Merge pull request #96385 from Faless/mbedtls/3.6.1
[mbedTLS] Update to 3.6.1
This commit is contained in:
commit
9c2263366b
68 changed files with 1783 additions and 967 deletions
4
thirdparty/README.md
vendored
4
thirdparty/README.md
vendored
|
@ -543,7 +543,7 @@ in the MSVC debugger.
|
|||
## mbedtls
|
||||
|
||||
- Upstream: https://github.com/Mbed-TLS/mbedtls
|
||||
- Version: 3.6.0 (2ca6c285a0dd3f33982dd57299012dacab1ff206, 2024)
|
||||
- Version: 3.6.1 (71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3, 2024)
|
||||
- License: Apache 2.0
|
||||
|
||||
File extracted from upstream release tarball:
|
||||
|
@ -553,8 +553,6 @@ File extracted from upstream release tarball:
|
|||
- All `.c` and `.h` from `library/` to `thirdparty/mbedtls/library/` except
|
||||
for the `psa_*.c` source files
|
||||
- The `LICENSE` file (edited to keep only the Apache 2.0 variant)
|
||||
- Applied the patch `no-flexible-arrays.diff` to fix Windows build (see
|
||||
upstream GH-9020)
|
||||
- Applied the patch `msvc-redeclaration-bug.diff` to fix a compilation error
|
||||
with some MSVC versions
|
||||
- Added 2 files `godot_core_mbedtls_platform.c` and `godot_core_mbedtls_config.h`
|
||||
|
|
2
thirdparty/mbedtls/include/mbedtls/bignum.h
vendored
2
thirdparty/mbedtls/include/mbedtls/bignum.h
vendored
|
@ -880,7 +880,7 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A,
|
|||
mbedtls_mpi_sint b);
|
||||
|
||||
/**
|
||||
* \brief Perform a sliding-window exponentiation: X = A^E mod N
|
||||
* \brief Perform a modular exponentiation: X = A^E mod N
|
||||
*
|
||||
* \param X The destination MPI. This must point to an initialized MPI.
|
||||
* This must not alias E or N.
|
||||
|
|
30
thirdparty/mbedtls/include/mbedtls/build_info.h
vendored
30
thirdparty/mbedtls/include/mbedtls/build_info.h
vendored
|
@ -26,16 +26,16 @@
|
|||
*/
|
||||
#define MBEDTLS_VERSION_MAJOR 3
|
||||
#define MBEDTLS_VERSION_MINOR 6
|
||||
#define MBEDTLS_VERSION_PATCH 0
|
||||
#define MBEDTLS_VERSION_PATCH 1
|
||||
|
||||
/**
|
||||
* The single version number has the following structure:
|
||||
* MMNNPP00
|
||||
* Major version | Minor version | Patch version
|
||||
*/
|
||||
#define MBEDTLS_VERSION_NUMBER 0x03060000
|
||||
#define MBEDTLS_VERSION_STRING "3.6.0"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.0"
|
||||
#define MBEDTLS_VERSION_NUMBER 0x03060100
|
||||
#define MBEDTLS_VERSION_STRING "3.6.1"
|
||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.6.1"
|
||||
|
||||
/* Macros for build-time platform detection */
|
||||
|
||||
|
@ -101,6 +101,13 @@
|
|||
#define inline __inline
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Something went wrong: MBEDTLS_CONFIG_FILES_READ defined before reading the config files!"
|
||||
#endif
|
||||
#if defined(MBEDTLS_CONFIG_IS_FINALIZED)
|
||||
#error "Something went wrong: MBEDTLS_CONFIG_IS_FINALIZED defined before reading the config files!"
|
||||
#endif
|
||||
|
||||
/* X.509, TLS and non-PSA crypto configuration */
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/mbedtls_config.h"
|
||||
|
@ -135,6 +142,12 @@
|
|||
#endif
|
||||
#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
|
||||
|
||||
/* Indicate that all configuration files have been read.
|
||||
* It is now time to adjust the configuration (follow through on dependencies,
|
||||
* make PSA and legacy crypto consistent, etc.).
|
||||
*/
|
||||
#define MBEDTLS_CONFIG_FILES_READ
|
||||
|
||||
/* Auto-enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY if
|
||||
* MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH and MBEDTLS_CTR_DRBG_C defined
|
||||
* to ensure a 128-bit key size in CTR_DRBG.
|
||||
|
@ -169,8 +182,13 @@
|
|||
|
||||
#include "mbedtls/config_adjust_ssl.h"
|
||||
|
||||
/* Make sure all configuration symbols are set before including check_config.h,
|
||||
* even the ones that are calculated programmatically. */
|
||||
/* Indicate that all configuration symbols are set,
|
||||
* even the ones that are calculated programmatically.
|
||||
* It is now safe to query the configuration (to check it, to size buffers,
|
||||
* etc.).
|
||||
*/
|
||||
#define MBEDTLS_CONFIG_IS_FINALIZED
|
||||
|
||||
#include "mbedtls/check_config.h"
|
||||
|
||||
#endif /* MBEDTLS_BUILD_INFO_H */
|
||||
|
|
|
@ -2,6 +2,13 @@
|
|||
* \file check_config.h
|
||||
*
|
||||
* \brief Consistency checks for configuration options
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* This header is included automatically by all public Mbed TLS headers
|
||||
* (via mbedtls/build_info.h). Do not include it directly in a configuration
|
||||
* file such as mbedtls/mbedtls_config.h or #MBEDTLS_USER_CONFIG_FILE!
|
||||
* It would run at the wrong time due to missing derived symbols.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
|
@ -12,6 +19,13 @@
|
|||
#define MBEDTLS_CHECK_CONFIG_H
|
||||
|
||||
/* *INDENT-OFF* */
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_IS_FINALIZED)
|
||||
#warning "Do not include mbedtls/check_config.h manually! " \
|
||||
"This may cause spurious errors. " \
|
||||
"It is included automatically at the right point since Mbed TLS 3.0."
|
||||
#endif /* !MBEDTLS_CONFIG_IS_FINALIZED */
|
||||
|
||||
/*
|
||||
* We assume CHAR_BIT is 8 in many places. In practice, this is true on our
|
||||
* target platforms, so not an issue, but let's just be extra sure.
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
* \file mbedtls/config_adjust_legacy_crypto.h
|
||||
* \brief Adjust legacy configuration configuration
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
|
||||
* configurations need to be explicitly enabled by the user: enabling
|
||||
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
|
||||
* compilation error. However, we do automatically enable certain options
|
||||
|
@ -22,6 +24,14 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/* Ideally, we'd set those as defaults in mbedtls_config.h, but
|
||||
* putting an #ifdef _WIN32 in mbedtls_config.h would confuse config.py.
|
||||
*
|
||||
|
@ -48,7 +58,8 @@
|
|||
defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG))
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) || \
|
||||
defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC))
|
||||
#define MBEDTLS_CIPHER_C
|
||||
#endif
|
||||
|
||||
|
@ -293,6 +304,14 @@
|
|||
#define MBEDTLS_ECP_LIGHT
|
||||
#endif
|
||||
|
||||
/* Backward compatibility: after #8740 the RSA module offers functions to parse
|
||||
* and write RSA private/public keys without relying on the PK one. Of course
|
||||
* this needs ASN1 support to do so, so we enable it here. */
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#define MBEDTLS_ASN1_PARSE_C
|
||||
#define MBEDTLS_ASN1_WRITE_C
|
||||
#endif
|
||||
|
||||
/* MBEDTLS_PK_PARSE_EC_COMPRESSED is introduced in Mbed TLS version 3.5, while
|
||||
* in previous version compressed points were automatically supported as long
|
||||
* as PK_PARSE_C and ECP_C were enabled. As a consequence, for backward
|
||||
|
@ -409,12 +428,12 @@
|
|||
|
||||
/* psa_util file features some ECDSA conversion functions, to convert between
|
||||
* legacy's ASN.1 DER format and PSA's raw one. */
|
||||
#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \
|
||||
#if (defined(MBEDTLS_PSA_CRYPTO_CLIENT) && \
|
||||
(defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
|
||||
#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
|
||||
#endif
|
||||
|
||||
/* Some internal helpers to determine which keys are availble. */
|
||||
/* Some internal helpers to determine which keys are available. */
|
||||
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
|
||||
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
|
||||
#define MBEDTLS_SSL_HAVE_AES
|
||||
|
@ -428,7 +447,7 @@
|
|||
#define MBEDTLS_SSL_HAVE_CAMELLIA
|
||||
#endif
|
||||
|
||||
/* Some internal helpers to determine which operation modes are availble. */
|
||||
/* Some internal helpers to determine which operation modes are available. */
|
||||
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
|
||||
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
|
||||
#define MBEDTLS_SSL_HAVE_CBC
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
* \file mbedtls/config_adjust_legacy_from_psa.h
|
||||
* \brief Adjust PSA configuration: activate legacy implementations
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, activate legacy implementations
|
||||
* of cryptographic mechanisms as needed to fulfill the needs of the PSA
|
||||
* configuration. Generally speaking, we activate a legacy mechanism if
|
||||
|
@ -16,6 +18,14 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/* Define appropriate ACCEL macros for the p256-m driver.
|
||||
* In the future, those should be generated from the drivers JSON description.
|
||||
*/
|
||||
|
@ -498,7 +508,6 @@
|
|||
* The PSA implementation has its own implementation of HKDF, separate from
|
||||
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
|
||||
*/
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
|
||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */
|
||||
#endif /* PSA_WANT_ALG_HKDF */
|
||||
|
@ -509,7 +518,6 @@
|
|||
* The PSA implementation has its own implementation of HKDF, separate from
|
||||
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
|
||||
*/
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1
|
||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */
|
||||
#endif /* PSA_WANT_ALG_HKDF_EXTRACT */
|
||||
|
@ -520,7 +528,6 @@
|
|||
* The PSA implementation has its own implementation of HKDF, separate from
|
||||
* hkdf.c. No need to enable MBEDTLS_HKDF_C here.
|
||||
*/
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1
|
||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */
|
||||
#endif /* PSA_WANT_ALG_HKDF_EXPAND */
|
||||
|
@ -630,9 +637,6 @@
|
|||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
|
||||
#define PSA_HAVE_SOFT_PBKDF2_HMAC 1
|
||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
|
||||
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
|
||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
|
||||
#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
|
||||
#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
|
||||
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
* \file mbedtls/config_adjust_psa_from_legacy.h
|
||||
* \brief Adjust PSA configuration: construct PSA configuration from legacy
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* When MBEDTLS_PSA_CRYPTO_CONFIG is disabled, we automatically enable
|
||||
* cryptographic mechanisms through the PSA interface when the corresponding
|
||||
* legacy mechanism is enabled. In many cases, this just enables the PSA
|
||||
|
@ -18,6 +20,14 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/*
|
||||
* Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
|
||||
* is not defined
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
* \file mbedtls/config_adjust_psa_superset_legacy.h
|
||||
* \brief Adjust PSA configuration: automatic enablement from legacy
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* To simplify some edge cases, we automatically enable certain cryptographic
|
||||
* mechanisms in the PSA API if they are enabled in the legacy API. The general
|
||||
* idea is that if legacy module M uses mechanism A internally, and A has
|
||||
|
@ -17,6 +19,14 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/****************************************************************/
|
||||
/* Hashes that are built in are also enabled in PSA.
|
||||
* This simplifies dependency declarations especially
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
* \file mbedtls/config_adjust_ssl.h
|
||||
* \brief Adjust TLS configuration
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
|
||||
* configurations need to be explicitly enabled by the user: enabling
|
||||
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
|
||||
* compilation error. However, we do automatically enable certain options
|
||||
|
@ -22,6 +24,14 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_SSL_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_SSL_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/* The following blocks make it easier to disable all of TLS,
|
||||
* or of TLS 1.2 or 1.3 or DTLS, without having to manually disable all
|
||||
* key exchanges, options and extensions related to them. */
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
* \file mbedtls/config_adjust_x509.h
|
||||
* \brief Adjust X.509 configuration
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
|
||||
* configurations need to be explicitly enabled by the user: enabling
|
||||
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
|
||||
* compilation error. However, we do automatically enable certain options
|
||||
|
@ -22,4 +24,12 @@
|
|||
#ifndef MBEDTLS_CONFIG_ADJUST_X509_H
|
||||
#define MBEDTLS_CONFIG_ADJUST_X509_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include mbedtls/config_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
#endif /* MBEDTLS_CONFIG_ADJUST_X509_H */
|
||||
|
|
|
@ -22,6 +22,8 @@
|
|||
|
||||
#include "psa/crypto_adjust_config_synonyms.h"
|
||||
|
||||
#include "psa/crypto_adjust_config_dependencies.h"
|
||||
|
||||
#include "mbedtls/config_adjust_psa_superset_legacy.h"
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||
|
@ -32,7 +34,11 @@
|
|||
* before we deduce what built-ins are required. */
|
||||
#include "psa/crypto_adjust_config_key_pair_types.h"
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
/* If we are implementing PSA crypto ourselves, then we want to enable the
|
||||
* required built-ins. Otherwise, PSA features will be provided by the server. */
|
||||
#include "mbedtls/config_adjust_legacy_from_psa.h"
|
||||
#endif
|
||||
|
||||
#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
|
||||
|
||||
|
|
33
thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
vendored
33
thirdparty/mbedtls/include/mbedtls/ctr_drbg.h
vendored
|
@ -32,12 +32,27 @@
|
|||
|
||||
#include "mbedtls/build_info.h"
|
||||
|
||||
/* In case AES_C is defined then it is the primary option for backward
|
||||
* compatibility purposes. If that's not available, PSA is used instead */
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
#include "mbedtls/aes.h"
|
||||
#else
|
||||
/* The CTR_DRBG implementation can either directly call the low-level AES
|
||||
* module (gated by MBEDTLS_AES_C) or call the PSA API to perform AES
|
||||
* operations. Calling the AES module directly is the default, both for
|
||||
* maximum backward compatibility and because it's a bit more efficient
|
||||
* (less glue code).
|
||||
*
|
||||
* When MBEDTLS_AES_C is disabled, the CTR_DRBG module calls PSA crypto and
|
||||
* thus benefits from the PSA AES accelerator driver.
|
||||
* It is technically possible to enable MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
|
||||
* to use PSA even when MBEDTLS_AES_C is enabled, but there is very little
|
||||
* reason to do so other than testing purposes and this is not officially
|
||||
* supported.
|
||||
*/
|
||||
#if !defined(MBEDTLS_AES_C)
|
||||
#define MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
#include "psa/crypto.h"
|
||||
#else
|
||||
#include "mbedtls/aes.h"
|
||||
#endif
|
||||
|
||||
#include "entropy.h"
|
||||
|
@ -157,7 +172,7 @@ extern "C" {
|
|||
#define MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN (MBEDTLS_CTR_DRBG_ENTROPY_LEN + 1) / 2
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
typedef struct mbedtls_ctr_drbg_psa_context {
|
||||
mbedtls_svc_key_id_t key_id;
|
||||
psa_cipher_operation_t operation;
|
||||
|
@ -189,10 +204,10 @@ typedef struct mbedtls_ctr_drbg_context {
|
|||
* This is the maximum number of requests
|
||||
* that can be made between reseedings. */
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
mbedtls_ctr_drbg_psa_context MBEDTLS_PRIVATE(psa_ctx); /*!< The PSA context. */
|
||||
#else
|
||||
mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
|
2
thirdparty/mbedtls/include/mbedtls/ecdh.h
vendored
2
thirdparty/mbedtls/include/mbedtls/ecdh.h
vendored
|
@ -325,7 +325,7 @@ int mbedtls_ecdh_read_params(mbedtls_ecdh_context *ctx,
|
|||
* \brief This function sets up an ECDH context from an EC key.
|
||||
*
|
||||
* It is used by clients and servers in place of the
|
||||
* ServerKeyEchange for static ECDH, and imports ECDH
|
||||
* ServerKeyExchange for static ECDH, and imports ECDH
|
||||
* parameters from the EC key information of a certificate.
|
||||
*
|
||||
* \see ecp.h
|
||||
|
|
2
thirdparty/mbedtls/include/mbedtls/ecp.h
vendored
2
thirdparty/mbedtls/include/mbedtls/ecp.h
vendored
|
@ -216,7 +216,7 @@ mbedtls_ecp_point;
|
|||
* range of <code>0..2^(2*pbits)-1</code>, and transforms it in-place to an integer
|
||||
* which is congruent mod \p P to the given MPI, and is close enough to \p pbits
|
||||
* in size, so that it may be efficiently brought in the 0..P-1 range by a few
|
||||
* additions or subtractions. Therefore, it is only an approximative modular
|
||||
* additions or subtractions. Therefore, it is only an approximate modular
|
||||
* reduction. It must return 0 on success and non-zero on failure.
|
||||
*
|
||||
* \note Alternative implementations of the ECP module must obey the
|
||||
|
|
|
@ -1118,7 +1118,7 @@
|
|||
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
*
|
||||
* \warning If SHA-256 is provided only by a PSA driver, you must call
|
||||
* psa_crypto_init() before the first hanshake (even if
|
||||
* psa_crypto_init() before the first handshake (even if
|
||||
* MBEDTLS_USE_PSA_CRYPTO is disabled).
|
||||
*
|
||||
* This enables the following ciphersuites (if other requisites are
|
||||
|
@ -1414,6 +1414,23 @@
|
|||
*/
|
||||
//#define MBEDTLS_PSA_CRYPTO_SPM
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PSA_KEY_STORE_DYNAMIC
|
||||
*
|
||||
* Dynamically resize the PSA key store to accommodate any number of
|
||||
* volatile keys (until the heap memory is exhausted).
|
||||
*
|
||||
* If this option is disabled, the key store has a fixed size
|
||||
* #MBEDTLS_PSA_KEY_SLOT_COUNT for volatile keys and loaded persistent keys
|
||||
* together.
|
||||
*
|
||||
* This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
|
||||
*
|
||||
* Module: library/psa_crypto.c
|
||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||
*/
|
||||
#define MBEDTLS_PSA_KEY_STORE_DYNAMIC
|
||||
|
||||
/**
|
||||
* Uncomment to enable p256-m. This is an alternative implementation of
|
||||
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
|
||||
|
@ -1781,8 +1798,9 @@
|
|||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||
*
|
||||
* \note TLS 1.3 uses PSA crypto for cryptographic operations that are
|
||||
* directly performed by TLS 1.3 code. As a consequence, you must
|
||||
* call psa_crypto_init() before the first TLS 1.3 handshake.
|
||||
* directly performed by TLS 1.3 code. As a consequence, when TLS 1.3
|
||||
* is enabled, a TLS handshake may call psa_crypto_init(), even
|
||||
* if it ends up negotiating a different TLS version.
|
||||
*
|
||||
* \note Cryptographic operations performed indirectly via another module
|
||||
* (X.509, PK) or by code shared with TLS 1.2 (record protection,
|
||||
|
@ -2625,7 +2643,7 @@
|
|||
* The CTR_DRBG generator uses AES-256 by default.
|
||||
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
|
||||
*
|
||||
* AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA.
|
||||
* AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
|
||||
* Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
|
||||
* is used.
|
||||
*
|
||||
|
@ -4016,22 +4034,38 @@
|
|||
* Use HMAC_DRBG with the specified hash algorithm for HMAC_DRBG for the
|
||||
* PSA crypto subsystem.
|
||||
*
|
||||
* If this option is unset:
|
||||
* - If CTR_DRBG is available, the PSA subsystem uses it rather than HMAC_DRBG.
|
||||
* - Otherwise, the PSA subsystem uses HMAC_DRBG with either
|
||||
* #MBEDTLS_MD_SHA512 or #MBEDTLS_MD_SHA256 based on availability and
|
||||
* on unspecified heuristics.
|
||||
* If this option is unset, the library chooses a hash (currently between
|
||||
* #MBEDTLS_MD_SHA512 and #MBEDTLS_MD_SHA256) based on availability and
|
||||
* unspecified heuristics.
|
||||
*
|
||||
* \note The PSA crypto subsystem uses the first available mechanism amongst
|
||||
* the following:
|
||||
* - #MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG if enabled;
|
||||
* - Entropy from #MBEDTLS_ENTROPY_C plus CTR_DRBG with AES
|
||||
* if #MBEDTLS_CTR_DRBG_C is enabled;
|
||||
* - Entropy from #MBEDTLS_ENTROPY_C plus HMAC_DRBG.
|
||||
*
|
||||
* A future version may reevaluate the prioritization of DRBG mechanisms.
|
||||
*/
|
||||
//#define MBEDTLS_PSA_HMAC_DRBG_MD_TYPE MBEDTLS_MD_SHA256
|
||||
|
||||
/** \def MBEDTLS_PSA_KEY_SLOT_COUNT
|
||||
* Restrict the PSA library to supporting a maximum amount of simultaneously
|
||||
* loaded keys. A loaded key is a key stored by the PSA Crypto core as a
|
||||
* volatile key, or a persistent key which is loaded temporarily by the
|
||||
* library as part of a crypto operation in flight.
|
||||
*
|
||||
* If this option is unset, the library will fall back to a default value of
|
||||
* 32 keys.
|
||||
* When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled,
|
||||
* the maximum amount of PSA keys simultaneously in memory. This counts all
|
||||
* volatile keys, plus loaded persistent keys.
|
||||
*
|
||||
* When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled,
|
||||
* the maximum number of loaded persistent keys.
|
||||
*
|
||||
* Currently, persistent keys do not need to be loaded all the time while
|
||||
* a multipart operation is in progress, only while the operation is being
|
||||
* set up. This may change in future versions of the library.
|
||||
*
|
||||
* Currently, the library traverses of the whole table on each access to a
|
||||
* persistent key. Therefore large values may cause poor performance.
|
||||
*
|
||||
* This option has no effect when #MBEDTLS_PSA_CRYPTO_C is disabled.
|
||||
*/
|
||||
//#define MBEDTLS_PSA_KEY_SLOT_COUNT 32
|
||||
|
||||
|
|
46
thirdparty/mbedtls/include/mbedtls/pk.h
vendored
46
thirdparty/mbedtls/include/mbedtls/pk.h
vendored
|
@ -361,29 +361,37 @@ int mbedtls_pk_setup(mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info);
|
|||
/**
|
||||
* \brief Initialize a PK context to wrap a PSA key.
|
||||
*
|
||||
* \note This function replaces mbedtls_pk_setup() for contexts
|
||||
* that wrap a (possibly opaque) PSA key instead of
|
||||
* storing and manipulating the key material directly.
|
||||
* This function creates a PK context which wraps a PSA key. The PSA wrapped
|
||||
* key must be an EC or RSA key pair (DH is not suported in the PK module).
|
||||
*
|
||||
* Under the hood PSA functions will be used to perform the required
|
||||
* operations and, based on the key type, used algorithms will be:
|
||||
* * EC:
|
||||
* * verify, verify_ext, sign, sign_ext: ECDSA.
|
||||
* * RSA:
|
||||
* * sign, decrypt: use the primary algorithm in the wrapped PSA key;
|
||||
* * sign_ext: RSA PSS if the pk_type is #MBEDTLS_PK_RSASSA_PSS, otherwise
|
||||
* it falls back to the sign() case;
|
||||
* * verify, verify_ext, encrypt: not supported.
|
||||
*
|
||||
* In order for the above operations to succeed, the policy of the wrapped PSA
|
||||
* key must allow the specified algorithm.
|
||||
*
|
||||
* Opaque PK contexts wrapping an EC keys also support \c mbedtls_pk_check_pair(),
|
||||
* whereas RSA ones do not.
|
||||
*
|
||||
* \warning The PSA wrapped key must remain valid as long as the wrapping PK
|
||||
* context is in use, that is at least between the point this function
|
||||
* is called and the point mbedtls_pk_free() is called on this context.
|
||||
*
|
||||
* \param ctx The context to initialize. It must be empty (type NONE).
|
||||
* \param key The PSA key to wrap, which must hold an ECC or RSA key
|
||||
* pair (see notes below).
|
||||
*
|
||||
* \note The wrapped key must remain valid as long as the
|
||||
* wrapping PK context is in use, that is at least between
|
||||
* the point this function is called and the point
|
||||
* mbedtls_pk_free() is called on this context. The wrapped
|
||||
* key might then be independently used or destroyed.
|
||||
*
|
||||
* \note This function is currently only available for ECC or RSA
|
||||
* key pairs (that is, keys containing private key material).
|
||||
* Support for other key types may be added later.
|
||||
* \param key The PSA key to wrap, which must hold an ECC or RSA key pair.
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
|
||||
* (context already used, invalid key identifier).
|
||||
* \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
|
||||
* ECC key pair.
|
||||
* \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input (context already
|
||||
* used, invalid key identifier).
|
||||
* \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an ECC or
|
||||
* RSA key pair.
|
||||
* \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
|
||||
*/
|
||||
int mbedtls_pk_setup_opaque(mbedtls_pk_context *ctx,
|
||||
|
|
145
thirdparty/mbedtls/include/mbedtls/ssl.h
vendored
145
thirdparty/mbedtls/include/mbedtls/ssl.h
vendored
|
@ -83,10 +83,7 @@
|
|||
/** Processing of the Certificate handshake message failed. */
|
||||
#define MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00
|
||||
/* Error space gap */
|
||||
/**
|
||||
* Received NewSessionTicket Post Handshake Message.
|
||||
* This error code is experimental and may be changed or removed without notice.
|
||||
*/
|
||||
/** A TLS 1.3 NewSessionTicket message has been received. */
|
||||
#define MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET -0x7B00
|
||||
/** Not possible to read early data */
|
||||
#define MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA -0x7B80
|
||||
|
@ -324,6 +321,9 @@
|
|||
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
|
||||
|
||||
#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED 0
|
||||
#define MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED 1
|
||||
|
||||
#define MBEDTLS_SSL_PRESET_DEFAULT 0
|
||||
#define MBEDTLS_SSL_PRESET_SUITEB 2
|
||||
|
||||
|
@ -1446,6 +1446,12 @@ struct mbedtls_ssl_config {
|
|||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
||||
defined(MBEDTLS_SSL_CLI_C)
|
||||
/** Encodes two booleans, one stating whether TLS 1.2 session tickets are
|
||||
* enabled or not, the other one whether the handling of TLS 1.3
|
||||
* NewSessionTicket messages is enabled or not. They are respectively set
|
||||
* by mbedtls_ssl_conf_session_tickets() and
|
||||
* mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets().
|
||||
*/
|
||||
uint8_t MBEDTLS_PRIVATE(session_tickets); /*!< use session tickets? */
|
||||
#endif
|
||||
|
||||
|
@ -2364,7 +2370,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
|
|||
*/
|
||||
int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
|
||||
int *enabled,
|
||||
unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
|
||||
unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
|
||||
size_t *own_cid_len);
|
||||
|
||||
/**
|
||||
|
@ -3216,16 +3222,16 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
|
|||
* a full handshake.
|
||||
*
|
||||
* \note This function can handle a variety of mechanisms for session
|
||||
* resumption: For TLS 1.2, both session ID-based resumption and
|
||||
* ticket-based resumption will be considered. For TLS 1.3,
|
||||
* once implemented, sessions equate to tickets, and loading
|
||||
* one or more sessions via this call will lead to their
|
||||
* corresponding tickets being advertised as resumption PSKs
|
||||
* by the client.
|
||||
*
|
||||
* \note Calling this function multiple times will only be useful
|
||||
* once TLS 1.3 is supported. For TLS 1.2 connections, this
|
||||
* function should be called at most once.
|
||||
* resumption: For TLS 1.2, both session ID-based resumption
|
||||
* and ticket-based resumption will be considered. For TLS 1.3,
|
||||
* sessions equate to tickets, and loading one session by
|
||||
* calling this function will lead to its corresponding ticket
|
||||
* being advertised as resumption PSK by the client. This
|
||||
* depends on session tickets being enabled (see
|
||||
* #MBEDTLS_SSL_SESSION_TICKETS configuration option) though.
|
||||
* If session tickets are disabled, a call to this function
|
||||
* with a TLS 1.3 session, will not have any effect on the next
|
||||
* handshake for the SSL context \p ssl.
|
||||
*
|
||||
* \param ssl The SSL context representing the connection which should
|
||||
* be attempted to be setup using session resumption. This
|
||||
|
@ -3240,9 +3246,10 @@ void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
|
|||
*
|
||||
* \return \c 0 if successful.
|
||||
* \return \c MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the session
|
||||
* could not be loaded because of an implementation limitation.
|
||||
* This error is non-fatal, and has no observable effect on
|
||||
* the SSL context or the session that was attempted to be loaded.
|
||||
* could not be loaded because one session has already been
|
||||
* loaded. This error is non-fatal, and has no observable
|
||||
* effect on the SSL context or the session that was attempted
|
||||
* to be loaded.
|
||||
* \return Another negative error code on other kinds of failure.
|
||||
*
|
||||
* \sa mbedtls_ssl_get_session()
|
||||
|
@ -3309,8 +3316,16 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
|
|||
* to determine the necessary size by calling this function
|
||||
* with \p buf set to \c NULL and \p buf_len to \c 0.
|
||||
*
|
||||
* \note For TLS 1.3 sessions, this feature is supported only if the
|
||||
* MBEDTLS_SSL_SESSION_TICKETS configuration option is enabled,
|
||||
* as in TLS 1.3 session resumption is possible only with
|
||||
* tickets.
|
||||
*
|
||||
* \return \c 0 if successful.
|
||||
* \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small.
|
||||
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the
|
||||
* MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled
|
||||
* and the session is a TLS 1.3 session.
|
||||
*/
|
||||
int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
|
||||
unsigned char *buf,
|
||||
|
@ -4456,21 +4471,50 @@ int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_co
|
|||
void mbedtls_ssl_conf_preference_order(mbedtls_ssl_config *conf, int order);
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
||||
defined(MBEDTLS_SSL_CLI_C)
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
/**
|
||||
* \brief Enable / Disable session tickets (client only).
|
||||
* (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED.)
|
||||
* \brief Enable / Disable TLS 1.2 session tickets (client only,
|
||||
* TLS 1.2 only). Enabled by default.
|
||||
*
|
||||
* \note On server, use \c mbedtls_ssl_conf_session_tickets_cb().
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param use_tickets Enable or disable (MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
|
||||
* MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
|
||||
* \param use_tickets Enable or disable (#MBEDTLS_SSL_SESSION_TICKETS_ENABLED or
|
||||
* #MBEDTLS_SSL_SESSION_TICKETS_DISABLED)
|
||||
*/
|
||||
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets);
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS &&
|
||||
MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
/**
|
||||
* \brief Enable / Disable handling of TLS 1.3 NewSessionTicket messages
|
||||
* (client only, TLS 1.3 only).
|
||||
*
|
||||
* The handling of TLS 1.3 NewSessionTicket messages is disabled by
|
||||
* default.
|
||||
*
|
||||
* In TLS 1.3, servers may send a NewSessionTicket message at any time,
|
||||
* and may send multiple NewSessionTicket messages. By default, TLS 1.3
|
||||
* clients ignore NewSessionTicket messages.
|
||||
*
|
||||
* To support session tickets in TLS 1.3 clients, call this function
|
||||
* with #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED. When
|
||||
* this is enabled, when a client receives a NewSessionTicket message,
|
||||
* the next call to a message processing functions (notably
|
||||
* mbedtls_ssl_handshake() and mbedtls_ssl_read()) will return
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET. The client should then
|
||||
* call mbedtls_ssl_get_session() to retrieve the session ticket before
|
||||
* calling the same message processing function again.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param signal_new_session_tickets Enable or disable
|
||||
* (#MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED or
|
||||
* #MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED)
|
||||
*/
|
||||
void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
|
||||
mbedtls_ssl_config *conf, int signal_new_session_tickets);
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \
|
||||
defined(MBEDTLS_SSL_SRV_C) && \
|
||||
|
@ -4837,23 +4881,16 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl
|
|||
* \note This function can handle a variety of mechanisms for session
|
||||
* resumption: For TLS 1.2, both session ID-based resumption and
|
||||
* ticket-based resumption will be considered. For TLS 1.3,
|
||||
* once implemented, sessions equate to tickets, and calling
|
||||
* this function multiple times will export the available
|
||||
* tickets one a time until no further tickets are available,
|
||||
* in which case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE will
|
||||
* be returned.
|
||||
*
|
||||
* \note Calling this function multiple times will only be useful
|
||||
* once TLS 1.3 is supported. For TLS 1.2 connections, this
|
||||
* function should be called at most once.
|
||||
* sessions equate to tickets, and if session tickets are
|
||||
* enabled (see #MBEDTLS_SSL_SESSION_TICKETS configuration
|
||||
* option), this function exports the last received ticket and
|
||||
* the exported session may be used to resume the TLS 1.3
|
||||
* session. If session tickets are disabled, exported sessions
|
||||
* cannot be used to resume a TLS 1.3 session.
|
||||
*
|
||||
* \return \c 0 if successful. In this case, \p session can be used for
|
||||
* session resumption by passing it to mbedtls_ssl_set_session(),
|
||||
* and serialized for storage via mbedtls_ssl_session_save().
|
||||
* \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if no further session
|
||||
* is available for export.
|
||||
* This error is a non-fatal, and has no observable effect on
|
||||
* the SSL context or the destination session.
|
||||
* \return Another negative error code on other kinds of failure.
|
||||
*
|
||||
* \sa mbedtls_ssl_set_session()
|
||||
|
@ -4885,6 +4922,10 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
|
|||
* \return #MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED if DTLS is in use
|
||||
* and the client did not demonstrate reachability yet - in
|
||||
* this case you must stop using the context (see below).
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
|
||||
* NewSessionTicket message has been received. See the
|
||||
* documentation of mbedtls_ssl_read() for more information
|
||||
* about this error code.
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
|
||||
* defined in RFC 8446 (TLS 1.3 specification), has been
|
||||
* received as part of the handshake. This is server specific
|
||||
|
@ -4901,6 +4942,7 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
|
|||
* #MBEDTLS_ERR_SSL_WANT_WRITE,
|
||||
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS or
|
||||
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
|
||||
* you must stop using the SSL context for reading or writing,
|
||||
* and either free it or call \c mbedtls_ssl_session_reset()
|
||||
|
@ -4921,10 +4963,13 @@ int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
|
|||
* currently being processed might or might not contain further
|
||||
* DTLS records.
|
||||
*
|
||||
* \note If the context is configured to allow TLS 1.3, or if
|
||||
* #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
||||
* \note If #MBEDTLS_USE_PSA_CRYPTO is enabled, the PSA crypto
|
||||
* subsystem must have been initialized by calling
|
||||
* psa_crypto_init() before calling this function.
|
||||
* Otherwise, the handshake may call psa_crypto_init()
|
||||
* if a negotiation involving TLS 1.3 takes place (this may
|
||||
* be the case even if TLS 1.3 is offered but eventually
|
||||
* not selected).
|
||||
*/
|
||||
int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl);
|
||||
|
||||
|
@ -4972,6 +5017,7 @@ static inline int mbedtls_ssl_is_handshake_over(mbedtls_ssl_context *ssl)
|
|||
* #MBEDTLS_ERR_SSL_WANT_READ, #MBEDTLS_ERR_SSL_WANT_WRITE,
|
||||
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
|
||||
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA, you must stop using
|
||||
* the SSL context for reading or writing, and either free it
|
||||
* or call \c mbedtls_ssl_session_reset() on it before
|
||||
|
@ -5040,6 +5086,17 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl);
|
|||
* \return #MBEDTLS_ERR_SSL_CLIENT_RECONNECT if we're at the server
|
||||
* side of a DTLS connection and the client is initiating a
|
||||
* new connection using the same source port. See below.
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
|
||||
* NewSessionTicket message has been received.
|
||||
* This error code is only returned on the client side. It is
|
||||
* only returned if handling of TLS 1.3 NewSessionTicket
|
||||
* messages has been enabled through
|
||||
* mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets().
|
||||
* This error code indicates that a TLS 1.3 NewSessionTicket
|
||||
* message has been received and parsed successfully by the
|
||||
* client. The ticket data can be retrieved from the SSL
|
||||
* context by calling mbedtls_ssl_get_session(). It remains
|
||||
* available until the next call to mbedtls_ssl_read().
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
|
||||
* defined in RFC 8446 (TLS 1.3 specification), has been
|
||||
* received as part of the handshake. This is server specific
|
||||
|
@ -5057,6 +5114,7 @@ int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl);
|
|||
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
|
||||
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS,
|
||||
* #MBEDTLS_ERR_SSL_CLIENT_RECONNECT or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
|
||||
* you must stop using the SSL context for reading or writing,
|
||||
* and either free it or call \c mbedtls_ssl_session_reset()
|
||||
|
@ -5122,6 +5180,10 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
|
|||
* operation is in progress (see mbedtls_ecp_set_max_ops()) -
|
||||
* in this case you must call this function again to complete
|
||||
* the handshake when you're done attending other tasks.
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET if a TLS 1.3
|
||||
* NewSessionTicket message has been received. See the
|
||||
* documentation of mbedtls_ssl_read() for more information
|
||||
* about this error code.
|
||||
* \return #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA if early data, as
|
||||
* defined in RFC 8446 (TLS 1.3 specification), has been
|
||||
* received as part of the handshake. This is server specific
|
||||
|
@ -5138,6 +5200,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
|
|||
* #MBEDTLS_ERR_SSL_WANT_WRITE,
|
||||
* #MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS,
|
||||
* #MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET or
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA,
|
||||
* you must stop using the SSL context for reading or writing,
|
||||
* and either free it or call \c mbedtls_ssl_session_reset()
|
||||
|
|
188
thirdparty/mbedtls/include/psa/crypto.h
vendored
188
thirdparty/mbedtls/include/psa/crypto.h
vendored
|
@ -121,8 +121,8 @@ static psa_key_attributes_t psa_key_attributes_init(void);
|
|||
* value in the structure.
|
||||
* The persistent key will be written to storage when the attribute
|
||||
* structure is passed to a key creation function such as
|
||||
* psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
|
||||
* psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
|
||||
* psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
|
||||
* psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
|
||||
* or psa_copy_key().
|
||||
*
|
||||
* This function may be declared as `static` (i.e. without external
|
||||
|
@ -131,6 +131,9 @@ static psa_key_attributes_t psa_key_attributes_init(void);
|
|||
*
|
||||
* \param[out] attributes The attribute structure to write to.
|
||||
* \param key The persistent identifier for the key.
|
||||
* This can be any value in the range from
|
||||
* #PSA_KEY_ID_USER_MIN to #PSA_KEY_ID_USER_MAX
|
||||
* inclusive.
|
||||
*/
|
||||
static void psa_set_key_id(psa_key_attributes_t *attributes,
|
||||
mbedtls_svc_key_id_t key);
|
||||
|
@ -166,8 +169,8 @@ static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes,
|
|||
* value in the structure.
|
||||
* The persistent key will be written to storage when the attribute
|
||||
* structure is passed to a key creation function such as
|
||||
* psa_import_key(), psa_generate_key(), psa_generate_key_ext(),
|
||||
* psa_key_derivation_output_key(), psa_key_derivation_output_key_ext()
|
||||
* psa_import_key(), psa_generate_key(), psa_generate_key_custom(),
|
||||
* psa_key_derivation_output_key(), psa_key_derivation_output_key_custom()
|
||||
* or psa_copy_key().
|
||||
*
|
||||
* This function may be declared as `static` (i.e. without external
|
||||
|
@ -875,7 +878,7 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg,
|
|||
* such that #PSA_ALG_IS_HASH(\p alg) is true).
|
||||
* \param[in] input Buffer containing the message to hash.
|
||||
* \param input_length Size of the \p input buffer in bytes.
|
||||
* \param[out] hash Buffer containing the expected hash value.
|
||||
* \param[in] hash Buffer containing the expected hash value.
|
||||
* \param hash_length Size of the \p hash buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
|
@ -1230,7 +1233,7 @@ psa_status_t psa_mac_compute(mbedtls_svc_key_id_t key,
|
|||
* such that #PSA_ALG_IS_MAC(\p alg) is true).
|
||||
* \param[in] input Buffer containing the input message.
|
||||
* \param input_length Size of the \p input buffer in bytes.
|
||||
* \param[out] mac Buffer containing the expected MAC value.
|
||||
* \param[in] mac Buffer containing the expected MAC value.
|
||||
* \param mac_length Size of the \p mac buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
|
@ -2922,7 +2925,7 @@ psa_status_t psa_sign_message(mbedtls_svc_key_id_t key,
|
|||
* \p key.
|
||||
* \param[in] input The message whose signature is to be verified.
|
||||
* \param[in] input_length Size of the \p input buffer in bytes.
|
||||
* \param[out] signature Buffer containing the signature to verify.
|
||||
* \param[in] signature Buffer containing the signature to verify.
|
||||
* \param[in] signature_length Size of the \p signature buffer in bytes.
|
||||
*
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
|
@ -3248,7 +3251,7 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
|
|||
* of or after providing inputs. For some algorithms, this step is mandatory
|
||||
* because the output depends on the maximum capacity.
|
||||
* -# To derive a key, call psa_key_derivation_output_key() or
|
||||
* psa_key_derivation_output_key_ext().
|
||||
* psa_key_derivation_output_key_custom().
|
||||
* To derive a byte string for a different purpose, call
|
||||
* psa_key_derivation_output_bytes().
|
||||
* Successive calls to these functions use successive output bytes
|
||||
|
@ -3471,7 +3474,7 @@ psa_status_t psa_key_derivation_input_integer(
|
|||
* \note Once all inputs steps are completed, the operations will allow:
|
||||
* - psa_key_derivation_output_bytes() if each input was either a direct input
|
||||
* or a key with #PSA_KEY_USAGE_DERIVE set;
|
||||
* - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext()
|
||||
* - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom()
|
||||
* if the input for step
|
||||
* #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD
|
||||
* was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was
|
||||
|
@ -3721,9 +3724,9 @@ psa_status_t psa_key_derivation_output_bytes(
|
|||
* on the derived key based on the attributes and strength of the secret key.
|
||||
*
|
||||
* \note This function is equivalent to calling
|
||||
* psa_key_derivation_output_key_ext()
|
||||
* with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
|
||||
* and `params_data_length == 0` (i.e. `params->data` is empty).
|
||||
* psa_key_derivation_output_key_custom()
|
||||
* with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
|
||||
* and `custom_data_length == 0` (i.e. `custom_data` is empty).
|
||||
*
|
||||
* \param[in] attributes The attributes for the new key.
|
||||
* If the key type to be created is
|
||||
|
@ -3795,6 +3798,85 @@ psa_status_t psa_key_derivation_output_key(
|
|||
* the policy must be the same as in the current
|
||||
* operation.
|
||||
* \param[in,out] operation The key derivation operation object to read from.
|
||||
* \param[in] custom Customization parameters for the key generation.
|
||||
* When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
|
||||
* with \p custom_data_length = 0,
|
||||
* this function is equivalent to
|
||||
* psa_key_derivation_output_key().
|
||||
* \param[in] custom_data Variable-length data associated with \c custom.
|
||||
* \param custom_data_length
|
||||
* Length of `custom_data` in bytes.
|
||||
* \param[out] key On success, an identifier for the newly created
|
||||
* key. For persistent keys, this is the key
|
||||
* identifier defined in \p attributes.
|
||||
* \c 0 on failure.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* Success.
|
||||
* If the key is persistent, the key material and the key's metadata
|
||||
* have been saved to persistent storage.
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS
|
||||
* This is an attempt to create a persistent key, and there is
|
||||
* already a persistent key with the given identifier.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_DATA
|
||||
* There was not enough data to create the desired key.
|
||||
* Note that in this case, no output is written to the output buffer.
|
||||
* The operation's capacity is set to 0, thus subsequent calls to
|
||||
* this function will not succeed, even with a smaller output buffer.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED
|
||||
* The key type or key size is not supported, either by the
|
||||
* implementation in general or in this particular location.
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT
|
||||
* The provided key attributes are not valid for the operation.
|
||||
* \retval #PSA_ERROR_NOT_PERMITTED
|
||||
* The #PSA_KEY_DERIVATION_INPUT_SECRET or
|
||||
* #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
|
||||
* key; or one of the inputs was a key whose policy didn't allow
|
||||
* #PSA_KEY_USAGE_DERIVE.
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The operation state is not valid (it must be active and completed
|
||||
* all required input steps), or the library has not been previously
|
||||
* initialized by psa_crypto_init().
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
psa_status_t psa_key_derivation_output_key_custom(
|
||||
const psa_key_attributes_t *attributes,
|
||||
psa_key_derivation_operation_t *operation,
|
||||
const psa_custom_key_parameters_t *custom,
|
||||
const uint8_t *custom_data,
|
||||
size_t custom_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
|
||||
#ifndef __cplusplus
|
||||
/* Omitted when compiling in C++, because one of the parameters is a
|
||||
* pointer to a struct with a flexible array member, and that is not
|
||||
* standard C++.
|
||||
* https://github.com/Mbed-TLS/mbedtls/issues/9020
|
||||
*/
|
||||
/** Derive a key from an ongoing key derivation operation with custom
|
||||
* production parameters.
|
||||
*
|
||||
* \note
|
||||
* This is a deprecated variant of psa_key_derivation_output_key_custom().
|
||||
* It is equivalent except that the associated variable-length data
|
||||
* is passed in `params->data` instead of a separate parameter.
|
||||
* This function will be removed in a future version of Mbed TLS.
|
||||
*
|
||||
* \param[in] attributes The attributes for the new key.
|
||||
* If the key type to be created is
|
||||
* #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in
|
||||
* the policy must be the same as in the current
|
||||
* operation.
|
||||
* \param[in,out] operation The key derivation operation object to read from.
|
||||
* \param[in] params Customization parameters for the key derivation.
|
||||
* When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
|
||||
* with \p params_data_length = 0,
|
||||
|
@ -3848,14 +3930,13 @@ psa_status_t psa_key_derivation_output_key(
|
|||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
psa_status_t psa_key_derivation_output_key_ext(
|
||||
const psa_key_attributes_t *attributes,
|
||||
psa_key_derivation_operation_t *operation,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
#endif
|
||||
#endif /* !__cplusplus */
|
||||
|
||||
/** Compare output data from a key derivation operation to an expected value.
|
||||
*
|
||||
|
@ -3881,8 +3962,8 @@ psa_status_t psa_key_derivation_output_key_ext(
|
|||
* psa_key_derivation_abort().
|
||||
*
|
||||
* \param[in,out] operation The key derivation operation object to read from.
|
||||
* \param[in] expected_output Buffer containing the expected derivation output.
|
||||
* \param output_length Length of the expected output; this is also the
|
||||
* \param[in] expected Buffer containing the expected derivation output.
|
||||
* \param expected_length Length of the expected output; this is also the
|
||||
* number of bytes that will be read.
|
||||
*
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
|
@ -3912,8 +3993,8 @@ psa_status_t psa_key_derivation_output_key_ext(
|
|||
*/
|
||||
psa_status_t psa_key_derivation_verify_bytes(
|
||||
psa_key_derivation_operation_t *operation,
|
||||
const uint8_t *expected_output,
|
||||
size_t output_length);
|
||||
const uint8_t *expected,
|
||||
size_t expected_length);
|
||||
|
||||
/** Compare output data from a key derivation operation to an expected value
|
||||
* stored in a key object.
|
||||
|
@ -3943,7 +4024,7 @@ psa_status_t psa_key_derivation_verify_bytes(
|
|||
* operation. The value of this key was likely
|
||||
* computed by a previous call to
|
||||
* psa_key_derivation_output_key() or
|
||||
* psa_key_derivation_output_key_ext().
|
||||
* psa_key_derivation_output_key_custom().
|
||||
*
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_SIGNATURE
|
||||
|
@ -4111,9 +4192,9 @@ psa_status_t psa_generate_random(uint8_t *output,
|
|||
* between 2^{n-1} and 2^n where n is the bit size specified in the
|
||||
* attributes.
|
||||
*
|
||||
* \note This function is equivalent to calling psa_generate_key_ext()
|
||||
* with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT
|
||||
* and `params_data_length == 0` (i.e. `params->data` is empty).
|
||||
* \note This function is equivalent to calling psa_generate_key_custom()
|
||||
* with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT
|
||||
* and `custom_data_length == 0` (i.e. `custom_data` is empty).
|
||||
*
|
||||
* \param[in] attributes The attributes for the new key.
|
||||
* \param[out] key On success, an identifier for the newly created
|
||||
|
@ -4153,7 +4234,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
|
|||
* See the description of psa_generate_key() for the operation of this
|
||||
* function with the default production parameters. In addition, this function
|
||||
* supports the following production customizations, described in more detail
|
||||
* in the documentation of ::psa_key_production_parameters_t:
|
||||
* in the documentation of ::psa_custom_key_parameters_t:
|
||||
*
|
||||
* - RSA keys: generation with a custom public exponent.
|
||||
*
|
||||
|
@ -4161,6 +4242,64 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
|
|||
* versions of Mbed TLS.
|
||||
*
|
||||
* \param[in] attributes The attributes for the new key.
|
||||
* \param[in] custom Customization parameters for the key generation.
|
||||
* When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT
|
||||
* with \p custom_data_length = 0,
|
||||
* this function is equivalent to
|
||||
* psa_generate_key().
|
||||
* \param[in] custom_data Variable-length data associated with \c custom.
|
||||
* \param custom_data_length
|
||||
* Length of `custom_data` in bytes.
|
||||
* \param[out] key On success, an identifier for the newly created
|
||||
* key. For persistent keys, this is the key
|
||||
* identifier defined in \p attributes.
|
||||
* \c 0 on failure.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* Success.
|
||||
* If the key is persistent, the key material and the key's metadata
|
||||
* have been saved to persistent storage.
|
||||
* \retval #PSA_ERROR_ALREADY_EXISTS
|
||||
* This is an attempt to create a persistent key, and there is
|
||||
* already a persistent key with the given identifier.
|
||||
* \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
|
||||
* \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
|
||||
* \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_INVALID \emptydescription
|
||||
* \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
|
||||
* \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
|
||||
* \retval #PSA_ERROR_BAD_STATE
|
||||
* The library has not been previously initialized by psa_crypto_init().
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes,
|
||||
const psa_custom_key_parameters_t *custom,
|
||||
const uint8_t *custom_data,
|
||||
size_t custom_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
|
||||
#ifndef __cplusplus
|
||||
/* Omitted when compiling in C++, because one of the parameters is a
|
||||
* pointer to a struct with a flexible array member, and that is not
|
||||
* standard C++.
|
||||
* https://github.com/Mbed-TLS/mbedtls/issues/9020
|
||||
*/
|
||||
/**
|
||||
* \brief Generate a key or key pair using custom production parameters.
|
||||
*
|
||||
* \note
|
||||
* This is a deprecated variant of psa_key_derivation_output_key_custom().
|
||||
* It is equivalent except that the associated variable-length data
|
||||
* is passed in `params->data` instead of a separate parameter.
|
||||
* This function will be removed in a future version of Mbed TLS.
|
||||
*
|
||||
* \param[in] attributes The attributes for the new key.
|
||||
* \param[in] params Customization parameters for the key generation.
|
||||
* When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT
|
||||
* with \p params_data_length = 0,
|
||||
|
@ -4196,12 +4335,11 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
|
|||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
#endif
|
||||
#endif /* !__cplusplus */
|
||||
|
||||
/**@}*/
|
||||
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
* \file psa/crypto_adjust_auto_enabled.h
|
||||
* \brief Adjust PSA configuration: enable always-on features
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* Always enable certain features which require a negligible amount of code
|
||||
* to implement, to avoid some edge cases in the configuration combinatorics.
|
||||
*/
|
||||
|
@ -13,6 +15,14 @@
|
|||
#ifndef PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
|
||||
#define PSA_CRYPTO_ADJUST_AUTO_ENABLED_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
#define PSA_WANT_KEY_TYPE_DERIVE 1
|
||||
#define PSA_WANT_KEY_TYPE_PASSWORD 1
|
||||
#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1
|
||||
|
|
51
thirdparty/mbedtls/include/psa/crypto_adjust_config_dependencies.h
vendored
Normal file
51
thirdparty/mbedtls/include/psa/crypto_adjust_config_dependencies.h
vendored
Normal file
|
@ -0,0 +1,51 @@
|
|||
/**
|
||||
* \file psa/crypto_adjust_config_dependencies.h
|
||||
* \brief Adjust PSA configuration by resolving some dependencies.
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* See docs/proposed/psa-conditional-inclusion-c.md.
|
||||
* If the Mbed TLS implementation of a cryptographic mechanism A depends on a
|
||||
* cryptographic mechanism B then if the cryptographic mechanism A is enabled
|
||||
* and not accelerated enable B. Note that if A is enabled and accelerated, it
|
||||
* is not necessary to enable B for A support.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
|
||||
#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
#if (defined(PSA_WANT_ALG_TLS12_PRF) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \
|
||||
(defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \
|
||||
(defined(PSA_WANT_ALG_HKDF) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \
|
||||
(defined(PSA_WANT_ALG_HKDF_EXTRACT) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \
|
||||
(defined(PSA_WANT_ALG_HKDF_EXPAND) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \
|
||||
(defined(PSA_WANT_ALG_PBKDF2_HMAC) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC))
|
||||
#define PSA_WANT_ALG_HMAC 1
|
||||
#define PSA_WANT_KEY_TYPE_HMAC 1
|
||||
#endif
|
||||
|
||||
#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \
|
||||
!defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128))
|
||||
#define PSA_WANT_KEY_TYPE_AES 1
|
||||
#define PSA_WANT_ALG_CMAC 1
|
||||
#endif
|
||||
|
||||
#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */
|
|
@ -2,6 +2,8 @@
|
|||
* \file psa/crypto_adjust_config_key_pair_types.h
|
||||
* \brief Adjust PSA configuration for key pair types.
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* See docs/proposed/psa-conditional-inclusion-c.md.
|
||||
* - Support non-basic operations in a keypair type implicitly enables basic
|
||||
* support for that keypair type.
|
||||
|
@ -19,6 +21,14 @@
|
|||
#ifndef PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
|
||||
#define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/*****************************************************************
|
||||
* ANYTHING -> BASIC
|
||||
****************************************************************/
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
* \file psa/crypto_adjust_config_synonyms.h
|
||||
* \brief Adjust PSA configuration: enable quasi-synonyms
|
||||
*
|
||||
* This is an internal header. Do not include it directly.
|
||||
*
|
||||
* When two features require almost the same code, we automatically enable
|
||||
* both when either one is requested, to reduce the combinatorics of
|
||||
* possible configurations.
|
||||
|
@ -14,6 +16,14 @@
|
|||
#ifndef PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
|
||||
#define PSA_CRYPTO_ADJUST_CONFIG_SYNONYMS_H
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILES_READ)
|
||||
#error "Do not include psa/crypto_adjust_*.h manually! This can lead to problems, " \
|
||||
"up to and including runtime errors such as buffer overflows. " \
|
||||
"If you're trying to fix a complaint from check_config.h, just remove " \
|
||||
"it from your configuration file: since Mbed TLS 3.0, it is included " \
|
||||
"automatically at the right point."
|
||||
#endif /* */
|
||||
|
||||
/****************************************************************/
|
||||
/* De facto synonyms */
|
||||
/****************************************************************/
|
||||
|
|
10
thirdparty/mbedtls/include/psa/crypto_extra.h
vendored
10
thirdparty/mbedtls/include/psa/crypto_extra.h
vendored
|
@ -154,6 +154,14 @@ static inline void psa_clear_key_slot_number(
|
|||
* specified in \p attributes.
|
||||
*
|
||||
* \param[in] attributes The attributes of the existing key.
|
||||
* - The lifetime must be a persistent lifetime
|
||||
* in a secure element. Volatile lifetimes are
|
||||
* not currently supported.
|
||||
* - The key identifier must be in the valid
|
||||
* range for persistent keys.
|
||||
* - The key type and size must be specified and
|
||||
* must be consistent with the key material
|
||||
* in the secure element.
|
||||
*
|
||||
* \retval #PSA_SUCCESS
|
||||
* The key was successfully registered.
|
||||
|
@ -479,7 +487,7 @@ psa_status_t mbedtls_psa_external_get_random(
|
|||
* #PSA_KEY_ID_VENDOR_MIN and #PSA_KEY_ID_VENDOR_MAX and must not intersect
|
||||
* with any other set of implementation-chosen key identifiers.
|
||||
*
|
||||
* This value is part of the library's ABI since changing it would invalidate
|
||||
* This value is part of the library's API since changing it would invalidate
|
||||
* the values of built-in key identifiers in applications.
|
||||
*/
|
||||
#define MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)
|
||||
|
|
30
thirdparty/mbedtls/include/psa/crypto_struct.h
vendored
30
thirdparty/mbedtls/include/psa/crypto_struct.h
vendored
|
@ -223,13 +223,36 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
|
|||
return v;
|
||||
}
|
||||
|
||||
#ifndef __cplusplus
|
||||
struct psa_key_production_parameters_s {
|
||||
struct psa_custom_key_parameters_s {
|
||||
/* Future versions may add other fields in this structure. */
|
||||
uint32_t flags;
|
||||
};
|
||||
|
||||
/** The default production parameters for key generation or key derivation.
|
||||
*
|
||||
* Calling psa_generate_key_custom() or psa_key_derivation_output_key_custom()
|
||||
* with `custom=PSA_CUSTOM_KEY_PARAMETERS_INIT` and `custom_data_length=0` is
|
||||
* equivalent to calling psa_generate_key() or psa_key_derivation_output_key()
|
||||
* respectively.
|
||||
*/
|
||||
#define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 }
|
||||
|
||||
#ifndef __cplusplus
|
||||
/* Omitted when compiling in C++, because one of the parameters is a
|
||||
* pointer to a struct with a flexible array member, and that is not
|
||||
* standard C++.
|
||||
* https://github.com/Mbed-TLS/mbedtls/issues/9020
|
||||
*/
|
||||
/* This is a deprecated variant of `struct psa_custom_key_parameters_s`.
|
||||
* It has exactly the same layout, plus an extra field which is a flexible
|
||||
* array member. Thus a `const struct psa_key_production_parameters_s *`
|
||||
* can be passed to any function that reads a
|
||||
* `const struct psa_custom_key_parameters_s *`.
|
||||
*/
|
||||
struct psa_key_production_parameters_s {
|
||||
uint32_t flags;
|
||||
uint8_t data[];
|
||||
};
|
||||
#endif
|
||||
|
||||
/** The default production parameters for key generation or key derivation.
|
||||
*
|
||||
|
@ -240,6 +263,7 @@ struct psa_key_production_parameters_s {
|
|||
* respectively.
|
||||
*/
|
||||
#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 }
|
||||
#endif /* !__cplusplus */
|
||||
|
||||
struct psa_key_policy_s {
|
||||
psa_key_usage_t MBEDTLS_PRIVATE(usage);
|
||||
|
|
26
thirdparty/mbedtls/include/psa/crypto_types.h
vendored
26
thirdparty/mbedtls/include/psa/crypto_types.h
vendored
|
@ -455,6 +455,30 @@ typedef uint64_t psa_key_slot_number_t;
|
|||
*/
|
||||
typedef uint16_t psa_key_derivation_step_t;
|
||||
|
||||
/** \brief Custom parameters for key generation or key derivation.
|
||||
*
|
||||
* This is a structure type with at least the following field:
|
||||
*
|
||||
* - \c flags: an unsigned integer type. 0 for the default production parameters.
|
||||
*
|
||||
* Functions that take such a structure as input also take an associated
|
||||
* input buffer \c custom_data of length \c custom_data_length.
|
||||
*
|
||||
* The interpretation of this structure and the associated \c custom_data
|
||||
* parameter depend on the type of the created key.
|
||||
*
|
||||
* - #PSA_KEY_TYPE_RSA_KEY_PAIR:
|
||||
* - \c flags: must be 0.
|
||||
* - \c custom_data: the public exponent, in little-endian order.
|
||||
* This must be an odd integer and must not be 1.
|
||||
* Implementations must support 65537, should support 3 and may
|
||||
* support other values.
|
||||
* When not using a driver, Mbed TLS supports values up to \c INT_MAX.
|
||||
* If this is empty, the default value 65537 is used.
|
||||
* - Other key types: reserved for future use. \c flags must be 0.
|
||||
*/
|
||||
typedef struct psa_custom_key_parameters_s psa_custom_key_parameters_t;
|
||||
|
||||
/** \brief Custom parameters for key generation or key derivation.
|
||||
*
|
||||
* This is a structure type with at least the following fields:
|
||||
|
@ -477,9 +501,7 @@ typedef uint16_t psa_key_derivation_step_t;
|
|||
* - Other key types: reserved for future use. \c flags must be 0.
|
||||
*
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
typedef struct psa_key_production_parameters_s psa_key_production_parameters_t;
|
||||
#endif
|
||||
|
||||
/**@}*/
|
||||
|
||||
|
|
29
thirdparty/mbedtls/library/bignum.c
vendored
29
thirdparty/mbedtls/library/bignum.c
vendored
|
@ -27,6 +27,7 @@
|
|||
|
||||
#include "mbedtls/bignum.h"
|
||||
#include "bignum_core.h"
|
||||
#include "bignum_internal.h"
|
||||
#include "bn_mul.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
@ -1610,9 +1611,13 @@ int mbedtls_mpi_mod_int(mbedtls_mpi_uint *r, const mbedtls_mpi *A, mbedtls_mpi_s
|
|||
return 0;
|
||||
}
|
||||
|
||||
int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
const mbedtls_mpi *E, const mbedtls_mpi *N,
|
||||
mbedtls_mpi *prec_RR)
|
||||
/*
|
||||
* Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
|
||||
* this function is not constant time with respect to the exponent (parameter E).
|
||||
*/
|
||||
static int mbedtls_mpi_exp_mod_optionally_safe(mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
const mbedtls_mpi *E, int E_public,
|
||||
const mbedtls_mpi *N, mbedtls_mpi *prec_RR)
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
|
@ -1695,7 +1700,11 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
|
|||
{
|
||||
mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N->p);
|
||||
mbedtls_mpi_core_to_mont_rep(X->p, X->p, N->p, N->n, mm, RR.p, T);
|
||||
if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
|
||||
mbedtls_mpi_core_exp_mod_unsafe(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
|
||||
} else {
|
||||
mbedtls_mpi_core_exp_mod(X->p, X->p, N->p, N->n, E->p, E->n, RR.p, T);
|
||||
}
|
||||
mbedtls_mpi_core_from_mont_rep(X->p, X->p, N->p, N->n, mm, T);
|
||||
}
|
||||
|
||||
|
@ -1720,6 +1729,20 @@ cleanup:
|
|||
return ret;
|
||||
}
|
||||
|
||||
int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
const mbedtls_mpi *E, const mbedtls_mpi *N,
|
||||
mbedtls_mpi *prec_RR)
|
||||
{
|
||||
return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_SECRET, N, prec_RR);
|
||||
}
|
||||
|
||||
int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
const mbedtls_mpi *E, const mbedtls_mpi *N,
|
||||
mbedtls_mpi *prec_RR)
|
||||
{
|
||||
return mbedtls_mpi_exp_mod_optionally_safe(X, A, E, MBEDTLS_MPI_IS_PUBLIC, N, prec_RR);
|
||||
}
|
||||
|
||||
/*
|
||||
* Greatest common divisor: G = gcd(A, B) (HAC 14.54)
|
||||
*/
|
||||
|
|
149
thirdparty/mbedtls/library/bignum_core.c
vendored
149
thirdparty/mbedtls/library/bignum_core.c
vendored
|
@ -746,7 +746,93 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
|
||||
int mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* This function calculates the indices of the exponent where the exponentiation algorithm should
|
||||
* start processing.
|
||||
*
|
||||
* Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
|
||||
* this function is not constant time with respect to the exponent (parameter E).
|
||||
*/
|
||||
static inline void exp_mod_calc_first_bit_optionally_safe(const mbedtls_mpi_uint *E,
|
||||
size_t E_limbs,
|
||||
int E_public,
|
||||
size_t *E_limb_index,
|
||||
size_t *E_bit_index)
|
||||
{
|
||||
if (E_public == MBEDTLS_MPI_IS_PUBLIC) {
|
||||
/*
|
||||
* Skip leading zero bits.
|
||||
*/
|
||||
size_t E_bits = mbedtls_mpi_core_bitlen(E, E_limbs);
|
||||
if (E_bits == 0) {
|
||||
/*
|
||||
* If E is 0 mbedtls_mpi_core_bitlen() returns 0. Even if that is the case, we will want
|
||||
* to represent it as a single 0 bit and as such the bitlength will be 1.
|
||||
*/
|
||||
E_bits = 1;
|
||||
}
|
||||
|
||||
*E_limb_index = E_bits / biL;
|
||||
*E_bit_index = E_bits % biL;
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
|
||||
#endif
|
||||
} else {
|
||||
/*
|
||||
* Here we need to be constant time with respect to E and can't do anything better than
|
||||
* start at the first allocated bit.
|
||||
*/
|
||||
*E_limb_index = E_limbs;
|
||||
*E_bit_index = 0;
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
// Only mark the codepath safe if there wasn't an unsafe codepath before
|
||||
if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
|
||||
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Warning! If the parameter window_public has MBEDTLS_MPI_IS_PUBLIC as its value, this function is
|
||||
* not constant time with respect to the window parameter and consequently the exponent of the
|
||||
* exponentiation (parameter E of mbedtls_mpi_core_exp_mod_optionally_safe).
|
||||
*/
|
||||
static inline void exp_mod_table_lookup_optionally_safe(mbedtls_mpi_uint *Wselect,
|
||||
mbedtls_mpi_uint *Wtable,
|
||||
size_t AN_limbs, size_t welem,
|
||||
mbedtls_mpi_uint window,
|
||||
int window_public)
|
||||
{
|
||||
if (window_public == MBEDTLS_MPI_IS_PUBLIC) {
|
||||
memcpy(Wselect, Wtable + window * AN_limbs, AN_limbs * ciL);
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC;
|
||||
#endif
|
||||
} else {
|
||||
/* Select Wtable[window] without leaking window through
|
||||
* memory access patterns. */
|
||||
mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
|
||||
AN_limbs, welem, window);
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
// Only mark the codepath safe if there wasn't an unsafe codepath before
|
||||
if (mbedtls_mpi_optionally_safe_codepath != MBEDTLS_MPI_IS_PUBLIC) {
|
||||
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_SECRET;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
/* Exponentiation: X := A^E mod N.
|
||||
*
|
||||
* Warning! If the parameter E_public has MBEDTLS_MPI_IS_PUBLIC as its value,
|
||||
* this function is not constant time with respect to the exponent (parameter E).
|
||||
*
|
||||
* A must already be in Montgomery form.
|
||||
*
|
||||
|
@ -758,16 +844,25 @@ static void exp_mod_precompute_window(const mbedtls_mpi_uint *A,
|
|||
* (The difference is that the body in our loop processes a single bit instead
|
||||
* of a full window.)
|
||||
*/
|
||||
void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
||||
static void mbedtls_mpi_core_exp_mod_optionally_safe(mbedtls_mpi_uint *X,
|
||||
const mbedtls_mpi_uint *A,
|
||||
const mbedtls_mpi_uint *N,
|
||||
size_t AN_limbs,
|
||||
const mbedtls_mpi_uint *E,
|
||||
size_t E_limbs,
|
||||
int E_public,
|
||||
const mbedtls_mpi_uint *RR,
|
||||
mbedtls_mpi_uint *T)
|
||||
{
|
||||
const size_t wsize = exp_mod_get_window_size(E_limbs * biL);
|
||||
/* We'll process the bits of E from most significant
|
||||
* (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
|
||||
* (limb_index=0, E_bit_index=0). */
|
||||
size_t E_limb_index;
|
||||
size_t E_bit_index;
|
||||
exp_mod_calc_first_bit_optionally_safe(E, E_limbs, E_public,
|
||||
&E_limb_index, &E_bit_index);
|
||||
|
||||
const size_t wsize = exp_mod_get_window_size(E_limb_index * biL);
|
||||
const size_t welem = ((size_t) 1) << wsize;
|
||||
|
||||
/* This is how we will use the temporary storage T, which must have space
|
||||
|
@ -786,7 +881,7 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
|||
|
||||
const mbedtls_mpi_uint mm = mbedtls_mpi_core_montmul_init(N);
|
||||
|
||||
/* Set Wtable[i] = A^(2^i) (in Montgomery representation) */
|
||||
/* Set Wtable[i] = A^i (in Montgomery representation) */
|
||||
exp_mod_precompute_window(A, N, AN_limbs,
|
||||
mm, RR,
|
||||
welem, Wtable, temp);
|
||||
|
@ -798,11 +893,6 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
|||
/* X = 1 (in Montgomery presentation) initially */
|
||||
memcpy(X, Wtable, AN_limbs * ciL);
|
||||
|
||||
/* We'll process the bits of E from most significant
|
||||
* (limb_index=E_limbs-1, E_bit_index=biL-1) to least significant
|
||||
* (limb_index=0, E_bit_index=0). */
|
||||
size_t E_limb_index = E_limbs;
|
||||
size_t E_bit_index = 0;
|
||||
/* At any given time, window contains window_bits bits from E.
|
||||
* window_bits can go up to wsize. */
|
||||
size_t window_bits = 0;
|
||||
|
@ -828,10 +918,9 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
|||
* when we've finished processing the exponent. */
|
||||
if (window_bits == wsize ||
|
||||
(E_bit_index == 0 && E_limb_index == 0)) {
|
||||
/* Select Wtable[window] without leaking window through
|
||||
* memory access patterns. */
|
||||
mbedtls_mpi_core_ct_uint_table_lookup(Wselect, Wtable,
|
||||
AN_limbs, welem, window);
|
||||
|
||||
exp_mod_table_lookup_optionally_safe(Wselect, Wtable, AN_limbs, welem,
|
||||
window, E_public);
|
||||
/* Multiply X by the selected element. */
|
||||
mbedtls_mpi_core_montmul(X, X, Wselect, AN_limbs, N, AN_limbs, mm,
|
||||
temp);
|
||||
|
@ -841,6 +930,42 @@ void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
|||
} while (!(E_bit_index == 0 && E_limb_index == 0));
|
||||
}
|
||||
|
||||
void mbedtls_mpi_core_exp_mod(mbedtls_mpi_uint *X,
|
||||
const mbedtls_mpi_uint *A,
|
||||
const mbedtls_mpi_uint *N, size_t AN_limbs,
|
||||
const mbedtls_mpi_uint *E, size_t E_limbs,
|
||||
const mbedtls_mpi_uint *RR,
|
||||
mbedtls_mpi_uint *T)
|
||||
{
|
||||
mbedtls_mpi_core_exp_mod_optionally_safe(X,
|
||||
A,
|
||||
N,
|
||||
AN_limbs,
|
||||
E,
|
||||
E_limbs,
|
||||
MBEDTLS_MPI_IS_SECRET,
|
||||
RR,
|
||||
T);
|
||||
}
|
||||
|
||||
void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
|
||||
const mbedtls_mpi_uint *A,
|
||||
const mbedtls_mpi_uint *N, size_t AN_limbs,
|
||||
const mbedtls_mpi_uint *E, size_t E_limbs,
|
||||
const mbedtls_mpi_uint *RR,
|
||||
mbedtls_mpi_uint *T)
|
||||
{
|
||||
mbedtls_mpi_core_exp_mod_optionally_safe(X,
|
||||
A,
|
||||
N,
|
||||
AN_limbs,
|
||||
E,
|
||||
E_limbs,
|
||||
MBEDTLS_MPI_IS_PUBLIC,
|
||||
RR,
|
||||
T);
|
||||
}
|
||||
|
||||
mbedtls_mpi_uint mbedtls_mpi_core_sub_int(mbedtls_mpi_uint *X,
|
||||
const mbedtls_mpi_uint *A,
|
||||
mbedtls_mpi_uint c, /* doubles as carry */
|
||||
|
|
70
thirdparty/mbedtls/library/bignum_core.h
vendored
70
thirdparty/mbedtls/library/bignum_core.h
vendored
|
@ -90,6 +90,27 @@
|
|||
#define GET_BYTE(X, i) \
|
||||
(((X)[(i) / ciL] >> (((i) % ciL) * 8)) & 0xff)
|
||||
|
||||
/* Constants to identify whether a value is public or secret. If a parameter is marked as secret by
|
||||
* this constant, the function must be constant time with respect to the parameter.
|
||||
*
|
||||
* This is only needed for functions with the _optionally_safe postfix. All other functions have
|
||||
* fixed behavior that can't be changed at runtime and are constant time with respect to their
|
||||
* parameters as prescribed by their documentation or by conventions in their module's documentation.
|
||||
*
|
||||
* Parameters should be named X_public where X is the name of the
|
||||
* corresponding input parameter.
|
||||
*
|
||||
* Implementation should always check using
|
||||
* if (X_public == MBEDTLS_MPI_IS_PUBLIC) {
|
||||
* // unsafe path
|
||||
* } else {
|
||||
* // safe path
|
||||
* }
|
||||
* not the other way round, in order to prevent misuse. (This is, if a value
|
||||
* other than the two below is passed, default to the safe path.) */
|
||||
#define MBEDTLS_MPI_IS_PUBLIC 0x2a2a2a2a
|
||||
#define MBEDTLS_MPI_IS_SECRET 0
|
||||
|
||||
/** Count leading zero bits in a given integer.
|
||||
*
|
||||
* \warning The result is undefined if \p a == 0
|
||||
|
@ -604,6 +625,42 @@ int mbedtls_mpi_core_random(mbedtls_mpi_uint *X,
|
|||
*/
|
||||
size_t mbedtls_mpi_core_exp_mod_working_limbs(size_t AN_limbs, size_t E_limbs);
|
||||
|
||||
/**
|
||||
* \brief Perform a modular exponentiation with public or secret exponent:
|
||||
* X = A^E mod N, where \p A is already in Montgomery form.
|
||||
*
|
||||
* \warning This function is not constant time with respect to \p E (the exponent).
|
||||
*
|
||||
* \p X may be aliased to \p A, but not to \p RR or \p E, even if \p E_limbs ==
|
||||
* \p AN_limbs.
|
||||
*
|
||||
* \param[out] X The destination MPI, as a little endian array of length
|
||||
* \p AN_limbs.
|
||||
* \param[in] A The base MPI, as a little endian array of length \p AN_limbs.
|
||||
* Must be in Montgomery form.
|
||||
* \param[in] N The modulus, as a little endian array of length \p AN_limbs.
|
||||
* \param AN_limbs The number of limbs in \p X, \p A, \p N, \p RR.
|
||||
* \param[in] E The exponent, as a little endian array of length \p E_limbs.
|
||||
* \param E_limbs The number of limbs in \p E.
|
||||
* \param[in] RR The precomputed residue of 2^{2*biL} modulo N, as a little
|
||||
* endian array of length \p AN_limbs.
|
||||
* \param[in,out] T Temporary storage of at least the number of limbs returned
|
||||
* by `mbedtls_mpi_core_exp_mod_working_limbs()`.
|
||||
* Its initial content is unused and its final content is
|
||||
* indeterminate.
|
||||
* It must not alias or otherwise overlap any of the other
|
||||
* parameters.
|
||||
* It is up to the caller to zeroize \p T when it is no
|
||||
* longer needed, and before freeing it if it was dynamically
|
||||
* allocated.
|
||||
*/
|
||||
void mbedtls_mpi_core_exp_mod_unsafe(mbedtls_mpi_uint *X,
|
||||
const mbedtls_mpi_uint *A,
|
||||
const mbedtls_mpi_uint *N, size_t AN_limbs,
|
||||
const mbedtls_mpi_uint *E, size_t E_limbs,
|
||||
const mbedtls_mpi_uint *RR,
|
||||
mbedtls_mpi_uint *T);
|
||||
|
||||
/**
|
||||
* \brief Perform a modular exponentiation with secret exponent:
|
||||
* X = A^E mod N, where \p A is already in Montgomery form.
|
||||
|
@ -760,4 +817,17 @@ void mbedtls_mpi_core_from_mont_rep(mbedtls_mpi_uint *X,
|
|||
mbedtls_mpi_uint mm,
|
||||
mbedtls_mpi_uint *T);
|
||||
|
||||
/*
|
||||
* Can't define thread local variables with our abstraction layer: do nothing if threading is on.
|
||||
*/
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && !defined(MBEDTLS_THREADING_C)
|
||||
extern int mbedtls_mpi_optionally_safe_codepath;
|
||||
|
||||
static inline void mbedtls_mpi_optionally_safe_codepath_reset(void)
|
||||
{
|
||||
// Set to a default that is neither MBEDTLS_MPI_IS_PUBLIC nor MBEDTLS_MPI_IS_SECRET
|
||||
mbedtls_mpi_optionally_safe_codepath = MBEDTLS_MPI_IS_PUBLIC + MBEDTLS_MPI_IS_SECRET + 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_CORE_H */
|
||||
|
|
50
thirdparty/mbedtls/library/bignum_internal.h
vendored
Normal file
50
thirdparty/mbedtls/library/bignum_internal.h
vendored
Normal file
|
@ -0,0 +1,50 @@
|
|||
/**
|
||||
* \file bignum_internal.h
|
||||
*
|
||||
* \brief Internal-only bignum public-key cryptosystem API.
|
||||
*
|
||||
* This file declares bignum-related functions that are to be used
|
||||
* only from within the Mbed TLS library itself.
|
||||
*
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
*/
|
||||
#ifndef MBEDTLS_BIGNUM_INTERNAL_H
|
||||
#define MBEDTLS_BIGNUM_INTERNAL_H
|
||||
|
||||
/**
|
||||
* \brief Perform a modular exponentiation: X = A^E mod N
|
||||
*
|
||||
* \warning This function is not constant time with respect to \p E (the exponent).
|
||||
*
|
||||
* \param X The destination MPI. This must point to an initialized MPI.
|
||||
* This must not alias E or N.
|
||||
* \param A The base of the exponentiation.
|
||||
* This must point to an initialized MPI.
|
||||
* \param E The exponent MPI. This must point to an initialized MPI.
|
||||
* \param N The base for the modular reduction. This must point to an
|
||||
* initialized MPI.
|
||||
* \param prec_RR A helper MPI depending solely on \p N which can be used to
|
||||
* speed-up multiple modular exponentiations for the same value
|
||||
* of \p N. This may be \c NULL. If it is not \c NULL, it must
|
||||
* point to an initialized MPI. If it hasn't been used after
|
||||
* the call to mbedtls_mpi_init(), this function will compute
|
||||
* the helper value and store it in \p prec_RR for reuse on
|
||||
* subsequent calls to this function. Otherwise, the function
|
||||
* will assume that \p prec_RR holds the helper value set by a
|
||||
* previous call to mbedtls_mpi_exp_mod(), and reuse it.
|
||||
*
|
||||
* \return \c 0 if successful.
|
||||
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
|
||||
* \return #MBEDTLS_ERR_MPI_BAD_INPUT_DATA if \c N is negative or
|
||||
* even, or if \c E is negative.
|
||||
* \return Another negative error code on different kinds of failures.
|
||||
*
|
||||
*/
|
||||
int mbedtls_mpi_exp_mod_unsafe(mbedtls_mpi *X, const mbedtls_mpi *A,
|
||||
const mbedtls_mpi *E, const mbedtls_mpi *N,
|
||||
mbedtls_mpi *prec_RR);
|
||||
|
||||
#endif /* bignum_internal.h */
|
4
thirdparty/mbedtls/library/block_cipher.c
vendored
4
thirdparty/mbedtls/library/block_cipher.c
vendored
|
@ -51,6 +51,10 @@ static int mbedtls_cipher_error_from_psa(psa_status_t status)
|
|||
|
||||
void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
|
||||
if (ctx->engine == MBEDTLS_BLOCK_CIPHER_ENGINE_PSA) {
|
||||
psa_destroy_key(ctx->psa_key_id);
|
||||
|
|
3
thirdparty/mbedtls/library/cipher.c
vendored
3
thirdparty/mbedtls/library/cipher.c
vendored
|
@ -849,6 +849,9 @@ static int get_pkcs_padding(unsigned char *input, size_t input_len,
|
|||
}
|
||||
|
||||
padding_len = input[input_len - 1];
|
||||
if (padding_len == 0 || padding_len > input_len) {
|
||||
return MBEDTLS_ERR_CIPHER_INVALID_PADDING;
|
||||
}
|
||||
*data_len = input_len - padding_len;
|
||||
|
||||
mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
|
||||
|
|
16
thirdparty/mbedtls/library/common.h
vendored
16
thirdparty/mbedtls/library/common.h
vendored
|
@ -352,17 +352,19 @@ static inline void mbedtls_xor_no_simd(unsigned char *r,
|
|||
#endif
|
||||
|
||||
/* Always provide a static assert macro, so it can be used unconditionally.
|
||||
* It will expand to nothing on some systems.
|
||||
* Can be used outside functions (but don't add a trailing ';' in that case:
|
||||
* the semicolon is included here to avoid triggering -Wextra-semi when
|
||||
* MBEDTLS_STATIC_ASSERT() expands to nothing).
|
||||
* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
|
||||
* It does nothing on systems where we don't know how to define a static assert.
|
||||
*/
|
||||
/* Can't use the C11-style `defined(static_assert)` on FreeBSD, since it
|
||||
* defines static_assert even with -std=c99, but then complains about it.
|
||||
*/
|
||||
#if defined(static_assert) && !defined(__FreeBSD__)
|
||||
#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg);
|
||||
#define MBEDTLS_STATIC_ASSERT(expr, msg) static_assert(expr, msg)
|
||||
#else
|
||||
#define MBEDTLS_STATIC_ASSERT(expr, msg)
|
||||
/* Make sure `MBEDTLS_STATIC_ASSERT(expr, msg);` is valid both inside and
|
||||
* outside a function. We choose a struct declaration, which can be repeated
|
||||
* any number of times and does not need a matching definition. */
|
||||
#define MBEDTLS_STATIC_ASSERT(expr, msg) \
|
||||
struct ISO_C_does_not_allow_extra_semicolon_outside_of_a_function
|
||||
#endif
|
||||
|
||||
#if defined(__has_builtin)
|
||||
|
|
128
thirdparty/mbedtls/library/ctr_drbg.c
vendored
128
thirdparty/mbedtls/library/ctr_drbg.c
vendored
|
@ -26,13 +26,13 @@
|
|||
#endif
|
||||
|
||||
/* Using error translation functions from PSA to MbedTLS */
|
||||
#if !defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
#include "psa_util_internal.h"
|
||||
#endif
|
||||
|
||||
#include "mbedtls/platform.h"
|
||||
|
||||
#if !defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
static psa_status_t ctr_drbg_setup_psa_context(mbedtls_ctr_drbg_psa_context *psa_ctx,
|
||||
unsigned char *key, size_t key_len)
|
||||
{
|
||||
|
@ -73,11 +73,11 @@ static void ctr_drbg_destroy_psa_contex(mbedtls_ctr_drbg_psa_context *psa_ctx)
|
|||
void mbedtls_ctr_drbg_init(mbedtls_ctr_drbg_context *ctx)
|
||||
{
|
||||
memset(ctx, 0, sizeof(mbedtls_ctr_drbg_context));
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
mbedtls_aes_init(&ctx->aes_ctx);
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
ctx->psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
ctx->psa_ctx.operation = psa_cipher_operation_init();
|
||||
#else
|
||||
mbedtls_aes_init(&ctx->aes_ctx);
|
||||
#endif
|
||||
/* Indicate that the entropy nonce length is not set explicitly.
|
||||
* See mbedtls_ctr_drbg_set_nonce_len(). */
|
||||
|
@ -102,10 +102,10 @@ void mbedtls_ctr_drbg_free(mbedtls_ctr_drbg_context *ctx)
|
|||
mbedtls_mutex_free(&ctx->mutex);
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
mbedtls_aes_free(&ctx->aes_ctx);
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
|
||||
#else
|
||||
mbedtls_aes_free(&ctx->aes_ctx);
|
||||
#endif
|
||||
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_ctr_drbg_context));
|
||||
ctx->reseed_interval = MBEDTLS_CTR_DRBG_RESEED_INTERVAL;
|
||||
|
@ -168,15 +168,15 @@ static int block_cipher_df(unsigned char *output,
|
|||
unsigned char chain[MBEDTLS_CTR_DRBG_BLOCKSIZE];
|
||||
unsigned char *p, *iv;
|
||||
int ret = 0;
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
mbedtls_aes_context aes_ctx;
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
size_t tmp_len;
|
||||
mbedtls_ctr_drbg_psa_context psa_ctx;
|
||||
|
||||
psa_ctx.key_id = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_ctx.operation = psa_cipher_operation_init();
|
||||
#else
|
||||
mbedtls_aes_context aes_ctx;
|
||||
#endif
|
||||
|
||||
int i, j;
|
||||
|
@ -209,19 +209,19 @@ static int block_cipher_df(unsigned char *output,
|
|||
key[i] = i;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
mbedtls_aes_init(&aes_ctx);
|
||||
|
||||
if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
status = ctr_drbg_setup_psa_context(&psa_ctx, key, sizeof(key));
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -238,18 +238,18 @@ static int block_cipher_df(unsigned char *output,
|
|||
use_len -= (use_len >= MBEDTLS_CTR_DRBG_BLOCKSIZE) ?
|
||||
MBEDTLS_CTR_DRBG_BLOCKSIZE : use_len;
|
||||
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
chain, chain)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
status = psa_cipher_update(&psa_ctx.operation, chain, MBEDTLS_CTR_DRBG_BLOCKSIZE,
|
||||
chain, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
chain, chain)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -264,12 +264,7 @@ static int block_cipher_df(unsigned char *output,
|
|||
/*
|
||||
* Do final encryption with reduced data
|
||||
*/
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
ctr_drbg_destroy_psa_contex(&psa_ctx);
|
||||
|
||||
status = ctr_drbg_setup_psa_context(&psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
|
||||
|
@ -277,32 +272,37 @@ static int block_cipher_df(unsigned char *output,
|
|||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, tmp,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
iv = tmp + MBEDTLS_CTR_DRBG_KEYSIZE;
|
||||
p = output;
|
||||
|
||||
for (j = 0; j < MBEDTLS_CTR_DRBG_SEEDLEN; j += MBEDTLS_CTR_DRBG_BLOCKSIZE) {
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
iv, iv)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
status = psa_cipher_update(&psa_ctx.operation, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE,
|
||||
iv, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
iv, iv)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
memcpy(p, iv, MBEDTLS_CTR_DRBG_BLOCKSIZE);
|
||||
p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
|
||||
}
|
||||
exit:
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
mbedtls_aes_free(&aes_ctx);
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
ctr_drbg_destroy_psa_contex(&psa_ctx);
|
||||
#else
|
||||
mbedtls_aes_free(&aes_ctx);
|
||||
#endif
|
||||
/*
|
||||
* tidy up the stack
|
||||
|
@ -336,7 +336,7 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
|
|||
unsigned char *p = tmp;
|
||||
int j;
|
||||
int ret = 0;
|
||||
#if !defined(MBEDTLS_AES_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
size_t tmp_len;
|
||||
#endif
|
||||
|
@ -352,18 +352,18 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
|
|||
/*
|
||||
* Crypt counter block
|
||||
*/
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
ctx->counter, p)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
status = psa_cipher_update(&ctx->psa_ctx.operation, ctx->counter, sizeof(ctx->counter),
|
||||
p, MBEDTLS_CTR_DRBG_BLOCKSIZE, &tmp_len);
|
||||
if (status != PSA_SUCCESS) {
|
||||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
ctx->counter, p)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
p += MBEDTLS_CTR_DRBG_BLOCKSIZE;
|
||||
|
@ -374,12 +374,7 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
|
|||
/*
|
||||
* Update key and counter
|
||||
*/
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
ctr_drbg_destroy_psa_contex(&ctx->psa_ctx);
|
||||
|
||||
status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, tmp, MBEDTLS_CTR_DRBG_KEYSIZE);
|
||||
|
@ -387,6 +382,11 @@ static int ctr_drbg_update_internal(mbedtls_ctr_drbg_context *ctx,
|
|||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, tmp,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
memcpy(ctx->counter, tmp + MBEDTLS_CTR_DRBG_KEYSIZE,
|
||||
MBEDTLS_CTR_DRBG_BLOCKSIZE);
|
||||
|
@ -564,12 +564,7 @@ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
|
|||
good_nonce_len(ctx->entropy_len));
|
||||
|
||||
/* Initialize with an empty key. */
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
|
||||
status = ctr_drbg_setup_psa_context(&ctx->psa_ctx, key, MBEDTLS_CTR_DRBG_KEYSIZE);
|
||||
|
@ -577,6 +572,11 @@ int mbedtls_ctr_drbg_seed(mbedtls_ctr_drbg_context *ctx,
|
|||
ret = psa_generic_status_to_mbedtls(status);
|
||||
return status;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_setkey_enc(&ctx->aes_ctx, key,
|
||||
MBEDTLS_CTR_DRBG_KEYBITS)) != 0) {
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Do the initial seeding. */
|
||||
|
@ -655,12 +655,7 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
|
|||
/*
|
||||
* Crypt counter block
|
||||
*/
|
||||
#if defined(MBEDTLS_AES_C)
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
ctx->counter, locals.tmp)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
#if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
size_t tmp_len;
|
||||
|
||||
|
@ -670,6 +665,11 @@ int mbedtls_ctr_drbg_random_with_add(void *p_rng,
|
|||
ret = psa_generic_status_to_mbedtls(status);
|
||||
goto exit;
|
||||
}
|
||||
#else
|
||||
if ((ret = mbedtls_aes_crypt_ecb(&ctx->aes_ctx, MBEDTLS_AES_ENCRYPT,
|
||||
ctx->counter, locals.tmp)) != 0) {
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
use_len = (output_len > MBEDTLS_CTR_DRBG_BLOCKSIZE)
|
||||
|
|
4
thirdparty/mbedtls/library/entropy.c
vendored
4
thirdparty/mbedtls/library/entropy.c
vendored
|
@ -61,6 +61,10 @@ void mbedtls_entropy_init(mbedtls_entropy_context *ctx)
|
|||
|
||||
void mbedtls_entropy_free(mbedtls_entropy_context *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
/* If the context was already free, don't call free() again.
|
||||
* This is important for mutexes which don't allow double-free. */
|
||||
if (ctx->accumulator_started == -1) {
|
||||
|
|
4
thirdparty/mbedtls/library/entropy_poll.c
vendored
4
thirdparty/mbedtls/library/entropy_poll.c
vendored
|
@ -5,10 +5,12 @@
|
|||
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||
*/
|
||||
|
||||
#if defined(__linux__) || defined(__midipix__) && !defined(_GNU_SOURCE)
|
||||
#if defined(__linux__) || defined(__midipix__)
|
||||
/* Ensure that syscall() is available even when compiling with -std=c99 */
|
||||
#if !defined(_GNU_SOURCE)
|
||||
#define _GNU_SOURCE
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#include "common.h"
|
||||
|
||||
|
|
2
thirdparty/mbedtls/library/error.c
vendored
2
thirdparty/mbedtls/library/error.c
vendored
|
@ -418,7 +418,7 @@ const char *mbedtls_high_level_strerr(int error_code)
|
|||
case -(MBEDTLS_ERR_SSL_BAD_CERTIFICATE):
|
||||
return( "SSL - Processing of the Certificate handshake message failed" );
|
||||
case -(MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET):
|
||||
return( "SSL - * Received NewSessionTicket Post Handshake Message. This error code is experimental and may be changed or removed without notice" );
|
||||
return( "SSL - A TLS 1.3 NewSessionTicket message has been received" );
|
||||
case -(MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA):
|
||||
return( "SSL - Not possible to read early data" );
|
||||
case -(MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA):
|
||||
|
|
8
thirdparty/mbedtls/library/lmots.c
vendored
8
thirdparty/mbedtls/library/lmots.c
vendored
|
@ -387,6 +387,10 @@ void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx)
|
|||
|
||||
void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize(ctx, sizeof(*ctx));
|
||||
}
|
||||
|
||||
|
@ -556,6 +560,10 @@ void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx)
|
|||
|
||||
void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize(ctx,
|
||||
sizeof(*ctx));
|
||||
}
|
||||
|
|
8
thirdparty/mbedtls/library/lms.c
vendored
8
thirdparty/mbedtls/library/lms.c
vendored
|
@ -229,6 +229,10 @@ void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx)
|
|||
|
||||
void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize(ctx, sizeof(*ctx));
|
||||
}
|
||||
|
||||
|
@ -528,6 +532,10 @@ void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx)
|
|||
|
||||
void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
unsigned int idx;
|
||||
|
||||
if (ctx->have_private_key) {
|
||||
|
|
6
thirdparty/mbedtls/library/md.c
vendored
6
thirdparty/mbedtls/library/md.c
vendored
|
@ -41,7 +41,7 @@
|
|||
#include "mbedtls/sha512.h"
|
||||
#include "mbedtls/sha3.h"
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
|
||||
#include <psa/crypto.h>
|
||||
#include "md_psa.h"
|
||||
#include "psa_util_internal.h"
|
||||
|
@ -761,13 +761,13 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
|
|||
return md_info->type;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
|
||||
int mbedtls_md_error_from_psa(psa_status_t status)
|
||||
{
|
||||
return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
|
||||
psa_generic_status_to_mbedtls);
|
||||
}
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
|
||||
|
||||
|
||||
/************************************************************************
|
||||
|
|
2
thirdparty/mbedtls/library/net_sockets.c
vendored
2
thirdparty/mbedtls/library/net_sockets.c
vendored
|
@ -683,7 +683,7 @@ void mbedtls_net_close(mbedtls_net_context *ctx)
|
|||
*/
|
||||
void mbedtls_net_free(mbedtls_net_context *ctx)
|
||||
{
|
||||
if (ctx->fd == -1) {
|
||||
if (ctx == NULL || ctx->fd == -1) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
4
thirdparty/mbedtls/library/nist_kw.c
vendored
4
thirdparty/mbedtls/library/nist_kw.c
vendored
|
@ -102,6 +102,10 @@ int mbedtls_nist_kw_setkey(mbedtls_nist_kw_context *ctx,
|
|||
*/
|
||||
void mbedtls_nist_kw_free(mbedtls_nist_kw_context *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_cipher_free(&ctx->cipher_ctx);
|
||||
mbedtls_platform_zeroize(ctx, sizeof(mbedtls_nist_kw_context));
|
||||
}
|
||||
|
|
4
thirdparty/mbedtls/library/pem.c
vendored
4
thirdparty/mbedtls/library/pem.c
vendored
|
@ -481,6 +481,10 @@ int mbedtls_pem_read_buffer(mbedtls_pem_context *ctx, const char *header, const
|
|||
|
||||
void mbedtls_pem_free(mbedtls_pem_context *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (ctx->buf != NULL) {
|
||||
mbedtls_zeroize_and_free(ctx->buf, ctx->buflen);
|
||||
}
|
||||
|
|
46
thirdparty/mbedtls/library/pk.c
vendored
46
thirdparty/mbedtls/library/pk.c
vendored
|
@ -868,7 +868,6 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id,
|
|||
psa_status_t status;
|
||||
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
||||
psa_key_type_t key_type;
|
||||
psa_algorithm_t alg_type;
|
||||
size_t key_bits;
|
||||
/* Use a buffer size large enough to contain either a key pair or public key. */
|
||||
unsigned char exp_key[PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE];
|
||||
|
@ -899,7 +898,6 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id,
|
|||
key_type = PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(key_type);
|
||||
}
|
||||
key_bits = psa_get_key_bits(&key_attr);
|
||||
alg_type = psa_get_key_algorithm(&key_attr);
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
if ((key_type == PSA_KEY_TYPE_RSA_KEY_PAIR) ||
|
||||
|
@ -919,6 +917,7 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id,
|
|||
goto exit;
|
||||
}
|
||||
|
||||
psa_algorithm_t alg_type = psa_get_key_algorithm(&key_attr);
|
||||
mbedtls_md_type_t md_type = MBEDTLS_MD_NONE;
|
||||
if (PSA_ALG_GET_HASH(alg_type) != PSA_ALG_ANY_HASH) {
|
||||
md_type = mbedtls_md_type_from_psa_alg(alg_type);
|
||||
|
@ -968,6 +967,7 @@ static int copy_from_psa(mbedtls_svc_key_id_t key_id,
|
|||
} else
|
||||
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||
{
|
||||
(void) key_bits;
|
||||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
}
|
||||
|
||||
|
@ -1327,43 +1327,19 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
|
|||
}
|
||||
|
||||
if (mbedtls_pk_get_type(ctx) == MBEDTLS_PK_OPAQUE) {
|
||||
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
||||
psa_algorithm_t psa_alg, sign_alg;
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
psa_algorithm_t psa_enrollment_alg;
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||
psa_status_t status;
|
||||
|
||||
status = psa_get_key_attributes(ctx->priv_id, &key_attr);
|
||||
if (status != PSA_SUCCESS) {
|
||||
return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
psa_alg = psa_get_key_algorithm(&key_attr);
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
psa_enrollment_alg = psa_get_key_enrollment_algorithm(&key_attr);
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||
psa_reset_key_attributes(&key_attr);
|
||||
|
||||
/* Since we're PK type is MBEDTLS_PK_RSASSA_PSS at least one between
|
||||
* alg and enrollment alg should be of type RSA_PSS. */
|
||||
if (PSA_ALG_IS_RSA_PSS(psa_alg)) {
|
||||
sign_alg = psa_alg;
|
||||
}
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||
else if (PSA_ALG_IS_RSA_PSS(psa_enrollment_alg)) {
|
||||
sign_alg = psa_enrollment_alg;
|
||||
}
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||
else {
|
||||
/* The opaque key has no RSA PSS algorithm associated. */
|
||||
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
|
||||
}
|
||||
/* Adjust the hashing algorithm. */
|
||||
sign_alg = (sign_alg & ~PSA_ALG_HASH_MASK) | PSA_ALG_GET_HASH(psa_md_alg);
|
||||
|
||||
status = psa_sign_hash(ctx->priv_id, sign_alg,
|
||||
/* PSA_ALG_RSA_PSS() behaves the same as PSA_ALG_RSA_PSS_ANY_SALT() when
|
||||
* performing a signature, but they are encoded differently. Instead of
|
||||
* extracting the proper one from the wrapped key policy, just try both. */
|
||||
status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS(psa_md_alg),
|
||||
hash, hash_len,
|
||||
sig, sig_size, sig_len);
|
||||
if (status == PSA_ERROR_NOT_PERMITTED) {
|
||||
status = psa_sign_hash(ctx->priv_id, PSA_ALG_RSA_PSS_ANY_SALT(psa_md_alg),
|
||||
hash, hash_len,
|
||||
sig, sig_size, sig_len);
|
||||
}
|
||||
return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
|
||||
|
|
2
thirdparty/mbedtls/library/platform_util.c
vendored
2
thirdparty/mbedtls/library/platform_util.c
vendored
|
@ -149,7 +149,7 @@ void mbedtls_zeroize_and_free(void *buf, size_t len)
|
|||
#include <time.h>
|
||||
#if !defined(_WIN32) && (defined(unix) || \
|
||||
defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
|
||||
defined(__MACH__)) || defined__midipix__)
|
||||
defined(__MACH__)) || defined(__midipix__))
|
||||
#include <unistd.h>
|
||||
#endif /* !_WIN32 && (unix || __unix || __unix__ ||
|
||||
* (__APPLE__ && __MACH__) || __midipix__) */
|
||||
|
|
110
thirdparty/mbedtls/library/psa_crypto_core.h
vendored
110
thirdparty/mbedtls/library/psa_crypto_core.h
vendored
|
@ -59,6 +59,8 @@ typedef enum {
|
|||
* and metadata for one key.
|
||||
*/
|
||||
typedef struct {
|
||||
/* This field is accessed in a lot of places. Putting it first
|
||||
* reduces the code size. */
|
||||
psa_key_attributes_t attr;
|
||||
|
||||
/*
|
||||
|
@ -78,35 +80,77 @@ typedef struct {
|
|||
* slots that are in a suitable state for the function.
|
||||
* For example, psa_get_and_lock_key_slot_in_memory, which finds a slot
|
||||
* containing a given key ID, will only check slots whose state variable is
|
||||
* PSA_SLOT_FULL. */
|
||||
* PSA_SLOT_FULL.
|
||||
*/
|
||||
psa_key_slot_state_t state;
|
||||
|
||||
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
|
||||
/* The index of the slice containing this slot.
|
||||
* This field must be filled if the slot contains a key
|
||||
* (including keys being created or destroyed), and can be either
|
||||
* filled or 0 when the slot is free.
|
||||
*
|
||||
* In most cases, the slice index can be deduced from the key identifer.
|
||||
* We keep it in a separate field for robustness (it reduces the chance
|
||||
* that a coding mistake in the key store will result in accessing the
|
||||
* wrong slice), and also so that it's available even on code paths
|
||||
* during creation or destruction where the key identifier might not be
|
||||
* filled in.
|
||||
* */
|
||||
uint8_t slice_index;
|
||||
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
|
||||
|
||||
union {
|
||||
struct {
|
||||
/* The index of the next slot in the free list for this
|
||||
* slice, relative * to the next array element.
|
||||
*
|
||||
* That is, 0 means the next slot, 1 means the next slot
|
||||
* but one, etc. -1 would mean the slot itself. -2 means
|
||||
* the previous slot, etc.
|
||||
*
|
||||
* If this is beyond the array length, the free list ends with the
|
||||
* current element.
|
||||
*
|
||||
* The reason for this strange encoding is that 0 means the next
|
||||
* element. This way, when we allocate a slice and initialize it
|
||||
* to all-zero, the slice is ready for use, with a free list that
|
||||
* consists of all the slots in order.
|
||||
*/
|
||||
int32_t next_free_relative_to_next;
|
||||
} free;
|
||||
|
||||
struct {
|
||||
/*
|
||||
* Number of functions registered as reading the material in the key slot.
|
||||
*
|
||||
* Library functions must not write directly to registered_readers
|
||||
*
|
||||
* A function must call psa_register_read(slot) before reading the current
|
||||
* contents of the slot for an operation.
|
||||
* They then must call psa_unregister_read(slot) once they have finished
|
||||
* reading the current contents of the slot. If the key slot mutex is not
|
||||
* held (when mutexes are enabled), this call must be done via a call to
|
||||
* A function must call psa_register_read(slot) before reading
|
||||
* the current contents of the slot for an operation.
|
||||
* They then must call psa_unregister_read(slot) once they have
|
||||
* finished reading the current contents of the slot. If the key
|
||||
* slot mutex is not held (when mutexes are enabled), this call
|
||||
* must be done via a call to
|
||||
* psa_unregister_read_under_mutex(slot).
|
||||
* A function must call psa_key_slot_has_readers(slot) to check if
|
||||
* the slot is in use for reading.
|
||||
*
|
||||
* This counter is used to prevent resetting the key slot while the library
|
||||
* may access it. For example, such control is needed in the following
|
||||
* scenarios:
|
||||
* . In case of key slot starvation, all key slots contain the description
|
||||
* of a key, and the library asks for the description of a persistent
|
||||
* key not present in the key slots, the key slots currently accessed by
|
||||
* the library cannot be reclaimed to free a key slot to load the
|
||||
* persistent key.
|
||||
* . In case of a multi-threaded application where one thread asks to close
|
||||
* or purge or destroy a key while it is in use by the library through
|
||||
* another thread. */
|
||||
* This counter is used to prevent resetting the key slot while
|
||||
* the library may access it. For example, such control is needed
|
||||
* in the following scenarios:
|
||||
* . In case of key slot starvation, all key slots contain the
|
||||
* description of a key, and the library asks for the
|
||||
* description of a persistent key not present in the
|
||||
* key slots, the key slots currently accessed by the
|
||||
* library cannot be reclaimed to free a key slot to load
|
||||
* the persistent key.
|
||||
* . In case of a multi-threaded application where one thread
|
||||
* asks to close or purge or destroy a key while it is in use
|
||||
* by the library through another thread. */
|
||||
size_t registered_readers;
|
||||
} occupied;
|
||||
} var;
|
||||
|
||||
/* Dynamically allocated key data buffer.
|
||||
* Format as specified in psa_export_key(). */
|
||||
|
@ -169,7 +213,7 @@ typedef struct {
|
|||
*/
|
||||
static inline int psa_key_slot_has_readers(const psa_key_slot_t *slot)
|
||||
{
|
||||
return slot->registered_readers > 0;
|
||||
return slot->var.occupied.registered_readers > 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
|
||||
|
@ -343,19 +387,18 @@ psa_status_t psa_export_public_key_internal(
|
|||
const uint8_t *key_buffer, size_t key_buffer_size,
|
||||
uint8_t *data, size_t data_size, size_t *data_length);
|
||||
|
||||
/** Whether a key production parameters structure is the default.
|
||||
/** Whether a key custom production parameters structure is the default.
|
||||
*
|
||||
* Calls to a key generation driver with non-default production parameters
|
||||
* Calls to a key generation driver with non-default custom production parameters
|
||||
* require a driver supporting custom production parameters.
|
||||
*
|
||||
* \param[in] params The key production parameters to check.
|
||||
* \param params_data_length Size of `params->data` in bytes.
|
||||
* \param[in] custom The key custom production parameters to check.
|
||||
* \param custom_data_length Size of the associated variable-length data
|
||||
* in bytes.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
int psa_key_production_parameters_are_default(
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length);
|
||||
#endif
|
||||
int psa_custom_key_parameters_are_default(
|
||||
const psa_custom_key_parameters_t *custom,
|
||||
size_t custom_data_length);
|
||||
|
||||
/**
|
||||
* \brief Generate a key.
|
||||
|
@ -364,9 +407,9 @@ int psa_key_production_parameters_are_default(
|
|||
* entry point.
|
||||
*
|
||||
* \param[in] attributes The attributes for the key to generate.
|
||||
* \param[in] params The production parameters from
|
||||
* psa_generate_key_ext().
|
||||
* \param params_data_length The size of `params->data` in bytes.
|
||||
* \param[in] custom Custom parameters for the key generation.
|
||||
* \param[in] custom_data Variable-length data associated with \c custom.
|
||||
* \param custom_data_length Length of `custom_data` in bytes.
|
||||
* \param[out] key_buffer Buffer where the key data is to be written.
|
||||
* \param[in] key_buffer_size Size of \p key_buffer in bytes.
|
||||
* \param[out] key_buffer_length On success, the number of bytes written in
|
||||
|
@ -380,14 +423,13 @@ int psa_key_production_parameters_are_default(
|
|||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of \p key_buffer is too small.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
const psa_custom_key_parameters_t *custom,
|
||||
const uint8_t *custom_data,
|
||||
size_t custom_data_length,
|
||||
uint8_t *key_buffer,
|
||||
size_t key_buffer_size,
|
||||
size_t *key_buffer_length);
|
||||
#endif
|
||||
|
||||
/** Sign a message with a private key. For hash-and-sign algorithms,
|
||||
* this includes the hashing step.
|
||||
|
|
|
@ -728,10 +728,10 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
|
|||
}
|
||||
}
|
||||
|
||||
#ifndef __cplusplus
|
||||
static inline psa_status_t psa_driver_wrapper_generate_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params, size_t params_data_length,
|
||||
const psa_custom_key_parameters_t *custom,
|
||||
const uint8_t *custom_data, size_t custom_data_length,
|
||||
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
|
||||
{
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
|
@ -740,7 +740,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
|
|||
|
||||
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
|
||||
int is_default_production =
|
||||
psa_key_production_parameters_are_default(params, params_data_length);
|
||||
psa_custom_key_parameters_are_default(custom, custom_data_length);
|
||||
if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production )
|
||||
{
|
||||
/* We don't support passing custom production parameters
|
||||
|
@ -811,7 +811,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
|
|||
|
||||
/* Software fallback */
|
||||
status = psa_generate_key_internal(
|
||||
attributes, params, params_data_length,
|
||||
attributes, custom, custom_data, custom_data_length,
|
||||
key_buffer, key_buffer_size, key_buffer_length );
|
||||
break;
|
||||
|
||||
|
@ -833,7 +833,6 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
|
|||
|
||||
return( status );
|
||||
}
|
||||
#endif
|
||||
|
||||
static inline psa_status_t psa_driver_wrapper_import_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
|
|
|
@ -21,13 +21,10 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
|
|||
#include "mbedtls/entropy.h"
|
||||
|
||||
/* Choose a DRBG based on configuration and availability */
|
||||
#if defined(MBEDTLS_PSA_HMAC_DRBG_MD_TYPE)
|
||||
|
||||
#include "mbedtls/hmac_drbg.h"
|
||||
|
||||
#elif defined(MBEDTLS_CTR_DRBG_C)
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#undef MBEDTLS_PSA_HMAC_DRBG_MD_TYPE
|
||||
|
||||
#elif defined(MBEDTLS_HMAC_DRBG_C)
|
||||
|
||||
|
@ -49,16 +46,10 @@ typedef mbedtls_psa_external_random_context_t mbedtls_psa_random_context_t;
|
|||
#error "No hash algorithm available for HMAC_DBRG."
|
||||
#endif
|
||||
|
||||
#else /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
#else /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
#error "No DRBG module available for the psa_crypto module."
|
||||
|
||||
#endif /* !MBEDTLS_PSA_HMAC_DRBG_MD_TYPE && !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
#if defined(MBEDTLS_CTR_DRBG_C)
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#elif defined(MBEDTLS_HMAC_DRBG_C)
|
||||
#include "mbedtls/hmac_drbg.h"
|
||||
#endif /* !MBEDTLS_CTR_DRBG_C && !MBEDTLS_HMAC_DRBG_C*/
|
||||
|
||||
/* The maximum number of bytes that mbedtls_psa_get_random() is expected to return. */
|
||||
|
|
14
thirdparty/mbedtls/library/psa_crypto_rsa.h
vendored
14
thirdparty/mbedtls/library/psa_crypto_rsa.h
vendored
|
@ -105,17 +105,11 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
|
|||
/**
|
||||
* \brief Generate an RSA key.
|
||||
*
|
||||
* \note The signature of the function is that of a PSA driver generate_key
|
||||
* entry point.
|
||||
*
|
||||
* \param[in] attributes The attributes for the RSA key to generate.
|
||||
* \param[in] params Production parameters for the key
|
||||
* generation. This function only uses
|
||||
* `params->data`,
|
||||
* which contains the public exponent.
|
||||
* \param[in] custom_data The public exponent to use.
|
||||
* This can be a null pointer if
|
||||
* \c params_data_length is 0.
|
||||
* \param params_data_length Length of `params->data` in bytes.
|
||||
* \param custom_data_length Length of \p custom_data in bytes.
|
||||
* This can be 0, in which case the
|
||||
* public exponent will be 65537.
|
||||
* \param[out] key_buffer Buffer where the key data is to be written.
|
||||
|
@ -130,12 +124,10 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
|
|||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of \p key_buffer is too small.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
psa_status_t mbedtls_psa_rsa_generate_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params, size_t params_data_length,
|
||||
const uint8_t *custom_data, size_t custom_data_length,
|
||||
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
|
||||
#endif
|
||||
|
||||
/** Sign an already-calculated hash with an RSA private key.
|
||||
*
|
||||
|
|
|
@ -15,20 +15,26 @@
|
|||
|
||||
/** Range of volatile key identifiers.
|
||||
*
|
||||
* The last #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
|
||||
* The first #MBEDTLS_PSA_KEY_SLOT_COUNT identifiers of the implementation
|
||||
* range of key identifiers are reserved for volatile key identifiers.
|
||||
* A volatile key identifier is equal to #PSA_KEY_ID_VOLATILE_MIN plus the
|
||||
* index of the key slot containing the volatile key definition.
|
||||
*
|
||||
* If \c id is a a volatile key identifier, #PSA_KEY_ID_VOLATILE_MIN - \c id
|
||||
* indicates the key slot containing the volatile key definition. See
|
||||
* psa_crypto_slot_management.c for details.
|
||||
*/
|
||||
|
||||
/** The minimum value for a volatile key identifier.
|
||||
*/
|
||||
#define PSA_KEY_ID_VOLATILE_MIN (PSA_KEY_ID_VENDOR_MAX - \
|
||||
MBEDTLS_PSA_KEY_SLOT_COUNT + 1)
|
||||
#define PSA_KEY_ID_VOLATILE_MIN PSA_KEY_ID_VENDOR_MIN
|
||||
|
||||
/** The maximum value for a volatile key identifier.
|
||||
*/
|
||||
#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
|
||||
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
|
||||
#define PSA_KEY_ID_VOLATILE_MAX (MBEDTLS_PSA_KEY_ID_BUILTIN_MIN - 1)
|
||||
#else /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
|
||||
#define PSA_KEY_ID_VOLATILE_MAX \
|
||||
(PSA_KEY_ID_VOLATILE_MIN + MBEDTLS_PSA_KEY_SLOT_COUNT - 1)
|
||||
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
|
||||
|
||||
/** Test whether a key identifier is a volatile key identifier.
|
||||
*
|
||||
|
@ -58,6 +64,9 @@ static inline int psa_key_id_is_volatile(psa_key_id_t key_id)
|
|||
* It is the responsibility of the caller to call psa_unregister_read(slot)
|
||||
* when they have finished reading the contents of the slot.
|
||||
*
|
||||
* On failure, `*p_slot` is set to NULL. This ensures that it is always valid
|
||||
* to call psa_unregister_read on the returned slot.
|
||||
*
|
||||
* \param key Key identifier to query.
|
||||
* \param[out] p_slot On success, `*p_slot` contains a pointer to the
|
||||
* key slot containing the description of the key
|
||||
|
@ -91,6 +100,24 @@ psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
|
|||
*/
|
||||
psa_status_t psa_initialize_key_slots(void);
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
|
||||
/* Allow test code to customize the key slice length. We use this in tests
|
||||
* that exhaust the key store to reach a full key store in reasonable time
|
||||
* and memory.
|
||||
*
|
||||
* The length of each slice must be between 1 and
|
||||
* (1 << KEY_ID_SLOT_INDEX_WIDTH) inclusive.
|
||||
*
|
||||
* The length for a given slice index must not change while
|
||||
* the key store is initialized.
|
||||
*/
|
||||
extern size_t (*mbedtls_test_hook_psa_volatile_key_slice_length)(
|
||||
size_t slice_idx);
|
||||
|
||||
/* The number of volatile key slices. */
|
||||
size_t psa_key_slot_volatile_slice_count(void);
|
||||
#endif
|
||||
|
||||
/** Delete all data from key slots in memory.
|
||||
* This function is not thread safe, it wipes every key slot regardless of
|
||||
* state and reader count. It should only be called when no slot is in use.
|
||||
|
@ -110,13 +137,22 @@ void psa_wipe_all_key_slots(void);
|
|||
* If multi-threading is enabled, the caller must hold the
|
||||
* global key slot mutex.
|
||||
*
|
||||
* \param[out] volatile_key_id On success, volatile key identifier
|
||||
* associated to the returned slot.
|
||||
* \param[out] volatile_key_id - If null, reserve a cache slot for
|
||||
* a persistent or built-in key.
|
||||
* - If non-null, allocate a slot for
|
||||
* a volatile key. On success,
|
||||
* \p *volatile_key_id is the
|
||||
* identifier corresponding to the
|
||||
* returned slot. It is the caller's
|
||||
* responsibility to set this key identifier
|
||||
* in the attributes.
|
||||
* \param[out] p_slot On success, a pointer to the slot.
|
||||
*
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
|
||||
* There were no free key slots.
|
||||
* When #MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, there was not
|
||||
* enough memory to allocate more slots.
|
||||
* \retval #PSA_ERROR_BAD_STATE \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* This function attempted to operate on a key slot which was in an
|
||||
|
@ -125,6 +161,29 @@ void psa_wipe_all_key_slots(void);
|
|||
psa_status_t psa_reserve_free_key_slot(psa_key_id_t *volatile_key_id,
|
||||
psa_key_slot_t **p_slot);
|
||||
|
||||
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
|
||||
/** Return a key slot to the free list.
|
||||
*
|
||||
* Call this function when a slot obtained from psa_reserve_free_key_slot()
|
||||
* is no longer in use.
|
||||
*
|
||||
* If multi-threading is enabled, the caller must hold the
|
||||
* global key slot mutex.
|
||||
*
|
||||
* \param slice_idx The slice containing the slot.
|
||||
* This is `slot->slice_index` when the slot
|
||||
* is obtained from psa_reserve_free_key_slot().
|
||||
* \param slot The key slot.
|
||||
*
|
||||
* \retval #PSA_SUCCESS \emptydescription
|
||||
* \retval #PSA_ERROR_CORRUPTION_DETECTED
|
||||
* This function attempted to operate on a key slot which was in an
|
||||
* unexpected state.
|
||||
*/
|
||||
psa_status_t psa_free_key_slot(size_t slice_idx,
|
||||
psa_key_slot_t *slot);
|
||||
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
|
||||
|
||||
/** Change the state of a key slot.
|
||||
*
|
||||
* This function changes the state of the key slot from expected_state to
|
||||
|
@ -171,10 +230,10 @@ static inline psa_status_t psa_key_slot_state_transition(
|
|||
static inline psa_status_t psa_register_read(psa_key_slot_t *slot)
|
||||
{
|
||||
if ((slot->state != PSA_SLOT_FULL) ||
|
||||
(slot->registered_readers >= SIZE_MAX)) {
|
||||
(slot->var.occupied.registered_readers >= SIZE_MAX)) {
|
||||
return PSA_ERROR_CORRUPTION_DETECTED;
|
||||
}
|
||||
slot->registered_readers++;
|
||||
slot->var.occupied.registered_readers++;
|
||||
|
||||
return PSA_SUCCESS;
|
||||
}
|
||||
|
|
3
thirdparty/mbedtls/library/rsa.c
vendored
3
thirdparty/mbedtls/library/rsa.c
vendored
|
@ -29,6 +29,7 @@
|
|||
|
||||
#include "mbedtls/rsa.h"
|
||||
#include "bignum_core.h"
|
||||
#include "bignum_internal.h"
|
||||
#include "rsa_alt_helpers.h"
|
||||
#include "rsa_internal.h"
|
||||
#include "mbedtls/oid.h"
|
||||
|
@ -1259,7 +1260,7 @@ int mbedtls_rsa_public(mbedtls_rsa_context *ctx,
|
|||
}
|
||||
|
||||
olen = ctx->len;
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_exp_mod_unsafe(&T, &T, &ctx->E, &ctx->N, &ctx->RN));
|
||||
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&T, output, olen));
|
||||
|
||||
cleanup:
|
||||
|
|
4
thirdparty/mbedtls/library/sha256.c
vendored
4
thirdparty/mbedtls/library/sha256.c
vendored
|
@ -44,7 +44,9 @@
|
|||
#endif /* defined(__clang__) && (__clang_major__ >= 4) */
|
||||
|
||||
/* Ensure that SIG_SETMASK is defined when -std=c99 is used. */
|
||||
#if !defined(_GNU_SOURCE)
|
||||
#define _GNU_SOURCE
|
||||
#endif
|
||||
|
||||
#include "common.h"
|
||||
|
||||
|
@ -150,7 +152,9 @@ static int mbedtls_a64_crypto_sha256_determine_support(void)
|
|||
return 1;
|
||||
}
|
||||
#elif defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64)
|
||||
#ifndef WIN32_LEAN_AND_MEAN
|
||||
#define WIN32_LEAN_AND_MEAN
|
||||
#endif
|
||||
#include <Windows.h>
|
||||
#include <processthreadsapi.h>
|
||||
|
||||
|
|
4
thirdparty/mbedtls/library/ssl_cookie.c
vendored
4
thirdparty/mbedtls/library/ssl_cookie.c
vendored
|
@ -84,6 +84,10 @@ void mbedtls_ssl_cookie_set_timeout(mbedtls_ssl_cookie_ctx *ctx, unsigned long d
|
|||
|
||||
void mbedtls_ssl_cookie_free(mbedtls_ssl_cookie_ctx *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key(ctx->psa_hmac_key);
|
||||
#else
|
||||
|
|
|
@ -60,7 +60,7 @@ const char *mbedtls_ssl_named_group_to_str( uint16_t in )
|
|||
return "ffdhe8192";
|
||||
};
|
||||
|
||||
return "UNKOWN";
|
||||
return "UNKNOWN";
|
||||
}
|
||||
const char *mbedtls_ssl_sig_alg_to_str( uint16_t in )
|
||||
{
|
||||
|
|
96
thirdparty/mbedtls/library/ssl_misc.h
vendored
96
thirdparty/mbedtls/library/ssl_misc.h
vendored
|
@ -1507,7 +1507,7 @@ int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
|
|||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
#if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
|
||||
#endif
|
||||
|
@ -1674,18 +1674,53 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
|
|||
}
|
||||
|
||||
/*
|
||||
* Check usage of a certificate wrt extensions:
|
||||
* keyUsage, extendedKeyUsage (later), and nSCertType (later).
|
||||
* Verify a certificate.
|
||||
*
|
||||
* Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
|
||||
* check a cert we received from them)!
|
||||
* [in/out] ssl: misc. things read
|
||||
* ssl->session_negotiate->verify_result updated
|
||||
* [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
|
||||
* [in] chain: the certificate chain to verify (ie the peer's chain)
|
||||
* [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
|
||||
* for TLS 1.3, may be left NULL.
|
||||
* [in] rs_ctx: restart context if restartable ECC is in use;
|
||||
* leave NULL for no restartable behaviour.
|
||||
*
|
||||
* Return:
|
||||
* - 0 if the handshake should continue. Depending on the
|
||||
* authmode it means:
|
||||
* - REQUIRED: the certificate was found to be valid, trusted & acceptable.
|
||||
* ssl->session_negotiate->verify_result is 0.
|
||||
* - OPTIONAL: the certificate may or may not be acceptable, but
|
||||
* ssl->session_negotiate->verify_result was updated with the result.
|
||||
* - NONE: the certificate wasn't even checked.
|
||||
* - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
|
||||
* the certificate was found to be invalid/untrusted/unacceptable and the
|
||||
* handshake should be aborted (can only happen with REQUIRED).
|
||||
* - another error code if another error happened (out-of-memory, etc.)
|
||||
*/
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
int authmode,
|
||||
mbedtls_x509_crt *chain,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
|
||||
void *rs_ctx);
|
||||
|
||||
/*
|
||||
* Check usage of a certificate wrt usage extensions:
|
||||
* keyUsage and extendedKeyUsage.
|
||||
* (Note: nSCertType is deprecated and not standard, we don't check it.)
|
||||
*
|
||||
* Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
|
||||
*
|
||||
* Note: recv_endpoint is the receiver's endpoint.
|
||||
*
|
||||
* Return 0 if everything is OK, -1 if not.
|
||||
*/
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint,
|
||||
int recv_endpoint,
|
||||
mbedtls_ssl_protocol_version tls_version,
|
||||
uint32_t *flags);
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
|
@ -1891,6 +1926,26 @@ static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_confi
|
|||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
|
||||
/** \brief Initialize the PSA crypto subsystem if necessary.
|
||||
*
|
||||
* Call this function before doing any cryptography in a TLS 1.3 handshake.
|
||||
*
|
||||
* This is necessary in Mbed TLS 3.x for backward compatibility.
|
||||
* Up to Mbed TLS 3.5, in the default configuration, you could perform
|
||||
* a TLS connection with default parameters without having called
|
||||
* psa_crypto_init(), since the TLS layer only supported TLS 1.2 and
|
||||
* did not use PSA crypto. (TLS 1.2 only uses PSA crypto if
|
||||
* MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default
|
||||
* configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled
|
||||
* by default, and the TLS 1.3 layer uses PSA crypto. This means that
|
||||
* applications that are not otherwise using PSA crypto and that worked
|
||||
* with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to
|
||||
* a peer that supports TLS 1.3. See
|
||||
* https://github.com/Mbed-TLS/mbedtls/issues/9072
|
||||
*/
|
||||
int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl);
|
||||
|
||||
extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
|
||||
MBEDTLS_SERVER_HELLO_RANDOM_LEN];
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
|
@ -2914,8 +2969,37 @@ static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
|
|||
{
|
||||
session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
|
||||
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
|
||||
(1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
|
||||
(1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
|
||||
|
||||
static inline int mbedtls_ssl_conf_get_session_tickets(
|
||||
const mbedtls_ssl_config *conf)
|
||||
{
|
||||
return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
|
||||
MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
|
||||
MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(
|
||||
const mbedtls_ssl_config *conf)
|
||||
{
|
||||
return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
|
||||
MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED :
|
||||
MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
|
||||
#endif
|
||||
|
|
39
thirdparty/mbedtls/library/ssl_msg.c
vendored
39
thirdparty/mbedtls/library/ssl_msg.c
vendored
|
@ -5570,9 +5570,9 @@ static int ssl_check_ctr_renegotiate(mbedtls_ssl_context *ssl)
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
|
||||
static int ssl_tls13_is_new_session_ticket(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
|
||||
if ((ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl)) ||
|
||||
|
@ -5580,15 +5580,9 @@ static int ssl_tls13_check_new_session_ticket(mbedtls_ssl_context *ssl)
|
|||
return 0;
|
||||
}
|
||||
|
||||
ssl->keep_current_message = 1;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
|
||||
mbedtls_ssl_handshake_set_state(ssl,
|
||||
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
|
||||
|
||||
return MBEDTLS_ERR_SSL_WANT_READ;
|
||||
return 1;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
|
||||
|
@ -5596,14 +5590,29 @@ static int ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context *ssl)
|
|||
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("received post-handshake message"));
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
int ret = ssl_tls13_check_new_session_ticket(ssl);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
if (ssl_tls13_is_new_session_ticket(ssl)) {
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("NewSessionTicket received"));
|
||||
if (mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(ssl->conf) ==
|
||||
MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED) {
|
||||
ssl->keep_current_message = 1;
|
||||
|
||||
mbedtls_ssl_handshake_set_state(ssl,
|
||||
MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
|
||||
return MBEDTLS_ERR_SSL_WANT_READ;
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, handling disabled."));
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Ignoring NewSessionTicket, not supported."));
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
/* Fail in all other cases. */
|
||||
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
|
||||
|
|
4
thirdparty/mbedtls/library/ssl_ticket.c
vendored
4
thirdparty/mbedtls/library/ssl_ticket.c
vendored
|
@ -534,6 +534,10 @@ cleanup:
|
|||
*/
|
||||
void mbedtls_ssl_ticket_free(mbedtls_ssl_ticket_context *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_destroy_key(ctx->keys[0].key);
|
||||
psa_destroy_key(ctx->keys[1].key);
|
||||
|
|
617
thirdparty/mbedtls/library/ssl_tls.c
vendored
617
thirdparty/mbedtls/library/ssl_tls.c
vendored
|
@ -132,7 +132,7 @@ int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
|
|||
|
||||
int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
|
||||
int *enabled,
|
||||
unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
|
||||
unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
|
||||
size_t *own_cid_len)
|
||||
{
|
||||
*enabled = MBEDTLS_SSL_CID_DISABLED;
|
||||
|
@ -1354,29 +1354,6 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
|
|||
return ret;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
/* RFC 8446 section 4.4.3
|
||||
*
|
||||
* If the verification fails, the receiver MUST terminate the handshake with
|
||||
* a "decrypt_error" alert.
|
||||
*
|
||||
* If the client is configured as TLS 1.3 only with optional verify, return
|
||||
* bad config.
|
||||
*
|
||||
*/
|
||||
if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
|
||||
(mbedtls_ssl_context *) ssl) &&
|
||||
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
|
||||
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
|
||||
ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
|
||||
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
1, ("Optional verify auth mode "
|
||||
"is not available for TLS 1.3 client"));
|
||||
return MBEDTLS_ERR_SSL_BAD_CONFIG;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
if (ssl->conf->f_rng == NULL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
|
||||
return MBEDTLS_ERR_SSL_NO_RNG;
|
||||
|
@ -1760,6 +1737,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
|
||||
|
||||
|
@ -1770,6 +1748,14 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session
|
|||
session->ciphersuite));
|
||||
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
}
|
||||
#else
|
||||
/*
|
||||
* If session tickets are not enabled, it is not possible to resume a
|
||||
* TLS 1.3 session, thus do not make any change to the SSL context in
|
||||
* the first place.
|
||||
*/
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
|
||||
|
@ -2234,6 +2220,7 @@ static void ssl_remove_psk(mbedtls_ssl_context *ssl)
|
|||
mbedtls_zeroize_and_free(ssl->handshake->psk,
|
||||
ssl->handshake->psk_len);
|
||||
ssl->handshake->psk_len = 0;
|
||||
ssl->handshake->psk = NULL;
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
}
|
||||
|
@ -2999,11 +2986,24 @@ void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
|
|||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
|
||||
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
|
||||
{
|
||||
conf->session_tickets = use_tickets;
|
||||
conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
|
||||
conf->session_tickets |= (use_tickets != 0) <<
|
||||
MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
|
||||
mbedtls_ssl_config *conf, int signal_new_session_tickets)
|
||||
{
|
||||
conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
|
||||
conf->session_tickets |= (signal_new_session_tickets != 0) <<
|
||||
MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
|
||||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
|
||||
|
@ -4049,7 +4049,7 @@ static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
|
|||
}
|
||||
|
||||
static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
|
||||
unsigned char *buf,
|
||||
const unsigned char *buf,
|
||||
size_t buf_len)
|
||||
{
|
||||
((void) session);
|
||||
|
@ -5868,7 +5868,33 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
|
|||
if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
|
||||
mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
/* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
|
||||
* handling is disabled by default in Mbed TLS 3.6.x for backward
|
||||
* compatibility with client applications developed using Mbed TLS 3.5
|
||||
* or earlier with the default configuration.
|
||||
*
|
||||
* Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
|
||||
* disabled, and a Mbed TLS client with the default configuration would
|
||||
* establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
|
||||
* server.
|
||||
*
|
||||
* Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
|
||||
* an Mbed TLS client with the default configuration establishes a
|
||||
* TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
|
||||
* following the handshake the TLS 1.3 server sends NewSessionTicket
|
||||
* messages and the Mbed TLS client processes them, this results in
|
||||
* Mbed TLS high level APIs (mbedtls_ssl_read(),
|
||||
* mbedtls_ssl_handshake(), ...) to eventually return an
|
||||
* #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
|
||||
* (see the documentation of mbedtls_ssl_read() for more information on
|
||||
* that error code). Applications unaware of that TLS 1.3 specific non
|
||||
* fatal error code are then failing.
|
||||
*/
|
||||
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
|
||||
conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
|
@ -6030,6 +6056,10 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
|
|||
*/
|
||||
void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
|
||||
{
|
||||
if (conf == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_DHM_C)
|
||||
mbedtls_mpi_free(&conf->dhm_P);
|
||||
mbedtls_mpi_free(&conf->dhm_G);
|
||||
|
@ -6344,71 +6374,6 @@ const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint,
|
||||
uint32_t *flags)
|
||||
{
|
||||
int ret = 0;
|
||||
unsigned int usage = 0;
|
||||
const char *ext_oid;
|
||||
size_t ext_len;
|
||||
|
||||
if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
|
||||
/* Server part of the key exchange */
|
||||
switch (ciphersuite->key_exchange) {
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
|
||||
break;
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
|
||||
break;
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
|
||||
break;
|
||||
|
||||
/* Don't use default: we want warnings when adding new values */
|
||||
case MBEDTLS_KEY_EXCHANGE_NONE:
|
||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
|
||||
usage = 0;
|
||||
}
|
||||
} else {
|
||||
/* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
|
||||
usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
|
||||
}
|
||||
|
||||
if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
|
||||
*flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
|
||||
ext_oid = MBEDTLS_OID_SERVER_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
|
||||
} else {
|
||||
ext_oid = MBEDTLS_OID_CLIENT_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
|
||||
}
|
||||
|
||||
if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
|
||||
*flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
|
||||
const mbedtls_md_type_t md,
|
||||
|
@ -7927,196 +7892,6 @@ static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
|
|||
return SSL_CERTIFICATE_EXPECTED;
|
||||
}
|
||||
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
|
||||
int authmode,
|
||||
mbedtls_x509_crt *chain,
|
||||
void *rs_ctx)
|
||||
{
|
||||
int ret = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
int have_ca_chain = 0;
|
||||
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
|
||||
void *p_vrfy;
|
||||
|
||||
if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ssl->f_vrfy != NULL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
|
||||
f_vrfy = ssl->f_vrfy;
|
||||
p_vrfy = ssl->p_vrfy;
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
|
||||
f_vrfy = ssl->conf->f_vrfy;
|
||||
p_vrfy = ssl->conf->p_vrfy;
|
||||
}
|
||||
|
||||
/*
|
||||
* Main check: verify certificate
|
||||
*/
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
if (ssl->conf->f_ca_cb != NULL) {
|
||||
((void) rs_ctx);
|
||||
have_ca_chain = 1;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
|
||||
ret = mbedtls_x509_crt_verify_with_ca_cb(
|
||||
chain,
|
||||
ssl->conf->f_ca_cb,
|
||||
ssl->conf->p_ca_cb,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy);
|
||||
} else
|
||||
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||
{
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if (ssl->handshake->sni_ca_chain != NULL) {
|
||||
ca_chain = ssl->handshake->sni_ca_chain;
|
||||
ca_crl = ssl->handshake->sni_ca_crl;
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
ca_chain = ssl->conf->ca_chain;
|
||||
ca_crl = ssl->conf->ca_crl;
|
||||
}
|
||||
|
||||
if (ca_chain != NULL) {
|
||||
have_ca_chain = 1;
|
||||
}
|
||||
|
||||
ret = mbedtls_x509_crt_verify_restartable(
|
||||
chain,
|
||||
ca_chain, ca_crl,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy, rs_ctx);
|
||||
}
|
||||
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
|
||||
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
|
||||
return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
|
||||
{
|
||||
const mbedtls_pk_context *pk = &chain->pk;
|
||||
|
||||
/* If certificate uses an EC key, make sure the curve is OK.
|
||||
* This is a public key, so it can't be opaque, so can_do() is a good
|
||||
* enough check to ensure pk_ec() is safe to use here. */
|
||||
if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
|
||||
/* and in the unlikely case the above assumption no longer holds
|
||||
* we are making sure that pk_ec() here does not return a NULL
|
||||
*/
|
||||
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
|
||||
if (grp_id == MBEDTLS_ECP_DP_NONE) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
|
||||
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
|
||||
ssl->session_negotiate->verify_result |=
|
||||
MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
|
||||
if (ret == 0) {
|
||||
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||
|
||||
if (mbedtls_ssl_check_cert_usage(chain,
|
||||
ciphersuite_info,
|
||||
!ssl->conf->endpoint,
|
||||
&ssl->session_negotiate->verify_result) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
|
||||
if (ret == 0) {
|
||||
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
|
||||
/* mbedtls_x509_crt_verify_with_profile is supposed to report a
|
||||
* verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
|
||||
* with details encoded in the verification flags. All other kinds
|
||||
* of error codes, including those from the user provided f_vrfy
|
||||
* functions, are treated as fatal and lead to a failure of
|
||||
* ssl_parse_certificate even if verification was optional. */
|
||||
if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
|
||||
(ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
|
||||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
|
||||
ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
|
||||
}
|
||||
|
||||
if (ret != 0) {
|
||||
uint8_t alert;
|
||||
|
||||
/* The certificate may have been rejected for several reasons.
|
||||
Pick one and send the corresponding alert. Which alert to send
|
||||
may be a subject of debate in some cases. */
|
||||
if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
|
||||
} else {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
|
||||
}
|
||||
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
alert);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
if (ssl->session_negotiate->verify_result != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
|
||||
(unsigned int) ssl->session_negotiate->verify_result));
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
|
||||
}
|
||||
#endif /* MBEDTLS_DEBUG_C */
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
|
||||
|
@ -8173,6 +7948,7 @@ int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
|
|||
{
|
||||
int ret = 0;
|
||||
int crt_expected;
|
||||
/* Authmode: precedence order is SNI if used else configuration */
|
||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
|
||||
? ssl->handshake->sni_authmode
|
||||
|
@ -8252,8 +8028,9 @@ crt_verify:
|
|||
}
|
||||
#endif
|
||||
|
||||
ret = ssl_parse_certificate_verify(ssl, authmode,
|
||||
chain, rs_ctx);
|
||||
ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
|
||||
ssl->handshake->ciphersuite_info,
|
||||
rs_ctx);
|
||||
if (ret != 0) {
|
||||
goto exit;
|
||||
}
|
||||
|
@ -9919,4 +9696,274 @@ int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
|
|||
return 0;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
|
||||
|
||||
/*
|
||||
* The following functions are used by 1.2 and 1.3, client and server.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
|
||||
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int recv_endpoint,
|
||||
mbedtls_ssl_protocol_version tls_version,
|
||||
uint32_t *flags)
|
||||
{
|
||||
int ret = 0;
|
||||
unsigned int usage = 0;
|
||||
const char *ext_oid;
|
||||
size_t ext_len;
|
||||
|
||||
/*
|
||||
* keyUsage
|
||||
*/
|
||||
|
||||
/* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
|
||||
* to check what a compliant client will think while choosing which cert
|
||||
* to send to the client. */
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
|
||||
recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
/* TLS 1.2 server part of the key exchange */
|
||||
switch (ciphersuite->key_exchange) {
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
|
||||
break;
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
|
||||
break;
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
|
||||
break;
|
||||
|
||||
/* Don't use default: we want warnings when adding new values */
|
||||
case MBEDTLS_KEY_EXCHANGE_NONE:
|
||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
|
||||
usage = 0;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
/* This is either TLS 1.3 authentication, which always uses signatures,
|
||||
* or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
|
||||
* options we implement, both using signatures. */
|
||||
(void) tls_version;
|
||||
(void) ciphersuite;
|
||||
usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
|
||||
}
|
||||
|
||||
if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
|
||||
*flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* extKeyUsage
|
||||
*/
|
||||
|
||||
if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
ext_oid = MBEDTLS_OID_SERVER_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
|
||||
} else {
|
||||
ext_oid = MBEDTLS_OID_CLIENT_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
|
||||
}
|
||||
|
||||
if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
|
||||
*flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
|
||||
int authmode,
|
||||
mbedtls_x509_crt *chain,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
|
||||
void *rs_ctx)
|
||||
{
|
||||
if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Primary check: use the appropriate X.509 verification function
|
||||
*/
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
|
||||
void *p_vrfy;
|
||||
if (ssl->f_vrfy != NULL) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
|
||||
f_vrfy = ssl->f_vrfy;
|
||||
p_vrfy = ssl->p_vrfy;
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
|
||||
f_vrfy = ssl->conf->f_vrfy;
|
||||
p_vrfy = ssl->conf->p_vrfy;
|
||||
}
|
||||
|
||||
int ret = 0;
|
||||
int have_ca_chain_or_callback = 0;
|
||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||
if (ssl->conf->f_ca_cb != NULL) {
|
||||
((void) rs_ctx);
|
||||
have_ca_chain_or_callback = 1;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
|
||||
ret = mbedtls_x509_crt_verify_with_ca_cb(
|
||||
chain,
|
||||
ssl->conf->f_ca_cb,
|
||||
ssl->conf->p_ca_cb,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy);
|
||||
} else
|
||||
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||
{
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if (ssl->handshake->sni_ca_chain != NULL) {
|
||||
ca_chain = ssl->handshake->sni_ca_chain;
|
||||
ca_crl = ssl->handshake->sni_ca_crl;
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
ca_chain = ssl->conf->ca_chain;
|
||||
ca_crl = ssl->conf->ca_crl;
|
||||
}
|
||||
|
||||
if (ca_chain != NULL) {
|
||||
have_ca_chain_or_callback = 1;
|
||||
}
|
||||
|
||||
ret = mbedtls_x509_crt_verify_restartable(
|
||||
chain,
|
||||
ca_chain, ca_crl,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
f_vrfy, p_vrfy, rs_ctx);
|
||||
}
|
||||
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
|
||||
if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
|
||||
return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||
*/
|
||||
|
||||
/* With TLS 1.2 and ECC certs, check that the curve used by the
|
||||
* certificate is on our list of acceptable curves.
|
||||
*
|
||||
* With TLS 1.3 this is not needed because the curve is part of the
|
||||
* signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
|
||||
* we validate the signature made with the key associated to this cert.
|
||||
*/
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_PK_HAVE_ECC_KEYS)
|
||||
if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
|
||||
mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
|
||||
if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
|
||||
ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
|
||||
if (ret == 0) {
|
||||
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
|
||||
|
||||
/* Check X.509 usage extensions (keyUsage, extKeyUsage) */
|
||||
if (mbedtls_ssl_check_cert_usage(chain,
|
||||
ciphersuite_info,
|
||||
ssl->conf->endpoint,
|
||||
ssl->tls_version,
|
||||
&ssl->session_negotiate->verify_result) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
|
||||
if (ret == 0) {
|
||||
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
|
||||
/* With authmode optional, we want to keep going if the certificate was
|
||||
* unacceptable, but still fail on other errors (out of memory etc),
|
||||
* including fatal errors from the f_vrfy callback.
|
||||
*
|
||||
* The only acceptable errors are:
|
||||
* - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
|
||||
* - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
|
||||
* Anything else is a fatal error. */
|
||||
if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
|
||||
(ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
|
||||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
/* Return a specific error as this is a user error: inconsistent
|
||||
* configuration - can't verify without trust anchors. */
|
||||
if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
|
||||
ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
|
||||
}
|
||||
|
||||
if (ret != 0) {
|
||||
uint8_t alert;
|
||||
|
||||
/* The certificate may have been rejected for several reasons.
|
||||
Pick one and send the corresponding alert. Which alert to send
|
||||
may be a subject of debate in some cases. */
|
||||
if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
|
||||
} else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
|
||||
} else {
|
||||
alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
|
||||
}
|
||||
mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
alert);
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
if (ssl->session_negotiate->verify_result != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
|
||||
(unsigned int) ssl->session_negotiate->verify_result));
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
|
||||
}
|
||||
#endif /* MBEDTLS_DEBUG_C */
|
||||
|
||||
return ret;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
|
||||
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
|
|
@ -364,7 +364,8 @@ static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
|
|||
|
||||
*olen = 0;
|
||||
|
||||
if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
|
||||
if (mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
|
||||
MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -787,7 +788,8 @@ static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
|
|||
const unsigned char *buf,
|
||||
size_t len)
|
||||
{
|
||||
if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
|
||||
if ((mbedtls_ssl_conf_get_session_tickets(ssl->conf) ==
|
||||
MBEDTLS_SSL_SESSION_TICKETS_DISABLED) ||
|
||||
len != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1,
|
||||
("non-matching session ticket extension"));
|
||||
|
|
27
thirdparty/mbedtls/library/ssl_tls12_server.c
vendored
27
thirdparty/mbedtls/library/ssl_tls12_server.c
vendored
|
@ -756,7 +756,9 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
|
|||
* and decrypting with the same RSA key.
|
||||
*/
|
||||
if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
|
||||
MBEDTLS_SSL_IS_SERVER, &flags) != 0) {
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
MBEDTLS_SSL_VERSION_TLS1_2,
|
||||
&flags) != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
|
||||
"(extended) key usage extension"));
|
||||
continue;
|
||||
|
@ -2631,13 +2633,8 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
|||
ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes);
|
||||
ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes);
|
||||
|
||||
if (pk_type == MBEDTLS_PK_OPAQUE) {
|
||||
/* Opaque key is created by the user (externally from Mbed TLS)
|
||||
* so we assume it already has the right algorithm and flags
|
||||
* set. Just copy its ID as reference. */
|
||||
ssl->handshake->xxdh_psa_privkey = pk->priv_id;
|
||||
ssl->handshake->xxdh_psa_privkey_is_external = 1;
|
||||
} else {
|
||||
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
|
||||
if (pk_type != MBEDTLS_PK_OPAQUE) {
|
||||
/* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK
|
||||
* module and only have ECDSA capabilities. Since we need
|
||||
* them for ECDH later, we export and then re-import them with
|
||||
|
@ -2665,10 +2662,20 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
|
|||
/* Set this key as owned by the TLS library: it will be its duty
|
||||
* to clear it exit. */
|
||||
ssl->handshake->xxdh_psa_privkey_is_external = 0;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
|
||||
|
||||
/* Opaque key is created by the user (externally from Mbed TLS)
|
||||
* so we assume it already has the right algorithm and flags
|
||||
* set. Just copy its ID as reference. */
|
||||
ssl->handshake->xxdh_psa_privkey = pk->priv_id;
|
||||
ssl->handshake->xxdh_psa_privkey_is_external = 1;
|
||||
ret = 0;
|
||||
break;
|
||||
|
||||
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
|
||||
case MBEDTLS_PK_ECKEY:
|
||||
case MBEDTLS_PK_ECKEY_DH:
|
||||
|
@ -3916,7 +3923,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||
uint8_t ecpoint_len;
|
||||
size_t ecpoint_len;
|
||||
|
||||
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
|
||||
|
||||
|
|
|
@ -666,6 +666,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
|
|||
return 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
|
||||
|
@ -678,7 +679,6 @@ static psa_algorithm_t ssl_tls13_get_ciphersuite_hash_alg(int ciphersuite)
|
|||
return PSA_ALG_NONE;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
static int ssl_tls13_has_configured_ticket(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
mbedtls_ssl_session *session = ssl->session_negotiate;
|
||||
|
@ -1141,6 +1141,11 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
|
|||
|
||||
*out_len = 0;
|
||||
|
||||
ret = mbedtls_ssl_tls13_crypto_init(ssl);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Write supported_versions extension
|
||||
*
|
||||
* Supported Versions Extension is mandatory with TLS 1.3.
|
||||
|
|
167
thirdparty/mbedtls/library/ssl_tls13_generic.c
vendored
167
thirdparty/mbedtls/library/ssl_tls13_generic.c
vendored
|
@ -27,7 +27,6 @@
|
|||
#include "psa/crypto.h"
|
||||
#include "psa_util_internal.h"
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||
/* Define a local translating function to save code size by not using too many
|
||||
* arguments in each translating place. */
|
||||
static int local_err_translation(psa_status_t status)
|
||||
|
@ -37,7 +36,16 @@ static int local_err_translation(psa_status_t status)
|
|||
psa_generic_status_to_mbedtls);
|
||||
}
|
||||
#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
|
||||
#endif
|
||||
|
||||
int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
(void) ssl; // unused when debugging is disabled
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "psa_crypto_init", status);
|
||||
}
|
||||
return PSA_TO_MBEDTLS_ERR(status);
|
||||
}
|
||||
|
||||
const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
|
||||
MBEDTLS_SERVER_HELLO_RANDOM_LEN] =
|
||||
|
@ -193,10 +201,12 @@ static void ssl_tls13_create_verify_structure(const unsigned char *transcript_ha
|
|||
idx = 64;
|
||||
|
||||
if (from == MBEDTLS_SSL_IS_CLIENT) {
|
||||
memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(client_cv));
|
||||
memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.client_cv,
|
||||
MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv));
|
||||
idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(client_cv);
|
||||
} else { /* from == MBEDTLS_SSL_IS_SERVER */
|
||||
memcpy(verify_buffer + idx, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(server_cv));
|
||||
memcpy(verify_buffer + idx, mbedtls_ssl_tls13_labels.server_cv,
|
||||
MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv));
|
||||
idx += MBEDTLS_SSL_TLS1_3_LBL_LEN(server_cv);
|
||||
}
|
||||
|
||||
|
@ -470,6 +480,7 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
|
|||
mbedtls_free(ssl->session_negotiate->peer_cert);
|
||||
}
|
||||
|
||||
/* This is used by ssl_tls13_validate_certificate() */
|
||||
if (certificate_list_len == 0) {
|
||||
ssl->session_negotiate->peer_cert = NULL;
|
||||
ret = 0;
|
||||
|
@ -625,25 +636,13 @@ int mbedtls_ssl_tls13_parse_certificate(mbedtls_ssl_context *ssl,
|
|||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
int ret = 0;
|
||||
int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
const char *ext_oid;
|
||||
size_t ext_len;
|
||||
uint32_t verify_result = 0;
|
||||
|
||||
/* If SNI was used, overwrite authentication mode
|
||||
* from the configuration. */
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if (ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET) {
|
||||
authmode = ssl->handshake->sni_authmode;
|
||||
} else
|
||||
#endif
|
||||
authmode = ssl->conf->authmode;
|
||||
}
|
||||
/* Authmode: precedence order is SNI if used else configuration */
|
||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
|
||||
? ssl->handshake->sni_authmode
|
||||
: ssl->conf->authmode;
|
||||
#else
|
||||
const int authmode = ssl->conf->authmode;
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -675,6 +674,11 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
|
|||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CLI_C)
|
||||
/* Regardless of authmode, the server is not allowed to send an empty
|
||||
* certificate chain. (Last paragraph before 4.4.2.1 in RFC 8446: "The
|
||||
* server's certificate_list MUST always be non-empty.") With authmode
|
||||
* optional/none, we continue the handshake if we can't validate the
|
||||
* server's cert, but we still break it if no certificate was sent. */
|
||||
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
|
||||
MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE);
|
||||
|
@ -683,114 +687,9 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
|
|||
#endif /* MBEDTLS_SSL_CLI_C */
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if (ssl->handshake->sni_ca_chain != NULL) {
|
||||
ca_chain = ssl->handshake->sni_ca_chain;
|
||||
ca_crl = ssl->handshake->sni_ca_crl;
|
||||
} else
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
{
|
||||
ca_chain = ssl->conf->ca_chain;
|
||||
ca_crl = ssl->conf->ca_crl;
|
||||
}
|
||||
|
||||
/*
|
||||
* Main check: verify certificate
|
||||
*/
|
||||
ret = mbedtls_x509_crt_verify_with_profile(
|
||||
return mbedtls_ssl_verify_certificate(ssl, authmode,
|
||||
ssl->session_negotiate->peer_cert,
|
||||
ca_chain, ca_crl,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&verify_result,
|
||||
ssl->conf->f_vrfy, ssl->conf->p_vrfy);
|
||||
|
||||
if (ret != 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
|
||||
}
|
||||
|
||||
/*
|
||||
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||
*/
|
||||
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
|
||||
ext_oid = MBEDTLS_OID_SERVER_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
|
||||
} else {
|
||||
ext_oid = MBEDTLS_OID_CLIENT_AUTH;
|
||||
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
|
||||
}
|
||||
|
||||
if ((mbedtls_x509_crt_check_key_usage(
|
||||
ssl->session_negotiate->peer_cert,
|
||||
MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0) ||
|
||||
(mbedtls_x509_crt_check_extended_key_usage(
|
||||
ssl->session_negotiate->peer_cert,
|
||||
ext_oid, ext_len) != 0)) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
|
||||
if (ret == 0) {
|
||||
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
|
||||
}
|
||||
}
|
||||
|
||||
/* mbedtls_x509_crt_verify_with_profile is supposed to report a
|
||||
* verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
|
||||
* with details encoded in the verification flags. All other kinds
|
||||
* of error codes, including those from the user provided f_vrfy
|
||||
* functions, are treated as fatal and lead to a failure of
|
||||
* mbedtls_ssl_tls13_parse_certificate even if verification was optional.
|
||||
*/
|
||||
if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
|
||||
(ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
|
||||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
|
||||
ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
|
||||
}
|
||||
|
||||
if (ret != 0) {
|
||||
/* The certificate may have been rejected for several reasons.
|
||||
Pick one and send the corresponding alert. Which alert to send
|
||||
may be a subject of debate in some cases. */
|
||||
if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
|
||||
} else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
|
||||
} else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
|
||||
MBEDTLS_X509_BADCERT_EXT_KEY_USAGE |
|
||||
MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
|
||||
MBEDTLS_X509_BADCERT_BAD_PK |
|
||||
MBEDTLS_X509_BADCERT_BAD_KEY)) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
|
||||
} else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
|
||||
} else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
|
||||
} else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
|
||||
} else {
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
if (verify_result != 0) {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
|
||||
(unsigned int) verify_result));
|
||||
} else {
|
||||
MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
|
||||
}
|
||||
#endif /* MBEDTLS_DEBUG_C */
|
||||
|
||||
ssl->session_negotiate->verify_result = verify_result;
|
||||
return ret;
|
||||
NULL, NULL);
|
||||
}
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
|
@ -1482,9 +1381,11 @@ int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
|
|||
ssl->total_early_data_size)) {
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
2, ("EarlyData: Too much early data received, %u + %" MBEDTLS_PRINTF_SIZET " > %u",
|
||||
ssl->total_early_data_size, early_data_len,
|
||||
ssl->session_negotiate->max_early_data_size));
|
||||
2, ("EarlyData: Too much early data received, "
|
||||
"%lu + %" MBEDTLS_PRINTF_SIZET " > %lu",
|
||||
(unsigned long) ssl->total_early_data_size,
|
||||
early_data_len,
|
||||
(unsigned long) ssl->session_negotiate->max_early_data_size));
|
||||
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
|
||||
|
|
29
thirdparty/mbedtls/library/ssl_tls13_server.c
vendored
29
thirdparty/mbedtls/library/ssl_tls13_server.c
vendored
|
@ -92,8 +92,9 @@ static void ssl_tls13_select_ciphersuite(
|
|||
return;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%x",
|
||||
(unsigned) psk_ciphersuite_id, psk_hash_alg));
|
||||
MBEDTLS_SSL_DEBUG_MSG(2, ("No matched ciphersuite, psk_ciphersuite_id=%x, psk_hash_alg=%lx",
|
||||
(unsigned) psk_ciphersuite_id,
|
||||
(unsigned long) psk_hash_alg));
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
|
||||
|
@ -172,12 +173,12 @@ static int ssl_tls13_parse_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
|
|||
#define SSL_TLS1_3_PSK_IDENTITY_MATCH_BUT_PSK_NOT_USABLE 1
|
||||
#define SSL_TLS1_3_PSK_IDENTITY_MATCH 0
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_key_exchange_is_psk_available(mbedtls_ssl_context *ssl);
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_key_exchange_is_psk_ephemeral_available(mbedtls_ssl_context *ssl);
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_offered_psks_check_identity_match_ticket(
|
||||
mbedtls_ssl_context *ssl,
|
||||
|
@ -575,10 +576,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(
|
|||
psa_algorithm_t psk_hash_alg;
|
||||
int allowed_key_exchange_modes;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
mbedtls_ssl_session session;
|
||||
mbedtls_ssl_session_init(&session);
|
||||
#endif
|
||||
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p_identity_len, identities_end, 2 + 1 + 4);
|
||||
identity_len = MBEDTLS_GET_UINT16_BE(p_identity_len, 0);
|
||||
|
@ -1356,19 +1355,23 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
|||
* compression methods and the length of the extensions.
|
||||
*
|
||||
* cipher_suites cipher_suites_len bytes
|
||||
* legacy_compression_methods 2 bytes
|
||||
* extensions_len 2 bytes
|
||||
* legacy_compression_methods length 1 byte
|
||||
*/
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 1);
|
||||
p += cipher_suites_len;
|
||||
cipher_suites_end = p;
|
||||
|
||||
/* Check if we have enough data for legacy_compression_methods
|
||||
* and the length of the extensions (2 bytes).
|
||||
*/
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR(p + 1, end, p[0] + 2);
|
||||
|
||||
/*
|
||||
* Search for the supported versions extension and parse it to determine
|
||||
* if the client supports TLS 1.3.
|
||||
*/
|
||||
ret = mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
|
||||
ssl, p + 2, end,
|
||||
ssl, p + 1 + p[0], end,
|
||||
&supported_versions_data, &supported_versions_data_end);
|
||||
if (ret < 0) {
|
||||
MBEDTLS_SSL_DEBUG_RET(1,
|
||||
|
@ -1409,6 +1412,12 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
|
|||
ssl->session_negotiate->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
|
||||
ssl->session_negotiate->endpoint = ssl->conf->endpoint;
|
||||
|
||||
/* Before doing any crypto, make sure we can. */
|
||||
ret = mbedtls_ssl_tls13_crypto_init(ssl);
|
||||
if (ret != 0) {
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* We are negotiating the version 1.3 of the protocol. Do what we have
|
||||
* postponed: copy of the client random bytes, copy of the legacy session
|
||||
|
@ -3109,6 +3118,7 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
|
|||
return 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
/*
|
||||
* Handler for MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET
|
||||
*/
|
||||
|
@ -3138,7 +3148,6 @@ static int ssl_tls13_write_new_session_ticket_coordinate(mbedtls_ssl_context *ss
|
|||
return SSL_NEW_SESSION_TICKET_WRITE;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||
static int ssl_tls13_prepare_new_session_ticket(mbedtls_ssl_context *ssl,
|
||||
unsigned char *ticket_nonce,
|
||||
|
|
|
@ -423,6 +423,9 @@ static const char * const features[] = {
|
|||
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
|
||||
"PSA_CRYPTO_SPM", //no-check-names
|
||||
#endif /* MBEDTLS_PSA_CRYPTO_SPM */
|
||||
#if defined(MBEDTLS_PSA_KEY_STORE_DYNAMIC)
|
||||
"PSA_KEY_STORE_DYNAMIC", //no-check-names
|
||||
#endif /* MBEDTLS_PSA_KEY_STORE_DYNAMIC */
|
||||
#if defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)
|
||||
"PSA_P256M_DRIVER_ENABLED", //no-check-names
|
||||
#endif /* MBEDTLS_PSA_P256M_DRIVER_ENABLED */
|
||||
|
|
2
thirdparty/mbedtls/library/x509_crt.c
vendored
2
thirdparty/mbedtls/library/x509_crt.c
vendored
|
@ -48,7 +48,9 @@
|
|||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
|
||||
#ifndef WIN32_LEAN_AND_MEAN
|
||||
#define WIN32_LEAN_AND_MEAN
|
||||
#endif
|
||||
#include <windows.h>
|
||||
#else
|
||||
#include <time.h>
|
||||
|
|
4
thirdparty/mbedtls/library/x509write_crt.c
vendored
4
thirdparty/mbedtls/library/x509write_crt.c
vendored
|
@ -46,6 +46,10 @@ void mbedtls_x509write_crt_init(mbedtls_x509write_cert *ctx)
|
|||
|
||||
void mbedtls_x509write_crt_free(mbedtls_x509write_cert *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_asn1_free_named_data_list(&ctx->subject);
|
||||
mbedtls_asn1_free_named_data_list(&ctx->issuer);
|
||||
mbedtls_asn1_free_named_data_list(&ctx->extensions);
|
||||
|
|
4
thirdparty/mbedtls/library/x509write_csr.c
vendored
4
thirdparty/mbedtls/library/x509write_csr.c
vendored
|
@ -43,6 +43,10 @@ void mbedtls_x509write_csr_init(mbedtls_x509write_csr *ctx)
|
|||
|
||||
void mbedtls_x509write_csr_free(mbedtls_x509write_csr *ctx)
|
||||
{
|
||||
if (ctx == NULL) {
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_asn1_free_named_data_list(&ctx->subject);
|
||||
mbedtls_asn1_free_named_data_list(&ctx->extensions);
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
diff --git a/thirdparty/mbedtls/include/psa/crypto.h b/thirdparty/mbedtls/include/psa/crypto.h
|
||||
index 92f9c824e9..1cc2e7e729 100644
|
||||
index 2bbcea3ee0..96baf8f3ed 100644
|
||||
--- a/thirdparty/mbedtls/include/psa/crypto.h
|
||||
+++ b/thirdparty/mbedtls/include/psa/crypto.h
|
||||
@@ -107,7 +107,9 @@ psa_status_t psa_crypto_init(void);
|
||||
|
@ -12,7 +12,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Declare a key as persistent and set its key identifier.
|
||||
*
|
||||
@@ -333,7 +335,9 @@ static void psa_set_key_bits(psa_key_attributes_t *attributes,
|
||||
@@ -336,7 +338,9 @@ static void psa_set_key_bits(psa_key_attributes_t *attributes,
|
||||
*
|
||||
* \return The key type stored in the attribute structure.
|
||||
*/
|
||||
|
@ -22,7 +22,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Retrieve the key size from key attributes.
|
||||
*
|
||||
@@ -936,7 +940,9 @@ typedef struct psa_hash_operation_s psa_hash_operation_t;
|
||||
@@ -939,7 +943,9 @@ typedef struct psa_hash_operation_s psa_hash_operation_t;
|
||||
|
||||
/** Return an initial value for a hash operation object.
|
||||
*/
|
||||
|
@ -32,7 +32,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Set up a multipart hash operation.
|
||||
*
|
||||
@@ -1295,7 +1301,9 @@ typedef struct psa_mac_operation_s psa_mac_operation_t;
|
||||
@@ -1298,7 +1304,9 @@ typedef struct psa_mac_operation_s psa_mac_operation_t;
|
||||
|
||||
/** Return an initial value for a MAC operation object.
|
||||
*/
|
||||
|
@ -42,7 +42,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Set up a multipart MAC calculation operation.
|
||||
*
|
||||
@@ -1708,7 +1716,9 @@ typedef struct psa_cipher_operation_s psa_cipher_operation_t;
|
||||
@@ -1711,7 +1719,9 @@ typedef struct psa_cipher_operation_s psa_cipher_operation_t;
|
||||
|
||||
/** Return an initial value for a cipher operation object.
|
||||
*/
|
||||
|
@ -52,7 +52,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Set the key for a multipart symmetric encryption operation.
|
||||
*
|
||||
@@ -2226,7 +2236,9 @@ typedef struct psa_aead_operation_s psa_aead_operation_t;
|
||||
@@ -2229,7 +2239,9 @@ typedef struct psa_aead_operation_s psa_aead_operation_t;
|
||||
|
||||
/** Return an initial value for an AEAD operation object.
|
||||
*/
|
||||
|
@ -62,7 +62,7 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
|
||||
/** Set the key for a multipart authenticated encryption operation.
|
||||
*
|
||||
@@ -3213,7 +3225,9 @@ typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
|
||||
@@ -3216,7 +3228,9 @@ typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
|
||||
|
||||
/** Return an initial value for a key derivation operation object.
|
||||
*/
|
||||
|
@ -73,10 +73,10 @@ index 92f9c824e9..1cc2e7e729 100644
|
|||
/** Set up a key derivation operation.
|
||||
*
|
||||
diff --git a/thirdparty/mbedtls/include/psa/crypto_extra.h b/thirdparty/mbedtls/include/psa/crypto_extra.h
|
||||
index 6ed1f6c43a..2686b9d74d 100644
|
||||
index 0cf42c6055..d276cd4c7f 100644
|
||||
--- a/thirdparty/mbedtls/include/psa/crypto_extra.h
|
||||
+++ b/thirdparty/mbedtls/include/psa/crypto_extra.h
|
||||
@@ -915,7 +915,9 @@ typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
|
||||
@@ -923,7 +923,9 @@ typedef struct psa_pake_cipher_suite_s psa_pake_cipher_suite_t;
|
||||
|
||||
/** Return an initial value for a PAKE cipher suite object.
|
||||
*/
|
||||
|
@ -86,7 +86,7 @@ index 6ed1f6c43a..2686b9d74d 100644
|
|||
|
||||
/** Retrieve the PAKE algorithm from a PAKE cipher suite.
|
||||
*
|
||||
@@ -1048,7 +1050,9 @@ typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
|
||||
@@ -1056,7 +1058,9 @@ typedef struct psa_jpake_computation_stage_s psa_jpake_computation_stage_t;
|
||||
|
||||
/** Return an initial value for a PAKE operation object.
|
||||
*/
|
||||
|
|
132
thirdparty/mbedtls/patches/no-flexible-arrays.diff
vendored
132
thirdparty/mbedtls/patches/no-flexible-arrays.diff
vendored
|
@ -1,132 +0,0 @@
|
|||
diff --git a/thirdparty/mbedtls/include/psa/crypto.h b/thirdparty/mbedtls/include/psa/crypto.h
|
||||
index 7083bd911b..92f9c824e9 100644
|
||||
--- a/thirdparty/mbedtls/include/psa/crypto.h
|
||||
+++ b/thirdparty/mbedtls/include/psa/crypto.h
|
||||
@@ -3834,12 +3834,14 @@ psa_status_t psa_key_derivation_output_key(
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
psa_status_t psa_key_derivation_output_key_ext(
|
||||
const psa_key_attributes_t *attributes,
|
||||
psa_key_derivation_operation_t *operation,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
+#endif
|
||||
|
||||
/** Compare output data from a key derivation operation to an expected value.
|
||||
*
|
||||
@@ -4180,10 +4182,12 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
|
||||
* It is implementation-dependent whether a failure to initialize
|
||||
* results in this error code.
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
mbedtls_svc_key_id_t *key);
|
||||
+#endif
|
||||
|
||||
/**@}*/
|
||||
|
||||
diff --git a/thirdparty/mbedtls/include/psa/crypto_struct.h b/thirdparty/mbedtls/include/psa/crypto_struct.h
|
||||
index 3913551aa8..e2c227b2eb 100644
|
||||
--- a/thirdparty/mbedtls/include/psa/crypto_struct.h
|
||||
+++ b/thirdparty/mbedtls/include/psa/crypto_struct.h
|
||||
@@ -223,11 +223,13 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
|
||||
return v;
|
||||
}
|
||||
|
||||
+#ifndef __cplusplus
|
||||
struct psa_key_production_parameters_s {
|
||||
/* Future versions may add other fields in this structure. */
|
||||
uint32_t flags;
|
||||
uint8_t data[];
|
||||
};
|
||||
+#endif
|
||||
|
||||
/** The default production parameters for key generation or key derivation.
|
||||
*
|
||||
diff --git a/thirdparty/mbedtls/include/psa/crypto_types.h b/thirdparty/mbedtls/include/psa/crypto_types.h
|
||||
index c21bad86cc..a36b6ee65d 100644
|
||||
--- a/thirdparty/mbedtls/include/psa/crypto_types.h
|
||||
+++ b/thirdparty/mbedtls/include/psa/crypto_types.h
|
||||
@@ -477,7 +477,9 @@ typedef uint16_t psa_key_derivation_step_t;
|
||||
* - Other key types: reserved for future use. \c flags must be 0.
|
||||
*
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
typedef struct psa_key_production_parameters_s psa_key_production_parameters_t;
|
||||
+#endif
|
||||
|
||||
/**@}*/
|
||||
|
||||
diff --git a/thirdparty/mbedtls/library/psa_crypto_core.h b/thirdparty/mbedtls/library/psa_crypto_core.h
|
||||
index 9462d2e8be..c059162efe 100644
|
||||
--- a/thirdparty/mbedtls/library/psa_crypto_core.h
|
||||
+++ b/thirdparty/mbedtls/library/psa_crypto_core.h
|
||||
@@ -351,9 +351,11 @@ psa_status_t psa_export_public_key_internal(
|
||||
* \param[in] params The key production parameters to check.
|
||||
* \param params_data_length Size of `params->data` in bytes.
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
int psa_key_production_parameters_are_default(
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length);
|
||||
+#endif
|
||||
|
||||
/**
|
||||
* \brief Generate a key.
|
||||
@@ -378,12 +380,14 @@ int psa_key_production_parameters_are_default(
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of \p key_buffer is too small.
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params,
|
||||
size_t params_data_length,
|
||||
uint8_t *key_buffer,
|
||||
size_t key_buffer_size,
|
||||
size_t *key_buffer_length);
|
||||
+#endif
|
||||
|
||||
/** Sign a message with a private key. For hash-and-sign algorithms,
|
||||
* this includes the hashing step.
|
||||
diff --git a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h
|
||||
index ea6aee32eb..6919971aca 100644
|
||||
--- a/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h
|
||||
+++ b/thirdparty/mbedtls/library/psa_crypto_driver_wrappers.h
|
||||
@@ -728,6 +728,7 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
|
||||
}
|
||||
}
|
||||
|
||||
+#ifndef __cplusplus
|
||||
static inline psa_status_t psa_driver_wrapper_generate_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params, size_t params_data_length,
|
||||
@@ -832,6 +833,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
|
||||
|
||||
return( status );
|
||||
}
|
||||
+#endif
|
||||
|
||||
static inline psa_status_t psa_driver_wrapper_import_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
diff --git a/thirdparty/mbedtls/library/psa_crypto_rsa.h b/thirdparty/mbedtls/library/psa_crypto_rsa.h
|
||||
index ffeef26be1..6d695ddf50 100644
|
||||
--- a/thirdparty/mbedtls/library/psa_crypto_rsa.h
|
||||
+++ b/thirdparty/mbedtls/library/psa_crypto_rsa.h
|
||||
@@ -130,10 +130,12 @@ psa_status_t mbedtls_psa_rsa_export_public_key(
|
||||
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
|
||||
* The size of \p key_buffer is too small.
|
||||
*/
|
||||
+#ifndef __cplusplus
|
||||
psa_status_t mbedtls_psa_rsa_generate_key(
|
||||
const psa_key_attributes_t *attributes,
|
||||
const psa_key_production_parameters_t *params, size_t params_data_length,
|
||||
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length);
|
||||
+#endif
|
||||
|
||||
/** Sign an already-calculated hash with an RSA private key.
|
||||
*
|
Loading…
Reference in a new issue