mon Sep 17 00:00:00 2001 From: nirekh01 Date: Thu, 28 Dec 2017 16:21:38 +0000 Subject: [PATCH 127/177] Remove some extra lines Remove some extra lines as was requested in code review --- include/mbedtls/dhm.h | 2 -- library/dhm.c | 2 -- 2 files changed, 4 deletions(-) 
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 6fd74731b..40916c661 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -31,8 +31,6 @@ #include "bignum.h" #if !defined(MBEDTLS_DHM_ALT) - - /* * DHM Error codes */ diff --git a/library/dhm.c b/library/dhm.c index 882b30674..cff095875 100644 --- a/library/dhm.c +++ b/library/dhm.c @@ -58,8 +58,6 @@ #endif #if !defined(MBEDTLS_DHM_ALT) - - /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; From 239987fd31255e2f8dc0fb03541d311deae6ee51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 9 Jan 2018 10:43:43 +0100 Subject: [PATCH 128/177] Fix heap-buffer overread in ALPN ext parsing --- ChangeLog | 3 +++ library/ssl_srv.c | 42 +++++++++++++++++++++++++----------------- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3f5e56f9d..ef5abb8bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,9 @@ Security corrupt 6 bytes on the peer's heap, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. + * Fix a potential heap buffer overread in ALPN extension parsing + (server-side). Could result in application crash, but only if an ALPN + name larger than 16 bytes had been configured on the server. Features * Allow comments in test data files. diff --git a/library/ssl_srv.c b/library/ssl_srv.c index de3ea80e3..85c3c30ca 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -603,33 +603,41 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl, } /* - * Use our order of preference + * Validate peer's list (lengths) */ start = buf + 2; end = buf + len; + for( theirs = start; theirs != end; theirs += cur_len ) + { + cur_len = *theirs++; + + /* Current identifier must fit in list */ + if( cur_len > (size_t)( end - theirs ) ) + { + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + /* Empty strings MUST NOT be included */ + if( cur_len == 0 ) + { + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + } + + /* + * Use our order of preference + */ for( ours = ssl->conf->alpn_list; *ours != NULL; ours++ ) { ours_len = strlen( *ours ); for( theirs = start; theirs != end; theirs += cur_len ) { - /* If the list is well formed, we should get equality first */ - if( theirs > end ) - { - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - cur_len = *theirs++; - /* Empty strings MUST NOT be included */ - if( cur_len == 0 ) - { - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - if( cur_len == ours_len && memcmp( theirs, *ours, cur_len ) == 0 ) { From d569ecfc2c7531159548d96c2d964744c2940b91 Mon Sep 17 00:00:00 2001 From: nirekh01 Date: Tue, 9 Jan 2018 16:43:21 +0000 Subject: [PATCH 129/177] Add some corrections based on code review -Add the DHM_ALT in an alphabetical order -Close correctly the 'extern "C" { ...' --- include/mbedtls/config.h | 3 ++- include/mbedtls/dhm.h | 11 ++++++++++- library/version_features.c | 6 +++--- 3 files changed, 15 insertions(+), 5 deletions(-) 
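Review bot: The preference loop kept at the bottom of the hunk still advances with `theirs += cur_len` and terminates on `theirs != end`, which is now safe only because the validation loop above it has already rejected any `cur_len` larger than `end - theirs`; that dependency should be recorded where the old in-loop bounds check was removed, e.g. `/* Lengths were validated above, so theirs never overshoots end */`. The check that `len` itself covers the two-byte list length and agrees with it is presumably the code just before the hunk, which is outside it. Sending DECODE_ERROR for a length that overruns the list and ILLEGAL_PARAMETER for an empty name is a sensible split and worth keeping consistent with the other ClientHello extension parsers in this file.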
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f8594b841..2aa4686d9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -267,6 +267,7 @@ //#define MBEDTLS_BLOWFISH_ALT //#define MBEDTLS_CAMELLIA_ALT //#define MBEDTLS_DES_ALT +//#define MBEDTLS_DHM_ALT //#define MBEDTLS_XTEA_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT @@ -275,7 +276,7 @@ //#define MBEDTLS_SHA1_ALT //#define MBEDTLS_SHA256_ALT //#define MBEDTLS_SHA512_ALT -//#define MBEDTLS_DHM_ALT + /* * When replacing the elliptic curve module, pleace consider, that it is diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 40916c661..f9725ab09 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -296,10 +296,19 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ #endif /* MBEDTLS_ASN1_PARSE_C */ -#else + +#ifdef __cplusplus +} +#endif + +#else /* MBEDTLS_DHM_ALT */ #include "dhm_alt.h" #endif /* MBEDTLS_DHM_ALT */ +#ifdef __cplusplus +extern "C" { +#endif + /** * \brief Checkup routine * diff --git a/library/version_features.c b/library/version_features.c index 000246edc..48bd42bcd 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -99,6 +99,9 @@ static const char *features[] = { #if defined(MBEDTLS_DES_ALT) "MBEDTLS_DES_ALT", #endif /* MBEDTLS_DES_ALT */ +#if defined(MBEDTLS_DHM_ALT) + "MBEDTLS_DHM_ALT", +#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_XTEA_ALT) "MBEDTLS_XTEA_ALT", #endif /* MBEDTLS_XTEA_ALT */ @@ -123,9 +126,6 @@ static const char *features[] = { #if defined(MBEDTLS_SHA512_ALT) "MBEDTLS_SHA512_ALT", #endif /* MBEDTLS_SHA512_ALT */ -#if defined(MBEDTLS_DHM_ALT) - "MBEDTLS_DHM_ALT", -#endif /* MBEDTLS_DHM_ALT */ #if defined(MBEDTLS_ECP_ALT) "MBEDTLS_ECP_ALT", #endif /* MBEDTLS_ECP_ALT */ From 91d49e8b6a8b361a9062df1d2208c547ffbdd215 Mon Sep 17 00:00:00 2001 
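Review bot: With the `extern "C"` block closed before `#include "dhm_alt.h"` and reopened after `#endif /* MBEDTLS_DHM_ALT */`, the alternative header is now included outside any C-linkage block, so a C++ consumer gets C++ linkage for whatever dhm_alt.h declares unless that header carries its own guards. A comment at the include would state that contract: `/* dhm_alt.h must provide its own extern "C" guards */`. This applies to the dhm.h section; the config.h and version_features.c hunks are pure reordering.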
From: Jaeden Amero Date: Thu, 11 Jan 2018 16:35:44 +0000 Subject: [PATCH 130/177] ChangeLog: Use Steven Cooreman's correct name --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 63ec7c804..916ec663e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,7 +46,7 @@ Features * New unit tests for timing. Improve the self-test to be more robust when run on a heavily-loaded machine. * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, - MBEDTLS_CMAC_ALT). Submitted by Steve Cooreman, Silicon Labs. + MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs. * Add support for alternative implementations of GCM, selected by the configuration flag MBEDTLS_GCM_ALT. * Add support for alternative implementations for ECDSA, controlled by new From a0188d673046107df8c46e343c99dc4fc7ed4e44 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Fri, 19 Jan 2018 16:21:11 +0100 Subject: [PATCH 131/177] Have doxygen run in the doxygen directory When the Doxywizzard GUI is used and the doxyfile is loaded, the workind directory for doxygen is set to the location of the doxyfile. However the Make and CMake build systems expect doxygen to be ran from the top level directory. This commit unifies the build system and the Doxywizzard GUI so that all of them expect doxygen to be executed in the doxygen directory. --- CMakeLists.txt | 4 ++-- Makefile | 2 +- doxygen/mbedtls.doxyfile | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 3e47224ea..ca4cba216 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -126,8 +126,8 @@ if(ENABLE_PROGRAMS) endif() ADD_CUSTOM_TARGET(apidoc - COMMAND doxygen doxygen/mbedtls.doxyfile - WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}) + COMMAND doxygen mbedtls.doxyfile + WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen) if(ENABLE_TESTING) enable_testing() diff --git a/Makefile b/Makefile index d475868a7..c1f60511f 100644 
--- a/Makefile +++ b/Makefile @@ -103,7 +103,7 @@ lcov: apidoc: mkdir -p apidoc - doxygen doxygen/mbedtls.doxyfile + cd doxygen; doxygen mbedtls.doxyfile apidoc_clean: rm -rf apidoc diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 5df1c932d..0e148af3e 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -54,7 +54,7 @@ PROJECT_LOGO = # If a relative path is entered, it will be relative to the location # where doxygen was started. If left blank the current directory will be used. -OUTPUT_DIRECTORY = apidoc/ +OUTPUT_DIRECTORY = ../apidoc/ # If the CREATE_SUBDIRS tag is set to YES, then doxygen will create # 4096 sub-directories (in 2 levels) under the output directory of each output @@ -664,7 +664,7 @@ WARN_LOGFILE = # directories like "/usr/src/myproject". Separate the files or directories # with spaces. -INPUT = . +INPUT = .. # This tag can be used to specify the character encoding of the source files # that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is From 0d225daf7d19249e7aab0eada2baefa73c8e04f2 Mon Sep 17 00:00:00 2001 
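Review bot: `cd doxygen; doxygen mbedtls.doxyfile` keeps running in the top-level directory when the `cd` fails, because `;` does not stop the recipe on error, so the failure surfaces only as doxygen complaining about a missing configuration file rather than as the real cause. Use `cd doxygen && doxygen mbedtls.doxyfile` so the recipe aborts on a failed `cd`; that also matches the CMake target in the same commit, which sets WORKING_DIRECTORY explicitly instead of relying on the shell.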
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 22 Jan 2018 10:22:09 +0100 Subject: [PATCH 132/177] Increase waiting times compat.sh and ssl-opt.sh - Some of the CI machines don't have lsof installed yet, so rely on an sleeping an arbitrary number of seconds while the server starts. We're seeing occasional failures with the current delay because the CI machines are highly loaded, which seems to indicate the current delay is not quite enough, but hopefully not to far either, so double it. - While at it, also double the watchdog delay: while I don't remember seeing much failures due to client timeout, this change doesn't impact normal running time of the script, so better err on the safe side. These changes don't affect the test and should only affect the false positive rate coming from the test framework in those scripts. --- tests/compat.sh | 2 +- tests/ssl-opt.sh | 24 +++++++++++++++++++----- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/tests/compat.sh b/tests/compat.sh index 958d61854..ac1a175e1 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -888,7 +888,7 @@ if type lsof >/dev/null 2>/dev/null; then } else wait_server_start() { - sleep 1 + sleep 2 } fi diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fa785a4f1..d4e82aec9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -656,14 +656,28 @@ fi # used by watchdog MAIN_PID="$$" -# be more patient with valgrind +# We use somewhat arbitrary delays for tests: +# - how long do we wait for the server to start (when lsof not available)? +# - how long do we allow for the client to finish? +# (not to check performance, just to avoid waiting indefinitely) +# Things are slower with valgrind, so give extra time here. +# +# Note: without lsof, there is a trade-off between the running time of this +# script and the risk of spurious errors because we didn't wait long enough. +# The watchdog delay on the other hand doesn't affect normal running time of +# the script, only the case where a client or server gets stuck. if [ "$MEMCHECK" -gt 0 ]; then - START_DELAY=3 - DOG_DELAY=30 + START_DELAY=6 + DOG_DELAY=60 else - START_DELAY=1 - DOG_DELAY=10 + START_DELAY=2 + DOG_DELAY=20 fi + +# some particular tests need more time: +# - for the client, we multiply the usual watchdog limit by a factor +# - for the server, we sleep for a number of seconds after the client exits +# see client_need_more_time() and server_needs_more_time() CLI_DELAY_FACTOR=1 SRV_DELAY_SECONDS=0 From 3c9e2b5004cf288af6c7a5f0b6223bd8c31e1ab6 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 8 Jan 2018 12:38:15 +0100 Subject: [PATCH 133/177] wait_server_start: warn if lsof is not available If lsof is not available, wait_server_start uses a fixed timeout, which can trigger a race condition if the timeout turns out to be too short. Emit a warning so that we know this is going on from the test logs. --- tests/compat.sh | 1 + tests/ssl-opt.sh | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/compat.sh b/tests/compat.sh index ac1a175e1..672bdab78 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -887,6 +887,7 @@ if type lsof >/dev/null 2>/dev/null; then done } else + echo "Warning: lsof not available, wait_server_start = sleep" wait_server_start() { sleep 2 } 
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d4e82aec9..f13c38f68 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -308,6 +308,7 @@ if type lsof >/dev/null 2>/dev/null; then done } else + echo "Warning: lsof not available, wait_server_start = sleep $START_DELAY" wait_server_start() { sleep "$START_DELAY" } From 15932e0cbfd25ba044f0d38b24801829de7c1884 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 11:43:45 +0100 Subject: [PATCH 134/177] Fix typo in deprecation statement --- include/mbedtls/md2.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 2a14b1002..23145de46 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -220,7 +220,7 @@ int mbedtls_md2_ext( const unsigned char *input, /** * \brief Output = MD2( input buffer ) * - * \deprecated Superseded by mbedtls_md2() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_ext() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data From 9e4f77c6068a633b18f439d8e06670826c54a1d5 Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Mon, 22 Jan 2018 11:48:08 +0100 Subject: [PATCH 135/177] New MD API: rename functions from _ext to _ret The _ext suffix suggests "new arguments", but the new functions have the same arguments. Use _ret instead, to convey that the difference is that the new functions return a value. --- include/mbedtls/md2.h | 24 ++-- include/mbedtls/md4.h | 24 ++-- include/mbedtls/md5.h | 24 ++-- include/mbedtls/ripemd160.h | 24 ++-- include/mbedtls/sha1.h | 24 ++-- include/mbedtls/sha256.h | 24 ++-- include/mbedtls/sha512.h | 24 ++-- library/entropy.c | 32 ++--- library/md2.c | 16 +-- library/md4.c | 20 ++-- library/md5.c | 20 ++-- library/md_wrap.c | 64 +++++----- library/pem.c | 18 +-- library/ripemd160.c | 20 ++-- library/rsa.c | 2 +- library/sha1.c | 26 ++-- library/sha256.c | 26 ++-- library/sha512.c | 26 ++-- library/ssl_tls.c | 166 +++++++++++++------------- library/x509write_crt.c | 4 +- programs/hash/hello.c | 2 +- programs/pkey/dh_client.c | 4 +- programs/pkey/dh_server.c | 4 +- programs/pkey/ecdsa.c | 4 +- programs/test/benchmark.c | 12 +- tests/suites/test_suite_mdx.function | 8 +- tests/suites/test_suite_shax.function | 10 +- 27 files changed, 326 insertions(+), 326 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 23145de46..0df6b36f4 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -86,7 +86,7 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst, * * \return 0 if successful */ -int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ); +int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx ); /** * \brief MD2 process buffer @@ -97,7 +97,7 @@ int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ); * * \return 0 if successful */ -int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, +int mbedtls_md2_update_ret( mbedtls_md2_context *ctx, const unsigned char *input, size_t ilen ); 
@@ -109,7 +109,7 @@ int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, * * \return 0 if successful */ -int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, +int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx, unsigned char output[16] ); /** @@ -130,20 +130,20 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ); /** * \brief MD2 context setup * - * \deprecated Superseded by mbedtls_md2_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_starts_ret() in 2.5.0 * * \param ctx context to be initialized */ MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts( mbedtls_md2_context *ctx ) { - mbedtls_md2_starts_ext( ctx ); + mbedtls_md2_starts_ret( ctx ); } /** * \brief MD2 process buffer * - * \deprecated Superseded by mbedtls_md2_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_update_ret() in 2.5.0 * * \param ctx MD2 context * \param input buffer holding the data @@ -154,13 +154,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_update( const unsigned char *input, size_t ilen ) { - mbedtls_md2_update_ext( ctx, input, ilen ); + mbedtls_md2_update_ret( ctx, input, ilen ); } /** * \brief MD2 final digest * - * \deprecated Superseded by mbedtls_md2_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_finish_ret() in 2.5.0 * * \param ctx MD2 context * \param output MD2 checksum result @@ -169,7 +169,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish( mbedtls_md2_context *ctx, unsigned char output[16] ) { - mbedtls_md2_finish_ext( ctx, output ); + mbedtls_md2_finish_ret( ctx, output ); } /** @@ -207,7 +207,7 @@ extern "C" { * \param ilen length of the input data * \param output MD2 checksum result */ -int mbedtls_md2_ext( const unsigned char *input, +int mbedtls_md2_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ); 
@@ -220,7 +220,7 @@ int mbedtls_md2_ext( const unsigned char *input, /** * \brief Output = MD2( input buffer ) * - * \deprecated Superseded by mbedtls_md2_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data @@ -230,7 +230,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2( const unsigned char *input, size_t ilen, unsigned char output[16] ) { - mbedtls_md2_ext( input, ilen, output ); + mbedtls_md2_ret( input, ilen, output ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index f5d335d8f..acd09bd61 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -86,7 +86,7 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst, * * \return 0 if successful */ -int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ); +int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx ); /** * \brief MD4 process buffer @@ -97,7 +97,7 @@ int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ); * * \return 0 if successful */ -int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, +int mbedtls_md4_update_ret( mbedtls_md4_context *ctx, const unsigned char *input, size_t ilen ); @@ -109,7 +109,7 @@ int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, * * \return 0 if successful */ -int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, +int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx, unsigned char output[16] ); /** 
@@ -132,20 +132,20 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, /** * \brief MD4 context setup * - * \deprecated Superseded by mbedtls_md4_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_starts_ret() in 2.5.0 * * \param ctx context to be initialized */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( mbedtls_md4_context *ctx ) { - mbedtls_md4_starts_ext( ctx ); + mbedtls_md4_starts_ret( ctx ); } /** * \brief MD4 process buffer * - * \deprecated Superseded by mbedtls_md4_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_update_ret() in 2.5.0 * * \param ctx MD4 context * \param input buffer holding the data @@ -156,13 +156,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( const unsigned char *input, size_t ilen ) { - mbedtls_md4_update_ext( ctx, input, ilen ); + mbedtls_md4_update_ret( ctx, input, ilen ); } /** * \brief MD4 final digest * - * \deprecated Superseded by mbedtls_md4_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_finish_ret() in 2.5.0 * * \param ctx MD4 context * \param output MD4 checksum result @@ -171,7 +171,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( mbedtls_md4_context *ctx, unsigned char output[16] ) { - mbedtls_md4_finish_ext( ctx, output ); + mbedtls_md4_finish_ret( ctx, output ); } /** @@ -213,7 +213,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_md4_ext( const unsigned char *input, +int mbedtls_md4_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ); @@ -226,7 +226,7 @@ int mbedtls_md4_ext( const unsigned char *input, /** * \brief Output = MD4( input buffer ) * - * \deprecated Superseded by mbedtls_md4_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data 
@@ -236,7 +236,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4( const unsigned char *input, size_t ilen, unsigned char output[16] ) { - mbedtls_md4_ext( input, ilen, output ); + mbedtls_md4_ret( input, ilen, output ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 5a7a00a6b..18db8b734 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -81,7 +81,7 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst, * * \return 0 if successful */ -int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ); +int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx ); /** * \brief MD5 process buffer @@ -92,7 +92,7 @@ int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ); * * \return 0 if successful */ -int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, +int mbedtls_md5_update_ret( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen ); @@ -104,7 +104,7 @@ int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, * * \return 0 if successful */ -int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, +int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx, unsigned char output[16] ); /** @@ -127,20 +127,20 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, /** * \brief MD5 context setup * - * \deprecated Superseded by mbedtls_md5_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_starts_ret() in 2.5.0 * * \param ctx context to be initialized */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( mbedtls_md5_context *ctx ) { - mbedtls_md5_starts_ext( ctx ); + mbedtls_md5_starts_ret( ctx ); } /** * \brief MD5 process buffer * - * \deprecated Superseded by mbedtls_md5_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_update_ret() in 2.5.0 * * \param ctx MD5 context * \param input buffer holding the data 
@@ -151,13 +151,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( const unsigned char *input, size_t ilen ) { - mbedtls_md5_update_ext( ctx, input, ilen ); + mbedtls_md5_update_ret( ctx, input, ilen ); } /** * \brief MD5 final digest * - * \deprecated Superseded by mbedtls_md5_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_finish_ret() in 2.5.0 * * \param ctx MD5 context * \param output MD5 checksum result @@ -166,7 +166,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] ) { - mbedtls_md5_finish_ext( ctx, output ); + mbedtls_md5_finish_ret( ctx, output ); } /** @@ -208,7 +208,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_md5_ext( const unsigned char *input, +int mbedtls_md5_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ); @@ -221,7 +221,7 @@ int mbedtls_md5_ext( const unsigned char *input, /** * \brief Output = MD5( input buffer ) * - * \deprecated Superseded by mbedtls_md5_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data @@ -231,7 +231,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] ) { - mbedtls_md5_ext( input, ilen, output ); + mbedtls_md5_ret( input, ilen, output ); } #undef MBEDTLS_DEPRECATED diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 318635988..ea679810e 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -86,7 +86,7 @@ void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst, * * \return 0 if successful */ -int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ); +int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx ); /** * \brief RIPEMD-160 process buffer 
@@ -97,7 +97,7 @@ int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ); * * \return 0 if successful */ -int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, +int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx, const unsigned char *input, size_t ilen ); @@ -109,7 +109,7 @@ int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, * * \return 0 if successful */ -int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, +int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx, unsigned char output[20] ); /** @@ -132,20 +132,20 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, /** * \brief RIPEMD-160 context setup * - * \deprecated Superseded by mbedtls_ripemd160_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_starts_ret() in 2.5.0 * * \param ctx context to be initialized */ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_starts( mbedtls_ripemd160_context *ctx ) { - mbedtls_ripemd160_starts_ext( ctx ); + mbedtls_ripemd160_starts_ret( ctx ); } /** * \brief RIPEMD-160 process buffer * - * \deprecated Superseded by mbedtls_ripemd160_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_update_ret() in 2.5.0 * * \param ctx RIPEMD-160 context * \param input buffer holding the data @@ -156,13 +156,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_update( const unsigned char *input, size_t ilen ) { - mbedtls_ripemd160_update_ext( ctx, input, ilen ); + mbedtls_ripemd160_update_ret( ctx, input, ilen ); } /** * \brief RIPEMD-160 final digest * - * \deprecated Superseded by mbedtls_ripemd160_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_finish_ret() in 2.5.0 * * \param ctx RIPEMD-160 context * \param output RIPEMD-160 checksum result 
@@ -171,7 +171,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_finish( mbedtls_ripemd160_context *ctx, unsigned char output[20] ) { - mbedtls_ripemd160_finish_ext( ctx, output ); + mbedtls_ripemd160_finish_ret( ctx, output ); } /**
@@ -213,7 +213,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_ripemd160_ext( const unsigned char *input, +int mbedtls_ripemd160_ret( const unsigned char *input, size_t ilen, unsigned char output[20] );
@@ -226,7 +226,7 @@ int mbedtls_ripemd160_ext( const unsigned char *input, /** * \brief Output = RIPEMD-160( input buffer ) * - * \deprecated Superseded by mbedtls_ripemd160_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data
@@ -237,7 +237,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160( size_t ilen, unsigned char output[20] ) { - mbedtls_ripemd160_ext( input, ilen, output ); + mbedtls_ripemd160_ret( input, ilen, output ); } #undef MBEDTLS_DEPRECATED
diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h
index e18e6ac99..57bfea4e6 100644
--- a/include/mbedtls/sha1.h
+++ b/include/mbedtls/sha1.h
@@ -86,7 +86,7 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, * * \return 0 if successful */ -int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ); +int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ); /** * \brief SHA-1 process buffer
@@ -97,7 +97,7 @@ int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx ); * * \return 0 if successful */ -int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, +int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen );
@@ -109,7 +109,7 @@ int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx, * * \return 0 if successful */ -int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx, +int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, unsigned char output[20] ); /**
@@ -132,20 +132,20 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, /** * \brief SHA-1 context setup * - * \deprecated Superseded by mbedtls_sha1_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.5.0 * * \param ctx context to be initialized */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) { - mbedtls_sha1_starts_ext( ctx ); + mbedtls_sha1_starts_ret( ctx ); } /** * \brief SHA-1 process buffer * - * \deprecated Superseded by mbedtls_sha1_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_update_ret() in 2.5.0 * * \param ctx SHA-1 context * \param input buffer holding the data
@@ -156,13 +156,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( const unsigned char *input, size_t ilen ) { - mbedtls_sha1_update_ext( ctx, input, ilen ); + mbedtls_sha1_update_ret( ctx, input, ilen ); } /** * \brief SHA-1 final digest * - * \deprecated Superseded by mbedtls_sha1_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_finish_ret() in 2.5.0 * * \param ctx SHA-1 context * \param output SHA-1 checksum result
@@ -171,7 +171,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] ) { - mbedtls_sha1_finish_ext( ctx, output ); + mbedtls_sha1_finish_ret( ctx, output ); } /**
@@ -213,7 +213,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_sha1_ext( const unsigned char *input, +int mbedtls_sha1_ret( const unsigned char *input, size_t ilen, unsigned char output[20] );
@@ -226,7 +226,7 @@ int mbedtls_sha1_ext( const unsigned char *input, /** * \brief Output = SHA-1( input buffer ) * - * \deprecated Superseded by mbedtls_sha1_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data
@@ -236,7 +236,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] ) { - mbedtls_sha1_ext( input, ilen, output ); + mbedtls_sha1_ret( input, ilen, output ); } #undef MBEDTLS_DEPRECATED
diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h
index 5fce7ee93..be5ef794f 100644
--- a/include/mbedtls/sha256.h
+++ b/include/mbedtls/sha256.h
@@ -88,7 +88,7 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst, * * \return 0 if successful */ -int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 ); +int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ); /** * \brief SHA-256 process buffer
@@ -99,7 +99,7 @@ int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 ); * * \return 0 if successful */ -int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, +int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, const unsigned char *input, size_t ilen );
@@ -111,7 +111,7 @@ int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx, * * \return 0 if successful */ -int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx, +int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, unsigned char output[32] ); /**
@@ -134,7 +134,7 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, /** * \brief SHA-256 context setup * - * \deprecated Superseded by mbedtls_sha256_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.5.0 * * \param ctx context to be initialized * \param is224 0 = use SHA256, 1 = use SHA224
@@ -143,13 +143,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) { - mbedtls_sha256_starts_ext( ctx, is224 ); + mbedtls_sha256_starts_ret( ctx, is224 ); } /** * \brief SHA-256 process buffer * - * \deprecated Superseded by mbedtls_sha256_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_update_ret() in 2.5.0 * * \param ctx SHA-256 context * \param input buffer holding the data
@@ -160,13 +160,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( const unsigned char *input, size_t ilen ) { - mbedtls_sha256_update_ext( ctx, input, ilen ); + mbedtls_sha256_update_ret( ctx, input, ilen ); } /** * \brief SHA-256 final digest * - * \deprecated Superseded by mbedtls_sha256_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.5.0 * * \param ctx SHA-256 context * \param output SHA-224/256 checksum result
@@ -175,7 +175,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] ) { - mbedtls_sha256_finish_ext( ctx, output ); + mbedtls_sha256_finish_ret( ctx, output ); } /**
@@ -218,7 +218,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_sha256_ext( const unsigned char *input, +int mbedtls_sha256_ret( const unsigned char *input, size_t ilen, unsigned char output[32], int is224 );
@@ -232,7 +232,7 @@ int mbedtls_sha256_ext( const unsigned char *input, /** * \brief Output = SHA-256( input buffer ) * - * \deprecated Superseded by mbedtls_sha256_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data
@@ -245,7 +245,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256( unsigned char output[32], int is224 ) { - mbedtls_sha256_ext( input, ilen, output, is224 ); + mbedtls_sha256_ret( input, ilen, output, is224 ); } #undef MBEDTLS_DEPRECATED
diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h
index 7cba3f63c..0fadb4c3b 100644
--- a/include/mbedtls/sha512.h
+++ b/include/mbedtls/sha512.h
@@ -88,7 +88,7 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, * * \return 0 if successful */ -int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 ); +int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 ); /** * \brief SHA-512 process buffer
@@ -99,7 +99,7 @@ int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 ); * * \return 0 if successful */ -int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, +int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx, const unsigned char *input, size_t ilen );
@@ -111,7 +111,7 @@ int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx, * * \return 0 if successful */ -int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx, +int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx, unsigned char output[64] ); /**
@@ -134,7 +134,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, /** * \brief SHA-512 context setup * - * \deprecated Superseded by mbedtls_sha512_starts_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_starts_ret() in 2.5.0 * * \param ctx context to be initialized * \param is384 0 = use SHA512, 1 = use SHA384
@@ -143,13 +143,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) { - mbedtls_sha512_starts_ext( ctx, is384 ); + mbedtls_sha512_starts_ret( ctx, is384 ); } /** * \brief SHA-512 process buffer * - * \deprecated Superseded by mbedtls_sha512_update_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_update_ret() in 2.5.0 * * \param ctx SHA-512 context * \param input buffer holding the data
@@ -160,13 +160,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( const unsigned char *input, size_t ilen ) { - mbedtls_sha512_update_ext( ctx, input, ilen ); + mbedtls_sha512_update_ret( ctx, input, ilen ); } /** * \brief SHA-512 final digest * - * \deprecated Superseded by mbedtls_sha512_finish_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_finish_ret() in 2.5.0 * * \param ctx SHA-512 context * \param output SHA-384/512 checksum result
@@ -175,7 +175,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64] ) { - mbedtls_sha512_finish_ext( ctx, output ); + mbedtls_sha512_finish_ret( ctx, output ); } /**
@@ -218,7 +218,7 @@ extern "C" { * * \return 0 if successful */ -int mbedtls_sha512_ext( const unsigned char *input, +int mbedtls_sha512_ret( const unsigned char *input, size_t ilen, unsigned char output[64], int is384 );
@@ -232,7 +232,7 @@ int mbedtls_sha512_ext( const unsigned char *input, /** * \brief Output = SHA-512( input buffer ) * - * \deprecated Superseded by mbedtls_sha512_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_ret() in 2.5.0 * * \param input buffer holding the data * \param ilen length of the input data
@@ -245,7 +245,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512( unsigned char output[64], int is384 ) { - mbedtls_sha512_ext( input, ilen, output, is384 ); + mbedtls_sha512_ret( input, ilen, output, is384 ); } #undef MBEDTLS_DEPRECATED
diff --git a/library/entropy.c b/library/entropy.c
index 45b2f2b57..20b24ff09 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -193,10 +193,10 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id if( use_len > MBEDTLS_ENTROPY_BLOCK_SIZE ) { #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - if( ( ret = mbedtls_sha512_ext( data, len, tmp, 0 ) ) != 0 ) + if( ( ret = mbedtls_sha512_ret( data, len, tmp, 0 ) ) != 0 ) return( ret ); #else - if( ( ret = mbedtls_sha256_ext( data, len, tmp, 0 ) ) != 0 ) + if( ( ret = mbedtls_sha256_ret( data, len, tmp, 0 ) ) != 0 ) return( ret ); #endif p = tmp;
@@ -213,22 +213,22 @@ static int entropy_update( mbedtls_entropy_context *ctx, unsigned char source_id */ #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) if( ctx->accumulator_started == 0 && - ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 ) return( ret ); else ctx->accumulator_started = 1; - if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) + if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, header, 2 ) ) != 0 ) return( ret ); - return( mbedtls_sha512_update_ext( &ctx->accumulator, p, use_len ) ); + return( mbedtls_sha512_update_ret( &ctx->accumulator, p, use_len ) ); #else if( ctx->accumulator_started == 0 && - ( ret = mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 ) return( ret ); else ctx->accumulator_started = 1; - if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, header, 2 ) ) != 0 ) + if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, header, 2 ) ) != 0 ) return( ret ); - return( mbedtls_sha256_update_ext( &ctx->accumulator, p, use_len ) ); + return( mbedtls_sha256_update_ret( &ctx->accumulator, p, use_len ) ); #endif }
@@ -374,7 +374,7 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) * in a previous call to entropy_update(). If this is not guaranteed, the * code below will fail. */ - if( ( ret = mbedtls_sha512_finish_ext( &ctx->accumulator, buf ) ) != 0 ) + if( ( ret = mbedtls_sha512_finish_ret( &ctx->accumulator, buf ) ) != 0 ) goto exit; /*
@@ -382,20 +382,20 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) */ mbedtls_sha512_free( &ctx->accumulator ); mbedtls_sha512_init( &ctx->accumulator ); - if( ( ret = mbedtls_sha512_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + if( ( ret = mbedtls_sha512_starts_ret( &ctx->accumulator, 0 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_sha512_update_ext( &ctx->accumulator, buf, + if( ( ret = mbedtls_sha512_update_ret( &ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 ) goto exit; /* * Perform second SHA-512 on entropy */ - if( ( ret = mbedtls_sha512_ext( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, + if( ( ret = mbedtls_sha512_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0 ) ) != 0 ) goto exit; #else /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */ - if( ( ret = mbedtls_sha256_finish_ext( &ctx->accumulator, buf ) ) != 0 ) + if( ( ret = mbedtls_sha256_finish_ret( &ctx->accumulator, buf ) ) != 0 ) goto exit; /*
@@ -403,16 +403,16 @@ int mbedtls_entropy_func( void *data, unsigned char *output, size_t len ) */ mbedtls_sha256_free( &ctx->accumulator ); mbedtls_sha256_init( &ctx->accumulator ); - if( ( ret = mbedtls_sha256_starts_ext( &ctx->accumulator, 0 ) ) != 0 ) + if( ( ret = mbedtls_sha256_starts_ret( &ctx->accumulator, 0 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_sha256_update_ext( &ctx->accumulator, buf, + if( ( ret = mbedtls_sha256_update_ret( &ctx->accumulator, buf, MBEDTLS_ENTROPY_BLOCK_SIZE ) ) != 0 ) goto exit; /* * Perform second SHA-256 on entropy */ - if( ( ret = mbedtls_sha256_ext( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, + if( ( ret = mbedtls_sha256_ret( buf, MBEDTLS_ENTROPY_BLOCK_SIZE, buf, 0 ) ) != 0 ) goto exit; #endif /* MBEDTLS_ENTROPY_SHA512_ACCUMULATOR */
diff --git a/library/md2.c b/library/md2.c
index 06d6ac288..5028e8c58 100644
--- a/library/md2.c
+++ b/library/md2.c
@@ -105,7 +105,7 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst, /* * MD2 context setup */ -int mbedtls_md2_starts_ext( mbedtls_md2_context *ctx ) +int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx ) { memset( ctx->cksum, 0, 16 ); memset( ctx->state, 0, 46 );
@@ -156,7 +156,7 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ) /* * MD2 process buffer */ -int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, +int mbedtls_md2_update_ret( mbedtls_md2_context *ctx, const unsigned char *input, size_t ilen ) {
@@ -190,7 +190,7 @@ int mbedtls_md2_update_ext( mbedtls_md2_context *ctx, /* * MD2 final digest */ -int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, +int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx, unsigned char output[16] ) { int ret;
@@ -219,7 +219,7 @@ int mbedtls_md2_finish_ext( mbedtls_md2_context *ctx, /* * output = MD2( input buffer ) */ -int mbedtls_md2_ext( const unsigned char *input, +int mbedtls_md2_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ) {
@@ -228,13 +228,13 @@ int mbedtls_md2_ext( const unsigned char *input, mbedtls_md2_init( &ctx ); - if( ( ret = mbedtls_md2_starts_ext( &ctx ) ) != 0 ) + if( ( ret = mbedtls_md2_starts_ret( &ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md2_update_ext( &ctx, input, ilen ) ) != 0 ) + if( ( ret = mbedtls_md2_update_ret( &ctx, input, ilen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md2_finish_ext( &ctx, output ) ) != 0 ) + if( ( ret = mbedtls_md2_finish_ret( &ctx, output ) ) != 0 ) goto exit; exit:
@@ -296,7 +296,7 @@ int mbedtls_md2_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD2 test #%d: ", i + 1 ); - ret = mbedtls_md2_ext( md2_test_str[i], md2_test_strlen[i], md2sum ); + ret = mbedtls_md2_ret( md2_test_str[i], md2_test_strlen[i], md2sum ); if( ret != 0 ) goto fail;
diff --git a/library/md4.c b/library/md4.c
index f5972eb63..34a4b0e24 100644
--- a/library/md4.c
+++ b/library/md4.c
@@ -98,7 +98,7 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst, /* * MD4 context setup */ -int mbedtls_md4_starts_ext( mbedtls_md4_context *ctx ) +int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0;
@@ -222,7 +222,7 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, /* * MD4 process buffer */ -int mbedtls_md4_update_ext( mbedtls_md4_context *ctx, +int mbedtls_md4_update_ret( mbedtls_md4_context *ctx, const unsigned char *input, size_t ilen ) {
@@ -284,7 +284,7 @@ static const unsigned char md4_padding[64] = /* * MD4 final digest */ -int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, +int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx, unsigned char output[16] ) { int ret;
@@ -302,11 +302,11 @@ int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - ret = mbedtls_md4_update_ext( ctx, (unsigned char *)md4_padding, padn ); + ret = mbedtls_md4_update_ret( ctx, (unsigned char *)md4_padding, padn ); if( ret != 0 ) return( ret ); - if( ( ret = mbedtls_md4_update_ext( ctx, msglen, 8 ) ) != 0 ) + if( ( ret = mbedtls_md4_update_ret( ctx, msglen, 8 ) ) != 0 ) return( ret );
@@ -323,7 +323,7 @@ int mbedtls_md4_finish_ext( mbedtls_md4_context *ctx, /* * output = MD4( input buffer ) */ -int mbedtls_md4_ext( const unsigned char *input, +int mbedtls_md4_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ) {
@@ -332,13 +332,13 @@ int mbedtls_md4_ext( const unsigned char *input, mbedtls_md4_init( &ctx ); - if( ( ret = mbedtls_md4_starts_ext( &ctx ) ) != 0 ) + if( ( ret = mbedtls_md4_starts_ret( &ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md4_update_ext( &ctx, input, ilen ) ) != 0 ) + if( ( ret = mbedtls_md4_update_ret( &ctx, input, ilen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md4_finish_ext( &ctx, output ) ) != 0 ) + if( ( ret = mbedtls_md4_finish_ret( &ctx, output ) ) != 0 ) goto exit; exit:
@@ -400,7 +400,7 @@ int mbedtls_md4_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD4 test #%d: ", i + 1 ); - ret = mbedtls_md4_ext( md4_test_str[i], md4_test_strlen[i], md4sum ); + ret = mbedtls_md4_ret( md4_test_str[i], md4_test_strlen[i], md4sum ); if( ret != 0 ) goto fail;
diff --git a/library/md5.c b/library/md5.c
index 68a112ab7..8872dc467 100644
--- a/library/md5.c
+++ b/library/md5.c
@@ -97,7 +97,7 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst, /* * MD5 context setup */ -int mbedtls_md5_starts_ext( mbedtls_md5_context *ctx ) +int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0;
@@ -241,7 +241,7 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, /* * MD5 process buffer */ -int mbedtls_md5_update_ext( mbedtls_md5_context *ctx, +int mbedtls_md5_update_ret( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen ) {
@@ -300,7 +300,7 @@ static const unsigned char md5_padding[64] = /* * MD5 final digest */ -int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, +int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx, unsigned char output[16] ) { int ret;
@@ -318,10 +318,10 @@ int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - if( ( ret = mbedtls_md5_update_ext( ctx, md5_padding, padn ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( ctx, md5_padding, padn ) ) != 0 ) return( ret ); - if( ( ret = mbedtls_md5_update_ext( ctx, msglen, 8 ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( ctx, msglen, 8 ) ) != 0 ) return( ret ); PUT_UINT32_LE( ctx->state[0], output, 0 );
@@ -337,7 +337,7 @@ int mbedtls_md5_finish_ext( mbedtls_md5_context *ctx, /* * output = MD5( input buffer ) */ -int mbedtls_md5_ext( const unsigned char *input, +int mbedtls_md5_ret( const unsigned char *input, size_t ilen, unsigned char output[16] ) {
@@ -346,13 +346,13 @@ int mbedtls_md5_ext( const unsigned char *input, mbedtls_md5_init( &ctx ); - if( ( ret = mbedtls_md5_starts_ext( &ctx ) ) != 0 ) + if( ( ret = mbedtls_md5_starts_ret( &ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &ctx, input, ilen ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &ctx, input, ilen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_finish_ext( &ctx, output ) ) != 0 ) + if( ( ret = mbedtls_md5_finish_ret( &ctx, output ) ) != 0 ) goto exit; exit:
@@ -413,7 +413,7 @@ int mbedtls_md5_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( " MD5 test #%d: ", i + 1 ); - ret = mbedtls_md5_ext( md5_test_buf[i], md5_test_buflen[i], md5sum ); + ret = mbedtls_md5_ret( md5_test_buf[i], md5_test_buflen[i], md5sum ); if( ret != 0 ) goto fail;
diff --git a/library/md_wrap.c b/library/md_wrap.c
index bfd492736..32f087197 100644
--- a/library/md_wrap.c
+++ b/library/md_wrap.c
@@ -73,18 +73,18 @@ static int md2_starts_wrap( void *ctx ) { - return( mbedtls_md2_starts_ext( (mbedtls_md2_context *) ctx ) ); + return( mbedtls_md2_starts_ret( (mbedtls_md2_context *) ctx ) ); } static int md2_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_md2_update_ext( (mbedtls_md2_context *) ctx, input, ilen ) ); + return( mbedtls_md2_update_ret( (mbedtls_md2_context *) ctx, input, ilen ) ); } static int md2_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_md2_finish_ext( (mbedtls_md2_context *) ctx, output ) ); + return( mbedtls_md2_finish_ret( (mbedtls_md2_context *) ctx, output ) ); } static void *md2_ctx_alloc( void )
@@ -124,7 +124,7 @@ const mbedtls_md_info_t mbedtls_md2_info = { md2_starts_wrap, md2_update_wrap, md2_finish_wrap, - mbedtls_md2_ext, + mbedtls_md2_ret, md2_ctx_alloc, md2_ctx_free, md2_clone_wrap,
@@ -137,18 +137,18 @@ const mbedtls_md_info_t mbedtls_md2_info = { static int md4_starts_wrap( void *ctx ) { - return( mbedtls_md4_starts_ext( (mbedtls_md4_context *) ctx ) ); + return( mbedtls_md4_starts_ret( (mbedtls_md4_context *) ctx ) ); } static int md4_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_md4_update_ext( (mbedtls_md4_context *) ctx, input, ilen ) ); + return( mbedtls_md4_update_ret( (mbedtls_md4_context *) ctx, input, ilen ) ); } static int md4_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_md4_finish_ext( (mbedtls_md4_context *) ctx, output ) ); + return( mbedtls_md4_finish_ret( (mbedtls_md4_context *) ctx, output ) ); } static void *md4_ctx_alloc( void )
@@ -186,7 +186,7 @@ const mbedtls_md_info_t mbedtls_md4_info = { md4_starts_wrap, md4_update_wrap, md4_finish_wrap, - mbedtls_md4_ext, + mbedtls_md4_ret, md4_ctx_alloc, md4_ctx_free, md4_clone_wrap,
@@ -199,18 +199,18 @@ const mbedtls_md_info_t mbedtls_md4_info = { static int md5_starts_wrap( void *ctx ) { - return( mbedtls_md5_starts_ext( (mbedtls_md5_context *) ctx ) ); + return( mbedtls_md5_starts_ret( (mbedtls_md5_context *) ctx ) ); } static int md5_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_md5_update_ext( (mbedtls_md5_context *) ctx, input, ilen ) ); + return( mbedtls_md5_update_ret( (mbedtls_md5_context *) ctx, input, ilen ) ); } static int md5_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_md5_finish_ext( (mbedtls_md5_context *) ctx, output ) ); + return( mbedtls_md5_finish_ret( (mbedtls_md5_context *) ctx, output ) ); } static void *md5_ctx_alloc( void )
@@ -248,7 +248,7 @@ const mbedtls_md_info_t mbedtls_md5_info = { md5_starts_wrap, md5_update_wrap, md5_finish_wrap, - mbedtls_md5_ext, + mbedtls_md5_ret, md5_ctx_alloc, md5_ctx_free, md5_clone_wrap,
@@ -261,19 +261,19 @@ const mbedtls_md_info_t mbedtls_md5_info = { static int ripemd160_starts_wrap( void *ctx ) { - return( mbedtls_ripemd160_starts_ext( (mbedtls_ripemd160_context *) ctx ) ); + return( mbedtls_ripemd160_starts_ret( (mbedtls_ripemd160_context *) ctx ) ); } static int ripemd160_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_ripemd160_update_ext( (mbedtls_ripemd160_context *) ctx, + return( mbedtls_ripemd160_update_ret( (mbedtls_ripemd160_context *) ctx, input, ilen ) ); } static int ripemd160_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_ripemd160_finish_ext( (mbedtls_ripemd160_context *) ctx, + return( mbedtls_ripemd160_finish_ret( (mbedtls_ripemd160_context *) ctx, output ) ); }
@@ -313,7 +313,7 @@ const mbedtls_md_info_t mbedtls_ripemd160_info = { ripemd160_starts_wrap, ripemd160_update_wrap, ripemd160_finish_wrap, - mbedtls_ripemd160_ext, + mbedtls_ripemd160_ret, ripemd160_ctx_alloc, ripemd160_ctx_free, ripemd160_clone_wrap,
@@ -326,19 +326,19 @@ const mbedtls_md_info_t mbedtls_ripemd160_info = { static int sha1_starts_wrap( void *ctx ) { - return( mbedtls_sha1_starts_ext( (mbedtls_sha1_context *) ctx ) ); + return( mbedtls_sha1_starts_ret( (mbedtls_sha1_context *) ctx ) ); } static int sha1_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_sha1_update_ext( (mbedtls_sha1_context *) ctx, + return( mbedtls_sha1_update_ret( (mbedtls_sha1_context *) ctx, input, ilen ) ); } static int sha1_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_sha1_finish_ext( (mbedtls_sha1_context *) ctx, output ) ); + return( mbedtls_sha1_finish_ret( (mbedtls_sha1_context *) ctx, output ) ); } static void *sha1_ctx_alloc( void )
@@ -377,7 +377,7 @@ const mbedtls_md_info_t mbedtls_sha1_info = { sha1_starts_wrap, sha1_update_wrap, sha1_finish_wrap, - mbedtls_sha1_ext, + mbedtls_sha1_ret, sha1_ctx_alloc, sha1_ctx_free, sha1_clone_wrap,
@@ -393,26 +393,26 @@ const mbedtls_md_info_t mbedtls_sha1_info = { static int sha224_starts_wrap( void *ctx ) { - return( mbedtls_sha256_starts_ext( (mbedtls_sha256_context *) ctx, 1 ) ); + return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 1 ) ); } static int sha224_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_sha256_update_ext( (mbedtls_sha256_context *) ctx, + return( mbedtls_sha256_update_ret( (mbedtls_sha256_context *) ctx, input, ilen ) ); } static int sha224_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_sha256_finish_ext( (mbedtls_sha256_context *) ctx, + return( mbedtls_sha256_finish_ret( (mbedtls_sha256_context *) ctx, output ) ); } static int sha224_wrap( const unsigned char *input, size_t ilen, unsigned char *output ) { - return( mbedtls_sha256_ext( input, ilen, output, 1 ) ); + return( mbedtls_sha256_ret( input, ilen, output, 1 ) ); } static void *sha224_ctx_alloc( void )
@@ -460,13 +460,13 @@ const mbedtls_md_info_t mbedtls_sha224_info = { static int sha256_starts_wrap( void *ctx ) { - return( mbedtls_sha256_starts_ext( (mbedtls_sha256_context *) ctx, 0 ) ); + return( mbedtls_sha256_starts_ret( (mbedtls_sha256_context *) ctx, 0 ) ); } static int sha256_wrap( const unsigned char *input, size_t ilen, unsigned char *output ) { - return( mbedtls_sha256_ext( input, ilen, output, 0 ) ); + return( mbedtls_sha256_ret( input, ilen, output, 0 ) ); } const mbedtls_md_info_t mbedtls_sha256_info = {
@@ -490,26 +490,26 @@ const mbedtls_md_info_t mbedtls_sha256_info = { static int sha384_starts_wrap( void *ctx ) { - return( mbedtls_sha512_starts_ext( (mbedtls_sha512_context *) ctx, 1 ) ); + return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 1 ) ); } static int sha384_update_wrap( void *ctx, const unsigned char *input, size_t ilen ) { - return( mbedtls_sha512_update_ext( (mbedtls_sha512_context *) ctx, + return( mbedtls_sha512_update_ret( (mbedtls_sha512_context *) ctx, input, ilen ) ); } static int sha384_finish_wrap( void *ctx, unsigned char *output ) { - return( mbedtls_sha512_finish_ext( (mbedtls_sha512_context *) ctx, + return( mbedtls_sha512_finish_ret( (mbedtls_sha512_context *) ctx, output ) ); } static int sha384_wrap( const unsigned char *input, size_t ilen, unsigned char *output ) { - return( mbedtls_sha512_ext( input, ilen, output, 1 ) ); + return( mbedtls_sha512_ret( input, ilen, output, 1 ) ); } static void *sha384_ctx_alloc( void )
@@ -557,13 +557,13 @@ const mbedtls_md_info_t mbedtls_sha384_info = { static int sha512_starts_wrap( void *ctx ) { - return( mbedtls_sha512_starts_ext( (mbedtls_sha512_context *) ctx, 0 ) ); + return( mbedtls_sha512_starts_ret( (mbedtls_sha512_context *) ctx, 0 ) ); } static int sha512_wrap( const unsigned char *input, size_t ilen, unsigned char *output ) { - return( mbedtls_sha512_ext( input, ilen, output, 0 ) ); + return( mbedtls_sha512_ret( input, ilen, output, 0 ) ); } const mbedtls_md_info_t mbedtls_sha512_info = {
diff --git a/library/pem.c b/library/pem.c
index dea6f9962..bbcfd9bb6 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -96,13 +96,13 @@ static int pem_pbkdf1( unsigned char *key, size_t keylen, /* * key[ 0..15] = MD5(pwd || IV) */ - if( ( ret = mbedtls_md5_starts_ext( &md5_ctx ) ) != 0 ) + if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &md5_ctx, pwd, pwdlen ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &md5_ctx, iv, 8 ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv, 8 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_finish_ext( &md5_ctx, md5sum ) ) != 0 ) + if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 ) goto exit; if( keylen <= 16 )
@@ -116,15 +116,15 @@ static int pem_pbkdf1( unsigned char *key, size_t keylen, /* * key[16..23] = MD5(key[ 0..15] || pwd || IV]) */ - if( ( ret = mbedtls_md5_starts_ext( &md5_ctx ) ) != 0 ) + if( ( ret = mbedtls_md5_starts_ret( &md5_ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &md5_ctx, md5sum, 16 ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &md5_ctx, md5sum, 16 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &md5_ctx, pwd, pwdlen ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &md5_ctx, pwd, pwdlen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_update_ext( &md5_ctx, iv, 8 ) ) != 0 ) + if( ( ret = mbedtls_md5_update_ret( &md5_ctx, iv, 8 ) ) != 0 ) goto exit; - if( ( ret = mbedtls_md5_finish_ext( &md5_ctx, md5sum ) ) != 0 ) + if( ( ret = mbedtls_md5_finish_ret( &md5_ctx, md5sum ) ) != 0 ) goto exit; use_len = 16;
diff --git a/library/ripemd160.c b/library/ripemd160.c
index 274a7c9c7..260fee686 100644
--- a/library/ripemd160.c
+++ b/library/ripemd160.c
@@ -96,7 +96,7 @@ void mbedtls_ripemd160_clone( mbedtls_ripemd160_context *dst, /* * RIPEMD-160 context setup */ -int mbedtls_ripemd160_starts_ext( mbedtls_ripemd160_context *ctx ) +int mbedtls_ripemd160_starts_ret( mbedtls_ripemd160_context *ctx ) { ctx->total[0] = 0; ctx->total[1] = 0;
@@ -298,7 +298,7 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, /* * RIPEMD-160 process buffer */ -int mbedtls_ripemd160_update_ext( mbedtls_ripemd160_context *ctx, +int mbedtls_ripemd160_update_ret( mbedtls_ripemd160_context *ctx, const unsigned char *input, size_t ilen ) {
@@ -358,7 +358,7 @@ static const unsigned char ripemd160_padding[64] = /* * RIPEMD-160 final digest */ -int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, +int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx, unsigned char output[20] ) { int ret;
@@ -376,11 +376,11 @@ int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, last = ctx->total[0] & 0x3F; padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); - ret = mbedtls_ripemd160_update_ext( ctx, ripemd160_padding, padn ); + ret = mbedtls_ripemd160_update_ret( ctx, ripemd160_padding, padn ); if( ret != 0 ) return( ret ); - ret = mbedtls_ripemd160_update_ext( ctx, msglen, 8 ); + ret = mbedtls_ripemd160_update_ret( ctx, msglen, 8 ); if( ret != 0 ) return( ret );
@@ -396,7 +396,7 @@ int mbedtls_ripemd160_finish_ext( mbedtls_ripemd160_context *ctx, /* * output = RIPEMD-160( input buffer ) */ -int mbedtls_ripemd160_ext( const unsigned char *input, +int mbedtls_ripemd160_ret( const unsigned char *input, size_t ilen, unsigned char output[20] ) {
@@ -405,13 +405,13 @@ int mbedtls_ripemd160_ext( const unsigned char *input, mbedtls_ripemd160_init( &ctx ); - if( ( ret = mbedtls_ripemd160_starts_ext( &ctx ) ) != 0 ) + if( ( ret = mbedtls_ripemd160_starts_ret( &ctx ) ) != 0 ) goto exit; - if( ( ret = mbedtls_ripemd160_update_ext( &ctx, input, ilen ) ) != 0 ) + if( ( ret = mbedtls_ripemd160_update_ret( &ctx, input, ilen ) ) != 0 ) goto exit; - if( ( ret = mbedtls_ripemd160_finish_ext( &ctx, output ) ) != 0 ) + if( ( ret = mbedtls_ripemd160_finish_ret( &ctx, output ) ) != 0 ) goto exit; exit:
@@ -479,7 +479,7 @@ int mbedtls_ripemd160_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( " RIPEMD-160 test #%d: ", i + 1 );
- ret = mbedtls_ripemd160_ext( ripemd160_test_str[i],
+ ret = mbedtls_ripemd160_ret( ripemd160_test_str[i],
 ripemd160_test_strlen[i], output );
 if( ret != 0 )
 goto fail;
diff --git a/library/rsa.c b/library/rsa.c
index ab0bd678d..1909744a7 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -2259,7 +2259,7 @@ int mbedtls_rsa_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( " PKCS#1 data sign : " );
- if( mbedtls_sha1_ext( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
+ if( mbedtls_sha1_ret( rsa_plaintext, PT_LEN, sha1sum ) != 0 )
 {
 if( verbose != 0 )
 mbedtls_printf( "failed\n" );
diff --git a/library/sha1.c b/library/sha1.c
index 8d3895035..8432eba8b 100644
--- a/library/sha1.c
+++ b/library/sha1.c
@@ -97,7 +97,7 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
 /*
 * SHA-1 context setup
 */
-int mbedtls_sha1_starts_ext( mbedtls_sha1_context *ctx )
+int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx )
 {
 ctx->total[0] = 0;
 ctx->total[1] = 0;
@@ -275,7 +275,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
 /*
 * SHA-1 process buffer
 */
-int mbedtls_sha1_update_ext( mbedtls_sha1_context *ctx,
+int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
 const unsigned char *input,
 size_t ilen )
 {
@@ -333,7 +333,7 @@ static const unsigned char sha1_padding[64] =
 /*
 * SHA-1 final digest
 */
-int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx,
+int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
 unsigned char output[20] )
 {
 int ret;
@@ -351,9 +351,9 @@ int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx,
 last = ctx->total[0] & 0x3F;
 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
- if( ( ret = mbedtls_sha1_update_ext( ctx, sha1_padding, padn ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( ctx, sha1_padding, padn ) ) != 0 )
 return( ret );
- if( ( ret = mbedtls_sha1_update_ext( ctx, msglen, 8 ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( ctx, msglen, 8 ) ) != 0 )
 return( ret );
 PUT_UINT32_BE( ctx->state[0], output, 0 );
@@ -370,7 +370,7 @@ int mbedtls_sha1_finish_ext( mbedtls_sha1_context *ctx,
 /*
 * output = SHA-1( input buffer )
 */
-int mbedtls_sha1_ext( const unsigned char *input,
+int mbedtls_sha1_ret( const unsigned char *input,
 size_t ilen,
 unsigned char output[20] )
 {
@@ -379,13 +379,13 @@ int mbedtls_sha1_ext( const unsigned char *input,
 mbedtls_sha1_init( &ctx );
- if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 )
+ if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_update_ext( &ctx, input, ilen ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_finish_ext( &ctx, output ) ) != 0 )
+ if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 )
 goto exit;
 exit:
@@ -440,7 +440,7 @@ int mbedtls_sha1_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( " SHA-1 test #%d: ", i + 1 );
- if( ( ret = mbedtls_sha1_starts_ext( &ctx ) ) != 0 )
+ if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
 goto fail;
 if( i == 2 )
@@ -449,20 +449,20 @@ int mbedtls_sha1_self_test( int verbose )
 for( j = 0; j < 1000; j++ )
 {
- ret = mbedtls_sha1_update_ext( &ctx, buf, buflen );
+ ret = mbedtls_sha1_update_ret( &ctx, buf, buflen );
 if( ret != 0 )
 goto fail;
 }
 }
 else
 {
- ret = mbedtls_sha1_update_ext( &ctx, sha1_test_buf[i],
+ ret = mbedtls_sha1_update_ret( &ctx, sha1_test_buf[i],
 sha1_test_buflen[i] );
 if( ret != 0 )
 goto fail;
 }
- if( ( ret = mbedtls_sha1_finish_ext( &ctx, sha1sum ) ) != 0 )
+ if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 )
 goto fail;
 if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
diff --git a/library/sha256.c b/library/sha256.c
index b76569792..abcd64d13 100644
--- a/library/sha256.c
+++ b/library/sha256.c
@@ -100,7 +100,7 @@ void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
 /*
 * SHA-256 context setup
 */
-int mbedtls_sha256_starts_ext( mbedtls_sha256_context *ctx, int is224 )
+int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
 {
 ctx->total[0] = 0;
 ctx->total[1] = 0;
@@ -243,7 +243,7 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
 /*
 * SHA-256 process buffer
 */
-int mbedtls_sha256_update_ext( mbedtls_sha256_context *ctx,
+int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
 const unsigned char *input,
 size_t ilen )
 {
@@ -301,7 +301,7 @@ static const unsigned char sha256_padding[64] =
 /*
 * SHA-256 final digest
 */
-int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx,
+int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx,
 unsigned char output[32] )
 {
 int ret;
@@ -319,10 +319,10 @@ int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx,
 last = ctx->total[0] & 0x3F;
 padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
- if( ( ret = mbedtls_sha256_update_ext( ctx, sha256_padding, padn ) ) != 0 )
+ if( ( ret = mbedtls_sha256_update_ret( ctx, sha256_padding, padn ) ) != 0 )
 return( ret );
- if( ( ret = mbedtls_sha256_update_ext( ctx, msglen, 8 ) ) != 0 )
+ if( ( ret = mbedtls_sha256_update_ret( ctx, msglen, 8 ) ) != 0 )
 return( ret );
 PUT_UINT32_BE( ctx->state[0], output, 0 );
@@ -344,7 +344,7 @@ int mbedtls_sha256_finish_ext( mbedtls_sha256_context *ctx,
 /*
 * output = SHA-256( input buffer )
 */
-int mbedtls_sha256_ext( const unsigned char *input,
+int mbedtls_sha256_ret( const unsigned char *input,
 size_t ilen,
 unsigned char output[32],
 int is224 )
@@ -354,13 +354,13 @@ int mbedtls_sha256_ext( const unsigned char *input,
 mbedtls_sha256_init( &ctx );
- if( ( ret = mbedtls_sha256_starts_ext( &ctx, is224 ) ) != 0 )
+ if( ( ret = mbedtls_sha256_starts_ret( &ctx, is224 ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha256_update_ext( &ctx, input, ilen ) ) != 0 )
+ if( ( ret = mbedtls_sha256_update_ret( &ctx, input, ilen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha256_finish_ext( &ctx, output ) ) != 0 )
+ if( ( ret = mbedtls_sha256_finish_ret( &ctx, output ) ) != 0 )
 goto exit;
 exit:
@@ -449,7 +449,7 @@ int mbedtls_sha256_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
- if( ( ret = mbedtls_sha256_starts_ext( &ctx, k ) ) != 0 )
+ if( ( ret = mbedtls_sha256_starts_ret( &ctx, k ) ) != 0 )
 goto fail;
 if( j == 2 )
@@ -458,7 +458,7 @@ int mbedtls_sha256_self_test( int verbose )
 for( j = 0; j < 1000; j++ )
 {
- ret = mbedtls_sha256_update_ext( &ctx, buf, buflen );
+ ret = mbedtls_sha256_update_ret( &ctx, buf, buflen );
 if( ret != 0 )
 goto fail;
 }
@@ -466,13 +466,13 @@ int mbedtls_sha256_self_test( int verbose )
 }
 else
 {
- ret = mbedtls_sha256_update_ext( &ctx, sha256_test_buf[j],
+ ret = mbedtls_sha256_update_ret( &ctx, sha256_test_buf[j],
 sha256_test_buflen[j] );
 if( ret != 0 )
 goto fail;
 }
- if( ( ret = mbedtls_sha256_finish_ext( &ctx, sha256sum ) ) != 0 )
+ if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
 goto fail;
diff --git a/library/sha512.c b/library/sha512.c
index d0faba941..c99b6da95 100644
--- a/library/sha512.c
+++ b/library/sha512.c
@@ -114,7 +114,7 @@ void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
 /*
 * SHA-512 context setup
 */
-int mbedtls_sha512_starts_ext( mbedtls_sha512_context *ctx, int is384 )
+int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
 {
 ctx->total[0] = 0;
 ctx->total[1] = 0;
@@ -274,7 +274,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
 /*
 * SHA-512 process buffer
 */
-int mbedtls_sha512_update_ext( mbedtls_sha512_context *ctx,
+int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
 const unsigned char *input,
 size_t ilen )
 {
@@ -335,7 +335,7 @@ static const unsigned char sha512_padding[128] =
 /*
 * SHA-512 final digest
 */
-int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx,
+int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx,
 unsigned char output[64] )
 {
 int ret;
@@ -353,10 +353,10 @@ int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx,
 last = (size_t)( ctx->total[0] & 0x7F );
 padn = ( last < 112 ) ? ( 112 - last ) : ( 240 - last );
- if( ( ret = mbedtls_sha512_update_ext( ctx, sha512_padding, padn ) ) != 0 )
+ if( ( ret = mbedtls_sha512_update_ret( ctx, sha512_padding, padn ) ) != 0 )
 return( ret );
- if( ( ret = mbedtls_sha512_update_ext( ctx, msglen, 16 ) ) != 0 )
+ if( ( ret = mbedtls_sha512_update_ret( ctx, msglen, 16 ) ) != 0 )
 return( ret );
 PUT_UINT64_BE( ctx->state[0], output, 0 );
@@ -380,7 +380,7 @@ int mbedtls_sha512_finish_ext( mbedtls_sha512_context *ctx,
 /*
 * output = SHA-512( input buffer )
 */
-int mbedtls_sha512_ext( const unsigned char *input,
+int mbedtls_sha512_ret( const unsigned char *input,
 size_t ilen,
 unsigned char output[64],
 int is384 )
@@ -390,13 +390,13 @@ int mbedtls_sha512_ext( const unsigned char *input,
 mbedtls_sha512_init( &ctx );
- if( ( ret = mbedtls_sha512_starts_ext( &ctx, is384 ) ) != 0 )
+ if( ( ret = mbedtls_sha512_starts_ret( &ctx, is384 ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha512_update_ext( &ctx, input, ilen ) ) != 0 )
+ if( ( ret = mbedtls_sha512_update_ret( &ctx, input, ilen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha512_finish_ext( &ctx, output ) ) != 0 )
+ if( ( ret = mbedtls_sha512_finish_ret( &ctx, output ) ) != 0 )
 goto exit;
 exit:
@@ -505,7 +505,7 @@ int mbedtls_sha512_self_test( int verbose )
 if( verbose != 0 )
 mbedtls_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 );
- if( ( ret = mbedtls_sha512_starts_ext( &ctx, k ) ) != 0 )
+ if( ( ret = mbedtls_sha512_starts_ret( &ctx, k ) ) != 0 )
 goto fail;
 if( j == 2 )
@@ -514,20 +514,20 @@ int mbedtls_sha512_self_test( int verbose )
 for( j = 0; j < 1000; j++ )
 {
- ret = mbedtls_sha512_update_ext( &ctx, buf, buflen );
+ ret = mbedtls_sha512_update_ret( &ctx, buf, buflen );
 if( ret != 0 )
 goto fail;
 }
 }
 else
 {
- ret = mbedtls_sha512_update_ext( &ctx, sha512_test_buf[j],
+ ret = mbedtls_sha512_update_ret( &ctx, sha512_test_buf[j],
 sha512_test_buflen[j] );
 if( ret != 0 )
 goto fail;
 }
- if( ( ret = mbedtls_sha512_finish_ext( &ctx, sha512sum ) ) != 0 )
+ if( ( ret = mbedtls_sha512_finish_ret( &ctx, sha512sum ) ) != 0 )
 goto fail;
 if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 7bee4e8f5..4f9a084b8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -244,24 +244,24 @@ static int ssl3_prf( const unsigned char *secret, size_t slen,
 {
 memset( padding, (unsigned char) ('A' + i), 1 + i );
- if( ( ret = mbedtls_sha1_starts_ext( &sha1 ) ) != 0 )
+ if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_update_ext( &sha1, padding, 1 + i ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_update_ext( &sha1, secret, slen ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_update_ext( &sha1, random, rlen ) ) != 0 )
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_sha1_finish_ext( &sha1, sha1sum ) ) != 0 )
+ if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_md5_starts_ext( &md5 ) ) != 0 )
+ if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_md5_update_ext( &md5, secret, slen ) ) != 0 )
+ if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_md5_update_ext( &md5, sha1sum, 20 ) ) != 0 )
+ if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
 goto exit;
- if( ( ret = mbedtls_md5_finish_ext( &md5, dstbuf + i * 16 ) ) != 0 )
+ if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
 goto exit;
 }
@@ -989,25 +989,25 @@ void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )
 memset( pad_1, 0x36, 48 );
 memset( pad_2, 0x5C, 48 );
- mbedtls_md5_update_ext( &md5, ssl->session_negotiate->master, 48 );
- mbedtls_md5_update_ext( &md5, pad_1, 48 );
- mbedtls_md5_finish_ext( &md5, hash );
+ mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+ mbedtls_md5_update_ret( &md5, pad_1, 48 );
+ mbedtls_md5_finish_ret( &md5, hash );
- mbedtls_md5_starts_ext( &md5 );
- mbedtls_md5_update_ext( &md5, ssl->session_negotiate->master, 48 );
- mbedtls_md5_update_ext( &md5, pad_2, 48 );
- mbedtls_md5_update_ext( &md5, hash, 16 );
- mbedtls_md5_finish_ext( &md5, hash );
+ mbedtls_md5_starts_ret( &md5 );
+ mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
+ mbedtls_md5_update_ret( &md5, pad_2, 48 );
+ mbedtls_md5_update_ret( &md5, hash, 16 );
+ mbedtls_md5_finish_ret( &md5, hash );
- mbedtls_sha1_update_ext( &sha1, ssl->session_negotiate->master, 48 );
- mbedtls_sha1_update_ext( &sha1, pad_1, 40 );
- mbedtls_sha1_finish_ext( &sha1, hash + 16 );
+ mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+ mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );
- mbedtls_sha1_starts_ext( &sha1 );
- mbedtls_sha1_update_ext( &sha1, ssl->session_negotiate->master, 48 );
- mbedtls_sha1_update_ext( &sha1, pad_2, 40 );
- mbedtls_sha1_update_ext( &sha1, hash + 16, 20 );
- mbedtls_sha1_finish_ext( &sha1, hash + 16 );
+ mbedtls_sha1_starts_ret( &sha1 );
+ mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
+ mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
+ mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );
 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
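Review bot: Every `_ret` call in this hunk discards its return value — `ssl_calc_verify_ssl` is `void`, so if `mbedtls_md5_finish_ret` or `mbedtls_sha1_finish_ret` reports failure (presumably the reason these variants return `int` at all), `hash` is still passed on as verify data while possibly never finished. The same silent discard appears in the ssl_tls.c hunks for ssl_calc_verify_tls, ssl_calc_verify_tls_sha256/_sha384, mbedtls_ssl_reset_checksum, ssl_update_checksum_start/_md5sha1/_sha256/_sha384, ssl_calc_finished_ssl/_tls/_tls_sha256/_tls_sha384 and ssl_handshake_params_init, whereas the mbedtls_ssl_get_key_exchange_md_ssl_tls hunk does check each call. Now that the rename makes the ignored status explicit, either propagate it (these helpers become `int`-returning and their callers check), or, if that is out of scope for this series, mark the discard deliberately, e.g. `(void) mbedtls_md5_finish_ret( &md5, hash ); /* status ignored: see <tracking issue placeholder> */`, so a later reader does not mistake it for an oversight. The enclosing function starts outside the hunk.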
@@ -1033,8 +1033,8 @@ void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )
 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
- mbedtls_md5_finish_ext( &md5, hash );
- mbedtls_sha1_finish_ext( &sha1, hash + 16 );
+ mbedtls_md5_finish_ret( &md5, hash );
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );
 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
@@ -1057,7 +1057,7 @@ void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
- mbedtls_sha256_finish_ext( &sha256, hash );
+ mbedtls_sha256_finish_ret( &sha256, hash );
 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
@@ -1078,7 +1078,7 @@ void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
- mbedtls_sha512_finish_ext( &sha512, hash );
+ mbedtls_sha512_finish_ret( &sha512, hash );
 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
@@ -4854,15 +4854,15 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
 defined(MBEDTLS_SSL_PROTO_TLS1_1)
- mbedtls_md5_starts_ext( &ssl->handshake->fin_md5 );
- mbedtls_sha1_starts_ext( &ssl->handshake->fin_sha1 );
+ mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
+ mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #if defined(MBEDTLS_SHA256_C)
- mbedtls_sha256_starts_ext( &ssl->handshake->fin_sha256, 0 );
+ mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
 #endif
 #if defined(MBEDTLS_SHA512_C)
- mbedtls_sha512_starts_ext( &ssl->handshake->fin_sha512, 1 );
+ mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
 #endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 }
@@ -4872,15 +4872,15 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
 {
 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
 defined(MBEDTLS_SSL_PROTO_TLS1_1)
- mbedtls_md5_update_ext( &ssl->handshake->fin_md5 , buf, len );
- mbedtls_sha1_update_ext( &ssl->handshake->fin_sha1, buf, len );
+ mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+ mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #if defined(MBEDTLS_SHA256_C)
- mbedtls_sha256_update_ext( &ssl->handshake->fin_sha256, buf, len );
+ mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
 #endif
 #if defined(MBEDTLS_SHA512_C)
- mbedtls_sha512_update_ext( &ssl->handshake->fin_sha512, buf, len );
+ mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
 #endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 }
@@ -4890,8 +4890,8 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
 const unsigned char *buf, size_t len )
 {
- mbedtls_md5_update_ext( &ssl->handshake->fin_md5 , buf, len );
- mbedtls_sha1_update_ext( &ssl->handshake->fin_sha1, buf, len );
+ mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+ mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
 }
 #endif
@@ -4900,7 +4900,7 @@ static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
 const unsigned char *buf, size_t len )
 {
- mbedtls_sha256_update_ext( &ssl->handshake->fin_sha256, buf, len );
+ mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
 }
 #endif
@@ -4908,7 +4908,7 @@ static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
 const unsigned char *buf, size_t len )
 {
- mbedtls_sha512_update_ext( &ssl->handshake->fin_sha512, buf, len );
+ mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
 }
 #endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -4961,29 +4961,29 @@ static void ssl_calc_finished_ssl(
 memset( padbuf, 0x36, 48 );
- mbedtls_md5_update_ext( &md5, (const unsigned char *) sender, 4 );
- mbedtls_md5_update_ext( &md5, session->master, 48 );
- mbedtls_md5_update_ext( &md5, padbuf, 48 );
- mbedtls_md5_finish_ext( &md5, md5sum );
+ mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
+ mbedtls_md5_update_ret( &md5, session->master, 48 );
+ mbedtls_md5_update_ret( &md5, padbuf, 48 );
+ mbedtls_md5_finish_ret( &md5, md5sum );
- mbedtls_sha1_update_ext( &sha1, (const unsigned char *) sender, 4 );
- mbedtls_sha1_update_ext( &sha1, session->master, 48 );
- mbedtls_sha1_update_ext( &sha1, padbuf, 40 );
- mbedtls_sha1_finish_ext( &sha1, sha1sum );
+ mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
+ mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+ mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
+ mbedtls_sha1_finish_ret( &sha1, sha1sum );
 memset( padbuf, 0x5C, 48 );
- mbedtls_md5_starts_ext( &md5 );
- mbedtls_md5_update_ext( &md5, session->master, 48 );
- mbedtls_md5_update_ext( &md5, padbuf, 48 );
- mbedtls_md5_update_ext( &md5, md5sum, 16 );
- mbedtls_md5_finish_ext( &md5, buf );
+ mbedtls_md5_starts_ret( &md5 );
+ mbedtls_md5_update_ret( &md5, session->master, 48 );
+ mbedtls_md5_update_ret( &md5, padbuf, 48 );
+ mbedtls_md5_update_ret( &md5, md5sum, 16 );
+ mbedtls_md5_finish_ret( &md5, buf );
- mbedtls_sha1_starts_ext( &sha1 );
- mbedtls_sha1_update_ext( &sha1, session->master, 48 );
- mbedtls_sha1_update_ext( &sha1, padbuf , 40 );
- mbedtls_sha1_update_ext( &sha1, sha1sum, 20 );
- mbedtls_sha1_finish_ext( &sha1, buf + 16 );
+ mbedtls_sha1_starts_ret( &sha1 );
+ mbedtls_sha1_update_ret( &sha1, session->master, 48 );
+ mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
+ mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
+ mbedtls_sha1_finish_ret( &sha1, buf + 16 );
 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
@@ -5040,8 +5040,8 @@ static void ssl_calc_finished_tls(
 ? "client finished"
 : "server finished";
- mbedtls_md5_finish_ext( &md5, padbuf );
- mbedtls_sha1_finish_ext( &sha1, padbuf + 16 );
+ mbedtls_md5_finish_ret( &md5, padbuf );
+ mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
 ssl->handshake->tls_prf( session->master, 48, sender,
 padbuf, 36, buf, len );
@@ -5092,7 +5092,7 @@ static void ssl_calc_finished_tls_sha256(
 ? "client finished"
 : "server finished";
- mbedtls_sha256_finish_ext( &sha256, padbuf );
+ mbedtls_sha256_finish_ret( &sha256, padbuf );
 ssl->handshake->tls_prf( session->master, 48, sender,
 padbuf, 32, buf, len );
@@ -5141,7 +5141,7 @@ static void ssl_calc_finished_tls_sha384(
 ? "client finished"
 : "server finished";
- mbedtls_sha512_finish_ext( &sha512, padbuf );
+ mbedtls_sha512_finish_ret( &sha512, padbuf );
 ssl->handshake->tls_prf( session->master, 48, sender,
 padbuf, 48, buf, len );
@@ -5455,17 +5455,17 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
 defined(MBEDTLS_SSL_PROTO_TLS1_1)
 mbedtls_md5_init( &handshake->fin_md5 );
 mbedtls_sha1_init( &handshake->fin_sha1 );
- mbedtls_md5_starts_ext( &handshake->fin_md5 );
- mbedtls_sha1_starts_ext( &handshake->fin_sha1 );
+ mbedtls_md5_starts_ret( &handshake->fin_md5 );
+ mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 #if defined(MBEDTLS_SHA256_C)
 mbedtls_sha256_init( &handshake->fin_sha256 );
- mbedtls_sha256_starts_ext( &handshake->fin_sha256, 0 );
+ mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
 #endif
 #if defined(MBEDTLS_SHA512_C)
 mbedtls_sha512_init( &handshake->fin_sha512 );
- mbedtls_sha512_starts_ext( &handshake->fin_sha512, 1 );
+ mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
 #endif
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@@ -8095,49 +8095,49 @@ int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
 * SHA(ClientHello.random + ServerHello.random
 * + ServerParams);
 */
- if( ( ret = mbedtls_md5_starts_ext( &mbedtls_md5 ) ) != 0 )
+ if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_md5_update_ext( &mbedtls_md5,
+ if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
 ssl->handshake->randbytes, 64 ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_md5_update_ext( &mbedtls_md5, data, data_len ) ) != 0 )
+ if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_md5_finish_ext( &mbedtls_md5, output ) ) != 0 )
+ if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_sha1_starts_ext( &mbedtls_sha1 ) ) != 0 )
+ if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1,
+ if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
 ssl->handshake->randbytes, 64 ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_sha1_update_ext( &mbedtls_sha1, data,
+ if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
 data_len ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
 goto exit;
 }
- if( ( ret = mbedtls_sha1_finish_ext( &mbedtls_sha1,
+ if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
 output + 16 ) ) != 0 )
 {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ext", ret );
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
 goto exit;
 }
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 3ec55a5ac..41dfe87b7 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -177,7 +177,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct
 memset( buf, 0, sizeof(buf) );
 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
- ret = mbedtls_sha1_ext( buf + sizeof( buf ) - len, len,
+ ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
 buf + sizeof( buf ) - 20 );
 if( ret != 0 )
 return( ret );
@@ -202,7 +202,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *
 memset( buf, 0, sizeof(buf) );
 MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
- ret = mbedtls_sha1_ext( buf + sizeof( buf ) - len, len,
+ ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
 buf + sizeof( buf ) - 20 );
 if( ret != 0 )
 return( ret );
diff --git a/programs/hash/hello.c b/programs/hash/hello.c
index a0c08c734..2e8c2244d 100644
--- a/programs/hash/hello.c
+++ b/programs/hash/hello.c
@@ -54,7 +54,7 @@ int main( void )
 mbedtls_printf( "\n MD5('%s') = ", str );
- if( ( ret = mbedtls_md5_ext( (unsigned char *) str, 13, digest ) ) != 0 )
+ if( ( ret = mbedtls_md5_ret( (unsigned char *) str, 13, digest ) ) != 0 )
 return( MBEDTLS_EXIT_FAILURE );
 for( i = 0; i < 16; i++ )
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
index 21c4a815f..0978408c1 100644
--- a/programs/pkey/dh_client.c
+++ b/programs/pkey/dh_client.c
@@ -212,9 +212,9 @@ int main( void )
 goto exit;
 }
- if( ( ret = mbedtls_sha1_ext( buf, (int)( p - 2 - buf ), hash ) ) != 0 )
+ if( ( ret = mbedtls_sha1_ret( buf, (int)( p - 2 - buf ), hash ) ) != 0 )
 {
- mbedtls_printf( " failed\n ! mbedtls_sha1_ext returned %d\n\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_sha1_ret returned %d\n\n", ret );
 goto exit;
 }
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
index f1d3be363..4d8632bf9 100644
--- a/programs/pkey/dh_server.c
+++ b/programs/pkey/dh_server.c
@@ -217,9 +217,9 @@ int main( void )
 /*
 * 5. Sign the parameters and send them
 */
- if( ( ret = mbedtls_sha1_ext( buf, n, hash ) ) != 0 )
+ if( ( ret = mbedtls_sha1_ret( buf, n, hash ) ) != 0 )
 {
- mbedtls_printf( " failed\n ! mbedtls_sha1_ext returned %d\n\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_sha1_ret returned %d\n\n", ret );
 goto exit;
 }
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index ecb6c2230..b47406010 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -163,9 +163,9 @@ int main( int argc, char *argv[] )
 mbedtls_printf( " . Computing message hash..." );
 fflush( stdout );
- if( ( ret = mbedtls_sha256_ext( message, sizeof( message ), hash, 0 ) ) != 0 )
+ if( ( ret = mbedtls_sha256_ret( message, sizeof( message ), hash, 0 ) ) != 0 )
 {
- mbedtls_printf( " failed\n ! mbedtls_sha256_ext returned %d\n", ret );
+ mbedtls_printf( " failed\n ! mbedtls_sha256_ret returned %d\n", ret );
 goto exit;
 }
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index 539d9adda..419557de5 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -327,32 +327,32 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_MD4_C)
 if( todo.md4 )
- TIME_AND_TSC( "MD4", mbedtls_md4_ext( buf, BUFSIZE, tmp ) );
+ TIME_AND_TSC( "MD4", mbedtls_md4_ret( buf, BUFSIZE, tmp ) );
 #endif
 #if defined(MBEDTLS_MD5_C)
 if( todo.md5 )
- TIME_AND_TSC( "MD5", mbedtls_md5_ext( buf, BUFSIZE, tmp ) );
+ TIME_AND_TSC( "MD5", mbedtls_md5_ret( buf, BUFSIZE, tmp ) );
 #endif
 #if defined(MBEDTLS_RIPEMD160_C)
 if( todo.ripemd160 )
- TIME_AND_TSC( "RIPEMD160", mbedtls_ripemd160_ext( buf, BUFSIZE, tmp ) );
+ TIME_AND_TSC( "RIPEMD160", mbedtls_ripemd160_ret( buf, BUFSIZE, tmp ) );
 #endif
 #if defined(MBEDTLS_SHA1_C)
 if( todo.sha1 )
- TIME_AND_TSC( "SHA-1", mbedtls_sha1_ext( buf, BUFSIZE, tmp ) );
+ TIME_AND_TSC( "SHA-1", mbedtls_sha1_ret( buf, BUFSIZE, tmp ) );
 #endif
 #if defined(MBEDTLS_SHA256_C)
 if( todo.sha256 )
- TIME_AND_TSC( "SHA-256", mbedtls_sha256_ext( buf, BUFSIZE, tmp, 0 ) );
+ TIME_AND_TSC( "SHA-256", mbedtls_sha256_ret( buf, BUFSIZE, tmp, 0 ) );
 #endif
 #if defined(MBEDTLS_SHA512_C)
 if( todo.sha512 )
- TIME_AND_TSC( "SHA-512", mbedtls_sha512_ext( buf, BUFSIZE, tmp, 0 ) );
+ TIME_AND_TSC( "SHA-512", mbedtls_sha512_ret( buf, BUFSIZE, tmp, 0 ) );
 #endif
 #if defined(MBEDTLS_ARC4_C)
diff --git a/tests/suites/test_suite_mdx.function b/tests/suites/test_suite_mdx.function
index 387e7eeb7..648a9cc35 100644
--- a/tests/suites/test_suite_mdx.function
+++ b/tests/suites/test_suite_mdx.function
@@ -19,7 +19,7 @@ void md2_text( char *text_src_string, char *hex_hash_string )
 strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
- ret = mbedtls_md2_ext( src_str, strlen( (char *) src_str ), output );
+ ret = mbedtls_md2_ret( src_str, strlen( (char *) src_str ), output );
 TEST_ASSERT( ret == 0 ) ;
 hexify( hash_str, output, sizeof output );
@@ -41,7 +41,7 @@ void md4_text( char *text_src_string, char *hex_hash_string )
 strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
- ret = mbedtls_md4_ext( src_str, strlen( (char *) src_str ), output );
+ ret = mbedtls_md4_ret( src_str, strlen( (char *) src_str ), output );
 TEST_ASSERT( ret == 0 );
 hexify( hash_str, output, sizeof output );
@@ -63,7 +63,7 @@ void md5_text( char *text_src_string, char *hex_hash_string )
 strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
- ret = mbedtls_md5_ext( src_str, strlen( (char *) src_str ), output );
+ ret = mbedtls_md5_ret( src_str, strlen( (char *) src_str ), output );
 TEST_ASSERT( ret == 0 );
 hexify( hash_str, output, sizeof output );
@@ -85,7 +85,7 @@ void ripemd160_text( char *text_src_string, char *hex_hash_string )
 strncpy( (char *) src_str, text_src_string, sizeof(src_str) - 1 );
- ret = mbedtls_ripemd160_ext( src_str, strlen( (char *) src_str ), output );
+ ret = mbedtls_ripemd160_ret( src_str, strlen( (char *) src_str ), output );
 TEST_ASSERT( ret == 0 );
 hexify( hash_str, output, sizeof output );
diff --git a/tests/suites/test_suite_shax.function b/tests/suites/test_suite_shax.function
index b6f8f510c..d704b388b 100644
--- a/tests/suites/test_suite_shax.function
+++ b/tests/suites/test_suite_shax.function
@@ -18,7 +18,7 @@ void mbedtls_sha1( char *hex_src_string, char *hex_hash_string )
 src_len = unhexify( src_str, hex_src_string );
- TEST_ASSERT( mbedtls_sha1_ext( src_str, src_len, output ) == 0 );
+ TEST_ASSERT( mbedtls_sha1_ret( src_str, src_len, output ) == 0 );
 hexify( hash_str, output, 20 );
 TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 );
@@ -39,7 +39,7 @@ void sha224(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_sha256_ext( src_str, src_len, output, 1 ) == 0 ); + TEST_ASSERT( mbedtls_sha256_ret( src_str, src_len, output, 1 ) == 0 ); hexify( hash_str, output, 28 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -60,7 +60,7 @@ void mbedtls_sha256(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_sha256_ext( src_str, src_len, output, 0 ) == 0 ); + TEST_ASSERT( mbedtls_sha256_ret( src_str, src_len, output, 0 ) == 0 ); hexify( hash_str, output, 32 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -81,7 +81,7 @@ void sha384(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_sha512_ext( src_str, src_len, output, 1 ) == 0 ); + TEST_ASSERT( mbedtls_sha512_ret( src_str, src_len, output, 1 ) == 0 ); hexify( hash_str, output, 48 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); @@ -102,7 +102,7 @@ void mbedtls_sha512(char *hex_src_string, char *hex_hash_string ) src_len = unhexify( src_str, hex_src_string ); - TEST_ASSERT( mbedtls_sha512_ext( src_str, src_len, output, 0 ) == 0 ); + TEST_ASSERT( mbedtls_sha512_ret( src_str, src_len, output, 0 ) == 0 ); hexify( hash_str, output, 64 ); TEST_ASSERT( strcmp( (char *) hash_str, hex_hash_string ) == 0 ); From 3e28d70813542d32ff398cd9ce608086df95826b Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Mon, 22 Jan 2018 12:18:59 +0100 Subject: [PATCH 136/177] New MD API: update version number in deprecation statements --- include/mbedtls/md2.h | 10 +++++----- include/mbedtls/md4.h | 10 +++++----- include/mbedtls/md5.h | 10 +++++----- include/mbedtls/ripemd160.h | 10 +++++----- include/mbedtls/sha1.h | 10 +++++----- include/mbedtls/sha256.h | 10 +++++----- include/mbedtls/sha512.h | 10 +++++----- 7 files changed, 35 insertions(+), 35 deletions(-) diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 0df6b36f4..925c69dde 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -130,7 +130,7 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx ); /** * \brief MD2 context setup * - * \deprecated Superseded by mbedtls_md2_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_starts_ret() in 2.7.0 * * \param ctx context to be initialized */ @@ -143,7 +143,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts( /** * \brief MD2 process buffer * - * \deprecated Superseded by mbedtls_md2_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_update_ret() in 2.7.0 * * \param ctx MD2 context * \param input buffer holding the data @@ -160,7 +160,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_update( /** * \brief MD2 final digest * - * \deprecated Superseded by mbedtls_md2_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_finish_ret() in 2.7.0 * * \param ctx MD2 context * \param output MD2 checksum result @@ -175,7 +175,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish( /** * \brief MD2 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_md2_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md2_process() in 2.7.0 * * \param ctx MD2 context */ 
@@ -220,7 +220,7 @@ int mbedtls_md2_ret( const unsigned char *input, /** * \brief Output = MD2( input buffer ) * - * \deprecated Superseded by mbedtls_md2_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md2_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index acd09bd61..f9341a856 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -132,7 +132,7 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, /** * \brief MD4 context setup * - * \deprecated Superseded by mbedtls_md4_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_starts_ret() in 2.7.0 * * \param ctx context to be initialized */ @@ -145,7 +145,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( /** * \brief MD4 process buffer * - * \deprecated Superseded by mbedtls_md4_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_update_ret() in 2.7.0 * * \param ctx MD4 context * \param input buffer holding the data @@ -162,7 +162,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( /** * \brief MD4 final digest * - * \deprecated Superseded by mbedtls_md4_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_finish_ret() in 2.7.0 * * \param ctx MD4 context * \param output MD4 checksum result @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( /** * \brief MD4 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_md4_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md4_process() in 2.7.0 * * \param ctx MD4 context * \param data buffer holding one block of data 
@@ -226,7 +226,7 @@ int mbedtls_md4_ret( const unsigned char *input, /** * \brief Output = MD4( input buffer ) * - * \deprecated Superseded by mbedtls_md4_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md4_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 18db8b734..4f8c92197 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -127,7 +127,7 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, /** * \brief MD5 context setup * - * \deprecated Superseded by mbedtls_md5_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_starts_ret() in 2.7.0 * * \param ctx context to be initialized */ @@ -140,7 +140,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( /** * \brief MD5 process buffer * - * \deprecated Superseded by mbedtls_md5_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_update_ret() in 2.7.0 * * \param ctx MD5 context * \param input buffer holding the data @@ -157,7 +157,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( /** * \brief MD5 final digest * - * \deprecated Superseded by mbedtls_md5_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_finish_ret() in 2.7.0 * * \param ctx MD5 context * \param output MD5 checksum result @@ -172,7 +172,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( /** * \brief MD5 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_md5_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_md5_process() in 2.7.0 * * \param ctx MD5 context * \param data buffer holding one block of data 
@@ -221,7 +221,7 @@ int mbedtls_md5_ret( const unsigned char *input, /** * \brief Output = MD5( input buffer ) * - * \deprecated Superseded by mbedtls_md5_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_md5_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index ea679810e..ad548d302 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -132,7 +132,7 @@ int mbedtls_internal_ripemd160_process( mbedtls_ripemd160_context *ctx, /** * \brief RIPEMD-160 context setup * - * \deprecated Superseded by mbedtls_ripemd160_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_starts_ret() in 2.7.0 * * \param ctx context to be initialized */ @@ -145,7 +145,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_starts( /** * \brief RIPEMD-160 process buffer * - * \deprecated Superseded by mbedtls_ripemd160_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_update_ret() in 2.7.0 * * \param ctx RIPEMD-160 context * \param input buffer holding the data @@ -162,7 +162,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_update( /** * \brief RIPEMD-160 final digest * - * \deprecated Superseded by mbedtls_ripemd160_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_finish_ret() in 2.7.0 * * \param ctx RIPEMD-160 context * \param output RIPEMD-160 checksum result @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_finish( /** * \brief RIPEMD-160 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_ripemd160_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_ripemd160_process() in 2.7.0 * * \param ctx RIPEMD-160 context * \param data buffer holding one block of data 
@@ -226,7 +226,7 @@ int mbedtls_ripemd160_ret( const unsigned char *input, /** * \brief Output = RIPEMD-160( input buffer ) * - * \deprecated Superseded by mbedtls_ripemd160_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_ripemd160_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 57bfea4e6..03c474bc6 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -132,7 +132,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, /** * \brief SHA-1 context setup * - * \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.7.0 * * \param ctx context to be initialized */ @@ -145,7 +145,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( /** * \brief SHA-1 process buffer * - * \deprecated Superseded by mbedtls_sha1_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_update_ret() in 2.7.0 * * \param ctx SHA-1 context * \param input buffer holding the data @@ -162,7 +162,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( /** * \brief SHA-1 final digest * - * \deprecated Superseded by mbedtls_sha1_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_finish_ret() in 2.7.0 * * \param ctx SHA-1 context * \param output SHA-1 checksum result @@ -177,7 +177,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( /** * \brief SHA-1 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_sha1_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha1_process() in 2.7.0 * * \param ctx SHA-1 context * \param data buffer holding one block of data 
@@ -226,7 +226,7 @@ int mbedtls_sha1_ret( const unsigned char *input, /** * \brief Output = SHA-1( input buffer ) * - * \deprecated Superseded by mbedtls_sha1_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha1_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index be5ef794f..9c52f781c 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -134,7 +134,7 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, /** * \brief SHA-256 context setup * - * \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.7.0 * * \param ctx context to be initialized * \param is224 0 = use SHA256, 1 = use SHA224 @@ -149,7 +149,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( /** * \brief SHA-256 process buffer * - * \deprecated Superseded by mbedtls_sha256_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_update_ret() in 2.7.0 * * \param ctx SHA-256 context * \param input buffer holding the data @@ -166,7 +166,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( /** * \brief SHA-256 final digest * - * \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.7.0 * * \param ctx SHA-256 context * \param output SHA-224/256 checksum result @@ -181,7 +181,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( /** * \brief SHA-256 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_sha256_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha256_process() in 2.7.0 * * \param ctx SHA-256 context * \param data buffer holding one block of data 
@@ -232,7 +232,7 @@ int mbedtls_sha256_ret( const unsigned char *input, /** * \brief Output = SHA-256( input buffer ) * - * \deprecated Superseded by mbedtls_sha256_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha256_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 0fadb4c3b..7e2fcc592 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -134,7 +134,7 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, /** * \brief SHA-512 context setup * - * \deprecated Superseded by mbedtls_sha512_starts_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_starts_ret() in 2.7.0 * * \param ctx context to be initialized * \param is384 0 = use SHA512, 1 = use SHA384 @@ -149,7 +149,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( /** * \brief SHA-512 process buffer * - * \deprecated Superseded by mbedtls_sha512_update_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_update_ret() in 2.7.0 * * \param ctx SHA-512 context * \param input buffer holding the data @@ -166,7 +166,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( /** * \brief SHA-512 final digest * - * \deprecated Superseded by mbedtls_sha512_finish_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_finish_ret() in 2.7.0 * * \param ctx SHA-512 context * \param output SHA-384/512 checksum result @@ -181,7 +181,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( /** * \brief SHA-512 process data block (internal use only) * - * \deprecated Superseded by mbedtls_internal_sha512_process() in 2.5.0 + * \deprecated Superseded by mbedtls_internal_sha512_process() in 2.7.0 * * \param ctx SHA-512 context * \param data buffer holding one block of data 
@@ -232,7 +232,7 @@ int mbedtls_sha512_ret( const unsigned char *input, /** * \brief Output = SHA-512( input buffer ) * - * \deprecated Superseded by mbedtls_sha512_ret() in 2.5.0 + * \deprecated Superseded by mbedtls_sha512_ret() in 2.7.0 * * \param input buffer holding the data * \param ilen length of the input data From 744a4ac6726a0ee18c3c160748c235cdeff0a202 Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Mon, 22 Jan 2018 13:38:31 +0100 Subject: [PATCH 137/177] Run doxygen only if the doxygen directory exists --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index c1f60511f..c18b99b2f 100644 --- a/Makefile +++ b/Makefile @@ -103,7 +103,7 @@ lcov: apidoc: mkdir -p apidoc - cd doxygen; doxygen mbedtls.doxyfile + cd doxygen && doxygen mbedtls.doxyfile apidoc_clean: rm -rf apidoc From 64c3703d1318888211ed15fb4c8c8a342c8329bc Mon Sep 17 00:00:00 2001 From: Krzysztof Stachowiak Date: Mon, 22 Jan 2018 14:32:06 +0100 Subject: [PATCH 138/177] Adjust exclusion list to the new working directory --- doxygen/mbedtls.doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 0e148af3e..d5b3abe75 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -696,7 +696,7 @@ RECURSIVE = YES # Note that relative paths are relative to the directory from which doxygen is # run. -EXCLUDE = configs yotta/module +EXCLUDE = ../configs ../yotta/module # The EXCLUDE_SYMLINKS tag can be used to select whether or not files or # directories that are symbolic links (a Unix file system feature) are excluded From 0a96910e5505d75a4dc32c09dc99e500063b4b44 Mon Sep 17 00:00:00 2001 
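Review bot: With `cd doxygen && doxygen mbedtls.doxyfile` the apidoc target now only ever runs doxygen from the doxygen/ directory, and the EXCLUDE hunk in doxygen/mbedtls.doxyfile (`EXCLUDE = ../configs ../yotta/module`) silently depends on that working directory, since the context comment right above it says relative paths are resolved from where doxygen is run. Anyone invoking doxygen from the repository root, which the old `;` form effectively did whenever `cd` failed, would presumably get the exclusions ignored without any error rather than a failed build; neither file records that coupling. I would add a one-line comment next to the setting, e.g. `# Relative to doxygen/: the apidoc target in the top-level Makefile runs doxygen from this directory.`, so the two hunks stay consistent if either path is changed later.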
From: Gilles Peskine Date: Mon, 22 Jan 2018 14:55:20 +0100 Subject: [PATCH 139/177] MD API deprecation: ChangeLog updates Use the updated names for the new functions (xxx_ret instead of xxx_ext). List the new deprecations in the appropriate sections. Credit the independent report of the misuse of zeroizing to reset a hash context in entropy.c. --- ChangeLog | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 31b6f98c4..e60ca14d9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,11 @@ New deprecations (e.g., signing with a public key). * Direct manipulation of structure fields of RSA contexts is deprecated. Users are advised to use the extended RSA API instead. + * Deprecate usage of message digest functions that return void + (mbedtls__starts, mbedtls__update, + mbedtls__finish and mbedtls__process where is + any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions + that can return an error code. API Changes * Extend RSA interface by multiple functions allowing structure- 
@@ -51,19 +56,14 @@ API Changes purpose or CRT and/or blinding. * The configuration option MBEDTLS_RSA_ALT can be used to define alternative implementations of the RSA interface declared in rsa.h. - * The following functions in the MD2, MD4, MD5, SHA1, SHA256 and SHA512 - modules have been deprecated and replaced as shown below. The new - functions change the return type from void to int to allow returning error - codes when using MBEDTLS__ALT. - mbedtls__starts() -> mbedtls__starts_ext() - mbedtls__update() -> mbedtls__update_ext() - mbedtls__finish() -> mbedtls__finish_ext() + * The following functions in the message digest modules (MD2, MD4, MD5, + SHA1, SHA256, SHA512) have been deprecated and replaced as shown below. + The new functions change the return type from void to int to allow + returning error codes when using MBEDTLS__ALT. + mbedtls__starts() -> mbedtls__starts_ret() + mbedtls__update() -> mbedtls__update_ret() + mbedtls__finish() -> mbedtls__finish_ret() mbedtls__process() -> mbedtls_internal__process() - The type of the function pointers in the mbedtls_md_info_t struct have - also been modified taking into account the functions return code. Every - usage of the deprecated functions was updated. Furthermore, the MD return - codes are checked for error after every usage, except in the ssl_tls.c - module. Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records 
@@ -118,8 +118,9 @@ Bugfix mbedtls_sha512_starts() in the mbedtls_entropy_init() function. * Fix the entropy.c module to ensure that mbedtls_sha256_init() or mbedtls_sha512_init() is called before operating on the relevant context - structure. Also, ensure that message digest contexts are freed when - calling mbedtls_entropy_free(). + structure. Do not assume that zeroizing a context is a correct way to + reset it. Found independently by ccli8 on Github. + * In mbedtls_entropy_free(), properly free the message digest context. Changes * Extend cert_write example program by options to set the CRT version @@ -132,6 +133,10 @@ Changes * Only run AES-192 self-test if AES-192 is available. Fixes #963. * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module. + * Update all internal usage of deprecated message digest functions to the + new ones with return codes. In particular, this modifies the + mbedtls_md_info_t structure. Propagate errors from these functions + everywhere except some locations in the ssl_tls.c module. = mbed TLS 2.6.0 branch released 2017-08-10 From 980d203a6bcbe9e7cbc7f0022935f5dba21646f0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 23:10:53 +0100 Subject: [PATCH 140/177] Add ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index e7abd5ce6..38704bc50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ Bugfix * Fix leap year calculation in x509_date_is_valid() to ensure that invalid dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694 + * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. = mbed TLS 2.6.0 branch released 2017-08-10 From 26faa116305e675534d60263ec332713889abbeb Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Mon, 22 Jan 2018 23:13:22 +0100 Subject: [PATCH 141/177] Add ChangeLog entry --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 2f0116bcf..99fb85dea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -42,6 +42,8 @@ Bugfix Vranken. * Fix a numerical underflow leading to stack overflow in mpi_read_file() that was triggered uppon reading an empty line. Found by Guido Vranken. + * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. + Found and fixed by Martijn de Milliano. Changes * Send fatal alerts in more cases. The previous behaviour was to skip From 7a0c6b8e954a993386d349817cb055c59520f614 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 22 Jan 2018 23:16:52 +0100 Subject: [PATCH 142/177] Add ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d64f11e4c..24b655cf7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,7 @@ Changes * Extend cert_write example program by options to set the CRT version and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. + * Add mechanism to provide alternative implementation of the DHM module. New deprecations * Deprecate usage of RSA primitives with non-matching key-type From 2840f945d29d164d6a882ea3a5250448acb6180c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2018 11:57:19 +0100 Subject: [PATCH 143/177] Add definition of inline in md5.h --- include/mbedtls/md5.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 4f8c92197..bbfcae158 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -36,6 +36,11 @@ // Regular implementation // +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ + !defined(inline) && !defined(__cplusplus) +#define inline __inline +#endif + #ifdef __cplusplus extern "C" { #endif 
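Review bot: The new `#define inline __inline` in md5.h is an object-like macro named after a C99 keyword, placed in a public header and never undefined, so it rewrites every later use of `inline` in any translation unit that includes md5.h, not only the `MBEDTLS_DEPRECATED static inline` wrappers this header declares. The hunk carries no comment saying why the macro exists, which compilers it is for, or that it is deliberately left defined; the `!defined(inline)` guard only avoids redefining it. I would put a short explanation above the `#if`, e.g. `/* ARMCC and MSVC in C mode presumably lack the C99 'inline' keyword; map it to __inline so the static inline wrappers below compile. Left defined on purpose for the rest of the translation unit. */`. If the same block already exists in the sibling md2.h/md4.h/sha*.h headers, as the commit title suggests, the guard and comment should be kept identical there so include order does not matter; those files are outside this hunk.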
From a40a101e26ffc1aacf55e471d48a26a9799278f6 Mon Sep 17 00:00:00 2001 
From: Darryl Green Date: Fri, 5 Jan 2018 15:33:17 +0000 Subject: [PATCH 144/177] Update Doxygen file blocks to remove copyright and license information --- configs/config-ccm-psk-tls1_2.h | 7 +++++-- configs/config-mini-tls1_1.h | 7 +++++-- configs/config-no-entropy.h | 5 ++++- configs/config-picocoin.h | 7 +++++-- configs/config-suite-b.h | 7 +++++-- configs/config-thread.h | 7 +++++-- include/mbedtls/aes.h | 3 ++- include/mbedtls/aesni.h | 3 ++- include/mbedtls/arc4.h | 3 ++- include/mbedtls/asn1.h | 3 ++- include/mbedtls/asn1write.h | 3 ++- include/mbedtls/base64.h | 3 ++- include/mbedtls/bignum.h | 5 +++-- include/mbedtls/blowfish.h | 3 ++- include/mbedtls/bn_mul.h | 5 +++-- include/mbedtls/camellia.h | 3 ++- include/mbedtls/ccm.h | 3 ++- include/mbedtls/certs.h | 3 ++- include/mbedtls/check_config.h | 3 ++- include/mbedtls/cipher.h | 3 ++- include/mbedtls/cipher_internal.h | 3 ++- include/mbedtls/cmac.h | 3 ++- include/mbedtls/compat-1.3.h | 3 ++- include/mbedtls/config.h | 3 ++- include/mbedtls/ctr_drbg.h | 3 ++- include/mbedtls/debug.h | 3 ++- include/mbedtls/des.h | 3 ++- include/mbedtls/dhm.h | 3 ++- include/mbedtls/ecdh.h | 3 ++- include/mbedtls/ecdsa.h | 3 ++- include/mbedtls/ecjpake.h | 3 ++- include/mbedtls/ecp.h | 3 ++- include/mbedtls/ecp_internal.h | 3 ++- include/mbedtls/entropy.h | 3 ++- include/mbedtls/entropy_poll.h | 3 ++- include/mbedtls/error.h | 3 ++- include/mbedtls/gcm.h | 3 ++- include/mbedtls/havege.h | 3 ++- include/mbedtls/hmac_drbg.h | 3 ++- include/mbedtls/md.h | 3 ++- include/mbedtls/md2.h | 3 ++- include/mbedtls/md4.h | 3 ++- include/mbedtls/md5.h | 3 ++- include/mbedtls/md_internal.h | 3 ++- include/mbedtls/memory_buffer_alloc.h | 3 ++- include/mbedtls/net.h | 5 +++-- include/mbedtls/net_sockets.h | 3 ++- include/mbedtls/oid.h | 3 ++- include/mbedtls/padlock.h | 3 ++- include/mbedtls/pem.h | 3 ++- include/mbedtls/pk.h | 3 ++- include/mbedtls/pk_internal.h | 5 +++-- include/mbedtls/pkcs11.h | 3 ++- include/mbedtls/pkcs12.h | 3 ++- 
include/mbedtls/pkcs5.h | 3 ++- include/mbedtls/platform.h | 3 ++- include/mbedtls/platform_time.h | 3 ++- include/mbedtls/ripemd160.h | 3 ++- include/mbedtls/rsa.h | 3 ++- include/mbedtls/rsa_internal.h | 3 ++- include/mbedtls/sha1.h | 3 ++- include/mbedtls/sha256.h | 3 ++- include/mbedtls/sha512.h | 3 ++- include/mbedtls/ssl.h | 3 ++- include/mbedtls/ssl_cache.h | 3 ++- include/mbedtls/ssl_ciphersuites.h | 3 ++- include/mbedtls/ssl_cookie.h | 3 ++- include/mbedtls/ssl_internal.h | 5 +++-- include/mbedtls/ssl_ticket.h | 3 ++- include/mbedtls/threading.h | 3 ++- include/mbedtls/timing.h | 3 ++- include/mbedtls/version.h | 3 ++- include/mbedtls/x509.h | 3 ++- include/mbedtls/x509_crl.h | 3 ++- include/mbedtls/x509_crt.h | 3 ++- include/mbedtls/x509_csr.h | 3 ++- include/mbedtls/xtea.h | 3 ++- 77 files changed, 176 insertions(+), 87 deletions(-) diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index aee10b86f..a783e6b73 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -1,6 +1,9 @@ -/* - * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites +/** + * \file config-ccm-psk-tls1_2.h * + * \brief Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h index e22363d1a..013bc0300 100644 --- a/configs/config-mini-tls1_1.h +++ b/configs/config-mini-tls1_1.h @@ -1,6 +1,9 @@ -/* - * Minimal configuration for TLS 1.1 (RFC 4346) +/** + * \file config-mini-tls1_1.h * + * \brief Minimal configuration for TLS 1.1 (RFC 4346) + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/configs/config-no-entropy.h b/configs/config-no-entropy.h index 73758602a..b4a0930b9 100644 --- a/configs/config-no-entropy.h +++ b/configs/config-no-entropy.h 
@@ -1,6 +1,9 @@ /** - * Minimal configuration of features that do not require an entropy source + * \file config-no-entropy.h * + * \brief Minimal configuration of features that do not require an entropy source + */ +/* * Copyright (C) 2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/configs/config-picocoin.h b/configs/config-picocoin.h index 26b24a9e2..5d41f282f 100644 --- a/configs/config-picocoin.h +++ b/configs/config-picocoin.h @@ -1,6 +1,9 @@ -/* - * Reduced configuration used by Picocoin. +/** + * \file config-picocoin.h * + * \brief Reduced configuration used by Picocoin. + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 3c4804c79..18e2c4036 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -1,6 +1,9 @@ -/* - * Minimal configuration for TLS NSA Suite B Profile (RFC 6460) +/** + * \file config-suite-b.h * + * \brief Minimal configuration for TLS NSA Suite B Profile (RFC 6460) + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/configs/config-thread.h b/configs/config-thread.h index 990fe08c6..25db16bf0 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -1,6 +1,9 @@ -/* - * Minimal configuration for using TLS as part of Thread +/** + * \file config-thread.h * + * \brief Minimal configuration for using TLS as part of Thread + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index c8dd0f355..71dcea9e5 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -2,7 +2,8 @@ * \file aes.h * * \brief AES block cipher - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * 
diff --git a/include/mbedtls/aesni.h b/include/mbedtls/aesni.h index b1b7f1cde..746baa0e1 100644 --- a/include/mbedtls/aesni.h +++ b/include/mbedtls/aesni.h @@ -2,7 +2,8 @@ * \file aesni.h * * \brief AES-NI for hardware AES acceleration on some Intel processors - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/arc4.h b/include/mbedtls/arc4.h index 5fc5395a8..26de33f8d 100644 --- a/include/mbedtls/arc4.h +++ b/include/mbedtls/arc4.h @@ -2,7 +2,8 @@ * \file arc4.h * * \brief The ARCFOUR stream cipher - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index e159e57ea..fde328a12 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -2,7 +2,8 @@ * \file asn1.h * * \brief Generic ASN.1 parsing - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/asn1write.h b/include/mbedtls/asn1write.h index 73ff32b66..f76fc807d 100644 --- a/include/mbedtls/asn1write.h +++ b/include/mbedtls/asn1write.h @@ -2,7 +2,8 @@ * \file asn1write.h * * \brief ASN.1 buffer writing functionality - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/base64.h b/include/mbedtls/base64.h index 352c652db..7a64f5216 100644 --- a/include/mbedtls/base64.h +++ b/include/mbedtls/base64.h @@ -2,7 +2,8 @@ * \file base64.h * * \brief RFC 1521 base64 encoding/decoding - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 0b4001542..c20b36780 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h 
@@ -1,8 +1,9 @@ /** * \file bignum.h * - * \brief Multi-precision integer library - * + * \brief Multi-precision integer library + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index 34626eef4..6593730e4 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -2,7 +2,8 @@ * \file blowfish.h * * \brief Blowfish block cipher - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h index cac3f1457..354c1cc1a 100644 --- a/include/mbedtls/bn_mul.h +++ b/include/mbedtls/bn_mul.h @@ -1,8 +1,9 @@ /** * \file bn_mul.h * - * \brief Multi-precision integer library - * + * \brief Multi-precision integer library + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 0424d623f..107056fc6 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -2,7 +2,8 @@ * \file camellia.h * * \brief Camellia block cipher - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 579402fd4..acd94adb8 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -2,7 +2,8 @@ * \file ccm.h * * \brief Counter with CBC-MAC (CCM) for 128-bit block ciphers - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/certs.h b/include/mbedtls/certs.h index ca49086e4..8dab7b5ce 100644 --- a/include/mbedtls/certs.h +++ b/include/mbedtls/certs.h 
@@ -2,7 +2,8 @@ * \file certs.h * * \brief Sample certificates and DHM parameters for testing - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index fa72454e5..1143aa268 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -2,7 +2,8 @@ * \file check_config.h * * \brief Consistency checks for configuration options - * + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index b12e38843..b92a8dbb9 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -4,7 +4,8 @@ * \brief Generic cipher wrapper. * * \author Adriaan de Jong - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/cipher_internal.h b/include/mbedtls/cipher_internal.h index 6c58bcc52..969ff9ccb 100644 --- a/include/mbedtls/cipher_internal.h +++ b/include/mbedtls/cipher_internal.h @@ -4,7 +4,8 @@ * \brief Cipher wrappers. * * \author Adriaan de Jong - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index 4d3f2d2f4..a7f7f45e9 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -3,7 +3,8 @@ * * \brief Cipher-based Message Authentication Code (CMAC) Mode for * Authentication - * + */ +/* * Copyright (C) 2015-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h index bba1d2c24..600a0f154 100644 --- a/include/mbedtls/compat-1.3.h +++ b/include/mbedtls/compat-1.3.h 
@@ -5,7 +5,8 @@ * for the PolarSSL naming conventions. * * \deprecated Use the new names directly instead - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 70039897d..5e6b63e82 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -6,7 +6,8 @@ * This set of compile-time options may be used to enable * or disable features selectively, and reduce the global * memory footprint. - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 059d3c5c9..01cd826a1 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -2,7 +2,8 @@ * \file ctr_drbg.h * * \brief CTR_DRBG based on AES-256 (NIST SP 800-90) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index 295799640..ef8db67ff 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -2,7 +2,8 @@ * \file debug.h * * \brief Functions for controlling and providing debug output from the library. - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h index 5ca2ecf2e..7f8f27eea 100644 --- a/include/mbedtls/des.h +++ b/include/mbedtls/des.h @@ -2,7 +2,8 @@ * \file des.h * * \brief DES block cipher - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index f9725ab09..d017b380e 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h 
@@ -2,7 +2,8 @@ * \file dhm.h * * \brief Diffie-Hellman-Merkle key exchange - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 625a28192..14a362b19 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -2,7 +2,8 @@ * \file ecdh.h * * \brief Elliptic curve Diffie-Hellman - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index a277715b3..6c6ae294f 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -2,7 +2,8 @@ * \file ecdsa.h * * \brief Elliptic curve DSA - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 161a5b213..6fcffc777 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -2,7 +2,8 @@ * \file ecjpake.h * * \brief Elliptic curve J-PAKE - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index dad9aef00..977134059 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -2,7 +2,8 @@ * \file ecp.h * * \brief Elliptic curves over GF(p) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ecp_internal.h b/include/mbedtls/ecp_internal.h index 2991e26dd..8a6d517ed 100644 --- a/include/mbedtls/ecp_internal.h +++ b/include/mbedtls/ecp_internal.h @@ -3,7 +3,8 @@ * * \brief Function declarations for alternative implementation of elliptic curve * point arithmetic. - * + */ +/* * Copyright (C) 2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * 
diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index 747aca4df..316177746 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -2,7 +2,8 @@ * \file entropy.h * * \brief Entropy accumulator implementation - * + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/entropy_poll.h b/include/mbedtls/entropy_poll.h index 81258d5f3..94dd657eb 100644 --- a/include/mbedtls/entropy_poll.h +++ b/include/mbedtls/entropy_poll.h @@ -2,7 +2,8 @@ * \file entropy_poll.h * * \brief Platform-specific and custom entropy polling functions - * + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 4eb7b78eb..bd4ca90f0 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -2,7 +2,8 @@ * \file error.h * * \brief Error to string translation - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index 8f3b56575..f1019861d 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -2,7 +2,8 @@ * \file gcm.h * * \brief Galois/Counter mode for 128-bit block ciphers - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/havege.h b/include/mbedtls/havege.h index dac5d3113..d4cb3ed38 100644 --- a/include/mbedtls/havege.h +++ b/include/mbedtls/havege.h @@ -2,7 +2,8 @@ * \file havege.h * * \brief HAVEGE: HArdware Volatile Entropy Gathering and Expansion - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h index e01055802..e0821cf78 100644 --- a/include/mbedtls/hmac_drbg.h +++ b/include/mbedtls/hmac_drbg.h 
@@ -2,7 +2,8 @@ * \file hmac_drbg.h * * \brief HMAC_DRBG (NIST SP 800-90A) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 89be847ce..f23bad40a 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -4,7 +4,8 @@ * \brief Generic message digest wrapper * * \author Adriaan de Jong - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 0f93fbf42..89fcf36ec 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -2,7 +2,8 @@ * \file md2.h * * \brief MD2 message digest algorithm (hash function) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index 45214d41d..f086abbdb 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -2,7 +2,8 @@ * \file md4.h * * \brief MD4 message digest algorithm (hash function) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 5a64061aa..378f63f58 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -2,7 +2,8 @@ * \file md5.h * * \brief MD5 message digest algorithm (hash function) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/md_internal.h b/include/mbedtls/md_internal.h index e2441bbc4..d05173064 100644 --- a/include/mbedtls/md_internal.h +++ b/include/mbedtls/md_internal.h @@ -6,7 +6,8 @@ * \warning This in an internal header. Do not include directly. * * \author Adriaan de Jong - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * 
diff --git a/include/mbedtls/memory_buffer_alloc.h b/include/mbedtls/memory_buffer_alloc.h index d5df316fd..705f9a636 100644 --- a/include/mbedtls/memory_buffer_alloc.h +++ b/include/mbedtls/memory_buffer_alloc.h @@ -2,7 +2,8 @@ * \file memory_buffer_alloc.h * * \brief Buffer-based memory allocator - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/net.h b/include/mbedtls/net.h index 774559b3c..28ae8217c 100644 --- a/include/mbedtls/net.h +++ b/include/mbedtls/net.h @@ -3,6 +3,9 @@ * * \brief Deprecated header file that includes mbedtls/net_sockets.h * + * \deprecated Superseded by mbedtls/net_sockets.h + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * @@ -19,8 +22,6 @@ * limitations under the License. * * This file is part of mbed TLS (https://tls.mbed.org) - * - * \deprecated Superseded by mbedtls/net_sockets.h */ #if !defined(MBEDTLS_DEPRECATED_REMOVED) diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index de335526f..54e612cc5 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -2,7 +2,8 @@ * \file net_sockets.h * * \brief Network communication functions - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index fcecdafdc..bf2ef5ece 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -2,7 +2,8 @@ * \file oid.h * * \brief Object Identifier (OID) database - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/padlock.h b/include/mbedtls/padlock.h index 2045a5ab6..677936ebf 100644 --- a/include/mbedtls/padlock.h +++ b/include/mbedtls/padlock.h 
@@ -3,7 +3,8 @@ * * \brief VIA PadLock ACE for HW encryption/decryption supported by some * processors - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index 54dc02d7c..2cf4c0a70 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -2,7 +2,8 @@ * \file pem.h * * \brief Privacy Enhanced Mail (PEM) decoding - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index f9f9b9bb0..28f615007 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -2,7 +2,8 @@ * \file pk.h * * \brief Public Key abstraction layer - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pk_internal.h b/include/mbedtls/pk_internal.h index 01d0f214b..3dae0fc5b 100644 --- a/include/mbedtls/pk_internal.h +++ b/include/mbedtls/pk_internal.h @@ -1,8 +1,9 @@ /** - * \file pk.h + * \file pk_internal.h * * \brief Public Key abstraction layer: wrapper functions - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pkcs11.h b/include/mbedtls/pkcs11.h index 2e8892813..bf65c55a7 100644 --- a/include/mbedtls/pkcs11.h +++ b/include/mbedtls/pkcs11.h @@ -4,7 +4,8 @@ * \brief Wrapper for PKCS#11 library libpkcs11-helper * * \author Adriaan de Jong - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pkcs12.h b/include/mbedtls/pkcs12.h index 9b2d90459..a621ef5b1 100644 --- a/include/mbedtls/pkcs12.h +++ b/include/mbedtls/pkcs12.h 
@@ -2,7 +2,8 @@ * \file pkcs12.h * * \brief PKCS#12 Personal Information Exchange Syntax - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/pkcs5.h b/include/mbedtls/pkcs5.h index ec5cb9e74..9a3c9fddc 100644 --- a/include/mbedtls/pkcs5.h +++ b/include/mbedtls/pkcs5.h @@ -4,7 +4,8 @@ * \brief PKCS#5 functions * * \author Mathias Olsson - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index 35010f885..e05175118 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -2,7 +2,8 @@ * \file platform.h * * \brief mbed TLS Platform abstraction layer - * + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/platform_time.h b/include/mbedtls/platform_time.h index abb343142..2ed36f56c 100644 --- a/include/mbedtls/platform_time.h +++ b/include/mbedtls/platform_time.h @@ -2,7 +2,8 @@ * \file platform_time.h * * \brief mbed TLS Platform time abstraction - * + */ +/* * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 7083fc859..ae365f3d6 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -2,7 +2,8 @@ * \file ripemd160.h * * \brief RIPE MD-160 message digest - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index d7503ac83..a4a471683 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -2,7 +2,8 @@ * \file rsa.h * * \brief The RSA public-key cryptosystem - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * 
diff --git a/include/mbedtls/rsa_internal.h b/include/mbedtls/rsa_internal.h index 7e6a2ecd9..bcb3c9401 100644 --- a/include/mbedtls/rsa_internal.h +++ b/include/mbedtls/rsa_internal.h @@ -2,7 +2,8 @@ * \file rsa_internal.h * * \brief Context-independent RSA helper functions - * + */ +/* * Copyright (C) 2006-2017, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 7a67c6c1f..d98f166f9 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -2,7 +2,8 @@ * \file sha1.h * * \brief SHA-1 cryptographic hash function - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index f8041adf0..1c872dd55 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -2,7 +2,8 @@ * \file sha256.h * * \brief SHA-224 and SHA-256 cryptographic hash function - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 627694f42..542dc990b 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -2,7 +2,8 @@ * \file sha512.h * * \brief SHA-384 and SHA-512 cryptographic hash function - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index e98101e19..7ad71cc31 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2,7 +2,8 @@ * \file ssl.h * * \brief SSL/TLS functions. - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h index 3734bb727..ec081e6d2 100644 --- a/include/mbedtls/ssl_cache.h +++ b/include/mbedtls/ssl_cache.h 
@@ -2,7 +2,8 @@ * \file ssl_cache.h * * \brief SSL session cache implementation - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 9101d9cc7..545468a51 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -2,7 +2,8 @@ * \file ssl_ciphersuites.h * * \brief SSL Ciphersuites for mbed TLS - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h index 037e1c311..80b65bbbb 100644 --- a/include/mbedtls/ssl_cookie.h +++ b/include/mbedtls/ssl_cookie.h @@ -2,7 +2,8 @@ * \file ssl_cookie.h * * \brief DTLS cookie callbacks implementation - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 756360b18..509927ad9 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1,8 +1,9 @@ /** - * \file ssl_ticket.h + * \file ssl_internal.h * * \brief Internal functions shared by the SSL modules - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index 7c6bc61bf..93ad46ac9 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -2,7 +2,8 @@ * \file ssl_ticket.h * * \brief TLS server ticket callbacks implementation - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h index b0c34ecc7..58e6db2f3 100644 --- a/include/mbedtls/threading.h +++ b/include/mbedtls/threading.h 
@@ -2,7 +2,8 @@ * \file threading.h * * \brief Threading abstraction layer - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h index bfb8579a0..2c497bf4e 100644 --- a/include/mbedtls/timing.h +++ b/include/mbedtls/timing.h @@ -2,7 +2,8 @@ * \file timing.h * * \brief Portable interface to timeouts and to the CPU cycle counter - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 3b209a6b0..8af6f0170 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -2,7 +2,8 @@ * \file version.h * * \brief Run-time version information - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index d7e318dfd..d6db9c6e3 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -2,7 +2,8 @@ * \file x509.h * * \brief X.509 generic defines and structures - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h index 798843990..08a4283a6 100644 --- a/include/mbedtls/x509_crl.h +++ b/include/mbedtls/x509_crl.h @@ -2,7 +2,8 @@ * \file x509_crl.h * * \brief X.509 certificate revocation list parsing - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index b7a509831..2dbb7ec96 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -2,7 +2,8 @@ * \file x509_crt.h * * \brief X.509 certificate parsing and writing - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * 
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index fe9843cb5..0c6ccad78 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -2,7 +2,8 @@ * \file x509_csr.h * * \brief X.509 certificate signing request parsing and writing - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * diff --git a/include/mbedtls/xtea.h b/include/mbedtls/xtea.h index b073f84ef..1d01e56f8 100644 --- a/include/mbedtls/xtea.h +++ b/include/mbedtls/xtea.h @@ -2,7 +2,8 @@ * \file xtea.h * * \brief XTEA block cipher (32-bit) - * + */ +/* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * From 25facddba4c2248f120b48a7819e9c8ea91ad7d0 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 23 Jan 2018 15:36:58 +0000 Subject: [PATCH 145/177] doxygen: Remove copyright block from Doxygen comments Remove the copyright block from the Doxygen comments, to clean up the detailed description in the generated Doxygen output. Also, add \file and \brief tags to all headers in doxygen/input. --- doxygen/input/doc_encdec.h | 7 +++++-- doxygen/input/doc_hashing.h | 7 +++++-- doxygen/input/doc_mainpage.h | 7 +++++-- doxygen/input/doc_rng.h | 7 +++++-- doxygen/input/doc_ssltls.h | 7 +++++-- doxygen/input/doc_tcpip.h | 7 +++++-- doxygen/input/doc_x509.h | 7 +++++-- 7 files changed, 35 insertions(+), 14 deletions(-) diff --git a/doxygen/input/doc_encdec.h b/doxygen/input/doc_encdec.h index 9538ed28e..b1281cb63 100644 --- a/doxygen/input/doc_encdec.h +++ b/doxygen/input/doc_encdec.h @@ -1,6 +1,9 @@ /** - * @file - * Encryption/decryption module documentation file. + * \file doc_encdec.h + * + * \brief Encryption/decryption module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_hashing.h b/doxygen/input/doc_hashing.h index 49f15ea88..e54b28e56 100644 
--- a/doxygen/input/doc_hashing.h +++ b/doxygen/input/doc_hashing.h @@ -1,6 +1,9 @@ /** - * @file - * Hashing module documentation file. + * \file doc_hashing.h + * + * \brief Hashing module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index 87b5041bb..add75f7a2 100644 --- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -1,6 +1,9 @@ /** - * @file - * Main page documentation file. + * \file doc_mainpage.h + * + * \brief Main page documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_rng.h b/doxygen/input/doc_rng.h index 0159ef357..0f212e040 100644 --- a/doxygen/input/doc_rng.h +++ b/doxygen/input/doc_rng.h @@ -1,6 +1,9 @@ /** - * @file - * Random number generator (RNG) module documentation file. + * \file doc_rng.h + * + * \brief Random number generator (RNG) module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_ssltls.h b/doxygen/input/doc_ssltls.h index 7f104bd4d..4addfb38e 100644 --- a/doxygen/input/doc_ssltls.h +++ b/doxygen/input/doc_ssltls.h @@ -1,6 +1,9 @@ /** - * @file - * SSL/TLS communication module documentation file. + * \file doc_ssltls.h + * + * \brief SSL/TLS communication module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_tcpip.h b/doxygen/input/doc_tcpip.h index 34d3ca1b5..95f458601 100644 --- a/doxygen/input/doc_tcpip.h +++ b/doxygen/input/doc_tcpip.h 
@@ -1,6 +1,9 @@ /** - * @file - * TCP/IP communication module documentation file. + * \file doc_tcpip.h + * + * \brief TCP/IP communication module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 diff --git a/doxygen/input/doc_x509.h b/doxygen/input/doc_x509.h index 315f0e3ce..9b52569bb 100644 --- a/doxygen/input/doc_x509.h +++ b/doxygen/input/doc_x509.h @@ -1,6 +1,9 @@ /** - * @file - * X.509 module documentation file. + * \file doc_x509.h + * + * \brief X.509 module documentation file. + */ +/* * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * SPDX-License-Identifier: Apache-2.0 From a381fe84ce68347631ce09d2f7a655a58f7af046 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2018 18:16:11 +0100 Subject: [PATCH 146/177] Add HW_FAILED error codes for message digest modules New error codes to report failures from alternative implementations of MD2, MD4, MD5, RIPEMD160, SHA-1, SHA-256, SHA-512. --- include/mbedtls/error.h | 9 +++++- include/mbedtls/md2.h | 2 ++ include/mbedtls/md4.h | 2 ++ include/mbedtls/md5.h | 2 ++ include/mbedtls/ripemd160.h | 2 ++ include/mbedtls/sha1.h | 2 ++ include/mbedtls/sha256.h | 2 ++ include/mbedtls/sha512.h | 2 ++ library/error.c | 63 +++++++++++++++++++++++++++++++++++++ 9 files changed, 85 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 4eb7b78eb..16bc8dcb6 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -64,8 +64,15 @@ * NET 11 0x0042-0x0052 0x0043-0x0045 * ASN1 7 0x0060-0x006C * PBKDF2 1 0x007C-0x007C - * HMAC_DRBG 4 0x0003-0x0009 + * HMAC_DRBG 4 0x0003-0x0009 * CCM 2 0x000D-0x000F + * MD2 1 0x002B-0x002B + * MD4 1 0x002D-0x002D + * MD5 1 0x002F-0x002F + * RIPEMD160 1 0x0031-0x0031 + * SHA1 1 0x0035-0x0035 + * SHA256 1 0x0037-0x0037 + * SHA512 1 0x0039-0x0039 * * High-level module nr (3 bits - 0x0...-0x7...) * Name ID Nr of Errors 
diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 925c69dde..1a9940bba 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -31,6 +31,8 @@ #include +#define MBEDTLS_ERR_MD2_HW_ACCEL_FAILED -0x002B /**< MD2 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index f9341a856..ed203709b 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_MD4_HW_ACCEL_FAILED -0x002D /**< MD4 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index bbfcae158..dfd704cf2 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_MD5_HW_ACCEL_FAILED -0x002F /**< MD5 hardware accelerator failed */ + #if !defined(MBEDTLS_MD5_ALT) // Regular implementation // diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index ad548d302..93a16bc40 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED -0x0031 /**< RIPEMD160 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 03c474bc6..b879ee6aa 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED -0x0035 /**< SHA-1 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline 
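Review bot: The doc comment on the new `MBEDTLS_ERR_MD2_HW_ACCEL_FAILED` define says only "MD2 hardware accelerator failed", which does not tell an integrator which entry points can return it or that the digest output is then unusable; a caller that ignores the code will silently consume an incomplete hash. I would expand it to something like `/**< MD2 hardware accelerator failed. Returned by the _ret functions of an alternative (MBEDTLS_MD2_ALT) implementation; on this error the output buffer is invalid and must not be used. */` and do the same for the MD4, MD5, RIPEMD160, SHA-1, SHA-256 and SHA-512 defines in this series. It is also worth a sentence that the deprecated `void` wrappers (for instance `mbedtls_ripemd160_process`, visible later in the series) cannot propagate this code, so alt users must call the `_ret` API. The define sits above the `#if !defined(MBEDTLS_MD5_ALT)` guard in the md5.h hunk, which is correct since the alt implementation needs it.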
diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 9c52f781c..e9cc0ca21 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED -0x0037 /**< SHA-256 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 7e2fcc592..395f8bb61 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -32,6 +32,8 @@ #include #include +#define MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED -0x0039 /**< SHA-512 hardware accelerator failed */ + #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) #define inline __inline diff --git a/library/error.c b/library/error.c index 151ca4eae..9079c5cbc 100644 --- a/library/error.c +++ b/library/error.c @@ -101,6 +101,18 @@ #include "mbedtls/md.h" #endif +#if defined(MBEDTLS_MD2_C) +#include "mbedtls/md2.h" +#endif + +#if defined(MBEDTLS_MD4_C) +#include "mbedtls/md4.h" +#endif + +#if defined(MBEDTLS_MD5_C) +#include "mbedtls/md5.h" +#endif + #if defined(MBEDTLS_NET_C) #include "mbedtls/net_sockets.h" #endif @@ -129,10 +141,26 @@ #include "mbedtls/pkcs5.h" #endif +#if defined(MBEDTLS_RIPEMD160_C) +#include "mbedtls/ripemd160.h" +#endif + #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" #endif +#if defined(MBEDTLS_SHA1_C) +#include "mbedtls/sha1.h" +#endif + +#if defined(MBEDTLS_SHA256_C) +#include "mbedtls/sha256.h" +#endif + +#if defined(MBEDTLS_SHA512_C) +#include "mbedtls/sha512.h" +#endif + #if defined(MBEDTLS_SSL_TLS_C) #include "mbedtls/ssl.h" #endif 
@@ -635,6 +663,21 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "HMAC_DRBG - The entropy source failed" ); #endif /* MBEDTLS_HMAC_DRBG_C */ +#if defined(MBEDTLS_MD2_C) + if( use_ret == -(MBEDTLS_ERR_MD2_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "MD2 - MD2 hardware accelerator failed" ); +#endif /* MBEDTLS_MD2_C */ + +#if defined(MBEDTLS_MD4_C) + if( use_ret == -(MBEDTLS_ERR_MD4_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "MD4 - MD4 hardware accelerator failed" ); +#endif /* MBEDTLS_MD4_C */ + +#if defined(MBEDTLS_MD5_C) + if( use_ret == -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" ); +#endif /* MBEDTLS_MD5_C */ + #if defined(MBEDTLS_NET_C) if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) ) mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" ); 
@@ -672,6 +715,26 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "PADLOCK - Input data should be aligned" ); #endif /* MBEDTLS_PADLOCK_C */ +#if defined(MBEDTLS_RIPEMD160_C) + if( use_ret == -(MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "RIPEMD160 - RIPEMD160 hardware accelerator failed" ); +#endif /* MBEDTLS_RIPEMD160_C */ + +#if defined(MBEDTLS_SHA1_C) + if( use_ret == -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "SHA1 - SHA-1 hardware accelerator failed" ); +#endif /* MBEDTLS_SHA1_C */ + +#if defined(MBEDTLS_SHA256_C) + if( use_ret == -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "SHA256 - SHA-256 hardware accelerator failed" ); +#endif /* MBEDTLS_SHA256_C */ + +#if defined(MBEDTLS_SHA512_C) + if( use_ret == -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "SHA512 - SHA-512 hardware accelerator failed" ); +#endif /* MBEDTLS_SHA512_C */ + #if defined(MBEDTLS_THREADING_C) if( use_ret == -(MBEDTLS_ERR_THREADING_FEATURE_UNAVAILABLE) ) mbedtls_snprintf( buf, buflen, "THREADING - The selected feature is not available" ); From 342d928e8dda9fc307d685dcbc6b9342a49e805b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 23 Jan 2018 18:21:21 +0100 Subject: [PATCH 147/177] Fix proprocessor directives for MBEDTLS_RIPEMD160_ALT --- include/mbedtls/ripemd160.h | 2 +- library/ripemd160.c | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 93a16bc40..3921e6695 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -199,7 +199,7 @@ MBEDTLS_DEPRECATED static inline void mbedtls_ripemd160_process( #endif #else /* MBEDTLS_RIPEMD160_ALT */ -#include "ripemd160.h" +#include "ripemd160_alt.h" #endif /* MBEDTLS_RIPEMD160_ALT */ #ifdef __cplusplus 
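Review bot: A user-visible bug fix with no ChangeLog entry: replacing the self-include `#include "ripemd160.h"` with `#include "ripemd160_alt.h"` means `MBEDTLS_RIPEMD160_ALT` could not have worked before, yet the diffstat for this commit lists only `ripemd160.h` and `ripemd160.c`, unlike the ECJPAKE commit that follows which does add an entry. A one-line Bugfix note naming `MBEDTLS_RIPEMD160_ALT` would let integrators know the option became usable in this release. Since the alternative header is now actually pulled in, I would also state the contract next to the `#else`, e.g. `/* ripemd160_alt.h must declare mbedtls_ripemd160_context and the same mbedtls_ripemd160_*_ret() API as the reference branch above */`, so an alt header that drifts from the reference declarations is caught in review rather than at link time.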
diff --git a/library/ripemd160.c b/library/ripemd160.c index 260fee686..b85b117c6 100644 --- a/library/ripemd160.c +++ b/library/ripemd160.c @@ -46,6 +46,8 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_RIPEMD160_ALT) + /* * 32-bit integer manipulation macros (little endian) */ @@ -393,6 +395,8 @@ int mbedtls_ripemd160_finish_ret( mbedtls_ripemd160_context *ctx, return( 0 ); } +#endif /* ! MBEDTLS_RIPEMD160_ALT */ + /* * output = RIPEMD-160( input buffer ) */ From 616d1ca6052307ade19a024127c9c3b0929dfe13 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jan 2018 10:25:05 +0000 Subject: [PATCH 148/177] Add support for alternative ECJPAKE implementation This commit allows users to provide alternative implementations of the ECJPAKE interface through the configuration option MBEDTLS_ECJPAKE_ALT. When set, the user must add `ecjpake_alt.h` declaring the same interface as `ecjpake.h`, as well as add some compilation unit which implements the functionality. This is in line with the preexisting support for alternative implementations of other modules. --- ChangeLog | 2 ++ include/mbedtls/config.h | 1 + include/mbedtls/ecjpake.h | 18 +++++++++++++++++- library/ecjpake.c | 3 +++ library/version_features.c | 3 +++ 5 files changed, 26 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index a200d51fb..0b8667bf1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,8 @@ Features The following functions from the ECDH module can be replaced with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). + * Add support for alternative implementation for ECJPAKE, controlled by + new configuration flag MBEDTLS_ECJPAKE_ALT. API Changes * Extend RSA interface by multiple functions allowing structure- diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 5e6b63e82..6f62a8772 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
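Review bot: Closing the guard with `#endif /* ! MBEDTLS_RIPEMD160_ALT */` just before the `output = RIPEMD-160( input buffer )` wrapper leaves that wrapper and the self-test in the library on top of whatever `ripemd160_alt.h` provides, but nothing says this is deliberate. Two things then matter that the hunk does not show: the wrapper must propagate `MBEDTLS_ERR_RIPEMD160_HW_ACCEL_FAILED` from each `_starts_ret`/`_update_ret`/`_finish_ret` call and free its context on every error path, and the self-test vectors become the only thing validating the alternative implementation. I would add above the wrapper `/* Not guarded by MBEDTLS_RIPEMD160_ALT: built on the (possibly alternative) *_ret API so the wrapper and self-test exercise it. */` once both points are confirmed. The wrapper and self-test bodies lie outside this hunk.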
@@ -271,6 +271,7 @@ //#define MBEDTLS_CMAC_ALT //#define MBEDTLS_DES_ALT //#define MBEDTLS_DHM_ALT +//#define MBEDTLS_ECJPAKE_ALT //#define MBEDTLS_GCM_ALT //#define MBEDTLS_MD2_ALT //#define MBEDTLS_MD4_ALT diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 6fcffc777..d86e8207f 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -44,6 +44,8 @@ #include "ecp.h" #include "md.h" +#if !defined(MBEDTLS_ECJPAKE_ALT) + #ifdef __cplusplus extern "C" { #endif @@ -223,17 +225,31 @@ int mbedtls_ecjpake_derive_secret( mbedtls_ecjpake_context *ctx, */ void mbedtls_ecjpake_free( mbedtls_ecjpake_context *ctx ); +#ifdef __cplusplus +} +#endif + +#else /* MBEDTLS_ECJPAKE_ALT */ +#include "ecjpake_alt.h" +#endif /* MBEDTLS_ECJPAKE_ALT */ + #if defined(MBEDTLS_SELF_TEST) + +#ifdef __cplusplus +extern "C" { +#endif + /** * \brief Checkup routine * * \return 0 if successful, or 1 if a test failed */ int mbedtls_ecjpake_self_test( int verbose ); -#endif #ifdef __cplusplus } #endif +#endif /* MBEDTLS_SELF_TEST */ + #endif /* ecjpake.h */ diff --git a/library/ecjpake.c b/library/ecjpake.c index 1fa1c2d80..e8f40862b 100644 --- a/library/ecjpake.c +++ b/library/ecjpake.c @@ -36,6 +36,8 @@ #include +#if !defined(MBEDTLS_ECJPAKE_ALT) + /* * Convert a mbedtls_ecjpake_role to identifier string */ @@ -764,6 +766,7 @@ cleanup: #undef ID_MINE #undef ID_PEER +#endif /* ! MBEDTLS_ECJPAKE_ALT */ #if defined(MBEDTLS_SELF_TEST) diff --git a/library/version_features.c b/library/version_features.c index ede2276a5..72afec2da 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -108,6 +108,9 @@ static const char *features[] = { #if defined(MBEDTLS_DHM_ALT) "MBEDTLS_DHM_ALT", #endif /* MBEDTLS_DHM_ALT */ +#if defined(MBEDTLS_ECJPAKE_ALT) + "MBEDTLS_ECJPAKE_ALT", +#endif /* MBEDTLS_ECJPAKE_ALT */ #if defined(MBEDTLS_GCM_ALT) "MBEDTLS_GCM_ALT", #endif /* MBEDTLS_GCM_ALT */ From 9b534666a211da28c2ccf2f1e0f564bb1fc7ab0d Mon Sep 17 00:00:00 2001 
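Review bot: The new `#endif /* ! MBEDTLS_ECJPAKE_ALT */` in ecjpake.c closes the guard immediately before `#if defined(MBEDTLS_SELF_TEST)`, so the library's `mbedtls_ecjpake_self_test()` is still compiled and linked when MBEDTLS_ECJPAKE_ALT is set, and the ecjpake.h hunk above keeps its declaration outside the ALT guard to match. That only works if the self-test body uses nothing but the public interface; should it call a static helper from the now-excluded region, ALT builds fail at compile time, which this hunk cannot show either way since the self-test body lies outside it. The intent deserves a line next to the `#endif`, for example `/* The self-test below stays enabled under MBEDTLS_ECJPAKE_ALT: it goes through the public API only, so it also exercises an alternative implementation. */`, once that condition has been confirmed.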
From: Gilles Peskine Date: Thu, 18 Jan 2018 00:04:08 +0100 Subject: [PATCH 149/177] Add ChangeLog entry --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index a200d51fb..34e3406eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -104,6 +104,9 @@ Bugfix * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. Found and fixed by Martijn de Milliano. + * Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that + sometimes accepted invalid padding. (Not used in TLS.) Found and fixed + by Micha Kraus. Changes * Extend cert_write example program by options to set the CRT version From 087d5ad593fbd6c1cc432f8c1736afced1060c84 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 24 Jan 2018 16:06:25 +0000 Subject: [PATCH 150/177] Minor improvement in ChangeLog --- ChangeLog | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0b8667bf1..68aa6da48 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -28,14 +28,14 @@ Features The following functions from the ECDSA module can be replaced with alternative implementation: mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey(). - * Add support for alternative implementation for ECDH, controlled by new - configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and + * Add support for alternative implementation of ECDH, controlled by the + new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h. The following functions from the ECDH module can be replaced with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). - * Add support for alternative implementation for ECJPAKE, controlled by - new configuration flag MBEDTLS_ECJPAKE_ALT. + * Add support for alternative implementation of ECJPAKE, controlled by + the new configuration flag MBEDTLS_ECJPAKE_ALT. API Changes * Extend RSA interface by multiple functions allowing structure- From e278b364610c24307f7b9e7d010ab1b634ddbb64 Mon Sep 17 00:00:00 2001 From: Reut Caspi Date: Thu, 19 Oct 2017 08:49:19 +0100 Subject: [PATCH 151/177] Change mbedtls_entropy_func in tests to mbedtls_test_entropy_func Change function in tests named mbedtls_entropy_func to mbedtls_test_entropy_func to avoid getting error from the linker when calling the mbedtls_entropy_func elsewhere. --- tests/suites/test_suite_ctr_drbg.function | 10 +++++----- tests/suites/test_suite_hmac_drbg.function | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function index 883cfe08e..d8ffebe46 100644 --- a/tests/suites/test_suite_ctr_drbg.function +++ b/tests/suites/test_suite_ctr_drbg.function 
@@ -1,8 +1,8 @@
 /* BEGIN_HEADER */
 #include "mbedtls/ctr_drbg.h"
-int test_offset_idx;
-int mbedtls_entropy_func( void *data, unsigned char *buf, size_t len )
+static int test_offset_idx;
+static int mbedtls_test_entropy_func( void *data, unsigned char *buf, size_t len )
 {
 const unsigned char *p = (unsigned char *) data;
 memcpy( buf, p + test_offset_idx, len );
@@ -72,7 +72,7 @@ void ctr_drbg_validate_pr( char *add_init_string, char *entropy_string,
 add2_len = unhexify( add2, add2_string );
 test_offset_idx = 0;
- TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
+ TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
 mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
 TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
@@ -110,7 +110,7 @@ void ctr_drbg_validate_nopr( char *add_init_string, char *entropy_string,
 add2_len = unhexify( add2, add2_string );
 test_offset_idx = 0;
- TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
+ TEST_ASSERT( mbedtls_ctr_drbg_seed_entropy_len( &ctx, mbedtls_test_entropy_func, entropy, add_init, add_init_len, 32 ) == 0 );
 TEST_ASSERT( mbedtls_ctr_drbg_random_with_add( &ctx, buf, 16, add1, add1_len ) == 0 );
 TEST_ASSERT( mbedtls_ctr_drbg_reseed( &ctx, add_reseed, add_reseed_len ) == 0 );
@@ -141,7 +141,7 @@ void ctr_drbg_entropy_usage( )
 /* Init must use entropy */
 last_idx = test_offset_idx;
- TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctx, mbedtls_entropy_func, entropy, NULL, 0 ) == 0 );
+ TEST_ASSERT( mbedtls_ctr_drbg_seed( &ctx, mbedtls_test_entropy_func, entropy, NULL, 0 ) == 0 );
 TEST_ASSERT( last_idx < test_offset_idx );
 /* By default, PR is off and reseed_interval is large,
diff --git a/tests/suites/test_suite_hmac_drbg.function b/tests/suites/test_suite_hmac_drbg.function
index 52094700b..a413f5e18 100644
--- a/tests/suites/test_suite_hmac_drbg.function
+++ b/tests/suites/test_suite_hmac_drbg.function
@@ -7,7 +7,7 @@ typedef struct
 size_t len;
 } entropy_ctx;
-int mbedtls_entropy_func( void *data, unsigned char *buf, size_t len )
+static int mbedtls_test_entropy_func( void *data, unsigned char *buf, size_t len )
 {
 entropy_ctx *ctx = (entropy_ctx *) data;
@@ -50,7 +50,7 @@ void hmac_drbg_entropy_usage( int md_alg )
 /* Init must use entropy */
 last_len = entropy.len;
- TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_entropy_func, &entropy,
+ TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &entropy,
 NULL, 0 ) == 0 );
 TEST_ASSERT( entropy.len < last_len );
@@ -206,7 +206,7 @@ void hmac_drbg_no_reseed( int md_alg,
 TEST_ASSERT( memcmp( my_output, output, out_len ) == 0 );
 /* And now the normal entropy-based variant */
- TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_entropy_func, &p_entropy,
+ TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
 custom, custom_len ) == 0 );
 TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len, add1, add1_len ) == 0 );
@@ -251,7 +251,7 @@ void hmac_drbg_nopr( int md_alg,
 md_info = mbedtls_md_info_from_type( md_alg );
 TEST_ASSERT( md_info != NULL );
- TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_entropy_func, &p_entropy,
+ TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
 custom, custom_len ) == 0 );
 TEST_ASSERT( mbedtls_hmac_drbg_reseed( &ctx, add1, add1_len ) == 0 );
 TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
@@ -296,7 +296,7 @@ void hmac_drbg_pr( int md_alg,
 md_info = mbedtls_md_info_from_type( md_alg );
 TEST_ASSERT( md_info != NULL );
- TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_entropy_func, &p_entropy,
+ TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
 custom, custom_len ) == 0 );
 mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
 TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, out_len,
From 4fa619fe56807f5d143b3eb7533add464791838b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 22 Jan 2018 10:55:10 +0100 Subject: [PATCH 152/177] Fix race condition in error printing in ssl_server2.c The race goes this way: 1. ssl_recv() succeeds (ie no signal received yet) 2. processing the message leads to aborting handshake with ret != 0 3. reset ret if we were signaled 4. print error if ret is still non-zero 5. go back to net_accept() which can be interrupted by a signal We print the error message only if the signal is received between steps 3 and 5, not when it arrives between steps 1 and 3. This can cause failures in ssl-opt.sh where we check for the presence of "Last error was..." in the server's output: if we perform step 2, the client will be notified and exit, then ssl-opt.sh will send SIGTERM to the server, but if it didn't get a chance to run and pass step 3 in the meantime, we're in trouble. The purpose of step 3 was to avoid spurious "Last error" messages in the output so that ssl-opt.sh can check for a successful run by the absence of that message. However, it is enough to suppress that message when the last error we get is the one we expect from being interrupted by a signal - doing more could hide real errors. Also, improve the messages printed when interrupted to make it easier to distinguish the two cases - this could be used in a testing script wanted to check that the server doesn't see the client as disconnecting unexpectedly. --- programs/ssl/ssl_server2.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 1285abcbd..cc29b493f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -2019,8 +2019,10 @@ reset:
 #if !defined(_WIN32)
 if( received_sigterm )
 {
- mbedtls_printf( " interrupted by SIGTERM\n" );
- ret = 0;
+ mbedtls_printf( " interrupted by SIGTERM (not in net_accept())\n" );
+ if( ret == MBEDTLS_ERR_NET_INVALID_CONTEXT )
+ ret = 0;
+ goto exit;
 }
 #endif
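Review bot: The new `if( ret == MBEDTLS_ERR_NET_INVALID_CONTEXT ) ret = 0;` clears exactly one error code without saying why that code and no other, and the sibling hunk at -2056 does the same with MBEDTLS_ERR_NET_ACCEPT_FAILED; the reasoning is only in the commit message, which a reader of the file will not see. A comment on each would carry it: `/* Only the error we expect from being interrupted by SIGTERM is suppressed; anything else is a real failure and must still be reported. */`. Separately, `received_sigterm` is tested here after being set from a signal handler, so it should be declared `volatile sig_atomic_t`; its declaration is outside this hunk, so that is something to confirm rather than a defect I can see. Both enclosing blocks begin before the hunk, at the `reset:` label region.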
@@ -2056,8 +2058,10 @@ reset:
 #if !defined(_WIN32)
 if( received_sigterm )
 {
- mbedtls_printf( " interrupted by signal\n" );
- ret = 0;
+ mbedtls_printf( " interrupted by SIGTERM (in net_accept())\n" );
+ if( ret == MBEDTLS_ERR_NET_ACCEPT_FAILED )
+ ret = 0;
+ goto exit;
 }
 #endif
From 92143276239d95420b56a33f5abaf2b9d0850ca0 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 25 Jan 2018 23:26:24 +0100 Subject: [PATCH 153/177] Sort list to make things easier to find --- scripts/generate_errors.pl | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index cfcf07c8f..882afbdb9 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -29,13 +29,14 @@ if( @ARGV ) {
 my $error_format_file = $data_dir.'/error.fmt';
-my @low_level_modules = ( "AES", "ASN1", "BLOWFISH", "CAMELLIA", "BIGNUM",
- "BASE64", "XTEA", "PBKDF2", "OID",
- "PADLOCK", "DES", "NET", "CTR_DRBG", "ENTROPY",
- "HMAC_DRBG", "MD2", "MD4", "MD5", "RIPEMD160",
- "SHA1", "SHA256", "SHA512", "GCM", "THREADING", "CCM" );
-my @high_level_modules = ( "PEM", "X509", "DHM", "RSA", "ECP", "MD", "CIPHER", "SSL",
- "PK", "PKCS12", "PKCS5" );
+my @low_level_modules = qw( AES ASN1 BASE64 BIGNUM BLOWFISH
+ CAMELLIA CCM CTR_DRBG DES ENTROPY
+ GCM HMAC_DRBG MD2 MD4 MD5
+ NET OID PADLOCK PBKDF2 RIPEMD160
+ SHA1 SHA256 SHA512 THREADING XTEA );
+my @high_level_modules = qw( CIPHER DHM ECP MD
+ PEM PK PKCS12 PKCS5
+ RSA SSL X509 );
 my $line_separator = $/; undef $/;
From 1b3649906261dfaafcc5b8750279a0012c1c604a Mon Sep 17 00:00:00 2001 From: Dvir Markovich Date: Mon, 26 Jun 2017 13:43:34 +0300 Subject: [PATCH 154/177] Improve CTR_DRBG error handling and cleanup Check AES return values and return error when needed. Propagate the underlying AES return code. Perform more memory cleanup. --- library/ctr_drbg.c | 92 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 75 insertions(+), 17 deletions(-)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 55612c7fc..2d2da2434 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -94,11 +94,15 @@ int mbedtls_ctr_drbg_seed_entropy_len(
 /*
 * Initialize with an empty key
 */
- mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
+ if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+ {
+ return( ret );
+ }
 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, custom, len ) ) != 0 )
+ {
 return( ret );
-
+ }
 return( 0 );
 }
@@ -148,6 +152,7 @@ static int block_cipher_df( unsigned char *output,
 unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
 unsigned char *p, *iv;
 mbedtls_aes_context aes_ctx;
+ int ret = 0;
 int i, j;
 size_t buf_len, use_len;
@@ -180,7 +185,10 @@ static int block_cipher_df( unsigned char *output,
 for( i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++ )
 key[i] = i;
- mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS );
+ if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, key, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+ {
+ goto exit;
+ }
 /*
 * Reduce data to MBEDTLS_CTR_DRBG_SEEDLEN bytes of data
@@ -199,7 +207,10 @@ static int block_cipher_df( unsigned char *output,
 use_len -= ( use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
- mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain );
+ if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, chain, chain ) ) != 0 )
+ {
+ goto exit;
+ }
 }
 memcpy( tmp + j, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE );
@@ -213,20 +224,40 @@ static int block_cipher_df( unsigned char *output,
 /*
 * Do final encryption with reduced data
 */
- mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
+ if( ( ret = mbedtls_aes_setkey_enc( &aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+ {
+ goto exit;
+ }
 iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
 p = output;
 for( j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE )
 {
- mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv );
+ if( ( ret = mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, iv, iv ) ) != 0 )
+ {
+ goto exit;
+ }
 memcpy( p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE );
 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
 }
-
+exit:
 mbedtls_aes_free( &aes_ctx );
+ /*
+ * tidy up the stack
+ */
+ mbedtls_zeroize( buf, sizeof( buf ) );
+ mbedtls_zeroize( tmp, sizeof( tmp ) );
+ mbedtls_zeroize( key, sizeof( key ) );
+ mbedtls_zeroize( chain, sizeof( chain ) );
+ if( 0 != ret )
+ {
+ /*
+ * wipe partial seed from memory
+ */
+ mbedtls_zeroize( output, MBEDTLS_CTR_DRBG_SEEDLEN );
+ }
- return( 0 );
+ return( ret );
 }
 static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
@@ -235,6 +266,7 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
 unsigned char tmp[MBEDTLS_CTR_DRBG_SEEDLEN];
 unsigned char *p = tmp;
 int i, j;
+ int ret = 0;
 memset( tmp, 0, MBEDTLS_CTR_DRBG_SEEDLEN );
@@ -250,7 +282,10 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
 /*
 * Crypt counter block
 */
- mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p );
+ if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, p ) ) != 0 )
+ {
+ return( ret );
+ }
 p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
 }
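Review bot: `if( 0 != ret )` in the new cleanup tail of block_cipher_df is written Yoda-style while every other comparison this commit adds, including the `) != 0 )` checks a few lines above in the same hunk, puts the variable first; `if( ret != 0 )` keeps the file uniform. The two comments "tidy up the stack" and "wipe partial seed from memory" could also say what the reader actually needs: that `buf`, `tmp`, `key` and `chain` carry derived key material and that `output` is wiped on failure because callers pass it in place over their seed, so a half-written result must not survive the error return. The wipe of `output` uses MBEDTLS_CTR_DRBG_SEEDLEN, which matches the bound of the loop that fills it, so that length looks right from the hunk.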
@@ -261,7 +296,10 @@ static int ctr_drbg_update_internal( mbedtls_ctr_drbg_context *ctx,
 /*
 * Update key and counter
 */
- mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS );
+ if( ( ret = mbedtls_aes_setkey_enc( &ctx->aes_ctx, tmp, MBEDTLS_CTR_DRBG_KEYBITS ) ) != 0 )
+ {
+ return( ret );
+ }
 memcpy( ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE, MBEDTLS_CTR_DRBG_BLOCKSIZE );
 return( 0 );
@@ -289,6 +327,7 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
 {
 unsigned char seed[MBEDTLS_CTR_DRBG_MAX_SEED_INPUT];
 size_t seedlen = 0;
+ int ret;
 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT || len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT - ctx->entropy_len )
@@ -319,12 +358,18 @@ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx,
 /*
 * Reduce to 384 bits
 */
- block_cipher_df( seed, seed, seedlen );
+ if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
+ {
+ return( ret );
+ }
 /*
 * Update state
 */
- ctr_drbg_update_internal( ctx, seed );
+ if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
+ {
+ return( ret );
+ }
 ctx->reseed_counter = 1;
 return( 0 );
@@ -354,15 +399,22 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 ctx->prediction_resistance )
 {
 if( ( ret = mbedtls_ctr_drbg_reseed( ctx, additional, add_len ) ) != 0 )
+ {
 return( ret );
-
+ }
 add_len = 0;
 }
 if( add_len > 0 )
 {
- block_cipher_df( add_input, additional, add_len );
- ctr_drbg_update_internal( ctx, add_input );
+ if( ( ret = block_cipher_df( add_input, additional, add_len ) ) != 0 )
+ {
+ return( ret );
+ }
+ if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+ {
+ return( ret );
+ }
 }
 while( output_len > 0 )
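Review bot: The two new early returns in mbedtls_ctr_drbg_reseed (hunk -319) leave `seed`, which at that point holds the raw entropy output plus the caller's additional input, on the stack unwiped, and the context shows the success path `ctx->reseed_counter = 1; return( 0 );` does not wipe it either, so in a commit whose subject is "more memory cleanup" the most sensitive buffer in the module is the one still left behind. block_cipher_df wipes its own locals in this same patch; reseed should do the same through an `exit:` label, as sketched below (`ret` is declared uninitialised in hunk -289, hence the explicit `ret = 0` on the success path). The same pattern recurs where ctr_drbg_update_internal returns with freshly derived key material in `tmp` (hunks -250 and -261) and where mbedtls_ctr_drbg_random_with_add returns with a keystream block in `tmp` (hunks -377 and -389 on the next line); I have not repeated the note there. The start of reseed, including the length check and the entropy call that fills `seed`, is outside the hunk.
```c
    /*
     * Reduce to 384 bits
     */
    if( ( ret = block_cipher_df( seed, seed, seedlen ) ) != 0 )
        goto exit;

    /*
     * Update state
     */
    if( ( ret = ctr_drbg_update_internal( ctx, seed ) ) != 0 )
        goto exit;

    ctx->reseed_counter = 1;
    ret = 0;

exit:
    /* seed carries raw entropy and the caller's input: wipe it on every path */
    mbedtls_zeroize( seed, sizeof( seed ) );
    return( ret );
```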
@@ -377,7 +429,10 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 /*
 * Crypt counter block
 */
- mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp );
+ if( ( ret = mbedtls_aes_crypt_ecb( &ctx->aes_ctx, MBEDTLS_AES_ENCRYPT, ctx->counter, tmp ) ) != 0 )
+ {
+ return( ret );
+ }
 use_len = ( output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE ) ? MBEDTLS_CTR_DRBG_BLOCKSIZE : output_len;
@@ -389,7 +444,10 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
 output_len -= use_len;
 }
- ctr_drbg_update_internal( ctx, add_input );
+ if( ( ret = ctr_drbg_update_internal( ctx, add_input ) ) != 0 )
+ {
+ return( ret );
+ }
 ctx->reseed_counter++;
From 791e08ad8bd2bcbe226fbfddba95d5367e23d932 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 26 Jan 2018 12:04:12 +0000 Subject: [PATCH 155/177] Add a ChangeLog entry --- ChangeLog | 1 + 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index a5776c06c..64a95d361 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -146,6 +146,7 @@ Changes
 new ones with return codes. In particular, this modifies the mbedtls_md_info_t structure. Propagate errors from these functions everywhere except some locations in the ssl_tls.c module.
+ * Improve CTR_DRBG error handling by propagating underlying AES errors.
 = mbed TLS 2.6.0 branch released 2017-08-10
From 7ecab3df4cc3a79e8b74dd6bd79cf3882e033841 Mon Sep 17 00:00:00 2001
From: Gilles Peskine Date: Fri, 26 Jan 2018 17:56:38 +0100 Subject: [PATCH 156/177] Error codes for hardware accelerator failures Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography modules where the software implementation can be replaced by a hardware implementation. This does not include the individual message digest modules since they currently have no way to return error codes. This does include the higher-level md, cipher and pk modules since alternative implementations and even algorithms can be plugged in at runtime. --- ChangeLog | 3 +++ include/mbedtls/aes.h | 3 ++- include/mbedtls/arc4.h | 2 ++ include/mbedtls/blowfish.h | 1 + include/mbedtls/camellia.h | 1 + include/mbedtls/ccm.h | 1 + include/mbedtls/cipher.h | 3 ++- include/mbedtls/cmac.h | 2 ++ include/mbedtls/des.h | 1 + include/mbedtls/dhm.h | 1 + include/mbedtls/ecp.h | 1 + include/mbedtls/error.h | 28 +++++++++++++----------- include/mbedtls/gcm.h | 1 + include/mbedtls/md.h | 1 + include/mbedtls/pk.h | 1 + include/mbedtls/rsa.h | 1 + include/mbedtls/xtea.h | 1 + library/error.c | 44 ++++++++++++++++++++++++++++++++++++++ scripts/generate_errors.pl | 6 +++--- 19 files changed, 84 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index a200d51fb..50b534773 100644 --- a/ChangeLog +++ b/ChangeLog @@ -117,6 +117,9 @@ Changes * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module. * Add mechanism to provide alternative implementation of the DHM module. + * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography + modules where the software implementation can be replaced by a hardware + implementation. = mbed TLS 2.6.0 branch released 2017-08-10 diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 71dcea9e5..541fa930d 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h 
@@ -41,8 +41,9 @@ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ -/* Error codes in range 0x0023-0x0023 */ +/* Error codes in range 0x0023-0x0025 */ #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available, e.g. unsupported AES key size. */ +#define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */ #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ !defined(inline) && !defined(__cplusplus) diff --git a/include/mbedtls/arc4.h b/include/mbedtls/arc4.h index 26de33f8d..875c57431 100644 --- a/include/mbedtls/arc4.h +++ b/include/mbedtls/arc4.h @@ -32,6 +32,8 @@ #include +#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED -0x0019 /**< ARC4 hardware accelerator failed. */ + #if !defined(MBEDTLS_ARC4_ALT) // Regular implementation // diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index 6593730e4..c0ef5a04c 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -41,6 +41,7 @@ #define MBEDTLS_BLOWFISH_BLOCKSIZE 8 /* Blowfish uses 64 bit blocks */ #define MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH -0x0016 /**< Invalid key length. */ +#define MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED -0x0017 /**< Blowfish hardware accelerator failed. */ #define MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH -0x0018 /**< Invalid data input length. */ #if !defined(MBEDTLS_BLOWFISH_ALT) diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index 107056fc6..cf07629d9 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h 
@@ -38,6 +38,7 @@ #define MBEDTLS_ERR_CAMELLIA_INVALID_KEY_LENGTH -0x0024 /**< Invalid key length. */ #define MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH -0x0026 /**< Invalid data input length. */ +#define MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED -0x0027 /**< Camellia hardware accelerator failed. */ #if !defined(MBEDTLS_CAMELLIA_ALT) // Regular implementation diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index acd94adb8..1459eb8ea 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -28,6 +28,7 @@ #define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to function. */ #define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */ +#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */ #if !defined(MBEDTLS_CCM_ALT) // Regular implementation diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index b92a8dbb9..97b9226f5 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -58,7 +58,8 @@ #define MBEDTLS_ERR_CIPHER_INVALID_PADDING -0x6200 /**< Input data contains invalid padding and is rejected. */ #define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280 /**< Decryption of block requires a full block. */ #define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300 /**< Authentication failed (for AEAD modes). */ -#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 /**< The context is invalid, eg because it was free()ed. */ +#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 /**< The context is invalid, eg because it was free()ed. */ +#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED -0x6400 /**< Cipher hardware accelerator failed. */ #define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length */ #define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length */ diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index a7f7f45e9..1cac94896 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h 
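Review bot: In the cipher.h hunk the `MBEDTLS_ERR_CIPHER_INVALID_CONTEXT` line is removed and re-added with identical text, which from the hunk can only be a whitespace realignment to make room for the longer new name; that is diff noise in a commit touching nineteen files and makes `git blame` on that line point at this change. Either keep the old alignment for the new `#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED -0x6400` line or move the realignment into its own whitespace-only commit. The hunk is otherwise a plain constant addition.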
@@ -31,6 +31,8 @@ extern "C" { #endif +#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A /**< CMAC hardware accelerator failed. */ + #define MBEDTLS_AES_BLOCK_SIZE 16 #define MBEDTLS_DES3_BLOCK_SIZE 8 diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h index 7f8f27eea..175289850 100644 --- a/include/mbedtls/des.h +++ b/include/mbedtls/des.h @@ -37,6 +37,7 @@ #define MBEDTLS_DES_DECRYPT 0 #define MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH -0x0032 /**< The data input has an invalid length. */ +#define MBEDTLS_ERR_DES_HW_ACCEL_FAILED -0x0033 /**< DES hardware accelerator failed. */ #define MBEDTLS_DES_KEY_SIZE 8 diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index d017b380e..8a28ffac9 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -44,6 +44,7 @@ #define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ #define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ +#define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED -0x3500 /**< DHM hardware accelerator failed. */ /** * RFC 3526 defines a number of standardized Diffie-Hellman groups diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 977134059..b00ba4da8 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -37,6 +37,7 @@ #define MBEDTLS_ERR_ECP_RANDOM_FAILED -0x4D00 /**< Generation of random value, such as (ephemeral) key, failed. */ #define MBEDTLS_ERR_ECP_INVALID_KEY -0x4C80 /**< Invalid private or public key. */ #define MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH -0x4C00 /**< Signature is valid but shorter than the user-supplied length. */ +#define MBEDTLS_ERR_ECP_HW_ACCEL_FAILED -0x4B80 /**< ECP hardware accelerator failed. */ #if !defined(MBEDTLS_ECP_ALT) /* diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index bd4ca90f0..7e3289269 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h 
@@ -50,23 +50,25 @@ * * Module Nr Codes assigned * MPI 7 0x0002-0x0010 - * GCM 2 0x0012-0x0014 - * BLOWFISH 2 0x0016-0x0018 + * GCM 3 0x0012-0x0014 0x0013-0x0013 + * BLOWFISH 3 0x0016-0x0018 0x0017-0x0017 * THREADING 3 0x001A-0x001E - * AES 2 0x0020-0x0022 0x0023-0x0023 - * CAMELLIA 2 0x0024-0x0026 - * XTEA 1 0x0028-0x0028 + * AES 4 0x0020-0x0022 0x0023-0x0025 + * CAMELLIA 3 0x0024-0x0026 0x0027-0x0027 + * XTEA 2 0x0028-0x0028 0x0029-0x0029 * BASE64 2 0x002A-0x002C * OID 1 0x002E-0x002E 0x000B-0x000B * PADLOCK 1 0x0030-0x0030 - * DES 1 0x0032-0x0032 + * DES 2 0x0032-0x0032 0x0033-0x0033 * CTR_DBRG 4 0x0034-0x003A * ENTROPY 3 0x003C-0x0040 0x003D-0x003F * NET 11 0x0042-0x0052 0x0043-0x0045 * ASN1 7 0x0060-0x006C + * CMAC 1 0x007A-0x007A * PBKDF2 1 0x007C-0x007C * HMAC_DRBG 4 0x0003-0x0009 - * CCM 2 0x000D-0x000F + * CCM 3 0x000D-0x0011 + * ARC4 1 0x0019-0x0019 * * High-level module nr (3 bits - 0x0...-0x7...) * Name ID Nr of Errors @@ -74,12 +76,12 @@ * PKCS#12 1 4 (Started from top) * X509 2 20 * PKCS5 2 4 (Started from top) - * DHM 3 9 - * PK 3 14 (Started from top) - * RSA 4 10 - * ECP 4 8 (Started from top) - * MD 5 4 - * CIPHER 6 6 + * DHM 3 10 + * PK 3 15 (Started from top) + * RSA 4 11 + * ECP 4 9 (Started from top) + * MD 5 5 + * CIPHER 6 8 * SSL 6 17 (Started from top) * SSL 7 31 * diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index f1019861d..c7f01c316 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -32,6 +32,7 @@ #define MBEDTLS_GCM_DECRYPT 0 #define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /**< Authenticated decryption failed. */ +#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED -0x0013 /**< GCM hardware accelerator failed. */ #define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 /**< Bad input parameters to function. */ #if !defined(MBEDTLS_GCM_ALT) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index f23bad40a..57c27a6f0 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h 
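Review bot: The updated `CCM 3 0x000D-0x0011` row in the error.h table folds the new odd code into the even range, while every other row touched by this hunk (GCM, BLOWFISH, AES, CAMELLIA, XTEA, DES) lists the odd codes in the separate second column; a reader scanning for free odd slots will miss 0x0011 there. Suggest `* CCM 3 0x000D-0x000F 0x0011-0x0011` to match. The new `ARC4 1 0x0019-0x0019` row is appended after CCM rather than placed near the numerically adjacent THREADING row, which is harmless but makes the table harder to search by value; the pre-existing `CTR_DBRG` spelling in the same table could be fixed while this comment is being edited.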
@@ -38,6 +38,7 @@ #define MBEDTLS_ERR_MD_BAD_INPUT_DATA -0x5100 /**< Bad input parameters to function. */ #define MBEDTLS_ERR_MD_ALLOC_FAILED -0x5180 /**< Failed to allocate memory. */ #define MBEDTLS_ERR_MD_FILE_IO_ERROR -0x5200 /**< Opening or reading of file failed. */ +#define MBEDTLS_ERR_MD_HW_ACCEL_FAILED -0x5280 /**< MD hardware accelerator failed. */ #ifdef __cplusplus extern "C" { diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 28f615007..1059bdaa5 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -64,6 +64,7 @@ #define MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE -0x3A00 /**< Elliptic curve is unsupported (only NIST curves are supported). */ #define MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE -0x3980 /**< Unavailable feature, e.g. RSA disabled for RSA key. */ #define MBEDTLS_ERR_PK_SIG_LEN_MISMATCH -0x3900 /**< The signature is valid but its length is less than expected. */ +#define MBEDTLS_ERR_PK_HW_ACCEL_FAILED -0x3880 /**< PK hardware accelerator failed. */ #ifdef __cplusplus extern "C" { diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index a4a471683..752105822 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -50,6 +50,7 @@ #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */ #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */ #define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */ +#define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */ /* * RSA constants diff --git a/include/mbedtls/xtea.h b/include/mbedtls/xtea.h index 1d01e56f8..34ccee3c2 100644 --- a/include/mbedtls/xtea.h +++ b/include/mbedtls/xtea.h 
@@ -37,6 +37,7 @@ #define MBEDTLS_XTEA_DECRYPT 0 #define MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH -0x0028 /**< The data input has an invalid length. */ +#define MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED -0x0029 /**< XTEA hardware accelerator failed. */ #if !defined(MBEDTLS_XTEA_ALT) // Regular implementation diff --git a/library/error.c b/library/error.c index 151ca4eae..70ea2bffc 100644 --- a/library/error.c +++ b/library/error.c @@ -45,6 +45,10 @@ #include "mbedtls/aes.h" #endif +#if defined(MBEDTLS_ARC4_C) +#include "mbedtls/arc4.h" +#endif + #if defined(MBEDTLS_BASE64_C) #include "mbedtls/base64.h" #endif @@ -69,6 +73,10 @@ #include "mbedtls/cipher.h" #endif +#if defined(MBEDTLS_CMAC_C) +#include "mbedtls/cmac.h" +#endif + #if defined(MBEDTLS_CTR_DRBG_C) #include "mbedtls/ctr_drbg.h" #endif @@ -185,6 +193,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" ); if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) ) mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid, eg because it was free()ed" ); + if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" ); #endif /* MBEDTLS_CIPHER_C */ #if defined(MBEDTLS_DHM_C) @@ -206,6 +216,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) ) mbedtls_snprintf( buf, buflen, "DHM - Read/write of file failed" ); + if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) ) + mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" ); #endif /* MBEDTLS_DHM_C */ #if defined(MBEDTLS_ECP_C) 
@@ -225,6 +237,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "ECP - Invalid private or public key" );
 if( use_ret == -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH) )
 mbedtls_snprintf( buf, buflen, "ECP - Signature is valid but shorter than the user-supplied length" );
+ if( use_ret == -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "ECP - ECP hardware accelerator failed" );
 #endif /* MBEDTLS_ECP_C */
 #if defined(MBEDTLS_MD_C)
@@ -236,6 +250,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "MD - Failed to allocate memory" );
 if( use_ret == -(MBEDTLS_ERR_MD_FILE_IO_ERROR) )
 mbedtls_snprintf( buf, buflen, "MD - Opening or reading of file failed" );
+ if( use_ret == -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "MD - MD hardware accelerator failed" );
 #endif /* MBEDTLS_MD_C */
 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
@@ -288,6 +304,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "PK - Unavailable feature, e.g. RSA disabled for RSA key" );
 if( use_ret == -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH) )
 mbedtls_snprintf( buf, buflen, "PK - The signature is valid but its length is less than expected" );
+ if( use_ret == -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "PK - PK hardware accelerator failed" );
 #endif /* MBEDTLS_PK_C */
 #if defined(MBEDTLS_PKCS12_C)
@@ -333,6 +351,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" );
 if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) )
 mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality" );
+ if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
 #endif /* MBEDTLS_RSA_C */
 #if defined(MBEDTLS_SSL_TLS_C)
@@ -522,8 +542,15 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" );
 if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) )
 mbedtls_snprintf( buf, buflen, "AES - Feature not available, e.g. unsupported AES key size" );
+ if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" );
 #endif /* MBEDTLS_AES_C */
+#if defined(MBEDTLS_ARC4_C)
+ if( use_ret == -(MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "ARC4 - ARC4 hardware accelerator failed" );
+#endif /* MBEDTLS_ARC4_C */
+
 #if defined(MBEDTLS_ASN1_PARSE_C)
 if( use_ret == -(MBEDTLS_ERR_ASN1_OUT_OF_DATA) )
 mbedtls_snprintf( buf, buflen, "ASN1 - Out of data when parsing an ASN1 data structure" );
@@ -570,6 +597,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #if defined(MBEDTLS_BLOWFISH_C)
 if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_KEY_LENGTH) )
 mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid key length" );
+ if( use_ret == -(MBEDTLS_ERR_BLOWFISH_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "BLOWFISH - Blowfish hardware accelerator failed" );
 if( use_ret == -(MBEDTLS_ERR_BLOWFISH_INVALID_INPUT_LENGTH) )
 mbedtls_snprintf( buf, buflen, "BLOWFISH - Invalid data input length" );
 #endif /* MBEDTLS_BLOWFISH_C */
@@ -579,6 +608,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid key length" );
 if( use_ret == -(MBEDTLS_ERR_CAMELLIA_INVALID_INPUT_LENGTH) )
 mbedtls_snprintf( buf, buflen, "CAMELLIA - Invalid data input length" );
+ if( use_ret == -(MBEDTLS_ERR_CAMELLIA_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "CAMELLIA - Camellia hardware accelerator failed" );
 #endif /* MBEDTLS_CAMELLIA_C */
 #if defined(MBEDTLS_CCM_C)
@@ -586,8 +617,15 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to function" );
 if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) )
 mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" );
+ if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "CCM - CCM hardware accelerator failed" );
 #endif /* MBEDTLS_CCM_C */
+#if defined(MBEDTLS_CMAC_C)
+ if( use_ret == -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "CMAC - CMAC hardware accelerator failed" );
+#endif /* MBEDTLS_CMAC_C */
+
 #if defined(MBEDTLS_CTR_DRBG_C)
 if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) )
 mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" );
@@ -602,6 +640,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #if defined(MBEDTLS_DES_C)
 if( use_ret == -(MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH) )
 mbedtls_snprintf( buf, buflen, "DES - The data input has an invalid length" );
+ if( use_ret == -(MBEDTLS_ERR_DES_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "DES - DES hardware accelerator failed" );
 #endif /* MBEDTLS_DES_C */
 #if defined(MBEDTLS_ENTROPY_C)
@@ -620,6 +660,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #if defined(MBEDTLS_GCM_C)
 if( use_ret == -(MBEDTLS_ERR_GCM_AUTH_FAILED) )
 mbedtls_snprintf( buf, buflen, "GCM - Authenticated decryption failed" );
+ if( use_ret == -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "GCM - GCM hardware accelerator failed" );
 if( use_ret == -(MBEDTLS_ERR_GCM_BAD_INPUT) )
 mbedtls_snprintf( buf, buflen, "GCM - Bad input parameters to function" );
 #endif /* MBEDTLS_GCM_C */
@@ -684,6 +726,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
 #if defined(MBEDTLS_XTEA_C)
 if( use_ret == -(MBEDTLS_ERR_XTEA_INVALID_INPUT_LENGTH) )
 mbedtls_snprintf( buf, buflen, "XTEA - The data input has an invalid length" );
+ if( use_ret == -(MBEDTLS_ERR_XTEA_HW_ACCEL_FAILED) )
+ mbedtls_snprintf( buf, buflen, "XTEA - XTEA hardware accelerator failed" );
 #endif /* MBEDTLS_XTEA_C */
 // END generated code
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 882afbdb9..59618d4aa 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -29,9 +29,9 @@ if( @ARGV ) {
 my $error_format_file = $data_dir.'/error.fmt';
-my @low_level_modules = qw( AES ASN1 BASE64 BIGNUM BLOWFISH
- CAMELLIA CCM CTR_DRBG DES ENTROPY
- GCM HMAC_DRBG MD2 MD4 MD5
+my @low_level_modules = qw( AES ARC4 ASN1 BASE64 BIGNUM BLOWFISH
+ CAMELLIA CCM CMAC CTR_DRBG DES
+ ENTROPY GCM HMAC_DRBG MD2 MD4 MD5
 NET OID PADLOCK PBKDF2 RIPEMD160 SHA1 SHA256 SHA512 THREADING XTEA );
 my @high_level_modules = qw( CIPHER DHM ECP MD
From 54059629549a1ef4f992801d877dc8e8b14e02b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 29 Jan 2018 10:16:30 +0100
Subject: [PATCH 157/177] Fix alarm(0) failure on mingw32
A new test for mbedtls_timing_alarm(0) was introduced in PR 1136, which also fixed it on Unix. Apparently test results on MinGW were not checked at that point, so we missed that this new test was also failing on this platform.
---
ChangeLog | 2 +-
library/timing.c | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 64a95d361..c18ac5bc9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -108,7 +108,7 @@ Bugfix
 * Fix incorrect unit in benchmark output. #850
 * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by MilenkoMitrovic, #1104
- * Fix mbedtls_timing_alarm(0) on Unix.
+ * Fix mbedtls_timing_alarm(0) on Unix and MinGW.
 * Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1.
 * Fix possible memory leaks in mbedtls_gcm_self_test().
 * Added missing return code checks in mbedtls_aes_self_test().
diff --git a/library/timing.c b/library/timing.c
index 6df137d2d..35d6d89e2 100644
--- a/library/timing.c
+++ b/library/timing.c
@@ -278,6 +278,14 @@ void mbedtls_set_alarm( int seconds )
 {
 DWORD ThreadId;
+ if( seconds == 0 )
+ {
+ /* No need to create a thread for this simple case.
+ * Also, this shorcut is more reliable at least on MinGW32 */
+ mbedtls_timing_alarmed = 1;
+ return;
+ }
+
 mbedtls_timing_alarmed = 0;
 alarmMs = seconds * 1000;
 CloseHandle( CreateThread( NULL, 0, TimerProc, NULL, 0, &ThreadId ) );
From bbca8c5d3c531cb26cad0a642cbdf48287a79cab Mon Sep 17 00:00:00 2001
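Review bot: The comment added in the new `seconds == 0` branch of `mbedtls_set_alarm` misspells "shortcut" as `shorcut`; the line should read ` * Also, this shortcut is more reliable at least on MinGW32 */`. The branch also assigns `mbedtls_timing_alarmed` from the calling thread, whereas on the non-zero path the flag is presumably set by `TimerProc` on the thread created on the last context line; if the flag is not already declared so that cross-thread reads are well-defined (its declaration is not in this hunk), a one-line comment noting that this early store happens before any timer thread exists would make the intent explicit. The body of `mbedtls_set_alarm` continues past the end of the hunk.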
From: Hanno Becker
Date: Mon, 25 Sep 2017 14:53:51 +0100
Subject: [PATCH 158/177] Add documentation warnings for weak algorithms
MD2, MD4, MD5, DES and SHA-1 are considered weak and their use constitutes a security risk. If possible, we recommend avoiding dependencies on them, and considering stronger message digests and ciphers instead.
---
include/mbedtls/arc4.h | 35 +++++++++++++++++-
include/mbedtls/cipher.h | 14 +++++++
include/mbedtls/config.h | 64 ++++++++++++++++++++++++++++++--
include/mbedtls/des.h | 49 ++++++++++++++++++++++++
include/mbedtls/md.h | 8 ++++
include/mbedtls/md2.h | 80 ++++++++++++++++++++++++++++++++++++++++
include/mbedtls/md4.h | 79 +++++++++++++++++++++++++++++++++++++++
include/mbedtls/md5.h | 79 +++++++++++++++++++++++++++++++++++++++
include/mbedtls/sha1.h | 79 +++++++++++++++++++++++++++++++++++++++
9 files changed, 482 insertions(+), 5 deletions(-)
diff --git a/include/mbedtls/arc4.h b/include/mbedtls/arc4.h
index 875c57431..f9d93f822 100644
--- a/include/mbedtls/arc4.h
+++ b/include/mbedtls/arc4.h
@@ -2,6 +2,9 @@
 * \file arc4.h
 *
 * \brief The ARCFOUR stream cipher
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
 */
 /*
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -20,6 +23,7 @@
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
+ *
 */
 #ifndef MBEDTLS_ARC4_H
 #define MBEDTLS_ARC4_H
@@ -43,7 +47,11 @@ extern "C" {
 #endif
 /**
- * \brief ARC4 context structure
+ * \brief ARC4 context structure
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
+ *
 */
 typedef struct
 {
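Review bot: The commit description lists MD2, MD4, MD5, DES and SHA-1, but the arc4.h hunks here (and the arc4.h entry in the diffstat) add the same class of `\warning` for ARC4, so the message under-describes the change; adding "ARC4" to the description's list would make the commit record match its diff. In the `@@ -43,7 +47,11 @@` hunk the `-`/`+` pair for ` * \brief ARC4 context structure` appears to differ only in whitespace; if that is intended alignment it is fine, otherwise it is an avoidable churn line.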
@@ -57,6 +65,11 @@ mbedtls_arc4_context;
 * \brief Initialize ARC4 context
 *
 * \param ctx ARC4 context to be initialized
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ *
 */
 void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
@@ -64,6 +77,11 @@ void mbedtls_arc4_init( mbedtls_arc4_context *ctx );
 * \brief Clear ARC4 context
 *
 * \param ctx ARC4 context to be cleared
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ *
 */
 void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
@@ -73,6 +91,11 @@ void mbedtls_arc4_free( mbedtls_arc4_context *ctx );
 * \param ctx ARC4 context to be setup
 * \param key the secret key
 * \param keylen length of the key, in bytes
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ *
 */
 void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
 unsigned int keylen );
@@ -86,6 +109,11 @@ void mbedtls_arc4_setup( mbedtls_arc4_context *ctx, const unsigned char *key,
 * \param output buffer for the output data
 *
 * \return 0 if successful
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ *
 */
 int mbedtls_arc4_crypt( mbedtls_arc4_context *ctx, size_t length, const unsigned char *input, unsigned char *output );
@@ -106,6 +134,11 @@ extern "C" {
 * \brief Checkup routine
 *
 * \return 0 if successful, or 1 if the test failed
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
+ *
 */
 int mbedtls_arc4_self_test( int verbose );
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 97b9226f5..7ac0fd1a5 100644
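Review bot: Each ARC4 function warning here closes with an empty ` *` line before ` */` (e.g. after `* instead.` in the `mbedtls_arc4_init` hunk), while the DES warnings this same commit adds in des.h close directly with ` */`; one form should be used throughout the patch, and dropping the trailing ` *` matches the pre-existing Doxygen blocks in these headers. The `\warning` is also placed after `\return` in `mbedtls_arc4_crypt` and `mbedtls_arc4_self_test`, so it renders below the return-value text; moving it directly under `\brief` would make it the first thing a reader sees in the generated docs.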
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -68,6 +68,13 @@ extern "C" {
 #endif
+/**
+ * \brief An enumeration of supported ciphers.
+ *
+ * \warning ARC4 and DES are considered weak ciphers and their use
+ * constitutes a security risk. We recommend considering stronger
+ * ciphers instead.
+ */
 typedef enum {
 MBEDTLS_CIPHER_ID_NONE = 0,
 MBEDTLS_CIPHER_ID_NULL,
@@ -79,6 +86,13 @@ typedef enum {
 MBEDTLS_CIPHER_ID_ARC4,
 } mbedtls_cipher_id_t;
+/**
+ * \brief An enumeration of supported (cipher, mode) pairs.
+ *
+ * \warning ARC4 and DES are considered weak ciphers and their use
+ * constitutes a security risk. We recommend considering stronger
+ * ciphers instead.
+ */
 typedef enum {
 MBEDTLS_CIPHER_NONE = 0,
 MBEDTLS_CIPHER_NULL,
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 6f62a8772..25ae1da77 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -262,6 +262,12 @@
 *
 * Uncomment a macro to enable alternate implementation of the corresponding
 * module.
+ *
+ * \warning MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and their
+ * use constitutes a security risk. If possible, we recommend
+ * avoiding dependencies on them, and considering stronger message
+ * digests and ciphers instead.
+ *
 */
 //#define MBEDTLS_AES_ALT
 //#define MBEDTLS_ARC4_ALT
@@ -321,6 +327,12 @@
 *
 * Uncomment a macro to enable alternate implementation of the corresponding
 * function.
+ *
+ * \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ * constitutes a security risk. If possible, we recommend avoiding
+ * dependencies on them, and considering stronger message digests
+ * and ciphers instead.
+ *
 */
 //#define MBEDTLS_MD2_PROCESS_ALT
 //#define MBEDTLS_MD4_PROCESS_ALT
@@ -525,6 +537,9 @@
 * MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA
 *
 * Uncomment this macro to enable weak ciphersuites
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
 */
 //#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
@@ -1615,6 +1630,11 @@
 * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. If possible, we recommend avoidng dependencies on
+ * it, and considering stronger ciphers instead.
+ *
 */
 #define MBEDTLS_ARC4_C
@@ -1841,6 +1861,9 @@
 * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
 *
 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers instead.
 */
 #define MBEDTLS_DES_C
@@ -2020,6 +2043,11 @@
 * Caller:
 *
 * Uncomment to enable support for (rare) MD2-signed X.509 certs.
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
 */
 //#define MBEDTLS_MD2_C
@@ -2032,6 +2060,11 @@
 * Caller:
 *
 * Uncomment to enable support for (rare) MD4-signed X.509 certs.
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
 */
 //#define MBEDTLS_MD4_C
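Review bot: The new `\warning` under `MBEDTLS_ARC4_C` contains a typo, `avoidng`; the added line should read ` * security risk. If possible, we recommend avoiding dependencies on`. The same sentence in the `MBEDTLS_MD2_C` and `MBEDTLS_MD4_C` hunks below is spelled correctly, so this is the only occurrence in this file to fix. Separately, the `MBEDTLS_DES_C` block's existing text says `PEM_PARSE uses DES/3DES for decrypting encrypted keys.`, so the DES warning placed right under it would be clearer if it stated whether the 3DES use is meant to be covered, e.g. `(the 3DES variants used by PEM_PARSE are not the subject of this warning)`.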
@@ -2045,8 +2078,15 @@
 * library/pem.c
 * library/ssl_tls.c
 *
- * This module is required for SSL/TLS and X.509.
- * PEM_PARSE uses MD5 for decrypting encrypted keys.
+ * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2
+ * depending on the handshake parameters. Further, it is used for checking
+ * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded
+ * encrypted keys.
+ *
+ * \warning MD5 is considered a weak message digest and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger message digests instead.
+ *
 */
 #define MBEDTLS_MD5_C
@@ -2309,6 +2349,11 @@
 *
 * This module is required for SSL/TLS up to version 1.1, for TLS 1.2
 * depending on the handshake parameters, and for SHA1-signed certificates.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
 */
 #define MBEDTLS_SHA1_C
@@ -2697,8 +2742,13 @@
 * Allow SHA-1 in the default TLS configuration for certificate signing.
 * Without this build-time option, SHA-1 support must be activated explicitly
 * through mbedtls_ssl_conf_cert_profile. Turning on this option is not
- * recommended because of it is possible to generte SHA-1 collisions, however
+ * recommended because of it is possible to generate SHA-1 collisions, however
 * this may be safe for legacy infrastructure where additional controls apply.
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
 */
 // #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
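Review bot: The `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` hunk corrects `generte` but leaves the rest of that sentence ungrammatical: `recommended because of it is possible to generate SHA-1 collisions, however` should read ` * recommended because it is possible to generate SHA-1 collisions; however`. Since the `+` side already rewrites this exact line, fixing the whole sentence now avoids a second touch of the same line later. The rewritten `MBEDTLS_MD5_C` text in the first hunk reads well and is more accurate than the two lines it replaces.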
@@ -2709,7 +2759,13 @@
 * The use of SHA-1 in TLS <= 1.1 and in HMAC-SHA-1 is always allowed by
 * default. At the time of writing, there is no practical attack on the use
 * of SHA-1 in handshake signatures, hence this option is turned on by default
- * for compatibility with existing peers.
+ * to preserve compatibility with existing peers, but the general
+ * warning applies nonetheless:
+ *
+ * \warning SHA-1 is considered a weak message digest and its use constitutes
+ * a security risk. If possible, we recommend avoiding dependencies
+ * on it, and considering stronger message digests instead.
+ *
 */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h
index 175289850..5a1a63652 100644
--- a/include/mbedtls/des.h
+++ b/include/mbedtls/des.h
@@ -2,6 +2,10 @@
 * \file des.h
 *
 * \brief DES block cipher
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 /*
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -20,6 +24,7 @@
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
+ *
 */
 #ifndef MBEDTLS_DES_H
 #define MBEDTLS_DES_H
@@ -51,6 +56,10 @@ extern "C" {
 /**
 * \brief DES context structure
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 typedef struct
 {
@@ -71,6 +80,10 @@ mbedtls_des3_context;
 * \brief Initialize DES context
 *
 * \param ctx DES context to be initialized
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 void mbedtls_des_init( mbedtls_des_context *ctx );
@@ -78,6 +91,10 @@ void mbedtls_des_init( mbedtls_des_context *ctx );
 * \brief Clear DES context
 *
 * \param ctx DES context to be cleared
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 void mbedtls_des_free( mbedtls_des_context *ctx );
@@ -102,6 +119,10 @@ void mbedtls_des3_free( mbedtls_des3_context *ctx );
 * a parity bit to allow verification.
 *
 * \param key 8-byte secret key
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@@ -114,6 +135,10 @@ void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
 * \param key 8-byte secret key
 *
 * \return 0 is parity was ok, 1 if parity was not correct.
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@@ -123,6 +148,10 @@ int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SI
 * \param key 8-byte secret key
 *
 * \return 0 if no weak key was found, 1 if a weak key was identified.
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@@ -133,6 +162,10 @@ int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
 * \param key 8-byte secret key
 *
 * \return 0
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@@ -143,6 +176,10 @@ int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MB
 * \param key 8-byte secret key
 *
 * \return 0
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
@@ -198,6 +235,10 @@ int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
 * \param output 64-bit output block
 *
 * \return 0 if successful
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
 const unsigned char input[8],
@@ -221,6 +262,10 @@ int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
 * \param iv initialization vector (updated after use)
 * \param input buffer holding the input data
 * \param output buffer holding the output data
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
 int mode,
@@ -279,6 +324,10 @@ int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
 *
 * \param SK Round keys
 * \param key Base key
+ *
+ * \warning DES is considered a weak cipher and its use constitutes a
+ * security risk. We recommend considering stronger ciphers
+ * instead.
 */
 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index 57c27a6f0..bdea393bc 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
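Review bot: The DES warnings are attached only to the single-DES declarations; the `mbedtls_des3_*` functions that appear here as hunk context (`mbedtls_des3_set3key_dec`, `mbedtls_des3_crypt_cbc`, and `mbedtls_des3_free` in the previous hunk) get none, so a reader may take 3DES as unreservedly endorsed. If that is deliberate, say so once in the file-level `\warning` in the `\file des.h` hunk rather than leaving it implicit, e.g. `Triple-DES is not covered by this warning, but it shares DES's 64-bit block size, which bounds the amount of data that should be processed under one key.` The `mbedtls_des_setkey` hunk documents an internal round-key helper; the warning is harmless there but adds nothing a caller of the public API would not already have seen on `mbedtls_des_setkey_enc`/`_dec`.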
@@ -44,6 +44,14 @@ extern "C" {
 #endif
+/**
+ * \brief Enumeration of supported message digests
+ *
+ * \warning MD2, MD4, MD5 and SHA-1 are considered weak message digests and
+ * their use constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
+ */
 typedef enum {
 MBEDTLS_MD_NONE=0,
 MBEDTLS_MD_MD2,
diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h
index b245b5b7b..2ff3f171a 100644
--- a/include/mbedtls/md2.h
+++ b/include/mbedtls/md2.h
@@ -2,6 +2,10 @@
 * \file md2.h
 *
 * \brief MD2 message digest algorithm (hash function)
+ *
+ * \warning MD2 is considered a weak message digest and its use constitutes a
+ * security risk. We recommend considering stronger message digests
+ * instead.
 */
 /*
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -20,6 +24,7 @@
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
+ *
 */
 #ifndef MBEDTLS_MD2_H
 #define MBEDTLS_MD2_H
@@ -49,6 +54,11 @@ extern "C" {
 /**
 * \brief MD2 context structure
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 typedef struct
 {
@@ -63,6 +73,11 @@ mbedtls_md2_context;
 * \brief Initialize MD2 context
 *
 * \param ctx MD2 context to be initialized
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md2_init( mbedtls_md2_context *ctx );
@@ -70,6 +85,11 @@ void mbedtls_md2_init( mbedtls_md2_context *ctx );
 * \brief Clear MD2 context
 *
 * \param ctx MD2 context to be cleared
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md2_free( mbedtls_md2_context *ctx );
@@ -78,6 +98,11 @@ void mbedtls_md2_free( mbedtls_md2_context *ctx );
 *
 * \param dst The destination context
 * \param src The context to be cloned
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md2_clone( mbedtls_md2_context *dst,
 const mbedtls_md2_context *src );
@@ -88,6 +113,11 @@ void mbedtls_md2_clone( mbedtls_md2_context *dst,
 * \param ctx context to be initialized
 *
 * \return 0 if successful
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
@@ -99,6 +129,11 @@ int mbedtls_md2_starts_ret( mbedtls_md2_context *ctx );
 * \param ilen length of the input data
 *
 * \return 0 if successful
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
 const unsigned char *input,
@@ -111,6 +146,11 @@ int mbedtls_md2_update_ret( mbedtls_md2_context *ctx,
 * \param output MD2 checksum result
 *
 * \return 0 if successful
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
 unsigned char output[16] );
@@ -121,6 +161,11 @@ int mbedtls_md2_finish_ret( mbedtls_md2_context *ctx,
 * \param ctx MD2 context
 *
 * \return 0 if successful
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
@@ -136,6 +181,11 @@ int mbedtls_internal_md2_process( mbedtls_md2_context *ctx );
 * \deprecated Superseded by mbedtls_md2_starts_ret() in 2.7.0
 *
 * \param ctx context to be initialized
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts(
 mbedtls_md2_context *ctx )
@@ -151,6 +201,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_starts(
 * \param ctx MD2 context
 * \param input buffer holding the data
 * \param ilen length of the input data
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 MBEDTLS_DEPRECATED static inline void mbedtls_md2_update(
 mbedtls_md2_context *ctx,
@@ -167,6 +222,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_update(
 *
 * \param ctx MD2 context
 * \param output MD2 checksum result
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish(
 mbedtls_md2_context *ctx,
@@ -181,6 +241,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2_finish(
 * \deprecated Superseded by mbedtls_internal_md2_process() in 2.7.0
 *
 * \param ctx MD2 context
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 MBEDTLS_DEPRECATED static inline void mbedtls_md2_process(
 mbedtls_md2_context *ctx )
@@ -209,6 +274,11 @@ extern "C" {
 * \param input buffer holding the data
 * \param ilen length of the input data
 * \param output MD2 checksum result
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_md2_ret( const unsigned char *input,
 size_t ilen,
@@ -228,6 +298,11 @@ int mbedtls_md2_ret( const unsigned char *input,
 * \param input buffer holding the data
 * \param ilen length of the input data
 * \param output MD2 checksum result
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 MBEDTLS_DEPRECATED static inline void mbedtls_md2( const unsigned char *input,
 size_t ilen,
@@ -243,6 +318,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md2( const unsigned char *input,
 * \brief Checkup routine
 *
 * \return 0 if successful, or 1 if the test failed
+ *
+ * \warning MD2 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 int mbedtls_md2_self_test( int verbose );
diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h
index 886a66939..a2ab57f07 100644
--- a/include/mbedtls/md4.h
+++ b/include/mbedtls/md4.h
@@ -2,6 +2,10 @@
 * \file md4.h
 *
 * \brief MD4 message digest algorithm (hash function)
+ *
+ * \warning MD4 is considered a weak message digest and its use constitutes a
+ * security risk. We recommend considering stronger message digests
+ * instead.
 */
 /*
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
@@ -20,6 +24,7 @@
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
+ *
 */
 #ifndef MBEDTLS_MD4_H
 #define MBEDTLS_MD4_H
@@ -50,6 +55,11 @@ extern "C" {
 /**
 * \brief MD4 context structure
+ *
+ * \warning MD4 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 typedef struct
 {
@@ -63,6 +73,11 @@ mbedtls_md4_context;
 * \brief Initialize MD4 context
 *
 * \param ctx MD4 context to be initialized
+ *
+ * \warning MD4 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md4_init( mbedtls_md4_context *ctx );
@@ -70,6 +85,11 @@ void mbedtls_md4_init( mbedtls_md4_context *ctx );
 * \brief Clear MD4 context
 *
 * \param ctx MD4 context to be cleared
+ *
+ * \warning MD4 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md4_free( mbedtls_md4_context *ctx );
@@ -78,6 +98,11 @@ void mbedtls_md4_free( mbedtls_md4_context *ctx );
 *
 * \param dst The destination context
 * \param src The context to be cloned
+ *
+ * \warning MD4 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
+ *
 */
 void mbedtls_md4_clone( mbedtls_md4_context *dst,
 const mbedtls_md4_context *src );
@@ -88,6 +113,10 @@ void mbedtls_md4_clone( mbedtls_md4_context *dst,
 * \param ctx context to be initialized
 *
 * \return 0 if successful
+ *
+ * \warning MD4 is considered a weak message digest and its use
+ * constitutes a security risk. We recommend considering
+ * stronger message digests instead.
 */
 int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx );
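Review bot: The `mbedtls_md4_starts_ret` hunk (`@@ -88,6 +113,10 @@`) omits the trailing empty ` *` line that every other MD4 and MD2 warning block in this patch places before ` */`, which is why it is a `+10` where its siblings are `+11`. Either add the ` *` line here or drop it from the sibling blocks so the Doxygen output is uniform across the file. The warning is also placed after `\return` in this and the following hunks; putting it directly under `\brief` would surface it first in the rendered documentation.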
@@ -99,6 +128,11 @@ int mbedtls_md4_starts_ret( mbedtls_md4_context *ctx ); * \param ilen length of the input data * * \return 0 if successful + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md4_update_ret( mbedtls_md4_context *ctx, const unsigned char *input, @@ -111,6 +145,11 @@ int mbedtls_md4_update_ret( mbedtls_md4_context *ctx, * \param output MD4 checksum result * * \return 0 if successful + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx, unsigned char output[16] ); @@ -122,6 +161,11 @@ int mbedtls_md4_finish_ret( mbedtls_md4_context *ctx, * \param data buffer holding one block of data * * \return 0 if successful + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, const unsigned char data[64] ); @@ -138,6 +182,11 @@ int mbedtls_internal_md4_process( mbedtls_md4_context *ctx, * \deprecated Superseded by mbedtls_md4_starts_ret() in 2.7.0 * * \param ctx context to be initialized + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( mbedtls_md4_context *ctx ) 
@@ -153,6 +202,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_starts( * \param ctx MD4 context * \param input buffer holding the data * \param ilen length of the input data + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( mbedtls_md4_context *ctx, @@ -169,6 +223,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_update( * * \param ctx MD4 context * \param output MD4 checksum result + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( mbedtls_md4_context *ctx, @@ -184,6 +243,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4_finish( * * \param ctx MD4 context * \param data buffer holding one block of data + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md4_process( mbedtls_md4_context *ctx, @@ -215,6 +279,11 @@ extern "C" { * \param output MD4 checksum result * * \return 0 if successful + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md4_ret( const unsigned char *input, size_t ilen, 
@@ -234,6 +303,11 @@ int mbedtls_md4_ret( const unsigned char *input, * \param input buffer holding the data * \param ilen length of the input data * \param output MD4 checksum result + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md4( const unsigned char *input, size_t ilen, @@ -249,6 +323,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md4( const unsigned char *input, * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed + * + * \warning MD4 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md4_self_test( int verbose ); diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 5734b4099..d49391f81 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -2,6 +2,10 @@ * \file md5.h * * \brief MD5 message digest algorithm (hash function) + * + * \warning MD5 is considered a weak message digest and its use constitutes a + * security risk. We recommend considering stronger message + * digests instead. */ /* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved @@ -50,6 +54,11 @@ extern "C" { /** * \brief MD5 context structure + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ typedef struct { @@ -63,6 +72,11 @@ mbedtls_md5_context; * \brief Initialize MD5 context * * \param ctx MD5 context to be initialized + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_md5_init( mbedtls_md5_context *ctx ); 
@@ -70,6 +84,11 @@ void mbedtls_md5_init( mbedtls_md5_context *ctx ); * \brief Clear MD5 context * * \param ctx MD5 context to be cleared + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_md5_free( mbedtls_md5_context *ctx ); @@ -78,6 +97,11 @@ void mbedtls_md5_free( mbedtls_md5_context *ctx ); * * \param dst The destination context * \param src The context to be cloned + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_md5_clone( mbedtls_md5_context *dst, const mbedtls_md5_context *src ); @@ -88,6 +112,11 @@ void mbedtls_md5_clone( mbedtls_md5_context *dst, * \param ctx context to be initialized * * \return 0 if successful + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx ); @@ -99,6 +128,11 @@ int mbedtls_md5_starts_ret( mbedtls_md5_context *ctx ); * \param ilen length of the input data * * \return 0 if successful + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md5_update_ret( mbedtls_md5_context *ctx, const unsigned char *input, @@ -111,6 +145,11 @@ int mbedtls_md5_update_ret( mbedtls_md5_context *ctx, * \param output MD5 checksum result * * \return 0 if successful + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx, unsigned char output[16] ); 
@@ -122,6 +161,11 @@ int mbedtls_md5_finish_ret( mbedtls_md5_context *ctx, * \param data buffer holding one block of data * * \return 0 if successful + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] ); @@ -138,6 +182,11 @@ int mbedtls_internal_md5_process( mbedtls_md5_context *ctx, * \deprecated Superseded by mbedtls_md5_starts_ret() in 2.7.0 * * \param ctx context to be initialized + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( mbedtls_md5_context *ctx ) @@ -153,6 +202,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_starts( * \param ctx MD5 context * \param input buffer holding the data * \param ilen length of the input data + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( mbedtls_md5_context *ctx, @@ -169,6 +223,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_update( * * \param ctx MD5 context * \param output MD5 checksum result + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( mbedtls_md5_context *ctx, 
@@ -184,6 +243,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5_finish( * * \param ctx MD5 context * \param data buffer holding one block of data + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md5_process( mbedtls_md5_context *ctx, @@ -215,6 +279,11 @@ extern "C" { * \param output MD5 checksum result * * \return 0 if successful + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md5_ret( const unsigned char *input, size_t ilen, @@ -234,6 +303,11 @@ int mbedtls_md5_ret( const unsigned char *input, * \param input buffer holding the data * \param ilen length of the input data * \param output MD5 checksum result + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_md5( const unsigned char *input, size_t ilen, @@ -249,6 +323,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_md5( const unsigned char *input, * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed + * + * \warning MD5 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_md5_self_test( int verbose ); diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 4d3a16401..613407a2f 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h 
@@ -2,6 +2,10 @@ * \file sha1.h * * \brief SHA-1 cryptographic hash function + * + * \warning SHA-1 is considered a weak message digest and its use constitutes + * a security risk. We recommend considering stronger message + * digests instead. */ /* * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved @@ -50,6 +54,11 @@ extern "C" { /** * \brief SHA-1 context structure + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ typedef struct { @@ -63,6 +72,11 @@ mbedtls_sha1_context; * \brief Initialize SHA-1 context * * \param ctx SHA-1 context to be initialized + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_sha1_init( mbedtls_sha1_context *ctx ); @@ -70,6 +84,11 @@ void mbedtls_sha1_init( mbedtls_sha1_context *ctx ); * \brief Clear SHA-1 context * * \param ctx SHA-1 context to be cleared + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_sha1_free( mbedtls_sha1_context *ctx ); @@ -78,6 +97,11 @@ void mbedtls_sha1_free( mbedtls_sha1_context *ctx ); * * \param dst The destination context * \param src The context to be cloned + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, const mbedtls_sha1_context *src ); 
@@ -88,6 +112,11 @@ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, * \param ctx context to be initialized * * \return 0 if successful + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ); @@ -99,6 +128,11 @@ int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ); * \param ilen length of the input data * * \return 0 if successful + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx, const unsigned char *input, @@ -111,6 +145,11 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx, * \param output SHA-1 checksum result * * \return 0 if successful + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, unsigned char output[20] ); @@ -122,6 +161,11 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, * \param data buffer holding one block of data * * \return 0 if successful + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ); 
@@ -138,6 +182,11 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, * \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.7.0 * * \param ctx context to be initialized + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) @@ -153,6 +202,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( * \param ctx SHA-1 context * \param input buffer holding the data * \param ilen length of the input data + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( mbedtls_sha1_context *ctx, @@ -169,6 +223,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( * * \param ctx SHA-1 context * \param output SHA-1 checksum result + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, @@ -184,6 +243,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( * * \param ctx SHA-1 context * \param data buffer holding one block of data + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_process( mbedtls_sha1_context *ctx, 
@@ -215,6 +279,11 @@ extern "C" { * \param output SHA-1 checksum result * * \return 0 if successful + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_sha1_ret( const unsigned char *input, size_t ilen, @@ -234,6 +303,11 @@ int mbedtls_sha1_ret( const unsigned char *input, * \param input buffer holding the data * \param ilen length of the input data * \param output SHA-1 checksum result + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, size_t ilen, @@ -249,6 +323,11 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, * \brief Checkup routine * * \return 0 if successful, or 1 if the test failed + * + * \warning SHA-1 is considered a weak message digest and its use + * constitutes a security risk. We recommend considering + * stronger message digests instead. + * */ int mbedtls_sha1_self_test( int verbose ); From 2a03794d62e0e43109e27f2f75a7e491f7348e1e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 6 Oct 2017 12:29:50 +0100 Subject: [PATCH 159/177] Adapt ChangeLog --- ChangeLog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ChangeLog b/ChangeLog index 84473657c..852c3cd81 100644 --- a/ChangeLog +++ b/ChangeLog @@ -150,6 +150,8 @@ Changes * Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography modules where the software implementation can be replaced by a hardware implementation. + * Add explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4 + throughout the library. = mbed TLS 2.6.0 branch released 2017-08-10 From 7f44127c71dbdc52f9958b9d6619a24f46587814 Mon Sep 17 00:00:00 2001 
From: Rose Zadik Date: Mon, 22 Jan 2018 11:48:23 +0000 Subject: [PATCH 160/177] Improve AES documentation - Separate "\file" blocks from copyright, so that Doxygen doesn't repeat the copyright information in all the Detailed Descriptions. - Improve phrasing and clarity of functions, parameters, defines and enums. GitHub PR: #1292 --- include/mbedtls/aes.h | 328 +++++++++++++++++++++++++----------------- library/error.c | 2 +- 2 files changed, 199 insertions(+), 131 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index 541fa930d..46016dcb7 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -1,10 +1,18 @@ /** * \file aes.h * - * \brief AES block cipher + * \brief The Advanced Encryption Standard (AES) specifies a FIPS-approved + * cryptographic algorithm that can be used to protect electronic + * data. + * + * The AES algorithm is a symmetric block cipher that can + * encrypt and decrypt information. For more information, see + * FIPS Publication 197: Advanced Encryption Standard and + * ISO/IEC 18033-2:2006: Information technology -- Security + * techniques -- Encryption algorithms -- Part 2: Asymmetric + * ciphers. */ -/* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved +/* Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved. * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +27,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_AES_H #define MBEDTLS_AES_H 
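Review bot: The new `\brief` in aes.h cites `ISO/IEC 18033-2:2006 ... Part 2: Asymmetric ciphers`, which contradicts the sentence just before it that calls AES a symmetric block cipher; to my knowledge AES is specified in Part 3 of that series (ISO/IEC 18033-3, Block ciphers), so the reference should be verified against the standard and corrected before this lands in the public API docs. I would also keep `\brief` to a single sentence (` * \brief The Advanced Encryption Standard (AES) block cipher.`) and move the FIPS 197 / ISO references into the detailed description, where the second paragraph of this block already lives, since Doxygen treats only the first paragraph as the brief.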
@@ -34,15 +43,15 @@ #include /* padlock.c and aesni.c rely on these values! */ -#define MBEDTLS_AES_ENCRYPT 1 -#define MBEDTLS_AES_DECRYPT 0 +#define MBEDTLS_AES_ENCRYPT 1 /**< AES encryption. */ +#define MBEDTLS_AES_DECRYPT 0 /**< AES decryption. */ /* Error codes in range 0x0020-0x0022 */ #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH -0x0020 /**< Invalid key length. */ #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH -0x0022 /**< Invalid data input length. */ /* Error codes in range 0x0023-0x0025 */ -#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available, e.g. unsupported AES key size. */ +#define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE -0x0023 /**< Feature not available. For example, an unsupported AES key size. */ #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED -0x0025 /**< AES hardware accelerator failed. */ #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ @@ -59,68 +68,90 @@ extern "C" { #endif /** - * \brief AES context structure - * - * \note buf is able to hold 32 extra bytes, which can be used: - * - for alignment purposes if VIA padlock is used, and/or - * - to simplify key expansion in the 256-bit case by - * generating an extra round key + * \brief The AES context-type definition. */ typedef struct { - int nr; /*!< number of rounds */ - uint32_t *rk; /*!< AES round keys */ - uint32_t buf[68]; /*!< unaligned data */ + int nr; /*!< The number of rounds. */ + uint32_t *rk; /*!< AES round keys. */ + uint32_t buf[68]; /*!< Unaligned data buffer. This buffer can + hold 32 extra Bytes, which can be used for + one of the following purposes: +
  • Alignment if VIA padlock is + used.
  • +
  • Simplifying key expansion in the 256-bit + case by generating an extra round key. +
*/ } mbedtls_aes_context; /** - * \brief Initialize AES context + * \brief This function initializes the specified AES context. * - * \param ctx AES context to be initialized + * It must be the first API called before using + * the context. + * + * \param ctx The AES context to initialize. */ void mbedtls_aes_init( mbedtls_aes_context *ctx ); /** - * \brief Clear AES context + * \brief This function releases and clears the specified AES context. * - * \param ctx AES context to be cleared + * \param ctx The AES context to clear. */ void mbedtls_aes_free( mbedtls_aes_context *ctx ); /** - * \brief AES key schedule (encryption) + * \brief This function sets the encryption key. * - * \param ctx AES context to be initialized - * \param key encryption key - * \param keybits must be 128, 192 or 256 + * \param ctx The AES context to which the key should be bound. + * \param key The encryption key. + * \param keybits The size of data passed in bits. Valid options are: + *
  • 128 bits
  • + *
  • 192 bits
  • + *
  • 256 bits
* - * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH + * \return \c 0 on success or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH + * on failure. */ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits ); /** - * \brief AES key schedule (decryption) + * \brief This function sets the decryption key. * - * \param ctx AES context to be initialized - * \param key decryption key - * \param keybits must be 128, 192 or 256 + * \param ctx The AES context to which the key should be bound. + * \param key The decryption key. + * \param keybits The size of data passed. Valid options are: + *
  • 128 bits
  • + *
  • 192 bits
  • + *
  • 256 bits
* - * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH + * \return \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure. */ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits ); /** - * \brief AES-ECB block encryption/decryption + * \brief This function performs an AES single-block encryption or + * decryption operation. * - * \param ctx AES context - * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT - * \param input 16-byte input block - * \param output 16-byte output block + * It performs the operation defined in the \p mode parameter + * (encrypt or decrypt), on the input data buffer defined in + * the \p input parameter. * - * \return 0 if successful + * mbedtls_aes_init(), and either mbedtls_aes_setkey_enc() or + * mbedtls_aes_setkey_dec() must be called before the first + * call to this API with the same context. + * + * \param ctx The AES context to use for encryption or decryption. + * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or + * #MBEDTLS_AES_DECRYPT. + * \param input The 16-Byte buffer holding the input data. + * \param output The 16-Byte buffer holding the output data. + + * \return \c 0 on success. */ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, int mode, 
@@ -129,26 +160,40 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx, #if defined(MBEDTLS_CIPHER_MODE_CBC) /** - * \brief AES-CBC buffer encryption/decryption - * Length should be a multiple of the block - * size (16 bytes) + * \brief This function performs an AES-CBC encryption or decryption operation + * on full blocks. * - * \note Upon exit, the content of the IV is updated so that you can - * call the function same function again on the following - * block(s) of data and get the same result as if it was - * encrypted in one call. This allows a "streaming" usage. - * If on the other hand you need to retain the contents of the - * IV, you should either save it manually or use the cipher - * module instead. + * It performs the operation defined in the \p mode + * parameter (encrypt/decrypt), on the input data buffer defined in + * the \p input parameter. * - * \param ctx AES context - * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT - * \param length length of the input data - * \param iv initialization vector (updated after use) - * \param input buffer holding the input data - * \param output buffer holding the output data + * It can be called as many times as needed, until all the input + * data is processed. mbedtls_aes_init(), and either + * mbedtls_aes_setkey_enc() or mbedtls_aes_setkey_dec() must be called + * before the first call to this API with the same context. * - * \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH + * \note This function operates on aligned blocks, that is, the input size + * must be a multiple of the AES block size of 16 Bytes. + * + * \note Upon exit, the content of the IV is updated so that you can + * call the same function again on the next + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If you need to retain the contents of the IV, you should + * either save it manually or use the cipher module instead. 
+ * + * + * \param ctx The AES context to use for encryption or decryption. + * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or + * #MBEDTLS_AES_DECRYPT. + * \param length The length of the input data in Bytes. This must be a + * multiple of the block size (16 Bytes). + * \param iv Initialization vector (updated after use). + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success, or #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH + * on failure. */ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, int mode, 
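Review bot: `\note This function operates on aligned blocks` in the mbedtls_aes_crypt_cbc() block is ambiguous, because in C "aligned" reads as memory alignment, whereas the sentence means the input must consist of whole blocks. Suggest ` * \note This function operates on full blocks, that is, the input size must be a multiple of the AES block size of 16 Bytes.`. The two consecutive ` *` lines before the `\param` list are also redundant; one separator line matches the rest of the header.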
@@ -160,29 +205,38 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx, #if defined(MBEDTLS_CIPHER_MODE_CFB) /** - * \brief AES-CFB128 buffer encryption/decryption. + * \brief This function performs an AES-CFB128 encryption or decryption + * operation. * - * Note: Due to the nature of CFB you should use the same key schedule for - * both encryption and decryption. So a context initialized with - * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT. + * It performs the operation defined in the \p mode + * parameter (encrypt or decrypt), on the input data buffer + * defined in the \p input parameter. * - * \note Upon exit, the content of the IV is updated so that you can - * call the function same function again on the following - * block(s) of data and get the same result as if it was - * encrypted in one call. This allows a "streaming" usage. - * If on the other hand you need to retain the contents of the - * IV, you should either save it manually or use the cipher - * module instead. + * For CFB, you must set up the context with mbedtls_aes_setkey_enc(), + * regardless of whether you are performing an encryption or decryption + * operation, that is, regardless of the \p mode parameter. This is + * because CFB mode uses the same key schedule for encryption and + * decryption. * - * \param ctx AES context - * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT - * \param length length of the input data - * \param iv_off offset in IV (updated after use) - * \param iv initialization vector (updated after use) - * \param input buffer holding the input data - * \param output buffer holding the output data + * \note Upon exit, the content of the IV is updated so that you can + * call the same function again on the next + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. 
+ * If you need to retain the contents of the + * IV, you must either save it manually or use the cipher + * module instead. * - * \return 0 if successful + * + * \param ctx The AES context to use for encryption or decryption. + * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or + * #MBEDTLS_AES_DECRYPT. + * \param length The length of the input data. + * \param iv_off The offset in IV (updated after use). + * \param iv The initialization vector (updated after use). + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success. */ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, int mode, 
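Review bot: `\param length The length of the input data.` in the mbedtls_aes_crypt_cfb128() block drops the unit that the CBC documentation in this same commit carries (`in Bytes`); the same omission appears in the CFB8 hunk (`@@ -193,28 +247,36 @@`) and the CTR hunk (`@@ -226,26 +288,32 @@`). Suggest ` * \param length The length of the input data in Bytes.` in all three. Unlike CBC, these modes document no length error code, which suggests they accept any length; if so, say that explicitly so readers do not assume the 16-Byte multiple restriction carries over.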
@@ -193,28 +247,36 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx, unsigned char *output ); /** - * \brief AES-CFB8 buffer encryption/decryption. + * \brief This function performs an AES-CFB8 encryption or decryption + * operation. * - * Note: Due to the nature of CFB you should use the same key schedule for - * both encryption and decryption. So a context initialized with - * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT. + * It performs the operation defined in the \p mode + * parameter (encrypt/decrypt), on the input data buffer defined + * in the \p input parameter. * - * \note Upon exit, the content of the IV is updated so that you can - * call the function same function again on the following - * block(s) of data and get the same result as if it was - * encrypted in one call. This allows a "streaming" usage. - * If on the other hand you need to retain the contents of the - * IV, you should either save it manually or use the cipher - * module instead. + * Due to the nature of CFB, you must use the same key schedule for + * both encryption and decryption operations. Therefore, you must + * use the context initialized with mbedtls_aes_setkey_enc() for + * both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT. * - * \param ctx AES context - * \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT - * \param length length of the input data - * \param iv initialization vector (updated after use) - * \param input buffer holding the input data - * \param output buffer holding the output data + * \note Upon exit, the content of the IV is updated so that you can + * call the same function again on the next + * block(s) of data and get the same result as if it was + * encrypted in one call. This allows a "streaming" usage. + * If you need to retain the contents of the + * IV, you should either save it manually or use the cipher + * module instead. 
* - * \return 0 if successful + * + * \param ctx The AES context to use for encryption or decryption. + * \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or + * #MBEDTLS_AES_DECRYPT + * \param length The length of the input data. + * \param iv The initialization vector (updated after use). + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success. */ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, int mode, 
@@ -226,26 +288,32 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx, #if defined(MBEDTLS_CIPHER_MODE_CTR) /** - * \brief AES-CTR buffer encryption/decryption + * \brief This function performs an AES-CTR encryption or decryption + * operation. * - * Warning: You have to keep the maximum use of your counter in mind! + * This function performs the operation defined in the \p mode + * parameter (encrypt/decrypt), on the input data buffer + * defined in the \p input parameter. * - * Note: Due to the nature of CTR you should use the same key schedule for - * both encryption and decryption. So a context initialized with - * mbedtls_aes_setkey_enc() for both MBEDTLS_AES_ENCRYPT and MBEDTLS_AES_DECRYPT. + * Due to the nature of CTR, you must use the same key schedule + * for both encryption and decryption operations. Therefore, you + * must use the context initialized with mbedtls_aes_setkey_enc() + * for both #MBEDTLS_AES_ENCRYPT and #MBEDTLS_AES_DECRYPT. * - * \param ctx AES context - * \param length The length of the data - * \param nc_off The offset in the current stream_block (for resuming - * within current cipher stream). The offset pointer to - * should be 0 at the start of a stream. - * \param nonce_counter The 128-bit nonce and counter. - * \param stream_block The saved stream-block for resuming. Is overwritten - * by the function. - * \param input The input data stream - * \param output The output data stream + * \warning You must keep the maximum use of your counter in mind. * - * \return 0 if successful + * \param ctx The AES context to use for encryption or decryption. + * \param length The length of the input data. + * \param nc_off The offset in the current \p stream_block, for + * resuming within the current cipher stream. The + * offset pointer should be 0 at the start of a stream. + * \param nonce_counter The 128-bit nonce and counter. + * \param stream_block The saved stream block for resuming. This is + * overwritten by the function. 
+ * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * + * \return \c 0 on success. */ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, size_t length, @@ -257,30 +325,30 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx, #endif /* MBEDTLS_CIPHER_MODE_CTR */ /** - * \brief Internal AES block encryption function - * (Only exposed to allow overriding it, - * see MBEDTLS_AES_ENCRYPT_ALT) + * \brief Internal AES block encryption function. This is only + * exposed to allow overriding it using + * \c MBEDTLS_AES_ENCRYPT_ALT. * - * \param ctx AES context - * \param input Plaintext block - * \param output Output (ciphertext) block + * \param ctx The AES context to use for encryption. + * \param input The plaintext block. + * \param output The output (ciphertext) block. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx, const unsigned char input[16], unsigned char output[16] ); /** - * \brief Internal AES block decryption function - * (Only exposed to allow overriding it, - * see MBEDTLS_AES_DECRYPT_ALT) + * \brief Internal AES block decryption function. This is only + * exposed to allow overriding it using see + * \c MBEDTLS_AES_DECRYPT_ALT. * - * \param ctx AES context - * \param input Ciphertext block - * \param output Output (plaintext) block + * \param ctx The AES context to use for decryption. + * \param input The ciphertext block. + * \param output The output (plaintext) block. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, const unsigned char input[16], 
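Review bot: The `\warning` on mbedtls_aes_crypt_ctr ("You must keep the maximum use of your counter in mind") is too vague for a caller to act on; it names neither the failure mode nor the rule. The actual requirement is that a nonce_counter value is never reused under the same key, because reusing keystream in CTR reveals the XOR of the two plaintexts, and that the counter must not wrap while a key is in use; the increment width is not visible in this hunk, so phrase the limit in terms of what ctr.c actually does. Suggested wording: `\warning A nonce_counter value must never be reused with the same key: reusing a keystream block reveals the XOR of the plaintexts. Keep the amount of data encrypted under one key well below the point at which the counter wraps around.` It would also help to say explicitly whether \p nonce_counter is updated in place on return (the \p nc_off resume semantics suggest it is), since the old text only said that for \p stream_block.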
@@ -296,11 +364,11 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx, * \brief Deprecated internal AES block encryption function * without return value. * - * \deprecated Superseded by mbedtls_aes_encrypt_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_aes_encrypt_ext() in 2.5.0. * - * \param ctx AES context - * \param input Plaintext block - * \param output Output (ciphertext) block + * \param ctx The AES context to use for encryption. + * \param input Plaintext block. + * \param output Output (ciphertext) block. */ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, const unsigned char input[16], @@ -310,11 +378,11 @@ MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx, * \brief Deprecated internal AES block decryption function * without return value. * - * \deprecated Superseded by mbedtls_aes_decrypt_ext() in 2.5.0 + * \deprecated Superseded by mbedtls_aes_decrypt_ext() in 2.5.0. * - * \param ctx AES context - * \param input Ciphertext block - * \param output Output (plaintext) block + * \param ctx The AES context to use for decryption. + * \param input Ciphertext block. + * \param output Output (plaintext) block. */ MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx, const unsigned char input[16], @@ -336,9 +404,9 @@ extern "C" { #endif /** - * \brief Checkup routine + * \brief Checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_aes_self_test( int verbose ); diff --git a/library/error.c b/library/error.c index 4f5e4469f..e39fb09b9 100644 --- a/library/error.c +++ b/library/error.c 
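Review bot: The rewritten brief for mbedtls_internal_aes_decrypt reads "exposed to allow overriding it using see \c MBEDTLS_AES_DECRYPT_ALT"; "see" is a leftover of the old wording and should be dropped so the text matches the encrypt counterpart two comments up: `* exposed to allow overriding it using` / `* \c MBEDTLS_AES_DECRYPT_ALT.`. Since these are the raw block primitives that alternative implementations replace, the signatures (`input[16]`, `output[16]`) justify a one-line `\note \p input and \p output are single 16-byte blocks; no mode of operation is applied.` so that nobody treats them as buffer APIs.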
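Review bot: The `\deprecated` tag on mbedtls_aes_encrypt still points users at `mbedtls_aes_encrypt_ext()`, but the successor this header actually declares (previous hunk) is `mbedtls_internal_aes_encrypt()`; the commit only appended a period to the line. Unless an `_ext` variant exists in a part of the tree not shown here, the note sends callers to a non-existent function. Suggest `\deprecated Superseded by mbedtls_internal_aes_encrypt() in 2.5.0.`.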
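Review bot: The `\deprecated` tag on mbedtls_aes_decrypt names `mbedtls_aes_decrypt_ext()`, which is not declared anywhere in this header, while the non-deprecated block-decrypt entry point declared above is `mbedtls_internal_aes_decrypt()`. Suggest `\deprecated Superseded by mbedtls_internal_aes_decrypt() in 2.5.0.`, unless an `_ext` variant exists elsewhere in the tree.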
@@ -569,7 +569,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH) ) mbedtls_snprintf( buf, buflen, "AES - Invalid data input length" ); if( use_ret == -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE) ) - mbedtls_snprintf( buf, buflen, "AES - Feature not available, e.g. unsupported AES key size" ); + mbedtls_snprintf( buf, buflen, "AES - Feature not available. For example, an unsupported AES key size" ); if( use_ret == -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED) ) mbedtls_snprintf( buf, buflen, "AES - AES hardware accelerator failed" ); #endif /* MBEDTLS_AES_C */ From eecdbea30f50ed97715a800302f5dae36e2fddef Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Wed, 24 Jan 2018 12:56:53 +0000 Subject: [PATCH 161/177] Improve CCM documentation - Rephrase function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhering to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Fix iv_len values per the standard. GitHub PR: #1305 --- include/mbedtls/ccm.h | 128 +++++++++++++++++++++++------------------- library/error.c | 2 +- 2 files changed, 72 insertions(+), 58 deletions(-) diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index 1459eb8ea..5a9ee4a1c 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -1,10 +1,19 @@ /** * \file ccm.h * - * \brief Counter with CBC-MAC (CCM) for 128-bit block ciphers + * \brief CCM combines Counter mode encryption with CBC-MAC authentication + * for 128-bit block ciphers. + * + * Input to CCM includes the following elements: + *
  • Payload - data that is both authenticated and encrypted.
  • + *
  • Associated data (Adata) - data that is authenticated but not + * encrypted, For example, a header.
  • + *
  • Nonce - A unique value that is assigned to the payload and the + * associated data.
+ * */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,16 +28,17 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_CCM_H #define MBEDTLS_CCM_H #include "cipher.h" -#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to function. */ -#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */ -#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */ +#define MBEDTLS_ERR_CCM_BAD_INPUT -0x000D /**< Bad input parameters to the function. */ +#define MBEDTLS_ERR_CCM_AUTH_FAILED -0x000F /**< Authenticated decryption failed. */ +#define MBEDTLS_ERR_CCM_HW_ACCEL_FAILED -0x0011 /**< CCM hardware accelerator failed. */ #if !defined(MBEDTLS_CCM_ALT) // Regular implementation 
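Review bot: The new "Nonce" bullet ("A unique value that is assigned to the payload and the associated data") understates the contract: for CCM the nonce must be unique per message under a given key, and reuse breaks both confidentiality and authenticity, so the file-level description should say so. Suggest `Nonce - A value that must never be reused for two different messages encrypted under the same key.`. The Adata bullet also has a stray comma/capital, `encrypted, For example, a header.`, which should read `encrypted. For example, a header.`.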
@@ -39,31 +49,33 @@ extern "C" { #endif /** - * \brief CCM context structure + * \brief The CCM context-type definition. The CCM context is passed + * to the APIs called. */ typedef struct { - mbedtls_cipher_context_t cipher_ctx; /*!< cipher context used */ + mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */ } mbedtls_ccm_context; /** - * \brief Initialize CCM context (just makes references valid) - * Makes the context ready for mbedtls_ccm_setkey() or - * mbedtls_ccm_free(). + * \brief This function initializes the specified CCM context, + * to make references valid, and prepare the context + * for mbedtls_ccm_setkey() or mbedtls_ccm_free(). * - * \param ctx CCM context to initialize + * \param ctx The CCM context to initialize. */ void mbedtls_ccm_init( mbedtls_ccm_context *ctx ); /** - * \brief CCM initialization (encryption and decryption) + * \brief This function initializes the CCM context set in the + * \p ctx parameter and sets the encryption key. * - * \param ctx CCM context to be initialized - * \param cipher cipher to use (a 128-bit block cipher) - * \param key encryption key - * \param keybits key size in bits (must be acceptable by the cipher) + * \param ctx The CCM context to initialize. + * \param cipher The 128-bit block cipher to use. + * \param key The encryption key. + * \param keybits The key size in bits. This must be acceptable by the cipher. * - * \return 0 if successful, or a cipher specific error code + * \return \c 0 on success, or a cipher-specific error code. */ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, mbedtls_cipher_id_t cipher, 
@@ -71,36 +83,37 @@ int mbedtls_ccm_setkey( mbedtls_ccm_context *ctx, unsigned int keybits ); /** - * \brief Free a CCM context and underlying cipher sub-context + * \brief This function releases and clears the specified CCM context + * and underlying cipher sub-context. * - * \param ctx CCM context to free + * \param ctx The CCM context to clear. */ void mbedtls_ccm_free( mbedtls_ccm_context *ctx ); /** - * \brief CCM buffer encryption + * \brief This function encrypts a buffer using CCM. * - * \param ctx CCM context - * \param length length of the input data in bytes - * \param iv nonce (initialization vector) - * \param iv_len length of IV in bytes - * must be 2, 3, 4, 5, 6, 7 or 8 - * \param add additional data - * \param add_len length of additional data in bytes - * must be less than 2^16 - 2^8 - * \param input buffer holding the input data - * \param output buffer for holding the output data - * must be at least 'length' bytes wide - * \param tag buffer for holding the tag - * \param tag_len length of the tag to generate in bytes - * must be 4, 6, 8, 10, 14 or 16 + * \param ctx The CCM context to use for encryption. + * \param length The length of the input data in Bytes. + * \param iv Initialization vector (nonce). + * \param iv_len The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13. + * \param add The additional data field. + * \param add_len The length of additional data in Bytes. + * Must be less than 2^16 - 2^8. + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * Must be at least \p length Bytes wide. + * \param tag The buffer holding the tag. + * \param tag_len The length of the tag to generate in Bytes: + * 4, 6, 8, 10, 14 or 16. * - * \note The tag is written to a separate buffer. To get the tag - * concatenated with the output as in the CCM spec, use - * tag = output + length and make sure the output buffer is - * at least length + tag_len wide. 
+ * \note The tag is written to a separate buffer. To concatenate + * the \p tag with the \p output, as done in RFC-3610: + * Counter with CBC-MAC (CCM), use + * \p tag = \p output + \p length, and make sure that the + * output buffer is at least \p length + \p tag_len wide. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, @@ -109,21 +122,22 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length, unsigned char *tag, size_t tag_len ); /** - * \brief CCM buffer authenticated decryption + * \brief This function performs a CCM authenticated decryption of a + * buffer. * - * \param ctx CCM context - * \param length length of the input data - * \param iv initialization vector - * \param iv_len length of IV - * \param add additional data - * \param add_len length of additional data - * \param input buffer holding the input data - * \param output buffer for holding the output data - * \param tag buffer holding the tag - * \param tag_len length of the tag + * \param ctx The CCM context to use for decryption. + * \param length The length of the input data in Bytes. + * \param iv Initialization vector. + * \param iv_len The length of the IV in Bytes: 7, 8, 9, 10, 11, 12, or 13. + * \param add The additional data field. + * \param add_len The length of additional data in Bytes. + * \param input The buffer holding the input data. + * \param output The buffer holding the output data. + * \param tag The buffer holding the tag. + * \param tag_len The length of the tag in Bytes. * - * \return 0 if successful and authenticated, - * MBEDTLS_ERR_CCM_AUTH_FAILED if tag does not match + * \return 0 if successful and authenticated, or + * #MBEDTLS_ERR_CCM_AUTH_FAILED if the tag does not match. */ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, const unsigned char *iv, size_t iv_len, 
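Review bot: The accepted \p tag_len list `4, 6, 8, 10, 14 or 16` omits 12, which RFC 3610 and NIST SP 800-38C both permit; ccm.c is not in this hunk, so check what it accepts, but if 12 passes the list should read `4, 6, 8, 10, 12, 14, or 16`. The \return line only states `\c 0 on success` although this header defines #MBEDTLS_ERR_CCM_BAD_INPUT; presumably an \p iv_len, \p add_len or \p tag_len outside the documented ranges returns it, and the doc should say `#MBEDTLS_ERR_CCM_BAD_INPUT if a length parameter is invalid.`. A short `\warning` that \p iv must never be reused with the same key, and that a 4-byte tag gives only 32 bits of forgery resistance, belongs on this function as well.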
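Review bot: mbedtls_ccm_auth_decrypt does not say what \p output holds when it returns #MBEDTLS_ERR_CCM_AUTH_FAILED, which is the one fact an AEAD caller most needs; add `\note If the tag does not match, the contents of \p output must not be used.` (or state that it is zeroized, if ccm.c does that; it is not visible here). The parameter descriptions are also thinner than on the encrypt side: \p add_len dropped the `2^16 - 2^8` bound and \p tag_len lost the list of accepted sizes, although the same limits presumably apply in both directions. The \return should list #MBEDTLS_ERR_CCM_BAD_INPUT for out-of-range lengths too.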
@@ -135,9 +149,9 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length, } #endif -#else /* !MBEDTLS_CCM_ALT */ +#else /* MBEDTLS_CCM_ALT */ #include "ccm_alt.h" -#endif /* !MBEDTLS_CCM_ALT */ +#endif /* MBEDTLS_CCM_ALT */ #ifdef __cplusplus extern "C" { @@ -145,9 +159,9 @@ extern "C" { #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C) /** - * \brief Checkup routine + * \brief The CCM checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_ccm_self_test( int verbose ); #endif /* MBEDTLS_SELF_TEST && MBEDTLS_AES_C */ diff --git a/library/error.c b/library/error.c index e39fb09b9..fdfa94ad0 100644 --- a/library/error.c +++ b/library/error.c @@ -642,7 +642,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) #if defined(MBEDTLS_CCM_C) if( use_ret == -(MBEDTLS_ERR_CCM_BAD_INPUT) ) - mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to function" ); + mbedtls_snprintf( buf, buflen, "CCM - Bad input parameters to the function" ); if( use_ret == -(MBEDTLS_ERR_CCM_AUTH_FAILED) ) mbedtls_snprintf( buf, buflen, "CCM - Authenticated decryption failed" ); if( use_ret == -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED) ) From 9ba6b621deac7d1468e4e43cc0f18d730f819b54 Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Wed, 24 Jan 2018 12:59:19 +0000 Subject: [PATCH 162/177] Improve cipher documentation - Rephrase function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1306 --- include/mbedtls/cipher.h | 527 +++++++++++++++++++++------------------ library/error.c | 4 +- 2 files changed, 280 insertions(+), 251 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 97b9226f5..dc1bc5647 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h 
@@ -1,12 +1,12 @@ /** * \file cipher.h * - * \brief Generic cipher wrapper. + * \brief The generic cipher wrapper. * * \author Adriaan de Jong */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -21,7 +21,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_CIPHER_H 
@@ -52,22 +52,23 @@ #define inline __inline #endif -#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 /**< The selected feature is not available. */ -#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 /**< Bad input parameters to function. */ -#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180 /**< Failed to allocate memory. */ -#define MBEDTLS_ERR_CIPHER_INVALID_PADDING -0x6200 /**< Input data contains invalid padding and is rejected. */ -#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280 /**< Decryption of block requires a full block. */ -#define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300 /**< Authentication failed (for AEAD modes). */ -#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 /**< The context is invalid, eg because it was free()ed. */ -#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED -0x6400 /**< Cipher hardware accelerator failed. */ +#define MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE -0x6080 /**< The selected feature is not available. */ +#define MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA -0x6100 /**< Bad input parameters. */ +#define MBEDTLS_ERR_CIPHER_ALLOC_FAILED -0x6180 /**< Failed to allocate memory. */ +#define MBEDTLS_ERR_CIPHER_INVALID_PADDING -0x6200 /**< Input data contains invalid padding and is rejected. */ +#define MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED -0x6280 /**< Decryption of block requires a full block. */ +#define MBEDTLS_ERR_CIPHER_AUTH_FAILED -0x6300 /**< Authentication failed (for AEAD modes). */ +#define MBEDTLS_ERR_CIPHER_INVALID_CONTEXT -0x6380 /**< The context is invalid. For example, because it was freed. */ +#define MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED -0x6400 /**< Cipher hardware accelerator failed. */ -#define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length */ -#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length */ +#define MBEDTLS_CIPHER_VARIABLE_IV_LEN 0x01 /**< Cipher accepts IVs of variable length. 
*/ +#define MBEDTLS_CIPHER_VARIABLE_KEY_LEN 0x02 /**< Cipher accepts keys of variable length. */ #ifdef __cplusplus extern "C" { #endif +/** Supported cipher IDs. */ typedef enum { MBEDTLS_CIPHER_ID_NONE = 0, MBEDTLS_CIPHER_ID_NULL, @@ -79,6 +80,7 @@ typedef enum { MBEDTLS_CIPHER_ID_ARC4, } mbedtls_cipher_id_t; +/** Supported cipher types. */ typedef enum { MBEDTLS_CIPHER_NONE = 0, MBEDTLS_CIPHER_NULL, @@ -131,6 +133,7 @@ typedef enum { MBEDTLS_CIPHER_CAMELLIA_256_CCM, } mbedtls_cipher_type_t; +/** Supported cipher modes. */ typedef enum { MBEDTLS_MODE_NONE = 0, MBEDTLS_MODE_ECB, @@ -143,14 +146,16 @@ typedef enum { MBEDTLS_MODE_CCM, } mbedtls_cipher_mode_t; +/** Supported cipher padding types. */ typedef enum { - MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default) */ - MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding */ - MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding */ - MBEDTLS_PADDING_ZEROS, /**< zero padding (not reversible!) */ - MBEDTLS_PADDING_NONE, /**< never pad (full blocks only) */ + MBEDTLS_PADDING_PKCS7 = 0, /**< PKCS7 padding (default). */ + MBEDTLS_PADDING_ONE_AND_ZEROS, /**< ISO/IEC 7816-4 padding. */ + MBEDTLS_PADDING_ZEROS_AND_LEN, /**< ANSI X.923 padding. */ + MBEDTLS_PADDING_ZEROS, /**< zero padding (not reversible). */ + MBEDTLS_PADDING_NONE, /**< never pad (full blocks only). */ } mbedtls_cipher_padding_t; +/** Type of operation. */ typedef enum { MBEDTLS_OPERATION_NONE = -1, MBEDTLS_DECRYPT = 0, 
@@ -158,19 +163,19 @@ typedef enum { } mbedtls_operation_t; enum { - /** Undefined key length */ + /** Undefined key length. */ MBEDTLS_KEY_LENGTH_NONE = 0, - /** Key length, in bits (including parity), for DES keys */ + /** Key length, in bits (including parity), for DES keys. */ MBEDTLS_KEY_LENGTH_DES = 64, - /** Key length, in bits (including parity), for DES in two key EDE */ + /** Key length in bits, including parity, for DES in two-key EDE. */ MBEDTLS_KEY_LENGTH_DES_EDE = 128, - /** Key length, in bits (including parity), for DES in three-key EDE */ + /** Key length in bits, including parity, for DES in three-key EDE. */ MBEDTLS_KEY_LENGTH_DES_EDE3 = 192, }; -/** Maximum length of any IV, in bytes */ +/** Maximum length of any IV, in Bytes. */ #define MBEDTLS_MAX_IV_LENGTH 16 -/** Maximum block size of any cipher, in bytes */ +/** Maximum block size of any cipher, in Bytes. */ #define MBEDTLS_MAX_BLOCK_LENGTH 16 /** 
@@ -184,33 +189,40 @@ typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t; typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t; /** - * Cipher information. Allows cipher functions to be called in a generic way. + * Cipher information. Allows calling cipher functions + * in a generic way. */ typedef struct { - /** Full cipher identifier (e.g. MBEDTLS_CIPHER_AES_256_CBC) */ + /** Full cipher identifier. For example, + * MBEDTLS_CIPHER_AES_256_CBC. + */ mbedtls_cipher_type_t type; - /** Cipher mode (e.g. MBEDTLS_MODE_CBC) */ + /** The cipher mode. For example, MBEDTLS_MODE_CBC. */ mbedtls_cipher_mode_t mode; - /** Cipher key length, in bits (default length for variable sized ciphers) - * (Includes parity bits for ciphers like DES) */ + /** The cipher key length, in bits. This is the + * default length for variable sized ciphers. + * Includes parity bits for ciphers like DES. + */ unsigned int key_bitlen; - /** Name of the cipher */ + /** Name of the cipher. */ const char * name; - /** IV/NONCE size, in bytes. - * For cipher that accept many sizes: recommended size */ + /** IV or nonce size, in Bytes. + * For ciphers that accept variable IV sizes, + * this is the recommended size. + */ unsigned int iv_size; - /** Flags for variable IV size, variable key size, etc. */ + /** Flags to set. For example, if the cipher supports variable IV sizes or variable key sizes. */ int flags; - /** block size, in bytes */ + /** The block size, in Bytes. */ unsigned int block_size; - /** Base cipher information and functions */ + /** Struct for base cipher information and functions. */ const mbedtls_cipher_base_t *base; } mbedtls_cipher_info_t; 
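Review bot: The new description of the `flags` field ("Flags to set. For example, if the cipher supports variable IV sizes or variable key sizes.") does not name the bits, so a reader cannot tell which macro to test, even though this header defines them a few hunks up. Suggest `Bitflags comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and MBEDTLS_CIPHER_VARIABLE_KEY_LEN.`.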
@@ -219,125 +231,133 @@ typedef struct { * Generic cipher context. */ typedef struct { - /** Information about the associated cipher */ + /** Information about the associated cipher. */ const mbedtls_cipher_info_t *cipher_info; - /** Key length to use */ + /** Key length to use. */ int key_bitlen; - /** Operation that the context's key has been initialised for */ + /** Operation that the key of the context has been + * initialized for. + */ mbedtls_operation_t operation; #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) - /** Padding functions to use, if relevant for cipher mode */ + /** Padding functions to use, if relevant for + * the specific cipher mode. + */ void (*add_padding)( unsigned char *output, size_t olen, size_t data_len ); int (*get_padding)( unsigned char *input, size_t ilen, size_t *data_len ); #endif - /** Buffer for data that hasn't been encrypted yet */ + /** Buffer for input that has not been processed yet. */ unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH]; - /** Number of bytes that still need processing */ + /** Number of Bytes that have not been processed yet. */ size_t unprocessed_len; - /** Current IV or NONCE_COUNTER for CTR-mode */ + /** Current IV or NONCE_COUNTER for CTR-mode. */ unsigned char iv[MBEDTLS_MAX_IV_LENGTH]; - /** IV size in bytes (for ciphers with variable-length IVs) */ + /** IV size in Bytes, for ciphers with variable-length IVs. */ size_t iv_size; - /** Cipher-specific context */ + /** The cipher-specific context. */ void *cipher_ctx; #if defined(MBEDTLS_CMAC_C) - /** CMAC Specific context */ + /** CMAC-specific context. */ mbedtls_cmac_context_t *cmac_ctx; #endif } mbedtls_cipher_context_t; /** - * \brief Returns the list of ciphers supported by the generic cipher module. + * \brief This function retrieves the list of ciphers supported by the generic + * cipher module. * - * \return a statically allocated array of ciphers, the last entry - * is 0. + * \return A statically-allocated array of ciphers. 
The last entry + * is zero. */ const int *mbedtls_cipher_list( void ); /** - * \brief Returns the cipher information structure associated - * with the given cipher name. + * \brief This function retrieves the cipher-information + * structure associated with the given cipher name. * * \param cipher_name Name of the cipher to search for. * - * \return the cipher information structure associated with the - * given cipher_name, or NULL if not found. + * \return The cipher information structure associated with the + * given \p cipher_name, or NULL if not found. */ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_string( const char *cipher_name ); /** - * \brief Returns the cipher information structure associated - * with the given cipher type. + * \brief This function retrieves the cipher-information + * structure associated with the given cipher type. * * \param cipher_type Type of the cipher to search for. * - * \return the cipher information structure associated with the - * given cipher_type, or NULL if not found. + * \return The cipher information structure associated with the + * given \p cipher_type, or NULL if not found. */ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_type( const mbedtls_cipher_type_t cipher_type ); /** - * \brief Returns the cipher information structure associated - * with the given cipher id, key size and mode. + * \brief This function retrieves the cipher-information + * structure associated with the given cipher ID, + * key size and mode. * - * \param cipher_id Id of the cipher to search for - * (e.g. MBEDTLS_CIPHER_ID_AES) - * \param key_bitlen Length of the key in bits - * \param mode Cipher mode (e.g. MBEDTLS_MODE_CBC) + * \param cipher_id The ID of the cipher to search for. For example, + * #MBEDTLS_CIPHER_ID_AES. + * \param key_bitlen The length of the key in bits. + * \param mode The cipher mode. For example, #MBEDTLS_MODE_CBC. 
* - * \return the cipher information structure associated with the - * given cipher_type, or NULL if not found. + * \return The cipher information structure associated with the + * given \p cipher_id, or NULL if not found. */ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_cipher_id_t cipher_id, int key_bitlen, const mbedtls_cipher_mode_t mode ); /** - * \brief Initialize a cipher_context (as NONE) + * \brief This function initializes a \p cipher_context as NONE. */ void mbedtls_cipher_init( mbedtls_cipher_context_t *ctx ); /** - * \brief Free and clear the cipher-specific context of ctx. - * Freeing ctx itself remains the responsibility of the - * caller. + * \brief This function frees and clears the cipher-specific + * context of \p ctx. Freeing \p ctx itself remains the + * responsibility of the caller. */ void mbedtls_cipher_free( mbedtls_cipher_context_t *ctx ); + /** - * \brief Initialises and fills the cipher context structure with - * the appropriate values. + * \brief This function initializes and fills the cipher-context + * structure with the appropriate values. It also clears + * the structure. * - * \note Currently also clears structure. In future versions you - * will be required to call mbedtls_cipher_init() on the structure - * first. + * \param ctx The context to initialize. May not be NULL. + * \param cipher_info The cipher to use. * - * \param ctx context to initialise. May not be NULL. - * \param cipher_info cipher to use. - * - * \return 0 on success, - * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter failure, - * MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the + * \return \c 0 on success, + * #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on parameter failure, + * #MBEDTLS_ERR_CIPHER_ALLOC_FAILED if allocation of the * cipher-specific context failed. + * + * \internal Currently, the function also clears the structure. 
+ * In future versions, the caller will be required to call + * mbedtls_cipher_init() on the structure first. */ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info ); /** - * \brief Returns the block size of the given cipher. + * \brief This function returns the block size of the given cipher. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return size of the cipher's blocks, or 0 if ctx has not been - * initialised. + * \return The size of the blocks of the cipher, or zero if \p ctx + * has not been initialized. */ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx ) { @@ -348,13 +368,13 @@ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_c } /** - * \brief Returns the mode of operation for the cipher. - * (e.g. MBEDTLS_MODE_CBC) + * \brief This function returns the mode of operation for + * the cipher. For example, MBEDTLS_MODE_CBC. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return mode of operation, or MBEDTLS_MODE_NONE if ctx - * has not been initialised. + * \return The mode of operation, or #MBEDTLS_MODE_NONE if + * \p ctx has not been initialized. */ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx ) { 
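Review bot: Moving the mbedtls_cipher_setup forward-compatibility warning from a `\note` to `\internal` hides it from the public API reference (Doxygen drops \internal blocks unless INTERNAL_DOCS is enabled), yet it is precisely the callers who need to know that they will be required to call mbedtls_cipher_init() first. Keep it user-visible: `\note Currently, this function also clears the structure. In future versions, you will be required to call mbedtls_cipher_init() on the structure first.`. Also, mbedtls_cipher_init() and mbedtls_cipher_free() gained full-sentence briefs but still have no `\param ctx` line; add `\param ctx The context to initialize.` and `\param ctx The context to free.` so the generated docs are complete.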
@@ -365,13 +385,14 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtl } /** - * \brief Returns the size of the cipher's IV/NONCE in bytes. + * \brief This function returns the size of the IV or nonce + * of the cipher, in Bytes. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return If IV has not been set yet: (recommended) IV size - * (0 for ciphers not using IV/NONCE). - * If IV has already been set: actual size. + * \return
  • If no IV has been set: the recommended IV size. + * 0 for ciphers not using IV or nonce.
  • + *
  • If IV has already been set: the actual size.
*/ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx ) { @@ -385,12 +406,12 @@ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ct } /** - * \brief Returns the type of the given cipher. + * \brief This function returns the type of the given cipher. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return type of the cipher, or MBEDTLS_CIPHER_NONE if ctx has - * not been initialised. + * \return The type of the cipher, or #MBEDTLS_CIPHER_NONE if + * \p ctx has not been initialized. */ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_cipher_context_t *ctx ) { @@ -401,11 +422,13 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( const mbedtls_ciphe } /** - * \brief Returns the name of the given cipher, as a string. + * \brief This function returns the name of the given cipher + * as a string. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return name of the cipher, or NULL if ctx was not initialised. + * \return The name of the cipher, or NULL if \p ctx has not + * been not initialized. */ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx ) { 
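Review bot: The \return for mbedtls_cipher_get_name now reads "if \p ctx has not been not initialized", a double negative introduced by this rewrite. It should be `\p ctx has not been initialized.`, matching the other getters in this file.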
@@ -416,13 +439,13 @@ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_ } /** - * \brief Returns the key length of the cipher. + * \brief This function returns the key length of the cipher. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return cipher's key length, in bits, or - * MBEDTLS_KEY_LENGTH_NONE if ctx has not been - * initialised. + * \return The key length of the cipher in bits, or + * #MBEDTLS_KEY_LENGTH_NONE if ctx \p has not been + * initialized. */ static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t *ctx ) { @@ -433,13 +456,13 @@ static inline int mbedtls_cipher_get_key_bitlen( const mbedtls_cipher_context_t } /** - * \brief Returns the operation of the given cipher. + * \brief This function returns the operation of the given cipher. * - * \param ctx cipher's context. Must have been initialised. + * \param ctx The context of the cipher. Must be initialized. * - * \return operation (MBEDTLS_ENCRYPT or MBEDTLS_DECRYPT), - * or MBEDTLS_OPERATION_NONE if ctx has not been - * initialised. + * \return The type of operation: #MBEDTLS_ENCRYPT or + * #MBEDTLS_DECRYPT, or #MBEDTLS_OPERATION_NONE if \p ctx + * has not been initialized. */ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_cipher_context_t *ctx ) { 
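Review bot: In the \return of mbedtls_cipher_get_key_bitlen the Doxygen command landed on the wrong side of the word: `if ctx \p has not been` should be `if \p ctx has not been`, as in the neighbouring getters; otherwise `\p` attaches to "has" and the rendered text is wrong. This is the only rendering-visible defect in the hunk; the rest is wording.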
@@ -450,18 +473,18 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( const mbedtls_ci
}
/**
- * \brief Set the key to use with the given context.
+ * \brief This function sets the key to use with the given context.
*
- * \param ctx generic cipher context. May not be NULL. Must have been
- * initialised using cipher_context_from_type or
- * cipher_context_from_string.
+ * \param ctx The generic cipher context. May not be NULL. Must have
+ * been initialized using mbedtls_cipher_info_from_type()
+ * or mbedtls_cipher_info_from_string().
* \param key The key to use.
- * \param key_bitlen key length to use, in bits.
- * \param operation Operation that the key will be used for, either
- * MBEDTLS_ENCRYPT or MBEDTLS_DECRYPT.
+ * \param key_bitlen The key length to use, in bits.
+ * \param operation The operation that the key will be used for:
+ * #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT.
*
- * \returns 0 on success, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
- * parameter verification fails or a cipher specific
+ * \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if
+ * parameter verification fails, or a cipher-specific
* error code.
*/
int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *key,
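Review bot: The new \param ctx text for mbedtls_cipher_setkey() says the context must have been initialized using mbedtls_cipher_info_from_type() or mbedtls_cipher_info_from_string(), but those are cipher-info lookups that do not initialize a context, so the sentence points callers at the wrong API for the one precondition that matters before a key is loaded. In this API a context is normally prepared with mbedtls_cipher_init() and bound to a cipher with mbedtls_cipher_setup() (their declarations are earlier in the file and not in this hunk, so confirm against them), and the comment should name that sequence, e.g. ` * been initialized with mbedtls_cipher_init() and set up with` / ` * mbedtls_cipher_setup() using the info returned by one of those lookups.`. The declaration of mbedtls_cipher_setkey() continues past the end of the hunk.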
@@ -469,170 +492,176 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx, const unsigned char *k #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) /** - * \brief Set padding mode, for cipher modes that use padding. - * (Default: PKCS7 padding.) + * \brief This function sets the padding mode, for cipher modes + * that use padding. * - * \param ctx generic cipher context - * \param mode padding mode + * The default passing mode is PKCS7 padding. * - * \returns 0 on success, MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE - * if selected padding mode is not supported, or - * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode + * \param ctx The generic cipher context. + * \param mode The padding mode. + * + * \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE + * if the selected padding mode is not supported, or + * #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if the cipher mode * does not support padding. */ int mbedtls_cipher_set_padding_mode( mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode ); #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ /** - * \brief Set the initialization vector (IV) or nonce + * \brief This function sets the initialization vector (IV) + * or nonce. * - * \param ctx generic cipher context - * \param iv IV to use (or NONCE_COUNTER for CTR-mode ciphers) - * \param iv_len IV length for ciphers with variable-size IV; - * discarded by ciphers with fixed-size IV. + * \param ctx The generic cipher context. + * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. + * \param iv_len The IV length for ciphers with variable-size IV. + * This parameter is discarded by ciphers with fixed-size IV. * - * \returns 0 on success, or MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA + * \returns \c 0 on success, or #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA * - * \note Some ciphers don't use IVs nor NONCE. For these - * ciphers, this function has no effect. + * \note Some ciphers do not use IVs nor nonce. For these + * ciphers, this function has no effect. 
*/ int mbedtls_cipher_set_iv( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len ); /** - * \brief Finish preparation of the given context + * \brief This function resets the cipher state. * - * \param ctx generic cipher context + * \param ctx The generic cipher context. * - * \returns 0 on success, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA - * if parameter verification fails. + * \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA + * if parameter verification fails. */ int mbedtls_cipher_reset( mbedtls_cipher_context_t *ctx ); #if defined(MBEDTLS_GCM_C) /** - * \brief Add additional data (for AEAD ciphers). - * Currently only supported with GCM. - * Must be called exactly once, after mbedtls_cipher_reset(). + * \brief This function adds additional data for AEAD ciphers. + * Only supported with GCM. Must be called + * exactly once, after mbedtls_cipher_reset(). * - * \param ctx generic cipher context - * \param ad Additional data to use. - * \param ad_len Length of ad. + * \param ctx The generic cipher context. + * \param ad The additional data to use. + * \param ad_len the Length of \p ad. * - * \return 0 on success, or a specific error code. + * \return \c 0 on success, or a specific error code on failure. */ int mbedtls_cipher_update_ad( mbedtls_cipher_context_t *ctx, const unsigned char *ad, size_t ad_len ); #endif /* MBEDTLS_GCM_C */ /** - * \brief Generic cipher update function. Encrypts/decrypts - * using the given cipher context. Writes as many block - * size'd blocks of data as possible to output. Any data - * that cannot be written immediately will either be added - * to the next block, or flushed when cipher_final is - * called. - * Exception: for MBEDTLS_MODE_ECB, expects single block - * in size (e.g. 16 bytes for AES) + * \brief The generic cipher update function. It encrypts or + * decrypts using the given cipher context. Writes as + * many block-sized blocks of data as possible to output. 
+ * Any data that cannot be written immediately is either + * added to the next block, or flushed when + * mbedtls_cipher_finish() is called. + * Exception: For MBEDTLS_MODE_ECB, expects a single block + * in size. For example, 16 Bytes for AES. * - * \param ctx generic cipher context - * \param input buffer holding the input data - * \param ilen length of the input data - * \param output buffer for the output data. Should be able to hold at - * least ilen + block_size. Cannot be the same buffer as - * input! - * \param olen length of the output data, will be filled with the - * actual number of bytes written. + * \param ctx The generic cipher context. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The buffer for the output data. Must be able to hold at + * least \p ilen + block_size. Must not be the same buffer + * as input. + * \param olen The length of the output data, to be updated with the + * actual number of Bytes written. * - * \returns 0 on success, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if + * \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if * parameter verification fails, - * MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an - * unsupported mode for a cipher or a cipher specific + * #MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE on an + * unsupported mode for a cipher, or a cipher-specific * error code. * * \note If the underlying cipher is GCM, all calls to this - * function, except the last one before mbedtls_cipher_finish(), - * must have ilen a multiple of the block size. + * function, except the last one before + * mbedtls_cipher_finish(). Must have \p ilen as a + * multiple of the block_size. */ int mbedtls_cipher_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen ); /** - * \brief Generic cipher finalisation function. 
If data still - * needs to be flushed from an incomplete block, data - * contained within it will be padded with the size of - * the last block, and written to the output buffer. + * \brief The generic cipher finalization function. If data still + * needs to be flushed from an incomplete block, the data + * contained in it is padded to the size of + * the last block, and written to the \p output buffer. * - * \param ctx Generic cipher context - * \param output buffer to write data to. Needs block_size available. - * \param olen length of the data written to the output buffer. + * \param ctx The generic cipher context. + * \param output The buffer to write data to. Needs block_size available. + * \param olen The length of the data written to the \p output buffer. * - * \returns 0 on success, MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if + * \returns \c 0 on success, #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA if * parameter verification fails, - * MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption + * #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption * expected a full block but was not provided one, - * MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - * while decrypting or a cipher specific error code. + * #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding + * while decrypting, or a cipher-specific error code + * on failure for any other reason. */ int mbedtls_cipher_finish( mbedtls_cipher_context_t *ctx, unsigned char *output, size_t *olen ); #if defined(MBEDTLS_GCM_C) /** - * \brief Write tag for AEAD ciphers. - * Currently only supported with GCM. + * \brief This function writes a tag for AEAD ciphers. + * Only supported with GCM. * Must be called after mbedtls_cipher_finish(). * - * \param ctx Generic cipher context - * \param tag buffer to write the tag - * \param tag_len Length of the tag to write + * \param ctx The generic cipher context. + * \param tag The buffer to write the tag to. + * \param tag_len The length of the tag to write. 
* - * \return 0 on success, or a specific error code. + * \return \c 0 on success, or a specific error code on failure. */ int mbedtls_cipher_write_tag( mbedtls_cipher_context_t *ctx, unsigned char *tag, size_t tag_len ); /** - * \brief Check tag for AEAD ciphers. - * Currently only supported with GCM. + * \brief This function checks the tag for AEAD ciphers. + * Only supported with GCM. * Must be called after mbedtls_cipher_finish(). * - * \param ctx Generic cipher context - * \param tag Buffer holding the tag - * \param tag_len Length of the tag to check + * \param ctx The generic cipher context. + * \param tag The buffer holding the tag. + * \param tag_len The length of the tag to check. * - * \return 0 on success, or a specific error code. + * \return \c 0 on success, or a specific error code on failure. */ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx, const unsigned char *tag, size_t tag_len ); #endif /* MBEDTLS_GCM_C */ /** - * \brief Generic all-in-one encryption/decryption - * (for all ciphers except AEAD constructs). + * \brief The generic all-in-one encryption/decryption function, + * for all ciphers except AEAD constructs. * - * \param ctx generic cipher context - * \param iv IV to use (or NONCE_COUNTER for CTR-mode ciphers) - * \param iv_len IV length for ciphers with variable-size IV; - * discarded by ciphers with fixed-size IV. - * \param input buffer holding the input data - * \param ilen length of the input data - * \param output buffer for the output data. Should be able to hold at - * least ilen + block_size. Cannot be the same buffer as - * input! - * \param olen length of the output data, will be filled with the - * actual number of bytes written. + * \param ctx The generic cipher context. + * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers. + * \param iv_len The IV length for ciphers with variable-size IV. + * This parameter is discarded by ciphers with fixed-size + * IV. 
+ * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The buffer for the output data. Must be able to hold at + * least \p ilen + block_size. Must not be the same buffer + * as input. + * \param olen The length of the output data, to be updated with the + * actual number of Bytes written. * - * \note Some ciphers don't use IVs nor NONCE. For these - * ciphers, use iv = NULL and iv_len = 0. + * \note Some ciphers do not use IVs nor nonce. For these + * ciphers, use \p iv = NULL and \p iv_len = 0. * - * \returns 0 on success, or - * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or - * MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption + * \returns \c 0 on success, or + * #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or + * #MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED if decryption * expected a full block but was not provided one, or - * MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding - * while decrypting, or - * a cipher specific error code. + * #MBEDTLS_ERR_CIPHER_INVALID_PADDING on invalid padding + * while decrypting, or a cipher-specific error code on + * failure for any other reason. */ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, 
@@ -641,26 +670,26 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
/**
- * \brief Generic autenticated encryption (AEAD ciphers).
+ * \brief The generic autenticated encryption (AEAD) function.
*
- * \param ctx generic cipher context
- * \param iv IV to use (or NONCE_COUNTER for CTR-mode ciphers)
- * \param iv_len IV length for ciphers with variable-size IV;
- * discarded by ciphers with fixed-size IV.
- * \param ad Additional data to authenticate.
- * \param ad_len Length of ad.
- * \param input buffer holding the input data
- * \param ilen length of the input data
- * \param output buffer for the output data.
- * Should be able to hold at least ilen.
- * \param olen length of the output data, will be filled with the
- * actual number of bytes written.
- * \param tag buffer for the authentication tag
- * \param tag_len desired tag length
+ * \param ctx The generic cipher context.
+ * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len The IV length for ciphers with variable-size IV.
+ * This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad The additional data to authenticate.
+ * \param ad_len The length of \p ad.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the output data.
+ * Must be able to hold at least \p ilen.
+ * \param olen The length of the output data, to be updated with the
+ * actual number of Bytes written.
+ * \param tag The buffer for the authentication tag.
+ * \param tag_len The desired length of the authentication tag.
*
- * \returns 0 on success, or
- * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
- * a cipher specific error code.
+ * \returns \c 0 on success, or
+ * #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
+ * a cipher-specific error code.
*/
int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
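Review bot: The new \brief for mbedtls_cipher_auth_encrypt() carries the old misspelling forward, `The generic autenticated encryption (AEAD) function.`; it should read `authenticated`, and the same slip is repeated in the mbedtls_cipher_auth_decrypt() brief in the next hunk. Since the commit's stated purpose is to clean up exactly this wording, both lines are worth fixing in the same pass. The mbedtls_cipher_auth_encrypt() declaration continues past the end of the hunk.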
@@ -670,31 +699,31 @@ int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
unsigned char *tag, size_t tag_len );
/**
- * \brief Generic autenticated decryption (AEAD ciphers).
+ * \brief The generic autenticated decryption (AEAD) function.
*
- * \param ctx generic cipher context
- * \param iv IV to use (or NONCE_COUNTER for CTR-mode ciphers)
- * \param iv_len IV length for ciphers with variable-size IV;
- * discarded by ciphers with fixed-size IV.
- * \param ad Additional data to be authenticated.
- * \param ad_len Length of ad.
- * \param input buffer holding the input data
- * \param ilen length of the input data
- * \param output buffer for the output data.
- * Should be able to hold at least ilen.
- * \param olen length of the output data, will be filled with the
- * actual number of bytes written.
- * \param tag buffer holding the authentication tag
- * \param tag_len length of the authentication tag
+ * \param ctx The generic cipher context.
+ * \param iv The IV to use, or NONCE_COUNTER for CTR-mode ciphers.
+ * \param iv_len The IV length for ciphers with variable-size IV.
+ * This parameter is discarded by ciphers with fixed-size IV.
+ * \param ad The additional data to be authenticated.
+ * \param ad_len The length of \p ad.
+ * \param input The buffer holding the input data.
+ * \param ilen The length of the input data.
+ * \param output The buffer for the output data.
+ * Must be able to hold at least \p ilen.
+ * \param olen The length of the output data, to be updated with the
+ * actual number of Bytes written.
+ * \param tag The buffer holding the authentication tag.
+ * \param tag_len The length of the authentication tag.
*
- * \returns 0 on success, or
- * MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
- * MBEDTLS_ERR_CIPHER_AUTH_FAILED if data isn't authentic,
- * or a cipher specific error code.
+ * \returns \c 0 on success, or
+ * #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA, or
+ * #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic,
+ * or a cipher-specific error code on failure for any other reason.
*
* \note If the data is not authentic, then the output buffer
- * is zeroed out to prevent the unauthentic plaintext to
- * be used by mistake, making this interface safer.
+ * is zeroed out to prevent the unauthentic plaintext being
+ * used, making this interface safer.
*/
int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
diff --git a/library/error.c b/library/error.c
index fdfa94ad0..f60268659 100644
--- a/library/error.c
+++ b/library/error.c
@@ -210,7 +210,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
if( use_ret == -(MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE) )
mbedtls_snprintf( buf, buflen, "CIPHER - The selected feature is not available" );
if( use_ret == -(MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA) )
- mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters to function" );
+ mbedtls_snprintf( buf, buflen, "CIPHER - Bad input parameters" );
if( use_ret == -(MBEDTLS_ERR_CIPHER_ALLOC_FAILED) )
mbedtls_snprintf( buf, buflen, "CIPHER - Failed to allocate memory" );
if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_PADDING) )
@@ -220,7 +220,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
if( use_ret == -(MBEDTLS_ERR_CIPHER_AUTH_FAILED) )
mbedtls_snprintf( buf, buflen, "CIPHER - Authentication failed (for AEAD modes)" );
if( use_ret == -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT) )
- mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid, eg because it was free()ed" );
+ mbedtls_snprintf( buf, buflen, "CIPHER - The context is invalid. For example, because it was freed" );
if( use_ret == -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED) )
mbedtls_snprintf( buf, buflen, "CIPHER - Cipher hardware accelerator failed" );
#endif /* MBEDTLS_CIPHER_C */
From 380d05d7ff9b3be93cc6df7014f10f69ae7cc84f Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 21:52:41 +0000 Subject: [PATCH 163/177] Improve CMAC documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1315 --- include/mbedtls/cmac.h | 153 +++++++++++++++++++++++------------------ 1 file changed, 87 insertions(+), 66 deletions(-) diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index 1cac94896..628c9daba 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -1,11 +1,11 @@ /** * \file cmac.h * - * \brief Cipher-based Message Authentication Code (CMAC) Mode for - * Authentication + * \brief The Cipher-based Message Authentication Code (CMAC) Mode for + * Authentication. */ /* - * Copyright (C) 2015-2016, ARM Limited, All Rights Reserved + * Copyright (C) 2015-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -20,8 +20,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_CMAC_H #define MBEDTLS_CMAC_H 
@@ -31,110 +32,125 @@ extern "C" { #endif -#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A /**< CMAC hardware accelerator failed. */ +#define MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED -0x007A /**< CMAC hardware accelerator failed. */ #define MBEDTLS_AES_BLOCK_SIZE 16 #define MBEDTLS_DES3_BLOCK_SIZE 8 #if defined(MBEDTLS_AES_C) -#define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /* longest used by CMAC is AES */ +#define MBEDTLS_CIPHER_BLKSIZE_MAX 16 /* The longest block used by CMAC is that of AES. */ #else -#define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /* longest used by CMAC is 3DES */ +#define MBEDTLS_CIPHER_BLKSIZE_MAX 8 /* The longest block used by CMAC is that of 3DES. */ #endif #if !defined(MBEDTLS_CMAC_ALT) /** - * CMAC context structure - Contains internal state information only + * The CMAC context structure. */ struct mbedtls_cmac_context_t { - /** Internal state of the CMAC algorithm */ + /** The internal state of the CMAC algorithm. */ unsigned char state[MBEDTLS_CIPHER_BLKSIZE_MAX]; /** Unprocessed data - either data that was not block aligned and is still - * pending to be processed, or the final block */ + * pending processing, or the final block. */ unsigned char unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX]; - /** Length of data pending to be processed */ + /** The length of data pending processing. */ size_t unprocessed_len; }; /** - * \brief Set the CMAC key and prepare to authenticate the input - * data. - * Should be called with an initialized cipher context. + * \brief This function sets the CMAC key, and prepares to authenticate + * the input data. + * Must be called with an initialized cipher context. * - * \param ctx Cipher context. This should be a cipher context, - * initialized to be one of the following types: - * MBEDTLS_CIPHER_AES_128_ECB, MBEDTLS_CIPHER_AES_192_ECB, - * MBEDTLS_CIPHER_AES_256_ECB or - * MBEDTLS_CIPHER_DES_EDE3_ECB. 
- * \param key CMAC key - * \param keybits length of the CMAC key in bits - * (must be acceptable by the cipher) + * \param ctx The cipher context used for the CMAC operation, initialized + * as one of the following types:
    + *
  • MBEDTLS_CIPHER_AES_128_ECB
  • + *
  • MBEDTLS_CIPHER_AES_192_ECB
  • + *
  • MBEDTLS_CIPHER_AES_256_ECB
  • + *
  • MBEDTLS_CIPHER_DES_EDE3_ECB
+ * \param key The CMAC key. + * \param keybits The length of the CMAC key in bits. + * Must be supported by the cipher. * - * \return 0 if successful, or a cipher specific error code + * \return \c 0 on success, or a cipher-specific error code. */ int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx, const unsigned char *key, size_t keybits ); /** - * \brief Generic CMAC process buffer. - * Called between mbedtls_cipher_cmac_starts() or - * mbedtls_cipher_cmac_reset() and - * mbedtls_cipher_cmac_finish(). - * May be called repeatedly. + * \brief This function feeds an input buffer into an ongoing CMAC + * computation. * - * \param ctx CMAC context - * \param input buffer holding the data - * \param ilen length of the input data + * It is called between mbedtls_cipher_cmac_starts() or + * mbedtls_cipher_cmac_reset(), and mbedtls_cipher_cmac_finish(). + * Can be called repeatedly. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The cipher context used for the CMAC operation. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA + * if parameter verification fails. */ int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx, const unsigned char *input, size_t ilen ); /** - * \brief Output CMAC. - * Called after mbedtls_cipher_cmac_update(). - * Usually followed by mbedtls_cipher_cmac_reset(), then - * mbedtls_cipher_cmac_starts(), or mbedtls_cipher_free(). + * \brief This function finishes the CMAC operation, and writes + * the result to the output buffer. * - * \param ctx CMAC context - * \param output Generic CMAC checksum result + * It is called after mbedtls_cipher_cmac_update(). + * It can be followed by mbedtls_cipher_cmac_reset() and + * mbedtls_cipher_cmac_update(), or mbedtls_cipher_free(). 
* - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The cipher context used for the CMAC operation. + * \param output The output buffer for the CMAC checksum result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA + * if parameter verification fails. */ int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx, unsigned char *output ); /** - * \brief Prepare to authenticate a new message with the same key. - * Called after mbedtls_cipher_cmac_finish() and before - * mbedtls_cipher_cmac_update(). + * \brief This function prepares the authentication of another + * message with the same key as the previous CMAC + * operation. * - * \param ctx CMAC context to be reset + * It is called after mbedtls_cipher_cmac_finish() + * and before mbedtls_cipher_cmac_update(). * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The cipher context used for the CMAC operation. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA + * if parameter verification fails. */ int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx ); /** - * \brief Output = Generic_CMAC( cmac key, input buffer ) + * \brief This function calculates the full generic CMAC + * on the input buffer with the provided key. * - * \param cipher_info message digest info - * \param key CMAC key - * \param keylen length of the CMAC key in bits - * \param input buffer holding the data - * \param ilen length of the input data - * \param output Generic CMAC-result + * The function allocates the context, performs the + * calculation, and frees the context. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * The CMAC result is calculated as + * output = generic CMAC(cmac key, input buffer). + * + * + * \param cipher_info The cipher information. + * \param key The CMAC key. 
+ * \param keylen The length of the CMAC key in bits. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The buffer for the generic CMAC result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA + * if parameter verification fails. */ int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, size_t keylen, @@ -143,16 +159,21 @@ int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info, #if defined(MBEDTLS_AES_C) /** - * \brief AES-CMAC-128-PRF - * Implementation of (AES-CMAC-PRF-128), as defined in RFC 4615 + * \brief This function implements the AES-CMAC-PRF-128 pseudorandom + * function, as defined in + * RFC-4615: The Advanced Encryption Standard-Cipher-based + * Message Authentication Code-Pseudo-Random Function-128 + * (AES-CMAC-PRF-128) Algorithm for the Internet Key + * Exchange Protocol (IKE). * - * \param key PRF key - * \param key_len PRF key length in bytes - * \param input buffer holding the input data - * \param in_len length of the input data in bytes - * \param output buffer holding the generated pseudorandom output (16 bytes) + * \param key The key to use. + * \param key_len The key length in Bytes. + * \param input The buffer holding the input data. + * \param in_len The length of the input data in Bytes. + * \param output The buffer holding the generated 16 Bytes of + * pseudorandom output. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len, const unsigned char *input, size_t in_len, 
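Review bot: Neither the rewritten \param output for mbedtls_cipher_cmac_finish() nor the one for mbedtls_cipher_cmac() states how large the caller's buffer must be, and that size is the one fact a caller needs to avoid writing past the end of it. The header already defines #MBEDTLS_CIPHER_BLKSIZE_MAX as the longest block CMAC uses, so the contract can be stated against it: ` * \param output The output buffer for the CMAC checksum result. Must be` / ` * at least one block of the underlying cipher in size` / ` * (at most #MBEDTLS_CIPHER_BLKSIZE_MAX Bytes).`. The mbedtls_cipher_cmac() comment also has two consecutive empty ` *` lines before \param cipher_info that should be collapsed to one.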
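Review bot: The rewritten \return for mbedtls_aes_cmac_prf_128() says only `\c 0 on success.` and is silent about failure, while every other function in this header is documented as returning a cipher-specific error code or #MBEDTLS_ERR_MD_BAD_INPUT_DATA. If the implementation forwards errors from the CMAC calls it is built on (likely, but not visible in this hunk), the line should say so: ` * \return \c 0 on success, or a cipher-specific error code on failure.`. The declaration of mbedtls_aes_cmac_prf_128() continues past the end of the hunk.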
@@ -173,9 +194,9 @@ extern "C" { #if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) ) /** - * \brief Checkup routine + * \brief The CMAC checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_cmac_self_test( int verbose ); #endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */ From 332658d80ef0fd712ae232e6b7038ea0879db5aa Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 22:02:53 +0000 Subject: [PATCH 164/177] Improve platform documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1320 --- include/mbedtls/platform.h | 104 +++++++++++++++++++------------------ 1 file changed, 54 insertions(+), 50 deletions(-) diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index e05175118..ed1077584 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -1,10 +1,10 @@ /** * \file platform.h * - * \brief mbed TLS Platform abstraction layer + * \brief The Mbed TLS platform abstraction layer. */ /* - * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,7 +19,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_PLATFORM_H #define MBEDTLS_PLATFORM_H 
@@ -52,34 +52,34 @@ extern "C" { #include #if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF) #if defined(_WIN32) -#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< Default snprintf to use */ +#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< The default \c snprintf function to use. */ #else -#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use */ +#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< The default \c snprintf function to use. */ #endif #endif #if !defined(MBEDTLS_PLATFORM_STD_PRINTF) -#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use */ +#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< The default \c printf function to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_FPRINTF) -#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use */ +#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< The default \c fprintf function to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_CALLOC) -#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use */ +#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< The default \c calloc function to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_FREE) -#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use */ +#define MBEDTLS_PLATFORM_STD_FREE free /**< The default \c free function to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_EXIT) -#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use */ +#define MBEDTLS_PLATFORM_STD_EXIT exit /**< The default \c exit function to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_TIME) -#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use */ +#define MBEDTLS_PLATFORM_STD_TIME time /**< The default \c time function to use. 
*/ #endif #if !defined(MBEDTLS_PLATFORM_STD_EXIT_SUCCESS) -#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS /**< Default exit value to use */ +#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS /**< The default exit value to use. */ #endif #if !defined(MBEDTLS_PLATFORM_STD_EXIT_FAILURE) -#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /**< Default exit value to use */ +#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE /**< The default exit value to use. */ #endif #if defined(MBEDTLS_FS_IO) #if !defined(MBEDTLS_PLATFORM_STD_NV_SEED_READ) @@ -116,12 +116,12 @@ extern void * (*mbedtls_calloc)( size_t n, size_t size ); extern void (*mbedtls_free)( void *ptr ); /** - * \brief Set your own memory implementation function pointers + * \brief This function allows configuring custom memory-management functions. * - * \param calloc_func the calloc function implementation - * \param free_func the free function implementation + * \param calloc_func The \c calloc function implementation. + * \param free_func The \c free function implementation. * - * \return 0 if successful + * \return \c 0. */ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ), void (*free_func)( void * ) ); @@ -140,11 +140,11 @@ int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ), extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... ); /** - * \brief Set your own fprintf function pointer + * \brief This function allows configuring a custom \p fprintf function pointer. * - * \param fprintf_func the fprintf function implementation + * \param fprintf_func The \c fprintf function implementation. * - * \return 0 + * \return \c 0. */ int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *, ... ) ); 
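Review bot: The new \brief for mbedtls_platform_set_fprintf() marks the function name with `\p fprintf`, whereas every sibling hunk in this commit uses `\c` for function names (`\c printf`, `\c snprintf`, `\c exit`); `\p` is Doxygen's parameter markup, so the line should read ` * \brief This function allows configuring a custom \c fprintf function pointer.`. The \return lines are also inconsistent across the commit: the calloc/free and fprintf setters in the hunks on this line say `\c 0.`, while the printf, snprintf, exit and nv_seed setters in the following hunks say `\c 0 on success.`; one form should be used throughout.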
@@ -163,11 +163,12 @@ int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char extern int (*mbedtls_printf)( const char *format, ... ); /** - * \brief Set your own printf function pointer + * \brief This function allows configuring a custom \c printf function + * pointer. * - * \param printf_func the printf function implementation + * \param printf_func The \c printf function implementation. * - * \return 0 + * \return \c 0 on success. */ int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) ); #else /* !MBEDTLS_PLATFORM_PRINTF_ALT */ @@ -196,11 +197,12 @@ int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... ); extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... ); /** - * \brief Set your own snprintf function pointer + * \brief This function allows configuring a custom \c snprintf function + * pointer. * - * \param snprintf_func the snprintf function implementation + * \param snprintf_func The \c snprintf function implementation. * - * \return 0 + * \return \c 0 on success. */ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n, const char * format, ... ) ); @@ -219,11 +221,12 @@ int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n, extern void (*mbedtls_exit)( int status ); /** - * \brief Set your own exit function pointer + * \brief This function allows configuring a custom \c exit function + * pointer. * - * \param exit_func the exit function implementation + * \param exit_func The \c exit function implementation. * - * \return 0 + * \return \c 0 on success. */ int mbedtls_platform_set_exit( void (*exit_func)( int status ) ); #else 
@@ -266,12 +269,13 @@ extern int (*mbedtls_nv_seed_read)( unsigned char *buf, size_t buf_len ); extern int (*mbedtls_nv_seed_write)( unsigned char *buf, size_t buf_len ); /** - * \brief Set your own seed file writing/reading functions + * \brief This function allows configuring custom seed file writing and + * reading functions. * - * \param nv_seed_read_func the seed reading function implementation - * \param nv_seed_write_func the seed writing function implementation + * \param nv_seed_read_func The seed reading function implementation. + * \param nv_seed_write_func The seed writing function implementation. * - * \return 0 + * \return \c 0 on success. */ int mbedtls_platform_set_nv_seed( int (*nv_seed_read_func)( unsigned char *buf, size_t buf_len ), @@ -292,13 +296,13 @@ int mbedtls_platform_set_nv_seed( #if !defined(MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT) /** - * \brief Platform context structure + * \brief The platform context structure. * * \note This structure may be used to assist platform-specific - * setup/teardown operations. + * setup or teardown operations. */ typedef struct { - char dummy; /**< Placeholder member as empty structs are not portable */ + char dummy; /**< Placeholder member, as empty structs are not portable. */ } mbedtls_platform_context; 
@@ -307,32 +311,32 @@ mbedtls_platform_context; #endif /* !MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT */ /** - * \brief Perform any platform initialisation operations + * \brief This function performs any platform initialization operations. * - * \param ctx mbed TLS context + * \param ctx The Mbed TLS context. * - * \return 0 if successful + * \return \c 0 on success. * - * \note This function is intended to allow platform specific initialisation, + * \note This function is intended to allow platform-specific initialization, * and should be called before any other library functions. Its - * implementation is platform specific, and by default, unless platform - * specific code is provided, it does nothing. + * implementation is platform-specific, and unless + * platform-specific code is provided, it does nothing. * - * Its use and whether its necessary to be called is dependent on the + * Its use and whether it is necessary to call it is dependent on the * platform. */ int mbedtls_platform_setup( mbedtls_platform_context *ctx ); /** - * \brief Perform any platform teardown operations + * \brief This function performs any platform teardown operations. * - * \param ctx mbed TLS context + * \param ctx The Mbed TLS context. * - * \note This function should be called after every other mbed TLS module has - * been correctly freed using the appropriate free function. - * Its implementation is platform specific, and by default, unless - * platform specific code is provided, it does nothing. + * \note This function should be called after every other Mbed TLS module + * has been correctly freed using the appropriate free function. + * Its implementation is platform-specific, and unless + * platform-specific code is provided, it does nothing. * - * Its use and whether its necessary to be called is dependent on the + * Its use and whether it is necessary to call it is dependent on the * platform. */ void mbedtls_platform_teardown( mbedtls_platform_context *ctx ); 
From 41ad0824840484c4e1613ac342ce963590eb1156 Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Fri, 26 Jan 2018 10:54:57 +0000 Subject: [PATCH 165/177] Improve DHM documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Standardize defines documentation GitHub PR: #1323 --- include/mbedtls/dhm.h | 230 ++++++++++++++++++++++++++---------------- library/error.c | 4 +- 2 files changed, 145 insertions(+), 89 deletions(-) diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 8a28ffac9..b1750f1d4 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -1,10 +1,18 @@ /** * \file dhm.h * - * \brief Diffie-Hellman-Merkle key exchange + * \brief Diffie-Hellman-Merkle key exchange. + * + * RFC-3526: More Modular Exponential (MODP) Diffie-Hellman groups for + * Internet Key Exchange (IKE) defines a number of standardized + * Diffie-Hellman groups for IKE. + * + * RFC-5114: Additional Diffie-Hellman Groups for Use with IETF + * Standards defines a number of standardized Diffie-Hellman + * groups that can be used. */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +27,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H 
@@ -35,7 +44,7 @@
 /*
  * DHM Error codes
  */
-#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080 /**< Bad input parameters to function. */
+#define MBEDTLS_ERR_DHM_BAD_INPUT_DATA -0x3080 /**< Bad input parameters. */
 #define MBEDTLS_ERR_DHM_READ_PARAMS_FAILED -0x3100 /**< Reading of the DHM parameters failed. */
 #define MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED -0x3180 /**< Making of the DHM parameters failed. */
 #define MBEDTLS_ERR_DHM_READ_PUBLIC_FAILED -0x3200 /**< Reading of the public values failed. */
@@ -43,22 +52,22 @@ #define MBEDTLS_ERR_DHM_CALC_SECRET_FAILED -0x3300 /**< Calculation of the DHM secret failed. */ #define MBEDTLS_ERR_DHM_INVALID_FORMAT -0x3380 /**< The ASN.1 data is not formatted correctly. */ #define MBEDTLS_ERR_DHM_ALLOC_FAILED -0x3400 /**< Allocation of memory failed. */ -#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read/write of file failed. */ +#define MBEDTLS_ERR_DHM_FILE_IO_ERROR -0x3480 /**< Read or write of file failed. */ #define MBEDTLS_ERR_DHM_HW_ACCEL_FAILED -0x3500 /**< DHM hardware accelerator failed. */ + + /* The following lists the source of the above groups in the standards: + * - RFC-3526 section 3: 2048-bit MODP Group + * - RFC-3526 section 4: 3072-bit MODP Group + * - RFC-3526 section 5: 4096-bit MODP Group + * - RFC-5114 section 2.2: 2048-bit MODP Group with 224-bit Prime Order Subgroup + * . + */ + /** - * RFC 3526 defines a number of standardized Diffie-Hellman groups - * for IKE. - * RFC 5114 defines a number of standardized Diffie-Hellman groups - * that can be used. - * - * Some are included here for convenience. - * - * Included are: - * RFC 3526 3. 2048-bit MODP Group - * RFC 3526 4. 3072-bit MODP Group - * RFC 3526 5. 4096-bit MODP Group - * RFC 5114 2.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup + * The hexadecimal presentation of the prime underlying the 2048-bit MODP + * Group, as defined in RFC-3526: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). */ #define MBEDTLS_DHM_RFC3526_MODP_2048_P \ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ 
@@ -73,8 +82,18 @@ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \ "15728E5A8AACAA68FFFFFFFFFFFFFFFF" +/** + * The hexadecimal presentation of the chosen generator of the 2048-bit MODP + * Group, as defined in RFC-3526: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). + */ #define MBEDTLS_DHM_RFC3526_MODP_2048_G "02" +/** + * The hexadecimal presentation of the prime underlying the 3072-bit MODP + * Group, as defined in RFC-3072: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). + */ #define MBEDTLS_DHM_RFC3526_MODP_3072_P \ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ @@ -93,8 +112,18 @@ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \ "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" +/** + * The hexadecimal presentation of the chosen generator of the 3072-bit MODP + * Group, as defined in RFC-3526: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). + */ #define MBEDTLS_DHM_RFC3526_MODP_3072_G "02" +/** + * The hexadecimal presentation of the prime underlying the 4096-bit MODP + * Group, as defined in RFC-3526: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). + */ #define MBEDTLS_DHM_RFC3526_MODP_4096_P \ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \ 
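Review bot: The new comment above MBEDTLS_DHM_RFC3526_MODP_3072_P cites `RFC-3072` as the defining standard, but no such reference exists for this group; the list added earlier in this patch says the 3072-bit MODP group comes from RFC-3526 section 4, and the number looks copied from the group size. Change it to ` * Group, as defined in RFC-3526: More Modular Exponential (MODP)` so the macro name, the file-level list and the per-macro comment agree. A reader who follows the citation to look up the prime before trusting it would otherwise be sent to the wrong document. Nit: "hexadecimal presentation" in all of these new comments is unusual wording; "hexadecimal representation" is the common term.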
@@ -119,8 +148,19 @@ "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \ "FFFFFFFFFFFFFFFF" +/** + * The hexadecimal presentation of the chosen generator of the 4096-bit MODP + * Group, as defined in RFC-3526: More Modular Exponential (MODP) + * Diffie-Hellman groups for Internet Key Exchange (IKE). + */ #define MBEDTLS_DHM_RFC3526_MODP_4096_G "02" +/** + * The hexadecimal presentation of the prime underlying the + * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined + * in RFC-5114: Additional Diffie-Hellman Groups for Use with + * IETF Standards. + */ #define MBEDTLS_DHM_RFC5114_MODP_2048_P \ "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \ "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \ @@ -134,6 +174,11 @@ "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \ "CF9DE5384E71B81C0AC4DFFE0C10E64F" +/** + * The hexadecimal presentation of the chosen generator of the 2048-bit MODP + * Group with 224-bit Prime Order Subgroup, as defined in RFC-5114: + * Additional Diffie-Hellman Groups for Use with IETF Standards. + */ #define MBEDTLS_DHM_RFC5114_MODP_2048_G \ "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"\ "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"\ 
@@ -152,59 +197,62 @@ extern "C" { #endif /** - * \brief DHM context structure + * \brief The DHM context structure. */ typedef struct { - size_t len; /*!< size(P) in chars */ - mbedtls_mpi P; /*!< prime modulus */ - mbedtls_mpi G; /*!< generator */ - mbedtls_mpi X; /*!< secret value */ - mbedtls_mpi GX; /*!< self = G^X mod P */ - mbedtls_mpi GY; /*!< peer = G^Y mod P */ - mbedtls_mpi K; /*!< key = GY^X mod P */ - mbedtls_mpi RP; /*!< cached R^2 mod P */ - mbedtls_mpi Vi; /*!< blinding value */ - mbedtls_mpi Vf; /*!< un-blinding value */ - mbedtls_mpi pX; /*!< previous X */ + size_t len; /*!< The size of \p P in Bytes. */ + mbedtls_mpi P; /*!< The prime modulus. */ + mbedtls_mpi G; /*!< The generator. */ + mbedtls_mpi X; /*!< Our secret value. */ + mbedtls_mpi GX; /*!< Our public key = \c G^X mod \c P. */ + mbedtls_mpi GY; /*!< The public key of the peer = \c G^Y mod \c P. */ + mbedtls_mpi K; /*!< The shared secret = \c G^(XY) mod \c P. */ + mbedtls_mpi RP; /*!< The cached value = \c R^2 mod \c P. */ + mbedtls_mpi Vi; /*!< The blinding value. */ + mbedtls_mpi Vf; /*!< The unblinding value. */ + mbedtls_mpi pX; /*!< The previous \c X. */ } mbedtls_dhm_context; /** - * \brief Initialize DHM context + * \brief This function initializes the DHM context. * - * \param ctx DHM context to be initialized + * \param ctx The DHM context to initialize. */ void mbedtls_dhm_init( mbedtls_dhm_context *ctx ); /** - * \brief Parse the ServerKeyExchange parameters + * \brief This function parses the ServerKeyExchange parameters. * - * \param ctx DHM context - * \param p &(start of input buffer) - * \param end end of buffer + * \param ctx The DHM context. + * \param p The start of the input buffer. + * \param end The end of the input buffer. * - * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code + * on failure. 
*/ int mbedtls_dhm_read_params( mbedtls_dhm_context *ctx, unsigned char **p, const unsigned char *end ); /** - * \brief Setup and write the ServerKeyExchange parameters + * \brief This function sets up and writes the ServerKeyExchange + * parameters. * - * \param ctx DHM context - * \param x_size private value size in bytes - * \param output destination buffer - * \param olen number of chars written - * \param f_rng RNG function - * \param p_rng RNG parameter + * \param ctx The DHM context. + * \param x_size The private value size in Bytes. + * \param olen The number of characters written. + * \param output The destination buffer. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * - * \note This function assumes that ctx->P and ctx->G - * have already been properly set (for example - * using mbedtls_mpi_read_string or mbedtls_mpi_read_binary). + * \note This function assumes that the \c ctx->P and \c ctx->G have + * already been properly set, for example, using + * mbedtls_mpi_read_string() or mbedtls_mpi_read_binary(). * - * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code + * on failure. */ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, unsigned char *output, size_t *olen, 
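Review bot: In the rewritten mbedtls_dhm_make_params comment, `\param olen` is listed before `\param output`, but the prototype (which continues past the hunk) declares `unsigned char *output, size_t *olen`; the removed text had them in signature order, and mbedtls_dhm_make_public in the next hunk keeps signature order, so readers mapping parameters by position will be misled. Swap the two lines back: `* \param output The destination buffer.` followed by `* \param olen The number of characters written.`. Separately, the struct field comment `The size of \p P in Bytes` uses `\p`, which is reserved for function parameters; `P` is a struct member, so `\c P` is the right tag here as it is in the other field comments of this hunk.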
@@ -212,28 +260,32 @@ int mbedtls_dhm_make_params( mbedtls_dhm_context *ctx, int x_size, void *p_rng ); /** - * \brief Import the peer's public value G^Y + * \brief This function imports the public value G^Y of the peer. * - * \param ctx DHM context - * \param input input buffer - * \param ilen size of buffer + * \param ctx The DHM context. + * \param input The input buffer. + * \param ilen The size of the input buffer. * - * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code + * on failure. */ int mbedtls_dhm_read_public( mbedtls_dhm_context *ctx, const unsigned char *input, size_t ilen ); /** - * \brief Create own private value X and export G^X + * \brief This function creates its own private value \c X and + * exports \c G^X. * - * \param ctx DHM context - * \param x_size private value size in bytes - * \param output destination buffer - * \param olen must be at least equal to the size of P, ctx->len - * \param f_rng RNG function - * \param p_rng RNG parameter + * \param ctx The DHM context. + * \param x_size The private value size in Bytes. + * \param output The destination buffer. + * \param olen The length of the destination buffer. Must be at least + equal to ctx->len (the size of \c P). + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * - * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code + * on failure. */ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, unsigned char *output, size_t olen, 
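Review bot: The continuation line of the `olen` description in mbedtls_dhm_make_public is missing its ` * ` comment prefix (`+ equal to ctx->len (the size of \c P).`), so it sits outside the aligned comment column and will render oddly in Doxygen, which otherwise treats the two lines as one paragraph. Make it ` *                 equal to \c ctx->len (the size of \c P).` with the same leading ` *` as the line above. While there, "creates its own private value" in the brief reads as if the function owns the value; "creates our private value \c X" matches the wording used for the context fields in the previous hunk. The function prototype continues past the hunk.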
@@ -241,22 +293,24 @@ int mbedtls_dhm_make_public( mbedtls_dhm_context *ctx, int x_size, void *p_rng ); /** - * \brief Derive and export the shared secret (G^Y)^X mod P + * \brief This function derives and exports the shared secret + * \c (G^Y)^X mod \c P. * - * \param ctx DHM context - * \param output destination buffer - * \param output_size size of the destination buffer - * \param olen on exit, holds the actual number of bytes written - * \param f_rng RNG function, for blinding purposes - * \param p_rng RNG parameter + * \param ctx The DHM context. + * \param output The destination buffer. + * \param output_size The size of the destination buffer. + * \param olen On exit, holds the actual number of Bytes written. + * \param f_rng The RNG function, for blinding purposes. + * \param p_rng The RNG parameter. * - * \return 0 if successful, or an MBEDTLS_ERR_DHM_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_DHM_XXX error code + * on failure. * - * \note If non-NULL, f_rng is used to blind the input as - * countermeasure against timing attacks. Blinding is - * automatically used if and only if our secret value X is - * re-used and costs nothing otherwise, so it is recommended - * to always pass a non-NULL f_rng argument. + * \note If non-NULL, \p f_rng is used to blind the input as + * a countermeasure against timing attacks. Blinding is used + * only if our secret value \p X is re-used and omitted + * otherwise. Therefore, we recommend always passing a + * non-NULL \p f_rng argument. */ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx, unsigned char *output, size_t output_size, size_t *olen, 
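Review bot: The rewritten `\note` on mbedtls_dhm_calc_secret refers to `\p X`, but `X` is not a parameter of this function; it is the context field `ctx->X` (documented as "Our secret value" in the struct hunk), so Doxygen will flag or mis-link it. Use `our secret value \c X is re-used` instead, keeping `\p f_rng`, which really is a parameter. The rest of the note is the caveat a caller needs — an unblinded exponentiation happens whenever the secret is reused and `f_rng` is NULL — so the tag fix should not weaken that wording. The prototype continues past the hunk.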
@@ -264,23 +318,24 @@ int mbedtls_dhm_calc_secret( mbedtls_dhm_context *ctx, void *p_rng ); /** - * \brief Free and clear the components of a DHM key + * \brief This function frees and clears the components of a DHM key. * - * \param ctx DHM context to free and clear + * \param ctx The DHM context to free and clear. */ void mbedtls_dhm_free( mbedtls_dhm_context *ctx ); #if defined(MBEDTLS_ASN1_PARSE_C) /** \ingroup x509_module */ /** - * \brief Parse DHM parameters in PEM or DER format + * \brief This function parses DHM parameters in PEM or DER format. * - * \param dhm DHM context to be initialized - * \param dhmin input buffer - * \param dhminlen size of the buffer - * (including the terminating null byte for PEM data) + * \param dhm The DHM context to initialize. + * \param dhmin The input buffer. + * \param dhminlen The size of the buffer, including the terminating null + * Byte for PEM data. * - * \return 0 if successful, or a specific DHM or PEM error code + * \return \c 0 on success, or a specific DHM or PEM error code + * on failure. */ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, size_t dhminlen ); @@ -288,12 +343,13 @@ int mbedtls_dhm_parse_dhm( mbedtls_dhm_context *dhm, const unsigned char *dhmin, #if defined(MBEDTLS_FS_IO) /** \ingroup x509_module */ /** - * \brief Load and parse DHM parameters + * \brief This function loads and parses DHM parameters from a file. * - * \param dhm DHM context to be initialized - * \param path filename to read the DHM Parameters from + * \param dhm The DHM context to load the parameters to. + * \param path The filename to read the DHM parameters from. * - * \return 0 if successful, or a specific DHM or PEM error code + * \return \c 0 on success, or a specific DHM or PEM error code + * on failure. */ int mbedtls_dhm_parse_dhmfile( mbedtls_dhm_context *dhm, const char *path ); #endif /* MBEDTLS_FS_IO */ 
@@ -312,9 +368,9 @@ extern "C" { #endif /** - * \brief Checkup routine + * \brief The DMH checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_dhm_self_test( int verbose ); diff --git a/library/error.c b/library/error.c index f60268659..d9ad6384a 100644 --- a/library/error.c +++ b/library/error.c @@ -227,7 +227,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) #if defined(MBEDTLS_DHM_C) if( use_ret == -(MBEDTLS_ERR_DHM_BAD_INPUT_DATA) ) - mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters to function" ); + mbedtls_snprintf( buf, buflen, "DHM - Bad input parameters" ); if( use_ret == -(MBEDTLS_ERR_DHM_READ_PARAMS_FAILED) ) mbedtls_snprintf( buf, buflen, "DHM - Reading of the DHM parameters failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_MAKE_PARAMS_FAILED) ) @@ -243,7 +243,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_DHM_ALLOC_FAILED) ) mbedtls_snprintf( buf, buflen, "DHM - Allocation of memory failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_FILE_IO_ERROR) ) - mbedtls_snprintf( buf, buflen, "DHM - Read/write of file failed" ); + mbedtls_snprintf( buf, buflen, "DHM - Read or write of file failed" ); if( use_ret == -(MBEDTLS_ERR_DHM_HW_ACCEL_FAILED) ) mbedtls_snprintf( buf, buflen, "DHM - DHM hardware accelerator failed" ); #endif /* MBEDTLS_DHM_C */ From 17b4f7fc60f8a8c018bd977a1b5ae4729a393afd Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Fri, 26 Jan 2018 10:56:42 +0000 Subject: [PATCH 166/177] Improve GCM documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1324 --- include/mbedtls/gcm.h | 194 ++++++++++++++++++++++++------------------ 1 file changed, 110 insertions(+), 84 deletions(-) 
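Review bot: The new brief for mbedtls_dhm_self_test says `The DMH checkup routine.`; the module is DHM everywhere else in this file, so this is a typo introduced by the rewrite. Change it to ` * \brief The DHM checkup routine.`. The two error.c string changes in the same patch match the updated `MBEDTLS_ERR_DHM_*` comments in dhm.h, which is the consistency the error-string generator expects, so those look correct.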
diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index c7f01c316..1e5a507a2 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -1,10 +1,16 @@ /** * \file gcm.h * - * \brief Galois/Counter mode for 128-bit block ciphers + * \brief Galois/Counter Mode (GCM) for 128-bit block ciphers, as defined + * in D. McGrew, J. Viega, The Galois/Counter Mode of Operation + * (GCM), Natl. Inst. Stand. Technol. + * + * For more information on GCM, see NIST SP 800-38D: Recommendation for + * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. + * */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +25,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_GCM_H #define MBEDTLS_GCM_H 
@@ -42,39 +49,49 @@ extern "C" { #endif /** - * \brief GCM context structure + * \brief The GCM context structure. */ typedef struct { - mbedtls_cipher_context_t cipher_ctx;/*!< cipher context used */ - uint64_t HL[16]; /*!< Precalculated HTable */ - uint64_t HH[16]; /*!< Precalculated HTable */ - uint64_t len; /*!< Total data length */ - uint64_t add_len; /*!< Total add length */ - unsigned char base_ectr[16];/*!< First ECTR for tag */ - unsigned char y[16]; /*!< Y working value */ - unsigned char buf[16]; /*!< buf working value */ - int mode; /*!< Encrypt or Decrypt */ + mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */ + uint64_t HL[16]; /*!< Precalculated HTable low. */ + uint64_t HH[16]; /*!< Precalculated HTable high. */ + uint64_t len; /*!< The total length of the encrypted data. */ + uint64_t add_len; /*!< The total length of the additional data. */ + unsigned char base_ectr[16]; /*!< The first ECTR for tag. */ + unsigned char y[16]; /*!< The Y working value. */ + unsigned char buf[16]; /*!< The buf working value. */ + int mode; /*!< The operation to perform: + #MBEDTLS_GCM_ENCRYPT or + #MBEDTLS_GCM_DECRYPT. */ } mbedtls_gcm_context; /** - * \brief Initialize GCM context (just makes references valid) - * Makes the context ready for mbedtls_gcm_setkey() or - * mbedtls_gcm_free(). + * \brief This function initializes the specified GCM context, + * to make references valid, and prepares the context + * for mbedtls_gcm_setkey() or mbedtls_gcm_free(). * - * \param ctx GCM context to initialize + * The function does not bind the GCM context to a particular + * cipher, nor set the key. For this purpose, use + * mbedtls_gcm_setkey(). + * + * \param ctx The GCM context to initialize. */ void mbedtls_gcm_init( mbedtls_gcm_context *ctx ); /** - * \brief GCM initialization (encryption) + * \brief This function associates a GCM context with a + * cipher algorithm and a key. 
* - * \param ctx GCM context to be initialized - * \param cipher cipher to use (a 128-bit block cipher) - * \param key encryption key - * \param keybits must be 128, 192 or 256 + * \param ctx The GCM context to initialize. + * \param cipher The 128-bit block cipher to use. + * \param key The encryption key. + * \param keybits The key size in bits. Valid options are: + *
  • 128 bits
  • + *
  • 192 bits
  • + *
  • 256 bits
* - * \return 0 if successful, or a cipher specific error code + * \return \c 0 on success, or a cipher specific error code. */ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, mbedtls_cipher_id_t cipher, 
@@ -82,26 +99,27 @@ int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx, unsigned int keybits ); /** - * \brief GCM buffer encryption/decryption using a block cipher + * \brief This function performs GCM encryption or decryption of a buffer. * - * \note On encryption, the output buffer can be the same as the input buffer. - * On decryption, the output buffer cannot be the same as input buffer. - * If buffers overlap, the output buffer must trail at least 8 bytes + * \note For encryption, the output buffer can be the same as the input buffer. + * For decryption, the output buffer cannot be the same as input buffer. + * If the buffers overlap, the output buffer must trail at least 8 Bytes * behind the input buffer. * - * \param ctx GCM context - * \param mode MBEDTLS_GCM_ENCRYPT or MBEDTLS_GCM_DECRYPT - * \param length length of the input data - * \param iv initialization vector - * \param iv_len length of IV - * \param add additional data - * \param add_len length of additional data - * \param input buffer holding the input data - * \param output buffer for holding the output data - * \param tag_len length of the tag to generate - * \param tag buffer for holding the tag + * \param ctx The GCM context to use for encryption or decryption. + * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + * #MBEDTLS_GCM_DECRYPT. + * \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). + * \param iv The initialization vector. + * \param iv_len The length of the IV. + * \param add The buffer holding the additional data. + * \param add_len The length of the additional data. + * \param input The buffer holding the input data. + * \param output The buffer for holding the output data. + * \param tag_len The length of the tag to generate. + * \param tag The buffer for holding the tag. * - * \return 0 if successful + * \return \c 0 on success. 
*/ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx, int mode, @@ -116,25 +134,26 @@ int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx, unsigned char *tag ); /** - * \brief GCM buffer authenticated decryption using a block cipher + * \brief This function performs a GCM authenticated decryption of a + * buffer. * - * \note On decryption, the output buffer cannot be the same as input buffer. - * If buffers overlap, the output buffer must trail at least 8 bytes + * \note For decryption, the output buffer cannot be the same as input buffer. + * If the buffers overlap, the output buffer must trail at least 8 Bytes * behind the input buffer. * - * \param ctx GCM context - * \param length length of the input data - * \param iv initialization vector - * \param iv_len length of IV - * \param add additional data - * \param add_len length of additional data - * \param tag buffer holding the tag - * \param tag_len length of the tag - * \param input buffer holding the input data - * \param output buffer for holding the output data + * \param ctx The GCM context. + * \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). + * \param iv The initialization vector. + * \param iv_len The length of the IV. + * \param add The buffer holding the additional data. + * \param add_len The length of the additional data. + * \param tag The buffer holding the tag. + * \param tag_len The length of the tag. + * \param input The buffer holding the input data. + * \param output The buffer for holding the output data. * - * \return 0 if successful and authenticated, - * MBEDTLS_ERR_GCM_AUTH_FAILED if tag does not match + * \return 0 if successful and authenticated, or + * #MBEDTLS_ERR_GCM_AUTH_FAILED if tag does not match. */ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx, size_t length, 
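Review bot: The new `\param length` text for mbedtls_gcm_crypt_and_tag says the length "must be a multiple of 16 except in the last call before mbedtls_gcm_finish()", but this is the one-shot API: there is no sequence of calls and no mbedtls_gcm_finish() involved, so the sentence was copied from the streaming functions and will make callers believe arbitrary lengths are only sometimes accepted. Reduce it to `* \param length The length of the input data.`. A caveat a practitioner would also want here: the documented return is only `\c 0 on success` and `tag` is described as the buffer the tag is written to, which as far as this hunk shows means that with #MBEDTLS_GCM_DECRYPT the function produces a tag but does not verify one; a `\note` pointing callers who need authenticated decryption to mbedtls_gcm_auth_decrypt() would prevent misuse. The prototype continues past the hunk.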
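Review bot: mbedtls_gcm_auth_decrypt receives the same copied sentence on `\param length` ("except in the last call before mbedtls_gcm_finish()"), which does not apply to a one-shot authenticated decryption; use `* \param length The length of the input data.`. The `\return` line also lost the `\c` that every other return value in this file carries; suggest `* \return \c 0 if successful and authenticated, or #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.`. It would further help callers if the comment stated what `output` contains when #MBEDTLS_ERR_GCM_AUTH_FAILED is returned, since that is what decides whether a caller may have already consumed unauthenticated plaintext; that behaviour cannot be determined from this hunk, so it needs to be confirmed against the implementation before being documented.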
@@ -148,16 +167,18 @@ int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx, unsigned char *output ); /** - * \brief Generic GCM stream start function + * \brief This function starts a GCM encryption or decryption + * operation. * - * \param ctx GCM context - * \param mode MBEDTLS_GCM_ENCRYPT or MBEDTLS_GCM_DECRYPT - * \param iv initialization vector - * \param iv_len length of IV - * \param add additional data (or NULL if length is 0) - * \param add_len length of additional data + * \param ctx The GCM context. + * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or + * #MBEDTLS_GCM_DECRYPT. + * \param iv The initialization vector. + * \param iv_len The length of the IV. + * \param add The buffer holding the additional data, or NULL if \p add_len is 0. + * \param add_len The length of the additional data. If 0, \p add is NULL. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, int mode, 
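Review bot: The new `\param add_len` text for mbedtls_gcm_starts says "If 0, \p add is NULL", which states a guarantee rather than the permission the removed line expressed ("or NULL if length is 0"); a caller passing a non-NULL pointer with `add_len == 0` would read that as a contract violation. Write `* \param add_len The length of the additional data. If 0, \p add may be NULL.` and leave the `\param add` line as is. On `\param iv_len`, a one-line caveat that a 96-bit IV is the recommended length and that an IV must never be reused under the same key would be the note a practitioner wants; the file header already cites NIST SP 800-38D, which can be referenced for it, but the range of `iv_len` the implementation accepts is not visible in this hunk and should be checked before stating it. The prototype continues past the hunk.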
@@ -167,21 +188,23 @@ int mbedtls_gcm_starts( mbedtls_gcm_context *ctx, size_t add_len ); /** - * \brief Generic GCM update function. Encrypts/decrypts using the - * given GCM context. Expects input to be a multiple of 16 - * bytes! Only the last call before mbedtls_gcm_finish() can be less - * than 16 bytes! + * \brief This function feeds an input buffer into an ongoing GCM + * encryption or decryption operation. * - * \note On decryption, the output buffer cannot be the same as input buffer. - * If buffers overlap, the output buffer must trail at least 8 bytes + * ` The function expects input to be a multiple of 16 + * Bytes. Only the last call before calling + * mbedtls_gcm_finish() can be less than 16 Bytes. + * + * \note For decryption, the output buffer cannot be the same as input buffer. + * If the buffers overlap, the output buffer must trail at least 8 Bytes * behind the input buffer. * - * \param ctx GCM context - * \param length length of the input data - * \param input buffer holding the input data - * \param output buffer for holding the output data + * \param ctx The GCM context. + * \param length The length of the input data. This must be a multiple of 16 except in the last call before mbedtls_gcm_finish(). + * \param input The buffer holding the input data. + * \param output The buffer for holding the output data. * - * \return 0 if successful or MBEDTLS_ERR_GCM_BAD_INPUT + * \return \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure. */ int mbedtls_gcm_update( mbedtls_gcm_context *ctx, size_t length, 
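Review bot: In the rewritten mbedtls_gcm_update comment, the line that begins `` ` The function expects input to be a multiple of 16 `` has a stray backtick where the ` * ` comment prefix belongs, so that line is no longer aligned with the rest of the Doxygen block and the backtick ends up in the rendered text. Replace it with ` *                 The function expects input to be a multiple of 16` (same leading ` *` as the surrounding lines). The `\param length` sentence about the last call before mbedtls_gcm_finish() is correct for this streaming function, unlike its copies on the one-shot functions, so keep it here.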
@@ -189,24 +212,27 @@ int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
 unsigned char *output );
 
 /**
- * \brief Generic GCM finalisation function. Wraps up the GCM stream
- * and generates the tag. The tag can have a maximum length of
- * 16 bytes.
+ * \brief This function finishes the GCM operation and generates
+ * the authentication tag.
  *
- * \param ctx GCM context
- * \param tag buffer for holding the tag
- * \param tag_len length of the tag to generate (must be at least 4)
+ * It wraps up the GCM stream, and generates the
+ * tag. The tag can have a maximum length of 16 Bytes.
  *
- * \return 0 if successful or MBEDTLS_ERR_GCM_BAD_INPUT
+ * \param ctx The GCM context.
+ * \param tag The buffer for holding the tag.
+ * \param tag_len The length of the tag to generate. Must be at least four.
+ *
+ * \return \c 0 on success, or #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
  */
 int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
 unsigned char *tag,
 size_t tag_len );
 
 /**
- * \brief Free a GCM context and underlying cipher sub-context
+ * \brief This function clears a GCM context and the underlying
+ * cipher sub-context.
  *
- * \param ctx GCM context to free
+ * \param ctx The GCM context to clear.
  */
 void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
 
@@ -223,9 +249,9 @@ extern "C" {
 #endif
 
 /**
- * \brief Checkup routine
+ * \brief The GCM checkup routine.
  *
- * \return 0 if successful, or 1 if the test failed
+ * \return \c 0 on success, or \c 1 on failure.
  */
 int mbedtls_gcm_self_test( int verbose );
 
From 042e97fa7555528a7293611dce55c50eea757ed5 Mon Sep 17 00:00:00 2001
From: Rose Zadik Date: Fri, 26 Jan 2018 16:35:10 +0000 Subject: [PATCH 167/177] Improve RSA documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Rephrase the descriptions of all md_alg and hashlen parameters. GitHub PR: #1327 --- include/mbedtls/rsa.h | 1098 ++++++++++++++++++++++------------------- library/error.c | 4 +- 2 files changed, 583 insertions(+), 519 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 752105822..fb2f77f94 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1,10 +1,15 @@ /** * \file rsa.h * - * \brief The RSA public-key cryptosystem + * \brief The RSA public-key cryptosystem. + * + * For more information, see Public-Key Cryptography Standards (PKCS) + * #1 v1.5: RSA Encryption and Public-Key Cryptography Standards + * (PKCS) #1 v2.1: RSA Cryptography Specifications. + * */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,7 +24,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_RSA_H #define MBEDTLS_RSA_H 
@@ -43,26 +48,26 @@
 #define MBEDTLS_ERR_RSA_BAD_INPUT_DATA -0x4080 /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_RSA_INVALID_PADDING -0x4100 /**< Input data contains invalid padding and is rejected. */
 #define MBEDTLS_ERR_RSA_KEY_GEN_FAILED -0x4180 /**< Something failed during generation of a key. */
-#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the library's validity check. */
+#define MBEDTLS_ERR_RSA_KEY_CHECK_FAILED -0x4200 /**< Key failed to pass the validity check of the library. */
 #define MBEDTLS_ERR_RSA_PUBLIC_FAILED -0x4280 /**< The public key operation failed. */
 #define MBEDTLS_ERR_RSA_PRIVATE_FAILED -0x4300 /**< The private key operation failed. */
 #define MBEDTLS_ERR_RSA_VERIFY_FAILED -0x4380 /**< The PKCS#1 verification failed. */
 #define MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE -0x4400 /**< The output buffer for decryption is not large enough. */
 #define MBEDTLS_ERR_RSA_RNG_FAILED -0x4480 /**< The random generator failed to generate non-zeros. */
-#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality */
+#define MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION -0x4500 /**< The implementation does not offer the requested operation, for example, because of security violations or lack of functionality. */
 #define MBEDTLS_ERR_RSA_HW_ACCEL_FAILED -0x4580 /**< RSA hardware accelerator failed. */
 
 /*
  * RSA constants
  */
-#define MBEDTLS_RSA_PUBLIC 0
-#define MBEDTLS_RSA_PRIVATE 1
+#define MBEDTLS_RSA_PUBLIC 0 /**< Request private key operation. */
+#define MBEDTLS_RSA_PRIVATE 1 /**< Request public key operation. */
 
-#define MBEDTLS_RSA_PKCS_V15 0
-#define MBEDTLS_RSA_PKCS_V21 1
+#define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS-1 v1.5 encoding. */
+#define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS-1 v2.1 encoding. */
 
-#define MBEDTLS_RSA_SIGN 1
-#define MBEDTLS_RSA_CRYPT 2
+#define MBEDTLS_RSA_SIGN 1 /**< Identifier for RSA signature operations. */
+#define MBEDTLS_RSA_CRYPT 2 /**< Identifier for RSA encryption and decryption operations. */
 
 #define MBEDTLS_RSA_SALT_LEN_ANY -1
 
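Review bot: The descriptions added for the two mode constants are swapped: `MBEDTLS_RSA_PUBLIC` is documented as `Request private key operation.` and `MBEDTLS_RSA_PRIVATE` as `Request public key operation.`, the opposite of how the same patch uses them as the `mode` argument of the PKCS#1 wrappers (the pkcs1_encrypt `\deprecated` note treats #MBEDTLS_RSA_PRIVATE as the private-key case). Because these are the values a caller passes to choose between the public and private operation, inverted text can lead a reader to select the wrong one. Proposed: `#define MBEDTLS_RSA_PUBLIC 0 /**< Request public key operation. */` and `#define MBEDTLS_RSA_PRIVATE 1 /**< Request private key operation. */`.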
@@ -80,103 +85,106 @@ extern "C" { #endif /** - * \brief RSA context structure + * \brief The RSA context structure. * * \note Direct manipulation of the members of this structure - * is deprecated and will no longer be supported starting - * from the next major release. All manipulation should instead - * be done through the public interface functions. - * + * is deprecated. All manipulation should instead be done through + * the public interface functions. */ typedef struct { - int ver; /*!< always 0 */ - size_t len; /*!< size(N) in chars */ + int ver; /*!< Always 0.*/ + size_t len; /*!< The size of \p N in Bytes. */ - mbedtls_mpi N; /*!< public modulus */ - mbedtls_mpi E; /*!< public exponent */ + mbedtls_mpi N; /*!< The public modulus. */ + mbedtls_mpi E; /*!< The public exponent. */ - mbedtls_mpi D; /*!< private exponent */ - mbedtls_mpi P; /*!< 1st prime factor */ - mbedtls_mpi Q; /*!< 2nd prime factor */ + mbedtls_mpi D; /*!< The private exponent. */ + mbedtls_mpi P; /*!< The first prime factor. */ + mbedtls_mpi Q; /*!< The second prime factor. */ - mbedtls_mpi DP; /*!< D % (P - 1) */ - mbedtls_mpi DQ; /*!< D % (Q - 1) */ + mbedtls_mpi DP; /*!< \p D % (P - 1) */ + mbedtls_mpi DQ; /*!< \p D % (Q - 1) */ mbedtls_mpi QP; /*!< 1 / (Q % P) */ - mbedtls_mpi RN; /*!< cached R^2 mod N */ + mbedtls_mpi RN; /*!< cached R^2 mod \p N */ - mbedtls_mpi RP; /*!< cached R^2 mod P */ - mbedtls_mpi RQ; /*!< cached R^2 mod Q */ + mbedtls_mpi RP; /*!< cached R^2 mod \p P */ + mbedtls_mpi RQ; /*!< cached R^2 mod \p Q */ - mbedtls_mpi Vi; /*!< cached blinding value */ - mbedtls_mpi Vf; /*!< cached un-blinding value */ + mbedtls_mpi Vi; /*!< The cached blinding value. */ + mbedtls_mpi Vf; /*!< The cached un-blinding value. 
*/ - int padding; /*!< \c MBEDTLS_RSA_PKCS_V15 for 1.5 padding and - \c MBEDTLS_RSA_PKCS_v21 for OAEP/PSS */ - int hash_id; /*!< Hash identifier of mbedtls_md_type_t as - specified in the mbedtls_md.h header file - for the EME-OAEP and EMSA-PSS - encoding */ + int padding; /*!< Selects padding mode: + #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and + #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */ + int hash_id; /*!< Hash identifier of mbedtls_md_type_t type, + as specified in md.h for use in the MGF + mask generating function used in the + EME-OAEP and EMSA-PSS encodings. */ #if defined(MBEDTLS_THREADING_C) - mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex */ + mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */ #endif } mbedtls_rsa_context; /** - * \brief Initialize an RSA context + * \brief This function initializes an RSA context. * - * Note: Set padding to \c MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP + * \note Set padding to #MBEDTLS_RSA_PKCS_V21 for the RSAES-OAEP * encryption scheme and the RSASSA-PSS signature scheme. * - * \param ctx RSA context to be initialized - * \param padding \c MBEDTLS_RSA_PKCS_V15 or \c MBEDTLS_RSA_PKCS_V21 - * \param hash_id \c MBEDTLS_RSA_PKCS_V21 hash identifier + * \param ctx The RSA context to initialize. + * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or + * #MBEDTLS_RSA_PKCS_V21. + * \param hash_id The hash identifier of #mbedtls_md_type_t type, if + * \p padding is #MBEDTLS_RSA_PKCS_V21. * - * \note The hash_id parameter is actually ignored - * when using \c MBEDTLS_RSA_PKCS_V15 padding. + * \note The \p hash_id parameter is ignored when using + * #MBEDTLS_RSA_PKCS_V15 padding. * - * \note Choice of padding mode is strictly enforced for private key + * \note The choice of padding mode is strictly enforced for private key * operations, since there might be security concerns in - * mixing padding modes. For public key operations it's merely + * mixing padding modes. 
For public key operations it is * a default value, which can be overriden by calling specific - * rsa_rsaes_xxx or rsa_rsassa_xxx functions. + * \c rsa_rsaes_xxx or \c rsa_rsassa_xxx functions. * - * \note The chosen hash is always used for OEAP encryption. - * For PSS signatures, it's always used for making signatures, - * but can be overriden (and always is, if set to - * \c MBEDTLS_MD_NONE) for verifying them. + * \note The hash selected in \p hash_id is always used for OEAP + * encryption. For PSS signatures, it is always used for + * making signatures, but can be overriden for verifying them. + * If set to #MBEDTLS_MD_NONE, it is always overriden. */ void mbedtls_rsa_init( mbedtls_rsa_context *ctx, int padding, int hash_id); /** - * \brief Import a set of core parameters into an RSA context + * \brief This function imports a set of core parameters into an + * RSA context. * - * \param ctx Initialized RSA context to store parameters - * \param N RSA modulus, or NULL - * \param P First prime factor of N, or NULL - * \param Q Second prime factor of N, or NULL - * \param D Private exponent, or NULL - * \param E Public exponent, or NULL + * \param ctx The initialized RSA context to store the parameters in. + * \param N The RSA modulus, or NULL. + * \param P The first prime factor of \p N, or NULL. + * \param Q The second prime factor of \p N, or NULL. + * \param D The private exponent, or NULL. + * \param E The public exponent, or NULL. * * \note This function can be called multiple times for successive - * imports if the parameters are not simultaneously present. + * imports, if the parameters are not simultaneously present. + * * Any sequence of calls to this function should be followed - * by a call to \c mbedtls_rsa_complete which will check - * and complete the provided information to a ready-for-use + * by a call to mbedtls_rsa_complete(), which checks and + * completes the provided information to a ready-for-use * public or private RSA key. 
* - * \note See the documentation of \c mbedtls_rsa_complete for more - * information on which parameters are necessary to setup - * a private or public RSA key. + * \note See mbedtls_rsa_complete() for more information on which + * parameters are necessary to set up a private or public + * RSA key. * * \note The imported parameters are copied and need not be preserved * for the lifetime of the RSA context being set up. * - * \return 0 if successful, non-zero error code on failure. + * \return \c 0 on success, or a non-zero error code on failure. */ int mbedtls_rsa_import( mbedtls_rsa_context *ctx, const mbedtls_mpi *N, 
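Review bot: Two spellings survive on the new side of the mbedtls_rsa_init notes: `OEAP` in `+ * \note The hash selected in \p hash_id is always used for OEAP` should be `OAEP`, and `overriden` (in `can be overriden for verifying them` and `it is always overriden`) should be `overridden`. In the mbedtls_rsa_context member comments, `\p` is applied to `N`, `P`, `Q` (`The size of \p N in Bytes`, `cached R^2 mod \p P`), but `\p` is the Doxygen tag for function parameters; `\c N` is the tag for a plain member name. The hunk ends inside the mbedtls_rsa_import declaration.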
@@ -184,36 +192,37 @@ int mbedtls_rsa_import( mbedtls_rsa_context *ctx, const mbedtls_mpi *D, const mbedtls_mpi *E ); /** - * \brief Import core RSA parameters in raw big-endian - * binary format into an RSA context + * \brief This function imports core RSA parameters, in raw big-endian + * binary format, into an RSA context. * - * \param ctx Initialized RSA context to store parameters - * \param N RSA modulus, or NULL - * \param N_len Byte length of N, ignored if N == NULL - * \param P First prime factor of N, or NULL - * \param P_len Byte length of P, ignored if P == NULL - * \param Q Second prime factor of N, or NULL - * \param Q_len Byte length of Q, ignored if Q == NULL - * \param D Private exponent, or NULL - * \param D_len Byte length of D, ignored if D == NULL - * \param E Public exponent, or NULL - * \param E_len Byte length of E, ignored if E == NULL + * \param ctx The initialized RSA context to store the parameters in. + * \param N The RSA modulus, or NULL. + * \param N_len The Byte length of \p N, ignored if \p N == NULL. + * \param P The first prime factor of \p N, or NULL. + * \param P_len The Byte length of \p P, ignored if \p P == NULL. + * \param Q The second prime factor of \p N, or NULL. + * \param Q_len The Byte length of \p Q, ignored if \p Q == NULL. + * \param D The private exponent, or NULL. + * \param D_len The Byte length of \p D, ignored if \p D == NULL. + * \param E The public exponent, or NULL. + * \param E_len The Byte length of \p E, ignored if \p E == NULL. * * \note This function can be called multiple times for successive - * imports if the parameters are not simultaneously present. + * imports, if the parameters are not simultaneously present. 
+ * * Any sequence of calls to this function should be followed - * by a call to \c mbedtls_rsa_complete which will check - * and complete the provided information to a ready-for-use + * by a call to mbedtls_rsa_complete(), which checks and + * completes the provided information to a ready-for-use * public or private RSA key. * - * \note See the documentation of \c mbedtls_rsa_complete for more - * information on which parameters are necessary to setup - * a private or public RSA key. + * \note See mbedtls_rsa_complete() for more information on which + * parameters are necessary to set up a private or public + * RSA key. * * \note The imported parameters are copied and need not be preserved * for the lifetime of the RSA context being set up. * - * \return 0 if successful, non-zero error code on failure. + * \return \c 0 on success, or a non-zero error code on failure. */ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, unsigned char const *N, size_t N_len, @@ -223,71 +232,71 @@ int mbedtls_rsa_import_raw( mbedtls_rsa_context *ctx, unsigned char const *E, size_t E_len ); /** - * \brief Attempt to complete an RSA context from + * \brief This function completes an RSA context from * a set of imported core parameters. * - * \param ctx Initialized RSA context to store parameters + * To setup an RSA public key, precisely \p N and \p E + * must have been imported. * - * \note - * - To setup an RSA public key, precisely N and E - * must have been imported. + * To setup an RSA private key, sufficient information must + * be present for the other parameters to be derivable. * - * - To setup an RSA private key, enough information must be - * present for the other parameters to be derivable. + * The default implementation supports the following: + *
  • Derive \p P, \p Q from \p N, \p D, \p E.
  • + *
  • Derive \p N, \p D from \p P, \p Q, \p E.
+ * Alternative implementations need not support these. * - * The default implementation supports the following: - * - Derive P, Q from N, D, E - * - Derive N, D from P, Q, E. + * If this function runs successfully, it guarantees that + * the RSA context can be used for RSA operations without + * the risk of failure or crash. * - * - Alternative implementations need not support these - * and may return \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA instead. + * \param ctx The initialized RSA context holding imported parameters. * - * \return - * - 0 if successful. In this case, it is guaranteed - * that the RSA context can be used for RSA operations - * without the risk of failure or crash. - * - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the attempted - * derivations failed. + * \return \c 0 on success, or #MBEDTLS_ERR_RSA_BAD_INPUT_DATA if the + * attempted derivations failed. * * \warning This function need not perform consistency checks - * for the imported parameters! In particular, parameters that - * are not needed by the implementation may be silently discarded - * and left unchecked. For the purpose of checking the consistency - * of the key material, see \c mbedtls_rsa_check_privkey. + * for the imported parameters. In particular, parameters that + * are not needed by the implementation might be silently + * discarded and left unchecked. To check the consistency + * of the key material, see mbedtls_rsa_check_privkey(). * */ int mbedtls_rsa_complete( mbedtls_rsa_context *ctx ); /** - * \brief Export core parameters of an RSA key + * \brief This function exports the core parameters of an RSA key. 
* - * \param ctx Initialized RSA context - * \param N MPI to hold the RSA modulus, or NULL - * \param P MPI to hold the first prime factor of N, or NULL - * \param Q MPI to hold the second prime factor of N, or NULL - * \param D MPI to hold the private exponent, or NULL - * \param E MPI to hold the public exponent, or NULL + * If this function runs successfully, the non-NULL buffers + * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + * written, with additional unused space filled leading by + * zero Bytes. * - * \return - * - 0 if successful. In this case, the non-NULL buffers - * pointed to by N, P, Q, D, E are fully written, with - * additional unused space filled leading by 0-bytes. - * - Non-zero return code otherwise. In particular, if - * exporting the requested parameters - * cannot be done because of a lack of functionality - * or because of security policies, the error code - * \c MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is returned. - * In this case, the RSA context stays intact and can - * be continued to be used. + * Possible reasons for returning + * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
    + *
  • An alternative RSA implementation is in use, which + * stores the key externally, and either cannot or should + * not export it into RAM.
  • + *
  • A SW or HW implementation might not support a certain + * deduction. For example, \p P, \p Q from \p N, \p D, + * and \p E if the former are not part of the + * implementation.
* - * \note Reasons for returning \c MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION - * would be the following: Firstly, it might be that an - * alternative RSA implementation is in use which stores - * the key externally, and which either cannot or should not - * export it into RAM. Alternatively, an implementation - * (regardless of SW or HW) might not support deducing e.g. - * P, Q from N, D, E if the former are not part of the - * implementation. + * If the function fails due to an unsupported operation, + * the RSA context stays intact and remains usable. + * + * \param ctx The initialized RSA context. + * \param N The MPI to hold the RSA modulus, or NULL. + * \param P The MPI to hold the first prime factor of \p N, or NULL. + * \param Q The MPI to hold the second prime factor of \p N, or NULL. + * \param D The MPI to hold the private exponent, or NULL. + * \param E The MPI to hold the public exponent, or NULL. + * + * \return \c 0 on success, + * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the + * requested parameters cannot be done due to missing + * functionality or because of security policies, + * or a non-zero return code on any other failure. * */ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, 
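Review bot: The rewritten mbedtls_rsa_complete description tags `\p N`, `\p E`, `\p P`, `\p Q` and `\p D` as parameters, but the function's only parameter is `ctx`; `\c N` (and so on) is the tag for names that are not parameters, and the `\p` usage is correct only in the mbedtls_rsa_export text below, where those names are real parameters. `To setup an RSA public key` and `To setup an RSA private key` use the noun form where the verb `set up` is meant. The phrase `with additional unused space filled leading by zero Bytes` is hard to parse; suggest `with any unused leading space filled with zero Bytes`. The hunk ends inside the mbedtls_rsa_export declaration.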
@@ -295,46 +304,48 @@ int mbedtls_rsa_export( const mbedtls_rsa_context *ctx, mbedtls_mpi *D, mbedtls_mpi *E ); /** - * \brief Export core parameters of an RSA key - * in raw big-endian binary format + * \brief This function exports core parameters of an RSA key + * in raw big-endian binary format. * - * \param ctx Initialized RSA context - * \param N Byte array to store the RSA modulus, or NULL - * \param N_len Size of buffer for modulus - * \param P Byte array to hold the first prime factor of N, or NULL - * \param P_len Size of buffer for first prime factor - * \param Q Byte array to hold the second prime factor of N, or NULL - * \param Q_len Size of buffer for second prime factor - * \param D Byte array to hold the private exponent, or NULL - * \param D_len Size of buffer for private exponent - * \param E Byte array to hold the public exponent, or NULL - * \param E_len Size of buffer for public exponent + * If this function runs successfully, the non-NULL buffers + * pointed to by \p N, \p P, \p Q, \p D, and \p E are fully + * written, with additional unused space filled leading by + * zero Bytes. + * + * Possible reasons for returning + * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION:
    + *
  • An alternative RSA implementation is in use, which + * stores the key externally, and either cannot or should + * not export it into RAM.
  • + *
  • A SW or HW implementation might not support a certain + * deduction. For example, \p P, \p Q from \p N, \p D, + * and \p E if the former are not part of the + * implementation.
+ * If the function fails due to an unsupported operation, + * the RSA context stays intact and remains usable. + * + * \param ctx The initialized RSA context. + * \param N The Byte array to store the RSA modulus, or NULL. + * \param N_len The size of the buffer for the modulus. + * \param P The Byte array to hold the first prime factor of \p N, or + * NULL. + * \param P_len The size of the buffer for the first prime factor. + * \param Q The Byte array to hold the second prime factor of \p N, or + NULL. + * \param Q_len The size of the buffer for the second prime factor. + * \param D The Byte array to hold the private exponent, or NULL. + * \param D_len The size of the buffer for the private exponent. + * \param E The Byte array to hold the public exponent, or NULL. + * \param E_len The size of the buffer for the public exponent. * * \note The length fields are ignored if the corresponding * buffer pointers are NULL. * - * \return - * - 0 if successful. In this case, the non-NULL buffers - * pointed to by N, P, Q, D, E are fully written, with - * additional unused space filled leading by 0-bytes. - * - Non-zero return code otherwise. In particular, if - * exporting the requested parameters - * cannot be done because of a lack of functionality - * or because of security policies, the error code - * \c MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION is returned. - * In this case, the RSA context stays intact and can - * be continued to be used. - * - * \note Reasons for returning \c MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION - * would be the following: Firstly, it might be that an - * alternative RSA implementation is in use which stores - * the key externally, and which either cannot or should not - * export it into RAM. Alternatively, an implementation - * (regardless of SW or HW) might not support deducing e.g. - * P, Q from N, D, E if the former are not part of the - * implementation. 
- * - * + * \return \c 0 on success, + * #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION if exporting the + * requested parameters cannot be done due to missing + * functionality or because of security policies, + * or a non-zero return code on any other failure. */ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, unsigned char *N, size_t N_len, 
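Review bot: The added continuation line `+ NULL.` under `\param Q` in the mbedtls_rsa_export_raw block is missing the ` *` comment leader that every other line of the block carries, so it renders as a ragged line in the header; it should read ` * NULL.` aligned with the text above it. The same slip appears in the next hunk, in the mbedtls_rsa_gen_key `\return` continuation `+ on failure.`. Both are still inside the `/** ... */` block, so they compile, but they break the file's Doxygen layout. The hunk ends inside the mbedtls_rsa_export_raw declaration.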
@@ -344,57 +355,59 @@ int mbedtls_rsa_export_raw( const mbedtls_rsa_context *ctx, unsigned char *E, size_t E_len ); /** - * \brief Export CRT parameters of a private RSA key + * \brief This function exports CRT parameters of a private RSA key. * - * \param ctx Initialized RSA context - * \param DP MPI to hold D modulo P-1, or NULL - * \param DQ MPI to hold D modulo Q-1, or NULL - * \param QP MPI to hold modular inverse of Q modulo P, or NULL + * \param ctx The initialized RSA context. + * \param DP The MPI to hold D modulo P-1, or NULL. + * \param DQ The MPI to hold D modulo Q-1, or NULL. + * \param QP The MPI to hold modular inverse of Q modulo P, or NULL. * - * \return 0 if successful, non-zero error code otherwise. + * \return \c 0 on success, non-zero error code otherwise. * * \note Alternative RSA implementations not using CRT-parameters - * internally can implement this function using based on - * \c mbedtls_rsa_deduce_opt. + * internally can implement this function based on + * mbedtls_rsa_deduce_opt(). * */ int mbedtls_rsa_export_crt( const mbedtls_rsa_context *ctx, mbedtls_mpi *DP, mbedtls_mpi *DQ, mbedtls_mpi *QP ); /** - * \brief Set padding for an already initialized RSA context - * See \c mbedtls_rsa_init() for details. + * \brief This function sets padding for an already initialized RSA + * context. See mbedtls_rsa_init() for details. * - * \param ctx RSA context to be set - * \param padding \c MBEDTLS_RSA_PKCS_V15 or \c MBEDTLS_RSA_PKCS_V21 - * \param hash_id \c MBEDTLS_RSA_PKCS_V21 hash identifier + * \param ctx The RSA context to be set. + * \param padding Selects padding mode: #MBEDTLS_RSA_PKCS_V15 or + * #MBEDTLS_RSA_PKCS_V21. + * \param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier. */ void mbedtls_rsa_set_padding( mbedtls_rsa_context *ctx, int padding, int hash_id); /** - * \brief Get length of RSA modulus in bytes + * \brief This function retrieves the length of RSA modulus in Bytes. 
* - * \param ctx Initialized RSA context + * \param ctx The initialized RSA context. * - * \return Length of RSA modulus, in bytes. + * \return The length of the RSA modulus in Bytes. * */ size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ); /** - * \brief Generate an RSA keypair + * \brief This function generates an RSA keypair. * - * \param ctx RSA context that will hold the key - * \param f_rng RNG function - * \param p_rng RNG parameter - * \param nbits size of the public key in bits - * \param exponent public exponent (e.g., 65537) + * \param ctx The RSA context used to hold the key. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. + * \param nbits The size of the public key in bits. + * \param exponent The public exponent. For example, 65537. * - * \note mbedtls_rsa_init() must be called beforehand to setup - * the RSA context. + * \note mbedtls_rsa_init() must be called before this function, + * to set up the RSA context. * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code + on failure. */ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), 
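Review bot: The new `\param hash_id The #MBEDTLS_RSA_PKCS_V21 hash identifier.` for mbedtls_rsa_set_padding is inconsistent with the wording this same patch gives the identical parameter of mbedtls_rsa_init, `The hash identifier of #mbedtls_md_type_t type, if \p padding is #MBEDTLS_RSA_PKCS_V21.`; as set_padding's brief defers to mbedtls_rsa_init() for details, the two descriptions should match. The hunk ends inside the mbedtls_rsa_gen_key declaration.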
@@ -402,101 +415,109 @@ int mbedtls_rsa_gen_key( mbedtls_rsa_context *ctx, unsigned int nbits, int exponent ); /** - * \brief Check if a context contains (at least) an RSA public key + * \brief This function checks if a context contains at least an RSA + * public key. * - * \param ctx RSA context to be checked + * If the function runs successfully, it is guaranteed that + * enough information is present to perform an RSA public key + * operation using mbedtls_rsa_public(). * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code. - * On success, it is guaranteed that enough information is - * present to perform an RSA public key operation - * \c mbedtls_rsa_public. + * \param ctx The RSA context to check. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code + * on failure. * */ int mbedtls_rsa_check_pubkey( const mbedtls_rsa_context *ctx ); /** - * \brief Check if a context contains an RSA private key + * \brief This function checks if a context contains an RSA private key * and perform basic consistency checks. * - * \param ctx RSA context to be checked + * \param ctx The RSA context to check. * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code. + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code on + * failure. * * \note The consistency checks performed by this function not only - * ensure that \c mbedtls_rsa_private can be called successfully + * ensure that mbedtls_rsa_private() can be called successfully * on the given context, but that the various parameters are * mutually consistent with high probability, in the sense that - * \c mbedtls_rsa_public and \c mbedtls_rsa_private are inverses. + * mbedtls_rsa_public() and mbedtls_rsa_private() are inverses. 
* * \warning This function should catch accidental misconfigurations * like swapping of parameters, but it cannot establish full * trust in neither the quality nor the consistency of the key * material that was used to setup the given RSA context: - * - Regarding consistency, note (see \c mbedtls_rsa_complete) - * that imported parameters irrelevant for the implementation - * might be silently dropped, in which case the present - * function doesn't have access to and hence cannot check them. - * If you want to check the consistency of the entire - * content of, say, an PKCS1-encoded RSA private key, you - * should use \c mbedtls_rsa_validate_params before setting - * up the RSA context. - * Further, if the implementation performs empirical checks, - * these checks will substantiate but not guarantee consistency. - * - Regarding quality, this function is not expected to perform - * extended quality assessments like checking that the prime - * factors are safe. Further, it is the user's responsibility to - * ensure trustworthiness of the source of his RSA parameters, - * a question going beyond what's effectively checkable - * by the library. - * + *
  • Consistency: Imported parameters that are irrelevant + * for the implementation might be silently dropped. If dropped, + * the current function does not have access to them, + * and therefore cannot check them. See mbedtls_rsa_complete(). + * If you want to check the consistency of the entire + * content of an PKCS1-encoded RSA private key, for example, you + * should use mbedtls_rsa_validate_params() before setting + * up the RSA context. + * Additionally, if the implementation performs empirical checks, + * these checks substantiate but do not guarantee consistency.
  • + *
  • Quality: This function is not expected to perform + * extended quality assessments like checking that the prime + * factors are safe. Additionally, it is the responsibility of the + * user to ensure the trustworthiness of the source of his RSA + * parameters, which goes beyond what is effectively checkable + * by the library.
*/ int mbedtls_rsa_check_privkey( const mbedtls_rsa_context *ctx ); /** - * \brief Check a public-private RSA key pair. - * Check each of the contexts, and make sure they match. + * \brief This function checks a public-private RSA key pair. * - * \param pub RSA context holding the public key - * \param prv RSA context holding the private key + * It checks each of the contexts, and makes sure they match. * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code + * \param pub The RSA context holding the public key. + * \param prv The RSA context holding the private key. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code + * on failure. */ int mbedtls_rsa_check_pub_priv( const mbedtls_rsa_context *pub, const mbedtls_rsa_context *prv ); /** - * \brief Do an RSA public key operation + * \brief This function performs an RSA public key operation. * - * \param ctx RSA context - * \param input input buffer - * \param output output buffer + * \param ctx The RSA context. + * \param input The input buffer. + * \param output The output buffer. * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code + * on failure. * - * \note This function does NOT take care of message - * padding. Also, be sure to set input[0] = 0 or ensure that - * input is smaller than N. + * \note This function does not handle message padding. + * + * \note Make sure to set \p input[0] = 0 or ensure that + * input is smaller than \p N. * * \note The input and output buffers must be large - * enough (eg. 128 bytes if RSA-1024 is used). + * enough. For example, 128 Bytes if RSA-1024 is used. */ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, const unsigned char *input, unsigned char *output ); /** - * \brief Do an RSA private key operation + * \brief This function performs an RSA private key operation. 
* - * \param ctx RSA context - * \param f_rng RNG function (Needed for blinding) - * \param p_rng RNG parameter - * \param input input buffer - * \param output output buffer + * \param ctx The RSA context. + * \param f_rng The RNG function. Needed for blinding. + * \param p_rng The RNG parameter. + * \param input The input buffer. + * \param output The output buffer. * - * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code + * on failure. * * \note The input and output buffers must be large - * enough (eg. 128 bytes if RSA-1024 is used). + * enough. For example, 128 Bytes if RSA-1024 is used. */ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), 
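Review bot: `an PKCS1-encoded RSA private key` in the rewritten mbedtls_rsa_check_privkey warning should be `a PKCS1-encoded RSA private key`. In the mbedtls_rsa_public notes, `smaller than \p N` tags `N`, which is a context member and not a parameter of that function; `smaller than \c ctx->N` would say what is meant and match the `\p ctx->N` form used later in the patch. The hunk ends inside the mbedtls_rsa_private declaration.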
@@ -505,32 +526,36 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx,
 unsigned char *output );
 /**
- * \brief Generic wrapper to perform a PKCS#1 encryption using the
- * mode from the context. Add the message padding, then do an
- * RSA operation.
+ * \brief This function adds the message padding, then performs an RSA
+ * operation.
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
- * and \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param ilen contains the plaintext length
- * \param input buffer holding the data to be encrypted
- * \param output buffer that will hold the ciphertext
+ * It is the generic wrapper for performing a PKCS#1 encryption
+ * operation using the \p mode from the context.
+ *
+ *
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Needed for padding, PKCS#1 v2.1
+ * encoding, and #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ilen The length of the plaintext.
+ * \param input The buffer holding the data to encrypt.
+ * \param output The buffer used to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The input and output buffers must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
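Review bot: The rewritten note at the end of this hunk, `The input and output buffers must be as large as the size of \p ctx->N`, is wrong for the input side: \p input carries only \p ilen bytes of plaintext, and every padding scheme this wrapper dispatches to needs the message to be shorter than the modulus, so a caller following the new text could size or fill the input incorrectly. The original wording scoped the requirement to the output buffer and should be restored: `\note The output buffer must be as large as the size of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.` Add a sentence on the input limit instead, e.g. `\p ilen must not exceed the maximum message length of the selected padding mode` (presumably ctx->len - 11 for PKCS#1 v1.5 and ctx->len - 2*hLen - 2 for OAEP per RFC 3447; confirm against the implementation). The comment block starts at this hunk's `/**` and closes inside the hunk.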
@@ -540,29 +565,32 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx,
 unsigned char *output );
 /**
- * \brief Perform a PKCS#1 v1.5 encryption (RSAES-PKCS1-v1_5-ENCRYPT)
+ * \brief This function performs a PKCS#1 v1.5 encryption operation
+ * (RSAES-PKCS1-v1_5-ENCRYPT).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Needed for padding and \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param ilen contains the plaintext length
- * \param input buffer holding the data to be encrypted
- * \param output buffer that will hold the ciphertext
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Needed for padding and
+ * #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param ilen The length of the plaintext.
+ * \param input The buffer holding the data to encrypt.
+ * \param output The buffer used to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
  * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
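Review bot: `\param ilen The length of the plaintext.` says nothing about the upper bound, and for RSAES-PKCS1-v1_5 the message length is limited by the padding overhead, which is the one constraint a caller of this function actually has to check. The rewrite would be the place to state it, e.g. `\param ilen The length of the plaintext in Bytes. Must not exceed the scheme's maximum message length (presumably \p ctx->len - 11, per RFC 3447 section 7.2.1; confirm against the implementation).` It would also help to say that the `f_rng` "needed for padding" wording means the generator must be supplied even in #MBEDTLS_RSA_PUBLIC mode, since v1.5 padding bytes are random; that reading is inferred from the scheme, not visible here.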
@@ -572,32 +600,34 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx,
 unsigned char *output );
 /**
- * \brief Perform a PKCS#1 v2.1 OAEP encryption (RSAES-OAEP-ENCRYPT)
+ * \brief This function performs a PKCS#1 v2.1 OAEP encryption
+ * operation (RSAES-OAEP-ENCRYPT).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Needed for padding and PKCS#1 v2.1 encoding
- * and \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param label buffer holding the custom label to use
- * \param label_len contains the label length
- * \param ilen contains the plaintext length
- * \param input buffer holding the data to be encrypted
- * \param output buffer that will hold the ciphertext
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Needed for padding and PKCS#1 v2.1
+ * encoding and #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param label The buffer holding the custom label to use.
+ * \param label_len The length of the label.
+ * \param ilen The length of the plaintext.
+ * \param input The buffer holding the data to encrypt.
+ * \param output The buffer used to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
  * \note The output buffer must be as large as the size
- * of ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * of ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
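Review bot: The output-size note in this hunk is the only one in the series that keeps a bare `ctx->N` where every sibling hunk switched to `\p ctx->N`; make it `* of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.` so Doxygen renders it consistently. The new `\param label` / `\param label_len` text also leaves open whether a NULL label with `label_len == 0` is accepted (the RFC 3447 default empty label), which is what most callers pass; if the implementation allows it, say so, e.g. `\param label The buffer holding the custom label to use, or NULL for an empty label (confirm against the implementation).`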
@@ -609,39 +639,42 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx,
 unsigned char *output );
 /**
- * \brief Generic wrapper to perform a PKCS#1 decryption using the
- * mode from the context. Do an RSA operation, then remove
- * the message padding
+ * \brief This function performs an RSA operation, then removes the
+ * message padding.
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param olen will contain the plaintext length
- * \param input buffer holding the encrypted data
- * \param output buffer that will hold the plaintext
- * \param output_max_len maximum length of the output buffer
+ * It is the generic wrapper for performing a PKCS#1 decryption
+ * operation using the \p mode from the context.
+ *
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param olen The length of the plaintext.
+ * \param input The buffer holding the encrypted data.
+ * \param output The buffer used to hold the plaintext.
+ * \param output_max_len The maximum length of the output buffer.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
  * \note The output buffer length \c output_max_len should be
- * as large as the size \c ctx->len of \c ctx->N (eg. 128 bytes
- * if RSA-1024 is used) to be able to hold an arbitrary
- * decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
- * the function will return \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ * as large as the size \p ctx->len of \p ctx->N (for example,
+ * 128 Bytes if RSA-1024 is used) to be able to hold an
+ * arbitrary decrypted message. If it is not large enough to
+ * hold the decryption of the particular ciphertext provided,
+ * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \note The input buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
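Review bot: `\param olen The length of the plaintext.` loses the one thing the old text said, that \p olen is an output written by the function ("will contain the plaintext length"); as rewritten it reads like an input and a reader could pass an uninitialised or wrong value without noticing. Suggest `\param olen The address at which to store the length of the plaintext, set on success.` The same hunk also writes `\c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE` where the v1.5 decrypt hunk uses `#MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE`; pick the `#` form so the error code is cross-linked. The `/**` block edited here begins at this hunk's header and ends within it.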
@@ -652,37 +685,39 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx,
 size_t output_max_len );
 /**
- * \brief Perform a PKCS#1 v1.5 decryption (RSAES-PKCS1-v1_5-DECRYPT)
+ * \brief This function performs a PKCS#1 v1.5 decryption
+ * operation (RSAES-PKCS1-v1_5-DECRYPT).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param olen will contain the plaintext length
- * \param input buffer holding the encrypted data
- * \param output buffer that will hold the plaintext
- * \param output_max_len maximum length of the output buffer
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param olen The length of the plaintext.
+ * \param input The buffer holding the encrypted data.
+ * \param output The buffer to hold the plaintext.
+ * \param output_max_len The maximum length of the output buffer.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
  * \note The output buffer length \c output_max_len should be
- * as large as the size \c ctx->len of \c ctx->N (eg. 128 bytes
- * if RSA-1024 is used) to be able to hold an arbitrary
- * decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
- * the function will return \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ * as large as the size \p ctx->len of \p ctx->N, for example,
+ * 128 Bytes if RSA-1024 is used, to be able to hold an
+ * arbitrary decrypted message. If it is not large enough to
+ * hold the decryption of the particular ciphertext provided,
+ * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \note The input buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
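Review bot: A documentation rewrite of RSAES-PKCS1-v1_5-DECRYPT is the right place to warn callers that the padding check in this scheme is a classic decryption oracle, and the new text has no such caveat. Whether the implementation behind this header is constant-time in the padding-check path cannot be seen from here, but the header can still tell callers that the distinction between a padding failure and any other failure must not be exposed to the party who supplied the ciphertext, e.g. a `\warning` stating that the function's failure reason and timing must be treated as secret and that RSAES-OAEP should be preferred for new designs. Separately, `\param olen The length of the plaintext.` drops the "will contain" of the original; it is an out-parameter and should read `\param olen The address at which to store the length of the plaintext.` The `/**` block starts at this hunk's header and closes within the hunk.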
@@ -693,40 +728,42 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
 size_t output_max_len );
 /**
- * \brief Perform a PKCS#1 v2.1 OAEP decryption (RSAES-OAEP-DECRYPT)
+ * \brief This function performs a PKCS#1 v2.1 OAEP decryption
+ * operation (RSAES-OAEP-DECRYPT).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param label buffer holding the custom label to use
- * \param label_len contains the label length
- * \param olen will contain the plaintext length
- * \param input buffer holding the encrypted data
- * \param output buffer that will hold the plaintext
- * \param output_max_len maximum length of the output buffer
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param label The buffer holding the custom label to use.
+ * \param label_len The length of the label.
+ * \param olen The length of the plaintext.
+ * \param input The buffer holding the encrypted data.
+ * \param output The buffer to hold the plaintext.
+ * \param output_max_len The maximum length of the output buffer.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if successful, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 on success, or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
  * \note The output buffer length \c output_max_len should be
- * as large as the size \c ctx->len of \c ctx->N (eg. 128 bytes
- * if RSA-1024 is used) to be able to hold an arbitrary
- * decrypted message. If it is not large enough to hold
- * the decryption of the particular ciphertext provided,
- * the function will return \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
+ * as large as the size \p ctx->len of \p ctx->N, for
+ * example, 128 Bytes if RSA-1024 is used, to be able to
+ * hold an arbitrary decrypted message. If it is not
+ * large enough to hold the decryption of the particular
+ * ciphertext provided, the function returns
+ * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE.
  *
  * \note The input buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
- *
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
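Review bot: `\param olen The length of the plaintext.` in this hunk turns an out-parameter into what reads like an input; the old text's "will contain the plaintext length" was the useful part and should survive the rewrite, e.g. `\param olen The address at which to store the length of the decrypted plaintext.` The new `\param label` text should also say that the label must match the one used at encryption time, since a mismatch is a decryption failure by construction of OAEP and nothing here tells the caller that; whether NULL with `label_len == 0` is accepted for the empty label is not visible in this header and should be confirmed and documented alongside.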
@@ -739,39 +776,41 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx,
 size_t output_max_len );
 /**
- * \brief Generic wrapper to perform a PKCS#1 signature using the
- * mode from the context. Do a private RSA operation to sign
- * a message digest
+ * \brief This function performs a private RSA operation to sign
+ * a message digest using PKCS#1.
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
- * \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE for
- * signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer that will hold the ciphertext
+ * It is the generic wrapper for performing a PKCS#1
+ * signature using the \p mode from the context.
+ *
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
+ * #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the signing operation was successful,
- * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * \return \c 0 if the signing operation was successful,
+ * or an \c MBEDTLS_ERR_RSA_XXX error code on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \note In case of PKCS#1 v2.1 encoding, see comments on
- * \c mbedtls_rsa_rsassa_pss_sign() for details on
- * \c md_alg and \c hash_id.
+ * \note For PKCS#1 v2.1 encoding, see comments on
+ * mbedtls_rsa_rsassa_pss_sign() for details on
+ * \p md_alg and \p hash_id.
  */
 int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
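Review bot: The last note in this hunk applies `\p` to `hash_id`, which is not a parameter of mbedtls_rsa_pkcs1_sign but a field of the context, so Doxygen will either warn or render a dangling parameter reference; write it as `\p md_alg and the context's \c hash_id.` The parameter list in the same hunk also keeps `\param sig The buffer to hold the ciphertext.` for a signing function, where the buffer receives a signature, not ciphertext; `\param sig The buffer to hold the signature.` is what a reader of a sign/verify pair expects. The `/**` block starts at this hunk's header and closes inside it.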
@@ -783,32 +822,34 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
 unsigned char *sig );
 /**
- * \brief Perform a PKCS#1 v1.5 signature (RSASSA-PKCS1-v1_5-SIGN)
+ * \brief This function performs a PKCS#1 v1.5 signature
+ * operation (RSASSA-PKCS1-v1_5-SIGN).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE
- * for signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer that will hold the ciphertext
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the signing operation was successful,
+ * \return \c 0 if the signing operation was successful,
  * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
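Review bot: `\param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.` in this hunk is easy to misread as "optional", yet #MBEDTLS_RSA_PRIVATE is the only non-deprecated mode for a signing function, and the mbedtls_rsa_private documentation in this same file says the RNG is what drives blinding. A caller who passes NULL to a deterministic scheme like RSASSA-PKCS1-v1_5 plausibly gets a signature without the blinding countermeasure; whether the implementation silently skips blinding in that case cannot be seen from the header and should be confirmed and stated. Suggest `\param f_rng The RNG function. Used for blinding of the private operation in #MBEDTLS_RSA_PRIVATE mode; passing NULL presumably disables that countermeasure (confirm).` The `\param sig ... ciphertext` wording from the top of this hunk should likewise say "signature".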
@@ -820,38 +861,42 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
 unsigned char *sig );
 /**
- * \brief Perform a PKCS#1 v2.1 PSS signature (RSASSA-PSS-SIGN)
+ * \brief This function performs a PKCS#1 v2.1 PSS signature
+ * operation (RSASSA-PSS-SIGN).
  *
- * \param ctx RSA context
- * \param f_rng RNG function (Needed for PKCS#1 v2.1 encoding and for
- * \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE
- * for signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer that will hold the ciphertext
+ * \param ctx The RSA context.
+ * \param f_rng The RNG function. Needed for PKCS#1 v2.1 encoding and for
+ * #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer to hold the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PUBLIC. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PRIVATE.
+ * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PRIVATE.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PUBLIC and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PUBLIC and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the signing operation was successful,
+ * \return \c 0 if the signing operation was successful,
  * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \note The \c hash_id in the RSA context is the one used for the
- * encoding. \c md_alg in the function call is the type of hash
- * that is encoded. According to RFC 3447 it is advised to
- * keep both hashes the same.
+ * \note The \p hash_id in the RSA context is the one used for the
+ * encoding. \p md_alg in the function call is the type of hash
+ * that is encoded. According to RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications it is advised to keep both hashes the
+ * same.
  */
 int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
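Review bot: The PSS note in this hunk explains which hash drives the encoding but never states the salt length the function uses, and that value is the one parameter a verifier on the other side must agree on (the `expected_salt_len` argument of mbedtls_rsa_rsassa_pss_verify_ext later in this file exists precisely to pin it). Add a sentence such as `The salt length used in the encoding is <value>; verifiers that pin a salt length must expect this value.`, where the value (presumably the length of the \p md_alg digest — confirm against the implementation) is taken from the code rather than guessed. Minor: `RFC-3447` is hyphenated here and in the PSS verify hunk while the removed text used `RFC 3447`; use the RFC's own citation form consistently.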
@@ -863,36 +908,41 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx,
 unsigned char *sig );
 /**
- * \brief Generic wrapper to perform a PKCS#1 verification using the
- * mode from the context. Do a public RSA operation and check
- * the message digest
+ * \brief This function performs a public RSA operation and checks
+ * the message digest.
  *
- * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE for signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer holding the ciphertext
+ * This is the generic wrapper for performing a PKCS#1
+ * verification using the mode from the context.
+ *
+ * \param ctx The RSA public key context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer holding the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the verify operation was successful,
+ * \return \c 0 if the verify operation was successful,
  * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \note In case of PKCS#1 v2.1 encoding, see comments on
- * \c mbedtls_rsa_rsassa_pss_verify() about md_alg and hash_id.
+ * \note For PKCS#1 v2.1 encoding, see comments on
+ * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and
+ * \p hash_id.
  */
 int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
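Review bot: The `\param md_alg` text that this hunk pastes into a verification function still says `Use #MBEDTLS_MD_NONE for signing raw data.`; for mbedtls_rsa_pkcs1_verify it should read `Use #MBEDTLS_MD_NONE for verifying raw data.`, and `\param sig The buffer holding the ciphertext.` should be `\param sig The buffer holding the signature to verify.` The final note uses `\p hash_id`, which is a context field rather than a parameter of this function and will not resolve as a parameter reference; `the context's \c hash_id` is the accurate form. The rewritten `\deprecated` text in this hunk also dropped the word "implicitly" that every other hunk in the series kept, which is a needless divergence between otherwise identical boilerplate. The `/**` block begins at this hunk's header and closes inside the hunk.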
@@ -904,32 +954,34 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
 const unsigned char *sig );
 /**
- * \brief Perform a PKCS#1 v1.5 verification (RSASSA-PKCS1-v1_5-VERIFY)
+ * \brief This function performs a PKCS#1 v1.5 verification
+ * operation (RSASSA-PKCS1-v1_5-VERIFY).
  *
- * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE
- * for signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer holding the ciphertext
+ * \param ctx The RSA public key context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer holding the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the verify operation was successful,
+ * \return \c 0 if the verify operation was successful,
  * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  */
 int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
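Review bot: For RSASSA-PKCS1-v1_5-VERIFY the new parameter text still describes the signature as `\param sig The buffer holding the ciphertext.` and tells the caller to `Use #MBEDTLS_MD_NONE for signing raw data.`; both are copy-overs from the sign side and should read `\param sig The buffer holding the signature to verify.` and `... for verifying raw data.` The `\return` also says only `\c 0 if the verify operation was successful` without naming the code returned when the signature is simply invalid, which is the value every caller branches on; if the implementation uses a dedicated #MBEDTLS_ERR_RSA_VERIFY_FAILED-style code, the header should say so (confirm against the implementation and the error list before adding it). The `/**` block begins at this hunk's header and ends inside the hunk.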
@@ -941,38 +993,45 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
 const unsigned char *sig );
 /**
- * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY)
- * (This is the "simple" version.)
+ * \brief This function performs a PKCS#1 v2.1 PSS verification
+ * operation (RSASSA-PSS-VERIFY).
  *
- * \param ctx points to an RSA public key
- * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE)
- * \param p_rng RNG parameter
- * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE
- * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE for signing raw data)
- * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only)
- * \param hash buffer holding the message digest
- * \param sig buffer holding the ciphertext
+ * The hash function for the MGF mask generating function
+ * is that specified in the RSA context.
+ *
+ * \param ctx The RSA public key context.
+ * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE.
+ * \param p_rng The RNG parameter.
+ * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
+ * \param md_alg The message-digest algorithm used to hash the original data.
+ * Use #MBEDTLS_MD_NONE for signing raw data.
+ * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE.
+ * \param hash The buffer holding the message digest.
+ * \param sig The buffer holding the ciphertext.
  *
  * \deprecated It is deprecated and discouraged to call this function
- * in mode MBEDTLS_RSA_PRIVATE. Future versions of the libary
- * are likely to remove the mode argument and have it implicitly
- * set to MBEDTLS_RSA_PUBLIC.
+ * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
+ * are likely to remove the \p mode argument and have it
+ * implicitly set to #MBEDTLS_RSA_PUBLIC.
  *
  * \note Alternative implementations of RSA need not support
- * mode being set to MBEDTLS_RSA_PRIVATE and may instead
- * return MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
+ * mode being set to #MBEDTLS_RSA_PRIVATE and might instead
+ * return #MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION.
  *
- * \return 0 if the verify operation was successful,
+ * \return \c 0 if the verify operation was successful,
  * or an \c MBEDTLS_ERR_RSA_XXX error code
+ * on failure.
  *
- * \note The \c sig buffer must be as large as the size
- * of \c ctx->N (eg. 128 bytes if RSA-1024 is used).
+ * \note The \p sig buffer must be as large as the size
+ * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
  *
- * \note The \c hash_id in the RSA context is the one used for the
- * verification. \c md_alg in the function call is the type of
- * hash that is verified. According to RFC 3447 it is advised to
- * keep both hashes the same. If \c hash_id in the RSA context is
- * unset, the \c md_alg from the function call is used.
+ * \note The \p hash_id in the RSA context is the one used for the
+ * verification. \p md_alg in the function call is the type of
+ * hash that is verified. According to RFC-3447: Public-Key
+ * Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
+ * Specifications it is advised to keep both hashes the
+ * same. If \p hash_id in the RSA context is unset,
+ * the \p md_alg from the function call is used.
  */
 int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t),
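Review bot: The new brief of this hunk states that the MGF hash `is that specified in the RSA context`, while the closing note says that when `hash_id` is unset `the \p md_alg from the function call is used`; the brief should carry the fallback too, otherwise a reader who stops at the summary gets a different contract than the one in the note. Dropping `(This is the "simple" version.)` also removes the only hint that mbedtls_rsa_rsassa_pss_verify_ext exists for callers who need to pin the MGF hash and the salt length; the salt-length policy of this variant is not stated anywhere in the new text (presumably any length is accepted — confirm against the implementation) and a verifier that must enforce a fixed salt length needs to be pointed at the `_ext` function. Suggest adding `\note This variant does not check the salt length; use mbedtls_rsa_rsassa_pss_verify_ext() to verify against an expected salt length and an explicit MGF1 hash.` once the salt behaviour is confirmed. The `/**` block starts at this hunk's header and closes within it.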
@@ -984,28 +1043,33 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, const unsigned char *sig ); /** - * \brief Perform a PKCS#1 v2.1 PSS verification (RSASSA-PSS-VERIFY) - * (This is the version with "full" options.) + * \brief This function performs a PKCS#1 v2.1 PSS verification + * operation (RSASSA-PSS-VERIFY). * - * \param ctx points to an RSA public key - * \param f_rng RNG function (Only needed for \c MBEDTLS_RSA_PRIVATE) - * \param p_rng RNG parameter - * \param mode \c MBEDTLS_RSA_PUBLIC or \c MBEDTLS_RSA_PRIVATE - * \param md_alg a \c MBEDTLS_MD_XXX (use \c MBEDTLS_MD_NONE for signing raw data) - * \param hashlen message digest length (for \c MBEDTLS_MD_NONE only) - * \param hash buffer holding the message digest - * \param mgf1_hash_id message digest used for mask generation - * \param expected_salt_len Length of the salt used in padding, use - * \c MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length - * \param sig buffer holding the ciphertext + * The hash function for the MGF mask generating function + * is that specified in \p mgf1_hash_id. * - * \return 0 if the verify operation was successful, + * \param ctx The RSA public key context. + * \param f_rng The RNG function. Only needed for #MBEDTLS_RSA_PRIVATE. + * \param p_rng The RNG parameter. + * \param mode #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE. + * \param md_alg The message-digest algorithm used to hash the original data. + * Use #MBEDTLS_MD_NONE for signing raw data. + * \param hashlen The length of the message digest. Only used if \p md_alg is #MBEDTLS_MD_NONE. + * \param hash The buffer holding the message digest. + * \param mgf1_hash_id The message digest used for mask generation. + * \param expected_salt_len The length of the salt used in padding. Use + * #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length. + * \param sig The buffer holding the ciphertext. 
+ * + * \return \c 0 if the verify operation was successful, * or an \c MBEDTLS_ERR_RSA_XXX error code + * on failure. * - * \note The \c sig buffer must be as large as the size - * of \c ctx->N (eg. 128 bytes if RSA-1024 is used). + * \note The \p sig buffer must be as large as the size + * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. * - * \note The \c hash_id in the RSA context is ignored. + * \note The \p hash_id in the RSA context is ignored. */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), @@ -1019,20 +1083,20 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, const unsigned char *sig ); /** - * \brief Copy the components of an RSA context + * \brief This function copies the components of an RSA context. * - * \param dst Destination context - * \param src Source context + * \param dst The destination context. + * \param src The source context. * - * \return 0 on success, - * \c MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure + * \return \c 0 on success, + * #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure. */ int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src ); /** - * \brief Free the components of an RSA key + * \brief This function frees the components of an RSA key. * - * \param ctx RSA Context to free + * \param ctx The RSA Context to free. */ void mbedtls_rsa_free( mbedtls_rsa_context *ctx ); @@ -1049,9 +1113,9 @@ extern "C" { #endif /** - * \brief Checkup routine + * \brief The RSA checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_rsa_self_test( int verbose ); diff --git a/library/error.c b/library/error.c index d9ad6384a..eaf75adb1 100644 --- a/library/error.c +++ b/library/error.c 
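Review bot: `\param sig The buffer holding the ciphertext.` in the mbedtls_rsa_rsassa_pss_verify_ext block has the same mislabel as the simple variant above it: the buffer holds the signature being verified, so `\param sig The buffer holding the signature to verify.` is the accurate line. The block also lists `#MBEDTLS_RSA_PRIVATE` as an accepted `mode` but, unlike the simple variant, carries no `\deprecated` paragraph discouraging that mode; unless one exists outside the hunk, the same paragraph should be added here so both APIs give callers identical guidance. The function prototype continues past the hunk.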
@@ -366,7 +366,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_RSA_KEY_GEN_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - Something failed during generation of a key" ); if( use_ret == -(MBEDTLS_ERR_RSA_KEY_CHECK_FAILED) ) - mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the library's validity check" ); + mbedtls_snprintf( buf, buflen, "RSA - Key failed to pass the validity check of the library" ); if( use_ret == -(MBEDTLS_ERR_RSA_PUBLIC_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The public key operation failed" ); if( use_ret == -(MBEDTLS_ERR_RSA_PRIVATE_FAILED) ) @@ -378,7 +378,7 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_RSA_RNG_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - The random generator failed to generate non-zeros" ); if( use_ret == -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION) ) - mbedtls_snprintf( buf, buflen, "RSA - The implementation doesn't offer the requested operation, e.g. because of security violations or lack of functionality" ); + mbedtls_snprintf( buf, buflen, "RSA - The implementation does not offer the requested operation, for example, because of security violations or lack of functionality" ); if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) ) mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" ); #endif /* MBEDTLS_RSA_C */ From de2d6221c802d9ede7d46528b605ed9abf9acd5a Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 21:57:43 +0000 Subject: [PATCH 168/177] Improve ECDH documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1317 --- include/mbedtls/ecdh.h | 238 ++++++++++++++++++++++++++--------------- 1 file changed, 150 insertions(+), 88 deletions(-) 
diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 14a362b19..99cfde00d 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -1,10 +1,18 @@ /** * \file ecdh.h * - * \brief Elliptic curve Diffie-Hellman + * \brief The Elliptic Curve Diffie-Hellman (ECDH) protocol APIs. + * + * ECDH is an anonymous key agreement protocol allowing two parties to + * establish a shared secret over an insecure channel. Each party must have an + * elliptic-curve public–private key pair. + * + * For more information, see NIST SP 800-56A Rev. 2: Recommendation for + * Pair-Wise Key Establishment Schemes Using Discrete Logarithm + * Cryptography. */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +27,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_ECDH_H #define MBEDTLS_ECDH_H @@ -31,7 +40,9 @@ extern "C" { #endif /** - * When importing from an EC key, select if it is our key or the peer's key + * Defines the source of the imported EC key: + *
  • Our key.
  • + *
  • The key of the peer.
*/ typedef enum { 
@@ -40,56 +51,67 @@ typedef enum } mbedtls_ecdh_side; /** - * \brief ECDH context structure + * \brief The ECDH context structure. */ typedef struct { - mbedtls_ecp_group grp; /*!< elliptic curve used */ - mbedtls_mpi d; /*!< our secret value (private key) */ - mbedtls_ecp_point Q; /*!< our public value (public key) */ - mbedtls_ecp_point Qp; /*!< peer's public value (public key) */ - mbedtls_mpi z; /*!< shared secret */ - int point_format; /*!< format for point export in TLS messages */ - mbedtls_ecp_point Vi; /*!< blinding value (for later) */ - mbedtls_ecp_point Vf; /*!< un-blinding value (for later) */ - mbedtls_mpi _d; /*!< previous d (for later) */ + mbedtls_ecp_group grp; /*!< The elliptic curve used. */ + mbedtls_mpi d; /*!< The private key. */ + mbedtls_ecp_point Q; /*!< The public key. */ + mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ + mbedtls_mpi z; /*!< The shared secret. */ + int point_format; /*!< The format of point export in TLS messages. */ + mbedtls_ecp_point Vi; /*!< The blinding value. */ + mbedtls_ecp_point Vf; /*!< The unblinding value. */ + mbedtls_mpi _d; /*!< The previous \p d. */ } mbedtls_ecdh_context; /** - * \brief Generate a public key. - * Raw function that only does the core computation. + * \brief This function generates an ECDH keypair on an elliptic + * curve. * - * \param grp ECP group - * \param d Destination MPI (secret exponent, aka private key) - * \param Q Destination point (public key) - * \param f_rng RNG function - * \param p_rng RNG parameter + * This function performs the first of two core computations + * implemented during the ECDH key exchange. The second core + * computation is performed by mbedtls_ecdh_compute_shared(). * - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * \param grp The ECP group. + * \param d The destination MPI (private key). + * \param Q The destination point (public key). + * \param f_rng The RNG function. 
+ * \param p_rng The RNG parameter. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or + * \c MBEDTLS_MPI_XXX error code on failure. + * + * \see ecp.h */ int mbedtls_ecdh_gen_public( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp_point *Q, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** - * \brief Compute shared secret - * Raw function that only does the core computation. + * \brief This function computes the shared secret. * - * \param grp ECP group - * \param z Destination MPI (shared secret) - * \param Q Public key from other party - * \param d Our secret exponent (private key) - * \param f_rng RNG function (see notes) - * \param p_rng RNG parameter + * This function performs the second of two core computations + * implemented during the ECDH key exchange. The first core + * computation is performed by mbedtls_ecdh_gen_public(). * - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * \param grp The ECP group. + * \param z The destination MPI (shared secret). + * \param Q The public key from another party. + * \param d Our secret exponent (private key). + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * - * \note If f_rng is not NULL, it is used to implement + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX or + * \c MBEDTLS_MPI_XXX error code on failure. + * + * \see ecp.h + * + * \note If \p f_rng is not NULL, it is used to implement * countermeasures against potential elaborate timing - * attacks, see \c mbedtls_ecp_mul() for details. + * attacks. For more information, see mbedtls_ecp_mul(). */ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, const mbedtls_ecp_point *Q, const mbedtls_mpi *d, 
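Review bot: The `\note If \p f_rng is not NULL, it is used to implement countermeasures against potential elaborate timing attacks.` on mbedtls_ecdh_compute_shared leaves the consequence of passing NULL implicit, and the parameter table (`\param f_rng The RNG function.`) gives no hint that omitting it drops the side-channel protection for the private key `d`. A caller-facing sentence would make the trade-off explicit: `Passing NULL for \p f_rng disables these countermeasures and is discouraged when \p d is a long-term private key.` The prototype of mbedtls_ecdh_compute_shared continues past the hunk.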
@@ -97,34 +119,41 @@ int mbedtls_ecdh_compute_shared( mbedtls_ecp_group *grp, mbedtls_mpi *z, void *p_rng ); /** - * \brief Initialize context + * \brief This function initializes an ECDH context. * - * \param ctx Context to initialize + * \param ctx The ECDH context to initialize. */ void mbedtls_ecdh_init( mbedtls_ecdh_context *ctx ); /** - * \brief Free context + * \brief This function frees a context. * - * \param ctx Context to free + * \param ctx The context to free. */ void mbedtls_ecdh_free( mbedtls_ecdh_context *ctx ); /** - * \brief Generate a public key and a TLS ServerKeyExchange payload. - * (First function used by a TLS server for ECDHE.) + * \brief This function generates a public key and a TLS + * ServerKeyExchange payload. * - * \param ctx ECDH context - * \param olen number of chars written - * \param buf destination buffer - * \param blen length of buffer - * \param f_rng RNG function - * \param p_rng RNG parameter + * This is the first function used by a TLS server for ECDHE + * ciphersuites. * - * \note This function assumes that ctx->grp has already been - * properly set (for example using mbedtls_ecp_group_load). + * \param ctx The ECDH context. + * \param olen The number of characters written. + * \param buf The destination buffer. + * \param blen The length of the destination buffer. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \note This function assumes that the ECP group (grp) of the + * \p ctx context has already been properly set, + * for example, using mbedtls_ecp_group_load(). + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h */ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, 
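Review bot: `\param olen The number of characters written.` in mbedtls_ecdh_make_params is the one place in this patch that counts a TLS payload in characters; the sibling functions rewritten in the same series (mbedtls_ecdh_make_public, mbedtls_ecdh_calc_secret) say `The number of Bytes written.`, and `buf` is `unsigned char`, so bytes is the right unit. Suggest `\param olen The number of Bytes written.` for consistency. The `\note` about the group could also use Doxygen markup for the member, `\c ctx->grp`, rather than the bare `(grp)`. The function prototype continues past the hunk.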
@@ -132,45 +161,63 @@ int mbedtls_ecdh_make_params( mbedtls_ecdh_context *ctx, size_t *olen, void *p_rng ); /** - * \brief Parse and procress a TLS ServerKeyExhange payload. - * (First function used by a TLS client for ECDHE.) + * \brief This function parses and processes a TLS ServerKeyExhange + * payload. * - * \param ctx ECDH context - * \param buf pointer to start of input buffer - * \param end one past end of buffer + * This is the first function used by a TLS client for ECDHE + * ciphersuites. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \param ctx The ECDH context. + * \param buf The pointer to the start of the input buffer. + * \param end The address for one Byte past the end of the buffer. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h */ int mbedtls_ecdh_read_params( mbedtls_ecdh_context *ctx, const unsigned char **buf, const unsigned char *end ); /** - * \brief Setup an ECDH context from an EC key. - * (Used by clients and servers in place of the - * ServerKeyEchange for static ECDH: import ECDH parameters - * from a certificate's EC key information.) + * \brief This function sets up an ECDH context from an EC key. * - * \param ctx ECDH constext to set - * \param key EC key to use - * \param side Is it our key (1) or the peer's key (0) ? + * It is used by clients and servers in place of the + * ServerKeyEchange for static ECDH, and imports ECDH + * parameters from the EC key information of a certificate. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \param ctx The ECDH context to set up. + * \param key The EC key to use. + * \param side Defines the source of the key: + *
  • 1: Our key.
  • +
  • 0: The key of the peer.
+ * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h */ int mbedtls_ecdh_get_params( mbedtls_ecdh_context *ctx, const mbedtls_ecp_keypair *key, mbedtls_ecdh_side side ); /** - * \brief Generate a public key and a TLS ClientKeyExchange payload. - * (Second function used by a TLS client for ECDH(E).) + * \brief This function generates a public key and a TLS + * ClientKeyExchange payload. * - * \param ctx ECDH context - * \param olen number of bytes actually written - * \param buf destination buffer - * \param blen size of destination buffer - * \param f_rng RNG function - * \param p_rng RNG parameter + * This is the second function used by a TLS client for ECDH(E) + * ciphersuites. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \param ctx The ECDH context. + * \param olen The number of Bytes written. + * \param buf The destination buffer. + * \param blen The size of the destination buffer. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h */ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, 
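Review bot: The rewritten briefs still carry the misspellings `ServerKeyExhange` (mbedtls_ecdh_read_params) and `ServerKeyEchange` (mbedtls_ecdh_get_params); a commit that rewords every sentence in these blocks should fix both to `ServerKeyExchange`. In addition, `\param side` is now documented as `1: Our key.` / `0: The key of the peer.` although the parameter is of enum type mbedtls_ecdh_side, and documenting numeric values invites callers to pass literals; name the two enumerators (declared above, outside this hunk) instead of the numbers. The prototype of mbedtls_ecdh_make_public continues past the hunk.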
@@ -178,30 +225,45 @@ int mbedtls_ecdh_make_public( mbedtls_ecdh_context *ctx, size_t *olen, void *p_rng ); /** - * \brief Parse and process a TLS ClientKeyExchange payload. - * (Second function used by a TLS server for ECDH(E).) + * \brief This function parses and processes a TLS ClientKeyExchange + * payload. * - * \param ctx ECDH context - * \param buf start of input buffer - * \param blen length of input buffer + * This is the second function used by a TLS server for ECDH(E) + * ciphersuites. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \param ctx The ECDH context. + * \param buf The start of the input buffer. + * \param blen The length of the input buffer. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h */ int mbedtls_ecdh_read_public( mbedtls_ecdh_context *ctx, const unsigned char *buf, size_t blen ); /** - * \brief Derive and export the shared secret. - * (Last function used by both TLS client en servers.) + * \brief This function derives and exports the shared secret. * - * \param ctx ECDH context - * \param olen number of bytes written - * \param buf destination buffer - * \param blen buffer length - * \param f_rng RNG function, see notes for \c mbedtls_ecdh_compute_shared() - * \param p_rng RNG parameter + * This is the last function used by both TLS client + * and servers. * - * \return 0 if successful, or an MBEDTLS_ERR_ECP_XXX error code + * \param ctx The ECDH context. + * \param olen The number of Bytes written. + * \param buf The destination buffer. + * \param blen The length of the destination buffer. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. + * + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX error code + * on failure. + * + * \see ecp.h + * + * \note If \p f_rng is not NULL, it is used to implement + * countermeasures against potential elaborate timing + * attacks. For more information, see mbedtls_ecp_mul(). 
*/ int mbedtls_ecdh_calc_secret( mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, From bff87d905d127d166a0f169268ac580c372b872a Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 21:58:53 +0000 Subject: [PATCH 169/177] Improve ECDSA documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1318 --- include/mbedtls/ecdsa.h | 275 ++++++++++++++++++++++++---------------- 1 file changed, 168 insertions(+), 107 deletions(-) diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index 6c6ae294f..aa23d67f9 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -1,10 +1,16 @@ /** * \file ecdsa.h * - * \brief Elliptic curve DSA + * \brief The Elliptic Curve Digital Signature Algorithm (ECDSA). + * + * ECDSA is defined in Standards for Efficient Cryptography Group (SECG): + * SEC1 Elliptic Curve Cryptography. + * The use of ECDSA for TLS is defined in RFC-4492: Elliptic Curve + * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). + * */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +25,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_ECDSA_H #define MBEDTLS_ECDSA_H @@ -28,7 +35,7 @@ #include "md.h" /* - * RFC 4492 page 20: + * RFC-4492 page 20: * * Ecdsa-Sig-Value ::= SEQUENCE { * r INTEGER, 
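Review bot: `This is the last function used by both TLS client and servers.` in the mbedtls_ecdh_calc_secret block mixes singular and plural; `by both TLS clients and servers.` reads correctly. Since the brief says the function exports the shared secret into `buf`, a caveat practitioners look for is missing: `\note \p buf receives the raw shared secret; callers should zeroize it once it has been used for key derivation.` The function prototype continues past the hunk.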
@@ -44,11 +51,11 @@ #if MBEDTLS_ECP_MAX_BYTES > 124 #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN" #endif -/** Maximum size of an ECDSA signature in bytes */ +/** The maximal size of an ECDSA signature in Bytes. */ #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) ) /** - * \brief ECDSA context structure + * \brief The ECDSA context structure. */ typedef mbedtls_ecp_keypair mbedtls_ecdsa_context; 
@@ -57,25 +64,30 @@ extern "C" { #endif /** - * \brief Compute ECDSA signature of a previously hashed message + * \brief This function computes the ECDSA signature of a + * previously-hashed message. * - * \note The deterministic version is usually prefered. + * \note The deterministic version is usually preferred. * - * \param grp ECP group - * \param r First output integer - * \param s Second output integer - * \param d Private signing key - * \param buf Message hash - * \param blen Length of buf - * \param f_rng RNG function - * \param p_rng RNG parameter + * \param grp The ECP group. + * \param r The first output integer. + * \param s The second output integer. + * \param d The private signing key. + * \param buf The message hash. + * \param blen The length of \p buf. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * * \note If the bitlength of the message hash is larger than the - * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.3 step 5. + * bitlength of the group order, then the hash is truncated + * as defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.3, step 5. * - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX + * or \c MBEDTLS_MPI_XXX error code on failure. + * + * \see ecp.h */ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 
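Review bot: `\note The deterministic version is usually preferred.` on mbedtls_ecdsa_sign states a preference without the reason, and the parameter table describes `f_rng` only as `The RNG function.`; the reason is security-relevant, because the per-signature nonce of randomized ECDSA is presumably drawn from `f_rng`, and a biased or repeated nonce exposes the private key `d`. Suggest expanding the note: `\note The deterministic version is usually preferred: this variant derives the per-signature nonce from \p f_rng, and a weak, biased or repeated nonce reveals the private key, so \p f_rng must be a cryptographically secure RNG.` The function prototype continues past the hunk.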
@@ -83,23 +95,31 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, #if defined(MBEDTLS_ECDSA_DETERMINISTIC) /** - * \brief Compute ECDSA signature of a previously hashed message, - * deterministic version (RFC 6979). + * \brief This function computes the ECDSA signature of a + * previously-hashed message, deterministic version. + * For more information, see RFC-6979: Deterministic + * Usage of the Digital Signature Algorithm (DSA) and Elliptic + * Curve Digital Signature Algorithm (ECDSA). * - * \param grp ECP group - * \param r First output integer - * \param s Second output integer - * \param d Private signing key - * \param buf Message hash - * \param blen Length of buf - * \param md_alg MD algorithm used to hash the message + * \param grp The ECP group. + * \param r The first output integer. + * \param s The second output integer. + * \param d The private signing key. + * \param buf The message hash. + * \param blen The length of \p buf. + * \param md_alg The MD algorithm used to hash the message. * * \note If the bitlength of the message hash is larger than the * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.3 step 5. + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.3, step 5. * - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * \return \c 0 on success, + * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + * error code on failure. + * + * \see ecp.h */ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 
@@ -107,55 +127,73 @@ int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ /** - * \brief Verify ECDSA signature of a previously hashed message + * \brief This function verifies the ECDSA signature of a + * previously-hashed message. * - * \param grp ECP group - * \param buf Message hash - * \param blen Length of buf - * \param Q Public key to use for verification - * \param r First integer of the signature - * \param s Second integer of the signature + * \param grp The ECP group. + * \param buf The message hash. + * \param blen The length of \p buf. + * \param Q The public key to use for verification. + * \param r The first integer of the signature. + * \param s The second integer of the signature. * * \note If the bitlength of the message hash is larger than the * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.4 step 3. + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.4, step 3. * - * \return 0 if successful, - * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_MPI_XXX error code + * \return \c 0 on success, + * #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid, + * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX + * error code on failure for any other reason. + * + * \see ecp.h */ int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, const unsigned char *buf, size_t blen, const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s); /** - * \brief Compute ECDSA signature and write it to buffer, - * serialized as defined in RFC 4492 page 20. - * (Not thread-safe to use same context in multiple threads) + * \brief This function computes the ECDSA signature and writes it + * to a buffer, serialized as defined in RFC-4492: + * Elliptic Curve Cryptography (ECC) Cipher Suites for + * Transport Layer Security (TLS). 
* - * \note The deterministic version (RFC 6979) is used if - * MBEDTLS_ECDSA_DETERMINISTIC is defined. + * \warning It is not thread-safe to use the same context in + * multiple threads. * - * \param ctx ECDSA context - * \param md_alg Algorithm that was used to hash the message - * \param hash Message hash - * \param hlen Length of hash - * \param sig Buffer that will hold the signature - * \param slen Length of the signature written - * \param f_rng RNG function - * \param p_rng RNG parameter + * \note The deterministic version is used if + * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more + * information, see RFC-6979: Deterministic Usage + * of the Digital Signature Algorithm (DSA) and Elliptic + * Curve Digital Signature Algorithm (ECDSA). * - * \note The "sig" buffer must be at least as large as twice the - * size of the curve used, plus 9 (eg. 73 bytes if a 256-bit - * curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe. + * \param ctx The ECDSA context. + * \param md_alg The message digest that was used to hash the message. + * \param hash The message hash. + * \param hlen The length of the hash. + * \param sig The buffer that holds the signature. + * \param slen The length of the signature written. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. + * + * \note The \p sig buffer must be at least twice as large as the + * size of the curve used, plus 9. For example, 73 Bytes if + * a 256-bit curve is used. A buffer length of + * #MBEDTLS_ECDSA_MAX_LEN is always safe. * * \note If the bitlength of the message hash is larger than the * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.3 step 5. + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.3, step 5. 
* - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or - * MBEDTLS_ERR_ASN1_XXX error code + * \return \c 0 on success, + * or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + * \c MBEDTLS_ERR_ASN1_XXX error code on failure. + * + * \see ecp.h */ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hlen, 
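Review bot: `\param sig The buffer that holds the signature.` in the mbedtls_ecdsa_write_signature block drops the output sense of the old `Buffer that will hold the signature`, so `sig` now reads like an input to the call; `\param sig The buffer to which to write the signature.` keeps it unambiguous, and `\param slen The address at which to store the length of the signature written.` would likewise make clear that `slen` is written, not read. The function prototype continues past the hunk.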
@@ -171,31 +209,43 @@ int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, mbedtls_md_type_t #define MBEDTLS_DEPRECATED #endif /** - * \brief Compute ECDSA signature and write it to buffer, - * serialized as defined in RFC 4492 page 20. - * Deterministic version, RFC 6979. - * (Not thread-safe to use same context in multiple threads) + * \brief This function computes an ECDSA signature and writes it to a buffer, + * serialized as defined in RFC-4492: Elliptic Curve Cryptography + * (ECC) Cipher Suites for Transport Layer Security (TLS). + * + * The deterministic version is defined in RFC-6979: + * Deterministic Usage of the Digital Signature Algorithm (DSA) and + * Elliptic Curve Digital Signature Algorithm (ECDSA). + * + * \warning It is not thread-safe to use the same context in + * multiple threads. + * * \deprecated Superseded by mbedtls_ecdsa_write_signature() in 2.0.0 * - * \param ctx ECDSA context - * \param hash Message hash - * \param hlen Length of hash - * \param sig Buffer that will hold the signature - * \param slen Length of the signature written - * \param md_alg MD algorithm used to hash the message + * \param ctx The ECDSA context. + * \param hash The Message hash. + * \param hlen The length of the hash. + * \param sig The buffer that holds the signature. + * \param slen The length of the signature written. + * \param md_alg The MD algorithm used to hash the message. * - * \note The "sig" buffer must be at least as large as twice the - * size of the curve used, plus 9 (eg. 73 bytes if a 256-bit - * curve is used). MBEDTLS_ECDSA_MAX_LEN is always safe. + * \note The \p sig buffer must be at least twice as large as the + * size of the curve used, plus 9. For example, 73 Bytes if a + * 256-bit curve is used. A buffer length of + * #MBEDTLS_ECDSA_MAX_LEN is always safe. * * \note If the bitlength of the message hash is larger than the * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.3 step 5. 
+ * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.3, step 5. * - * \return 0 if successful, - * or a MBEDTLS_ERR_ECP_XXX, MBEDTLS_ERR_MPI_XXX or - * MBEDTLS_ERR_ASN1_XXX error code + * \return \c 0 on success, + * or an \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or + * \c MBEDTLS_ERR_ASN1_XXX error code on failure. + * + * \see ecp.h */ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, const unsigned char *hash, size_t hlen, 
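Review bot: `\param hash The Message hash.` in the mbedtls_ecdsa_write_signature_det block has a stray capital that the rest of the patch avoids (`The message hash.` in mbedtls_ecdsa_sign and mbedtls_ecdsa_read_signature), and `\deprecated Superseded by mbedtls_ecdsa_write_signature() in 2.0.0` is the only sentence in the block without a terminating period. `\param sig The buffer that holds the signature.` has the same input-versus-output ambiguity as the non-deprecated variant; `The buffer to which to write the signature.` is clearer. The function prototype continues past the hunk.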
@@ -206,63 +256,74 @@ int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ /** - * \brief Read and verify an ECDSA signature + * \brief This function reads and verifies an ECDSA signature. * - * \param ctx ECDSA context - * \param hash Message hash - * \param hlen Size of hash - * \param sig Signature to read and verify - * \param slen Size of sig + * \param ctx The ECDSA context. + * \param hash The message hash. + * \param hlen The size of the hash. + * \param sig The signature to read and verify. + * \param slen The size of \p sig. * * \note If the bitlength of the message hash is larger than the * bitlength of the group order, then the hash is truncated as - * prescribed by SEC1 4.1.4 step 3. + * defined in Standards for Efficient Cryptography Group + * (SECG): SEC1 Elliptic Curve Cryptography, section + * 4.1.4, step 3. * - * \return 0 if successful, - * MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid, - * MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if the signature is - * valid but its actual length is less than siglen, - * or a MBEDTLS_ERR_ECP_XXX or MBEDTLS_ERR_MPI_XXX error code + * \return \c 0 on success, + * #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid, + * #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if the signature is + * valid but its actual length is less than \p siglen, + * or an \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX + * error code on failure for any other reason. + * + * \see ecp.h */ int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, const unsigned char *hash, size_t hlen, const unsigned char *sig, size_t slen ); /** - * \brief Generate an ECDSA keypair on the given curve + * \brief This function generates an ECDSA keypair on the given curve. * - * \param ctx ECDSA context in which the keypair should be stored - * \param gid Group (elliptic curve) to use. One of the various - * MBEDTLS_ECP_DP_XXX macros depending on configuration. 
- * \param f_rng RNG function - * \param p_rng RNG parameter + * \param ctx The ECDSA context to store the keypair in. + * \param gid The elliptic curve to use. One of the various + * \c MBEDTLS_ECP_DP_XXX macros depending on configuration. + * \param f_rng The RNG function. + * \param p_rng The RNG parameter. * - * \return 0 on success, or a MBEDTLS_ERR_ECP_XXX code. + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on + * failure. + * + * \see ecp.h */ int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); /** - * \brief Set an ECDSA context from an EC key pair + * \brief This function sets an ECDSA context from an EC key pair. * - * \param ctx ECDSA context to set - * \param key EC key to use + * \param ctx The ECDSA context to set. + * \param key The EC key to use. * - * \return 0 on success, or a MBEDTLS_ERR_ECP_XXX code. + * \return \c 0 on success, or an \c MBEDTLS_ERR_ECP_XXX code on + * failure. + * + * \see ecp.h */ int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, const mbedtls_ecp_keypair *key ); /** - * \brief Initialize context + * \brief This function initializes an ECDSA context. * - * \param ctx Context to initialize + * \param ctx The ECDSA context to initialize. */ void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ); /** - * \brief Free context + * \brief This function frees an ECDSA context. * - * \param ctx Context to free + * \param ctx The ECDSA context to free. */ void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); From 44833d9597e854cad5eaac934b0b408ff074fe01 Mon Sep 17 00:00:00 2001 
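Review bot: The \return entry for mbedtls_ecdsa_read_signature() references `\p siglen`, but the parameter is named `slen` (`\param slen The size of \p sig.`), so the Doxygen reference does not resolve and the sentence is wrong for the reader; change it to `valid but its actual length is less than \p slen,`. For mbedtls_ecdsa_genkey(), `\param f_rng The RNG function.` says nothing about quality, yet the private key is drawn entirely from it; suggest `\param f_rng The RNG function; must be a cryptographically secure generator (such as CTR_DRBG or HMAC_DRBG), since the private key is derived from its output.` and the same for `\param p_rng The RNG parameter.` (`The RNG context to pass to \p f_rng.`).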
From: Rose Zadik Date: Fri, 26 Jan 2018 08:41:09 +0000 Subject: [PATCH 170/177] Improve SHA-1 documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1322 --- include/mbedtls/sha1.h | 100 ++++++++++++++++++++++------------------- 1 file changed, 54 insertions(+), 46 deletions(-) diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 4d3a16401..700a34831 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -1,10 +1,10 @@ /** * \file sha1.h * - * \brief SHA-1 cryptographic hash function + * \brief The SHA-1 cryptographic hash function. */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,7 +19,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_SHA1_H #define MBEDTLS_SHA1_H 
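Review bot: The new file brief `\brief The SHA-1 cryptographic hash function.` gives no indication that SHA-1 is no longer collision-resistant (practical collisions were published in 2017), and the header brief is the first thing an integrator reads when choosing a digest. Add a warning next to it, e.g. `\warning SHA-1 is considered a weak message digest and its use constitutes a security risk. We recommend considering stronger message digests instead.` The same caveat belongs on the one-shot and streaming functions in the later hunks of this file, but the file brief is the minimum.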
@@ -49,68 +49,70 @@ extern "C" { #endif /** - * \brief SHA-1 context structure + * \brief The SHA-1 context structure. */ typedef struct { - uint32_t total[2]; /*!< number of bytes processed */ - uint32_t state[5]; /*!< intermediate digest state */ - unsigned char buffer[64]; /*!< data block being processed */ + uint32_t total[2]; /*!< The number of Bytes processed. */ + uint32_t state[5]; /*!< The intermediate digest state. */ + unsigned char buffer[64]; /*!< The data block being processed. */ } mbedtls_sha1_context; /** - * \brief Initialize SHA-1 context + * \brief This function initializes a SHA-1 context. * - * \param ctx SHA-1 context to be initialized + * \param ctx The SHA-1 context to initialize. */ void mbedtls_sha1_init( mbedtls_sha1_context *ctx ); /** - * \brief Clear SHA-1 context + * \brief This function clears a SHA-1 context. * - * \param ctx SHA-1 context to be cleared + * \param ctx The SHA-1 context to clear. */ void mbedtls_sha1_free( mbedtls_sha1_context *ctx ); /** - * \brief Clone (the state of) a SHA-1 context + * \brief This function clones the state of a SHA-1 context. * - * \param dst The destination context - * \param src The context to be cloned + * \param dst The destination context. + * \param src The context to clone. */ void mbedtls_sha1_clone( mbedtls_sha1_context *dst, const mbedtls_sha1_context *src ); /** - * \brief SHA-1 context setup + * \brief This function starts a SHA-1 checksum calculation. * - * \param ctx context to be initialized + * \param ctx The context to initialize. * - * \return 0 if successful + * \return \c 0 if successful */ int mbedtls_sha1_starts_ret( mbedtls_sha1_context *ctx ); /** - * \brief SHA-1 process buffer + * \brief This function feeds an input buffer into an ongoing SHA-1 + * checksum calculation. * - * \param ctx SHA-1 context - * \param input buffer holding the data - * \param ilen length of the input data + * \param ctx The SHA-1 context. + * \param input The buffer holding the input data. 
+ * \param ilen The length of the input data. * - * \return 0 if successful + * \return \c 0 if successful */ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen ); /** - * \brief SHA-1 final digest + * \brief This function finishes the SHA-1 operation, and writes + * the result to the output buffer. * - * \param ctx SHA-1 context - * \param output SHA-1 checksum result + * \param ctx The SHA-1 context. + * \param output The SHA-1 checksum result. * - * \return 0 if successful + * \return \c 0 if successful */ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, unsigned char output[20] ); @@ -119,9 +121,9 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx, * \brief SHA-1 process data block (internal use only) * * \param ctx SHA-1 context - * \param data buffer holding one block of data + * \param data The data block being processed. * - * \return 0 if successful + * \return \c 0 if successful */ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ); @@ -137,7 +139,7 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, * * \deprecated Superseded by mbedtls_sha1_starts_ret() in 2.7.0 * - * \param ctx context to be initialized + * \param ctx The SHA-1 context to be initialized. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( mbedtls_sha1_context *ctx ) @@ -150,9 +152,9 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_starts( * * \deprecated Superseded by mbedtls_sha1_update_ret() in 2.7.0 * - * \param ctx SHA-1 context - * \param input buffer holding the data - * \param ilen length of the input data + * \param ctx The SHA-1 context. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( mbedtls_sha1_context *ctx, 
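Review bot: `\return \c 0 if successful` on mbedtls_sha1_starts_ret(), mbedtls_sha1_update_ret() and mbedtls_sha1_finish_ret() never names the failure case, although the _ret variants exist precisely so an implementation can report one (the non-_ret functions are marked superseded in 2.7.0 in the next hunks); write `\return \c 0 on success, or a negative SHA-1 error code on failure.` using whatever MBEDTLS_ERR_SHA1_XXX codes the module defines, which are outside this hunk. For mbedtls_sha1_finish_ret() the prototype shows `unsigned char output[20]`, but an array parameter decays to a pointer and the size is not enforced, so state it: `\param output The SHA-1 checksum result. Must be at least 20 Bytes.` Also `\param ctx The context to initialize.` under the `starts` brief reuses the wording of mbedtls_sha1_init(); `\param ctx The SHA-1 context to use.` avoids suggesting that mbedtls_sha1_init() may be skipped.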
@@ -167,8 +169,8 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_update( * * \deprecated Superseded by mbedtls_sha1_finish_ret() in 2.7.0 * - * \param ctx SHA-1 context - * \param output SHA-1 checksum result + * \param ctx The SHA-1 context. + * \param output The SHA-1 checksum result. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, @@ -182,8 +184,8 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_finish( * * \deprecated Superseded by mbedtls_internal_sha1_process() in 2.7.0 * - * \param ctx SHA-1 context - * \param data buffer holding one block of data + * \param ctx The SHA-1 context. + * \param data The data block being processed. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1_process( mbedtls_sha1_context *ctx, @@ -208,13 +210,19 @@ extern "C" { #endif /** - * \brief Output = SHA-1( input buffer ) + * \brief This function calculates the SHA-1 checksum of a buffer. * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-1 checksum result + * The function allocates the context, performs the + * calculation, and frees the context. * - * \return 0 if successful + * The SHA-1 result is calculated as + * output = SHA-1(input buffer). + * + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The SHA-1 checksum result. + * + * \return \c 0 if successful */ int mbedtls_sha1_ret( const unsigned char *input, size_t ilen, @@ -231,9 +239,9 @@ int mbedtls_sha1_ret( const unsigned char *input, * * \deprecated Superseded by mbedtls_sha1_ret() in 2.7.0 * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-1 checksum result + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The SHA-1 checksum result. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, size_t ilen, 
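Review bot: `\param output The SHA-1 checksum result.` on mbedtls_sha1_ret() does not give the required buffer size, which is the one thing a caller of a one-shot hash API must get right; add `Must be at least 20 Bytes.` (the output parameter's declaration lies past the end of the hunk). The added sentence `The function allocates the context, performs the calculation, and frees the context.` documents an implementation detail rather than the contract; if kept, `No context needs to be set up or freed by the caller.` states the part that matters to users.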
@@ -246,9 +254,9 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha1( const unsigned char *input, #endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** - * \brief Checkup routine + * \brief The SHA-1 checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_sha1_self_test( int verbose ); From 2f8163d3cdfcfdac65fd83e2784b994b467114fe Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 21:55:14 +0000 Subject: [PATCH 171/177] Improve CTR-DRBG documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Add full standard name in file description. GitHub PR: #1316 --- include/mbedtls/ctr_drbg.h | 249 +++++++++++++++++++++---------------- library/error.c | 6 +- 2 files changed, 143 insertions(+), 112 deletions(-) diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 01cd826a1..121575a51 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -1,10 +1,13 @@ /** * \file ctr_drbg.h * - * \brief CTR_DRBG based on AES-256 (NIST SP 800-90) + * \brief CTR_DRBG is based on AES-256, as defined in NIST SP 800-90A: + * Recommendation for Random Number Generation Using Deterministic + * Random Bit Generators. + * */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,8 +22,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_CTR_DRBG_H #define MBEDTLS_CTR_DRBG_H 
@@ -31,78 +35,95 @@ #endif #define MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED -0x0034 /**< The entropy source failed. */ -#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< Too many random requested in single call. */ -#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< Input too large (Entropy + additional). */ -#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A /**< Read/write error in file. */ +#define MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG -0x0036 /**< The requested random buffer length is too big. */ +#define MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG -0x0038 /**< The input (entropy + additional data) is too large. */ +#define MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR -0x003A /**< Read or write error in file. */ -#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< Block size used by the cipher */ -#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< Key size used by the cipher */ -#define MBEDTLS_CTR_DRBG_KEYBITS ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) -#define MBEDTLS_CTR_DRBG_SEEDLEN ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) - /**< The seed length (counter + AES key) */ +#define MBEDTLS_CTR_DRBG_BLOCKSIZE 16 /**< The block size used by the cipher. */ +#define MBEDTLS_CTR_DRBG_KEYSIZE 32 /**< The key size used by the cipher. */ +#define MBEDTLS_CTR_DRBG_KEYBITS ( MBEDTLS_CTR_DRBG_KEYSIZE * 8 ) /**< The key size for the DRBG operation, in bits. */ +#define MBEDTLS_CTR_DRBG_SEEDLEN ( MBEDTLS_CTR_DRBG_KEYSIZE + MBEDTLS_CTR_DRBG_BLOCKSIZE ) /**< The seed length, calculated as (counter + AES key). */ /** * \name SECTION: Module settings * * The configuration options you can set for this module are in this section. - * Either change them in config.h or define them on the compiler command line. + * Either change them in config.h or define them using the compiler command + * line. 
* \{ */ #if !defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_ENTROPY_FORCE_SHA256) -#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ +#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 48 +/**< The amount of entropy used per seed by default: + *
  • 48 with SHA-512.
  • + *
  • 32 with SHA-256.
+ */ #else -#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32 /**< Amount of entropy used per seed by default (48 with SHA-512, 32 with SHA-256) */ +#define MBEDTLS_CTR_DRBG_ENTROPY_LEN 32 +/**< Amount of entropy used per seed by default: + *
  • 48 with SHA-512.
  • + *
  • 32 with SHA-256.
+ */ #endif #endif #if !defined(MBEDTLS_CTR_DRBG_RESEED_INTERVAL) -#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 /**< Interval before reseed is performed by default */ +#define MBEDTLS_CTR_DRBG_RESEED_INTERVAL 10000 +/**< The interval before reseed is performed by default. */ #endif #if !defined(MBEDTLS_CTR_DRBG_MAX_INPUT) -#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 /**< Maximum number of additional input bytes */ +#define MBEDTLS_CTR_DRBG_MAX_INPUT 256 +/**< The maximum number of additional input Bytes. */ #endif #if !defined(MBEDTLS_CTR_DRBG_MAX_REQUEST) -#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 /**< Maximum number of requested bytes per call */ +#define MBEDTLS_CTR_DRBG_MAX_REQUEST 1024 +/**< The maximum number of requested Bytes per call. */ #endif #if !defined(MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) -#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ +#define MBEDTLS_CTR_DRBG_MAX_SEED_INPUT 384 +/**< The maximum size of seed or reseed buffer. */ #endif /* \} name SECTION: Module settings */ -#define MBEDTLS_CTR_DRBG_PR_OFF 0 /**< No prediction resistance */ -#define MBEDTLS_CTR_DRBG_PR_ON 1 /**< Prediction resistance enabled */ +#define MBEDTLS_CTR_DRBG_PR_OFF 0 +/**< Prediction resistance is disabled. */ +#define MBEDTLS_CTR_DRBG_PR_ON 1 +/**< Prediction resistance is enabled. */ #ifdef __cplusplus extern "C" { #endif /** - * \brief CTR_DRBG context structure + * \brief The CTR_DRBG context structure. */ typedef struct { - unsigned char counter[16]; /*!< counter (V) */ - int reseed_counter; /*!< reseed counter */ - int prediction_resistance; /*!< enable prediction resistance (Automatic - reseed before every random generation) */ - size_t entropy_len; /*!< amount of entropy grabbed on each - (re)seed */ - int reseed_interval; /*!< reseed interval */ + unsigned char counter[16]; /*!< The counter (V). */ + int reseed_counter; /*!< The reseed counter. 
*/ + int prediction_resistance; /*!< This determines whether prediction + resistance is enabled, that is + whether to systematically reseed before + each random generation. */ + size_t entropy_len; /*!< The amount of entropy grabbed on each + seed or reseed operation. */ + int reseed_interval; /*!< The reseed interval. */ - mbedtls_aes_context aes_ctx; /*!< AES context */ + mbedtls_aes_context aes_ctx; /*!< The AES context. */ /* * Callbacks (Entropy) */ int (*f_entropy)(void *, unsigned char *, size_t); + /*!< The entropy callback function. */ - void *p_entropy; /*!< context for the entropy function */ + void *p_entropy; /*!< The context for the entropy function. */ #if defined(MBEDTLS_THREADING_C) mbedtls_threading_mutex_t mutex; 
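Review bot: `/**< The interval before reseed is performed by default. */` on MBEDTLS_CTR_DRBG_RESEED_INTERVAL does not say what the interval counts; the struct's `reseed_counter` and the later note `The function automatically reseeds if the reseed counter is exceeded.` suggest a number of calls to mbedtls_ctr_drbg_random_with_add(), not Bytes, which matters when sizing it against the SP 800-90A reseed limits. If ctr_drbg.c confirms that, write `/**< The number of calls to mbedtls_ctr_drbg_random_with_add() (or mbedtls_ctr_drbg_random()) after which a reseed is performed by default. */`. `reseed_counter` and `reseed_interval` are `int` and no valid range is documented anywhere in this hunk, so the setter's doc in the next hunk should say what a zero or negative interval means. The two copies of the MBEDTLS_CTR_DRBG_ENTROPY_LEN comment also differ (`The amount of entropy` vs `Amount of entropy`); make them identical, since only one is ever rendered.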
@@ -111,31 +132,32 @@ typedef struct mbedtls_ctr_drbg_context; /** - * \brief CTR_DRBG context initialization - * Makes the context ready for mbedtls_ctr_drbg_seed() or - * mbedtls_ctr_drbg_free(). + * \brief This function initializes the CTR_DRBG context, + * and prepares it for mbedtls_ctr_drbg_seed() + * or mbedtls_ctr_drbg_free(). * - * \param ctx CTR_DRBG context to be initialized + * \param ctx The CTR_DRBG context to initialize. */ void mbedtls_ctr_drbg_init( mbedtls_ctr_drbg_context *ctx ); /** - * \brief CTR_DRBG initial seeding - * Seed and setup entropy source for future reseeds. + * \brief This function seeds and sets up the CTR_DRBG + * entropy source for future reseeds. * - * Note: Personalization data can be provided in addition to the more generic - * entropy source to make this instantiation as unique as possible. + * \note Personalization data can be provided in addition to the more generic + * entropy source, to make this instantiation as unique as possible. * - * \param ctx CTR_DRBG context to be seeded - * \param f_entropy Entropy callback (p_entropy, buffer to fill, buffer - * length) - * \param p_entropy Entropy context - * \param custom Personalization data (Device specific identifiers) - * (Can be NULL) - * \param len Length of personalization data + * \param ctx The CTR_DRBG context to seed. + * \param f_entropy The entropy callback, taking as arguments the + * \p p_entropy context, the buffer to fill, and the + length of the buffer. + * \param p_entropy The entropy context. + * \param custom Personalization data, that is device-specific + identifiers. Can be NULL. + * \param len The length of the personalization data. * - * \return 0 if successful, or - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + * \return \c 0 on success, or + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. */ int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx, int (*f_entropy)(void *, unsigned char *, size_t), 
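Review bot: `\return \c 0 on success, or #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure.` on mbedtls_ctr_drbg_seed() looks incomplete: the previous hunk describes #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG as `The input (entropy + additional data) is too large.`, which is exactly what seeding feeds into the state, so if ctr_drbg.c rejects `entropy_len + len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT` here (not visible in this diff) that code belongs in the list, and `\param len` should then give the bound callers can rely on. The `f_entropy` description lists its arguments but not its contract; anyone wiring their own source needs `It must fill the whole buffer and return \c 0 on success, or a non-zero value on failure, which this function reports as #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED.` The mapping of a failing callback to that error is implied by the \return but never stated.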
@@ -144,138 +166,147 @@ int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx, size_t len ); /** - * \brief Clear CTR_CRBG context data + * \brief This function clears CTR_CRBG context data. * - * \param ctx CTR_DRBG context to clear + * \param ctx The CTR_DRBG context to clear. */ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx ); /** - * \brief Enable / disable prediction resistance (Default: Off) + * \brief This function turns prediction resistance on or off. + * The default value is off. * - * Note: If enabled, entropy is used for ctx->entropy_len before each call! - * Only use this if you have ample supply of good entropy! + * \note If enabled, entropy is gathered at the beginning of + * every call to mbedtls_ctr_drbg_random_with_add(). + * Only use this if your entropy source has sufficient + * throughput. * - * \param ctx CTR_DRBG context - * \param resistance MBEDTLS_CTR_DRBG_PR_ON or MBEDTLS_CTR_DRBG_PR_OFF + * \param ctx The CTR_DRBG context. + * \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF. */ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx, int resistance ); /** - * \brief Set the amount of entropy grabbed on each (re)seed - * (Default: MBEDTLS_CTR_DRBG_ENTROPY_LEN) + * \brief This function sets the amount of entropy grabbed on each + * seed or reseed. The default value is + * #MBEDTLS_CTR_DRBG_ENTROPY_LEN. * - * \param ctx CTR_DRBG context - * \param len Amount of entropy to grab + * \param ctx The CTR_DRBG context. + * \param len The amount of entropy to grab. */ void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx, size_t len ); /** - * \brief Set the reseed interval - * (Default: MBEDTLS_CTR_DRBG_RESEED_INTERVAL) + * \brief This function sets the reseed interval. + * The default value is #MBEDTLS_CTR_DRBG_RESEED_INTERVAL. * - * \param ctx CTR_DRBG context - * \param interval Reseed interval + * \param ctx The CTR_DRBG context. 
+ * \param interval The reseed interval. */ void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx, int interval ); /** - * \brief CTR_DRBG reseeding (extracts data from entropy source) + * \brief This function reseeds the CTR_DRBG context, that is + * extracts data from the entropy source. * - * \param ctx CTR_DRBG context - * \param additional Additional data to add to state (Can be NULL) - * \param len Length of additional data + * \param ctx The CTR_DRBG context. + * \param additional Additional data to add to the state. Can be NULL. + * \param len The length of the additional data. * - * \return 0 if successful, or - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + * \return \c 0 on success, or + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on failure. */ int mbedtls_ctr_drbg_reseed( mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t len ); /** - * \brief CTR_DRBG update state + * \brief This function updates the state of the CTR_DRBG context. * - * \param ctx CTR_DRBG context - * \param additional Additional data to update state with - * \param add_len Length of additional data + * \param ctx The CTR_DRBG context. + * \param additional The data to update the state with. + * \param add_len Length of \p additional data. * - * \note If add_len is greater than MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, - * only the first MBEDTLS_CTR_DRBG_MAX_SEED_INPUT bytes are used, - * the remaining ones are silently discarded. + * \note If \p add_len is greater than #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, + * only the first #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used. + * The remaining Bytes are silently discarded. */ void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len ); /** - * \brief CTR_DRBG generate random with additional update input + * \brief This function updates a CTR_DRBG instance with additional + * data and uses it to generate random data. 
* - * Note: Automatically reseeds if reseed_counter is reached. + * \note The function automatically reseeds if the reseed counter is exceeded. * - * \param p_rng CTR_DRBG context - * \param output Buffer to fill - * \param output_len Length of the buffer - * \param additional Additional data to update with (Can be NULL) - * \param add_len Length of additional data + * \param p_rng The CTR_DRBG context. This must be a pointer to a + * #mbedtls_ctr_drbg_context structure. + * \param output The buffer to fill. + * \param output_len The length of the buffer. + * \param additional Additional data to update. Can be NULL. + * \param add_len The length of the additional data. * - * \return 0 if successful, or - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or - * MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG + * \return \c 0 on success, or + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. */ int mbedtls_ctr_drbg_random_with_add( void *p_rng, unsigned char *output, size_t output_len, const unsigned char *additional, size_t add_len ); /** - * \brief CTR_DRBG generate random + * \brief This function uses CTR_DRBG to generate random data. * - * Note: Automatically reseeds if reseed_counter is reached. + * \note The function automatically reseeds if the reseed counter is exceeded. * - * \param p_rng CTR_DRBG context - * \param output Buffer to fill - * \param output_len Length of the buffer + * \param p_rng The CTR_DRBG context. This must be a pointer to a + * #mbedtls_ctr_drbg_context structure. + * \param output The buffer to fill. + * \param output_len The length of the buffer. * - * \return 0 if successful, or - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED, or - * MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG + * \return \c 0 on success, or + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + * #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure. 
*/ int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len ); #if defined(MBEDTLS_FS_IO) /** - * \brief Write a seed file + * \brief This function writes a seed file. * - * \param ctx CTR_DRBG context - * \param path Name of the file + * \param ctx The CTR_DRBG context. + * \param path The name of the file. * - * \return 0 if successful, - * MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, or - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED + * \return \c 0 on success, + * #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, or + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED on + * failure. */ int mbedtls_ctr_drbg_write_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ); /** - * \brief Read and update a seed file. Seed is added to this - * instance + * \brief This function reads and updates a seed file. The seed + * is added to this instance. * - * \param ctx CTR_DRBG context - * \param path Name of the file + * \param ctx The CTR_DRBG context. + * \param path The name of the file. * - * \return 0 if successful, - * MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, - * MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or - * MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG + * \return \c 0 on success, + * #MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR on file error, + * #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or + * #MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG on failure. */ int mbedtls_ctr_drbg_update_seed_file( mbedtls_ctr_drbg_context *ctx, const char *path ); #endif /* MBEDTLS_FS_IO */ /** - * \brief Checkup routine + * \brief The CTR_DRBG checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_ctr_drbg_self_test( int verbose ); diff --git a/library/error.c b/library/error.c index eaf75adb1..ac9909188 100644 --- a/library/error.c +++ b/library/error.c 
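Review bot: `\brief This function clears CTR_CRBG context data.` carries the `CTR_CRBG` typo over from the removed line; it should read `This function clears CTR_DRBG context data.`. The \return for mbedtls_ctr_drbg_random_with_add() and mbedtls_ctr_drbg_random() lists #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG without its condition, although the limit is defined earlier in this diff; `#MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG if \p output_len is larger than #MBEDTLS_CTR_DRBG_MAX_REQUEST` lets callers size requests correctly instead of discovering the limit at runtime. mbedtls_ctr_drbg_write_seed_file() persists generator output that mbedtls_ctr_drbg_update_seed_file() later mixes into a fresh instance, so the doc should warn that the file must not be readable or writable by other users (for example mode 0600): a disclosed or tampered seed file leaves that instance relying solely on f_entropy for unpredictability, assuming the reader mixes in fresh entropy as the `reseed` wording suggests.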
@@ -658,11 +658,11 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen ) if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) ) mbedtls_snprintf( buf, buflen, "CTR_DRBG - The entropy source failed" ); if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG) ) - mbedtls_snprintf( buf, buflen, "CTR_DRBG - Too many random requested in single call" ); + mbedtls_snprintf( buf, buflen, "CTR_DRBG - The requested random buffer length is too big" ); if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG) ) - mbedtls_snprintf( buf, buflen, "CTR_DRBG - Input too large (Entropy + additional)" ); + mbedtls_snprintf( buf, buflen, "CTR_DRBG - The input (entropy + additional data) is too large" ); if( use_ret == -(MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR) ) - mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read/write error in file" ); + mbedtls_snprintf( buf, buflen, "CTR_DRBG - Read or write error in file" ); #endif /* MBEDTLS_CTR_DRBG_C */ #if defined(MBEDTLS_DES_C) From 64feefb4a2a1a492b306b7c09c49d419ed7e62ca Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Thu, 25 Jan 2018 22:01:10 +0000 Subject: [PATCH 172/177] Improve message digest documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. GitHub PR: #1319 --- include/mbedtls/md.h | 349 ++++++++++++++++++++++++++----------------- 1 file changed, 216 insertions(+), 133 deletions(-) diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index 57c27a6f0..5e0376c05 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h 
@@ -1,12 +1,12 @@ -/** + /** * \file md.h * - * \brief Generic message digest wrapper + * \brief The generic message-digest wrapper. * * \author Adriaan de Jong */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -21,8 +21,9 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ + #ifndef MBEDTLS_MD_H #define MBEDTLS_MD_H 
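Review bot: The first line of md.h becomes ` /**` with a leading space (`-/**` is replaced by `+ /**`), so the file-level Doxygen comment no longer starts in column 0; drop the stray space so the line is `/**`. It is harmless to the compiler, but it stands out in every editor and future diff, and the other headers in this series keep `/**` at column 0.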
@@ -64,65 +65,79 @@ typedef enum { #endif /** - * Opaque struct defined in md_internal.h + * Opaque struct defined in md_internal.h. */ typedef struct mbedtls_md_info_t mbedtls_md_info_t; /** - * Generic message digest context. + * The generic message-digest context. */ typedef struct { - /** Information about the associated message digest */ + /** Information about the associated message digest. */ const mbedtls_md_info_t *md_info; - /** Digest-specific context */ + /** The digest-specific context. */ void *md_ctx; - /** HMAC part of the context */ + /** The HMAC part of the context. */ void *hmac_ctx; } mbedtls_md_context_t; /** - * \brief Returns the list of digests supported by the generic digest module. + * \brief This function returns the list of digests supported by the + * generic digest module. * - * \return a statically allocated array of digests, the last entry - * is 0. + * \return A statically allocated array of digests. Each element + * in the returned list is an integer belonging to the + * message-digest enumeration #mbedtls_md_type_t. + * The last entry is 0. */ const int *mbedtls_md_list( void ); /** - * \brief Returns the message digest information associated with the - * given digest name. + * \brief This function returns the message-digest information + * associated with the given digest name. * - * \param md_name Name of the digest to search for. + * \param md_name The name of the digest to search for. * - * \return The message digest information associated with md_name or - * NULL if not found. + * \return The message-digest information associated with \p md_name, + * or NULL if not found. */ const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name ); /** - * \brief Returns the message digest information associated with the - * given digest type. + * \brief This function returns the message-digest information + * associated with the given digest type. * - * \param md_type type of digest to search for. 
+ * \param md_type The type of digest to search for. * - * \return The message digest information associated with md_type or - * NULL if not found. + * \return The message-digest information associated with \p md_type, + * or NULL if not found. */ const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type ); /** - * \brief Initialize a md_context (as NONE) - * This should always be called first. - * Prepares the context for mbedtls_md_setup() or mbedtls_md_free(). + * \brief This function initializes a message-digest context without + * binding it to a particular message-digest algorithm. + * + * This function should always be called first. It prepares the + * context for mbedtls_md_setup() for binding it to a + * message-digest algorithm. */ void mbedtls_md_init( mbedtls_md_context_t *ctx ); /** - * \brief Free and clear the internal structures of ctx. - * Can be called at any time after mbedtls_md_init(). - * Mandatory once mbedtls_md_setup() has been called. + * \brief This function clears the internal structure of \p ctx and + * frees any embedded internal structure, but does not free + * \p ctx itself. + * + * If you have called mbedtls_md_setup() on \p ctx, you must + * call mbedtls_md_free() when you are no longer using the + * context. + * Calling this function if you have previously + * called mbedtls_md_init() and nothing else is optional. + * You must not call this function if you have not called + * mbedtls_md_init(). */ void mbedtls_md_free( mbedtls_md_context_t *ctx ); 
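Review bot: The new mbedtls_md_init() brief says `It prepares the context for mbedtls_md_setup() for binding it to a message-digest algorithm.`, which is awkward and narrower than the line it replaces: the old text also named mbedtls_md_free() as a valid next call, and the mbedtls_md_free() doc in the same hunk still depends on that (`Calling this function if you have previously called mbedtls_md_init() and nothing else is optional.`). Suggest `It prepares the context for mbedtls_md_setup(), which binds it to a message-digest algorithm, or for mbedtls_md_free().` On mbedtls_md_list(), `\return A statically allocated array of digests.` could add that the caller must not modify or free the array, which is the consequence of it being static that callers need to know.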
@@ -133,220 +148,288 @@ void mbedtls_md_free( mbedtls_md_context_t *ctx ); #define MBEDTLS_DEPRECATED #endif /** - * \brief Select MD to use and allocate internal structures. - * Should be called after mbedtls_md_init() or mbedtls_md_free(). + * \brief This function selects the message digest algorithm to use, + * and allocates internal structures. + * + * It should be called after mbedtls_md_init() or mbedtls_md_free(). * Makes it necessary to call mbedtls_md_free() later. * * \deprecated Superseded by mbedtls_md_setup() in 2.0.0 * - * \param ctx Context to set up. - * \param md_info Message digest to use. + * \param ctx The context to set up. + * \param md_info The information structure of the message-digest algorithm + * to use. * * \returns \c 0 on success, - * \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, - * \c MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure. + * #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, + * #MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure. */ int mbedtls_md_init_ctx( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info ) MBEDTLS_DEPRECATED; #undef MBEDTLS_DEPRECATED #endif /* MBEDTLS_DEPRECATED_REMOVED */ /** - * \brief Select MD to use and allocate internal structures. - * Should be called after mbedtls_md_init() or mbedtls_md_free(). - * Makes it necessary to call mbedtls_md_free() later. + * \brief This function selects the message digest algorithm to use, + * and allocates internal structures. * - * \param ctx Context to set up. - * \param md_info Message digest to use. - * \param hmac 0 to save some memory if HMAC will not be used, - * non-zero is HMAC is going to be used with this context. + * It should be called after mbedtls_md_init() or + * mbedtls_md_free(). Makes it necessary to call + * mbedtls_md_free() later. + * + * \param ctx The context to set up. + * \param md_info The information structure of the message-digest algorithm + * to use. + * \param hmac
  • 0: HMAC is not used. Saves some memory.
  • + *
  • non-zero: HMAC is used with this context.
* * \returns \c 0 on success, - * \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, - * \c MBEDTLS_ERR_MD_ALLOC_FAILED memory allocation failure. + * #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure, or + * #MBEDTLS_ERR_MD_ALLOC_FAILED on memory allocation failure. */ int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac ); /** - * \brief Clone the state of an MD context + * \brief This function clones the state of an message-digest + * context. * - * \note The two contexts must have been setup to the same type - * (cloning from SHA-256 to SHA-512 make no sense). + * \note You must call mbedtls_md_setup() on \c dst before calling + * this function. * - * \warning Only clones the MD state, not the HMAC state! (for now) + * \note The two contexts must have the same type, + * for example, both are SHA-256. * - * \param dst The destination context - * \param src The context to be cloned + * \warning This function clones the message-digest state, not the + * HMAC state. + * + * \param dst The destination context. + * \param src The context to be cloned. * * \return \c 0 on success, - * \c MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure. + * #MBEDTLS_ERR_MD_BAD_INPUT_DATA on parameter failure. */ int mbedtls_md_clone( mbedtls_md_context_t *dst, const mbedtls_md_context_t *src ); /** - * \brief Returns the size of the message digest output. + * \brief This function extracts the message-digest size from the + * message-digest information structure. * - * \param md_info message digest info + * \param md_info The information structure of the message-digest algorithm + * to use. * - * \return size of the message digest output in bytes. + * \return The size of the message-digest output in Bytes. */ unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info ); /** - * \brief Returns the type of the message digest output. 
+ * \brief This function extracts the message-digest type from the + * message-digest information structure. * - * \param md_info message digest info + * \param md_info The information structure of the message-digest algorithm + * to use. * - * \return type of the message digest output. + * \return The type of the message digest. */ mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info ); /** - * \brief Returns the name of the message digest output. + * \brief This function extracts the message-digest name from the + * message-digest information structure. * - * \param md_info message digest info + * \param md_info The information structure of the message-digest algorithm + * to use. * - * \return name of the message digest output. + * \return The name of the message digest. */ const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info ); /** - * \brief Prepare the context to digest a new message. - * Generally called after mbedtls_md_setup() or mbedtls_md_finish(). - * Followed by mbedtls_md_update(). + * \brief This function starts a message-digest computation. * - * \param ctx generic message digest context. + * You must call this function after setting up the context + * with mbedtls_md_setup(), and before passing data with + * mbedtls_md_update(). * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The generic message-digest context. + * + * \returns \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_starts( mbedtls_md_context_t *ctx ); /** - * \brief Generic message digest process buffer - * Called between mbedtls_md_starts() and mbedtls_md_finish(). - * May be called repeatedly. + * \brief This function feeds an input buffer into an ongoing + * message-digest computation. 
* - * \param ctx Generic message digest context - * \param input buffer holding the datal - * \param ilen length of the input data + * You must call mbedtls_md_starts() before calling this + * function. You may call this function multiple times. + * Afterwards, call mbedtls_md_finish(). * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The generic message-digest context. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * + * \returns \c 0 on success, #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ); /** - * \brief Generic message digest final digest - * Called after mbedtls_md_update(). - * Usually followed by mbedtls_md_free() or mbedtls_md_starts(). + * \brief This function finishes the digest operation, + * and writes the result to the output buffer. * - * \param ctx Generic message digest context - * \param output Generic message digest checksum result + * Call this function after a call to mbedtls_md_starts(), + * followed by any number of calls to mbedtls_md_update(). + * Afterwards, you may either clear the context with + * mbedtls_md_free(), or call mbedtls_md_starts() to reuse + * the context for another digest operation with the same + * algorithm. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The generic message-digest context. + * \param output The buffer for the generic message-digest checksum result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. 
*/ int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output ); /** - * \brief Output = message_digest( input buffer ) + * \brief This function calculates the message-digest of a buffer, + * with respect to a configurable message-digest algorithm + * in a single call. * - * \param md_info message digest info - * \param input buffer holding the data - * \param ilen length of the input data - * \param output Generic message digest checksum result + * The result is calculated as + * Output = message_digest(input buffer). * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param md_info The information structure of the message-digest algorithm + * to use. + * \param input The buffer holding the data. + * \param ilen The length of the input data. + * \param output The generic message-digest checksum result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen, unsigned char *output ); #if defined(MBEDTLS_FS_IO) /** - * \brief Output = message_digest( file contents ) + * \brief This function calculates the message-digest checksum + * result of the contents of the provided file. * - * \param md_info message digest info - * \param path input file name - * \param output generic message digest checksum result + * The result is calculated as + * Output = message_digest(file contents). * - * \return 0 if successful, - * MBEDTLS_ERR_MD_FILE_IO_ERROR if file input failed, - * MBEDTLS_ERR_MD_BAD_INPUT_DATA if md_info was NULL. + * \param md_info The information structure of the message-digest algorithm + * to use. + * \param path The input file name. + * \param output The generic message-digest checksum result. + * + * \return \c 0 on success, + * #MBEDTLS_ERR_MD_FILE_IO_ERROR if file input failed, or + * #MBEDTLS_ERR_MD_BAD_INPUT_DATA if \p md_info was NULL. 
*/ int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output ); #endif /* MBEDTLS_FS_IO */ /** - * \brief Set HMAC key and prepare to authenticate a new message. - * Usually called after mbedtls_md_setup() or mbedtls_md_hmac_finish(). + * \brief This function sets the HMAC key and prepares to + * authenticate a new message. * - * \param ctx HMAC context - * \param key HMAC secret key - * \param keylen length of the HMAC key in bytes + * Call this function after mbedtls_md_setup(), to use + * the MD context for an HMAC calculation, then call + * mbedtls_md_hmac_update() to provide the input data, and + * mbedtls_md_hmac_finish() to get the HMAC value. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The message digest context containing an embedded HMAC + * context. + * \param key The HMAC secret key. + * \param keylen The length of the HMAC key in Bytes. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen ); /** - * \brief Generic HMAC process buffer. - * Called between mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() - * and mbedtls_md_hmac_finish(). - * May be called repeatedly. + * \brief This function feeds an input buffer into an ongoing HMAC + * computation. * - * \param ctx HMAC context - * \param input buffer holding the data - * \param ilen length of the input data + * Call mbedtls_md_hmac_starts() or mbedtls_md_hmac_reset() + * before calling this function. + * You may call this function multiple times to pass the + * input piecewise. + * Afterwards, call mbedtls_md_hmac_finish(). * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The message digest context containing an embedded HMAC + * context. + * \param input The buffer holding the input data. 
+ * \param ilen The length of the input data. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen ); /** - * \brief Output HMAC. - * Called after mbedtls_md_hmac_update(). - * Usually followed by mbedtls_md_hmac_reset(), - * mbedtls_md_hmac_starts(), or mbedtls_md_free(). + * \brief This function finishes the HMAC operation, and writes + * the result to the output buffer. * - * \param ctx HMAC context - * \param output Generic HMAC checksum result + * Call this function after mbedtls_md_hmac_starts() and + * mbedtls_md_hmac_update() to get the HMAC value. Afterwards + * you may either call mbedtls_md_free() to clear the context, + * or call mbedtls_md_hmac_reset() to reuse the context with + * the same HMAC key. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The message digest context containing an embedded HMAC + * context. + * \param output The generic HMAC checksum result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output); /** - * \brief Prepare to authenticate a new message with the same key. - * Called after mbedtls_md_hmac_finish() and before - * mbedtls_md_hmac_update(). + * \brief This function prepares to authenticate a new message with + * the same key as the previous HMAC operation. * - * \param ctx HMAC context to be reset + * You may call this function after mbedtls_md_hmac_finish(). + * Afterwards call mbedtls_md_hmac_update() to pass the new + * input. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * \param ctx The message digest context containing an embedded HMAC + * context. 
+ * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx ); /** - * \brief Output = Generic_HMAC( hmac key, input buffer ) + * \brief This function calculates the full generic HMAC + * on the input buffer with the provided key. * - * \param md_info message digest info - * \param key HMAC secret key - * \param keylen length of the HMAC key in bytes - * \param input buffer holding the data - * \param ilen length of the input data - * \param output Generic HMAC-result + * The function allocates the context, performs the + * calculation, and frees the context. * - * \returns 0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter - * verification fails. + * The HMAC result is calculated as + * output = generic HMAC(hmac key, input buffer). + * + * \param md_info The information structure of the message-digest algorithm + * to use. + * \param key The HMAC secret key. + * \param keylen The length of the HMAC secret key in Bytes. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The generic HMAC result. + * + * \returns \c 0 on success, or #MBEDTLS_ERR_MD_BAD_INPUT_DATA if + * parameter verification fails. */ int mbedtls_md_hmac( const mbedtls_md_info_t *md_info, const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen, From 602285eac239fc94bd623be955f5eddb4036aaef Mon Sep 17 00:00:00 2001 
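Review bot: The HMAC entry points (mbedtls_md_hmac_starts(), _update(), _finish(), _reset()) say only "Call this function after mbedtls_md_setup()", but the same hunk documents that mbedtls_md_setup() allocates the HMAC part only when `hmac` is non-zero, so a context set up with `hmac == 0` presumably cannot be used here; add to mbedtls_md_hmac_starts() a line such as `\note The context must have been set up with mbedtls_md_setup() with a non-zero \p hmac argument.` (and, if the implementation rejects it, name the error code returned). Also, the mbedtls_md_clone() brief reads `clones the state of an message-digest context` — should be `a message-digest context`, and its `\c dst` should be `\p dst` like the parameter references elsewhere in the hunk.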
From: Rose Zadik Date: Fri, 26 Jan 2018 11:00:39 +0000 Subject: [PATCH 173/177] Improve SHA-256 documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Align deprecated function descriptions with those of the superseding functions. GitHub PR: #1325 --- include/mbedtls/sha256.h | 158 ++++++++++++++++++++++++--------------- 1 file changed, 96 insertions(+), 62 deletions(-) diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 5c5d07ad2..a2b6e1164 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -1,10 +1,10 @@ /** * \file sha256.h * - * \brief SHA-224 and SHA-256 cryptographic hash function + * \brief The SHA-224 and SHA-256 cryptographic hash function. */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,7 +19,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_SHA256_H #define MBEDTLS_SHA256_H @@ -39,7 +39,6 @@ !defined(inline) && !defined(__cplusplus) #define inline __inline #endif - #if !defined(MBEDTLS_SHA256_ALT) // Regular implementation // 
@@ -49,81 +48,94 @@ extern "C" { #endif /** - * \brief SHA-256 context structure + * \brief The SHA-256 context structure. + * + * The structure is used both for SHA-256 and for SHA-224 + * checksum calculations. The choice between these two is + * made in the call to mbedtls_sha256_starts_ret(). */ typedef struct { - uint32_t total[2]; /*!< number of bytes processed */ - uint32_t state[8]; /*!< intermediate digest state */ - unsigned char buffer[64]; /*!< data block being processed */ - int is224; /*!< 0 => SHA-256, else SHA-224 */ + uint32_t total[2]; /*!< The number of Bytes processed. */ + uint32_t state[8]; /*!< The intermediate digest state. */ + unsigned char buffer[64]; /*!< The data block being processed. */ + int is224; /*!< Determines which function to use. +
  • 0: Use SHA-256.
  • +
  • 1: Use SHA-224.
*/ } mbedtls_sha256_context; /** - * \brief Initialize SHA-256 context + * \brief This function initializes a SHA-256 context. * - * \param ctx SHA-256 context to be initialized + * \param ctx The SHA-256 context to initialize. */ void mbedtls_sha256_init( mbedtls_sha256_context *ctx ); /** - * \brief Clear SHA-256 context + * \brief This function clears a SHA-256 context. * - * \param ctx SHA-256 context to be cleared + * \param ctx The SHA-256 context to clear. */ void mbedtls_sha256_free( mbedtls_sha256_context *ctx ); /** - * \brief Clone (the state of) a SHA-256 context + * \brief This function clones the state of a SHA-256 context. * - * \param dst The destination context - * \param src The context to be cloned + * \param dst The destination context. + * \param src The context to clone. */ void mbedtls_sha256_clone( mbedtls_sha256_context *dst, const mbedtls_sha256_context *src ); /** - * \brief SHA-256 context setup + * \brief This function starts a SHA-224 or SHA-256 checksum + * calculation. * - * \param ctx context to be initialized - * \param is224 0 = use SHA256, 1 = use SHA224 + * \param ctx The context to initialize. + * \param is224 Determines which function to use. + *
  • 0: Use SHA-256.
  • + *
  • 1: Use SHA-224.
* - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 ); /** - * \brief SHA-256 process buffer + * \brief This function feeds an input buffer into an ongoing + * SHA-256 checksum calculation. * * \param ctx SHA-256 context * \param input buffer holding the data * \param ilen length of the input data * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx, const unsigned char *input, size_t ilen ); /** - * \brief SHA-256 final digest + * \brief This function finishes the SHA-256 operation, and writes + * the result to the output buffer. * - * \param ctx SHA-256 context - * \param output SHA-224/256 checksum result + * \param ctx The SHA-256 context. + * \param output The SHA-224 or SHA-256 checksum result. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha256_finish_ret( mbedtls_sha256_context *ctx, unsigned char output[32] ); /** - * \brief SHA-256 process data block (internal use only) + * \brief This function processes a single data block within + * the ongoing SHA-256 computation. This function is for + * internal use only. * - * \param ctx SHA-256 context - * \param data buffer holding one block of data + * \param ctx The SHA-256 context. + * \param data The buffer holding one block of data. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ); 
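Review bot: mbedtls_sha256_update_ret() was only half-rewritten: its brief is new but its parameter lines (`\param ctx SHA-256 context`, `\param input buffer holding the data`, `\param ilen length of the input data`) keep the old fragment style while every other function in the hunk uses `The SHA-256 context.`, `The buffer holding the input data.`, `The length of the input data.`; bring them in line. Separately, the struct field and mbedtls_sha256_starts_ret() now document `is224` as `0`/`1`, whereas the removed text said `0 => SHA-256, else SHA-224`; if the implementation still treats any non-zero value as SHA-224, `non-zero: Use SHA-224.` (the wording the md.h patch uses for its `hmac` flag) avoids silently narrowing the documented contract.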
@@ -135,12 +147,14 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, #define MBEDTLS_DEPRECATED #endif /** - * \brief SHA-256 context setup + * \brief This function starts a SHA-256 checksum calculation. * - * \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.7.0 + * \deprecated Superseded by mbedtls_sha256_starts_ret() in 2.7.0. * - * \param ctx context to be initialized - * \param is224 0 = use SHA256, 1 = use SHA224 + * \param ctx The SHA-256 context to initialize. + * \param is224 Determines which function to use. + *
  • 0: Use SHA-256.
  • + *
  • 1: Use SHA-224.
*/ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, @@ -150,13 +164,14 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_starts( } /** - * \brief SHA-256 process buffer + * \brief This function feeds an input buffer into an ongoing + * SHA-256 checksum calculation. * - * \deprecated Superseded by mbedtls_sha256_update_ret() in 2.7.0 + * \deprecated Superseded by mbedtls_sha256_update_ret() in 2.7.0. * - * \param ctx SHA-256 context - * \param input buffer holding the data - * \param ilen length of the input data + * \param ctx The SHA-256 context to initialize. + * \param input The buffer holding the data. + * \param ilen The length of the input data. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( mbedtls_sha256_context *ctx, @@ -167,12 +182,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_update( } /** - * \brief SHA-256 final digest + * \brief This function finishes the SHA-256 operation, and writes + * the result to the output buffer. * - * \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.7.0 + * \deprecated Superseded by mbedtls_sha256_finish_ret() in 2.7.0. * - * \param ctx SHA-256 context - * \param output SHA-224/256 checksum result + * \param ctx The SHA-256 context. + * \param output The SHA-224or SHA-256 checksum result. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, 
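Review bot: The deprecated mbedtls_sha256_starts() brief says `This function starts a SHA-256 checksum calculation.` while the superseding mbedtls_sha256_starts_ret() in the same patch says `starts a SHA-224 or SHA-256 checksum calculation`, which contradicts the commit's stated goal of aligning deprecated descriptions with their replacements; use the same wording in both.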
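Review bot: The deprecated mbedtls_sha256_update() now documents its context as `\param ctx The SHA-256 context to initialize.`, which looks copied from the starts() block; update() does not initialize anything, and the `_ret` variant in this patch says `\param ctx The SHA-256 context.`, so the line should read `\param ctx The SHA-256 context.`.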
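Review bot: Typo in the deprecated mbedtls_sha256_finish() output parameter: `\param output The SHA-224or SHA-256 checksum result.` is missing a space and should be `\param output The SHA-224 or SHA-256 checksum result.`, matching the `_ret` version above it.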
@@ -182,12 +198,14 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_finish( } /** - * \brief SHA-256 process data block (internal use only) + * \brief This function processes a single data block within + * the ongoing SHA-256 computation. This function is for + * internal use only. * - * \deprecated Superseded by mbedtls_internal_sha256_process() in 2.7.0 + * \deprecated Superseded by mbedtls_internal_sha256_process() in 2.7.0. * - * \param ctx SHA-256 context - * \param data buffer holding one block of data + * \param ctx The SHA-256 context. + * \param data The buffer holding one block of data. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_process( mbedtls_sha256_context *ctx, @@ -198,7 +216,6 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256_process( #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ - #ifdef __cplusplus } #endif @@ -212,14 +229,21 @@ extern "C" { #endif /** - * \brief Output = SHA-256( input buffer ) + * \brief This function calculates the SHA-224 or SHA-256 + * checksum of a buffer. * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-224/256 checksum result - * \param is224 0 = use SHA256, 1 = use SHA224 + * The function allocates the context, performs the + * calculation, and frees the context. * - * \return 0 if successful + * The SHA-256 result is calculated as + * output = SHA-256(input buffer). + * + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The SHA-224 or SHA-256 checksum result. + * \param is224 Determines which function to use. + *
  • 0: Use SHA-256.
  • + *
  • 1: Use SHA-224.
*/ int mbedtls_sha256_ret( const unsigned char *input, size_t ilen, @@ -232,15 +256,25 @@ int mbedtls_sha256_ret( const unsigned char *input, #else #define MBEDTLS_DEPRECATED #endif + /** - * \brief Output = SHA-256( input buffer ) + * \brief This function calculates the SHA-224 or SHA-256 checksum + * of a buffer. * - * \deprecated Superseded by mbedtls_sha256_ret() in 2.7.0 + * The function allocates the context, performs the + * calculation, and frees the context. * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-224/256 checksum result - * \param is224 0 = use SHA256, 1 = use SHA224 + * The SHA-256 result is calculated as + * output = SHA-256(input buffer). + * + * \deprecated Superseded by mbedtls_sha256_ret() in 2.7.0. + * + * \param input The buffer holding the data. + * \param ilen The length of the input data. + * \param output The SHA-224 or SHA-256 checksum result. + * \param is224 Determines which function to use. + *
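Review bot: The rewrite of the mbedtls_sha256_ret() comment removes `\return 0 if successful` without adding a replacement, so a non-void `_ret` function is left with no documented return value, unlike mbedtls_sha512_ret() in the companion patch, which ends with `\return \c 0 on success.`; add the same line after the `is224` description. The brief also says only `output = SHA-256(input buffer)` although the function computes SHA-224 when `is224` is set, so `output = SHA-224(input buffer) or SHA-256(input buffer)` would be more accurate.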
  • 0: Use SHA-256.
  • + *
  • 1: Use SHA-224.
*/ MBEDTLS_DEPRECATED static inline void mbedtls_sha256( const unsigned char *input, @@ -255,9 +289,9 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha256( #endif /* !MBEDTLS_DEPRECATED_REMOVED */ /** - * \brief Checkup routine + * \brief The SHA-224 and SHA-256 checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_sha256_self_test( int verbose ); From 27ff120a6121528de9f9a726dfd80a209ee05a1a Mon Sep 17 00:00:00 2001 From: Rose Zadik Date: Fri, 26 Jan 2018 11:01:31 +0000 Subject: [PATCH 174/177] Improve SHA-512 documentation - Rephrase file/function/parameter/enum/define/error descriptions into full and clear sentences. - Make sure to adhere to the Arm writing guidelines. - Fix missing/incorrect Doxygen tags. - Standardize terminology used within the file. - Align deprecated function descriptions with those of the superseding functions. GitHub PR: #1326 --- include/mbedtls/sha512.h | 163 ++++++++++++++++++++++++--------------- 1 file changed, 99 insertions(+), 64 deletions(-) diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 7453c44d4..52ae204d4 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -1,10 +1,10 @@ /** * \file sha512.h * - * \brief SHA-384 and SHA-512 cryptographic hash function + * \brief The SHA-384 and SHA-512 cryptographic hash function. */ /* - * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved + * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved * SPDX-License-Identifier: Apache-2.0 * * Licensed under the Apache License, Version 2.0 (the "License"); you may @@ -19,7 +19,7 @@ * See the License for the specific language governing permissions and * limitations under the License. * - * This file is part of mbed TLS (https://tls.mbed.org) + * This file is part of Mbed TLS (https://tls.mbed.org) */ #ifndef MBEDTLS_SHA512_H #define MBEDTLS_SHA512_H 
@@ -39,7 +39,6 @@ !defined(inline) && !defined(__cplusplus) #define inline __inline #endif - #if !defined(MBEDTLS_SHA512_ALT) // Regular implementation // @@ -49,85 +48,97 @@ extern "C" { #endif /** - * \brief SHA-512 context structure + * \brief The SHA-512 context structure. + * + * The structure is used both for SHA-384 and for SHA-512 + * checksum calculations. The choice between these two is + * made in the call to mbedtls_sha512_starts_ret(). */ typedef struct { - uint64_t total[2]; /*!< number of bytes processed */ - uint64_t state[8]; /*!< intermediate digest state */ - unsigned char buffer[128]; /*!< data block being processed */ - int is384; /*!< 0 => SHA-512, else SHA-384 */ + uint64_t total[2]; /*!< The number of Bytes processed. */ + uint64_t state[8]; /*!< The intermediate digest state. */ + unsigned char buffer[128]; /*!< The data block being processed. */ + int is384; /*!< Determines which function to use. + *
  • 0: Use SHA-512.
  • + *
  • 1: Use SHA-384.
*/ } mbedtls_sha512_context; /** - * \brief Initialize SHA-512 context + * \brief This function initializes a SHA-512 context. * - * \param ctx SHA-512 context to be initialized + * \param ctx The SHA-512 context to initialize. */ void mbedtls_sha512_init( mbedtls_sha512_context *ctx ); /** - * \brief Clear SHA-512 context + * \brief This function clears a SHA-512 context. * - * \param ctx SHA-512 context to be cleared + * \param ctx The SHA-512 context to clear. */ void mbedtls_sha512_free( mbedtls_sha512_context *ctx ); /** - * \brief Clone (the state of) a SHA-512 context + * \brief This function clones the state of a SHA-512 context. * - * \param dst The destination context - * \param src The context to be cloned + * \param dst The destination context. + * \param src The context to clone. */ void mbedtls_sha512_clone( mbedtls_sha512_context *dst, const mbedtls_sha512_context *src ); /** - * \brief SHA-512 context setup + * \brief This function starts a SHA-384 or SHA-512 checksum + * calculation. * - * \param ctx context to be initialized - * \param is384 0 = use SHA512, 1 = use SHA384 + * \param ctx The SHA-512 context to initialize. + * \param is384 Determines which function to use. + *
  • 0: Use SHA-512.
  • + *
  • 1: Use SHA-384.
* - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 ); /** - * \brief SHA-512 process buffer + * \brief This function feeds an input buffer into an ongoing + * SHA-512 checksum calculation. * - * \param ctx SHA-512 context - * \param input buffer holding the data - * \param ilen length of the input data + * \param ctx The SHA-512 context. + * \param input The buffer holding the input data. + * \param ilen The length of the input data. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx, - const unsigned char *input, - size_t ilen ); + const unsigned char *input, + size_t ilen ); /** - * \brief SHA-512 final digest + * \brief This function finishes the SHA-512 operation, and writes + * the result to the output buffer. This function is for + * internal use only. * - * \param ctx SHA-512 context - * \param output SHA-384/512 checksum result + * \param ctx The SHA-512 context. + * \param output The SHA-384 or SHA-512 checksum result. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_sha512_finish_ret( mbedtls_sha512_context *ctx, unsigned char output[64] ); /** - * \brief SHA-512 process data block (internal use only) + * \brief This function processes a single data block within + * the ongoing SHA-512 computation. * - * \param ctx SHA-512 context - * \param data buffer holding one block of data + * \param ctx The SHA-512 context. + * \param data The buffer holding one block of data. * - * \return 0 if successful + * \return \c 0 on success. */ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ); - #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_DEPRECATED_WARNING) #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 
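Review bot: The "internal use only" sentence has moved to the wrong function: mbedtls_sha512_finish_ret() now ends its brief with `This function is for internal use only.`, which is false for a public finish call and will scare off callers, while mbedtls_internal_sha512_process() lost that note (its removed brief had `(internal use only)`, and the sha256.h patch keeps it on the process function). Drop the sentence from finish_ret() and append `This function is for internal use only.` to the process() brief. As in sha256.h, `is384` is now documented as `0`/`1` where the removed line said `else SHA-384`; if any non-zero value still selects SHA-384, `non-zero: Use SHA-384.` is the safer wording.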
@@ -135,12 +146,15 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, #define MBEDTLS_DEPRECATED #endif /** - * \brief SHA-512 context setup + * \brief This function starts a SHA-384 or SHA-512 checksum + * calculation. * * \deprecated Superseded by mbedtls_sha512_starts_ret() in 2.7.0 * - * \param ctx context to be initialized - * \param is384 0 = use SHA512, 1 = use SHA384 + * \param ctx The SHA-512 context to initialize. + * \param is384 Determines which function to use. + *
  • 0: Use SHA-512.
  • + *
  • 1: Use SHA-384.
*/ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, @@ -150,13 +164,14 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_starts( } /** - * \brief SHA-512 process buffer + * \brief This function feeds an input buffer into an ongoing + * SHA-512 checksum calculation. * * \deprecated Superseded by mbedtls_sha512_update_ret() in 2.7.0 * - * \param ctx SHA-512 context - * \param input buffer holding the data - * \param ilen length of the input data + * \param ctx The SHA-512 context. + * \param input The buffer holding the data. + * \param ilen The length of the input data. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( mbedtls_sha512_context *ctx, @@ -167,12 +182,13 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_update( } /** - * \brief SHA-512 final digest + * \brief This function finishes the SHA-512 operation, and writes + * the result to the output buffer. * * \deprecated Superseded by mbedtls_sha512_finish_ret() in 2.7.0 * - * \param ctx SHA-512 context - * \param output SHA-384/512 checksum result + * \param ctx The SHA-512 context. + * \param output The SHA-384 or SHA-512 checksum result. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, @@ -182,12 +198,14 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_finish( } /** - * \brief SHA-512 process data block (internal use only) + * \brief This function processes a single data block within + * the ongoing SHA-512 computation. This function is for + * internal use only. * * \deprecated Superseded by mbedtls_internal_sha512_process() in 2.7.0 * - * \param ctx SHA-512 context - * \param data buffer holding one block of data + * \param ctx The SHA-512 context. + * \param data The buffer holding one block of data. */ MBEDTLS_DEPRECATED static inline void mbedtls_sha512_process( mbedtls_sha512_context *ctx, 
@@ -212,14 +230,23 @@ extern "C" { #endif /** - * \brief Output = SHA-512( input buffer ) + * \brief This function calculates the SHA-512 or SHA-384 + * checksum of a buffer. * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-384/512 checksum result - * \param is384 0 = use SHA512, 1 = use SHA384 + * The function allocates the context, performs the + * calculation, and frees the context. * - * \return 0 if successful + * The SHA-512 result is calculated as + * output = SHA-512(input buffer). + * + * \param input The buffer holding the input data. + * \param ilen The length of the input data. + * \param output The SHA-384 or SHA-512 checksum result. + * \param is384 Determines which function to use. + *
  • 0: Use SHA-512.
  • + *
  • 1: Use SHA-384.
+ * + * \return \c 0 on success. */ int mbedtls_sha512_ret( const unsigned char *input, size_t ilen, @@ -233,14 +260,23 @@ int mbedtls_sha512_ret( const unsigned char *input, #define MBEDTLS_DEPRECATED #endif /** - * \brief Output = SHA-512( input buffer ) + * \brief This function calculates the SHA-512 or SHA-384 + * checksum of a buffer. + * + * The function allocates the context, performs the + * calculation, and frees the context. + * + * The SHA-512 result is calculated as + * output = SHA-512(input buffer). * * \deprecated Superseded by mbedtls_sha512_ret() in 2.7.0 * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-384/512 checksum result - * \param is384 0 = use SHA512, 1 = use SHA384 + * \param input The buffer holding the data. + * \param ilen The length of the input data. + * \param output The SHA-384 or SHA-512 checksum result. + * \param is384 Determines which function to use. + *
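Review bot: The new `\return` for mbedtls_sha512_ret() documents only `\c 0 on success`, yet this is the int-returning replacement for the deprecated void wrapper, so callers reading this header have no statement of what a failure looks like; add `\return A negative error code on failure.` (naming the specific code if the implementation defines one) under the existing line. The added prose `output = SHA-512(input buffer)` describes only the is384 == 0 case while the \param is384 text right above it says the function also computes SHA-384, so either state both forms or drop the formula. The declaration of mbedtls_sha512_ret() continues past the end of the hunk.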
  • 0: Use SHA-512.
  • + *
  • 1: Use SHA-384.
*/ MBEDTLS_DEPRECATED static inline void mbedtls_sha512( const unsigned char *input, @@ -253,11 +289,10 @@ MBEDTLS_DEPRECATED static inline void mbedtls_sha512( #undef MBEDTLS_DEPRECATED #endif /* !MBEDTLS_DEPRECATED_REMOVED */ - -/** - * \brief Checkup routine + /** + * \brief The SHA-384 or SHA-512 checkup routine. * - * \return 0 if successful, or 1 if the test failed + * \return \c 0 on success, or \c 1 on failure. */ int mbedtls_sha512_self_test( int verbose ); From 8dd16ab7c0e8c516f130260e001550761815832a Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Tue, 30 Jan 2018 15:24:42 +0000 Subject: [PATCH 175/177] doxygen: Disable JAVADOC_AUTOBRIEF Disable JAVADOC_AUTOBRIEF so that we can have periods in our brief descriptions. We always use '\brief' where we want a brief, so this won't hide any documentation previously used as a brief. --- doxygen/mbedtls.doxyfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index d5b3abe75..40fa056d8 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -165,7 +165,7 @@ SHORT_NAMES = NO # comments will behave just like regular Qt-style comments # (thus requiring an explicit @brief command for a brief description.) -JAVADOC_AUTOBRIEF = YES +JAVADOC_AUTOBRIEF = NO # If the QT_AUTOBRIEF tag is set to YES then Doxygen will # interpret the first line (until the first dot) of a Qt-style From 3b438d33c18cc6c9473027010945dce05eb5e1e3 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Feb 2018 17:52:47 +0000 Subject: [PATCH 176/177] Update version to 2.7.0 --- doxygen/input/doc_mainpage.h | 2 +- doxygen/mbedtls.doxyfile | 2 +- include/mbedtls/version.h | 8 ++++---- library/CMakeLists.txt | 6 +++--- library/Makefile | 2 +- tests/suites/test_suite_version.data | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h index add75f7a2..641d5c4fb 100644 
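Review bot: In the last hunk on this line (`@@ -253,11 +289,10 @@`), the Doxygen opener seems to come back as ` /**` with a leading space while the removed line was `/**` at column 0, and the blank line separating it from `#endif /* !MBEDTLS_DEPRECATED_REMOVED */` is dropped. The collapsed whitespace in this view makes it hard to be certain, but if that is what the patch does, restore `/**` at column 0 and keep the blank line so the block matches every other comment block in the header. The other hunk sharing this line (the deprecated mbedtls_sha512() wrapper) is documentation-only and raises nothing further.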
--- a/doxygen/input/doc_mainpage.h +++ b/doxygen/input/doc_mainpage.h @@ -24,7 +24,7 @@ */ /** - * @mainpage mbed TLS v2.6.0 source code documentation + * @mainpage mbed TLS v2.7.0 source code documentation * * This documentation describes the internal structure of mbed TLS. It was * automatically generated from specially formatted comment blocks in diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 40fa056d8..cbe0db4f2 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -28,7 +28,7 @@ DOXYFILE_ENCODING = UTF-8 # identify the project. Note that if you do not use Doxywizard you need # to put quotes around the project name if it contains spaces. -PROJECT_NAME = "mbed TLS v2.6.0" +PROJECT_NAME = "mbed TLS v2.7.0" # The PROJECT_NUMBER tag can be used to enter a project or revision number. # This could be handy for archiving the generated documentation or diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 8af6f0170..961be59c3 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -39,7 +39,7 @@ * Major, Minor, Patchlevel */ #define MBEDTLS_VERSION_MAJOR 2 -#define MBEDTLS_VERSION_MINOR 6 +#define MBEDTLS_VERSION_MINOR 7 #define MBEDTLS_VERSION_PATCH 0 /** @@ -47,9 +47,9 @@ * MMNNPP00 * Major version | Minor version | Patch version */ -#define MBEDTLS_VERSION_NUMBER 0x02060000 -#define MBEDTLS_VERSION_STRING "2.6.0" -#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.6.0" +#define MBEDTLS_VERSION_NUMBER 0x02070000 +#define MBEDTLS_VERSION_STRING "2.7.0" +#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.7.0" #if defined(MBEDTLS_VERSION_C) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index e02229d03..02ccea8bc 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -141,15 +141,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.6.0 SOVERSION 0) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.7.0 SOVERSION 1) target_link_libraries(mbedcrypto ${libs}) add_library(mbedx509 SHARED ${src_x509}) - set_target_properties(mbedx509 PROPERTIES VERSION 2.6.0 SOVERSION 0) + set_target_properties(mbedx509 PROPERTIES VERSION 2.7.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) add_library(mbedtls SHARED ${src_tls}) - set_target_properties(mbedtls PROPERTIES VERSION 2.6.0 SOVERSION 10) + set_target_properties(mbedtls PROPERTIES VERSION 2.7.0 SOVERSION 10) target_link_libraries(mbedtls ${libs} mbedx509) install(TARGETS mbedtls mbedx509 mbedcrypto diff --git a/library/Makefile b/library/Makefile index 541d47fe9..65a102f3a 100644 --- a/library/Makefile +++ b/library/Makefile @@ -33,7 +33,7 @@ endif SOEXT_TLS=so.10 SOEXT_X509=so.0 -SOEXT_CRYPTO=so.0 +SOEXT_CRYPTO=so.1 DLEXT=so # OSX shared library extension: diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data index 1442a384c..1aa4ffa75 100644 --- a/tests/suites/test_suite_version.data +++ b/tests/suites/test_suite_version.data @@ -1,8 +1,8 @@ Check compiletime library version -check_compiletime_version:"2.6.0" +check_compiletime_version:"2.7.0" Check runtime library version -check_runtime_version:"2.6.0" +check_runtime_version:"2.7.0" Check for MBEDTLS_VERSION_C check_feature:"MBEDTLS_VERSION_C":0 From 55fc4e0c5af313f078d6a80d54ab448acb940dc6 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Mon, 5 Feb 2018 01:09:13 +0000 Subject: [PATCH 177/177] Update ChangeLog with language and technical corrections To clarify and correct the ChangeLog. --- ChangeLog | 77 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 41 insertions(+), 36 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 2f54aafe8..8db021591 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,44 +1,46 @@ mbed TLS ChangeLog (Sorted per branch, date) -= mbed TLS x.x.x branch released xxxx-xx-xx += mbed TLS 2.7.0 branch released 2018-02-03 Security - * Fix buffer overflow in RSA-PSS verification when the hash is too - large for the key size. Found by Seth Terashima, Qualcomm Product - Security Initiative, Qualcomm Technologies Inc. - * Fix buffer overflow in RSA-PSS verification when the unmasked - data is all zeros. - * Fix unsafe bounds check in ssl_parse_client_psk_identity() when adding - 64kB to the address of the SSL buffer wraps around. - * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by + * Fix a heap corruption issue in the implementation of the truncated HMAC + extension. When the truncated HMAC extension is enabled and CBC is used, + sending a malicious application packet could be used to selectively corrupt + 6 bytes on the peer's heap, which could potentially lead to crash or remote + code execution. The issue could be triggered remotely from either side in + both TLS and DTLS. CVE-2018-0488 + * Fix a buffer overflow in RSA-PSS verification when the hash was too large + for the key size, which could potentially lead to crash or remote code + execution. Found by Seth Terashima, Qualcomm Product Security Initiative, + Qualcomm Technologies Inc. CVE-2018-0487 + * Fix buffer overflow in RSA-PSS verification when the unmasked data is all + zeros. + * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding + 64 KiB to the address of the SSL buffer and causing a wrap around. + * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by default enabled) maximum fragment length extension is disabled in the config and the application data buffer passed to mbedtls_ssl_write is larger than the internal message buffer (16384 bytes by default), the latter overflows. The exploitability of this issue depends on whether the application layer can be forced into sending such large packets. 
The issue was independently reported by Tim Nordell via e-mail and by Florin Petriuc - and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707. - * Tighten should-be-constant-time memcmp against compiler optimizations. + and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. + Fixes #707. + * Add a provision to prevent compiler optimizations breaking the time + constancy of mbedtls_ssl_safer_memcmp(). * Ensure that buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library. * Set PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release. * Fix dhm_check_range() failing to detect trivial subgroups and potentially leaking 1 bit of the private key. Reported by prashantkspatil. - * Make mbedtls_mpi_read_binary constant-time with respect to - the input data. Previously, trailing zero bytes were detected - and omitted for the sake of saving memory, but potentially - leading to slight timing differences. - Reported by Marco Macchetti, Kudelski Group. + * Make mbedtls_mpi_read_binary() constant-time with respect to the input + data. Previously, trailing zero bytes were detected and omitted for the + sake of saving memory, but potentially leading to slight timing + differences. Reported by Marco Macchetti, Kudelski Group. * Wipe stack buffer temporarily holding EC private exponent after keypair generation. - * Fix heap corruption in implementation of truncated HMAC extension. - When the truncated HMAC extension is enabled and CBC is used, - sending a malicious application packet can be used to selectively - corrupt 6 bytes on the peer's heap, potentially leading to crash or - remote code execution. This can be triggered remotely from either - side in both TLS and DTLS. - * Fix a potential heap buffer overread in ALPN extension parsing + * Fix a potential heap buffer over-read in ALPN extension parsing (server-side). 
Could result in application crash, but only if an ALPN name larger than 16 bytes had been configured on the server. * Change default choice of DHE parameters from untrustworthy RFC 5114 @@ -69,11 +71,12 @@ Features mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared(). * Add support for alternative implementation of ECJPAKE, controlled by the new configuration flag MBEDTLS_ECJPAKE_ALT. + * Add mechanism to provide alternative implementation of the DHM module. API Changes * Extend RSA interface by multiple functions allowing structure- independent setup and export of RSA contexts. Most notably, - mbedtls_rsa_import and mbedtls_rsa_complete are introduced for setting + mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows to setup private RSA contexts from keys consisting of N,D,E only, even if P,Q are needed for the @@ -91,7 +94,7 @@ API Changes New deprecations * Deprecate usage of RSA primitives with non-matching key-type - (e.g., signing with a public key). + (e.g. signing with a public key). * Direct manipulation of structure fields of RSA contexts is deprecated. Users are advised to use the extended RSA API instead. * Deprecate usage of message digest functions that return void @@ -104,8 +107,8 @@ New deprecations * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. Supserseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN etc. - * Deprecate mbedtls_ssl_conf_dh_param for setting default DHE parameters - from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin + * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters + from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin() accepting DHM parameters in binary form, matching the new constants. Bugfix 
@@ -141,11 +144,11 @@ Bugfix * Don't print X.509 version tag for v1 CRT's, and omit extensions for non-v3 CRT's. * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 - * Fix net_would_block to avoid modification by errno through fcntl call. + * Fix net_would_block() to avoid modification by errno through fcntl() call. Found by nkolban. Fixes #845. - * Fix handling of handshake messages in mbedtls_ssl_read in case + * Fix handling of handshake messages in mbedtls_ssl_read() in case MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp. - * Add a check for invalid private parameters in mbedtls_ecdsa_sign. + * Add a check for invalid private parameters in mbedtls_ecdsa_sign(). Reported by Yolan Romailler. * Fix word size check in in pk.c to not depend on MBEDTLS_HAVE_INT64. * Fix incorrect unit in benchmark output. #850 @@ -154,7 +157,7 @@ Bugfix * Fix crash when calling mbedtls_ssl_cache_free() twice. Found by MilenkoMitrovic, #1104 * Fix mbedtls_timing_alarm(0) on Unix and MinGW. - * Fix use of uninitialized memory in mbedtls_timing_get_timer when reset=1. + * Fix use of uninitialized memory in mbedtls_timing_get_timer() when reset=1. * Fix possible memory leaks in mbedtls_gcm_self_test(). * Added missing return code checks in mbedtls_aes_self_test(). * Fix issues in RSA key generation program programs/x509/rsa_genkey and the 
@@ -164,9 +167,10 @@ Bugfix * Fix error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue. * Fix programs/pkey/dh_server.c so that it actually works with dh_client.c. Found and fixed by Martijn de Milliano. - * Fix bug in cipher decryption with MBEDTLS_PADDING_ONE_AND_ZEROS that - sometimes accepted invalid padding. (Not used in TLS.) Found and fixed - by Micha Kraus. + * Fix an issue in the cipher decryption with the mode + MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding. + Note, this padding mode is not used by the TLS protocol. Found and fixed by + Micha Kraus. * Fix the entropy.c module to not call mbedtls_sha256_starts() or mbedtls_sha512_starts() in the mbedtls_entropy_init() function. * Fix the entropy.c module to ensure that mbedtls_sha256_init() or @@ -174,9 +178,11 @@ Bugfix structure. Do not assume that zeroizing a context is a correct way to reset it. Found independently by ccli8 on Github. * In mbedtls_entropy_free(), properly free the message digest context. + * Fix status handshake status message in programs/ssl/dtls_client.c. Found + and fixed by muddog. Changes - * Extend cert_write example program by options to set the CRT version + * Extend cert_write example program by options to set the certificate version and the message digest. Further, allow enabling/disabling of authority identifier, subject identifier and basic constraints extensions. * Only check for necessary RSA structure fields in `mbedtls_rsa_private`. In 
@@ -186,7 +192,6 @@ Changes * Only run AES-192 self-test if AES-192 is available. Fixes #963. * Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module. - * Add mechanism to provide alternative implementation of the DHM module. * Update all internal usage of deprecated message digest functions to the new ones with return codes. In particular, this modifies the mbedtls_md_info_t structure. Propagate errors from these functions