lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge branch 'development' into convert_NO_SHA384_to_positive

Browse Source 
Conflicts:
* configs/config-psa-crypto.h: modified here, removed in development
* tests/suites/test_suite_x509parse.data: all conflicts are in depends_on
  lines where development made a change unrelated to MBEDTLS_SHAxxx and our
  branch either changed `MBEDTLS_SHA256_C` to `MBEDTLS_SHA224_C` or
  `MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384` to ``MBEDTLS_SHA384_C`, with
  no change to what the test does. Pick the other branch's dependency
  changes then apply our SHA dpeendency change.
This commit is contained in:
Mateusz Starzyk
2021-05-10 15:18:08 +02:00
parent 6326a8dd37 b6800788ca
commit 4228f895c0
169 changed files with 4060 additions and 6751 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
include/mbedtls/aes.h
View File

@ -611,44 +611,6 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] );
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief Deprecated internal AES block encryption function
* without return value.
*
* \deprecated Superseded by mbedtls_internal_aes_encrypt()
*
* \param ctx The AES context to use for encryption.
* \param input Plaintext block.
* \param output Output (ciphertext) block.
*/
MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] );
/**
* \brief Deprecated internal AES block decryption function
* without return value.
*
* \deprecated Superseded by mbedtls_internal_aes_decrypt()
*
* \param ctx The AES context to use for decryption.
* \param input Ciphertext block.
* \param output Output (plaintext) block.
*/
MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_SELF_TEST)
/**
* \brief Checkup routine.

31
include/mbedtls/bignum.h
View File

@ -904,37 +904,6 @@ int mbedtls_mpi_gcd( mbedtls_mpi *G, const mbedtls_mpi *A,
int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
const mbedtls_mpi *N );
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief Perform a Miller-Rabin primality test with error
* probability of 2<sup>-80</sup>.
*
* \deprecated Superseded by mbedtls_mpi_is_prime_ext() which allows
* specifying the number of Miller-Rabin rounds.
*
* \param X The MPI to check for primality.
* This must point to an initialized MPI.
* \param f_rng The RNG function to use. This must not be \c NULL.
* \param p_rng The RNG parameter to be passed to \p f_rng.
* This may be \c NULL if \p f_rng doesn't use a
* context parameter.
*
* \return \c 0 if successful, i.e. \p X is probably prime.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
* \return #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
* \return Another negative error code on other kinds of failure.
*/
MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
/**
* \brief Miller-Rabin primality test.
*

127
include/mbedtls/cipher.h
View File

@ -467,8 +467,8 @@ int mbedtls_cipher_setup( mbedtls_cipher_context_t *ctx,
* \param cipher_info The cipher to use.
* \param taglen For AEAD ciphers, the length in bytes of the
* authentication tag to use. Subsequent uses of
* mbedtls_cipher_auth_encrypt() or
* mbedtls_cipher_auth_decrypt() must provide
* mbedtls_cipher_auth_encrypt_ext() or
* mbedtls_cipher_auth_decrypt_ext() must provide
* the same tag length.
* For non-AEAD ciphers, the value must be \c 0.
*
@ -853,129 +853,6 @@ int mbedtls_cipher_crypt( mbedtls_cipher_context_t *ctx,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen );
#if defined(MBEDTLS_CIPHER_MODE_AEAD)
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_WARNING */
/**
* \brief The generic authenticated encryption (AEAD) function.
*
* \deprecated Superseded by mbedtls_cipher_auth_encrypt_ext().
*
* \note This function only supports AEAD algorithms, not key
* wrapping algorithms such as NIST_KW; for this, see
* mbedtls_cipher_auth_encrypt_ext().
*
* \param ctx The generic cipher context. This must be initialized and
* bound to a key associated with an AEAD algorithm.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and must not be \c NULL.
* \param iv_len The length of the nonce. This must satisfy the
* constraints imposed by the AEAD cipher used.
* \param ad The additional data to authenticate. This must be a
* readable buffer of at least \p ad_len Bytes, and may
* be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data.
* \param output The buffer for the output data. This must be a
* writable buffer of at least \p ilen Bytes, and must
* not be \c NULL.
* \param olen This will be filled with the actual number of Bytes
* written to the \p output buffer. This must point to a
* writable object of type \c size_t.
* \param tag The buffer for the authentication tag. This must be a
* writable buffer of at least \p tag_len Bytes. See note
* below regarding restrictions with PSA-based contexts.
* \param tag_len The desired length of the authentication tag. This
* must match the constraints imposed by the AEAD cipher
* used, and in particular must not be \c 0.
*
* \note If the context is based on PSA (that is, it was set up
* with mbedtls_cipher_setup_psa()), then it is required
* that \c tag == output + ilen. That is, the tag must be
* appended to the ciphertext as recommended by RFC 5116.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* parameter-verification failure.
* \return A cipher-specific error code on failure.
*/
int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
unsigned char *tag, size_t tag_len )
MBEDTLS_DEPRECATED;
/**
* \brief The generic authenticated decryption (AEAD) function.
*
* \deprecated Superseded by mbedtls_cipher_auth_decrypt_ext().
*
* \note This function only supports AEAD algorithms, not key
* wrapping algorithms such as NIST_KW; for this, see
* mbedtls_cipher_auth_decrypt_ext().
*
* \note If the data is not authentic, then the output buffer
* is zeroed out to prevent the unauthentic plaintext being
* used, making this interface safer.
*
* \param ctx The generic cipher context. This must be initialized and
* bound to a key associated with an AEAD algorithm.
* \param iv The nonce to use. This must be a readable buffer of
* at least \p iv_len Bytes and must not be \c NULL.
* \param iv_len The length of the nonce. This must satisfy the
* constraints imposed by the AEAD cipher used.
* \param ad The additional data to authenticate. This must be a
* readable buffer of at least \p ad_len Bytes, and may
* be \c NULL is \p ad_len is \c 0.
* \param ad_len The length of \p ad.
* \param input The buffer holding the input data. This must be a
* readable buffer of at least \p ilen Bytes, and may be
* \c NULL if \p ilen is \c 0.
* \param ilen The length of the input data.
* \param output The buffer for the output data. This must be a
* writable buffer of at least \p ilen Bytes, and must
* not be \c NULL.
* \param olen This will be filled with the actual number of Bytes
* written to the \p output buffer. This must point to a
* writable object of type \c size_t.
* \param tag The buffer for the authentication tag. This must be a
* readable buffer of at least \p tag_len Bytes. See note
* below regarding restrictions with PSA-based contexts.
* \param tag_len The length of the authentication tag. This must match
* the constraints imposed by the AEAD cipher used, and in
* particular must not be \c 0.
*
* \note If the context is based on PSA (that is, it was set up
* with mbedtls_cipher_setup_psa()), then it is required
* that \c tag == input + len. That is, the tag must be
* appended to the ciphertext as recommended by RFC 5116.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
* parameter-verification failure.
* \return #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
* \return A cipher-specific error code on failure.
*/
int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
const unsigned char *iv, size_t iv_len,
const unsigned char *ad, size_t ad_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen,
const unsigned char *tag, size_t tag_len )
MBEDTLS_DEPRECATED;
#undef MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_CIPHER_MODE_AEAD */
#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
/**
* \brief The authenticated encryption (AEAD/NIST_KW) function.

18
include/mbedtls/cmac.h
View File

@ -74,6 +74,12 @@ struct mbedtls_cmac_context_t
* the input data.
* Must be called with an initialized cipher context.
*
* \note When the CMAC implementation is supplied by an alternate
* implementation (through #MBEDTLS_CMAC_ALT), some ciphers
* may not be supported by that implementation, and thus
* return an error. Alternate implementations must support
* AES-128 and AES-256, and may support AES-192 and 3DES.
*
* \param ctx The cipher context used for the CMAC operation, initialized
* as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
* MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
@ -151,6 +157,11 @@ int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
* The CMAC result is calculated as
* output = generic CMAC(cmac key, input buffer).
*
* \note When the CMAC implementation is supplied by an alternate
* implementation (through #MBEDTLS_CMAC_ALT), some ciphers
* may not be supported by that implementation, and thus
* return an error. Alternate implementations must support
* AES-128 and AES-256, and may support AES-192 and 3DES.
*
* \param cipher_info The cipher information.
* \param key The CMAC key.
@ -195,6 +206,13 @@ int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
/**
* \brief The CMAC checkup routine.
*
* \note In case the CMAC routines are provided by an alternative
* implementation (i.e. #MBEDTLS_CMAC_ALT is defined), the
* checkup routine will succeed even if the implementation does
* not support the less widely used AES-192 or 3DES primitives.
* The self-test requires at least AES-128 and AES-256 to be
* supported by the underlying implementation.
*
* \return \c 0 on success.
* \return \c 1 on failure.
*/

73
include/mbedtls/config.h
View File

@ -421,12 +421,6 @@
* of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
* with this definition.
*
* \note Because of a signature change, the core AES encryption and decryption routines are
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
* respectively. When setting up alternative implementations, these functions should
* be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
* must stay untouched.
*
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set
* MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
* tables.
@ -445,9 +439,7 @@
* alternative implementations should use the RNG only for generating
* the ephemeral key and nothing else. If this is not possible, then
* MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
* implementation should be provided for mbedtls_ecdsa_sign_det_ext()
* (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
* desirable).
* implementation should be provided for mbedtls_ecdsa_sign_det_ext().
*
*/
//#define MBEDTLS_MD2_PROCESS_ALT
@ -659,8 +651,7 @@
* Warning: Only do so when you know what you are doing. This allows for
* encryption or channels without any security!
*
* Requires MBEDTLS_ENABLE_WEAK_CIPHERSUITES as well to enable
* the following ciphersuites:
* To enable the following ciphersuites:
* MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA
@ -708,20 +699,6 @@
*/
//#define MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
/**
* \def MBEDTLS_ENABLE_WEAK_CIPHERSUITES
*
* Enable weak ciphersuites in SSL / TLS.
* Warning: Only do so when you know what you are doing. This allows for
* channels with virtually no security at all!
*
* Uncomment this macro to enable weak ciphersuites
*
* \warning DES is considered a weak cipher and its use constitutes a
* security risk. We recommend considering stronger ciphers instead.
*/
//#define MBEDTLS_ENABLE_WEAK_CIPHERSUITES
/**
* \def MBEDTLS_REMOVE_3DES_CIPHERSUITES
*
@ -1312,6 +1289,22 @@
*/
#define MBEDTLS_PKCS1_V21
/** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
*
* Enable support for platform built-in keys. If you enable this feature,
* you must implement the function mbedtls_psa_platform_get_builtin_key().
* See the documentation of that function for more information.
*
* Built-in keys are typically derived from a hardware unique key or
* stored in a secure element.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
* \warning This interface is experimental and may change or be removed
* without notice.
*/
//#define MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
/** \def MBEDTLS_PSA_CRYPTO_CLIENT
*
* Enable support for PSA crypto client.
@ -2115,6 +2108,17 @@
*/
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
/**
* \def MBEDTLS_X509_REMOVE_INFO
*
* Disable mbedtls_x509_*_info() and related APIs.
*
* Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
* and other functions/constants only used by these functions, thus reducing
* the code footprint by several KB.
*/
//#define MBEDTLS_X509_REMOVE_INFO
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*
@ -2411,7 +2415,7 @@
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
*/
//#define MBEDTLS_ARIA_C
#define MBEDTLS_ARIA_C
/**
* \def MBEDTLS_CCM_C
@ -2465,12 +2469,17 @@
* Enable the CMAC (Cipher-based Message Authentication Code) mode for block
* ciphers.
*
* \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
* implementation of the CMAC algorithm is provided by an alternate
* implementation, that alternate implementation may opt to not support
* AES-192 or 3DES as underlying block ciphers for the CMAC operation.
*
* Module: library/cmac.c
*
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
*
*/
//#define MBEDTLS_CMAC_C
#define MBEDTLS_CMAC_C
/**
* \def MBEDTLS_CTR_DRBG_C
@ -2594,9 +2603,9 @@
*
* Enable the elliptic curve J-PAKE library.
*
* \warning This is currently experimental. EC J-PAKE support is based on the
* Thread v1.0.0 specification; incompatible changes to the specification
* might still happen. For this reason, this is disabled by default.
* \note EC J-PAKE support is based on the Thread v1.0.0 specification.
* It has not been reviewed for compliance with newer standards such as
* Thread v1.1 or RFC 8236.
*
* Module: library/ecjpake.c
* Caller:
@ -2606,7 +2615,7 @@
*
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
*/
//#define MBEDTLS_ECJPAKE_C
#define MBEDTLS_ECJPAKE_C
/**
* \def MBEDTLS_ECP_C
@ -2702,7 +2711,7 @@
*
* Requires: MBEDTLS_AES_C and MBEDTLS_CIPHER_C
*/
//#define MBEDTLS_NIST_KW_C
#define MBEDTLS_NIST_KW_C
/**
* \def MBEDTLS_MD_C

29
include/mbedtls/ctr_drbg.h
View File

@ -528,35 +528,6 @@ int mbedtls_ctr_drbg_random_with_add( void *p_rng,
int mbedtls_ctr_drbg_random( void *p_rng,
unsigned char *output, size_t output_len );
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief This function updates the state of the CTR_DRBG context.
*
* \deprecated Superseded by mbedtls_ctr_drbg_update_ret()
* in 2.16.0.
*
* \note If \p add_len is greater than
* #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
* #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
* The remaining Bytes are silently discarded.
*
* \param ctx The CTR_DRBG context.
* \param additional The data to update the state with.
* \param add_len Length of \p additional data.
*/
MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
mbedtls_ctr_drbg_context *ctx,
const unsigned char *additional,
size_t add_len );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_FS_IO)
/**
* \brief This function writes a seed file.

8
include/mbedtls/debug.h
View File

@ -59,9 +59,13 @@
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if !defined(MBEDTLS_X509_REMOVE_INFO)
#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt ) \
mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
#endif
#else
#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt ) do { } while( 0 )
#endif /* MBEDTLS_X509_REMOVE_INFO */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_ECDH_C)
#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr ) \
@ -248,7 +252,7 @@ void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
const char *text, const mbedtls_ecp_point *X );
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Print a X.509 certificate structure to the debug output. This
* function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,

155
include/mbedtls/dhm.h
View File

@ -382,161 +382,6 @@ int mbedtls_dhm_self_test( int verbose );
*
*/
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/**
* \warning The origin of the primes in RFC 5114 is not documented and
* their use therefore constitutes a security risk!
*
* \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
* likely to be removed in a future version of the library without
* replacement.
*/
/**
* The hexadecimal presentation of the prime underlying the
* 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
* in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
* IETF Standards</em>.
*/
#define MBEDTLS_DHM_RFC5114_MODP_2048_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1" \
"B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15" \
"EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212" \
"9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207" \
"C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708" \
"B3BF8A317091883681286130BC8985DB1602E714415D9330" \
"278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D" \
"CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8" \
"BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763" \
"C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71" \
"CF9DE5384E71B81C0AC4DFFE0C10E64F" )
/**
* The hexadecimal presentation of the chosen generator of the 2048-bit MODP
* Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
* Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
*/
#define MBEDTLS_DHM_RFC5114_MODP_2048_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF" \
"74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA" \
"AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7" \
"C17669101999024AF4D027275AC1348BB8A762D0521BC98A" \
"E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE" \
"F180EB34118E98D119529A45D6F834566E3025E316A330EF" \
"BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB" \
"10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381" \
"B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269" \
"EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179" \
"81BC087F2A7065B384B890D3191F2BFA" )
/**
* The hexadecimal presentation of the prime underlying the 2048-bit MODP
* Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*
* \deprecated The hex-encoded primes from RFC 3625 are deprecated and
* superseded by the corresponding macros providing them as
* binary constants. Their hex-encoded constants are likely
* to be removed in a future version of the library.
*
*/
#define MBEDTLS_DHM_RFC3526_MODP_2048_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
"15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
/**
* The hexadecimal presentation of the chosen generator of the 2048-bit MODP
* Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*/
#define MBEDTLS_DHM_RFC3526_MODP_2048_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
/**
* The hexadecimal presentation of the prime underlying the 3072-bit MODP
* Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*/
#define MBEDTLS_DHM_RFC3526_MODP_3072_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \
"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \
"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \
"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \
"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
"43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
/**
* The hexadecimal presentation of the chosen generator of the 3072-bit MODP
* Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*/
#define MBEDTLS_DHM_RFC3526_MODP_3072_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
/**
* The hexadecimal presentation of the prime underlying the 4096-bit MODP
* Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*/
#define MBEDTLS_DHM_RFC3526_MODP_4096_P \
MBEDTLS_DEPRECATED_STRING_CONSTANT( \
"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \
"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \
"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \
"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \
"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
"43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \
"88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \
"2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \
"287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \
"1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \
"93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \
"FFFFFFFFFFFFFFFF" )
/**
* The hexadecimal presentation of the chosen generator of the 4096-bit MODP
* Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
* Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
*/
#define MBEDTLS_DHM_RFC3526_MODP_4096_G \
MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
#endif /* MBEDTLS_DEPRECATED_REMOVED */
/*
* Trustworthy DHM parameters in binary form
*/

121
include/mbedtls/ecdsa.h
View File

@ -138,7 +138,7 @@ int mbedtls_ecdsa_can_do( mbedtls_ecp_group_id gid );
* previously-hashed message.
*
* \note The deterministic version implemented in
* mbedtls_ecdsa_sign_det() is usually preferred.
* mbedtls_ecdsa_sign_det_ext() is usually preferred.
*
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated
@ -174,67 +174,6 @@ int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief This function computes the ECDSA signature of a
* previously-hashed message, deterministic version.
*
* For more information, see <em>RFC-6979: Deterministic
* Usage of the Digital Signature Algorithm (DSA) and Elliptic
* Curve Digital Signature Algorithm (ECDSA)</em>.
*
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \warning Since the output of the internal RNG is always the same for
* the same key and message, this limits the efficiency of
* blinding and leaks information through side channels. For
* secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
*
* (Optimally the blinding is a random value that is different
* on every execution. In this case the blinding is still
* random from the attackers perspective, but is the same on
* each execution. This means that this blinding does not
* prevent attackers from recovering secrets by combining
* several measurement traces, but may prevent some attacks
* that exploit relationships between secret data.)
*
* \see ecp.h
*
* \param grp The context for the elliptic curve to use.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
* \param r The MPI context in which to store the first part
* the signature. This must be initialized.
* \param s The MPI context in which to store the second part
* the signature. This must be initialized.
* \param d The private signing key. This must be initialized
* and setup, for example through mbedtls_ecp_gen_privkey().
* \param buf The hashed content to be signed. This must be a readable
* buffer of length \p blen Bytes. It may be \c NULL if
* \p blen is zero.
* \param blen The length of \p buf in Bytes.
* \param md_alg The hash algorithm used to hash the original data.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
* error code on failure.
*/
int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
mbedtls_mpi *s, const mbedtls_mpi *d,
const unsigned char *buf, size_t blen,
mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
#undef MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_REMOVED */
/**
* \brief This function computes the ECDSA signature of a
* previously-hashed message, deterministic version.
@ -421,64 +360,6 @@ int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx,
void *p_rng,
mbedtls_ecdsa_restart_ctx *rs_ctx );
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief This function computes an ECDSA signature and writes
* it to a buffer, serialized as defined in <em>RFC-4492:
* Elliptic Curve Cryptography (ECC) Cipher Suites for
* Transport Layer Security (TLS)</em>.
*
* The deterministic version is defined in <em>RFC-6979:
* Deterministic Usage of the Digital Signature Algorithm (DSA)
* and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
*
* \warning It is not thread-safe to use the same context in
* multiple threads.
*
* \note If the bitlength of the message hash is larger than the
* bitlength of the group order, then the hash is truncated as
* defined in <em>Standards for Efficient Cryptography Group
* (SECG): SEC1 Elliptic Curve Cryptography</em>, section
* 4.1.3, step 5.
*
* \see ecp.h
*
* \deprecated Superseded by mbedtls_ecdsa_write_signature() in
* Mbed TLS version 2.0 and later.
*
* \param ctx The ECDSA context to use. This must be initialized
* and have a group and private key bound to it, for example
* via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
* \param hash The message hash to be signed. This must be a readable
* buffer of length \p blen Bytes.
* \param hlen The length of the hash \p hash in Bytes.
* \param sig The buffer to which to write the signature. This must be a
* writable buffer of length at least twice as large as the
* size of the curve used, plus 9. For example, 73 Bytes if
* a 256-bit curve is used. A buffer length of
* #MBEDTLS_ECDSA_MAX_LEN is always safe.
* \param slen The address at which to store the actual length of
* the signature written. Must not be \c NULL.
* \param md_alg The message digest that was used to hash the message.
*
* \return \c 0 on success.
* \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
* \c MBEDTLS_ERR_ASN1_XXX error code on failure.
*/
int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
const unsigned char *hash, size_t hlen,
unsigned char *sig, size_t *slen,
mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
#undef MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
/**
* \brief This function reads and verifies an ECDSA signature.
*

53
include/mbedtls/error.h
View File

@ -30,6 +30,11 @@
#include <stddef.h>
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
!defined(inline) && !defined(__cplusplus)
#define inline __inline
#endif
/**
* Error code layout.
*
@ -117,6 +122,54 @@ extern "C" {
#define MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED -0x0070 /**< Hardware accelerator failed */
#define MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED -0x0072 /**< The requested feature is not supported by the platform */
/**
* \brief Combines a high-level and low-level error code together.
*
* Wrapper macro for mbedtls_error_add(). See that function for
* more details.
*/
#define MBEDTLS_ERROR_ADD( high, low ) \
mbedtls_error_add( high, low, __FILE__, __LINE__ )
#if defined(MBEDTLS_TEST_HOOKS)
/**
* \brief Testing hook called before adding/combining two error codes together.
* Only used when invasive testing is enabled via MBEDTLS_TEST_HOOKS.
*/
extern void (*mbedtls_test_hook_error_add)( int, int, const char *, int );
#endif
/**
* \brief Combines a high-level and low-level error code together.
*
* This function can be called directly however it is usually
* called via the #MBEDTLS_ERROR_ADD macro.
*
* While a value of zero is not a negative error code, it is still an
* error code (that denotes success) and can be combined with both a
* negative error code or another value of zero.
*
* \note When invasive testing is enabled via #MBEDTLS_TEST_HOOKS, also try to
* call \link mbedtls_test_hook_error_add \endlink.
*
* \param high high-level error code. See error.h for more details.
* \param low low-level error code. See error.h for more details.
* \param file file where this error code addition occured.
* \param line line where this error code addition occured.
*/
static inline int mbedtls_error_add( int high, int low,
const char *file, int line )
{
#if defined(MBEDTLS_TEST_HOOKS)
if( *mbedtls_test_hook_error_add != NULL )
( *mbedtls_test_hook_error_add )( high, low, file, line );
#endif
(void)file;
(void)line;
return( high + low );
}
/**
* \brief Translate a mbed TLS error code into a string representation,
* Result is truncated if necessary and always includes a terminating

24
include/mbedtls/hmac_drbg.h
View File

@ -397,30 +397,6 @@ int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len
*/
void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief This function updates the state of the HMAC_DRBG context.
*
* \deprecated Superseded by mbedtls_hmac_drbg_update_ret()
* in 2.16.0.
*
* \param ctx The HMAC_DRBG context.
* \param additional The data to update the state with.
* If this is \c NULL, there is no additional data.
* \param add_len Length of \p additional in bytes.
* Unused if \p additional is \c NULL.
*/
MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
mbedtls_hmac_drbg_context *ctx,
const unsigned char *additional, size_t add_len );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_FS_IO)
/**
* \brief This function writes a seed file.

35
include/mbedtls/net.h
View File

@ -1,35 +0,0 @@
/**
* \file net.h
*
* \brief Deprecated header file that includes net_sockets.h
*
* \deprecated Superseded by mbedtls/net_sockets.h
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#include "mbedtls/net_sockets.h"
#if defined(MBEDTLS_DEPRECATED_WARNING)
#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
#endif /* MBEDTLS_DEPRECATED_WARNING */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */

4
include/mbedtls/oid.h
View File

@ -441,8 +441,10 @@ typedef struct mbedtls_oid_descriptor_t
{
const char *asn1; /*!< OID ASN.1 representation */
size_t asn1_len; /*!< length of asn1 */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
const char *name; /*!< official name (e.g. from RFC) */
const char *description; /*!< human friendly description */
#endif
} mbedtls_oid_descriptor_t;
/**
@ -582,6 +584,7 @@ int mbedtls_oid_get_md_alg( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_a
int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_hmac );
#endif /* MBEDTLS_MD_C */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Translate Extended Key Usage OID into description
*
@ -591,6 +594,7 @@ int mbedtls_oid_get_md_hmac( const mbedtls_asn1_buf *oid, mbedtls_md_type_t *md_
* \return 0 if successful, or MBEDTLS_ERR_OID_NOT_FOUND
*/
int mbedtls_oid_get_extended_key_usage( const mbedtls_asn1_buf *oid, const char **desc );
#endif
/**
* \brief Translate certificate policies OID into description

54
include/mbedtls/ssl.h
View File

@ -2859,34 +2859,6 @@ void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief Set the Diffie-Hellman public P and G values,
* read as hexadecimal strings (server-side only)
* (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
*
* \param conf SSL configuration
* \param dhm_P Diffie-Hellman-Merkle modulus
* \param dhm_G Diffie-Hellman-Merkle generator
*
* \deprecated Superseded by \c mbedtls_ssl_conf_dh_param_bin.
*
* \return 0 if successful
*/
MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
const char *dhm_P,
const char *dhm_G );
#endif /* MBEDTLS_DEPRECATED_REMOVED */
/**
* \brief Set the Diffie-Hellman public P and G values
* from big-endian binary presentations.
@ -3659,32 +3631,6 @@ size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
* \return Current maximum fragment length for the output buffer.
*/
size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif
/**
* \brief This function is a deprecated approach to getting the max
* fragment length. Its an alias for
* \c mbedtls_ssl_get_output_max_frag_len(), as the behaviour
* is the same. See \c mbedtls_ssl_get_output_max_frag_len() for
* more detail.
*
* \sa mbedtls_ssl_get_input_max_frag_len()
* \sa mbedtls_ssl_get_output_max_frag_len()
*
* \param ssl SSL context
*
* \return Current maximum fragment length for the output buffer.
*/
MBEDTLS_DEPRECATED size_t mbedtls_ssl_get_max_frag_len(
const mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
/**

2
include/mbedtls/x509.h
View File

@ -316,9 +316,11 @@ int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *serial );
int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *ext, int tag );
#if !defined(MBEDTLS_X509_REMOVE_INFO)
int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
const void *sig_opts );
#endif
int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,

2
include/mbedtls/x509_crl.h
View File

@ -134,6 +134,7 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the CRL.
*
@ -147,6 +148,7 @@ int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
*/
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
const mbedtls_x509_crl *crl );
#endif /* !MBEDTLS_X509_REMOVE_INFO */
/**
* \brief Initialize a CRL (chain)

71
include/mbedtls/x509_crt.h
View File

@ -176,6 +176,74 @@ mbedtls_x509_crt_profile;
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
#endif
/* This macro unfolds to the concatenation of macro invocations
* X509_CRT_ERROR_INFO( error code,
* error code as string,
* human readable description )
* where X509_CRT_ERROR_INFO is defined by the user.
* See x509_crt.c for an example of how to use this. */
#define MBEDTLS_X509_CRT_ERROR_INFO_LIST \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXPIRED, \
"MBEDTLS_X509_BADCERT_EXPIRED", \
"The certificate validity has expired" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_REVOKED, \
"MBEDTLS_X509_BADCERT_REVOKED", \
"The certificate has been revoked (is on a CRL)" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_CN_MISMATCH, \
"MBEDTLS_X509_BADCERT_CN_MISMATCH", \
"The certificate Common Name (CN) does not match with the expected CN" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NOT_TRUSTED, \
"MBEDTLS_X509_BADCERT_NOT_TRUSTED", \
"The certificate is not correctly signed by the trusted CA" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_NOT_TRUSTED, \
"MBEDTLS_X509_BADCRL_NOT_TRUSTED", \
"The CRL is not correctly signed by the trusted CA" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_EXPIRED, \
"MBEDTLS_X509_BADCRL_EXPIRED", \
"The CRL is expired" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_MISSING, \
"MBEDTLS_X509_BADCERT_MISSING", \
"Certificate was missing" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_SKIP_VERIFY, \
"MBEDTLS_X509_BADCERT_SKIP_VERIFY", \
"Certificate verification was skipped" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_OTHER, \
"MBEDTLS_X509_BADCERT_OTHER", \
"Other reason (can be used by verify callback)" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_FUTURE, \
"MBEDTLS_X509_BADCERT_FUTURE", \
"The certificate validity starts in the future" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_FUTURE, \
"MBEDTLS_X509_BADCRL_FUTURE", \
"The CRL is from the future" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_KEY_USAGE, \
"MBEDTLS_X509_BADCERT_KEY_USAGE", \
"Usage does not match the keyUsage extension" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \
"MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \
"Usage does not match the extendedKeyUsage extension" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \
"MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \
"Usage does not match the nsCertType extension" ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_MD, \
"MBEDTLS_X509_BADCERT_BAD_MD", \
"The certificate is signed with an unacceptable hash." ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_PK, \
"MBEDTLS_X509_BADCERT_BAD_PK", \
"The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_KEY, \
"MBEDTLS_X509_BADCERT_BAD_KEY", \
"The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_MD, \
"MBEDTLS_X509_BADCRL_BAD_MD", \
"The CRL is signed with an unacceptable hash." ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_PK, \
"MBEDTLS_X509_BADCRL_BAD_PK", \
"The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \
X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_KEY, \
"MBEDTLS_X509_BADCRL_BAD_KEY", \
"The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." )
/**
* Container for writing a certificate (CRT)
*/
@ -509,6 +577,8 @@ int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
*/
int mbedtls_x509_parse_subject_alt_name( const mbedtls_x509_buf *san_buf,
mbedtls_x509_subject_alternative_name *san );
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the
* certificate.
@ -538,6 +608,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
*/
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
uint32_t flags );
#endif /* !MBEDTLS_X509_REMOVE_INFO */
/**
* \brief Verify a chain of certificates.

2
include/mbedtls/x509_csr.h
View File

@ -121,6 +121,7 @@ int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, siz
int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
#endif /* MBEDTLS_FS_IO */
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the
* CSR.
@ -135,6 +136,7 @@ int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
*/
int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
const mbedtls_x509_csr *csr );
#endif /* !MBEDTLS_X509_REMOVE_INFO */
/**
* \brief Initialize a CSR

121
include/psa/crypto.h
View File

@ -2113,9 +2113,16 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
* authentication tag is appended to the
* encrypted data.
* \param ciphertext_size Size of the \p ciphertext buffer in bytes.
* This must be at least
* #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p alg,
* \p plaintext_length).
* This must be appropriate for the selected
* algorithm and key:
* - A sufficient output size is
* #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type,
* \p alg, \p plaintext_length) where
* \c key_type is the type of \p key.
* - #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p
* plaintext_length) evaluates to the maximum
* ciphertext size of any supported AEAD
* encryption.
* \param[out] ciphertext_length On success, the size of the output
* in the \p ciphertext buffer.
*
@ -2129,7 +2136,11 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p ciphertext_size is too small
* \p ciphertext_size is too small.
* #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
* \p plaintext_length) or
* #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
* determine the required buffer size.
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_CORRUPTION_DETECTED
@ -2173,9 +2184,16 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
* \param ciphertext_length Size of \p ciphertext in bytes.
* \param[out] plaintext Output buffer for the decrypted data.
* \param plaintext_size Size of the \p plaintext buffer in bytes.
* This must be at least
* #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p alg,
* \p ciphertext_length).
* This must be appropriate for the selected
* algorithm and key:
* - A sufficient output size is
* #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type,
* \p alg, \p ciphertext_length) where
* \c key_type is the type of \p key.
* - #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p
* ciphertext_length) evaluates to the maximum
* plaintext size of any supported AEAD
* decryption.
* \param[out] plaintext_length On success, the size of the output
* in the \p plaintext buffer.
*
@ -2191,7 +2209,11 @@ psa_status_t psa_aead_encrypt(mbedtls_svc_key_id_t key,
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p plaintext_size or \p nonce_length is too small
* \p plaintext_size is too small.
* #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
* \p ciphertext_length) or
* #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
* to determine the required buffer size.
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_CORRUPTION_DETECTED
@ -2612,10 +2634,18 @@ psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
* \param input_length Size of the \p input buffer in bytes.
* \param[out] output Buffer where the output is to be written.
* \param output_size Size of the \p output buffer in bytes.
* This must be at least
* #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c alg,
* \p input_length) where \c alg is the
* algorithm that is being calculated.
* This must be appropriate for the selected
* algorithm and key:
* - A sufficient output size is
* #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type,
* \c alg, \p input_length) where
* \c key_type is the type of key and \c alg is
* the algorithm that were used to set up the
* operation.
* - #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p
* input_length) evaluates to the maximum
* output size of any supported AEAD
* algorithm.
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
@ -2626,9 +2656,9 @@ psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
* set, and have lengths set if required by the algorithm).
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* You can determine a sufficient buffer size by calling
* #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c alg, \p input_length)
* where \c alg is the algorithm that is being calculated.
* #PSA_AEAD_UPDATE_OUTPUT_SIZE(\c key_type, \c alg, \p input_length) or
* #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length) can be used to
* determine the required buffer size.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The total length of input to psa_aead_update_ad() so far is
* less than the additional data length that was previously
@ -2665,9 +2695,7 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
* This function has two output buffers:
* - \p ciphertext contains trailing ciphertext that was buffered from
* preceding calls to psa_aead_update().
* - \p tag contains the authentication tag. Its length is always
* #PSA_AEAD_TAG_LENGTH(\c alg) where \c alg is the AEAD algorithm
* that the operation performs.
* - \p tag contains the authentication tag.
*
* When this function returns successfuly, the operation becomes inactive.
* If this function returns an error status, the operation enters an error
@ -2677,18 +2705,32 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
* \param[out] ciphertext Buffer where the last part of the ciphertext
* is to be written.
* \param ciphertext_size Size of the \p ciphertext buffer in bytes.
* This must be at least
* #PSA_AEAD_FINISH_OUTPUT_SIZE(\c alg) where
* \c alg is the algorithm that is being
* calculated.
* This must be appropriate for the selected
* algorithm and key:
* - A sufficient output size is
* #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type,
* \c alg) where \c key_type is the type of key
* and \c alg is the algorithm that were used to
* set up the operation.
* - #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE evaluates to
* the maximum output size of any supported AEAD
* algorithm.
* \param[out] ciphertext_length On success, the number of bytes of
* returned ciphertext.
* \param[out] tag Buffer where the authentication tag is
* to be written.
* \param tag_size Size of the \p tag buffer in bytes.
* This must be at least
* #PSA_AEAD_TAG_LENGTH(\c alg) where \c alg is
* the algorithm that is being calculated.
* This must be appropriate for the selected
* algorithm and key:
* - The exact tag size is #PSA_AEAD_TAG_LENGTH(\c
* key_type, \c key_bits, \c alg) where
* \c key_type and \c key_bits are the type and
* bit-size of the key, and \c alg is the
* algorithm that were used in the call to
* psa_aead_encrypt_setup().
* - #PSA_AEAD_TAG_MAX_SIZE evaluates to the
* maximum tag size of any supported AEAD
* algorithm.
* \param[out] tag_length On success, the number of bytes
* that make up the returned tag.
*
@ -2699,11 +2741,11 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
* operation with a nonce set).
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p ciphertext or \p tag buffer is too small.
* You can determine a sufficient buffer size for \p ciphertext by
* calling #PSA_AEAD_FINISH_OUTPUT_SIZE(\c alg)
* where \c alg is the algorithm that is being calculated.
* You can determine a sufficient buffer size for \p tag by
* calling #PSA_AEAD_TAG_LENGTH(\c alg).
* #PSA_AEAD_FINISH_OUTPUT_SIZE(\c key_type, \c alg) or
* #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE can be used to determine the
* required \p ciphertext buffer size. #PSA_AEAD_TAG_LENGTH(\c key_type,
* \c key_bits, \c alg) or #PSA_AEAD_TAG_MAX_SIZE can be used to
* determine the required \p tag buffer size.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The total length of input to psa_aead_update_ad() so far is
* less than the additional data length that was previously
@ -2762,10 +2804,15 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
* that could not be processed until the end
* of the input.
* \param plaintext_size Size of the \p plaintext buffer in bytes.
* This must be at least
* #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c alg) where
* \c alg is the algorithm that is being
* calculated.
* This must be appropriate for the selected algorithm and key:
* - A sufficient output size is
* #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type,
* \c alg) where \c key_type is the type of key
* and \c alg is the algorithm that were used to
* set up the operation.
* - #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE evaluates to
* the maximum output size of any supported AEAD
* algorithm.
* \param[out] plaintext_length On success, the number of bytes of
* returned plaintext.
* \param[in] tag Buffer containing the authentication tag.
@ -2781,9 +2828,9 @@ psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
* operation with a nonce set).
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p plaintext buffer is too small.
* You can determine a sufficient buffer size for \p plaintext by
* calling #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c alg)
* where \c alg is the algorithm that is being calculated.
* #PSA_AEAD_VERIFY_OUTPUT_SIZE(\c key_type, \c alg) or
* #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE can be used to determine the
* required buffer size.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The total length of input to psa_aead_update_ad() so far is
* less than the additional data length that was previously

98
include/psa/crypto_extra.h
View File

@ -715,6 +715,104 @@ psa_status_t mbedtls_psa_external_get_random(
/**@}*/
/** \defgroup psa_builtin_keys Built-in keys
* @{
*/
/** The minimum value for a key identifier that is built into the
* implementation.
*
* The range of key identifiers from #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN
* to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX within the range from
* #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
* with any other set of implementation-chosen key identifiers.
*
* This value is part of the library's ABI since changing it would invalidate
* the values of built-in key identifiers in applications.
*/
#define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t)0x7fff0000)
/** The maximum value for a key identifier that is built into the
* implementation.
*
* See #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN for more information.
*/
#define MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t)0x7fffefff)
/** A slot number identifying a key in a driver.
*
* Values of this type are used to identify built-in keys.
*/
typedef uint64_t psa_drv_slot_number_t;
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
/** Test whether a key identifier belongs to the builtin key range.
*
* \param key_id Key identifier to test.
*
* \retval 1
* The key identifier is a builtin key identifier.
* \retval 0
* The key identifier is not a builtin key identifier.
*/
static inline int psa_key_id_is_builtin( psa_key_id_t key_id )
{
return( ( key_id >= MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ) &&
( key_id <= MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ) );
}
/** Platform function to obtain the location and slot number of a built-in key.
*
* An application-specific implementation of this function must be provided if
* #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided
* as part of a platform's system image.
*
* #MBEDTLS_SVC_KEY_ID_GET_KEY_ID(\p key_id) needs to be in the range from
* #MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to #MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.
*
* In a multi-application configuration
* (\c MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined),
* this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(\p key_id)
* is allowed to use the given key.
*
* \param key_id The key ID for which to retrieve the
* location and slot attributes.
* \param[out] lifetime On success, the lifetime associated with the key
* corresponding to \p key_id. Lifetime is a
* combination of which driver contains the key,
* and with what persistence level the key is
* intended to be used. If the platform
* implementation does not contain specific
* information about the intended key persistence
* level, the persistence level may be reported as
* #PSA_KEY_PERSISTENCE_DEFAULT.
* \param[out] slot_number On success, the slot number known to the driver
* registered at the lifetime location reported
* through \p lifetime which corresponds to the
* requested built-in key.
*
* \retval #PSA_SUCCESS
* The requested key identifier designates a built-in key.
* In a multi-application configuration, the requested owner
* is allowed to access it.
* \retval #PSA_ERROR_DOES_NOT_EXIST
* The requested key identifier is not a built-in key which is known
* to this function. If a key exists in the key storage with this
* identifier, the data from the storage will be used.
* \return (any other error)
* Any other error is propagated to the function that requested the key.
* Common errors include:
* - #PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner
* is not allowed to access it.
*/
psa_status_t mbedtls_psa_platform_get_builtin_key(
mbedtls_svc_key_id_t key_id,
psa_key_lifetime_t *lifetime,
psa_drv_slot_number_t *slot_number );
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
/** @} */
#ifdef __cplusplus
}
#endif

120
include/psa/crypto_sizes.h
View File

@ -117,26 +117,35 @@
*/
#define PSA_MAC_MAX_SIZE PSA_HASH_MAX_SIZE
/** The tag size for an AEAD algorithm, in bytes.
/** The length of a tag for an AEAD algorithm, in bytes.
*
* This macro can be used to allocate a buffer of sufficient size to store the
* tag output from psa_aead_finish().
*
* See also #PSA_AEAD_TAG_MAX_SIZE.
*
* \param key_type The type of the AEAD key.
* \param key_bits The size of the AEAD key in bits.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
*
* \return The tag size for the specified algorithm.
* \return The tag length for the specified algorithm and key.
* If the AEAD algorithm does not have an identified
* tag that can be distinguished from the rest of
* the ciphertext, return 0.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_AEAD_TAG_LENGTH(alg) \
(PSA_ALG_IS_AEAD(alg) ? \
(((alg) & PSA_ALG_AEAD_TAG_LENGTH_MASK) >> PSA_AEAD_TAG_LENGTH_OFFSET) : \
0)
#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
((void) (key_bits), 0))
/** The maximum tag size for all supported AEAD algorithms, in bytes.
*
* See also #PSA_AEAD_TAG_LENGTH(\p alg).
* See also #PSA_AEAD_TAG_LENGTH(\p key_type, \p key_bits, \p alg).
*/
#define PSA_AEAD_TAG_MAX_SIZE 16
@ -241,10 +250,14 @@
* insufficient buffer size. Depending on the algorithm, the actual size of
* the ciphertext may be smaller.
*
* See also #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length).
*
* \warning This macro may evaluate its arguments multiple times or
* zero times, so you should not pass arguments that contain
* side effects.
*
* \param key_type A symmetric key type that is
* compatible with algorithm \p alg.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@ -252,11 +265,13 @@
*
* \return The AEAD ciphertext size for the specified
* algorithm.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) \
(PSA_AEAD_TAG_LENGTH(alg) != 0 ? \
(plaintext_length) + PSA_AEAD_TAG_LENGTH(alg) : \
#define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
(plaintext_length) + PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
0)
/** A sufficient output buffer size for psa_aead_encrypt(), for any of the
@ -268,7 +283,8 @@
* \note This macro returns a compile-time constant if its arguments are
* compile-time constants.
*
* See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p alg, \p plaintext_length).
* See also #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\p key_type, \p alg,
* \p plaintext_length).
*
* \param plaintext_length Size of the plaintext in bytes.
*
@ -287,10 +303,14 @@
* insufficient buffer size. Depending on the algorithm, the actual size of
* the plaintext may be smaller.
*
* See also #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length).
*
* \warning This macro may evaluate its arguments multiple times or
* zero times, so you should not pass arguments that contain
* side effects.
*
* \param key_type A symmetric key type that is
* compatible with algorithm \p alg.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@ -298,11 +318,14 @@
*
* \return The AEAD ciphertext size for the specified
* algorithm.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg, ciphertext_length) \
(PSA_AEAD_TAG_LENGTH(alg) != 0 ? \
(ciphertext_length) - PSA_AEAD_TAG_LENGTH(alg) : \
#define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
(ciphertext_length) > PSA_ALG_AEAD_GET_TAG_LENGTH(alg) ? \
(ciphertext_length) - PSA_ALG_AEAD_GET_TAG_LENGTH(alg) : \
0)
/** A sufficient output buffer size for psa_aead_decrypt(), for any of the
@ -314,7 +337,8 @@
* \note This macro returns a compile-time constant if its arguments are
* compile-time constants.
*
* See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p alg, \p ciphertext_length).
* See also #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\p key_type, \p alg,
* \p ciphertext_length).
*
* \param ciphertext_length Size of the ciphertext in bytes.
*
@ -352,11 +376,11 @@
*/
#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 ? \
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_CCM ? 13 : \
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_GCM ? 12 : \
MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CCM) ? 13 : \
MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_GCM) ? 12 : \
0 : \
(key_type) == PSA_KEY_TYPE_CHACHA20 && \
PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_CHACHA20_POLY1305 ? 12 : \
MBEDTLS_PSA_ALG_AEAD_EQUAL(alg, PSA_ALG_CHACHA20_POLY1305) ? 12 : \
0)
/** The maximum default nonce size among all supported pairs of key types and
@ -379,10 +403,14 @@
* insufficient buffer size. The actual size of the output may be smaller
* in any given call.
*
* See also #PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(\p input_length).
*
* \warning This macro may evaluate its arguments multiple times or
* zero times, so you should not pass arguments that contain
* side effects.
*
* \param key_type A symmetric key type that is
* compatible with algorithm \p alg.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@ -390,16 +418,20 @@
*
* \return A sufficient output buffer size for the specified
* algorithm.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
/* For all the AEAD modes defined in this specification, it is possible
* to emit output without delay. However, hardware may not always be
* capable of this. So for modes based on a block cipher, allow the
* implementation to delay the output until it has a full block. */
#define PSA_AEAD_UPDATE_OUTPUT_SIZE(alg, input_length) \
(PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE, (input_length)) : \
(input_length))
#define PSA_AEAD_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ? \
PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), (input_length)) : \
(input_length) : \
0)
/** A sufficient output buffer size for psa_aead_update(), for any of the
* supported key types and AEAD algorithms.
@ -407,7 +439,7 @@
* If the size of the output buffer is at least this large, it is guaranteed
* that psa_aead_update() will not fail due to an insufficient buffer size.
*
* See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p alg, \p input_length).
* See also #PSA_AEAD_UPDATE_OUTPUT_SIZE(\p key_type, \p alg, \p input_length).
*
* \param input_length Size of the input in bytes.
*/
@ -421,23 +453,30 @@
* insufficient ciphertext buffer size. The actual size of the output may
* be smaller in any given call.
*
* See also #PSA_AEAD_FINISH_OUTPUT_MAX_SIZE.
*
* \param key_type A symmetric key type that is
compatible with algorithm \p alg.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
*
* \return A sufficient ciphertext buffer size for the
* specified algorithm.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_AEAD_FINISH_OUTPUT_SIZE(alg) \
(PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE : \
#define PSA_AEAD_FINISH_OUTPUT_SIZE(key_type, alg) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
0)
/** A sufficient ciphertext buffer size for psa_aead_finish(), for any of the
* supported key types and AEAD algorithms.
*
* See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p alg).
* See also #PSA_AEAD_FINISH_OUTPUT_SIZE(\p key_type, \p alg).
*/
#define PSA_AEAD_FINISH_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)
@ -448,23 +487,30 @@
* insufficient plaintext buffer size. The actual size of the output may
* be smaller in any given call.
*
* See also #PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE.
*
* \param key_type A symmetric key type that is
* compatible with algorithm \p alg.
* \param alg An AEAD algorithm
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
*
* \return A sufficient plaintext buffer size for the
* specified algorithm.
* If the AEAD algorithm is not recognized, return 0.
* If the key type or AEAD algorithm is not
* recognized, or the parameters are incompatible,
* return 0.
*/
#define PSA_AEAD_VERIFY_OUTPUT_SIZE(alg) \
(PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE : \
#define PSA_AEAD_VERIFY_OUTPUT_SIZE(key_type, alg) \
(PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 && \
PSA_ALG_IS_AEAD_ON_BLOCK_CIPHER(alg) ? \
PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
0)
/** A sufficient plaintext buffer size for psa_aead_verify(), for any of the
* supported key types and AEAD algorithms.
*
* See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p alg).
* See also #PSA_AEAD_VERIFY_OUTPUT_SIZE(\p key_type, \p alg).
*/
#define PSA_AEAD_VERIFY_OUTPUT_MAX_SIZE (PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE)

23
include/psa/crypto_values.h
View File

@ -2137,4 +2137,27 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
/**@}*/
/** \defgroup helper_macros Helper macros
* @{
*/
/* Helper macros */
/** Check if two AEAD algorithm identifiers refer to the same AEAD algorithm
* regardless of the tag length they encode.
*
* \param aead_alg_1 An AEAD algorithm identifier.
* \param aead_alg_2 An AEAD algorithm identifier.
*
* \return 1 if both identifiers refer to the same AEAD algorithm,
* 0 otherwise.
* Unspecified if neither \p aead_alg_1 nor \p aead_alg_2 are
* a supported AEAD algorithm.
*/
#define MBEDTLS_PSA_ALG_AEAD_EQUAL(aead_alg_1, aead_alg_2) \
(!(((aead_alg_1) ^ (aead_alg_2)) & \
~(PSA_ALG_AEAD_TAG_LENGTH_MASK | PSA_ALG_AEAD_AT_LEAST_THIS_LENGTH_FLAG)))
/**@}*/
#endif /* PSA_CRYPTO_VALUES_H */