1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

7297 Commits

Author SHA1 Message Date
Valerio Setti
aae96c9060 pk: fix: clear buffer holding raw EC private key on exit
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-05-02 16:00:45 +02:00
Tom Cosgrove
503f487cbe Merge pull request #7469 from xkqian/2.28/bignumber_update_comments
Backport 2.28: Update links of references in bignum code
2023-04-26 16:22:09 +01:00
Xiaokang Qian
8738bc46e3 Update gen_prvkey_mx paras to align with comments and c code
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-04-21 10:29:17 +00:00
Xiaokang Qian
0e5a27b640 Update links of references in bignum code
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
2023-04-21 09:58:07 +00:00
Dave Rodgman
6ab5d5c536 Fix trailing whitespace
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 17:24:10 +01:00
Dave Rodgman
8f109fc249 Fix use of uninitialised variable
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 17:07:04 +01:00
Dave Rodgman
b2e3c7af2d Tidy-up
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 16:43:40 +01:00
Dave Rodgman
8dde24eb08 Tidy-up
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 16:24:04 +01:00
Dave Rodgman
42a5bb16c6 Fix failure to write back when reset != 0; tidy-up
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 16:20:32 +01:00
Dave Rodgman
0feecbd6f3 Copy the struct to align it, avoiding an ABI break
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-31 16:10:18 +01:00
Dave Rodgman
e4f1aac0fd Bump version to 2.28.3
Command used: ./scripts/bump_version.sh --version 2.28.3

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-03-23 18:06:54 +00:00
Paul Elliott
a183e1d53d Merge branch 'mbedtls-2.28-restricted' into mbedtls-2.28.3rc0-pr
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-21 15:34:35 +00:00
Tom Cosgrove
410594c002 Have MBEDTLS_STATIC_ASSERT() match current development more closely
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-20 15:10:11 +00:00
Tom Cosgrove
bdd01a74ef Implement and use MBEDTLS_STATIC_ASSERT()
Fixes #3693

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-20 15:08:21 +00:00
Tom Cosgrove
640b761e49 Print out AESNI mechanism used by GCM in self-test
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-19 15:07:06 +00:00
Tom Cosgrove
2c942a35ff Fix code style nit
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-19 14:04:04 +00:00
Tom Cosgrove
20458c0963 Have selftest print more information about the AESNI build
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-18 14:48:49 +00:00
Tom Cosgrove
3b53caed9f Remove references to MBEDTLS_AESCE_C and MBEDTLS_HAVE_ARM64
that aren't needed in this backport

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-17 18:25:36 +00:00
Tom Cosgrove
58550acba0 Fix merge errors in backporting
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-17 16:54:59 +00:00
Gilles Peskine
6dec541e68 AESNI: Overhaul implementation selection
Have clearly separated code to:
* determine whether the assembly-based implementation is available;
* determine whether the intrinsics-based implementation is available;
* select one of the available implementations if any.

Now MBEDTLS_AESNI_HAVE_CODE can be the single interface for aes.c and
aesni.c to determine which AESNI is built.

Change the implementation selection: now, if both implementations are
available, always prefer assembly. Before, the intrinsics were used if
available. This preference is to minimize disruption, and will likely
be revised in a later minor release.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:59 +00:00
Gilles Peskine
b71d40228d Clean up AES context alignment code
Use a single auxiliary function to determine rk_offset, covering both
setkey_enc and setkey_dec, covering both AESNI and PADLOCK. For AESNI, only
build this when using the intrinsics-based implementation, since the
assembly implementation supports unaligned access.

Simplify "do we need to realign?" to "is the desired offset now equal to
the current offset?".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:58 +00:00
Gilles Peskine
30c356c540 Use consistent guards for padlock code
The padlock feature is enabled if
```
defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
```
with the second macro coming from `padlock.h`. The availability of the
macro `MBEDTLS_PADLOCK_ALIGN16` is coincidentally equivalent to
`MBEDTLS_HAVE_X86` but this is not meaningful.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:38 +00:00
Gilles Peskine
6978e73939 Fix unaligned access if the context is moved during operation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:34 +00:00
Gilles Peskine
5f1677f582 Fix typo in comment
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:31 +00:00
Gilles Peskine
de34578353 Fix code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:28 +00:00
Gilles Peskine
2e8d8d1fd6 Fix MSVC portability
MSVC doesn't have _mm_storeu_si64. Fortunately it isn't really needed here.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:23 +00:00
Gilles Peskine
d4a239310b Improve variable names
To some extent anyway.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:21 +00:00
Tom Cosgrove
790756d439 Get aesni.c compiling with Visual Studio
Clang is nice enough to support bitwise operators on __m128i, but MSVC
isn't.

Also, __cpuid() in MSVC comes from <intrin.h> (which is included via
<emmintrin.h>), not <cpuid.h>.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-03-17 16:31:18 +00:00
Gilles Peskine
e7dc21fabb AESNI: add implementation with intrinsics
As of this commit, to use the intrinsics for MBEDTLS_AESNI_C:

* With MSVC, this should be the default.
* With Clang, build with `clang -maes -mpclmul` or equivalent.
* With GCC, build with `gcc -mpclmul -msse2` or equivalent.

In particular, for now, with a GCC-like compiler, when building specifically
for a target that supports both the AES and GCM instructions, the old
implementation using assembly is selected.

This method for platform selection will likely be improved in the future.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:16 +00:00
Gilles Peskine
2c8ad9400b AES, GCM selftest: indicate which implementation is used
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:14 +00:00
Gilles Peskine
5511a34566 New preprocessor symbol indicating that AESNI support is present
The configuration symbol MBEDTLS_AESNI_C requests AESNI support, but it is
ignored if the platform doesn't have AESNI. This allows keeping
MBEDTLS_AESNI_C enabled (as it is in the default build) when building for
platforms other than x86_64, or when MBEDTLS_HAVE_ASM is disabled.

To facilitate maintenance, always use the symbol MBEDTLS_AESNI_HAVE_CODE to
answer the question "can I call mbedtls_aesni_xxx functions?", rather than
repeating the check `defined(MBEDTLS_AESNI_C) && ...`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:12 +00:00
Gilles Peskine
2808a6047c Improve the presentation of assembly blocks
Uncrustify indents
```
    asm("foo"
        HELLO "bar"
              "wibble");
```
but we would like
```
    asm("foo"
        HELLO "bar"
        "wibble");
```
Make "bar" an argument of the macro HELLO, which makes the indentation from
uncrustify match the semantics (everything should be aligned to the same
column).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:10 +00:00
Gilles Peskine
18d521a57d Don't warn about Msan/Valgrind if AESNI isn't actually built
The warning is only correct if the assembly code for AESNI is built, not if
MBEDTLS_AESNI_C is activated but MBEDTLS_HAVE_ASM is disabled or the target
architecture isn't x86_64.

This is a partial fix for #7236.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:07 +00:00
Gilles Peskine
6055b78328 Update bibliographic references
There are new versions of the Intel whitepapers and they've moved.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-03-17 16:31:05 +00:00
Demi Marie Obenour
6b8e8ff079 Fix segfault in mbedtls_oid_get_numeric_string
When passed an empty OID, mbedtls_oid_get_numeric_string would read one
byte from the zero-sized buffer and return an error code that depends on
its value.  This is demonstrated by the test suite changes, which
check that an OID with length zero and an invalid buffer pointer does
not cause Mbed TLS to segfault.

Also check that second and subsequent subidentifiers are terminated, and
add a test case for that.  Furthermore, stop relying on integer division
by 40, use the same loop for both the first and subsequent
subidentifiers, and add additional tests.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
2023-03-16 01:07:35 -04:00
Dave Rodgman
39987ebde7 Merge pull request #7172 from daverodgman/fix_UB_in_ssl_read-2.28
Backport 2.28: Fix undefined behavior in ssl_read if buf parameter is NULL
2023-03-13 10:46:24 +00:00
Dave Rodgman
1215557e91 Add corresponding fix for mbedtls_ssl_write
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-24 16:02:26 +00:00
ashesman
cf01d78e7e Update library/ssl_msg.c
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-02-24 16:02:26 +00:00
Ashley Duncan
272cc19ab5 Fixed undefined behavior in ssl_read if buf parameter is NULL.
Signed-off-by: Ashley Duncan <ashes.man@gmail.com>
2023-02-24 16:02:25 +00:00
Gilles Peskine
d784833a1b Silence a warning from Clang >=15 about an unused local variable
The assembly code uses t only on some architectures. Fixes #7166.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-24 12:08:57 +01:00
Gilles Peskine
ec1eff386c Make \retval commands non-empty
Pacify Clang >=15 which complained:
```
include/psa/crypto.h:91:23: error: empty paragraph passed to '\retval' command [-Werror,-Wdocumentation]
 * \retval #PSA_SUCCESS
   ~~~~~~~~~~~~~~~~~~~^
```

This commit performs the following systematic replacement:
```
perl -i -0777 -p -e 's/([\\@])(retval +\S+)\n(?! *\*? *([^\n \\*\/]|\\[cp]\b))/$1$2 ${1}emptydescription\n/g' $(git ls-files '*.[hc]' '*.function' '*.jinja')
```
i.e. add an `\emptydescription` argument to `\retval` commands (or
`@retval`, which we don't normally used) that are followed by a single word,
unless the next line looks like it contains text which would be the
description.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-02-24 11:41:45 +01:00
Gilles Peskine
4dcc08c244 Merge pull request #7138 from davidhorstmann-arm/2.28-fix-oid-printing-bug
[Backport 2.28] Fix bugs in OID to string conversion
2023-02-21 23:16:48 +01:00
Dave Rodgman
b0926916f6 Merge pull request #7086 from tom-cosgrove-arm/dont-use-lstrlenW-228
Backport 2.28: Don't use lstrlenW() on Windows
2023-02-20 15:11:32 +00:00
David Horstmann
0518d53ba7 Change error codes to more appropriate codes
The more precise error codes are borrowed from the ASN1 module.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:44:18 +00:00
David Horstmann
d138181190 Change += to |= for clearer semantics
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:44:18 +00:00
David Horstmann
8f81d8a305 Make overflow checks more readable
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:44:18 +00:00
David Horstmann
beb90e30de Disallow overlong encoding when parsing OIDs
OID subidentifiers are encoded as follow. For every byte:
* The top bit is 1 if there is another byte to come, 0 if this is the
last byte.
* The other 7 bits form 7 bits of the number. These groups of 7 are
concatenated together in big-endian order.

Overlong encodings are explicitly disallowed by the BER/DER/X690
specification. For example, the number 1 cannot be encoded as:

0x80 0x80 0x01

It must be encoded as:

0x01

Enforce this in Mbed TLS' OID DER-to-string parser.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:44:18 +00:00
David Horstmann
cdaee54773 Fix incorrect printing of OIDs
The first 2 components of an OID are combined together into the same
subidentifier via the formula:

subidentifier = (component1 * 40) + component2

The current code extracts component1 and component2 using division and
modulo as one would expect. However, there is a subtlety in the
specification[1]:

>This packing of the first two object identifier components recognizes
>that only three values are allocated from the root node, and at most
>39 subsequent values from nodes reached by X = 0 and X = 1.

If the root node (component1) is 2, the subsequent node (component2)
may be greater than 38. For example, the following are real OIDs:
* 2.40.0.25, UPU standard S25
* 2.49.0.0.826.0, Met Office
* 2.999, Allocated example OID

This has 2 implications that the current parsing code does not take
account of:
1. The second component may be > 39, so (subidentifier % 40) is not
correct in all circumstances.
2. The first subidentifier (containing the first 2 components) may be
more than one byte long. Currently we assume it is just 1 byte.

Improve parsing code to deal with these cases correctly.

[1] Rec. ITU-T X.690 (02/2021), 8.19.4

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-02-20 14:44:18 +00:00
Paul Elliott
fc820d96e0 Fix IAR warnings
IAR was warning that conditional execution could bypass initialisation of
variables, although those same variables were not used uninitialised. Fix
this along with some other IAR warnings.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-02-13 15:07:44 +00:00
Sergey
26f53f107e Fix compiler warning: unreachable code
Signed-off-by: Sergey <sergio_nsk@yahoo.de>
2023-02-11 18:20:20 -07:00