From 08fa2380611e19d92499d3538b80f38461d6bd16 Mon Sep 17 00:00:00 2001 From: Michal Gorecki Date: Fri, 21 Mar 2025 16:48:54 +0100 Subject: [PATCH 1/3] crypto/mbedtls: Use config defining flag globally Now -DMBEDTLS_USER_CONFIG_FILE= flag is used globally for each build that depends on mbedtls package. This way we won't have to add this flag in each package that uses mbedtls. --- apps/crypto_test/pkg.yml | 2 -- apps/hash_test/pkg.yml | 2 -- crypto/mbedtls/pkg.yml | 7 +++++-- crypto/mbedtls/syscfg.yml | 4 +++- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/apps/crypto_test/pkg.yml b/apps/crypto_test/pkg.yml index 045d9a3570..0a5c38f8dd 100644 --- a/apps/crypto_test/pkg.yml +++ b/apps/crypto_test/pkg.yml @@ -28,5 +28,3 @@ pkg.deps: - "@apache-mynewt-core/sys/log" - "@apache-mynewt-core/crypto/mbedtls" - "@apache-mynewt-core/crypto/tinycrypt" - -pkg.cflags: '-DMBEDTLS_USER_CONFIG_FILE="mbedtls/config_mynewt.h"' diff --git a/apps/hash_test/pkg.yml b/apps/hash_test/pkg.yml index cf45bea829..ba0cb3118b 100644 --- a/apps/hash_test/pkg.yml +++ b/apps/hash_test/pkg.yml @@ -28,5 +28,3 @@ pkg.deps: - "@apache-mynewt-core/sys/log" - "@apache-mynewt-core/crypto/mbedtls" - "@apache-mynewt-core/crypto/tinycrypt" - -pkg.cflags: '-DMBEDTLS_USER_CONFIG_FILE="mbedtls/config_mynewt.h"' diff --git a/crypto/mbedtls/pkg.yml b/crypto/mbedtls/pkg.yml index b68eea40fe..cb8c1c24f1 100644 --- a/crypto/mbedtls/pkg.yml +++ b/crypto/mbedtls/pkg.yml @@ -26,11 +26,14 @@ pkg.keywords: - tls pkg.type: sdk -pkg.cflags: +app.cflags: - '-DMBEDTLS_USER_CONFIG_FILE=' +app.cflags.TEST: + - '-DTEST' + +pkg.cflags: - -Wno-maybe-uninitialized - -Wno-unknown-warning-option -pkg.cflags.TEST: -DTEST pkg.include_dirs: - "include" diff --git a/crypto/mbedtls/syscfg.yml b/crypto/mbedtls/syscfg.yml index 485144f41e..9315e03f05 100644 --- a/crypto/mbedtls/syscfg.yml +++ b/crypto/mbedtls/syscfg.yml 
@@ -119,8 +119,10 @@ syscfg.defs: value: 0 MBEDTLS_CIPHER_MODE_CFB: value: 0 + # XXX: This should be 0 on default, but mcuboot's test needs this enabled. Until a new mcuboot version with this + # config enabled is released we have to enable this by default. MBEDTLS_CIPHER_MODE_CTR: - value: 0 + value: 1 MBEDTLS_CIPHER_MODE_OFB: value: 0 MBEDTLS_CIPHER_MODE_XTS: From a1b6dbde98649af4794677387f8a7dbcd95c8b49 Mon Sep 17 00:00:00 2001 From: Michal Gorecki Date: Thu, 20 Mar 2025 15:30:50 +0100 Subject: [PATCH 2/3] crypto/mbedtls: Add unit test for mynewt GCM This adds unit test for additional mynewt GCM related APIs --- crypto/mbedtls/selftest/src/mbedtls_test.c | 2 + crypto/mbedtls/selftest/src/mbedtls_test.h | 1 + .../selftest/src/testcases/gcm_mynewt_test.c | 140 ++++++++++++++++++ 3 files changed, 143 insertions(+) create mode 100644 crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.c b/crypto/mbedtls/selftest/src/mbedtls_test.c index f746cc8662..6928c5cee8 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.c +++ b/crypto/mbedtls/selftest/src/mbedtls_test.c @@ -85,6 +85,7 @@ TEST_CASE_DECL(sha512_test) TEST_CASE_DECL(timing_test) TEST_CASE_DECL(x509_test) TEST_CASE_DECL(xtea_test) +TEST_CASE_DECL(gcm_mynewt_test) TEST_SUITE(mbedtls_test_all) { @@ -120,6 +121,7 @@ TEST_SUITE(mbedtls_test_all) timing_test(); x509_test(); xtea_test(); + gcm_mynewt_test(); } int diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.h b/crypto/mbedtls/selftest/src/mbedtls_test.h index 0d1c751400..f4ebb14fff 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.h +++ b/crypto/mbedtls/selftest/src/mbedtls_test.h @@ -56,6 +56,7 @@ #include "mbedtls/timing.h" #include "mbedtls/x509.h" #include "mbedtls/xtea.h" +#include "gcm_mynewt.h" #ifdef __cplusplus extern "C" { 
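Review bot: The commit message says nothing about the `MBEDTLS_CIPHER_MODE_CTR` default flipping from 0 to 1 in this hunk, although that is a behavioural change for every target that presumably takes the package defaults, not part of the build-flag cleanup the description covers, so it is easy to miss in the log. Either describe it in the description or split it into its own commit. The XXX comment should also name the condition for reverting so it can be tracked, e.g. `# TODO: revert to 0 once the mcuboot release that enables MBEDTLS_CIPHER_MODE_CTR itself is in use.` A mode compiled in by default is also code in every image that links mbedtls, which is worth weighing against the test convenience.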
diff --git a/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c
new file mode 100644
index 0000000000..f13bf7f970
--- /dev/null
+++ b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+#include "mbedtls_test.h"
+
+#define AES_BLK_SZ 16
+
+static const mbedtls_cipher_info_t *rsm_ucast_cipher;
+
+/* This contains both ADD and plaintext for encryption */
+static const uint8_t initial_data[110] = {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A,
+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A,
+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A,
+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A,
+ 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
+ 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A,
+ 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A,
+ 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A,
+ 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A,
+ 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9A,
+ 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA
+};
+static const uint8_t key[32] = {
+ 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A,
+ 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A,
+ 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A,
+ 0xC0, 0xCA, 0xC0, 0x1A, 0xC0, 0xCA, 0xC0, 0x1A
+};
+static const uint8_t iv[12] = { 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xA, 0xB };
+static const uint8_t expected_tag[16] = { 0x05, 0x5D, 0x8E, 0xD4, 0xF9, 0x2A, 0x87, 0x87,
+ 0x6F, 0x23, 0xF2, 0xE6, 0xF0, 0x1D, 0x6D, 0x5C };
+
+static uint8_t test_tag[16];
+static uint8_t test_buf[110];
+
+static int mbedtls_gcm_mynewt_test_crypt(uint8_t enc)
+{
+ int add_len = 40;
+ mbedtls_gcm_context ctx;
+ mbedtls_aes_context aes_ctx;
+ uint8_t *ptr;
+
+ uint16_t off;
+ uint16_t blklen;
+ uint16_t totlen;
+ int rc;
+
+ if (rsm_ucast_cipher == NULL) {
+ rsm_ucast_cipher =
+ mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, 256,
+ MBEDTLS_MODE_ECB);
+ }
+
+ memset(&ctx, 0, sizeof(ctx));
+ mbedtls_aes_init(&aes_ctx);
+ rc = mbedtls_gcm_setkey_noalloc(&ctx, rsm_ucast_cipher, key, &aes_ctx);
+ if (rc) {
+ goto out;
+ }
+
+ rc = mbedtls_gcm_starts(&ctx,
+ enc == 1 ? MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
+ iv, sizeof(iv), NULL, 0);
+ if (rc) {
+ goto out;
+ }
+
+ off = 0;
+ totlen = 110;
+
+ while (off < totlen) {
+ ptr = test_buf + off;
+ blklen = sizeof(test_buf) - off;
+ if (blklen < AES_BLK_SZ) {
+ blklen = AES_BLK_SZ;
+ } else {
+ blklen &= ~(AES_BLK_SZ - 1);
+ }
+ if (off < add_len) {
+ if (blklen + off > add_len) {
+ blklen = add_len - off;
+ }
+ } else {
+ if (blklen + off > totlen) {
+ blklen = totlen - off;
+ }
+ }
+
+ if (off < add_len) {
+ mbedtls_gcm_update_add(&ctx, blklen, ptr);
+ } else {
+ rc = mbedtls_gcm_update(&ctx, blklen, ptr, ptr);
+ if (rc) {
+ goto out;
+ }
+ }
+
+ off += blklen;
+ }
+
+ rc = mbedtls_gcm_finish(&ctx, test_tag, sizeof(test_tag));
+out:
+ memset(&ctx, 0, sizeof(ctx));
+ mbedtls_aes_free(&aes_ctx);
+ if (rc) {
+ return 1;
+ }
+ return 0;
+}
+
+TEST_CASE_SELF(gcm_mynewt_test)
+{
+ int rc;
+
+ memcpy(test_buf, initial_data, sizeof(initial_data));
+
+ rc = mbedtls_gcm_mynewt_test_crypt(1);
+ TEST_ASSERT(rc == 0);
+
+ rc = mbedtls_gcm_mynewt_test_crypt(0);
+ TEST_ASSERT(rc == 0);
+ TEST_ASSERT(memcmp(test_tag, expected_tag, sizeof(test_tag)) == 0);
+ TEST_ASSERT(memcmp(test_buf, initial_data, sizeof(test_buf)) == 0);
+}
From 9246da3cee64db29481df954e68600e7dfd51c5c Mon Sep 17 00:00:00 2001
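Review bot: The return value of `mbedtls_gcm_update_add` is dropped in the AAD branch of the while loop in mbedtls_gcm_mynewt_test_crypt, although the header (see the declaration removed in the 3/3 patch) declares it as returning int with MBEDTLS_ERR_GCM_BAD_INPUT on failure, so a rejected AAD chunk would only surface indirectly as a tag mismatch several assertions later instead of at the call that failed. Check it the same way as the `mbedtls_gcm_update` branch: `rc = mbedtls_gcm_update_add(&ctx, blklen, ptr);` followed by `if (rc) { goto out; }`. The same unchecked call survives the rename to `mbedtls_gcm_update_ad` in the 3/3 patch's -103,18 hunk of this file. The test also compares `test_tag` against `expected_tag` only after the decrypt pass; asserting it after the encrypt pass too would catch a regression in which the two passes agree with each other but not with the reference vector.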
From: Michal Gorecki Date: Wed, 12 Mar 2025 12:27:36 +0100 Subject: [PATCH 3/3] crypto/mbedtls: Upgrade to v3.6.2 This upgrades mbedtls version to v3.6.2: 1. mbedtls repository changed to version v3.6.2 2. Removed tests that are no longer supported 3. Updated/modified gcm_mynewt API: a) Function mbedtls_gcm_update_add is removed, because now function mbedtls_gcm_update_ad from mbedtls upstream provides the same functionality. b) Due to internal mbedtls API changes mbedtls_gcm_setkey_noalloc function now needs one argument more, which is keybits. This argument specifies length of key in bits and should be set to 128, 192 or 256. Other values won't be accepted. In earlier version this could be extracted from mbedtls_cipher_info_t key_bitlen field, which is no longer the case - now it's 4 bit bitfield later processed by internal mbedtls macros. It probably would be possible to not break these APIs, but since a lot of mbedtls APIs were changed in new version it was assumed that migration changes in projects using mbedtls would be necessary anyway.
--- .../mbedtls/include/mbedtls/config_mynewt.h | 1 + crypto/mbedtls/include/mbedtls/gcm_mynewt.h | 26 +- crypto/mbedtls/pkg.yml | 2 +- crypto/mbedtls/selftest/src/mbedtls_test.c | 14 -- crypto/mbedtls/selftest/src/mbedtls_test.h | 6 - .../selftest/src/testcases/arc4_test.c | 27 -- .../selftest/src/testcases/gcm_mynewt_test.c | 21 +- .../mbedtls/selftest/src/testcases/md2_test.c | 27 -- .../mbedtls/selftest/src/testcases/md4_test.c | 27 -- .../selftest/src/testcases/timing_test.c | 27 -- .../selftest/src/testcases/x509_test.c | 27 -- .../selftest/src/testcases/xtea_test.c | 27 -- crypto/mbedtls/src/gcm_mynewt.c | 230 +++++++----------- 13 files changed, 104 insertions(+), 358 deletions(-) delete mode 100644 crypto/mbedtls/selftest/src/testcases/arc4_test.c delete mode 100644 crypto/mbedtls/selftest/src/testcases/md2_test.c delete mode 100644 crypto/mbedtls/selftest/src/testcases/md4_test.c delete mode 100644 crypto/mbedtls/selftest/src/testcases/timing_test.c delete mode 100644 crypto/mbedtls/selftest/src/testcases/x509_test.c delete mode 100644 crypto/mbedtls/selftest/src/testcases/xtea_test.c diff --git a/crypto/mbedtls/include/mbedtls/config_mynewt.h b/crypto/mbedtls/include/mbedtls/config_mynewt.h index 57b39c1194..ebe3676b38 100644 --- a/crypto/mbedtls/include/mbedtls/config_mynewt.h +++ b/crypto/mbedtls/include/mbedtls/config_mynewt.h @@ -501,6 +501,7 @@ extern "C" { #undef MBEDTLS_PSA_CRYPTO_SE_C #undef MBEDTLS_PSA_CRYPTO_STORAGE_C #undef MBEDTLS_PSA_ITS_FILE_C +#undef MBEDTLS_LMS_C #ifdef __cplusplus } diff --git a/crypto/mbedtls/include/mbedtls/gcm_mynewt.h b/crypto/mbedtls/include/mbedtls/gcm_mynewt.h index b0746448a0..40945bd48c 100644 --- a/crypto/mbedtls/include/mbedtls/gcm_mynewt.h +++ b/crypto/mbedtls/include/mbedtls/gcm_mynewt.h 
@@ -20,38 +20,16 @@ #ifndef _GCM_MYNEWT_H_ #define _GCM_MYNEWT_H_ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include -/** - * \brief This function feeds an input buffer into an ongoing GCM - * encryption or decryption operation as additional data. - * This needs to be called before starting enc/dec - * operations. - * - * ` The function expects input to be a multiple of 16 - * Bytes. Only the last call before mbedtls_gcm_update() or - * mbedtls_gcm_finish() can be less than 16 Bytes. - * - * - * \param ctx The GCM context. - * \param length The length of the input data. This must be a multiple of - * 16 except in the last call before mbedtls_gcm_finish(). - * \param input The buffer holding the input ADD. - * - * \return \c 0 on success. - * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure. - */ -int mbedtls_gcm_update_add( mbedtls_gcm_context *ctx, - size_t length, - const unsigned char *input ); - - /** * Same as mbedtls_gcm_setkey, but with preallocated memory for cipher algorithm context */ int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, + unsigned int keybits, void *cipher_ctx); diff --git a/crypto/mbedtls/pkg.yml b/crypto/mbedtls/pkg.yml index cb8c1c24f1..4cb20931d8 100644 --- a/crypto/mbedtls/pkg.yml +++ b/crypto/mbedtls/pkg.yml @@ -47,7 +47,7 @@ pkg.src_dirs: repository.mbedtls: type: github - vers: v2.28.9-commit + vers: v3.6.2-commit branch: master user: Mbed-TLS repo: mbedtls diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.c b/crypto/mbedtls/selftest/src/mbedtls_test.c index 6928c5cee8..a8547c1f08 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.c +++ b/crypto/mbedtls/selftest/src/mbedtls_test.c @@ -27,7 +27,6 @@ #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" #include "mbedtls/aes.h" -#include "mbedtls/arc4.h" #include "mbedtls/bignum.h" #include "mbedtls/ccm.h" #include "mbedtls/dhm.h" 
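Review bot: `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` is placed in the public gcm_mynewt.h ahead of the mbedtls include, so any translation unit that includes this header before other mbedtls headers silently gets private-field access to every mbedtls structure, which defeats the encapsulation the 3.x API introduced and hides misuse in callers rather than in this package. Move the define into gcm_mynewt.c ahead of its own includes, where the `ctx->cipher_ctx` accesses actually live, and keep the header clean. The comment on `mbedtls_gcm_setkey_noalloc` should also document the new parameter, since the accepted values are the one thing the implementation now checks, e.g. `\param keybits Key length in bits; only 128, 192 or 256 are accepted, any other value returns MBEDTLS_ERR_GCM_BAD_INPUT.`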
@@ -41,7 +40,6 @@ #include "mbedtls/ripemd160.h" #include "mbedtls/rsa.h" #include "mbedtls/x509.h" -#include "mbedtls/xtea.h" #include "mbedtls/poly1305.h" #include "mbedtls/chacha20.h" #include "mbedtls/chachapoly.h" @@ -53,7 +51,6 @@ #include "mbedtls/timing.h" TEST_CASE_DECL(aes_test) -TEST_CASE_DECL(arc4_test) TEST_CASE_DECL(aria_test) TEST_CASE_DECL(base64_test) TEST_CASE_DECL(bignum_test) @@ -70,8 +67,6 @@ TEST_CASE_DECL(ecp_test) TEST_CASE_DECL(entropy_test) TEST_CASE_DECL(gcm_test) TEST_CASE_DECL(hmac_drbg_test) -TEST_CASE_DECL(md2_test) -TEST_CASE_DECL(md4_test) TEST_CASE_DECL(md5_test) TEST_CASE_DECL(memory_buffer_alloc_test) TEST_CASE_DECL(nist_kw_test) @@ -82,15 +77,11 @@ TEST_CASE_DECL(rsa_test) TEST_CASE_DECL(sha1_test) TEST_CASE_DECL(sha256_test) TEST_CASE_DECL(sha512_test) -TEST_CASE_DECL(timing_test) -TEST_CASE_DECL(x509_test) -TEST_CASE_DECL(xtea_test) TEST_CASE_DECL(gcm_mynewt_test) TEST_SUITE(mbedtls_test_all) { aes_test(); - arc4_test(); aria_test(); base64_test(); bignum_test(); @@ -107,8 +98,6 @@ TEST_SUITE(mbedtls_test_all) entropy_test(); gcm_test(); hmac_drbg_test(); - md2_test(); - md4_test(); md5_test(); nist_kw_test(); pkcs5_test(); @@ -118,9 +107,6 @@ TEST_SUITE(mbedtls_test_all) sha1_test(); sha256_test(); sha512_test(); - timing_test(); - x509_test(); - xtea_test(); gcm_mynewt_test(); } diff --git a/crypto/mbedtls/selftest/src/mbedtls_test.h b/crypto/mbedtls/selftest/src/mbedtls_test.h index f4ebb14fff..5f6286df2e 100644 --- a/crypto/mbedtls/selftest/src/mbedtls_test.h +++ b/crypto/mbedtls/selftest/src/mbedtls_test.h @@ -25,7 +25,6 @@ #include "testutil/testutil.h" #include "mbedtls/aes.h" -#include "mbedtls/arc4.h" #include "mbedtls/aria.h" #include "mbedtls/base64.h" #include "mbedtls/bignum.h" @@ -42,8 +41,6 @@ #include "mbedtls/entropy.h" #include "mbedtls/gcm.h" #include "mbedtls/hmac_drbg.h" -#include "mbedtls/md2.h" -#include "mbedtls/md4.h" #include "mbedtls/md5.h" #include "mbedtls/nist_kw.h" #include "mbedtls/pkcs5.h" 
@@ -53,9 +50,6 @@ #include "mbedtls/sha1.h" #include "mbedtls/sha256.h" #include "mbedtls/sha512.h" -#include "mbedtls/timing.h" -#include "mbedtls/x509.h" -#include "mbedtls/xtea.h" #include "gcm_mynewt.h" #ifdef __cplusplus diff --git a/crypto/mbedtls/selftest/src/testcases/arc4_test.c b/crypto/mbedtls/selftest/src/testcases/arc4_test.c deleted file mode 100644 index c4f4ec251d..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/arc4_test.c +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(arc4_test) -{ - int rc; - - rc = mbedtls_arc4_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c index f13bf7f970..f062f2b4e0 100644 --- a/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c +++ b/crypto/mbedtls/selftest/src/testcases/gcm_mynewt_test.c @@ -59,6 +59,7 @@ static int mbedtls_gcm_mynewt_test_crypt(uint8_t enc) uint16_t off; uint16_t blklen; uint16_t totlen; + size_t len_check; int rc; if (rsm_ucast_cipher == NULL) { 
@@ -69,14 +70,14 @@ static int mbedtls_gcm_mynewt_test_crypt(uint8_t enc)
 
 memset(&ctx, 0, sizeof(ctx));
 mbedtls_aes_init(&aes_ctx);
- rc = mbedtls_gcm_setkey_noalloc(&ctx, rsm_ucast_cipher, key, &aes_ctx);
+ rc = mbedtls_gcm_setkey_noalloc(&ctx, rsm_ucast_cipher, key, 256, &aes_ctx);
 if (rc) {
 goto out;
 }
 
 rc = mbedtls_gcm_starts(&ctx,
 enc == 1 ? MBEDTLS_GCM_ENCRYPT : MBEDTLS_GCM_DECRYPT,
- iv, sizeof(iv), NULL, 0);
+ iv, sizeof(iv));
 if (rc) {
 goto out;
 }
@@ -103,18 +104,26 @@ static int mbedtls_gcm_mynewt_test_crypt(uint8_t enc)
 }
 
 if (off < add_len) {
- mbedtls_gcm_update_add(&ctx, blklen, ptr);
+ mbedtls_gcm_update_ad(&ctx, ptr, blklen);
 } else {
- rc = mbedtls_gcm_update(&ctx, blklen, ptr, ptr);
+ rc = mbedtls_gcm_update(&ctx, ptr, blklen, ptr, blklen, &len_check);
 if (rc) {
 goto out;
 }
+ if (len_check != blklen) {
+ rc = 1;
+ goto out;
+ }
 }
 
 off += blklen;
 }
 
- rc = mbedtls_gcm_finish(&ctx, test_tag, sizeof(test_tag));
+ rc = mbedtls_gcm_finish(&ctx, NULL, 0, &len_check, test_tag, sizeof(test_tag));
+ if (len_check != 0) {
+ rc = 1;
+ goto out;
+ }
 out:
 memset(&ctx, 0, sizeof(ctx));
 mbedtls_aes_free(&aes_ctx);
@@ -136,5 +145,5 @@ TEST_CASE_SELF(gcm_mynewt_test)
 rc = mbedtls_gcm_mynewt_test_crypt(0);
 TEST_ASSERT(rc == 0);
 TEST_ASSERT(memcmp(test_tag, expected_tag, sizeof(test_tag)) == 0);
- TEST_ASSERT(memcmp(test_buf, initial_data, sizeof(test_buf)) == 0);
+ TEST_ASSERT(memcmp(test_buf, initial_data, sizeof(initial_data)) == 0);
 }
diff --git a/crypto/mbedtls/selftest/src/testcases/md2_test.c b/crypto/mbedtls/selftest/src/testcases/md2_test.c
deleted file mode 100644
index c65be75735..0000000000
--- a/crypto/mbedtls/selftest/src/testcases/md2_test.c
+++ /dev/null
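Review bot: After `rc = mbedtls_gcm_finish(&ctx, NULL, 0, &len_check, test_tag, sizeof(test_tag));` in the -103,18 hunk, the added check reads `len_check` even when finish returned an error, and `len_check` is declared without an initialiser in the -59,6 hunk above, so on the error path the comparison is against an indeterminate value; the `goto out` inside that check also jumps to the label on the very next line. Make the check conditional on success, `if (rc == 0 && len_check != 0) { rc = 1; }`, or initialise `size_t len_check = 0;` at the declaration so the error path stays well-defined either way. The same pattern in the `mbedtls_gcm_update` branch is fine because it only runs after `rc` was checked.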
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(md2_test) -{ - int rc; - - rc = mbedtls_md2_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/md4_test.c b/crypto/mbedtls/selftest/src/testcases/md4_test.c deleted file mode 100644 index 1edf8e115b..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/md4_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(md4_test) -{ - int rc; - - rc = mbedtls_md4_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/timing_test.c b/crypto/mbedtls/selftest/src/testcases/timing_test.c deleted file mode 100644 index 97d6bc5ad4..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/timing_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(timing_test) -{ - int rc; - - rc = mbedtls_timing_self_test(0); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/x509_test.c b/crypto/mbedtls/selftest/src/testcases/x509_test.c deleted file mode 100644 index b89bfe9c25..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/x509_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(x509_test) -{ - int rc; - - rc = mbedtls_x509_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/selftest/src/testcases/xtea_test.c b/crypto/mbedtls/selftest/src/testcases/xtea_test.c deleted file mode 100644 index b0f29b7ead..0000000000 --- a/crypto/mbedtls/selftest/src/testcases/xtea_test.c +++ /dev/null 
@@ -1,27 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -#include "mbedtls_test.h" - -TEST_CASE_SELF(xtea_test) -{ - int rc; - - rc = mbedtls_xtea_self_test(1); - TEST_ASSERT(rc == 0); -} diff --git a/crypto/mbedtls/src/gcm_mynewt.c b/crypto/mbedtls/src/gcm_mynewt.c index dfd68f5594..f846124633 100644 --- a/crypto/mbedtls/src/gcm_mynewt.c +++ b/crypto/mbedtls/src/gcm_mynewt.c 
@@ -63,193 +63,133 @@ #include #if defined(MBEDTLS_AESNI_C) -#include "mbedtls/aesni.h" +#include "aesni.h" #endif #if !defined(MBEDTLS_GCM_ALT) -/* Parameter validation macros */ -#define GCM_VALIDATE_RET(cond) \ - MBEDTLS_INTERNAL_VALIDATE_RET(cond, MBEDTLS_ERR_GCM_BAD_INPUT) -#define GCM_VALIDATE(cond) \ - MBEDTLS_INTERNAL_VALIDATE(cond) +/* Used to select the acceleration mechanism */ +#define MBEDTLS_GCM_ACC_SMALLTABLE 0 +#define MBEDTLS_GCM_ACC_LARGETABLE 1 +#define MBEDTLS_GCM_ACC_AESNI 2 +#define MBEDTLS_GCM_ACC_AESCE 3 -/* - * Precompute small multiples of H, that is set - * HH[i] || HL[i] = H times i, - * where i is seen as a field element as in [MGV], ie high-order bits - * correspond to low powers of P. The result is stored in the same way, that - * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL - * corresponds to P^127. - */ -static int gcm_gen_table(mbedtls_gcm_context *ctx) +static inline void gcm_set_acceleration(mbedtls_gcm_context *ctx) { - int ret, i, j; - uint64_t hi, lo; - uint64_t vl, vh; - unsigned char h[16]; - size_t olen = 0; - - memset(h, 0, 16); - if ((ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen)) != 0) { - return ret; - } - - /* pack h as two 64-bits ints, big-endian */ - hi = MBEDTLS_GET_UINT32_BE(h, 0); - lo = MBEDTLS_GET_UINT32_BE(h, 4); - vh = (uint64_t) hi << 32 | lo; - - hi = MBEDTLS_GET_UINT32_BE(h, 8); - lo = MBEDTLS_GET_UINT32_BE(h, 12); - vl = (uint64_t) hi << 32 | lo; - - /* 8 = 1000 corresponds to 1 in GF(2^128) */ - ctx->HL[8] = vl; - ctx->HH[8] = vh; +#if defined(MBEDTLS_GCM_LARGE_TABLE) + ctx->acceleration = MBEDTLS_GCM_ACC_LARGETABLE; +#else + ctx->acceleration = MBEDTLS_GCM_ACC_SMALLTABLE; +#endif #if defined(MBEDTLS_AESNI_HAVE_CODE) /* With CLMUL support, we need only h, not the rest of the table */ if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - return 0; + ctx->acceleration = MBEDTLS_GCM_ACC_AESNI; } #endif - /* 0 corresponds to 0 in GF(2^128) */ - ctx->HH[0] = 0; 
- ctx->HL[0] = 0; - - for (i = 4; i > 0; i >>= 1) { - uint32_t T = (vl & 1) * 0xe1000000U; - vl = (vh << 63) | (vl >> 1); - vh = (vh >> 1) ^ ((uint64_t) T << 32); - - ctx->HL[i] = vl; - ctx->HH[i] = vh; +#if defined(MBEDTLS_AESCE_HAVE_CODE) + if (MBEDTLS_AESCE_HAS_SUPPORT()) { + ctx->acceleration = MBEDTLS_GCM_ACC_AESCE; } - - for (i = 2; i <= 8; i *= 2) { - uint64_t *HiL = ctx->HL + i, *HiH = ctx->HH + i; - vh = *HiH; - vl = *HiL; - for (j = 1; j < i; j++) { - HiH[j] = vh ^ ctx->HH[j]; - HiL[j] = vl ^ ctx->HL[j]; - } - } - - return 0; +#endif } -/* - * Shoup's method for multiplication use this table with - * last4[x] = x times P^128 - * where x and last4[x] are seen as elements of GF(2^128) as in [MGV] - */ -static const uint64_t last4[16] = +static inline void gcm_gen_table_rightshift(uint64_t dst[2], const uint64_t src[2]) { - 0x0000, 0x1c20, 0x3840, 0x2460, - 0x7080, 0x6ca0, 0x48c0, 0x54e0, - 0xe100, 0xfd20, 0xd940, 0xc560, - 0x9180, 0x8da0, 0xa9c0, 0xb5e0 -}; + uint8_t *u8Dst = (uint8_t *) dst; + uint8_t *u8Src = (uint8_t *) src; + + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[1], 0) >> 1, &dst[1], 0); + u8Dst[8] |= (u8Src[7] & 0x01) << 7; + MBEDTLS_PUT_UINT64_BE(MBEDTLS_GET_UINT64_BE(&src[0], 0) >> 1, &dst[0], 0); + u8Dst[0] ^= (u8Src[15] & 0x01) ? 0xE1 : 0; +} /* - * Sets output to x times H using the precomputed tables. - * x and output are seen as elements of GF(2^128) as in [MGV]. + * Precompute small multiples of H, that is set + * HH[i] || HL[i] = H times i, + * where i is seen as a field element as in [MGV], ie high-order bits + * correspond to low powers of P. The result is stored in the same way, that + * is the high-order bit of HH corresponds to P^0 and the low-order bit of HL + * corresponds to P^127. 
*/ -static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16], - unsigned char output[16]) +static int gcm_gen_table(mbedtls_gcm_context *ctx) { - int i = 0; - unsigned char lo, hi, rem; - uint64_t zh, zl; - -#if defined(MBEDTLS_AESNI_HAVE_CODE) - if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) { - unsigned char h[16]; - - MBEDTLS_PUT_UINT32_BE(ctx->HH[8] >> 32, h, 0); - MBEDTLS_PUT_UINT32_BE(ctx->HH[8], h, 4); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8] >> 32, h, 8); - MBEDTLS_PUT_UINT32_BE(ctx->HL[8], h, 12); + int ret, i, j; + uint64_t u64h[2] = { 0 }; + uint8_t *h = (uint8_t *) u64h; - mbedtls_aesni_gcm_mult(output, x, h); - return; +#if defined(MBEDTLS_BLOCK_CIPHER_C) + ret = mbedtls_block_cipher_encrypt(&ctx->block_cipher_ctx, h, h); +#else + size_t olen = 0; + ret = mbedtls_cipher_update(&ctx->cipher_ctx, h, 16, h, &olen); +#endif + if (ret != 0) { + return ret; } -#endif /* MBEDTLS_AESNI_HAVE_CODE */ - - lo = x[15] & 0xf; - - zh = ctx->HH[lo]; - zl = ctx->HL[lo]; - - for (i = 15; i >= 0; i--) { - lo = x[i] & 0xf; - hi = (x[i] >> 4) & 0xf; - - if (i != 15) { - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[lo]; - zl ^= ctx->HL[lo]; - } + gcm_set_acceleration(ctx); - rem = (unsigned char) zl & 0xf; - zl = (zh << 60) | (zl >> 4); - zh = (zh >> 4); - zh ^= (uint64_t) last4[rem] << 48; - zh ^= ctx->HH[hi]; - zl ^= ctx->HL[hi]; - } + /* MBEDTLS_GCM_HTABLE_SIZE/2 = 1000 corresponds to 1 in GF(2^128) */ + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][0] = u64h[0]; + ctx->H[MBEDTLS_GCM_HTABLE_SIZE/2][1] = u64h[1]; - MBEDTLS_PUT_UINT32_BE(zh >> 32, output, 0); - MBEDTLS_PUT_UINT32_BE(zh, output, 4); - MBEDTLS_PUT_UINT32_BE(zl >> 32, output, 8); - MBEDTLS_PUT_UINT32_BE(zl, output, 12); -} + switch (ctx->acceleration) { +#if defined(MBEDTLS_AESNI_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESNI: + return 0; +#endif -int mbedtls_gcm_update_add( mbedtls_gcm_context *ctx, - size_t add_len, - const 
unsigned char *add ) -{ - const unsigned char *p; - size_t i; - size_t use_len; +#if defined(MBEDTLS_AESCE_HAVE_CODE) + case MBEDTLS_GCM_ACC_AESCE: + return 0; +#endif - if ( ctx->add_len & 15 ) - { - return( MBEDTLS_ERR_GCM_BAD_INPUT ); - } - ctx->add_len += add_len; - p = add; + default: + /* 0 corresponds to 0 in GF(2^128) */ + ctx->H[0][0] = 0; + ctx->H[0][1] = 0; - while (add_len > 0) - { - use_len = ( add_len < 16 ) ? add_len : 16; + for (i = MBEDTLS_GCM_HTABLE_SIZE/4; i > 0; i >>= 1) { + gcm_gen_table_rightshift(ctx->H[i], ctx->H[i*2]); + } - for( i = 0; i < use_len; i++ ) { - ctx->buf[i] ^= p[i]; +#if !defined(MBEDTLS_GCM_LARGE_TABLE) + /* pack elements of H as 64-bits ints, big-endian */ + for (i = MBEDTLS_GCM_HTABLE_SIZE/2; i > 0; i >>= 1) { + MBEDTLS_PUT_UINT64_BE(ctx->H[i][0], &ctx->H[i][0], 0); + MBEDTLS_PUT_UINT64_BE(ctx->H[i][1], &ctx->H[i][1], 0); } - gcm_mult( ctx, ctx->buf, ctx->buf ); +#endif - add_len -= use_len; - p += use_len; + for (i = 2; i < MBEDTLS_GCM_HTABLE_SIZE; i <<= 1) { + for (j = 1; j < i; j++) { + mbedtls_xor_no_simd((unsigned char *) ctx->H[i+j], + (unsigned char *) ctx->H[i], + (unsigned char *) ctx->H[j], + 16); + } + } } - return( 0 ); + return 0; } int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, const mbedtls_cipher_info_t *cipher_info, const unsigned char *key, + unsigned int keybits, void *cipher_ctx) { int ret; + if (keybits != 128 && keybits != 192 && keybits != 256) { + return MBEDTLS_ERR_GCM_BAD_INPUT; + } + ctx->cipher_ctx.cipher_info = cipher_info; ctx->cipher_ctx.cipher_ctx = cipher_ctx; #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) @@ -266,7 +206,7 @@ int mbedtls_gcm_setkey_noalloc( mbedtls_gcm_context *ctx, #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ if( ( ret = mbedtls_cipher_setkey( &ctx->cipher_ctx, key, - cipher_info->key_bitlen, + keybits, MBEDTLS_ENCRYPT ) ) != 0 ) { return( ret );
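Review bot: `mbedtls_gcm_setkey_noalloc` only knows about `ctx->cipher_ctx` (it assigns `cipher_info` and `cipher_ctx` into it), while `gcm_gen_table` in the same hunk now derives the hash subkey through `ctx->block_cipher_ctx` whenever `MBEDTLS_BLOCK_CIPHER_C` is defined, so the two halves of the file only agree when that option is off and nothing in the patch states that (config_mynewt.h is not shown undefining it). Make the constraint explicit at the top of the file's GCM section: `#if defined(MBEDTLS_BLOCK_CIPHER_C)` / `#error "gcm_mynewt.c requires the legacy cipher layer; undefine MBEDTLS_BLOCK_CIPHER_C"` / `#endif`, so a config change fails with a clear message instead of at an unrelated private-field access. The added `keybits` guard returning MBEDTLS_ERR_GCM_BAD_INPUT is the right call; a one-line comment above it noting that the value must also match what `cipher_info` expects, since it is passed straight to mbedtls_cipher_setkey in the -266,7 hunk, would save the next reader a trip into the 3.x cipher layer. The body of mbedtls_gcm_setkey_noalloc continues past the end of both hunks.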