lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Merge remote-tracking branch 'development' into psa_crypto_config-in-full

Browse Source 
Conflicts:
* `include/psa/crypto_sizes.h`: the addition of the `u` suffix in this branch
  conflicts with the rework of the calculation of `PSA_HASH_MAX_SIZE` and
  `PSA_HMAC_MAX_HASH_BLOCK_SIZE` in `development`. Use the new definitions
  from `development`, and add the `u` suffix to the relevant constants.
This commit is contained in:
Gilles Peskine
2023-08-30 18:32:57 +02:00
parent ead1766b5f 29bf911058
commit 03e9dea30b
121 changed files with 3699 additions and 1307 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
library/aes.c
View File

@ -33,6 +33,36 @@
#include "mbedtls/platform.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
#if defined(__aarch64__)
#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
#endif
#endif
#if defined(__amd64__) || defined(__x86_64__) || \
((defined(_M_X64) || defined(_M_AMD64)) && !defined(_M_ARM64EC))
#if !defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
#endif
#endif
#if defined(__i386__) || defined(_M_IX86)
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY) && !defined(MBEDTLS_AESNI_C)
#error "MBEDTLS_AES_USE_HARDWARE_ONLY defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PADLOCK_C)
#if !defined(MBEDTLS_HAVE_ASM)
#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#error "MBEDTLS_AES_USE_HARDWARE_ONLY cannot be defined when " \
"MBEDTLS_PADLOCK_C is set"
#endif
#endif
#endif
#if defined(MBEDTLS_PADLOCK_C)
#include "padlock.h"
#endif
@ -47,7 +77,7 @@
#if !defined(MBEDTLS_AES_ALT)
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
static int aes_padlock_ace = -1;
#endif
@ -542,7 +572,7 @@ void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
* Note that the offset is in units of elements of buf, i.e. 32-bit words,
* i.e. an offset of 1 means 4 bytes and so on.
*/
#if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \
#if (defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)) || \
(defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
#define MAY_NEED_TO_ALIGN
#endif
@ -554,7 +584,7 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
#if defined(MAY_NEED_TO_ALIGN)
int align_16_bytes = 0;
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace == -1) {
aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
}
@ -595,7 +625,6 @@ static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits)
{
unsigned int i;
uint32_t *RK;
switch (keybits) {
@ -624,19 +653,20 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
return mbedtls_aesce_setkey_enc((unsigned char *) RK, key, keybits);
}
#endif
for (i = 0; i < (keybits >> 5); i++) {
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
for (unsigned int i = 0; i < (keybits >> 5); i++) {
RK[i] = MBEDTLS_GET_UINT32_LE(key, i << 2);
}
switch (ctx->nr) {
case 10:
for (i = 0; i < 10; i++, RK += 4) {
for (unsigned int i = 0; i < 10; i++, RK += 4) {
RK[4] = RK[0] ^ RCON[i] ^
((uint32_t) FSb[MBEDTLS_BYTE_1(RK[3])]) ^
((uint32_t) FSb[MBEDTLS_BYTE_2(RK[3])] << 8) ^
@ -652,7 +682,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
#if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH)
case 12:
for (i = 0; i < 8; i++, RK += 6) {
for (unsigned int i = 0; i < 8; i++, RK += 6) {
RK[6] = RK[0] ^ RCON[i] ^
((uint32_t) FSb[MBEDTLS_BYTE_1(RK[5])]) ^
((uint32_t) FSb[MBEDTLS_BYTE_2(RK[5])] << 8) ^
@ -669,7 +699,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
case 14:
for (i = 0; i < 7; i++, RK += 8) {
for (unsigned int i = 0; i < 7; i++, RK += 8) {
RK[8] = RK[0] ^ RCON[i] ^
((uint32_t) FSb[MBEDTLS_BYTE_1(RK[7])]) ^
((uint32_t) FSb[MBEDTLS_BYTE_2(RK[7])] << 8) ^
@ -695,6 +725,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
}
return 0;
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
}
#endif /* !MBEDTLS_AES_SETKEY_ENC_ALT */
@ -705,10 +736,13 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits)
{
int i, j, ret;
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
uint32_t *SK;
#endif
int ret;
mbedtls_aes_context cty;
uint32_t *RK;
uint32_t *SK;
mbedtls_aes_init(&cty);
@ -731,7 +765,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
mbedtls_aesce_inverse_key(
(unsigned char *) RK,
(const unsigned char *) (cty.buf + cty.rk_offset),
@ -740,15 +774,16 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
}
#endif
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
SK = cty.buf + cty.rk_offset + cty.nr * 4;
*RK++ = *SK++;
*RK++ = *SK++;
*RK++ = *SK++;
*RK++ = *SK++;
for (i = ctx->nr - 1, SK -= 8; i > 0; i--, SK -= 8) {
for (j = 0; j < 4; j++, SK++) {
SK -= 8;
for (int i = ctx->nr - 1; i > 0; i--, SK -= 8) {
for (int j = 0; j < 4; j++, SK++) {
*RK++ = AES_RT0(FSb[MBEDTLS_BYTE_0(*SK)]) ^
AES_RT1(FSb[MBEDTLS_BYTE_1(*SK)]) ^
AES_RT2(FSb[MBEDTLS_BYTE_2(*SK)]) ^
@ -760,7 +795,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
*RK++ = *SK++;
*RK++ = *SK++;
*RK++ = *SK++;
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
exit:
mbedtls_aes_free(&cty);
@ -1057,22 +1092,25 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
return mbedtls_aesce_crypt_ecb(ctx, mode, input, output);
}
#endif
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace > 0) {
return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
}
#endif
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
if (mode == MBEDTLS_AES_ENCRYPT) {
return mbedtls_internal_aes_encrypt(ctx, input, output);
} else {
return mbedtls_internal_aes_decrypt(ctx, input, output);
}
#endif
}
#if defined(MBEDTLS_CIPHER_MODE_CBC)
@ -1103,7 +1141,7 @@ int mbedtls_aes_crypt_cbc(mbedtls_aes_context *ctx,
return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
}
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (aes_padlock_ace > 0) {
if (mbedtls_padlock_xcryptcbc(ctx, mode, length, iv, input, output) == 0) {
return 0;
@ -1855,29 +1893,33 @@ int mbedtls_aes_self_test(int verbose)
#if defined(MBEDTLS_AES_ALT)
mbedtls_printf(" AES note: alternative implementation.\n");
#else /* MBEDTLS_AES_ALT */
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
mbedtls_printf(" AES note: using VIA Padlock.\n");
} else
#endif
#if defined(MBEDTLS_AESNI_HAVE_CODE)
#if MBEDTLS_AESNI_HAVE_CODE == 1
mbedtls_printf(" AES note: AESNI code present (assembly implementation).\n");
#elif MBEDTLS_AESNI_HAVE_CODE == 2
mbedtls_printf(" AES note: AESNI code present (intrinsics implementation).\n");
#else
#error Unrecognised value for MBEDTLS_AESNI_HAVE_CODE
#error "Unrecognised value for MBEDTLS_AESNI_HAVE_CODE"
#endif
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
mbedtls_printf(" AES note: using AESNI.\n");
} else
#endif
#if defined(MBEDTLS_VIA_PADLOCK_HAVE_CODE)
if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
mbedtls_printf(" AES note: using VIA Padlock.\n");
} else
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
mbedtls_printf(" AES note: using AESCE.\n");
} else
#endif
mbedtls_printf(" AES note: built-in implementation.\n");
{
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
mbedtls_printf(" AES note: built-in implementation.\n");
#endif
}
#endif /* MBEDTLS_AES_ALT */
}

36
library/aesce.c
View File

@ -94,25 +94,39 @@
#endif /* !(__ARM_FEATURE_CRYPTO || __ARM_FEATURE_AES) ||
MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG */
#if defined(__linux__)
#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#include <asm/hwcap.h>
#include <sys/auxv.h>
#endif
signed char mbedtls_aesce_has_support_result = -1;
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
/*
* AES instruction support detection routine
*/
int mbedtls_aesce_has_support(void)
int mbedtls_aesce_has_support_impl(void)
{
#if defined(__linux__)
unsigned long auxval = getauxval(AT_HWCAP);
return (auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
(HWCAP_ASIMD | HWCAP_AES);
#else
/* Assume AES instructions are supported. */
return 1;
#endif
/* To avoid many calls to getauxval, cache the result. This is
* thread-safe, because we store the result in a char so cannot
* be vulnerable to non-atomic updates.
* It is possible that we could end up setting result more than
* once, but that is harmless.
*/
if (mbedtls_aesce_has_support_result == -1) {
unsigned long auxval = getauxval(AT_HWCAP);
if ((auxval & (HWCAP_ASIMD | HWCAP_AES)) ==
(HWCAP_ASIMD | HWCAP_AES)) {
mbedtls_aesce_has_support_result = 1;
} else {
mbedtls_aesce_has_support_result = 0;
}
}
return mbedtls_aesce_has_support_result;
}
#endif
#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
/* Single round of AESCE encryption */
#define AESCE_ENCRYPT_ROUND \

19
library/aesce.h
View File

@ -42,12 +42,29 @@
extern "C" {
#endif
#if defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
extern signed char mbedtls_aesce_has_support_result;
/**
* \brief Internal function to detect the crypto extension in CPUs.
*
* \return 1 if CPU has support for the feature, 0 otherwise
*/
int mbedtls_aesce_has_support(void);
int mbedtls_aesce_has_support_impl(void);
#define MBEDTLS_AESCE_HAS_SUPPORT() (mbedtls_aesce_has_support_result == -1 ? \
mbedtls_aesce_has_support_impl() : \
mbedtls_aesce_has_support_result)
#else /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
/* If we are not on Linux, we can't detect support so assume that it's supported.
* Similarly, assume support if MBEDTLS_AES_USE_HARDWARE_ONLY is set.
*/
#define MBEDTLS_AESCE_HAS_SUPPORT() 1
#endif /* defined(__linux__) && !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) */
/**
* \brief Internal AES-ECB block encryption and decryption

2
library/aesni.c
View File

@ -41,6 +41,7 @@
#include <immintrin.h>
#endif
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
/*
* AES-NI support detection routine
*/
@ -70,6 +71,7 @@ int mbedtls_aesni_has_support(unsigned int what)
return (c & what) != 0;
}
#endif /* !MBEDTLS_AES_USE_HARDWARE_ONLY */
#if MBEDTLS_AESNI_HAVE_CODE == 2

26
library/aesni.h
View File

@ -35,13 +35,20 @@
/* Can we do AESNI with inline assembly?
* (Only implemented with gas syntax, only for 64-bit.)
*/
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
(defined(__amd64__) || defined(__x86_64__)) && \
!defined(MBEDTLS_HAVE_X86_64)
#if !defined(MBEDTLS_HAVE_X86_64) && \
(defined(__amd64__) || defined(__x86_64__) || \
defined(_M_X64) || defined(_M_AMD64)) && \
!defined(_M_ARM64EC)
#define MBEDTLS_HAVE_X86_64
#endif
#if defined(MBEDTLS_AESNI_C)
#if !defined(MBEDTLS_HAVE_X86) && \
(defined(__i386__) || defined(_M_IX86))
#define MBEDTLS_HAVE_X86
#endif
#if defined(MBEDTLS_AESNI_C) && \
(defined(MBEDTLS_HAVE_X86_64) || defined(MBEDTLS_HAVE_X86))
/* Can we do AESNI with intrinsics?
* (Only implemented with certain compilers, only for certain targets.)
@ -67,8 +74,13 @@
* In the long run, we will likely remove the assembly implementation. */
#if defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
#elif defined(MBEDTLS_HAVE_X86_64)
#elif defined(MBEDTLS_HAVE_ASM) && \
defined(__GNUC__) && defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#elif defined(__GNUC__)
# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C"
#else
#error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available"
#endif
#if defined(MBEDTLS_AESNI_HAVE_CODE)
@ -88,7 +100,11 @@ extern "C" {
*
* \return 1 if CPU has support for the feature, 0 otherwise
*/
#if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
int mbedtls_aesni_has_support(unsigned int what);
#else
#define mbedtls_aesni_has_support(what) 1
#endif
/**
* \brief Internal AES-NI AES-ECB block encryption and decryption

83
library/bignum.c
View File

@ -1826,8 +1826,9 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
* and squarings. Firstly, when multiplying by an element of the window
* W[i], we do a constant-trace table lookup to obfuscate i. This leaves
* squarings as having a different memory access patterns from other
* multiplications. So secondly, we put the accumulator X in the table as
* well, and also do a constant-trace table lookup to multiply by X.
* multiplications. So secondly, we put the accumulator in the table as
* well, and also do a constant-trace table lookup to multiply by the
* accumulator which is W[x_index].
*
* This way, all multiplications take the form of a lookup-and-multiply.
* The number of lookup-and-multiply operations inside each iteration of
@ -1840,19 +1841,16 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
* observe both memory accesses and branches. However, branch prediction
* exploitation typically requires many traces of execution over the same
* data, which is defeated by randomized blinding.
*
* To achieve this, we make a copy of X and we use the table entry in each
* calculation from this point on.
*/
const size_t x_index = 0;
mbedtls_mpi_init(&W[x_index]);
mbedtls_mpi_copy(&W[x_index], X);
j = N->n + 1;
/* All W[i] and X must have at least N->n limbs for the mpi_montmul()
* and mpi_montred() calls later. Here we ensure that W[1] and X are
* large enough, and later we'll grow other W[i] to the same length.
* They must not be shrunk midway through this function!
/* All W[i] including the accumulator must have at least N->n limbs for
* the mpi_montmul() and mpi_montred() calls later. Here we ensure that
* W[1] and the accumulator W[x_index] are large enough. later we'll grow
* other W[i] to the same length. They must not be shrunk midway through
* this function!
*/
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
@ -2033,7 +2031,7 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
/*
* Load the result in the output variable.
*/
mbedtls_mpi_copy(X, &W[x_index]);
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index]));
cleanup:
@ -2311,29 +2309,30 @@ cleanup:
#if defined(MBEDTLS_GENPRIME)
static const int small_prime[] =
{
3, 5, 7, 11, 13, 17, 19, 23,
29, 31, 37, 41, 43, 47, 53, 59,
61, 67, 71, 73, 79, 83, 89, 97,
101, 103, 107, 109, 113, 127, 131, 137,
139, 149, 151, 157, 163, 167, 173, 179,
181, 191, 193, 197, 199, 211, 223, 227,
229, 233, 239, 241, 251, 257, 263, 269,
271, 277, 281, 283, 293, 307, 311, 313,
317, 331, 337, 347, 349, 353, 359, 367,
373, 379, 383, 389, 397, 401, 409, 419,
421, 431, 433, 439, 443, 449, 457, 461,
463, 467, 479, 487, 491, 499, 503, 509,
521, 523, 541, 547, 557, 563, 569, 571,
577, 587, 593, 599, 601, 607, 613, 617,
619, 631, 641, 643, 647, 653, 659, 661,
673, 677, 683, 691, 701, 709, 719, 727,
733, 739, 743, 751, 757, 761, 769, 773,
787, 797, 809, 811, 821, 823, 827, 829,
839, 853, 857, 859, 863, 877, 881, 883,
887, 907, 911, 919, 929, 937, 941, 947,
953, 967, 971, 977, 983, 991, 997, -103
/* Gaps between primes, starting at 3. https://oeis.org/A001223 */
static const unsigned char small_prime_gaps[] = {
2, 2, 4, 2, 4, 2, 4, 6,
2, 6, 4, 2, 4, 6, 6, 2,
6, 4, 2, 6, 4, 6, 8, 4,
2, 4, 2, 4, 14, 4, 6, 2,
10, 2, 6, 6, 4, 6, 6, 2,
10, 2, 4, 2, 12, 12, 4, 2,
4, 6, 2, 10, 6, 6, 6, 2,
6, 4, 2, 10, 14, 4, 2, 4,
14, 6, 10, 2, 4, 6, 8, 6,
6, 4, 6, 8, 4, 8, 10, 2,
10, 2, 6, 4, 6, 8, 4, 2,
4, 12, 8, 4, 8, 4, 6, 12,
2, 18, 6, 10, 6, 6, 2, 6,
10, 6, 6, 2, 6, 6, 4, 2,
12, 10, 2, 4, 6, 6, 2, 12,
4, 6, 8, 10, 8, 10, 8, 6,
6, 4, 8, 6, 4, 8, 4, 14,
10, 12, 2, 10, 2, 4, 2, 10,
14, 4, 2, 4, 14, 4, 2, 4,
20, 4, 8, 10, 8, 4, 6, 6,
14, 4, 6, 6, 8, 6, /*reaches 997*/
0 /* the last entry is effectively unused */
};
/*
@ -2350,20 +2349,20 @@ static int mpi_check_small_factors(const mbedtls_mpi *X)
int ret = 0;
size_t i;
mbedtls_mpi_uint r;
unsigned p = 3; /* The first odd prime */
if ((X->p[0] & 1) == 0) {
return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
}
for (i = 0; small_prime[i] > 0; i++) {
if (mbedtls_mpi_cmp_int(X, small_prime[i]) <= 0) {
return 1;
}
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, small_prime[i]));
for (i = 0; i < sizeof(small_prime_gaps); p += small_prime_gaps[i], i++) {
MBEDTLS_MPI_CHK(mbedtls_mpi_mod_int(&r, X, p));
if (r == 0) {
return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
if (mbedtls_mpi_cmp_int(X, p) == 0) {
return 1;
} else {
return MBEDTLS_ERR_MPI_NOT_ACCEPTABLE;
}
}
}

4
library/bignum_mod.c
View File

@ -19,7 +19,7 @@
#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
#include <string.h>
@ -403,4 +403,4 @@ cleanup:
return ret;
}
#endif /* MBEDTLS_BIGNUM_C */
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */

4
library/bignum_mod_raw.c
View File

@ -19,7 +19,7 @@
#include "common.h"
#if defined(MBEDTLS_BIGNUM_C)
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ECP_WITH_MPI_UINT)
#include <string.h>
@ -285,4 +285,4 @@ void mbedtls_mpi_mod_raw_neg(mbedtls_mpi_uint *X,
(void) mbedtls_mpi_core_add_if(X, N->p, N->limbs, (unsigned) borrow);
}
#endif /* MBEDTLS_BIGNUM_C */
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ECP_WITH_MPI_UINT */

2
library/common.h
View File

@ -288,7 +288,7 @@ static inline void mbedtls_xor_no_simd(unsigned char *r,
/* Normal case (64-bit pointers): use "r" as the constraint for pointer operands to asm */
#define MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT "r"
#else
#error Unrecognised pointer size for aarch64
#error "Unrecognised pointer size for aarch64"
#endif
#endif

15
library/constant_time.c
View File

@ -82,7 +82,7 @@ static inline uint32_t mbedtls_get_unaligned_volatile_uint32(volatile const unsi
#elif defined(MBEDTLS_CT_AARCH64_ASM)
asm volatile ("ldr %w0, [%1]" : "=r" (r) : MBEDTLS_ASM_AARCH64_PTR_CONSTRAINT(p) :);
#else
#error No assembly defined for mbedtls_get_unaligned_volatile_uint32
#error "No assembly defined for mbedtls_get_unaligned_volatile_uint32"
#endif
return r;
}
@ -150,8 +150,13 @@ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
const unsigned char *src2,
size_t len)
{
#if defined(MBEDTLS_CT_SIZE_64)
const uint64_t mask = (uint64_t) condition;
const uint64_t not_mask = (uint64_t) ~mbedtls_ct_compiler_opaque(condition);
#else
const uint32_t mask = (uint32_t) condition;
const uint32_t not_mask = (uint32_t) ~mbedtls_ct_compiler_opaque(condition);
#endif
/* If src2 is NULL, setup src2 so that we read from the destination address.
*
@ -165,11 +170,19 @@ void mbedtls_ct_memcpy_if(mbedtls_ct_condition_t condition,
/* dest[i] = c1 == c2 ? src[i] : dest[i] */
size_t i = 0;
#if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS)
#if defined(MBEDTLS_CT_SIZE_64)
for (; (i + 8) <= len; i += 8) {
uint64_t a = mbedtls_get_unaligned_uint64(src1 + i) & mask;
uint64_t b = mbedtls_get_unaligned_uint64(src2 + i) & not_mask;
mbedtls_put_unaligned_uint64(dest + i, a | b);
}
#else
for (; (i + 4) <= len; i += 4) {
uint32_t a = mbedtls_get_unaligned_uint32(src1 + i) & mask;
uint32_t b = mbedtls_get_unaligned_uint32(src2 + i) & not_mask;
mbedtls_put_unaligned_uint32(dest + i, a | b);
}
#endif /* defined(MBEDTLS_CT_SIZE_64) */
#endif /* MBEDTLS_EFFICIENT_UNALIGNED_ACCESS */
for (; i < len; i++) {
dest[i] = (src1[i] & mask) | (src2[i] & not_mask);

143
library/constant_time_impl.h
View File

@ -48,8 +48,14 @@
#pragma GCC diagnostic ignored "-Wredundant-decls"
#endif
/* Disable asm under Memsan because it confuses Memsan and generates false errors */
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN)
/* Disable asm under Memsan because it confuses Memsan and generates false errors.
*
* We also disable under Valgrind by default, because it's more useful
* for Valgrind to test the plain C implementation. MBEDTLS_TEST_CONSTANT_FLOW_ASM //no-check-names
* may be set to permit building asm under Valgrind.
*/
#if defined(MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN) || \
(defined(MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND) && !defined(MBEDTLS_TEST_CONSTANT_FLOW_ASM)) //no-check-names
#define MBEDTLS_CT_NO_ASM
#elif defined(__has_feature)
#if __has_feature(memory_sanitizer)
@ -109,6 +115,28 @@ static inline mbedtls_ct_uint_t mbedtls_ct_compiler_opaque(mbedtls_ct_uint_t x)
#endif
}
/*
* Selecting unified syntax is needed for gcc, and harmless on clang.
*
* This is needed because on Thumb 1, condition flags are always set, so
* e.g. "negs" is supported but "neg" is not (on Thumb 2, both exist).
*
* Under Thumb 1 unified syntax, only the "negs" form is accepted, and
* under divided syntax, only the "neg" form is accepted. clang only
* supports unified syntax.
*
* On Thumb 2 and Arm, both compilers are happy with the "s" suffix,
* although we don't actually care about setting the flags.
*
* For gcc, restore divided syntax afterwards - otherwise old versions of gcc
* seem to apply unified syntax globally, which breaks other asm code.
*/
#if !defined(__clang__)
#define RESTORE_ASM_SYNTAX ".syntax divided \n\t"
#else
#define RESTORE_ASM_SYNTAX
#endif
/* Convert a number into a condition in constant time. */
static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
{
@ -120,6 +148,34 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
* Otherwise, we define a plain C fallback which (in May 2023) does not get optimised into
* conditional instructions or branches by trunk clang, gcc, or MSVC v19.
*/
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
mbedtls_ct_uint_t s;
asm volatile ("neg %x[s], %x[x] \n\t"
"orr %x[x], %x[s], %x[x] \n\t"
"asr %x[x], %x[x], 63"
:
[s] "=&r" (s),
[x] "+&r" (x)
:
:
);
return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
uint32_t s;
asm volatile (".syntax unified \n\t"
"negs %[s], %[x] \n\t"
"orrs %[x], %[x], %[s] \n\t"
"asrs %[x], %[x], #31 \n\t"
RESTORE_ASM_SYNTAX
:
[s] "=&l" (s),
[x] "+&l" (x)
:
:
"cc" /* clobbers flag bits */
);
return (mbedtls_ct_condition_t) x;
#else
const mbedtls_ct_uint_t xo = mbedtls_ct_compiler_opaque(x);
#if defined(_MSC_VER)
/* MSVC has a warning about unary minus on unsigned, but this is
@ -127,24 +183,98 @@ static inline mbedtls_ct_condition_t mbedtls_ct_bool(mbedtls_ct_uint_t x)
#pragma warning( push )
#pragma warning( disable : 4146 )
#endif
return (mbedtls_ct_condition_t) (((mbedtls_ct_int_t) ((-xo) | -(xo >> 1))) >>
(MBEDTLS_CT_SIZE - 1));
// y is negative (i.e., top bit set) iff x is non-zero
mbedtls_ct_int_t y = (-xo) | -(xo >> 1);
// extract only the sign bit of y so that y == 1 (if x is non-zero) or 0 (if x is zero)
y = (((mbedtls_ct_uint_t) y) >> (MBEDTLS_CT_SIZE - 1));
// -y has all bits set (if x is non-zero), or all bits clear (if x is zero)
return (mbedtls_ct_condition_t) (-y);
#if defined(_MSC_VER)
#pragma warning( pop )
#endif
#endif
}
static inline mbedtls_ct_uint_t mbedtls_ct_if(mbedtls_ct_condition_t condition,
mbedtls_ct_uint_t if1,
mbedtls_ct_uint_t if0)
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
asm volatile ("and %x[if1], %x[if1], %x[condition] \n\t"
"mvn %x[condition], %x[condition] \n\t"
"and %x[condition], %x[condition], %x[if0] \n\t"
"orr %x[condition], %x[if1], %x[condition]"
:
[condition] "+&r" (condition),
[if1] "+&r" (if1)
:
[if0] "r" (if0)
:
);
return (mbedtls_ct_uint_t) condition;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
asm volatile (".syntax unified \n\t"
"ands %[if1], %[if1], %[condition] \n\t"
"mvns %[condition], %[condition] \n\t"
"ands %[condition], %[condition], %[if0] \n\t"
"orrs %[condition], %[if1], %[condition] \n\t"
RESTORE_ASM_SYNTAX
:
[condition] "+&l" (condition),
[if1] "+&l" (if1)
:
[if0] "l" (if0)
:
"cc"
);
return (mbedtls_ct_uint_t) condition;
#else
mbedtls_ct_condition_t not_cond =
(mbedtls_ct_condition_t) (~mbedtls_ct_compiler_opaque(condition));
return (mbedtls_ct_uint_t) ((condition & if1) | (not_cond & if0));
#endif
}
static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
{
#if defined(MBEDTLS_CT_AARCH64_ASM) && (defined(MBEDTLS_CT_SIZE_32) || defined(MBEDTLS_CT_SIZE_64))
uint64_t s1;
asm volatile ("eor %x[s1], %x[y], %x[x] \n\t"
"sub %x[x], %x[x], %x[y] \n\t"
"bic %x[x], %x[x], %x[s1] \n\t"
"and %x[s1], %x[s1], %x[y] \n\t"
"orr %x[s1], %x[x], %x[s1] \n\t"
"asr %x[x], %x[s1], 63"
: [s1] "=&r" (s1), [x] "+&r" (x)
: [y] "r" (y)
:
);
return (mbedtls_ct_condition_t) x;
#elif defined(MBEDTLS_CT_ARM_ASM) && defined(MBEDTLS_CT_SIZE_32)
uint32_t s1;
asm volatile (
".syntax unified \n\t"
#if defined(__thumb__) && !defined(__thumb2__)
"movs %[s1], %[x] \n\t"
"eors %[s1], %[s1], %[y] \n\t"
#else
"eors %[s1], %[x], %[y] \n\t"
#endif
"subs %[x], %[x], %[y] \n\t"
"bics %[x], %[x], %[s1] \n\t"
"ands %[y], %[s1], %[y] \n\t"
"orrs %[x], %[x], %[y] \n\t"
"asrs %[x], %[x], #31 \n\t"
RESTORE_ASM_SYNTAX
: [s1] "=&l" (s1), [x] "+&l" (x), [y] "+&l" (y)
:
:
"cc"
);
return (mbedtls_ct_condition_t) x;
#else
/* Ensure that the compiler cannot optimise the following operations over x and y,
* even if it knows the value of x and y.
*/
@ -173,6 +303,7 @@ static inline mbedtls_ct_condition_t mbedtls_ct_uint_lt(mbedtls_ct_uint_t x, mbe
// Convert to a condition (i.e., all bits set iff non-zero)
return mbedtls_ct_bool(ret);
#endif
}
static inline mbedtls_ct_condition_t mbedtls_ct_uint_ne(mbedtls_ct_uint_t x, mbedtls_ct_uint_t y)
@ -189,8 +320,8 @@ static inline unsigned char mbedtls_ct_uchar_in_range_if(unsigned char low,
unsigned char c,
unsigned char t)
{
const unsigned char co = (const unsigned char) mbedtls_ct_compiler_opaque(c);
const unsigned char to = (const unsigned char) mbedtls_ct_compiler_opaque(t);
const unsigned char co = (unsigned char) mbedtls_ct_compiler_opaque(c);
const unsigned char to = (unsigned char) mbedtls_ct_compiler_opaque(t);
/* low_mask is: 0 if low <= c, 0x...ff if low > c */
unsigned low_mask = ((unsigned) co - low) >> 8;

2
library/constant_time_internal.h
View File

@ -85,12 +85,14 @@ typedef ptrdiff_t mbedtls_ct_int_t;
typedef uint64_t mbedtls_ct_condition_t;
typedef uint64_t mbedtls_ct_uint_t;
typedef int64_t mbedtls_ct_int_t;
#define MBEDTLS_CT_SIZE_64
#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT64_MAX))
#else
/* Pointer size <= 32-bit, and no 64-bit MPIs */
typedef uint32_t mbedtls_ct_condition_t;
typedef uint32_t mbedtls_ct_uint_t;
typedef int32_t mbedtls_ct_int_t;
#define MBEDTLS_CT_SIZE_32
#define MBEDTLS_CT_TRUE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(UINT32_MAX))
#endif
#define MBEDTLS_CT_FALSE ((mbedtls_ct_condition_t) mbedtls_ct_compiler_opaque(0))

4
library/ecdsa.c
View File

@ -373,7 +373,7 @@ modn:
#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && rs_ctx->sig != NULL) {
mbedtls_mpi_copy(r, pr);
MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
}
#endif
@ -447,7 +447,7 @@ int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len);
MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && rs_ctx->det != NULL) {

2
library/entropy_poll.c
View File

@ -75,7 +75,7 @@ int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
return 0;
}
#else /* !_WIN32_WINNT_WINXP */
#error Entropy not available before Windows XP, use MBEDTLS_NO_PLATFORM_ENTROPY
#error "Entropy not available before Windows XP, use MBEDTLS_NO_PLATFORM_ENTROPY"
#endif /* !_WIN32_WINNT_WINXP */
#else /* _WIN32 && !EFIX64 && !EFI32 */

11
library/gcm.c
View File

@ -98,7 +98,7 @@ static int gcm_gen_table(mbedtls_gcm_context *ctx)
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
return 0;
}
#endif
@ -209,7 +209,7 @@ static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
#endif /* MBEDTLS_AESNI_HAVE_CODE */
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (mbedtls_aesce_has_support()) {
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
unsigned char h[16];
/* mbedtls_aesce_gcm_mult needs big-endian input */
@ -884,6 +884,13 @@ int mbedtls_gcm_self_test(int verbose)
mbedtls_printf(" GCM note: using AESNI.\n");
} else
#endif
#if defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_HAVE_ARM64)
if (MBEDTLS_AESCE_HAS_SUPPORT()) {
mbedtls_printf(" GCM note: using AESCE.\n");
} else
#endif
mbedtls_printf(" GCM note: built-in implementation.\n");
#endif /* MBEDTLS_GCM_ALT */
}

16
library/md.c
View File

@ -231,6 +231,22 @@ static psa_algorithm_t psa_alg_of_md(const mbedtls_md_info_t *info)
#if defined(MBEDTLS_MD_SHA512_VIA_PSA)
case MBEDTLS_MD_SHA512:
return PSA_ALG_SHA_512;
#endif
#if defined(MBEDTLS_MD_SHA3_224_VIA_PSA)
case MBEDTLS_MD_SHA3_224:
return PSA_ALG_SHA3_224;
#endif
#if defined(MBEDTLS_MD_SHA3_256_VIA_PSA)
case MBEDTLS_MD_SHA3_256:
return PSA_ALG_SHA3_256;
#endif
#if defined(MBEDTLS_MD_SHA3_384_VIA_PSA)
case MBEDTLS_MD_SHA3_384:
return PSA_ALG_SHA3_384;
#endif
#if defined(MBEDTLS_MD_SHA3_512_VIA_PSA)
case MBEDTLS_MD_SHA3_512:
return PSA_ALG_SHA3_512;
#endif
default:
return PSA_ALG_NONE;

56
library/oid.c
View File

@ -760,6 +760,30 @@ static const oid_md_alg_t oid_md_alg[] =
OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160"),
MBEDTLS_MD_RIPEMD160,
},
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_224)
{
OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_224, "id-sha3-224", "SHA-3-224"),
MBEDTLS_MD_SHA3_224,
},
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_256)
{
OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_256, "id-sha3-256", "SHA-3-256"),
MBEDTLS_MD_SHA3_256,
},
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_384)
{
OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_384, "id-sha3-384", "SHA-3-384"),
MBEDTLS_MD_SHA3_384,
},
#endif
#if defined(MBEDTLS_MD_CAN_SHA3_512)
{
OID_DESCRIPTOR(MBEDTLS_OID_DIGEST_ALG_SHA3_512, "id-sha3-512", "SHA-3-512"),
MBEDTLS_MD_SHA3_512,
},
#endif
{
NULL_OID_DESCRIPTOR,
@ -796,7 +820,7 @@ static const oid_md_hmac_t oid_md_hmac[] =
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224"),
MBEDTLS_MD_SHA224,
},
#endif
#endif /* MBEDTLS_MD_CAN_SHA224 */
#if defined(MBEDTLS_MD_CAN_SHA256)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256"),
@ -815,6 +839,36 @@ static const oid_md_hmac_t oid_md_hmac[] =
MBEDTLS_MD_SHA512,
},
#endif /* MBEDTLS_MD_CAN_SHA512 */
#if defined(MBEDTLS_MD_CAN_SHA3_224)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_224, "hmacSHA3-224", "HMAC-SHA3-224"),
MBEDTLS_MD_SHA3_224,
},
#endif /* MBEDTLS_MD_CAN_SHA3_224 */
#if defined(MBEDTLS_MD_CAN_SHA3_256)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_256, "hmacSHA3-256", "HMAC-SHA3-256"),
MBEDTLS_MD_SHA3_256,
},
#endif /* MBEDTLS_MD_CAN_SHA3_256 */
#if defined(MBEDTLS_MD_CAN_SHA3_384)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_384, "hmacSHA3-384", "HMAC-SHA3-384"),
MBEDTLS_MD_SHA3_384,
},
#endif /* MBEDTLS_MD_CAN_SHA3_384 */
#if defined(MBEDTLS_MD_CAN_SHA3_512)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_SHA3_512, "hmacSHA3-512", "HMAC-SHA3-512"),
MBEDTLS_MD_SHA3_512,
},
#endif /* MBEDTLS_MD_CAN_SHA3_512 */
#if defined(MBEDTLS_MD_CAN_RIPEMD160)
{
OID_DESCRIPTOR(MBEDTLS_OID_HMAC_RIPEMD160, "hmacRIPEMD160", "HMAC-RIPEMD160"),
MBEDTLS_MD_RIPEMD160,
},
#endif /* MBEDTLS_MD_CAN_RIPEMD160 */
{
NULL_OID_DESCRIPTOR,
MBEDTLS_MD_NONE,

2
library/padlock.h
View File

@ -42,6 +42,8 @@
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && defined(__i386__) && \
!defined(MBEDTLS_HAVE_ASAN)
#define MBEDTLS_VIA_PADLOCK_HAVE_CODE
#ifndef MBEDTLS_HAVE_X86
#define MBEDTLS_HAVE_X86
#endif

102
library/psa_crypto_hash.c
View File

@ -73,6 +73,25 @@ psa_status_t mbedtls_psa_hash_abort(
case PSA_ALG_SHA_512:
mbedtls_sha512_free(&operation->ctx.sha512);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
mbedtls_sha3_free(&operation->ctx.sha3);
break;
#endif
default:
return PSA_ERROR_BAD_STATE;
@ -134,6 +153,30 @@ psa_status_t mbedtls_psa_hash_setup(
mbedtls_sha512_init(&operation->ctx.sha512);
ret = mbedtls_sha512_starts(&operation->ctx.sha512, 0);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
mbedtls_sha3_init(&operation->ctx.sha3);
ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_224);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
mbedtls_sha3_init(&operation->ctx.sha3);
ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_256);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
mbedtls_sha3_init(&operation->ctx.sha3);
ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_384);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
mbedtls_sha3_init(&operation->ctx.sha3);
ret = mbedtls_sha3_starts(&operation->ctx.sha3, MBEDTLS_SHA3_512);
break;
#endif
default:
return PSA_ALG_IS_HASH(alg) ?
@ -196,6 +239,26 @@ psa_status_t mbedtls_psa_hash_clone(
mbedtls_sha512_clone(&target_operation->ctx.sha512,
&source_operation->ctx.sha512);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
mbedtls_sha3_clone(&target_operation->ctx.sha3,
&source_operation->ctx.sha3);
break;
#endif
default:
(void) source_operation;
@ -256,6 +319,26 @@ psa_status_t mbedtls_psa_hash_update(
ret = mbedtls_sha512_update(&operation->ctx.sha512,
input, input_length);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
ret = mbedtls_sha3_update(&operation->ctx.sha3,
input, input_length);
break;
#endif
default:
(void) input;
@ -326,6 +409,25 @@ psa_status_t mbedtls_psa_hash_finish(
case PSA_ALG_SHA_512:
ret = mbedtls_sha512_finish(&operation->ctx.sha512, hash);
break;
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224)
case PSA_ALG_SHA3_224:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256)
case PSA_ALG_SHA3_256:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384)
case PSA_ALG_SHA3_384:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
case PSA_ALG_SHA3_512:
#endif
#if defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_224) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_256) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_384) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_SHA3_512)
ret = mbedtls_sha3_finish(&operation->ctx.sha3, hash, hash_size);
break;
#endif
default:
(void) hash;

4
library/psa_crypto_pake.c
View File

@ -178,12 +178,12 @@ psa_status_t mbedtls_psa_pake_setup(mbedtls_psa_pake_operation_t *operation,
return status;
}
psa_crypto_driver_pake_get_user_len(inputs, &user_len);
status = psa_crypto_driver_pake_get_user_len(inputs, &user_len);
if (status != PSA_SUCCESS) {
return status;
}
psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
status = psa_crypto_driver_pake_get_peer_len(inputs, &peer_len);
if (status != PSA_SUCCESS) {
return status;
}

2
library/psa_crypto_storage.h
View File

@ -39,7 +39,7 @@ extern "C" {
/* Sanity check: a file size must fit in 32 bits. Allow a generous
* 64kB of metadata. */
#if PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
#error PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000
#error "PSA_CRYPTO_MAX_STORAGE_SIZE > 0xffff0000"
#endif
/** The maximum permitted persistent slot number.

2
library/rsa_alt_helpers.c
View File

@ -126,7 +126,7 @@ int mbedtls_rsa_deduce_primes(mbedtls_mpi const *N,
}
for (; attempt < num_primes; ++attempt) {
mbedtls_mpi_lset(&K, primes[attempt]);
MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
/* Check if gcd(K,N) = 1 */
MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));

2
library/x509_crt.c
View File

@ -1599,7 +1599,7 @@ int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path)
cleanup:
FindClose(hFind);
#else /* !_WIN32_WINNT_XP */
#error mbedtls_x509_crt_parse_path not available before Windows XP
#error "mbedtls_x509_crt_parse_path not available before Windows XP"
#endif /* !_WIN32_WINNT_XP */
#else /* _WIN32 */
int t_ret;