Comparing changes

base repository: Mbed-TLS/mbedtls
base: 18573354f7dd224ba588c0151b4eede41f6e975d
head repository: Mbed-TLS/mbedtls
compare: e323fb3ab5bf9dbdec8731c29108697e8d611755

Commits on Mar 15, 2023

  1. Add Threat Model Summary

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023

    ce2985b
  2. Threat Model: Improve wording

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    
    Co-authored-by: Dave Rodgman <dave.rodgman@arm.com>
    yanesca and daverodgman committed Mar 15, 2023
    661c88f
  3. Threat Model: Miscellaneous clarifications

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    e57ed98
  4. Threat Model: reorganise threat definitions

    Simplify organisation by placing threat definitions in their respective
    sections.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    5adb2c2
  5. Threat Model: increase classification detail

    Originally for the sake of simplicity there was a single category for
    software based attacks, namely timing side channel attacks.
    
    Be more precise and categorise attacks as software based whether or not
    they rely on physical information.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    adc8a0b
  6. Threat model: explain dangling countermeasures

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    389cdf4
  7. Threat Model: move the block cipher section

    The block cipher exception affects both remote and local timing attacks.
    Move them to the Caveats section and reference it from both the local
    and the remote attack section.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    5e68d3b
  8. Threat Model: improve wording

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    18ffba6
  9. Threat Model: clarify attack vectors

    Timing attacks can be launched by any of the main 3 attackers. Clarify
    exactly how these are covered.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    8257d8a
  10. Threat Model: improve wording and grammar

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    6ce259d
  11. Threat Model: clarify stance on timing attacks

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    08094b8
  12. Threat Model: remove references

    Remove references to scientific papers as they are too specific and
    might be misleading.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    e3d677c
  13. Threat Model: adjust modality

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    6cd0459
  14. Threat Model: adjust to 2.28

    MBEDTLS_AESCE_C is not available in 2.28, remove it from workarounds.
    
    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 15, 2023
    35f5ef0

Commits on Mar 16, 2023

  1. Threat Model: fix copy paste

    Signed-off-by: Janos Follath <janos.follath@arm.com>
    yanesca committed Mar 16, 2023
    8305051
  2. Merge pull request #999 from yanesca/threat_model_summary-2.28

    Threat model summary 2.28
    daverodgman authored Mar 16, 2023
    b3b9059

Commits on Mar 17, 2023

  1. Merge remote-tracking branch 'development/mbedtls-2.28' into mbedtls-2.28-restricted

    Signed-off-by: Paul Elliott <paul.elliott@arm.com>
    paul-elliott-arm committed Mar 17, 2023
    01298e6
  2. Add space to appease doxygen bug

    See doxygen/doxygen#8706
    
    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    c9d8c33
  3. Tell Doxygen to generate XML

    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    62ef621
  4. Add initial API doc configuration

    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    241b040
  5. Add configuration for Read The Docs

    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    7f7aadd
  6. Ignore mbedtls macros causing warnings

    Sphinx's breathe plugin cannot readily parse the Mbed TLS macros, so
    define the less essential ones away at the doxygen step to reduce the
    number of warnings.
    
    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    e04d492
  7. Add exemption for make.bat in checks for tabs

    Signed-off-by: David Horstmann <david.horstmann@arm.com>
    davidhorstmann-arm committed Mar 17, 2023
    89bf31d
  8. Update bibliographic references

    There are new versions of the Intel whitepapers and they've moved.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    6055b78
  9. Don't warn about Msan/Valgrind if AESNI isn't actually built

    The warning is only correct if the assembly code for AESNI is built, not if
    MBEDTLS_AESNI_C is activated but MBEDTLS_HAVE_ASM is disabled or the target
    architecture isn't x86_64.
    
    This is a partial fix for #7236.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    18d521a
  10. Improve the presentation of assembly blocks

    Uncrustify indents
    ```
        asm("foo"
            HELLO "bar"
                  "wibble");
    ```
    but we would like
    ```
        asm("foo"
            HELLO "bar"
            "wibble");
    ```
    Make "bar" an argument of the macro HELLO, which makes the indentation from
    uncrustify match the semantics (everything should be aligned to the same
    column).
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    2808a60
  11. New preprocessor symbol indicating that AESNI support is present

    The configuration symbol MBEDTLS_AESNI_C requests AESNI support, but it is
    ignored if the platform doesn't have AESNI. This allows keeping
    MBEDTLS_AESNI_C enabled (as it is in the default build) when building for
    platforms other than x86_64, or when MBEDTLS_HAVE_ASM is disabled.
    
    To facilitate maintenance, always use the symbol MBEDTLS_AESNI_HAVE_CODE to
    answer the question "can I call mbedtls_aesni_xxx functions?", rather than
    repeating the check `defined(MBEDTLS_AESNI_C) && ...`.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    5511a34
  12. AES, GCM selftest: indicate which implementation is used

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    2c8ad94
  13. AESNI: add implementation with intrinsics

    As of this commit, to use the intrinsics for MBEDTLS_AESNI_C:
    
    * With MSVC, this should be the default.
    * With Clang, build with `clang -maes -mpclmul` or equivalent.
    * With GCC, build with `gcc -mpclmul -msse2` or equivalent.
    
    In particular, for now, with a GCC-like compiler, when building specifically
    for a target that supports both the AES and GCM instructions, the old
    implementation using assembly is selected.
    
    This method for platform selection will likely be improved in the future.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    e7dc21f
  14. Get aesni.c compiling with Visual Studio

    Clang is nice enough to support bitwise operators on __m128i, but MSVC
    isn't.
    
    Also, __cpuid() in MSVC comes from <intrin.h> (which is included via
    <emmintrin.h>), not <cpuid.h>.
    
    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 17, 2023
    790756d
  15. Improve variable names

    To some extent anyway.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    d4a2393
  16. Fix MSVC portability

    MSVC doesn't have _mm_storeu_si64. Fortunately it isn't really needed here.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    2e8d8d1
  17. Travis: run selftest on Windows

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    563c492
  18. Fix code style

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    de34578
  19. Fix typo in comment

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    5f1677f
  20. Fix unaligned access if the context is moved during operation

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    6978e73
  21. Use consistent guards for padlock code

    The padlock feature is enabled if
    ```
    defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
    ```
    with the second macro coming from `padlock.h`. The availability of the
    macro `MBEDTLS_PADLOCK_ALIGN16` is coincidentally equivalent to
    `MBEDTLS_HAVE_X86` but this is not meaningful.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    30c356c
  22. Remove the dependency of MBEDTLS_AESNI_C on MBEDTLS_HAVE_ASM

    AESNI can now be implemented with intrinsics.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    3ba81d3
  23. Clean up AES context alignment code

    Use a single auxiliary function to determine rk_offset, covering both
    setkey_enc and setkey_dec, covering both AESNI and PADLOCK. For AESNI, only
    build this when using the intrinsics-based implementation, since the
    assembly implementation supports unaligned access.
    
    Simplify "do we need to realign?" to "is the desired offset now equal to
    the current offset?".
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    b71d402
  24. AESNI: Overhaul implementation selection

    Have clearly separated code to:
    * determine whether the assembly-based implementation is available;
    * determine whether the intrinsics-based implementation is available;
    * select one of the available implementations if any.
    
    Now MBEDTLS_AESNI_HAVE_CODE can be the single interface for aes.c and
    aesni.c to determine which AESNI is built.
    
    Change the implementation selection: now, if both implementations are
    available, always prefer assembly. Before, the intrinsics were used if
    available. This preference is to minimize disruption, and will likely
    be revised in a later minor release.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    6dec541
  25. Document the new state of AESNI support

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    e5038c6
  26. Announce the expanded AESNI support

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    9a8bf9f
  27. Finish sentence in comment

    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    3efd314
  28. Fix preprocessor conditional

    This was intended as an if-else-if chain. Make it so.
    
    Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
    gilles-peskine-arm authored and tom-cosgrove-arm committed Mar 17, 2023
    9494a99
  29. Fix merge errors in backporting

    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 17, 2023
    58550ac
  30. Document that MBEDTLS_AESNI_HAVE_INTRINSICS and MBEDTLS_AESNI_HAVE_CODE are internal

    macros, despite appearing in a public header file.
    
    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 17, 2023
    779199f
  31. Remove references to MBEDTLS_AESCE_C and MBEDTLS_HAVE_ARM64

    that aren't needed in this backport
    
    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 17, 2023
    3b53cae

Commits on Mar 18, 2023

  1. Fix another backport issue: it's VS2010/ not VS2013/

    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 18, 2023
    e0c7534
  2. Have selftest print more information about the AESNI build

    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 18, 2023
    20458c0
  3. Stop selftest hanging when run on CI

    Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
    tom-cosgrove-arm committed Mar 18, 2023
    9149e12
Showing with 1,332 additions and 335 deletions.
  1. +26 −0 .readthedocs.yaml
  2. +1 −0 .travis.yml
  3. +6 −1 BRANCHES.md
  4. +79 −0 ChangeLog
  5. +0 −3 ChangeLog.d/build-without-certs.txt
  6. +0 −4 ChangeLog.d/c-build-helper-hostcc.txt
  7. +0 −3 ChangeLog.d/clang-15-bignum-warning.txt
  8. +0 −5 ChangeLog.d/coding-style.txt
  9. +0 −4 ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt
  10. +0 −3 ChangeLog.d/empty-retval-description.txt
  11. +0 −4 ChangeLog.d/fix-example-programs-no-args.txt
  12. +0 −4 ChangeLog.d/fix-gettimeofday-overflow.txt
  13. +0 −2 ChangeLog.d/fix-iar-warnings.txt
  14. +0 −10 ChangeLog.d/fix-oid-to-string-bugs.txt
  15. +0 −3 ChangeLog.d/fix-rsaalt-test-guards.txt
  16. +0 −4 ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt
  17. +0 −3 ChangeLog.d/fix_hard_link_across_drives
  18. +0 −5 ChangeLog.d/fix_timing_alt.txt
  19. +0 −5 ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt
  20. +0 −3 ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt
  21. +0 −7 ChangeLog.d/mpi-window-perf
  22. +0 −5 ChangeLog.d/x509-subaltname-ext
  23. +117 −0 SECURITY.md
  24. +2 −0 docs/.gitignore
  25. +40 −0 docs/Makefile
  26. +34 −0 docs/conf.py
  27. +20 −0 docs/index.rst
  28. +2 −0 docs/requirements.in
  29. +66 −0 docs/requirements.txt
  30. +1 −1 doxygen/input/doc_mainpage.h
  31. +13 −1 doxygen/mbedtls.doxyfile
  32. +39 −2 include/mbedtls/aesni.h
  33. +1 −1 include/mbedtls/bignum.h
  34. +0 −4 include/mbedtls/check_config.h
  35. +22 −4 include/mbedtls/config.h
  36. +4 −4 include/mbedtls/version.h
  37. +3 −3 library/CMakeLists.txt
  38. +108 −32 library/aes.c
  39. +475 −135 library/aesni.c
  40. +24 −3 library/gcm.c
  41. +15 −7 library/timing.c
  42. +11 −2 programs/test/selftest.c
  43. +1 −0 tests/.gitignore
  44. +15 −9 tests/include/test/ssl_helpers.h
  45. +58 −39 tests/src/test_helpers/ssl_helpers.c
  46. +9 −0 tests/suites/test_suite_aes.ecb.data
  47. +118 −0 tests/suites/test_suite_aes.function
  48. +8 −8 tests/suites/test_suite_ssl.function
  49. +12 −0 tests/suites/test_suite_timing.function
  50. +2 −2 tests/suites/test_suite_version.data
26 changes: 26 additions & 0 deletions .readthedocs.yaml
@@ -0,0 +1,26 @@
# .readthedocs.yaml
# Read the Docs configuration file
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details

# Required
version: 2

# Set the version of Python and other tools you might need
build:
os: ubuntu-20.04
tools:
python: "3.9"
jobs:
pre_build:
- make apidoc
- breathe-apidoc -o docs/api apidoc/xml

# Build documentation in the docs/ directory with Sphinx
sphinx:
builder: dirhtml
configuration: docs/conf.py

# Optionally declare the Python requirements required to build your docs
python:
install:
- requirements: docs/requirements.txt
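Review bot: the `pre_build` job runs `make apidoc`, which drives doxygen from the top-level Makefile, but nothing in this file installs doxygen; please confirm the `ubuntu-20.04` build image ships it, or declare it under `build.apt_packages`, otherwise the first clean Read the Docs build fails before Sphinx runs. The second job, `breathe-apidoc -o docs/api apidoc/xml`, duplicates the `breathe_apidoc` target in docs/Makefile, which additionally does `rm -rf ./api` first because breathe-apidoc skips files that already exist; calling `make -C docs breathe_apidoc` here instead would keep the two invocations from drifting apart.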
1 change: 1 addition & 0 deletions .travis.yml
@@ -70,6 +70,7 @@ jobs:
os: windows
script:
- scripts/windows_msbuild.bat v141 # Visual Studio 2017
- visualc/VS2010/x64/Release/selftest.exe --ci

after_failure:
- tests/scripts/travis-log-failure.sh
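Review bot: `visualc/VS2010/x64/Release/selftest.exe --ci` is the only CI coverage for the Security item in this change set (AES-NI silently disabled under Visual Studio), but the selftest, per the "AES, GCM selftest: indicate which implementation is used" and "Have selftest print more information about the AESNI build" commits, only prints which AES implementation was built; if the intrinsics path regresses to the table-based software AES this job still passes. Consider checking the selftest output for the AES-NI line in the script, or making `--ci` fail when the expected accelerated implementation is absent, so the regression cannot recur unnoticed. Also worth double-checking that `VS2010/x64/Release` is the directory `windows_msbuild.bat v141` actually populates, given the "it's VS2010/ not VS2013/" backport fix in this series.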
7 changes: 6 additions & 1 deletion BRANCHES.md
@@ -16,6 +16,11 @@ API compatibility in the `master` branch between major version changes. We
also maintain ABI compatibility within LTS branches; see the next section for
details.

Every major version will become an LTS branch when the next major version is
released. We may occasionally create LTS branches from other releases at our
discretion.
When a new LTS branch is created, it usually remains supported for three years.

## Backwards Compatibility for application code

We maintain API compatibility in released versions of Mbed TLS. If you have
@@ -71,6 +76,6 @@ The following branches are currently maintained:
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
maintained until at least the end of 2024, see
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2>.
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3>.

Users are urged to always use the latest version of a maintained branch.
79 changes: 79 additions & 0 deletions ChangeLog
@@ -1,5 +1,84 @@
Mbed TLS ChangeLog (Sorted per branch, date)

= Mbed TLS 2.28.3 branch released 2023-03-28

Features
* Use HOSTCC (if it is set) when compiling C code during generation of the
configuration-independent files. This allows them to be generated when
CC is set for cross compilation.
* AES-NI is now supported with Visual Studio.
* AES-NI is now supported in 32-bit builds, or when MBEDTLS_HAVE_ASM
is disabled, when compiling with GCC or Clang or a compatible compiler
for a target CPU that supports the requisite instructions (for example
gcc -m32 -msse2 -maes -mpclmul). (Generic x86 builds with GCC-like
compilers still require MBEDTLS_HAVE_ASM and a 64-bit target.)

Security
* MBEDTLS_AESNI_C, which is enabled by default, was silently ignored on
builds that couldn't compile the GCC-style assembly implementation
(most notably builds with Visual Studio), leaving them vulnerable to
timing side-channel attacks. There is now an intrinsics-based AES-NI
implementation as a fallback for when the assembly one cannot be used.

Bugfix
* Fix a build issue on Windows where the source and build directory could
not be on different drives (#5751).
* Fix possible integer overflow in mbedtls_timing_hardclock(), which
could cause a crash for certain platforms & compiler options.
* Fix IAR compiler warnings. Fixes #6924.
* Fix a bug in the build where directory names containing spaces were
causing generate_errors.pl to error out resulting in a build failure.
Fixes issue #6879.
* Fix compile error where MBEDTLS_RSA_C and MBEDTLS_X509_CRT_WRITE_C are
defined, but MBEDTLS_PK_RSA_ALT_SUPPORT is not defined. Fixes #3174.
* Fix a build issue when defining MBEDTLS_TIMING_ALT and MBEDTLS_SELF_TEST.
The library would not link if the user didn't provide an external self-test
function. The self-test is now provided regardless of the choice of
internal/alternative timing implementation. Fixes #6923.
* mbedtls_x509write_crt_set_serial() now explicitly rejects serial numbers
whose binary representation is longer than 20 bytes. This was already
forbidden by the standard (RFC5280 - section 4.1.2.2) and now it's being
enforced also at code level.
* Fix potential undefined behavior in mbedtls_mpi_sub_abs(). Reported by
Pascal Cuoq using TrustInSoft Analyzer in #6701; observed independently by
Aaron Ucko under Valgrind.
* Fix behavior of certain sample programs which could, when run with no
arguments, access uninitialized memory in some cases. Fixes #6700 (which
was found by TrustInSoft Analyzer during REDOCS'22) and #1120.
* Fix build errors in test programs when MBEDTLS_CERTS_C is disabled.
Fixes #6243.
* Fix parsing of X.509 SubjectAlternativeName extension. Previously,
malformed alternative name components were not caught during initial
certificate parsing, but only on subsequent calls to
mbedtls_x509_parse_subject_alt_name(). Fixes #2838.
* Fix bug in conversion from OID to string in
mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
correctly.
* Reject OIDs with overlong-encoded subidentifiers when converting
them to a string.
* Reject OIDs with subidentifier values exceeding UINT_MAX. Such
subidentifiers can be valid, but Mbed TLS cannot currently handle them.
* Reject OIDs that have unterminated subidentifiers, or (equivalently)
have the most-significant bit set in their last byte.
* Silence a warning about an unused local variable in bignum.c on
some architectures. Fixes #7166.
* Silence warnings from clang -Wdocumentation about empty \retval
descriptions, which started appearing with Clang 15. Fixes #6960.
* Fix undefined behavior in mbedtls_ssl_read() and mbedtls_ssl_write() if
len argument is 0 and buffer is NULL.

Changes
* The C code follows a new coding style. This is transparent for users but
affects contributors and maintainers of local patches. For more
information, see
https://mbed-tls.readthedocs.io/en/latest/kb/how-to/rewrite-branch-for-coding-style/
* Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
As tested in issue 6790, the correlation between this define and
RSA decryption performance has changed lately due to security fixes.
To fix the performance degradation when using default values the
window was reduced from 6 to 2, a value that gives the best or close
to best results when tested on Cortex-M4 and Intel i7.

= Mbed TLS 2.28.2 branch released 2022-12-14

Security
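Review bot: the Security entry for MBEDTLS_AESNI_C describes the impact (table-based AES, hence timing side channels, on builds that could not compile the GCC-style assembly) but not which earlier releases are affected, who reported it, or whether a CVE was requested; readers triaging exposure of Visual Studio builds need at least the affected-version range, and Mbed TLS security entries normally carry reporter and CVE information or state that none was assigned. A cross-reference to the new `Block ciphers` caveat in SECURITY.md from the same change set would also help, since it documents the same weakness and the available workarounds. Minor: the Changes entry writes "issue 6790" where the rest of the file uses the `#6790` form.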
3 changes: 0 additions & 3 deletions ChangeLog.d/build-without-certs.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/c-build-helper-hostcc.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/clang-15-bignum-warning.txt

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/coding-style.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/conditionalize-mbedtls_mpi_sub_abs-memcpy.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/empty-retval-description.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-example-programs-no-args.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-gettimeofday-overflow.txt

This file was deleted.

2 changes: 0 additions & 2 deletions ChangeLog.d/fix-iar-warnings.txt

This file was deleted.

10 changes: 0 additions & 10 deletions ChangeLog.d/fix-oid-to-string-bugs.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix-rsaalt-test-guards.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix_build_for_directory_names_containing_spaces.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix_hard_link_across_drives

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/fix_timing_alt.txt

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/improve_x509_cert_writing_serial_number_management.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/mbedtls_ssl_read_undefined_behavior.txt

This file was deleted.

7 changes: 0 additions & 7 deletions ChangeLog.d/mpi-window-perf

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/x509-subaltname-ext

This file was deleted.

117 changes: 117 additions & 0 deletions SECURITY.md
@@ -18,3 +18,120 @@ goes public.
Only the maintained branches, as listed in [`BRANCHES.md`](BRANCHES.md),
get security fixes.
Users are urged to always use the latest version of a maintained branch.

## Threat model

We classify attacks based on the capabilities of the attacker.

### Remote attacks

In this section, we consider an attacker who can observe and modify data sent
over the network. This includes observing the content and timing of individual
packets, as well as suppressing or delaying legitimate messages, and injecting
messages.

Mbed TLS aims to fully protect against remote attacks and to enable the user
application in providing full protection against remote attacks. Said
protection is limited to providing security guarantees offered by the protocol
being implemented. (For example Mbed TLS alone won't guarantee that the
messages will arrive without delay, as the TLS protocol doesn't guarantee that
either.)

**Warning!** Block ciphers do not yet achieve full protection against attackers
who can measure the timing of packets with sufficient precision. For details
and workarounds see the [Block Ciphers](#block-ciphers) section.

### Local attacks

In this section, we consider an attacker who can run software on the same
machine. The attacker has insufficient privileges to directly access Mbed TLS
assets such as memory and files.

#### Timing attacks

The attacker is able to observe the timing of instructions executed by Mbed TLS
by leveraging shared hardware that both Mbed TLS and the attacker have access
to. Typical attack vectors include cache timings, memory bus contention and
branch prediction.

Mbed TLS provides limited protection against timing attacks. The cost of
protecting against timing attacks widely varies depending on the granularity of
the measurements and the noise present. Therefore the protection in Mbed TLS is
limited. We are only aiming to provide protection against **publicly
documented attack techniques**.

As attacks keep improving, so does Mbed TLS's protection. Mbed TLS is moving
towards a model of fully timing-invariant code, but has not reached this point
yet.

**Remark:** Timing information can be observed over the network or through
physical side channels as well. Remote and physical timing attacks are covered
in the [Remote attacks](remote-attacks) and [Physical
attacks](physical-attacks) sections respectively.

**Warning!** Block ciphers do not yet achieve full protection. For
details and workarounds see the [Block Ciphers](#block-ciphers) section.

#### Local non-timing side channels

The attacker code running on the platform has access to some sensor capable of
picking up information on the physical state of the hardware while Mbed TLS is
running. This could for example be an analogue-to-digital converter on the
platform that is located unfortunately enough to pick up the CPU noise.

Mbed TLS doesn't make any security guarantees against local non-timing-based
side channel attacks. If local non-timing attacks are present in a use case or
a user application's threat model, they need to be mitigated by the platform.

#### Local fault injection attacks

Software running on the same hardware can affect the physical state of the
device and introduce faults.

Mbed TLS doesn't make any security guarantees against local fault injection
attacks. If local fault injection attacks are present in a use case or a user
application's threat model, they need to be mitigated by the platform.

### Physical attacks

In this section, we consider an attacker who has access to physical information
about the hardware Mbed TLS is running on and/or can alter the physical state
of the hardware (e.g. power analysis, radio emissions or fault injection).

Mbed TLS doesn't make any security guarantees against physical attacks. If
physical attacks are present in a use case or a user application's threat
model, they need to be mitigated by physical countermeasures.

### Caveats

#### Out-of-scope countermeasures

Mbed TLS has evolved organically and a well defined threat model hasn't always
been present. Therefore, Mbed TLS might have countermeasures against attacks
outside the above defined threat model.

The presence of such countermeasures don't mean that Mbed TLS provides
protection against a class of attacks outside of the above described threat
model. Neither does it mean that the failure of such a countermeasure is
considered a vulnerability.

#### Block ciphers

Currently there are four block ciphers in Mbed TLS: AES, CAMELLIA, ARIA and
DES. The pure software implementation in Mbed TLS implementation uses lookup
tables, which are vulnerable to timing attacks.

These timing attacks can be physical, local or depending on network latency
even a remote. The attacks can result in key recovery.

**Workarounds:**

- Turn on hardware acceleration for AES. This is supported only on selected
architectures and currently only available for AES. See configuration options
`MBEDTLS_AESNI_C` and `MBEDTLS_PADLOCK_C` for details.
- Add a secure alternative implementation (typically hardware acceleration) for
the vulnerable cipher. See the [Alternative Implementations
Guide](docs/architecture/alternative-implementations.md) for more information.
- Use cryptographic mechanisms that are not based on block ciphers. In
particular, for authenticated encryption, use ChaCha20/Poly1305 instead of
block cipher modes. For random generation, use HMAC\_DRBG instead of CTR\_DRBG.
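As an added illustration of the lookup-table problem described above (example code written for this page, not Mbed TLS code and not one of the workarounds listed), the following C builds the AES S-box and contrasts a direct table index, whose memory access depends on the secret byte, with a constant-time masked scan over the whole table. The names `sbox_lookup_table`, `sbox_lookup_ct`, `sub_bytes_ct` and `lookups_agree` are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Mbed TLS code: the AES S-box looked up two ways.
 * sbox_lookup_table() indexes the table directly, so the address it reads
 * (and therefore the cache line it touches) depends on the secret input.
 * sbox_lookup_ct() reads every entry in a fixed order and selects the wanted
 * one with a mask, so its memory access pattern is independent of the input. */

static uint8_t sbox[256];
static int sbox_ready = 0;

#define ROTL8(x, shift) ((uint8_t) (((x) << (shift)) | ((x) >> (8 - (shift)))))

/* Build the AES S-box at run time (multiplicative inverse in GF(2^8) followed
 * by the affine map) so the example carries no hardcoded table. */
static void build_sbox(void)
{
    uint8_t p = 1, q = 1;

    if (sbox_ready) {
        return;
    }
    do {
        /* p = p * 3 in GF(2^8); 3 generates the whole multiplicative group */
        p = (uint8_t) (p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
        /* q = q / 3, i.e. multiply by the inverse of 3 (0xf6) */
        q ^= (uint8_t) (q << 1);
        q ^= (uint8_t) (q << 2);
        q ^= (uint8_t) (q << 4);
        q ^= (uint8_t) ((q & 0x80) ? 0x09 : 0);
        /* affine transformation of q, the inverse of p */
        uint8_t x = (uint8_t) (q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4));
        sbox[p] = (uint8_t) (x ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63; /* zero has no inverse; the standard defines S(0) = 0x63 */
    sbox_ready = 1;
}

/* Secret-dependent lookup: the access pattern the caveat above warns about. */
uint8_t sbox_lookup_table(uint8_t in)
{
    build_sbox();
    return sbox[in];
}

/* Constant-time lookup: touch all 256 entries, keep only the one where i == in. */
uint8_t sbox_lookup_ct(uint8_t in)
{
    uint32_t result = 0;
    uint32_t i;

    build_sbox();
    for (i = 0; i < 256; i++) {
        /* diff is 0 only when i == in; then (diff - 1) >> 31 is 1 and mask
         * becomes 0xFFFFFFFF, for every other entry mask is 0. No branch on in. */
        uint32_t diff = i ^ in;
        uint32_t mask = (uint32_t) 0 - ((diff - 1u) >> 31);
        result |= (uint32_t) sbox[i] & mask;
    }
    return (uint8_t) result;
}

/* Apply SubBytes to a 16-byte AES state using the constant-time lookup. */
void sub_bytes_ct(uint8_t state[16])
{
    for (int i = 0; i < 16; i++) {
        state[i] = sbox_lookup_ct(state[i]);
    }
}

/* Return 1 if both lookups agree on every possible input byte, else 0. */
int lookups_agree(void)
{
    for (unsigned v = 0; v < 256; v++) {
        if (sbox_lookup_table((uint8_t) v) != sbox_lookup_ct((uint8_t) v)) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample state: the byte values 0x00..0x0f. */
    uint8_t state[16];
    for (int i = 0; i < 16; i++) {
        state[i] = (uint8_t) i;
    }
    sub_bytes_ct(state);
    printf("lookups agree: %d\n", lookups_agree());
    printf("SubBytes(00..0f):");
    for (int i = 0; i < 16; i++) {
        printf(" %02x", state[i]);
    }
    printf("\n");
    return 0;
}
```

Whether the compiler keeps the masked select branch-free has to be checked on the generated machine code; the block shows the principle, not a drop-in replacement for the library's AES.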
2 changes: 2 additions & 0 deletions docs/.gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,4 @@
*.html
*.pdf
_build/
api/
40 changes: 40 additions & 0 deletions docs/Makefile
@@ -0,0 +1,40 @@
# Minimal makefile for Sphinx documentation
#

# You can set these variables from the command line, and also
# from the environment for the first two.
SPHINXOPTS ?=
SPHINXBUILD ?= sphinx-build
SOURCEDIR = .
BUILDDIR = _build

# Put it first so that "make" without argument is like "make help".
help:
@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

.PHONY: help clean apidoc breathe_apidoc Makefile

# Intercept the 'clean' target so we can do the right thing for apidoc as well
clean:
@# Clean the apidoc
$(MAKE) -C .. apidoc_clean
@# Clean the breathe-apidoc generated files
rm -rf ./api
@# Clean the sphinx docs
@$(SPHINXBUILD) -M clean "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

apidoc:
@# Generate doxygen from source using the main Makefile
$(MAKE) -C .. apidoc

breathe_apidoc: apidoc
@# Remove existing files - breathe-apidoc skips them if they're present
rm -rf ./api
@# Generate RST file structure with breathe-apidoc
breathe-apidoc -o ./api ../apidoc/xml

# Catch-all target: route all unknown targets to Sphinx using the new
# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
%: Makefile breathe_apidoc
@# Build the relevant target with sphinx
@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
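Review bot: the catch-all rule `%: Makefile breathe_apidoc` makes every unknown target, including a mistyped one, run the full doxygen build and `rm -rf ./api` before Sphinx even reports the bad target; consider listing `breathe_apidoc` as a prerequisite of the targets that actually need it rather than of `%`, or at least stating in the comment that every Sphinx invocation regenerates the API tree from scratch.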
34 changes: 34 additions & 0 deletions docs/conf.py
@@ -0,0 +1,34 @@
# Configuration file for the Sphinx documentation builder.
#
# For the full list of built-in configuration values, see the documentation:
# https://www.sphinx-doc.org/en/master/usage/configuration.html

# -- Project information -----------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
import glob

project = 'Mbed TLS Versioned'
copyright = '2023, Mbed TLS Contributors'
author = 'Mbed TLS Contributors'

# -- General configuration ---------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration

extensions = ['breathe', 'sphinx.ext.graphviz']

templates_path = ['_templates']
exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']

breathe_projects = {
'mbedtls-versioned': '../apidoc/xml'
}
breathe_default_project = 'mbedtls-versioned'

primary_domain = 'c'
highlight_language = 'c'

# -- Options for HTML output -------------------------------------------------
# https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-html-output

html_theme = 'sphinx_rtd_theme'
html_static_path = ['_static']
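Review bot: `import glob` is unused in this file and should be dropped (it also sits under the "Project information" comment rather than with the other settings). Separately, `html_static_path = ['_static']` refers to a directory this change does not add; Sphinx warns when a static path entry is missing, so either add `docs/_static` or remove the setting.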
20 changes: 20 additions & 0 deletions docs/index.rst
@@ -0,0 +1,20 @@
.. Mbed TLS Versioned documentation master file, created by
sphinx-quickstart on Thu Feb 23 18:13:44 2023.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
Mbed TLS API documentation
==========================

.. doxygenpage:: index
:project: mbedtls-versioned

.. toctree::
:caption: Contents
:maxdepth: 1

Home <self>
api/grouplist.rst
api/filelist.rst
api/structlist.rst
api/unionlist.rst
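Review bot: the sphinx-quickstart template comment at the top (`.. Mbed TLS Versioned documentation master file, created by ...`) no longer describes the file now that it has been adapted, so drop it.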
2 changes: 2 additions & 0 deletions docs/requirements.in
@@ -0,0 +1,2 @@
sphinx-rtd-theme
breathe
66 changes: 66 additions & 0 deletions docs/requirements.txt
@@ -0,0 +1,66 @@
#
# This file is autogenerated by pip-compile with Python 3.9
# by the following command:
#
# pip-compile requirements.in
#
alabaster==0.7.13
# via sphinx
babel==2.12.1
# via sphinx
breathe==4.35.0
# via -r requirements.in
certifi==2022.12.7
# via requests
charset-normalizer==3.1.0
# via requests
docutils==0.17.1
# via
# breathe
# sphinx
# sphinx-rtd-theme
idna==3.4
# via requests
imagesize==1.4.1
# via sphinx
importlib-metadata==6.0.0
# via sphinx
jinja2==3.1.2
# via sphinx
markupsafe==2.1.2
# via jinja2
packaging==23.0
# via sphinx
pygments==2.14.0
# via sphinx
requests==2.28.2
# via sphinx
snowballstemmer==2.2.0
# via sphinx
sphinx==4.5.0
# via
# breathe
# sphinx-rtd-theme
sphinx-rtd-theme==1.2.0
# via -r requirements.in
sphinxcontrib-applehelp==1.0.4
# via sphinx
sphinxcontrib-devhelp==1.0.2
# via sphinx
sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jquery==2.0.0
# via sphinx-rtd-theme
sphinxcontrib-jsmath==1.0.1
# via sphinx
sphinxcontrib-qthelp==1.0.3
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
urllib3==1.26.15
# via requests
zipp==3.15.0
# via importlib-metadata

# The following packages are considered to be unsafe in a requirements file:
# setuptools
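Review bot: the pins are version-only; since this lockfile will be consumed by documentation and CI builds, regenerate it with `pip-compile --generate-hashes requirements.in` so each artifact is pinned by hash as well as by version, which is what makes a lockfile protective against a tampered package index or a re-uploaded release.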
2 changes: 1 addition & 1 deletion doxygen/input/doc_mainpage.h
@@ -22,7 +22,7 @@
*/

/**
* @mainpage mbed TLS v2.28.2 source code documentation
* @mainpage mbed TLS v2.28.3 source code documentation
*
* This documentation describes the internal structure of mbed TLS. It was
* automatically generated from specially formatted comment blocks in
14 changes: 13 additions & 1 deletion doxygen/mbedtls.doxyfile
@@ -1,4 +1,4 @@
PROJECT_NAME = "mbed TLS v2.28.2"
PROJECT_NAME = "mbed TLS v2.28.3"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
@@ -19,6 +19,9 @@ HTML_OUTPUT = .
HTML_TIMESTAMP = YES
SEARCHENGINE = YES
GENERATE_LATEX = NO
GENERATE_XML = YES
MACRO_EXPANSION = YES
EXPAND_ONLY_PREDEF = YES
INCLUDE_PATH = ../include
CLASS_DIAGRAMS = NO
HAVE_DOT = YES
@@ -40,3 +43,12 @@ DOT_TRANSPARENT = YES
# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
# This avoids writing redundant text and keeps Clang happy.
ALIASES += emptydescription=""

# Define away Mbed TLS macros that make parsing definitions difficult.
# MBEDTLS_DEPRECATED is not included in this list as it's important to
# display deprecated status in the documentation.
PREDEFINED = "MBEDTLS_CHECK_RETURN_CRITICAL=" \
"MBEDTLS_CHECK_RETURN_TYPICAL=" \
"MBEDTLS_CHECK_RETURN_OPTIONAL=" \
"MBEDTLS_PRINTF_ATTRIBUTE(a,b)=" \

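Review bot: the last `PREDEFINED` entry, `"MBEDTLS_PRINTF_ATTRIBUTE(a,b)=" \`, ends with a line continuation followed by an empty line; Doxygen tolerates it, but it reads as an accidentally truncated list, so drop the trailing backslash so the final entry closes the list.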
41 changes: 39 additions & 2 deletions include/mbedtls/aesni.h
@@ -36,13 +36,49 @@
#define MBEDTLS_AESNI_AES 0x02000000u
#define MBEDTLS_AESNI_CLMUL 0x00000002u

#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
/* Can we do AESNI with inline assembly?
* (Only implemented with gas syntax, only for 64-bit.)
*/
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
(defined(__amd64__) || defined(__x86_64__)) && \
!defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_HAVE_X86_64
#endif

#if defined(MBEDTLS_AESNI_C)

/* Can we do AESNI with intrinsics?
* (Only implemented with certain compilers, only for certain targets.)
*
* NOTE: MBEDTLS_AESNI_HAVE_INTRINSICS and MBEDTLS_AESNI_HAVE_CODE are internal
* macros that may change in future releases.
*/
#undef MBEDTLS_AESNI_HAVE_INTRINSICS
#if defined(_MSC_VER)
/* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support
* VS 2013 and up for other reasons anyway, so no need to check the version. */
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif
/* GCC-like compilers: currently, we only support intrinsics if the requisite
* target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2`
* or `clang -maes -mpclmul`). */
#if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__)
#define MBEDTLS_AESNI_HAVE_INTRINSICS
#endif

/* Choose the implementation of AESNI, if one is available. */
#undef MBEDTLS_AESNI_HAVE_CODE
/* To minimize disruption when releasing the intrinsics-based implementation,
* favor the assembly-based implementation if it's available. We intend to
* revise this in a later release of Mbed TLS 3.x. In the long run, we will
* likely remove the assembly implementation. */
#if defined(MBEDTLS_HAVE_X86_64)
#define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly
#elif defined(MBEDTLS_AESNI_HAVE_INTRINSICS)
#define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics
#endif

#if defined(MBEDTLS_AESNI_HAVE_CODE)

#ifdef __cplusplus
extern "C" {
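Review bot: the `#if defined(_MSC_VER)` branch defines `MBEDTLS_AESNI_HAVE_INTRINSICS` without any target-architecture check, whereas the GCC branch is effectively gated by `__AES__` and `__PCLMUL__`; on a Visual Studio build for a non-x86 target this would select the intrinsics implementation, contradicting the config.h note in this same change that the option is silently ignored on non-x86 targets. Suggest `#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))`.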
@@ -131,6 +167,7 @@ int mbedtls_aesni_setkey_enc(unsigned char *rk,
}
#endif

#endif /* MBEDTLS_HAVE_X86_64 */
#endif /* MBEDTLS_AESNI_HAVE_CODE */
#endif /* MBEDTLS_AESNI_C */

#endif /* MBEDTLS_AESNI_H */
2 changes: 1 addition & 1 deletion include/mbedtls/bignum.h
@@ -1039,7 +1039,7 @@ MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime(const mbedtls_mpi *X,
* This must point to an initialized MPI.
* \param rounds The number of bases to perform the Miller-Rabin primality
* test for. The probability of returning 0 on a composite is
* at most 2<sup>-2*\p rounds</sup>.
* at most 2<sup>-2*\p rounds </sup>.
* \param f_rng The RNG function to use. This must not be \c NULL.
* \param p_rng The RNG parameter to be passed to \p f_rng.
* This may be \c NULL if \p f_rng doesn't use
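Review bot: the added space in `2<sup>-2*\p rounds </sup>` looks like an accidental edit; if the intent is to stop Doxygen from swallowing `</sup>` as part of the `\p` argument, say so in a short comment or avoid `\p` inside the superscript altogether, so a later cleanup pass does not "fix" it back.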
4 changes: 0 additions & 4 deletions include/mbedtls/check_config.h
@@ -69,10 +69,6 @@
#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
#endif

#if defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_HAVE_ASM)
#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
#endif

#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
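Review bot: with the `MBEDTLS_AESNI_C && !MBEDTLS_HAVE_ASM` error removed, a build that enables `MBEDTLS_AESNI_C` without assembly support and without the intrinsics target flags now compiles quietly and, per the new aesni.h logic, leaves `MBEDTLS_AESNI_HAVE_CODE` undefined, so AES silently falls back to the table-based software implementation that the threat model caveat flags as timing-vulnerable. The self-test note added in aes.c helps users notice this; consider also calling out the silent fallback in the changelog and in the `MBEDTLS_AESNI_C` documentation.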
26 changes: 22 additions & 4 deletions include/mbedtls/config.h
@@ -51,7 +51,7 @@
* include/mbedtls/bn_mul.h
*
* Required by:
* MBEDTLS_AESNI_C
* MBEDTLS_AESNI_C (on some platforms)
* MBEDTLS_PADLOCK_C
*
* Comment to disable the use of assembly code.
@@ -2344,14 +2344,32 @@
/**
* \def MBEDTLS_AESNI_C
*
* Enable AES-NI support on x86-64.
* Enable AES-NI support on x86-64 or x86-32.
*
* \note AESNI is only supported with certain compilers and target options:
* - Visual Studio 2013: supported.
* - GCC, x86-64, target not explicitly supporting AESNI:
* requires MBEDTLS_HAVE_ASM.
* - GCC, x86-32, target not explicitly supporting AESNI:
* not supported.
* - GCC, x86-64 or x86-32, target supporting AESNI: supported.
* For this assembly-less implementation, you must currently compile
* `library/aesni.c` and `library/aes.c` with machine options to enable
* SSE2 and AESNI instructions: `gcc -msse2 -maes -mpclmul` or
* `clang -maes -mpclmul`.
* - Non-x86 targets: this option is silently ignored.
* - Other compilers: this option is silently ignored.
*
* \note
* Above, "GCC" includes compatible compilers such as Clang.
* The limitations on target support are likely to be relaxed in the future.
*
* Module: library/aesni.c
* Caller: library/aes.c
*
* Requires: MBEDTLS_HAVE_ASM
* Requires: MBEDTLS_HAVE_ASM (on some platforms, see note)
*
* This modules adds support for the AES-NI instructions on x86-64
* This modules adds support for the AES-NI instructions on x86.
*/
#define MBEDTLS_AESNI_C

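Review bot: the rewritten sentence `This modules adds support for the AES-NI instructions on x86.` carries over the pre-existing "modules adds" typo; since the line is being changed anyway, make it `This module adds support ...`.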
8 changes: 4 additions & 4 deletions include/mbedtls/version.h
@@ -38,16 +38,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 2
#define MBEDTLS_VERSION_PATCH 3

/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x021C0200
#define MBEDTLS_VERSION_STRING "2.28.2"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.2"
#define MBEDTLS_VERSION_NUMBER 0x021C0300
#define MBEDTLS_VERSION_STRING "2.28.3"
#define MBEDTLS_VERSION_STRING_FULL "mbed TLS 2.28.3"

#if defined(MBEDTLS_VERSION_C)

6 changes: 3 additions & 3 deletions library/CMakeLists.txt
@@ -204,15 +204,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.2 SOVERSION 7)
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.3 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})

add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.2 SOVERSION 1)
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.3 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})

add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.2 SOVERSION 14)
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.3 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)

140 changes: 108 additions & 32 deletions library/aes.c
@@ -50,8 +50,7 @@
#define AES_VALIDATE(cond) \
MBEDTLS_INTERNAL_VALIDATE(cond)

#if defined(MBEDTLS_PADLOCK_C) && \
(defined(MBEDTLS_HAVE_X86) || defined(MBEDTLS_PADLOCK_ALIGN16))
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
static int aes_padlock_ace = -1;
#endif

@@ -512,6 +511,53 @@ void mbedtls_aes_xts_free(mbedtls_aes_xts_context *ctx)
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */

/* Some implementations need the round keys to be aligned.
* Return an offset to be added to buf, such that (buf + offset) is
* correctly aligned.
* Note that the offset is in units of elements of buf, i.e. 32-bit words,
* i.e. an offset of 1 means 4 bytes and so on.
*/
#if (defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)) || \
(defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2)
#define MAY_NEED_TO_ALIGN
#endif
static unsigned mbedtls_aes_rk_offset(uint32_t *buf)
{
#if defined(MAY_NEED_TO_ALIGN)
int align_16_bytes = 0;

#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
if (aes_padlock_ace == -1) {
aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
}
if (aes_padlock_ace) {
align_16_bytes = 1;
}
#endif

#if defined(MBEDTLS_AESNI_C) && MBEDTLS_AESNI_HAVE_CODE == 2
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
align_16_bytes = 1;
}
#endif

if (align_16_bytes) {
/* These implementations needs 16-byte alignment
* for the round key array. */
unsigned delta = ((uintptr_t) buf & 0x0000000fU) / 4;
if (delta == 0) {
return 0;
} else {
return 4 - delta; // 16 bytes = 4 uint32_t
}
}
#else /* MAY_NEED_TO_ALIGN */
(void) buf;
#endif /* MAY_NEED_TO_ALIGN */

return 0;
}

/*
* AES key schedule (encryption)
*/
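Review bot: `mbedtls_aes_rk_offset` is `static` but carries the public `mbedtls_` prefix, while the other file-local helpers touched by this change (`aes_padlock_ace`, `aes_maybe_realign`) use the plain `aes_` prefix; rename it for consistency. Also, in the comment `These implementations needs 16-byte alignment`, `needs` should be `need`, and the `/ 4` and `4 - delta` arithmetic silently assumes `buf` is itself 4-byte aligned (true for a `uint32_t` array, but worth stating in the comment).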
@@ -539,18 +585,9 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
}
#endif

#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
if (aes_padlock_ace == -1) {
aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
}

if (aes_padlock_ace) {
ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
} else
#endif
ctx->rk = RK = ctx->buf;
ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf);

#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
return mbedtls_aesni_setkey_enc((unsigned char *) ctx->rk, key, keybits);
}
@@ -640,16 +677,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,

mbedtls_aes_init(&cty);

#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_PADLOCK_ALIGN16)
if (aes_padlock_ace == -1) {
aes_padlock_ace = mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE);
}

if (aes_padlock_ace) {
ctx->rk = RK = MBEDTLS_PADLOCK_ALIGN16(ctx->buf);
} else
#endif
ctx->rk = RK = ctx->buf;
ctx->rk = RK = ctx->buf + mbedtls_aes_rk_offset(ctx->buf);

/* Also checks keybits */
if ((ret = mbedtls_aes_setkey_enc(&cty, key, keybits)) != 0) {
@@ -658,7 +686,7 @@ int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,

ctx->nr = cty.nr;

#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
mbedtls_aesni_inverse_key((unsigned char *) ctx->rk,
(const unsigned char *) cty.rk, ctx->nr);
@@ -964,6 +992,30 @@ void mbedtls_aes_decrypt(mbedtls_aes_context *ctx,
}
#endif /* !MBEDTLS_DEPRECATED_REMOVED */

#if defined(MAY_NEED_TO_ALIGN)
/* VIA Padlock and our intrinsics-based implementation of AESNI require
* the round keys to be aligned on a 16-byte boundary. We take care of this
* before creating them, but the AES context may have moved (this can happen
* if the library is called from a language with managed memory), and in later
* calls it might have a different alignment with respect to 16-byte memory.
* So we may need to realign.
* NOTE: In the LTS branch, the context contains a pointer to within itself,
* so if it has been moved, things will probably go pear-shaped. We keep this
* code for compatibility with the development branch, in case of future changes.
*/
static void aes_maybe_realign(mbedtls_aes_context *ctx)
{
unsigned current_offset = (unsigned) (ctx->rk - ctx->buf);
unsigned new_offset = mbedtls_aes_rk_offset(ctx->buf);
if (new_offset != current_offset) {
memmove(ctx->buf + new_offset, // new address
ctx->buf + current_offset, // current address
(ctx->nr + 1) * 16); // number of round keys * bytes per rk
ctx->rk = ctx->buf + new_offset;
}
}
#endif

/*
* AES-ECB block encryption/decryption
*/
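Review bot: `aes_maybe_realign` computes `current_offset` as `ctx->rk - ctx->buf`, which is only meaningful while `ctx->rk` points inside `ctx->buf`; the NOTE admits that after a move in this branch it does not, in which case the `(unsigned)` cast truncates an arbitrary pointer difference and the `memmove` reads from outside the context. Since the code is kept for compatibility rather than to handle moves, either guard the `memmove` with a check that `ctx->rk` lies within `ctx->buf`, or narrow the helper to the case it can actually handle and say so in the comment.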
@@ -978,21 +1030,19 @@ int mbedtls_aes_crypt_ecb(mbedtls_aes_context *ctx,
AES_VALIDATE_RET(mode == MBEDTLS_AES_ENCRYPT ||
mode == MBEDTLS_AES_DECRYPT);

#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
#if defined(MAY_NEED_TO_ALIGN)
aes_maybe_realign(ctx);
#endif

#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
return mbedtls_aesni_crypt_ecb(ctx, mode, input, output);
}
#endif

#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
if (aes_padlock_ace) {
if (mbedtls_padlock_xcryptecb(ctx, mode, input, output) == 0) {
return 0;
}

// If padlock data misaligned, we just fall back to
// unaccelerated mode
//
return mbedtls_padlock_xcryptecb(ctx, mode, input, output);
}
#endif

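Review bot: the Padlock branch now returns the result of `mbedtls_padlock_xcryptecb()` directly, dropping the previous fall-back to the software implementation when the data was misaligned; that is only safe if `aes_maybe_realign()` guarantees the alignment Padlock needs on every call. State that assumption next to the `return`, and confirm that `mbedtls_padlock_xcryptecb()` has no remaining failure mode that callers previously never saw.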
@@ -1785,6 +1835,32 @@ int mbedtls_aes_self_test(int verbose)
memset(key, 0, 32);
mbedtls_aes_init(&ctx);

if (verbose != 0) {
#if defined(MBEDTLS_AES_ALT)
mbedtls_printf(" AES note: alternative implementation.\n");
#else /* MBEDTLS_AES_ALT */
#if defined(MBEDTLS_PADLOCK_C) && defined(MBEDTLS_HAVE_X86)
if (mbedtls_padlock_has_support(MBEDTLS_PADLOCK_ACE)) {
mbedtls_printf(" AES note: using VIA Padlock.\n");
} else
#endif
#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_AES)) {
mbedtls_printf(" AES note: using AESNI via ");
#if MBEDTLS_AESNI_HAVE_CODE == 1
mbedtls_printf("assembly");
#elif MBEDTLS_AESNI_HAVE_CODE == 2
mbedtls_printf("intrinsics");
#else
mbedtls_printf("(unknown)");
#endif
mbedtls_printf(".\n");
} else
#endif
mbedtls_printf(" AES note: built-in implementation.\n");
#endif /* MBEDTLS_AES_ALT */
}

/*
* ECB mode
*/
610 changes: 475 additions & 135 deletions library/aesni.c


27 changes: 24 additions & 3 deletions library/gcm.c
@@ -93,7 +93,7 @@ static int gcm_gen_table(mbedtls_gcm_context *ctx)
ctx->HL[8] = vl;
ctx->HH[8] = vh;

#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
#if defined(MBEDTLS_AESNI_HAVE_CODE)
/* With CLMUL support, we need only h, not the rest of the table */
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
return 0;
@@ -190,7 +190,7 @@ static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
unsigned char lo, hi, rem;
uint64_t zh, zl;

#if defined(MBEDTLS_AESNI_C) && defined(MBEDTLS_HAVE_X86_64)
#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
unsigned char h[16];

@@ -202,7 +202,7 @@ static void gcm_mult(mbedtls_gcm_context *ctx, const unsigned char x[16],
mbedtls_aesni_gcm_mult(output, x, h);
return;
}
#endif /* MBEDTLS_AESNI_C && MBEDTLS_HAVE_X86_64 */
#endif /* MBEDTLS_AESNI_HAVE_CODE */

lo = x[15] & 0xf;

@@ -754,6 +754,27 @@ int mbedtls_gcm_self_test(int verbose)
int i, j, ret;
mbedtls_cipher_id_t cipher = MBEDTLS_CIPHER_ID_AES;

if (verbose != 0) {
#if defined(MBEDTLS_GCM_ALT)
mbedtls_printf(" GCM note: alternative implementation.\n");
#else /* MBEDTLS_GCM_ALT */
#if defined(MBEDTLS_AESNI_HAVE_CODE)
if (mbedtls_aesni_has_support(MBEDTLS_AESNI_CLMUL)) {
mbedtls_printf(" GCM note: using AESNI via ");
#if MBEDTLS_AESNI_HAVE_CODE == 1
mbedtls_printf("assembly");
#elif MBEDTLS_AESNI_HAVE_CODE == 2
mbedtls_printf("intrinsics");
#else
mbedtls_printf("(unknown)");
#endif
mbedtls_printf(".\n");
} else
#endif
mbedtls_printf(" GCM note: built-in implementation.\n");
#endif /* MBEDTLS_GCM_ALT */
}

for (j = 0; j < 3; j++) {
int key_len = 128 + 64 * j;

22 changes: 15 additions & 7 deletions library/timing.c
@@ -17,6 +17,8 @@
* limitations under the License.
*/

#include <string.h>

#include "common.h"

#include "mbedtls/platform.h"
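Review bot: `#include <string.h>` is placed above `#include "common.h"`; elsewhere in the library `common.h` comes first because it pulls in the build configuration that later headers may depend on, so move the system include below it, next to `mbedtls/platform.h`.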
@@ -231,17 +233,20 @@ volatile int mbedtls_timing_alarmed = 0;

unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
{
struct _hr_time *t = (struct _hr_time *) val;
struct _hr_time t;

if (reset) {
QueryPerformanceCounter(&t->start);
QueryPerformanceCounter(&t.start);
memcpy(val, &t, sizeof(struct _hr_time));
return 0;
} else {
unsigned long delta;
LARGE_INTEGER now, hfreq;
/* We can't safely cast val because it may not be aligned, so use memcpy */
memcpy(&t, val, sizeof(struct _hr_time));
QueryPerformanceCounter(&now);
QueryPerformanceFrequency(&hfreq);
delta = (unsigned long) ((now.QuadPart - t->start.QuadPart) * 1000ul
delta = (unsigned long) ((now.QuadPart - t.start.QuadPart) * 1000ul
/ hfreq.QuadPart);
return delta;
}
@@ -277,17 +282,20 @@ void mbedtls_set_alarm(int seconds)

unsigned long mbedtls_timing_get_timer(struct mbedtls_timing_hr_time *val, int reset)
{
struct _hr_time *t = (struct _hr_time *) val;
struct _hr_time t;

if (reset) {
gettimeofday(&t->start, NULL);
gettimeofday(&t.start, NULL);
memcpy(val, &t, sizeof(struct _hr_time));
return 0;
} else {
unsigned long delta;
struct timeval now;
/* We can't safely cast val because it may not be aligned, so use memcpy */
memcpy(&t, val, sizeof(struct _hr_time));
gettimeofday(&now, NULL);
delta = (now.tv_sec - t->start.tv_sec) * 1000ul
+ (now.tv_usec - t->start.tv_usec) / 1000;
delta = (now.tv_sec - t.start.tv_sec) * 1000ul
+ (now.tv_usec - t.start.tv_usec) / 1000;
return delta;
}
}
13 changes: 11 additions & 2 deletions programs/test/selftest.c
@@ -353,6 +353,9 @@ int main(int argc, char *argv[])
unsigned char buf[1000000];
#endif
void *pointer;
#if defined(_WIN32)
int ci = 0; /* ci = 1 => running in CI, so don't wait for a key press */
#endif

/*
* The C standard doesn't guarantee that all-bits-0 is the representation
@@ -380,6 +383,10 @@ int main(int argc, char *argv[])
} else if (strcmp(*argp, "--exclude") == 0 ||
strcmp(*argp, "-x") == 0) {
exclude_mode = 1;
#if defined(_WIN32)
} else if (strcmp(*argp, "--ci") == 0) {
ci = 1;
#endif
} else {
break;
}
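Review bot: `--ci` is only recognised inside `#if defined(_WIN32)`, so on other platforms the same command line falls into the final `else { break; }` and `--ci` is taken as the first test name; parse the option unconditionally and make `ci` a no-op where there is no key-press prompt, so CI scripts can pass the same arguments everywhere. If the program prints a usage message, list the new option there as well.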
@@ -450,8 +457,10 @@ int main(int argc, char *argv[])
mbedtls_printf(" [ All tests PASS ]\n\n");
}
#if defined(_WIN32)
mbedtls_printf(" Press Enter to exit this program.\n");
fflush(stdout); getchar();
if (!ci) {
mbedtls_printf(" Press Enter to exit this program.\n");
fflush(stdout); getchar();
}
#endif
}

1 change: 1 addition & 0 deletions tests/.gitignore
@@ -11,6 +11,7 @@ data_files/entropy_seed
include/test/instrument_record_status.h

src/*.o
src/test_helpers/*.o
src/drivers/*.o
src/libmbed*

24 changes: 15 additions & 9 deletions tests/include/test/ssl_helpers.h
@@ -277,13 +277,13 @@ int mbedtls_test_ssl_message_queue_pop_info(
/*
* Setup and teardown functions for mock sockets.
*/
void mbedtls_mock_socket_init(mbedtls_test_mock_socket *socket);
void mbedtls_test_mock_socket_init(mbedtls_test_mock_socket *socket);

/*
* Closes the socket \p socket.
*
* \p socket must have been previously initialized by calling
* mbedtls_mock_socket_init().
* mbedtls_test_mock_socket_init().
*
* This function frees all allocated resources and both sockets are aware of the
* new connection state.
@@ -298,7 +298,7 @@ void mbedtls_test_mock_socket_close(mbedtls_test_mock_socket *socket);
* Establishes a connection between \p peer1 and \p peer2.
*
* \p peer1 and \p peer2 must have been previously initialized by calling
* mbedtls_mock_socket_init().
* mbedtls_test_mock_socket_init().
*
* The capacities of the internal buffers are set to \p bufsize. Setting this to
* the correct value allows for simulation of MTU, sanity testing the mock
@@ -377,8 +377,7 @@ int mbedtls_test_mock_tcp_send_msg(void *ctx,
* mbedtls_test_mock_tcp_recv_b failed.
*
* This function will also return any error other than
* MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from
* mbedtls_test_message_queue_peek_info.
* MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from test_ssl_message_queue_peek_info.
*/
int mbedtls_test_mock_tcp_recv_msg(void *ctx,
unsigned char *buf, size_t buf_len);
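Review bot: the doc comment now names `test_ssl_message_queue_peek_info`, which the matching ssl_helpers.c change makes `static`; a public test header referring to a function its readers cannot call is confusing, so describe the behaviour instead (for example, "from the internal message-queue peek") or note explicitly that it is an internal helper.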
@@ -456,6 +455,12 @@ int mbedtls_test_move_handshake_to_state(mbedtls_ssl_context *ssl,
} \
} while (0)

#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
#endif

int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
int cipher_type, int hash_id,
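Review bot: `SSL_CID_LEN_MIN` moves into a shared header without the `MBEDTLS_TEST_` prefix that the other identifiers in this file carry, and it is now visible to every test suite that includes ssl_helpers.h; give it the test-helper prefix so it cannot collide with a suite-local macro of the same name.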
@@ -493,10 +498,11 @@ int mbedtls_test_ssl_populate_session(mbedtls_ssl_session *session,
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_exchange_data(mbedtls_ssl_context *ssl_1,
int msg_len_1, const int expected_fragments_1,
mbedtls_ssl_context *ssl_2,
int msg_len_2, const int expected_fragments_2);
int mbedtls_test_ssl_exchange_data(
mbedtls_ssl_context *ssl_1,
int msg_len_1, const int expected_fragments_1,
mbedtls_ssl_context *ssl_2,
int msg_len_2, const int expected_fragments_2);

#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_CERTS_C) && \
97 changes: 58 additions & 39 deletions tests/src/test_helpers/ssl_helpers.c
@@ -257,8 +257,9 @@ int mbedtls_test_ssl_message_queue_pop_info(
* set to the full message length so that the
* caller knows what portion of the message can be dropped.
*/
int mbedtls_test_message_queue_peek_info(mbedtls_test_ssl_message_queue *queue,
size_t buf_len, size_t *msg_len)
static int test_ssl_message_queue_peek_info(
mbedtls_test_ssl_message_queue *queue,
size_t buf_len, size_t *msg_len)
{
if (queue == NULL || msg_len == NULL) {
return MBEDTLS_TEST_ERROR_ARG_NULL;
@@ -271,7 +272,7 @@ int mbedtls_test_message_queue_peek_info(mbedtls_test_ssl_message_queue *queue,
return (*msg_len > buf_len) ? MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED : 0;
}

void mbedtls_mock_socket_init(mbedtls_test_mock_socket *socket)
void mbedtls_test_mock_socket_init(mbedtls_test_mock_socket *socket)
{
memset(socket, 0, sizeof(*socket));
}
@@ -423,7 +424,7 @@ int mbedtls_test_message_socket_setup(
ctx->queue_input = queue_input;
ctx->queue_output = queue_output;
ctx->socket = socket;
mbedtls_mock_socket_init(socket);
mbedtls_test_mock_socket_init(socket);

return 0;
}
@@ -488,7 +489,7 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx,

/* Peek first, so that in case of a socket error the data remains in
* the queue. */
ret = mbedtls_test_message_queue_peek_info(queue, buf_len, &msg_len);
ret = test_ssl_message_queue_peek_info(queue, buf_len, &msg_len);
if (ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED) {
/* Calculate how much to drop */
drop_len = msg_len - buf_len;
@@ -525,7 +526,7 @@ int mbedtls_test_mock_tcp_recv_msg(void *ctx,
/*
* Deinitializes certificates from endpoint represented by \p ep.
*/
void mbedtls_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
{
mbedtls_test_ssl_endpoint_certificate *cert = &(ep->cert);
if (cert != NULL) {
@@ -647,7 +648,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,

exit:
if (ret != 0) {
mbedtls_endpoint_certificate_free(ep);
test_ssl_endpoint_certificate_free(ep);
}

return ret;
@@ -687,7 +688,7 @@ int mbedtls_test_ssl_endpoint_init(
100, &(ep->socket),
dtls_context) == 0);
} else {
mbedtls_mock_socket_init(&(ep->socket));
mbedtls_test_mock_socket_init(&(ep->socket));
}

ret = mbedtls_ctr_drbg_seed(&(ep->ctr_drbg), mbedtls_entropy_func,
@@ -744,7 +745,7 @@ void mbedtls_test_ssl_endpoint_free(
mbedtls_test_ssl_endpoint *ep,
mbedtls_test_message_socket_context *context)
{
mbedtls_endpoint_certificate_free(ep);
test_ssl_endpoint_certificate_free(ep);

mbedtls_ssl_free(&(ep->ssl));
mbedtls_ssl_config_free(&(ep->conf));
@@ -820,7 +821,7 @@ int mbedtls_ssl_write_fragment(mbedtls_ssl_context *ssl,
/* Used for DTLS and the message size larger than MFL. In that case
* the message can not be fragmented and the library should return
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA error. This error must be returned
* to prevent a dead loop inside mbedtls_exchange_data(). */
* to prevent a dead loop inside mbedtls_test_ssl_exchange_data(). */
return ret;
} else if (expected_fragments == 1) {
/* Used for TLS/DTLS and the message size lower than MFL */
@@ -883,8 +884,12 @@ int mbedtls_ssl_read_fragment(mbedtls_ssl_context *ssl,
return -1;
}

void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
int *forced_ciphersuite)
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_CERTS_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
static void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
int *forced_ciphersuite)
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(cipher);
@@ -909,9 +914,16 @@ void set_ciphersuite(mbedtls_ssl_config *conf, const char *cipher,
exit:
return;
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_CERTS_C &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */

int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len)
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_CERTS_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
static int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len)
{
(void) p_info;
(void) ssl;
@@ -920,12 +932,9 @@ int psk_dummy_callback(void *p_info, mbedtls_ssl_context *ssl,

return 0;
}

#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
#endif
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_CERTS_C &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */

int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
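Review bot: this hunk deletes the `SSL_CID_LEN_MIN` definition (the `#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX` block) from this helper file, but shows no corresponding change to its users; if the macro was only consumed by the test suite that now defines it itself, say so in the commit message, and if any use remains here the build will break only in configurations where the macro is expanded. Also check that the `#endif` comment now lists exactly the five conditions of the matching `#if` above, which it does.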
@@ -1270,10 +1279,11 @@ int mbedtls_test_ssl_populate_session(mbedtls_ssl_session *session,
return 0;
}

int mbedtls_exchange_data(mbedtls_ssl_context *ssl_1,
int msg_len_1, const int expected_fragments_1,
mbedtls_ssl_context *ssl_2,
int msg_len_2, const int expected_fragments_2)
int mbedtls_test_ssl_exchange_data(
mbedtls_ssl_context *ssl_1,
int msg_len_1, const int expected_fragments_1,
mbedtls_ssl_context *ssl_2,
int msg_len_2, const int expected_fragments_2)
{
unsigned char *msg_buf_1 = malloc(msg_len_1);
unsigned char *msg_buf_2 = malloc(msg_len_2);
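Review bot: with the rename to `mbedtls_test_ssl_exchange_data` this helper becomes part of the shared `mbedtls_test_` API, so the `int msg_len_1` / `int msg_len_2` parameters passed straight to `malloc(msg_len_1)` and `malloc(msg_len_2)` deserve a guard: a negative value converts to a huge `size_t`, and a zero value yields an implementation-defined (possibly NULL) pointer that the later memory writes would dereference. The visible lines also do not check the `malloc` results; if the checks are further down, fine, otherwise a `TEST_ASSERT(msg_buf_1 != NULL)` style check after each allocation is needed.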
@@ -1379,16 +1389,26 @@ int mbedtls_exchange_data(mbedtls_ssl_context *ssl_1,
*
* \retval 0 on success, otherwise error code.
*/
int exchange_data(mbedtls_ssl_context *ssl_1,
mbedtls_ssl_context *ssl_2)
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_CERTS_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C) && \
(defined(MBEDTLS_SSL_RENEGOTIATION) || \
defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH))
static int exchange_data(mbedtls_ssl_context *ssl_1,
mbedtls_ssl_context *ssl_2)
{
return mbedtls_exchange_data(ssl_1, 256, 1,
ssl_2, 256, 1);
return mbedtls_test_ssl_exchange_data(ssl_1, 256, 1,
ssl_2, 256, 1);
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_CERTS_C &&
MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
(MBEDTLS_SSL_RENEGOTIATION ||
MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) */

#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
defined(MBEDTLS_CERTS_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CERTS_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
void mbedtls_test_ssl_perform_handshake(
mbedtls_test_handshake_test_options *options)
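Review bot: the wrapper `exchange_data` is now guarded on `(MBEDTLS_SSL_RENEGOTIATION || MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)` in addition to the certificate conditions, which again mirrors its two call sites rather than what the function itself needs (it only forwards to `mbedtls_test_ssl_exchange_data`, which is unconditional). Consider a short comment to that effect; the lines changing the `mbedtls_test_ssl_perform_handshake` guard below it are a whitespace-only reindent and need no action.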
@@ -1603,10 +1623,11 @@ void mbedtls_test_ssl_perform_handshake(

if (options->cli_msg_len != 0 || options->srv_msg_len != 0) {
/* Start data exchanging test */
TEST_ASSERT(mbedtls_exchange_data(&(client.ssl), options->cli_msg_len,
options->expected_cli_fragments,
&(server.ssl), options->srv_msg_len,
options->expected_srv_fragments)
TEST_ASSERT(mbedtls_test_ssl_exchange_data(
&(client.ssl), options->cli_msg_len,
options->expected_cli_fragments,
&(server.ssl), options->srv_msg_len,
options->expected_srv_fragments)
== 0);
}
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
@@ -1661,12 +1682,10 @@ void mbedtls_test_ssl_perform_handshake(
#endif
/* Retest writing/reading */
if (options->cli_msg_len != 0 || options->srv_msg_len != 0) {
TEST_ASSERT(mbedtls_exchange_data(
&(client.ssl),
options->cli_msg_len,
TEST_ASSERT(mbedtls_test_ssl_exchange_data(
&(client.ssl), options->cli_msg_len,
options->expected_cli_fragments,
&(server.ssl),
options->srv_msg_len,
&(server.ssl), options->srv_msg_len,
options->expected_srv_fragments)
== 0);
}
9 changes: 9 additions & 0 deletions tests/suites/test_suite_aes.ecb.data
@@ -228,3 +228,12 @@ aes_decrypt_ecb:"000000000000000000000000000000000000000000000000000000000000000

AES-256-ECB Decrypt NIST KAT #12
aes_decrypt_ecb:"0000000000000000000000000000000000000000000000000000000000000000":"9b80eefb7ebe2d2b16247aa0efc72f5d":"e0000000000000000000000000000000":0

AES-128-ECB context alignment
aes_ecb_context_alignment:"000102030405060708090a0b0c0d0e0f"

AES-192-ECB context alignment
aes_ecb_context_alignment:"000102030405060708090a0b0c0d0e0f1011121314151617"

AES-256-ECB context alignment
aes_ecb_context_alignment:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
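Review bot: the three new `aes_ecb_context_alignment` cases carry only a key, unlike the NIST KAT entries above that also give plaintext and expected ciphertext, so the test can only verify that encrypt followed by decrypt round-trips; an implementation that produced a wrong but self-consistent result on a misaligned context would pass. Since the key here is the familiar `000102...` pattern, adding an expected-ciphertext column and comparing it inside `test_ctx_alignment` would make the check stronger at almost no cost.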
118 changes: 118 additions & 0 deletions tests/suites/test_suite_aes.function
@@ -1,5 +1,52 @@
/* BEGIN_HEADER */
#include "mbedtls/aes.h"

/* Test AES with a copied context.
*
* enc and dec must be AES context objects. They don't need to
* be initialized, and are left freed.
*/
static int test_ctx_alignment(const data_t *key,
mbedtls_aes_context *enc,
mbedtls_aes_context *dec)
{
unsigned char plaintext[16] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
};
unsigned char ciphertext[16];
unsigned char output[16];

// Set key and encrypt with original context
mbedtls_aes_init(enc);
TEST_ASSERT(mbedtls_aes_setkey_enc(enc, key->x, key->len * 8) == 0);
TEST_ASSERT(mbedtls_aes_crypt_ecb(enc, MBEDTLS_AES_ENCRYPT,
plaintext, ciphertext) == 0);

// Set key for decryption with original context
mbedtls_aes_init(dec);
TEST_ASSERT(mbedtls_aes_setkey_dec(dec, key->x, key->len * 8) == 0);

// Wipe the original context to make sure nothing from it is used
memset(enc, 0, sizeof(*enc));
mbedtls_aes_free(enc);

// Decrypt
TEST_ASSERT(mbedtls_aes_crypt_ecb(dec, MBEDTLS_AES_DECRYPT,
ciphertext, output) == 0);
ASSERT_COMPARE(plaintext, 16, output, 16);

mbedtls_aes_free(dec);

return 1;

exit:
/* Bug: we may be leaving something unfreed. This is harmless
* in our built-in implementations, but might cause a memory leak
* with alternative implementations. */
return 0;
}

/* END_HEADER */

/* BEGIN_DEPENDENCIES
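Review bot: the `exit:` path in `test_ctx_alignment` admits a real leak, as the `Bug:` comment says: if the first `TEST_ASSERT` fails, `enc` is initialised but never freed, and `dec` has not been initialised at all. Initialising both contexts before the first `TEST_ASSERT` and calling `mbedtls_aes_free(enc)` and `mbedtls_aes_free(dec)` at `exit` fixes this (freeing an already-freed or zeroed context is fine in the built-in implementation) and lets the `Bug:` comment go. Separately, `memset(enc, 0, sizeof(*enc))` followed by `mbedtls_aes_free(enc)` is the wrong order for alternative implementations that keep pointers or handles in the context; freeing first and then wiping achieves the stated goal ("make sure nothing from it is used") without that risk.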
@@ -621,6 +668,77 @@ void aes_misc_params()
}
/* END_CASE */

/* BEGIN_CASE */
void aes_ecb_context_alignment(data_t *key)
{
/* We test alignment multiple times, with different alignments
* of the context and of the plaintext/ciphertext. */

struct align0 {
mbedtls_aes_context ctx;
};
struct align0 *enc0 = NULL;
struct align0 *dec0 = NULL;

struct align1 {
char bump;
mbedtls_aes_context ctx;
};
struct align1 *enc1 = NULL;
struct align1 *dec1 = NULL;

/* All peak alignment */
ASSERT_ALLOC(enc0, 1);
ASSERT_ALLOC(dec0, 1);
if (!test_ctx_alignment(key, &enc0->ctx, &dec0->ctx)) {
goto exit;
}
mbedtls_free(enc0);
enc0 = NULL;
mbedtls_free(dec0);
dec0 = NULL;

/* Enc aligned, dec not */
ASSERT_ALLOC(enc0, 1);
ASSERT_ALLOC(dec1, 1);
if (!test_ctx_alignment(key, &enc0->ctx, &dec1->ctx)) {
goto exit;
}
mbedtls_free(enc0);
enc0 = NULL;
mbedtls_free(dec1);
dec1 = NULL;

/* Dec aligned, enc not */
ASSERT_ALLOC(enc1, 1);
ASSERT_ALLOC(dec0, 1);
if (!test_ctx_alignment(key, &enc1->ctx, &dec0->ctx)) {
goto exit;
}
mbedtls_free(enc1);
enc1 = NULL;
mbedtls_free(dec0);
dec0 = NULL;

/* Both shifted */
ASSERT_ALLOC(enc1, 1);
ASSERT_ALLOC(dec1, 1);
if (!test_ctx_alignment(key, &enc1->ctx, &dec1->ctx)) {
goto exit;
}
mbedtls_free(enc1);
enc1 = NULL;
mbedtls_free(dec1);
dec1 = NULL;

exit:
mbedtls_free(enc0);
mbedtls_free(dec0);
mbedtls_free(enc1);
mbedtls_free(dec1);
}
/* END_CASE */

/* BEGIN_CASE depends_on:MBEDTLS_SELF_TEST */
void aes_selftest()
{
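Review bot: `struct align1 { char bump; mbedtls_aes_context ctx; }` shifts `ctx` by the alignment of `mbedtls_aes_context`, not by one byte, because the compiler pads `bump` up to the member's natural alignment; the four cases therefore only vary the context's alignment relative to the allocator's granularity ("peak alignment"), and if the context's own alignment ever equals that granularity, "Both shifted" degenerates into the same case as "All peak alignment". A comment stating this, or a compile-time check on `offsetof(struct align1, ctx)`, would make the intent explicit. The cleanup logic itself is sound: each pointer is reset to `NULL` after `mbedtls_free`, so the unconditional frees at `exit` are safe on every path.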
16 changes: 8 additions & 8 deletions tests/suites/test_suite_ssl.function
@@ -202,17 +202,17 @@ void ssl_mock_sanity()
unsigned char received[MSGLEN] = { 0 };
mbedtls_test_mock_socket socket;

mbedtls_mock_socket_init(&socket);
mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
mbedtls_mock_socket_init(&socket);
mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);

mbedtls_mock_socket_init(&socket);
mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);
mbedtls_mock_socket_init(&socket);
mbedtls_test_mock_socket_init(&socket);
TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0);
mbedtls_test_mock_socket_close(&socket);

@@ -250,8 +250,8 @@ void ssl_mock_tcp(int blocking)
recv = mbedtls_test_mock_tcp_recv_b;
}

mbedtls_mock_socket_init(&client);
mbedtls_mock_socket_init(&server);
mbedtls_test_mock_socket_init(&client);
mbedtls_test_mock_socket_init(&server);

/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
@@ -347,8 +347,8 @@ void ssl_mock_tcp_interleaving(int blocking)
recv = mbedtls_test_mock_tcp_recv_b;
}

mbedtls_mock_socket_init(&client);
mbedtls_mock_socket_init(&server);
mbedtls_test_mock_socket_init(&client);
mbedtls_test_mock_socket_init(&server);

/* Fill up the buffers with structured data so that unwanted changes
* can be detected */
12 changes: 12 additions & 0 deletions tests/suites/test_suite_timing.function
@@ -29,8 +29,20 @@ void timing_hardclock()
void timing_get_timer()
{
struct mbedtls_timing_hr_time time;

memset(&time, 0, sizeof(time));

(void) mbedtls_timing_get_timer(&time, 1);

/* Check that a non-zero time was written back */
int all_zero = 1;
for (size_t i = 0; i < sizeof(time); i++) {
all_zero &= ((unsigned char *) &time)[i] == 0;
}
TEST_ASSERT(!all_zero);

(void) mbedtls_timing_get_timer(&time, 0);

/* This goto is added to avoid warnings from the generated code. */
goto exit;
}
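Review bot: the new non-zero check (`all_zero &= ((unsigned char *) &time)[i] == 0;` over `sizeof(time)`) can fail spuriously on a platform whose clock source legitimately returns zero, for example a monotonic counter read immediately after it was reset; it also scans any padding bytes in `struct mbedtls_timing_hr_time`, which is harmless only because of the preceding `memset`. Worth a comment, and if the intent is to check that the reset call actually writes to the struct, a stronger and clock-independent test is to fill the struct with a non-zero pattern before the call and assert it changed.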
4 changes: 2 additions & 2 deletions tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
Check compile time library version
check_compiletime_version:"2.28.2"
check_compiletime_version:"2.28.3"

Check runtime library version
check_runtime_version:"2.28.2"
check_runtime_version:"2.28.3"

Check for MBEDTLS_VERSION_C
check_feature:"MBEDTLS_VERSION_C":0
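Review bot: bumping the expected string to `"2.28.3"` in both `check_compiletime_version` and `check_runtime_version` only passes if the library's compile-time version string (`MBEDTLS_VERSION_STRING`) and the value returned at runtime are changed in the same PR; please confirm the version header and ChangeLog entries are part of this compare range, since this hunk alone would make both cases fail against a 2.28.2 library.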