mirror of
https://github.com/polhenarejos/pico-hsm.git
synced 2024-09-20 11:20:08 +00:00
Not used as they are pulled from submodule
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
parent
71cf36bbe1
commit
34a0027e78
132
aesni.h
132
aesni.h
@ -1,132 +0,0 @@
|
||||
/**
|
||||
* \file aesni.h
|
||||
*
|
||||
* \brief AES-NI for hardware AES acceleration on some Intel processors
|
||||
*
|
||||
* \warning These functions are only for internal use by other library
|
||||
* functions; you must not call them directly.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#ifndef MBEDTLS_AESNI_H
|
||||
#define MBEDTLS_AESNI_H
|
||||
|
||||
#include "mbedtls/build_info.h"
|
||||
|
||||
#include "mbedtls/aes.h"
|
||||
|
||||
#define MBEDTLS_AESNI_AES 0x02000000u
|
||||
#define MBEDTLS_AESNI_CLMUL 0x00000002u
|
||||
|
||||
#if defined(MBEDTLS_HAVE_ASM) && defined(__GNUC__) && \
|
||||
( defined(__amd64__) || defined(__x86_64__) ) && \
|
||||
! defined(MBEDTLS_HAVE_X86_64)
|
||||
#define MBEDTLS_HAVE_X86_64
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_HAVE_X86_64)
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \brief Internal function to detect the AES-NI feature in CPUs.
|
||||
*
|
||||
* \note This function is only for internal use by other library
|
||||
* functions; you must not call it directly.
|
||||
*
|
||||
* \param what The feature to detect
|
||||
* (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
|
||||
*
|
||||
* \return 1 if CPU has support for the feature, 0 otherwise
|
||||
*/
|
||||
int mbedtls_aesni_has_support( unsigned int what );
|
||||
|
||||
/**
|
||||
* \brief Internal AES-NI AES-ECB block encryption and decryption
|
||||
*
|
||||
* \note This function is only for internal use by other library
|
||||
* functions; you must not call it directly.
|
||||
*
|
||||
* \param ctx AES context
|
||||
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
|
||||
* \param input 16-byte input block
|
||||
* \param output 16-byte output block
|
||||
*
|
||||
* \return 0 on success (cannot fail)
|
||||
*/
|
||||
int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
|
||||
int mode,
|
||||
const unsigned char input[16],
|
||||
unsigned char output[16] );
|
||||
|
||||
/**
|
||||
* \brief Internal GCM multiplication: c = a * b in GF(2^128)
|
||||
*
|
||||
* \note This function is only for internal use by other library
|
||||
* functions; you must not call it directly.
|
||||
*
|
||||
* \param c Result
|
||||
* \param a First operand
|
||||
* \param b Second operand
|
||||
*
|
||||
* \note Both operands and result are bit strings interpreted as
|
||||
* elements of GF(2^128) as per the GCM spec.
|
||||
*/
|
||||
void mbedtls_aesni_gcm_mult( unsigned char c[16],
|
||||
const unsigned char a[16],
|
||||
const unsigned char b[16] );
|
||||
|
||||
/**
|
||||
* \brief Internal round key inversion. This function computes
|
||||
* decryption round keys from the encryption round keys.
|
||||
*
|
||||
* \note This function is only for internal use by other library
|
||||
* functions; you must not call it directly.
|
||||
*
|
||||
* \param invkey Round keys for the equivalent inverse cipher
|
||||
* \param fwdkey Original round keys (for encryption)
|
||||
* \param nr Number of rounds (that is, number of round keys minus one)
|
||||
*/
|
||||
void mbedtls_aesni_inverse_key( unsigned char *invkey,
|
||||
const unsigned char *fwdkey,
|
||||
int nr );
|
||||
|
||||
/**
|
||||
* \brief Internal key expansion for encryption
|
||||
*
|
||||
* \note This function is only for internal use by other library
|
||||
* functions; you must not call it directly.
|
||||
*
|
||||
* \param rk Destination buffer where the round keys are written
|
||||
* \param key Encryption key
|
||||
* \param bits Key size in bits (must be 128, 192 or 256)
|
||||
*
|
||||
* \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
|
||||
*/
|
||||
int mbedtls_aesni_setkey_enc( unsigned char *rk,
|
||||
const unsigned char *key,
|
||||
size_t bits );
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_HAVE_X86_64 */
|
||||
|
||||
#endif /* MBEDTLS_AESNI_H */
|
974
bn_mul.h
974
bn_mul.h
@ -1,974 +0,0 @@
|
||||
/**
|
||||
* \file bn_mul.h
|
||||
*
|
||||
* \brief Multi-precision integer library
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
/*
|
||||
* Multiply source vector [s] with b, add result
|
||||
* to destination vector [d] and set carry c.
|
||||
*
|
||||
* Currently supports:
|
||||
*
|
||||
* . IA-32 (386+) . AMD64 / EM64T
|
||||
* . IA-32 (SSE2) . Motorola 68000
|
||||
* . PowerPC, 32-bit . MicroBlaze
|
||||
* . PowerPC, 64-bit . TriCore
|
||||
* . SPARC v8 . ARM v3+
|
||||
* . Alpha . MIPS32
|
||||
* . C, longlong . C, generic
|
||||
*/
|
||||
#ifndef MBEDTLS_BN_MUL_H
|
||||
#define MBEDTLS_BN_MUL_H
|
||||
|
||||
#include "mbedtls/build_info.h"
|
||||
|
||||
#include "mbedtls/bignum.h"
|
||||
|
||||
|
||||
/*
|
||||
* Conversion macros for embedded constants:
|
||||
* build lists of mbedtls_mpi_uint's from lists of unsigned char's grouped by 8, 4 or 2
|
||||
*/
|
||||
#if defined(MBEDTLS_HAVE_INT32)
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
|
||||
( (mbedtls_mpi_uint) (a) << 0 ) | \
|
||||
( (mbedtls_mpi_uint) (b) << 8 ) | \
|
||||
( (mbedtls_mpi_uint) (c) << 16 ) | \
|
||||
( (mbedtls_mpi_uint) (d) << 24 )
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
|
||||
MBEDTLS_BYTES_TO_T_UINT_4( a, b, 0, 0 )
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
|
||||
MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ), \
|
||||
MBEDTLS_BYTES_TO_T_UINT_4( e, f, g, h )
|
||||
|
||||
#else /* 64-bits */
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, e, f, g, h ) \
|
||||
( (mbedtls_mpi_uint) (a) << 0 ) | \
|
||||
( (mbedtls_mpi_uint) (b) << 8 ) | \
|
||||
( (mbedtls_mpi_uint) (c) << 16 ) | \
|
||||
( (mbedtls_mpi_uint) (d) << 24 ) | \
|
||||
( (mbedtls_mpi_uint) (e) << 32 ) | \
|
||||
( (mbedtls_mpi_uint) (f) << 40 ) | \
|
||||
( (mbedtls_mpi_uint) (g) << 48 ) | \
|
||||
( (mbedtls_mpi_uint) (h) << 56 )
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_4( a, b, c, d ) \
|
||||
MBEDTLS_BYTES_TO_T_UINT_8( a, b, c, d, 0, 0, 0, 0 )
|
||||
|
||||
#define MBEDTLS_BYTES_TO_T_UINT_2( a, b ) \
|
||||
MBEDTLS_BYTES_TO_T_UINT_8( a, b, 0, 0, 0, 0, 0, 0 )
|
||||
|
||||
#endif /* bits in mbedtls_mpi_uint */
|
||||
|
||||
#if defined(MBEDTLS_HAVE_ASM)
|
||||
|
||||
#ifndef asm
|
||||
#define asm __asm
|
||||
#endif
|
||||
|
||||
/* armcc5 --gnu defines __GNUC__ but doesn't support GNU's extended asm */
|
||||
#if defined(__GNUC__) && \
|
||||
( !defined(__ARMCC_VERSION) || __ARMCC_VERSION >= 6000000 )
|
||||
|
||||
/*
|
||||
* Disable use of the i386 assembly code below if option -O0, to disable all
|
||||
* compiler optimisations, is passed, detected with __OPTIMIZE__
|
||||
* This is done as the number of registers used in the assembly code doesn't
|
||||
* work with the -O0 option.
|
||||
*/
|
||||
#if defined(__i386__) && defined(__OPTIMIZE__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"movl %%ebx, %0 \n\t" \
|
||||
"movl %5, %%esi \n\t" \
|
||||
"movl %6, %%edi \n\t" \
|
||||
"movl %7, %%ecx \n\t" \
|
||||
"movl %8, %%ebx \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"lodsl \n\t" \
|
||||
"mull %%ebx \n\t" \
|
||||
"addl %%ecx, %%eax \n\t" \
|
||||
"adcl $0, %%edx \n\t" \
|
||||
"addl (%%edi), %%eax \n\t" \
|
||||
"adcl $0, %%edx \n\t" \
|
||||
"movl %%edx, %%ecx \n\t" \
|
||||
"stosl \n\t"
|
||||
|
||||
#if defined(MBEDTLS_HAVE_SSE2)
|
||||
|
||||
#define MULADDC_HUIT \
|
||||
"movd %%ecx, %%mm1 \n\t" \
|
||||
"movd %%ebx, %%mm0 \n\t" \
|
||||
"movd (%%edi), %%mm3 \n\t" \
|
||||
"paddq %%mm3, %%mm1 \n\t" \
|
||||
"movd (%%esi), %%mm2 \n\t" \
|
||||
"pmuludq %%mm0, %%mm2 \n\t" \
|
||||
"movd 4(%%esi), %%mm4 \n\t" \
|
||||
"pmuludq %%mm0, %%mm4 \n\t" \
|
||||
"movd 8(%%esi), %%mm6 \n\t" \
|
||||
"pmuludq %%mm0, %%mm6 \n\t" \
|
||||
"movd 12(%%esi), %%mm7 \n\t" \
|
||||
"pmuludq %%mm0, %%mm7 \n\t" \
|
||||
"paddq %%mm2, %%mm1 \n\t" \
|
||||
"movd 4(%%edi), %%mm3 \n\t" \
|
||||
"paddq %%mm4, %%mm3 \n\t" \
|
||||
"movd 8(%%edi), %%mm5 \n\t" \
|
||||
"paddq %%mm6, %%mm5 \n\t" \
|
||||
"movd 12(%%edi), %%mm4 \n\t" \
|
||||
"paddq %%mm4, %%mm7 \n\t" \
|
||||
"movd %%mm1, (%%edi) \n\t" \
|
||||
"movd 16(%%esi), %%mm2 \n\t" \
|
||||
"pmuludq %%mm0, %%mm2 \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"movd 20(%%esi), %%mm4 \n\t" \
|
||||
"pmuludq %%mm0, %%mm4 \n\t" \
|
||||
"paddq %%mm3, %%mm1 \n\t" \
|
||||
"movd 24(%%esi), %%mm6 \n\t" \
|
||||
"pmuludq %%mm0, %%mm6 \n\t" \
|
||||
"movd %%mm1, 4(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"movd 28(%%esi), %%mm3 \n\t" \
|
||||
"pmuludq %%mm0, %%mm3 \n\t" \
|
||||
"paddq %%mm5, %%mm1 \n\t" \
|
||||
"movd 16(%%edi), %%mm5 \n\t" \
|
||||
"paddq %%mm5, %%mm2 \n\t" \
|
||||
"movd %%mm1, 8(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"paddq %%mm7, %%mm1 \n\t" \
|
||||
"movd 20(%%edi), %%mm5 \n\t" \
|
||||
"paddq %%mm5, %%mm4 \n\t" \
|
||||
"movd %%mm1, 12(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"paddq %%mm2, %%mm1 \n\t" \
|
||||
"movd 24(%%edi), %%mm5 \n\t" \
|
||||
"paddq %%mm5, %%mm6 \n\t" \
|
||||
"movd %%mm1, 16(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"paddq %%mm4, %%mm1 \n\t" \
|
||||
"movd 28(%%edi), %%mm5 \n\t" \
|
||||
"paddq %%mm5, %%mm3 \n\t" \
|
||||
"movd %%mm1, 20(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"paddq %%mm6, %%mm1 \n\t" \
|
||||
"movd %%mm1, 24(%%edi) \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"paddq %%mm3, %%mm1 \n\t" \
|
||||
"movd %%mm1, 28(%%edi) \n\t" \
|
||||
"addl $32, %%edi \n\t" \
|
||||
"addl $32, %%esi \n\t" \
|
||||
"psrlq $32, %%mm1 \n\t" \
|
||||
"movd %%mm1, %%ecx \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"emms \n\t" \
|
||||
"movl %4, %%ebx \n\t" \
|
||||
"movl %%ecx, %1 \n\t" \
|
||||
"movl %%edi, %2 \n\t" \
|
||||
"movl %%esi, %3 \n\t" \
|
||||
: "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "eax", "ebx", "ecx", "edx", "esi", "edi" \
|
||||
);
|
||||
|
||||
#else
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"movl %4, %%ebx \n\t" \
|
||||
"movl %%ecx, %1 \n\t" \
|
||||
"movl %%edi, %2 \n\t" \
|
||||
"movl %%esi, %3 \n\t" \
|
||||
: "=m" (t), "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (t), "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "eax", "ebx", "ecx", "edx", "esi", "edi" \
|
||||
);
|
||||
#endif /* SSE2 */
|
||||
#endif /* i386 */
|
||||
|
||||
#if defined(__amd64__) || defined (__x86_64__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"xorq %%r8, %%r8\n"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"movq (%%rsi), %%rax\n" \
|
||||
"mulq %%rbx\n" \
|
||||
"addq $8, %%rsi\n" \
|
||||
"addq %%rcx, %%rax\n" \
|
||||
"movq %%r8, %%rcx\n" \
|
||||
"adcq $0, %%rdx\n" \
|
||||
"nop \n" \
|
||||
"addq %%rax, (%%rdi)\n" \
|
||||
"adcq %%rdx, %%rcx\n" \
|
||||
"addq $8, %%rdi\n"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
: "+c" (c), "+D" (d), "+S" (s), "+m" (*(uint64_t (*)[16]) d) \
|
||||
: "b" (b), "m" (*(const uint64_t (*)[16]) s) \
|
||||
: "rax", "rdx", "r8" \
|
||||
);
|
||||
|
||||
#endif /* AMD64 */
|
||||
|
||||
#if defined(__aarch64__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm(
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldr x4, [%2], #8 \n\t" \
|
||||
"ldr x5, [%1] \n\t" \
|
||||
"mul x6, x4, %4 \n\t" \
|
||||
"umulh x7, x4, %4 \n\t" \
|
||||
"adds x5, x5, x6 \n\t" \
|
||||
"adc x7, x7, xzr \n\t" \
|
||||
"adds x5, x5, %0 \n\t" \
|
||||
"adc %0, x7, xzr \n\t" \
|
||||
"str x5, [%1], #8 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
: "+r" (c), "+r" (d), "+r" (s), "+m" (*(uint64_t (*)[16]) d) \
|
||||
: "r" (b), "m" (*(const uint64_t (*)[16]) s) \
|
||||
: "x4", "x5", "x6", "x7", "cc" \
|
||||
);
|
||||
|
||||
#endif /* Aarch64 */
|
||||
|
||||
#if defined(__mc68020__) || defined(__mcpu32__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"movl %3, %%a2 \n\t" \
|
||||
"movl %4, %%a3 \n\t" \
|
||||
"movl %5, %%d3 \n\t" \
|
||||
"movl %6, %%d2 \n\t" \
|
||||
"moveq #0, %%d0 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d4:%%d1 \n\t" \
|
||||
"addl %%d3, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d4 \n\t" \
|
||||
"moveq #0, %%d3 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"addxl %%d4, %%d3 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"movl %%d3, %0 \n\t" \
|
||||
"movl %%a3, %1 \n\t" \
|
||||
"movl %%a2, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "d0", "d1", "d2", "d3", "d4", "a2", "a3" \
|
||||
);
|
||||
|
||||
#define MULADDC_HUIT \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d4:%%d1 \n\t" \
|
||||
"addxl %%d3, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d4 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d3:%%d1 \n\t" \
|
||||
"addxl %%d4, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d3 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d4:%%d1 \n\t" \
|
||||
"addxl %%d3, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d4 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d3:%%d1 \n\t" \
|
||||
"addxl %%d4, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d3 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d4:%%d1 \n\t" \
|
||||
"addxl %%d3, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d4 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d3:%%d1 \n\t" \
|
||||
"addxl %%d4, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d3 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d4:%%d1 \n\t" \
|
||||
"addxl %%d3, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d4 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"movel %%a2@+, %%d1 \n\t" \
|
||||
"mulul %%d2, %%d3:%%d1 \n\t" \
|
||||
"addxl %%d4, %%d1 \n\t" \
|
||||
"addxl %%d0, %%d3 \n\t" \
|
||||
"addl %%d1, %%a3@+ \n\t" \
|
||||
"addxl %%d0, %%d3 \n\t"
|
||||
|
||||
#endif /* MC68000 */
|
||||
|
||||
#if defined(__powerpc64__) || defined(__ppc64__)
|
||||
|
||||
#if defined(__MACH__) && defined(__APPLE__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ld r3, %3 \n\t" \
|
||||
"ld r4, %4 \n\t" \
|
||||
"ld r5, %5 \n\t" \
|
||||
"ld r6, %6 \n\t" \
|
||||
"addi r3, r3, -8 \n\t" \
|
||||
"addi r4, r4, -8 \n\t" \
|
||||
"addic r5, r5, 0 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldu r7, 8(r3) \n\t" \
|
||||
"mulld r8, r7, r6 \n\t" \
|
||||
"mulhdu r9, r7, r6 \n\t" \
|
||||
"adde r8, r8, r5 \n\t" \
|
||||
"ld r7, 8(r4) \n\t" \
|
||||
"addze r5, r9 \n\t" \
|
||||
"addc r8, r8, r7 \n\t" \
|
||||
"stdu r8, 8(r4) \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"addze r5, r5 \n\t" \
|
||||
"addi r4, r4, 8 \n\t" \
|
||||
"addi r3, r3, 8 \n\t" \
|
||||
"std r5, %0 \n\t" \
|
||||
"std r4, %1 \n\t" \
|
||||
"std r3, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
|
||||
);
|
||||
|
||||
|
||||
#else /* __MACH__ && __APPLE__ */
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ld %%r3, %3 \n\t" \
|
||||
"ld %%r4, %4 \n\t" \
|
||||
"ld %%r5, %5 \n\t" \
|
||||
"ld %%r6, %6 \n\t" \
|
||||
"addi %%r3, %%r3, -8 \n\t" \
|
||||
"addi %%r4, %%r4, -8 \n\t" \
|
||||
"addic %%r5, %%r5, 0 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldu %%r7, 8(%%r3) \n\t" \
|
||||
"mulld %%r8, %%r7, %%r6 \n\t" \
|
||||
"mulhdu %%r9, %%r7, %%r6 \n\t" \
|
||||
"adde %%r8, %%r8, %%r5 \n\t" \
|
||||
"ld %%r7, 8(%%r4) \n\t" \
|
||||
"addze %%r5, %%r9 \n\t" \
|
||||
"addc %%r8, %%r8, %%r7 \n\t" \
|
||||
"stdu %%r8, 8(%%r4) \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"addze %%r5, %%r5 \n\t" \
|
||||
"addi %%r4, %%r4, 8 \n\t" \
|
||||
"addi %%r3, %%r3, 8 \n\t" \
|
||||
"std %%r5, %0 \n\t" \
|
||||
"std %%r4, %1 \n\t" \
|
||||
"std %%r3, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
|
||||
);
|
||||
|
||||
#endif /* __MACH__ && __APPLE__ */
|
||||
|
||||
#elif defined(__powerpc__) || defined(__ppc__) /* end PPC64/begin PPC32 */
|
||||
|
||||
#if defined(__MACH__) && defined(__APPLE__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"lwz r3, %3 \n\t" \
|
||||
"lwz r4, %4 \n\t" \
|
||||
"lwz r5, %5 \n\t" \
|
||||
"lwz r6, %6 \n\t" \
|
||||
"addi r3, r3, -4 \n\t" \
|
||||
"addi r4, r4, -4 \n\t" \
|
||||
"addic r5, r5, 0 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"lwzu r7, 4(r3) \n\t" \
|
||||
"mullw r8, r7, r6 \n\t" \
|
||||
"mulhwu r9, r7, r6 \n\t" \
|
||||
"adde r8, r8, r5 \n\t" \
|
||||
"lwz r7, 4(r4) \n\t" \
|
||||
"addze r5, r9 \n\t" \
|
||||
"addc r8, r8, r7 \n\t" \
|
||||
"stwu r8, 4(r4) \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"addze r5, r5 \n\t" \
|
||||
"addi r4, r4, 4 \n\t" \
|
||||
"addi r3, r3, 4 \n\t" \
|
||||
"stw r5, %0 \n\t" \
|
||||
"stw r4, %1 \n\t" \
|
||||
"stw r3, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
|
||||
);
|
||||
|
||||
#else /* __MACH__ && __APPLE__ */
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"lwz %%r3, %3 \n\t" \
|
||||
"lwz %%r4, %4 \n\t" \
|
||||
"lwz %%r5, %5 \n\t" \
|
||||
"lwz %%r6, %6 \n\t" \
|
||||
"addi %%r3, %%r3, -4 \n\t" \
|
||||
"addi %%r4, %%r4, -4 \n\t" \
|
||||
"addic %%r5, %%r5, 0 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"lwzu %%r7, 4(%%r3) \n\t" \
|
||||
"mullw %%r8, %%r7, %%r6 \n\t" \
|
||||
"mulhwu %%r9, %%r7, %%r6 \n\t" \
|
||||
"adde %%r8, %%r8, %%r5 \n\t" \
|
||||
"lwz %%r7, 4(%%r4) \n\t" \
|
||||
"addze %%r5, %%r9 \n\t" \
|
||||
"addc %%r8, %%r8, %%r7 \n\t" \
|
||||
"stwu %%r8, 4(%%r4) \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"addze %%r5, %%r5 \n\t" \
|
||||
"addi %%r4, %%r4, 4 \n\t" \
|
||||
"addi %%r3, %%r3, 4 \n\t" \
|
||||
"stw %%r5, %0 \n\t" \
|
||||
"stw %%r4, %1 \n\t" \
|
||||
"stw %%r3, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r3", "r4", "r5", "r6", "r7", "r8", "r9" \
|
||||
);
|
||||
|
||||
#endif /* __MACH__ && __APPLE__ */
|
||||
|
||||
#endif /* PPC32 */
|
||||
|
||||
/*
|
||||
* The Sparc(64) assembly is reported to be broken.
|
||||
* Disable it for now, until we're able to fix it.
|
||||
*/
|
||||
#if 0 && defined(__sparc__)
|
||||
#if defined(__sparc64__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ldx %3, %%o0 \n\t" \
|
||||
"ldx %4, %%o1 \n\t" \
|
||||
"ld %5, %%o2 \n\t" \
|
||||
"ld %6, %%o3 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ld [%%o0], %%o4 \n\t" \
|
||||
"inc 4, %%o0 \n\t" \
|
||||
"ld [%%o1], %%o5 \n\t" \
|
||||
"umul %%o3, %%o4, %%o4 \n\t" \
|
||||
"addcc %%o4, %%o2, %%o4 \n\t" \
|
||||
"rd %%y, %%g1 \n\t" \
|
||||
"addx %%g1, 0, %%g1 \n\t" \
|
||||
"addcc %%o4, %%o5, %%o4 \n\t" \
|
||||
"st %%o4, [%%o1] \n\t" \
|
||||
"addx %%g1, 0, %%o2 \n\t" \
|
||||
"inc 4, %%o1 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"st %%o2, %0 \n\t" \
|
||||
"stx %%o1, %1 \n\t" \
|
||||
"stx %%o0, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "g1", "o0", "o1", "o2", "o3", "o4", \
|
||||
"o5" \
|
||||
);
|
||||
|
||||
#else /* __sparc64__ */
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ld %3, %%o0 \n\t" \
|
||||
"ld %4, %%o1 \n\t" \
|
||||
"ld %5, %%o2 \n\t" \
|
||||
"ld %6, %%o3 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ld [%%o0], %%o4 \n\t" \
|
||||
"inc 4, %%o0 \n\t" \
|
||||
"ld [%%o1], %%o5 \n\t" \
|
||||
"umul %%o3, %%o4, %%o4 \n\t" \
|
||||
"addcc %%o4, %%o2, %%o4 \n\t" \
|
||||
"rd %%y, %%g1 \n\t" \
|
||||
"addx %%g1, 0, %%g1 \n\t" \
|
||||
"addcc %%o4, %%o5, %%o4 \n\t" \
|
||||
"st %%o4, [%%o1] \n\t" \
|
||||
"addx %%g1, 0, %%o2 \n\t" \
|
||||
"inc 4, %%o1 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"st %%o2, %0 \n\t" \
|
||||
"st %%o1, %1 \n\t" \
|
||||
"st %%o0, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "g1", "o0", "o1", "o2", "o3", "o4", \
|
||||
"o5" \
|
||||
);
|
||||
|
||||
#endif /* __sparc64__ */
|
||||
#endif /* __sparc__ */
|
||||
|
||||
#if defined(__microblaze__) || defined(microblaze)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"lwi r3, %3 \n\t" \
|
||||
"lwi r4, %4 \n\t" \
|
||||
"lwi r5, %5 \n\t" \
|
||||
"lwi r6, %6 \n\t" \
|
||||
"andi r7, r6, 0xffff \n\t" \
|
||||
"bsrli r6, r6, 16 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"lhui r8, r3, 0 \n\t" \
|
||||
"addi r3, r3, 2 \n\t" \
|
||||
"lhui r9, r3, 0 \n\t" \
|
||||
"addi r3, r3, 2 \n\t" \
|
||||
"mul r10, r9, r6 \n\t" \
|
||||
"mul r11, r8, r7 \n\t" \
|
||||
"mul r12, r9, r7 \n\t" \
|
||||
"mul r13, r8, r6 \n\t" \
|
||||
"bsrli r8, r10, 16 \n\t" \
|
||||
"bsrli r9, r11, 16 \n\t" \
|
||||
"add r13, r13, r8 \n\t" \
|
||||
"add r13, r13, r9 \n\t" \
|
||||
"bslli r10, r10, 16 \n\t" \
|
||||
"bslli r11, r11, 16 \n\t" \
|
||||
"add r12, r12, r10 \n\t" \
|
||||
"addc r13, r13, r0 \n\t" \
|
||||
"add r12, r12, r11 \n\t" \
|
||||
"addc r13, r13, r0 \n\t" \
|
||||
"lwi r10, r4, 0 \n\t" \
|
||||
"add r12, r12, r10 \n\t" \
|
||||
"addc r13, r13, r0 \n\t" \
|
||||
"add r12, r12, r5 \n\t" \
|
||||
"addc r5, r13, r0 \n\t" \
|
||||
"swi r12, r4, 0 \n\t" \
|
||||
"addi r4, r4, 4 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"swi r5, %0 \n\t" \
|
||||
"swi r4, %1 \n\t" \
|
||||
"swi r3, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r3", "r4", "r5", "r6", "r7", "r8", \
|
||||
"r9", "r10", "r11", "r12", "r13" \
|
||||
);
|
||||
|
||||
#endif /* MicroBlaze */
|
||||
|
||||
#if defined(__tricore__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ld.a %%a2, %3 \n\t" \
|
||||
"ld.a %%a3, %4 \n\t" \
|
||||
"ld.w %%d4, %5 \n\t" \
|
||||
"ld.w %%d1, %6 \n\t" \
|
||||
"xor %%d5, %%d5 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ld.w %%d0, [%%a2+] \n\t" \
|
||||
"madd.u %%e2, %%e4, %%d0, %%d1 \n\t" \
|
||||
"ld.w %%d0, [%%a3] \n\t" \
|
||||
"addx %%d2, %%d2, %%d0 \n\t" \
|
||||
"addc %%d3, %%d3, 0 \n\t" \
|
||||
"mov %%d4, %%d3 \n\t" \
|
||||
"st.w [%%a3+], %%d2 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"st.w %0, %%d4 \n\t" \
|
||||
"st.a %1, %%a3 \n\t" \
|
||||
"st.a %2, %%a2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "d0", "d1", "e2", "d4", "a2", "a3" \
|
||||
);
|
||||
|
||||
#endif /* TriCore */
|
||||
|
||||
/*
|
||||
* Note, gcc -O0 by default uses r7 for the frame pointer, so it complains about
|
||||
* our use of r7 below, unless -fomit-frame-pointer is passed.
|
||||
*
|
||||
* On the other hand, -fomit-frame-pointer is implied by any -Ox options with
|
||||
* x !=0, which we can detect using __OPTIMIZE__ (which is also defined by
|
||||
* clang and armcc5 under the same conditions).
|
||||
*
|
||||
* So, only use the optimized assembly below for optimized build, which avoids
|
||||
* the build error and is pretty reasonable anyway.
|
||||
*/
|
||||
#if defined(__GNUC__) && !defined(__OPTIMIZE__)
|
||||
#define MULADDC_CANNOT_USE_R7
|
||||
#endif
|
||||
|
||||
#if defined(__arm__) && !defined(MULADDC_CANNOT_USE_R7)
|
||||
|
||||
#if defined(__thumb__) && !defined(__thumb2__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ldr r0, %3 \n\t" \
|
||||
"ldr r1, %4 \n\t" \
|
||||
"ldr r2, %5 \n\t" \
|
||||
"ldr r3, %6 \n\t" \
|
||||
"lsr r7, r3, #16 \n\t" \
|
||||
"mov r9, r7 \n\t" \
|
||||
"lsl r7, r3, #16 \n\t" \
|
||||
"lsr r7, r7, #16 \n\t" \
|
||||
"mov r8, r7 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldmia r0!, {r6} \n\t" \
|
||||
"lsr r7, r6, #16 \n\t" \
|
||||
"lsl r6, r6, #16 \n\t" \
|
||||
"lsr r6, r6, #16 \n\t" \
|
||||
"mov r4, r8 \n\t" \
|
||||
"mul r4, r6 \n\t" \
|
||||
"mov r3, r9 \n\t" \
|
||||
"mul r6, r3 \n\t" \
|
||||
"mov r5, r9 \n\t" \
|
||||
"mul r5, r7 \n\t" \
|
||||
"mov r3, r8 \n\t" \
|
||||
"mul r7, r3 \n\t" \
|
||||
"lsr r3, r6, #16 \n\t" \
|
||||
"add r5, r5, r3 \n\t" \
|
||||
"lsr r3, r7, #16 \n\t" \
|
||||
"add r5, r5, r3 \n\t" \
|
||||
"add r4, r4, r2 \n\t" \
|
||||
"mov r2, #0 \n\t" \
|
||||
"adc r5, r2 \n\t" \
|
||||
"lsl r3, r6, #16 \n\t" \
|
||||
"add r4, r4, r3 \n\t" \
|
||||
"adc r5, r2 \n\t" \
|
||||
"lsl r3, r7, #16 \n\t" \
|
||||
"add r4, r4, r3 \n\t" \
|
||||
"adc r5, r2 \n\t" \
|
||||
"ldr r3, [r1] \n\t" \
|
||||
"add r4, r4, r3 \n\t" \
|
||||
"adc r2, r5 \n\t" \
|
||||
"stmia r1!, {r4} \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"str r2, %0 \n\t" \
|
||||
"str r1, %1 \n\t" \
|
||||
"str r0, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r0", "r1", "r2", "r3", "r4", "r5", \
|
||||
"r6", "r7", "r8", "r9", "cc" \
|
||||
);
|
||||
|
||||
#elif (__ARM_ARCH >= 6) && \
|
||||
defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm(
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldr r0, [%0], #4 \n\t" \
|
||||
"ldr r1, [%1] \n\t" \
|
||||
"umaal r1, %2, %3, r0 \n\t" \
|
||||
"str r1, [%1], #4 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
: "=r" (s), "=r" (d), "=r" (c) \
|
||||
: "r" (b), "0" (s), "1" (d), "2" (c) \
|
||||
: "r0", "r1", "memory" \
|
||||
);
|
||||
|
||||
#else
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ldr r0, %3 \n\t" \
|
||||
"ldr r1, %4 \n\t" \
|
||||
"ldr r2, %5 \n\t" \
|
||||
"ldr r3, %6 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldr r4, [r0], #4 \n\t" \
|
||||
"mov r5, #0 \n\t" \
|
||||
"ldr r6, [r1] \n\t" \
|
||||
"umlal r2, r5, r3, r4 \n\t" \
|
||||
"adds r7, r6, r2 \n\t" \
|
||||
"adc r2, r5, #0 \n\t" \
|
||||
"str r7, [r1], #4 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"str r2, %0 \n\t" \
|
||||
"str r1, %1 \n\t" \
|
||||
"str r0, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "r0", "r1", "r2", "r3", "r4", "r5", \
|
||||
"r6", "r7", "cc" \
|
||||
);
|
||||
|
||||
#endif /* Thumb */
|
||||
|
||||
#endif /* ARMv3 */
|
||||
|
||||
#if defined(__alpha__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"ldq $1, %3 \n\t" \
|
||||
"ldq $2, %4 \n\t" \
|
||||
"ldq $3, %5 \n\t" \
|
||||
"ldq $4, %6 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"ldq $6, 0($1) \n\t" \
|
||||
"addq $1, 8, $1 \n\t" \
|
||||
"mulq $6, $4, $7 \n\t" \
|
||||
"umulh $6, $4, $6 \n\t" \
|
||||
"addq $7, $3, $7 \n\t" \
|
||||
"cmpult $7, $3, $3 \n\t" \
|
||||
"ldq $5, 0($2) \n\t" \
|
||||
"addq $7, $5, $7 \n\t" \
|
||||
"cmpult $7, $5, $5 \n\t" \
|
||||
"stq $7, 0($2) \n\t" \
|
||||
"addq $2, 8, $2 \n\t" \
|
||||
"addq $6, $3, $3 \n\t" \
|
||||
"addq $5, $3, $3 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"stq $3, %0 \n\t" \
|
||||
"stq $2, %1 \n\t" \
|
||||
"stq $1, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "$1", "$2", "$3", "$4", "$5", "$6", "$7" \
|
||||
);
|
||||
#endif /* Alpha */
|
||||
|
||||
#if defined(__mips__) && !defined(__mips64)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
asm( \
|
||||
"lw $10, %3 \n\t" \
|
||||
"lw $11, %4 \n\t" \
|
||||
"lw $12, %5 \n\t" \
|
||||
"lw $13, %6 \n\t"
|
||||
|
||||
#define MULADDC_CORE \
|
||||
"lw $14, 0($10) \n\t" \
|
||||
"multu $13, $14 \n\t" \
|
||||
"addi $10, $10, 4 \n\t" \
|
||||
"mflo $14 \n\t" \
|
||||
"mfhi $9 \n\t" \
|
||||
"addu $14, $12, $14 \n\t" \
|
||||
"lw $15, 0($11) \n\t" \
|
||||
"sltu $12, $14, $12 \n\t" \
|
||||
"addu $15, $14, $15 \n\t" \
|
||||
"sltu $14, $15, $14 \n\t" \
|
||||
"addu $12, $12, $9 \n\t" \
|
||||
"sw $15, 0($11) \n\t" \
|
||||
"addu $12, $12, $14 \n\t" \
|
||||
"addi $11, $11, 4 \n\t"
|
||||
|
||||
#define MULADDC_STOP \
|
||||
"sw $12, %0 \n\t" \
|
||||
"sw $11, %1 \n\t" \
|
||||
"sw $10, %2 \n\t" \
|
||||
: "=m" (c), "=m" (d), "=m" (s) \
|
||||
: "m" (s), "m" (d), "m" (c), "m" (b) \
|
||||
: "$9", "$10", "$11", "$12", "$13", "$14", "$15", "lo", "hi" \
|
||||
);
|
||||
|
||||
#endif /* MIPS */
|
||||
#endif /* GNUC */
|
||||
|
||||
#if (defined(_MSC_VER) && defined(_M_IX86)) || defined(__WATCOMC__)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
__asm mov esi, s \
|
||||
__asm mov edi, d \
|
||||
__asm mov ecx, c \
|
||||
__asm mov ebx, b
|
||||
|
||||
#define MULADDC_CORE \
|
||||
__asm lodsd \
|
||||
__asm mul ebx \
|
||||
__asm add eax, ecx \
|
||||
__asm adc edx, 0 \
|
||||
__asm add eax, [edi] \
|
||||
__asm adc edx, 0 \
|
||||
__asm mov ecx, edx \
|
||||
__asm stosd
|
||||
|
||||
#if defined(MBEDTLS_HAVE_SSE2)
|
||||
|
||||
#define EMIT __asm _emit
|
||||
|
||||
#define MULADDC_HUIT \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0xC9 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0xC3 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x1F \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x16 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x04 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x08 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x7E EMIT 0x0C \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xF8 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x5F EMIT 0x04 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xDC \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x08 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xEE \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x67 EMIT 0x0C \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xFC \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x0F \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x56 EMIT 0x10 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xD0 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x66 EMIT 0x14 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xE0 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x76 EMIT 0x18 \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xF0 \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x04 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x5E EMIT 0x1C \
|
||||
EMIT 0x0F EMIT 0xF4 EMIT 0xD8 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCD \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x10 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xD5 \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x08 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCF \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x14 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xE5 \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x0C \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCA \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x18 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xF5 \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x10 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCC \
|
||||
EMIT 0x0F EMIT 0x6E EMIT 0x6F EMIT 0x1C \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xDD \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x14 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCE \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x18 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0xD4 EMIT 0xCB \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0x4F EMIT 0x1C \
|
||||
EMIT 0x83 EMIT 0xC7 EMIT 0x20 \
|
||||
EMIT 0x83 EMIT 0xC6 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0x73 EMIT 0xD1 EMIT 0x20 \
|
||||
EMIT 0x0F EMIT 0x7E EMIT 0xC9
|
||||
|
||||
#define MULADDC_STOP \
|
||||
EMIT 0x0F EMIT 0x77 \
|
||||
__asm mov c, ecx \
|
||||
__asm mov d, edi \
|
||||
__asm mov s, esi \
|
||||
|
||||
#else
|
||||
|
||||
#define MULADDC_STOP \
|
||||
__asm mov c, ecx \
|
||||
__asm mov d, edi \
|
||||
__asm mov s, esi \
|
||||
|
||||
#endif /* SSE2 */
|
||||
#endif /* MSVC */
|
||||
|
||||
#endif /* MBEDTLS_HAVE_ASM */
|
||||
|
||||
#if !defined(MULADDC_CORE)
|
||||
#if defined(MBEDTLS_HAVE_UDBL)
|
||||
|
||||
#define MULADDC_INIT \
|
||||
{ \
|
||||
mbedtls_t_udbl r; \
|
||||
mbedtls_mpi_uint r0, r1;
|
||||
|
||||
#define MULADDC_CORE \
|
||||
r = *(s++) * (mbedtls_t_udbl) b; \
|
||||
r0 = (mbedtls_mpi_uint) r; \
|
||||
r1 = (mbedtls_mpi_uint)( r >> biL ); \
|
||||
r0 += c; r1 += (r0 < c); \
|
||||
r0 += *d; r1 += (r0 < *d); \
|
||||
c = r1; *(d++) = r0;
|
||||
|
||||
#define MULADDC_STOP \
|
||||
}
|
||||
|
||||
#else
|
||||
#define MULADDC_INIT \
|
||||
{ \
|
||||
mbedtls_mpi_uint s0, s1, b0, b1; \
|
||||
mbedtls_mpi_uint r0, r1, rx, ry; \
|
||||
b0 = ( b << biH ) >> biH; \
|
||||
b1 = ( b >> biH );
|
||||
|
||||
#define MULADDC_CORE \
|
||||
s0 = ( *s << biH ) >> biH; \
|
||||
s1 = ( *s >> biH ); s++; \
|
||||
rx = s0 * b1; r0 = s0 * b0; \
|
||||
ry = s1 * b0; r1 = s1 * b1; \
|
||||
r1 += ( rx >> biH ); \
|
||||
r1 += ( ry >> biH ); \
|
||||
rx <<= biH; ry <<= biH; \
|
||||
r0 += rx; r1 += (r0 < rx); \
|
||||
r0 += ry; r1 += (r0 < ry); \
|
||||
r0 += c; r1 += (r0 < c); \
|
||||
r0 += *d; r1 += (r0 < *d); \
|
||||
c = r1; *(d++) = r0;
|
||||
|
||||
#define MULADDC_STOP \
|
||||
}
|
||||
|
||||
#endif /* C (generic) */
|
||||
#endif /* C (longlong) */
|
||||
|
||||
#endif /* bn_mul.h */
|
801
constant_time.c
801
constant_time.c
@ -1,801 +0,0 @@
|
||||
/**
|
||||
* Constant-time functions
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
/*
|
||||
* The following functions are implemented without using comparison operators, as those
|
||||
* might be translated to branches by some compilers on some platforms.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
#include "constant_time_internal.h"
|
||||
#include "mbedtls/constant_time.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
#include "mbedtls/bignum.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C)
|
||||
#include "ssl_misc.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#include "mbedtls/rsa.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_BASE64_C)
|
||||
#include "constant_time_invasive.h"
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
int mbedtls_ct_memcmp( const void *a,
|
||||
const void *b,
|
||||
size_t n )
|
||||
{
|
||||
size_t i;
|
||||
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
||||
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
||||
volatile unsigned char diff = 0;
|
||||
|
||||
for( i = 0; i < n; i++ )
|
||||
{
|
||||
/* Read volatile data in order before computing diff.
|
||||
* This avoids IAR compiler warning:
|
||||
* 'the order of volatile accesses is undefined ..' */
|
||||
unsigned char x = A[i], y = B[i];
|
||||
diff |= x ^ y;
|
||||
}
|
||||
|
||||
return( (int)diff );
|
||||
}
|
||||
|
||||
unsigned mbedtls_ct_uint_mask( unsigned value )
|
||||
{
|
||||
/* MSVC has a warning about unary minus on unsigned, but this is
|
||||
* well-defined and precisely what we want to do here */
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4146 )
|
||||
#endif
|
||||
return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( pop )
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
size_t mbedtls_ct_size_mask( size_t value )
|
||||
{
|
||||
/* MSVC has a warning about unary minus on unsigned integer types,
|
||||
* but this is well-defined and precisely what we want to do here. */
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4146 )
|
||||
#endif
|
||||
return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( pop )
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value )
|
||||
{
|
||||
/* MSVC has a warning about unary minus on unsigned, but this is
|
||||
* well-defined and precisely what we want to do here */
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4146 )
|
||||
#endif
|
||||
return( - ( ( value | - value ) >> ( sizeof( value ) * 8 - 1 ) ) );
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( pop )
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
/** Constant-flow mask generation for "less than" comparison:
|
||||
* - if \p x < \p y, return all-bits 1, that is (size_t) -1
|
||||
* - otherwise, return all bits 0, that is 0
|
||||
*
|
||||
* This function can be used to write constant-time code by replacing branches
|
||||
* with bit operations using masks.
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
*
|
||||
* \return All-bits-one if \p x is less than \p y, otherwise zero.
|
||||
*/
|
||||
static size_t mbedtls_ct_size_mask_lt( size_t x,
|
||||
size_t y )
|
||||
{
|
||||
/* This has the most significant bit set if and only if x < y */
|
||||
const size_t sub = x - y;
|
||||
|
||||
/* sub1 = (x < y) ? 1 : 0 */
|
||||
const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
|
||||
|
||||
/* mask = (x < y) ? 0xff... : 0x00... */
|
||||
const size_t mask = mbedtls_ct_size_mask( sub1 );
|
||||
|
||||
return( mask );
|
||||
}
|
||||
|
||||
size_t mbedtls_ct_size_mask_ge( size_t x,
|
||||
size_t y )
|
||||
{
|
||||
return( ~mbedtls_ct_size_mask_lt( x, y ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
#if defined(MBEDTLS_BASE64_C)
|
||||
|
||||
/* Return 0xff if low <= c <= high, 0 otherwise.
|
||||
*
|
||||
* Constant flow with respect to c.
|
||||
*/
|
||||
MBEDTLS_STATIC_TESTABLE
|
||||
unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low,
|
||||
unsigned char high,
|
||||
unsigned char c )
|
||||
{
|
||||
/* low_mask is: 0 if low <= c, 0x...ff if low > c */
|
||||
unsigned low_mask = ( (unsigned) c - low ) >> 8;
|
||||
/* high_mask is: 0 if c <= high, 0x...ff if c > high */
|
||||
unsigned high_mask = ( (unsigned) high - c ) >> 8;
|
||||
return( ~( low_mask | high_mask ) & 0xff );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BASE64_C */
|
||||
|
||||
unsigned mbedtls_ct_size_bool_eq( size_t x,
|
||||
size_t y )
|
||||
{
|
||||
/* diff = 0 if x == y, non-zero otherwise */
|
||||
const size_t diff = x ^ y;
|
||||
|
||||
/* MSVC has a warning about unary minus on unsigned integer types,
|
||||
* but this is well-defined and precisely what we want to do here. */
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4146 )
|
||||
#endif
|
||||
|
||||
/* diff_msb's most significant bit is equal to x != y */
|
||||
const size_t diff_msb = ( diff | (size_t) -diff );
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( pop )
|
||||
#endif
|
||||
|
||||
/* diff1 = (x != y) ? 1 : 0 */
|
||||
const unsigned diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
|
||||
|
||||
return( 1 ^ diff1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||
|
||||
/** Constant-flow "greater than" comparison:
|
||||
* return x > y
|
||||
*
|
||||
* This is equivalent to \p x > \p y, but is likely to be compiled
|
||||
* to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
*
|
||||
* \return 1 if \p x greater than \p y, otherwise 0.
|
||||
*/
|
||||
static unsigned mbedtls_ct_size_gt( size_t x,
|
||||
size_t y )
|
||||
{
|
||||
/* Return the sign bit (1 for negative) of (y - x). */
|
||||
return( ( y - x ) >> ( sizeof( size_t ) * 8 - 1 ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||
const mbedtls_mpi_uint y )
|
||||
{
|
||||
mbedtls_mpi_uint ret;
|
||||
mbedtls_mpi_uint cond;
|
||||
|
||||
/*
|
||||
* Check if the most significant bits (MSB) of the operands are different.
|
||||
*/
|
||||
cond = ( x ^ y );
|
||||
/*
|
||||
* If the MSB are the same then the difference x-y will be negative (and
|
||||
* have its MSB set to 1 during conversion to unsigned) if and only if x<y.
|
||||
*/
|
||||
ret = ( x - y ) & ~cond;
|
||||
/*
|
||||
* If the MSB are different, then the operand with the MSB of 1 is the
|
||||
* bigger. (That is if y has MSB of 1, then x<y is true and it is false if
|
||||
* the MSB of y is 0.)
|
||||
*/
|
||||
ret |= y & cond;
|
||||
|
||||
|
||||
ret = ret >> ( sizeof( mbedtls_mpi_uint ) * 8 - 1 );
|
||||
|
||||
return (unsigned) ret;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
unsigned mbedtls_ct_uint_if( unsigned condition,
|
||||
unsigned if1,
|
||||
unsigned if0 )
|
||||
{
|
||||
unsigned mask = mbedtls_ct_uint_mask( condition );
|
||||
return( ( mask & if1 ) | (~mask & if0 ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
/** Select between two sign values without branches.
|
||||
*
|
||||
* This is functionally equivalent to `condition ? if1 : if0` but uses only bit
|
||||
* operations in order to avoid branches.
|
||||
*
|
||||
* \note if1 and if0 must be either 1 or -1, otherwise the result
|
||||
* is undefined.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 The first sign; must be either +1 or -1.
|
||||
* \param if0 The second sign; must be either +1 or -1.
|
||||
*
|
||||
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
||||
* */
|
||||
static int mbedtls_ct_cond_select_sign( unsigned char condition,
|
||||
int if1,
|
||||
int if0 )
|
||||
{
|
||||
/* In order to avoid questions about what we can reasonably assume about
|
||||
* the representations of signed integers, move everything to unsigned
|
||||
* by taking advantage of the fact that if1 and if0 are either +1 or -1. */
|
||||
unsigned uif1 = if1 + 1;
|
||||
unsigned uif0 = if0 + 1;
|
||||
|
||||
/* condition was 0 or 1, mask is 0 or 2 as are uif1 and uif0 */
|
||||
const unsigned mask = condition << 1;
|
||||
|
||||
/* select uif1 or uif0 */
|
||||
unsigned ur = ( uif0 & ~mask ) | ( uif1 & mask );
|
||||
|
||||
/* ur is now 0 or 2, convert back to -1 or +1 */
|
||||
return( (int) ur - 1 );
|
||||
}
|
||||
|
||||
void mbedtls_ct_mpi_uint_cond_assign( size_t n,
|
||||
mbedtls_mpi_uint *dest,
|
||||
const mbedtls_mpi_uint *src,
|
||||
unsigned char condition )
|
||||
{
|
||||
size_t i;
|
||||
|
||||
/* MSVC has a warning about unary minus on unsigned integer types,
|
||||
* but this is well-defined and precisely what we want to do here. */
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( push )
|
||||
#pragma warning( disable : 4146 )
|
||||
#endif
|
||||
|
||||
/* all-bits 1 if condition is 1, all-bits 0 if condition is 0 */
|
||||
const mbedtls_mpi_uint mask = -condition;
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
#pragma warning( pop )
|
||||
#endif
|
||||
|
||||
for( i = 0; i < n; i++ )
|
||||
dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_BASE64_C)
|
||||
|
||||
unsigned char mbedtls_ct_base64_enc_char( unsigned char value )
|
||||
{
|
||||
unsigned char digit = 0;
|
||||
/* For each range of values, if value is in that range, mask digit with
|
||||
* the corresponding value. Since value can only be in a single range,
|
||||
* only at most one masking will change digit. */
|
||||
digit |= mbedtls_ct_uchar_mask_of_range( 0, 25, value ) & ( 'A' + value );
|
||||
digit |= mbedtls_ct_uchar_mask_of_range( 26, 51, value ) & ( 'a' + value - 26 );
|
||||
digit |= mbedtls_ct_uchar_mask_of_range( 52, 61, value ) & ( '0' + value - 52 );
|
||||
digit |= mbedtls_ct_uchar_mask_of_range( 62, 62, value ) & '+';
|
||||
digit |= mbedtls_ct_uchar_mask_of_range( 63, 63, value ) & '/';
|
||||
return( digit );
|
||||
}
|
||||
|
||||
signed char mbedtls_ct_base64_dec_value( unsigned char c )
|
||||
{
|
||||
unsigned char val = 0;
|
||||
/* For each range of digits, if c is in that range, mask val with
|
||||
* the corresponding value. Since c can only be in a single range,
|
||||
* only at most one masking will change val. Set val to one plus
|
||||
* the desired value so that it stays 0 if c is in none of the ranges. */
|
||||
val |= mbedtls_ct_uchar_mask_of_range( 'A', 'Z', c ) & ( c - 'A' + 0 + 1 );
|
||||
val |= mbedtls_ct_uchar_mask_of_range( 'a', 'z', c ) & ( c - 'a' + 26 + 1 );
|
||||
val |= mbedtls_ct_uchar_mask_of_range( '0', '9', c ) & ( c - '0' + 52 + 1 );
|
||||
val |= mbedtls_ct_uchar_mask_of_range( '+', '+', c ) & ( c - '+' + 62 + 1 );
|
||||
val |= mbedtls_ct_uchar_mask_of_range( '/', '/', c ) & ( c - '/' + 63 + 1 );
|
||||
/* At this point, val is 0 if c is an invalid digit and v+1 if c is
|
||||
* a digit with the value v. */
|
||||
return( val - 1 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BASE64_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||
|
||||
/** Shift some data towards the left inside a buffer.
|
||||
*
|
||||
* `mbedtls_ct_mem_move_to_left(start, total, offset)` is functionally
|
||||
* equivalent to
|
||||
* ```
|
||||
* memmove(start, start + offset, total - offset);
|
||||
* memset(start + offset, 0, total - offset);
|
||||
* ```
|
||||
* but it strives to use a memory access pattern (and thus total timing)
|
||||
* that does not depend on \p offset. This timing independence comes at
|
||||
* the expense of performance.
|
||||
*
|
||||
* \param start Pointer to the start of the buffer.
|
||||
* \param total Total size of the buffer.
|
||||
* \param offset Offset from which to copy \p total - \p offset bytes.
|
||||
*/
|
||||
static void mbedtls_ct_mem_move_to_left( void *start,
|
||||
size_t total,
|
||||
size_t offset )
|
||||
{
|
||||
volatile unsigned char *buf = start;
|
||||
size_t i, n;
|
||||
if( total == 0 )
|
||||
return;
|
||||
for( i = 0; i < total; i++ )
|
||||
{
|
||||
unsigned no_op = mbedtls_ct_size_gt( total - offset, i );
|
||||
/* The first `total - offset` passes are a no-op. The last
|
||||
* `offset` passes shift the data one byte to the left and
|
||||
* zero out the last byte. */
|
||||
for( n = 0; n < total - 1; n++ )
|
||||
{
|
||||
unsigned char current = buf[n];
|
||||
unsigned char next = buf[n+1];
|
||||
buf[n] = mbedtls_ct_uint_if( no_op, current, next );
|
||||
}
|
||||
buf[total-1] = mbedtls_ct_uint_if( no_op, buf[total-1], 0 );
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
|
||||
const unsigned char *src,
|
||||
size_t len,
|
||||
size_t c1,
|
||||
size_t c2 )
|
||||
{
|
||||
/* mask = c1 == c2 ? 0xff : 0x00 */
|
||||
const size_t equal = mbedtls_ct_size_bool_eq( c1, c2 );
|
||||
const unsigned char mask = (unsigned char) mbedtls_ct_size_mask( equal );
|
||||
|
||||
/* dest[i] = c1 == c2 ? src[i] : dest[i] */
|
||||
for( size_t i = 0; i < len; i++ )
|
||||
dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
|
||||
}
|
||||
|
||||
void mbedtls_ct_memcpy_offset( unsigned char *dest,
|
||||
const unsigned char *src,
|
||||
size_t offset,
|
||||
size_t offset_min,
|
||||
size_t offset_max,
|
||||
size_t len )
|
||||
{
|
||||
size_t offsetval;
|
||||
|
||||
for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
|
||||
{
|
||||
mbedtls_ct_memcpy_if_eq( dest, src + offsetval, len,
|
||||
offsetval, offset );
|
||||
}
|
||||
}
|
||||
|
||||
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
|
||||
const unsigned char *add_data,
|
||||
size_t add_data_len,
|
||||
const unsigned char *data,
|
||||
size_t data_len_secret,
|
||||
size_t min_data_len,
|
||||
size_t max_data_len,
|
||||
unsigned char *output )
|
||||
{
|
||||
/*
|
||||
* This function breaks the HMAC abstraction and uses the md_clone()
|
||||
* extension to the MD API in order to get constant-flow behaviour.
|
||||
*
|
||||
* HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
|
||||
* concatenation, and okey/ikey are the XOR of the key with some fixed bit
|
||||
* patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
|
||||
*
|
||||
* We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
|
||||
* minlen, then cloning the context, and for each byte up to maxlen
|
||||
* finishing up the hash computation, keeping only the correct result.
|
||||
*
|
||||
* Then we only need to compute HASH(okey + inner_hash) and we're done.
|
||||
*/
|
||||
const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
|
||||
/* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
|
||||
* all of which have the same block size except SHA-384. */
|
||||
const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
|
||||
const unsigned char * const ikey = ctx->hmac_ctx;
|
||||
const unsigned char * const okey = ikey + block_size;
|
||||
const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
|
||||
|
||||
unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
|
||||
mbedtls_md_context_t aux;
|
||||
size_t offset;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
mbedtls_md_init( &aux );
|
||||
|
||||
#define MD_CHK( func_call ) \
|
||||
do { \
|
||||
ret = (func_call); \
|
||||
if( ret != 0 ) \
|
||||
goto cleanup; \
|
||||
} while( 0 )
|
||||
|
||||
MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
|
||||
|
||||
/* After hmac_start() of hmac_reset(), ikey has already been hashed,
|
||||
* so we can start directly with the message */
|
||||
MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
|
||||
MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
|
||||
|
||||
/* For each possible length, compute the hash up to that point */
|
||||
for( offset = min_data_len; offset <= max_data_len; offset++ )
|
||||
{
|
||||
MD_CHK( mbedtls_md_clone( &aux, ctx ) );
|
||||
MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
|
||||
/* Keep only the correct inner_hash in the output buffer */
|
||||
mbedtls_ct_memcpy_if_eq( output, aux_out, hash_size,
|
||||
offset, data_len_secret );
|
||||
|
||||
if( offset < max_data_len )
|
||||
MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
|
||||
}
|
||||
|
||||
/* The context needs to finish() before it starts() again */
|
||||
MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
|
||||
|
||||
/* Now compute HASH(okey + inner_hash) */
|
||||
MD_CHK( mbedtls_md_starts( ctx ) );
|
||||
MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
|
||||
MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
|
||||
MD_CHK( mbedtls_md_finish( ctx, output ) );
|
||||
|
||||
/* Done, get ready for next time */
|
||||
MD_CHK( mbedtls_md_hmac_reset( ctx ) );
|
||||
|
||||
#undef MD_CHK
|
||||
|
||||
cleanup:
|
||||
mbedtls_md_free( &aux );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
#define MPI_VALIDATE_RET( cond ) \
|
||||
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_MPI_BAD_INPUT_DATA )
|
||||
|
||||
/*
|
||||
* Conditionally assign X = Y, without leaking information
|
||||
* about whether the assignment was made or not.
|
||||
* (Leaking information about the respective sizes of X and Y is ok however.)
|
||||
*/
|
||||
int mbedtls_mpi_safe_cond_assign( mbedtls_mpi *X,
|
||||
const mbedtls_mpi *Y,
|
||||
unsigned char assign )
|
||||
{
|
||||
int ret = 0;
|
||||
size_t i;
|
||||
mbedtls_mpi_uint limb_mask;
|
||||
MPI_VALIDATE_RET( X != NULL );
|
||||
MPI_VALIDATE_RET( Y != NULL );
|
||||
|
||||
/* all-bits 1 if assign is 1, all-bits 0 if assign is 0 */
|
||||
limb_mask = mbedtls_ct_mpi_uint_mask( assign );;
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||
|
||||
X->s = mbedtls_ct_cond_select_sign( assign, Y->s, X->s );
|
||||
|
||||
mbedtls_ct_mpi_uint_cond_assign( Y->n, X->p, Y->p, assign );
|
||||
|
||||
for( i = Y->n; i < X->n; i++ )
|
||||
X->p[i] &= ~limb_mask;
|
||||
|
||||
cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Conditionally swap X and Y, without leaking information
|
||||
* about whether the swap was made or not.
|
||||
* Here it is not ok to simply swap the pointers, which whould lead to
|
||||
* different memory access patterns when X and Y are used afterwards.
|
||||
*/
|
||||
int mbedtls_mpi_safe_cond_swap( mbedtls_mpi *X,
|
||||
mbedtls_mpi *Y,
|
||||
unsigned char swap )
|
||||
{
|
||||
int ret, s;
|
||||
size_t i;
|
||||
mbedtls_mpi_uint limb_mask;
|
||||
mbedtls_mpi_uint tmp;
|
||||
MPI_VALIDATE_RET( X != NULL );
|
||||
MPI_VALIDATE_RET( Y != NULL );
|
||||
|
||||
if( X == Y )
|
||||
return( 0 );
|
||||
|
||||
/* all-bits 1 if swap is 1, all-bits 0 if swap is 0 */
|
||||
limb_mask = mbedtls_ct_mpi_uint_mask( swap );
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, Y->n ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( Y, X->n ) );
|
||||
|
||||
s = X->s;
|
||||
X->s = mbedtls_ct_cond_select_sign( swap, Y->s, X->s );
|
||||
Y->s = mbedtls_ct_cond_select_sign( swap, s, Y->s );
|
||||
|
||||
|
||||
for( i = 0; i < X->n; i++ )
|
||||
{
|
||||
tmp = X->p[i];
|
||||
X->p[i] = ( X->p[i] & ~limb_mask ) | ( Y->p[i] & limb_mask );
|
||||
Y->p[i] = ( Y->p[i] & ~limb_mask ) | ( tmp & limb_mask );
|
||||
}
|
||||
|
||||
cleanup:
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Compare signed values in constant time
|
||||
*/
|
||||
int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
|
||||
const mbedtls_mpi *Y,
|
||||
unsigned *ret )
|
||||
{
|
||||
size_t i;
|
||||
/* The value of any of these variables is either 0 or 1 at all times. */
|
||||
unsigned cond, done, X_is_negative, Y_is_negative;
|
||||
|
||||
MPI_VALIDATE_RET( X != NULL );
|
||||
MPI_VALIDATE_RET( Y != NULL );
|
||||
MPI_VALIDATE_RET( ret != NULL );
|
||||
|
||||
if( X->n != Y->n )
|
||||
return MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
|
||||
|
||||
/*
|
||||
* Set sign_N to 1 if N >= 0, 0 if N < 0.
|
||||
* We know that N->s == 1 if N >= 0 and N->s == -1 if N < 0.
|
||||
*/
|
||||
X_is_negative = ( X->s & 2 ) >> 1;
|
||||
Y_is_negative = ( Y->s & 2 ) >> 1;
|
||||
|
||||
/*
|
||||
* If the signs are different, then the positive operand is the bigger.
|
||||
* That is if X is negative (X_is_negative == 1), then X < Y is true and it
|
||||
* is false if X is positive (X_is_negative == 0).
|
||||
*/
|
||||
cond = ( X_is_negative ^ Y_is_negative );
|
||||
*ret = cond & X_is_negative;
|
||||
|
||||
/*
|
||||
* This is a constant-time function. We might have the result, but we still
|
||||
* need to go through the loop. Record if we have the result already.
|
||||
*/
|
||||
done = cond;
|
||||
|
||||
for( i = X->n; i > 0; i-- )
|
||||
{
|
||||
/*
|
||||
* If Y->p[i - 1] < X->p[i - 1] then X < Y is true if and only if both
|
||||
* X and Y are negative.
|
||||
*
|
||||
* Again even if we can make a decision, we just mark the result and
|
||||
* the fact that we are done and continue looping.
|
||||
*/
|
||||
cond = mbedtls_ct_mpi_uint_lt( Y->p[i - 1], X->p[i - 1] );
|
||||
*ret |= cond & ( 1 - done ) & X_is_negative;
|
||||
done |= cond;
|
||||
|
||||
/*
|
||||
* If X->p[i - 1] < Y->p[i - 1] then X < Y is true if and only if both
|
||||
* X and Y are positive.
|
||||
*
|
||||
* Again even if we can make a decision, we just mark the result and
|
||||
* the fact that we are done and continue looping.
|
||||
*/
|
||||
cond = mbedtls_ct_mpi_uint_lt( X->p[i - 1], Y->p[i - 1] );
|
||||
*ret |= cond & ( 1 - done ) & ( 1 - X_is_negative );
|
||||
done |= cond;
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||
|
||||
int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||
size_t ilen,
|
||||
unsigned char *output,
|
||||
size_t output_max_len,
|
||||
size_t *olen )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i, plaintext_max_size;
|
||||
|
||||
/* The following variables take sensitive values: their value must
|
||||
* not leak into the observable behavior of the function other than
|
||||
* the designated outputs (output, olen, return value). Otherwise
|
||||
* this would open the execution of the function to
|
||||
* side-channel-based variants of the Bleichenbacher padding oracle
|
||||
* attack. Potential side channels include overall timing, memory
|
||||
* access patterns (especially visible to an adversary who has access
|
||||
* to a shared memory cache), and branches (especially visible to
|
||||
* an adversary who has access to a shared code cache or to a shared
|
||||
* branch predictor). */
|
||||
size_t pad_count = 0;
|
||||
unsigned bad = 0;
|
||||
unsigned char pad_done = 0;
|
||||
size_t plaintext_size = 0;
|
||||
unsigned output_too_large;
|
||||
|
||||
plaintext_max_size = ( output_max_len > ilen - 11 ) ? ilen - 11
|
||||
: output_max_len;
|
||||
|
||||
/* Check and get padding length in constant time and constant
|
||||
* memory trace. The first byte must be 0. */
|
||||
bad |= input[0];
|
||||
|
||||
|
||||
/* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
|
||||
* where PS must be at least 8 nonzero bytes. */
|
||||
bad |= input[1] ^ MBEDTLS_RSA_CRYPT;
|
||||
|
||||
/* Read the whole buffer. Set pad_done to nonzero if we find
|
||||
* the 0x00 byte and remember the padding length in pad_count. */
|
||||
for( i = 2; i < ilen; i++ )
|
||||
{
|
||||
pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1;
|
||||
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
|
||||
}
|
||||
|
||||
|
||||
/* If pad_done is still zero, there's no data, only unfinished padding. */
|
||||
bad |= mbedtls_ct_uint_if( pad_done, 0, 1 );
|
||||
|
||||
/* There must be at least 8 bytes of padding. */
|
||||
bad |= mbedtls_ct_size_gt( 8, pad_count );
|
||||
|
||||
/* If the padding is valid, set plaintext_size to the number of
|
||||
* remaining bytes after stripping the padding. If the padding
|
||||
* is invalid, avoid leaking this fact through the size of the
|
||||
* output: use the maximum message size that fits in the output
|
||||
* buffer. Do it without branches to avoid leaking the padding
|
||||
* validity through timing. RSA keys are small enough that all the
|
||||
* size_t values involved fit in unsigned int. */
|
||||
plaintext_size = mbedtls_ct_uint_if(
|
||||
bad, (unsigned) plaintext_max_size,
|
||||
(unsigned) ( ilen - pad_count - 3 ) );
|
||||
|
||||
/* Set output_too_large to 0 if the plaintext fits in the output
|
||||
* buffer and to 1 otherwise. */
|
||||
output_too_large = mbedtls_ct_size_gt( plaintext_size,
|
||||
plaintext_max_size );
|
||||
|
||||
/* Set ret without branches to avoid timing attacks. Return:
|
||||
* - INVALID_PADDING if the padding is bad (bad != 0).
|
||||
* - OUTPUT_TOO_LARGE if the padding is good but the decrypted
|
||||
* plaintext does not fit in the output buffer.
|
||||
* - 0 if the padding is correct. */
|
||||
ret = - (int) mbedtls_ct_uint_if(
|
||||
bad, - MBEDTLS_ERR_RSA_INVALID_PADDING,
|
||||
mbedtls_ct_uint_if( output_too_large,
|
||||
- MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE,
|
||||
0 ) );
|
||||
|
||||
/* If the padding is bad or the plaintext is too large, zero the
|
||||
* data that we're about to copy to the output buffer.
|
||||
* We need to copy the same amount of data
|
||||
* from the same buffer whether the padding is good or not to
|
||||
* avoid leaking the padding validity through overall timing or
|
||||
* through memory or cache access patterns. */
|
||||
bad = mbedtls_ct_uint_mask( bad | output_too_large );
|
||||
for( i = 11; i < ilen; i++ )
|
||||
input[i] &= ~bad;
|
||||
|
||||
/* If the plaintext is too large, truncate it to the buffer size.
|
||||
* Copy anyway to avoid revealing the length through timing, because
|
||||
* revealing the length is as bad as revealing the padding validity
|
||||
* for a Bleichenbacher attack. */
|
||||
plaintext_size = mbedtls_ct_uint_if( output_too_large,
|
||||
(unsigned) plaintext_max_size,
|
||||
(unsigned) plaintext_size );
|
||||
|
||||
/* Move the plaintext to the leftmost position where it can start in
|
||||
* the working buffer, i.e. make it start plaintext_max_size from
|
||||
* the end of the buffer. Do this with a memory access trace that
|
||||
* does not depend on the plaintext size. After this move, the
|
||||
* starting location of the plaintext is no longer sensitive
|
||||
* information. */
|
||||
mbedtls_ct_mem_move_to_left( input + ilen - plaintext_max_size,
|
||||
plaintext_max_size,
|
||||
plaintext_max_size - plaintext_size );
|
||||
|
||||
/* Finally copy the decrypted plaintext plus trailing zeros into the output
|
||||
* buffer. If output_max_len is 0, then output may be an invalid pointer
|
||||
* and the result of memcpy() would be undefined; prevent undefined
|
||||
* behavior making sure to depend only on output_max_len (the size of the
|
||||
* user-provided output buffer), which is independent from plaintext
|
||||
* length, validity of padding, success of the decryption, and other
|
||||
* secrets. */
|
||||
if( output_max_len != 0 )
|
||||
memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size );
|
||||
|
||||
/* Report the amount of data we copied to the output buffer. In case
|
||||
* of errors (bad padding or output too large), the value of *olen
|
||||
* when this function returns is not specified. Making it equivalent
|
||||
* to the good case limits the risks of leaking the padding validity. */
|
||||
*olen = plaintext_size;
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
|
@ -1,326 +0,0 @@
|
||||
/**
|
||||
* Constant-time functions
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_CONSTANT_TIME_INTERNAL_H
|
||||
#define MBEDTLS_CONSTANT_TIME_INTERNAL_H
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
#include "mbedtls/bignum.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C)
|
||||
#include "ssl_misc.h"
|
||||
#endif
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
|
||||
/** Turn a value into a mask:
|
||||
* - if \p value == 0, return the all-bits 0 mask, aka 0
|
||||
* - otherwise, return the all-bits 1 mask, aka (unsigned) -1
|
||||
*
|
||||
* This function can be used to write constant-time code by replacing branches
|
||||
* with bit operations using masks.
|
||||
*
|
||||
* \param value The value to analyze.
|
||||
*
|
||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||
*/
|
||||
unsigned mbedtls_ct_uint_mask( unsigned value );
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
/** Turn a value into a mask:
|
||||
* - if \p value == 0, return the all-bits 0 mask, aka 0
|
||||
* - otherwise, return the all-bits 1 mask, aka (size_t) -1
|
||||
*
|
||||
* This function can be used to write constant-time code by replacing branches
|
||||
* with bit operations using masks.
|
||||
*
|
||||
* \param value The value to analyze.
|
||||
*
|
||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||
*/
|
||||
size_t mbedtls_ct_size_mask( size_t value );
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
/** Turn a value into a mask:
|
||||
* - if \p value == 0, return the all-bits 0 mask, aka 0
|
||||
* - otherwise, return the all-bits 1 mask, aka (mbedtls_mpi_uint) -1
|
||||
*
|
||||
* This function can be used to write constant-time code by replacing branches
|
||||
* with bit operations using masks.
|
||||
*
|
||||
* \param value The value to analyze.
|
||||
*
|
||||
* \return Zero if \p value is zero, otherwise all-bits-one.
|
||||
*/
|
||||
mbedtls_mpi_uint mbedtls_ct_mpi_uint_mask( mbedtls_mpi_uint value );
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
/** Constant-flow mask generation for "greater or equal" comparison:
|
||||
* - if \p x >= \p y, return all-bits 1, that is (size_t) -1
|
||||
* - otherwise, return all bits 0, that is 0
|
||||
*
|
||||
* This function can be used to write constant-time code by replacing branches
|
||||
* with bit operations using masks.
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
*
|
||||
* \return All-bits-one if \p x is greater or equal than \p y,
|
||||
* otherwise zero.
|
||||
*/
|
||||
size_t mbedtls_ct_size_mask_ge( size_t x,
|
||||
size_t y );
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
/** Constant-flow boolean "equal" comparison:
|
||||
* return x == y
|
||||
*
|
||||
* This is equivalent to \p x == \p y, but is likely to be compiled
|
||||
* to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
*
|
||||
* \return 1 if \p x equals to \p y, otherwise 0.
|
||||
*/
|
||||
unsigned mbedtls_ct_size_bool_eq( size_t x,
|
||||
size_t y );
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
/** Decide if an integer is less than the other, without branches.
|
||||
*
|
||||
* This is equivalent to \p x < \p y, but is likely to be compiled
|
||||
* to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param x The first value to analyze.
|
||||
* \param y The second value to analyze.
|
||||
*
|
||||
* \return 1 if \p x is less than \p y, otherwise 0.
|
||||
*/
|
||||
unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x,
|
||||
const mbedtls_mpi_uint y );
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
/** Choose between two integer values without branches.
|
||||
*
|
||||
* This is equivalent to `condition ? if1 : if0`, but is likely to be compiled
|
||||
* to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param condition Condition to test.
|
||||
* \param if1 Value to use if \p condition is nonzero.
|
||||
* \param if0 Value to use if \p condition is zero.
|
||||
*
|
||||
* \return \c if1 if \p condition is nonzero, otherwise \c if0.
|
||||
*/
|
||||
unsigned mbedtls_ct_uint_if( unsigned condition,
|
||||
unsigned if1,
|
||||
unsigned if0 );
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
|
||||
/** Conditionally assign a value without branches.
|
||||
*
|
||||
* This is equivalent to `if ( condition ) dest = src`, but is likely
|
||||
* to be compiled to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param n \p dest and \p src must be arrays of limbs of size n.
|
||||
* \param dest The MPI to conditionally assign to. This must point
|
||||
* to an initialized MPI.
|
||||
* \param src The MPI to be assigned from. This must point to an
|
||||
* initialized MPI.
|
||||
* \param condition Condition to test, must be 0 or 1.
|
||||
*/
|
||||
void mbedtls_ct_mpi_uint_cond_assign( size_t n,
|
||||
mbedtls_mpi_uint *dest,
|
||||
const mbedtls_mpi_uint *src,
|
||||
unsigned char condition );
|
||||
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_BASE64_C)
|
||||
|
||||
/** Given a value in the range 0..63, return the corresponding Base64 digit.
|
||||
*
|
||||
* The implementation assumes that letters are consecutive (e.g. ASCII
|
||||
* but not EBCDIC).
|
||||
*
|
||||
* \param value A value in the range 0..63.
|
||||
*
|
||||
* \return A base64 digit converted from \p value.
|
||||
*/
|
||||
unsigned char mbedtls_ct_base64_enc_char( unsigned char value );
|
||||
|
||||
/** Given a Base64 digit, return its value.
|
||||
*
|
||||
* If c is not a Base64 digit ('A'..'Z', 'a'..'z', '0'..'9', '+' or '/'),
|
||||
* return -1.
|
||||
*
|
||||
* The implementation assumes that letters are consecutive (e.g. ASCII
|
||||
* but not EBCDIC).
|
||||
*
|
||||
* \param c A base64 digit.
|
||||
*
|
||||
* \return The value of the base64 digit \p c.
|
||||
*/
|
||||
signed char mbedtls_ct_base64_dec_value( unsigned char c );
|
||||
|
||||
#endif /* MBEDTLS_BASE64_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
|
||||
|
||||
/** Conditional memcpy without branches.
|
||||
*
|
||||
* This is equivalent to `if ( c1 == c2 ) memcpy(dest, src, len)`, but is likely
|
||||
* to be compiled to code using bitwise operation rather than a branch.
|
||||
*
|
||||
* \param dest The pointer to conditionally copy to.
|
||||
* \param src The pointer to copy from. Shouldn't overlap with \p dest.
|
||||
* \param len The number of bytes to copy.
|
||||
* \param c1 The first value to analyze in the condition.
|
||||
* \param c2 The second value to analyze in the condition.
|
||||
*/
|
||||
void mbedtls_ct_memcpy_if_eq( unsigned char *dest,
|
||||
const unsigned char *src,
|
||||
size_t len,
|
||||
size_t c1, size_t c2 );
|
||||
|
||||
/** Copy data from a secret position with constant flow.
|
||||
*
|
||||
* This function copies \p len bytes from \p src_base + \p offset_secret to \p
|
||||
* dst, with a code flow and memory access pattern that does not depend on \p
|
||||
* offset_secret, but only on \p offset_min, \p offset_max and \p len.
|
||||
* Functionally equivalent to `memcpy(dst, src + offset_secret, len)`.
|
||||
*
|
||||
* \param dest The destination buffer. This must point to a writable
|
||||
* buffer of at least \p len bytes.
|
||||
* \param src The base of the source buffer. This must point to a
|
||||
* readable buffer of at least \p offset_max + \p len
|
||||
* bytes. Shouldn't overlap with \p dest.
|
||||
* \param offset The offset in the source buffer from which to copy.
|
||||
* This must be no less than \p offset_min and no greater
|
||||
* than \p offset_max.
|
||||
* \param offset_min The minimal value of \p offset.
|
||||
* \param offset_max The maximal value of \p offset.
|
||||
* \param len The number of bytes to copy.
|
||||
*/
|
||||
void mbedtls_ct_memcpy_offset( unsigned char *dest,
|
||||
const unsigned char *src,
|
||||
size_t offset,
|
||||
size_t offset_min,
|
||||
size_t offset_max,
|
||||
size_t len );
|
||||
|
||||
/** Compute the HMAC of variable-length data with constant flow.
|
||||
*
|
||||
* This function computes the HMAC of the concatenation of \p add_data and \p
|
||||
* data, and does with a code flow and memory access pattern that does not
|
||||
* depend on \p data_len_secret, but only on \p min_data_len and \p
|
||||
* max_data_len. In particular, this function always reads exactly \p
|
||||
* max_data_len bytes from \p data.
|
||||
*
|
||||
* \param ctx The HMAC context. It must have keys configured
|
||||
* with mbedtls_md_hmac_starts() and use one of the
|
||||
* following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
|
||||
* It is reset using mbedtls_md_hmac_reset() after
|
||||
* the computation is complete to prepare for the
|
||||
* next computation.
|
||||
* \param add_data The first part of the message whose HMAC is being
|
||||
* calculated. This must point to a readable buffer
|
||||
* of \p add_data_len bytes.
|
||||
* \param add_data_len The length of \p add_data in bytes.
|
||||
* \param data The buffer containing the second part of the
|
||||
* message. This must point to a readable buffer
|
||||
* of \p max_data_len bytes.
|
||||
* \param data_len_secret The length of the data to process in \p data.
|
||||
* This must be no less than \p min_data_len and no
|
||||
* greater than \p max_data_len.
|
||||
* \param min_data_len The minimal length of the second part of the
|
||||
* message, read from \p data.
|
||||
* \param max_data_len The maximal length of the second part of the
|
||||
* message, read from \p data.
|
||||
* \param output The HMAC will be written here. This must point to
|
||||
* a writable buffer of sufficient size to hold the
|
||||
* HMAC value.
|
||||
*
|
||||
* \retval 0 on success.
|
||||
* \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
|
||||
* The hardware accelerator failed.
|
||||
*/
|
||||
int mbedtls_ct_hmac( mbedtls_md_context_t *ctx,
|
||||
const unsigned char *add_data,
|
||||
size_t add_data_len,
|
||||
const unsigned char *data,
|
||||
size_t data_len_secret,
|
||||
size_t min_data_len,
|
||||
size_t max_data_len,
|
||||
unsigned char *output );
|
||||
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
|
||||
|
||||
#if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
|
||||
|
||||
/** This function performs the unpadding part of a PKCS#1 v1.5 decryption
|
||||
* operation (EME-PKCS1-v1_5 decoding).
|
||||
*
|
||||
* \note The return value from this function is a sensitive value
|
||||
* (this is unusual). #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE shouldn't happen
|
||||
* in a well-written application, but 0 vs #MBEDTLS_ERR_RSA_INVALID_PADDING
|
||||
* is often a situation that an attacker can provoke and leaking which
|
||||
* one is the result is precisely the information the attacker wants.
|
||||
*
|
||||
* \param input The input buffer which is the payload inside PKCS#1v1.5
|
||||
* encryption padding, called the "encoded message EM"
|
||||
* by the terminology.
|
||||
* \param ilen The length of the payload in the \p input buffer.
|
||||
* \param output The buffer for the payload, called "message M" by the
|
||||
* PKCS#1 terminology. This must be a writable buffer of
|
||||
* length \p output_max_len bytes.
|
||||
* \param olen The address at which to store the length of
|
||||
* the payload. This must not be \c NULL.
|
||||
* \param output_max_len The length in bytes of the output buffer \p output.
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE
|
||||
* The output buffer is too small for the unpadded payload.
|
||||
* \return #MBEDTLS_ERR_RSA_INVALID_PADDING
|
||||
* The input doesn't contain properly formatted padding.
|
||||
*/
|
||||
int mbedtls_ct_rsaes_pkcs1_v15_unpadding( unsigned char *input,
|
||||
size_t ilen,
|
||||
unsigned char *output,
|
||||
size_t output_max_len,
|
||||
size_t *olen );
|
||||
|
||||
#endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
|
||||
|
||||
#endif /* MBEDTLS_CONSTANT_TIME_INTERNAL_H */
|
@ -1,51 +0,0 @@
|
||||
/**
|
||||
* \file constant_time_invasive.h
|
||||
*
|
||||
* \brief Constant-time module: interfaces for invasive testing only.
|
||||
*
|
||||
* The interfaces in this file are intended for testing purposes only.
|
||||
* They SHOULD NOT be made available in library integrations except when
|
||||
* building the library for testing.
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_CONSTANT_TIME_INVASIVE_H
|
||||
#define MBEDTLS_CONSTANT_TIME_INVASIVE_H
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
|
||||
/** Turn a value into a mask:
|
||||
* - if \p low <= \p c <= \p high,
|
||||
* return the all-bits 1 mask, aka (unsigned) -1
|
||||
* - otherwise, return the all-bits 0 mask, aka 0
|
||||
*
|
||||
* \param low The value to analyze.
|
||||
* \param high The value to analyze.
|
||||
* \param c The value to analyze.
|
||||
*
|
||||
* \return All-bits-one if \p low <= \p c <= \p high, otherwise zero.
|
||||
*/
|
||||
unsigned char mbedtls_ct_uchar_mask_of_range( unsigned char low,
|
||||
unsigned char high,
|
||||
unsigned char c );
|
||||
|
||||
#endif /* MBEDTLS_TEST_HOOKS */
|
||||
|
||||
#endif /* MBEDTLS_CONSTANT_TIME_INVASIVE_H */
|
812
md.c
812
md.c
@ -1,812 +0,0 @@
|
||||
/**
|
||||
* \file md.c
|
||||
*
|
||||
* \brief Generic message digest wrapper for mbed TLS
|
||||
*
|
||||
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_MD_C)
|
||||
|
||||
#include "mbedtls/md.h"
|
||||
#include "md_wrap.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#include "mbedtls/md5.h"
|
||||
#include "mbedtls/ripemd160.h"
|
||||
#include "mbedtls/sha1.h"
|
||||
#include "mbedtls/sha256.h"
|
||||
#include "mbedtls/sha512.h"
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
#include <stdio.h>
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
const mbedtls_md_info_t mbedtls_md5_info = {
|
||||
"MD5",
|
||||
MBEDTLS_MD_MD5,
|
||||
16,
|
||||
64,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
const mbedtls_md_info_t mbedtls_ripemd160_info = {
|
||||
"RIPEMD160",
|
||||
MBEDTLS_MD_RIPEMD160,
|
||||
20,
|
||||
64,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
const mbedtls_md_info_t mbedtls_sha1_info = {
|
||||
"SHA1",
|
||||
MBEDTLS_MD_SHA1,
|
||||
20,
|
||||
64,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
const mbedtls_md_info_t mbedtls_sha224_info = {
|
||||
"SHA224",
|
||||
MBEDTLS_MD_SHA224,
|
||||
28,
|
||||
64,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
const mbedtls_md_info_t mbedtls_sha256_info = {
|
||||
"SHA256",
|
||||
MBEDTLS_MD_SHA256,
|
||||
32,
|
||||
64,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
const mbedtls_md_info_t mbedtls_sha384_info = {
|
||||
"SHA384",
|
||||
MBEDTLS_MD_SHA384,
|
||||
48,
|
||||
128,
|
||||
};
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
const mbedtls_md_info_t mbedtls_sha512_info = {
|
||||
"SHA512",
|
||||
MBEDTLS_MD_SHA512,
|
||||
64,
|
||||
128,
|
||||
};
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Reminder: update profiles in x509_crt.c when adding a new hash!
|
||||
*/
|
||||
static const int supported_digests[] = {
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
MBEDTLS_MD_SHA512,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
MBEDTLS_MD_SHA384,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
MBEDTLS_MD_SHA256,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
MBEDTLS_MD_SHA224,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
MBEDTLS_MD_SHA1,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
MBEDTLS_MD_RIPEMD160,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
MBEDTLS_MD_MD5,
|
||||
#endif
|
||||
|
||||
MBEDTLS_MD_NONE
|
||||
};
|
||||
|
||||
const int *mbedtls_md_list( void )
|
||||
{
|
||||
return( supported_digests );
|
||||
}
|
||||
|
||||
const mbedtls_md_info_t *mbedtls_md_info_from_string( const char *md_name )
|
||||
{
|
||||
if( NULL == md_name )
|
||||
return( NULL );
|
||||
|
||||
/* Get the appropriate digest information */
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
if( !strcmp( "MD5", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_MD5 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
if( !strcmp( "RIPEMD160", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_RIPEMD160 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
if( !strcmp( "SHA1", md_name ) || !strcmp( "SHA", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
if( !strcmp( "SHA224", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_SHA224 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
if( !strcmp( "SHA256", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
if( !strcmp( "SHA384", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_SHA384 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
if( !strcmp( "SHA512", md_name ) )
|
||||
return mbedtls_md_info_from_type( MBEDTLS_MD_SHA512 );
|
||||
#endif
|
||||
return( NULL );
|
||||
}
|
||||
|
||||
const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
|
||||
{
|
||||
switch( md_type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( &mbedtls_md5_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( &mbedtls_ripemd160_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( &mbedtls_sha1_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( &mbedtls_sha224_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( &mbedtls_sha256_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( &mbedtls_sha384_info );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( &mbedtls_sha512_info );
|
||||
#endif
|
||||
default:
|
||||
return( NULL );
|
||||
}
|
||||
}
|
||||
|
||||
void mbedtls_md_init( mbedtls_md_context_t *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_md_context_t ) );
|
||||
}
|
||||
|
||||
void mbedtls_md_free( mbedtls_md_context_t *ctx )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL )
|
||||
return;
|
||||
|
||||
if( ctx->md_ctx != NULL )
|
||||
{
|
||||
switch( ctx->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
mbedtls_md5_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
mbedtls_ripemd160_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
mbedtls_sha1_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
mbedtls_sha256_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
mbedtls_sha256_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
mbedtls_sha512_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
mbedtls_sha512_free( ctx->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
/* Shouldn't happen */
|
||||
break;
|
||||
}
|
||||
mbedtls_free( ctx->md_ctx );
|
||||
}
|
||||
|
||||
if( ctx->hmac_ctx != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx->hmac_ctx,
|
||||
2 * ctx->md_info->block_size );
|
||||
mbedtls_free( ctx->hmac_ctx );
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_md_context_t ) );
|
||||
}
|
||||
|
||||
int mbedtls_md_clone( mbedtls_md_context_t *dst,
|
||||
const mbedtls_md_context_t *src )
|
||||
{
|
||||
if( dst == NULL || dst->md_info == NULL ||
|
||||
src == NULL || src->md_info == NULL ||
|
||||
dst->md_info != src->md_info )
|
||||
{
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
switch( src->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
mbedtls_md5_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
mbedtls_ripemd160_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
mbedtls_sha1_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
mbedtls_sha256_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
mbedtls_sha256_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
mbedtls_sha512_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
mbedtls_sha512_clone( dst->md_ctx, src->md_ctx );
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#define ALLOC( type ) \
|
||||
do { \
|
||||
ctx->md_ctx = mbedtls_calloc( 1, sizeof( mbedtls_##type##_context ) ); \
|
||||
if( ctx->md_ctx == NULL ) \
|
||||
return( MBEDTLS_ERR_MD_ALLOC_FAILED ); \
|
||||
mbedtls_##type##_init( ctx->md_ctx ); \
|
||||
} \
|
||||
while( 0 )
|
||||
|
||||
int mbedtls_md_setup( mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac )
|
||||
{
|
||||
if( md_info == NULL || ctx == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
ctx->md_info = md_info;
|
||||
ctx->md_ctx = NULL;
|
||||
ctx->hmac_ctx = NULL;
|
||||
|
||||
switch( md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
ALLOC( md5 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
ALLOC( ripemd160 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
ALLOC( sha1 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
ALLOC( sha256 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
ALLOC( sha256 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
ALLOC( sha512 );
|
||||
break;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
ALLOC( sha512 );
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( hmac != 0 )
|
||||
{
|
||||
ctx->hmac_ctx = mbedtls_calloc( 2, md_info->block_size );
|
||||
if( ctx->hmac_ctx == NULL )
|
||||
{
|
||||
mbedtls_md_free( ctx );
|
||||
return( MBEDTLS_ERR_MD_ALLOC_FAILED );
|
||||
}
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#undef ALLOC
|
||||
|
||||
int mbedtls_md_starts( mbedtls_md_context_t *ctx )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
switch( ctx->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( mbedtls_md5_starts( ctx->md_ctx ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( mbedtls_ripemd160_starts( ctx->md_ctx ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( mbedtls_sha1_starts( ctx->md_ctx ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( mbedtls_sha256_starts( ctx->md_ctx, 1 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( mbedtls_sha256_starts( ctx->md_ctx, 0 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( mbedtls_sha512_starts( ctx->md_ctx, 1 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( mbedtls_sha512_starts( ctx->md_ctx, 0 ) );
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
}
|
||||
|
||||
int mbedtls_md_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
switch( ctx->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( mbedtls_md5_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( mbedtls_ripemd160_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( mbedtls_sha1_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( mbedtls_sha256_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( mbedtls_sha256_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( mbedtls_sha512_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( mbedtls_sha512_update( ctx->md_ctx, input, ilen ) );
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
}
|
||||
|
||||
int mbedtls_md_finish( mbedtls_md_context_t *ctx, unsigned char *output )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
switch( ctx->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( mbedtls_md5_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( mbedtls_ripemd160_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( mbedtls_sha1_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( mbedtls_sha256_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( mbedtls_sha256_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( mbedtls_sha512_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( mbedtls_sha512_finish( ctx->md_ctx, output ) );
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
}
|
||||
|
||||
int mbedtls_md( const mbedtls_md_info_t *md_info, const unsigned char *input, size_t ilen,
|
||||
unsigned char *output )
|
||||
{
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
switch( md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( mbedtls_md5( input, ilen, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( mbedtls_ripemd160( input, ilen, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( mbedtls_sha1( input, ilen, output ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( mbedtls_sha256( input, ilen, output, 1 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( mbedtls_sha256( input, ilen, output, 0 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( mbedtls_sha512( input, ilen, output, 1 ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( mbedtls_sha512( input, ilen, output, 0 ) );
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
int mbedtls_md_file( const mbedtls_md_info_t *md_info, const char *path, unsigned char *output )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
FILE *f;
|
||||
size_t n;
|
||||
mbedtls_md_context_t ctx;
|
||||
unsigned char buf[1024];
|
||||
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
if( ( f = fopen( path, "rb" ) ) == NULL )
|
||||
return( MBEDTLS_ERR_MD_FILE_IO_ERROR );
|
||||
|
||||
mbedtls_md_init( &ctx );
|
||||
|
||||
if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
while( ( n = fread( buf, 1, sizeof( buf ), f ) ) > 0 )
|
||||
if( ( ret = mbedtls_md_update( &ctx, buf, n ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
if( ferror( f ) != 0 )
|
||||
ret = MBEDTLS_ERR_MD_FILE_IO_ERROR;
|
||||
else
|
||||
ret = mbedtls_md_finish( &ctx, output );
|
||||
|
||||
cleanup:
|
||||
mbedtls_platform_zeroize( buf, sizeof( buf ) );
|
||||
fclose( f );
|
||||
mbedtls_md_free( &ctx );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
|
||||
int mbedtls_md_hmac_starts( mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char sum[MBEDTLS_MD_MAX_SIZE];
|
||||
unsigned char *ipad, *opad;
|
||||
size_t i;
|
||||
|
||||
if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
if( keylen > (size_t) ctx->md_info->block_size )
|
||||
{
|
||||
if( ( ret = mbedtls_md_starts( ctx ) ) != 0 )
|
||||
goto cleanup;
|
||||
if( ( ret = mbedtls_md_update( ctx, key, keylen ) ) != 0 )
|
||||
goto cleanup;
|
||||
if( ( ret = mbedtls_md_finish( ctx, sum ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
keylen = ctx->md_info->size;
|
||||
key = sum;
|
||||
}
|
||||
|
||||
ipad = (unsigned char *) ctx->hmac_ctx;
|
||||
opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
|
||||
|
||||
memset( ipad, 0x36, ctx->md_info->block_size );
|
||||
memset( opad, 0x5C, ctx->md_info->block_size );
|
||||
|
||||
for( i = 0; i < keylen; i++ )
|
||||
{
|
||||
ipad[i] = (unsigned char)( ipad[i] ^ key[i] );
|
||||
opad[i] = (unsigned char)( opad[i] ^ key[i] );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_md_starts( ctx ) ) != 0 )
|
||||
goto cleanup;
|
||||
if( ( ret = mbedtls_md_update( ctx, ipad,
|
||||
ctx->md_info->block_size ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
cleanup:
|
||||
mbedtls_platform_zeroize( sum, sizeof( sum ) );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_md_hmac_update( mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
return( mbedtls_md_update( ctx, input, ilen ) );
|
||||
}
|
||||
|
||||
int mbedtls_md_hmac_finish( mbedtls_md_context_t *ctx, unsigned char *output )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char tmp[MBEDTLS_MD_MAX_SIZE];
|
||||
unsigned char *opad;
|
||||
|
||||
if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
opad = (unsigned char *) ctx->hmac_ctx + ctx->md_info->block_size;
|
||||
|
||||
if( ( ret = mbedtls_md_finish( ctx, tmp ) ) != 0 )
|
||||
return( ret );
|
||||
if( ( ret = mbedtls_md_starts( ctx ) ) != 0 )
|
||||
return( ret );
|
||||
if( ( ret = mbedtls_md_update( ctx, opad,
|
||||
ctx->md_info->block_size ) ) != 0 )
|
||||
return( ret );
|
||||
if( ( ret = mbedtls_md_update( ctx, tmp,
|
||||
ctx->md_info->size ) ) != 0 )
|
||||
return( ret );
|
||||
return( mbedtls_md_finish( ctx, output ) );
|
||||
}
|
||||
|
||||
int mbedtls_md_hmac_reset( mbedtls_md_context_t *ctx )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned char *ipad;
|
||||
|
||||
if( ctx == NULL || ctx->md_info == NULL || ctx->hmac_ctx == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
ipad = (unsigned char *) ctx->hmac_ctx;
|
||||
|
||||
if( ( ret = mbedtls_md_starts( ctx ) ) != 0 )
|
||||
return( ret );
|
||||
return( mbedtls_md_update( ctx, ipad, ctx->md_info->block_size ) );
|
||||
}
|
||||
|
||||
int mbedtls_md_hmac( const mbedtls_md_info_t *md_info,
|
||||
const unsigned char *key, size_t keylen,
|
||||
const unsigned char *input, size_t ilen,
|
||||
unsigned char *output )
|
||||
{
|
||||
mbedtls_md_context_t ctx;
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
mbedtls_md_init( &ctx );
|
||||
|
||||
if( ( ret = mbedtls_md_setup( &ctx, md_info, 1 ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
if( ( ret = mbedtls_md_hmac_starts( &ctx, key, keylen ) ) != 0 )
|
||||
goto cleanup;
|
||||
if( ( ret = mbedtls_md_hmac_update( &ctx, input, ilen ) ) != 0 )
|
||||
goto cleanup;
|
||||
if( ( ret = mbedtls_md_hmac_finish( &ctx, output ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
cleanup:
|
||||
mbedtls_md_free( &ctx );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_md_process( mbedtls_md_context_t *ctx, const unsigned char *data )
|
||||
{
|
||||
if( ctx == NULL || ctx->md_info == NULL )
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
|
||||
switch( ctx->md_info->type )
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
case MBEDTLS_MD_MD5:
|
||||
return( mbedtls_internal_md5_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
case MBEDTLS_MD_RIPEMD160:
|
||||
return( mbedtls_internal_ripemd160_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
case MBEDTLS_MD_SHA1:
|
||||
return( mbedtls_internal_sha1_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
case MBEDTLS_MD_SHA224:
|
||||
return( mbedtls_internal_sha256_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
case MBEDTLS_MD_SHA256:
|
||||
return( mbedtls_internal_sha256_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
case MBEDTLS_MD_SHA384:
|
||||
return( mbedtls_internal_sha512_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
case MBEDTLS_MD_SHA512:
|
||||
return( mbedtls_internal_sha512_process( ctx->md_ctx, data ) );
|
||||
#endif
|
||||
default:
|
||||
return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
|
||||
}
|
||||
}
|
||||
|
||||
unsigned char mbedtls_md_get_size( const mbedtls_md_info_t *md_info )
|
||||
{
|
||||
if( md_info == NULL )
|
||||
return( 0 );
|
||||
|
||||
return md_info->size;
|
||||
}
|
||||
|
||||
mbedtls_md_type_t mbedtls_md_get_type( const mbedtls_md_info_t *md_info )
|
||||
{
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_MD_NONE );
|
||||
|
||||
return md_info->type;
|
||||
}
|
||||
|
||||
const char *mbedtls_md_get_name( const mbedtls_md_info_t *md_info )
|
||||
{
|
||||
if( md_info == NULL )
|
||||
return( NULL );
|
||||
|
||||
return md_info->name;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_MD_C */
|
782
oid.c
782
oid.c
@ -1,782 +0,0 @@
|
||||
/**
|
||||
* \file oid.c
|
||||
*
|
||||
* \brief Object Identifier (OID) database
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_OID_C)
|
||||
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/rsa.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#define mbedtls_snprintf snprintf
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Macro to automatically add the size of #define'd OIDs
|
||||
*/
|
||||
#define ADD_LEN(s) s, MBEDTLS_OID_SIZE(s)
|
||||
|
||||
/*
|
||||
* Macro to generate mbedtls_oid_descriptor_t
|
||||
*/
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s), name, description }
|
||||
#define NULL_OID_DESCRIPTOR { NULL, 0, NULL, NULL }
|
||||
#else
|
||||
#define OID_DESCRIPTOR(s, name, description) { ADD_LEN(s) }
|
||||
#define NULL_OID_DESCRIPTOR { NULL, 0 }
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Macro to generate an internal function for oid_XXX_from_asn1() (used by
|
||||
* the other functions)
|
||||
*/
|
||||
#define FN_OID_TYPED_FROM_ASN1( TYPE_T, NAME, LIST ) \
|
||||
static const TYPE_T * oid_ ## NAME ## _from_asn1( \
|
||||
const mbedtls_asn1_buf *oid ) \
|
||||
{ \
|
||||
const TYPE_T *p = (LIST); \
|
||||
const mbedtls_oid_descriptor_t *cur = \
|
||||
(const mbedtls_oid_descriptor_t *) p; \
|
||||
if( p == NULL || oid == NULL ) return( NULL ); \
|
||||
while( cur->asn1 != NULL ) { \
|
||||
if( cur->asn1_len == oid->len && \
|
||||
memcmp( cur->asn1, oid->p, oid->len ) == 0 ) { \
|
||||
return( p ); \
|
||||
} \
|
||||
p++; \
|
||||
cur = (const mbedtls_oid_descriptor_t *) p; \
|
||||
} \
|
||||
return( NULL ); \
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
/*
|
||||
* Macro to generate a function for retrieving a single attribute from the
|
||||
* descriptor of an mbedtls_oid_descriptor_t wrapper.
|
||||
*/
|
||||
#define FN_OID_GET_DESCRIPTOR_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
|
||||
int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 ) \
|
||||
{ \
|
||||
const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid ); \
|
||||
if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND ); \
|
||||
*ATTR1 = data->descriptor.ATTR1; \
|
||||
return( 0 ); \
|
||||
}
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
||||
/*
|
||||
* Macro to generate a function for retrieving a single attribute from an
|
||||
* mbedtls_oid_descriptor_t wrapper.
|
||||
*/
|
||||
#define FN_OID_GET_ATTR1(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1) \
|
||||
int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1 ) \
|
||||
{ \
|
||||
const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid ); \
|
||||
if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND ); \
|
||||
*ATTR1 = data->ATTR1; \
|
||||
return( 0 ); \
|
||||
}
|
||||
|
||||
/*
|
||||
* Macro to generate a function for retrieving two attributes from an
|
||||
* mbedtls_oid_descriptor_t wrapper.
|
||||
*/
|
||||
#define FN_OID_GET_ATTR2(FN_NAME, TYPE_T, TYPE_NAME, ATTR1_TYPE, ATTR1, \
|
||||
ATTR2_TYPE, ATTR2) \
|
||||
int FN_NAME( const mbedtls_asn1_buf *oid, ATTR1_TYPE * ATTR1, \
|
||||
ATTR2_TYPE * ATTR2 ) \
|
||||
{ \
|
||||
const TYPE_T *data = oid_ ## TYPE_NAME ## _from_asn1( oid ); \
|
||||
if( data == NULL ) return( MBEDTLS_ERR_OID_NOT_FOUND ); \
|
||||
*(ATTR1) = data->ATTR1; \
|
||||
*(ATTR2) = data->ATTR2; \
|
||||
return( 0 ); \
|
||||
}
|
||||
|
||||
/*
|
||||
* Macro to generate a function for retrieving the OID based on a single
|
||||
* attribute from a mbedtls_oid_descriptor_t wrapper.
|
||||
*/
|
||||
#define FN_OID_GET_OID_BY_ATTR1(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1) \
|
||||
int FN_NAME( ATTR1_TYPE ATTR1, const char **oid, size_t *olen ) \
|
||||
{ \
|
||||
const TYPE_T *cur = (LIST); \
|
||||
while( cur->descriptor.asn1 != NULL ) { \
|
||||
if( cur->ATTR1 == (ATTR1) ) { \
|
||||
*oid = cur->descriptor.asn1; \
|
||||
*olen = cur->descriptor.asn1_len; \
|
||||
return( 0 ); \
|
||||
} \
|
||||
cur++; \
|
||||
} \
|
||||
return( MBEDTLS_ERR_OID_NOT_FOUND ); \
|
||||
}
|
||||
|
||||
/*
|
||||
* Macro to generate a function for retrieving the OID based on two
|
||||
* attributes from a mbedtls_oid_descriptor_t wrapper.
|
||||
*/
|
||||
#define FN_OID_GET_OID_BY_ATTR2(FN_NAME, TYPE_T, LIST, ATTR1_TYPE, ATTR1, \
|
||||
ATTR2_TYPE, ATTR2) \
|
||||
int FN_NAME( ATTR1_TYPE ATTR1, ATTR2_TYPE ATTR2, const char **oid , \
|
||||
size_t *olen ) \
|
||||
{ \
|
||||
const TYPE_T *cur = (LIST); \
|
||||
while( cur->descriptor.asn1 != NULL ) { \
|
||||
if( cur->ATTR1 == (ATTR1) && cur->ATTR2 == (ATTR2) ) { \
|
||||
*oid = cur->descriptor.asn1; \
|
||||
*olen = cur->descriptor.asn1_len; \
|
||||
return( 0 ); \
|
||||
} \
|
||||
cur++; \
|
||||
} \
|
||||
return( MBEDTLS_ERR_OID_NOT_FOUND ); \
|
||||
}
|
||||
|
||||
/*
|
||||
* For X520 attribute types
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
const char *short_name;
|
||||
} oid_x520_attr_t;
|
||||
|
||||
static const oid_x520_attr_t oid_x520_attr_type[] =
|
||||
{
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_CN, "id-at-commonName", "Common Name" ),
|
||||
"CN",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_COUNTRY, "id-at-countryName", "Country" ),
|
||||
"C",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_LOCALITY, "id-at-locality", "Locality" ),
|
||||
"L",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_STATE, "id-at-state", "State" ),
|
||||
"ST",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_ORGANIZATION,"id-at-organizationName", "Organization" ),
|
||||
"O",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_ORG_UNIT, "id-at-organizationalUnitName", "Org Unit" ),
|
||||
"OU",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS9_EMAIL, "emailAddress", "E-mail address" ),
|
||||
"emailAddress",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_SERIAL_NUMBER,"id-at-serialNumber", "Serial number" ),
|
||||
"serialNumber",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_POSTAL_ADDRESS,"id-at-postalAddress", "Postal address" ),
|
||||
"postalAddress",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_POSTAL_CODE, "id-at-postalCode", "Postal code" ),
|
||||
"postalCode",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_SUR_NAME, "id-at-surName", "Surname" ),
|
||||
"SN",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_GIVEN_NAME, "id-at-givenName", "Given name" ),
|
||||
"GN",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_INITIALS, "id-at-initials", "Initials" ),
|
||||
"initials",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_GENERATION_QUALIFIER, "id-at-generationQualifier", "Generation qualifier" ),
|
||||
"generationQualifier",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_TITLE, "id-at-title", "Title" ),
|
||||
"title",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_DN_QUALIFIER,"id-at-dnQualifier", "Distinguished Name qualifier" ),
|
||||
"dnQualifier",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_PSEUDONYM, "id-at-pseudonym", "Pseudonym" ),
|
||||
"pseudonym",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_UID, "id-uid", "User Id" ),
|
||||
"uid",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DOMAIN_COMPONENT, "id-domainComponent", "Domain component" ),
|
||||
"DC",
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_AT_UNIQUE_IDENTIFIER, "id-at-uniqueIdentifier", "Unique Identifier" ),
|
||||
"uniqueIdentifier",
|
||||
},
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
NULL,
|
||||
}
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_x520_attr_t, x520_attr, oid_x520_attr_type)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_attr_short_name, oid_x520_attr_t, x520_attr, const char *, short_name)
|
||||
|
||||
/*
|
||||
* For X509 extensions
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
int ext_type;
|
||||
} oid_x509_ext_t;
|
||||
|
||||
static const oid_x509_ext_t oid_x509_ext[] =
|
||||
{
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_BASIC_CONSTRAINTS, "id-ce-basicConstraints", "Basic Constraints" ),
|
||||
MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_KEY_USAGE, "id-ce-keyUsage", "Key Usage" ),
|
||||
MBEDTLS_OID_X509_EXT_KEY_USAGE,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EXTENDED_KEY_USAGE, "id-ce-extKeyUsage", "Extended Key Usage" ),
|
||||
MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_SUBJECT_ALT_NAME, "id-ce-subjectAltName", "Subject Alt Name" ),
|
||||
MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_NS_CERT_TYPE, "id-netscape-certtype", "Netscape Certificate Type" ),
|
||||
MBEDTLS_OID_X509_EXT_NS_CERT_TYPE,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_CERTIFICATE_POLICIES, "id-ce-certificatePolicies", "Certificate Policies" ),
|
||||
MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES,
|
||||
},
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
0,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_x509_ext_t, x509_ext, oid_x509_ext)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_x509_ext_type, oid_x509_ext_t, x509_ext, int, ext_type)
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
static const mbedtls_oid_descriptor_t oid_ext_key_usage[] =
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_SERVER_AUTH, "id-kp-serverAuth", "TLS Web Server Authentication" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_CLIENT_AUTH, "id-kp-clientAuth", "TLS Web Client Authentication" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_CODE_SIGNING, "id-kp-codeSigning", "Code Signing" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EMAIL_PROTECTION, "id-kp-emailProtection", "E-mail Protection" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_TIME_STAMPING, "id-kp-timeStamping", "Time Stamping" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_OCSP_SIGNING, "id-kp-OCSPSigning", "OCSP Signing" ),
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_WISUN_FAN, "id-kp-wisun-fan-device", "Wi-SUN Alliance Field Area Network (FAN)" ),
|
||||
NULL_OID_DESCRIPTOR,
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, ext_key_usage, oid_ext_key_usage)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_extended_key_usage, mbedtls_oid_descriptor_t, ext_key_usage, const char *, description)
|
||||
|
||||
static const mbedtls_oid_descriptor_t oid_certificate_policies[] =
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ANY_POLICY, "anyPolicy", "Any Policy" ),
|
||||
NULL_OID_DESCRIPTOR,
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(mbedtls_oid_descriptor_t, certificate_policies, oid_certificate_policies)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_certificate_policies, mbedtls_oid_descriptor_t, certificate_policies, const char *, description)
|
||||
#endif /* MBEDTLS_X509_REMOVE_INFO */
|
||||
|
||||
#if defined(MBEDTLS_MD_C)
|
||||
/*
|
||||
* For SignatureAlgorithmIdentifier
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_md_type_t md_alg;
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
} oid_sig_alg_t;
|
||||
|
||||
static const oid_sig_alg_t oid_sig_alg[] =
|
||||
{
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5" ),
|
||||
MBEDTLS_MD_MD5, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_MD5_C */
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1" ),
|
||||
MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption", "RSA with SHA-224" ),
|
||||
MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption", "RSA with SHA-256" ),
|
||||
MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption", "RSA with SHA-384" ),
|
||||
MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption", "RSA with SHA-512" ),
|
||||
MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1" ),
|
||||
MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1" ),
|
||||
MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224" ),
|
||||
MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA,
|
||||
},
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256" ),
|
||||
MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384" ),
|
||||
MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512" ),
|
||||
MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS" ),
|
||||
MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS,
|
||||
},
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_MD_NONE, MBEDTLS_PK_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_sig_alg_t, sig_alg, oid_sig_alg)
|
||||
|
||||
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
||||
FN_OID_GET_DESCRIPTOR_ATTR1(mbedtls_oid_get_sig_alg_desc, oid_sig_alg_t, sig_alg, const char *, description)
|
||||
#endif
|
||||
|
||||
FN_OID_GET_ATTR2(mbedtls_oid_get_sig_alg, oid_sig_alg_t, sig_alg, mbedtls_md_type_t, md_alg, mbedtls_pk_type_t, pk_alg)
|
||||
FN_OID_GET_OID_BY_ATTR2(mbedtls_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, mbedtls_pk_type_t, pk_alg, mbedtls_md_type_t, md_alg)
|
||||
#endif /* MBEDTLS_MD_C */
|
||||
|
||||
/*
|
||||
* For PublicKeyInfo (PKCS1, RFC 5480)
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
} oid_pk_alg_t;
|
||||
|
||||
static const oid_pk_alg_t oid_pk_alg[] =
|
||||
{
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS1_RSA, "rsaEncryption", "RSA" ),
|
||||
MBEDTLS_PK_RSA,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_ALG_UNRESTRICTED, "id-ecPublicKey", "Generic EC key" ),
|
||||
MBEDTLS_PK_ECKEY,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_ALG_ECDH, "id-ecDH", "EC key for ECDH" ),
|
||||
MBEDTLS_PK_ECKEY_DH,
|
||||
},
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_PK_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_pk_alg_t, pk_alg, oid_pk_alg)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_pk_alg, oid_pk_alg_t, pk_alg, mbedtls_pk_type_t, pk_alg)
|
||||
FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_pk_alg, oid_pk_alg_t, oid_pk_alg, mbedtls_pk_type_t, pk_alg)
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
/*
|
||||
* For namedCurve (RFC 5480)
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_ecp_group_id grp_id;
|
||||
} oid_ecp_grp_t;
|
||||
|
||||
static const oid_ecp_grp_t oid_ecp_grp[] =
|
||||
{
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP192R1, "secp192r1", "secp192r1" ),
|
||||
MBEDTLS_ECP_DP_SECP192R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP224R1, "secp224r1", "secp224r1" ),
|
||||
MBEDTLS_ECP_DP_SECP224R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP224R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP256R1, "secp256r1", "secp256r1" ),
|
||||
MBEDTLS_ECP_DP_SECP256R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP384R1, "secp384r1", "secp384r1" ),
|
||||
MBEDTLS_ECP_DP_SECP384R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP521R1, "secp521r1", "secp521r1" ),
|
||||
MBEDTLS_ECP_DP_SECP521R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP192K1, "secp192k1", "secp192k1" ),
|
||||
MBEDTLS_ECP_DP_SECP192K1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP192K1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP224K1, "secp224k1", "secp224k1" ),
|
||||
MBEDTLS_ECP_DP_SECP224K1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP224K1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_SECP256K1, "secp256k1", "secp256k1" ),
|
||||
MBEDTLS_ECP_DP_SECP256K1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_BP256R1, "brainpoolP256r1","brainpool256r1" ),
|
||||
MBEDTLS_ECP_DP_BP256R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_BP256R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_BP384R1, "brainpoolP384r1","brainpool384r1" ),
|
||||
MBEDTLS_ECP_DP_BP384R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_BP384R1_ENABLED */
|
||||
#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_EC_GRP_BP512R1, "brainpoolP512r1","brainpool512r1" ),
|
||||
MBEDTLS_ECP_DP_BP512R1,
|
||||
},
|
||||
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_ECP_DP_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_ecp_grp_t, grp_id, oid_ecp_grp)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_ec_grp, oid_ecp_grp_t, grp_id, mbedtls_ecp_group_id, grp_id)
|
||||
FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_ec_grp, oid_ecp_grp_t, oid_ecp_grp, mbedtls_ecp_group_id, grp_id)
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_C)
|
||||
/*
|
||||
* For PKCS#5 PBES2 encryption algorithm
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_cipher_type_t cipher_alg;
|
||||
} oid_cipher_alg_t;
|
||||
|
||||
static const oid_cipher_alg_t oid_cipher_alg[] =
|
||||
{
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DES_CBC, "desCBC", "DES-CBC" ),
|
||||
MBEDTLS_CIPHER_DES_CBC,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DES_EDE3_CBC, "des-ede3-cbc", "DES-EDE3-CBC" ),
|
||||
MBEDTLS_CIPHER_DES_EDE3_CBC,
|
||||
},
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_CIPHER_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_cipher_alg_t, cipher_alg, oid_cipher_alg)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_cipher_alg, oid_cipher_alg_t, cipher_alg, mbedtls_cipher_type_t, cipher_alg)
|
||||
#endif /* MBEDTLS_CIPHER_C */
|
||||
|
||||
#if defined(MBEDTLS_MD_C)
|
||||
/*
|
||||
* For digestAlgorithm
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_md_type_t md_alg;
|
||||
} oid_md_alg_t;
|
||||
|
||||
static const oid_md_alg_t oid_md_alg[] =
|
||||
{
|
||||
#if defined(MBEDTLS_MD5_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_MD5, "id-md5", "MD5" ),
|
||||
MBEDTLS_MD_MD5,
|
||||
},
|
||||
#endif /* MBEDTLS_MD5_C */
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA1, "id-sha1", "SHA-1" ),
|
||||
MBEDTLS_MD_SHA1,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA224, "id-sha224", "SHA-224" ),
|
||||
MBEDTLS_MD_SHA224,
|
||||
},
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA256, "id-sha256", "SHA-256" ),
|
||||
MBEDTLS_MD_SHA256,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA384, "id-sha384", "SHA-384" ),
|
||||
MBEDTLS_MD_SHA384,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_SHA512, "id-sha512", "SHA-512" ),
|
||||
MBEDTLS_MD_SHA512,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
#if defined(MBEDTLS_RIPEMD160_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_DIGEST_ALG_RIPEMD160, "id-ripemd160", "RIPEMD-160" ),
|
||||
MBEDTLS_MD_RIPEMD160,
|
||||
},
|
||||
#endif /* MBEDTLS_RIPEMD160_C */
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_MD_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_md_alg_t, md_alg, oid_md_alg)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_md_alg, oid_md_alg_t, md_alg, mbedtls_md_type_t, md_alg)
|
||||
FN_OID_GET_OID_BY_ATTR1(mbedtls_oid_get_oid_by_md, oid_md_alg_t, oid_md_alg, mbedtls_md_type_t, md_alg)
|
||||
|
||||
/*
|
||||
* For HMAC digestAlgorithm
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_md_type_t md_hmac;
|
||||
} oid_md_hmac_t;
|
||||
|
||||
static const oid_md_hmac_t oid_md_hmac[] =
|
||||
{
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA1, "hmacSHA1", "HMAC-SHA-1" ),
|
||||
MBEDTLS_MD_SHA1,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA224, "hmacSHA224", "HMAC-SHA-224" ),
|
||||
MBEDTLS_MD_SHA224,
|
||||
},
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA256, "hmacSHA256", "HMAC-SHA-256" ),
|
||||
MBEDTLS_MD_SHA256,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA384, "hmacSHA384", "HMAC-SHA-384" ),
|
||||
MBEDTLS_MD_SHA384,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_HMAC_SHA512, "hmacSHA512", "HMAC-SHA-512" ),
|
||||
MBEDTLS_MD_SHA512,
|
||||
},
|
||||
#endif /* MBEDTLS_SHA512_C */
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_MD_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_md_hmac_t, md_hmac, oid_md_hmac)
|
||||
FN_OID_GET_ATTR1(mbedtls_oid_get_md_hmac, oid_md_hmac_t, md_hmac, mbedtls_md_type_t, md_hmac)
|
||||
#endif /* MBEDTLS_MD_C */
|
||||
|
||||
#if defined(MBEDTLS_PKCS12_C)
|
||||
/*
|
||||
* For PKCS#12 PBEs
|
||||
*/
|
||||
typedef struct {
|
||||
mbedtls_oid_descriptor_t descriptor;
|
||||
mbedtls_md_type_t md_alg;
|
||||
mbedtls_cipher_type_t cipher_alg;
|
||||
} oid_pkcs12_pbe_alg_t;
|
||||
|
||||
static const oid_pkcs12_pbe_alg_t oid_pkcs12_pbe_alg[] =
|
||||
{
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS12_PBE_SHA1_DES3_EDE_CBC, "pbeWithSHAAnd3-KeyTripleDES-CBC", "PBE with SHA1 and 3-Key 3DES" ),
|
||||
MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE3_CBC,
|
||||
},
|
||||
{
|
||||
OID_DESCRIPTOR( MBEDTLS_OID_PKCS12_PBE_SHA1_DES2_EDE_CBC, "pbeWithSHAAnd2-KeyTripleDES-CBC", "PBE with SHA1 and 2-Key 3DES" ),
|
||||
MBEDTLS_MD_SHA1, MBEDTLS_CIPHER_DES_EDE_CBC,
|
||||
},
|
||||
{
|
||||
NULL_OID_DESCRIPTOR,
|
||||
MBEDTLS_MD_NONE, MBEDTLS_CIPHER_NONE,
|
||||
},
|
||||
};
|
||||
|
||||
FN_OID_TYPED_FROM_ASN1(oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, oid_pkcs12_pbe_alg)
|
||||
FN_OID_GET_ATTR2(mbedtls_oid_get_pkcs12_pbe_alg, oid_pkcs12_pbe_alg_t, pkcs12_pbe_alg, mbedtls_md_type_t, md_alg, mbedtls_cipher_type_t, cipher_alg)
|
||||
#endif /* MBEDTLS_PKCS12_C */
|
||||
|
||||
#define OID_SAFE_SNPRINTF \
|
||||
do { \
|
||||
if( ret < 0 || (size_t) ret >= n ) \
|
||||
return( MBEDTLS_ERR_OID_BUF_TOO_SMALL ); \
|
||||
\
|
||||
n -= (size_t) ret; \
|
||||
p += (size_t) ret; \
|
||||
} while( 0 )
|
||||
|
||||
/* Return the x.y.z.... style numeric string for the given OID */
|
||||
int mbedtls_oid_get_numeric_string( char *buf, size_t size,
|
||||
const mbedtls_asn1_buf *oid )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t i, n;
|
||||
unsigned int value;
|
||||
char *p;
|
||||
|
||||
p = buf;
|
||||
n = size;
|
||||
|
||||
/* First byte contains first two dots */
|
||||
if( oid->len > 0 )
|
||||
{
|
||||
ret = mbedtls_snprintf( p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40 );
|
||||
OID_SAFE_SNPRINTF;
|
||||
}
|
||||
|
||||
value = 0;
|
||||
for( i = 1; i < oid->len; i++ )
|
||||
{
|
||||
/* Prevent overflow in value. */
|
||||
if( ( ( value << 7 ) >> 7 ) != value )
|
||||
return( MBEDTLS_ERR_OID_BUF_TOO_SMALL );
|
||||
|
||||
value <<= 7;
|
||||
value += oid->p[i] & 0x7F;
|
||||
|
||||
if( !( oid->p[i] & 0x80 ) )
|
||||
{
|
||||
/* Last byte */
|
||||
ret = mbedtls_snprintf( p, n, ".%u", value );
|
||||
OID_SAFE_SNPRINTF;
|
||||
value = 0;
|
||||
}
|
||||
}
|
||||
|
||||
return( (int) ( size - n ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_OID_C */
|
138
platform_util.c
138
platform_util.c
@ -1,138 +0,0 @@
|
||||
/*
|
||||
* Common and shared functions used by multiple modules in the Mbed TLS
|
||||
* library.
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Ensure gmtime_r is available even with -std=c99; must be defined before
|
||||
* mbedtls_config.h, which pulls in glibc's features.h. Harmless on other platforms.
|
||||
*/
|
||||
#if !defined(_POSIX_C_SOURCE)
|
||||
#define _POSIX_C_SOURCE 200112L
|
||||
#endif
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/platform.h"
|
||||
#include "mbedtls/threading.h"
|
||||
|
||||
#include <stddef.h>
|
||||
#include <string.h>
|
||||
|
||||
#if !defined(MBEDTLS_PLATFORM_ZEROIZE_ALT)
|
||||
/*
|
||||
* This implementation should never be optimized out by the compiler
|
||||
*
|
||||
* This implementation for mbedtls_platform_zeroize() was inspired from Colin
|
||||
* Percival's blog article at:
|
||||
*
|
||||
* http://www.daemonology.net/blog/2014-09-04-how-to-zero-a-buffer.html
|
||||
*
|
||||
* It uses a volatile function pointer to the standard memset(). Because the
|
||||
* pointer is volatile the compiler expects it to change at
|
||||
* any time and will not optimize out the call that could potentially perform
|
||||
* other operations on the input buffer instead of just setting it to 0.
|
||||
* Nevertheless, as pointed out by davidtgoldblatt on Hacker News
|
||||
* (refer to http://www.daemonology.net/blog/2014-09-05-erratum.html for
|
||||
* details), optimizations of the following form are still possible:
|
||||
*
|
||||
* if( memset_func != memset )
|
||||
* memset_func( buf, 0, len );
|
||||
*
|
||||
* Note that it is extremely difficult to guarantee that
|
||||
* mbedtls_platform_zeroize() will not be optimized out by aggressive compilers
|
||||
* in a portable way. For this reason, Mbed TLS also provides the configuration
|
||||
* option MBEDTLS_PLATFORM_ZEROIZE_ALT, which allows users to configure
|
||||
* mbedtls_platform_zeroize() to use a suitable implementation for their
|
||||
* platform and needs.
|
||||
*/
|
||||
static void * (* const volatile memset_func)( void *, int, size_t ) = memset;
|
||||
|
||||
void mbedtls_platform_zeroize( void *buf, size_t len )
|
||||
{
|
||||
MBEDTLS_INTERNAL_VALIDATE( len == 0 || buf != NULL );
|
||||
|
||||
if( len > 0 )
|
||||
memset_func( buf, 0, len );
|
||||
}
|
||||
#endif /* MBEDTLS_PLATFORM_ZEROIZE_ALT */
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_PLATFORM_GMTIME_R_ALT)
|
||||
#include <time.h>
|
||||
#if !defined(_WIN32) && (defined(unix) || \
|
||||
defined(__unix) || defined(__unix__) || (defined(__APPLE__) && \
|
||||
defined(__MACH__)))
|
||||
#include <unistd.h>
|
||||
#endif /* !_WIN32 && (unix || __unix || __unix__ ||
|
||||
* (__APPLE__ && __MACH__)) */
|
||||
|
||||
#if !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
|
||||
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
|
||||
_POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) )
|
||||
/*
|
||||
* This is a convenience shorthand macro to avoid checking the long
|
||||
* preprocessor conditions above. Ideally, we could expose this macro in
|
||||
* platform_util.h and simply use it in platform_util.c, threading.c and
|
||||
* threading.h. However, this macro is not part of the Mbed TLS public API, so
|
||||
* we keep it private by only defining it in this file
|
||||
*/
|
||||
#if ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) )
|
||||
#define PLATFORM_UTIL_USE_GMTIME
|
||||
#endif /* ! ( defined(_WIN32) && !defined(EFIX64) && !defined(EFI32) ) */
|
||||
|
||||
#endif /* !( ( defined(_POSIX_VERSION) && _POSIX_VERSION >= 200809L ) || \
|
||||
( defined(_POSIX_THREAD_SAFE_FUNCTIONS ) && \
|
||||
_POSIX_THREAD_SAFE_FUNCTIONS >= 200112L ) ) */
|
||||
|
||||
struct tm *mbedtls_platform_gmtime_r( const mbedtls_time_t *tt,
|
||||
struct tm *tm_buf )
|
||||
{
|
||||
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
|
||||
return( ( gmtime_s( tm_buf, tt ) == 0 ) ? tm_buf : NULL );
|
||||
#elif !defined(PLATFORM_UTIL_USE_GMTIME)
|
||||
return( gmtime_r( tt, tm_buf ) );
|
||||
#else
|
||||
struct tm *lt;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_lock( &mbedtls_threading_gmtime_mutex ) != 0 )
|
||||
return( NULL );
|
||||
#endif /* MBEDTLS_THREADING_C */
|
||||
|
||||
lt = gmtime( tt );
|
||||
|
||||
if( lt != NULL )
|
||||
{
|
||||
memcpy( tm_buf, lt, sizeof( struct tm ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &mbedtls_threading_gmtime_mutex ) != 0 )
|
||||
return( NULL );
|
||||
#endif /* MBEDTLS_THREADING_C */
|
||||
|
||||
return( ( lt == NULL ) ? NULL : tm_buf );
|
||||
#endif /* _WIN32 && !EFIX64 && !EFI32 */
|
||||
}
|
||||
#endif /* MBEDTLS_HAVE_TIME_DATE && MBEDTLS_PLATFORM_GMTIME_R_ALT */
|
||||
|
||||
#if defined(MBEDTLS_TEST_HOOKS)
|
||||
void (*mbedtls_test_hook_test_fail)( const char *, int, const char *);
|
||||
#endif /* MBEDTLS_TEST_HOOKS */
|
||||
|
@ -1,486 +0,0 @@
|
||||
/*
|
||||
* Helper functions for the RSA module
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
|
||||
#include "mbedtls/rsa.h"
|
||||
#include "mbedtls/bignum.h"
|
||||
#include "rsa_alt_helpers.h"
|
||||
|
||||
/*
|
||||
* Compute RSA prime factors from public and private exponents
|
||||
*
|
||||
* Summary of algorithm:
|
||||
* Setting F := lcm(P-1,Q-1), the idea is as follows:
|
||||
*
|
||||
* (a) For any 1 <= X < N with gcd(X,N)=1, we have X^F = 1 modulo N, so X^(F/2)
|
||||
* is a square root of 1 in Z/NZ. Since Z/NZ ~= Z/PZ x Z/QZ by CRT and the
|
||||
* square roots of 1 in Z/PZ and Z/QZ are +1 and -1, this leaves the four
|
||||
* possibilities X^(F/2) = (+-1, +-1). If it happens that X^(F/2) = (-1,+1)
|
||||
* or (+1,-1), then gcd(X^(F/2) + 1, N) will be equal to one of the prime
|
||||
* factors of N.
|
||||
*
|
||||
* (b) If we don't know F/2 but (F/2) * K for some odd (!) K, then the same
|
||||
* construction still applies since (-)^K is the identity on the set of
|
||||
* roots of 1 in Z/NZ.
|
||||
*
|
||||
* The public and private key primitives (-)^E and (-)^D are mutually inverse
|
||||
* bijections on Z/NZ if and only if (-)^(DE) is the identity on Z/NZ, i.e.
|
||||
* if and only if DE - 1 is a multiple of F, say DE - 1 = F * L.
|
||||
* Splitting L = 2^t * K with K odd, we have
|
||||
*
|
||||
* DE - 1 = FL = (F/2) * (2^(t+1)) * K,
|
||||
*
|
||||
* so (F / 2) * K is among the numbers
|
||||
*
|
||||
* (DE - 1) >> 1, (DE - 1) >> 2, ..., (DE - 1) >> ord
|
||||
*
|
||||
* where ord is the order of 2 in (DE - 1).
|
||||
* We can therefore iterate through these numbers apply the construction
|
||||
* of (a) and (b) above to attempt to factor N.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N,
|
||||
mbedtls_mpi const *E, mbedtls_mpi const *D,
|
||||
mbedtls_mpi *P, mbedtls_mpi *Q )
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
uint16_t attempt; /* Number of current attempt */
|
||||
uint16_t iter; /* Number of squares computed in the current attempt */
|
||||
|
||||
uint16_t order; /* Order of 2 in DE - 1 */
|
||||
|
||||
mbedtls_mpi T; /* Holds largest odd divisor of DE - 1 */
|
||||
mbedtls_mpi K; /* Temporary holding the current candidate */
|
||||
|
||||
const unsigned char primes[] = { 2,
|
||||
3, 5, 7, 11, 13, 17, 19, 23,
|
||||
29, 31, 37, 41, 43, 47, 53, 59,
|
||||
61, 67, 71, 73, 79, 83, 89, 97,
|
||||
101, 103, 107, 109, 113, 127, 131, 137,
|
||||
139, 149, 151, 157, 163, 167, 173, 179,
|
||||
181, 191, 193, 197, 199, 211, 223, 227,
|
||||
229, 233, 239, 241, 251
|
||||
};
|
||||
|
||||
const size_t num_primes = sizeof( primes ) / sizeof( *primes );
|
||||
|
||||
if( P == NULL || Q == NULL || P->p != NULL || Q->p != NULL )
|
||||
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||
|
||||
if( mbedtls_mpi_cmp_int( N, 0 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
|
||||
mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
/*
|
||||
* Initializations and temporary changes
|
||||
*/
|
||||
|
||||
mbedtls_mpi_init( &K );
|
||||
mbedtls_mpi_init( &T );
|
||||
|
||||
/* T := DE - 1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &T, D, E ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &T, &T, 1 ) );
|
||||
|
||||
if( ( order = (uint16_t) mbedtls_mpi_lsb( &T ) ) == 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* After this operation, T holds the largest odd divisor of DE - 1. */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( &T, order ) );
|
||||
|
||||
/*
|
||||
* Actual work
|
||||
*/
|
||||
|
||||
/* Skip trying 2 if N == 1 mod 8 */
|
||||
attempt = 0;
|
||||
if( N->p[0] % 8 == 1 )
|
||||
attempt = 1;
|
||||
|
||||
for( ; attempt < num_primes; ++attempt )
|
||||
{
|
||||
mbedtls_mpi_lset( &K, primes[attempt] );
|
||||
|
||||
/* Check if gcd(K,N) = 1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
|
||||
if( mbedtls_mpi_cmp_int( P, 1 ) != 0 )
|
||||
continue;
|
||||
|
||||
/* Go through K^T + 1, K^(2T) + 1, K^(4T) + 1, ...
|
||||
* and check whether they have nontrivial GCD with N. */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_exp_mod( &K, &K, &T, N,
|
||||
Q /* temporarily use Q for storing Montgomery
|
||||
* multiplication helper values */ ) );
|
||||
|
||||
for( iter = 1; iter <= order; ++iter )
|
||||
{
|
||||
/* If we reach 1 prematurely, there's no point
|
||||
* in continuing to square K */
|
||||
if( mbedtls_mpi_cmp_int( &K, 1 ) == 0 )
|
||||
break;
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_add_int( &K, &K, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( P, &K, N ) );
|
||||
|
||||
if( mbedtls_mpi_cmp_int( P, 1 ) == 1 &&
|
||||
mbedtls_mpi_cmp_mpi( P, N ) == -1 )
|
||||
{
|
||||
/*
|
||||
* Have found a nontrivial divisor P of N.
|
||||
* Set Q := N / P.
|
||||
*/
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( Q, NULL, N, P ) );
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &K ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, N ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* If we get here, then either we prematurely aborted the loop because
|
||||
* we reached 1, or K holds primes[attempt]^(DE - 1) mod N, which must
|
||||
* be 1 if D,E,N were consistent.
|
||||
* Check if that's the case and abort if not, to avoid very long,
|
||||
* yet eventually failing, computations if N,D,E were not sane.
|
||||
*/
|
||||
if( mbedtls_mpi_cmp_int( &K, 1 ) != 0 )
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
ret = MBEDTLS_ERR_MPI_BAD_INPUT_DATA;
|
||||
|
||||
cleanup:
|
||||
|
||||
mbedtls_mpi_free( &K );
|
||||
mbedtls_mpi_free( &T );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Given P, Q and the public exponent E, deduce D.
|
||||
* This is essentially a modular inversion.
|
||||
*/
|
||||
int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
|
||||
mbedtls_mpi const *Q,
|
||||
mbedtls_mpi const *E,
|
||||
mbedtls_mpi *D )
|
||||
{
|
||||
int ret = 0;
|
||||
mbedtls_mpi K, L;
|
||||
|
||||
if( D == NULL || mbedtls_mpi_cmp_int( D, 0 ) != 0 )
|
||||
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||
|
||||
if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_int( Q, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_int( E, 0 ) == 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
mbedtls_mpi_init( &K );
|
||||
mbedtls_mpi_init( &L );
|
||||
|
||||
/* Temporarily put K := P-1 and L := Q-1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
|
||||
|
||||
/* Temporarily put D := gcd(P-1, Q-1) */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_gcd( D, &K, &L ) );
|
||||
|
||||
/* K := LCM(P-1, Q-1) */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, &K, &L ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_div_mpi( &K, NULL, &K, D ) );
|
||||
|
||||
/* Compute modular inverse of E in LCM(P-1, Q-1) */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( D, E, &K ) );
|
||||
|
||||
cleanup:
|
||||
|
||||
mbedtls_mpi_free( &K );
|
||||
mbedtls_mpi_free( &L );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
|
||||
const mbedtls_mpi *D, mbedtls_mpi *DP,
|
||||
mbedtls_mpi *DQ, mbedtls_mpi *QP )
|
||||
{
|
||||
int ret = 0;
|
||||
mbedtls_mpi K;
|
||||
mbedtls_mpi_init( &K );
|
||||
|
||||
/* DP = D mod P-1 */
|
||||
if( DP != NULL )
|
||||
{
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DP, D, &K ) );
|
||||
}
|
||||
|
||||
/* DQ = D mod Q-1 */
|
||||
if( DQ != NULL )
|
||||
{
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( DQ, D, &K ) );
|
||||
}
|
||||
|
||||
/* QP = Q^{-1} mod P */
|
||||
if( QP != NULL )
|
||||
{
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_inv_mod( QP, Q, P ) );
|
||||
}
|
||||
|
||||
cleanup:
|
||||
mbedtls_mpi_free( &K );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that core RSA parameters are sane.
|
||||
*/
|
||||
int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
|
||||
const mbedtls_mpi *Q, const mbedtls_mpi *D,
|
||||
const mbedtls_mpi *E,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret = 0;
|
||||
mbedtls_mpi K, L;
|
||||
|
||||
mbedtls_mpi_init( &K );
|
||||
mbedtls_mpi_init( &L );
|
||||
|
||||
/*
|
||||
* Step 1: If PRNG provided, check that P and Q are prime
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_GENPRIME)
|
||||
/*
|
||||
* When generating keys, the strongest security we support aims for an error
|
||||
* rate of at most 2^-100 and we are aiming for the same certainty here as
|
||||
* well.
|
||||
*/
|
||||
if( f_rng != NULL && P != NULL &&
|
||||
( ret = mbedtls_mpi_is_prime_ext( P, 50, f_rng, p_rng ) ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( f_rng != NULL && Q != NULL &&
|
||||
( ret = mbedtls_mpi_is_prime_ext( Q, 50, f_rng, p_rng ) ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
#else
|
||||
((void) f_rng);
|
||||
((void) p_rng);
|
||||
#endif /* MBEDTLS_GENPRIME */
|
||||
|
||||
/*
|
||||
* Step 2: Check that 1 < N = P * Q
|
||||
*/
|
||||
|
||||
if( P != NULL && Q != NULL && N != NULL )
|
||||
{
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, P, Q ) );
|
||||
if( mbedtls_mpi_cmp_int( N, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_mpi( &K, N ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Step 3: Check and 1 < D, E < N if present.
|
||||
*/
|
||||
|
||||
if( N != NULL && D != NULL && E != NULL )
|
||||
{
|
||||
if ( mbedtls_mpi_cmp_int( D, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_int( E, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_mpi( D, N ) >= 0 ||
|
||||
mbedtls_mpi_cmp_mpi( E, N ) >= 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Step 4: Check that D, E are inverse modulo P-1 and Q-1
|
||||
*/
|
||||
|
||||
if( P != NULL && Q != NULL && D != NULL && E != NULL )
|
||||
{
|
||||
if( mbedtls_mpi_cmp_int( P, 1 ) <= 0 ||
|
||||
mbedtls_mpi_cmp_int( Q, 1 ) <= 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Compute DE-1 mod P-1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, P, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
|
||||
if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Compute DE-1 mod Q-1 */
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, D, E ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &L, Q, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, &L ) );
|
||||
if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:
|
||||
|
||||
mbedtls_mpi_free( &K );
|
||||
mbedtls_mpi_free( &L );
|
||||
|
||||
/* Wrap MPI error codes by RSA check failure error code */
|
||||
if( ret != 0 && ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED )
|
||||
{
|
||||
ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
}
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Check that RSA CRT parameters are in accordance with core parameters.
|
||||
*/
|
||||
int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
|
||||
const mbedtls_mpi *D, const mbedtls_mpi *DP,
|
||||
const mbedtls_mpi *DQ, const mbedtls_mpi *QP )
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
mbedtls_mpi K, L;
|
||||
mbedtls_mpi_init( &K );
|
||||
mbedtls_mpi_init( &L );
|
||||
|
||||
/* Check that DP - D == 0 mod P - 1 */
|
||||
if( DP != NULL )
|
||||
{
|
||||
if( P == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, P, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DP, D ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
|
||||
|
||||
if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
/* Check that DQ - D == 0 mod Q - 1 */
|
||||
if( DQ != NULL )
|
||||
{
|
||||
if( Q == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, Q, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_mpi( &L, DQ, D ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &L, &L, &K ) );
|
||||
|
||||
if( mbedtls_mpi_cmp_int( &L, 0 ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
/* Check that QP * Q - 1 == 0 mod P */
|
||||
if( QP != NULL )
|
||||
{
|
||||
if( P == NULL || Q == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mul_mpi( &K, QP, Q ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_sub_int( &K, &K, 1 ) );
|
||||
MBEDTLS_MPI_CHK( mbedtls_mpi_mod_mpi( &K, &K, P ) );
|
||||
if( mbedtls_mpi_cmp_int( &K, 0 ) != 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:
|
||||
|
||||
/* Wrap MPI error codes by RSA check failure error code */
|
||||
if( ret != 0 &&
|
||||
ret != MBEDTLS_ERR_RSA_KEY_CHECK_FAILED &&
|
||||
ret != MBEDTLS_ERR_RSA_BAD_INPUT_DATA )
|
||||
{
|
||||
ret += MBEDTLS_ERR_RSA_KEY_CHECK_FAILED;
|
||||
}
|
||||
|
||||
mbedtls_mpi_free( &K );
|
||||
mbedtls_mpi_free( &L );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_RSA_C */
|
@ -1,220 +0,0 @@
|
||||
/**
|
||||
* \file rsa_alt_helpers.h
|
||||
*
|
||||
* \brief Context-independent RSA helper functions
|
||||
*
|
||||
* This module declares some RSA-related helper functions useful when
|
||||
* implementing the RSA interface. These functions are provided in a separate
|
||||
* compilation unit in order to make it easy for designers of alternative RSA
|
||||
* implementations to use them in their own code, as it is conceived that the
|
||||
* functionality they provide will be necessary for most complete
|
||||
* implementations.
|
||||
*
|
||||
* End-users of Mbed TLS who are not providing their own alternative RSA
|
||||
* implementations should not use these functions directly, and should instead
|
||||
* use only the functions declared in rsa.h.
|
||||
*
|
||||
* The interface provided by this module will be maintained through LTS (Long
|
||||
* Term Support) branches of Mbed TLS, but may otherwise be subject to change,
|
||||
* and must be considered an internal interface of the library.
|
||||
*
|
||||
* There are two classes of helper functions:
|
||||
*
|
||||
* (1) Parameter-generating helpers. These are:
|
||||
* - mbedtls_rsa_deduce_primes
|
||||
* - mbedtls_rsa_deduce_private_exponent
|
||||
* - mbedtls_rsa_deduce_crt
|
||||
* Each of these functions takes a set of core RSA parameters and
|
||||
* generates some other, or CRT related parameters.
|
||||
*
|
||||
* (2) Parameter-checking helpers. These are:
|
||||
* - mbedtls_rsa_validate_params
|
||||
* - mbedtls_rsa_validate_crt
|
||||
* They take a set of core or CRT related RSA parameters and check their
|
||||
* validity.
|
||||
*
|
||||
*/
|
||||
/*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef MBEDTLS_RSA_INTERNAL_H
|
||||
#define MBEDTLS_RSA_INTERNAL_H
|
||||
|
||||
#include "mbedtls/build_info.h"
|
||||
|
||||
#include "mbedtls/bignum.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
|
||||
/**
|
||||
* \brief Compute RSA prime moduli P, Q from public modulus N=PQ
|
||||
* and a pair of private and public key.
|
||||
*
|
||||
* \note This is a 'static' helper function not operating on
|
||||
* an RSA context. Alternative implementations need not
|
||||
* overwrite it.
|
||||
*
|
||||
* \param N RSA modulus N = PQ, with P, Q to be found
|
||||
* \param E RSA public exponent
|
||||
* \param D RSA private exponent
|
||||
* \param P Pointer to MPI holding first prime factor of N on success
|
||||
* \param Q Pointer to MPI holding second prime factor of N on success
|
||||
*
|
||||
* \return
|
||||
* - 0 if successful. In this case, P and Q constitute a
|
||||
* factorization of N.
|
||||
* - A non-zero error code otherwise.
|
||||
*
|
||||
* \note It is neither checked that P, Q are prime nor that
|
||||
* D, E are modular inverses wrt. P-1 and Q-1. For that,
|
||||
* use the helper function \c mbedtls_rsa_validate_params.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_deduce_primes( mbedtls_mpi const *N, mbedtls_mpi const *E,
|
||||
mbedtls_mpi const *D,
|
||||
mbedtls_mpi *P, mbedtls_mpi *Q );
|
||||
|
||||
/**
|
||||
* \brief Compute RSA private exponent from
|
||||
* prime moduli and public key.
|
||||
*
|
||||
* \note This is a 'static' helper function not operating on
|
||||
* an RSA context. Alternative implementations need not
|
||||
* overwrite it.
|
||||
*
|
||||
* \param P First prime factor of RSA modulus
|
||||
* \param Q Second prime factor of RSA modulus
|
||||
* \param E RSA public exponent
|
||||
* \param D Pointer to MPI holding the private exponent on success.
|
||||
*
|
||||
* \return
|
||||
* - 0 if successful. In this case, D is set to a simultaneous
|
||||
* modular inverse of E modulo both P-1 and Q-1.
|
||||
* - A non-zero error code otherwise.
|
||||
*
|
||||
* \note This function does not check whether P and Q are primes.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_deduce_private_exponent( mbedtls_mpi const *P,
|
||||
mbedtls_mpi const *Q,
|
||||
mbedtls_mpi const *E,
|
||||
mbedtls_mpi *D );
|
||||
|
||||
|
||||
/**
|
||||
* \brief Generate RSA-CRT parameters
|
||||
*
|
||||
* \note This is a 'static' helper function not operating on
|
||||
* an RSA context. Alternative implementations need not
|
||||
* overwrite it.
|
||||
*
|
||||
* \param P First prime factor of N
|
||||
* \param Q Second prime factor of N
|
||||
* \param D RSA private exponent
|
||||
* \param DP Output variable for D modulo P-1
|
||||
* \param DQ Output variable for D modulo Q-1
|
||||
* \param QP Output variable for the modular inverse of Q modulo P.
|
||||
*
|
||||
* \return 0 on success, non-zero error code otherwise.
|
||||
*
|
||||
* \note This function does not check whether P, Q are
|
||||
* prime and whether D is a valid private exponent.
|
||||
*
|
||||
*/
|
||||
int mbedtls_rsa_deduce_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
|
||||
const mbedtls_mpi *D, mbedtls_mpi *DP,
|
||||
mbedtls_mpi *DQ, mbedtls_mpi *QP );
|
||||
|
||||
|
||||
/**
|
||||
* \brief Check validity of core RSA parameters
|
||||
*
|
||||
* \note This is a 'static' helper function not operating on
|
||||
* an RSA context. Alternative implementations need not
|
||||
* overwrite it.
|
||||
*
|
||||
* \param N RSA modulus N = PQ
|
||||
* \param P First prime factor of N
|
||||
* \param Q Second prime factor of N
|
||||
* \param D RSA private exponent
|
||||
* \param E RSA public exponent
|
||||
* \param f_rng PRNG to be used for primality check, or NULL
|
||||
* \param p_rng PRNG context for f_rng, or NULL
|
||||
*
|
||||
* \return
|
||||
* - 0 if the following conditions are satisfied
|
||||
* if all relevant parameters are provided:
|
||||
* - P prime if f_rng != NULL (%)
|
||||
* - Q prime if f_rng != NULL (%)
|
||||
* - 1 < N = P * Q
|
||||
* - 1 < D, E < N
|
||||
* - D and E are modular inverses modulo P-1 and Q-1
|
||||
* (%) This is only done if MBEDTLS_GENPRIME is defined.
|
||||
* - A non-zero error code otherwise.
|
||||
*
|
||||
* \note The function can be used with a restricted set of arguments
|
||||
* to perform specific checks only. E.g., calling it with
|
||||
* (-,P,-,-,-) and a PRNG amounts to a primality check for P.
|
||||
*/
|
||||
int mbedtls_rsa_validate_params( const mbedtls_mpi *N, const mbedtls_mpi *P,
|
||||
const mbedtls_mpi *Q, const mbedtls_mpi *D,
|
||||
const mbedtls_mpi *E,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng );
|
||||
|
||||
/**
|
||||
* \brief Check validity of RSA CRT parameters
|
||||
*
|
||||
* \note This is a 'static' helper function not operating on
|
||||
* an RSA context. Alternative implementations need not
|
||||
* overwrite it.
|
||||
*
|
||||
* \param P First prime factor of RSA modulus
|
||||
* \param Q Second prime factor of RSA modulus
|
||||
* \param D RSA private exponent
|
||||
* \param DP MPI to check for D modulo P-1
|
||||
* \param DQ MPI to check for D modulo P-1
|
||||
* \param QP MPI to check for the modular inverse of Q modulo P.
|
||||
*
|
||||
* \return
|
||||
* - 0 if the following conditions are satisfied:
|
||||
* - D = DP mod P-1 if P, D, DP != NULL
|
||||
* - Q = DQ mod P-1 if P, D, DQ != NULL
|
||||
* - QP = Q^-1 mod P if P, Q, QP != NULL
|
||||
* - \c MBEDTLS_ERR_RSA_KEY_CHECK_FAILED if check failed,
|
||||
* potentially including \c MBEDTLS_ERR_MPI_XXX if some
|
||||
* MPI calculations failed.
|
||||
* - \c MBEDTLS_ERR_RSA_BAD_INPUT_DATA if insufficient
|
||||
* data was provided to check DP, DQ or QP.
|
||||
*
|
||||
* \note The function can be used with a restricted set of arguments
|
||||
* to perform specific checks only. E.g., calling it with the
|
||||
* parameters (P, -, D, DP, -, -) will check DP = D mod P-1.
|
||||
*/
|
||||
int mbedtls_rsa_validate_crt( const mbedtls_mpi *P, const mbedtls_mpi *Q,
|
||||
const mbedtls_mpi *D, const mbedtls_mpi *DP,
|
||||
const mbedtls_mpi *DQ, const mbedtls_mpi *QP );
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* rsa_alt_helpers.h */
|
557
sha256.c
557
sha256.c
@ -1,557 +0,0 @@
|
||||
/*
|
||||
* FIPS-180-2 compliant SHA-256 implementation
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
/*
|
||||
* The SHA-256 Secure Hash Standard was published by NIST in 2002.
|
||||
*
|
||||
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
|
||||
#include "mbedtls/sha256.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_SELF_TEST)
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_printf printf
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif /* MBEDTLS_PLATFORM_C */
|
||||
#endif /* MBEDTLS_SELF_TEST */
|
||||
|
||||
#define SHA256_VALIDATE_RET(cond) \
|
||||
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
|
||||
#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
|
||||
|
||||
#if !defined(MBEDTLS_SHA256_ALT)
|
||||
|
||||
void mbedtls_sha256_init( mbedtls_sha256_context *ctx )
|
||||
{
|
||||
SHA256_VALIDATE( ctx != NULL );
|
||||
|
||||
memset( ctx, 0, sizeof( mbedtls_sha256_context ) );
|
||||
}
|
||||
|
||||
void mbedtls_sha256_free( mbedtls_sha256_context *ctx )
|
||||
{
|
||||
if( ctx == NULL )
|
||||
return;
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha256_context ) );
|
||||
}
|
||||
|
||||
void mbedtls_sha256_clone( mbedtls_sha256_context *dst,
|
||||
const mbedtls_sha256_context *src )
|
||||
{
|
||||
SHA256_VALIDATE( dst != NULL );
|
||||
SHA256_VALIDATE( src != NULL );
|
||||
|
||||
*dst = *src;
|
||||
}
|
||||
|
||||
/*
|
||||
* SHA-256 context setup
|
||||
*/
|
||||
int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
|
||||
{
|
||||
SHA256_VALIDATE_RET( ctx != NULL );
|
||||
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
|
||||
#else
|
||||
SHA256_VALIDATE_RET( is224 == 0 );
|
||||
#endif
|
||||
|
||||
ctx->total[0] = 0;
|
||||
ctx->total[1] = 0;
|
||||
|
||||
if( is224 == 0 )
|
||||
{
|
||||
/* SHA-256 */
|
||||
ctx->state[0] = 0x6A09E667;
|
||||
ctx->state[1] = 0xBB67AE85;
|
||||
ctx->state[2] = 0x3C6EF372;
|
||||
ctx->state[3] = 0xA54FF53A;
|
||||
ctx->state[4] = 0x510E527F;
|
||||
ctx->state[5] = 0x9B05688C;
|
||||
ctx->state[6] = 0x1F83D9AB;
|
||||
ctx->state[7] = 0x5BE0CD19;
|
||||
}
|
||||
else
|
||||
{
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
/* SHA-224 */
|
||||
ctx->state[0] = 0xC1059ED8;
|
||||
ctx->state[1] = 0x367CD507;
|
||||
ctx->state[2] = 0x3070DD17;
|
||||
ctx->state[3] = 0xF70E5939;
|
||||
ctx->state[4] = 0xFFC00B31;
|
||||
ctx->state[5] = 0x68581511;
|
||||
ctx->state[6] = 0x64F98FA7;
|
||||
ctx->state[7] = 0xBEFA4FA4;
|
||||
#endif
|
||||
}
|
||||
|
||||
ctx->is224 = is224;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
|
||||
static const uint32_t K[] =
|
||||
{
|
||||
0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
|
||||
0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
|
||||
0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
|
||||
0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
|
||||
0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
|
||||
0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
|
||||
0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
|
||||
0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
|
||||
0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
|
||||
0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
|
||||
0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
|
||||
0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
|
||||
0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
|
||||
0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
|
||||
0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
|
||||
0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
|
||||
};
|
||||
|
||||
#define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
|
||||
#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
|
||||
|
||||
#define S0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3))
|
||||
#define S1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10))
|
||||
|
||||
#define S2(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22))
|
||||
#define S3(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25))
|
||||
|
||||
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
|
||||
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
|
||||
|
||||
#define R(t) \
|
||||
( \
|
||||
local.W[t] = S1(local.W[(t) - 2]) + local.W[(t) - 7] + \
|
||||
S0(local.W[(t) - 15]) + local.W[(t) - 16] \
|
||||
)
|
||||
|
||||
#define P(a,b,c,d,e,f,g,h,x,K) \
|
||||
do \
|
||||
{ \
|
||||
local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
|
||||
local.temp2 = S2(a) + F0((a),(b),(c)); \
|
||||
(d) += local.temp1; (h) = local.temp1 + local.temp2; \
|
||||
} while( 0 )
|
||||
|
||||
int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
|
||||
const unsigned char data[64] )
|
||||
{
|
||||
struct
|
||||
{
|
||||
uint32_t temp1, temp2, W[64];
|
||||
uint32_t A[8];
|
||||
} local;
|
||||
|
||||
unsigned int i;
|
||||
|
||||
SHA256_VALIDATE_RET( ctx != NULL );
|
||||
SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
local.A[i] = ctx->state[i];
|
||||
|
||||
#if defined(MBEDTLS_SHA256_SMALLER)
|
||||
for( i = 0; i < 64; i++ )
|
||||
{
|
||||
if( i < 16 )
|
||||
local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
|
||||
else
|
||||
R( i );
|
||||
|
||||
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
|
||||
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
|
||||
|
||||
local.temp1 = local.A[7]; local.A[7] = local.A[6];
|
||||
local.A[6] = local.A[5]; local.A[5] = local.A[4];
|
||||
local.A[4] = local.A[3]; local.A[3] = local.A[2];
|
||||
local.A[2] = local.A[1]; local.A[1] = local.A[0];
|
||||
local.A[0] = local.temp1;
|
||||
}
|
||||
#else /* MBEDTLS_SHA256_SMALLER */
|
||||
for( i = 0; i < 16; i++ )
|
||||
local.W[i] = MBEDTLS_GET_UINT32_BE( data, 4 * i );
|
||||
|
||||
for( i = 0; i < 16; i += 8 )
|
||||
{
|
||||
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
|
||||
local.A[5], local.A[6], local.A[7], local.W[i+0], K[i+0] );
|
||||
P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
|
||||
local.A[4], local.A[5], local.A[6], local.W[i+1], K[i+1] );
|
||||
P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
|
||||
local.A[3], local.A[4], local.A[5], local.W[i+2], K[i+2] );
|
||||
P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
|
||||
local.A[2], local.A[3], local.A[4], local.W[i+3], K[i+3] );
|
||||
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
|
||||
local.A[1], local.A[2], local.A[3], local.W[i+4], K[i+4] );
|
||||
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
|
||||
local.A[0], local.A[1], local.A[2], local.W[i+5], K[i+5] );
|
||||
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
|
||||
local.A[7], local.A[0], local.A[1], local.W[i+6], K[i+6] );
|
||||
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
|
||||
local.A[6], local.A[7], local.A[0], local.W[i+7], K[i+7] );
|
||||
}
|
||||
|
||||
for( i = 16; i < 64; i += 8 )
|
||||
{
|
||||
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
|
||||
local.A[5], local.A[6], local.A[7], R(i+0), K[i+0] );
|
||||
P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
|
||||
local.A[4], local.A[5], local.A[6], R(i+1), K[i+1] );
|
||||
P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
|
||||
local.A[3], local.A[4], local.A[5], R(i+2), K[i+2] );
|
||||
P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
|
||||
local.A[2], local.A[3], local.A[4], R(i+3), K[i+3] );
|
||||
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
|
||||
local.A[1], local.A[2], local.A[3], R(i+4), K[i+4] );
|
||||
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
|
||||
local.A[0], local.A[1], local.A[2], R(i+5), K[i+5] );
|
||||
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
|
||||
local.A[7], local.A[0], local.A[1], R(i+6), K[i+6] );
|
||||
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
|
||||
local.A[6], local.A[7], local.A[0], R(i+7), K[i+7] );
|
||||
}
|
||||
#endif /* MBEDTLS_SHA256_SMALLER */
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
ctx->state[i] += local.A[i];
|
||||
|
||||
/* Zeroise buffers and variables to clear sensitive data from memory. */
|
||||
mbedtls_platform_zeroize( &local, sizeof( local ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_SHA256_PROCESS_ALT */
|
||||
|
||||
/*
|
||||
* SHA-256 process buffer
|
||||
*/
|
||||
int mbedtls_sha256_update( mbedtls_sha256_context *ctx,
|
||||
const unsigned char *input,
|
||||
size_t ilen )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t fill;
|
||||
uint32_t left;
|
||||
|
||||
SHA256_VALIDATE_RET( ctx != NULL );
|
||||
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
|
||||
|
||||
if( ilen == 0 )
|
||||
return( 0 );
|
||||
|
||||
left = ctx->total[0] & 0x3F;
|
||||
fill = 64 - left;
|
||||
|
||||
ctx->total[0] += (uint32_t) ilen;
|
||||
ctx->total[0] &= 0xFFFFFFFF;
|
||||
|
||||
if( ctx->total[0] < (uint32_t) ilen )
|
||||
ctx->total[1]++;
|
||||
|
||||
if( left && ilen >= fill )
|
||||
{
|
||||
memcpy( (void *) (ctx->buffer + left), input, fill );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
input += fill;
|
||||
ilen -= fill;
|
||||
left = 0;
|
||||
}
|
||||
|
||||
while( ilen >= 64 )
|
||||
{
|
||||
if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
input += 64;
|
||||
ilen -= 64;
|
||||
}
|
||||
|
||||
if( ilen > 0 )
|
||||
memcpy( (void *) (ctx->buffer + left), input, ilen );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* SHA-256 final digest
|
||||
*/
|
||||
int mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
|
||||
unsigned char *output )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
uint32_t used;
|
||||
uint32_t high, low;
|
||||
|
||||
SHA256_VALIDATE_RET( ctx != NULL );
|
||||
SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
|
||||
|
||||
/*
|
||||
* Add padding: 0x80 then 0x00 until 8 bytes remain for the length
|
||||
*/
|
||||
used = ctx->total[0] & 0x3F;
|
||||
|
||||
ctx->buffer[used++] = 0x80;
|
||||
|
||||
if( used <= 56 )
|
||||
{
|
||||
/* Enough room for padding + length in current block */
|
||||
memset( ctx->buffer + used, 0, 56 - used );
|
||||
}
|
||||
else
|
||||
{
|
||||
/* We'll need an extra block */
|
||||
memset( ctx->buffer + used, 0, 64 - used );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
memset( ctx->buffer, 0, 56 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Add message length
|
||||
*/
|
||||
high = ( ctx->total[0] >> 29 )
|
||||
| ( ctx->total[1] << 3 );
|
||||
low = ( ctx->total[0] << 3 );
|
||||
|
||||
MBEDTLS_PUT_UINT32_BE( high, ctx->buffer, 56 );
|
||||
MBEDTLS_PUT_UINT32_BE( low, ctx->buffer, 60 );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
/*
|
||||
* Output final state
|
||||
*/
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[0], output, 0 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[1], output, 4 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[2], output, 8 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[3], output, 12 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[4], output, 16 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[5], output, 20 );
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[6], output, 24 );
|
||||
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
if( ctx->is224 == 0 )
|
||||
#endif
|
||||
MBEDTLS_PUT_UINT32_BE( ctx->state[7], output, 28 );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_SHA256_ALT */
|
||||
|
||||
/*
|
||||
* output = SHA-256( input buffer )
|
||||
*/
|
||||
int mbedtls_sha256( const unsigned char *input,
|
||||
size_t ilen,
|
||||
unsigned char *output,
|
||||
int is224 )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha256_context ctx;
|
||||
|
||||
#if defined(MBEDTLS_SHA224_C)
|
||||
SHA256_VALIDATE_RET( is224 == 0 || is224 == 1 );
|
||||
#else
|
||||
SHA256_VALIDATE_RET( is224 == 0 );
|
||||
#endif
|
||||
|
||||
SHA256_VALIDATE_RET( ilen == 0 || input != NULL );
|
||||
SHA256_VALIDATE_RET( (unsigned char *)output != NULL );
|
||||
|
||||
mbedtls_sha256_init( &ctx );
|
||||
|
||||
if( ( ret = mbedtls_sha256_starts( &ctx, is224 ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( ( ret = mbedtls_sha256_update( &ctx, input, ilen ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( ( ret = mbedtls_sha256_finish( &ctx, output ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
exit:
|
||||
mbedtls_sha256_free( &ctx );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SELF_TEST)
|
||||
/*
|
||||
* FIPS-180-2 test vectors
|
||||
*/
|
||||
static const unsigned char sha256_test_buf[3][57] =
|
||||
{
|
||||
{ "abc" },
|
||||
{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
|
||||
{ "" }
|
||||
};
|
||||
|
||||
static const size_t sha256_test_buflen[3] =
|
||||
{
|
||||
3, 56, 1000
|
||||
};
|
||||
|
||||
static const unsigned char sha256_test_sum[6][32] =
|
||||
{
|
||||
/*
|
||||
* SHA-224 test vectors
|
||||
*/
|
||||
{ 0x23, 0x09, 0x7D, 0x22, 0x34, 0x05, 0xD8, 0x22,
|
||||
0x86, 0x42, 0xA4, 0x77, 0xBD, 0xA2, 0x55, 0xB3,
|
||||
0x2A, 0xAD, 0xBC, 0xE4, 0xBD, 0xA0, 0xB3, 0xF7,
|
||||
0xE3, 0x6C, 0x9D, 0xA7 },
|
||||
{ 0x75, 0x38, 0x8B, 0x16, 0x51, 0x27, 0x76, 0xCC,
|
||||
0x5D, 0xBA, 0x5D, 0xA1, 0xFD, 0x89, 0x01, 0x50,
|
||||
0xB0, 0xC6, 0x45, 0x5C, 0xB4, 0xF5, 0x8B, 0x19,
|
||||
0x52, 0x52, 0x25, 0x25 },
|
||||
{ 0x20, 0x79, 0x46, 0x55, 0x98, 0x0C, 0x91, 0xD8,
|
||||
0xBB, 0xB4, 0xC1, 0xEA, 0x97, 0x61, 0x8A, 0x4B,
|
||||
0xF0, 0x3F, 0x42, 0x58, 0x19, 0x48, 0xB2, 0xEE,
|
||||
0x4E, 0xE7, 0xAD, 0x67 },
|
||||
|
||||
/*
|
||||
* SHA-256 test vectors
|
||||
*/
|
||||
{ 0xBA, 0x78, 0x16, 0xBF, 0x8F, 0x01, 0xCF, 0xEA,
|
||||
0x41, 0x41, 0x40, 0xDE, 0x5D, 0xAE, 0x22, 0x23,
|
||||
0xB0, 0x03, 0x61, 0xA3, 0x96, 0x17, 0x7A, 0x9C,
|
||||
0xB4, 0x10, 0xFF, 0x61, 0xF2, 0x00, 0x15, 0xAD },
|
||||
{ 0x24, 0x8D, 0x6A, 0x61, 0xD2, 0x06, 0x38, 0xB8,
|
||||
0xE5, 0xC0, 0x26, 0x93, 0x0C, 0x3E, 0x60, 0x39,
|
||||
0xA3, 0x3C, 0xE4, 0x59, 0x64, 0xFF, 0x21, 0x67,
|
||||
0xF6, 0xEC, 0xED, 0xD4, 0x19, 0xDB, 0x06, 0xC1 },
|
||||
{ 0xCD, 0xC7, 0x6E, 0x5C, 0x99, 0x14, 0xFB, 0x92,
|
||||
0x81, 0xA1, 0xC7, 0xE2, 0x84, 0xD7, 0x3E, 0x67,
|
||||
0xF1, 0x80, 0x9A, 0x48, 0xA4, 0x97, 0x20, 0x0E,
|
||||
0x04, 0x6D, 0x39, 0xCC, 0xC7, 0x11, 0x2C, 0xD0 }
|
||||
};
|
||||
|
||||
/*
|
||||
* Checkup routine
|
||||
*/
|
||||
int mbedtls_sha256_self_test( int verbose )
|
||||
{
|
||||
int i, j, k, buflen, ret = 0;
|
||||
unsigned char *buf;
|
||||
unsigned char sha256sum[32];
|
||||
mbedtls_sha256_context ctx;
|
||||
|
||||
buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
|
||||
if( NULL == buf )
|
||||
{
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "Buffer allocation failed\n" );
|
||||
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
mbedtls_sha256_init( &ctx );
|
||||
|
||||
for( i = 0; i < 6; i++ )
|
||||
{
|
||||
j = i % 3;
|
||||
k = i < 3;
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( " SHA-%d test #%d: ", 256 - k * 32, j + 1 );
|
||||
|
||||
if( ( ret = mbedtls_sha256_starts( &ctx, k ) ) != 0 )
|
||||
goto fail;
|
||||
|
||||
if( j == 2 )
|
||||
{
|
||||
memset( buf, 'a', buflen = 1000 );
|
||||
|
||||
for( j = 0; j < 1000; j++ )
|
||||
{
|
||||
ret = mbedtls_sha256_update( &ctx, buf, buflen );
|
||||
if( ret != 0 )
|
||||
goto fail;
|
||||
}
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
ret = mbedtls_sha256_update( &ctx, sha256_test_buf[j],
|
||||
sha256_test_buflen[j] );
|
||||
if( ret != 0 )
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_sha256_finish( &ctx, sha256sum ) ) != 0 )
|
||||
goto fail;
|
||||
|
||||
|
||||
if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
|
||||
{
|
||||
ret = 1;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "passed\n" );
|
||||
}
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "\n" );
|
||||
|
||||
goto exit;
|
||||
|
||||
fail:
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "failed\n" );
|
||||
|
||||
exit:
|
||||
mbedtls_sha256_free( &ctx );
|
||||
mbedtls_free( buf );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SELF_TEST */
|
||||
|
||||
#endif /* MBEDTLS_SHA256_C */
|
618
sha512.c
618
sha512.c
@ -1,618 +0,0 @@
|
||||
/*
|
||||
* FIPS-180-2 compliant SHA-384/512 implementation
|
||||
*
|
||||
* Copyright The Mbed TLS Contributors
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
/*
|
||||
* The SHA-512 Secure Hash Standard was published by NIST in 2002.
|
||||
*
|
||||
* http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
|
||||
*/
|
||||
|
||||
#include "common.h"
|
||||
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
|
||||
#include "mbedtls/sha512.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
#include "mbedtls/error.h"
|
||||
|
||||
#if defined(_MSC_VER) || defined(__WATCOMC__)
|
||||
#define UL64(x) x##ui64
|
||||
#else
|
||||
#define UL64(x) x##ULL
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_SELF_TEST)
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_printf printf
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif /* MBEDTLS_PLATFORM_C */
|
||||
#endif /* MBEDTLS_SELF_TEST */
|
||||
|
||||
#define SHA512_VALIDATE_RET(cond) \
|
||||
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA512_BAD_INPUT_DATA )
|
||||
#define SHA512_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
|
||||
|
||||
#if !defined(MBEDTLS_SHA512_ALT)
|
||||
|
||||
#if defined(MBEDTLS_SHA512_SMALLER)
|
||||
static void sha512_put_uint64_be( uint64_t n, unsigned char *b, uint8_t i )
|
||||
{
|
||||
MBEDTLS_PUT_UINT64_BE(n, b, i);
|
||||
}
|
||||
#else
|
||||
#define sha512_put_uint64_be MBEDTLS_PUT_UINT64_BE
|
||||
#endif /* MBEDTLS_SHA512_SMALLER */
|
||||
|
||||
void mbedtls_sha512_init( mbedtls_sha512_context *ctx )
|
||||
{
|
||||
SHA512_VALIDATE( ctx != NULL );
|
||||
|
||||
memset( ctx, 0, sizeof( mbedtls_sha512_context ) );
|
||||
}
|
||||
|
||||
void mbedtls_sha512_free( mbedtls_sha512_context *ctx )
|
||||
{
|
||||
if( ctx == NULL )
|
||||
return;
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_sha512_context ) );
|
||||
}
|
||||
|
||||
void mbedtls_sha512_clone( mbedtls_sha512_context *dst,
|
||||
const mbedtls_sha512_context *src )
|
||||
{
|
||||
SHA512_VALIDATE( dst != NULL );
|
||||
SHA512_VALIDATE( src != NULL );
|
||||
|
||||
*dst = *src;
|
||||
}
|
||||
|
||||
/*
|
||||
* SHA-512 context setup
|
||||
*/
|
||||
int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 )
|
||||
{
|
||||
SHA512_VALIDATE_RET( ctx != NULL );
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
|
||||
#else
|
||||
SHA512_VALIDATE_RET( is384 == 0 );
|
||||
#endif
|
||||
|
||||
ctx->total[0] = 0;
|
||||
ctx->total[1] = 0;
|
||||
|
||||
if( is384 == 0 )
|
||||
{
|
||||
/* SHA-512 */
|
||||
ctx->state[0] = UL64(0x6A09E667F3BCC908);
|
||||
ctx->state[1] = UL64(0xBB67AE8584CAA73B);
|
||||
ctx->state[2] = UL64(0x3C6EF372FE94F82B);
|
||||
ctx->state[3] = UL64(0xA54FF53A5F1D36F1);
|
||||
ctx->state[4] = UL64(0x510E527FADE682D1);
|
||||
ctx->state[5] = UL64(0x9B05688C2B3E6C1F);
|
||||
ctx->state[6] = UL64(0x1F83D9ABFB41BD6B);
|
||||
ctx->state[7] = UL64(0x5BE0CD19137E2179);
|
||||
}
|
||||
else
|
||||
{
|
||||
#if !defined(MBEDTLS_SHA384_C)
|
||||
return( MBEDTLS_ERR_SHA512_BAD_INPUT_DATA );
|
||||
#else
|
||||
/* SHA-384 */
|
||||
ctx->state[0] = UL64(0xCBBB9D5DC1059ED8);
|
||||
ctx->state[1] = UL64(0x629A292A367CD507);
|
||||
ctx->state[2] = UL64(0x9159015A3070DD17);
|
||||
ctx->state[3] = UL64(0x152FECD8F70E5939);
|
||||
ctx->state[4] = UL64(0x67332667FFC00B31);
|
||||
ctx->state[5] = UL64(0x8EB44A8768581511);
|
||||
ctx->state[6] = UL64(0xDB0C2E0D64F98FA7);
|
||||
ctx->state[7] = UL64(0x47B5481DBEFA4FA4);
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
ctx->is384 = is384;
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_SHA512_PROCESS_ALT)
|
||||
|
||||
/*
|
||||
* Round constants
|
||||
*/
|
||||
static const uint64_t K[80] =
|
||||
{
|
||||
UL64(0x428A2F98D728AE22), UL64(0x7137449123EF65CD),
|
||||
UL64(0xB5C0FBCFEC4D3B2F), UL64(0xE9B5DBA58189DBBC),
|
||||
UL64(0x3956C25BF348B538), UL64(0x59F111F1B605D019),
|
||||
UL64(0x923F82A4AF194F9B), UL64(0xAB1C5ED5DA6D8118),
|
||||
UL64(0xD807AA98A3030242), UL64(0x12835B0145706FBE),
|
||||
UL64(0x243185BE4EE4B28C), UL64(0x550C7DC3D5FFB4E2),
|
||||
UL64(0x72BE5D74F27B896F), UL64(0x80DEB1FE3B1696B1),
|
||||
UL64(0x9BDC06A725C71235), UL64(0xC19BF174CF692694),
|
||||
UL64(0xE49B69C19EF14AD2), UL64(0xEFBE4786384F25E3),
|
||||
UL64(0x0FC19DC68B8CD5B5), UL64(0x240CA1CC77AC9C65),
|
||||
UL64(0x2DE92C6F592B0275), UL64(0x4A7484AA6EA6E483),
|
||||
UL64(0x5CB0A9DCBD41FBD4), UL64(0x76F988DA831153B5),
|
||||
UL64(0x983E5152EE66DFAB), UL64(0xA831C66D2DB43210),
|
||||
UL64(0xB00327C898FB213F), UL64(0xBF597FC7BEEF0EE4),
|
||||
UL64(0xC6E00BF33DA88FC2), UL64(0xD5A79147930AA725),
|
||||
UL64(0x06CA6351E003826F), UL64(0x142929670A0E6E70),
|
||||
UL64(0x27B70A8546D22FFC), UL64(0x2E1B21385C26C926),
|
||||
UL64(0x4D2C6DFC5AC42AED), UL64(0x53380D139D95B3DF),
|
||||
UL64(0x650A73548BAF63DE), UL64(0x766A0ABB3C77B2A8),
|
||||
UL64(0x81C2C92E47EDAEE6), UL64(0x92722C851482353B),
|
||||
UL64(0xA2BFE8A14CF10364), UL64(0xA81A664BBC423001),
|
||||
UL64(0xC24B8B70D0F89791), UL64(0xC76C51A30654BE30),
|
||||
UL64(0xD192E819D6EF5218), UL64(0xD69906245565A910),
|
||||
UL64(0xF40E35855771202A), UL64(0x106AA07032BBD1B8),
|
||||
UL64(0x19A4C116B8D2D0C8), UL64(0x1E376C085141AB53),
|
||||
UL64(0x2748774CDF8EEB99), UL64(0x34B0BCB5E19B48A8),
|
||||
UL64(0x391C0CB3C5C95A63), UL64(0x4ED8AA4AE3418ACB),
|
||||
UL64(0x5B9CCA4F7763E373), UL64(0x682E6FF3D6B2B8A3),
|
||||
UL64(0x748F82EE5DEFB2FC), UL64(0x78A5636F43172F60),
|
||||
UL64(0x84C87814A1F0AB72), UL64(0x8CC702081A6439EC),
|
||||
UL64(0x90BEFFFA23631E28), UL64(0xA4506CEBDE82BDE9),
|
||||
UL64(0xBEF9A3F7B2C67915), UL64(0xC67178F2E372532B),
|
||||
UL64(0xCA273ECEEA26619C), UL64(0xD186B8C721C0C207),
|
||||
UL64(0xEADA7DD6CDE0EB1E), UL64(0xF57D4F7FEE6ED178),
|
||||
UL64(0x06F067AA72176FBA), UL64(0x0A637DC5A2C898A6),
|
||||
UL64(0x113F9804BEF90DAE), UL64(0x1B710B35131C471B),
|
||||
UL64(0x28DB77F523047D84), UL64(0x32CAAB7B40C72493),
|
||||
UL64(0x3C9EBE0A15C9BEBC), UL64(0x431D67C49C100D4C),
|
||||
UL64(0x4CC5D4BECB3E42B6), UL64(0x597F299CFC657E2A),
|
||||
UL64(0x5FCB6FAB3AD6FAEC), UL64(0x6C44198C4A475817)
|
||||
};
|
||||
|
||||
int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
|
||||
const unsigned char data[128] )
|
||||
{
|
||||
int i;
|
||||
struct
|
||||
{
|
||||
uint64_t temp1, temp2, W[80];
|
||||
uint64_t A[8];
|
||||
} local;
|
||||
|
||||
SHA512_VALIDATE_RET( ctx != NULL );
|
||||
SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
|
||||
|
||||
#define SHR(x,n) ((x) >> (n))
|
||||
#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
|
||||
|
||||
#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
|
||||
#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
|
||||
|
||||
#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
|
||||
#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
|
||||
|
||||
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
|
||||
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
|
||||
|
||||
#define P(a,b,c,d,e,f,g,h,x,K) \
|
||||
do \
|
||||
{ \
|
||||
local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
|
||||
local.temp2 = S2(a) + F0((a),(b),(c)); \
|
||||
(d) += local.temp1; (h) = local.temp1 + local.temp2; \
|
||||
} while( 0 )
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
local.A[i] = ctx->state[i];
|
||||
|
||||
#if defined(MBEDTLS_SHA512_SMALLER)
|
||||
for( i = 0; i < 80; i++ )
|
||||
{
|
||||
if( i < 16 )
|
||||
{
|
||||
local.W[i] = MBEDTLS_GET_UINT64_BE( data, i << 3 );
|
||||
}
|
||||
else
|
||||
{
|
||||
local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
|
||||
S0(local.W[i - 15]) + local.W[i - 16];
|
||||
}
|
||||
|
||||
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
|
||||
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
|
||||
|
||||
local.temp1 = local.A[7]; local.A[7] = local.A[6];
|
||||
local.A[6] = local.A[5]; local.A[5] = local.A[4];
|
||||
local.A[4] = local.A[3]; local.A[3] = local.A[2];
|
||||
local.A[2] = local.A[1]; local.A[1] = local.A[0];
|
||||
local.A[0] = local.temp1;
|
||||
}
|
||||
#else /* MBEDTLS_SHA512_SMALLER */
|
||||
for( i = 0; i < 16; i++ )
|
||||
{
|
||||
local.W[i] = MBEDTLS_GET_UINT64_BE( data, i << 3 );
|
||||
}
|
||||
|
||||
for( ; i < 80; i++ )
|
||||
{
|
||||
local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
|
||||
S0(local.W[i - 15]) + local.W[i - 16];
|
||||
}
|
||||
|
||||
i = 0;
|
||||
do
|
||||
{
|
||||
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
|
||||
local.A[5], local.A[6], local.A[7], local.W[i], K[i] ); i++;
|
||||
P( local.A[7], local.A[0], local.A[1], local.A[2], local.A[3],
|
||||
local.A[4], local.A[5], local.A[6], local.W[i], K[i] ); i++;
|
||||
P( local.A[6], local.A[7], local.A[0], local.A[1], local.A[2],
|
||||
local.A[3], local.A[4], local.A[5], local.W[i], K[i] ); i++;
|
||||
P( local.A[5], local.A[6], local.A[7], local.A[0], local.A[1],
|
||||
local.A[2], local.A[3], local.A[4], local.W[i], K[i] ); i++;
|
||||
P( local.A[4], local.A[5], local.A[6], local.A[7], local.A[0],
|
||||
local.A[1], local.A[2], local.A[3], local.W[i], K[i] ); i++;
|
||||
P( local.A[3], local.A[4], local.A[5], local.A[6], local.A[7],
|
||||
local.A[0], local.A[1], local.A[2], local.W[i], K[i] ); i++;
|
||||
P( local.A[2], local.A[3], local.A[4], local.A[5], local.A[6],
|
||||
local.A[7], local.A[0], local.A[1], local.W[i], K[i] ); i++;
|
||||
P( local.A[1], local.A[2], local.A[3], local.A[4], local.A[5],
|
||||
local.A[6], local.A[7], local.A[0], local.W[i], K[i] ); i++;
|
||||
}
|
||||
while( i < 80 );
|
||||
#endif /* MBEDTLS_SHA512_SMALLER */
|
||||
|
||||
for( i = 0; i < 8; i++ )
|
||||
ctx->state[i] += local.A[i];
|
||||
|
||||
/* Zeroise buffers and variables to clear sensitive data from memory. */
|
||||
mbedtls_platform_zeroize( &local, sizeof( local ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_SHA512_PROCESS_ALT */
|
||||
|
||||
/*
|
||||
* SHA-512 process buffer
|
||||
*/
|
||||
int mbedtls_sha512_update( mbedtls_sha512_context *ctx,
|
||||
const unsigned char *input,
|
||||
size_t ilen )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
size_t fill;
|
||||
unsigned int left;
|
||||
|
||||
SHA512_VALIDATE_RET( ctx != NULL );
|
||||
SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
|
||||
|
||||
if( ilen == 0 )
|
||||
return( 0 );
|
||||
|
||||
left = (unsigned int) (ctx->total[0] & 0x7F);
|
||||
fill = 128 - left;
|
||||
|
||||
ctx->total[0] += (uint64_t) ilen;
|
||||
|
||||
if( ctx->total[0] < (uint64_t) ilen )
|
||||
ctx->total[1]++;
|
||||
|
||||
if( left && ilen >= fill )
|
||||
{
|
||||
memcpy( (void *) (ctx->buffer + left), input, fill );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
input += fill;
|
||||
ilen -= fill;
|
||||
left = 0;
|
||||
}
|
||||
|
||||
while( ilen >= 128 )
|
||||
{
|
||||
if( ( ret = mbedtls_internal_sha512_process( ctx, input ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
input += 128;
|
||||
ilen -= 128;
|
||||
}
|
||||
|
||||
if( ilen > 0 )
|
||||
memcpy( (void *) (ctx->buffer + left), input, ilen );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* SHA-512 final digest
|
||||
*/
|
||||
int mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
|
||||
unsigned char *output )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
unsigned used;
|
||||
uint64_t high, low;
|
||||
|
||||
SHA512_VALIDATE_RET( ctx != NULL );
|
||||
SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
|
||||
|
||||
/*
|
||||
* Add padding: 0x80 then 0x00 until 16 bytes remain for the length
|
||||
*/
|
||||
used = ctx->total[0] & 0x7F;
|
||||
|
||||
ctx->buffer[used++] = 0x80;
|
||||
|
||||
if( used <= 112 )
|
||||
{
|
||||
/* Enough room for padding + length in current block */
|
||||
memset( ctx->buffer + used, 0, 112 - used );
|
||||
}
|
||||
else
|
||||
{
|
||||
/* We'll need an extra block */
|
||||
memset( ctx->buffer + used, 0, 128 - used );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
memset( ctx->buffer, 0, 112 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Add message length
|
||||
*/
|
||||
high = ( ctx->total[0] >> 61 )
|
||||
| ( ctx->total[1] << 3 );
|
||||
low = ( ctx->total[0] << 3 );
|
||||
|
||||
sha512_put_uint64_be( high, ctx->buffer, 112 );
|
||||
sha512_put_uint64_be( low, ctx->buffer, 120 );
|
||||
|
||||
if( ( ret = mbedtls_internal_sha512_process( ctx, ctx->buffer ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
/*
|
||||
* Output final state
|
||||
*/
|
||||
sha512_put_uint64_be( ctx->state[0], output, 0 );
|
||||
sha512_put_uint64_be( ctx->state[1], output, 8 );
|
||||
sha512_put_uint64_be( ctx->state[2], output, 16 );
|
||||
sha512_put_uint64_be( ctx->state[3], output, 24 );
|
||||
sha512_put_uint64_be( ctx->state[4], output, 32 );
|
||||
sha512_put_uint64_be( ctx->state[5], output, 40 );
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
if( ctx->is384 == 0 )
|
||||
#endif
|
||||
{
|
||||
sha512_put_uint64_be( ctx->state[6], output, 48 );
|
||||
sha512_put_uint64_be( ctx->state[7], output, 56 );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_SHA512_ALT */
|
||||
|
||||
/*
|
||||
* output = SHA-512( input buffer )
|
||||
*/
|
||||
int mbedtls_sha512( const unsigned char *input,
|
||||
size_t ilen,
|
||||
unsigned char *output,
|
||||
int is384 )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||
mbedtls_sha512_context ctx;
|
||||
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
SHA512_VALIDATE_RET( is384 == 0 || is384 == 1 );
|
||||
#else
|
||||
SHA512_VALIDATE_RET( is384 == 0 );
|
||||
#endif
|
||||
SHA512_VALIDATE_RET( ilen == 0 || input != NULL );
|
||||
SHA512_VALIDATE_RET( (unsigned char *)output != NULL );
|
||||
|
||||
mbedtls_sha512_init( &ctx );
|
||||
|
||||
if( ( ret = mbedtls_sha512_starts( &ctx, is384 ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( ( ret = mbedtls_sha512_update( &ctx, input, ilen ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( ( ret = mbedtls_sha512_finish( &ctx, output ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
exit:
|
||||
mbedtls_sha512_free( &ctx );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SELF_TEST)
|
||||
|
||||
/*
|
||||
* FIPS-180-2 test vectors
|
||||
*/
|
||||
static const unsigned char sha512_test_buf[3][113] =
|
||||
{
|
||||
{ "abc" },
|
||||
{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
|
||||
{ "" }
|
||||
};
|
||||
|
||||
static const size_t sha512_test_buflen[3] =
|
||||
{
|
||||
3, 112, 1000
|
||||
};
|
||||
|
||||
static const unsigned char sha512_test_sum[][64] =
|
||||
{
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
/*
|
||||
* SHA-384 test vectors
|
||||
*/
|
||||
{ 0xCB, 0x00, 0x75, 0x3F, 0x45, 0xA3, 0x5E, 0x8B,
|
||||
0xB5, 0xA0, 0x3D, 0x69, 0x9A, 0xC6, 0x50, 0x07,
|
||||
0x27, 0x2C, 0x32, 0xAB, 0x0E, 0xDE, 0xD1, 0x63,
|
||||
0x1A, 0x8B, 0x60, 0x5A, 0x43, 0xFF, 0x5B, 0xED,
|
||||
0x80, 0x86, 0x07, 0x2B, 0xA1, 0xE7, 0xCC, 0x23,
|
||||
0x58, 0xBA, 0xEC, 0xA1, 0x34, 0xC8, 0x25, 0xA7 },
|
||||
{ 0x09, 0x33, 0x0C, 0x33, 0xF7, 0x11, 0x47, 0xE8,
|
||||
0x3D, 0x19, 0x2F, 0xC7, 0x82, 0xCD, 0x1B, 0x47,
|
||||
0x53, 0x11, 0x1B, 0x17, 0x3B, 0x3B, 0x05, 0xD2,
|
||||
0x2F, 0xA0, 0x80, 0x86, 0xE3, 0xB0, 0xF7, 0x12,
|
||||
0xFC, 0xC7, 0xC7, 0x1A, 0x55, 0x7E, 0x2D, 0xB9,
|
||||
0x66, 0xC3, 0xE9, 0xFA, 0x91, 0x74, 0x60, 0x39 },
|
||||
{ 0x9D, 0x0E, 0x18, 0x09, 0x71, 0x64, 0x74, 0xCB,
|
||||
0x08, 0x6E, 0x83, 0x4E, 0x31, 0x0A, 0x4A, 0x1C,
|
||||
0xED, 0x14, 0x9E, 0x9C, 0x00, 0xF2, 0x48, 0x52,
|
||||
0x79, 0x72, 0xCE, 0xC5, 0x70, 0x4C, 0x2A, 0x5B,
|
||||
0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
|
||||
0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
|
||||
#endif /* MBEDTLS_SHA384_C */
|
||||
|
||||
/*
|
||||
* SHA-512 test vectors
|
||||
*/
|
||||
{ 0xDD, 0xAF, 0x35, 0xA1, 0x93, 0x61, 0x7A, 0xBA,
|
||||
0xCC, 0x41, 0x73, 0x49, 0xAE, 0x20, 0x41, 0x31,
|
||||
0x12, 0xE6, 0xFA, 0x4E, 0x89, 0xA9, 0x7E, 0xA2,
|
||||
0x0A, 0x9E, 0xEE, 0xE6, 0x4B, 0x55, 0xD3, 0x9A,
|
||||
0x21, 0x92, 0x99, 0x2A, 0x27, 0x4F, 0xC1, 0xA8,
|
||||
0x36, 0xBA, 0x3C, 0x23, 0xA3, 0xFE, 0xEB, 0xBD,
|
||||
0x45, 0x4D, 0x44, 0x23, 0x64, 0x3C, 0xE8, 0x0E,
|
||||
0x2A, 0x9A, 0xC9, 0x4F, 0xA5, 0x4C, 0xA4, 0x9F },
|
||||
{ 0x8E, 0x95, 0x9B, 0x75, 0xDA, 0xE3, 0x13, 0xDA,
|
||||
0x8C, 0xF4, 0xF7, 0x28, 0x14, 0xFC, 0x14, 0x3F,
|
||||
0x8F, 0x77, 0x79, 0xC6, 0xEB, 0x9F, 0x7F, 0xA1,
|
||||
0x72, 0x99, 0xAE, 0xAD, 0xB6, 0x88, 0x90, 0x18,
|
||||
0x50, 0x1D, 0x28, 0x9E, 0x49, 0x00, 0xF7, 0xE4,
|
||||
0x33, 0x1B, 0x99, 0xDE, 0xC4, 0xB5, 0x43, 0x3A,
|
||||
0xC7, 0xD3, 0x29, 0xEE, 0xB6, 0xDD, 0x26, 0x54,
|
||||
0x5E, 0x96, 0xE5, 0x5B, 0x87, 0x4B, 0xE9, 0x09 },
|
||||
{ 0xE7, 0x18, 0x48, 0x3D, 0x0C, 0xE7, 0x69, 0x64,
|
||||
0x4E, 0x2E, 0x42, 0xC7, 0xBC, 0x15, 0xB4, 0x63,
|
||||
0x8E, 0x1F, 0x98, 0xB1, 0x3B, 0x20, 0x44, 0x28,
|
||||
0x56, 0x32, 0xA8, 0x03, 0xAF, 0xA9, 0x73, 0xEB,
|
||||
0xDE, 0x0F, 0xF2, 0x44, 0x87, 0x7E, 0xA6, 0x0A,
|
||||
0x4C, 0xB0, 0x43, 0x2C, 0xE5, 0x77, 0xC3, 0x1B,
|
||||
0xEB, 0x00, 0x9C, 0x5C, 0x2C, 0x49, 0xAA, 0x2E,
|
||||
0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
|
||||
};
|
||||
|
||||
#define ARRAY_LENGTH( a ) ( sizeof( a ) / sizeof( ( a )[0] ) )
|
||||
|
||||
/*
|
||||
* Checkup routine
|
||||
*/
|
||||
int mbedtls_sha512_self_test( int verbose )
|
||||
{
|
||||
int i, j, k, buflen, ret = 0;
|
||||
unsigned char *buf;
|
||||
unsigned char sha512sum[64];
|
||||
mbedtls_sha512_context ctx;
|
||||
|
||||
buf = mbedtls_calloc( 1024, sizeof(unsigned char) );
|
||||
if( NULL == buf )
|
||||
{
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "Buffer allocation failed\n" );
|
||||
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
mbedtls_sha512_init( &ctx );
|
||||
|
||||
for( i = 0; i < (int) ARRAY_LENGTH(sha512_test_sum); i++ )
|
||||
{
|
||||
j = i % 3;
|
||||
#if defined(MBEDTLS_SHA384_C)
|
||||
k = i < 3;
|
||||
#else
|
||||
k = 0;
|
||||
#endif
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( " SHA-%d test #%d: ", 512 - k * 128, j + 1 );
|
||||
|
||||
if( ( ret = mbedtls_sha512_starts( &ctx, k ) ) != 0 )
|
||||
goto fail;
|
||||
|
||||
if( j == 2 )
|
||||
{
|
||||
memset( buf, 'a', buflen = 1000 );
|
||||
|
||||
for( j = 0; j < 1000; j++ )
|
||||
{
|
||||
ret = mbedtls_sha512_update( &ctx, buf, buflen );
|
||||
if( ret != 0 )
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
ret = mbedtls_sha512_update( &ctx, sha512_test_buf[j],
|
||||
sha512_test_buflen[j] );
|
||||
if( ret != 0 )
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_sha512_finish( &ctx, sha512sum ) ) != 0 )
|
||||
goto fail;
|
||||
|
||||
if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
|
||||
{
|
||||
ret = 1;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "passed\n" );
|
||||
}
|
||||
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "\n" );
|
||||
|
||||
goto exit;
|
||||
|
||||
fail:
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( "failed\n" );
|
||||
|
||||
exit:
|
||||
mbedtls_sha512_free( &ctx );
|
||||
mbedtls_free( buf );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#undef ARRAY_LENGTH
|
||||
|
||||
#endif /* MBEDTLS_SELF_TEST */
|
||||
|
||||
#endif /* MBEDTLS_SHA512_C */
|
1746
ssl_misc.h
1746
ssl_misc.h
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user