New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Import mbedtls 3.6.0 #6797
base: import/mbedtls-3.6.0
Are you sure you want to change the base?
Import mbedtls 3.6.0 #6797
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments for the commit "libmbedtls allow inclusion of arm_neon.h"
Please add a :
after libmbedtls
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments for "libmbedtls: adjust use of rsa pk_wrap API"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For "libmbedtls: reset minimum rsa key size"
Please apply:
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Comments on the commit message of "Import mbedtls-3.6.0" Please update the version in "cp -R path/to/mbedtls-3.4.0/mbedtls" For "rm cmake/MbedTLSConfig.cmake.in", how about adding "cmake" to the list of directories we remove instead? Please add .gitmodules and .readthedocs.yaml to the list of files to remove |
I've replicated the source importing and it adds up. |
@jenswi-linaro, thank you for the review!
I don't see a reason we couldn't, so I've added it to the requested changes. |
8350abe
to
1f5b1d1
Compare
For "libmbedtls: allow inclusion of arm_neon.h" with the amend, please apply: |
For "libmbedtls: adjust use of rsa pk_wrap API" and "Import mbedtls-3.6.0" with the fixup/ammend, apply: Please squash the amended commits. |
1f5b1d1
to
925d009
Compare
Imports Mbed TLS 3.6.0 from https://github.com/Mbed-TLS/mbedtls.git tags mbedtls-3.6.0, v3.6.0 Files that are not needed are removed: cd lib/libmbedtls rm -rf mbedtls cp -R path/to/mbedtls-3.6.0/mbedtls . cd mbedtls rm CMakeLists.txt DartConfiguration.tcl Makefile rm .gitignore .travis.yml .pylintrc .globalrc .mypy.ini BRANCHES.md rm include/.gitignore include/CMakeLists.txt library/.gitignore rm library/CMakeLists.txt library/Makefile rm -r cmake rm -rf .git .github doxygen configs programs scripts tests visualc rm -rf 3rdparty ChangeLog.d docs pkgconfig .gitmodules .readthedocs.yaml rm library/mps_* cd .. git add mbedtls This time we leave library/psa_* present to enable TLS 1.3 features. This is a complete overwrite of previous code so earlier changes in the previous branch import/mbedtls-3.4.0 will be added on top of this commit. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Removes default config include/mbedtls/config.h Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebased onto mbedtls-2.28.1] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Configures mbedtls to reach outside the imported source tree for configuration .h file. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0 and removed inclusion of check_config.h] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Makes mbedtls_mpi_montg_init(), mbedtls_mpi_montmul() and mbedtls_mpi_montred() available for external use. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0, keep static functions] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebased onto mbedtls-2.28.1] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0, replace original functions] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Adds mbedtls_mpi_init_mempool() which initializes a mbedtls_mpi struct to use the mempool mbedtls_mpi_mempool if configured for memory allocation. All local memory allocation are changed to use mbedtls_mpi_init_mempool() instead of mbedtls_mpi_init(). This will give a stack like alloc/free pattern for which the mempool is optimized. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0, fold fixup commit: 2df910b ("libmbedtls: mbedtls_mpi_shrink(): fix possible unwanted truncation"), adjust macro ECP_MPI_INIT] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0, adjust new coding style] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0, reintroduce mbedtls_mpi_zeroize] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Increase the count limit when generating the witness in the Rabin-Miller primality test. The previous number 30 was too low to reliably detect 000000022770A7DC599BC90B2FF981CCB5CF05703344C8F350418AAD as a prime number. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For integrating into OPTEE_OS, it needs add some interfaces: 1. add mbedtls_cipher_clone() for cipher to copy context between two operations. 2. add mbedtls_cipher_setup_info() for cipher. cipher need to get its "cipher_info" according the key length, while the key length is not an input in allocate function. So, use a default key len in the beginning. It need to reset the cipher info again in init function. 3. add mbedtls_cipher_cmac_setup() for cmac. This function is separate from mbedtls_cipher_cmac_starts(). 4. copy hmac context in md. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Edison Ai <edison.ai@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebase onto mbedtls-2.22.0] [jf: rebase onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebase onto mbedtls-2.28.1, fix typo in comment] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebase onto mbedtls-3.4.0, adjust new coding style] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebase onto mbedtls-3.6.0, adjust for changes between 3.4 and 3.6] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
In NO_CRT mode, Q and P may be invalid. But Q and P will be re-filled again if PRNG function is valid. So add judgement process if it is in NO_CRT mode. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Summer Qin <summer.qin@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebase onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebase onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
When MBEDTLS_ECP_DP_SM2_ENABLED is set, adds support for the ECC curve defined for the Chinese SM2 algorithm (G/MT 0003 Part 5, [1]). Link: [1] http://www.gmbz.org.cn/upload/2018-07-24/1532401863206085511.pdf Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Adds fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext() by using the macro FTMN_CALLEE_DONE_MEMCMP() instead of memcmp() when checking that the hash in the RSA signature is matching the expected value. FTMN_CALLEE_DONE_MEMCMP() saves on success the result in a thread local storage if fault mitigations was enabled when the function was called. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
…fy() Adds fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify() by using the macro FTMN_CALLEE_DONE_MEMCMP() instead of just mbedtls_safer_memcmp() when checking that the hash in the RSA signature is matching the expected value. FTMN_CALLEE_DONE_MEMCMP() saves on success the result in a thread local storage if fault mitigations was enabled when the function was called. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For chacha20 and chachapoly, the *_ctx_clone() function is missing and therefore the wrong function pointers are assigned to .ctx_clone_func and .ctx_free_func when MBEDTLS_CHACHA20_C or MBEDTLS_CHACHAPOLY_C is enabled. Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For AES Key Wrap mode, the *_ctx_clone() function is missing and therefore the wrong function pointers are assigned to .ctx_clone_func and .ctx_free_func when MBEDTLS_NIST_KW_C is enabled. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-By: Jerome Forissier <jerome.forissier@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
mbedtls/library/common.h includes arm_neon.h since 3.5.0, which collides with the definition of __section and __data in compiler.h. Temporarily remove those definitions while including arm_neon.h. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
These functions now accept `mbedtls_pk_context` instead of `mbedtls_rsa_context`. Use this wrapper struct in `libmbedtls/core/rsa.c`. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
MbedTLS set the default minimum key size to 1024, while test regression_4007 requires a minimum key size of 128. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
925d009
to
afd7e60
Compare
AFAICT the CI error is totally unrelated the MbedTLS update. |
Wrong.
Without this PR, one iteration takes only 6 seconds so there is clearly something wrong. |
This pull request imports MbedTLS 3.6.0, and additionally includes the PSA files necessary for TLS 1.3.