lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge branch 'development' into 3649_move_constant_time_functions_into_separate_module

Browse Source
This commit is contained in:
Gabor Mezei
2021-11-24 10:44:13 +01:00
parent 77390dc8ec 3616243391
commit be7b21da22
211 changed files with 20565 additions and 5080 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
include/mbedtls/aes.h
View File

@ -42,6 +42,7 @@
#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
#include "mbedtls/platform_util.h"
#include <stddef.h>
#include <stdint.h>
@ -163,6 +164,7 @@ void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits );
@ -181,6 +183,7 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits );
@ -201,6 +204,7 @@ int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits );
@ -221,6 +225,7 @@ int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits );
@ -249,6 +254,7 @@ int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
int mode,
const unsigned char input[16],
@ -296,6 +302,7 @@ int mbedtls_aes_crypt_ecb( mbedtls_aes_context *ctx,
* \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
* on failure.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
int mode,
size_t length,
@ -340,6 +347,7 @@ int mbedtls_aes_crypt_cbc( mbedtls_aes_context *ctx,
* smaller than an AES block in size (16 Bytes) or if \p
* length is larger than 2^20 blocks (16 MiB).
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
int mode,
size_t length,
@ -388,6 +396,7 @@ int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
int mode,
size_t length,
@ -432,6 +441,7 @@ int mbedtls_aes_crypt_cfb128( mbedtls_aes_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
int mode,
size_t length,
@ -486,6 +496,7 @@ int mbedtls_aes_crypt_cfb8( mbedtls_aes_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
size_t length,
size_t *iv_off,
@ -500,10 +511,6 @@ int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
* \brief This function performs an AES-CTR encryption or decryption
* operation.
*
* This function performs the operation defined in the \p mode
* parameter (encrypt/decrypt), on the input data buffer
* defined in the \p input parameter.
*
* Due to the nature of CTR, you must use the same key schedule
* for both encryption and decryption operations. Therefore, you
* must use the context initialized with mbedtls_aes_setkey_enc()
@ -572,6 +579,7 @@ int mbedtls_aes_crypt_ofb( mbedtls_aes_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
size_t length,
size_t *nc_off,
@ -592,6 +600,7 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] );
@ -607,6 +616,7 @@ int mbedtls_internal_aes_encrypt( mbedtls_aes_context *ctx,
*
* \return \c 0 on success.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
const unsigned char input[16],
unsigned char output[16] );
@ -618,6 +628,7 @@ int mbedtls_internal_aes_decrypt( mbedtls_aes_context *ctx,
* \return \c 0 on success.
* \return \c 1 on failure.
*/
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_aes_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST */

46
include/mbedtls/asn1.h
View File

@ -152,9 +152,9 @@ extern "C" {
*/
typedef struct mbedtls_asn1_buf
{
int MBEDTLS_PRIVATE(tag); /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */
unsigned char *MBEDTLS_PRIVATE(p); /**< ASN1 data, e.g. in ASCII. */
int tag; /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */
size_t len; /**< ASN1 length, in octets. */
unsigned char *p; /**< ASN1 data, e.g. in ASCII. */
}
mbedtls_asn1_buf;
@ -163,9 +163,9 @@ mbedtls_asn1_buf;
*/
typedef struct mbedtls_asn1_bitstring
{
size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */
unsigned char MBEDTLS_PRIVATE(unused_bits); /**< Number of unused bits at the end of the string */
unsigned char *MBEDTLS_PRIVATE(p); /**< Raw ASN1 data for the bit string */
size_t len; /**< ASN1 length, in octets. */
unsigned char unused_bits; /**< Number of unused bits at the end of the string */
unsigned char *p; /**< Raw ASN1 data for the bit string */
}
mbedtls_asn1_bitstring;
@ -174,8 +174,16 @@ mbedtls_asn1_bitstring;
*/
typedef struct mbedtls_asn1_sequence
{
mbedtls_asn1_buf MBEDTLS_PRIVATE(buf); /**< Buffer containing the given ASN.1 item. */
struct mbedtls_asn1_sequence *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */
mbedtls_asn1_buf buf; /**< Buffer containing the given ASN.1 item. */
/** The next entry in the sequence.
*
* The details of memory management for sequences are not documented and
* may change in future versions. Set this field to \p NULL when
* initializing a structure, and do not modify it except via Mbed TLS
* library functions.
*/
struct mbedtls_asn1_sequence *next;
}
mbedtls_asn1_sequence;
@ -184,10 +192,24 @@ mbedtls_asn1_sequence;
*/
typedef struct mbedtls_asn1_named_data
{
mbedtls_asn1_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */
mbedtls_asn1_buf MBEDTLS_PRIVATE(val); /**< The named value. */
struct mbedtls_asn1_named_data *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */
unsigned char MBEDTLS_PRIVATE(next_merged); /**< Merge next item into the current one? */
mbedtls_asn1_buf oid; /**< The object identifier. */
mbedtls_asn1_buf val; /**< The named value. */
/** The next entry in the sequence.
*
* The details of memory management for named data sequences are not
* documented and may change in future versions. Set this field to \p NULL
* when initializing a structure, and do not modify it except via Mbed TLS
* library functions.
*/
struct mbedtls_asn1_named_data *next;
/** Merge next item into the current one?
*
* This field exists for the sake of Mbed TLS's X.509 certificate parsing
* code and may change in future versions of the library.
*/
unsigned char MBEDTLS_PRIVATE(next_merged);
}
mbedtls_asn1_named_data;

22
include/mbedtls/ccm.h
View File

@ -76,7 +76,27 @@ extern "C" {
*/
typedef struct mbedtls_ccm_context
{
unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working buffer */
unsigned char MBEDTLS_PRIVATE(ctr)[16]; /*!< The counter buffer */
mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
size_t MBEDTLS_PRIVATE(plaintext_len); /*!< Total plaintext length */
size_t MBEDTLS_PRIVATE(add_len); /*!< Total authentication data length */
size_t MBEDTLS_PRIVATE(tag_len); /*!< Total tag length */
size_t MBEDTLS_PRIVATE(processed); /*!< Track how many bytes of input data
were processed (chunked input).
Used independently for both auth data
and plaintext/ciphertext.
This variable is set to zero after
auth data input is finished. */
unsigned char MBEDTLS_PRIVATE(q); /*!< The Q working value */
unsigned char MBEDTLS_PRIVATE(mode); /*!< The operation to perform:
#MBEDTLS_CCM_ENCRYPT or
#MBEDTLS_CCM_DECRYPT or
#MBEDTLS_CCM_STAR_ENCRYPT or
#MBEDTLS_CCM_STAR_DECRYPT. */
int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
state. Used for chunked data
input */
}
mbedtls_ccm_context;
@ -178,6 +198,7 @@ int mbedtls_ccm_encrypt_and_tag( mbedtls_ccm_context *ctx, size_t length,
* \param ctx The CCM context to use for encryption. This must be
* initialized and bound to a key.
* \param length The length of the input data in Bytes.
* For tag length = 0, input length is ignored.
* \param iv The initialization vector (nonce). This must be a readable
* buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,
@ -259,6 +280,7 @@ int mbedtls_ccm_auth_decrypt( mbedtls_ccm_context *ctx, size_t length,
* \param ctx The CCM context to use for decryption. This must be
* initialized and bound to a key.
* \param length The length of the input data in Bytes.
* For tag length = 0, input length is ignored.
* \param iv The initialization vector (nonce). This must be a readable
* buffer of at least \p iv_len Bytes.
* \param iv_len The length of the nonce in Bytes: 7, 8, 9, 10, 11, 12,

93
include/mbedtls/cipher.h
View File

@ -140,9 +140,15 @@ typedef enum {
MBEDTLS_CIPHER_AES_128_CCM, /**< AES cipher with 128-bit CCM mode. */
MBEDTLS_CIPHER_AES_192_CCM, /**< AES cipher with 192-bit CCM mode. */
MBEDTLS_CIPHER_AES_256_CCM, /**< AES cipher with 256-bit CCM mode. */
MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, /**< AES cipher with 128-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, /**< AES cipher with 192-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, /**< AES cipher with 256-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CCM, /**< Camellia cipher with 128-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CCM, /**< Camellia cipher with 192-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CCM, /**< Camellia cipher with 256-bit CCM mode. */
MBEDTLS_CIPHER_CAMELLIA_128_CCM_STAR_NO_TAG, /**< Camellia cipher with 128-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_CAMELLIA_192_CCM_STAR_NO_TAG, /**< Camellia cipher with 192-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_CAMELLIA_256_CCM_STAR_NO_TAG, /**< Camellia cipher with 256-bit CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_ARIA_128_ECB, /**< Aria cipher with 128-bit key and ECB mode. */
MBEDTLS_CIPHER_ARIA_192_ECB, /**< Aria cipher with 192-bit key and ECB mode. */
MBEDTLS_CIPHER_ARIA_256_ECB, /**< Aria cipher with 256-bit key and ECB mode. */
@ -161,6 +167,9 @@ typedef enum {
MBEDTLS_CIPHER_ARIA_128_CCM, /**< Aria cipher with 128-bit key and CCM mode. */
MBEDTLS_CIPHER_ARIA_192_CCM, /**< Aria cipher with 192-bit key and CCM mode. */
MBEDTLS_CIPHER_ARIA_256_CCM, /**< Aria cipher with 256-bit key and CCM mode. */
MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG, /**< Aria cipher with 128-bit key and CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG, /**< Aria cipher with 192-bit key and CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG, /**< Aria cipher with 256-bit key and CCM_STAR_NO_TAG mode. */
MBEDTLS_CIPHER_AES_128_OFB, /**< AES 128-bit cipher in OFB mode. */
MBEDTLS_CIPHER_AES_192_OFB, /**< AES 192-bit cipher in OFB mode. */
MBEDTLS_CIPHER_AES_256_OFB, /**< AES 256-bit cipher in OFB mode. */
@ -187,6 +196,7 @@ typedef enum {
MBEDTLS_MODE_GCM, /**< The GCM cipher mode. */
MBEDTLS_MODE_STREAM, /**< The stream cipher mode. */
MBEDTLS_MODE_CCM, /**< The CCM cipher mode. */
MBEDTLS_MODE_CCM_STAR_NO_TAG, /**< The CCM*-no-tag cipher mode. */
MBEDTLS_MODE_XTS, /**< The XTS cipher mode. */
MBEDTLS_MODE_CHACHAPOLY, /**< The ChaCha-Poly cipher mode. */
MBEDTLS_MODE_KW, /**< The SP800-38F KW mode */
@ -258,6 +268,13 @@ typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
/**
* Cipher information. Allows calling cipher functions
* in a generic way.
*
* \note The library does not support custom cipher info structures,
* only built-in structures returned by the functions
* mbedtls_cipher_info_from_string(),
* mbedtls_cipher_info_from_type(),
* mbedtls_cipher_info_from_values(),
* mbedtls_cipher_info_from_psa().
*/
typedef struct mbedtls_cipher_info_t
{
@ -414,6 +431,82 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_ciph
int key_bitlen,
const mbedtls_cipher_mode_t mode );
/**
* \brief Retrieve the identifier for a cipher info structure.
*
* \param[in] info The cipher info structure to query.
* This may be \c NULL.
*
* \return The full cipher identifier (\c MBEDTLS_CIPHER_xxx).
* \return #MBEDTLS_CIPHER_NONE if \p info is \c NULL.
*/
static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type(
const mbedtls_cipher_info_t *info )
{
if( info == NULL )
return( MBEDTLS_CIPHER_NONE );
else
return( info->MBEDTLS_PRIVATE(type) );
}
/**
* \brief Retrieve the operation mode for a cipher info structure.
*
* \param[in] info The cipher info structure to query.
* This may be \c NULL.
*
* \return The cipher mode (\c MBEDTLS_MODE_xxx).
* \return #MBEDTLS_MODE_NONE if \p info is \c NULL.
*/
static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode(
const mbedtls_cipher_info_t *info )
{
if( info == NULL )
return( MBEDTLS_MODE_NONE );
else
return( info->MBEDTLS_PRIVATE(mode) );
}
/**
* \brief Retrieve the key size for a cipher info structure.
*
* \param[in] info The cipher info structure to query.
* This may be \c NULL.
*
* \return The key length in bits.
* For variable-sized ciphers, this is the default length.
* For DES, this includes the parity bits.
* \return \c 0 if \p info is \c NULL.
*/
static inline size_t mbedtls_cipher_info_get_key_bitlen(
const mbedtls_cipher_info_t *info )
{
if( info == NULL )
return( 0 );
else
return( info->MBEDTLS_PRIVATE(key_bitlen) );
}
/**
* \brief Retrieve the human-readable name for a
* cipher info structure.
*
* \param[in] info The cipher info structure to query.
* This may be \c NULL.
*
* \return The cipher name, which is a human readable string,
* with static storage duration.
* \return \c NULL if \c info is \p NULL.
*/
static inline const char *mbedtls_cipher_info_get_name(
const mbedtls_cipher_info_t *info )
{
if( info == NULL )
return( NULL );
else
return( info->MBEDTLS_PRIVATE(name) );
}
/**
* \brief This function initializes a \p cipher_context as NONE.
*

30
include/mbedtls/config_psa.h
View File

@ -56,6 +56,12 @@ extern "C" {
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW PSA_WANT_ALG_RSA_PKCS1V15_SIGN
#endif
#if defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && !defined(PSA_WANT_ALG_RSA_PSS)
#define PSA_WANT_ALG_RSA_PSS PSA_WANT_ALG_RSA_PSS_ANY_SALT
#elif !defined(PSA_WANT_ALG_RSA_PSS_ANY_SALT) && defined(PSA_WANT_ALG_RSA_PSS)
#define PSA_WANT_ALG_RSA_PSS_ANY_SALT PSA_WANT_ALG_RSA_PSS
#endif
/****************************************************************/
@ -267,6 +273,18 @@ extern "C" {
#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
#endif /* PSA_WANT_KEY_TYPE_AES */
#if defined(PSA_WANT_KEY_TYPE_ARIA)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
defined(PSA_HAVE_SOFT_BLOCK_AEAD)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
#define MBEDTLS_ARIA_C
#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
#endif /* PSA_WANT_KEY_TYPE_ARIA */
#if defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
@ -301,6 +319,7 @@ extern "C" {
* PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these
* situations. */
#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
@ -381,6 +400,7 @@ extern "C" {
#if defined(PSA_WANT_ALG_CCM)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
#define MBEDTLS_CCM_C
@ -390,6 +410,7 @@ extern "C" {
#if defined(PSA_WANT_ALG_GCM)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
#define MBEDTLS_GCM_C
@ -586,7 +607,7 @@ extern "C" {
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN 1
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW 1
#endif /* MBEDTLSS_PKCS1_V15 */
#endif /* MBEDTLS_PKCS1_V15 */
#if defined(MBEDTLS_PKCS1_V21)
#define MBEDTLS_PSA_BUILTIN_ALG_RSA_OAEP 1
#define PSA_WANT_ALG_RSA_OAEP 1
@ -629,6 +650,11 @@ extern "C" {
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
#endif
#if defined(MBEDTLS_ARIA_C)
#define PSA_WANT_KEY_TYPE_ARIA 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
#endif
#if defined(MBEDTLS_CAMELLIA_C)
#define PSA_WANT_KEY_TYPE_CAMELLIA 1
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
@ -660,7 +686,7 @@ extern "C" {
#endif
#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
defined(MBEDTLS_CAMELLIA_C)
defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#endif

14
include/mbedtls/des.h
View File

@ -29,6 +29,7 @@
#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
#include "mbedtls/platform_util.h"
#include <stddef.h>
#include <stdint.h>
@ -139,6 +140,7 @@ void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] );
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
/**
@ -152,6 +154,7 @@ int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SI
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
/**
@ -166,6 +169,7 @@ int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
/**
@ -180,6 +184,7 @@ int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MB
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] );
/**
@ -190,6 +195,7 @@ int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MB
*
* \return 0
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
@ -201,6 +207,7 @@ int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
*
* \return 0
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] );
@ -212,6 +219,7 @@ int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
*
* \return 0
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
@ -223,6 +231,7 @@ int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
*
* \return 0
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] );
@ -239,6 +248,7 @@ int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
const unsigned char input[8],
unsigned char output[8] );
@ -266,6 +276,7 @@ int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
* security risk. We recommend considering stronger ciphers
* instead.
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
int mode,
size_t length,
@ -283,6 +294,7 @@ int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
*
* \return 0 if successful
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
const unsigned char input[8],
unsigned char output[8] );
@ -308,6 +320,7 @@ int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
*
* \return 0 if successful, or MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH
*/
MBEDTLS_CHECK_RETURN_TYPICAL
int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
int mode,
size_t length,
@ -338,6 +351,7 @@ void mbedtls_des_setkey( uint32_t SK[32],
*
* \return 0 if successful, or 1 if the test failed
*/
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_des_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST */

16
include/mbedtls/ecp.h
View File

@ -130,10 +130,8 @@ typedef enum
/**
* The number of supported curves, plus one for #MBEDTLS_ECP_DP_NONE.
*
* \note Montgomery curves are currently excluded.
*/
#define MBEDTLS_ECP_DP_MAX 12
#define MBEDTLS_ECP_DP_MAX 14
/*
* Curve types
@ -147,13 +145,17 @@ typedef enum
/**
* Curve information, for use by other modules.
*
* The fields of this structure are part of the public API and can be
* accessed directly by applications. Future versions of the library may
* add extra fields or reorder existing fields.
*/
typedef struct mbedtls_ecp_curve_info
{
mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id); /*!< An internal identifier. */
uint16_t MBEDTLS_PRIVATE(tls_id); /*!< The TLS NamedCurve identifier. */
uint16_t MBEDTLS_PRIVATE(bit_size); /*!< The curve size in bits. */
const char *MBEDTLS_PRIVATE(name); /*!< A human-friendly name. */
mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */
uint16_t tls_id; /*!< The TLS NamedCurve identifier. */
uint16_t bit_size; /*!< The curve size in bits. */
const char *name; /*!< A human-friendly name. */
} mbedtls_ecp_curve_info;
/**

2
include/mbedtls/error.h
View File

@ -56,7 +56,7 @@
* Module Nr Codes assigned
* ERROR 2 0x006E 0x0001
* MPI 7 0x0002-0x0010
* GCM 3 0x0012-0x0014 0x0013-0x0013
* GCM 3 0x0012-0x0016 0x0013-0x0013
* THREADING 3 0x001A-0x001E
* AES 5 0x0020-0x0022 0x0021-0x0025
* CAMELLIA 3 0x0024-0x0026 0x0027-0x0027

2
include/mbedtls/gcm.h
View File

@ -45,6 +45,8 @@
#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012
/** Bad input parameters to function. */
#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014
/** An output buffer is too small. */
#define MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL -0x0016
#ifdef __cplusplus
extern "C" {

87
include/mbedtls/mbedtls_config.h
View File

@ -520,6 +520,29 @@
*/
//#define MBEDTLS_CAMELLIA_SMALL_MEMORY
/**
* \def MBEDTLS_CHECK_RETURN_WARNING
*
* If this macro is defined, emit a compile-time warning if application code
* calls a function without checking its return value, but the return value
* should generally be checked in portable applications.
*
* This is only supported on platforms where #MBEDTLS_CHECK_RETURN is
* implemented. Otherwise this option has no effect.
*
* Uncomment to get warnings on using fallible functions without checking
* their return value.
*
* \note This feature is a work in progress.
* Warnings will be added to more functions in the future.
*
* \note A few functions are considered critical, and ignoring the return
* value of these functions will trigger a warning even if this
* macro is not defined. To completely disable return value check
* warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion.
*/
//#define MBEDTLS_CHECK_RETURN_WARNING
/**
* \def MBEDTLS_CIPHER_MODE_CBC
*
@ -1598,16 +1621,6 @@
*/
#define MBEDTLS_SSL_SESSION_TICKETS
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
*
* Enable support for exporting key block and master secret.
* This is required for certain users of TLS, e.g. EAP-TLS.
*
* Comment this macro to disable support for key export
*/
#define MBEDTLS_SSL_EXPORT_KEYS
/**
* \def MBEDTLS_SSL_SERVER_NAME_INDICATION
*
@ -1718,15 +1731,13 @@
* will still continue to work as usual, so enabling this option should not
* break backwards compatibility.
*
* \warning The PSA Crypto API is in beta stage. While you're welcome to
* experiment using it, incompatible API changes are still possible, and some
* parts may not have reached the same quality as the rest of Mbed TLS yet.
* \note See docs/use-psa-crypto.md for a complete description of what this
* option currently does, and of parts that are not affected by it so far.
*
* \warning This option enables new Mbed TLS APIs that are dependent on the
* PSA Crypto API, so can't come with the same stability guarantees as the
* rest of the Mbed TLS APIs. You're welcome to experiment with them, but for
* now, access to these APIs is opt-in (via enabling the present option), in
* order to clearly differentiate them from the stable Mbed TLS APIs.
* \warning This option enables new Mbed TLS APIs which are currently
* considered experimental and may change in incompatible ways at any time.
* That is, the APIs enabled by this option are not covered by the usual
* promises of API stability.
*
* Requires: MBEDTLS_PSA_CRYPTO_C.
*
@ -2592,10 +2603,6 @@
*
* Enable the Platform Security Architecture cryptography API.
*
* \warning The PSA Crypto API is still beta status. While you're welcome to
* experiment using it, incompatible API changes are still possible, and some
* parts may not have reached the same quality as the rest of Mbed TLS yet.
*
* Module: library/psa_crypto.c
*
* Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C,
@ -3073,6 +3080,29 @@
//#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */
//#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */
/** \def MBEDTLS_CHECK_RETURN
*
* This macro is used at the beginning of the declaration of a function
* to indicate that its return value should be checked. It should
* instruct the compiler to emit a warning or an error if the function
* is called without checking its return value.
*
* There is a default implementation for popular compilers in platform_util.h.
* You can override the default implementation by defining your own here.
*
* If the implementation here is empty, this will effectively disable the
* checking of functions' return values.
*/
//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
/** \def MBEDTLS_IGNORE_RETURN
*
* This macro requires one argument, which should be a C function call.
* If that function call would cause a #MBEDTLS_CHECK_RETURN warning, this
* warning is suppressed.
*/
//#define MBEDTLS_IGNORE_RETURN( result ) ((void) !(result))
/* PSA options */
/**
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
@ -3179,7 +3209,7 @@
* Maximum number of heap-allocated bytes for the purpose of
* DTLS handshake message reassembly and future message buffering.
*
* This should be at least 9/8 * MBEDTLSSL_IN_CONTENT_LEN
* This should be at least 9/8 * MBEDTLS_SSL_IN_CONTENT_LEN
* to account for a reassembled handshake message of maximum size,
* together with its reassembly bitmap.
*
@ -3194,6 +3224,17 @@
//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 bits) */
//#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
/** \def MBEDTLS_TLS_EXT_CID
*
* At the time of writing, the CID extension has not been assigned its
* final value. Set this configuration option to make Mbed TLS use a
* different value.
*
* A future minor revision of Mbed TLS may change the default value of
* this option to match evolving standards and usage.
*/
//#define MBEDTLS_TLS_EXT_CID 254
/**
* Complete list of ciphersuites to use, in order of preference.
*

8
include/mbedtls/net_sockets.h
View File

@ -94,7 +94,13 @@ extern "C" {
*/
typedef struct mbedtls_net_context
{
int MBEDTLS_PRIVATE(fd); /**< The underlying file descriptor */
/** The underlying file descriptor.
*
* This field is only guaranteed to be present on POSIX/Unix-like platforms.
* On other platforms, it may have a different type, have a different
* meaning, or be absent altogether.
*/
int fd;
}
mbedtls_net_context;

4
include/mbedtls/pk.h
View File

@ -186,6 +186,10 @@ typedef struct mbedtls_pk_debug_item
/**
* \brief Public key information and operations
*
* \note The library does not support custom pk info structures,
* only built-in structures returned by
* mbedtls_cipher_info_from_type().
*/
typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;

95
include/mbedtls/platform_util.h
View File

@ -42,10 +42,6 @@ extern "C" {
/* Internal helper macros for deprecating API constants. */
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_DEPRECATED_WARNING)
/* Deliberately don't (yet) export MBEDTLS_DEPRECATED here
* to avoid conflict with other headers which define and use
* it, too. We might want to move all these definitions here at
* some point for uniformity. */
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) \
@ -53,13 +49,102 @@ MBEDTLS_DEPRECATED typedef char const * mbedtls_deprecated_string_constant_t;
MBEDTLS_DEPRECATED typedef int mbedtls_deprecated_numeric_constant_t;
#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) \
( (mbedtls_deprecated_numeric_constant_t) ( VAL ) )
#undef MBEDTLS_DEPRECATED
#else /* MBEDTLS_DEPRECATED_WARNING */
#define MBEDTLS_DEPRECATED
#define MBEDTLS_DEPRECATED_STRING_CONSTANT( VAL ) VAL
#define MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( VAL ) VAL
#endif /* MBEDTLS_DEPRECATED_WARNING */
#endif /* MBEDTLS_DEPRECATED_REMOVED */
/* Implementation of the check-return facility.
* See the user documentation in mbedtls_config.h.
*
* Do not use this macro directly to annotate function: instead,
* use one of MBEDTLS_CHECK_RETURN_CRITICAL or MBEDTLS_CHECK_RETURN_TYPICAL
* depending on how important it is to check the return value.
*/
#if !defined(MBEDTLS_CHECK_RETURN)
#if defined(__GNUC__)
#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__))
#elif defined(_MSC_VER) && _MSC_VER >= 1700
#include <sal.h>
#define MBEDTLS_CHECK_RETURN _Check_return_
#else
#define MBEDTLS_CHECK_RETURN
#endif
#endif
/** Critical-failure function
*
* This macro appearing at the beginning of the declaration of a function
* indicates that its return value should be checked in all applications.
* Omitting the check is very likely to indicate a bug in the application
* and will result in a compile-time warning if #MBEDTLS_CHECK_RETURN
* is implemented for the compiler in use.
*
* \note The use of this macro is a work in progress.
* This macro may be added to more functions in the future.
* Such an extension is not considered an API break, provided that
* there are near-unavoidable circumstances under which the function
* can fail. For example, signature/MAC/AEAD verification functions,
* and functions that require a random generator, are considered
* return-check-critical.
*/
#define MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN
/** Ordinary-failure function
*
* This macro appearing at the beginning of the declaration of a function
* indicates that its return value should be generally be checked in portable
* applications. Omitting the check will result in a compile-time warning if
* #MBEDTLS_CHECK_RETURN is implemented for the compiler in use and
* #MBEDTLS_CHECK_RETURN_WARNING is enabled in the compile-time configuration.
*
* You can use #MBEDTLS_IGNORE_RETURN to explicitly ignore the return value
* of a function that is annotated with #MBEDTLS_CHECK_RETURN.
*
* \note The use of this macro is a work in progress.
* This macro will be added to more functions in the future.
* Eventually this should appear before most functions returning
* an error code (as \c int in the \c mbedtls_xxx API or
* as ::psa_status_t in the \c psa_xxx API).
*/
#if defined(MBEDTLS_CHECK_RETURN_WARNING)
#define MBEDTLS_CHECK_RETURN_TYPICAL MBEDTLS_CHECK_RETURN
#else
#define MBEDTLS_CHECK_RETURN_TYPICAL
#endif
/** Benign-failure function
*
* This macro appearing at the beginning of the declaration of a function
* indicates that it is rarely useful to check its return value.
*
* This macro has an empty expansion. It exists for documentation purposes:
* a #MBEDTLS_CHECK_RETURN_OPTIONAL annotation indicates that the function
* has been analyzed for return-check usefuless, whereas the lack of
* an annotation indicates that the function has not been analyzed and its
* return-check usefulness is unknown.
*/
#define MBEDTLS_CHECK_RETURN_OPTIONAL
/** \def MBEDTLS_IGNORE_RETURN
*
* Call this macro with one argument, a function call, to suppress a warning
* from #MBEDTLS_CHECK_RETURN due to that function call.
*/
#if !defined(MBEDTLS_IGNORE_RETURN)
/* GCC doesn't silence the warning with just (void)(result).
* (void)!(result) is known to work up at least up to GCC 10, as well
* as with Clang and MSVC.
*
* https://gcc.gnu.org/onlinedocs/gcc-3.4.6/gcc/Non_002dbugs.html
* https://stackoverflow.com/questions/40576003/ignoring-warning-wunused-result
* https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425#c34
*/
#define MBEDTLS_IGNORE_RETURN(result) ( (void) !( result ) )
#endif
/**
* \brief Securely zeroize a buffer
*

13
include/mbedtls/psa_util.h
View File

@ -51,18 +51,27 @@ static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
case MBEDTLS_CIPHER_AES_128_CCM:
case MBEDTLS_CIPHER_AES_192_CCM:
case MBEDTLS_CIPHER_AES_256_CCM:
case MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_AES_128_GCM:
case MBEDTLS_CIPHER_AES_192_GCM:
case MBEDTLS_CIPHER_AES_256_GCM:
case MBEDTLS_CIPHER_AES_128_CBC:
case MBEDTLS_CIPHER_AES_192_CBC:
case MBEDTLS_CIPHER_AES_256_CBC:
case MBEDTLS_CIPHER_AES_128_ECB:
case MBEDTLS_CIPHER_AES_192_ECB:
case MBEDTLS_CIPHER_AES_256_ECB:
return( PSA_KEY_TYPE_AES );
/* ARIA not yet supported in PSA. */
/* case MBEDTLS_CIPHER_ARIA_128_CCM:
case MBEDTLS_CIPHER_ARIA_192_CCM:
case MBEDTLS_CIPHER_ARIA_256_CCM:
case MBEDTLS_CIPHER_ARIA_128_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_192_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_256_CCM_STAR_NO_TAG:
case MBEDTLS_CIPHER_ARIA_128_GCM:
case MBEDTLS_CIPHER_ARIA_192_GCM:
case MBEDTLS_CIPHER_ARIA_256_GCM:
@ -87,6 +96,8 @@ static inline psa_algorithm_t mbedtls_psa_translate_cipher_mode(
return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_GCM, taglen ) );
case MBEDTLS_MODE_CCM:
return( PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, taglen ) );
case MBEDTLS_MODE_CCM_STAR_NO_TAG:
return PSA_ALG_CCM_STAR_NO_TAG;
case MBEDTLS_MODE_CBC:
if( taglen == 0 )
return( PSA_ALG_CBC_NO_PADDING );
@ -369,7 +380,7 @@ static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group(
if( curve_info == NULL )
return( 0 );
return( PSA_KEY_TYPE_ECC_KEY_PAIR(
mbedtls_ecc_group_to_psa( curve_info->MBEDTLS_PRIVATE(grp_id), bits ) ) );
mbedtls_ecc_group_to_psa( curve_info->grp_id, bits ) ) );
}
#endif /* MBEDTLS_ECP_C */

3
include/mbedtls/sha256.h
View File

@ -167,6 +167,9 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
* for SHA-256, \c 28 bytes for SHA-224.
* \param is224 Determines which function to use. This must be
* either \c 0 for SHA-256, or \c 1 for SHA-224.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_sha256( const unsigned char *input,
size_t ilen,

370
include/mbedtls/ssl.h
View File

@ -21,6 +21,7 @@
*/
#ifndef MBEDTLS_SSL_H
#define MBEDTLS_SSL_H
#include "mbedtls/platform_util.h"
#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
@ -169,6 +170,76 @@
/** Invalid value in SSL config */
#define MBEDTLS_ERR_SSL_BAD_CONFIG -0x5E80
/*
* TLS 1.3 NamedGroup values
*
* From RF 8446
* enum {
* // Elliptic Curve Groups (ECDHE)
* secp256r1(0x0017), secp384r1(0x0018), secp521r1(0x0019),
* x25519(0x001D), x448(0x001E),
* // Finite Field Groups (DHE)
* ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102),
* ffdhe6144(0x0103), ffdhe8192(0x0104),
* // Reserved Code Points
* ffdhe_private_use(0x01FC..0x01FF),
* ecdhe_private_use(0xFE00..0xFEFF),
* (0xFFFF)
* } NamedGroup;
*
*/
/* Elliptic Curve Groups (ECDHE) */
#define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018
#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 0x0019
#define MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 0x001A
#define MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 0x001B
#define MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 0x001C
#define MBEDTLS_SSL_IANA_TLS_GROUP_X25519 0x001D
#define MBEDTLS_SSL_IANA_TLS_GROUP_X448 0x001E
/* Finite Field Groups (DHE) */
#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 0x0100
#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072 0x0101
#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096 0x0102
#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144 0x0103
#define MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 0x0104
/*
* TLS 1.3 Key Exchange Modes
*
* Mbed TLS internal identifiers for use with the SSL configuration API
* mbedtls_ssl_conf_tls13_key_exchange_modes().
*/
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ( 1u << 0 ) /*!< Pure-PSK TLS 1.3 key exchange,
* encompassing both externally agreed PSKs
* as well as resumption PSKs. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ( 1u << 1 ) /*!< Pure-Ephemeral TLS 1.3 key exchanges,
* including for example ECDHE and DHE
* key exchanges. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ( 1u << 2 ) /*!< PSK-Ephemeral TLS 1.3 key exchanges,
* using both a PSK and an ephemeral
* key exchange. */
/* Convenience macros for sets of key exchanges. */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) /*!< All TLS 1.3 key exchanges */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All PSK-based TLS 1.3 key exchanges */
#define MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL \
( MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL | \
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) /*!< All ephemeral TLS 1.3 key exchanges */
/*
* Various constants
*/
@ -337,6 +408,41 @@
#define MBEDTLS_SSL_SIG_RSA 1
#define MBEDTLS_SSL_SIG_ECDSA 3
/*
* TLS 1.3 signature algorithms
* RFC 8446, Section 4.2.2
*/
/* RSASSA-PKCS1-v1_5 algorithms */
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA256 0x0401
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA384 0x0501
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA512 0x0601
/* ECDSA algorithms */
#define MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256 0x0403
#define MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384 0x0503
#define MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512 0x0603
/* RSASSA-PSS algorithms with public key OID rsaEncryption */
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA256 0x0804
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA384 0x0805
#define MBEDTLS_TLS13_SIG_RSA_PSS_RSAE_SHA512 0x0806
/* EdDSA algorithms */
#define MBEDTLS_TLS13_SIG_ED25519 0x0807
#define MBEDTLS_TLS13_SIG_ED448 0x0808
/* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA256 0x0809
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA384 0x080A
#define MBEDTLS_TLS13_SIG_RSA_PSS_PSS_SHA512 0x080B
/* LEGACY ALGORITHMS */
#define MBEDTLS_TLS13_SIG_RSA_PKCS1_SHA1 0x0201
#define MBEDTLS_TLS13_SIG_ECDSA_SHA1 0x0203
#define MBEDTLS_TLS13_SIG_NONE 0x0
/*
* Client Certificate Types
* RFC 5246 section 7.4.4 plus RFC 4492 section 5.5
@ -391,6 +497,7 @@
#define MBEDTLS_SSL_HS_SERVER_HELLO 2
#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST 3
#define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4
#define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 // NEW IN TLS 1.3
#define MBEDTLS_SSL_HS_CERTIFICATE 11
#define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12
#define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST 13
@ -408,25 +515,48 @@
#define MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH 1
#define MBEDTLS_TLS_EXT_TRUNCATED_HMAC 4
#define MBEDTLS_TLS_EXT_STATUS_REQUEST 5 /* RFC 6066 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES 10
#define MBEDTLS_TLS_EXT_SUPPORTED_GROUPS 10 /* RFC 8422,7919 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS 11
#define MBEDTLS_TLS_EXT_SIG_ALG 13
#define MBEDTLS_TLS_EXT_SIG_ALG 13 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_USE_SRTP 14
#define MBEDTLS_TLS_EXT_HEARTBEAT 15 /* RFC 6520 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_ALPN 16
#define MBEDTLS_TLS_EXT_SCT 18 /* RFC 6962 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_CLI_CERT_TYPE 19 /* RFC 7250 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_SERV_CERT_TYPE 20 /* RFC 7250 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_PADDING 21 /* RFC 7685 TLS 1.2 and 1.3 */
#define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC 22 /* 0x16 */
#define MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET 0x0017 /* 23 */
#define MBEDTLS_TLS_EXT_SESSION_TICKET 35
#define MBEDTLS_TLS_EXT_PRE_SHARED_KEY 41 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_EARLY_DATA 42 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS 43 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_COOKIE 44 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES 45 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_CERT_AUTH 47 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_OID_FILTERS 48 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH 49 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */
#define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */
/* The value of the CID extension is still TBD as of
* draft-ietf-tls-dtls-connection-id-05
* (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) */
* (https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05).
*
* A future minor revision of Mbed TLS may change the default value of
* this option to match evolving standards and usage.
*/
#if !defined(MBEDTLS_TLS_EXT_CID)
#define MBEDTLS_TLS_EXT_CID 254 /* TBD */
#endif
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
@ -475,6 +605,11 @@ union mbedtls_ssl_premaster_secret
#define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
/* Length in number of bytes of the TLS sequence number */
#define MBEDTLS_SSL_SEQUENCE_NUMBER_LEN 8
#ifdef __cplusplus
extern "C" {
#endif
@ -503,6 +638,10 @@ typedef enum
MBEDTLS_SSL_HANDSHAKE_OVER,
MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET,
MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT,
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
MBEDTLS_SSL_ENCRYPTED_EXTENSIONS,
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
}
mbedtls_ssl_states;
@ -537,10 +676,11 @@ typedef int mbedtls_ssl_send_t( void *ctx,
* \param buf Buffer to write the received data to
* \param len Length of the receive buffer
*
* \return The callback must return the number of bytes received,
* or a non-zero error code.
* If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
* \returns If data has been received, the positive number of bytes received.
* \returns \c 0 if the connection has been closed.
* \returns If performing non-blocking I/O, \c MBEDTLS_ERR_SSL_WANT_READ
* must be returned when the operation would block.
* \returns Another negative error code on other kinds of failures.
*
* \note The callback may receive fewer bytes than the length of the
* buffer. It must always return the number of bytes actually
@ -560,7 +700,7 @@ typedef int mbedtls_ssl_recv_t( void *ctx,
* \param ctx Context for the receive callback (typically a file descriptor)
* \param buf Buffer to write the received data to
* \param len Length of the receive buffer
* \param timeout Maximum nomber of millisecondes to wait for data
* \param timeout Maximum number of milliseconds to wait for data
* 0 means no timeout (potentially waiting forever)
*
* \return The callback must return the number of bytes received,
@ -912,6 +1052,14 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED &&
!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
typedef struct
{
unsigned char client_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
unsigned char server_application_traffic_secret_N[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
unsigned char exporter_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
unsigned char resumption_master_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
} mbedtls_ssl_tls1_3_application_secrets;
#if defined(MBEDTLS_SSL_DTLS_SRTP)
#define MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH 255
@ -1002,6 +1150,10 @@ struct mbedtls_ssl_session
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_tls1_3_application_secrets MBEDTLS_PRIVATE(app_secrets);
#endif
};
/*
@ -1017,7 +1169,6 @@ typedef enum
}
mbedtls_tls_prf_types;
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
typedef enum
{
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0,
@ -1053,7 +1204,6 @@ typedef void mbedtls_ssl_export_keys_t( void *p_expkey,
const unsigned char client_random[32],
const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
/**
* SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
@ -1069,6 +1219,11 @@ struct mbedtls_ssl_config
/** Allowed ciphersuites for (D)TLS 1.2 (0-terminated) */
const int *MBEDTLS_PRIVATE(ciphersuite_list);
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/** Allowed TLS 1.3 key exchange modes. */
int MBEDTLS_PRIVATE(tls13_kex_modes);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/** Callback for printing debug output */
void (*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *);
void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */
@ -1147,12 +1302,18 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
const uint16_t *MBEDTLS_PRIVATE(tls13_sig_algs); /*!< allowed signature algorithms for TLS 1.3 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif
#if defined(MBEDTLS_ECP_C)
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */
#endif
const uint16_t *MBEDTLS_PRIVATE(group_list); /*!< allowed IANA NamedGroups */
#if defined(MBEDTLS_DHM_C)
mbedtls_mpi MBEDTLS_PRIVATE(dhm_P); /*!< prime modulus for DHM */
mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */
@ -1328,10 +1489,24 @@ struct mbedtls_ssl_context
/*
* Record layer transformations
*/
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in) */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (in) */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in)
* This is always a reference,
* never an owning pointer. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (out)
* This is always a reference,
* never an owning pointer. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params
* This pointer owns the transform
* it references. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation
* This pointer owns the transform
* it references. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/*! The application data transform in TLS 1.3.
* This pointer owns the transform it references. */
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_application);
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/*
* Timers
@ -1381,6 +1556,19 @@ struct mbedtls_ssl_context
int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message
on next call to record layer? */
/* The following three variables indicate if and, if yes,
* what kind of alert is pending to be sent.
*/
unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if a fatal alert
should be sent. Values:
- \c 0 , no alert is to be sent.
- \c 1 , alert is to be sent. */
unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert
!= 0 */
int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned
to the user once the fatal alert
has been sent. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records
* within a single datagram. */
@ -1407,7 +1595,7 @@ struct mbedtls_ssl_context
size_t MBEDTLS_PRIVATE(out_buf_len); /*!< length of output buffer */
#endif
unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[8]; /*!< Outgoing record sequence number. */
unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Outgoing record sequence number. */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */
@ -1472,11 +1660,9 @@ struct mbedtls_ssl_context
* and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
#endif
};
/**
@ -2049,7 +2235,6 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
void *p_ticket );
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/**
* \brief Configure a key export callback.
* (Default: none.)
@ -2071,7 +2256,6 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/**
@ -2519,23 +2703,93 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
/**
* \brief Set the list of allowed ciphersuites and the preference
* order. First in the list has the highest preference.
* (Overrides all version-specific lists)
*
* The ciphersuites array is not copied, and must remain
* valid for the lifetime of the ssl_config.
* For TLS 1.2, the notion of ciphersuite determines both
* the key exchange mechanism and the suite of symmetric
* algorithms to be used during and after the handshake.
*
* Note: By default, the server chooses its preferred
* For TLS 1.3 (in development), the notion of ciphersuite
* only determines the suite of symmetric algorithms to be
* used during and after the handshake, while key exchange
* mechanisms are configured separately.
*
* In Mbed TLS, ciphersuites for both TLS 1.2 and TLS 1.3
* are configured via this function. For users of TLS 1.3,
* there will be separate API for the configuration of key
* exchange mechanisms.
*
* The list of ciphersuites passed to this function may
* contain a mixture of TLS 1.2 and TLS 1.3 ciphersuite
* identifiers. This is useful if negotiation of TLS 1.3
* should be attempted, but a fallback to TLS 1.2 would
* be tolerated.
*
* \note By default, the server chooses its preferred
* ciphersuite among those that the client supports. If
* mbedtls_ssl_conf_preference_order() is called to prefer
* the client's preferences, the server instead chooses
* the client's preferred ciphersuite among those that
* the server supports.
*
* \param conf SSL configuration
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \warning The ciphersuites array \p ciphersuites is not copied.
* It must remain valid for the lifetime of the SSL
* configuration \p conf.
*
* \param conf The SSL configuration to modify.
* \param ciphersuites A 0-terminated list of IANA identifiers of supported
* ciphersuites, accessible through \c MBEDTLS_TLS_XXX
* and \c MBEDTLS_TLS1_3_XXX macros defined in
* ssl_ciphersuites.h.
*/
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
const int *ciphersuites );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/**
* \brief Set the supported key exchange modes for TLS 1.3 connections.
*
* In contrast to TLS 1.2, the ciphersuite concept in TLS 1.3 does not
* include the choice of key exchange mechanism. It is therefore not
* covered by the API mbedtls_ssl_conf_ciphersuites(). See the
* documentation of mbedtls_ssl_conf_ciphersuites() for more
* information on the ciphersuite concept in TLS 1.2 and TLS 1.3.
*
* The present function is specific to TLS 1.3 and allows users to
* configure the set of supported key exchange mechanisms in TLS 1.3.
*
* \param conf The SSL configuration the change should apply to.
* \param kex_modes A bitwise combination of one or more of the following:
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK
* This flag enables pure-PSK key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL
* This flag enables combined PSK-ephemeral key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL
* This flag enables pure-ephemeral key exchanges.
* For convenience, the following pre-defined macros are
* available for combinations of the above:
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL
* Includes all of pure-PSK, PSK-ephemeral and pure-ephemeral.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL
* Includes both pure-PSK and combined PSK-ephemeral
* key exchanges, but excludes pure-ephemeral key exchanges.
* - MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL
* Includes both pure-ephemeral and combined PSK-ephemeral
* key exchanges.
*
* \note If a PSK-based key exchange mode shall be supported, applications
* must also use the APIs mbedtls_ssl_conf_psk() or
* mbedtls_ssl_conf_psk_cb() or mbedtls_ssl_conf_psk_opaque()
* to configure the PSKs to be used.
*
* \note If a pure-ephemeral key exchange mode shall be supported,
* server-side applications must also provide a certificate via
* mbedtls_ssl_conf_own_cert().
*
*/
void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config* conf,
const int kex_modes );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
@ -2916,6 +3170,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_ECP_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/**
* \brief Set the allowed curves in order of preference.
*
@ -2929,6 +3184,8 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* Both sides: limits the set of curves accepted for use in
* ECDHE and in the peer's end-entity certificate.
*
* \deprecated Superseeded by mbedtls_ssl_conf_groups().
*
* \note This has no influence on which curves are allowed inside the
* certificate chains, see \c mbedtls_ssl_conf_cert_profile()
* for that. For the end-entity certificate however, the key
@ -2955,10 +3212,51 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* \param curves Ordered list of allowed curves,
* terminated by MBEDTLS_ECP_DP_NONE.
*/
void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves );
void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
const mbedtls_ecp_group_id *curves );
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_ECP_C */
/**
* \brief Set the allowed groups in order of preference.
*
* On server: This only affects the choice of key agreement mechanism
*
* On client: this affects the list of groups offered for any
* use. The server can override our preference order.
*
* Both sides: limits the set of groups accepted for use in
* key sharing.
*
* \note This function replaces the deprecated mbedtls_ssl_conf_curves(),
* which only allows ECP curves to be configured.
*
* \note The most recent invocation of either mbedtls_ssl_conf_curves()
* or mbedtls_ssl_conf_groups() nullifies all previous invocations
* of both.
*
* \note This list should be ordered by decreasing preference
* (preferred group first).
*
* \note When this function is not called, a default list is used,
* consisting of all supported curves at 255 bits and above,
* and all supported finite fields at 2048 bits and above.
* The order favors groups with the lowest resource usage.
*
* \note New minor versions of Mbed TLS will not remove items
* from the default list unless serious security concerns require it.
* New minor versions of Mbed TLS may change the order in
* keeping with the general principle of favoring the lowest
* resource usage.
*
* \param conf SSL configuration
* \param groups List of allowed groups ordered by preference, terminated by 0.
* Must contain valid IANA NamedGroup IDs (provided via either an integer
* or using MBEDTLS_TLS13_NAMED_GROUP_XXX macros).
*/
void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf,
const uint16_t *groups );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
/**
* \brief Set the allowed hashes for signatures during the handshake.
@ -2991,6 +3289,20 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
*/
void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
/**
* \brief Configure allowed signature algorithms for use in TLS 1.3
*
* \param conf The SSL configuration to use.
* \param sig_algs List of allowed IANA values for TLS 1.3 signature algorithms,
* terminated by \c MBEDTLS_TLS13_SIG_NONE. The list must remain
* available throughout the lifetime of the conf object. Supported
* values are available as \c MBEDTLS_TLS13_SIG_XXXX
*/
void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
const uint16_t* sig_algs );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_X509_CRT_PARSE_C)

7
include/mbedtls/ssl_ciphersuites.h
View File

@ -256,6 +256,13 @@ extern "C" {
#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */
/* RFC 8446, Appendix B.4 */
#define MBEDTLS_TLS1_3_AES_128_GCM_SHA256 0x1301 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_256_GCM_SHA384 0x1302 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256 0x1303 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_128_CCM_SHA256 0x1304 /**< TLS 1.3 */
#define MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256 0x1305 /**< TLS 1.3 */
/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
* Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
*/

4
include/mbedtls/x509.h
View File

@ -246,8 +246,8 @@ typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
/** Container for date and time (precision in seconds). */
typedef struct mbedtls_x509_time
{
int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day); /**< Date. */
int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec); /**< Time. */
int year, mon, day; /**< Date. */
int hour, min, sec; /**< Time. */
}
mbedtls_x509_time;

53
include/mbedtls/x509_crl.h
View File

@ -43,18 +43,30 @@ extern "C" {
/**
* Certificate revocation list entry.
* Contains the CA-specific serial numbers and revocation dates.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields points to is unspecified.
*/
typedef struct mbedtls_x509_crl_entry
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw);
/** Direct access to the whole entry inside the containing buffer. */
mbedtls_x509_buf raw;
/** The serial number of the revoked certificate. */
mbedtls_x509_buf serial;
/** The revocation date of this entry. */
mbedtls_x509_time revocation_date;
/** Direct access to the list of CRL entry extensions
* (an ASN.1 constructed sequence).
*
* If there are no extensions, `entry_ext.len == 0` and
* `entry_ext.p == NULL`. */
mbedtls_x509_buf entry_ext;
mbedtls_x509_buf MBEDTLS_PRIVATE(serial);
mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date);
mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext);
struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next);
/** Next element in the linked list of entries.
* \p NULL indicates the end of the list.
* Do not modify this field directly. */
struct mbedtls_x509_crl_entry *next;
}
mbedtls_x509_crl_entry;
@ -64,22 +76,22 @@ mbedtls_x509_crl_entry;
*/
typedef struct mbedtls_x509_crl
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int MBEDTLS_PRIVATE(version); /**< CRL version (1=v1, 2=v2) */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< CRL signature type identifier */
int version; /**< CRL version (1=v1, 2=v2) */
mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). */
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_time MBEDTLS_PRIVATE(this_update);
mbedtls_x509_time MBEDTLS_PRIVATE(next_update);
mbedtls_x509_time this_update;
mbedtls_x509_time next_update;
mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry); /**< The CRL entries containing the certificate revocation times for this CA. */
mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */
mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext);
mbedtls_x509_buf crl_ext;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
@ -87,7 +99,10 @@ typedef struct mbedtls_x509_crl
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
struct mbedtls_x509_crl *MBEDTLS_PRIVATE(next);
/** Next element in the linked list of CRL.
* \p NULL indicates the end of the list.
* Do not modify this field directly. */
struct mbedtls_x509_crl *next;
}
mbedtls_x509_crl;

74
include/mbedtls/x509_crt.h
View File

@ -45,36 +45,40 @@ extern "C" {
/**
* Container for an X.509 certificate. The certificate may be chained.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields points to is unspecified.
*/
typedef struct mbedtls_x509_crt
{
int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned
* by the structure or not. */
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int MBEDTLS_PRIVATE(version); /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
mbedtls_x509_buf MBEDTLS_PRIVATE(serial); /**< Unique id for certificate issued by a specific CA. */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< Signature algorithm, e.g. sha1RSA */
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
mbedtls_x509_time MBEDTLS_PRIVATE(valid_from); /**< Start time of certificate validity. */
mbedtls_x509_time MBEDTLS_PRIVATE(valid_to); /**< End time of certificate validity. */
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw);
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
mbedtls_x509_buf pk_raw;
mbedtls_pk_context pk; /**< Container for the public key context. */
mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id); /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id); /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext); /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names); /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@ -82,7 +86,7 @@ typedef struct mbedtls_x509_crt
unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */
mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */
mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */
@ -91,7 +95,10 @@ typedef struct mbedtls_x509_crt
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
struct mbedtls_x509_crt *MBEDTLS_PRIVATE(next); /**< Next certificate in the CA-chain. */
/** Next certificate in the linked list that constitutes the CA chain.
* \p NULL indicates the end of the list.
* Do not modify this field directly. */
struct mbedtls_x509_crt *next;
}
mbedtls_x509_crt;
@ -100,6 +107,9 @@ mbedtls_x509_crt;
* OtherName ::= SEQUENCE {
* type-id OBJECT IDENTIFIER,
* value [0] EXPLICIT ANY DEFINED BY type-id }
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_san_other_name
{
@ -108,7 +118,7 @@ typedef struct mbedtls_x509_san_other_name
* To check the value of the type id, you should use
* \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf.
*/
mbedtls_x509_buf MBEDTLS_PRIVATE(type_id); /**< The type id. */
mbedtls_x509_buf type_id; /**< The type id. */
union
{
/**
@ -119,26 +129,30 @@ typedef struct mbedtls_x509_san_other_name
*/
struct
{
mbedtls_x509_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */
mbedtls_x509_buf MBEDTLS_PRIVATE(val); /**< The named value. */
mbedtls_x509_buf oid; /**< The object identifier. */
mbedtls_x509_buf val; /**< The named value. */
}
MBEDTLS_PRIVATE(hardware_module_name);
hardware_module_name;
}
MBEDTLS_PRIVATE(value);
value;
}
mbedtls_x509_san_other_name;
/**
* A structure for holding the parsed Subject Alternative Name, according to type
* A structure for holding the parsed Subject Alternative Name,
* according to type.
*
* Future versions of the library may add new fields to this structure or
* to its embedded union and structure.
*/
typedef struct mbedtls_x509_subject_alternative_name
{
int MBEDTLS_PRIVATE(type); /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */
mbedtls_x509_buf MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
}
MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */
san; /**< A union of the supported SAN types */
}
mbedtls_x509_subject_alternative_name;

18
include/mbedtls/x509_csr.h
View File

@ -42,20 +42,24 @@ extern "C" {
/**
* Certificate Signing Request (CSR) structure.
*
* Some fields of this structure are publicly readable. Do not modify
* them except via Mbed TLS library functions: the effect of modifying
* those fields or the data that those fields point to is unspecified.
*/
typedef struct mbedtls_x509_csr
{
mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */
mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */
mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */
int version; /**< CSR version (1=v1). */
mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */
mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */
mbedtls_pk_context pk; /**< Container for the public key context. */
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid);
mbedtls_x509_buf sig_oid;
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */

9
include/psa/crypto.h
View File

@ -2990,7 +2990,9 @@ psa_status_t psa_verify_message( mbedtls_svc_key_id_t key,
* \param key Identifier of the key to use for the operation.
* It must be an asymmetric key pair. The key must
* allow the usage #PSA_KEY_USAGE_SIGN_HASH.
* \param alg A signature algorithm that is compatible with
* \param alg A signature algorithm (PSA_ALG_XXX
* value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
* is true), that is compatible with
* the type of \p key.
* \param[in] hash The hash or message to sign.
* \param hash_length Size of the \p hash buffer in bytes.
@ -3043,7 +3045,9 @@ psa_status_t psa_sign_hash(mbedtls_svc_key_id_t key,
* must be a public key or an asymmetric key pair. The
* key must allow the usage
* #PSA_KEY_USAGE_VERIFY_HASH.
* \param alg A signature algorithm that is compatible with
* \param alg A signature algorithm (PSA_ALG_XXX
* value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
* is true), that is compatible with
* the type of \p key.
* \param[in] hash The hash or message whose signature is to be
* verified.
@ -3682,6 +3686,7 @@ psa_status_t psa_key_derivation_output_bytes(
* The following key types defined in this specification follow this scheme:
*
* - #PSA_KEY_TYPE_AES;
* - #PSA_KEY_TYPE_ARIA;
* - #PSA_KEY_TYPE_CAMELLIA;
* - #PSA_KEY_TYPE_DERIVE;
* - #PSA_KEY_TYPE_HMAC;

39
include/psa/crypto_builtin_composites.h
View File

@ -77,6 +77,41 @@ typedef struct
#define MBEDTLS_PSA_MAC_OPERATION_INIT {0, {0}}
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) || \
defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
#define MBEDTLS_PSA_BUILTIN_AEAD 1
#endif
/* Context structure for the Mbed TLS AEAD implementation. */
typedef struct
{
psa_algorithm_t MBEDTLS_PRIVATE(alg);
psa_key_type_t MBEDTLS_PRIVATE(key_type);
unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
uint8_t MBEDTLS_PRIVATE(tag_length);
union
{
unsigned dummy; /* Enable easier initializing of the union. */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM)
mbedtls_ccm_context MBEDTLS_PRIVATE(ccm);
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CCM */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM)
mbedtls_gcm_context MBEDTLS_PRIVATE(gcm);
#endif /* MBEDTLS_PSA_BUILTIN_ALG_GCM */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305)
mbedtls_chachapoly_context MBEDTLS_PRIVATE(chachapoly);
#endif /* MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 */
} ctx;
} mbedtls_psa_aead_operation_t;
#define MBEDTLS_PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, {0}}
/*
* BEYOND THIS POINT, TEST DRIVER DECLARATIONS ONLY.
*/
@ -88,6 +123,10 @@ typedef mbedtls_psa_mac_operation_t mbedtls_opaque_test_driver_mac_operation_t;
#define MBEDTLS_TRANSPARENT_TEST_DRIVER_MAC_OPERATION_INIT MBEDTLS_PSA_MAC_OPERATION_INIT
#define MBEDTLS_OPAQUE_TEST_DRIVER_MAC_OPERATION_INIT MBEDTLS_PSA_MAC_OPERATION_INIT
typedef mbedtls_psa_aead_operation_t mbedtls_transparent_test_driver_aead_operation_t;
#define MBEDTLS_TRANSPARENT_TEST_DRIVER_AEAD_OPERATION_INIT MBEDTLS_PSA_AEAD_OPERATION_INIT
#endif /* PSA_CRYPTO_DRIVER_TEST */
#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */

1
include/psa/crypto_config.h
View File

@ -111,6 +111,7 @@
#define PSA_WANT_KEY_TYPE_DERIVE 1
#define PSA_WANT_KEY_TYPE_HMAC 1
#define PSA_WANT_KEY_TYPE_AES 1
#define PSA_WANT_KEY_TYPE_ARIA 1
#define PSA_WANT_KEY_TYPE_CAMELLIA 1
#define PSA_WANT_KEY_TYPE_CHACHA20 1
#define PSA_WANT_KEY_TYPE_DES 1

8
include/psa/crypto_driver_contexts_composites.h
View File

@ -58,5 +58,13 @@ typedef union {
#endif
} psa_driver_mac_context_t;
typedef union {
unsigned dummy; /* Make sure this union is always non-empty */
mbedtls_psa_aead_operation_t mbedtls_ctx;
#if defined(PSA_CRYPTO_DRIVER_TEST)
mbedtls_transparent_test_driver_aead_operation_t transparent_test_driver_ctx;
#endif
} psa_driver_aead_context_t;
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
/* End of automatically generated file. */

35
include/psa/crypto_sizes.h
View File

@ -79,6 +79,38 @@
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 : \
0)
/** The input block size of a hash algorithm, in bytes.
*
* Hash algorithms process their input data in blocks. Hash operations will
* retain any partial blocks until they have enough input to fill the block or
* until the operation is finished.
* This affects the output from psa_hash_suspend().
*
* \param alg A hash algorithm (\c PSA_ALG_XXX value such that
* PSA_ALG_IS_HASH(\p alg) is true).
*
* \return The block size in bytes for the specified hash algorithm.
* If the hash algorithm is not recognized, return 0.
* An implementation can return either 0 or the correct size for a
* hash algorithm that it recognizes, but does not support.
*/
#define PSA_HASH_BLOCK_LENGTH(alg) \
( \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 : \
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 : \
0)
/** \def PSA_HASH_MAX_SIZE
*
* Maximum size of a hash.
@ -959,7 +991,8 @@
(alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
(key_type) == PSA_KEY_TYPE_CHACHA20 && \
(alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
0)
(alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \
0)
/** The maximum IV size for all supported cipher algorithms, in bytes.
*

34
include/psa/crypto_struct.h
View File

@ -72,6 +72,8 @@ extern "C" {
#include "mbedtls/cmac.h"
#include "mbedtls/gcm.h"
#include "mbedtls/ccm.h"
#include "mbedtls/chachapoly.h"
/* Include the context definition for the compiled-in drivers for the primitive
* algorithms. */
@ -148,19 +150,31 @@ static inline struct psa_mac_operation_s psa_mac_operation_init( void )
struct psa_aead_operation_s
{
/** Unique ID indicating which driver got assigned to do the
* operation. Since driver contexts are driver-specific, swapping
* drivers halfway through the operation is not supported.
* ID values are auto-generated in psa_crypto_driver_wrappers.h
* ID value zero means the context is not valid or not assigned to
* any driver (i.e. none of the driver contexts are active). */
unsigned int MBEDTLS_PRIVATE(id);
psa_algorithm_t MBEDTLS_PRIVATE(alg);
unsigned int MBEDTLS_PRIVATE(key_set) : 1;
unsigned int MBEDTLS_PRIVATE(iv_set) : 1;
uint8_t MBEDTLS_PRIVATE(iv_size);
uint8_t MBEDTLS_PRIVATE(block_size);
union
{
unsigned MBEDTLS_PRIVATE(dummy); /* Enable easier initializing of the union. */
mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher);
} MBEDTLS_PRIVATE(ctx);
psa_key_type_t MBEDTLS_PRIVATE(key_type);
size_t MBEDTLS_PRIVATE(ad_remaining);
size_t MBEDTLS_PRIVATE(body_remaining);
unsigned int MBEDTLS_PRIVATE(nonce_set) : 1;
unsigned int MBEDTLS_PRIVATE(lengths_set) : 1;
unsigned int MBEDTLS_PRIVATE(ad_started) : 1;
unsigned int MBEDTLS_PRIVATE(body_started) : 1;
unsigned int MBEDTLS_PRIVATE(is_encrypt) : 1;
psa_driver_aead_context_t MBEDTLS_PRIVATE(ctx);
};
#define PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, 0, { 0 } }
#define PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, {0}}
static inline struct psa_aead_operation_s psa_aead_operation_init( void )
{
const struct psa_aead_operation_s v = PSA_AEAD_OPERATION_INIT;

146
include/psa/crypto_values.h
View File

@ -466,6 +466,10 @@
*/
#define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)
/** Key for a cipher, AEAD or MAC algorithm based on the
* ARIA block cipher. */
#define PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406)
/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
*
* The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
@ -843,6 +847,9 @@
(PSA_ALG_IS_KEY_DERIVATION(alg) && \
(alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
/** An invalid algorithm identifier value. */
#define PSA_ALG_NONE ((psa_algorithm_t)0)
#define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
/** MD5 */
#define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
@ -886,7 +893,7 @@
* algorithm parametrized with any supported hash.
*
* That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
* - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS,
* - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,
* - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
* Then you may create and use a key as follows:
* - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
@ -1195,6 +1202,17 @@
*/
#define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
/** The CCM* cipher mode without authentication.
*
* This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0.
* For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM.
*
* The underlying block cipher is determined by the key type.
*
* Currently only 13-byte long IV's are supported.
*/
#define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t)0x04c01300)
/** The GCM authenticated encryption algorithm.
*
* The underlying block cipher is determined by the key type.
@ -1341,6 +1359,7 @@
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300)
#define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t)0x06001300)
/** RSA PSS signature with hashing.
*
* This is the signature scheme defined by RFC 8017
@ -1361,9 +1380,72 @@
*/
#define PSA_ALG_RSA_PSS(hash_alg) \
(PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
#define PSA_ALG_IS_RSA_PSS(alg) \
/** RSA PSS signature with hashing with relaxed verification.
*
* This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing,
* but allows an arbitrary salt length (including \c 0) when verifying a
* signature.
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding RSA PSS signature algorithm.
* \return Unspecified if \p hash_alg is not a supported
* hash algorithm.
*/
#define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \
(PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
/** Whether the specified algorithm is RSA PSS with standard salt.
*
* \param alg An algorithm value or an algorithm policy wildcard.
*
* \return 1 if \p alg is of the form
* #PSA_ALG_RSA_PSS(\c hash_alg),
* where \c hash_alg is a hash algorithm or
* #PSA_ALG_ANY_HASH. 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not
* a supported algorithm identifier or policy.
*/
#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
/** Whether the specified algorithm is RSA PSS with any salt.
*
* \param alg An algorithm value or an algorithm policy wildcard.
*
* \return 1 if \p alg is of the form
* #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
* where \c hash_alg is a hash algorithm or
* #PSA_ALG_ANY_HASH. 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not
* a supported algorithm identifier or policy.
*/
#define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE)
/** Whether the specified algorithm is RSA PSS.
*
* This includes any of the RSA PSS algorithm variants, regardless of the
* constraints on salt length.
*
* \param alg An algorithm value or an algorithm policy wildcard.
*
* \return 1 if \p alg is of the form
* #PSA_ALG_RSA_PSS(\c hash_alg) or
* #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
* where \c hash_alg is a hash algorithm or
* #PSA_ALG_ANY_HASH. 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not
* a supported algorithm identifier or policy.
*/
#define PSA_ALG_IS_RSA_PSS(alg) \
(PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \
PSA_ALG_IS_RSA_PSS_ANY_SALT(alg))
#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
/** ECDSA signature with hashing.
*
@ -1521,20 +1603,24 @@
* file. */
#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
/** Whether the specified algorithm is a hash-and-sign algorithm.
/** Whether the specified algorithm is a signature algorithm that can be used
* with psa_sign_hash() and psa_verify_hash().
*
* Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
* structured in two parts: first the calculation of a hash in a way that
* does not depend on the key, then the calculation of a signature from the
* hash value and the key.
* This encompasses all strict hash-and-sign algorithms categorized by
* PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the
* paradigm more loosely:
* - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash)
* - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is)
*
* \param alg An algorithm identifier (value of type #psa_algorithm_t).
* \param alg An algorithm identifier (value of type psa_algorithm_t).
*
* \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not a supported
* algorithm identifier.
* \return 1 if alg is a signature algorithm that can be used to sign a
* hash. 0 if alg is a signature algorithm that can only be used
* to sign a message. 0 if alg is not a signature algorithm.
* This macro can return either 0 or 1 if alg is not a
* supported algorithm identifier.
*/
#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
#define PSA_ALG_IS_SIGN_HASH(alg) \
(PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
@ -1551,7 +1637,37 @@
* supported algorithm identifier.
*/
#define PSA_ALG_IS_SIGN_MESSAGE(alg) \
(PSA_ALG_IS_HASH_AND_SIGN(alg) || (alg) == PSA_ALG_PURE_EDDSA )
(PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA )
/** Whether the specified algorithm is a hash-and-sign algorithm.
*
* Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
* structured in two parts: first the calculation of a hash in a way that
* does not depend on the key, then the calculation of a signature from the
* hash value and the key. Hash-and-sign algorithms encode the hash
* used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH
* to extract this algorithm.
*
* Thus, for a hash-and-sign algorithm,
* `psa_sign_message(key, alg, input, ...)` is equivalent to
* ```
* psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...);
* psa_sign_hash(key, alg, hash, ..., signature, ...);
* ```
* Most usefully, separating the hash from the signature allows the hash
* to be calculated in multiple steps with psa_hash_setup(), psa_hash_update()
* and psa_hash_finish(). Likewise psa_verify_message() is equivalent to
* calculating the hash and then calling psa_verify_hash().
*
* \param alg An algorithm identifier (value of type #psa_algorithm_t).
*
* \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not a supported
* algorithm identifier.
*/
#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
(PSA_ALG_IS_SIGN_HASH(alg) && \
((alg) & PSA_ALG_HASH_MASK) != 0)
/** Get the hash used by a hash-and-sign signature algorithm.
*
@ -1573,7 +1689,6 @@
*/
#define PSA_ALG_SIGN_GET_HASH(alg) \
(PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \
((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
0)
@ -2064,6 +2179,9 @@
#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
/** The null key identifier.
*/
#define PSA_KEY_ID_NULL ((psa_key_id_t)0)
/** The minimum value for a key identifier chosen by the application.
*/
#define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)