Import mbedtls 3.6.0 #6797

Open
wants to merge 16 commits into
base: import/mbedtls-3.6.0

Commits on Apr 29, 2024

  1. Import mbedtls-3.6.0

    Imports Mbed TLS 3.6.0 from https://github.com/Mbed-TLS/mbedtls.git
    tags mbedtls-3.6.0, v3.6.0
    
    Files that are not needed are removed:
    
    cd lib/libmbedtls
    rm -rf mbedtls
    cp -R path/to/mbedtls-3.6.0/mbedtls .
    cd mbedtls
    rm CMakeLists.txt DartConfiguration.tcl Makefile
    rm .gitignore .travis.yml .pylintrc .globalrc .mypy.ini BRANCHES.md
    rm include/.gitignore include/CMakeLists.txt library/.gitignore
    rm library/CMakeLists.txt library/Makefile
    rm -r cmake
    rm -rf .git .github doxygen configs programs scripts tests visualc
    rm -rf 3rdparty ChangeLog.d docs pkgconfig .gitmodules .readthedocs.yaml
    rm library/mps_*
    cd ..
    git add mbedtls
    
    This time we leave library/psa_* present to enable TLS 1.3 features.
    
    This is a complete overwrite of previous code so earlier changes in the
    previous branch import/mbedtls-3.4.0 will be added on top of this commit.
    
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
    tomvaneyck committed Apr 29, 2024
    d34075d View commit details
  2. mbedtls: remove default include/mbedtls/config.h

    Removes default config include/mbedtls/config.h
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebased onto mbedtls-2.22.0]
    [jf: rebased onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jf: rebased onto mbedtls-2.28.1]
    Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    d955b10 View commit details
  3. mbedtls: configure mbedtls to reach for config

    Configures mbedtls to reach outside the imported source tree for
    configuration .h file.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebased onto mbedtls-2.22.0]
    [jf: rebased onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0 and removed inclusion of check_config.h]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    75adae9 View commit details
  4. libmbedtls: make mbedtls_mpi_mont*() available

    Makes mbedtls_mpi_montg_init(), mbedtls_mpi_montmul() and
    mbedtls_mpi_montred() available for external use.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebased onto mbedtls-2.22.0]
    [jf: rebased onto mbedtls-2.27.0, keep static functions]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jf: rebased onto mbedtls-2.28.1]
    Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0, replace original functions]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    1ab314f View commit details
  5. libmbedtls: add mbedtls_mpi_init_mempool()

    Adds mbedtls_mpi_init_mempool() which initializes a mbedtls_mpi struct
    to use the mempool mbedtls_mpi_mempool if configured for memory
    allocation. All local memory allocations are changed to use
    mbedtls_mpi_init_mempool() instead of mbedtls_mpi_init(). This will give
    a stack-like alloc/free pattern for which the mempool is optimized.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebased onto mbedtls-2.22.0]
    [jf: rebased onto mbedtls-2.27.0, fold fixup commit:
     2df910b ("libmbedtls: mbedtls_mpi_shrink(): fix possible unwanted truncation"),
     adjust macro ECP_MPI_INIT]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jw: rebased onto mbedtls-3.4.0, adjust new coding style]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0, reintroduce mbedtls_mpi_zeroize]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    84fc0cf View commit details
  6. libmedtls: mpi_miller_rabin: increase count limit

    Increase the count limit when generating the witness in the Rabin-Miller
    primality test. The previous number 30 was too low to reliably detect
    000000022770A7DC599BC90B2FF981CCB5CF05703344C8F350418AAD as a prime
    number.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebased onto mbedtls-2.22.0]
    [jf: rebased onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    cdce1df View commit details
  7. libmbedtls: add interfaces in mbedtls for context memory operation

    To integrate into OPTEE_OS, some interfaces need to be added:
    1. add mbedtls_cipher_clone() for cipher to copy context between two
    operations.
    2. add mbedtls_cipher_setup_info() for cipher. Cipher needs to get its
    "cipher_info" according to the key length, while the key length is not an
    input to the allocate function. So, use a default key len in the beginning.
    It needs to reset the cipher info again in the init function.
    3. add mbedtls_cipher_cmac_setup() for cmac. This function is separate
    from mbedtls_cipher_cmac_starts().
    4. copy hmac context in md.
    
    Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
    Signed-off-by: Edison Ai <edison.ai@arm.com>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebase onto mbedtls-2.22.0]
    [jf: rebase onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jf: rebase onto mbedtls-2.28.1, fix typo in comment]
    Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
    [jw: rebase onto mbedtls-3.4.0, adjust new coding style]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebase onto mbedtls-3.6.0, adjust for changes between 3.4 and 3.6]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Edison Ai authored and tomvaneyck committed Apr 29, 2024
    78cf9d6 View commit details
  8. libmbedtls: fix no CRT issue

    In NO_CRT mode, Q and P may be invalid. But Q and P will be re-filled
    again if the PRNG function is valid. So add a judgement process if it is
    in NO_CRT mode.
    
    Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
    Signed-off-by: Summer Qin <summer.qin@arm.com>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [jf: rebase onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jw: rebase onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Summer-ARM authored and tomvaneyck committed Apr 29, 2024
    c350fe1 View commit details
  9. libmbedtls: add SM2 curve

    When MBEDTLS_ECP_DP_SM2_ENABLED is set, adds support for the ECC curve
    defined for the Chinese SM2 algorithm (G/MT 0003 Part 5, [1]).
    
    Link: [1] http://www.gmbz.org.cn/upload/2018-07-24/1532401863206085511.pdf
    Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
    Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
    [jf: rebased onto mbedtls-2.27.0]
    Signed-off-by: Jerome Forissier <jerome@forissier.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jforissier authored and tomvaneyck committed Apr 29, 2024
    ebf0a5a View commit details
  10. libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()

    Adds fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext() by using
    the macro FTMN_CALLEE_DONE_MEMCMP() instead of memcmp() when checking
    that the hash in the RSA signature is matching the expected value.
    
    FTMN_CALLEE_DONE_MEMCMP() saves the result on success in thread-local
    storage if fault mitigations were enabled when the function was called.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    48a37cf View commit details
  11. libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()
    
    Adds fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify() by using
    the macro FTMN_CALLEE_DONE_MEMCMP() instead of just
    mbedtls_safer_memcmp() when checking that the hash in the RSA signature
    is matching the expected value.
    
    FTMN_CALLEE_DONE_MEMCMP() saves the result on success in thread-local
    storage if fault mitigations were enabled when the function was called.
    
    Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    7e5db0e View commit details
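
The pattern that commits 10 and 11 describe (a comparison that, on success, also leaves a record in thread-local storage so the caller does not rely on the return code alone), as an added stand-alone C illustration. It is not OP-TEE's or Mbed TLS's code: every `demo_*` name and `DEMO_MATCH` is hypothetical, and the `corrupt_rc` flag only models a fault that lands on the return value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed token: many set and many clear bits, so 0 or -1 with one flipped bit never equals it. */
#define DEMO_MATCH 0x3CA5965Au

/* Hypothetical per-thread record standing in for the thread-local storage. */
struct demo_ftmn { bool armed; uint32_t token; };
static _Thread_local struct demo_ftmn demo_tls;

/* Callee side: compare and, on a match, leave an independent record. */
static int demo_done_memcmp(const void *a, const void *b, size_t n)
{
	int res = memcmp(a, b, n);
	if (res == 0 && demo_tls.armed)
		demo_tls.token = DEMO_MATCH;
	return res;
}

/* Stand-in for the final hash check of an RSA signature verification. */
static int demo_verify(const uint8_t *got, const uint8_t *want, size_t n)
{
	return demo_done_memcmp(got, want, n) ? -1 : 0;
}

/* Caller side: accept only if the return code AND the record agree.
 * corrupt_rc forces rc to 0 to model a fault hitting the return value. */
static bool demo_checked_verify(const uint8_t *got, const uint8_t *want,
				size_t n, bool corrupt_rc)
{
	demo_tls = (struct demo_ftmn){ .armed = true, .token = 0 };
	int rc = demo_verify(got, want, n);
	if (corrupt_rc)
		rc = 0;
	bool ok = (rc == 0) && (demo_tls.token == DEMO_MATCH);
	demo_tls.armed = false;
	return ok;
}

int main(void)
{
	const uint8_t h[4] = { 1, 2, 3, 4 }, bad[4] = { 1, 2, 3, 5 };
	return !(demo_checked_verify(h, h, 4, false) &&
		 !demo_checked_verify(bad, h, 4, true));
}
```

A mismatching hash is still rejected when the return code alone is forced to success, because the record is only written on the path where the comparison really returned 0.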
  12. libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly

    For chacha20 and chachapoly, the *_ctx_clone() function is missing
    and therefore the wrong function pointers are assigned to
    .ctx_clone_func and .ctx_free_func when MBEDTLS_CHACHA20_C
    or MBEDTLS_CHACHAPOLY_C is enabled.
    
    Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de>
    Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
    [jw: rebased onto mbedtls-3.4.0]
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    smo4201 authored and tomvaneyck committed Apr 29, 2024
    613ebdb View commit details
  13. libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode

    For AES Key Wrap mode, the *_ctx_clone() function is missing and
    therefore the wrong function pointers are assigned to .ctx_clone_func
    and .ctx_free_func when MBEDTLS_NIST_KW_C is enabled.
    
    Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
    Acked-By: Jerome Forissier <jerome.forissier@linaro.org>
    [tve: rebased onto mbedtls-3.6.0]
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    jenswi-linaro authored and tomvaneyck committed Apr 29, 2024
    7246fa2 View commit details
  14. libmbedtls: allow inclusion of arm_neon.h

    mbedtls/library/common.h includes arm_neon.h since 3.5.0, which collides
    with the definition of __section and __data in compiler.h. Temporarily
    remove those definitions while including arm_neon.h.
    
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
    tomvaneyck committed Apr 29, 2024
    fd642da View commit details
  15. libmbedtls: adjust use of rsa pk_wrap API

    These functions now accept `mbedtls_pk_context` instead of
    `mbedtls_rsa_context`. Use this wrapper struct in `libmbedtls/core/rsa.c`.
    
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
    tomvaneyck committed Apr 29, 2024
    338f146 View commit details
  16. libmbedtls: reset minimum rsa key size

    MbedTLS set the default minimum key size to 1024, while test regression_4007
    requires a minimum key size of 128.
    
    Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
    Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
    tomvaneyck committed Apr 29, 2024
    afd7e60 View commit details