Commit graph

2083 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 39b1904b9f Merge branch 'development' into iotssl-2257-chacha-poly-primitives
* development: (97 commits)
  Updated version number to 2.10.0 for release
  Add a disabled CMAC define in the no-entropy configuration
  Adapt the ARIA test cases for new ECB function
  Fix file permissions for ssl.h
  Add ChangeLog entry for PR#1651
  Fix MicroBlaze register typo.
  Fix typo in doc and copy missing warning
  Fix edit mistake in cipher_wrap.c
  Update CTR doc for the 64-bit block cipher
  Update CTR doc for other 128-bit block ciphers
  Slightly tune ARIA CTR documentation
  Remove double declaration of mbedtls_ssl_list_ciphersuites
  Update CTR documentation
  Use zeroize function from new platform_util
  Move to new header style for ALT implementations
  Add ifdef for selftest in header file
  Fix typo in comments
  Use more appropriate type for local variable
  Remove useless parameter from function
  Wipe sensitive info from the stack
  ...
2018-06-07 12:02:55 +02:00
Manuel Pégourié-Gonnard 2adb375c50 Add option to avoid 64-bit multiplication
Motivation is similar to NO_UDBL_DIVISION.

The alternative implementation of 64-bit mult is straightforward and aims at
obvious correctness. Also, visual examination of the generate assembly show
that it's quite efficient with clang, armcc5 and arm-clang. However current
GCC generates fairly inefficient code for it.

I tried to rework the code in order to make GCC generate more efficient code.
Unfortunately the only way to do that is to get rid of 64-bit add and handle
the carry manually, but this causes other compilers to generate less efficient
code with branches, which is not acceptable from a side-channel point of view.

So let's keep the obvious code that works for most compilers and hope future
versions of GCC learn to manage registers in a sensible way in that context.

See https://bugs.launchpad.net/gcc-arm-embedded/+bug/1775263
2018-06-07 11:05:33 +02:00
Simon Butcher d5a09f1e68 Updated version number to 2.10.0 for release 2018-06-06 14:52:00 +01:00
Simon Butcher 6e962b2762 Fix file permissions for ssl.h
Correct the file permissions for ssl.h which were inadvertently made executable
in PR#1402
2018-06-05 10:25:04 +01:00
Manuel Pégourié-Gonnard d2db09f435 Fix typo in documentation 2018-06-04 12:31:12 +02:00
Manuel Pégourié-Gonnard e533b22153 Fix ordering and repetitions in config.h 2018-06-04 12:23:19 +02:00
Manuel Pégourié-Gonnard 3dc62a0a9b chachapoly: force correct mode for integrated API
Allowing DECRYPT with crypt_and_tag is a risk as people might fail to check
the tag correctly (or at all). So force them to use auth_decrypt() instead.

See also https://github.com/ARMmbed/mbedtls/pull/1668
2018-06-04 12:18:19 +02:00
Simon Butcher 2041a31ca8 Merge remote-tracking branch 'public/pr/1402' into development 2018-06-01 19:27:23 +01:00
Simon Butcher 246cb05a92 Merge remote-tracking branch 'public/pr/1410' into development 2018-06-01 19:25:56 +01:00
Simon Butcher b02f7893f6 Merge remote-tracking branch 'public/pr/1470' into development 2018-06-01 19:20:25 +01:00
Zach van Rijn e7d3f8e2ea Fix MicroBlaze register typo. 2018-05-25 08:02:18 -04:00
Manuel Pégourié-Gonnard be78b07015 chachapoly: warn against piecewise decryption 2018-05-24 19:33:59 +02:00
Manuel Pégourié-Gonnard fa0c47d4c8 Fix typo in doc and copy missing warning 2018-05-24 19:02:06 +02:00
Manuel Pégourié-Gonnard 98fae6d800 ChaCha20: move working state from ctx to stack
No need to keep it around.
2018-05-24 17:38:31 +02:00
Manuel Pégourié-Gonnard c22e61a081 Add ifdef for selftest in header file
See https://github.com/ARMmbed/mbedtls/pull/975
2018-05-24 16:54:57 +02:00
Manuel Pégourié-Gonnard 3798b6be6b Add some error codes and merge others
- need HW failure codes too
- re-use relevant poly codes for chachapoly to save on limited space

Values were chosen to leave 3 free slots at the end of the NET odd range.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 32902e6eae cipher: handle ChaCha20 as a stream cipher
That's what it is. So we shouldn't set a block size != 1.

While at it, move call to chachapoly_update() closer to the one for GCM, as
they are similar (AEAD).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b8bd80aa02 Add FEATURE_NOT_AVAILABLE error codes. 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 5ef92d309a chachapoly: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the GCM API that
very comparable to it, so switch to (pointer, len) for consistency.

Note that the crypt_and_tag() and auth_decrypt() functions were already using
the same convention as GCM, so this also increases intra-module consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b1ac5e7842 poly1305: adjust parameter order
This module used (len, pointer) while (pointer, len) is more common in the
rest of the library, in particular it's what's used in the CMAC API that is
very comparable to Poly1305, so switch to (pointer, len) for consistency.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard b500f8b911 Update documentation to match new guidelines. 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 346b8d5050 chachapoly: split crypt_and_mac() to match GCM API
In addition to making the APIs of the various AEAD modules more consistent
with each other, it's useful to have an auth_decrypt() function so that we can
safely check the tag ourselves, as the user might otherwise do it in an
insecure way (or even forget to do it altogether).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 56206c4db1 Remove semi-internal chacha20_keystrem_block()
It's actually easy to implement chachapoly without it, so let's not clutter
the API (and avoid adding a burden to alt implementers).
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 502f189253 ChaCha20: allow in-place en/decryption
All other ciphers so far allow this. In particular, the TLS layer depends on
this, despite what's documented in the Cipher layer, see
https://github.com/ARMmbed/mbedtls/issues/1085
https://github.com/ARMmbed/mbedtls/issues/1087

Also, this can be useful for implementing chachapoly without depending on the
semi-internal function keystream_block(), see next commit.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard dca3a5d884 Rename aead_chacha20_poly1305 to chachapoly
While the old name is explicit and aligned with the RFC, it's also very long,
so with the mbedtls_ prefix prepended we get a 31-char prefix to each
identifier, which quickly conflicts with our 80-column policy.

The new name is shorter, it's what a lot of people use when speaking about
that construction anyway, and hopefully should not introduce confusion at
it seems unlikely that variants other than 20/1305 be standardised in the
foreseeable future.
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 4edd51babe Rename poly1305_setkey() to poly1305_starts()
For consistency with the existing CMAC and HMAC APIs
2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 823b7a0ce7 Add missing extern "C" guard to new headers 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard 95d0bdbd84 Adapt the _ALT style to our new standard
- in .h files: only put the context declaration inside the #ifdef _ALT
  (this was changed in 2.9.0, ie after the original PR)
- in .c file: only leave selftest out of _ALT: even though some function are
  trivial to build from other parts, alt implementors might want to go another
way about them (for efficiency or other reasons)
2018-05-24 13:37:31 +02:00
Daniel King 8fe4701abe Add ChaCha20+Poly1305 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King a310c5e42b Allow some parameters to be NULL if the length is 0.
This change permits users of the ChaCha20/Poly1305 algorithms
(and the AEAD construction thereof) to pass NULL pointers for
data that they do not need, and avoids the need to provide a valid
buffer for data that is not used.
2018-05-24 13:37:31 +02:00
Daniel King b8025c5826 Implement AEAD-ChaCha20-Poly1305.
This implementation is based off the description in RFC 7539.

The ChaCha20 code is also updated to provide a means of generating
keystream blocks with arbitrary counter values. This is used to
generated the one-time Poly1305 key in the AEAD construction.
2018-05-24 13:37:31 +02:00
Daniel King adc32c0b50 Add Poly1305 authenticator algorithm (RFC 7539)
Test vectors are included from RFC 7539.

Poly1305 is also added to the benchmark program.
2018-05-24 13:37:31 +02:00
Daniel King bd92062269 Add ChaCha20 to the Cipher module 2018-05-24 13:37:31 +02:00
Daniel King 34b822ce7b Initial implementation of ChaCha20 2018-05-24 13:37:31 +02:00
Manuel Pégourié-Gonnard d0f143b1c9 Update CTR doc for the 64-bit block cipher
- constants need adjustment
- don't mention "random nonces" as the space is too small
2018-05-24 12:01:58 +02:00
Manuel Pégourié-Gonnard 4f24e9502e Update CTR doc for other 128-bit block ciphers 2018-05-24 11:59:30 +02:00
Manuel Pégourié-Gonnard f5842864d8 Slightly tune ARIA CTR documentation 2018-05-24 11:51:58 +02:00
Moran Peker a64fba41fb Remove double declaration of mbedtls_ssl_list_ciphersuites
Raised by TrinityTonic. #1359
2018-05-23 18:13:05 +01:00
Simon Butcher 2f3a581567 Merge remote-tracking branch 'public/pr/1178' into development 2018-05-23 16:15:13 +01:00
Manuel Pégourié-Gonnard 8a1b2c8806 Update CTR documentation 2018-05-23 13:26:22 +02:00
Manuel Pégourié-Gonnard a3712beb9b Merge branch 'development' into iotssl-1941-aria-ciphersuites
* development: (504 commits)
  Fix minor code style issues
  Add the uodate to the soversion to the ChangeLog
  Fix the ChangeLog for clarity, english and credit
  Update version to 2.9.0
  ecp: Fix binary compatibility with group ID
  Changelog entry
  Change accepted ciphersuite versions when parsing server hello
  Remove preprocessor directives around platform_util.h include
  Fix style for mbedtls_mpi_zeroize()
  Improve mbedtls_platform_zeroize() docs
  mbedtls_zeroize -> mbedtls_platform_zeroize in docs
  Reword config.h docs for MBEDTLS_PLATFORM_ZEROIZE_ALT
  Organize CMakeLists targets in alphabetical order
  Organize output objs in alfabetical order in Makefile
  Regenerate errors after ecp.h updates
  Update ecp.h
  Change variable bytes_written to header_bytes in record decompression
  Update ecp.h
  Update ecp.h
  Update ecp.h
  ...
2018-05-22 15:58:50 +02:00
Manuel Pégourié-Gonnard 0960b80d53 Move to new header style for ALT implementations
See https://github.com/ARMmbed/mbedtls-restricted/pull/357
2018-05-22 15:22:07 +02:00
Manuel Pégourié-Gonnard c0893122df Add ifdef for selftest in header file
See https://github.com/ARMmbed/mbedtls/pull/975
2018-05-22 15:17:20 +02:00
Manuel Pégourié-Gonnard 08c337d058 Remove useless parameter from function 2018-05-22 13:18:01 +02:00
Manuel Pégourié-Gonnard 9d410733c2 Fix typos from copy-pasting 2018-05-22 12:49:22 +02:00
Darryl Green 11999bb72e Fix minor code style issues 2018-05-15 09:21:57 +01:00
Jaeden Amero a331e0f0af Merge remote-tracking branch 'upstream-restricted/pr/421' into development-proposed 2018-05-04 14:39:24 +01:00
Jaeden Amero fb19399f41 Merge remote-tracking branch 'upstream-public/pr/1498' into development-proposed 2018-05-04 11:09:14 +01:00
Jaeden Amero 7d7bad6b1f Update version to 2.9.0
Bump SOVERSION for parity with 2.7.2 and 2.7.3.
2018-04-30 09:58:33 +01:00
Jaeden Amero fe0669f52a ecp: Fix binary compatibility with group ID
We naturally added the new Curve448 ECP group ID in alphabetical order in
the mbedtls_ecp_group_id enum. However, this causes binary incompatibility
issues as previous binaries will use values for groups that now have a
different meaning. For example, MBEDTLS_ECP_DP_SECP192K1, old value 10,
would mean Curve448 (MBEDTLS_ECP_DP_CURVE448) and the wrong group ID used.

Fix the binary compatibility issue by adding new enum entries to the end of
the enum, even though this isn't so great for readbility as the list is no
longer in alphabetical order. However, the list wasn't perfectly in
alphabetical order before anyway.
2018-04-27 18:20:31 +01:00