Import mbedtls 3.6.0 #6797
Open
Import mbedtls 3.6.0 #6797
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Comments on the commit message of "Import mbedtls-3.6.0" Please update the version in "cp -R path/to/mbedtls-3.4.0/mbedtls" For "rm cmake/MbedTLSConfig.cmake.in", how about adding "cmake" to the list of directories we remove instead? Please add .gitmodules and .readthedocs.yaml to the list of files to remove |
|
I've replicated the source importing and it adds up. |
|
@jenswi-linaro, thank you for the review!
I don't see a reason we couldn't, so I've added it to the requested changes. |
tomvaneyck
force-pushed
the
import/mbedtls-3.6.0
branch
from
8350abe
to
1f5b1d1
Compare
|
For "libmbedtls: allow inclusion of arm_neon.h" with the amend, please apply: |
|
For "libmbedtls: adjust use of rsa pk_wrap API" and "Import mbedtls-3.6.0" with the fixup/ammend, apply: Please squash the amended commits. |
tomvaneyck
force-pushed
the
import/mbedtls-3.6.0
branch
from
1f5b1d1
to
925d009
Compare
Imports Mbed TLS 3.6.0 from https://github.com/Mbed-TLS/mbedtls.git tags mbedtls-3.6.0, v3.6.0 Files that are not needed are removed: cd lib/libmbedtls rm -rf mbedtls cp -R path/to/mbedtls-3.6.0/mbedtls . cd mbedtls rm CMakeLists.txt DartConfiguration.tcl Makefile rm .gitignore .travis.yml .pylintrc .globalrc .mypy.ini BRANCHES.md rm include/.gitignore include/CMakeLists.txt library/.gitignore rm library/CMakeLists.txt library/Makefile rm -r cmake rm -rf .git .github doxygen configs programs scripts tests visualc rm -rf 3rdparty ChangeLog.d docs pkgconfig .gitmodules .readthedocs.yaml rm library/mps_* cd .. git add mbedtls This time we leave library/psa_* present to enable TLS 1.3 features. This is a complete overwrite of previous code so earlier changes in the previous branch import/mbedtls-3.4.0 will be added on top of this commit. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Removes default config include/mbedtls/config.h Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebased onto mbedtls-2.28.1] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Configures mbedtls to reach outside the imported source tree for configuration .h file. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0 and removed inclusion of check_config.h] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Makes mbedtls_mpi_montg_init(), mbedtls_mpi_montmul() and mbedtls_mpi_montred() available for external use. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0, keep static functions] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebased onto mbedtls-2.28.1] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0, replace original functions] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Adds mbedtls_mpi_init_mempool() which initializes a mbedtls_mpi struct to use the mempool mbedtls_mpi_mempool if configured for memory allocation. All local memory allocation are changed to use mbedtls_mpi_init_mempool() instead of mbedtls_mpi_init(). This will give a stack like alloc/free pattern for which the mempool is optimized. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0, fold fixup commit: 2df910b ("libmbedtls: mbedtls_mpi_shrink(): fix possible unwanted truncation"), adjust macro ECP_MPI_INIT] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0, adjust new coding style] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0, reintroduce mbedtls_mpi_zeroize] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Increase the count limit when generating the witness in the Rabin-Miller primality test. The previous number 30 was too low to reliably detect 000000022770A7DC599BC90B2FF981CCB5CF05703344C8F350418AAD as a prime number. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebased onto mbedtls-2.22.0] [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For integrating into OPTEE_OS, it needs add some interfaces: 1. add mbedtls_cipher_clone() for cipher to copy context between two operations. 2. add mbedtls_cipher_setup_info() for cipher. cipher need to get its "cipher_info" according the key length, while the key length is not an input in allocate function. So, use a default key len in the beginning. It need to reset the cipher info again in init function. 3. add mbedtls_cipher_cmac_setup() for cmac. This function is separate from mbedtls_cipher_cmac_starts(). 4. copy hmac context in md. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Edison Ai <edison.ai@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebase onto mbedtls-2.22.0] [jf: rebase onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jf: rebase onto mbedtls-2.28.1, fix typo in comment] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebase onto mbedtls-3.4.0, adjust new coding style] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebase onto mbedtls-3.6.0, adjust for changes between 3.4 and 3.6] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
In NO_CRT mode, Q and P may be invalid. But Q and P will be re-filled again if PRNG function is valid. So add judgement process if it is in NO_CRT mode. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Summer Qin <summer.qin@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [jf: rebase onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebase onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
When MBEDTLS_ECP_DP_SM2_ENABLED is set, adds support for the ECC curve defined for the Chinese SM2 algorithm (G/MT 0003 Part 5, [1]). Link: [1] http://www.gmbz.org.cn/upload/2018-07-24/1532401863206085511.pdf Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> [jf: rebased onto mbedtls-2.27.0] Signed-off-by: Jerome Forissier <jerome@forissier.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Adds fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext() by using the macro FTMN_CALLEE_DONE_MEMCMP() instead of memcmp() when checking that the hash in the RSA signature is matching the expected value. FTMN_CALLEE_DONE_MEMCMP() saves on success the result in a thread local storage if fault mitigations was enabled when the function was called. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
…fy() Adds fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify() by using the macro FTMN_CALLEE_DONE_MEMCMP() instead of just mbedtls_safer_memcmp() when checking that the hash in the RSA signature is matching the expected value. FTMN_CALLEE_DONE_MEMCMP() saves on success the result in a thread local storage if fault mitigations was enabled when the function was called. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For chacha20 and chachapoly, the *_ctx_clone() function is missing and therefore the wrong function pointers are assigned to .ctx_clone_func and .ctx_free_func when MBEDTLS_CHACHA20_C or MBEDTLS_CHACHAPOLY_C is enabled. Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> [jw: rebased onto mbedtls-3.4.0] Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
For AES Key Wrap mode, the *_ctx_clone() function is missing and therefore the wrong function pointers are assigned to .ctx_clone_func and .ctx_free_func when MBEDTLS_NIST_KW_C is enabled. Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-By: Jerome Forissier <jerome.forissier@linaro.org> [tve: rebased onto mbedtls-3.6.0] Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
mbedtls/library/common.h includes arm_neon.h since 3.5.0, which collides with the definition of __section and __data in compiler.h. Temporarily remove those definitions while including arm_neon.h. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
These functions now accept `mbedtls_pk_context` instead of `mbedtls_rsa_context`. Use this wrapper struct in `libmbedtls/core/rsa.c`. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
MbedTLS set the default minimum key size to 1024, while test regression_4007 requires a minimum key size of 128. Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
tomvaneyck
force-pushed
the
import/mbedtls-3.6.0
branch
from
925d009
to
afd7e60
Compare
|
AFAICT the CI error is totally unrelated the MbedTLS update. |
Wrong.
Without this PR, one iteration takes only 6 seconds so there is clearly something wrong. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request imports MbedTLS 3.6.0, and additionally includes the PSA files necessary for TLS 1.3.